diff --git a/nixos/boxes/colony/vms/shill/containers/middleman.nix b/nixos/boxes/colony/vms/shill/containers/middleman.nix
index f5de0a9..a727a16 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman.nix
@@ -1,4 +1,4 @@
-{ lib, ...}: {
+{ lib, ... }: {
   nixos.systems.middleman = {
     system = "x86_64-linux";
     nixpkgs = "mine";
@@ -16,7 +16,7 @@
       };
     };
 
-    configuration = { lib, config, assignments, ... }:
+    configuration = { lib, config, assignments, allAssignments, ... }:
     let
       inherit (lib) mkMerge mkIf;
       inherit (lib.my) networkdAssignment;
@@ -29,6 +29,7 @@
 
             secrets = {
               key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip";
+              files."dhparams.pem" = {};
             };
 
             firewall = {
@@ -47,6 +48,63 @@
             nginx = {
               enable = true;
               enableReload = true;
+
+              recommendedTlsSettings = true;
+              clientMaxBodySize = "0";
+              serverTokens = true;
+              resolver = {
+                addresses = [ "[${allAssignments.estuary.base.ipv6.address}]" ];
+                valid = "5s";
+              };
+              proxyResolveWhileRunning = true;
+              sslDhparam = config.age.secrets."dhparams.pem".path;
+
+              # Based on recommended*Settings, but probably better to be explicit about these
+              appendHttpConfig = ''
+                # NixOS provides a logrotate config that auto-compresses :)
+                access_log /var/log/nginx/access.log combined;
+
+                # optimisation
+                sendfile on;
+                tcp_nopush on;
+                tcp_nodelay on;
+                keepalive_timeout 65;
+
+                # gzip
+                gzip on;
+                gzip_proxied any;
+                gzip_comp_level 5;
+                gzip_types
+                  application/atom+xml
+                  application/javascript
+                  application/json
+                  application/xml
+                  application/xml+rss
+                  image/svg+xml
+                  text/css
+                  text/javascript
+                  text/plain
+                  text/xml;
+                gzip_vary on;
+
+                # proxying
+                proxy_buffering off;
+                proxy_redirect off;
+                proxy_connect_timeout 60s;
+                proxy_read_timeout 60s;
+                proxy_send_timeout 60s;
+                proxy_http_version 1.1;
+
+                # proxy headers
+                proxy_set_header Host $host;
+                proxy_set_header X-Forwarded-Host $http_host;
+                proxy_set_header X-Forwarded-Server $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_set_header X-Forwarded-Protocol $scheme;
+                proxy_set_header X-Scheme $scheme;
+              '';
             };
           };
         }
diff --git a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
index 7cd34f1..cccc01f 100644
--- a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
+++ b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
@@ -1,4 +1,4 @@
-{ lib, ...}: {
+{ lib, ... }: {
   nixos.systems.vaultwarden = {
     system = "x86_64-linux";
     nixpkgs = "mine";
diff --git a/secrets/dhparams.pem.age b/secrets/dhparams.pem.age
new file mode 100644
index 0000000..49d2a75
Binary files /dev/null and b/secrets/dhparams.pem.age differ