diff --git a/ops/cryps.gg.nginx.conf b/ops/cryps.gg.nginx.conf
new file mode 100644
index 00000000..975cf1b1
--- /dev/null
+++ b/ops/cryps.gg.nginx.conf
@@ -0,0 +1,44 @@
+upstream cryps {
+    server 127.0.0.1:40000;
+}
+
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+server {
+    root /home/git/cryps/client/dist/;
+    index index.html;
+
+    server_name cryps.gg; # managed by Certbot
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    listen [::]:443 ssl ipv6only=on; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/cryps.gg/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/cryps.gg/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    location /ws {
+        proxy_pass http://cryps;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+    }
+}
+
+server {
+    if ($host = cryps.gg) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    listen 80 ;
+    listen [::]:80 ;
+    server_name cryps.gg;
+    return 404; # managed by Certbot
+}
diff --git a/ops/init_db.sh b/ops/init_db.sh
index 4ba8581c..c1c4f7ba 100755
--- a/ops/init_db.sh
+++ b/ops/init_db.sh
@@ -7,5 +7,5 @@ sudo -u postgres createdb cryps
 sudo -u postgres createuser --encrypted cryps
 sudo -u postgres psql -c "alter user cryps with encrypted password 'craftbeer';"
 
-npm i
+# npm i
 npm run migrate
diff --git a/server/WORKLOG.md b/server/WORKLOG.md
index 6dbfd1ae..6ee9f5c6 100755
--- a/server/WORKLOG.md
+++ b/server/WORKLOG.md
@@ -53,6 +53,8 @@
 * delete games when a cryp is deleted
   * does this need to happen? can have historical games
 
+* run nginx as not root
+
 # Mechanic Ideas
 teams
 1v1 2v2 3v3
diff --git a/server/src/rpc.rs b/server/src/rpc.rs
index cd6210eb..b31abc00 100755
--- a/server/src/rpc.rs
+++ b/server/src/rpc.rs
@@ -69,7 +69,7 @@ impl Rpc {
         }
     }
 
-    fn game_state(data: Vec<u8>, tx: &mut Transaction, account: Option<Account>, client: &mut WebSocket<TcpStream>) -> Result<RpcResponse, Error> {
+    fn game_state(data: Vec<u8>, tx: &mut Transaction, account: Option<Account>, _client: &mut WebSocket<TcpStream>) -> Result<RpcResponse, Error> {
         let a = match account {
             Some(a) => a,
             None => return Err(err_msg("auth required")),