Add MIT license and Nix packaging

README.md

@@ -35,6 +35,10 @@ This keeps the application usable immediately while leaving room for a more adva
 - `internal/service`: runs concurrent log followers and applies automatic decisions
 - `internal/web`: serves the local review UI and JSON API
 
+## License
+
+This project is licensed under the MIT License. See `LICENSE`.
+
 ## Quick start
 
 1. Generate or provision OPNsense API credentials.
@@ -88,6 +92,58 @@ CGO_ENABLED=0 go build ./cmd/caddy-opnsense-blocker
 
 `CGO_ENABLED=0` is useful on systems without a C toolchain. The application itself only relies on pure-Go dependencies.
 
+## Nix packaging
+
+The repository ships with first-class Nix files:
+
+- `package.nix`: reusable package definition
+- `default.nix`: convenience entry point for `nix-build`
+- `module.nix`: reusable NixOS module
+
+Build the package directly from the repository root:
+
+```bash
+nix-build
+```
+
+Use the NixOS module from another configuration:
+
+```nix
+{
+  imports = [ /path/to/caddy-opnsense-blocker/module.nix ];
+
+  services.caddy-opnsense-blocker = {
+    enable = true;
+    credentials.opnsenseApiKeyFile = "/run/secrets/opnsense-api-key";
+    credentials.opnsenseApiSecretFile = "/run/secrets/opnsense-api-secret";
+
+    settings = {
+      opnsense = {
+        enabled = true;
+        base_url = "https://router.example.test";
+        ensure_alias = true;
+        alias.name = "blocked-ips";
+      };
+
+      profiles.public-web = {
+        auto_block = true;
+        block_unexpected_posts = true;
+        block_php_paths = true;
+        suspicious_path_prefixes = [ "/wp-admin" "/wp-login.php" "/.env" ];
+      };
+
+      sources = [
+        {
+          name = "public-web";
+          path = "/var/log/caddy/public-web.json";
+          profile = "public-web";
+        }
+      ];
+    };
+  };
+}
+```
+
 ## Roadmap
 
 - richer decision engine