fix: fueltide hosting

hosts/nas/modules/pyload.nix

@@ -90,6 +90,9 @@ in
     };
 
     serviceConfig = {
+      # Disable PrivateTmp so unrar can use system /tmp for extraction
+      PrivateTmp = lib.mkForce false;
+
       # Bind-mount DNS configuration files into the sandboxed service
       BindReadOnlyPaths = [
         "/etc/resolv.conf"

hosts/nb/modules/desktop/default.nix

@@ -19,6 +19,7 @@ in {
     fontforge
     freecad
     firefox
+    handbrake
     openscad
     orca-slicer
 

hosts/nb/modules/development/default.nix

@@ -25,6 +25,10 @@ in {
     glib
     gnumake
 
+    # mobile
+    flutter
+    supabase-cli
+
     air
     go
 
@@ -35,6 +39,7 @@ in {
     nix-prefetch-git
     nodejs_22
     php
+    postgresql
     rbw
     sops
     unzip

hosts/nb/modules/development/nvim/config/terminal.lua

@@ -3,7 +3,7 @@ local config = {
   on_config_done = nil,
   -- size can be a number or function which is passed the current terminal
   size = 60,
-  open_mapping = [[<M-t>]],
+  open_mapping = nil,
   hide_numbers = true, -- hide the number column in toggleterm buffers
   shade_filetypes = {},
   shade_terminals = true,

hosts/web-arm/modules/nextcloud/default.nix

@@ -1,11 +1,5 @@
 { pkgs, config, ... }: 
 let
-  nextcloud30 = pkgs.nextcloud30.overrideAttrs (oldAttrs: {
-    src = pkgs.fetchurl {
-      url = "https://download.nextcloud.com/server/releases/nextcloud-30.0.2.tar.bz2";
-      sha256 = "sha256-kpu4BF6WIW/iKmXc1mJ55b17oauynZm/QB1CO2RqRF8=";
-    };
-  });
 in
 {
   sops.secrets.nextcloud-adminpass.owner = "nextcloud";

hosts/web-arm/sites/fueltide.io.nix

@@ -1,11 +1,21 @@
 { pkgs, lib, config, ... }:
-let
-  domain = "fueltide.cloonar.dev";
-  dataDir = "/var/www/${domain}";
-in {
+{
+  # SOPS secret for fueltide.io DNS credentials (separate Hetzner API token)
+  sops.secrets.fueltide-lego-credentials = { };
 
-  services.webstack.instances."${domain}" = {
+  # Override ACME credentials for fueltide.io domains
+  # These use a separate Hetzner DNS API token from the global default
+  security.acme.certs."app.fueltide.io" = {
+    credentialsFile = config.sops.secrets.fueltide-lego-credentials.path;
+  };
+
+  security.acme.certs."app.stage.fueltide.io" = {
+    credentialsFile = config.sops.secrets.fueltide-lego-credentials.path;
+  };
+
+  services.webstack.instances."fueltide.cloonar.dev" = {
     enablePhp = false;
+    enableDefaultLocations = false;
 
     authorizedKeys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
@@ -13,6 +23,47 @@ in {
 
     locations."/".extraConfig = ''
       index index.html;
+      try_files $uri $uri/ /index.html;
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|avif|css|woff2)$".extraConfig = ''
+      expires 365d;
+      add_header Pragma "public";
+      add_header Cache-Control "public";
+    '';
+  };
+
+  services.webstack.instances."app.fueltide.io" = {
+    enablePhp = false;
+    enableDefaultLocations = false;
+
+    authorizedKeys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
+    ];
+
+    locations."/".extraConfig = ''
+      index index.html;
+      try_files $uri $uri/ /index.html;
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|avif|css|woff2)$".extraConfig = ''
+      expires 365d;
+      add_header Pragma "public";
+      add_header Cache-Control "public";
+    '';
+  };
+
+  services.webstack.instances."app.stage.fueltide.io" = {
+    enablePhp = false;
+    enableDefaultLocations = false;
+
+    authorizedKeys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
+    ];
+
+    locations."/".extraConfig = ''
+      index index.html;
+      try_files $uri $uri/ /index.html;
     '';
 
     locations."~* \.(js|jpg|gif|png|webp|avif|css|woff2)$".extraConfig = ''