diff --git a/hosts/hetzner-arm/containers/rss/default.nix b/hosts/hetzner-arm/containers/rss/default.nix
index 2a34d00..859e9d7 100644
--- a/hosts/hetzner-arm/containers/rss/default.nix
+++ b/hosts/hetzner-arm/containers/rss/default.nix
@@ -50,6 +50,25 @@ in {
       enableACME = true;
       forceSSL = true;
       locations."/".proxyPass = "http://${containerIP}:80/";
+      proxyWebsockets = true;
+      recommendedProxySettings = true;
+      appendConfig = ''
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-XSS-Protection "1; mode=block";
+        proxy_redirect off;
+        proxy_buffering off;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Prefix /freshrss/;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_read_timeout 90;
+
+        # Forward the Authorization header for the Google Reader API.
+        proxy_set_header Authorization $http_authorization;
+        proxy_pass_header Authorization;
+      '';
     };
   };
 }
diff --git a/profiles/base/nix.nix b/profiles/base/nix.nix
index 2d41cf4..cd0e7a7 100644
--- a/profiles/base/nix.nix
+++ b/profiles/base/nix.nix
@@ -9,7 +9,7 @@
   inherit (lib.lists) optional;
   inherit (lib.modules) mkIf;
 in {
-  environment.systemPackages = with pkgs; [ nix-output-monitor ];
+  environment.systemPackages = with pkgs; [nix-output-monitor];
 
   nix = {
     nixPath = ["nixpkgs=${inputs.nixpkgs}"];
diff --git a/profiles/sound/base.nix b/profiles/sound/base.nix
index f81e7c9..5a09d8b 100644
--- a/profiles/sound/base.nix
+++ b/profiles/sound/base.nix
@@ -1,5 +1,4 @@
 {
-  lib,
   pkgs,
   ...
 }: {