commit 9cdd7993893c59a7a72551654377ea9a524c0ec8 · ptr.pet/ark

+7 -2

hosts/wolumonde/modules/atproto.nix

···

       28
        
               forceSSL = true;

     

       29
        
             });

     

       30
        
         };

     

       0
        
       
     

       0
        
       
     

       31
        
       in

     

       32
        
       {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       33
        
         services.nginx.virtualHosts = {

     

       34
        
           # "gaze.systems" = mkWellKnownCfg {

     

       35
        
           #   "atproto-did" = pkgs.writeText "server" "did:plc:dfl62fgb7wtjj3fcbb72naae";

     
···

       41
        
           #   "atproto-did" = pkgs.writeText "server" "did:plc:dfl62fgb7wtjj3fcbb72naae";

     

       42
        
           # };

     

       43
        
         }

     

       44
       -
         // (mkDidWebCfg "dawn.gaze.systems")

     

       45
       -
         // (mkDidWebCfg "guestbook.gaze.systems");

     

       46
        
         # // (mkDidWebCfg "9.0.0.0.8.e.f.1.5.0.7.4.0.1.0.0.2.ip6.arpa");

     

       47
        
       }

···

       28
        
               forceSSL = true;

     

       29
        
             });

     

       30
        
         };

     

       31
       +
         dawnDid = "dawn.gaze.systems";

     

       32
       +
         guestbookDid = "guestbook.gaze.systems";

     

       33
        
       in

     

       34
        
       {

     

       35
       +
         security.acme.certs."gaze.systems".extraDomainNames = [

     

       36
       +
           dawnDid guestbookDid

     

       37
       +
         ];

     

       38
        
         services.nginx.virtualHosts = {

     

       39
        
           # "gaze.systems" = mkWellKnownCfg {

     

       40
        
           #   "atproto-did" = pkgs.writeText "server" "did:plc:dfl62fgb7wtjj3fcbb72naae";

     
···

       46
        
           #   "atproto-did" = pkgs.writeText "server" "did:plc:dfl62fgb7wtjj3fcbb72naae";

     

       47
        
           # };

     

       48
        
         }

     

       49
       +
         // (mkDidWebCfg dawnDid)

     

       50
       +
         // (mkDidWebCfg guestbookDid);

     

       51
        
         # // (mkDidWebCfg "9.0.0.0.8.e.f.1.5.0.7.4.0.1.0.0.2.ip6.arpa");

     

       52
        
       }

+2 -1

hosts/wolumonde/modules/forgejo.nix/default.nix

···

       54
        
             "public"

     

       55
        
           ];

     

       56
        
       

     

       57
       -
         services.nginx.virtualHosts."git.gaze.systems" = {

     

       0
        
       
     

       58
        
           useACMEHost = "gaze.systems";

     

       59
        
           forceSSL = true;

     

       60
        
           quic = true;

···

       54
        
             "public"

     

       55
        
           ];

     

       56
        
       

     

       57
       +
         security.acme.certs."gaze.systems".extraDomainNames = [forgejoCfg.server.DOMAIN];

     

       58
       +
         services.nginx.virtualHosts.${forgejoCfg.server.DOMAIN} = {

     

       59
        
           useACMEHost = "gaze.systems";

     

       60
        
           forceSSL = true;

     

       61
        
           quic = true;

-36

hosts/wolumonde/modules/headscale.nix/acl.hujson

···

       1
       -
       {

     

       2
       -
           "groups": {

     

       3
       -
               "group:admin": ["90008@gaze.systems"],

     

       4
       -
           },

     

       5
       -
           "tagOwners": {

     

       6
       -
               "tag:private-infra": ["group:admin"],

     

       7
       -
               "tag:other-infra": ["group:admin"],

     

       8
       -
           },

     

       9
       -
           "acls": [

     

       10
       -
               {

     

       11
       -
                   "action": "accept",

     

       12
       -
                   "src": ["group:admin"],

     

       13
       -
                   "dst": ["tag:private-infra:*", "tag:other-infra:*"],

     

       14
       -
               },

     

