Apolloccrypt/ParamantOS

ParamantOS

License: BUSL-1.1 · Relay · NixOS

Boot. Install. Done.

A minimal NixOS image with the Paramant Ghost Pipe Relay baked in. Its primary purpose is installation to disk for servers, VMs, and enterprise deployments: boot the ISO and the interactive installer starts automatically. Live mode (run from USB, no installation) is also available.


Download

→ Latest release (ParamantOS.iso)

| File           | Size    | Format                          |
|----------------|---------|---------------------------------|
| ParamantOS.iso | ~1.7 GB | Bootable ISO 9660 (BIOS + UEFI) |

Flash to USB

# Linux / macOS: replace /dev/sdX with the whole USB device (not a partition such as /dev/sdX1).
# dd overwrites the target without asking; confirm the device with lsblk (Linux) or diskutil list (macOS) first.
# macOS dd may not accept status=progress; drop that operand if it complains.
sudo dd if=ParamantOS.iso of=/dev/sdX bs=4M status=progress && sync
# Windows: use Rufus (https://rufus.ie) or balenaEtcher

Installation (recommended)

Boot the ISO — the installer menu appears automatically:

┌──────────────────────────────────────────────────────────────┐
│  ParamantOS — Boot Menu                                      │
│                                                              │
│  Welcome! What would you like to do?                         │
│                                                              │
│  > Install ParamantOS to disk  [recommended]                 │
│    Run as live system          [no installation]             │
│    Open shell                  [advanced]                    │
└──────────────────────────────────────────────────────────────┘

The installer (paramant-install) handles everything:

  1. Disk selection — choose from all available disks
  2. Hostname — set the relay node name
  3. Password — set the admin password
  4. SSH key — paste your public key (optional)
  5. Partitioning — auto-detects UEFI or BIOS, creates GPT layout
  6. Install — copies ParamantOS config + runs nixos-install
  7. Reboot — ready in ~5 minutes

Supports servers, VMs (QEMU/KVM, VMware, Proxmox), and bare-metal x86_64.


Live mode (run without installing)

Choose "Run as live system" in the boot menu — the relay starts immediately from RAM, nothing is written to disk. Useful for testing or temporary deployments.


First boot after installation

No graphical splash and no distro branding: a clean text console with an EU-stars boot screen, and the relay auto-starts:

                    * * *
                *         *
              *   PARAMANT  *     ← shown during kernel init
                *         *
                    * * *

  Initializing ML-KEM-768...
  Loading paramant_core... OK
  EU_SECURE_BOOT... CONFIRMED
  Establishing encrypted link...

Then at the login prompt (green ASCII EU circle + info box):

                    ★ ★ ★
                ★         ★
              ★    PARAMANT    ★
                ★         ★
                    ★ ★ ★

╔════════════════════════════════════════╗
║  ParamantOS v2.4.2  ·  EU/DE           ║
║  Ghost Pipe · Post-Quantum Relay       ║
╠════════════════════════════════════════╣
║  kernel    : paramant-hardened         ║
║  crypto    : ML-KEM-768 + AES-256-GCM  ║
║  relay     : RAM-only · burn-on-read   ║
║  license   : BUSL-1.1 (source avail.)  ║
║  jurisdiction: EU/DE · no CLOUD Act    ║
╠════════════════════════════════════════╣
║  [ paramant-help ] for all commands    ║
╚════════════════════════════════════════╝

Default login: paramant / paramant123 (local console only; SSH accepts keys, not passwords, see Security). Change it in the first step of the setup wizard below.

On first login the setup wizard runs automatically — it walks you through:

  1. Changing your password
  2. Setting the hostname
  3. Adding a license key (optional — Community Edition is free)
  4. Adding your SSH public key

Built-in commands

Type paramant-help to see all commands. Everything you need is already installed.

Setup & diagnostics

| Command          | What it does                                              |
|------------------|-----------------------------------------------------------|
| paramant-install | Interactive disk installer (UEFI + BIOS, auto-partitions) |
| paramant-setup   | First-boot wizard (re-run with --force)                   |
| paramant-info    | System overview (relay, OS, hardware, network)            |
| paramant-doctor  | Automated health check with fix instructions              |
| paramant-help    | Full command reference                                    |

Relay control

| Command            | What it does                                          |
|--------------------|-------------------------------------------------------|
| paramant-status    | Relay health, version, edition                        |
| paramant-restart   | Restart the relay                                     |
| paramant-logs      | Live relay log stream                                 |
| paramant-dashboard | Live TUI dashboard (auto-refresh, keyboard shortcuts) |

API keys

| Command             | What it does                    |
|---------------------|---------------------------------|
| paramant-keys       | List all API keys               |
| paramant-key-add    | Add a new API key (interactive) |
| paramant-key-revoke | Revoke an API key (interactive) |

License & network

| Command          | What it does                                       |
|------------------|----------------------------------------------------|
| paramant-license | License status, expiry, upgrade info               |
| paramant-wifi    | Interactive WiFi manager                           |
| paramant-ip      | Show IP addresses + port status                    |
| paramant-ports   | Firewall rules + listening ports                   |
| paramant-scan    | Query relay registry + scan LAN for Paramant nodes |

Security & sectors

| Command             | What it does                                             |
|---------------------|----------------------------------------------------------|
| paramant-security   | Firewall, SSH, kernel hardening status                   |
| paramant-verify     | TOFU fingerprint verification for Ghost Pipe devices     |
| paramant-sector-add | Add a new relay sector (health/finance/legal/iot/custom) |

Data management

| Command          | What it does                                          |
|------------------|-------------------------------------------------------|
| paramant-backup  | Backup keys + CT log                                  |
| paramant-restore | Restore from backup (interactive)                     |
| paramant-export  | Export audit log to USB drive                         |
| paramant-cron    | Manage systemd timers (backup/watchdog/license-alert) |
| paramant-update  | Check for updates + show upgrade path                 |

Install in QEMU / VM

# Create a 20 GB disk image
qemu-img create -f qcow2 paramantos.qcow2 20G

# Boot the installer ISO (UEFI mode). -boot d boots from the CD-ROM first;
# the OVMF firmware path varies by distro, adjust it if the file is not found.
# hostfwd with an empty host address listens on all host interfaces: use
# hostfwd=tcp:127.0.0.1:13000-:3000 if the test port should stay local to this machine.
qemu-system-x86_64 \
  -m 2048 \
  -bios /usr/share/ovmf/OVMF.fd \
  -cdrom ParamantOS.iso \
  -drive file=paramantos.qcow2,format=qcow2 \
  -boot d \
  -enable-kvm \
  -netdev user,id=net0,hostfwd=tcp::13000-:3000 \
  -device virtio-net,netdev=net0 \
  -nographic

# After installation + reboot, boot from disk:
qemu-system-x86_64 \
  -m 2048 \
  -bios /usr/share/ovmf/OVMF.fd \
  -drive file=paramantos.qcow2,format=qcow2 \
  -enable-kvm \
  -netdev user,id=net0,hostfwd=tcp::13000-:3000 \
  -device virtio-net,netdev=net0 \
  -nographic

Test live in QEMU (without installing)

qemu-system-x86_64 \
  -m 2048 \
  -cdrom ParamantOS.iso \
  -boot d \
  -enable-kvm \
  -netdev user,id=net0,hostfwd=tcp::13000-:3000 \
  -device virtio-net,netdev=net0 \
  -nographic

Then in a separate terminal (after ~60s boot):

curl http://localhost:13000/health
# {"ok":true,"version":"2.4.2","sector":"relay","edition":"community","max_keys":5}

Network

| Port      | Purpose                                             |
|-----------|-----------------------------------------------------|
| 22        | SSH                                                 |
| 3000      | Relay main (sector: relay)                          |
| 3001–3004 | Additional sectors (health / finance / legal / iot) |

WiFi managed by NetworkManager (paramant-wifi or nmcli).


Editions

| Edition             | API keys  | How to enable                                |
|---------------------|-----------|----------------------------------------------|
| Community (default) | Max 5     | No config needed — free forever              |
| Licensed            | Unlimited | Add license key via setup wizard or manually |

License keys are Ed25519-signed: a key that has been altered, or that was not issued with the licensor's signing key, fails verification and the relay falls back to Community Edition.

| Scenario    | Result                                 |
|-------------|----------------------------------------|
| No key      | Community Edition, max 5 keys          |
| Valid key   | Licensed Edition, unlimited keys       |
| Expired key | Graceful fallback to Community Edition |
| Invalid key | Graceful fallback to Community Edition |

Add a license key

Option A — setup wizard:

paramant-setup --force   # Step 3 prompts for the key

Option B — manually:

# Run as root: the redirection needs write access to /etc/paramant. Appending a second
# time leaves two PLK_KEY lines, so edit the file instead if a key is already set, and
# keep the file's permissions tight: the key is a secret.
echo 'PLK_KEY=plk_your_key_here' >> /etc/paramant/license
systemctl restart paramant-relay
# "edition" in the health output should no longer read "community"
curl -s http://localhost:3000/health | python3 -m json.tool

Get a key: paramant.app/pricing


Security

  • Post-quantum SSH: ML-KEM-768 + Curve25519 KEX (mlkem768x25519-sha256), Ed25519 host key only, no password auth, no root login (CVE-2023-51767 / CVE-2025-26465 / CVE-2025-26466 / CVE-2025-32728)
  • Ghost Pipe crypto: ML-KEM-768 + ECDH P-256 hybrid encryption, AES-256-GCM, ML-DSA-65 relay identity (NIST FIPS 203/204)
  • Relay registry: each relay signs its registration with ML-DSA-65; paramant-scan queries the registry + verifies CT log continuity
  • Kernel hardening: kernel.unprivileged_bpf_disabled, kernel.kptr_restrict=2, net.core.bpf_jit_harden=2
  • Firewall: only ports 22 + 3000–3004 open
  • Service isolation: relay runs as dedicated system user paramant-relay
  • Systemd hardening: NoNewPrivileges, ProtectSystem=strict, PrivateTmp, PrivateDevices, RestrictNamespaces
  • RAM-only relay: blobs stored in RAM, burned after first download, never written to disk
  • Jurisdiction: EU/DE hosted — no CLOUD Act exposure

See relay security model for the full threat model, four-layer key verification, and audit report.
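A drift check for that baseline, as an added example that is not part of ParamantOS: it reads text dumps of `sysctl -a`, `sshd -T` and `ss -Hltn` and reports every setting that departs from the values listed above. The accepted value for kernel.unprivileged_bpf_disabled and the tolerance for the sector ports 3001–3004 are assumptions, and the sample dumps are constructed rather than captured:

```shell
#!/bin/sh
# Added example, not ParamantOS code: audits a host against the hardening baseline the
# Security section lists (sysctls, SSH policy, listening ports). It reads plain-text
# dumps, so it also runs offline against captured files:
#   sysctl -a > sysctl.txt
#   sshd -T   > sshd.txt    # effective sshd settings, lower-case keys (run as root)
#   ss -Hltn  > ss.txt      # listening TCP sockets without the header line
# Usage: sh audit.sh sysctl.txt sshd.txt ss.txt   (no arguments: run on built-in samples)

# audit_sysctl FILE: prints one line per mismatch; return value = number of mismatches.
audit_sysctl() {
  f=$1; bad=0
  # kptr_restrict=2 and bpf_jit_harden=2 are stated on the page. The page gives no value
  # for unprivileged_bpf_disabled; 1 and 2 both disable it (assumption: accept either).
  for spec in kernel.kptr_restrict=2 net.core.bpf_jit_harden=2 \
              'kernel.unprivileged_bpf_disabled=[12]'; do
    key=${spec%%=*}; want=${spec#*=}
    have=$(sed -n "s/^$key *= *//p" "$f")
    case "$have" in
      $want) ;;
      *) echo "sysctl: $key is '${have:-unset}', want $want"; bad=$((bad + 1)) ;;
    esac
  done
  return $bad
}

# audit_sshd FILE: no password auth, no root login, the hybrid ML-KEM KEX offered,
# and only Ed25519 host keys (sshd -T prints one 'hostkey <path>' line per key).
audit_sshd() {
  f=$1; bad=0
  for want in 'passwordauthentication no' 'permitrootlogin no'; do
    grep -qxF "$want" "$f" || { echo "sshd: want '$want'"; bad=$((bad + 1)); }
  done
  grep '^kexalgorithms ' "$f" | grep -q mlkem768x25519-sha256 ||
    { echo "sshd: kexalgorithms lacks mlkem768x25519-sha256"; bad=$((bad + 1)); }
  if grep '^hostkey ' "$f" | grep -qv ed25519; then
    echo "sshd: a non-Ed25519 host key is configured"; bad=$((bad + 1))
  fi
  return $bad
}

# audit_ports FILE: only 22 and 3000-3004 may listen (assumption: the sector ports
# 3001-3004 are tolerated even when no extra sector is configured).
audit_ports() {
  f=$1; bad=0
  for sock in $(awk '{print $4}' "$f"); do        # column 4 = Local Address:Port
    case "${sock##*:}" in
      22|300[0-4]) ;;
      *) echo "ports: unexpected listener $sock"; bad=$((bad + 1)) ;;
    esac
  done
  return $bad
}

# audit_all SYSCTL SSHD SS: runs all three; return value = total mismatches.
audit_all() {
  total=0
  audit_sysctl "$1"; total=$((total + $?))
  audit_sshd  "$2"; total=$((total + $?))
  audit_ports "$3"; total=$((total + $?))
  return $total
}

# write_samples DIR: constructed sample dumps (not captured from a real host),
# one compliant set and one with drift in every file.
write_samples() {
  printf '%s\n' 'kernel.kptr_restrict = 2' 'kernel.unprivileged_bpf_disabled = 1' \
    'net.core.bpf_jit_harden = 2' > "$1/sysctl-ok.txt"
  printf '%s\n' 'kernel.kptr_restrict = 1' 'net.core.bpf_jit_harden = 2' > "$1/sysctl-drift.txt"
  printf '%s\n' 'permitrootlogin no' 'passwordauthentication no' \
    'kexalgorithms mlkem768x25519-sha256,curve25519-sha256' \
    'hostkey /etc/ssh/ssh_host_ed25519_key' > "$1/sshd-ok.txt"
  printf '%s\n' 'permitrootlogin prohibit-password' 'passwordauthentication no' \
    'kexalgorithms curve25519-sha256' 'hostkey /etc/ssh/ssh_host_ed25519_key' \
    'hostkey /etc/ssh/ssh_host_rsa_key' > "$1/sshd-drift.txt"
  printf '%s\n' 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' 'LISTEN 0 511 *:3000 *:*' > "$1/ss-ok.txt"
  printf '%s\n' 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' 'LISTEN 0 511 *:3000 *:*' \
    'LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*' > "$1/ss-drift.txt"
}

if [ $# -eq 3 ]; then
  audit_all "$1" "$2" "$3" && echo "OK: host matches the baseline"
else
  d=$(mktemp -d); write_samples "$d"
  echo "--- compliant samples"
  audit_all "$d/sysctl-ok.txt" "$d/sshd-ok.txt" "$d/ss-ok.txt" && echo "OK: 0 findings"
  echo "--- drifted samples"
  audit_all "$d/sysctl-drift.txt" "$d/sshd-drift.txt" "$d/ss-drift.txt" || echo "findings: $?"
  rm -rf "$d"
fi
```

The return value is the finding count, so the script can gate a deployment (`sh audit.sh ... || exit 1`) or feed a systemd timer alongside paramant-cron; paramant-security prints the same kind of status interactively, this version is meant for unattended checks and for comparing captured dumps from several nodes.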


Hardware requirements

| Component | Minimum                                                                        |
|-----------|--------------------------------------------------------------------------------|
| CPU       | x86_64, 2 cores                                                                |
| RAM       | 2 GB (recommended)                                                             |
| Storage   | USB drive for live mode; a disk for installation (the QEMU example uses 20 GB) |
| Network   | Ethernet or WiFi                                                               |

Build from source

Requires Nix with flakes enabled.

git clone https://github.com/Apolloccrypt/ParamantOS
cd ParamantOS

# Build the bootable ISO (~30 min first build, cached after)
nix build .#iso

# Verify config without building
nix flake check --no-build

The resulting ISO is at result/iso/*.iso.


Repo structure

ParamantOS/
├── flake.nix             — Nix flake: nixosConfigurations + packages
├── configuration.nix     — NixOS system config (relay, SSH, firewall, MOTD)
├── hardware.nix          — Generic VM/bare-metal hardware (BIOS + GRUB)
├── module.nix            — NixOS module: services.paramant-relay.*
├── scripts.nix           — All paramant-* operator commands
├── scripts/              — Shell scripts (one per command)
└── paramant-relay.nix    — Nix package: buildNpmPackage from GitHub

License

Business Source License 1.1 — same license as the relay software.

  • Source available, free for ≤ 5 active API keys per relay instance
  • Licensor: PARAMANT / Mick Beer
  • For unlimited users: paramant.app/pricing

NixOS / nixpkgs components are MIT and various open source licenses.


Questions: privacy@paramant.app
