diff --git a/nixos/modules/nginx.nix b/nixos/modules/nginx.nix
index e6e5f53..604784c 100644
--- a/nixos/modules/nginx.nix
+++ b/nixos/modules/nginx.nix
@@ -3,13 +3,20 @@ let
   inherit (config.networking) fqdn;
 
   mkVhost =
-    attrs:
+    attrs: locations:
     let
       acmeEnabled = config.acme.enable;
     in
     {
       forceSSL = acmeEnabled;
       useACMEHost = if acmeEnabled then fqdn else null;
+
+      locations = {
+        "= /robots.txt" = {
+          alias = disallowedRobotsTxt;
+        };
+      }
+      // locations;
     }
     // attrs;
 
@@ -21,6 +28,19 @@ let
       proxy_request_buffering off;
     '';
   };
+
+  mkSsi = webRoot: {
+    root = webRoot;
+
+    extraConfig = ''
+      ssi on;
+    '';
+  };
+
+  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
+    User-agent: *
+    Disallow: /
+  '';
 in
 {
   services.nginx = {
@@ -32,20 +52,12 @@ in
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
 
-    virtualHosts."${fqdn}" = mkVhost {
-      default = true;
-
-      locations."/" = {
-        root = "${self.pins.website}/web-root";
-
-        extraConfig = ''
-          ssi on;
-        '';
-      };
+    virtualHosts."${fqdn}" = mkVhost { default = true; } {
+      "/" = mkSsi "${self.pins.website}/web-root";
     };
 
-    virtualHosts."git.${fqdn}" = mkVhost {
-      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+    virtualHosts."git.${fqdn}" = mkVhost { } {
+      "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
     };
   };