diff --git a/docs/rspamd-tuning.rst b/docs/rspamd-tuning.rst
index 3ba8133..9de09fa 100644
--- a/docs/rspamd-tuning.rst
+++ b/docs/rspamd-tuning.rst
@@ -93,18 +93,13 @@ With an nginx reverse-proxy
If you have a secured nginx reverse proxy set on the host, you can use it to expose the socket.
**Keep in mind the UI is unsecured by default, you need to setup an authentication scheme**, for
-exemple with `basic auth `_:
+example with `basic auth `_:
.. code:: nix
- services.nginx.virtualHosts.rspamd = {
- forceSSL = true;
- enableACME = true;
- basicAuthFile = "/basic/auth/hashes/file";
- serverName = "rspamd.example.com";
- locations = {
- "/" = {
- proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
- };
- };
+ mailserver.rspamdWebUi = {
+ enable = true;
+ domain = "rspamd.example.com";
};
+
+ services.nginx.virtualHosts."${config.mailserver.rspamdWebUi.domain}".basicAuthFile = "/basic/auth/hashes/file";
diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix
index 8fb9b00..11c79b9 100644
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -24,6 +24,27 @@ let
rspamdSocket = "rspamd.service";
in
{
+ options.mailserver.rspamdWebUi = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ example = true;
+ description = ''
+ Whether to enable the rspamd web ui on the configured domain.
+
+ :::warning
+ Make sure to configure authentication for it!
+ :::
+ '';
+ };
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ example = "rspamd.example.org";
+ description = "The domain under which the rspamd web ui should be reachable.";
+ };
+ };
+
config = with cfg; lib.mkIf enable {
environment.systemPackages = lib.mkBefore [
(pkgs.runCommand "rspamc-wrapped" {
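Review bot: The warning in the `enable` description ("Make sure to configure authentication for it!") does not tell the reader why authentication is mandatory or where to put it. A later hunk of this same commit writes `secure_ip = "0.0.0.0/0"` and `secure_ip = "::/0"` into `worker-controller.inc` whenever this option is on, which as far as I understand rspamd's controller lets every client skip the controller password, so the nginx virtual host becomes the only gate. I would say that in the description, for example `Enabling this marks all client addresses as trusted in the rspamd controller (secure_ip), so access control must be set on the nginx virtual host, e.g. via basicAuthFile.` The `domain` description could also mention that a certificate is requested for that name through ACME, since the virtual host sets `enableACME = true`.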
@@ -34,9 +55,28 @@ in
'')
];
+ services.nginx = lib.mkIf cfg.rspamdWebUi.enable {
+ enable = true;
+ virtualHosts = {
+ "${cfg.rspamdWebUi.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
+ };
+ };
+ };
+
services.rspamd = {
enable = true;
inherit debug;
+
+ overrides = lib.mkIf cfg.rspamdWebUi.enable {
+ "worker-controller.inc".text = ''
+ secure_ip = "0.0.0.0/0";
+ secure_ip = "::/0";
+ '';
+ };
+
locals = {
"milter_headers.conf" = { text = ''
extended_spam_headers = true;
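Review bot: With only `rspamdWebUi.enable` and `domain` set, the UI is published without any authentication. The new `services.nginx` virtual host carries no `basicAuthFile` or `basicAuth`, and the `worker-controller.inc` override sets `secure_ip` to `0.0.0.0/0` and `::/0`, which as I read rspamd's controller config removes its own password check for every client. The only safeguard is a warning in the option text, so a user who misses it exposes the controller on a public name with a valid certificate. I would make the module fail evaluation unless the virtual host has an auth setting, as sketched below; this assumes `config` is in scope in this file and that basic auth is the intended scheme (other schemes would need a looser check or an explicit opt-out option). The enclosing `config = with cfg; lib.mkIf enable { … }` block starts in the previous hunk and continues past this one.

```nix
# … unchanged: environment.systemPackages, services.nginx, services.rspamd …
assertions = [
  {
    assertion =
      !cfg.rspamdWebUi.enable
      || (
        let
          vhost = config.services.nginx.virtualHosts.${cfg.rspamdWebUi.domain};
        in
        vhost.basicAuthFile != null || vhost.basicAuth != { }
      );
    message = ''
      mailserver.rspamdWebUi.enable exposes the rspamd controller with
      secure_ip covering all addresses; set basicAuthFile or basicAuth on
      the nginx virtual host for mailserver.rspamdWebUi.domain.
    '';
  }
];
```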