diff --git a/CloudronManifest.json b/CloudronManifest.json
index 3a7822d..6068887 100644
--- a/CloudronManifest.json
+++ b/CloudronManifest.json
@@ -10,7 +10,7 @@
   "tagline": "Take back control of your videos",
   "icon": "file://logo.png",
   "healthCheckPath": "/",
-  "httpPort": 9000,
+  "httpPort": 80,
   "tcpPorts": {
     "RTMP_PORT": {
       "title": "RTMP Port",
diff --git a/Dockerfile b/Dockerfile
index c67657b..1a02eb7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,5 +31,18 @@ ENV NODE_CONFIG_DIR /app/code/server/config
 
 RUN printf '#!/bin/bash\n\ncd /app/code/cli && node dist/server/tools/peertube.js $@\n' > /usr/bin/peertube && chmod +x /usr/bin/peertube
 
+
+# add nginx config
+RUN rm /etc/nginx/sites-enabled/*
+RUN ln -sf /dev/stdout /var/log/nginx/access.log
+RUN ln -sf /dev/stderr /var/log/nginx/error.log
+RUN ln -sf /run/peertube-nginx.conf /etc/nginx/sites-enabled/peertube.conf
+COPY nginx/readonlyrootfs.conf /etc/nginx/conf.d/readonlyrootfs.conf
+COPY nginx/peertube.conf /app/pkg/peertube-nginx.conf
+
+# supervisor
+COPY supervisor/ /etc/supervisor/conf.d/
+RUN sed -e 's,^logfile=.*$,logfile=/run/supervisord.log,' -i /etc/supervisor/supervisord.conf
+
 CMD [ "/app/pkg/start.sh" ]
 
