nixos_config/nixos/hosts/alisceon-core/configuration.nix

{ lib, pkgs, modulesPath, ... }:
{
  imports = [
    "${modulesPath}/virtualisation/oci-image.nix"
    ../../modules/services/cloud-init.nix
    ../../modules/services/forgejo.nix
    ../../modules/services/nginx.nix
    ../../modules/services/oci-authorized-keys.nix
    ../../modules/services/tor.nix
  ];

  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";

  networking = {
    hostName = "alisceon-core";
    networkmanager.enable = lib.mkForce false;
    firewall.allowedTCPPorts = [
      22
      80
      443
      22000
      24601
    ];
    firewall.allowedUDPPorts = [
      22000
    ];
  };

  boot = {
    initrd.availableKernelModules = [
      "virtio_pci"
      "virtio_blk"
      "virtio_scsi"
      "virtio_net"
      "xhci_pci"
    ];
    loader.systemd-boot.configurationLimit = lib.mkForce 3;
  };

  nix = {
    settings = {
      min-free = lib.mkForce (512 * 1024 * 1024);
      max-free = lib.mkForce (2 * 1024 * 1024 * 1024);
    };
    gc = {
      dates = lib.mkForce "daily";
      options = lib.mkForce "--delete-older-than 3d";
    };
  };

  virtualisation = {
    docker.enable = lib.mkForce false;
    podman = {
      enable = true;
      dockerSocket.enable = true;
      autoPrune = {
        enable = true;
        dates = "daily";
        flags = [ "--all" ];
      };
    };
  };

  users.users.alisceon.extraGroups = [ "systemd-journal" ];

  alisceon = {
    cloud-init = {
      enable = true;
      defaultShell = "/run/current-system/sw/bin/xonsh";
    };
    ociAuthorizedKeys.enable = true;
  };

  security = {
    acme = {
      acceptTerms = true;
      defaults.email = "acme@alisceon.com";
    };
    sudo-rs.wheelNeedsPassword = false;
  };

  services.openssh.settings = {
    PasswordAuthentication = false;
    PermitRootLogin = lib.mkForce "prohibit-password";
  };

  services.syncthing = {
    enable = true;
    dataDir = "/var/lib/syncthing";
    guiAddress = "127.0.0.1:8384";
    openDefaultPorts = false;
    overrideDevices = false;
    overrideFolders = false;
    settings = {
      gui = {
        insecureAdminAccess = false;
        insecureSkipHostcheck = false;
      };
      options = {
        globalAnnounceEnabled = false;
        localAnnounceEnabled = false;
        listenAddresses = [
          "tcp://0.0.0.0:22000"
          "quic://0.0.0.0:22000"
        ];
        natEnabled = false;
        relaysEnabled = false;
        urAccepted = -1;
      };
    };
  };

  alisceon.forgejo.domain = "forgejo.alisceon.com";

  services.gitea-actions-runner.instances.alisceon-core-podman.labels = [
    "podman"
    "aarch64"
    "arm64"
  ];

  services.nginx.virtualHosts = {
    ${"forgejo.alisceon.com"} = {
      serverName = "forgejo.alisceon.com";
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:3000";
        recommendedProxySettings = true;
      };
    };
    ${"syncthing.alisceon.com"} = {
      serverName = "syncthing.alisceon.com";
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8384";
        recommendedProxySettings = false;
        extraConfig = ''
          proxy_set_header Host $proxy_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_read_timeout 600s;
          proxy_send_timeout 600s;
        '';
      };
    };
  };

  systemd.services.syncthing = {
    serviceConfig = {
      LockPersonality = true;
      PrivateIPC = true;
      ProcSubset = "pid";
      ProtectClock = true;
      ProtectHome = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      ReadWritePaths = [ "/var/lib/syncthing" ];
      RemoveIPC = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_NETLINK"
        "AF_UNIX"
      ];
      SystemCallArchitectures = "native";
      UMask = "0077";
    };
  };

  environment.systemPackages = with pkgs; [
    curl
    git
    htop
    jq
    vim
    wget
  ];

  system.stateVersion = lib.mkForce "25.11";
}
add oci target 2026-05-27 16:39:26 +02:00			`{ lib, pkgs, modulesPath, ... }:`
			`{`
			`imports = [`
			`"${modulesPath}/virtualisation/oci-image.nix"`
add blogbox target 2026-05-29 19:30:07 +02:00			`../../modules/services/cloud-init.nix`
cleaning and refactoring alisceon-core 2026-05-29 18:13:23 +02:00			`../../modules/services/forgejo.nix`
			`../../modules/services/nginx.nix`
add blogbox target 2026-05-29 19:30:07 +02:00			`../../modules/services/oci-authorized-keys.nix`
cleaning and refactoring alisceon-core 2026-05-29 18:13:23 +02:00			`../../modules/services/tor.nix`
add oci target 2026-05-27 16:39:26 +02:00			`];`

			`nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";`

			`networking = {`
name change 2026-05-27 21:34:02 +02:00			`hostName = "alisceon-core";`
add oci target 2026-05-27 16:39:26 +02:00			`networkmanager.enable = lib.mkForce false;`
lgtm ship it 2026-05-27 22:44:34 +02:00			`firewall.allowedTCPPorts = [`
			`22`
			`80`
			`443`
add syncthing to alisceon-core 2026-05-29 15:17:42 +02:00			`22000`
regress to sane port 2026-05-27 23:26:48 +02:00			`24601`
lgtm ship it 2026-05-27 22:44:34 +02:00			`];`
add syncthing to alisceon-core 2026-05-29 15:17:42 +02:00			`firewall.allowedUDPPorts = [`
			`22000`
			`];`
add oci target 2026-05-27 16:39:26 +02:00			`};`

lgtm ship it 2026-05-27 22:44:34 +02:00			`boot = {`
			`initrd.availableKernelModules = [`
			`"virtio_pci"`
			`"virtio_blk"`
			`"virtio_scsi"`
			`"virtio_net"`
			`"xhci_pci"`
			`];`
			`loader.systemd-boot.configurationLimit = lib.mkForce 3;`
			`};`

