diff --git a/machines/bomba/services/nginx.nix b/machines/bomba/services/nginx.nix
new file mode 100644
index 0000000..202baa3
--- /dev/null
+++ b/machines/bomba/services/nginx.nix
@@ -0,0 +1,42 @@
+{ currentSystemEmail, ... }:
+{
+ services.nginx = {
+ enable = false;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ virtualHosts =
+ let
+ base = locations: {
+ inherit locations;
+
+ enableACME = true;
+ forceSSL = true;
+ };
+ proxy =
+ ipPort:
+ base {
+ "/".proxyPass = "http://" + ipPort + "/";
+ };
+ in
+ {
+ "patrickcanal.it" = {
+ root = "/var/www/patrickcanal.it/public/";
+ enableACME = true;
+ forceSSL = true;
+ };
+ "gitea.patrickcanal.it" = proxy "127.0.0.1:8001" // {
+ default = true;
+ };
+ "vaultwarden.patrickcanal.it" = proxy "172.18.0.2:8002" // {
+ default = true;
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = currentSystemEmail;
+ };
+}
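Review bot: `default = true;` is set on both the `gitea.patrickcanal.it` and `vaultwarden.patrickcanal.it` vhosts, and nginx refuses a configuration with two `default_server` blocks on the same listen address, so this will most likely fail its config test once `enable` is flipped to `true`. The default vhost also answers every request whose Host header or SNI matches no server name, which is a poor role for a password-manager or Git backend. Drop `default = true;` from both and add a catch-all that serves nothing, e.g. `"_" = { default = true; rejectSSL = true; locations."/".return = "444"; };`. Separately, the Vaultwarden upstream `172.18.0.2:8002` looks like a container bridge address reached over plain HTTP; confirm that the address is stable and that the port is not also published on the host's external interface.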