diff --git a/system/hosts/mcp/containers/dm-companion.nix b/system/hosts/mcp/containers/dm-companion.nix
index 7885be0..223bcfa 100644
--- a/system/hosts/mcp/containers/dm-companion.nix
+++ b/system/hosts/mcp/containers/dm-companion.nix
@@ -1,6 +1,72 @@ -{ config, ... }: +{ config, pkgs, ... }: let inherit (import ./lib.nix config) mkContainer localHostRule terakoda; + + nginxConf = pkgs.writeText "dm-companion-nginx.conf" '' + user nginx; + worker_processes auto; + + # error.log is symlinked to /dev/stderr + error_log /var/log/nginx/error.log notice; + pid /run/nginx.pid; + + events { + worker_connections 1024; + } + + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + # access.log is symlinked to /dev/stdout + access_log /var/log/nginx/access.log main; + + sendfile on; + + keepalive_timeout 65; + + gzip on; + + server { + listen 80; + server_name dm.blazestar.net; + root /usr/share/nginx/html; + + # X-Frame-Options is to prevent from clickJacking attack + add_header X-Frame-Options SAMEORIGIN; + + # disable content-type sniffing on some browsers. + add_header X-Content-Type-Options nosniff; + + # This header enables the Cross-site scripting (XSS) filter + add_header X-XSS-Protection "1; mode=block"; + + add_header Referrer-Policy "no-referrer-when-downgrade"; + + # Enables response header of "Vary: Accept-Encoding" + # This lets the cache have different entries depending on the encoding, e.g. compression + gzip_vary on; + + # Serve static files separately. + location ~ ^/(robots.txt|manifest.json) { + expires modified 1y; + add_header Cache-Control "public"; + access_log off; + } + + location / { + try_files $uri $uri/ /index.html; + index index.html; + expires -1; + add_header Cache-Control "no-store, no-cache, must-revalidate"; + } + } + } + ''; in { virtualisation.oci-containers.containers = { @@ -34,6 +100,7 @@ in ]; volumes = [ "/tank/web/dm.terakoda.com/dist:/usr/share/nginx/html:ro" + "${nginxConf}:/etc/nginx/nginx.conf:ro" ]; }; };
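Review bot: The four security headers added at `server` level in the first hunk are never actually sent, because nginx's `add_header` inside a `location` block replaces every inherited `add_header`, and both `location` blocks here set `Cache-Control` themselves, so each response goes through a location that drops X-Frame-Options, X-Content-Type-Options and Referrer-Policy; restate them in each location (or put them in a snippet both locations `include`), as below. `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore and whose vendors now advise setting to `0` or omitting in favour of a Content-Security-Policy, so the comment "enables the Cross-site scripting (XSS) filter" overstates it and the fence leaves it out. The static-file regex `^/(robots.txt|manifest.json)` has unescaped dots and no end anchor, so it also matches paths such as `/robots.txt.bak`; `location ~ ^/(robots\.txt|manifest\.json)$ {` is presumably what was intended. `server_name dm.blazestar.net` does not agree with the `dm.terakoda.com` host path the second hunk serves from, which looks like a copy-paste leftover worth confirming against `terakoda` from lib.nix. The `virtualisation.oci-containers.containers` attribute set opened on the hunk's last context line continues outside it.
```nginx
      # … unchanged: listen / server_name / root / gzip_vary …

      # add_header in a location replaces every inherited add_header, so the
      # security headers must be restated in each location that adds its own.
      location ~ ^/(robots\.txt|manifest\.json)$ {
        expires modified 1y;
        add_header Cache-Control "public";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy "no-referrer-when-downgrade";
        access_log off;
      }

      location / {
        try_files $uri $uri/ /index.html;
        index index.html;
        expires -1;
        add_header Cache-Control "no-store, no-cache, must-revalidate";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy "no-referrer-when-downgrade";
      }
```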