nginx hardening

A handful of nginx defaults I set on every box before anything goes public. None of it is clever; all of it earns its keep.

• Origin lockdown. The site only accepts traffic from Cloudflare's IP ranges, so the origin can't be hit directly. Everything else gets dropped at the edge.
• TLS done properly. Let's Encrypt via DNS-01, modern ciphers only, HSTS once you're confident you won't need to back out.
• Security headers. X-Content-Type-Options: nosniff, a sane X-Frame-Options, and a Content-Security-Policy tight enough to matter.
• Caching with intent. Immutable, fingerprinted assets cached hard; HTML kept fresh. Free performance.
• fail2ban watching auth logs to discourage SSH brute-forcing.

This is the front door for self-hosting on Hetzner — the proxy is the only thing the public can actually reach, so it's worth getting right.