Add reverse-proxy configuration with DMZ-specific security

- Create reverse-proxy machine configuration for VPS edge server
- Configure SSH access only via Tailscale (100.96.189.104)
- Implement strict DMZ firewall rules (HTTP/HTTPS only externally)
- Add enhanced fail2ban settings for DMZ environment
- Include sma user with SSH key management
- Configure Nginx reverse proxy with Let's Encrypt SSL
- Add reverse-proxy to flake.nix nixosConfigurations

Security features:
- SSH only accessible through Tailscale interface
- Aggressive fail2ban settings (24h ban, 3 max retries)
- Firewall rejects all non-essential traffic
- No common network config to avoid security conflicts

flake.nix

@@ -48,6 +48,18 @@
           ./modules/common/tty.nix
         ];
       };
+
+      # reverse-proxy - VPS edge server with Nginx reverse proxy
+      reverse-proxy = nixpkgs.lib.nixosSystem {
+        inherit system specialArgs;
+        modules = [
+          ./machines/reverse-proxy/configuration.nix
+          ./machines/reverse-proxy/gandicloud.nix
+          ./modules/common/nix.nix
+          ./modules/common/base.nix
+          ./modules/common/tty.nix
+        ];
+      };
     };
 
     # Custom packages for the home lab
@@ -70,6 +82,7 @@
           echo "Available configurations:"
           echo "  - congenital-optimist (Threadripper workstation)"
           echo "  - sleeper-service (Xeon file server)"
+          echo "  - reverse-proxy (VPS edge server)"
           echo ""
           echo "Build with: nixos-rebuild build --flake .#<config>"
           echo "Switch with: nixos-rebuild switch --flake .#<config>"