Apolloccrypt/ParamantOS
paramantOS

License: BUSL-1.1 Relay NixOS Jurisdiction

Hardened Linux for paramant relay operators.

Boots from USB, installs to disk, or runs live. The relay starts automatically. All 38 paramant-* operator tools are included. No manual configuration required — paramant-setup walks you through everything.


Two editions

| Edition | Base | Size | Best for |
|---|---|---|---|
| NixOS v2.4.5 | NixOS unstable | ~1.7 GB | Production servers, reproducible builds, declarative config |
| Mint v1.0-β | Linux Mint 22.1 | ~2.5 GB | VPS, bare metal, familiar Cinnamon desktop |

Download

| File | Tag | SHA256 |
|---|---|---|
| ParamantOS.iso | v2.4.5-nixos | SHA256 |
| paramantOS-1.0-amd64 (part-aa) · part-ab | v1.0-mint | SHA256 |

The Mint ISO is split due to GitHub's 2 GB asset limit. Reassemble the parts and verify the checksum:

```shell
cat paramantOS-1.0-amd64.iso.part-aa paramantOS-1.0-amd64.iso.part-ab > paramantOS-1.0-amd64.iso
sha256sum -c paramantOS-1.0-amd64.sha256
```

Boot

USB (BIOS or UEFI)

```shell
sudo dd if=ParamantOS.iso of=/dev/sdX bs=4M status=progress && sync
```

Works on BIOS and UEFI hardware out of the box.

VirtualBox

| Setting | Value |
|---|---|
| System → EFI | ON or OFF — both work |
| System → Boot Order | Optical first |
| Display → Graphics Controller | VMSVGA |
| Display → Video Memory | 128 MB |
| Storage → Controller IDE | attach ISO |

QEMU / KVM

```shell
# BIOS mode
qemu-system-x86_64 -enable-kvm -m 4096 -smp 2 -cpu host \
  -cdrom ParamantOS.iso -boot d -vga std -display gtk

# UEFI mode (OVMF)
qemu-system-x86_64 -enable-kvm -m 4096 -smp 2 -cpu host \
  -bios /usr/share/edk2/ovmf/OVMF_CODE.fd \
  -cdrom ParamantOS.iso -boot d -vga std -display gtk
```

Default login: paramant / paramant123. paramant-setup forces a password change.


Boot flow

```text
ISO boots → auto-login as 'paramant' → boot-choice menu

  1. Install to disk — offline   (bundled packages, no internet)
  2. Install to disk — online    (downloads latest from Nix cache)
  3. Run as live system
  4. Open shell
```

First steps after booting

```shell
paramant-setup          # first-boot wizard: password + relay config
paramant-relay-setup    # clone paramant-relay + configure .env + start Docker
paramant-status         # verify relay is running and healthy
security-status         # verify all security layers
```

All 38 paramant-* tools

Setup & diagnostics

| Command | What it does |
|---|---|
| paramant-help | Full command reference |
| paramant-setup | First-boot wizard — password, relay URL, API key |
| paramant-info | System overview — OS, relay version, uptime, edition |
| paramant-doctor | Automated health check for relay + security |
| paramant-install | Interactive disk installer |

Relay control

| Command | What it does |
|---|---|
| paramant-status | Relay health, version, edition, uptime |
| paramant-relay-setup | Clone paramant-relay repo + configure .env + start Docker |
| paramant-relay-ctl | Privileged relay service control (start/stop/reload) |
| paramant-restart | Restart the relay |
| paramant-dashboard | Live TUI dashboard — stats, connections, throughput (2s refresh) |
| paramant-logs | Live relay log stream |
| paramant-update | Check for relay updates and show upgrade path |

Sector tools (use-case specific)

| Command | What it does |
|---|---|
| paramant-referral | Healthcare referral — NEN 7510, HL7 FHIR, DICOM |
| paramant-notary | Legal document transport — eIDAS, KNB notary |
| paramant-legal | Court document relay (replaces Zivver/e-Court) |
| paramant-payslip | HR payslip distribution — GDPR compliant bulk send |
| paramant-firmware | IoT/body cam firmware updates — IEC 62443 |
| paramant-cra | Software supply chain relay — EU CRA 2027, SBOM |
| paramant-ticket | One-time transit ticket issuer and verifier |

API key management

| Command | What it does |
|---|---|
| paramant-keys | List all API keys |
| paramant-key-add | Add a new API key |
| paramant-key-revoke | Revoke an API key |
| paramant-license | Show license status and upgrade path |

