From 390b68502e3b978cbf0aa3a8ef9ad8e6523941d5 Mon Sep 17 00:00:00 2001 From: Administrator Date: Wed, 5 Nov 2025 21:33:22 +0000 Subject: [PATCH] remove dante&btcpayserver, update site, add btc&xmr&ipfs nodes --- flake.lock | 114 +++----------------------------------- flake.nix | 11 +--- services/akkoma.nix | 7 +-- services/btc.nix | 3 - services/btcpayserver.nix | 18 ------ services/crypto.nix | 17 ++++++ services/dante.nix | 14 ----- services/default.nix | 5 +- services/lldap.nix | 39 ++++++------- services/mailserver.nix | 1 + services/paste.nix | 41 +++++++------- site/index.html | 2 + system/configuration.nix | 1 + 13 files changed, 74 insertions(+), 199 deletions(-) delete mode 100644 services/btc.nix delete mode 100644 services/btcpayserver.nix create mode 100644 services/crypto.nix delete mode 100644 services/dante.nix diff --git a/flake.lock b/flake.lock index f031026..632527d 100644 --- a/flake.lock +++ b/flake.lock @@ -39,32 +39,6 @@ "type": "gitlab" } }, - "extra-container": { - "inputs": { - "flake-utils": [ - "nix-bitcoin", - "flake-utils" - ], - "nixpkgs": [ - "nix-bitcoin", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1734005403, - "narHash": "sha256-vgh3TqfkFdnPxREBedw4MQehIDc3N8YyxBOB45n+AvU=", - "owner": "erikarvstedt", - "repo": "extra-container", - "rev": "f4de6c329b306a9d3a9798a30e060c166f781baa", - "type": "github" - }, - "original": { - "owner": "erikarvstedt", - "ref": "0.13", - "repo": "extra-container", - "type": "github" - } - }, "flake-compat": { "flake": false, "locked": { 
@@ -81,24 +55,6 @@ "type": "github" } }, - "flake-utils": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "git-hooks": { "inputs": { "flake-compat": [ @@ -168,29 +124,6 @@ "type": "github" } }, - "nix-bitcoin": { - "inputs": { - "extra-container": "extra-container", - "flake-utils": "flake-utils", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-unstable": "nixpkgs-unstable" - }, - "locked": { - "lastModified": 1761560050, - "narHash": "sha256-dbMLlIEamKfXP/Ww205FGDMkfEKd6Pzs/VpxUbSsmtU=", - "owner": "fort-nix", - "repo": "nix-bitcoin", - "rev": "b217b6019c3bba6eba2f2f5a277464b7579c3ab9", - "type": "github" - }, - "original": { - "owner": "fort-nix", - "repo": "nix-bitcoin", - "type": "github" - } - }, "nixos-mailserver": { "inputs": { "blobs": "blobs", 
@@ -202,32 +135,31 @@ "nixpkgs-25_05": "nixpkgs-25_05" }, "locked": { - "lastModified": 1755110674, - "narHash": "sha256-PigqTAGkdBYXVFWsJnqcirrLeFqRFN4PFigLA8FzxeI=", + "lastModified": 1762302830, + "narHash": "sha256-f3xe6CRPT51vCQFZotJOXi/JpGOiukz0WIa86arJSE8=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "f5936247dbdb8501221978562ab0b302dd75456c", + "rev": "58659fbdfd8aba9bd8f4517d3e5c388c4d8266c4", "type": "gitlab" }, "original": { "owner": "simple-nixos-mailserver", - "ref": "nixos-25.05", "repo": "nixos-mailserver", "type": "gitlab" } }, "nixpkgs": { "locked": { - "lastModified": 1761597516, - "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", + "lastModified": 1762111121, + "narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", + "rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-25.05", + "ref": "nixos-unstable", "type": "indirect" } }, @@ -247,26 +179,9 @@ "type": "github" } }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1760965567, - "narHash": "sha256-0JDOal5P7xzzAibvD0yTE3ptyvoVOAL0rcELmDdtSKg=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "cb82756ecc37fa623f8cf3e88854f9bf7f64af93", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "root": { "inputs": { "agenix": "agenix", - "nix-bitcoin": "nix-bitcoin", "nixos-mailserver": "nixos-mailserver", "nixpkgs": "nixpkgs" } 
@@ -285,21 +200,6 @@ "repo": "default", "type": "github" } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 2f2ed1b..92da8ac 100644 --- a/flake.nix +++ b/flake.nix @@ -2,9 +2,9 @@ description = "distrust.network Flake"; inputs = { - nixpkgs.url = "nixpkgs/nixos-25.05"; + nixpkgs.url = "nixpkgs/nixos-unstable"; nixos-mailserver = { - url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05"; + url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; inputs.nixpkgs.follows = "nixpkgs"; }; agenix = { @@ -12,17 +12,12 @@ inputs.nixpkgs.follows = "nixpkgs"; inputs.darwin.follows = ""; }; - nix-bitcoin = { - url = "github:fort-nix/nix-bitcoin"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; outputs = { nixpkgs, nixos-mailserver, agenix, - nix-bitcoin, ... }: let inherit (nixpkgs) lib; @@ -30,7 +25,7 @@ nixosConfigurations = { distrust = lib.nixosSystem { system = "x86_64-linux"; - modules = [./system ./services nixos-mailserver.nixosModules.default agenix.nixosModules.default nix-bitcoin.nixosModules.default]; + modules = [./system ./services nixos-mailserver.nixosModules.default agenix.nixosModules.default]; }; }; }; diff --git a/services/akkoma.nix b/services/akkoma.nix index 7531f60..20dc366 100644 --- a/services/akkoma.nix +++ b/services/akkoma.nix @@ -1,9 +1,4 @@ -{ - config, - lib, - pkgs, - ... -}: let +{pkgs, ...}: let fediPort = 8083; onionUrl = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion"; inherit ((pkgs.formats.elixirConf {}).lib) mkAtom; diff --git a/services/btc.nix b/services/btc.nix deleted file mode 100644 index 5812acc..0000000 --- a/services/btc.nix +++ /dev/null 
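Review bot: Moving `nixpkgs.url` to `nixpkgs/nixos-unstable` and dropping the `nixos-25.05` ref from the `nixos-mailserver` input in the first flake.nix hunk puts an internet-facing mail, LDAP and password-vault host on rolling branches, with no comment saying why. flake.lock still pins exact revisions, so the exposure comes at each `nix flake update`, which can now pull option renames and major version jumps together with security fixes. If unstable is needed for the new services (an inference; the diff does not say), a comment such as `# unstable needed for <reason>; return to a release branch once available` above the input would record the intent and the exit condition.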
@@ -1,3 +0,0 @@
-{
- nix-bitcoin.generateSecrets = true;
-}
diff --git a/services/btcpayserver.nix b/services/btcpayserver.nix
deleted file mode 100644
index 40c74c6..0000000
--- a/services/btcpayserver.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-let
- btcpayPort = 8086;
- onionUrl = "http://yon54asykwaovefzstakipoigbflmfrsw243ezumd7sj4cwtsnjnlyad.onion";
-in {
- services = {
- btcpayserver = {
- enable = true;
- port = btcpayPort;
- lightningBackend = "lnd";
- };
- caddy.virtualHosts."https://pay.distrust.network ${onionUrl}".extraConfig = ''
- reverse_proxy localhost:${toString btcpayPort}
- '';
- tor.relay.onionServices."btcpayserver".map = [
- 80
- ];
- };
-}
diff --git a/services/crypto.nix b/services/crypto.nix
new file mode 100644
index 0000000..a42d926
--- /dev/null
+++ b/services/crypto.nix
@@ -0,0 +1,17 @@
+{
+ services = {
+ bitcoind."default" = {
+ enable = true;
+ prune = 100000;
+ };
+
+ monero = {
+ enable = true;
+ prune = true;
+ };
+
+ kubo.enable = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [8333 18080 4001];
+}
diff --git a/services/dante.nix b/services/dante.nix
deleted file mode 100644
index 60bae3a..0000000
--- a/services/dante.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- services.dante = {
- enable = true;
- config = ''
- internal: 0.0.0.0 port=1080
- external: eth0
- clientmethod: none
- socksmethod: none
- '';
- };
-
- networking.firewall.allowedTCPPorts = [1080];
- networking.firewall.allowedUDPPorts = [1080];
-}
diff --git a/services/default.nix b/services/default.nix
index bd5c49f..0737374 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -7,11 +7,8 @@
 ./akkoma.nix
 ./prosody.nix
 ./lldap.nix
- # Dante not working right now, possibly misconfigured.
- #./dante.nix
 ./paste.nix
- ./btcpayserver.nix
- ./btc.nix
+ ./crypto.nix
 ./vaultwarden.nix
 ./mailserver.nix
 ];
diff --git a/services/lldap.nix b/services/lldap.nix
index 5e02b0e..5069208 100644
--- a/services/lldap.nix
+++ b/services/lldap.nix
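Review bot: `networking.firewall.allowedTCPPorts = [8333 18080 4001];` in the new services/crypto.nix opens three internet-facing P2P listeners as bare numbers, detached from the services that own them, so a port stays open if its service is later disabled or moved. A trailing comment such as `# 8333 bitcoind P2P, 18080 monerod P2P, 4001 kubo swarm` would make the exposure auditable. The site text in this commit says IPFS is coming "(soon)", yet `kubo.enable = true` and port 4001 already go live here; either defer both or update the text. No RPC or API port is opened, which is right, but it is worth confirming that the module defaults keep the bitcoind and monerod RPC and the kubo API bound to loopback, since that is not visible in this diff.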
@@ -1,24 +1,25 @@
 let
 onionUrl = "http://i3a47orggn2cebueja2jur66yjgyqd2y7kzthajar4ghuerbx2kzwqyd.onion";
-in
-{
- services.lldap = {
- enable = true;
- settings = {
- http_url = "https://login.distrust.network";
- ldap_user_email = "root@distrust.network";
- ldap_user_dn = "root";
- ldap_base_dn = "dc=distrust,dc=network";
- ldap_user_pass = "VERY_SECURE";
+in {
+ services = {
+ lldap = {
+ enable = true;
+ settings = {
+ http_url = "https://login.distrust.network";
+ ldap_user_email = "root@distrust.network";
+ ldap_user_dn = "root";
+ ldap_base_dn = "dc=distrust,dc=network";
+ ldap_user_pass = "VERY_SECURE";
+ };
 };
+
+ caddy.virtualHosts."https://login.distrust.network ${onionUrl}".extraConfig = ''
+ reverse_proxy localhost:17170
+ header Onion-Location ${onionUrl}
+ '';
+
+ tor.relay.onionServices."lldap".map = [
+ 80
+ ];
 };
-
- services.caddy.virtualHosts."https://login.distrust.network ${onionUrl}".extraConfig = ''
- reverse_proxy localhost:17170
- header Onion-Location ${onionUrl}
- '';
-
- services.tor.relay.onionServices."lldap".map = [
- 80
- ];
 }
diff --git a/services/mailserver.nix b/services/mailserver.nix
index c034882..50bdc09 100644
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@@ -1,5 +1,6 @@
 {config, ...}: {
 mailserver = {
+ stateVersion = 3;
 enable = true;
 fqdn = "distrust.network";
 domains = ["distrust.network"];
diff --git a/services/paste.nix b/services/paste.nix
index 9619ffa..abf97f0 100644
--- a/services/paste.nix
+++ b/services/paste.nix
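Review bot: `ldap_user_pass = "VERY_SECURE";` survives the re-indent in services/lldap.nix, so the LLDAP admin password is a literal in a config the site describes as publicly readable, and values under `settings` are also likely to end up in the world-readable Nix store. The same hunk publishes the LLDAP web UI on login.distrust.network and an onion address, so the admin login is reachable from the internet. agenix is already a flake input: drop the line and supply the password out of band, e.g. `environmentFile = config.age.secrets.<lldap-env>.path;` (placeholder secret name) with `LLDAP_LDAP_USER_PASS=...` inside, which needs `{config, ...}:` at the top of the file. If this literal was ever the live admin password, rotate it, because LLDAP may only apply the configured value when the admin account is first created (worth confirming against the deployed version).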
@@ -1,26 +1,27 @@
 let
 pastePort = 8087;
 onionUrl = "http://s4h5nfnwwhzku55opxlqouobioibx4htwygnp2l4fkp256lur5s53rad.onion";
-in
-{
- services.microbin = {
- enable = true;
- settings = {
- MICROBIN_PORT = pastePort;
- MICROBIN_ENABLE_BURN_AFTER = true;
- MICROBIN_QR = true;
- MICROBIN_NO_LISTING = true;
- MICROBIN_HIGHLIGHTSYNTAX = true;
- MICROBIN_PUBLIC_PATH = "https://paste.distrust.network/";
+in {
+ services = {
+ microbin = {
+ enable = true;
+ settings = {
+ MICROBIN_PORT = pastePort;
+ MICROBIN_ENABLE_BURN_AFTER = true;
+ MICROBIN_QR = true;
+ MICROBIN_NO_LISTING = true;
+ MICROBIN_HIGHLIGHTSYNTAX = true;
+ MICROBIN_PUBLIC_PATH = "https://paste.distrust.network/";
+ };
 };
+
+ caddy.virtualHosts."https://paste.distrust.network ${onionUrl}".extraConfig = ''
+ reverse_proxy localhost:${toString pastePort}
+ header Onion-Location ${onionUrl}
+ '';
+
+ tor.relay.onionServices."microbin".map = [
+ 80
+ ];
 };
-
- services.caddy.virtualHosts."https://paste.distrust.network ${onionUrl}".extraConfig = ''
- reverse_proxy localhost:${toString pastePort}
- header Onion-Location ${onionUrl}
- '';
-
- services.tor.relay.onionServices."microbin".map = [
- 80
- ];
 }
diff --git a/site/index.html b/site/index.html
index be8515a..747ad6b 100755
--- a/site/index.html
+++ b/site/index.html
@@ -54,7 +54,9 @@
  • Forgejo [tor] [clearnet]
  • Vaultwarden [tor] [clearnet] [hover]
  • Microbin (Paste) [tor] [clearnet]
  • +
  • Public TOR SOCKS5 Proxy [hover]
  • +

    We also host nodes for Bitcoin (BTC), Monero (XMR), and (soon) IPFS to strengthen their networks.

    All services have a strict no-metrics policy, with logs being kept for at most 1 hour (for debugging purposes). Where it is difficult to configure this in a service, logs are directly piped and/or symlinked to /dev/null.

    The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks. This NixOS config is auditable and freely accessible over TOR and clearnet.

    If you are interested, email me with your desired username.

    diff --git a/system/configuration.nix b/system/configuration.nix index 9b83a77..9a3827d 100644 --- a/system/configuration.nix +++ b/system/configuration.nix @@ -52,6 +52,7 @@ in { Persistent = true; Unit = "clear-var-log.service"; }; + wantedBy = ["timers.target"]; }; };