root/flake
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

almost ready. now to harden

Browse source
This commit is contained in:
root 2025-11-04 11:30:34 +00:00
parent 29cbf8b2d8
commit e856c0dfb1
20 changed files with 539 additions and 58 deletions
Download patch file Download diff file Expand all files Collapse all files

220
flake.lock generated
View file

@ -1,6 +1,207 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1761656077,
"narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=",
"owner": "ryantm",
"repo": "agenix",
"rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": [
"nixos-mailserver",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"nixos-mailserver",
"nixpkgs"
]
},
"locked": {
"lastModified": 1742649964,
"narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"nixos-mailserver",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"git-hooks": "git-hooks",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-25_05": "nixpkgs-25_05"
},
"locked": {
"lastModified": 1755110674,
"narHash": "sha256-PigqTAGkdBYXVFWsJnqcirrLeFqRFN4PFigLA8FzxeI=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "f5936247dbdb8501221978562ab0b302dd75456c",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-25.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"nixpkgs": { "nixpkgs": {
"locked": {
"lastModified": 1754028485,
"narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "59e69648d345d6e8fef86158c555730fa12af9de",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-25_05": {
"locked": {
"lastModified": 1747610100,
"narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ca49c4304acf0973078db0a9d200fd2bae75676d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1761597516, "lastModified": 1761597516,
"narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
@ -17,7 +218,24 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs" "agenix": "agenix",
"nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs_2"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
} }
} }
}, },

13
flake.nix
View file

@ -3,11 +3,22 @@
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-25.05"; nixpkgs.url = "nixpkgs/nixos-25.05";
nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:ryantm/agenix";
inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
inputs.agenix.inputs.darwin.follows = "";
};
}; };
outputs = { outputs = {
self, self,
nixpkgs, nixpkgs,
nixos-mailserver,
agenix,
... ...
}: let }: let
lib = nixpkgs.lib; lib = nixpkgs.lib;
@ -15,7 +26,7 @@
nixosConfigurations = { nixosConfigurations = {
distrust = lib.nixosSystem { distrust = lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [./system ./services]; modules = [./system ./services nixos-mailserver.nixosModules.default agenix.nixosModules.default];
}; };
}; };
}; };

8
secrets/bind_pw Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 OPPxWw Slc68CGLIV6b8991IWvlIPpkdBxDG6hH3ytF+eWlZS0
CZFb1fdZ67vbZHwhQUokWwHL7NOapVfOgx1sk+Z8rp4
-> ssh-ed25519 aO1l/A R8fGdM3+lIABd5s8uPQUibKm3zhqYvvn4w4mEZuy9B4
J/YMkcSa76rhuq64UCYc8Q4GVRh/jdYVKWU8V7LQ+i4
--- tD1M4bRODHpYr9AnDocT8hN+TZUB11QMq9KytykLb5k
レキ
イトNヘウ式y<EFBFBD><EFBFBD>、gY0マ2pLミDセト=*ウ。k蚯ニネ<EFBE86>oを

BIN
secrets/nextcloud-admin-pass Normal file
View file

Binary file not shown.

14
secrets/secrets.nix Normal file
View file

@ -0,0 +1,14 @@
let
user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk+P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno:16_179_196";
users = [ user ];
system = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKxw1fDsIUUh3vWCD90LDgDMAG/NSVRg7QamUbknz5A root@distrust";
systems = [ system ];
all = users ++ systems;
in
{
"bind_pw".publicKeys = all;
"nextcloud-admin-pass".publicKeys = all;
"vaultwarden.env".publicKeys = all;
}

BIN
secrets/vaultwarden.env Normal file
View file

Binary file not shown.

