feat(rpi5): add nginx reverse-proxy module

Enable nginx with the recommended proxy/TLS/optimisation/gzip settings and a
declarative virtualHosts table -- each proxied service is a Nix entry, so the
routing lives in-repo. Ships one HTTP-only example vhost; enableACME/forceSSL
are present but commented, to be flipped per-vhost once a DNS name and cert
exist. Opens 80 and 443.

system/machine/RPi5/reverse-proxy.nix

@@ -0,0 +1,39 @@
+# Native nginx reverse proxy. The proxy configuration is declarative Nix:
+# every proxied service is an entry under services.nginx.virtualHosts, so the
+# whole routing table lives in this file and is built/version-controlled with
+# the rest of the system.
+#
+# To add a proxied service, add another virtualHosts."<host>" entry following
+# the example below. To serve it over HTTPS, uncomment enableACME + forceSSL on
+# that vhost once it has a real DNS name and the ACME HTTP-01/DNS-01 challenge
+# can be satisfied (see security.acme for the account/email and DNS settings).
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true; # sane proxy_set_header defaults (Host, X-Forwarded-*)
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    virtualHosts = {
+      # Example reverse-proxy vhost. Replace the name and upstream with a real
+      # service (e.g. a container published by the Docker host on this machine).
+      "example.lan" = {
+        # enableACME = true;   # request a Let's Encrypt cert for this host
+        # forceSSL = true;     # redirect HTTP -> HTTPS once the cert exists
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8080";
+          proxyWebsockets = true; # forward Upgrade/Connection for WebSocket apps
+        };
+      };
+    };
+  };
+
+  # Public reverse-proxy ports. 443 is opened now so flipping a vhost to TLS
+  # needs no firewall change.
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}