diff --git a/README.md b/README.md
index 2b3758a..e4412c5 100644
--- a/README.md
+++ b/README.md
@@ -17,3 +17,17 @@ ansible-playbook -i inventory.yml --ask-vault-pass main.yml
 ```
 
 You need to provide a user with sudo rights and the vault password.
+
+## HTTPS ingress configuration
+
+HTTPS ingress is controlled by the server [holmium](https://wiki.netz39.de/admin:servers:holmium) and forwarded to the configured servers.
+
+To set up a new HTTPS vhost, the following steps need to be taken:
+
+1. Select a domain (for internal services we use sub-domains of `.n39.eu`).
+2. Create an external CNAME from this domain to `dyndns.n39.eu`.
+3. Create an internal DNS entry in the [Descartes DNS config](https://gitea.n39.eu/Netz39_Admin/config.descartes/src/branch/prepare/dns_dhcp.txt). This is usually an alias on an existing server.
+4. Add the entry to the [holmium playbook](holmium.yml).
+5. Set up Dehydrated and vhost on the target host, e.g. using `setup-http-site-proxy`.
+
+Do not forget to execute all playbooks with relevant changes.