Network & discovery

| Command | What it does |
|---|---|
| paramant-ip | IP addresses, interfaces, relay accessibility |
| paramant-ports | Firewall rules and listening ports |
| paramant-wifi | Interactive WiFi manager |
| paramant-scan | Discover paramant relay nodes via registry and local network |

Security & verification

| Command | What it does |
|---|---|
| security-status | All security layers at a glance |
| paramant-security | Firewall, SSH, kernel hardening status |
| paramant-ports | Open ports and firewall rules |
| paramant-verify | Out-of-band TOFU fingerprint verification |
| paramant-doctor | Automated relay health check |
| paramant-crypto-audit | Crypto inventory scanner — 10 categories, HNDL risk, JSON report |
| paramant-migrate | Crypto-agility helper — migrate TLS/SSH/backups away from RSA |

Backup & data

| Command | What it does |
|---|---|
| paramant-backup | Backup relay keys and CT log |
| paramant-restore | Restore from backup |
| paramant-export | Export audit log to USB drive |
| paramant-data-ctl | Privileged relay data-dir management |
| paramant-cron | Manage systemd timers for relay maintenance |

Security hardening

Both editions include the same security baseline:

| Layer | What |
|---|---|
| Kernel | Hardened — STACKLEAK, RANDSTRUCT, KSPP sysctl, CIS L2 |
| SSH | Ed25519 only, no password auth, post-quantum KEX |
| Firewall | nftables — ports 22 + 3000-3004 only |
| AppArmor | Enforcing on all relay processes |
| auditd | CIS Level 2 rules |
| fail2ban | SSH jail — 3 attempts = 1h ban |
| USBGuard | Unknown USB devices blocked |
| AIDE | File integrity check — daily cron |
| Swap | Disabled (zero-storage relay requirement) |
| Docker | cap_drop ALL, no-new-privileges, read-only rootfs |

Relay setup (after OS install)

Automated (recommended)

```shell
paramant-relay-setup
# Clones paramant-relay, configures .env, generates ADMIN_TOKEN, starts Docker
```

Manual

```shell
git clone https://github.com/Apolloccrypt/paramant-relay ~/paramant-relay
cd ~/paramant-relay
cp .env.example .env
echo "ADMIN_TOKEN=$(openssl rand -hex 32)" >> .env
docker compose up -d
curl http://localhost:3001/health
# {"ok":true,"version":"2.4.5","sector":"health","edition":"community"}
```

Build from source

NixOS edition

```shell
cd nixos
nix build .#iso
# output: result/iso/paramantOS.iso
```

Mint edition

```shell
bash ~/Downloads/build-paramantOS.sh
# output: dist/paramantOS-1.0-amd64.iso
# requires: podman, ~20 GB disk, internet
```

Security audits

2026-04-11 — R. Zwarts (verification review)

14 findings, all resolved in commit e6f216d.

| # | Severity | Finding | Fix |
|---|---|---|---|
| 1 | High | Admin login uses `===` on ADMIN_TOKEN + no rate limit | timingSafeEqual + per-IP rate limiter |
| 5 | Medium | TOTP allows code reuse within window | Full window scan + _usedTotpCodes replay prevention |
| 8 | Medium | CT log uses appendFileSync + no rotation | Async write stream + size-based rotation |

2026-04-10 — R. Zwarts (independent audit)

6 findings, all resolved in commit 0db3ef0.

| # | Severity | Finding | Fix |
|---|---|---|---|
| 2 | High | /v2/stream-next returns synthetic HMAC hash, not real blob hash | Per-device queue with real SHA-256 |
| 3 | High | Webhook SSRF — DNS not resolved before connecting | isSsrfSafeUrl() applied; port allowlist 443+80 |
| 6 | Medium | Blob burned before transfer complete — mid-transfer disconnect = data loss | Deferred deletion on res.finish() |

2026-04-13 — Dependency review

0 npm vulnerabilities. Node 20 EOL → node:22-alpine. express 4.x → 5.x. 0 GPL/AGPL/LGPL licenses.


License

BUSL-1.1 — same as paramant-relay. Free for ≤ 5 active API keys per relay instance.

Contact: privacy@paramant.app
Relay: Apolloccrypt/paramant-relay
Website: paramant.app · Status · Free key

About

paramantOS — hardened NixOS for relay operators. Post-quantum Ghost Pipe relay baked in.
