diff --git a/generic/overlays/default.nix b/generic/overlays/default.nix
index 85de732..140239f 100644
--- a/generic/overlays/default.nix
+++ b/generic/overlays/default.nix
@@ -3,4 +3,19 @@
 nixpkgs.config.packageOverrides = pkgs: rec {
 spdev = import ./../pkgs { inherit pkgs; };
 };
+
+ nixpkgs.overlays = [
+ (self: super: {
+ nginx = super.nginxMainline.override {
+ withDebug = false;
+ withStream = false;
+ modules = [
+ pkgs.nginxModules.rtmp
+ pkgs.nginxModules.dav
+ pkgs.nginxModules.moreheaders
+ pkgs.nginxModules.modsecurity-nginx
+ ];
+ };
+ })
+ ];
 }
diff --git a/generic/services/webserver/nginx.nix b/generic/services/webserver/nginx.nix
index 6e925ad..6868063 100644
--- a/generic/services/webserver/nginx.nix
+++ b/generic/services/webserver/nginx.nix
@@ -1,11 +1,14 @@
-{ pkgs, config, ... }:
+{ lib, pkgs, config, ... }:
 let
 domain = config.services.userdata.domain;
 in
 {
+ systemd.services.nginx.serviceConfig.SystemCallFilter = lib.mkForce "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid";
+
 services.nginx = {
 enable = true;
 enableReload = true;
+ package = pkgs.nginx;
 recommendedGzipSettings = true;
 recommendedOptimisation = true;
 recommendedProxySettings = true;
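Review bot: In generic/overlays/default.nix the `modules` list reads `pkgs.nginxModules.*` from inside `(self: super: { … })`, so the override depends on a `pkgs` binding declared above the hunk (the file starts before line 3) instead of the overlay's own arguments. Writing `super.nginxModules.rtmp` and likewise for the other three entries keeps the overlay self-contained. Separately, rtmp and dav are linked into the one nginx binary this host serves from, so a short comment naming the service that needs each module would let a later reader drop the ones that are unused. The modsecurity-nginx module filters nothing until `modsecurity on;` and a rules file are configured, and neither appears in this diff, so it is worth stating in a comment where that configuration lives.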
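Review bot: In generic/services/webserver/nginx.nix the `lib.mkForce` on `systemd.services.nginx.serviceConfig.SystemCallFilter` replaces whatever seccomp filter the NixOS nginx module would set with a hard-coded deny-list, and no comment says which syscall group was dropped or which module needs it. Because the value is forced, any tightening of the module default in a later nixpkgs release is overridden without warning. I would add a comment directly above it such as `# mkForce: module default minus <dropped group>, required by <module>; re-check against the nixpkgs default on every channel bump`. The `services.nginx` attribute set continues past the end of the hunk, so how `package = pkgs.nginx` interacts with the vhost configuration is not visible here.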