diff --git a/services/bitwarden_rs.nix b/services/bitwarden_rs.nix
index 27bd4be..8d26243 100644
--- a/services/bitwarden_rs.nix
+++ b/services/bitwarden_rs.nix
@@ -57,13 +57,6 @@ in {
     };
 
     services.nginx = {
-      enable = true;
-
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedTlsSettings = true;
-      recommendedProxySettings = true;
-
       virtualHosts = {
         "pass.${domain}" = {
           forceSSL = true;
diff --git a/services/default.nix b/services/default.nix
index 7a4290b..5f4c64a 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -8,6 +8,7 @@
     ./matrix.nix
     ./miniflux.nix
     ./monitoring.nix
+    ./nginx.nix
     ./postgresql-backup.nix
   ];
 }
diff --git a/services/gitea.nix b/services/gitea.nix
index 196a8ee..42615b4 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -84,13 +84,6 @@ in {
     };
 
     services.nginx = {
-      enable = true;
-
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedTlsSettings = true;
-      recommendedProxySettings = true;
-
       virtualHosts = {
         "git.${domain}" = {
           forceSSL = true;
diff --git a/services/matrix.nix b/services/matrix.nix
index f508325..86aeefa 100644
--- a/services/matrix.nix
+++ b/services/matrix.nix
@@ -69,13 +69,6 @@ in {
     };
 
     services.nginx = {
-      enable = true;
-
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedTlsSettings = true;
-      recommendedProxySettings = true;
-
       virtualHosts = {
         "matrix.${domain}" = {
           forceSSL = true;
diff --git a/services/miniflux.nix b/services/miniflux.nix
index 04afd77..35a5fe2 100644
--- a/services/miniflux.nix
+++ b/services/miniflux.nix
@@ -47,13 +47,6 @@ in {
     };
 
     services.nginx = {
-      enable = true;
-
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedTlsSettings = true;
-      recommendedProxySettings = true;
-
       virtualHosts = {
         "reader.${domain}" = {
           forceSSL = true;
diff --git a/services/monitoring.nix b/services/monitoring.nix
index db60d6e..68f1316 100644
--- a/services/monitoring.nix
+++ b/services/monitoring.nix
@@ -68,13 +68,6 @@ in {
     };
 
     services.nginx = {
-      enable = true;
-
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-
       virtualHosts.${config.services.grafana.domain} = {
         locations."/" = {
           proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
diff --git a/services/nginx.nix b/services/nginx.nix
new file mode 100644
index 0000000..79c1dec
--- /dev/null
+++ b/services/nginx.nix
@@ -0,0 +1,21 @@
+# Part of config shamelessly stolen from:
+#
+# https://github.com/delroth/infra.delroth.net
+{ config, lib, ... }:
+{
+  # Whenever something defines an nginx vhost, ensure that nginx defaults are
+  # properly set.
+  config = lib.mkIf ((builtins.attrNames config.services.nginx.virtualHosts) != [ ]) {
+    services.nginx = {
+      enable = true;
+      statusPage = true; # For monitoring scraping.
+
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      recommendedProxySettings = true;
+    };
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+  };
+}