Add recommended Nginx settings and enable automatic SSL with Let's Encrypt

Enhanced the shared Nix configuration by adding recommended settings for Nginx, including Gzip, optimization, and TLS settings. Disabled proxy settings to prevent interference with WebSocket. Additionally, enabled automatic SSL certificate generation using Let's Encrypt and configured fail2ban for improved security.

This update aims to strengthen the web application's security and performance while maintaining flexibility in the Nginx setup.

config/shared.nix

@@ -18,6 +18,12 @@
   services.nginx = {
     enable = true;
 
+    # Recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = false;  # DISABLED - was interfering with WebSocket
+    recommendedTlsSettings = true;
+
     # Web-app service
     virtualHosts."app.${domain}" = {
       root = "/var/src/web-app-dist";
@@ -43,9 +49,28 @@
     };
   };
 
+  # Enable automatic SSL certificate generation with Let's Encrypt
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@aiolabs.dev";
+  };
+
   # Open firewall for HTTP/HTTPS
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
+  # Enable fail2ban for additional security
+  services.fail2ban = {
+    enable = true;
+    jails = {
+      nginx-http-auth.settings = {
+        enabled = true;
+        filter = "nginx-http-auth";
+        logpath = "/var/log/nginx/error.log";
+        backend = "systemd";
+      };
+    };
+  };
+
   # NixOS release version
   system.stateVersion = "25.05";
 }