diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 37526255f8a9..d4c7cb08eef9 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -118,19 +118,31 @@ let
             ssl_certificate_key ${vhost.sslCertificateKey};
           ''}
 
-          ${genLocations vhost.locations}
+          ${optionalString (vhost.basicAuth != {}) (mkBasicAuth serverName vhost.basicAuth)}
+
+          ${mkLocations vhost.locations}
 
           ${vhost.extraConfig}
         }
       ''
   ) virtualHosts);
-  genLocations = locations: concatStringsSep "\n" (mapAttrsToList (location: config: ''
+  mkLocations = locations: concatStringsSep "\n" (mapAttrsToList (location: config: ''
     location ${location} {
       ${optionalString (config.proxyPass != null) "proxy_pass ${config.proxyPass};"}
       ${optionalString (config.root != null) "root ${config.root};"}
       ${config.extraConfig}
     }
   '') locations);
+  mkBasicAuth = serverName: authDef: let
+    htpasswdFile = pkgs.writeText "${serverName}.htpasswd" (
+      concatStringsSep "\n" (mapAttrsToList (user: password: ''
+        ${user}:{PLAIN}${password}
+      '') authDef)
+    );
+  in ''
+    auth_basic secured;
+    auth_basic_user_file ${htpasswdFile};
+  '';
 in
 
 {