diff --git a/infra/services/nginx/README.md b/infra/services/nginx/README.md
new file mode 100644
index 000000000..43e570946
--- /dev/null
+++ b/infra/services/nginx/README.md
@@ -0,0 +1,21 @@
+# Nginx
+
+This is a base nginx service that terminates TLS, and can be used as a reverse
+proxy for arbitrary services by adding new entries in `/root/nginx/conf.d` and
+`sudo systemctl restart nginx`.
+
+## Installation
+
+Create a directory to house service specific configuration
+
+    sudo mkdir -p /root/nginx/conf.d
+
+Add the SSL certificate provided by Cloudflare
+
+    sudo tee /root/nginx/cert.pem
+    sudo tee /root/nginx/key.pem
+
+## Adding a service
+
+When adding new services that sit behind nginx, add their nginx conf file to
+`/root/nginx/conf.d` and and restart the nginx service.
diff --git a/infra/services/nginx/nginx.service b/infra/services/nginx/nginx.service
new file mode 100644
index 000000000..4f772d38d
--- /dev/null
+++ b/infra/services/nginx/nginx.service
@@ -0,0 +1,19 @@
+[Unit]
+Documentation=https://www.docker.com/blog/how-to-use-the-official-nginx-docker-image/
+Requires=docker.service
+After=docker.service
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+ExecStartPre=docker pull nginx
+ExecStartPre=-docker stop nginx
+ExecStartPre=-docker rm nginx
+ExecStart=docker run --name nginx \
+    --add-host=host.docker.internal:host-gateway \
+    -p 443:443 \
+    -v /root/nginx/cert.pem:/etc/ssl/certs/cert.pem:ro \
+    -v /root/nginx/key.pem:/etc/ssl/private/key.pem:ro \
+    -v /root/nginx/conf.d:/etc/nginx/conf.d:ro \
+    nginx