       15
       -
               {

     

       16
       -
                   "action": "accept",

     

       17
       -
                   "src": ["tag:private-infra"],

     

       18
       -
                   "dst": ["tag:other-infra:*"],

     

       19
       -
               },

     

       20
       -
               {

     

       21
       -
                   "action": "accept",

     

       22
       -
                   "src": ["tag:private-infra"],

     

       23
       -
                   "dst": ["tag:private-infra:*"],

     

       24
       -
               },

     

       25
       -
               {

     

       26
       -
                   "action": "accept",

     

       27
       -
                   "src": ["90008@gaze.systems"],

     

       28
       -
                   "dst": ["90008@gaze.systems:*"],

     

       29
       -
               },

     

       30
       -
               {

     

       31
       -
                   "action": "accept",

     

       32
       -
                   "src": ["90008@gaze.systems", "tag:private-infra"],

     

       33
       -
                   "dst": ["autogroup:internet:*"],

     

       34
       -
               },

     

       35
       -
           ],

     

       36
       -
       }

hosts/wolumonde/modules/headscale.nix/default.nix

···

       67
        
           };

     

       68
        
         };

     

       69
        
       

     

       0
        
       
     

       70
        
         services.nginx.virtualHosts.${domain} = {

     

       71
        
           useACMEHost = rootDomain;

     

       72
        
           forceSSL = true;

···

       67
        
           };

     

       68
        
         };

     

       69
        
       

     

       70
       +
         security.acme.certs."gaze.systems".extraDomainNames = [domain];

     

       71
        
         services.nginx.virtualHosts.${domain} = {

     

       72
        
           useACMEHost = rootDomain;

     

       73
        
           forceSSL = true;

+6 -3

hosts/wolumonde/modules/hedgedoc.nix

···

       1
       -
       { config, ... }:

     

       0
        
       
     

       0
        
       
     

       2
        
       {

     

       3
        
         services.hedgedoc = {

     

       4
        
           enable = true;

     
···

       14
        
           };

     

       15
        
         };

     

       16
        
       

     

       17
       -
         services.nginx.virtualHosts."doc.gaze.systems" = {

     

       0
        
       
     

       18
        
           useACMEHost = "gaze.systems";

     

       19
        
           forceSSL = true;

     

       20
        
           quic = true;

     

       21
        
           kTLS = true;

     

       22
        
           locations."/".proxyPass =

     

       23
       -
             "http://${config.services.hedgedoc.settings.host}:${toString config.services.hedgedoc.settings.port}";

     

       24
        
         };

     

       25
        
       }

···

       1
       +
       { config, ... }: let

     

       2
       +
         cfg = config.services.hedgedoc.settings;

     

       3
       +
       in

     

       4
        
       {

     

       5
        
         services.hedgedoc = {

     

       6
        
           enable = true;

     
···

       16
        
           };

     

       17
        
         };

     

       18
        
       

     

       19
       +
         security.acme.certs."gaze.systems".extraDomainNames = [cfg.domain];

     

       20
       +
         services.nginx.virtualHosts.${cfg.domain} = {

     

       21
        
           useACMEHost = "gaze.systems";

     

       22
        
           forceSSL = true;

     

       23
        
           quic = true;

     

       24
        
           kTLS = true;

     

       25
        
           locations."/".proxyPass =

     

       26
       +
             "http://${cfg.host}:${toString cfg.port}";

     

       27
        
         };

     

       28
        
       }

+9 -3

hosts/wolumonde/modules/limbusart.nix

···

       6
        
       }:

     

       7
        
       let

     

       8
        
         pkg = pkgs.callPackage "${inputs.limbusart}/package.nix" { };

     

       0
        
       
     

       0
        
       
     

       9
        
       in

     

       10
        
       {

     

       11
        
         systemd.services.limbusart = {

     
···

       35
        
         };

     

       36
        
         users.groups.limbusart = { };

     

       37
        
       

     

       38
       -
         services.nginx.virtualHosts."pmart.gaze.systems" = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       39
        
           useACMEHost = "gaze.systems";

     

