{
  # Enable nginx
  services.nginx = {
    enable = true;

    # Recommended settings for reverse proxy (DISABLED recommendedProxySettings for WebSocket compatibility)
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = false;  # DISABLED - was interfering with WebSocket
    recommendedTlsSettings = true;
  };

  # Enable automatic SSL certificate generation with Let's Encrypt
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@aiolabs.dev";
  };

  # Open firewall ports
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Optional: Enable fail2ban for additional security
  services.fail2ban = {
    enable = true;
    jails = {
      nginx-http-auth.settings = {
        enabled = true;
        filter = "nginx-http-auth";
        logpath = "/var/log/nginx/error.log";
        backend = "systemd";
      };
    };
  };
}