Changed certificate generation from HTTP-01 to DNS-01 challenge to support
services behind Tailscale/CGNAT IPs. HTTP-01 challenges fail because Let's
Encrypt cannot reach private Tailscale IPs (100.x.x.x) that Cloudflare DNS
points to.
Changes:
- Pre-configure certificates in security.acme.certs using DNS-01 via Cloudflare
- Auto-generate certificate configs from shared/services.nix
- Alexandria: filters services with host == "alexandria"
- Trantor: filters services with host == "trantor"
- Updated mkNginxVHosts to use useACMEHost instead of enableACME
- Each domain gets its own certificate configured with DNS-01 challenge
This ensures all services get valid Let's Encrypt certificates even when
accessible only through Tailscale or private networks.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Migrated forgejo service and configuration to trantor. Added nginx reverse
proxy support on trantor with ACME configuration for SSL certificates.
Fixed vaultwarden domain in shared services from vault.baduhai.dev to
pass.baduhai.dev to match actual nginx configuration.
