Move individual custom firewall rules to their own service files

modules/system/services/server/owncast/default.nix

@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+{
+  imports = [ ./nginx ];
+
+  config = lib.mkIf config.system.socialserver.enable {
+    services.owncast = {
+      enable = true;
+      port = 8060;
+      rtmp-port = 1945;
+    };
+    networking.nftables.tables.owncast = {
+      family = "inet";
+      content = ''
+        chain input {
+          ip saddr 10.0.0.0/8 tcp dport 1945 accept comment "Accept RTMP"
+        }
+      '';
+    };
+    environment.persistence."/persist".directories = [ "/var/lib/owncast" ];
+  };
+}

modules/system/services/server/owncast/nginx/default.nix

@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+{
+  services.nginx.virtualHosts."live.nixfox.ca" = lib.mkIf config.services.owncast.enable {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8060";
+      proxyWebsockets = true;
+    };
+  };
+}