feat(nginx): add hardened nginx app with security improvements

- Rate limiting (10 req/s per IP, burst 20)
- Modern security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
- Request body size limits (50m)
- Fixed header inheritance bug in static files location block
- Removed unused form fields (NGINX_INTERNAL_PORT, NGINX_ENABLE_ACCESS_LOG)
- SSL handled by Runtipi reverse proxy

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/nginx/data/conf.d/default.conf

@@ -0,0 +1,42 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    server_name _;
+
+    root /usr/share/nginx/html;
+    index index.html index.htm;
+
+    # Headers de securite
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+
+    # Rate limiting (burst de 20 requetes autorise)
+    limit_req zone=general burst=20 nodelay;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    # Desactiver l'acces aux fichiers caches
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Cache pour les fichiers statiques
+    # Note: on utilise uniquement "expires" ici pour ne pas ecraser
+    # les headers de securite du bloc server (comportement add_header de nginx)
+    location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|txt|woff|woff2|ttf|svg)$ {
+        expires 7d;
+    }
+
+    error_page 404 /404.html;
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /usr/share/nginx/html;
+    }
+}