diff --git a/config/shared.nix b/config/shared.nix
index 29c0104..c9a426d 100644
--- a/config/shared.nix
+++ b/config/shared.nix
@@ -18,6 +18,12 @@
   services.nginx = {
     enable = true;
+    # Recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = false; # DISABLED - was interfering with WebSocket
+    recommendedTlsSettings = true;
+
     # Web-app service
     virtualHosts."app.${domain}" = {
       root = "/var/src/web-app-dist";
@@ -43,9 +49,28 @@
     };
   };
 
+  # Enable automatic SSL certificate generation with Let's Encrypt
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@aiolabs.dev";
+  };
+
   # Open firewall for HTTP/HTTPS
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
+  # Enable fail2ban for additional security
+  services.fail2ban = {
+    enable = true;
+    jails = {
+      nginx-http-auth.settings = {
+        enabled = true;
+        filter = "nginx-http-auth";
+        logpath = "/var/log/nginx/error.log";
+        backend = "systemd";
+      };
+    };
+  };
+
   # NixOS release version
   system.stateVersion = "25.05";
 }
\ No newline at end of file
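Review bot: Setting `recommendedProxySettings = false;` switches off the forwarding headers (X-Forwarded-For, X-Forwarded-Proto, Host and friends) for every proxied location in this nginx instance, not just the WebSocket one, so any backend behind it will log and rate-limit on the proxy's own address unless those headers are now set by hand in the affected locations; the hunk does not show that being done. NixOS has a per-location `proxyWebsockets = true;` option that adds the Upgrade/Connection handling on top of the recommended settings, which is the usual fix for the interference the comment describes; if there is a reason that did not work here, the comment should say which location and what broke, e.g. `# DISABLED: breaks WebSocket upgrade on <location> — see <issue>; locations below set X-Forwarded-* explicitly`. The `services.nginx` block and the `virtualHosts."app.${domain}"` definition continue outside the hunk.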
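Review bot: The `nginx-http-auth` jail pairs `backend = "systemd"` with `logpath = "/var/log/nginx/error.log"`, but fail2ban's systemd backend reads the journal and does not consult logpath, so if nginx is still writing its error log to that file (the NixOS default) the jail will never see a failed login and bans nothing. Either keep the file backend for this jail, `backend = "auto";`, or route nginx's error log to the journal and drop the logpath line; whichever is chosen, a one-line comment stating where nginx logs and which backend consumes it would stop the next reader from repeating the mismatch. It is also not visible in the hunk whether any location uses HTTP basic auth at all, which is the only thing this filter matches, and the ACME defaults only take effect once a virtual host opts in with `enableACME`/`forceSSL`, which the visible vhost lines do not show.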