From d574f96379d339a51610274fd16b241f72b11aec Mon Sep 17 00:00:00 2001
From: Sovran Systems <99053422+naturallaw777@users.noreply.github.com>
Date: Sat, 23 May 2026 15:42:59 -0500
Subject: [PATCH 1/2] Update README.md
---
README.md | 17 ++---------------
1 file changed, 2 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 2ae20a9..b0dca3d 100644
--- a/README.md
+++ b/README.md
@@ -2,21 +2,16 @@
-# Sovran_SystemsOS — Internal Mirror
-
-Private development mirror of **Sovran_SystemsOS**.
-Canonical source lives on Gitea — this repo is for internal work only.
+# Sovran_SystemsOS
`Base Development` · NixOS Flake · AGPL-3.0
-[Canonical source (Gitea)](https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS) · [Public site](https://sovransystems.com)
+[Sovran Systems](https://sovransystems.com)
---
-> **Heads up:** This repo is private. End users never see it. Public docs, build instructions, and marketing copy live on the website and on Gitea — do not duplicate them here. This README is for internal contributors.
-
## Table of Contents
1. [What This Repo Is](#what-this-repo-is)
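Review bot: the new header block in this hunk drops the `[Canonical source (Gitea)]` link and the "this repo is private, do not duplicate public docs here" notice without saying what replaces them. If the Gitea repository is still canonical, keep that link so contributors know where to push; if this mirror is being promoted to the public repository, say so in the README (a one-line "Canonical source: this repository" under the title would do), because after this change the file no longer states which copy is authoritative.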
@@ -135,10 +130,6 @@ Facts about the defaults, straight from `configuration.nix` and the modules:
- **Firewall on, public sshd off, RDP off, auto-login off.**
- **EFI** is mounted with `umask=0077`.
- **Kernel surface trimmed.** `boot.blacklistedKernelModules = [ "rxrpc" ];`
-- **Emergency mode disabled** (`systemd.enableEmergencyMode = false`).
-- **GNOME Keyring** wired into PAM (`gdm-password`, `gdm-autologin`); the keyring file is declaratively created with `0600` perms via `systemd.tmpfiles`.
-- **PostgreSQL** is local-only (`local trust`, `127.0.0.1/32 trust`, `::1/128 trust`). Not exposed to the network.
-- **Secrets** are materialized through `modules/credentials.nix` and `nix-bitcoin-secrets` (`/etc/nix-bitcoin-secrets/`, included in backups).
- **Weekly garbage collection** with `--delete-older-than 7d`.
## Backups & Recovery
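Review bot: the four bullets removed in this hunk (emergency mode disabled, GNOME Keyring wired into PAM with the keyring file created at `0600`, PostgreSQL bound only to `local`/`127.0.0.1/32`/`::1/128`, and secrets materialized under `/etc/nix-bitcoin-secrets/`) are hardening facts in a section that introduces itself as "straight from `configuration.nix` and the modules". If those settings are still in the configuration, deleting their bullets makes the posture description incomplete; if the settings themselves were changed (for example `systemd.enableEmergencyMode` back to its default), that is a behaviour change that belongs in its own commit with a message explaining why. The "included in backups" note on the secrets line also told operators that backup media carries key material; if it is cut here, make sure the Backups & Recovery section still says so.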
@@ -161,7 +152,3 @@ The second drive is mounted by label (`BTCEcoandBackup`) with `nofail` so a miss
## License
Licensed under the **GNU Affero General Public License v3.0** — see [`LICENSE`](./LICENSE).
-
----
-
-Internal mirror. Public copy lives on Gitea.
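Review bot: removing the "Internal mirror. Public copy lives on Gitea." footer, together with the header change in the first hunk, leaves the README silent on which repository is canonical, and the commit subject "Update README.md" does not say whether the repo is now public or whether the Gitea copy was retired. Either add a line stating where the canonical source now lives or spell the intent out in the commit message. Minor: the hunk also strips the closing `---` and blank lines, so the License sentence becomes the last line of the file; confirm it still ends with a newline.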
From a841665b07a31a580e82fc9532709893ba5fcef7 Mon Sep 17 00:00:00 2001
From: Sovran Systems <99053422+naturallaw777@users.noreply.github.com>
Date: Sat, 23 May 2026 15:46:24 -0500
Subject: [PATCH 2/2] Refine networking and security section in README
---
README.md | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index b0dca3d..7b1c1fb 100644
--- a/README.md
+++ b/README.md
@@ -114,21 +114,19 @@ Internal commands. Run from the flake root.
## Networking & Reverse Proxy
-- **Firewall on by default** (`networking.firewall.enable = true`). The only port opened at host level is **UDP 5353** for mDNS (Avahi). Every other port is opened by the module that needs it.
-- **Caddy** (`modules/core/caddy.nix`) terminates TLS for all HTTP services. Operator vhosts go through `sovran_systemsOS.caddy.extraVirtualHosts`.
+- **Firewall on by default** (`networking.firewall.enable = true`). Port are opened by the module that needs it.
+- **Caddy** (`modules/core/caddy.nix`) terminates TLS for all HTTP services.
- **Njalla** dynamic DNS (`modules/core/njalla.nix`) keeps records in sync via a 15-minute cron job.
-- **Avahi** publishes `sovransystemsos.local` on the LAN.
- **Tor** is enabled with `torsocks` available. The Bitcoin stack uses it directly — see [Security Posture](#security-posture).
-- **SSH:** localhost-only by default (`core/sshd-localhost.nix`). Public OpenSSH is opt-in (`modules/sshd.nix`).
-
+- **SSH:** localhost-only by default (`core/sshd-localhost.nix`).
+
## Security Posture
Facts about the defaults, straight from `configuration.nix` and the modules:
- **Reproducible builds.** Every artifact derives from `flake.lock`. The same commit produces the same OS.
- **Bitcoin stack over Tor.** In `modules/bitcoinecosystem.nix`, `bitcoind`, `electrs`, and `lnd` all set `tor.enforce = true`, and onion services are exposed for `bitcoind`, `electrs`, `lnd`, and friends.
-- **Firewall on, public sshd off, RDP off, auto-login off.**
-- **EFI** is mounted with `umask=0077`.
+- **Firewall on, public sshd off, RDP off, auto-login off, fail2bain active**
- **Kernel surface trimmed.** `boot.blacklistedKernelModules = [ "rxrpc" ];`
- **Weekly garbage collection** with `--delete-older-than 7d`.
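Review bot: two typos in the added lines of this hunk: `Port are opened by the module that needs it` should read `Ports are opened by the module that needs them`, and `fail2bain active` should read `fail2ban active.` (the rewritten bullet also lost its closing period). Because the section presents itself as facts "straight from `configuration.nix` and the modules", back the new fail2ban claim the way the firewall and kernel bullets are backed, i.e. with the option that enables it (`services.fail2ban.enable = true` on NixOS, plus whichever jails are configured). The hunk also drops three concrete defaults (UDP 5353 opened at host level for mDNS, the `sovransystemsos.local` Avahi advertisement, and EFI mounted with `umask=0077`) and the `modules/sshd.nix` opt-in for public OpenSSH: if Avahi is still enabled the firewall still opens 5353 and the README now understates the host's exposure, and if these were actually removed from the configuration the commit message should say so rather than "Refine". Minor: the `-`/`+` pair on the blank line after the SSH bullet appears to differ only in whitespace and can be dropped from the patch.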