nixos_config/nixos/hosts/blogbox/configuration.nix

{ lib, pkgs, modulesPath, ... }:
{
  imports = [
    "${modulesPath}/virtualisation/oci-image.nix"
    ../../modules/services/blogbox.nix
    ../../modules/services/cloud-init.nix
    ../../modules/services/oci-authorized-keys.nix
  ];

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

  oci.efi = lib.mkForce false;

  virtualisation.diskSize = lib.mkForce (8 * 1024);

  networking = {
    hostName = "blogbox";
    networkmanager.enable = lib.mkForce false;
    firewall.allowedTCPPorts = [
      22
    ];
  };

  boot = {
    initrd.availableKernelModules = [
      "virtio_pci"
      "virtio_blk"
      "virtio_scsi"
      "virtio_net"
      "xhci_pci"
    ];
    kernelParams = lib.mkForce [
      "nvme.shutdown_timeout=10"
      "nvme_core.shutdown_timeout=10"
      "libiscsi.debug_libiscsi_eh=1"
      "crash_kexec_post_notifiers"
      "console=tty1"
      "console=ttyS0,115200n8"
      "earlyprintk=serial,ttyS0,115200"
      "loglevel=7"
      "systemd.log_target=console"
      "systemd.journald.forward_to_console=1"
    ];
    kernelPackages = lib.mkForce pkgs.linuxPackages;
    loader.grub.configurationLimit = lib.mkForce 3;
    loader.systemd-boot.configurationLimit = lib.mkForce 3;
  };

  nix = {
    settings = {
      cores = lib.mkForce 1;
      max-jobs = lib.mkForce 1;
      min-free = lib.mkForce (256 * 1024 * 1024);
      max-free = lib.mkForce (1024 * 1024 * 1024);
    };
    gc = {
      dates = lib.mkForce "daily";
      options = lib.mkForce "--delete-older-than 3d";
    };
  };

  virtualisation = {
    containers.enable = lib.mkForce false;
    docker.enable = lib.mkForce false;
    libvirtd = {
      enable = lib.mkForce false;
      qemu.swtpm.enable = lib.mkForce false;
    };
    podman.enable = lib.mkForce false;
  };

  users.users.alisceon.extraGroups = [ "systemd-journal" ];

  alisceon = {
    blogbox.enable = true;
    cloud-init.enable = true;
    ociAuthorizedKeys.enable = true;
  };

  security = {
    acme = {
      acceptTerms = true;
      defaults.email = "acme@alisceon.com";
    };
    sudo-rs.wheelNeedsPassword = false;
  };

  services.openssh.settings = {
    KbdInteractiveAuthentication = false;
    PasswordAuthentication = false;
    PermitRootLogin = lib.mkForce "no";
  };

  services.journald.extraConfig = ''
    SystemMaxUse=64M
    RuntimeMaxUse=32M
  '';

  system.autoUpgrade = {
    enable = lib.mkForce true;
    persistent = lib.mkForce true;
  };

  systemd = {
    services = {
      dev-flake-garbage-collect.enable = lib.mkForce false;
      nixos-upgrade.serviceConfig = {
        IOSchedulingClass = "idle";
        MemoryHigh = "512M";
        MemoryMax = "900M";
        Nice = 15;
        OOMPolicy = "stop";
      };
    };
    timers.dev-flake-garbage-collect.enable = lib.mkForce false;
  };

  services.cloud-init.settings.disable_root = true;

  environment.systemPackages = with pkgs; [
    curl
    git
    htop
    jq
    vim
    wget
  ];

  swapDevices = [
    {
      device = "/swapfile";
      size = 4096;
    }
  ];

  zramSwap = {
    enable = true;
    memoryPercent = 75;
  };

  system.stateVersion = lib.mkForce "25.11";
}