Transparent Nix-based Open-Source Infrastructure as Code (OSS IaaC) Management Solution for Multiple Systems and Domains, designed to be a reliable tool for mission-critical tasks in paranoid and high-security environments.
We are using:
- disko for Declarative Filesystem Management
- impermanence to Enforce Declarative Setup
- flake-parts for Nix Flake Management
- home-manager for User Configuration
- ragenix for Management of Secrets
- mission-control as a Frontend for this repository
- lanzaboote for Declarative Secure Boot
- nixos-generators to Generate Filesystem Images
```
├── config -- Project Configuration
├── lib -- Project-Oriented Libraries
├── src -- Source Code Files
│   ├── nixos -- Source Files Relevant to the NixOS Distribution
│   │   ├── machines -- Machine Management in the NixOS Distribution
│   │   │   ├── template -- Example of Machine Management
│   │   │   │   ├── config -- Individual System Configuration
│   │   │   │   ├── lib -- Libraries Exported by the Machine to Others
│   │   │   │   ├── releases -- Management across releases for the individual machine
│   │   │   │   ├── secrets -- Machine-individual secrets
│   │   │   │   ├── services -- Machine-managed services
│   │   ├── modules -- NixOS-related Modules
│   │   │   ├── programs -- NixOS-related Program Adjustments
│   │   │   ├── security -- NixOS-related Security Management
│   │   │   ├── services -- NixOS-related Service Adjustments
│   │   │   ├── system -- NixOS-related System Management
│   │   │   │   ├── impermenance -- NixOS-related management of impermanence
│   │   ├── overlays -- Changes on top of nixpkgs
│   │   ├── users -- Management of Users in the NixOS Distribution
│   │   │   ├── modules -- Home-Manager-specific modules applied to all users
│   │   │   ├── users -- Individual User Management
│   │   │   │   ├── kreyren -- Management of the Kreyren User
│   │   │   │   │   ├── home -- User Kreyren's Home Management
├── tasks -- Routines to work with the project
│   ├── docs -- Tasks related to the project documentation
│   │   ├── tree -- Task used to generate this file hierarchy output
├── vendor -- 3rd party repos used in this project
```
This file hierarchy output is generated by the `tree` task, which walks the directories that contain a `.about` file holding a short description of the directory's purpose.
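As an added illustration of that convention (an independent re-implementation, not the repository's own `tree` task), the following script renders only directories that carry a `.about` file, using its first line as the description; the hierarchy it walks is constructed in a temporary directory:

```python
import tempfile
from pathlib import Path


def render_about_tree(root: Path, prefix: str = "") -> list:
    """Render `root` like the README tree: one line per directory that has a .about file."""
    lines = []
    # Directories without a .about file are deliberately invisible to the listing.
    children = sorted(p for p in root.iterdir() if p.is_dir() and (p / ".about").is_file())
    for child in children:
        about = (child / ".about").read_text(encoding="utf-8").strip().splitlines()
        description = about[0] if about else "(no description)"
        lines.append(f"{prefix}├── {child.name} -- {description}")
        lines.extend(render_about_tree(child, prefix + "│   "))
    return lines


def demo() -> list:
    """Build a constructed mini hierarchy (sample data, not the repository) and render it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = {
            "config": "Project Configuration",
            "src": "Source Code Files",
            "src/nixos": "Source Files Relevant to the NixOS Distribution",
            "vendor": "3rd party repos used in this project",
        }
        for rel, text in sample.items():
            directory = root / rel
            directory.mkdir(parents=True)
            (directory / ".about").write_text(text + "\n", encoding="utf-8")
        (root / "build").mkdir()  # no .about file: must not appear in the output
        return render_about_tree(root)


if __name__ == "__main__":
    print("\n".join(demo()))
```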
All of our services are provided primarily through onion routing. For ease of use we recommend that you configure MapAddress so that you can use easily memorable URLs instead of the long and cryptic .onion addresses.
Without MapAddress: somewhereInTheDarks45h5f8h76sd7f98h7sd9h6sg876hsl.org
With MapAddress: cool-service.nx
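A mistyped .onion address in a MapAddress line silently sends traffic to the wrong service, so it is worth checking the address before mapping it. The following added example (not part of this repository) verifies the v3 onion checksum and version byte and then emits torrc MapAddress lines; the key bytes and the `example.nx` alias are constructed:

```python
import base64
import hashlib
import re

# Tor v3 onion address layout (rend-spec-v3):
#   base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
# PUBKEY   = 32-byte ed25519 public key
# CHECKSUM = first 2 bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)
# VERSION  = single byte 0x03
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")


def onion_v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_onion_v3(hostname: str) -> bool:
    """True only if the hostname is well-formed and its embedded checksum and version match."""
    if not ONION_V3_RE.match(hostname):
        return False
    raw = base64.b32decode(hostname[:-len(".onion")].upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == b"\x03" and checksum == onion_v3_checksum(pubkey)


def map_address_lines(mapping: dict) -> list:
    """Render torrc MapAddress lines, refusing any target that fails validation."""
    lines = []
    for alias, onion in mapping.items():
        if not validate_onion_v3(onion):
            raise ValueError(f"refusing to map {alias}: {onion!r} is not a valid v3 onion address")
        lines.append(f"MapAddress {alias} {onion}")
    return lines


if __name__ == "__main__":
    # Constructed sample key (not a real service); the alias follows the README's .nx convention.
    sample_onion = encode_onion_v3(bytes(range(32)))
    print("\n".join(map_address_lines({"example.nx": sample_onion})))
```

The printed lines can be appended to the torrc of the Tor instance the wallet or browser uses; Tor then resolves `example.nx` to the mapped .onion address.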
We provide a private Monero node for all viewers of this repository, so that you can process your Monero transactions through our transparent infrastructure:
Recommended MapAddress: monero.nx
Hostname: jj6qehtyrfvvi4gtwttpg2qyaukqzxwaoxvak534nidlnnelmqtlm3qd.onion
Port: 18081
Username: Monerochan
Password: iL0VEMoNeRoChan<3
Providing system: mracek.systems.nx
Configuration: https://github.com/Arcanyx-org/NiXium/blob/central/src/nixos/machines/mracek/services/monero.nix
The node communicates with the outside world exclusively via Tor, including its synchronization with the blockchain, for added security and privacy.
Please be aware of the probabilistic attack demonstrated by Chainalysis, which can successfully deanonymize the transactions and identities of Monero users if:
- You use an insecure operating system with proprietary code components.
- You do not use Tor, or have it configured incorrectly.
- You do not run your own node, so you do not get the benefit of Dandelion++, which is assumed to significantly reduce the effectiveness of the probabilistic attacks.
- You change the default fee rate, or your wallet changes it in an identifiable way (verify that it does not).
- You use exchange services that require Know Your Customer identification, e.g. a photo of a citizen ID card, or that share data with threat actors.
References:
- Original Leaked presentation: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/monero-chain.mp4
- Detailed explanation on: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/6de54b143e669e368af6
For these reasons we currently do not recommend Stack Wallet until the following issue is addressed: cypherstack/stack_wallet#1066
To manage the risk of rogue exchange services, consider using Haveno.
All encrypted transactions on Monero are most likely being harvested by threat actors using a technique called Harvest Now, Decrypt Later, which stores the encrypted data until a technological breakthrough enables it to be decrypted.
Monero is currently vulnerable to this threat until the FCMP++/Carrot functionality is implemented.
The open-source to-do app; access is provided upon special request.
Recommended MapAddress: vikunja.nx
Hostname: u65cyt3tdc66u7ciin55atl5sattytx3rjzzrzhlfdfc2t7pqbhyd6qd.onion
Port: 80
Providing system: mracek.systems.nx
Configuration: https://github.com/Arcanyx-org/NiXium/blob/central/src/nixos/machines/mracek/services/vikunja.nix
This service is mostly used internally to organize private projects. If you are not in a position to self-host it, we recommend using the Vikunja Cloud Services instead to support the upstream developers.
This repository claims "NX" as its Custom Top Level Domain ("cTLD") and kindly asks all DNS providers and network solutions to acknowledge it. We do not recognize the Internet Corporation for Assigned Names and Numbers ("ICANN") as an authority, due to its monopolistic position on the assignment of Top Level Domains and its unreasonably high fees for cTLDs, and we attempt to decentralize this assignment.
All changes need to be discussed in the form of an issue to be approved for merge, with the exception of "Tagged Code", which is always up for grabs.
Tagged Code is code that has a "tag" above it:

```nix
# FIXME-QA(Krey): Make it possible to accept list of strings for better readability without the `toString`
# FIXME-QA(Krey): Figure out how to get a list of unsigned integers into a string `${toString config.services.tor.settings.SOCKSPort}` in `proxy` and `tx-proxy` for Tor port
# FIXME-UPSTREAM(Krey): These options should be added to NixOS Module for better maintanability
services.monero.extraConfig = toString [
  "prune-blockchain=1" # Use the pruned blockchain to save space
  "proxy=127.0.0.1:9050" # Use Tor Proxy to access the internet
  ...
];
```

A tag is a self-review note that the developer adds when they were unable to address the issue in a reasonable amount of time during development; it does not block merge. These are often cosmetic, maintainability and readability issues. If you use the repository-provided VSCodium, you get a pre-configured extension to find these easily; otherwise you can print them in your terminal with:

```shell
$ grep -A 10 -rP "(FIXME|DOCS|)((\\-.*|)\\(.*\\))" /path/to/this/repository
```
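The grep above lists raw matches; the following added example (not the repository's tooling) parses the same `TAG-SUBTAG(Author): message` convention into records, counts open tags per category, and flags tags that lack an author, which the convention requires. The sample text is constructed and modelled on the monero.nix excerpt above:

```python
import re
from collections import Counter

# Tag grammar used in this repository's code comments:  TAG[-SUBTAG](Author): message
TAG_RE = re.compile(
    r"(?P<tag>FIXME|DOCS)(?:-(?P<subtag>[A-Z]+))?\((?P<author>[^)]+)\):\s*(?P<message>.*)"
)
# A tag name that is not followed by "(Author):" is malformed and worth flagging in review.
BARE_TAG_RE = re.compile(r"\b(FIXME|DOCS)(?:-[A-Z]+)?\b(?!\()")


def scan_tags(text: str) -> list:
    """Return one dict per tagged line: line number, tag, subtag, author and message."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = TAG_RE.search(line)
        if match:
            found.append({"line": line_no, **match.groupdict()})
    return found


def malformed_tags(text: str) -> list:
    """Line numbers of tags that carry no (Author): part."""
    return [n for n, line in enumerate(text.splitlines(), start=1)
            if BARE_TAG_RE.search(line) and not TAG_RE.search(line)]


def summarize(tags: list) -> Counter:
    """Count open tags per TAG-SUBTAG so reviewers can see where the debt sits."""
    return Counter(f"{t['tag']}-{t['subtag']}" if t["subtag"] else t["tag"] for t in tags)


# Constructed sample input, not the real monero.nix.
SAMPLE = """\
# FIXME-QA(Krey): Make it possible to accept list of strings for better readability
# FIXME-UPSTREAM(Krey): These options should be added to NixOS Module
# DOCS(Krey): Explain why prune-blockchain is enabled
# FIXME: forgot the author on this one
services.monero.extraConfig = toString [
  "prune-blockchain=1" # Use the pruned blockchain to save space
];
"""

if __name__ == "__main__":
    for tag in scan_tags(SAMPLE):
        print(tag)
    print(dict(summarize(scan_tags(SAMPLE))), "malformed on lines:", malformed_tags(SAMPLE))
```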
The programming, scripting and framework languages used are separated into individual files and all follow coding standardization; any peer review is always very appreciated.
Notes to the implementation:
- POSIX Shell Script: The environment and libraries are managed by the Nix daemon, so these files do not include a shebang or bash options, as those are supplied by Nix; all such files should include a notice on the first line about this management (please report it to us if it is not present). Additionally, Nix runs these files through a very strict shellcheck, where any unhandled failure or warning terminates evaluation with detailed info about the issue before the script is executed.
- Nix Language: The sole exception that does not follow the coding practices provided by upstream, as we consider them not sensible and to introduce too many security issues that are not fixable under the current NixOS Foundation administration chaired by Eelco Dolstra; for that reason we are in the process of writing an alternative one. See NixOS/nixpkgs/133088, NixOS/nixpkgs/133089, NixOS/nixpkgs/243089, NixOS/nixpkgs/254625 and NixOS/nixpkgs/296013.
For financial aid to help us maintain the system and continue to provide the public services, we accept Monero; refer to https://github.com/Kreyren#donate for details.
Maintaining a secure infrastructure in an independent and reliable way is a challenging task, so we ask for your help in sourcing the hardware that provides the processing resources our workflow needs.
If you want to donate hardware, contact @Kreyren or open a new issue, preferably from the Central Europe area.
We mainly want the chips from these devices to put them on OSHW hardware so even devices that suffered a fatal hardware failure are very appreciated.
Devices with Snapdragon 845, such as the OnePlus 6, Xiaomi Mi 8, Xiaomi POCO F1, etc., have Linux mainline support and can be salvaged for single-board computers or personal devices for the infrastructure members, or refurbished and provided with a pre-installed Linux distribution to the general public.
A next-gen mobile device with projected decent Linux mainline support; it often suffers a hardware failure due to insufficient cooling that melts the solder on the internal electronics and renders them dysfunctional, which makes it a point of interest for development.
Point-of-interest device for development; potential for use in thin clients.
Point-of-interest device for VR/AR development.
Point of interest for x86 coreboot and hardening development, as an on-demand alternative to ARM.
Devices with the AMD Phoenix architecture are projected to have proof-of-concept code for OpenSIL, to be used for development and research so that our infrastructure has the option of a smooth transition if needed.
We are almost always accepting any functional or broken hardware (notebooks, phones, PCs, etc.) to either refurbish for resale or add to our infrastructure.
- NixOS Flakes Wiki
- Nix Flakes, Part 3: Managing NixOS systems - Eelco Dolstra
- NixOS Configuration with Flakes - jordanisaacs
- The working programmer’s guide to setting up Haskell projects - jonascarpay
- Shell Scripts with Nix - Jon Sangster
- OpenSSH security and hardening - Linux Audit
- sshd_config - How to configure the OpenSSH server - www.ssh.com
- openssh - mozilla
- Arch security wiki
- Arch openssh wiki
- Ask for a password in POSIX-compliant shell? - stackexchange
- Shell Style Guide - google
- Parameter Expansion - The Open Group Base Specifications Issue
- Here Documents
- getopt, getopts or manual parsing - what to use when I want to support both short and long options?
- How to autorebase MRs in GitLab CI - Marcin Wosinek
- https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
- Paranoid NixOS Setup - Christine Dodrill
Feel Free To Contribute Relevant Topics
Collection of NixOS configurations that you might find useful as a reference for your configuration:
- https://github.com/Mic92/dotfiles
- https://github.com/jordanisaacs/dotfiles
- https://github.com/jordanisaacs/dwm-flake
- https://github.com/gvolpe/nix-config
- https://github.com/divnix/digga
- https://github.com/mitchellh/nixos-config
- https://codeberg.org/matthew/nixdot
- https://github.com/terlar/nix-config
- https://github.com/qbit/xin
- https://github.com/mrjones2014/dotfiles
- https://git.sr.ht/~x4d6165/nix-configuration
- https://github.com/TLATER/dotfiles
- https://gitlab.com/engmark/root
- https://codeberg.org/samuelsung/nixos-config (flake-parts)
- https://github.com/srid/nixos-config (flake-parts)
- https://github.com/Mic92/dotfiles (flake-parts)
- https://github.com/chvp/nixos-config
- https://github.com/NickCao/flakes (agenix)
- https://github.com/ocfox/den (agenix)
- https://github.com/Clansty/flake (flakes + deploy-rs)
- https://github.com/fufexan/dotfiles (flakes + agenix + flake-parts + home-manager)
- https://github.com/cole-h/nixos-config (flakes + agenix)
- https://github.com/moni-dz/nix-config (flakes + flake-parts + agenix + home-manager + darwin)
- https://github.com/vkleen/machines
- https://github.com/wimpysworld/nix-config
Feel Free To Add Yours
Relevant references through GitHub queries:
- https://github.com/topics/nixos-configuration -- for other public nixos configurations
- https://github.com/search?q=flake.homeManagerModules&type=code -- home-manager references
- https://github.com/search?q=flake-parts+path%3Aflake.nix&type=code&p=3 -- GitHub repositories which use flake-parts
- flake-compat
- sops-nix
- NixOS hardware repo
- update-flake-lock
- arkenfox's user.js
- de956's browser-privacy
- https://github.com/redcode-labs/RedNixOS
To update NixOS (and other inputs), run:

```shell
$ nix flake update
```

You may also update a subset of inputs, e.g.:

```shell
$ nix flake lock --update-input nixpkgs --update-input home-manager
```

Credit: Samuel Sung

To free up disk space you can clear unused NixOS generations:

```shell
# nix-env -p /nix/var/nix/profiles/system --delete-generations +2 # Remove all NixOS generations but the last 2
# nixos-rebuild boot # Build a new generation and deploy it on next reboot
```

This can easily save you a few gigabytes if you have not set a maximum number of generations.

Credit: Samuel Sung
Feel Free To Add Your Tips