diff --git a/Dockerfile b/Dockerfile
index 32d9a2a..58600ea 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,7 @@ RUN go mod download
 COPY zooid zooid
 COPY cmd cmd
 
-RUN CGO_ENABLED=0 GOOS=linux go build -o bin/zooid cmd/relay/main.go
+RUN CGO_ENABLED=1 GOOS=linux go build -o bin/zooid cmd/relay/main.go
 
 FROM gcr.io/distroless/base-debian12 AS run
 
diff --git a/README.md b/README.md
index d08d406..e8d0925 100644
--- a/README.md
+++ b/README.md
@@ -113,7 +113,7 @@ adduser zooid
 
 # Install system dependencies
 sudo apt update
-sudo apt install git
+apt install nginx git certbot python3-certbot-nginx sqlite3 gcc
 
 # Install go and add it to path
 wget -qO- https://go.dev/dl/go1.25.1.linux-amd64.tar.gz | sudo tar -C /usr/local -xzf -
@@ -124,7 +124,7 @@ su --login zooid
 
 # Clone the repository and build
 git clone https://github.com/coracle-social/zooid.git ~/zooid && cd zooid
-go build -o bin/zooid cmd/relay/main.go
+CGO_ENABLED=1 go build -o bin/zooid cmd/relay/main.go
 
 # Back to root
 exit
@@ -136,7 +136,15 @@ cp /home/zooid/zooid/zooid.service /etc/systemd/system/zooid.service
 systemctl enable zooid
 service zooid start
 
-# Next, optionally set up a reverse proxy and create a config file for each virtual relay
+# Set up nginx - be sure to edit the server_name to your domain
+cp /home/zooid/zooid/nginx.conf /etc/nginx/sites-available/zooid.conf
+ln -s /etc/nginx/sites-{available,enabled}/zooid.conf
+
+# Set up a SSL certificate - you'll need to verify and renew this manually
+certbot --nginx -d '*.yourdomain.com'
+
+# Enable the site and restart nginx
+service nginx restart
 ```
 
 ## Deploying via container
diff --git a/justfile b/justfile
index 490fe98..bef2ee6 100644
--- a/justfile
+++ b/justfile
@@ -2,7 +2,7 @@ run:
   go run cmd/relay/main.go
 
 build:
-  go build -o bin/zooid cmd/relay/main.go
+  CGO_ENABLED=1 go build -o bin/zooid cmd/relay/main.go
 
 test:
   go test -v ./...
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..1c5332b
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,13 @@
+server {
+    listen              80;
+    server_name         *.yourdomain.com;
+
+    location / {
+        proxy_pass http://127.0.0.1:3334;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+    }
+
+}
diff --git a/zooid/instance.go b/zooid/instance.go
index 866fe85..3dbf2a8 100644
--- a/zooid/instance.go
+++ b/zooid/instance.go
@@ -405,52 +405,60 @@ func (instance *Instance) OnRequest(ctx context.Context, filter nostr.Filter) (r
 
 func (instance *Instance) QueryStored(ctx context.Context, filter nostr.Filter) iter.Seq[nostr.Event] {
 	return func(yield func(nostr.Event) bool) {
-		pubkey, ok := khatru.GetAuthed(ctx)
+		if khatru.IsInternalCall(ctx) {
+  		for event := range instance.Events.QueryEvents(filter, 0) {
+  			if !yield(event) {
+  				return
+  			}
+  		}
+		} else {
+  		pubkey, isAuthed := khatru.GetAuthed(ctx)
 
-		if !ok {
-			log.Fatal("Unauthenticated user was allowed to query events")
-		}
+  		if !isAuthed {
+  			log.Panic("Unauthorized user was allowed to query events")
+  		}
 
-		stripSignature := func(event nostr.Event) nostr.Event {
-			if instance.Config.Policy.StripSignatures && !instance.Config.IsAdmin(pubkey) {
-				var zeroSig [64]byte
-				event.Sig = zeroSig
-			}
+  		stripSignature := func(event nostr.Event) nostr.Event {
+  			if instance.Config.Policy.StripSignatures && !instance.Config.IsAdmin(pubkey) {
+  				var zeroSig [64]byte
+  				event.Sig = zeroSig
+  			}
 
-			return event
-		}
+  			return event
+  		}
 
-		if slices.Contains(filter.Kinds, AUTH_INVITE) && instance.Config.CanInvite(pubkey) {
-			if !yield(stripSignature(instance.GenerateInviteEvent(pubkey))) {
-				return
-			}
-		}
+  		if slices.Contains(filter.Kinds, AUTH_INVITE) && instance.Config.CanInvite(pubkey) {
+  			if !yield(stripSignature(instance.GenerateInviteEvent(pubkey))) {
+  				return
+  			}
+  		}
 
-		for event := range instance.Events.QueryEvents(filter, 1000) {
-			// We save some ephemeral events for bookkeeping, don't return them
-			if event.Kind.IsEphemeral() {
-				continue
-			}
+  		for event := range instance.Events.QueryEvents(filter, 1000) {
+  			// We save some ephemeral events for bookkeeping, don't return them
+  			if event.Kind.IsEphemeral() {
+  				continue
+  			}
 
-			h := GetGroupIDFromEvent(event)
+  			h := GetGroupIDFromEvent(event)
 
-			if h != "" {
-				if !instance.Config.Groups.Enabled {
-					continue
-				}
+  			if h != "" {
+  				if !instance.Config.Groups.Enabled {
+  					continue
+  				}
 
-				if !instance.HasGroupAccess(h, pubkey) {
-					continue
-				}
-			}
+  				if !instance.HasGroupAccess(h, pubkey) {
+  					continue
+  				}
+  			}
 
-			if !instance.Config.Groups.Enabled && slices.Contains(nip29.MetadataEventKinds, event.Kind) {
-				continue
-			}
+  			if !instance.Config.Groups.Enabled && slices.Contains(nip29.MetadataEventKinds, event.Kind) {
+  				continue
+  			}
 
-			if !yield(event) {
-				return
-			}
+  			if !yield(event) {
+  				return
+  			}
+  		}
 		}
 	}
 }