diff --git a/nginx/peertube.conf b/nginx/peertube.conf
new file mode 100644
index 0000000..5905263
--- /dev/null
+++ b/nginx/peertube.conf
@@ -0,0 +1,210 @@
+upstream backend {
+  server 127.0.0.1:9000;
+}
+
+server {
+  listen 80;
+  server_name default_server;
+
+  ##
+  # Application
+  ##
+
+  location @api {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host            $host;
+    proxy_set_header X-Real-IP       $remote_addr;
+
+    client_max_body_size  100k; # default is 1M
+
+    proxy_connect_timeout 10m;
+    proxy_send_timeout    10m;
+    proxy_read_timeout    10m;
+    send_timeout          10m;
+
+    proxy_pass http://backend;
+  }
+
+  location / {
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/videos/(upload-resumable|([^/]+/source/replace-resumable))$ {
+    client_max_body_size    0;
+    proxy_request_buffering off;
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/videos/(upload|([^/]+/studio/edit))$ {
+    limit_except POST HEAD { deny all; }
+
+    # This is the maximum upload size, which roughly matches the maximum size of a video file.
+    # Note that temporary space is needed equal to the total size of all concurrent uploads.
+    # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
+    # on a dedicated filesystem.
+    client_max_body_size                      12G; # default is 1M
+    add_header            X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/runners/jobs/[^/]+/(update|success)$ {
+    client_max_body_size                      12G; # default is 1M
+    add_header            X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) {
+    client_max_body_size                      6M; # default is 1M
+    add_header            X-File-Maximum-Size 4M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  ##
+  # Websocket
+  ##
+
+  location @api_websocket {
+    proxy_http_version 1.1;
+    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header   Host            $host;
+    proxy_set_header   X-Real-IP       $remote_addr;
+    proxy_set_header   Upgrade         $http_upgrade;
+    proxy_set_header   Connection      "upgrade";
+
+    proxy_pass http://backend;
+  }
+
+  location /socket.io {
+    try_files /dev/null @api_websocket;
+  }
+
+  location /tracker/socket {
+    # Peers send a message to the tracker every 15 minutes
+    # Don't close the websocket before then
+    proxy_read_timeout 15m; # default is 60s
+
+    try_files /dev/null @api_websocket;
+  }
+
+  # Plugin websocket routes
+  location ~ ^/plugins/[^/]+(/[^/]+)?/ws/ {
+    try_files /dev/null @api_websocket;
+  }
+
+  ##
+  # Performance optimizations
+  # For extra performance please refer to https://github.com/denji/nginx-tuning
+  ##
+
+  #  root /var/www/peertube/storage;
+  root /app/data/storage;
+
+  # Enable compression for JS/CSS/HTML, for improved client load times.
+  # It might be nice to compress JSON/XML as returned by the API, but
+  # leaving that out to protect against potential BREACH attack.
+  gzip              on;
+  gzip_vary         on;
+  gzip_types        # text/html is always compressed by HttpGzipModule
+                    text/css
+                    application/javascript
+                    font/truetype
+                    font/opentype
+                    application/vnd.ms-fontobject
+                    image/svg+xml;
+  gzip_min_length   1000; # default is 20 bytes
+  gzip_buffers      16 8k;
+  gzip_comp_level   2; # default is 1
+
+  client_body_timeout       30s; # default is 60
+  client_header_timeout     10s; # default is 60
+  send_timeout              10s; # default is 60
+  keepalive_timeout         10s; # default is 75
+  resolver_timeout          10s; # default is 30
+  reset_timedout_connection on;
+  proxy_ignore_client_abort on;
+
+  tcp_nopush                on; # send headers in one piece
+  tcp_nodelay               on; # don't buffer data sent, good for small data bursts in real time
+
+  # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
+  # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
+  #client_body_temp_path /var/www/peertube/storage/nginx/;
+
+  # Bypass PeerTube for performance reasons. Optional.
+  # Should be consistent with client-overrides assets list in client.ts server controller
+  location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$ {
+    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
+
+    root /app/code/server;
+
+    #    try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 @api;
+    try_files /app/data/storage/client-overrides/$1 /app/code/server/client/dist/$1 @api;
+  }
+
+  # Bypass PeerTube for performance reasons. Optional.
+  location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
+    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
+
+    #    alias /var/www/peertube/peertube-latest/client/dist/$1;
+    alias /app/code/server/client/dist/$1;
+  }
+
+  location ~ ^(/static/(webseed|web-videos|streaming-playlists)/private/)|^/download {
+    # We can't rate limit a try_files directive, so we need to duplicate @api
+
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host            $host;
+    proxy_set_header X-Real-IP       $remote_addr;
+
+    proxy_limit_rate 5M;
+
+    proxy_pass http://backend;
+  }
+
+  # Bypass PeerTube for performance reasons. Optional.
+  location ~ ^/static/(webseed|web-videos|redundancy|streaming-playlists)/ {
+    limit_rate_after            5M;
+
+    set $peertube_limit_rate  5M;
+
+    # Use this line with nginx >= 1.17.0
+    limit_rate $peertube_limit_rate;
+    # Or this line with nginx < 1.17.0
+    # set $limit_rate $peertube_limit_rate;
+
+    if ($request_method = 'OPTIONS') {
+      add_header Access-Control-Allow-Origin  '*';
+      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
+      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+      add_header Access-Control-Max-Age       1728000; # Preflight request can be cached 20 days
+      add_header Content-Type                 'text/plain charset=UTF-8';
+      add_header Content-Length               0;
+      return 204;
+    }
+
+    if ($request_method = 'GET') {
+      add_header Access-Control-Allow-Origin  '*';
+      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
+      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+
+      # Don't spam access log file with byte range requests
+      access_log off;
+    }
+
+    # Enabling the sendfile directive eliminates the step of copying the data into the buffer
+    # and enables direct copying data from one file descriptor to another.
+    sendfile on;
+    sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
+    aio threads;
+
+    # web-videos is the name of the directory mapped to the `storage.web_videos` key in your PeerTube configuration
+    rewrite ^/static/webseed/(.*)$ /web-videos/$1 break;
+    rewrite ^/static/(.*)$         /$1        break;
+
+    try_files $uri @api;
+  }
+}
diff --git a/nginx/readonlyrootfs.conf b/nginx/readonlyrootfs.conf
new file mode 100644
index 0000000..1034f37
--- /dev/null
+++ b/nginx/readonlyrootfs.conf
@@ -0,0 +1,7 @@
+# this is already in a http block
+
+client_body_temp_path /run/nginx;
+proxy_temp_path /run/nginx;
+fastcgi_temp_path /run/nginx;
+uwsgi_temp_path /run/nginx;
+scgi_temp_path /run/nginx;
diff --git a/start.sh b/start.sh
index d7ae917..7b77a91 100755
--- a/start.sh
+++ b/start.sh
@@ -113,5 +113,9 @@ else
     [[ -n "${CLOUDRON_LDAP_SERVER:-}" ]] && update_ldap
 fi
 
