diff --git a/flake.lock b/flake.lock
index 14109bb..a67f7ca 100644
--- a/flake.lock
+++ b/flake.lock
@@ -691,11 +691,11 @@
 "tools": "tools"
 },
 "locked": {
- "lastModified": 1704819298,
- "narHash": "sha256-9HqMzusFFykwHkk+7R4WibzYZbaqIuqV0IswHrGn7rk=",
+ "lastModified": 1704875218,
+ "narHash": "sha256-Ag6DfxlMpt08ZQhpe7bt9Fhhj5WyUPnqVvz+01jp3fs=",
 "owner": "RGBCube",
 "repo": "Site",
- "rev": "2cda7f1edc1f638f190c25d9f01277dd17bb87de",
+ "rev": "658b1f63e63f0f80313b3d5bc5e01c6e2f03704c",
 "type": "github"
 },
 "original": {
diff --git a/hosts/cube/acme.nix b/hosts/cube/acme.nix
new file mode 100644
index 0000000..9117a76
--- /dev/null
+++ b/hosts/cube/acme.nix
@@ -0,0 +1,16 @@
+{ ulib, ... }: with ulib;
+
+serverSystemConfiguration {
+ security.acme = {
+ acceptTerms = true;
+
+ defaults = {
+ credentialsFile = "/home/cube/.credentials/acme";
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ email = "rgbsphere@gmail.com";
+ };
+
+ certs."rgbcu.be".extraDomainNames = [ "*.rgbcu.be" ];
+ };
+}
diff --git a/hosts/cube/nginx.nix b/hosts/cube/nginx.nix
new file mode 100644
index 0000000..374bd3a
--- /dev/null
+++ b/hosts/cube/nginx.nix
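Review bot: `credentialsFile = "/home/cube/.credentials/acme"` places the lego environment file, which holds the Cloudflare API token used for the DNS-01 challenge, inside an interactive user's home directory. The NixOS ACME units run as the `acme` user with sandboxing applied, so whether that path is even readable at renewal time depends on when systemd loads the EnvironmentFile relative to privilege drop and ProtectHome — confirm against the generated unit, and in any case a root-owned path outside `/home` with mode 0440 and group `acme` (or the secret store this repo already uses, not visible here) is the safer home for it. Because the token can create TXT records for the wildcard `*.rgbcu.be`, it should be scoped to DNS edit on that one zone only. A comment on the line would make the contract explicit, e.g. `# lego env file holding the Cloudflare DNS token; readable by the acme user only`.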
@@ -0,0 +1,46 @@
+{ lib, ulib, pkgs, ... }: with ulib;
+
+serverSystemConfiguration {
+ services.nginx = enabled {
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ commonHttpConfig = let
+ fileToList = file: lib.splitString "\n" (builtins.readFile file);
+
+ cloudflareIpsV4 = fileToList (pkgs.fetchurl {
+ url = "https://www.cloudflare.com/ips-v4";
+ sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
+ });
+ cloudflareIpsV6 = fileToList (pkgs.fetchurl {
+ url = "https://www.cloudflare.com/ips-v6";
+ sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
+ });
+
+ realIpsFromList = lib.concatMapStringsSep "\n" (ip: "set_real_ip_from ${ip};");
+ in ''
+ ${realIpsFromList cloudflareIpsV4}
+ ${realIpsFromList cloudflareIpsV6}
+ real_ip_header CF-Connecting-IP;
+ '';
+
+ appendHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ add_header "Referrer-Policy" "no-referrer";
+
+ add_header X-Frame-Options DENY;
+
+ add_header X-Content-Type-Options nosniff;
+
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ };
+}
diff --git a/hosts/cube/site.nix b/hosts/cube/site.nix
index aab16d7..ee7298c 100644
--- a/hosts/cube/site.nix
+++ b/hosts/cube/site.nix
@@ -2,8 +2,6 @@
 
 serverSystemConfiguration {
 services.site = enabled {
- httpPort = 80;
- httpsPort = 443;
- openFirewall = true;
+ configureNginx = true;
 };
 }
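Review bot: The `add_header` lines in `appendHttpConfig` are inconsistent about `always`: only Content-Security-Policy carries it, so Strict-Transport-Security, Referrer-Policy, X-Frame-Options and X-Content-Type-Options are dropped from 4xx/5xx responses; append `always` to the other four, e.g. `add_header X-Frame-Options DENY always;`. nginx also inherits `add_header` into a server or location block only when that block defines no `add_header` of its own, so any vhost generated by `services.site` that adds a header will silently lose all of these — worth a one-line comment above the block. The Cloudflare range lists are fetched as fixed-output derivations: once the outputs are in the store they are never refetched, so `set_real_ip_from` keeps trusting a stale range set until someone bumps the hash, and when the lists change a fresh build fails on hash mismatch; a comment naming the refresh procedure, e.g. `# Cloudflare ranges are pinned by hash; re-fetch and update both sha256 values when they change`, would make that explicit. `real_ip_header CF-Connecting-IP` is only sound if the origin cannot be reached except through Cloudflare, which this diff does not show.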
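Review bot: `openFirewall = true` is removed but nothing in this diff opens ports 80/443 for nginx in its place — the new `hosts/cube/nginx.nix` sets no `networking.firewall.allowedTCPPorts`; unless `serverSystemConfiguration` or the `enabled` helper does this (not visible here), the host stops serving after this change. `configureNginx = true` presumably hands the vhost to the bumped `RGBCube/Site` input from the flake.lock hunk, so confirm that that module's vhost defines no `add_header` of its own, which would shadow the global headers set in nginx.nix. The module's argument line (file line 1) lies outside the hunk.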