MarigoldOS is an experimental operating system that attempts to explore what a sustainable computer system might look like. runs a clearnet fork of MarigoldOS.

MarigoldOS is (currently) a Nixos configuration. This means that you can use most all of it from your Nixos system. Everything in the profiles directory was designed to drop-in to other Nixos systems and be used independently of the rest of 0x00.

It is equally happy on your laptop, server, as a virtual machine on your existing computer, or on your motorcycle and can switch on-the-fly. Although the public instance is a service node on the yggdrasil network, it is perfectly capable of working on the public internet, as demonstrated by running many of the profiles in this repository.

Several advanced features are in various stages of implementation, including custom android builds that are preconfigured to use your node and self-replication from another (offline) node. At boot time you have the choice of several kernels to load, with appropriate software configuration to match.


That said the developer uses it on his daily-driver laptop, on a handful of servers, and on a motorcycle. It should run fine with only a minimal amount of manual configuration. The public repo has been scrubbed of dumb things like hardcoded addresses and keys, but until this message is removed you should double check anyway. Feel free to contact me on email echo "sy@Xiuliejblrs.sbni" | tr subterminalXjoy crablikefunkpow or matrix echo "@sy:Xiuliejblrs.sbni" | tr subterminalXjoy crablikefunkpow and I can help you get running quickly.


If you aim for the stars, the worst that could happen is that you blow up on the launch pad.

Full Stack Libre

Open source from the silicon to the network. Excited about RISC-V. You won't find any SaaS APIs (ITS FREE FOREVER LOL) here.


Minimize resource use. $20 cell phones would have been a great computer a decade ago. Any old laptop is a perfectly capable server, and it doesn't matter if the screen is broken, the battery barely works, and it's missing keys on the keyboard. If those all work even better.

Mobile Identities

You should be able to log into your personalized system running locally on any other computer by simply entering user@domain on login.


Your system configuration and data, including encrypted data, should be restorable from a single private key like a BIP39 seed on any fresh computer.


Usernames and passwords suck. Skip them whenever possible.


Plaintext files are extraordinarily powerful for users of your program: - These can be edited by hand or programmatically - searching/indexing local text files happens faster than any web search - You don't need any special software on any platform

Use them instead of a database whenever possible.

Peer to Peer

The client-server paradigm should be migrated to a peer-to-peer model as much as possible. When peer-to-peer is not possible, self-hosting should be the next option. Servers should be able to run on your old computers, instead of throwing them out. In exceptional cases, servers could be hosted by a trusted friend/family member but this should be considered -- but this should be avoided whenever possible and only used for low-impact services or services that benefit from small-group anonymity (privacy preserving frontends, for example).

New and old

Old technologies are worth revisiting or remixing with new technologies. Ex: Yggdrasil gives every computer a public, static, IP with end-to-end encrypted traffic, regardless of where they connect to the network. This plus Alfis allows every computer to run it's own email server on it's own domain name with no external dependencies.

Keep it Simple, Stupid

You run kubernetes, docker, ansible, chef, elasticsearch, and have 3 seperate management machines to make nginx on your raspberry pi work. I know you want to LARP as a faang employee, but faang employees LARP as real hackers. I bet you have a lot of followers, though.

Minimize Manual Configuration

Manual configuration should be minimized with sensible defaults, but never at the expense of personalization. Feel free to be opinionated, but you don't think you know better than the users. Don't be so opinionated that you are effectively a soft-fork and you make it difficult for others to use the vanilla software documentation.

Precompilation over JIT

If you can build it ahead of time and run/serve it statically, that is better than doing it as the user requests it. It allows you to skip having extra processes running, databases, etc.


Don't be afraid to things differently, but don't cling to them for novelty's sake if they don't work out.


Some things your operating system doesn't do:

*but you can squat on any domain name you want, or use a number of p2p (non-cryptocoin) domain name systems


These are specialized configurations that are selectable at boot-time. They can also be changed at runtime, but the kernel-level stuff obviously won't take effect.




Hardened kernel, and a bunch of hardened system settings. Uses doas instead of sudo. I think firefox is broken with this kernel atm so maybe don't use it for a daily driver machine.

Low Power

Self-explanatory. Standard kernel, low power cpu governor, lower clock speed, powertop, and a few other things.


Zen kernel. Performance cpu governor. Full clock speed.


Standard kernel (Should this be latest?). Self-explanatory. WIP stuff that's probably broken or doesn't have appropriate explanations/documentation.


Nothing network-based is automatic, to keep your computer quiet on the net. Use for public hotspots and other untrusted networks where you won't be hosting any services. (Should services on overlay networks be enabled? That could be a switch or another profile, I guess.)


