diff --git a/hosts/hainich/services/nginx.nix b/hosts/hainich/services/nginx.nix
index 6e2879b..98d0c58 100644
--- a/hosts/hainich/services/nginx.nix
+++ b/hosts/hainich/services/nginx.nix
@@ -25,27 +25,32 @@
   };
 
   networking.firewall.allowedTCPPorts = [ 1935 ];
-  services.nginx.appendConfig = ''
-  rtmp {
-    server {
-      listen 1935;
-      application cutiestream {
-        live on;
-        allow publish all;
-        allow play all;
+  services.nginx = {
+    appendHttpConfig = ''
+      add_header Permissions-Policy "interest-cohort=()";
+    '';
+    appendConfig = ''
+      rtmp {
+        server {
+          listen 1935;
+          application cutiestream {
+            live on;
+            allow publish all;
+            allow play all;
+          }
+          application ingest {
+            live on;
+    
+            record all;
+            record_path /data/ingest;
+            record_unique on;
+    
+    #        include /var/secrets/ingest.conf;
+          }
+        }
       }
-      application ingest {
-        live on;
-
-        record all;
-        record_path /data/ingest;
-        record_unique on;
-
-#        include /var/secrets/ingest.conf;
-      }
-    }
-  }
-  '';
+    '';
+  };
 
   systemd.services.nginx.serviceConfig.ReadWriteDirectories = "/data/ingest /var/secrets";
 }