8
services/akkoma.nix
View file

@ -5,6 +5,7 @@
... ...
}: let }: let
fediPort = 8083; fediPort = 8083;
onionUrl = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion";
inherit ((pkgs.formats.elixirConf {}).lib) mkAtom; inherit ((pkgs.formats.elixirConf {}).lib) mkAtom;
in { in {
services.akkoma = { services.akkoma = {
@ -39,14 +40,11 @@ in {
}; };
}; };
services.caddy.virtualHosts."social.distrust.network".extraConfig = '' services.caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString fediPort} reverse_proxy localhost:${toString fediPort}
''; '';
services.tor.relay.onionServices."akkoma".map = [ services.tor.relay.onionServices."akkoma".map = [
{ 80
port = 80;
target = {port = fediPort;};
}
]; ];
} }

14
services/dante.nix Normal file
View file

@ -0,0 +1,14 @@
{
services.dante = {
enable = true;
config = ''
internal: 0.0.0.0 port=1080
external: eth0
clientmethod: none
socksmethod: none
'';
};
networking.firewall.allowedTCPPorts = [ 1080 ];
networking.firewall.allowedUDPPorts = [ 1080 ];
}

4
services/default.nix
View file

@ -1,12 +1,14 @@
{ {
imports = [ imports = [
./caddy.nix ./caddy.nix
./tor.nix
./site.nix ./site.nix
./nextcloud.nix ./nextcloud.nix
./forgejo.nix ./forgejo.nix
./akkoma.nix ./akkoma.nix
./prosody.nix ./prosody.nix
./lldap.nix ./lldap.nix
./dante.nix
./vaultwarden.nix
./mailserver.nix
]; ];
} }

9
services/forgejo.nix
View file

@ -1,5 +1,6 @@
let let
forgejoPort = 8082; forgejoPort = 8082;
onionUrl = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion";
in { in {
services.forgejo = { services.forgejo = {
enable = true; enable = true;
@ -8,17 +9,15 @@ in {
DOMAIN = "git.distrust.network"; DOMAIN = "git.distrust.network";
HTTP_PORT = forgejoPort; HTTP_PORT = forgejoPort;
ROOT_URL = "https://git.distrust.network/"; ROOT_URL = "https://git.distrust.network/";
SSH_PORT = 292;
}; };
}; };
services.caddy.virtualHosts."git.distrust.network".extraConfig = '' services.caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString forgejoPort} reverse_proxy localhost:${toString forgejoPort}
''; '';
services.tor.relay.onionServices."forgejo".map = [ services.tor.relay.onionServices."forgejo".map = [
{ 80
port = 80;
target = {port = forgejoPort;};
}
]; ];
} }

16
services/mailserver.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, ... }:
{
mailserver = {
enable = true;
fqdn = "distrust.network";
domains = [ "distrust.network" ];
certificateScheme = "acme";
ldap = {
enable = true;
bind.dn = "cn=bind,ou=people,dc=distrust,dc=network";
bind.passwordFile = config.age.secrets."bind_pw".path;
searchBase = "ou=people,dc=distrust,dc=network";
uris = [ "ldap://localhost:3890" ];
};
};
}

95
services/nextcloud.nix
View file

@ -1,17 +1,23 @@
{ {
pkgs, pkgs,
config, config,
lib,
... ...
}: let }: let
nextcloudPort = 8081; onionUrl = "http://znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion";
in { in {
environment.etc."nextcloud-admin-pass".text = "PWD"; age.secrets."nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass;
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
hostName = "cloud.distrust.network"; hostName = "cloud.distrust.network";
settings.trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"]; settings = {
trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"];
trusted_proxies = ["127.0.0.1"];
maintenance_window_start = 1;
};
config = { config = {
adminpassFile = "/etc/nextcloud-admin-pass"; adminpassFile = config.age.secrets."nextcloud-admin-pass".path;
dbtype = "pgsql"; dbtype = "pgsql";
}; };
package = pkgs.nextcloud32; package = pkgs.nextcloud32;
@ -21,14 +27,77 @@ in {
database.createLocally = true; database.createLocally = true;
}; };
services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ users.groups.nextcloud.members = [ "nextcloud" "caddy" ];
{ services.nginx.enable = lib.mkForce false;
addr = "127.0.0.1"; services.phpfpm.pools.nextcloud.settings = {
port = nextcloudPort; "listen.owner" = "caddy";
} "listen.group" = "caddy";
]; };
services.caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = ''
# encode zstd gzip
services.caddy.virtualHosts."https://cloud.distrust.network".extraConfig = '' root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
reverse_proxy localhost:${toString nextcloudPort}
''; redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/* /index.php{uri} 301
redir /remote/* /remote.php{uri} 301
header {
Strict-Transport-Security max-age=31536000
Permissions-Policy interest-cohort=()
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy no-referrer
X-XSS-Protection "1; mode=block"
X-Permitted-Cross-Domain-Policies none
X-Robots-Tag "noindex, nofollow"
-X-Powered-By
Host {host}
X-Real-IP {remote_host}
X-Forwarded-For {remote_host}
X-Forwarded-Proto {scheme}
X-Forwarded-Host {host}
}
php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
root ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
env front_controller_active true
env modHeadersAvailable true
}
@forbidden {
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
not path /.well-known/*
}
error @forbidden 404
@immutable {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
query v=*
}
header @immutable Cache-Control "max-age=15778463, immutable"
@static {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
not query v=*
}
header @static Cache-Control "max-age=15778463"
@woff2 path *.woff2
header @woff2 Cache-Control "max-age=604800"
file_server
'';
services.nextcloud.phpOptions = {
"opcache.interned_strings_buffer" = 64;
};
services.tor.relay.onionServices."nextcloud".map = [
80
];
} }

5
services/prosody.nix
View file

@ -1,8 +1,11 @@
{ {
pkgs, pkgs,
lib, lib,
config,
... ...
}: { }: {
age.secrets."bind_pw".file = ../secrets/bind_pw;
services.prosody = { services.prosody = {
package = pkgs.prosody.override { package = pkgs.prosody.override {
withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap]; withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
@ -27,7 +30,7 @@
ldap_base = "ou=people,dc=distrust,dc=network" ldap_base = "ou=people,dc=distrust,dc=network"
ldap_server = "localhost:3890" ldap_server = "localhost:3890"
ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network" ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
ldap_password = "bindpassword" ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"
''; '';
}; };

25
services/site.nix
View file

@ -4,29 +4,16 @@
... ...
}: let }: let
sitePort = 8080; sitePort = 8080;
onionUrl = "http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion";
in { in {
systemd.services.python-http-server = { services.caddy.virtualHosts = {
description = "Simple Python HTTP Server"; "https://distrust.network ${onionUrl}".extraConfig = ''
after = ["network.target"]; root * /etc/nixos/site
wantedBy = ["multi-user.target"]; file_server
serviceConfig = {
ExecStart = "${pkgs.python3}/bin/python3 -m http.server ${toString sitePort} --directory /var/www/distrust.network";
Restart = "on-failure";
User = "nobody";
WorkingDirectory = "/var/www/distrust.network";
};
};
services.caddy.virtualHosts."distrust.network" = {
extraConfig = ''
reverse_proxy localhost:${toString sitePort}
''; '';
}; };
services.tor.relay.onionServices."site".map = [ services.tor.relay.onionServices."site".map = [
{ 80
port = 80;
target = {port = sitePort;};
}
]; ];
} }

9
services/tor.nix
View file

@ -1,9 +0,0 @@
{lib, ...}: {
services.tor = {
settings.HiddenServiceNonAnonymousMode = false;
client = {
enable = true;
dns.enable = true;
};
};
}

25
services/vaultwarden.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, ... }:
let
vaultPort = 8222;
onionUrl = "http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion";
in
{
age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env;
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://vault.distrust.network";
ROCKET_PORT = vaultPort;
};
environmentFile = config.age.secrets."vaultwarden.env".path;
};
services.caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString vaultPort}
'';
services.tor.relay.onionServices."vaultwarden".map = [
80
];
}

63
site/index.html Executable file
View file

@ -0,0 +1,63 @@
<!DOCTYPE html>
<head>
<title>distrust.network</title>
<style>
.centered {
position: absolute;
top: 50%;
left: 50%;
transform: translate(-50%, -50%);
font-family: monospace;
}
@media (max-width: 640px) {
.centered {
position: fixed;
top: 10%;
left: 0;
transform: none;
width: 100vw;
height: 100vh;
padding: 1rem;
box-sizing: border-box;
}
}
body {
background-color: #121212;
color: #FFFFFF;
}
a {
color: #a2a2a2;
text-decoration: underline;
}
.privacy-policy {
float: right;
}
</style>
</head>
<body>
<div class="centered">
<h1>distrust.network</h1>
<hr>
<p><i>"The mask of self-deception was no longer a mask for me, it was a part of me."</i> <small>Robert W. Chambers</small></p>
<h3>About</h3>
<hr>
<p><code>distrust.network</code> works off one simple principle:</p>
<i>> I don't know you, and I don't want to.</i>
<p>Pricing starts at $1 per month (or however you'd like to pay, any extra being a tip), and upgrades to lifetime access as soon as you have paid $100 total. Payment is in <a title="I will reply with an address to send the money to once you request an account.">BTC only</a>.</p>
<p>We provide a plethora of services, available through either <a href="http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion/">TOR</a> or the <a href="https://distrust.network/">clearnet</a>. These include (and <i>are</i> limited to):</p>
<ul>
<li>E-Mail <a title="An E-Mail client is included as a Nextcloud App. Alternatively, bring your own."><small>[hover]</small></a></li>
<li>Nextcloud (10GB) <small><a href="http://znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion/login">[tor]</a><a href="https://cloud.distrust.network">[clearnet]</a></small></li>
<li>XMPP <small><a title="Bring your own client.">[hover]</a></small></li>
<li>Akkoma (Fediverse) <small><a href="http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion"/>[tor]</a> <a href="https://social.distrust.network">[clearnet]</a></small></li>
<li>Static Site Hosting (TOR &amp; clearnet, <a href="mailto:root@distrust.network?subject=SITE%20HOSTING%20REQUEST">email me</a> upon registration)</li>
<li>Forgejo <small><a href="http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion/">[tor]</a> <a href="https://git.distrust.network">[clearnet]</a></small></li>
<li>Vaultwarden <small><a href="http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion/">[tor]</a> <a href="https://vault.distrust.network">[clearnet]</a> <a title="Once you have logged in for the first time, check your inbox.">[hover]</a></small></li>
</ul>
<p>All services have a strict no-logs and no-metrics policy. Where it is difficult to configure this in a service, logs are directly piped and/or symlinked to <code>/dev/null</code>.</p>
<p>The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks.</p>
<p>If you are interested, <a href="mailto:root@distrust.network?subject=ACCOUNT%20REQUEST&body=Replace%20this%20email%20body%20with%20your%20desired%20username.">email me</a> with your desired username.</p>
<hr>
<a href="mailto:root@distrust.network?subject=INQUIRY">Contact</a><a href="/privacy-policy.html" class="privacy-policy">Privacy Policy</a>
</div>
</body>

45
site/privacy-policy.html Executable file
View file

@ -0,0 +1,45 @@
<!DOCTYPE html>
<head>
<title>distrust.network - Privacy Policy</title>
<style>
.centered {
position: absolute;
top: 50%;
left: 50%;
transform: translate(-50%, -50%);
font-family: monospace;
}
@media (max-width: 640px) {
.centered {
position: fixed;
top: 10%;
left: 0;
transform: none;
width: 100vw;
height: 100vh;
padding: 1rem;
box-sizing: border-box;
}
}
body {
background-color: #121212;
color: #FFFFFF;
}
a {
color: #a2a2a2;
text-decoration: underline;
}
.privacy-policy {
float: right;
}
</style>
</head>
<body>
<div class="centered">
<h1>Privacy Policy</h1>
<hr>
<p>Alan, add privacy policy.</p>
<hr>
<a href="mailto:root@distrust.network?subject=INQUIRY">Contact</a><a href="/" class="privacy-policy">Home</a></span>
</div>
</body>

25
system/configuration.nix
View file

@ -1,13 +1,30 @@
{pkgs, ...}: { {pkgs, ...}:
environment.systemPackages = with pkgs; [vim btop git alejandra statix deadnix]; let updateScript = pkgs.writeShellScriptBin "rebuild" ''
#!/bin/sh
nixos-rebuild switch --flake /etc/nixos#distrust --impure
'';
in
{
environment.systemPackages = with pkgs; [vim btop git alejandra statix deadnix] ++ [ updateScript ];
nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings.experimental-features = ["nix-command" "flakes"];
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
networking.hostName = "distrust"; networking.hostName = "distrust";
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "yes"; services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
ports = [292];
};
services.fail2ban.enable = true;
services.endlessh = {
enable = true;
port = 22;
openFirewall = true;
};
users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"]; users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"];
system.stateVersion = "25.05"; system.stateVersion = "25.05";
} }

1
system/default.nix
View file

@ -3,5 +3,6 @@
./configuration.nix ./configuration.nix
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix
<nixpkgs/nixos/modules/profiles/hardened.nix>
]; ];
} }