Configuration: How much manual configuration is required. Sensible defaults should push most services towards a 0 UI level.

0: Zero configuration. Uncomment profile, get service.

1: Optional configuration. Defaults will work, but may be suboptimal. For example the default server may be far away or overloaded.

2: Minimal configuration. A few simple items. Username, domain name, etc.

3: Extra configuration. Simple, but with a larger number of items than minimal. Should be easy, but may take some time.

4: Greybeard configuration. Service may require technical knowledge, search engines, and a free afternoon.

Purity: How much configuration is done outside of version controlled files. Otherwise known as state.

0: Nix or nothing. Boot your system directly from git.

1: Minimally impure. May require the first/admin user to be created.

2: Allergic to config files and command line flags. Requires significant imperitave configuration of the service.

Please Note

A goal is to reduce manual configuration and impurities to zero, so even though a module may be listed as "complete", work won't stop until config/Purity are at 0/0. Complete mostly just means that things are working, I guess. This isn't an exact science.

Additionally, many profiles with a high purity and low UX may have the ability to run from configuration files or command-line flags but this hasn't been implemented in nix yet. Feel free to submit PRs.


Status: Completeish Configuration: 0 Purity: 1 Source:

Archives websites and media in a variety of formats. Can run automatically from browser history and archive links coming off of the target pages as well.


Status: Exploratory. Service running at adguard.${fqdn}, not integrated with DNS stack. Profile: ./profiles/adguard.nix Configuration: 4 Purity: ? Source:

Ad and tracking blackhole. Looks to be highly impure, may have to just download the blackhole lists without using the whole adguard service. Full-network blocking is a nice to have but focusing on local resolution first. This probably isn't the correct place to run your network-wide nameserver, anyway.


Status: Complete. Profile: ./profiles/alfis.nix UI: 1 Purity: 1 Source:

Lightweight peer-to-peer DNS service. Open GUI, get domain name. This one is really cool, don't miss it. Mining your initial key may take 1-2 days on older hardware, but subsequent updates have a much lower difficulty level.


Status: Ongoing Profile: ./profiles/alias.nix UI: 0 Purity: 0 Source: ./profiles/alias.nix

Many aliases to save keystrokes or add more sensible defaults are available, see ./profiles/alias.nix for details.

ADB (Android)

Status: Complete Profile: ./profiles/android.nix UI: 0 Purity: 0 ADB is a debugger for android. Source:


Status: WIP Profile: ./robotnix/bonito.nix UI: 3 Purity: 0 Source:

Custom android build for your node, thanks to robotnix. Big plans for this.


Status: Exploratory Profile: ./profiles/avahi.nix UI: 4 Purity: 0 Source: /home/cw/0x00/profiles/avahi.nix

WIP. Broadcast your domain names on the local network. Not sure if it works at all for non-".local" domains. Needs experimentation.

Cryptocurrency Wallets

Status: Complete Profile: ./profiles/cryptocurrency.nix UI: 0 Purity: 0 Source: /home/cw/0x00/profiles/cryptocurrency.nix

Too many bitcoin wallets, need to trim a few off. Supports Trezor (open source hardware wallet), bitcoin(+cash), monero, and namecoin.


Status: WIP Profile: ./profiles/calibre.nix UI: 3 Purity: 2 Source:

Ebook reader/manager with webserver.


Status: Server done, client needs a wrapper for the binary that points at the server. Profile: ./profiles/charm.nix UI: 2 Purity: 0 Source:

"Charm is a set of tools that makes adding a backend to your terminal-based applications fun and easy. Quickly build modern CLI applications without worrying about user accounts, data storage and encryption."

It's a pretty slick tool. Check it (and skate) on Github

Charm Skate


Profile: ./profiles/fonts.nix

We got em. Nerdfonts are huge (~2G) and inevitably require upload/download from horrible connections and/or at the worst time.


Status: Clients Complete, Server WIP. Profile: ./profiles/gemini.nix UI: 0 Purity: 0 Source:

CLI, TUI, GUI clients are available.

Gemini is a new internet protocol which: - Is heavier than gopher - Is lighter than the web - Will not replace either - Strives for maximum power to weight ratio - Takes user privacy very seriously


Status: Complete Profile: ./profiles/gitea.nix UI: 2 Purity: 1 Source:

Probably where you're reading this. Lightweight, but still familiar.


Status: Meh. Profile: ./profiles/gitweb.nix Configuration: 0 Purity: 0

Default read-only git hosting. Ugly.

Encrypted pastebin

Status: Exploratory

There's a bunch of these types of things. 0bin, hedgedoc, and many others. A few of them kinda work but none have been evaluated on their merits.

