and fixed, the listen listen [::]:443 ssl http2; was missing. Oddly enough, so was listen [::]:80 but testing on ipv6 test sites said it was reachable. I'm currently sitting a v4 only box so I couldn't test myself (yay tx home service providers). Will try from a v6 enabled box later.