diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix
index f8718ef..e58c7f7 100644
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@@ -170,6 +170,22 @@
 rule = "HostSNI(`*`)";
 service = "matrix-federation";
 entryPoints = ["federation"];
+ # Pass TLS through to the backend (Conduit handles TLS on port 12244)
+ tls = {
+ passthrough = true;
+ };
+ };
+ # Also accept TLS passthrough on port 443 for the Matrix host so
+ # other servers that contact :443/_matrix/*
+ # will be forwarded to Conduit as well.
+ matrix-tls443 = {
+ # match by SNI to avoid interfering with other HTTPS sites
+ rule = "HostSNI(`lgbtq.prg-radio.org`)";
+ service = "matrix-federation";
+ entryPoints = ["websecure"];
+ tls = {
+ passthrough = true;
+ };
 };
 };
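Review bot: The new `matrix-tls443` router is a TCP router with `tls.passthrough = true`, so it cannot select on `/_matrix/*` as the comment above it implies: every TLS connection on `websecure` whose SNI is `lgbtq.prg-radio.org` is handed to the `matrix-federation` backend undecrypted. Traefik evaluates TCP routers before HTTP routers on a shared entry point, so any HTTP router for that host on `websecure` would be shadowed, and Traefik's middlewares, TLS options and HTTP-level access logging stop applying to it; the backend's own TLS configuration becomes the only policy for that name on 443. The rest of the routers set lies outside the hunk, so whether such an HTTP router exists cannot be confirmed here. I would correct the comment to say so, e.g. `# TCP passthrough: ALL TLS traffic for this SNI on websecure goes to Conduit; no path matching, no Traefik middlewares or TLS options apply`, and check that nothing else is expected to be served for this host on 443.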