diff --git a/roles/ingress/defaults/main.yml b/roles/ingress/defaults/main.yml
index 4338e6d..e84540a 100644
--- a/roles/ingress/defaults/main.yml
+++ b/roles/ingress/defaults/main.yml
@@ -22,10 +22,14 @@ ingress_container_certbot_email: rehashedsalt@cock.li
 # General Nginx configuration
 ingress_listen_args: "443 ssl"
+ingress_resolver: 8.8.8.8
 # This non-obvious setting controls whether directives for certificates will be added to hosts
 # Set to "no" if you do not plan on terminating TLS at the ingress controller, like when using
 # a custom container that *doesn't* automatically-provision LE certs
 ingress_listen_tls: yes
+ingress_tls_protocols: TLSv1.2 TLSv1.3
+ingress_tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ingress_tls_prefer_server_ciphers: "off"
 # Vhost configuration
 # ingress_servers:
diff --git a/roles/ingress/templates/vhosts.conf.j2 b/roles/ingress/templates/vhosts.conf.j2
index 633cbe6..4fbea21 100644
--- a/roles/ingress/templates/vhosts.conf.j2
+++ b/roles/ingress/templates/vhosts.conf.j2
@@ -13,6 +13,11 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/{{ ingress_servers[0].name }}/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/{{ ingress_servers[0].name }}/chain.pem;
 ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_protocols {{ ingress_tls_protocols }};
+ ssl_ciphers {{ ingress_tls_ciphers }};
+ ssl_prefer_server_ciphers {{ ingress_tls_prefer_server_ciphers }};
 {% endif %}
 {% if server.directives is defined %}
@@ -49,5 +54,6 @@ server {
 {% endfor %}
 {% endif %}
+ resolver {{ ingress_resolver }};
 }
 {% endfor %}
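Review bot: `ingress_resolver` defaults to a third-party public resolver (8.8.8.8), and unlike the neighbouring settings none of the four new keys carries a `#` comment saying what it controls. That value is rendered into every server block's `resolver` directive in the vhosts.conf.j2 hunk and is what nginx will use to look up the OCSP responder for the newly enabled stapling, so those lookups go out as plaintext DNS to an external party unless the deployer overrides it; a comment such as `# Resolver nginx uses for OCSP stapling lookups; point at a local/trusted resolver` above the key would make that explicit. Because Ansible's loader reads YAML 1.1 truthy words, it is also worth a comment that `ingress_tls_prefer_server_ciphers` must stay a quoted string (`"on"`/`"off"`) so the template does not receive a boolean. The `ingress_tls_ciphers` line would read and diff better as a `>-` folded scalar with one suite per line.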
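Review bot: `ssl_prefer_server_ciphers {{ ingress_tls_prefer_server_ciphers }};` renders the variable verbatim, and Ansible's YAML loader turns an unquoted `on`/`off` override into a Python boolean, so a deployer who writes `ingress_tls_prefer_server_ciphers: on` ends up with `ssl_prefer_server_ciphers True;`, which `nginx -t` rejects. Normalising in the template, `ssl_prefer_server_ciphers {{ 'on' if ingress_tls_prefer_server_ciphers | bool else 'off' }};`, keeps the default `"off"` behaviour while tolerating both spellings. A comment above the two stapling lines noting that `ssl_stapling_verify on` depends on the `ssl_trusted_certificate` directive just above and on the `resolver` added at the end of the server block would help anyone who later moves or conditions these lines. Note also that `ssl_ciphers` does not govern TLS 1.3 cipher suites in nginx, so with `TLSv1.3` in `ingress_tls_protocols` the list only constrains TLS 1.2 handshakes. The enclosing `{% if %}` block starts outside the hunk.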
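Review bot: `resolver {{ ingress_resolver }};` appears to be emitted unconditionally at the end of every server block and carries no `valid=` or `ipv6=` parameter; nginx's resolver issues AAAA lookups by default, so on IPv4-only hosts the OCSP responder fetch may fail, and a stapling failure is only a warning in the error log rather than a configuration error, which makes it easy to miss. A comment such as `# Required for OCSP stapling responder lookups; add ipv6=off on IPv4-only hosts` above the directive would document both the dependency on the stapling directives added earlier in this file and the common pitfall. The server block this line closes starts outside the hunk.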