Transparent Nix-based open-source Infrastructure as Code (OSS IaC) management solution for multiple systems and domains, designed to be a reliable tool for mission-critical tasks in paranoid, high-security environments.
We are using:
- disko for filesystem management
- impermanence to enforce fully declarative setup
- flake-parts for nix flake management
- home-manager for user configuration
- ragenix for secrets
- mission-control to administer this repository
- lanzaboote for declarative secure boot
- nixos-generators to generate filesystem images
Trusted community members are welcome to commit their systems for collective administration and sharing of resources.
Work in progress.
All of our services are provided primarily through onion routing. For ease of use we recommend configuring Tor's MapAddress option (in your torrc) so that you can use easily memorable names instead of the long and cryptic onion hostnames. The mapping only applies to names that Tor itself resolves (e.g. a SOCKS5 client that hands the hostname to Tor), not to names looked up through your system resolver.
Without MapAddress: somewhereInTheDarks45h5f8h76sd7f98h7sd9h6sg876hsl.onion. With MapAddress: cool-service.nx
We provide a private Monero node for all viewers of this repository to process your Monero transactions through our transparent infrastructure:
Recommended MapAddress: monero.nx
Hostname: jj6qehtyrfvvi4gtwttpg2qyaukqzxwaoxvak534nidlnnelmqtlm3qd.onion
Port: 18081
Username: Monerochan
Password: iL0VEMoNeRoChan<3
Providing system: mracek.systems.nx
Configuration: https://github.com/NiXium-org/NiXium/blob/central/src/nixos/machines/mracek/services/monero.nix
The node is set up to communicate with the outside world exclusively via Tor, including its synchronization with the blockchain, for added security and privacy. Because the RPC login above is published here, treat it as a shared access token rather than a secret: it only gates who can reach the RPC endpoint.
Vikunja, the open-source to-do app; access is provided upon special request.
Recommended MapAddress: vikunja.nx
Hostname: u65cyt3tdc66u7ciin55atl5sattytx3rjzzrzhlfdfc2t7pqbhyd6qd.onion
Port: 80
Providing system: mracek.systems.nx
Configuration: https://github.com/NiXium-org/NiXium/blob/central/src/nixos/machines/mracek/services/vikunja.nix
This service is mostly used internally to organize private projects. If you are not in a position to self-host it, we recommend using Vikunja Cloud instead to support the upstream developers.
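As an added example (not code from the NiXium repository), the following shell script renders the torrc `MapAddress` lines for the two services listed above, refuses onion names that do not have the v3 shape, and shows how to query the Monero node's `get_info` JSON-RPC method through Tor. It assumes Tor's SOCKS port at its default 127.0.0.1:9050, a `curl` with SOCKS support, and that monerod's RPC login is HTTP digest authentication; the mapping table is constructed from the hostnames quoted above.

```shell
#!/bin/sh
# Added example, not part of the NiXium repository.
set -eu

# Constructed from the hostnames quoted on this page: "<alias> <onion>" per line.
SERVICE_MAP='monero.nx jj6qehtyrfvvi4gtwttpg2qyaukqzxwaoxvak534nidlnnelmqtlm3qd.onion
vikunja.nx u65cyt3tdc66u7ciin55atl5sattytx3rjzzrzhlfdfc2t7pqbhyd6qd.onion'

# Tor SOCKS port; 9050 is Tor's default (assumption, adjust to your torrc).
TOR_SOCKS="${TOR_SOCKS:-127.0.0.1:9050}"

# A v3 onion hostname is exactly 56 base32 characters (a-z, 2-7) plus ".onion".
# This checks the shape only; it does not verify the embedded key checksum.
is_v3_onion() {
  printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

# Print one "MapAddress <alias> <onion>" line per mapping.  A malformed onion
# name aborts the whole render so a typo never ends up in torrc.
render_mapaddress() {
  while read -r alias onion; do
    [ -n "$alias" ] || continue   # skip blank lines
    if ! is_v3_onion "$onion"; then
      printf 'refusing %s: %s is not a v3 onion hostname\n' "$alias" "$onion" >&2
      return 1
    fi
    printf 'MapAddress %s %s\n' "$alias" "$onion"
  done <<EOF
$1
EOF
}

# Call monerod's get_info JSON-RPC method through Tor.  socks5h:// makes Tor
# resolve the name, so the alias (or raw onion) never reaches the system
# resolver and the MapAddress mapping is applied.  monerod's --rpc-login is
# HTTP digest authentication, hence --digest.
monero_get_info() {
  host="$1"; user="$2"; pass="$3"
  curl --silent --show-error \
    --proxy "socks5h://$TOR_SOCKS" \
    --digest --user "$user:$pass" \
    --header 'Content-Type: application/json' \
    --data '{"jsonrpc":"2.0","id":"0","method":"get_info"}' \
    "http://$host:18081/json_rpc"
}

# Render the torrc lines; append them to torrc and reload Tor before querying.
render_mapaddress "$SERVICE_MAP"
# After Tor has been reloaded with the mapping (network access required):
# monero_get_info monero.nx Monerochan 'iL0VEMoNeRoChan<3'
```

The shape check is deliberately strict (lowercase only, exactly 56 characters) so that a mistyped or truncated onion name is caught before it is written to torrc rather than quietly routing your transactions to a different service.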
This repository claims "NX" as its custom top-level domain ("cTLD") and kindly asks all DNS providers and network solutions to acknowledge it. We do not recognize the Internet Corporation for Assigned Names and Numbers ("ICANN") as an authority, due to its monopolistic position on the assignment of top-level domains and its unreasonably high fees for cTLDs, and we attempt to decentralize this assignment.
All changes need to be discussed in the form of an issue to be approved for merge, with the exception of "Tagged Code", which is always up for grabs.
Tagged Code is code that has a "tag" over it, for example:
```nix
# FIXME-QA(Krey): Make it possible to accept list of strings for better readability without the `toString`
# FIXME-QA(Krey): Figure out how to get a list of unsigned integers into a string `${toString config.services.tor.settings.SOCKSPort}` in `proxy` and `tx-proxy` for Tor port
# FIXME-UPSTREAM(Krey): These options should be added to NixOS Module for better maintanability
services.monero.extraConfig = toString [
  "prune-blockchain=1" # Use the pruned blockchain to save space
  "proxy=127.0.0.1:9050" # Use Tor Proxy to access the internet
  ...
];
```
A tag is a self-review note the developer adds when they were unable to address the issue in a reasonable amount of time during development; it does not block merge. These are often cosmetic, maintainability and readability issues. If you use the repository-provided VSCodium you get a configured extension to find these easily, or you can run:
```console
$ grep -rnP -A 10 --exclude-dir=.git '(FIXME|DOCS)(-[A-Z]+)?\([^)]+\)' /path/to/this/repository
```
to get them printed in your terminal. The pattern requires the `(author)` part so that ordinary parenthesised text is not matched; the `-QA`/`-UPSTREAM` style suffix is optional.
For financial aid to help us maintain the systems and continue providing the public services, we accept Monero; refer to https://github.com/Kreyren#donate for details.
We are almost always accepting any functional or broken hardware (notebooks, phones, PCs, etc.) to either refurbish for resale or add to our infrastructure.
If you want to donate hardware (preferably from the central Europe area), contact @Kreyren or open a new issue.
Kreyren: I also accept broken/locked iDevices (please don't send me stolen devices, return them to their owners instead) as Apple often artificially shortens their lifespan through various means, e.g. serializing the replacement parts, making the glass replacement extremely uneconomical, etc., to force their customers to buy a new model, and I like to mess with Apple by fixing them and selling them for cheap, installing Linux on them or making new PCBs with better chips~
- NixOS Flakes Wiki
- Nix Flakes, Part 3: Managing NixOS systems - Eelco Dolstra
- NixOS Configuration with Flakes - jordanisaacs
- The working programmer’s guide to setting up Haskell projects - jonascarpay
- Shell Scripts with Nix - Jon Sangster
- OpenSSH security and hardening - Linux Audit
- sshd_config - How to configure the OpenSSH server - www.ssh.com
- openssh - mozilla
- Arch security wiki
- Arch openssh wiki
- Ask for a password in POSIX-compliant shell? - stackexchange
- Shell Style Guide - Google
- Parameter Expansion - The Open Group Base Specifications Issue
- Here Documents
- getopt, getopts or manual parsing - what to use when I want to support both short and long options?
- How to autorebase MRs in GitLab CI - Marcin Wosinek
- https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
- Paranoid NixOS Setup - Christine Dodrill
Feel Free To Contribute Relevant Topics
Collection of NixOS configurations that you might find useful as a reference for your configuration:
- https://github.com/Mic92/dotfiles (flake-parts)
- https://github.com/jordanisaacs/dotfiles
- https://github.com/jordanisaacs/dwm-flake
- https://github.com/gvolpe/nix-config
- https://github.com/divnix/digga
- https://github.com/mitchellh/nixos-config
- https://codeberg.org/matthew/nixdot
- https://github.com/terlar/nix-config
- https://github.com/qbit/xin
- https://github.com/mrjones2014/dotfiles
- https://git.sr.ht/~x4d6165/nix-configuration
- https://github.com/TLATER/dotfiles
- https://gitlab.com/engmark/root
- https://codeberg.org/samuelsung/nixos-config (flake-parts)
- https://github.com/srid/nixos-config (flake-parts)
- https://github.com/chvp/nixos-config
- https://github.com/NickCao/flakes (agenix)
- https://github.com/ocfox/den (agenix)
- https://github.com/Clansty/flake (flakes + deploy-rs)
- https://github.com/fufexan/dotfiles (flakes + agenix + flake-parts + home-manager)
- https://github.com/cole-h/nixos-config (flakes + agenix)
- https://github.com/moni-dz/nix-config (flakes + flake-parts + agenix + home-manager + darwin)
- https://github.com/vkleen/machines
- https://github.com/wimpysworld/nix-config
Feel Free To Add Yours
Relevant references through GitHub queries:
- https://github.com/topics/nixos-configuration -- for other public nixos configurations
- https://github.com/search?q=flake.homeManagerModules&type=code -- home-manager references
- https://github.com/search?q=flake-parts+path%3Aflake.nix&type=code&p=3 -- GitHub repositories which use flake-parts
- flake-compat
- sops-nix
- NixOS hardware repo
- update-flake-lock
- arkenfox's user.js
- de956's browser-privacy
- https://github.com/redcode-labs/RedNixOS
To update NixOS (and other inputs) run `nix flake update`.
You may also update a subset of inputs, e.g.
```console
$ nix flake lock --update-input nixpkgs --update-input home-manager
```
On Nix 2.19 and newer, `--update-input` is deprecated in favour of passing the input names to `nix flake update`, e.g. `nix flake update nixpkgs home-manager`. Review the resulting `flake.lock` diff before committing: the lock file pins the exact revisions and content hashes every machine in this repository is built from.
Credit: Samuel Sung
To free up disk space you can delete unused NixOS generations:
```console
# nix-env -p /nix/var/nix/profiles/system --delete-generations +2 # Remove all NixOS generations except the last 2
# nixos-rebuild boot # Build a new generation and deploy it on next reboot
```
Deleting generations only removes their GC roots and boot entries; the store paths they referenced are reclaimed when the garbage collector runs (`nix-collect-garbage`, or `nix-collect-garbage -d` to also drop old generations of every profile). Deleted generations can no longer be rolled back to from the boot menu. This can easily save you a few gigabytes if you have not set a maximum number of generations (e.g. `boot.loader.systemd-boot.configurationLimit`).
Credit: Samuel Sung
Feel Free To Add Your Tips