diff --git a/nixos/common.nix b/nixos/common.nix
index 54cfc67..b8c91c2 100644
--- a/nixos/common.nix
+++ b/nixos/common.nix
@@ -114,6 +114,8 @@ in
 allowedTCPPorts = [
 22
+ 80
+ 443
 ];
 };
 };
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index a52fff6..309d42d 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -3,6 +3,7 @@
 ./fail2ban.nix
 ./sysctl.nix
 ./host.nix
+ ./nginx.nix
 ./snapper.nix
 ./substituters.nix
 ];
diff --git a/nixos/modules/nginx.nix b/nixos/modules/nginx.nix
new file mode 100644
index 0000000..38ff082
--- /dev/null
+++ b/nixos/modules/nginx.nix
@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+let
+ fqdn = config.networking.fqdn;
+
+ mkVhost =
+ attrs:
+ {
+ forceSSL = false; # TODO: tweak per host
+ }
+ // attrs;
+
+ mkProxy = port: {
+ proxyPass = "http://127.0.0.1:${toString port}/";
+ };
+in
+{
+ services.nginx = {
+ enable = true;
+
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+
+ # services.nginx.virtualHosts."${fqdn}" = {
+ # addSSL = true;
+ # root = "/var/www/myhost.org";
+ # default = true;
+ # };
+ };
+}
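Review bot: Ports 80 and 443 are added to `allowedTCPPorts` in `nixos/common.nix`, separate from the service that needs them, so the firewall stays open even on a host where nginx is later disabled or never serves anything. If `common.nix` is shared by every host (inferred from its name, not visible here), this widens the exposed surface of the whole fleet in one line. I would keep the rule next to the service in `nixos/modules/nginx.nix` and tie it to the option: `networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];`. The enclosing firewall attribute set starts outside the hunk, so other settings there are not visible.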
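Review bot: `mkVhost` in `nixos/modules/nginx.nix` defaults every virtual host to `forceSSL = false`, so a host built through the helper answers over plain HTTP unless its caller remembers to override it, and the same commit opens port 80 alongside 443. Because the helper merges with `// attrs`, the safer shape is to redirect by default and let a host opt out: `forceSSL = true; # set forceSSL = false only for hosts without a certificate`. Separately, the commented-out example sits inside `services.nginx = { … }` but uses the full `services.nginx.virtualHosts` path, so uncommenting it as-is would define `services.nginx.services.nginx.virtualHosts`. It should read `virtualHosts."${fqdn}" = mkVhost { … };`, and its `addSSL = true` will need a certificate source such as `enableACME` or `sslCertificate`/`sslCertificateKey`.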