+echo "==> Configuring nginx"
+cp /app/pkg/peertube-nginx.conf /run/peertube-nginx.conf
+
 echo "==> Starting PeerTube"
-exec gosu cloudron:cloudron npm start
+#exec gosu cloudron:cloudron npm start
+exec /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i PeerTube
diff --git a/supervisor/nginx.conf b/supervisor/nginx.conf
new file mode 100644
index 0000000..c2668ac
--- /dev/null
+++ b/supervisor/nginx.conf
@@ -0,0 +1,11 @@
+[program:nginx]
+priority=100
+directory=/tmp
+command=/usr/sbin/nginx -g "daemon off;"
+user=root
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
diff --git a/supervisor/peertube.conf b/supervisor/peertube.conf
new file mode 100644
index 0000000..847d296
--- /dev/null
+++ b/supervisor/peertube.conf
@@ -0,0 +1,11 @@
+[program:peertube]
+directory=/app/code/server
+user=cloudron
+environment=HOME="/home/cloudron",USER="cloudron"
+command=npm start
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
diff --git a/test/test.js b/test/test.js
index 59892b0..b7afe9e 100644
--- a/test/test.js
+++ b/test/test.js
@@ -32,11 +32,12 @@ describe('Application life cycle test', function () {
     const TEST_TIMEOUT = parseInt(process.env.TEST_TIMEOUT, 10) || 30000;
     const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
 
-    var browser;
-    var app;
-    var username = process.env.USERNAME;
-    var password = process.env.PASSWORD;
-    var email = process.env.EMAIL;
+    let browser;
+    let app;
+    let host_os;
+    let username = process.env.USERNAME;
+    let password = process.env.PASSWORD;
+    let email = process.env.EMAIL;
 
     before(function () {
         browser = new Builder().forBrowser('chrome').setChromeOptions(new Options().windowSize({ width: 1280, height: 1024 })).build();
@@ -47,11 +48,17 @@ describe('Application life cycle test', function () {
     });
 
     function getAppInfo() {
-        var inspect = JSON.parse(execSync('cloudron inspect'));
+        let inspect = JSON.parse(execSync('cloudron inspect'));
         app = inspect.apps.filter(function (a) { return a.location.indexOf(LOCATION) === 0; })[0];
         expect(app).to.be.an('object');
     }
 
+    async function getOS() {
+        if (typeof(host_os) == 'undefined' || host_os == null)
+            host_os = String(await execSync('uname -s')).trim();
+        return host_os;
+    }
+
     async function waitForElement(elem) {
         await browser.wait(until.elementLocated(elem), TEST_TIMEOUT);
         await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT);
@@ -90,13 +97,15 @@ describe('Application life cycle test', function () {
     }
 
     async function completeSetup() {
-        var button;
+        let button;
 
         await browser.get(`https://${app.fqdn}`);
         await waitForElement(By.xpath('//a[contains(text(), "Configure my instance")]'));
         await browser.findElement(By.xpath('//a[contains(text(), "Configure my instance")]')).click(); // this opens a new window
 
-        execSync('spd-say "Close the newly opened configuration tab."');
+        let say_cmd = await getOS() == "Darwin" ? "say" : "spd-say";
+        execSync(`${say_cmd} "Close the newly opened configuration tab."`);
+
         await rl.question('Is tab closed? ');
     }
 
@@ -120,14 +129,14 @@ describe('Application life cycle test', function () {
     }
 
     xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
-    it('install app', async function () {
+    xit('install app', async function () {
         execSync('cloudron install --location ' + LOCATION, EXEC_ARGS);
         await sleep(40000); // takes a bit to create root user in background
     });
 
     it('can get app information', getAppInfo);
     it('can root login', login.bind(null, 'root', 'changeme'));
-    it('can complete setup', completeSetup);
+    xit('can complete setup', completeSetup);
     it('can upload video', uploadVideo);
     it('video exists', videoExists);
     it('logout', logout);