infra: add nginx

nix/infra/default.nix

@@ -15,6 +15,7 @@
     ./system.nix
     ./disk.nix
     ./backend.nix
+    ./nginx.nix
     ./users
   ];
 

nix/infra/nginx.nix

@@ -0,0 +1,35 @@
+ {
+  ...
+ }:
+
+{
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      "clan-war.net" = {
+        enableACME = true;
+        forceSSL = true;
+      };
+      "api.clan-war.net" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/".proxyPass = "http://localhost:8080";
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "security@clan-war.net";
+  };
+
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 80 ];
+    allowedUDPPorts = [ 80 ];
+  };
+}