       40
        
           forceSSL = true;

     

       41
        
           quic = true;

     
···

       43
        
           locations."/".proxyPass = "http://localhost:3000";

     

       44
        
         };

     

       45
        
         # redirects

     

       46
       -
         services.nginx.virtualHosts."limbus.gaze.systems" = {

     

       47
        
           useACMEHost = "gaze.systems";

     

       48
        
           forceSSL = true;

     

       49
        
           quic = true;

     

       50
        
           kTLS = true;

     

       51
       -
           globalRedirect = "pmart.gaze.systems";

     

       52
        
         };

     

       53
        
       }

···

       6
        
       }:

     

       7
        
       let

     

       8
        
         pkg = pkgs.callPackage "${inputs.limbusart}/package.nix" { };

     

       9
       +
         domain = "pmart.gaze.systems";

     

       10
       +
         oldDomain = "limbus.gaze.systems";

     

       11
        
       in

     

       12
        
       {

     

       13
        
         systemd.services.limbusart = {

     
···

       37
        
         };

     

       38
        
         users.groups.limbusart = { };

     

       39
        
       

     

       40
       +
         security.acme.certs."gaze.systems".extraDomainNames = [

     

       41
       +
           domain

     

       42
       +
           oldDomain

     

       43
       +
         ];

     

       44
       +
         services.nginx.virtualHosts.${domain} = {

     

       45
        
           useACMEHost = "gaze.systems";

     

       46
        
           forceSSL = true;

     

       47
        
           quic = true;

     
···

       49
        
           locations."/".proxyPass = "http://localhost:3000";

     

       50
        
         };

     

       51
        
         # redirects

     

       52
       +
         services.nginx.virtualHosts.${oldDomain} = {

     

       53
        
           useACMEHost = "gaze.systems";

     

       54
        
           forceSSL = true;

     

       55
        
           quic = true;

     

       56
        
           kTLS = true;

     

       57
       +
           globalRedirect = domain;

     

       58
        
         };

     

       59
        
       }

+1 -20

hosts/wolumonde/modules/nginx.nix

···

       45
        
           defaults.email = (import "${inputs.self}/personal.nix").emails.primary;

     

       46
        
           defaults.webroot = "/var/lib/acme/acme-challenge";

     

       47
        
           certs."poor.dog" = { };

     

       48
       -
           certs."gaze.systems" = {

     

       49
       -
             extraDomainNames = [

     

       50
       -
               "git.gaze.systems"

     

       51
       -
               # "test.gaze.systems"

     

       52
       -
               # "ms.gaze.systems"

     

       53
       -
               # "mq.gaze.systems"

     

       54
       -
               # "couchdb.gaze.systems"

     

       55
       -
               "doc.gaze.systems"

     

       56
       -
               "pmart.gaze.systems"

     

       57
       -
               "limbus.gaze.systems"

     

       58
       -
               # "bsky.gaze.systems"

     

       59
       -
               "dawn.gaze.systems"

     

       60
       -
               "guestbook.gaze.systems"

     

       61
       -
               "dash.gaze.systems"

     

       62
       -
               "knot.gaze.systems"

     

       63
       -
               "spindle.gaze.systems"

     

       64
       -
               "id.gaze.systems"

     

       65
       -
               "vpn.gaze.systems"

     

       66
       -
             ];

     

       67
       -
           };

     

       68
        
         };

     

       69
        
         services.nginx.virtualHosts."gaze.systems" = {

     

       70
        
           quic = true;

···

       45
        
           defaults.email = (import "${inputs.self}/personal.nix").emails.primary;

     

       46
        
           defaults.webroot = "/var/lib/acme/acme-challenge";

     

       47
        
           certs."poor.dog" = { };

     

       48
       +
           certs."gaze.systems" = { };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       49
        
         };

     

       50
        
         services.nginx.virtualHosts."gaze.systems" = {

     

       51
        
           quic = true;

+4 -5

hosts/wolumonde/modules/nsid-tracker.nix

···

       49
        
             ExecStart = "${pkgs.curl}/bin/curl http://dusk-devel-mobi:${toString port}/events";