			`nix = {`
			`settings = {`
			`min-free = lib.mkForce (512 * 1024 * 1024);`
			`max-free = lib.mkForce (2 * 1024 * 1024 * 1024);`
			`};`
			`gc = {`
			`dates = lib.mkForce "daily";`
			`options = lib.mkForce "--delete-older-than 3d";`
			`};`
			`};`

			`virtualisation = {`
			`docker.enable = lib.mkForce false;`
			`podman = {`
			`enable = true;`
			`dockerSocket.enable = true;`
			`autoPrune = {`
			`enable = true;`
			`dates = "daily";`
			`flags = [ "--all" ];`
			`};`
			`};`
			`};`
add oci target 2026-05-27 16:39:26 +02:00
			`users.users.alisceon.extraGroups = [ "systemd-journal" ];`

add blogbox target 2026-05-29 19:30:07 +02:00			`alisceon = {`
			`cloud-init = {`
			`enable = true;`
			`defaultShell = "/run/current-system/sw/bin/xonsh";`
			`};`
			`ociAuthorizedKeys.enable = true;`
			`};`

lgtm ship it 2026-05-27 22:44:34 +02:00			`security = {`
			`acme = {`
			`acceptTerms = true;`
			`defaults.email = "acme@alisceon.com";`
			`};`
			`sudo-rs.wheelNeedsPassword = false;`
			`};`
add oci target 2026-05-27 16:39:26 +02:00
			`services.openssh.settings = {`
			`PasswordAuthentication = false;`
			`PermitRootLogin = lib.mkForce "prohibit-password";`
			`};`

add syncthing to alisceon-core 2026-05-29 15:17:42 +02:00			`services.syncthing = {`
			`enable = true;`
			`dataDir = "/var/lib/syncthing";`
			`guiAddress = "127.0.0.1:8384";`
			`openDefaultPorts = false;`
			`overrideDevices = false;`
			`overrideFolders = false;`
			`settings = {`
			`gui = {`
			`insecureAdminAccess = false;`
			`insecureSkipHostcheck = false;`
			`};`
			`options = {`
			`globalAnnounceEnabled = false;`
			`localAnnounceEnabled = false;`
			`listenAddresses = [`
			`"tcp://0.0.0.0:22000"`
			`"quic://0.0.0.0:22000"`
			`];`
			`natEnabled = false;`
			`relaysEnabled = false;`
			`urAccepted = -1;`
			`};`
			`};`
			`};`

add blogbox target 2026-05-29 19:30:07 +02:00			`alisceon.forgejo.domain = "forgejo.alisceon.com";`
lgtm ship it 2026-05-27 22:44:34 +02:00
cleaning and refactoring alisceon-core 2026-05-29 18:13:23 +02:00			`services.gitea-actions-runner.instances.alisceon-core-podman.labels = [`
			`"podman"`
			`"aarch64"`
			`"arm64"`
			`];`

			`services.nginx.virtualHosts = {`
add blogbox target 2026-05-29 19:30:07 +02:00			`${"forgejo.alisceon.com"} = {`
			`serverName = "forgejo.alisceon.com";`
cleaning and refactoring alisceon-core 2026-05-29 18:13:23 +02:00			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:3000";`
			`recommendedProxySettings = true;`
lgtm ship it 2026-05-27 22:44:34 +02:00			`};`
			`};`
add blogbox target 2026-05-29 19:30:07 +02:00			`${"syncthing.alisceon.com"} = {`
			`serverName = "syncthing.alisceon.com";`
cleaning and refactoring alisceon-core 2026-05-29 18:13:23 +02:00			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:8384";`
			`recommendedProxySettings = false;`
421 and tor connection 2026-05-27 23:17:53 +02:00			`extraConfig = ''`
cleaning and refactoring alisceon-core 2026-05-29 18:13:23 +02:00			`proxy_set_header Host $proxy_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Host $host;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_read_timeout 600s;`
			`proxy_send_timeout 600s;`
421 and tor connection 2026-05-27 23:17:53 +02:00			`'';`
lgtm ship it 2026-05-27 22:44:34 +02:00			`};`
			`};`
			`};`

add syncthing to alisceon-core 2026-05-29 15:17:42 +02:00			`systemd.services.syncthing = {`
			`serviceConfig = {`
			`LockPersonality = true;`
			`PrivateIPC = true;`
			`ProcSubset = "pid";`
			`ProtectClock = true;`
			`ProtectHome = true;`
			`ProtectProc = "invisible";`
			`ProtectSystem = "strict";`
			`ReadWritePaths = [ "/var/lib/syncthing" ];`
			`RemoveIPC = true;`
			`RestrictAddressFamilies = [`
			`"AF_INET"`
			`"AF_INET6"`
			`"AF_NETLINK"`
			`"AF_UNIX"`
			`];`
			`SystemCallArchitectures = "native";`
			`UMask = "0077";`
			`};`
			`};`

add oci target 2026-05-27 16:39:26 +02:00			`environment.systemPackages = with pkgs; [`
			`curl`
			`git`
			`htop`
			`jq`
			`vim`
			`wget`
			`];`

			`system.stateVersion = lib.mkForce "25.11";`
			`}`