diff --git a/compose/.env-template b/compose/.env-template
index 64d7d60..9acc048 100644
--- a/compose/.env-template
+++ b/compose/.env-template
@@ -3,20 +3,45 @@
 # -----------------------------------------------------------------------------
 # 1. Copy this file to `.env` in the same directory as `compose.yaml`.
 # 2. Replace the placeholders on the right‑hand side with your real values.
+# 3. Place all SSL certificates and Diffie‑Hellman parameters in the
+# `nginx/ssl` directory.
+# 4. Run `docker‑compose up -d` to start the containers.
 #
-# Variables
-# ---------
-# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the Collab
-# service (e.g. collab.example.com).
+# Variables (all required unless stated otherwise)
+# ----------------------------------------------
+# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the
+# Collab service (e.g. collab.example.com).
 #
-# INTEL_FQDN Public hostname (FQDN) for the Intel service
-# (e.g. intel.example.com).
+# INTEL_FQDN Public hostname (FQDN) for the Intel service
+# (e.g. intel.example.com).
 #
-# INTEL_SECRET Shared secret Collab uses to authenticate when authenticating
-# communication with the intel service.
-# Use a strong, private value.
+# INTEL_SECRET Shared secret Collab uses to authenticate when
+# communicating with the Intel service. Use a strong,
+# private value.
+#
+# SSL_COLLAB_CERT Certificate filename that Nginx serves for the Collab
+# virtual host (e.g. ssl-collab.crt).
+#
+# SSL_COLLAB_KEY Private key filename for the Collab certificate
+# (e.g. ssl-collab.key).
+#
+# SSL_INTEL_CERT Certificate filename for the Intel virtual host
+# (e.g. ssl-intel.crt).
+#
+# SSL_INTEL_KEY Private key filename for the Intel certificate
+# (e.g. ssl-intel.key).
+#
+# DHPARAM_PATH Diffie‑Hellman parameters file (e.g. dhparam.pem).
 ###############################################################################
 COLLAB_FQDN=collab.example.com
 INTEL_FQDN=intel.example.com
-INTEL_SECRET=super-secret-string
\ No newline at end of file
+INTEL_SECRET=super-secret-string
+
+SSL_COLLAB_CERT=ssl-collab.crt
+SSL_COLLAB_KEY=ssl-collab.key
+
+SSL_INTEL_CERT=ssl-intel.crt
+SSL_INTEL_KEY=ssl-intel.key
+
+DHPARAM_PATH=dhparam.pem
\ No newline at end of file
diff --git a/compose/compose.yaml b/compose/compose.yaml
index 27c3e94..e5e96d2 100644
--- a/compose/compose.yaml
+++ b/compose/compose.yaml
@@ -18,10 +18,14 @@ services:
 nginx:
 image: nginx:latest
 container_name: codetogether-nginx
+ env_file:
+ - .env
+ environment:
+ - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
 ports:
 - "443:443"
 volumes:
- - ./nginx/nginx.conf:/etc/nginx/nginx.conf
+ - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro
 - ./nginx/ssl:/etc/nginx/ssl
 - ./nginx/log:/var/log/nginx
 networks:
diff --git a/compose/nginx/nginx.conf b/compose/nginx/nginx.conf.template
similarity index 88%
rename from compose/nginx/nginx.conf
rename to compose/nginx/nginx.conf.template
index b5a33eb..4418cd7 100644
--- a/compose/nginx/nginx.conf
+++ b/compose/nginx/nginx.conf.template
@@ -1,6 +1,7 @@
 events {
 worker_connections 1024;
 }
+
 http {
 include mime.types;
 default_type application/octet-stream;
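Review bot: The step-4 command `docker‑compose up -d` in the new header comment looks like it is written with a non-ASCII hyphen (the same glyph as in "right‑hand", "Diffie‑Hellman" and "end‑users", unlike the plain `-` in `-d` and `ssl-collab.crt`), so a user who copies it from the template gets a "command not found"; in the command it should be `docker-compose up -d` (or `docker compose up -d`) with an ASCII hyphen. A second point is the name `DHPARAM_PATH`: the nginx template joins it to `/etc/nginx/ssl/`, so it is a bare filename like the `SSL_*_CERT`/`SSL_*_KEY` variables, and a reader who takes `_PATH` literally and sets an absolute path ends up with a doubled path that nginx cannot open. Either rename it (`DHPARAM_FILE`) to match its siblings, or extend its comment to `# DHPARAM_PATH Diffie-Hellman parameters file name inside nginx/ssl (e.g. dhparam.pem).`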
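Review bot: `env_file: - .env` injects every variable of `.env` into the nginx container, including `INTEL_SECRET`, although the template consumes only `COLLAB_FQDN`, `INTEL_FQDN`, the four `SSL_*` names and `DHPARAM_PATH`; a shared secret nginx never uses then sits in that container's environment, where it is visible to anyone who can read the container's process environment or run `docker inspect`. Since Compose already reads `.env` from the project directory for interpolation, the least-privilege form is to drop `env_file` and list the seven needed names explicitly under `environment:`, e.g. `- COLLAB_FQDN=${COLLAB_FQDN}` and `- SSL_COLLAB_CERT=${SSL_COLLAB_CERT}`, so the secret stays with the service that actually needs it. It would also help to add a comment on `NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx` explaining that it is set so the rendered `nginx.conf.template` replaces the image's main `nginx.conf` rather than landing in the default `conf.d` output directory.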
@@ -8,12 +9,12 @@ http {
 keepalive_timeout 65;
 server {
 listen 443 ssl http2;
- server_name ;
+ server_name ${COLLAB_FQDN};
 proxy_buffer_size 128k;
 proxy_buffers 4 256k;
- ssl_certificate ;
- ssl_certificate_key ;
- ssl_dhparam ;
+ ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY};
+ ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH};
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1.2;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
@@ -47,7 +48,7 @@ http {
 }
 }
 server {
- server_name ;
+ server_name ${INTEL_FQDN};
 listen 443 ssl http2;
 # configure proxy buffer sizes
@@ -55,9 +56,9 @@ http {
 proxy_buffers 4 256k;
 # setup the SSL certificate
- ssl_certificate ;
- ssl_certificate_key ;
- ssl_dhparam ;
+ ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY};
+ ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH};
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1.2;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
@@ -91,4 +92,4 @@ http {
 proxy_send_timeout 360;
 }
 }
-}
+}
\ No newline at end of file
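Review bot: The `${COLLAB_FQDN}` and `/etc/nginx/ssl/${SSL_COLLAB_CERT}` substitutions in the `@@ -8,12` hunk (and likewise `${INTEL_FQDN}` in `@@ -47,7` and the `${SSL_INTEL_*}`/`${DHPARAM_PATH}` lines in `@@ -55,9`) have no guard for a variable that is missing from `.env`: envsubst replaces an unset name with an empty string, so the rendered config silently regresses to the old `server_name ;` and `ssl_certificate /etc/nginx/ssl/;` forms and the only symptom is an nginx startup error that does not name the missing variable. Since the template itself cannot express "required", a header comment listing the names the substitution expects, e.g. `# Rendered by the image's envsubst step; requires COLLAB_FQDN, INTEL_FQDN, SSL_COLLAB_CERT, SSL_COLLAB_KEY, SSL_INTEL_CERT, SSL_INTEL_KEY and DHPARAM_PATH to be set.`, would at least point an operator at the right place. Because the image's template step substitutes any environment-variable name it finds in the file, it is also worth restricting it to these names with `NGINX_ENVSUBST_FILTER` if the nginx image version in use supports that variable, so that no other `$`-prefixed token in the config can be rewritten by an unrelated environment variable. The enclosing `http {` block starts and ends outside these hunks.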