diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix
index ba5c4a9..0f323d3 100644
--- a/hosts/architect/nginx.nix
+++ b/hosts/architect/nginx.nix
@@ -1,6 +1,24 @@
 { services, pkgs, lib, ... }:
+let
+  serviceSkeleton = { default ? false }: {
+    inherit default;
 
-{
+    enableACME = true;
+    forceSSL = true;
+    root = "/var/lib/nginx/error_pages";
+    extraConfig = "error_page 404 /index.htm;";
+
+    locations = {
+      "/" = { return = "404"; };
+
+      "/index.htm" = { };
+
+      "/style.css" = { };
+
+      "/wat.jpg" = { };
+    };
+  };
+in {
   services.nginx = {
     enable = true;
     package = pkgs.openresty;
@@ -9,61 +27,49 @@
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
 
-    virtualHosts."architect.devs.giugl.io" = {
-      default = true;
-      enableACME = true;
-      addSSL = true;
-      root = "/var/lib/nginx/error_pages";
-      extraConfig = "error_page 404 /index.htm;";
+    virtualHosts."architect.devs.giugl.io" = serviceSkeleton { default = true; };
+    virtualHosts."runas.rocks" = serviceSkeleton {};
+    
+    appendHttpConfig =
+      let
+        extraPureLuaPackages = with pkgs.luajitPackages; [
+          lua-resty-openidc
+          lua-resty-http
+          lua-resty-session
+          lua-resty-jwt
+          lua-resty-openssl
+        ];
+        luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
+        makeLuaPath = lib.concatMapStringsSep ";" luaPath;
+      in
+      ''
+        lua_package_path '${makeLuaPath extraPureLuaPackages};;';
+        lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+        lua_ssl_verify_depth 5;
 
-      locations = {
-        "/" = { return = "404"; };
+        # cache for OIDC discovery metadata
+        lua_shared_dict discovery 1m;
+        lua_shared_dict jwks 1m;
 
-        "/index.htm" = { };
+        # https://github.com/openresty/lua-resty-redis/issues/159
+        resolver local=on ipv6=off;
 
-        "/style.css" = { };
+        init_worker_by_lua_block {
+          function check_role (res, role)
+            if res.user.roles == nil then
+              return false
+            end
 
-        "/wat.jpg" = { };
-      };
-    };
-    appendHttpConfig = let
-      extraPureLuaPackages = with pkgs.luajitPackages; [
-        lua-resty-openidc
-        lua-resty-http
-        lua-resty-session
-        lua-resty-jwt
-        lua-resty-openssl
-      ];
-      luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
-      makeLuaPath = lib.concatMapStringsSep ";" luaPath;
-    in ''
-      lua_package_path '${makeLuaPath extraPureLuaPackages};;';
-      lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
-      lua_ssl_verify_depth 5;
+            for _,v in pairs(res.user.roles) do
+              if string.lower(v) == role then
+                return true
+              end
+            end
 
-      # cache for OIDC discovery metadata
-      lua_shared_dict discovery 1m;
-      lua_shared_dict jwks 1m;
-
-      # https://github.com/openresty/lua-resty-redis/issues/159
-      resolver local=on ipv6=off;
-
-      init_worker_by_lua_block {
-        function check_role (res, role)
-          if res.user.roles == nil then
             return false
           end
-
-          for _,v in pairs(res.user.roles) do
-            if string.lower(v) == role then
-              return true
-            end
-          end
-
-          return false
-        end
-      }
-    '';
+        }
+      '';
 
     appendConfig = ''
       worker_processes 24;