clear logs hourly

site/index.html

@@ -47,14 +47,14 @@
 	<p>We provide a plethora of services, available through either <a href="http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion/">TOR</a> or the <a href="https://distrust.network/">clearnet</a>. These include (and <i>are</i> limited to):</p>
         <ul>
 	    <li>E-Mail <a title="An E-Mail client is included as a Nextcloud App. Alternatively, bring your own."><small>[hover]</small></a></li>
-	    <li>Nextcloud (10GB) <small><a href="http://znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion/login">[tor]</a><a href="https://cloud.distrust.network">[clearnet]</a></small></li>
+	    <li>Nextcloud (10GB) <small><a href="http://znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion/login">[tor]</a> <a href="https://cloud.distrust.network">[clearnet]</a></small></li>
 	    <li>XMPP <small><a title="Bring your own client.">[hover]</a></small></li>
 	    <li>Akkoma (Fediverse) <small><a href="http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion"/>[tor]</a> <a href="https://social.distrust.network">[clearnet]</a></small></li>
             <li>Static Site Hosting (TOR &amp; clearnet, <a href="mailto:root@distrust.network?subject=SITE%20HOSTING%20REQUEST">email me</a> upon registration)</li>
 	    <li>Forgejo <small><a href="http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion/">[tor]</a> <a href="https://git.distrust.network">[clearnet]</a></small></li>
 	    <li>Vaultwarden <small><a href="http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion/">[tor]</a> <a href="https://vault.distrust.network">[clearnet]</a> <a title="Once you have logged in for the first time, check your inbox.">[hover]</a></small></li>
         </ul>
-        <p>All services have a strict no-logs and no-metrics policy. Where it is difficult to configure this in a service, logs are directly piped and/or symlinked to <code>/dev/null</code>.</p>
+        <p>All services have a strict no-metrics policy, with logs being kept for at most 1 hour (for debugging purposes). Where it is difficult to configure this in a service, logs are directly piped and/or symlinked to <code>/dev/null</code>.</p>
 	<p>The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks. This NixOS config is auditable and freely accessible over <a href="http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion/root/flake">TOR</a> and <a href="https://git.distrust.network/root/flake">clearnet</a>.</p>
         <p>If you are interested, <a href="mailto:root@distrust.network?subject=ACCOUNT%20REQUEST&body=Replace%20this%20email%20body%20with%20your%20desired%20username.">email me</a> with your desired username.</p>
         <hr>

system/configuration.nix

@@ -26,6 +26,35 @@ in {
     };
   };
 
-  users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"];
+  users.users.root.hashedPassword = "!";
+  users.users.anon = {
+    isNormalUser = true;
+    extraGroups = ["wheel"];
+    hashedPassword = "$6$GAyfgaTQgaBipAbb$gF/9YBh2ucVa/9vDQvEu9DVjSbsqdvSoXwA5RX0kP7.xdCfLqXhGBLlSXHg0e4rkLLd6zI1gRTWd4TfMjnnpS/";
+    openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk+P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno:16_179_196"];
+  };
+  security.sudo.wheelNeedsPassword = true;
+
+  systemd = {
+    services.clear-var-log = {
+      description = "Clear /var/log directory";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.coreutils}/bin/rm -rf /var/log/*";
+        User = "root";
+        Group = "root";
+      };
+    };
+    timers.clear-var-log = {
+      description = "Hourly timer to clear /var/log";
+      wants = ["clear-var-log.service"];
+      timerConfig = {
+        OnCalendar = "hourly";
+        Persistent = true;
+        Unit = "clear-var-log.service";
+      };
+    };
+  };
+
   system.stateVersion = "25.05";
 }

system/networking.nix

@@ -3,10 +3,10 @@
   # details gathered from the active system.
   networking = {
     nameservers = [
-      "213.136.95.10"
+      "9.9.9.9"
-      "213.136.95.11"
+      "149.112.112.112"
-      "2a02:c207::1"
+      "2620:fe::fe"
-      "8.8.8.8"
+      "2620:fe::9"
     ];
     defaultGateway = "157.173.112.1";
     defaultGateway6 = {