diff --git a/group_vars/mirrors/misc.yml b/group_vars/mirrors/misc.yml
index e64ea812b9f6e4a5830e61ae2e1377856c4f58bf..de398e896a650071dc640d0fbdb9d166be97402b 100644
--- a/group_vars/mirrors/misc.yml
+++ b/group_vars/mirrors/misc.yml
@@ -3,3 +3,5 @@ archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
 # raise tcp window limits to 32MiB
 tcp_rmem: "10240 87380 33554432"
 tcp_wmem: "10240 87380 33554432"
+
+nginx_enable_http3: true
diff --git a/roles/geo_dns/templates/geo.yml.j2 b/roles/geo_dns/templates/geo.yml.j2
index 35274725078371c81638dce2bedb57a1863eb874..eb95d4de266e1164ba0c2df3da7bdb3feb82312c 100644
--- a/roles/geo_dns/templates/geo.yml.j2
+++ b/roles/geo_dns/templates/geo.yml.j2
@@ -24,6 +24,17 @@ domains:
 AAAA "ifurlup('https://{{ domain }}{{ geo_options[domain]['health_check_path'] | default('/') }}',
 {'{{ hosts | map('extract', hostvars, ['ipv6_address']) | join("', '") }}'},
 {selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})"
+ - lua:
+ ttl: 300
+ content: >
+ HTTPS "'1 . alpn=h2,h3 ipv4hint=' ..
+ ifurlup('https://{{ domain }}{{ geo_options[domain]['health_check_path'] | default('/') }}',
+ {'{{ hosts | map('extract', hostvars, ['ipv4_address']) | join("', '") }}'},
+ {selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})[1] ..
+ ' ipv6hint=' ..
+ ifurlup('https://{{ domain }}{{ geo_options[domain]['health_check_path'] | default('/') }}',
+ {'{{ hosts | map('extract', hostvars, ['ipv6_address']) | join("', '") }}'},
+ {selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})[1]"
 _acme-challenge.{{ domain }}:
 - ns: {{ geo_acme_dns_challenge_ns }}
 {% endfor %}
diff --git a/roles/prometheus/defaults/main.yml b/roles/prometheus/defaults/main.yml
index 9d5a35fc8fb794cfb8787e5be7f47e41bd65cb61..e73cd8391aed1f0e1ac814fd2f640c30ebe67d58 100644
--- a/roles/prometheus/defaults/main.yml
+++ b/roles/prometheus/defaults/main.yml
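Review bot: The new HTTPS record in geo.yml.j2 hard-codes `alpn=h2,h3` for every geo domain, while HTTP/3 itself is enabled separately through `nginx_enable_http3` in group_vars/mirrors/misc.yml; nothing in this hunk ties the two together. If a host in `hosts` does not have that variable set, or its UDP 443 is filtered, it is still announced as h3-capable, and as far as the hunk shows the `ifurlup` check only fetches the plain HTTPS URL, so it would not notice a dead QUIC listener. A YAML comment above the new `- lua:` entry would record the assumption, e.g. `# h3 is advertised unconditionally; every host in this pool must serve HTTP/3 (nginx_enable_http3)`. The two hints also come from independent `ifurlup(...)[1]` calls, so `ipv4hint` and `ipv6hint` can name different mirrors when one address family of the closest host is down. The enclosing `{% for %}` loop starts outside the hunk.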
@@ -97,8 +97,10 @@ blackbox_targets:
 - lists.archlinux.org:25
 geo_dns_geo.mirror.pkgbuild.com_a: "{{ groups['geo_mirrors'] }}"
 geo_dns_geo.mirror.pkgbuild.com_aaaa: "{{ groups['geo_mirrors'] }}"
+ geo_dns_geo.mirror.pkgbuild.com_https: "{{ groups['geo_mirrors'] }}"
 geo_dns_riscv.mirror.pkgbuild.com_a: "{{ groups['geo_mirrors'] }}"
 geo_dns_riscv.mirror.pkgbuild.com_aaaa: "{{ groups['geo_mirrors'] }}"
+ geo_dns_riscv.mirror.pkgbuild.com_https: "{{ groups['geo_mirrors'] }}"
 matrix_metrics_endpoints:
 - homeserver
 - appservice
diff --git a/roles/prometheus_exporters/templates/blackbox.yml.j2 b/roles/prometheus_exporters/templates/blackbox.yml.j2
index 06751f5774c892d0c4f8da58e47f73d6669436e3..2704edf3dad2a72a2cf0232b77f0f336977297a5 100644
--- a/roles/prometheus_exporters/templates/blackbox.yml.j2
+++ b/roles/prometheus_exporters/templates/blackbox.yml.j2
@@ -47,4 +47,13 @@ modules:
 validate_answer_rrs:
 fail_if_not_matches_regexp:
 - {{ domain | replace('.', '\.') }}\.\t.*\tIN\tAAAA\t({{ hosts | map('extract', hostvars, ['ipv6_address']) | join('|') }})
+ geo_dns_{{ domain }}_https:
+ prober: dns
+ timeout: 5s
+ dns:
+ query_name: {{ domain }}
+ query_type: HTTPS
+ validate_answer_rrs:
+ fail_if_not_matches_regexp:
+ - {{ domain | replace('.', '\.') }}\.\t.*\tIN\tHTTPS\t1 \. alpn="h2,h3" ipv4hint="({{ hosts | map('extract', hostvars, ['ipv4_address']) | join('|') | replace('.', '\.') }})" ipv6hint="({{ hosts | map('extract', hostvars, ['ipv6_address']) | join('|') }})"
 {% endfor %}
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 7b0cd029f6d5ea9891461b8521dfa724ef95acab..fe578ebf05ac8fd0d701ccd35b7cade5efc41457 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -119,6 +119,7 @@ locals {
 server_type = "cx22"
 domain = "mirror"
 zone = hetznerdns_zone.pkgbuild.id
+ http3 = true
 }
 "monitoring.archlinux.org" = {
 server_type = "cx32"
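Review bot: The new `fail_if_not_matches_regexp` pattern for the HTTPS probe in blackbox.yml.j2 has no end anchor, so an answer that carries extra SvcParams after `ipv6hint` would still pass, assuming the exporter applies the pattern as an unanchored search. This probe is the only visible check on what the published HTTPS record contains, so ending the pattern with `$` directly after the closing quote of the `ipv6hint` group would make it fail on anything other than the expected parameter set. The IPv4 and IPv6 alternations accept any pairing of hosts, which matches the independent selection in the geo template but also means a hint pointing at the wrong mirror for a region is not detected. The surrounding `{% for %}` loop starts outside the hunk.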
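Review bot: `http3 = true` in tf-stage1/archlinux.tf is added without a comment, and the same literal is repeated by hand on `rsync` and on nine mirror/archive entries in the later hunks (`@@ -281` and `@@ -355`), separately from `nginx_enable_http3` in group_vars. The code that reads the attribute is outside these hunks, so it is not visible whether entries without the key fall back to false; a direct `each.value.http3` reference would fail for every other map entry, so a `try(each.value.http3, false)` style lookup is worth confirming. A comment at this first occurrence, such as `# http3: must match nginx_enable_http3 for the host (group_vars)`, would document the coupling so the two settings do not drift apart. The `locals` block starts and ends outside the hunk.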
@@ -281,6 +282,7 @@ locals {
 rsync = {
 ipv4_address = "168.119.141.106"
 ipv6_address = "2a01:4f8:251:598::"
+ http3 = true
 }
 runner1 = {
 ipv4_address = "138.199.19.15"
@@ -355,38 +357,47 @@ locals {
 "america.mirror" = {
 ipv4_address = "143.244.34.62"
 ipv6_address = "2a02:6ea0:cc0e::2"
+ http3 = true
 }
 "america.archive" = {
 ipv4_address = "143.244.34.62"
 ipv6_address = "2a02:6ea0:cc0e::2"
+ http3 = true
 }
 "asia.mirror" = {
 ipv4_address = "84.17.57.98"
 ipv6_address = "2a02:6ea0:d605::2"
+ http3 = true
 }
 "asia.archive" = {
 ipv4_address = "84.17.57.98"
 ipv6_address = "2a02:6ea0:d605::2"
+ http3 = true
 }
 "europe.mirror" = {
 ipv4_address = "89.187.191.12"
 ipv6_address = "2a02:6ea0:c237::2"
+ http3 = true
 }
 "europe.archive" = {
 ipv4_address = "89.187.191.12"
 ipv6_address = "2a02:6ea0:c237::2"
+ http3 = true
 }
 "london.mirror" = {
 ipv4_address = "185.73.44.89"
 ipv6_address = "2001:ba8:0:4030::2"
+ http3 = true
 }
 "seoul.mirror" = {
 ipv4_address = "145.40.87.75"
 ipv6_address = "2604:1380:11:2600::1"
+ http3 = true
 }
 "sydney.mirror" = {
 ipv4_address = "147.75.48.159"
 ipv6_address = "2604:1380:40f1:6a00::1"
+ http3 = true
 }
 repro2 = {
 ipv4_address = "212.102.38.209"