first working blogbox done

home/modules/programs/ssh.nix

@@ -23,12 +23,12 @@
       "blogbox-2" = {
         hostname = "10.1.0.11";
         proxyJump = "alisceon-core";
-        user = "opc";
+        user = "alisceon";
       };
       "blogbox-1" = {
-        hostname = "10.1.0.247";
+        hostname = "10.1.0.10";
         proxyJump = "alisceon-core";
-        user = "opc";
+        user = "alisceon";
       };
       "filurbox" = {
         hostname = "oci.malice.zone";

nixos/hosts/blogbox/configuration.nix

@@ -3,26 +3,20 @@
   imports = [
     "${modulesPath}/virtualisation/oci-image.nix"
     ../../modules/services/cloud-init.nix
-    ../../modules/services/forgejo.nix
-    ../../modules/services/nginx.nix
     ../../modules/services/oci-authorized-keys.nix
-    ../../modules/services/tor.nix
   ];
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 
+  oci.efi = lib.mkForce false;
+
+  virtualisation.diskSize = lib.mkForce (8 * 1024);
+
   networking = {
     hostName = "blogbox";
     networkmanager.enable = lib.mkForce false;
     firewall.allowedTCPPorts = [
       22
-      80
-      443
-      22000
-      24601
-    ];
-    firewall.allowedUDPPorts = [
-      22000
     ];
   };
 
@@ -34,13 +28,29 @@
       "virtio_net"
       "xhci_pci"
     ];
+    kernelParams = lib.mkForce [
+      "nvme.shutdown_timeout=10"
+      "nvme_core.shutdown_timeout=10"
+      "libiscsi.debug_libiscsi_eh=1"
+      "crash_kexec_post_notifiers"
+      "console=tty1"
+      "console=ttyS0,115200n8"
+      "earlyprintk=serial,ttyS0,115200"
+      "loglevel=7"
+      "systemd.log_target=console"
+      "systemd.journald.forward_to_console=1"
+    ];
+    kernelPackages = lib.mkForce pkgs.linuxPackages;
+    loader.grub.configurationLimit = lib.mkForce 3;
     loader.systemd-boot.configurationLimit = lib.mkForce 3;
   };
 
   nix = {
     settings = {
-      min-free = lib.mkForce (512 * 1024 * 1024);
+      cores = lib.mkForce 1;
-      max-free = lib.mkForce (2 * 1024 * 1024 * 1024);
+      max-jobs = lib.mkForce 1;
+      min-free = lib.mkForce (256 * 1024 * 1024);
+      max-free = lib.mkForce (1024 * 1024 * 1024);
     };
     gc = {
       dates = lib.mkForce "daily";
@@ -49,25 +59,19 @@
   };
 
   virtualisation = {
+    containers.enable = lib.mkForce false;
     docker.enable = lib.mkForce false;
-    podman = {
+    libvirtd = {
-      enable = true;
+      enable = lib.mkForce false;
-      dockerSocket.enable = true;
+      qemu.swtpm.enable = lib.mkForce false;
-      autoPrune = {
-        enable = true;
-        dates = "daily";
-        flags = [ "--all" ];
-      };
     };
+    podman.enable = lib.mkForce false;
   };
 
   users.users.alisceon.extraGroups = [ "systemd-journal" ];
 
   alisceon = {
-    cloud-init = {
+    cloud-init.enable = true;
-      enable = true;
-      defaultShell = "/run/current-system/sw/bin/xonsh";
-    };
     ociAuthorizedKeys.enable = true;
   };
 
@@ -80,96 +84,30 @@
   };
 
   services.openssh.settings = {
+    KbdInteractiveAuthentication = false;
     PasswordAuthentication = false;
-    PermitRootLogin = lib.mkForce "prohibit-password";
+    PermitRootLogin = lib.mkForce "no";
   };
 
-  services.syncthing = {
+  services.journald.extraConfig = ''
-    enable = true;
+    SystemMaxUse=64M
-    dataDir = "/var/lib/syncthing";
+    RuntimeMaxUse=32M
-    guiAddress = "127.0.0.1:8384";
-    openDefaultPorts = false;
-    overrideDevices = false;
-    overrideFolders = false;
-    settings = {
-      gui = {
-        insecureAdminAccess = false;
-        insecureSkipHostcheck = false;
-      };
-      options = {
-        globalAnnounceEnabled = false;
-        localAnnounceEnabled = false;
-        listenAddresses = [
-          "tcp://0.0.0.0:22000"
-          "quic://0.0.0.0:22000"
-        ];
-        natEnabled = false;
-        relaysEnabled = false;
-        urAccepted = -1;
-      };
-    };
-  };
-
-  alisceon.forgejo.domain = "forgejo.alisceon.com";
-
-  services.gitea-actions-runner.instances.alisceon-core-podman.labels = [
-    "podman"
-    "x86_64"
-    "amd64"
-  ];
-
-  services.nginx.virtualHosts = {
-    ${"forgejo.alisceon.com"} = {
-      serverName = "forgejo.alisceon.com";
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:3000";
-        recommendedProxySettings = true;
-      };
-    };
-    ${"syncthing.alisceon.com"} = {
-      serverName = "syncthing.alisceon.com";
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:8384";
-        recommendedProxySettings = false;
-        extraConfig = ''
-          proxy_set_header Host $proxy_host;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Host $host;
-          proxy_set_header X-Forwarded-Proto $scheme;
-          proxy_read_timeout 600s;
-          proxy_send_timeout 600s;
   '';
-      };
+
-    };
+  system.autoUpgrade = {
+    enable = lib.mkForce false;
+    persistent = lib.mkForce false;
   };
 
-  systemd.services.syncthing = {
+  systemd = {
-    serviceConfig = {
+    services = {
-      LockPersonality = true;
+      dev-flake-garbage-collect.enable = lib.mkForce false;
-      PrivateIPC = true;
-      ProcSubset = "pid";
-      ProtectClock = true;
-      ProtectHome = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "strict";
-      ReadWritePaths = [ "/var/lib/syncthing" ];
-      RemoveIPC = true;
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
-        "AF_NETLINK"
-        "AF_UNIX"
-      ];
-      SystemCallArchitectures = "native";
-      UMask = "0077";
     };
+    timers.dev-flake-garbage-collect.enable = lib.mkForce false;
   };
 
+  services.cloud-init.settings.disable_root = true;
+
   environment.systemPackages = with pkgs; [
     curl
     git
@@ -179,5 +117,17 @@
     wget
   ];
 
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 4096;
+    }
+  ];
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 75;
+  };
+
   system.stateVersion = lib.mkForce "25.11";
 }

nixos/modules/profiles/workstation.nix

@@ -114,6 +114,7 @@ in
       pkgs.plymouth
       pkgs.xhost
       (pkgs.bottles.override { removeWarningPopup = true; })
+      pkgs.hydra-check
     ];
     sessionVariables.NIXOS_OZONE_WL = "1";
   };

nixos/modules/services/oci-authorized-keys.nix

@@ -84,7 +84,11 @@ in
   config = lib.mkIf cfg.enable {
     systemd.services.fetch-oci-authorized-keys = {
       description = "Fetch OCI metadata authorized_keys for ${cfg.user}";
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = [
+        "sshd.service"
+        "multi-user.target"
+      ];
+      before = [ "sshd.service" ];
       after = [ "network-online.target" ];
       wants = [ "network-online.target" ];
       serviceConfig = {