From a3b4781bd09a168171d8fec121c46a8e93c39d2e Mon Sep 17 00:00:00 2001
From: William <baduhai@proton.me>
Date: Mon, 16 Feb 2026 00:07:36 -0300
Subject: [PATCH] fix forgejo on trantor

---
 aspects/hosts/_trantor/forgejo.nix | 5 ++++-
 aspects/hosts/_trantor/nginx.nix   | 2 --
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/aspects/hosts/_trantor/forgejo.nix b/aspects/hosts/_trantor/forgejo.nix
index 1112622..8421adb 100644
--- a/aspects/hosts/_trantor/forgejo.nix
+++ b/aspects/hosts/_trantor/forgejo.nix
@@ -67,5 +67,8 @@ in
   };
 
   # Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
-  systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
+  systemd.services.forgejo.serviceConfig = {
+    PrivateMounts = lib.mkForce false;
+    ProtectSystem = lib.mkForce false;
+  };
 }
diff --git a/aspects/hosts/_trantor/nginx.nix b/aspects/hosts/_trantor/nginx.nix
index eccfb12..24f96c3 100644
--- a/aspects/hosts/_trantor/nginx.nix
+++ b/aspects/hosts/_trantor/nginx.nix
@@ -8,10 +8,8 @@
 let
   services = inputs.self.services;
 
-  # Get all unique domains from shared services on trantor (host = "trantor")
   localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "trantor") services));
 
-  # Generate ACME cert configs for all local domains
   acmeCerts = lib.genAttrs localDomains (domain: {
     group = "nginx";
   });