diff --git a/service/prosody/container/config/prosody.cfg.lua b/service/prosody/container/config/prosody.cfg.lua
index 81cf3e6..60b242f 100644
--- a/service/prosody/container/config/prosody.cfg.lua
+++ b/service/prosody/container/config/prosody.cfg.lua
@@ -78,6 +78,9 @@ modules_enabled = {
 -- to disable them then uncomment them here:
 modules_disabled = {}
 
+-- Enable direct TLS connections for clients.
+c2s_direct_tls_ports = {5223}
+
 -- Force clients to use encrypted connections? This option will
 -- prevent clients from authenticating unless they are using encryption.
 c2s_require_encryption = true
@@ -94,15 +97,13 @@ s2s_require_encryption = true
 -- For more information see https://prosody.im/doc/s2s#security
 s2s_secure_auth = true
 
--- Some servers have invalid or self-signed certificates. You can list
--- remote domains here that will not be required to authenticate using
--- certificates. They will be authenticated using DNS instead, even
--- when s2s_secure_auth is enabled.
---s2s_insecure_domains = { "insecure.example" }
+-- HTTP interface and port configuration.
+http_ports = {5280}
+http_interfaces = {"*", "::"}
 
--- Even if you leave s2s_secure_auth disabled, you can still require valid
--- certificates for some domains by specifying a list here.
---s2s_secure_domains = { "jabber.org" }
+-- Explicitly disable HTTPS, as we're intended to use a reverse proxy in front of Prosody.
+https_ports = {}
+https_interfaces = {}
 
 -- WebSockets configuration
 consider_websocket_secure = true
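Review bot: In the first hunk (`@@ -78,6 +78,9 @@`), the comment above `c2s_direct_tls_ports = {5223}` does not say what else must be in place for the port to work, and a listener that is published but not served fails quietly. I would extend it to something like `-- Direct TLS (XEP-0368) on 5223; needs Prosody 0.12+, a certificate for the served host, and an _xmpps-client._tcp SRV record for discovery.` Which Prosody release the container image ships is not visible from this hunk, so that part should be confirmed; older releases used `legacy_ssl_ports` and would presumably ignore this option.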
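Review bot: In the `@@ -94,15 +97,13 @@` hunk, the new `http_interfaces = {"*", "::"}` serves plain HTTP on every interface while `consider_websocket_secure = true` just below tells Prosody to treat those WebSocket connections as encrypted, so the setup is only sound if nothing but the reverse proxy can reach port 5280. The unit file in this commit does not publish 5280 among the mappings visible in its hunk, but other containers on the `internal` network can presumably connect to it directly without TLS. I would record the assumption above the setting, e.g. `-- Port 5280 is plain HTTP and must only be reachable by the TLS-terminating reverse proxy.`, and restrict access at the network level if other workloads share that network.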
@@ -126,11 +127,6 @@ sql = {
 database = "/var/lib/prosody/prosody.sqlite",
 }
 
--- For the "sql" backend, you can uncomment *one* of the below to configure:
---sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
---sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
---sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-
 -- Archiving configuration
 -- If mod_mam is enabled, Prosody will store a copy of every message. This
 -- is used to synchronize conversations between multiple clients, even if
diff --git a/service/prosody/systemd/prosody.service b/service/prosody/systemd/prosody.service
index 86b128f..6309aac 100644
--- a/service/prosody/systemd/prosody.service
+++ b/service/prosody/systemd/prosody.service
@@ -11,7 +11,7 @@ Restart=on-failure
 Environment=PODMAN_SYSTEMD_UNIT=%n
 ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon \
 --env-file %E/coreos-home-server/%N/%N.env \
- --publish 5222:5222 --publish 5269:5269 --publish 5347:5347 \
+ --publish 5222:5222 --publish 5223:5223 --publish 5269:5269 --publish 5347:5347 \
 --volume %N:/var/lib/%N:z \
 --volume prosody-conf:/etc/%N/conf.d:z \
 --volume letsencrypt:/etc/ssl/private:z \
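Review bot: In the prosody.service hunk, the rewritten `--publish` line still exposes the component port 5347 on every host address next to the new 5223 mapping. Prosody's component listener authenticates with a shared secret over an unencrypted stream and is normally kept local, so unless a component on another machine needs it I would drop that mapping or bind it to loopback with `--publish 127.0.0.1:5347:5347`. Components running as containers on the `internal` network should not need a published port at all, assuming they address the container directly. The ExecStart command continues past the end of this hunk, so later options are not visible here.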