diff --git a/configurations/nixos/gate/configuration.nix b/configurations/nixos/gate/configuration.nix
new file mode 100644
index 0000000..2edd35c
--- /dev/null
+++ b/configurations/nixos/gate/configuration.nix
@@ -0,0 +1,15 @@
+{ ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./networking.nix # generated at runtime by nixos-infect
+
+ ];
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+ networking.hostName = "gate";
+ networking.domain = "";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQRxPoqlThDrkR58pKnJgmeWPY9/wleReRbZ2MOZRyd'' ];
+ system.stateVersion = "23.11";
+}
diff --git a/configurations/nixos/gate/default.nix b/configurations/nixos/gate/default.nix
new file mode 100644
index 0000000..cf03e48
--- /dev/null
+++ b/configurations/nixos/gate/default.nix
@@ -0,0 +1,39 @@
+{ flake, pkgs, ... }:
+
+let
+ inherit (flake) inputs;
+ inherit (inputs) self;
+in
+{
+ # nixos-unified.sshTarget = "root@5.161.184.111";
+ nixos-unified.sshTarget = "gate";
+
+ imports = [
+ ./configuration.nix
+ (self + /modules/nixos/shared/primary-as-admin.nix)
+ ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+ services.tailscale.enable = true;
+ services.openssh.settings.PasswordAuthentication = false;
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts."actualism.app" = {
+ # FIXME: Don't hardcode, instead of read from pureintent's containers.nix
+ locations."/".proxyPass = "http://pureintent:3000";
+ enableACME = true;
+ addSSL = true;
+ };
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "srid@srid.ca";
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 22 ];
+
+ # Workaround the annoying `Failed to start Network Manager Wait Online` error on switch.
+ # https://github.com/NixOS/nixpkgs/issues/180175
+ systemd.services.NetworkManager-wait-online.enable = false;
+}
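Review bot: `services.openssh.enable = true;` here gives root the only SSH key on the host, while the matching hardening (`services.openssh.settings.PasswordAuthentication = false;`) lives in default.nix, so configuration.nix is not safe to import on its own. I would move that setting next to `services.openssh.enable` and state the root policy explicitly, `services.openssh.settings.PermitRootLogin = "prohibit-password";`, rather than relying on the module default. The `imports` list also carries a stray blank entry line after `./networking.nix`, and `networking.domain = "";` assigns the empty string where the option defaults to null, so if no domain is intended the line can be dropped.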
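Review bot: `addSSL = true;` on the `actualism.app` virtual host keeps the site reachable over plain HTTP on port 80 alongside HTTPS; `forceSSL = true;` would redirect HTTP to HTTPS while still letting the ACME challenge be served. Port 22 in `networking.firewall.allowedTCPPorts` is redundant with the openssh module, which opens it by default. The `proxyPass` target `http://pureintent:3000` relies on the name `pureintent` resolving on this host (presumably over the tailnet), which nothing in this commit establishes, and nginx resolves a static proxy_pass hostname at startup, so an unresolvable name keeps the server from starting. A comment on that line naming the resolution source would help, e.g. `# "pureintent" must resolve at nginx startup (tailnet name)`.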
diff --git a/configurations/nixos/gate/hardware-configuration.nix b/configurations/nixos/gate/hardware-configuration.nix
new file mode 100644
index 0000000..b1aacee
--- /dev/null
+++ b/configurations/nixos/gate/hardware-configuration.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}
diff --git a/configurations/nixos/gate/networking.nix b/configurations/nixos/gate/networking.nix
new file mode 100644
index 0000000..2b25d5f
--- /dev/null
+++ b/configurations/nixos/gate/networking.nix
@@ -0,0 +1,34 @@
+{ lib, ... }: {
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ nameservers = [
+ "8.8.8.8"
+ ];
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [
+ { address = "5.161.184.111"; prefixLength = 32; }
+ ];
+ ipv6.addresses = [
+ { address = "2a01:4ff:f0:9d5a::1"; prefixLength = 64; }
+ { address = "fe80::9400:3ff:fedc:b821"; prefixLength = 64; }
+ ];
+ ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }];
+ ipv6.routes = [{ address = "fe80::1"; prefixLength = 128; }];
+ };
+
+ };
+ };
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:03:dc:b8:21", NAME="eth0"
+
+ '';
+}
diff --git a/configurations/nixos/pureintent/containers.nix b/configurations/nixos/pureintent/containers.nix
index b0be69f..0180066 100644
--- a/configurations/nixos/pureintent/containers.nix
+++ b/configurations/nixos/pureintent/containers.nix
@@ -4,8 +4,6 @@ let
 inherit (flake) inputs;
 actualism-app = inputs.actualism-app.packages.${pkgs.system}.default;
- app-port = 3000;
- app-domain = "actualism.app";
 in
 {
 containers.actualism-app = {
@@ -21,12 +19,4 @@ in
 };
 };
 };
-
- # TODO: cloudflare tunnels
- services.nginx = {
- enable = true;
- virtualHosts.${app-domain} = {
- locations."/".proxyPass = "http://localhost:${builtins.toString app-port}";
- };
- };
 }
diff --git a/flake.lock b/flake.lock
index d15feaf..2147c29 100644
--- a/flake.lock
+++ b/flake.lock
@@ -11,11 +11,11 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1731511273,
- "narHash": "sha256-WyhJUyqpYTE/zgUI/VAJhVNVUr7I/aeU57QFpdLkn4g=",
+ "lastModified": 1732052927,
+ "narHash": "sha256-j2ZXXDUehk5ruu1GFaVoBA8dxTSa0aFxjhJbFBPbqb0=",
 "owner": "srid",
 "repo": "actualism-app",
- "rev": "f4f829186819f96f27fda04d270d15cd23de7d16",
+ "rev": "83cac5782e2604b0d64aed4ec8bef438cf877220",
 "type": "github"
 },
 "original": {
diff --git a/justfile b/justfile
index a359f4b..5fd2ebc 100644
--- a/justfile
+++ b/justfile
@@ -3,14 +3,19 @@ default:
 # Activate local configuration
 [group('main')]
-activate:
+local:
 nix run
-# Deploy host 'pureintent'
-[group('main')]
-deploy:
+# Deploy to Beelink
+[group('deploy')]
+pureintent:
 nix run . pureintent
+# Deploy to nginx gate
+[group('deploy')]
+gate:
+ nix run . gate
+
 # Format the nix source tree
 fmt:
 pre-commit run --all-files