See also https://discourse.nixos.org/t/what-is-the-correct-way-to-allow-binding-of-port-80-and-443
I recommend setting boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0;
Advantage: You can simply bind your web server process to port 80 without giving it any additional privileges (which can also lead to security issues) or doing any forwarding.
Disadvantage: Normal users can now also bind to that port. This is only a problem if there are untrusted users on that machine, i.e., users that might want to block your webserver by occupying that port before your webserver starts.
See also https://ar.al/2022/08/30/dear-linux-privileged-ports-must-die/
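
A check for the disadvantage described above, as an added example that is not part of the original post: it parses text in /proc/net/tcp format and reports any listener on port 80 or 443 that is owned by a UID other than the web server's. The sample table, the UID 60 for the web server and the function names are constructed assumptions.

```python
"""Report listeners on web ports that are not owned by the expected service UID."""
import sys

# Constructed sample in /proc/net/tcp format (not captured from a real host).
# Row 0: LISTEN on :80 by uid 1001, row 1: LISTEN on :443 by uid 60,
# row 2: LISTEN on 127.0.0.1:8080 by uid 1001, row 3: ESTABLISHED on :80 by uid 60.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20001 1
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000    60        0 20002 1
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20003 1
   3: 0A00000F:0050 0A000014:C350 01 00000000:00000000 00:00000000 00000000    60        0 20004 1
"""

TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp


def listeners(proc_net_tcp_text):
    """Yield (port, uid) for every socket in LISTEN state."""
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or int(fields[3], 16) != TCP_LISTEN:
            continue
        # local_address is HEXADDR:HEXPORT; rsplit also copes with tcp6 rows.
        port = int(fields[1].rsplit(":", 1)[1], 16)
        yield port, int(fields[7])


def unexpected_listeners(proc_net_tcp_text, expected_uid, ports=(80, 443)):
    """Return sorted (port, uid) pairs where someone else holds a web port."""
    return sorted((port, uid) for port, uid in listeners(proc_net_tcp_text)
                  if port in ports and uid != expected_uid)


if __name__ == "__main__":
    # Usage: script.py <web-server-uid> [table-file]; defaults to the sample.
    expected = int(sys.argv[1]) if len(sys.argv) > 1 else 60  # 60 is assumed
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_PROC_NET_TCP
    for port, uid in unexpected_listeners(text, expected):
        print(f"port {port} is held by uid {uid}, expected uid {expected}")
```

On a real host, pass /proc/net/tcp (and /proc/net/tcp6 for IPv6 listeners) as the second argument.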