diff --git a/README.md b/README.md index 2e516ea..7589dec 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ Random opinionated helper scripts & front-end customizations for my [personal Ma The [wiki of this repo](https://github.com/jakejarvis/mastodon-scripts/wiki) and the [`/etc` folder](etc/) are simply my way of not forgetting how I did something, which I do quite a bit. Refer there for random notes on PgBouncer, Grafana, etc. but **DO NOT BLINDLY COPY & PASTE** anything there without doing your own research! - [Grafana & Prometheus](https://github.com/jakejarvis/mastodon-scripts/wiki/Prometheus-&-Grafana) +- [ElasticSearch](https://github.com/jakejarvis/mastodon-scripts/wiki/ElasticSearch) - [PgBouncer](https://github.com/jakejarvis/mastodon-scripts/wiki/Postgres-&-PgBouncer) - [Brotli compression](https://github.com/jakejarvis/mastodon-scripts/wiki/Brotli-compression-for-nginx) diff --git a/etc/elasticsearch/elasticsearch.yml b/etc/elasticsearch/elasticsearch.yml new file mode 100644 index 0000000..c286d39 --- /dev/null +++ b/etc/elasticsearch/elasticsearch.yml 
@@ -0,0 +1,53 @@
+# ======================== Elasticsearch Configuration =========================
+#
+# NOTE: Elasticsearch comes with reasonable defaults for most settings.
+# Before you set out to tweak and tune the configuration, make sure you
+# understand what are you trying to accomplish and the consequences.
+#
+# The primary way of configuring a node is via this file. This template lists
+# the most important settings you may want to configure for a production cluster.
+#
+# Please consult the documentation for further information on configuration options:
+# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
+#
+# ----------------------------------- Paths ------------------------------------
+#
+# Path to directory where to store the data (separate multiple locations by comma):
+#
+path.data: /var/lib/elasticsearch
+#
+# Path to log files:
+#
+path.logs: /var/log/elasticsearch
+#
+# ---------------------------------- Network -----------------------------------
+#
+# By default Elasticsearch is only accessible on localhost. Set a different
+# address here to expose this node on the network:
+#
+# network.host: 0.0.0.0
+#
+# By default Elasticsearch listens for HTTP traffic on the first free port it
+# finds starting at 9200. Set a specific HTTP port here:
+#
+http.port: 9200
+#
+# For more information, consult the network module documentation.
+#
+# ---------------------------------- Security ----------------------------------
+#
+# *** WARNING ***
+#
+# Elasticsearch security features are not enabled by default.
+# These features are free, but require configuration changes to enable them.
+# This means that users don’t have to provide credentials and can get full access
+# to the cluster. Network connections are also not encrypted.
+#
+# To protect your data, we strongly encourage you to enable the Elasticsearch security features.
+# Refer to the following documentation for instructions.
+# +# https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html +# + +# shuts up constant warning logs about security (N/A because of strict firewall): +xpack.security.enabled: false diff --git a/etc/elasticsearch/jvm.options.d/heap-size.options b/etc/elasticsearch/jvm.options.d/heap-size.options new file mode 100644 index 0000000..e292d3f --- /dev/null +++ b/etc/elasticsearch/jvm.options.d/heap-size.options @@ -0,0 +1,2 @@ +-Xms1g +-Xmx1g diff --git a/etc/grafana/grafana.ini b/etc/grafana/grafana.ini index 1bc5013..d455912 100644 --- a/etc/grafana/grafana.ini +++ b/etc/grafana/grafana.ini @@ -33,13 +33,16 @@ default_theme = dark disable_login = true disable_login_form = true +[auth.anonymous] +hide_version = true + [auth.grafana_com] enabled = true allow_sign_up = false -client_id = -client_secret = +client_id = XXXXXX +client_secret = XXXXXX scopes = user:email -allowed_organizations = +allowed_organizations = XXXXXX [metrics] enabled = false diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf index 21c1701..42f4eb4 100644 --- a/etc/nginx/nginx.conf +++ b/etc/nginx/nginx.conf @@ -1,4 +1,4 @@ -user mastodon; # jake: changed from nginx +user mastodon; # changed from 'nginx' worker_processes auto; pid /run/nginx.pid; @@ -7,7 +7,7 @@ load_module modules/ngx_http_brotli_filter_module.so; load_module modules/ngx_http_brotli_static_module.so; events { - worker_connections 768; + worker_connections 1024; } http { @@ -24,7 +24,14 @@ http { keepalive_timeout 65; types_hash_max_size 2048; - # jake: added (prometheus target) + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + # stats for prometheus nginx exporter server { listen 9181; location /metrics { @@ -34,13 +41,6 @@ http { } } - ## - # Logging Settings - ## - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - ## # Virtual Host Configs ## 
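Review bot: `xpack.security.enabled: false` on the last line of the elasticsearch.yml hunk turns off authentication and TLS together, and the comment credits the firewall, but the setting that actually keeps this node off the network is `network.host` staying commented out further up (loopback-only bind); a firewall rule and a commented-out line are two separate guards that can each be lost on their own. Record that dependency next to the switch: `# security left off deliberately: node stays on loopback (network.host unset) and 9200 is firewalled; re-enable BEFORE uncommenting network.host`. With it off, any other process on the host has the same unauthenticated, unencrypted access to the index that Mastodon has, which is the residual risk worth stating in the same comment.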
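Review bot: `client_id`, `client_secret` and `allowed_organizations` in the grafana.ini hunk are committed as `XXXXXX` placeholders, so the deployed file has to diverge from the tracked one by hand and the real secret is one careless `git add` away from the repo. Grafana's setting expansion lets the tracked file stay deployable without ever holding the value, e.g. `client_secret = $__file{/etc/grafana/secrets/grafana_com_client_secret}` (or `$__env{GF_AUTH_GRAFANA_COM_CLIENT_SECRET}`); at minimum a comment above the `[auth.grafana_com]` section such as `; XXXXXX values are intentional placeholders, never commit the live ones` makes the convention explicit. The `[auth.anonymous]` block adds only `hide_version = true`, which is fine on its own but reads as if anonymous access were enabled; a short comment saying it is not would avoid that.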
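Review bot: In the third nginx.conf hunk the relocated `# stats for prometheus nginx exporter` server keeps `listen 9181;`, which binds every interface, so the metrics endpoint is reachable from anywhere the host firewall lets through; the body of `location /metrics` is outside the hunk, so if it already carries `allow`/`deny` rules this is moot. Otherwise `listen 127.0.0.1:9181;` (or the scraper's address) or an `allow <scraper-ip>; deny all;` pair inside the location keeps the endpoint off the public side, and a comment on the `listen` line stating which of the two is relied on would stop the next editor from assuming. Moving the `access_log`/`error_log` lines above this server changes nothing, since they apply at `http` level either way.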
diff --git a/etc/nginx/sites-available/default.conf b/etc/nginx/sites-available/default.conf index 419fd56..da59816 100644 --- a/etc/nginx/sites-available/default.conf +++ b/etc/nginx/sites-available/default.conf @@ -1,4 +1,6 @@ -# don't respond to direct IP address requests +# don't respond to direct IP address requests: +# https://www.codedodle.com/disable-direct-ip-access-nginx.html + server { listen 80 default_server; listen [::]:80 default_server; diff --git a/etc/nginx/sites-available/mastodon.conf b/etc/nginx/sites-available/mastodon.conf index 29dd94e..8475279 100644 --- a/etc/nginx/sites-available/mastodon.conf +++ b/etc/nginx/sites-available/mastodon.conf @@ -1,3 +1,5 @@ +# modified from https://github.com/mastodon/mastodon/blob/v4.0.2/dist/nginx.conf + map $http_upgrade $connection_upgrade { default upgrade; '' close; @@ -23,7 +25,7 @@ server { return 301 https://$host$request_uri; } # managed by Certbot - return 404; # managed by Certbot + return 403; } server { @@ -62,8 +64,8 @@ server { image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml; gzip_min_length 256; - # jake: added # https://github.com/google/ngx_brotli#sample-configuration + # https://github.com/jakejarvis/mastodon-scripts/wiki/Brotli-compression-for-nginx brotli on; brotli_comp_level 4; brotli_static on; 
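Review bot: In the `@@ -23,7 +25,7 @@` hunk of mastodon.conf, `return 403;` replaces a line tagged `# managed by Certbot` and drops the tag; as far as I know the certbot nginx installer recognises the directives it owns by that trailing comment, so a later `certbot --nginx` run may insert its own `return 404;` alongside this one rather than updating it. Keep the marker, e.g. `return 403; # managed by Certbot (status changed from 404)`, or move the directive out of the certbot-generated block. The surrounding `server` block starts and ends outside the hunk.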
@@ -74,60 +76,22 @@ server { image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml; brotli_min_length 256; - location / { - try_files $uri @proxy; - } - - # jake: added + # add shortcut to public Grafana dashboard location ~ ^/dashboard/?$ { return 302 https://grafana.pipe.fail/public-dashboards/b5ca7a7c8e844f90b0973d2ab02bad0a; } - # If Docker is used for deployment and Rails serves static files, - # then needed must replace line `try_files $uri =404;` with `try_files $uri @proxy;`. + location / { + try_files $uri @proxy; + } + location = /sw.js { add_header Cache-Control "public, max-age=604800, must-revalidate"; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; try_files $uri =404; } - location ~ ^/assets/ { - add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; - try_files $uri =404; - } - - location ~ ^/avatars/ { - add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; - try_files $uri =404; - } - - location ~ ^/emoji/ { - add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; - try_files $uri =404; - } - - location ~ ^/headers/ { - add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; - try_files $uri =404; - } - - location ~ ^/packs/ { - add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; - try_files $uri =404; - } - - location ~ ^/shortcuts/ { - add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; - try_files 
$uri =404; - } - - location ~ ^/sounds/ { + location ~ ^/(assets|avatars|emoji|headers|packs|shortcuts|sounds)/ { add_header Cache-Control "public, max-age=2419200, must-revalidate"; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; try_files $uri =404; @@ -155,7 +119,7 @@ server { add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; - # jake: added (debugging) + # debugging add_header Via "1.1 $proxy_host" always; tcp_nodelay on; @@ -167,7 +131,7 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Proxy ""; - # jake: removed + # remove 'Server: Mastodon' response header # proxy_pass_header Server; proxy_pass http://backend; @@ -182,11 +146,11 @@ server { proxy_cache_valid 410 24h; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - # jake: added (security) + # security proxy_hide_header Referrer-Policy; add_header Referrer-Policy "strict-origin" always; - # jake: added (debugging) + # debugging add_header Via "1.1 $proxy_host" always; add_header X-Cache-Status $upstream_cache_status always; add_header X-Got-Milk "2%" always;
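Review bot: The new `location ~ ^/dashboard/?$` in the `@@ -74,60 +76,22 @@` hunk carries no `add_header` of its own, so whether the 302 goes out with HSTS depends on server-level headers outside this hunk; the neighbouring `/sw.js` and asset locations each repeat `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;`, which suggests the header is set per location in this file, and a location without it would send the redirect bare. If that is the case, add the same `add_header` line before `return 302`. Collapsing the seven identical asset locations into `location ~ ^/(assets|avatars|emoji|headers|packs|shortcuts|sounds)/` preserves the upstream behaviour, since every removed body was the same; the enclosing `server` block starts and ends outside the hunk.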
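Review bot: The reworded comment in the `@@ -167,7 +131,7 @@` hunk, `# remove 'Server: Mastodon' response header`, overstates what leaving `proxy_pass_header Server;` commented out does: nginx then stops forwarding the upstream's `Server` header and emits its own `Server: nginx` (with version unless `server_tokens off;` is set elsewhere in the config), so the header is replaced, not removed. Suggest `# don't pass the upstream 'Server: Mastodon' header through; nginx substitutes its own (see server_tokens)` so nobody reads this as header suppression. The enclosing `location @proxy` block starts and ends outside the hunk.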