File server

Status: Completeish Profile: ./profiles/warez.nix UI: 0 Purity: 0 Source: /home/cw/0x00/profiles/warez.nix

Users in group 'warez' can drop files in /var/www/warez/ to make them available at warez.${fqdn}. Next step is giving users their own subdomain for files.

Hardware Tokens

Status: WIP Profile: ./profiles/u2f.nix UI: 1 Purity: 1 Source: /home/cw/spacenix/profiles/u2f.nix

Supports using U2F/Fido2/webauthn tokens such as the trezor to log into your system, ssh, sudo, and as 2fa for webservices (gitea).


Status: Complete Profile: ./profiles/invidious.nix UI: 0 Purity: 0 Source:

Alternate youtube frontend. Lightweight, ad-free, tracking free, javascript not required, audio only mode, and much more. Can subscribe to channels independent from google. Supported by the sponsorblock firefox plugin. It's available at invidious.${fqdn}, don't miss it.


Status: Complete Profile: ./profiles/nitter.nix Configuration: 0 Purity: 0

Alternative twitter frontend. Lightweight, ad-free, tracking free, javascript free. Available at nitter.${fqdn} .


Status: Complete Profile: ./profiles/jellyfin.nix UI: 3 Purity: 2 Source:

Powerful media player with remote control and android clients. Supports synced playback with other clients over LAN or internet. Looks really nice, but playback/transcoding can be finnicky. Maybe ffmpegfs can help smooth things out.


Status: Complete Profile: ./profiles/jitsi.nix UI: 0 Purity: 0 Source:

Video chat service supporting end-to-end encryption. Zoom alternative.


Status: Complete Profile: ./profiles/libreddit.nix UI: 0 Purity: 0 Source:

Alternative reddit frontend. Lightweight, JS not required, and no trackers/ads. Eliminates the dark patterns.


Status: Server complete, webmail and desktop clients WIP. Profile: ./profiles/mail.nix UI: 1 Purity: 0-1 Source: /home/cw/0x00/profiles/mail.nix

Email server. May require DNS configuration. Doesn't automatically update alfis... yet. Needs home-manager to set up clients.


Status: Meh.

Router enabled, nothing special done yet.


Status: Needs ezstreamer or sth Profile: ./profiles/icecast.nix UI: 0 Purity: 0

Internet radio.


Status: Complete Profile: ./profiles/matrix.nix UI: 0 Purity: 1 Source:

Matrix is an eventually-consistent system for federated state exhange. Or a chat/voip system. New apps like forums/social media/webpage commenting(a la disqus) are being built on matrix backends, and bridging to other messaging services are first-class here.

Synapse is a first-generation homeserver for matrix. It needs PAM integration via so that system users can be created with nixos-magic, but this isn't implemented yet.


Status: Works Profile: ./profiles/mumble.nix UI: 1 Purity: 2

Mumble is a low-latency voice chat service. Included is a radio bot to play music from your music library.


Status: Complete Profile: ./profiles/nncp.nix UI: 3 Source:

Node to Node copy is a collection of utilities simplifying secure store-and-forward files, mail and command exchanging. This utilities are intended to help build up small size (dozens of nodes) ad-hoc friend-to-friend (F2F) statically routed darknet delay-tolerant networks for fire-and-forget secure reliable files, file requests, Internet mail and commands transmission. All packets are integrity checked, end-to-end encrypted, explicitly authenticated by known participants public keys. Onion encryption is applied to relayed packets. Each node acts both as a client and server, can use push and poll behaviour model. Also there is multicasting areas support.

Out-of-box offline sneakernet/floppynet, dead drops, sequential and append-only CD-ROM/tape storages, air-gapped computers support. But online TCP daemon with full-duplex resumable data transmission exists.


Status: Complete Profile: ./profiles/nix-bitcoin.nix UI: 0 Purity: 2 Source:

A self-hosted cryptocurrency payment processor and storefront with lightning network support and hardware wallet integration.


Status: 80% Profile: ./profiles/nix-bitcoin.nix UI: 2 Purity: 2 Source:

nix-bitcoin is a collection of Nix packages and NixOS modules for easily installing full-featured Bitcoin nodes with an emphasis on security.

Check github for the long list of features.


Status: Exploratory Profile: ./profiles/nodeinfo.nix UI: 3 Purity: 0 Source: /home/cw/0x00/profiles/nodeinfo.nix

Directory for webservices on your computer. Like a start menu but for things in your browser, built automatically (soon).


