After further investigation it looks that I had port 80 (not 443) open to the internet.
I used to run a static HTML there. But OMV installs using port 80 by default and therefor exposing itself to the internet.
It guess the hacker used this to log into OMV and install the nanominer.
Since the server has no personal data, I will just reinstall, to remove any traces.
The port 80 forwarding from the internet has been removed from the firewall.