diff --git a/shared/applications/server/nginx.nix b/shared/applications/server/nginx.nix
index 0d837d5..9de4208 100644
--- a/shared/applications/server/nginx.nix
+++ b/shared/applications/server/nginx.nix
@@ -10,47 +10,58 @@ let
 -out "$out/ca.pem" -keyout "$out/ca.key"
 '';
 in {
- services.nginx = {
- enable = true;
-
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- recommendedGzipSettings = true;
- # recommendedBrotliSettings = true;
- recommendedProxySettings = true;
-
- # only allow PFS-enabled ciphers with AES256
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-
- # disable access logs
- commonHttpConfig= ''
- access_log off;
- '';
-
- # setup a default site
- virtualHosts.default = {
- default = lib.mkDefault true;
- addSSL = true;
-
- sslCertificateKey = "${snakeOilCa}/ca.key";
- sslCertificate = "${snakeOilCa}/ca.pem";
-
- root = pkgs.writeTextDir "index.html" ''
- - - Nothing to see - - -

Like I said, nothing to see here

- - -
- '';
- };
+ # block all /metrics endpoints
+ options.services.nginx.virtualHosts = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ config.locations."/metrics" = lib.mkDefault {
+ extraConfig = "deny all;";
+ };
+ });
 };
- networking.firewall = {
- allowedTCPPorts = [80 443];
- allowedUDPPorts = [443];
+ config = {
+ services.nginx = {
+ enable = true;
+
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ # recommendedBrotliSettings = true;
+ recommendedProxySettings = true;
+
+ # only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ # disable access logs
+ commonHttpConfig= ''
+ access_log off;
+ '';
+
+ # setup a default site
+ virtualHosts.default = {
+ default = lib.mkDefault true;
+ addSSL = true;
+
+ sslCertificateKey = "${snakeOilCa}/ca.key";
+ sslCertificate = "${snakeOilCa}/ca.pem";
+
+ root = pkgs.writeTextDir "index.html" ''
+ + + Nothing to see + + +

Like I said, nothing to see here

+ + +
+ '';
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [80 443];
+ allowedUDPPorts = [443];
+ };
 };
 }
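Review bot: The `/metrics` deny added in the new `options.services.nginx.virtualHosts` submodule is a plain prefix `location /metrics` wrapped in `lib.mkDefault`, so it is weaker than the comment `# block all /metrics endpoints` suggests: a vhost that declares its own `locations."/metrics"` at normal priority appears to replace the whole attribute set, `deny all;` included, rather than merge with it, and nginx evaluates regex locations (`location ~ …`) before falling back to a plain prefix match, so a vhost with a regex location covering `/metrics` would still serve it. If an unconditional block is intended, the `^~` modifier in the location key makes nginx stop at the prefix match, e.g. `config.locations."^~ /metrics" = lib.mkDefault { extraConfig = "deny all;"; };`. The comment should also spell out the opt-out semantics, e.g. `# default-deny /metrics on every vhost; a vhost that defines its own /metrics location replaces this entirely`, so nobody assumes the deny is merged into a later definition. The enclosing `let` binding (snakeOilCa) starts before this hunk.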