
Manage access to payment metrics

Florian Sesser requested to merge 368.manage-access-to-payment-metrics into develop

Fixes https://whetstone.privatestorage.io/privatestorage/privatestorageops/-/issues/368

This MR adds an NGINX reverse proxy in front of our PaymentServer (a cool ½ GB added to the deployment, what are those people smoking) and allows access to the /metrics endpoint only to IPs within the monitoringvpn subnet 172.23.23.0/24.

This could go further. Possibilities:

  1. Run PaymentServer without privileges. From my reading around, a good approach for this could be the Nix-recommended way of systemd's DynamicUser. That is, until systemd breaks our whole distributed system with something Poettering would call a "small bug" or a "slight regression". Personally I might go with the more conservative approach of having a static user id, like here for example.

  2. Moving the NGINX config from morph/lib/customize-issuer.nix to nixos/modules/issuer.nix, making it an integral part of the issuer, like we have it in grafana.nix already.

    1. NGINX is well integrated with NixOS and can, for example, with very few custom settings and very little code, take care of its TLS certs. It also creates preliminary self-signed certs. If we want, we could thus remove all custom LetsEncrypt and TLS code.
    2. This would make adding tests for this MR easier.
Edited by Florian Sesser
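For reference, this is what the access restriction described in the MR looks like when expressed as a NixOS NGINX module; it is an added illustration, not the MR's own diff (which is not shown on this page). The hostname, the upstream port 8080 and the use of ACME are assumptions; only the 172.23.23.0/24 subnet and the /metrics path come from the MR.

```nix
# Added example (not the MR's code): NGINX reverse proxy in front of
# PaymentServer that exposes /metrics only to the monitoring VPN subnet.
{ config, ... }:
{
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;   # sets Host / X-Forwarded-* headers

    # Placeholder hostname; the real issuer hostname is not on this page.
    virtualHosts."payments.example.invalid" = {
      enableACME = true;   # assumption: NixOS-managed LetsEncrypt certs
      forceSSL = true;

      # Everything else is proxied unchanged. Port 8080 is an assumption.
      locations."/" = {
        proxyPass = "http://127.0.0.1:8080";
      };

      # Exact-match location: nginx picks "= /metrics" over the "/" prefix,
      # so only requests for exactly /metrics are subject to the IP filter.
      locations."= /metrics" = {
        proxyPass = "http://127.0.0.1:8080";
        extraConfig = ''
          allow 172.23.23.0/24;   # monitoringvpn subnet from the MR
          deny  all;              # every other client gets HTTP 403
        '';
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

A quick check after deployment: a request to /metrics from a monitoringvpn address should return the Prometheus text format, while the same request from any other source address should be answered with 403 by NGINX without ever reaching PaymentServer.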
