MarigoldOS
MarigoldOS is an experimental operating system that attempts to explore what a sustainable computer system might look like. kernelpanic.cafe runs a clearnet fork of MarigoldOS.
MarigoldOS is (currently) a NixOS configuration. This means that you can use most of it from your own NixOS system. Everything in the profiles directory was designed to drop in to other NixOS systems and be used independently of the rest of 0x00.
It is equally happy on your laptop, server, as a virtual machine on your existing computer, or on your motorcycle and can switch on-the-fly. Although the public instance is a service node on the yggdrasil network, it is perfectly capable of working on the public internet, as demonstrated by kernelpanic.cafe running many of the profiles in this repository.
Several advanced features are in various stages of implementation, including custom android builds that are preconfigured to use your node and self-replication from another (offline) node. At boot time you have the choice of several kernels to load, with appropriate software configuration to match.
NOT INTENDED FOR PUBLIC RELEASE (yet)
That said, the developer uses it on his daily-driver laptop, on a handful of servers, and on a motorcycle. It should run fine with only a minimal amount of manual configuration. The public repo has been scrubbed of dumb things like hardcoded addresses and keys, but until this message is removed you should double check anyway. Feel free to contact me on email (echo "sy@Xiuliejblrs.sbni" | tr subterminalXjoy crablikefunkpow) or matrix (echo "@sy:Xiuliejblrs.sbni" | tr subterminalXjoy crablikefunkpow) and I can help you get running quickly.
- NOT INTENDED FOR PUBLIC RELEASE (yet)
- Ideals
- Hype
- Specialisations
- Profiles
- Please Note
- Archivebox
- Adguard
- Alfis
- Aliases
- ADB (Android)
- Android
- Avahi/mDNS
- Cryptocurrency Wallets
- Calibre
- Charm
- Fonts
- Gemini
- Gitea
- Gitweb
- Encrypted pastebin
- File server
- Hardware Tokens
- Invidious
- Nitter
- Jellyfin
- Jitsi
- libreddit
- I2P
- Icecast
- Matrix
- Mumble
- NNCP
- BTCPayServer
- Nix-bitcoin
- nodeinfo
- ntopng
- photogrammetry
- peertube
- pelican site generator
- plik
- powersave
- Installation/Recovery disk
- searx
- Shell
- Syncthing
- Tiling Window Manager
- twtxt
- Whiteboard Online
- yggdrasil
- yggmail
- yggspot
- As a Desktop
- Support my work
Ideals
If you aim for the stars, the worst that could happen is that you blow up on the launch pad.
Full Stack Libre
Open source from the silicon to the network. Excited about RISC-V. You won't find any SaaS APIs (ITS FREE FOREVER LOL) here.
Lightweight
Minimize resource use. $20 cell phones would have been a great computer a decade ago. Any old laptop is a perfectly capable server, and it doesn't matter if the screen is broken, the battery barely works, and it's missing keys on the keyboard. If those all work, even better.
Mobile Identities
You should be able to log into your personalized system running locally on any other computer by simply entering user@domain on login.
Resilient
Your system configuration and data, including encrypted data, should be restorable from a single private key like a BIP39 seed on any fresh computer.
Passwordless
Usernames and passwords suck. Skip them whenever possible.
Plaintext
Plaintext files are extraordinarily powerful for users of your program:
- They can be edited by hand or programmatically
- Searching/indexing local text files happens faster than any web search
- You don't need any special software on any platform
Use them instead of a database whenever possible.
Peer to Peer
The client-server paradigm should be migrated to a peer-to-peer model as much as possible. When peer-to-peer is not possible, self-hosting should be the next option. Servers should be able to run on your old computers, instead of throwing them out. In exceptional cases, servers could be hosted by a trusted friend/family member, but this should be avoided whenever possible and only used for low-impact services or services that benefit from small-group anonymity (privacy preserving frontends, for example).
New and old
Old technologies are worth revisiting or remixing with new technologies. Ex: Yggdrasil gives every computer a public, static IP with end-to-end encrypted traffic, regardless of where they connect to the network. This plus Alfis allows every computer to run its own email server on its own domain name with no external dependencies.
Keep it Simple, Stupid
You run kubernetes, docker, ansible, chef, elasticsearch, and have 3 separate management machines to make nginx on your raspberry pi work. I know you want to LARP as a faang employee, but faang employees LARP as real hackers. I bet you have a lot of followers, though.
Minimize Manual Configuration
Manual configuration should be minimized with sensible defaults, but never at the expense of personalization. Feel free to be opinionated, but don't think you know better than the users. Don't be so opinionated that you are effectively a soft-fork and you make it difficult for others to use the vanilla software documentation.
Precompilation over JIT
If you can build it ahead of time and run/serve it statically, that is better than doing it as the user requests it. It allows you to skip having extra processes running, databases, etc.
Experiment
Don't be afraid to do things differently, but don't cling to them for novelty's sake if they don't work out.
Hype
Some things your operating system doesn't do:
- An absolutely badass recovery/repair mode + live USB (see profiles/recovery.nix)
- Custom smallweb metasearch via searx. Uses five search engines optimized for the smolweb and handmade sites.
- Automation for food production: irrigation for outside food, and irrigation, grow lights, and forced air pumps for indoor hydroponics and mushrooms.
- Custom android distribution matched and preconfigured for your computer system, with over the air updates.
- Run on a motorcycle.
- Select-a-kernel (stable, latest, hardened, zen) at boot time. Select-a-role (server, laptop, hybrid, stealth, vehicle) at boot time.
- Host websites, gemini capsules, and gopher holes right from a markdown folder in your home directory. Lightweight markdown files are synced to your phone for easy mobile editing. Automatic rebuilds.
- Builds completely from source, distributed across every laptop, server, vending machine, and motorcycle you own.
- Self-replicating when the internet is down. Plug into another computer and boot over the network. Includes packages.
- Self-replicating over ssh. As long as you have root/sudo on the remote box, it'll load the image, kexec into it, then format your disk.
- Always up-to-date live USB that boots into your (fully configured) system anywhere, with your data loaded opportunistically (anything that doesn't fit on the drive is loaded from external sneaker/overlay network). Can install to disk too, obviously.
- Plugging in a usb Wifi card makes a hotspot to retrofit a lot of these features to lesser operating systems.
- Autopeering on half a dozen overlay networks.
- Fully automatic photogrammetry (photos-to-3d model) pipeline. Take some pics, drop them in the right folder, model comes out the other end. You can't explain that.
- Sneakernet compatible. Run commands, move files, and treat it like a networked computer, even if it's airgapped. Transport commands and files by vehicle, smartphone, or avian carrier.
- Independent in every sense of the word. You don't need a domain name*, a public IP, and your ports can't be blocked. Overlay-networks by default to bypass the problems of the legacy internet.
  *but you can squat on any domain name you want, or use a number of p2p (non-cryptocoin) domain name systems
- Opportunistic encryption of all tcp traffic on the clearnet. Anything on the overlay networks is end-to-end encrypted.
- Automatic theming from the boot menu on your laptop, to your website, car/house. Seriously.
- Passwordless if you have a u2f device like a trezor.
- Automatic static photo gallery with offline facial recognition.
Specialisations
These are specialized configurations that are selectable at boot-time. They can also be changed at runtime, but the kernel-level stuff obviously won't take effect.
Default
(PUT SOMETHING HERE)
Hardened
Hardened kernel, and a bunch of hardened system settings. Uses doas instead of sudo. I think firefox is broken with this kernel atm so maybe don't use it for a daily driver machine.
Low Power
Self-explanatory. Standard kernel, low power cpu governor, lower clock speed, powertop, and a few other things.
Performance
Zen kernel. Performance cpu governor. Full clock speed.
Dev
Standard kernel (Should this be latest?). Self-explanatory. WIP stuff that's probably broken or doesn't have appropriate explanations/documentation.
Stealth
Nothing network-based is automatic, to keep your computer quiet on the net. Use for public hotspots and other untrusted networks where you won't be hosting any services. (Should services on overlay networks be enabled? That could be a switch or another profile, I guess.)
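The roles above are plain NixOS `specialisation` entries, each of which becomes its own boot menu entry. The following is an added example written for this README, not the repository's own specialisation code: it reproduces the Hardened, Low Power, Performance and Stealth roles with standard NixOS options (`specialisation.<name>.configuration`, `system.nixos.tags`, `boot.kernelPackages`, `security.doas`, `powerManagement.cpuFreqGovernor`, nixpkgs' `profiles/hardened.nix`). The `modulesPath` argument is the usual NixOS module argument; which profiles the base system enables (yggdrasil, avahi, open ports) is assumed, which is why the stealth role uses `lib.mkForce` to win over them.

```nix
# Added example, not from the MarigoldOS repository. Drop into a NixOS
# configuration to get four extra boot entries next to the default one.
{ config, lib, pkgs, modulesPath, ... }:

{
  specialisation = {

    # Hardened kernel plus nixpkgs' hardened profile (restrictive sysctls,
    # scudo allocator, locked-down module loading). Expect breakage, as the
    # README warns; keep a non-hardened entry to fall back to.
    hardened.configuration = {
      imports = [ (modulesPath + "/profiles/hardened.nix") ];
      system.nixos.tags = [ "hardened" ];
      boot.kernelPackages = pkgs.linuxPackages_hardened;

      # doas instead of sudo: smaller setuid binary, explicit rule list.
      security.sudo.enable = false;
      security.doas.enable = true;
      security.doas.extraRules = [{
        groups = [ "wheel" ];
        keepEnv = true;   # keep the caller's environment, like sudo's default
        persist = true;   # short authentication cache, like sudo's timestamp
      }];
    };

    # Standard kernel, powersave governor, powertop auto-tuning at boot.
    lowpower.configuration = {
      system.nixos.tags = [ "lowpower" ];
      powerManagement.cpuFreqGovernor = "powersave";
      powerManagement.powertop.enable = true;
    };

    # Zen kernel, performance governor.
    performance.configuration = {
      system.nixos.tags = [ "performance" ];
      boot.kernelPackages = pkgs.linuxPackages_zen;
      powerManagement.cpuFreqGovernor = "performance";
    };

    # Nothing network-based is automatic: no mDNS announcements, no overlay
    # peer discovery on local interfaces, and no inbound ports at all.
    # mkForce overrides whatever the base profiles opened (assumed).
    stealth.configuration = {
      system.nixos.tags = [ "stealth" ];
      services.avahi.enable = lib.mkForce false;
      services.yggdrasil.settings.MulticastInterfaces = lib.mkForce [ ];
      networking.firewall = {
        enable = true;
        allowedTCPPorts = lib.mkForce [ ];
        allowedUDPPorts = lib.mkForce [ ];
      };
    };
  };
}
```

Each entry shows up in the bootloader as the system label plus its tag. Switching at runtime, as the section notes, works for everything except the kernel: `/run/current-system/specialisation/stealth/bin/switch-to-configuration test` activates the stealth role until the next `nixos-rebuild`. One caveat on the stealth role: `networking.firewall.allowedTCPPorts` only covers the global rule list, so any ports a base profile opened with `networking.firewall.interfaces.<name>.allowedTCPPorts` need their own `mkForce` as well.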
Profiles
Configuration: How much manual configuration is required. Sensible defaults should push most services towards a 0 UI level.
0: Zero configuration. Uncomment profile, get service.
1: Optional configuration. Defaults will work, but may be suboptimal. For example the default server may be far away or overloaded.
2: Minimal configuration. A few simple items. Username, domain name, etc.
3: Extra configuration. Simple, but with a larger number of items than minimal. Should be easy, but may take some time.
4: Greybeard configuration. Service may require technical knowledge, search engines, and a free afternoon.
Purity: How much configuration is done outside of version controlled files. Otherwise known as state.
0: Nix or nothing. Boot your system directly from git.
1: Minimally impure. May require the first/admin user to be created.
2: Allergic to config files and command line flags. Requires significant imperative configuration of the service.
Please Note
A goal is to reduce manual configuration and impurities to zero, so even though a module may be listed as "complete", work won't stop until config/Purity are at 0/0. Complete mostly just means that things are working, I guess. This isn't an exact science.
Additionally, many profiles with a high purity and low UX may have the ability to run from configuration files or command-line flags but this hasn't been implemented in nix yet. Feel free to submit PRs.
Archivebox
Status: Completeish Configuration: 0 Purity: 1 Source: https://github.com/ArchiveBox/ArchiveBox
Archives websites and media in a variety of formats. Can run automatically from browser history and archive links coming off of the target pages as well.
Adguard
Status: Exploratory. Service running at adguard.${fqdn}, not integrated with DNS stack. Profile: ./profiles/adguard.nix Configuration: 4 Purity: ? Source: https://github.com/AdguardTeam/AdGuardHome/
Ad and tracking blackhole. Looks to be highly impure, may have to just download the blackhole lists without using the whole adguard service. Full-network blocking is a nice to have but focusing on local resolution first. This probably isn't the correct place to run your network-wide nameserver, anyway.
Alfis
Status: Complete. Profile: ./profiles/alfis.nix UI: 1 Purity: 1 Source: https://github.com/Revertron/Alfis/
Lightweight peer-to-peer DNS service. Open GUI, get domain name. This one is really cool, don't miss it. Mining your initial key may take 1-2 days on older hardware, but subsequent updates have a much lower difficulty level.
Aliases
Status: Ongoing Profile: ./profiles/alias.nix UI: 0 Purity: 0 Source: ./profiles/alias.nix
Many aliases to save keystrokes or add more sensible defaults are available, see ./profiles/alias.nix for details.
ADB (Android)
Status: Complete Profile: ./profiles/android.nix UI: 0 Purity: 0 Source: https://source.android.com/
ADB is a debugger for android.
Android
Status: WIP Profile: ./robotnix/bonito.nix UI: 3 Purity: 0 Source: https://github.com/danielfullmer/robotnix
Custom android build for your node, thanks to robotnix. Big plans for this.
Avahi/mDNS
Status: Exploratory Profile: ./profiles/avahi.nix UI: 4 Purity: 0 Source: /home/cw/0x00/profiles/avahi.nix
WIP. Broadcast your domain names on the local network. Not sure if it works at all for non-".local" domains. Needs experimentation.
Cryptocurrency Wallets
Status: Complete Profile: ./profiles/cryptocurrency.nix UI: 0 Purity: 0 Source: /home/cw/0x00/profiles/cryptocurrency.nix
Too many bitcoin wallets, need to trim a few off. Supports Trezor (open source hardware wallet), bitcoin(+cash), monero, and namecoin.
Calibre
Status: WIP Profile: ./profiles/calibre.nix UI: 3 Purity: 2 Source: https://github.com/janeczku/calibre-web
Ebook reader/manager with webserver.
Charm
Status: Server done, client needs a wrapper for the binary that points at the server. Profile: ./profiles/charm.nix UI: 2 Purity: 0 Source: https://github.com/charmbracelet/charm
"Charm is a set of tools that makes adding a backend to your terminal-based applications fun and easy. Quickly build modern CLI applications without worrying about user accounts, data storage and encryption."
It's a pretty slick tool. Check it (and skate) on Github
Fonts
Profile: ./profiles/fonts.nix
We got em. Nerdfonts are huge (~2G) and inevitably require upload/download from horrible connections and/or at the worst time.
Gemini
Status: Clients Complete, Server WIP. Profile: ./profiles/gemini.nix UI: 0 Purity: 0 Source: https://gemini.circumlunar.space
CLI, TUI, GUI clients are available.
Gemini is a new internet protocol which:
- Is heavier than gopher
- Is lighter than the web
- Will not replace either
- Strives for maximum power to weight ratio
- Takes user privacy very seriously
Gitea
Status: Complete Profile: ./profiles/gitea.nix UI: 2 Purity: 1 Source: https://github.com/go-gitea/gitea
Probably where you're reading this. Lightweight, but still familiar.
Gitweb
Status: Meh. Profile: ./profiles/gitweb.nix Configuration: 0 Purity: 0
Default read-only git hosting. Ugly.
Encrypted pastebin
Status: Exploratory
There's a bunch of these types of things. 0bin, hedgedoc, and many others. A few of them kinda work but none have been evaluated on their merits.
File server
Status: Completeish Profile: ./profiles/warez.nix UI: 0 Purity: 0 Source: /home/cw/0x00/profiles/warez.nix
Users in group 'warez' can drop files in /var/www/warez/ to make them available at warez.${fqdn}. Next step is giving users their own subdomain for files.
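As an added example (not the repository's `warez.nix`), here is a minimal NixOS module that does what the paragraph above describes: a `warez` group, a setgid drop directory, and an nginx vhost at `warez.${fqdn}` serving it with directory listings. `config.networking.fqdn` is the standard NixOS option; the directory mode, the response headers and the symlink policy are my choices, explained in the comments.

```nix
# Added example, not the project's own profile. Assumes nginx is the web
# server (as the page's other vhosts suggest) and that port 80 may be open.
{ config, lib, pkgs, ... }:

let
  shareDir = "/var/www/warez";
in
{
  users.groups.warez = { };

  # 2775: setgid so anything dropped in stays owned by group `warez`;
  # group gets write, "other" gets read/execute so the nginx worker (which
  # is deliberately not in the group) can read but never modify the share.
  systemd.tmpfiles.rules = [
    "d ${shareDir} 2775 root warez - -"
  ];

  services.nginx = {
    enable = true;
    virtualHosts."warez.${config.networking.fqdn}" = {
      root = shareDir;
      locations."/".extraConfig = ''
        autoindex on;
        autoindex_exact_size off;
      '';
      extraConfig = ''
        # Members can only publish what is physically inside the share:
        # a symlink to a world-readable file elsewhere on the box is not served.
        disable_symlinks on;
        # Serve everything as an opaque download. Whatever a user drops in
        # (including HTML or SVG) never renders or runs script under this origin.
        add_header Content-Security-Policy "default-src 'none'; sandbox" always;
        add_header X-Content-Type-Options nosniff always;
      '';
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 ];

  # Anything placed here is public to whoever can reach the vhost. Add users
  # to the group deliberately; do not make it a default group.
  users.users.alice = {     # placeholder user
    isNormalUser = true;
    extraGroups = [ "warez" ];
  };
}
```

The next step the text mentions (a subdomain per user) fits the same shape: one `virtualHosts."<user>.warez.${config.networking.fqdn}"` per user with `root` pointing at a per-user directory created by another tmpfiles rule.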
Hardware Tokens
Status: WIP Profile: ./profiles/u2f.nix UI: 1 Purity: 1 Source: /home/cw/spacenix/profiles/u2f.nix
Supports using U2F/Fido2/webauthn tokens such as the trezor to log into your system, ssh, sudo, and as 2fa for webservices (gitea).
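An added example, not the repository's `u2f.nix`, showing how the pieces above fit together on NixOS: pam_u2f for console login and sudo, a FIDO2-backed key for ssh, and udev rules for a Trezor. `security.pam.u2f.enable`, `authFile`, `cue` and `control` are the option names of the NixOS releases contemporary with this README (newer releases have moved several of these under `security.pam.u2f.settings`; check the option reference for your release). The mapping file path, the user name and the key strings are placeholders.

```nix
# Added example, not the project's own profile.
{ config, lib, pkgs, ... }:

{
  # pamu2fcfg (from pam_u2f) enrols tokens; the udev rules let non-root
  # users talk to a Trezor over USB.
  environment.systemPackages = [ pkgs.pam_u2f ];
  services.udev.packages = [ pkgs.trezor-udev-rules ];

  security.pam.u2f = {
    enable = true;
    # One root-owned mapping file for everyone instead of the default
    # per-user ~/.config/Yubico/u2f_keys. With the per-user file, anything
    # running as the user could enrol an extra token for that account; with
    # a root-owned file, enrolment needs root.
    authFile = "/etc/u2f_mappings";   # placeholder path
    cue = true;                       # prompt "Please touch the device"
    # "sufficient": a touch on the registered token is enough, which is the
    # passwordless login the Ideals section asks for. Use "required" to make
    # the token a second factor on top of the password instead.
    control = "sufficient";
  };

  # Lines are produced by `pamu2fcfg -u alice` on a machine with the token
  # plugged in; the values below are placeholders in pam_u2f's format.
  environment.etc."u2f_mappings" = {
    mode = "0644";
    text = ''
      alice:<keyhandle>,<publickey>,es256,+presence
    '';
  };

  # security.pam.u2f.enable turns u2fAuth on for every PAM service by
  # default; opt sshd out, since ssh below authenticates with a key anyway.
  security.pam.services.sshd.u2fAuth = false;

  users.users.alice = {               # placeholder user
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # A FIDO2-resident ssh key (`ssh-keygen -t ed25519-sk`) needs the token
    # present and touched for every connection; OpenSSH 8.2+ accepts the
    # sk-ssh-ed25519@openssh.com type without extra server configuration.
    openssh.authorizedKeys.keys = [
      "sk-ssh-ed25519@openssh.com AAAA...placeholder... alice@laptop"
    ];
  };
}
```

Keep at least one enrolled token per account that cannot be lost together with the laptop, and re-run `pamu2fcfg` when a token is replaced: with `control = "sufficient"` the password still works as a fallback, but with `"required"` a lost token means no login until the mapping line is removed by root.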
Invidious
Status: Complete Profile: ./profiles/invidious.nix UI: 0 Purity: 0 Source: https://github.com/iv-org/invidious
Alternate youtube frontend. Lightweight, ad-free, tracking free, javascript not required, audio only mode, and much more. Can subscribe to channels independent from google. Supported by the sponsorblock firefox plugin. It's available at invidious.${fqdn}, don't miss it.
Nitter
Status: Complete Profile: ./profiles/nitter.nix Configuration: 0 Purity: 0
Alternative twitter frontend. Lightweight, ad-free, tracking free, javascript free. Available at nitter.${fqdn}.
Jellyfin
Status: Complete Profile: ./profiles/jellyfin.nix UI: 3 Purity: 2 Source: https://github.com/jellyfin/jellyfin
Powerful media player with remote control and android clients. Supports synced playback with other clients over LAN or internet. Looks really nice, but playback/transcoding can be finicky. Maybe ffmpegfs can help smooth things out.
Jitsi
Status: Complete Profile: ./profiles/jitsi.nix UI: 0 Purity: 0 Source: https://github.com/jitsi/jitsi-meet
Video chat service supporting end-to-end encryption. Zoom alternative.
libreddit
Status: Complete Profile: ./profiles/libreddit.nix UI: 0 Purity: 0 Source: https://github.com/spikecodes/libreddit
Alternative reddit frontend. Lightweight, JS not required, and no trackers/ads. Eliminates the reddit.com dark patterns.
Email
Status: Server complete, webmail and desktop clients WIP. Profile: ./profiles/mail.nix UI: 1 Purity: 0-1 Source: /home/cw/0x00/profiles/mail.nix
Email server. May require DNS configuration. Doesn't automatically update alfis... yet. Needs home-manager to set up clients.
I2P
Status: Meh.
Router enabled, nothing special done yet.
Icecast
Status: Needs ezstreamer or sth Profile: ./profiles/icecast.nix UI: 0 Purity: 0
Internet radio.
Matrix
Status: Complete Profile: ./profiles/matrix.nix UI: 0 Purity: 1 Source: https://github.com/matrix-org/synapse
Matrix is an eventually-consistent system for federated state exchange. Or a chat/voip system. New apps like forums/social media/webpage commenting (a la disqus) are being built on matrix backends, and bridging to other messaging services is first-class here.
Synapse is a first-generation homeserver for matrix. It needs PAM integration via https://github.com/14mRh4X0r/matrix-synapse-pam so that system users can be created with nixos-magic, but this isn't implemented yet.
Mumble
Status: Works Profile: ./profiles/mumble.nix UI: 1 Purity: 2
Mumble is a low-latency voice chat service. Included is a radio bot to play music from your music library.
NNCP
Status: Complete Profile: ./profiles/nncp.nix UI: 3 Source: http://www.nncpgo.org/Tarballs.html
Node to Node copy is a collection of utilities simplifying secure store-and-forward exchange of files, mail and commands. These utilities are intended to help build small (dozens of nodes) ad-hoc friend-to-friend (F2F) statically routed darknet delay-tolerant networks for fire-and-forget secure, reliable transmission of files, file requests, Internet mail and commands. All packets are integrity checked, end-to-end encrypted, and explicitly authenticated by known participants' public keys. Onion encryption is applied to relayed packets. Each node acts both as a client and a server, and can use a push or poll behaviour model. There is also multicast areas support.
Out of the box it supports offline sneakernet/floppynet, dead drops, sequential and append-only CD-ROM/tape storage, and air-gapped computers. An online TCP daemon with full-duplex resumable data transmission also exists.
BTCPayServer
Status: Complete Profile: ./profiles/nix-bitcoin.nix UI: 0 Purity: 2 Source: https://github.com/btcpayserver/btcpayserver
A self-hosted cryptocurrency payment processor and storefront with lightning network support and hardware wallet integration.
Nix-bitcoin
Status: 80% Profile: ./profiles/nix-bitcoin.nix UI: 2 Purity: 2 Source: https://github.com/fort-nix/nix-bitcoin
nix-bitcoin is a collection of Nix packages and NixOS modules for easily installing full-featured Bitcoin nodes with an emphasis on security.
Check github for the long list of features.
nodeinfo
Status: Exploratory Profile: ./profiles/nodeinfo.nix UI: 3 Purity: 0 Source: /home/cw/0x00/profiles/nodeinfo.nix
Directory for webservices on your computer. Like a start menu but for things in your browser, built automatically (soon).
ntopng
Status: Complete Profile: ./profiles/ntopng.nix Configuration: 0 Purity: 0
Network monitor. Defaults to all interfaces, probably needs a better configuration but works well enough.
photogrammetry
Status: Exploratory Profile: ./profiles/photogrammetry.nix
Turn images to 3d. There's a ton of software for this, even more algorithms, and none of them work that well. I have the beginning of an automatic pipeline going but am not very happy with it.
peertube
Status: Exploratory Profile: ./profiles/peertube.nix UI: 4 Purity: 1 Source: https://github.com/Chocobozzz/PeerTube
Federated video server that supports webtorrent for load distribution. Be part of a network of multiple small federated, interoperable video hosting providers. Follow video creators and create videos. No vendor lock-in. All on a platform that is community-owned and ad-free.
pelican site generator
Status: Complete Profile: ./profiles/pelican.nix UI: 0 Purity: 1
Pelican is a static site generator that takes markdown and builds something normies care about. The profile automatically rebuilds your site on any updates to the source markdown. It's in syncthing for easy editing from any computer or phone.
plik
Status: Complete Profile: ./profiles/plik.nix UI: 1 Purity: 0 Source: https://github.com/root-gg/plik
Featureful temporary file upload service that supports command-line (curl) or browser interfaces. Additional features such as self-destructing files and streaming files directly from uploader to downloader (nothing stored on server). Thunderbird addon for uploading attachments to plik is available here.
powersave
Status: Complete
UI: 1
Purity: 0
Power-save mode that includes tlp, upower, throttled, powertop, and cpu frequency governor.
Installation/Recovery disk
Status: Complete Profile: ./profiles/recovery.nix UI: 0 Purity: 0 Source: /home/cw/0x00/profiles/recovery.nix
Disk with a full suite of software to fix a broken computer, install the operating system, and in general for tech work. Can also be used as a usb-bootable server if you need to temporarily host some services. For the full list of available software, see the profile.
searx
Status: Complete Profile: ./profiles/searx.nix Configuration: 0 Purity: 0 Source: https://github.com/searx/searx
Privacy-respecting, extensible, and configurable metasearch engine. I have a cool smallweb metasearch that searches a few specialty/smallweb search engines. Actually great results for the kinds of things people make their own websites about (food, diy, hacking, etc).
Shell
Status: Complete Profile: ./profiles/zsh-starship.nix UI: 1 Purity: 0 Source: /home/cw/0x00/profiles/zsh-starship.nix
zsh+oh-my-zsh+starship is default. Powerlevel10k is also available.
Syncthing
Status: 50% Profile: ./profiles/syncthing.nix UI: 3 Purity: 2 Source: https://github.com/syncthing/syncthing
P2P file sync service. Works imperatively, but declarative syncthing looks ugly. Need a nix way to generate syncthing IDs from bip39 keys.
Tiling Window Manager
Status: Complete
UI: 1
Purity: 1
Tiling WMs are default. i3/xfce is complete, but I need something that works for grandma. KDE/Bismuth is close but I don't really like it. Hyprwm looks good but haven't tested it.
twtxt
Status: Complete
UI: 0
Purity: 1
Distributed microblogging.
Whiteboard Online
Status: Complete
UI: 0
Purity: 0
Collaborative online whiteboard.
yggdrasil
Status: Complete
UI: 2
Purity: 1
Yggdrasil is an overlay network implementation of a new routing scheme for mesh networks. It is designed to be a future-proof decentralised alternative to the structured routing protocols commonly used today on the Internet and other networks. The highlights of Yggdrasil are that it is:
- Scalable: supports large, complex or even internet-scale topologies
- Self-healing: network responds quickly to connection failures or mobility events
- Encrypted: traffic sent across the network is always fully end-to-end encrypted
- Peer-to-peer: works entirely ad-hoc by design with no built-in points of centralisation
- Publicly reachable, static IPs: no NATs or firewalls to interfere with nodes connecting directly to each other. IPs are static regardless of where on the network a node connects.
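The last bullet is also the property a node operator has to plan around: with no NAT in the way, the host firewall is all that sits between a daemon bound to `[::]` and every other node on the overlay. The following is an added example (not the repository's yggdrasil profile) of a NixOS node with a persistent key, one static peer, LAN multicast discovery, and firewall rules scoped to the overlay interface. `services.yggdrasil.enable`, `persistentKeys` and `settings` are the NixOS module's options (older releases named the last one `config`); `IfName`, `Peers`, `Listen` and `MulticastInterfaces` are Yggdrasil's own configuration keys. The peer URI, interface name and port list are placeholders.

```nix
# Added example, not the project's own profile.
{ config, lib, pkgs, ... }:

{
  services.yggdrasil = {
    enable = true;
    # The node's IPv6 address is derived from its key, so a persistent key
    # (kept under /var/lib/yggdrasil by the module) is what makes the
    # address static across reboots. Back the key up with your other
    # secrets: whoever holds it can claim the address.
    persistentKeys = true;

    settings = {
      IfName = "ygg0";                 # fixed name so firewall rules can target it
      Peers = [ "tls://peer.example.invalid:443" ];   # placeholder static peer
      # No inbound peerings on the clearnet: this node only dials out.
      Listen = [ ];
      # Discover other nodes on the local LAN (wired and wireless only).
      MulticastInterfaces = [
        { Regex = "^(eth|enp|wl).*"; Beacon = true; Listen = true; Port = 0; }
      ];
    };
  };

  # Default-deny inbound, then open exactly the services meant for the
  # overlay, and only on ygg0. Nothing is opened on the clearnet uplink.
  networking.firewall = {
    enable = true;
    interfaces.ygg0.allowedTCPPorts = [ 22 80 443 ];   # placeholder service list
  };
}
```

When a service should be reachable from the overlay but not from the LAN (or the other way round), bind it to the node's Yggdrasil address (a 200::/7 address, printed by `yggdrasilctl getSelf`) or to the LAN address respectively rather than to `[::]`; the per-interface firewall rule above is the second line of defence for daemons whose bind address you do not control.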
yggmail
Status: Complete UI: 1 Purity: 0
Yggmail is a single-binary all-in-one mail transfer agent which sends and receives email natively over the Yggdrasil Network.
Yggmail runs just about anywhere you like — your inbox is stored right on your own machine;
Implements IMAP and SMTP protocols for sending and receiving mail, so you can use your favourite client (hopefully);
Mails are exchanged between Yggmail users using built-in Yggdrasil connectivity;
All mail exchange traffic between any two Yggmail nodes is always end-to-end encrypted without exception;
Yggdrasil and Yggmail nodes on the same network are discovered automatically using multicast or you can configure a static Yggdrasil peer.
yggspot
Status: Untested
UI: 0
Purity: 0
Implements a yggdrasil hotspot as described here.
As a Desktop
Several shells are supported including:
- bash
- zsh+oh-my-zsh+(p10k/starship)
You get a load of timesaving aliases in ./profiles/alias.nix. These probably need some pruning, and the functions in ./.alias need nixification.
Several DE/WM combos are supported including:
- i3+xfce
- plasma5+bismuth (tiling WM plugin)
Gemini
- gemget: like curl for geminispace.
- amfora: TUI browser for gemini.
- lagrange: full featured GUI browser for gemini. Lagrange is only built if xserver is enabled.
Support my work
If you want to support my work be sure to use facebook, tiktok, the metaverse, #hashtag, and buy my rare NFTs. You could probably ask an AI too, I'm sure it'll have some good advice.
If you don't want to do any of that stuff, send me an email or message me on matrix.