diff --git a/modules/default.nix b/modules/default.nix
index 2155137..cc943b2 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -2,5 +2,6 @@
 {
 imports = [
 ./backup.nix
+ ./nginx.nix
 ];
 }
diff --git a/modules/nginx.nix b/modules/nginx.nix
new file mode 100644
index 0000000..f7da511
--- /dev/null
+++ b/modules/nginx.nix
@@ -0,0 +1,28 @@
+{ config, lib, ...}:
+ let
+ cfg = config.my.nginx;
+ in
+ {
+ options.my.nginx = {
+ enable = lib.mkEnableOption "nginx";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedZstdSettings = true;
+ recommendedProxySettings = true;
+
+ # HSTS for all domains
+ appendHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ '';
+ };
+ };
+}
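Review bot: The `add_header Strict-Transport-Security $hsts_header;` line inside `appendHttpConfig` has no `always` parameter, so nginx attaches the header only to its fixed set of success and redirect status codes and HTTPS error responses go out without HSTS; I would write `add_header Strict-Transport-Security $hsts_header always;`. Because the directive sits at the http level, nginx also stops inheriting it in any server or location block that declares an `add_header` of its own, so the comment `# HSTS for all domains` overstates the guarantee; a comment such as `# http-level add_header is not inherited where a vhost/location sets its own add_header; repeat it there` would make that visible. Separately, `includeSubdomains; preload` with a one-year max-age is applied to every virtual host this module serves and is hard to roll back once browsers have cached it, so if not every subdomain of every hosted domain is HTTPS-only, the policy string is better exposed as a module option than fixed here.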