diff --git a/configs/nixos/ni/default.nix b/configs/nixos/ni/default.nix
index 05ae879c..b98fb947 100644
--- a/configs/nixos/ni/default.nix
+++ b/configs/nixos/ni/default.nix
@@ -20,6 +20,7 @@
     services.backup.enable = true;
     services.monitoring.enable = true;
     services.penpot.enable = true;
+    services.reverse-proxy.enable = true;
     setups = {
       desktop.enable = true;
       development.enable = true;
diff --git a/configs/nixos/ni/modules/default.nix b/configs/nixos/ni/modules/default.nix
index 78bc7def..b67caa27 100644
--- a/configs/nixos/ni/modules/default.nix
+++ b/configs/nixos/ni/modules/default.nix
@@ -5,6 +5,7 @@
     ./networking/setup.nix
     ./networking/wireguard.nix
     ./services/backup
+    ./services/reverse-proxy.nix
     ./services/monitoring.nix
     ./services/download-media
     ./services/penpot
diff --git a/configs/nixos/ni/modules/services/reverse-proxy.nix b/configs/nixos/ni/modules/services/reverse-proxy.nix
new file mode 100644
index 00000000..5b4cb4f1
--- /dev/null
+++ b/configs/nixos/ni/modules/services/reverse-proxy.nix
@@ -0,0 +1,21 @@
+# A private-use reverse proxy for certain system services.
+{ config, lib, pkgs, ... }:
+
+let
+  hostCfg = config.hosts.ni;
+  cfg = hostCfg.services.reverse-proxy;
+in
+{
+  options.hosts.ni.services.reverse-proxy.enable =
+    lib.mkEnableOption "private-use reverse proxy setup";
+
+  config = lib.mkIf cfg.enable {
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      recommendedProxySettings = true;
+    };
+  };
+}