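# NixOS host module for the "svc" machine: BIOS/GRUB boot, firewall openings
# for the containerised services, and the sysctl that lets rootless
# containers bind the low ports they serve on.
{ inputs, lib, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
    ../../configs/mcpkg.nix
    ../../configs/mcp.nix
  ];

  config = {
    # svc is BIOS, not UEFI — override baseline systemd-boot.
    boot.loader.systemd-boot.enable = lib.mkForce false;
    boot.loader.grub.enable = true;
    boot.loader.grub.device = "/dev/xvda";

    # mc-proxy (container) binds 443; MCNS (container) binds 53; MCP agent on 9555.
    # NOTE(review): these ports are opened on every interface. If the MCP agent
    # on 9555 is only meant to be reached from a management network, scope it
    # with networking.firewall.interfaces.<name>.allowedTCPPorts instead —
    # confirm the intended exposure against the agent's own authentication.
    networking.firewall.allowedTCPPorts = [ 53 443 9555 ];
    networking.firewall.allowedUDPPorts = [ 53 ];

    # Allow rootless containers to bind privileged ports (mc-proxy :443, MCNS :53).
    # The threshold is host-wide: every unprivileged process may bind any port
    # at or above it. 53 is the lowest port the services above need, so ports
    # below it (e.g. 22) stay reserved for privileged processes. Lower this
    # only if another rootless service genuinely needs a smaller port.
    boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;
  };
}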