Add svc host: NixOS config for TornadoVPS edge node

BIOS boot with GRUB on /dev/xvda, MCP agent via systemd,
mc-proxy and MCNS as containers via MCP agent.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

flake.nix

@@ -67,6 +67,7 @@
       "rift"
       "sk"
       "straylight"
+      "svc"
       "vade"
     ] (hostName: lib.nixosSystem {
       specialArgs = { inherit inputs; };

hw/svc/default.nix

@@ -0,0 +1,24 @@
+{ inputs, lib, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disk-config.nix
+    ../../configs/mcpkg.nix
+    ../../configs/mcp.nix
+  ];
+
+  config = {
+    # svc is BIOS, not UEFI — override baseline systemd-boot.
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+    boot.loader.grub.enable = true;
+    boot.loader.grub.device = "/dev/xvda";
+
+    # mc-proxy (container) binds 443; MCNS (container) binds 53; MCP agent on 9555.
+    networking.firewall.allowedTCPPorts = [ 53 443 9555 ];
+    networking.firewall.allowedUDPPorts = [ 53 ];
+
+    # Allow rootless containers to bind privileged ports (mc-proxy :443, MCNS :53).
+    boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0;
+  };
+}

hw/svc/disk-config.nix

@@ -0,0 +1,29 @@
+{ lib, ... }:
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        device = lib.mkDefault "/dev/xvda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1M";
+              type = "EF02"; # BIOS boot partition for GRUB
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hw/svc/hardware-configuration.nix

@@ -0,0 +1,2 @@
+# Placeholder — overwritten by nixos-anywhere --generate-hardware-config.
+{ ... }: {}