# Host module for the "alisceon-core" OCI (aarch64) image: Forgejo + an actions
# runner, Syncthing, nginx (ACME) in front of both, Tor, cloud-init.
{ lib, pkgs, modulesPath, ... }:

let
  forgejoHost = "forgejo.alisceon.com";
  syncthingHost = "syncthing.alisceon.com";
  syncthingDataDir = "/var/lib/syncthing";
  # Syncthing GUI is bound to loopback only; it is reachable from outside solely
  # through the nginx vhost below.
  syncthingGui = "127.0.0.1:8384";
in
{
  imports = [
    "${modulesPath}/virtualisation/oci-image.nix"
    ../../modules/services/cloud-init.nix
    ../../modules/services/forgejo.nix
    ../../modules/services/nginx.nix
    ../../modules/services/oci-authorized-keys.nix
    ../../modules/services/tor.nix
  ];

  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";

  networking = {
    hostName = "alisceon-core";
    networkmanager.enable = lib.mkForce false;
    firewall = {
      # 22 ssh, 80/443 nginx, 22000 matches the Syncthing listenAddresses below.
      # 24601 is not explained by anything in this file — NOTE(review): confirm
      # which service owns it before keeping it open.
      allowedTCPPorts = [ 22 80 443 22000 24601 ];
      allowedUDPPorts = [ 22000 ]; # quic:// listener of Syncthing
    };
  };

  boot = {
    initrd.availableKernelModules = [
      "virtio_pci"
      "virtio_blk"
      "virtio_scsi"
      "virtio_net"
      "xhci_pci"
    ];
    loader.systemd-boot.configurationLimit = lib.mkForce 3;
  };

  # Small-disk image: aggressive store GC thresholds and a daily collection.
  nix = {
    settings = {
      min-free = lib.mkForce (512 * 1024 * 1024);
      max-free = lib.mkForce (2 * 1024 * 1024 * 1024);
    };
    gc = {
      dates = lib.mkForce "daily";
      options = lib.mkForce "--delete-older-than 3d";
    };
  };

  virtualisation = {
    docker.enable = lib.mkForce false;
    podman = {
      enable = true;
      # Docker-compatible socket, presumably for the "podman"-labelled actions
      # runner below. Whoever can reach that socket can start containers, so
      # treat access to it as equivalent to root on this host.
      dockerSocket.enable = true;
      autoPrune = {
        enable = true;
        dates = "daily";
        flags = [ "--all" ];
      };
    };
  };

  users.users.alisceon.extraGroups = [ "systemd-journal" ];

  # Site-local options provided by the imported ../../modules/services/*.nix.
  alisceon = {
    cloud-init = {
      enable = true;
      defaultShell = "/run/current-system/sw/bin/xonsh";
    };
    ociAuthorizedKeys.enable = true;
    forgejo.domain = forgejoHost;
  };

  security = {
    acme = {
      acceptTerms = true;
      defaults.email = "acme@alisceon.com";
    };
    # wheel gets passwordless sudo; the only login path is key-based SSH
    # (PasswordAuthentication = false below), so the SSH keys are the whole
    # boundary for root on this host.
    sudo-rs.wheelNeedsPassword = false;
  };

  services = {
    openssh.settings = {
      PasswordAuthentication = false;
      PermitRootLogin = lib.mkForce "prohibit-password";
    };

    syncthing = {
      enable = true;
      dataDir = syncthingDataDir;
      guiAddress = syncthingGui;
      # Ports are opened explicitly in networking.firewall instead.
      openDefaultPorts = false;
      overrideDevices = false;
      overrideFolders = false;
      settings = {
        gui = {
          insecureAdminAccess = false;
          insecureSkipHostcheck = false;
          # NOTE(review): no gui.user / gui.password is declared here, so GUI
          # authentication comes from Syncthing's runtime state, not from this
          # config; confirm credentials are set before exposing the vhost.
        };
        # Private deployment: no global/local discovery, no NAT traversal,
        # no relays, usage reporting declined.
        options = {
          globalAnnounceEnabled = false;
          localAnnounceEnabled = false;
          listenAddresses = [
            "tcp://0.0.0.0:22000"
            "quic://0.0.0.0:22000"
          ];
          natEnabled = false;
          relaysEnabled = false;
          urAccepted = -1;
        };
      };
    };

    gitea-actions-runner.instances.alisceon-core-podman.labels = [
      "podman"
      "aarch64"
      "arm64"
    ];

    nginx.virtualHosts = {
      ${forgejoHost} = {
        serverName = forgejoHost;
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:3000";
          recommendedProxySettings = true;
        };
      };

      ${syncthingHost} = {
        serverName = syncthingHost;
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://${syncthingGui}";
          # The recommended settings would forward the public Host header;
          # Syncthing's host check (insecureSkipHostcheck = false) expects the
          # upstream address instead, hence the hand-written header set.
          recommendedProxySettings = false;
          extraConfig = ''
            proxy_set_header Host $proxy_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 600s;
            proxy_send_timeout 600s;
          '';
        };
      };
    };
  };

  # Extra sandboxing on top of the upstream syncthing unit; the data dir is the
  # only writable path under ProtectSystem = "strict".
  systemd.services.syncthing.serviceConfig = {
    LockPersonality = true;
    PrivateIPC = true;
    ProcSubset = "pid";
    ProtectClock = true;
    ProtectHome = true;
    ProtectProc = "invisible";
    ProtectSystem = "strict";
    ReadWritePaths = [ syncthingDataDir ];
    RemoveIPC = true;
    RestrictAddressFamilies = [
      "AF_INET"
      "AF_INET6"
      "AF_NETLINK"
      "AF_UNIX"
    ];
    SystemCallArchitectures = "native";
    UMask = "0077";
  };

  environment.systemPackages = with pkgs; [
    curl
    git
    htop
    jq
    vim
    wget
  ];

  system.stateVersion = lib.mkForce "25.11";
}