diff --git a/bundles/mariadb/items.py b/bundles/mariadb/items.py
index 1eb5c06..031a386 100644
--- a/bundles/mariadb/items.py
+++ b/bundles/mariadb/items.py
@@ -81,8 +81,8 @@ for db, conf in node.metadata.get('mariadb/databases', {}).items():
 ],
 }
 actions[f'mariadb_grant_privileges_to_{db}'] = {
- 'command': mariadb(f"GRANT ALL PRIVILEGES ON {db} TO '{db}'", database=db),
- 'unless': mariadb(f"SHOW GRANTS FOR {db}") + f" | grep -q '^GRANT ALL PRIVILEGES ON `{db}`.`{db}` TO `{db}`@`%`$'",
+ 'command': mariadb(f"GRANT ALL PRIVILEGES ON {db}.* TO '{db}'", database=db),
+ 'unless': mariadb(f"SHOW GRANTS FOR {db}") + f" | grep -q '^GRANT ALL PRIVILEGES ON `{db}`.* TO `{db}`@`%`'",
 'needs': [
 f'action:mariadb_user_{db}_create',
 ],
diff --git a/bundles/wordpress/metadata.py b/bundles/wordpress/metadata.py
index 7adbbb0..a1c844c 100644
--- a/bundles/wordpress/metadata.py
+++ b/bundles/wordpress/metadata.py
@@ -10,7 +10,7 @@ def wordpress(metadata):
 site: {
 'db_password': repo.vault.password_for(f"wordpress {site} db").value,
 }
- for site in metadata.get('wordpress', {})
+ for site in metadata.get('wordpress')
 },
 }
@@ -25,7 +25,7 @@ def mariadb(metadata):
 site: {
 'password': metadata.get(f'wordpress/{site}/db_password')
 }
- for site in metadata.get('wordpress', {})
+ for site in metadata.get('wordpress')
 },
 },
 }
@@ -48,3 +48,19 @@ def vhost(metadata):
 },
 },
 }
+
+
+@metadata_reactor.provides(
+ 'zfs/datasets',
+)
+def zfs(metadata):
+ return {
+ 'zfs': {
+ 'datasets': {
+ f'tank/{site}': {
+ 'mountpoint': f'/opt/{site}',
+ }
+ for site in metadata.get('wordpress')
+ },
+ },
+ }
diff --git a/data/wordpress/vhost.conf b/data/wordpress/vhost.conf
index 146556f..61b678e 100644
--- a/data/wordpress/vhost.conf
+++ b/data/wordpress/vhost.conf
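Review bot: In bundles/mariadb/items.py the new `unless` pattern hands `.*` to plain `grep -q`, where it is a regex wildcard rather than the literal `.*` that SHOW GRANTS prints, and the trailing `$` anchor has been dropped. As written, a narrower grant line for the same user (for example one on a single table of that database) would also satisfy the check, so the database-wide GRANT would be skipped and the privilege state could drift from what the bundle declares. Matching the line as a fixed string with `grep -qF` (without the `^`), or escaping the scope as `\.\*`, keeps the idempotency check tied to the exact grant. Separately, `{db}` is interpolated unquoted into `GRANT ALL PRIVILEGES ON {db}.*` while the user name is quoted; backtick-quoting the identifier would keep names containing `-` or other special characters from changing what the statement targets. The enclosing `for` loop and the `mariadb()` helper are outside the hunk, so how the SQL is shell-quoted cannot be checked from here.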
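Review bot: In the new `zfs` reactor in bundles/wordpress/metadata.py, the site key goes unchecked into both the dataset name `f'tank/{site}'` and the mountpoint `f'/opt/{site}'`, so a key containing `/` or `..` would produce a nested dataset or a mountpoint outside `/opt`. The keys come from node metadata, which is presumably operator-controlled, but a short validation of the key, or a comment stating the allowed character set, would make that assumption explicit. The pool name `tank` is also hard-coded; reading it from metadata would keep the bundle usable on nodes whose pool is named differently. The reactor has no docstring; something like `"""Create one ZFS dataset per WordPress site, mounted at /opt/<site>."""` would do.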
@@ -1,9 +1,15 @@ # Upstream to abstract backend connection(s) for php server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ${server_name}; root ${root}; index index.php; + ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem; + location = /favicon.ico { log_not_found off; access_log off;
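Review bot: The server block now loads `ssl_certificate` and `ssl_certificate_key` from `/var/lib/dehydrated/certs/${server_name}/`, and nginx refuses to load a configuration whose certificate files are missing, yet nothing visible in this diff makes the vhost depend on dehydrated having already issued a certificate for that name. With only the two `listen 443 ssl http2;` lines added, this vhost has no port-80 listener of its own, so plain-HTTP requests for the site (including an HTTP-01 challenge, if that is the method dehydrated uses here) are left to whatever default server exists. No `ssl_protocols` directive or HSTS header is set in the block; if those are not defined globally in the http context, setting them here or in a shared include would be worth it. The server block continues beyond the hunk, so later directives were not reviewed.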