A transparent, Nix-based, open-source Infrastructure as Code (OSS IaaC) management solution for multiple systems and domains, designed to be a reliable tool for mission-critical tasks in paranoid, high-security environments.
We are using:
- disko for Declarative Filesystem Management
- impermanence to Enforce Declarative Setup
- flake-parts for Nix Flake Management
- home-manager for User Configuration
- ragenix for Managing Secrets
- mission-control as a Frontend for this repository
- lanzaboote for Declarative Secure Boot
- nixos-generators to Generate Filesystem Images
```
├── config -- Project Configuration
├── lib -- Project-Oriented Libraries
├── src -- Source Code Files
│   ├── nixos -- Source Files Relevant to the NixOS Distribution
│   │   ├── machines -- Machine Management in the NixOS Distribution
│   │   │   ├── template -- Example of Machine Management
│   │   │   │   ├── config -- Individual System Configuration
│   │   │   │   ├── lib -- Libraries Exported by the Machine to Others
│   │   │   │   ├── releases -- Management Across Releases for the Individual Machine
│   │   │   │   ├── secrets -- Machine-Individual Secrets
│   │   │   │   ├── services -- Machine-Managed Services
│   │   ├── modules -- NixOS-related Modules
│   │   │   ├── programs -- NixOS-related Program Adjustments
│   │   │   ├── security -- NixOS-related Security Management
│   │   │   ├── services -- NixOS-related Service Adjustments
│   │   │   ├── system -- NixOS-related System Management
│   │   │   │   ├── impermenance -- NixOS-related Management of Impermanence
│   │   ├── overlays -- Changes on Top of nixpkgs
│   │   ├── users -- Management of Users in the NixOS Distribution
│   │   │   ├── modules -- Home-Manager-specific Modules Applied to All Users
│   │   │   ├── users -- Individual User Management
│   │   │   │   ├── kreyren -- Management of the Kreyren User
│   │   │   │   │   ├── home -- User Kreyren's Home Management
├── tasks -- Routines to Work with the Project
│   ├── docs -- Tasks Related to the Project Documentation
│   │   ├── tree -- Task Used to Generate This File Hierarchy Output
├── vendor -- 3rd-Party Repositories Used in This Project
```
This file hierarchy output is generated by the `tree` task, which processes directories containing a `.about` file with a short description of the directory's purpose.
All of our services are provided primarily through onion routing. For ease of use we recommend configuring Tor's MapAddress so that you can use easily memorable names instead of the long and cryptic onion URLs.
Without MapAddress: somewhereInTheDarks45h5f8h76sd7f98h7sd9h6sg876hsl.org
With MapAddress: cool-service.nx
We provide a private Monero Node for all viewers of this repository to process your Monero transactions through our transparent infrastructure:
Recommended MapAddress: monero.nx
Hostname: jj6qehtyrfvvi4gtwttpg2qyaukqzxwaoxvak534nidlnnelmqtlm3qd.onion
Port: 18081
Username: Monerochan
Password: iL0VEMoNeRoChan<3
Providing system: mracek.systems.nx
Configuration: https://github.com/Arcanyx-org/NiXium/blob/central/src/nixos/machines/mracek/services/monero.nix
The node is set up to communicate with the outside world exclusively via Tor, including its synchronization with the blockchain, for added security and privacy.
An open-source to-do app (Vikunja); access is provided upon special request.
Recommended MapAddress: vikunja.nx
Hostname: u65cyt3tdc66u7ciin55atl5sattytx3rjzzrzhlfdfc2t7pqbhyd6qd.onion
Port: 80
Providing system: mracek.systems.nx
Configuration: https://github.com/Arcanyx-org/NiXium/blob/central/src/nixos/machines/mracek/services/vikunja.nix
This service is mostly used internally to organize private projects. If you are not in a position to self-host it, we recommend using the Vikunja Cloud Services instead, to support the upstream developers.
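A NixOS client-side configuration that makes the two recommended MapAddress names above resolve to the published onion hostnames through the local Tor client. This is an added example, not part of the NiXium repository; the onion hostnames are the ones listed in this README, and the use of the freeform `services.tor.settings` attribute to emit `MapAddress` lines is assumed.

```nix
# Added example (not from the NiXium repository): map the memorable names
# recommended above onto the published .onion hostnames via Tor.
{ ... }:
{
  services.tor = {
    enable = true;
    # Enables the SOCKS listener on 127.0.0.1:9050 used by local clients.
    client.enable = true;
    settings = {
      # Assumed: each list entry becomes one `MapAddress name target` line
      # in the generated torrc. Hostnames are copied from this README.
      MapAddress = [
        "monero.nx jj6qehtyrfvvi4gtwttpg2qyaukqzxwaoxvak534nidlnnelmqtlm3qd.onion"
        "vikunja.nx u65cyt3tdc66u7ciin55atl5sattytx3rjzzrzhlfdfc2t7pqbhyd6qd.onion"
      ];
    };
  };
}
```

The mapping only applies to clients that hand the hostname to Tor for resolution (SOCKS5 with remote DNS, e.g. curl's `--socks5-hostname`); a client that resolves `monero.nx` through the system resolver first never reaches the map and simply fails to resolve.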
This repository claims "NX" as its Custom Top Level Domain ("cTLD") and kindly asks all DNS providers and network solutions to acknowledge it. We do not recognize the Internet Corporation for Assigned Names and Numbers ("ICANN") as an authority, due to its monopolistic position on the assignment of Top Level Domains and its unreasonably high fees for cTLDs, and we attempt to decentralize this assignment.
All changes need to be discussed in the form of an issue to be approved for merge, with the exception of "Tagged Code", which is always up for grabs.
Tagged Code is code that has a "tag" above it:
```nix
# FIXME-QA(Krey): Make it possible to accept a list of strings for better readability without the `toString`
# FIXME-QA(Krey): Figure out how to get a list of unsigned integers into a string `${toString config.services.tor.settings.SOCKSPort}` in `proxy` and `tx-proxy` for the Tor port
# FIXME-UPSTREAM(Krey): These options should be added to the NixOS Module for better maintainability
services.monero.extraConfig = toString [
  "prune-blockchain=1" # Use the pruned blockchain to save space
  "proxy=127.0.0.1:9050" # Use the Tor proxy to access the internet
  ...
];
```
A tag is a self-review note that the developer adds when they were unable to address the issue in a reasonable amount of time during development; it does not block the merge. Tagged issues are often cosmetic, maintainability or readability concerns. If you use the repository-provided vscodium, you get a preconfigured extension to find them easily; otherwise you can run:
```
$ grep -A 10 -rP '(FIXME|DOCS)(-[A-Z]+)?\([^)]*\)' /path/to/this/repository
```
to get them printed in your terminal.
The programming, scripting and framework languages used are kept in individual files and all follow the coding standard; any peer review is always very much appreciated.
Notes to the implementation:
- POSIX Shell Script: The environment and libraries are managed by the Nix daemon, so these files do not include a shebang or bash options, as those are supplied by Nix; every such file should carry a notice about this management on its first line (please report it to us if it is missing). Additionally, Nix runs these files through a very strict shellcheck, where any unhandled failure or warning terminates evaluation with detailed information about the issue before the script is executed.
- Nix Language: This is the sole exception that does not follow the coding practices provided by upstream, as we consider them not sensible and a source of too many security issues that are not fixable under the current NixOS Foundation administration chaired by Eelco Dolstra; we are therefore in the process of writing an alternative standard. See NixOS/nixpkgs/133088, NixOS/nixpkgs/133089, NixOS/nixpkgs/243089, NixOS/nixpkgs/254625 and NixOS/nixpkgs/296013.
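How a repository-style POSIX shell file with no shebang gets its interpreter, bash options and shellcheck pass from Nix, as described for POSIX Shell Scripts above. This is an added example, not code from the NiXium repository; it relies on `pkgs.writeShellApplication` from nixpkgs (which prepends the shebang and `set -o errexit -o nounset -o pipefail` and runs shellcheck in its check phase), assumes the `monero.nx` MapAddress recommended above is configured on the client, and the package name, file path and `MONERO_RPC_LOGIN` variable are hypothetical.

```nix
# Added example (not from the NiXium repository): wrap a shebang-less script so
# that Nix supplies the interpreter, the strict bash options and shellcheck.
{ pkgs, ... }:

let
  monero-health = pkgs.writeShellApplication {
    name = "monero-health";  # hypothetical name
    # Only these programs are on PATH inside the script; nothing else leaks in.
    runtimeInputs = [ pkgs.curl pkgs.jq ];
    # In the repository this would be `text = builtins.readFile ./monero-health.sh;`;
    # the body is inlined here for readability.
    text = ''
      # Managed by Nix: shebang, `set -o errexit -o nounset -o pipefail` and
      # shellcheck are supplied by writeShellApplication, not by this file.
      # Credentials are taken from the environment, never hard-coded.
      rpc_login="''${MONERO_RPC_LOGIN:?set to user:password for the RPC node}"

      # --socks5-hostname hands "monero.nx" to Tor, so MapAddress can rewrite
      # it to the .onion; plain --socks5 would resolve the name locally and fail.
      # monerod protects --rpc-login endpoints with HTTP digest authentication.
      curl --silent --show-error --fail \
        --socks5-hostname 127.0.0.1:9050 \
        --digest --user "$rpc_login" \
        --header 'Content-Type: application/json' \
        --data '{"jsonrpc":"2.0","id":"0","method":"get_info"}' \
        http://monero.nx:18081/json_rpc \
        | jq -e '.result | {height, status}'
    '';
  };
in
{
  environment.systemPackages = [ monero-health ];
}
```

If the script triggers any shellcheck warning, `nixos-rebuild` fails at build time with the shellcheck report, which is the behaviour the coding notes above describe.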
For financial aid to help us maintain the system and continue providing the public services, we accept Monero; refer to https://github.com/Kreyren#donate for details.
We are almost always accepting any functional or broken hardware (notebooks, phones, PCs, etc.) to either refurbish for resale or add to our infrastructure.
If you want to donate hardware, contact @Kreyren or open a new issue, preferably from the Central Europe area.
Kreyren: I also accept broken/locked iDevices (please don't send me stolen devices, return them to their owners instead) as Apple often artificially shortens their lifespan through various means, e.g. serializing the replacement parts, making the glass replacement extremely uneconomical, etc., to force their customers to buy a new model, and I like to mess with Apple by fixing them and selling them for cheap, installing Linux on them or making new PCBs with better chips~
- NixOS Flakes Wiki
- Nix Flakes, Part 3: Managing NixOS systems - Eelco Dolstra
- NixOS Configuration with Flakes - jordanisaacs
- The working programmer’s guide to setting up Haskell projects - jonascarpay
- Shell Scripts with Nix - Jon Sangster
- OpenSSH security and hardening - Linux Audit
- sshd_config - How to configure the OpenSSH server - www.ssh.com
- openssh - mozilla
- Arch security wiki
- Arch openssh wiki
- Ask for a password in POSIX-compliant shell? - stackexchange
- Shell Style Guide - google
- Parameter Expansion - The Open Group Base Specifications Issue
- Here Documents
- getopt, getopts or manual parsing - what to use when I want to support both short and long options?
- How to autorebase MRs in GitLab CI - Marcin Wosinek
- https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
- Paranoid NixOS Setup - Christine Dodrill
Feel Free To Contribute Relevant Topics
Collection of NixOS configurations that you might find useful as a reference for your configuration:
- https://github.com/Mic92/dotfiles
- https://github.com/jordanisaacs/dotfiles
- https://github.com/jordanisaacs/dwm-flake
- https://github.com/gvolpe/nix-config
- https://github.com/divnix/digga
- https://github.com/mitchellh/nixos-config
- https://codeberg.org/matthew/nixdot
- https://github.com/terlar/nix-config
- https://github.com/qbit/xin
- https://github.com/mrjones2014/dotfiles
- https://git.sr.ht/~x4d6165/nix-configuration
- https://github.com/TLATER/dotfiles
- https://gitlab.com/engmark/root
- https://codeberg.org/samuelsung/nixos-config (flake-parts)
- https://github.com/srid/nixos-config (flake-parts)
- https://github.com/Mic92/dotfiles (flake-parts)
- https://github.com/chvp/nixos-config
- https://github.com/NickCao/flakes (agenix)
- https://github.com/ocfox/den (agenix)
- https://github.com/Clansty/flake (flakes + deploy-rs)
- https://github.com/fufexan/dotfiles (flakes + agenix + flake-parts + home-manager)
- https://github.com/cole-h/nixos-config (flakes + agenix)
- https://github.com/moni-dz/nix-config (flakes + flake-parts + agenix + home-manager + darwin)
- https://github.com/vkleen/machines
- https://github.com/wimpysworld/nix-config
Feel Free To Add Yours
Relevant References through GitHub Queries:
- https://github.com/topics/nixos-configuration -- for other public nixos configurations
- https://github.com/search?q=flake.homeManagerModules&type=code -- home-manager references
- https://github.com/search?q=flake-parts+path%3Aflake.nix&type=code&p=3 -- GitHub repositories which use flake-parts
- flake-compat
- sops-nix
- NixOS hardware repo
- update-flake-lock
- arkenfox's user.js
- de956's browser-privacy
- https://github.com/redcode-labs/RedNixOS
To update NixOS (and other inputs) run `nix flake update`.
You may also update a subset of inputs, e.g.
```
$ nix flake lock --update-input nixpkgs --update-input home-manager
```
Credit: Samuel Sung
To free up disk space you can clear unused NixOS generations:
```
# nix-env -p /nix/var/nix/profiles/system --delete-generations +2 # Remove all NixOS generations but the last 2
# nixos-rebuild boot # Build a new generation and deploy it on the next reboot
```
This can easily save you a few gigabytes if you have not set a maximum number of generations.
Credit: Samuel Sung
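The declarative counterpart to the manual cleanup above, so the number of generations stays bounded and unreferenced store paths are actually freed. This is an added example, not configuration from the NiXium repository; the limit and schedule values are illustrative.

```nix
# Added example (not from the NiXium repository): bound generations and
# garbage-collect automatically instead of pruning by hand.
{ ... }:
{
  # Keep only the last 10 generations in the boot menu; older entries are
  # dropped on the next `nixos-rebuild boot` instead of accumulating.
  boot.loader.systemd-boot.configurationLimit = 10;

  # Deleting a generation only removes the profile link; the store paths are
  # freed by garbage collection, so schedule it.
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 14d";
  };

  # Hard-link identical files in the store to reclaim further space.
  nix.settings.auto-optimise-store = true;
}
```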
Feel Free To Add Your Tips