From 9e0f725c2d7785a05d044131a97b1e5315e58993 Mon Sep 17 00:00:00 2001
From: Mel <mel@rnrd.eu>
Date: Fri, 24 Apr 2026 03:30:04 +0200
Subject: Force disable Nginx on tunnel egress nodes

Signed-off-by: Mel <mel@rnrd.eu>
---
 modules/tunnel/egress.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/tunnel/egress.nix b/modules/tunnel/egress.nix
index 7858751..4334f80 100644
--- a/modules/tunnel/egress.nix
+++ b/modules/tunnel/egress.nix
@@ -7,7 +7,7 @@
 }:
 
 let
-  inherit (lib) findFirst;
+  inherit (lib) findFirst mkForce;
 
   # this is the https port, we use it to try to trick dpi into thinking
   # we are just serving normal encrypted web traffic, nothing interesting! :)
@@ -130,4 +130,8 @@ in
     enable = true;
     settingsFile = "/run/xray-configuration/xray.json";
   };
+
+  # nginx can not run on an egress node because xray has to run on port 443.
+  services.nginx.enable = mkForce false;
+  systemd.services.nginx.enable = mkForce false;
 }
-- 
cgit 1.4.1