diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 70cedf32..9c011b4e 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -1415,10 +1415,10 @@ matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-syn
 matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}"
 
 matrix_nginx_proxy_proxy_dendrite_enabled: "{{ matrix_dendrite_enabled }}"
-matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_client_api_port }}"
-matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}"
-matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_federation_api_plain_port|string }}"
-matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_federation_api_plain_port|string }}"
+matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port|string }}"
+matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_http_bind_port|string }}"
+matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port|string }}"
+matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_http_bind_port|string }}"
 
 # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter.
 matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}"
@@ -2209,11 +2209,11 @@ matrix_postgres_backup_databases: |
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it,
 # you can expose Dendrite's ports to the host.
 #
-# For exposing the Matrix Client API's port (plain HTTP) to the local host.
-matrix_dendrite_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}"
+# For exposing Dendrite's plain HTTP server to the local host.
+matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_dendrite_http_bind_port|string) }}"
 #
-# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces.
-matrix_dendrite_container_federation_api_tls_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else matrix_federation_public_port }}"
+# For exposing Dendrite's HTTPS server to the local host.
+matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port|string) }}"
 
 matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}"
 
diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml
index 11952ce7..8cd4c168 100644
--- a/roles/matrix-dendrite/defaults/main.yml
+++ b/roles/matrix-dendrite/defaults/main.yml
@@ -14,31 +14,42 @@ matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage"
 matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store"
 matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext"
 
-matrix_dendrite_container_http_bind_port: 8008
+# By default, we make Dendrite only serve HTTP (not HTTPS).
+# HTTPS is usually served at the reverse-proxy side (usually via `matrix-nginx-proxy`).
+#
+# To enable HTTPS serving by Dendrite (directly):
+# - `matrix_dendrite_https_bind_port` must be set
+# - `-tls-cert` and `-tls-key` must be passed to Dendrite via `matrix_dendrite_process_extra_arguments`
+# - the TLS certificate files must be mounted into the container using `matrix_dendrite_container_additional_volumes`
+matrix_dendrite_http_bind_port: 8008
+matrix_dendrite_https_bind_port: ~
 
-# This is passed as a flag `-http-bind-address` flag to the Dendrite server in the container
-matrix_dendrite_container_http_bind_address: ":{{ matrix_dendrite_container_http_bind_port }}"
+# This is passed as an `-http-bind-address` flag to the Dendrite server in the container
+matrix_dendrite_http_bind_address: "{{ (':' + matrix_dendrite_http_bind_port|string) if matrix_dendrite_http_bind_port else '' }}"
 
-# Dendrite monolith exposes both the Client API and the Federation API on the same port
-matrix_dendrite_container_client_api_port: "{{ matrix_dendrite_container_http_bind_port }}"
-matrix_dendrite_container_federation_api_plain_port: "{{ matrix_dendrite_container_http_bind_port }}"
+# This is passed as an `-https-bind-address` flag to the Dendrite server in the container
+matrix_dendrite_https_bind_address: "{{ (':' + matrix_dendrite_https_bind_port|string) if matrix_dendrite_https_bind_port else '' }}"
 
-# Controls whether the matrix-dendrite container exposes the Client/Server API port (tcp/8008 in the container).
+# Controls whether the matrix-dendrite container exposes the HTTP port (tcp/{{ matrix_dendrite_http_bind_port }} in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
-matrix_dendrite_container_client_api_host_bind_port: ""
+matrix_dendrite_container_http_host_bind_address: ""
 
-# Controls whether the matrix-dendrite container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container).
+# Controls whether the matrix-dendrite container exposes the HTTPS port (tcp/{{ matrix_dendrite_https_bind_port }} in the container).
 #
-# Takes effect only if federation is enabled (matrix_dendrite_federation_enabled)
-# and TLS support is enabled (matrix_dendrite_tls_federation_listener_enabled).
-#
-# Takes an "<ip>:<port>" or "<port>" value (e.g. "8448"), or empty string to not expose.
-matrix_dendrite_container_federation_api_tls_host_bind_port: ""
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8448"), or empty string to not expose.
+matrix_dendrite_container_https_host_bind_address: ""
 
-# A list of extra arguments to pass to the container
+# A list of extra arguments to pass to the container (`docker run` command)
 matrix_dendrite_container_extra_arguments: []
 
+# A list of extra arguments to pass to the container process (`dendrite-monolith` command)
+# Example:
+# matrix_dendrite_process_extra_arguments:
+#  - "-tls-cert /some/path.crt"
+#  - "-tls-key /some/path.pem"
+matrix_dendrite_process_extra_arguments: []
+
 # List of systemd services that matrix-dendrite.service depends on
 matrix_dendrite_systemd_required_services_list: ["docker.service"]
 
diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2
index a67a3c20..4c357fd1 100644
--- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2
+++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2
@@ -29,11 +29,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \
 			--network={{ matrix_docker_network }} \
-			{% if matrix_dendrite_container_client_api_host_bind_port %}
-			-p {{ matrix_dendrite_container_client_api_host_bind_port }}:8008 \
+			{% if matrix_dendrite_container_http_host_bind_address and matrix_dendrite_http_bind_port %}
+			-p {{ matrix_dendrite_container_http_host_bind_address }}:{{ matrix_dendrite_http_bind_port }} \
 			{% endif %}
-			{% if matrix_dendrite_container_federation_api_tls_host_bind_port %}
-			-p {{ matrix_dendrite_container_federation_api_tls_host_bind_port }}:8448 \
+			{% if matrix_dendrite_container_https_host_bind_address and matrix_dendrite_https_bind_port %}
+			-p {{ matrix_dendrite_container_https_host_bind_address }}:{{ matrix_dendrite_https_bind_port }} \
 			{% endif %}
 			--mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \
 			--mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \
@@ -45,7 +45,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \
 			{% endfor %}
 			{{ matrix_dendrite_docker_image }} \
 			-config /data/dendrite.yaml \
-			-http-bind-address {{ matrix_dendrite_container_http_bind_address }}
+			{% if matrix_dendrite_http_bind_address %}
+			-http-bind-address {{ matrix_dendrite_http_bind_address }}
+			{% endif %}
+			{% if matrix_dendrite_https_bind_address %}
+			-https-bind-address {{ matrix_dendrite_https_bind_address }}
+			{% endif %}
+			{{ matrix_dendrite_process_extra_arguments|join(' ') }}
 
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite