NiXium
Open-Source Infrastructure as Code management solution for multiple systems, designed to be reliable in mission-critical tasks in paranoid, high-security environments.
RED ALERT: Claude AI Agent proven to be able to find unknown zero days in the code which is publicly available: https://www.youtube.com/watch?v=-ndTTdOW_i4 ALL SERVICES ARE NOW TAKEN DOWN
NIXIUM IS IN CRISIS RECOVERY MODE.
NiXium (N/X)
Transparent Nix-based Open-Source Infrastructure as Code (OSS IaaC) for mission-critical tasks in paranoid, high-security environments. All configurations are declarative and version-controlled.
This is the experimental branch: experiments are conducted here prior to submission to the central branch.
- disko — Declarative Filesystem Management
- impermanence — Enforce Declarative Setup
- flake-parts — Nix Flake Management
- home-manager — User Configuration
- ragenix — Secrets Management
- mission-control — Task Runner
- lanzaboote — Declarative Secure Boot
- nixos-generators — Filesystem Images
- Release-independent Modules — Cross-release compatibility
Standards
All Nix code must follow the Nx Language Standard.
Directory Structure
Run `, tree` to generate this structure:

```
├── config -- Project Configuration
├── lib -- Project-Oriented Libraries
├── src -- Source Code Files
|   ├── nixos -- Source Files Relevant to the NixOS Distribution
|   |   ├── images -- Custom tools to manage the NixOS Distribution
|   |   ├── machines -- Machine Management in the NixOS Distribution
|   |   |   ├── template -- Example of Machine Management
|   |   |   |   ├── config -- Individual System configuration
|   |   |   |   ├── lib -- Libraries Exported by the Machine to Others
|   |   |   |   ├── releases -- Management across releases for the individual machine
|   |   |   |   ├── secrets -- Machine-individual secrets
|   |   |   |   ├── services -- Machine managed services
|   |   ├── modules -- NixOS-related Modules
|   |   |   ├── programs -- NixOS-related Programs Adjustments
|   |   |   ├── security -- NixOS-related Security Management
|   |   |   ├── services -- NixOS-related Service Adjustments
|   |   |   ├── system -- NixOS-related System Management
|   |   |   ├── impermenance -- NixOS-related management of impermanence
|   |   ├── overlays -- Overlay Management
|   |   |   ├── packages -- Changes to individual packages repository-wide
|   |   ├── users -- Management of Users in NixOS Distribution
|   |   |   ├── modules -- Home-Manager specific modules applied to all users
|   |   |   ├── users -- Individual User Management
|   |   |   |   ├── kreyren -- Management of Kreyren User
|   |   |   |   |   ├── home -- User Kreyren's Home Management
├── tasks -- Routines to work with the project
|   ├── shellcheck -- Run shellcheck on all shell scripts in the repository
|   ├── docs -- Tasks related to the project documentation
|   |   ├── tree -- Task used to generate this file hierarchy output
├── vendor -- 3rd party repos used in this project
```
Services (Provided to Community)
All services are provided via Tor onion routing. Configure MapAddress for memorable URLs (e.g., monero.nx).
Monero Node
Hostname: jj6qehtyrfvvi4gtwttpg2qyaukqzxwaoxvak534nidlnnelmqtlm3qd.onion
Port: 18081
Username: Monerochan
Password: iL0VEMoNeRoChan<3
<details> <summary><strong>Security Details (click to expand)</strong></summary>

Security: Transactions may be deanonymized if using insecure OS, misconfigured Tor, shared nodes (lose Dandelion++), identifiable fee rates, or KYC exchanges. Post-quantum risk exists until FCMP++/Carrot is implemented.
Deanonymization Risks:
- Insecure OS with proprietary components
- Not using Tor or misconfigured
- Not running your own node (lose Dandelion++ benefits)
- Changing default fee rate in identifiable ways
- Using KYC exchanges
Post-Quantum Threat: Transactions are likely being harvested for "Harvest Now, Decrypt Later". Monero remains vulnerable until FCMP++/Carrot is implemented.
</details>

Vikunja (Internal Todo)
Hostname: u65cyt3tdc66u7ciin55atl5sattytx3rjzzrzhlfdfc2t7pqbhyd6qd.onion
Port: 80
Access upon request. Consider Vikunja Cloud to support upstream.
Contributing
Getting Started
This is a hardened codebase with strict checks. Start with small contributions fixing "tagged code" to learn the process.
Never submit new features without issue tracking and assignment.
```sh
# Install direnv for automatic environment loading
# Then:
cd /path/to/NiXium
, <task-name> # direnv auto-loads (recommended)
# Examples:
, verify # Verify system configuration
, codium # Open in VSCodium
, tree # Show directory structure
```

Without direnv: run `nix develop`, then `, <task-name>`.
RFC 2119 Keywords
This repository uses RFC 2119 keywords: MUST, SHOULD, MAY. See RFC 2119 for definitions.
Tagged Code
```nix
# FIXME-QA(Krey): Make it possible to accept list of strings
# FIXME-UPSTREAM(Krey): These options should be added to NixOS Module
services.monero.extraConfig = toString [
	"prune-blockchain=1"
	"proxy=127.0.0.1:9050"
];
```

| Tag | Meaning |
|-----|---------|
| FIXME: | General fixme |
| FIXME-QA: | Quality assurance |
| FIXME-SECURITY: | Security issue |
| FIXME-UPSTREAM: | Fix upstream |
| TODO: | Task for author |
| DOCS: | Documentation needed |
| HACK: | Workaround |
| REVIEW: | Needs review |
| DNM: | Do Not Merge (blocks merge) |
| DNC: | Do Not Contribute |
| DNR: | Do Not Release |
| NOTE: | Important note |
| PURITY: | Impure operation |
Search for starter issues:
```sh
grep -rP "(FIXME|TODO|DOCS|HACK|REVIEW|DNM|DNC|DNR)((\-.*|)\(.*\)):" .
```
Leave some trivial tagged items for humans as starter issues.
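
The table marks DNM as blocking a merge; the following is an added example, not part of NiXium, of a gate a task or CI job could run to enforce that. The function names, the `grep -E` adaptation of the search pattern above, and treating DNM and DNR as release blockers are assumptions of this example, and the sample files are constructed.

```shell
# Added example (not NiXium code): refuse a merge or release while blocking tags remain.
# Assumption: tags have the shape shown on the page, TAG[-SUBTAG](author):

# tag_pattern TAG -> ERE matching TAG as a whole tag, e.g. "# DNM(Krey): ..."
tag_pattern() {
	printf '(^|[^A-Za-z])%s(-[A-Za-z]+)?\\([^)]*\\):' "$1"
}

# count_tag TAG DIR -> number of lines under DIR that carry TAG
count_tag() {
	grep -rE "$(tag_pattern "$1")" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# tag_gate MODE DIR -> 0 if MODE may proceed, 1 if a blocking tag is present, 2 on bad usage
# DNM blocking a merge is from the page's table; DNM and DNR blocking a release is assumed here
tag_gate() {
	case "$1" in
		merge) blockers="DNM" ;;
		release) blockers="DNM DNR" ;;
		*) echo "usage: tag_gate merge|release DIR" >&2; return 2 ;;
	esac
	rc=0
	for tag in $blockers; do
		n=$(count_tag "$tag" "$2")
		if [ "$n" -gt 0 ]; then
			echo "blocked: $n $tag tag(s) under $2" >&2
			grep -rnE "$(tag_pattern "$tag")" "$2" >&2
			rc=1
		fi
	done
	n=$(count_tag "FIXME-SECURITY" "$2")
	if [ "$n" -gt 0 ]; then echo "warning: $n open FIXME-SECURITY tag(s)" >&2; fi
	return "$rc"
}

# make_sample -> path of a temp tree holding constructed tagged files (sample data, not from the repo)
make_sample() {
	d=$(mktemp -d)
	printf '%s\n' '# FIXME-SECURITY(Example): pin the proxy address' \
		'# DNR(Example): placeholder credentials' \
		'# TODO(Example): tidy up' > "$d/service.nix"
	printf '%s\n' 'echo "DNM in prose, not a tag"' > "$d/script.sh"
	echo "$d"
}

sample=$(make_sample)
tag_gate merge "$sample" && echo "merge: allowed"
tag_gate release "$sample" || echo "release: blocked"
rm -rf "$sample"
```

The pattern requires the `(author):` suffix, so a bare mention of a tag name in prose or in a string does not trip the gate.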
Implementation Notes
Nix Language
We write Nix differently from upstream due to security concerns (see nixpkgs#133088 and related issues).
Indentation: Tabs, not spaces.
```nix
let
	inherit (builtins) readFile;
in {
	perSystem = { pkgs, ... }: {
		mission-control.scripts = {
			"build" = {
				exec = pkgs.writeShellApplication {
					name = "build-script";
					text = readFile ./script.sh;
				};
			};
		};
	};
}
```

Use `let inherit (builtins) readFile; in` at top level.
Shell Scripts
We p
