diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index d5724e7188cab5155d7f1976420185388caf5d64..4360965bd1054e79365d3b3f939f24c4533c2d01 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -30,7 +30,8 @@ in {
   };
 
   config = {
-    # networking.firewall.allowedTCPPorts = [ 80 443 ];
+    # Port 80 for ACME ssl retrieval only. 443 for nginx -> grafana.
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
 
     services.grafana = {
       enable = true;
@@ -67,11 +68,25 @@ in {
     };
 
     # nginx reverse proxy
-    services.nginx.enable = true;
-    services.nginx.virtualHosts.${config.services.grafana.domain} = {
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
-        proxyWebsockets = true;
+    services.nginx = {
+      enable = true;
+
+      # Yes, use the NixOS recommended settings:
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      # Only allow PFS-enabled ciphers with AES256:
+      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+      virtualHosts.${config.services.grafana.domain} = {
+        enableACME = true;
+        onlySSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+          proxyWebsockets = true;
+        };
       };
     };
   };
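Review bot: The `sslCiphers` override on the line commented "Only allow PFS-enabled ciphers with AES256" replaces the cipher list that `recommendedTlsSettings`, enabled a few lines above, already applies, so the two settings work against each other and the custom string should be justified or dropped. As far as I can tell the `AES256+EDH` half is also inert unless `sslDhparam` is configured, since nginx does not offer DHE suites without explicit DH parameters, and the string has no effect on TLS 1.3 suites at all, so the comment overstates what it enforces. I would either rely on the recommended list or keep the override with an honest comment, e.g. `# Overrides the cipher list from recommendedTlsSettings (TLS 1.2 only; TLS 1.3 suites are unaffected). DHE suites additionally require sslDhparam.`. The `onlySSL = true` / `enableACME = true` pairing in the vhost is reasonable for a Grafana login page, and `proxyPass` stays bound to 127.0.0.1 as before.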