diff --git a/modules/common/default.nix b/modules/common/default.nix
index 0989a26..35642b2 100644
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@@ -10,6 +10,7 @@
 ./acme.nix
 ./boot.nix
 ./exporters.nix
+ ./nginx.nix
 ./nix.nix
 ./ssh.nix
 ./tailscale.nix
diff --git a/modules/common/nginx.nix b/modules/common/nginx.nix
new file mode 100644
index 0000000..1908ef2
--- /dev/null
+++ b/modules/common/nginx.nix
@@ -0,0 +1,10 @@
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.nginx = {
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ enable = true;
+ };
+}
diff --git a/modules/monitoring/grafana.nix b/modules/monitoring/grafana.nix
index bec53b0..3c21a17 100644
--- a/modules/monitoring/grafana.nix
+++ b/modules/monitoring/grafana.nix
@@ -14,13 +14,7 @@ in
 networking.domains.subDomains."${domain}" = { };
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- virtualHosts."${domain}" = {
+ services.nginx.virtualHosts."${domain}" = {
 enableACME = true;
 forceSSL = true;
 locations."/" = {
@@ -28,7 +22,6 @@ in
 proxyWebsockets = true;
 };
 };
- };
 services.grafana = {
 enable = true;
diff --git a/nodes/sync/syncthing.nix b/nodes/sync/syncthing.nix
index 933c9c2..151a943 100644
--- a/nodes/sync/syncthing.nix
+++ b/nodes/sync/syncthing.nix
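Review bot: `enable = true;` and `networking.firewall.allowedTCPPorts = [ 80 443 ];` are unconditional in a module under modules/common, so every host that imports common now runs nginx with 80/443 open, whereas in this diff only the Grafana and Syncthing configurations did so before. If any host has no virtual host to serve, I would keep the `recommended*` settings here, drop `enable = true;`, and gate the ports with `networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];` (the file then needs a `{ config, lib, ... }:` header), leaving `services.nginx.enable = true;` to the modules that define a vhost. Separately, `recommendedGzipSettings = true;` appears in neither of the removed blocks, so it is a behaviour change riding along with the refactor. It deserves a comment confirming it is intended, since compressing proxied, authenticated responses over TLS is the precondition for BREACH-style length side channels.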
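Review bot: After the first hunk in modules/monitoring/grafana.nix, the vhost depends on modules/common/nginx.nix for `services.nginx.enable` and for the 80/443 firewall rule, but nothing in this file says so. A host that imports the monitoring module without common would presumably still evaluate, yet never serve the vhost or request its certificate. I would add a comment above the vhost, for example `# nginx enable, TLS defaults and firewall ports come from modules/common/nginx.nix`, or restate `services.nginx.enable = true;` here, which merges with the common definition. The same applies to the vhost in nodes/sync/syncthing.nix. The enclosing attribute set starts and ends outside the hunk.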
@@ -3,26 +3,15 @@ let
 domain = "sync.xnee.net";
 in
 {
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- security.acme = {
- defaults.email = "acme@xnee.net";
- acceptTerms = true;
- certs."${domain}" = { };
- };
+ security.acme.certs."${domain}" = { };
- services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- virtualHosts."${domain}" = {
+ services.nginx.virtualHosts."${domain}" = {
 enableACME = true;
 forceSSL = true;
 locations."/" = {
 proxyPass = "http://${config.services.syncthing.guiAddress}";
 };
 };
- };
 services.syncthing = {
 enable = true;
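Review bot: The added `security.acme.certs."${domain}" = { };` looks redundant, because `enableACME = true;` on the vhost below already makes the NixOS nginx module define a certificate for that name; dropping the line leaves a single place that decides how the certificate is issued. With `defaults.email` and `acceptTerms` removed here, issuance now depends on the ./acme.nix module listed in modules/common/default.nix, which merits a comment such as `# ACME defaults (email, acceptTerms) come from modules/common/acme.nix`. This vhost also publishes the Syncthing GUI on the 80/443 listener with no proxy-level restriction visible in the hunk. GUI authentication is therefore the only barrier, so confirm it is set; it is presumably configured in the `services.syncthing` block, which continues outside the hunk.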