diff --git a/profiles/templates/homeassistant/homeassistant/ini.env b/profiles/templates/homeassistant/homeassistant/ini.env
index db90a6c..a47e25f 100644
--- a/profiles/templates/homeassistant/homeassistant/ini.env
+++ b/profiles/templates/homeassistant/homeassistant/ini.env
@@ -2,3 +2,25 @@
 [homeassistant]
 protocol = http
 domain = home.example.org
+
+# for a self-signed certificate
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = some_dn
+
+[some_dn]
+C = RU
+L = Saint-Petersburg
+O = Calculate Linux
+emailAddress = support@calculate.ru
+CN = calculate-linux.org
+
+[req_ext]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = otherdomain.com
+IP.1 = 1.2.3.4
diff --git a/profiles/templates/homeassistant/nginx/homeassistant.conf b/profiles/templates/homeassistant/nginx/homeassistant.conf
index 864ed0c..eca3332 100644
--- a/profiles/templates/homeassistant/nginx/homeassistant.conf
+++ b/profiles/templates/homeassistant/nginx/homeassistant.conf
@@ -3,6 +3,7 @@ map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
 }
+
 server {
 listen 80;
 location / {
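Review bot: The `[alt_names]` section hard-codes `DNS.1 = otherdomain.com` and `IP.1 = 1.2.3.4`, which do not match `domain = home.example.org` in the `[homeassistant]` section that nginx serves through `#-ini(homeassistant.domain)-#`; because create-ssl signs the leaf with `-extensions req_ext`, the resulting certificate's SAN will not cover the configured host name and TLS clients checking the name will reject it (clients ignore `CN` once a SAN is present, so `CN = calculate-linux.org` does not help). Unless these are meant as placeholders the administrator must edit, set `DNS.1 = home.example.org` and drop `IP.1` unless the host's address is really intended. The comment above `[req]` should say what the sections are for, e.g. `# OpenSSL request config consumed by nginx/ssl/create-ssl; alt_names must list every name clients will connect with`.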
@@ -20,3 +21,29 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 }
 }
+
+server {
+ server_name #-ini(homeassistant.domain)-#;
+
+ ssl_certificate /var/calculate/ssl/fullchain.pem;
+ ssl_certificate_key /var/calculate/ssl/privkey.pem;
+
+ listen 443 ssl;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
+ ssl_protocols TLSv1.2;
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ proxy_buffering off;
+
+ location / {
+ proxy_pass http://127.0.0.1:8123;
+ proxy_set_header Host $host;
+ proxy_redirect http:// https://;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
diff --git a/profiles/templates/homeassistant/nginx/ssl/.calculate_directory b/profiles/templates/homeassistant/nginx/ssl/.calculate_directory
new file mode 100644
index 0000000..814ccaf
--- /dev/null
+++ b/profiles/templates/homeassistant/nginx/ssl/.calculate_directory
@@ -0,0 +1 @@
+# Calculate path=/var/calculate
diff --git a/profiles/templates/homeassistant/nginx/ssl/create-ssl b/profiles/templates/homeassistant/nginx/ssl/create-ssl
new file mode 100644
index 0000000..2284d76
--- /dev/null
+++ b/profiles/templates/homeassistant/nginx/ssl/create-ssl
@@ -0,0 +1,6 @@
+# Calculate run=/bin/bash
+
+cd /var/calculate/ssl
+openssl req -new -x509 -nodes -subj "/CN=calculate.root" -newkey rsa:2048 -keyout ca.key -out ca.crt -reqexts v3_req -extensions v3_ca
+openssl req -new -nodes -sha256 -newkey rsa:2048 -config /var/calculate/ini.env -out domain.csr -keyout privkey.pem
+openssl x509 -req -in domain.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 500 -sha256 -extfile /var/calculate/ini.env -extensions req_ext -out fullchain.pem
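Review bot: The new HTTPS server block forwards `X-Forwarded-For` but neither `X-Real-IP` (which the existing port-80 block, whose closing braces are the context lines at the top of this hunk, does set) nor `X-Forwarded-Proto`, so the upstream on 127.0.0.1:8123 cannot tell that the client arrived over TLS; add `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;` next to the existing `X-Forwarded-For` line. The port-80 block, which starts outside this hunk, is left proxying the application in plaintext while the new block sends HSTS, so it is probably worth turning that block into a redirect to https once the 443 block is in place. `includeSubdomains` in the HSTS header commits every subdomain of the configured domain to HTTPS for a year, so confirm that is intended before shipping it from a template.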
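Review bot: The CA certificate produced by the first `openssl req -x509` line is created without `-days`, so it receives OpenSSL's 30-day default while the leaf signed on the last line is valid for `-days 500`; any client that trusts `ca.crt` will see the chain expire after a month, so give the CA command at least the same `-days` value. `cd /var/calculate/ssl` is unchecked, so if the directory is missing the keys and certificates land in whatever the current directory happens to be; use `cd /var/calculate/ssl || exit 1` (or `set -e` under the `# Calculate run=/bin/bash` line). `ca.key` and `privkey.pem` are presumably created with the caller's umask, so unless that is already restrictive a `umask 077` before the openssl calls keeps the private keys from being group- or world-readable. The script also regenerates the CA on every run, which invalidates anything that trusted the previous `ca.crt`; if the template can be re-run, guard the generation on an existing `fullchain.pem`.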