Status: Complete Profile: ./profiles/ntopng.nix Configuration: 0 Purity: 0

Network monitor. Defaults to all interfaces, probably needs a better configuration but works well enough.


Status: Exploratory Profile: ./profiles/photogrammetry.nix

Turn images to 3d. There's a ton of software for this, even more algorithms, and none of them work that well. I have the beginning of an automatic pipeline going but am not very happy with it.


Status: Exploratory Profile: ./profiles/peertube.nix UI: 4 Purity: 1 Source:

Federated video server that supports webtorrent for load distribution. Be part of a network of multiple small federated, interoperable video hosting providers. Follow video creators and create videos. No vendor lock-in. All on a platform that is community-owned and ad-free.

pelican site generator

Status: Complete Profile: ./profiles/pelican.nix UI: 0 Purity: 1

Pelican is a static site generator that takes markdown and builds something normies care about. The profile automatically rebuilds your site on any updates to the source markdown. It's in syncthing for easy editing from any computer or phone.


Status: Complete Profile: ./profiles/plik.nix UI: 1 Purity: 0 Source:

Featureful temporary file upload service that supports command-line (curl) or browser interfaces. Aditional features such as self-destructing files and streaming files directly from uploader to downloader (nothing stored on server). Thunderbird addon for uploading attachments to plik is available here.


Status: Complete

UI: 1

Purity: 0

Power-save mode that includes tlp, upower, throttled, powertop, and cpu frequency governor.

Installation/Recovery disk

Status: Complete Profile: ./profiles/recovery.nix UI: 0 Purity: 0 Source: /home/cw/0x00/profiles/recovery.nix

Disk with a full suite of software to fix a broken computer, intall the operating system, and in general for tech work. Can also be used as a usb-bootable server if you need to temporarily host some services. For the full list of available software, see the profile.


Status: Complete Profile: ./profiles/searx.nix Configuration: 0 Purity: 0 Source:

Privacy-respecting, extensible, and configurable metasearch engine. I have a cool smallweb metasearch that searches a few specialty/smallweb search engines. Actually great results for the kinds of things people make their own websites about (food, diy, hacking, etc).


Status: Complete Profile: ./profiles/zsh-starship.nix UI: 1 Purity: 0 Source: /home/cw/0x00/profiles/zsh-starship.nix

zsh+oh-my-zsh+starship is default. Powerlevel10k is also available.


Status: 50% Profile: ./profiles/syncthing.nix UI: 3 Purity: 2 Source:

P2P file sync service. Works imperitavely, but declarative syncthing looks ugly. Need a nix way to generate syncthing IDs from bip39 keys.

Tiling Window Manager

Status: Complete

UI: 1

Purity: 1

Tiling WMs are default. i3/xfce is complete, but I need something that works for grandma. KDE/Bismuth is close but I don't really like it. Hyprwm looks good but haven't tested it.


Status: Complete

UI: 0

Purity: 1

Distributed microblogging.

Whiteboard Online

Status: Complete

UI: 0

Purity: 0

Collaborative online whiteboard.


Status: Complete

UI: 2

Purity: 1

Yggdrasil is an overlay network implementation of a new routing scheme for mesh networks. It is designed to be a future-proof decentralised alternative to the structured routing protocols commonly used today on the Internet and other networks. The highlights of Yggdrasil are that it is: - Scalable Supports large, complex or even internet-scale topologies


Status: Complete UI: 1 Purity: 0

Yggmail is a single-binary all-in-one mail transfer agent which sends and receives email natively over the Yggdrasil Network.

Yggmail runs just about anywhere you like — your inbox is stored right on your own machine;
Implements IMAP and SMTP protocols for sending and receiving mail, so you can use your favourite client (hopefully);
Mails are exchanged between Yggmail users using built-in Yggdrasil connectivity;
All mail exchange traffic between any two Yggmail nodes is always end-to-end encrypted without exception;
Yggdrasil and Yggmail nodes on the same network are discovered automatically using multicast or you can configure a static Yggdrasil peer.


Status: Untested

UI: 0

Purity: 0

Implements a yggdrasil hotspot as described here.

As a Desktop

Several shells are supported including: - bash - zsh+oh-my-zsh+(p10k/starship)

You get a load of timesaving aliases in ./profiles/alias.nix. These probably need some pruning, and the functions in ./.alias need nixification.

Several DE/WM combos are supported including: - i3+xfce - plasma5+bismuth (tiling WM plugin)


Support my work

If you want to support my work be sure to use facebook, tiktok, the metaverse, #hashtag, and buy my rare NFTs. You could probably ask an AI too, I'm sure it'll have some good advice.

If you don't want to do any of that stuff, send me an email or message me on matrix.