diff --git a/roles/ingress/defaults/main.yml b/roles/ingress/defaults/main.yml
index 785636c..6a88ed9 100644
--- a/roles/ingress/defaults/main.yml
+++ b/roles/ingress/defaults/main.yml
@@ -31,6 +31,25 @@ ingress_listen_tls: yes
 ingress_tls_protocols: TLSv1.2 TLSv1.3
 ingress_tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 ingress_tls_prefer_server_ciphers: "off"
+# Escape hatch for a bunch of directives
+# Defaults here are for general-purpose use, like compression
+ingress_directives:
+ - gzip on
+ - gzip_comp_level 5
+ - gzip_min_length 256
+ - gzip_proxied any
+ - gzip_vary on
+ - gzip_types
+ application/javascript
+ application/json
+ application/wasm
+ application/xhtml+xml
+ image/x-ms-bmp
+ image/svg+xml
+ image/x-icon
+ text/css
+ text/plain
+ text/xml
 # Vhost configuration
 # ingress_servers:
diff --git a/roles/ingress/templates/vhosts.conf.j2 b/roles/ingress/templates/vhosts.conf.j2
index 9a084a4..286aea2 100644
--- a/roles/ingress/templates/vhosts.conf.j2
+++ b/roles/ingress/templates/vhosts.conf.j2
@@ -7,6 +7,12 @@ server {
 {% endif %}
 server_name {{ server.name }};
+{% if ingress_directives is defined %}
+{% for directive in ingress_directives %}
+ {{ directive }};
+{% endfor %}
+{% endif %}
+
 {% if ingress_listen_tls %}
 # TLS configuration
 ssl_certificate /etc/letsencrypt/live/{{ ingress_servers[0].name }}/fullchain.pem;
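Review bot: The default `ingress_directives` list turns on response compression for dynamic content types (`application/json`, `text/plain`) on every vhost, and the template hunk in vhosts.conf.j2 emits these directives inside the same `server` block as the TLS configuration, so they apply to TLS listeners too; since an Ansible list override replaces the whole value, a deployer cannot keep the rest of the defaults while dropping those types. Compressing TLS responses that mix secrets with request-influenced content is the known precondition for compression-oracle attacks on the record layer, so the trade-off deserves a comment next to the default, e.g. `# NOTE: applies to TLS vhosts as well; drop dynamic types from gzip_types where responses embed per-user secrets`. The `gzip_types` entry is a multi-line plain scalar that YAML folds into one space-separated string, which is what a single nginx `gzip_types` directive needs but is easy to misread as separate list items; a comment such as `# continuation lines fold into one gzip_types directive` would prevent someone "fixing" it into separate entries. The two leading comment lines say "escape hatch" without saying that each entry is emitted verbatim as one simple directive with `;` appended, which is the contract a user of the hatch actually needs.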
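Review bot: `{{ directive }};` writes each list entry into the nginx `server` block with no validation or quoting, so a value containing `;` or `}` becomes additional configuration rather than a single directive, and because the template appends the terminating `;` itself, an entry that already ends in `;` yields an empty statement that nginx is likely to reject as an unexpected `;`. That is an acceptable contract for an inventory-controlled escape hatch, but the trust assumption and the one-simple-directive-per-entry rule should be stated above the loop, e.g. `{# each entry is one simple nginx directive, written verbatim with ';' appended; no block directives, no trailing ';' #}`. The `is defined` test is redundant while roles/ingress/defaults/main.yml defines the variable, though it does keep the template usable if a caller unsets it, which is worth a short comment so nobody removes it. The enclosing `server {` block, and presumably the per-server loop that produces it, start outside the hunk.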