     

       50
        
           };

     

       51
        
         };

     

       52
       -
         systemd.timers.nsid-tracker-keep-alive = {

     

       53
       -
           timerConfig = {

     

       54
       -
             OnCalendar = "*-*-* *:00/5:05";

     

       55
       -
             Unit = "nsid-tracker-keep-alive.service";

     

       56
       -
           };

     

       57
        
         };

     

       58
        
       

     

       59
        
         services.nginx.virtualHosts."gaze.systems" = {

···

       49
        
             ExecStart = "${pkgs.curl}/bin/curl http://dusk-devel-mobi:${toString port}/events";

     

       50
        
           };

     

       51
        
         };

     

       52
       +
         systemd.timers.nsid-tracker-keep-alive.timerConfig = {

     

       53
       +
           OnBootSec = "5 min";

     

       54
       +
           OnUnitActiveSec = "5 min";

     

       55
       +
           Unit = "nsid-tracker-keep-alive.service";

     

       0
        
       
     

       56
        
         };

     

       57
        
       

     

       58
        
         services.nginx.virtualHosts."gaze.systems" = {

hosts/wolumonde/modules/perses.nix/default.nix

···

       78
        
           cp -f ${./provision}/* ${provisioningFolder}

     

       79
        
         '';

     

       80
        
       

     

       0
        
       
     

       81
        
         services.nginx.virtualHosts.${domain} = {

     

       82
        
           useACMEHost = "gaze.systems"; # TODO: write a module to define vhosts for subdomains

     

       83
        
           quic = true;

···

       78
        
           cp -f ${./provision}/* ${provisioningFolder}

     

       79
        
         '';

     

       80
        
       

     

       81
       +
         security.acme.certs."gaze.systems".extraDomainNames = [domain];

     

       82
        
         services.nginx.virtualHosts.${domain} = {

     

       83
        
           useACMEHost = "gaze.systems"; # TODO: write a module to define vhosts for subdomains

     

       84
        
           quic = true;

hosts/wolumonde/modules/pocket-id.nix

···

       13
        
           };

     

       14
        
         };

     

       15
        
       

     

       0
        
       
     

       0
        
       
     

       16
        
         services.nginx.virtualHosts.${domain} = {

     

       17
        
           useACMEHost = "gaze.systems";

     

       18
        
           forceSSL = true;

···

       13
        
           };

     

       14
        
         };

     

       15
        
       

     

       16
       +
         security.acme.certs."gaze.systems".extraDomainNames = [domain];

     

       17
       +
       

     

       18
        
         services.nginx.virtualHosts.${domain} = {

     

       19
        
           useACMEHost = "gaze.systems";

     

       20
        
           forceSSL = true;

+1 -86

hosts/wolumonde/modules/tangled.nix/default.nix

···

       1
        
       {

     

       2
       -
         lib,

     

       3
       -
         config,

     

       4
       -
         inputs,

     

       5
       -
         terra,

     

       6
       -
         ...

     

       7
       -
       }:

     

       8
       -
       let

     

       9
       -
         knotCfg = config.services.tangled-knot;

     

       10
       -
         spindleCfg = config.services.tangled-spindle;

     

       11
       -
       in

     

       12
       -
       {

     

       13
       -
         imports = [

     

       14
       -
           "${inputs.tangled}/nix/modules/knot.nix"

     

       15
       -
           "${inputs.tangled}/nix/modules/spindle.nix"

     

       16
       -
         ];

     

       17
       -
       

     

       18
       -
         age.secrets.tangledKnot.file = ../../../../secrets/tangledKnot.age;

     

       19
       -
       

     

       20
       -
         services.tangled-knot = {

     

       21
       -
           enable = true;

     

       22
       -
           package = terra.tangled-knot;

     

       23
       -
           gitUser = "git";

     

       24
       -
           motdFile = ./motd;

     

       25
       -
           server = {

     

       26
       -
             listenAddr = "0.0.0.0:7777";

     

       27
       -
             secretFile = config.age.secrets.tangledKnot.path;

     

