diff --git a/hosts/orion/default.nix b/hosts/orion/default.nix
index 5c113c1..5a0e632 100644
--- a/hosts/orion/default.nix
+++ b/hosts/orion/default.nix
@@ -102,6 +102,13 @@
 smartmontools
 ];
+ ataraxia.services.nginx.enable = true;
+ ataraxia.services.nginx.defaultSettings = {
+ useACMEHost = "ataraxiadev.com";
+ enableACME = false;
+ forceSSL = true;
+ };
+ ataraxia.containers.filestash.enable = true;
 ataraxia.containers.media-stack.enable = true;
 ataraxia.containers.tinyproxy.enable = true;
diff --git a/modules/nixos/security/acme.nix b/modules/nixos/security/acme.nix
index 6589f23..cb78206 100644
--- a/modules/nixos/security/acme.nix
+++ b/modules/nixos/security/acme.nix
@@ -8,6 +8,8 @@ let
 inherit (lib) mkEnableOption mkIf;
 cfg = config.ataraxia.security.acme;
+ nginxEnabled = config.ataraxia.services.nginx.enable;
+ nginxGroup = config.services.nginx.group;
 in
 {
 options.ataraxia.security.acme = {
@@ -25,6 +27,7 @@ in
 defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
 defaults.email = "admin@ataraxiadev.com";
 defaults.renewInterval = "weekly";
+ defaults.group = mkIf nginxEnabled nginxGroup;
 certs = {
 "ataraxiadev.com" = {
 extraDomainNames = [ "*.ataraxiadev.com" ];
diff --git a/modules/nixos/services/nginx.nix b/modules/nixos/services/nginx.nix
new file mode 100644
index 0000000..58490ad
--- /dev/null
+++ b/modules/nixos/services/nginx.nix
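Review bot: `ataraxia.services.nginx.defaultSettings` is populated here but nothing in this hunk consumes it, and the option is documented in the new module as not applied automatically, so every virtualHost that should be TLS-only must merge it by hand (`recursiveUpdate config.ataraxia.services.nginx.defaultSettings { … }` per the module's own usage example) or `forceSSL`/`useACMEHost` silently do nothing for that host. `enableACME = false;` is already the NixOS default for a vhost and can be dropped. A one-line comment such as `# not applied automatically: merge into each vhost, see modules/nixos/services/nginx.nix` would make the intent clear to the next reader of this host file.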
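Review bot: `defaults.group = mkIf nginxEnabled nginxGroup;` in the second acme.nix hunk changes the group of every certificate the ACME module manages, not only `ataraxiadev.com`, so any future cert added under `certs` for another service also has its private key readable by nginx's group; if that is not wanted, a per-cert `group` on the `"ataraxiadev.com"` entry is the narrower choice. The reason for the setting is not obvious from the line itself: the host's vhosts reference the cert via `useACMEHost` rather than `enableACME`, and as far as I recall the NixOS nginx module only sets a cert's group automatically for `enableACME` hosts, so a comment like `# vhosts use useACMEHost, so nginx's group needs read access to the key` would help. The condition keys on `config.ataraxia.services.nginx.enable` (first acme.nix hunk) rather than `config.services.nginx.enable`, which means an nginx enabled outside the wrapper module would not get the group — fine if intentional, but worth stating.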
@@ -0,0 +1,60 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ inherit (lib) mkEnableOption mkIf mkOption;
+ inherit (lib.types) attrs;
+
+ cfg = config.ataraxia.services.nginx;
+in
+{
+ options.ataraxia.services.nginx = {
+ enable = mkEnableOption "Enable nginx service";
+ defaultSettings = mkOption {
+ type = attrs;
+ default = { };
+ description = ''
+ Default settings to append to virtualHosts. Does not apllied automatically.
+ Usage example: `your-host = recursiveUpdate defaultSettings { };`
+ '';
+ };
+ # extraConfig = mkOption {
+ # type = str;
+ # default = "";
+ # description = ''
+ # Default settings to append to extraConfig of virtual host's location. Does not apllied automatically.
+ # Usage example: `extraConfig = recursiveUpdate extraConfig "";`
+ # '';
+ # };
+ };
+
+ config = mkIf cfg.enable {
+ services.nginx = {
+ enable = true;
+ package = pkgs.nginxQuic;
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedUwsgiSettings = true;
+ recommendedZstdSettings = true;
+ clientMaxBodySize = "250m";
+ commonHttpConfig = ''
+ proxy_hide_header X-Frame-Options;
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ networking.firewall.allowedUDPPorts = [
+ 80
+ 443
+ ];
+ };
+}
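Review bot: `proxy_hide_header X-Frame-Options;` in `commonHttpConfig` strips the clickjacking protection from every proxied upstream on this host, not just the one application that presumably needs to be embedded; it should live in the specific vhost or location that requires framing (ideally next to an explicit `add_header Content-Security-Policy "frame-ancestors …";` that names the allowed embedders), with a comment saying which app needs it and why. `allowedUDPPorts` opens 80/udp, on which nothing listens; QUIC/HTTP3 only needs 443/udp, and only once a vhost sets `quic`/`http3`, so `networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC/HTTP3` is the tighter rule. The `defaultSettings` description has a typo (`apllied` → `applied`), and the commented-out `extraConfig` option block is dead code that is better removed or tracked elsewhere. `type = attrs` merges multiple definitions shallowly, so two modules both setting `defaultSettings` would overwrite rather than combine nested keys; if that is not intended, `attrsOf anything` or a submodule would be safer.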