diff --git a/hosts/sombrero/configuration.nix b/hosts/sombrero/configuration.nix
index 12d93d3..06861ec 100644
--- a/hosts/sombrero/configuration.nix
+++ b/hosts/sombrero/configuration.nix
@@ -73,24 +73,12 @@
 
     firewall = {
       allowedTCPPorts = [
-        80
-        443
         1122  # ssh
       ];
     };
   };
 
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "alex@a2x.se";
-
   services = {
-    nginx = {
-      enable = true;
-
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-    };
-
     openssh = {
       enable = true;
       ports = [ 1122 ];
@@ -183,6 +171,7 @@
 
   mod = {
     docker.enable = true;
+    nginx.enable = true;
     syncthing.enable = true;
     plex.enable = true;
     calibre-web.enable = true;
diff --git a/hosts/sombrero/modules/calibre-web/default.nix b/hosts/sombrero/modules/calibre-web/default.nix
index f16f479..32ac39a 100644
--- a/hosts/sombrero/modules/calibre-web/default.nix
+++ b/hosts/sombrero/modules/calibre-web/default.nix
@@ -1,6 +1,7 @@
 { lib, config, ... }:
 let
   enabled = config.mod.calibre-web.enable;
+  nginxEnabled = config.mod.nginx.enable;
 in
 {
   options = {
@@ -9,7 +10,7 @@ in
     };
   };
 
-  config = lib.mkIf enabled {
+  config = lib.mkIf (enabled && nginxEnabled) {
     services = {
       calibre-web = {
         enable = true;
diff --git a/hosts/sombrero/modules/nginx/default.nix b/hosts/sombrero/modules/nginx/default.nix
new file mode 100644
index 0000000..b077ccb
--- /dev/null
+++ b/hosts/sombrero/modules/nginx/default.nix
@@ -0,0 +1,38 @@
+{ lib, config, ... }:
+let
+  enabled = config.mod.nginx.enable;
+in
+{
+  options = {
+    mod.nginx = {
+      enable = lib.mkEnableOption "add nginx module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    security = {
+      acme = {
+        acceptTerms = true;
+
+        defaults = {
+          email = "alex@a2x.se";
+        };
+      };
+    };
+
+    services = {
+      nginx = {
+        enable = true;
+
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+      };
+    };
+
+    networking = {
+      firewall = {
+        allowedTCPPorts = [ 80 443 ];
+      };
+    };
+  };
+}
diff --git a/hosts/sombrero/modules/syncthing/default.nix b/hosts/sombrero/modules/syncthing/default.nix
index abc35f9..9649045 100644
--- a/hosts/sombrero/modules/syncthing/default.nix
+++ b/hosts/sombrero/modules/syncthing/default.nix
@@ -1,6 +1,7 @@
 { lib, config, ... }:
 let
   enabled = config.mod.syncthing.enable;
+  nginxEnabled = config.mod.nginx.enable;
 in
 {
   options = {
@@ -9,7 +10,7 @@ in
     };
   };
 
-  config = lib.mkIf enabled {
+  config = lib.mkIf (enabled && nginxEnabled) {
     networking = {
       firewall = {
         allowedTCPPorts = [ 8384 ];