       28
       -
             hostname = "knot.gaze.systems";

     

       29
       -
           };

     

       30
       -
         };

     

       31
       -
       

     

       32
       -
         services.nginx.virtualHosts.${knotCfg.server.hostname} = {

     

       33
       -
           useACMEHost = "gaze.systems";

     

       34
       -
           forceSSL = true;

     

       35
       -
           quic = true;

     

       36
       -
           kTLS = true;

     

       37
       -
           locations."/" = {

     

       38
       -
             proxyPass = "http://${knotCfg.server.listenAddr}";

     

       39
       -
             proxyWebsockets = true;

     

       40
       -
           };

     

       41
       -
         };

     

       42
       -
       

     

       43
       -
         services.tangled-spindle = {

     

       44
       -
           enable = true;

     

       45
       -
           package = terra.tangled-spindle;

     

       46
       -
           server = {

     

       47
       -
             listenAddr = "0.0.0.0:7391";

     

       48
       -
             hostname = "spindle.gaze.systems";

     

       49
       -
             owner = "did:plc:dfl62fgb7wtjj3fcbb72naae";

     

       50
       -
             secrets = {

     

       51
       -
               provider = "openbao";

     

       52
       -
               openbao.proxyAddr = "http://spindle.bao.lan.gaze.systems";

     

       53
       -
             };

     

       54
       -
           };

     

       55
       -
         };

     

       56
       -
         users.users.spindle = {

     

       57
       -
           group = "spindle";

     

       58
       -
           isSystemUser = true;

     

       59
       -
         };

     

       60
       -
         users.groups.spindle = { };

     

       61
       -
         users.groups.podman.members = [ "spindle" ];

     

       62
       -
         systemd.services.spindle = {

     

       63
       -
           after = lib.mkForce [ "network.target" "openbao-proxy-spindle.service" ];

     

       64
       -
           serviceConfig = {

     

       65
       -
             User = "spindle";

     

       66
       -
             Group = "spindle";

     

       67
       -
           };

     

       68
       -
         };

     

       69
       -
       

     

       70
       -
         services.nginx.virtualHosts.${spindleCfg.server.hostname} = {

     

       71
       -
           useACMEHost = "gaze.systems";

     

       72
       -
           forceSSL = true;

     

       73
       -
           quic = true;

     

       74
       -
           kTLS = true;

     

       75
       -
           locations."/" = {

     

       76
       -
             proxyPass = "http://${spindleCfg.server.listenAddr}";

     

       77
       -
             proxyWebsockets = true;

     

       78
       -
           };

     

       79
       -
         };

     

       80
       -
       

     

       81
       -
         virtualisation.docker.enable = lib.mkForce false;

     

       82
       -
         virtualisation.podman = {

     

       83
       -
           enable = true;

     

       84
       -
           autoPrune.enable = true;

     

       85
       -
           dockerCompat = true;

     

       86
       -
           dockerSocket.enable = true;

     

       87
       -
         };

     

       88
        
       }

···

       1
        
       {

     

       2
       +
         imports = [./knot.nix ./spindle.nix];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       3
        
       }

+41

hosts/wolumonde/modules/tangled.nix/knot.nix

···

       1
       +
       {

     

       2
       +
         config,

     

       3
       +
         inputs,

     

       4
       +
         terra,

     

       5
       +
         ...

     

       6
       +
       }:

     

       7
       +
       let

     

       8
       +
         knotCfg = config.services.tangled-knot;

     

       9
       +
       in

     

       10
       +
       {

     

       11
       +
         imports = [

     

       12
       +
           "${inputs.tangled}/nix/modules/knot.nix"

     

       13
       +
         ];

     

       14
       +
       

     

       15
       +
         age.secrets.tangledKnot.file = ../../../../secrets/tangledKnot.age;

     

       16
       +
       

     

       17
       +
         services.tangled-knot = {

     

       18
       +
           enable = true;

     

       19
       +
           package = terra.tangled-knot;

     

       20
       +
           gitUser = "git";

     

       21
       +
           motdFile = ./motd;

     

       22
       +
           server = {

     

       23
       +
             listenAddr = "0.0.0.0:7777";

     

       24
       +
             secretFile = config.age.secrets.tangledKnot.path;

     

       25
       +
             hostname = "knot.gaze.systems";

     

       26
       +
           };

     

       27
       +
         };

     

       28
       +
       

     

       29
       +
         security.acme.certs."gaze.systems".extraDomainNames = [knotCfg.server.hostname];

     

       30
       +
       

     

       31
       +
         services.nginx.virtualHosts.${knotCfg.server.hostname} = {

     

       32
       +
           useACMEHost = "gaze.systems";

     

       33
       +
           forceSSL = true;

     

       34
       +
           quic = true;

     

       35
       +
           kTLS = true;

     

       36
       +
           locations."/" = {

     

       37
       +
             proxyPass = "http://${knotCfg.server.listenAddr}";

     

       38
       +
             proxyWebsockets = true;

     

       39
       +
           };

     

       40
       +
         };

     

       41
       +
       }

+63

hosts/wolumonde/modules/tangled.nix/spindle.nix

···

       1
       +
       {

     

       2
       +
         lib,

     

       3
       +
         config,

     

       4
       +
         inputs,

     

       5
       +
         terra,

     

       6
       +
         ...

     

       7
       +
       }:

     

       8
       +
       let

     

       9
       +
         spindleCfg = config.services.tangled-spindle;

     

       10
       +
       in

     

       11
       +
       {

     

       12
       +
         imports = [

     

       13
       +
           "${inputs.tangled}/nix/modules/spindle.nix"

     

       14
       +
         ];

     

       15
       +
       

     

       16
       +
         services.tangled-spindle = {

     

       17
       +
           enable = true;

     

       18
       +
           package = terra.tangled-spindle;

     

       19
       +
           server = {

     

       20
       +
             listenAddr = "0.0.0.0:7391";

     

       21
       +
             hostname = "spindle.gaze.systems";

     

       22
       +
             owner = "did:plc:dfl62fgb7wtjj3fcbb72naae";

     

       23
       +
             secrets = {

     

       24
       +
               provider = "openbao";

     

       25
       +
               openbao.proxyAddr = "http://spindle.bao.lan.gaze.systems";

     

       26
       +
             };

     

       27
       +
           };

     

       28
       +
         };

     

       29
       +
         users.users.spindle = {

     

       30
       +
           group = "spindle";

     

       31
       +
           isSystemUser = true;

     

       32
       +
         };

     

       33
       +
         users.groups.spindle = { };

     

       34
       +
         users.groups.podman.members = [ "spindle" ];

     

       35
       +
         systemd.services.spindle = {

     

       36
       +
           after = lib.mkForce [ "network.target" "openbao-proxy-spindle.service" ];

     

       37
       +
           serviceConfig = {

     

       38
       +
             User = "spindle";

     

       39
       +
             Group = "spindle";

     

       40
       +
           };

     

       41
       +
         };

     

       42
       +
       

     

       43
       +
         security.acme.certs."gaze.systems".extraDomainNames = [spindleCfg.server.hostname];

     

       44
       +
       

     

       45
       +
         services.nginx.virtualHosts.${spindleCfg.server.hostname} = {

     

       46
       +
           useACMEHost = "gaze.systems";

     

       47
       +
           forceSSL = true;

     

       48
       +
           quic = true;

     

       49
       +
           kTLS = true;

     

       50
       +
           locations."/" = {

     

       51
       +
             proxyPass = "http://${spindleCfg.server.listenAddr}";

     

       52
       +
             proxyWebsockets = true;

     

       53
       +
           };

     

       54
       +
         };

     

       55
       +
       

     

       56
       +
         virtualisation.docker.enable = lib.mkForce false;

     

       57
       +
         virtualisation.podman = {

     

       58
       +
           enable = true;

     

       59
       +
           autoPrune.enable = true;

     

       60
       +
           dockerCompat = true;

     

       61
       +
           dockerSocket.enable = true;

     

       62
       +
         };

     

       63
       +
       }