[$ xmrhost] _

$ cat /etc/xmrhost/release

[$ ] About — privacy-tech offshore hosting for operators

// NAME

xmrhost.io (operating under the XMRHost brand) — offshore VPS, dedicated, GPU, and Tor / I2P / Lokinet node hosting. Iceland and Romania. No-KYC multi-crypto billing (XMR recommended). Operator-run; small editorial team.

// SYNOPSIS 

operator           independent (jurisdiction pending counsel decision)
brand              XMRHost
domain             xmrhost.io
founded            2026
regions            Iceland (IS) + Romania (RO)
billing            no-KYC crypto via OxaPay (XMR / BTC / LTN / LTC / ETH / USDT)
editors            2 — see /about/team

// WHAT

$ man 7 what-this-is

xmrhost.io is a small operator-run hosting brand serving the privacy-tech niche. The audience is sysadmins, security researchers, OSS maintainers running CI on offshore boxes, privacy-tooling developers, journalists running source-protection intake, and small newsrooms needing CMS hosting outside their domestic jurisdiction. Not a hyperscaler. Not a marketing-funded venture-capital play. Not a free service cross-funded by advertising.

The deliverable is technical infrastructure with a coherent editorial stack around it: the catalog at /node, the operator runbooks at /docs, the long-form editorial at /notes, the threat-model dossiers at /threat-models, the customer-side guides at /guide. Every published surface is editorially reviewed before it ships.

// WHY

$ man 7 founding-rationale

Three reasons the brand exists:

  • The offshore-hosting niche is full of marketing theatre. Brands claim "100% anonymous" and ship KYC-at-signup. Brands claim "99.99% uptime" and have no monitoring. Brands claim "no logs" and ship Cloudflare in front. The brand voice exists to be honest about what is and isn't in scope.
  • Tor / I2P / Lokinet operator workloads need specialised infrastructure. Hardened-by-default tor.conf, onion-auth-gated sshd, mkp224o vanity-onion generation, OXEN-staking integration for Lokinet exits — these are not standard features on generalist offshore hosts.
  • Chain-analytics-aware payment posture is missing. Most offshore hosts that accept crypto also accept BTC and route through chain-analytics-tagged processors, undermining the offshore posture at the payment layer. The brand defaults to Monero (via OxaPay, no-KYC) and documents the trade-off honestly when customers choose other rails.

// WHO

$ cat /etc/xmrhost/masthead

Pseudonymous editorial team. The operator's wallet, real-name, and operational location remain separate from the brand identities listed below — this is by design and is the standard practice in the privacy-tech publication space (Tor Project contributors, EFF technologists, Freedom of the Press Foundation engineering staff all use a mix of real names and pseudonyms; the operator picked the pseudonymous side for the same reasons).

  • 0xLambda (ops)

    Lead operations — infrastructure, hardening, Tor / I2P / Lokinet provisioning

  • Vex (editorial)

    Editorial — threat models, journalism / source-protection posture, legal-jurisdictional analysis

// full editor profiles at /about/team; upstream contributions (CVEs, OSS PRs, conference talks) at /about/contributions.

// WHERE

$ man 7 operating-regions

Two operating regions, picked for jurisdictional + operational properties — not for marketing.

  • Iceland (RIPE, IS) — Höfundalög nr. 73/1972 + IMMI source-protection statutes; outside Five Eyes / Fourteen Eyes; EEA-not-EU; three submarine cables for transit redundancy (FARICE-1, DANICE, IRIS); geothermal power baseline. Default region for source-protection deployments.
  • Romania (RIPE, RO) — Legea nr. 8/1996; EU member; dense mainland-EU peering (~28ms to Frankfurt DE-CIX); among the cheapest bandwidth-per-Mbps pricing in the EU. Default region for European-audience deployments where EU-internal latency matters.

// long-form region comparison at /vs/iceland-vs-romania-offshore-jurisdiction. Per-region dossiers at /location/is and /location/ro.

// HOW — OPERATING PRACTICE

$ man 7 operating-practice

The day-to-day operating practice, stated plainly:

  • Hardened-by-default. Every plan ships KSPP-baseline kernel + sshd hardened (Ed25519 only, no password auth) + auditd configured + restrictive nftables. Customer extends rather than configures from zero. Documented at /hardening.
  • Narrow AUP. The operator declines a small, enumerated set of workloads (CSAM, malware C2 infrastructure, targeted fraud / phishing, terrorism / mass-violence material, non-consensual imagery). Everything else is the customer's responsibility under the law of the hosting jurisdiction. See /legal/aup.
  • Court-process-only takedowns. The operator does not run a DMCA-format notice-and-takedown machinery. Copyright complaints under Iceland Höfundalög or Romania Legea 8/1996 are processed when served by a court of competent jurisdiction. Misformatted notices are responded to with a pointer to the correct procedure.
  • Minimum-collected identity. Pseudonym signup, email optional, payment via OxaPay no-KYC. The operator only collects what's required to support the account — when a court order arrives demanding identity data the operator does not possess, the response is that the data does not exist.
  • No Cloudflare, no CDN-edge, no third-party analytics. Caddy serves direct, Plausible self-host for traffic stats (planned, separate VPS), no fingerprinting surface.
  • Publication cadence. Notes + docs ship on a documented cadence (1-2 long-form per week is the target). Material incidents get post-incident write-ups within 7 days. The brand surface is meant to be a living publication, not a frozen marketing site.

// WHAT WE DO NOT PROMISE

$ grep -v promise /etc/xmrhost/voice

Honest non-promises — what the brand will not claim regardless of marketing pressure:

  • Not "100% anonymous". Anonymity is a threat-model trade-off; 100% is the wrong target. The brand documents what is and isn't defended against (the three-tier guide at /guide/how-to-host-a-website-anonymously walks the tiers).
  • Not "100% uptime". Infrastructure has failure modes. The published SLA target is 99.9% node / 99.95% network on rolling 30-day windows. Service-credit ladder at /uptime.
  • Not "no logs ever". Specific minimum logs for operational reasons (Tor notice level on tor.log, sshd auth events to auditd, billing transaction record) exist. What the operator does not log: visitor identity, IP-to- customer mapping above what billing requires, browser- fingerprint data, third-party-analytics telemetry.
  • Not "court-process-proof". A duly-issued court order from a court of competent jurisdiction in Iceland or Romania is honored. What's defeated is the much larger volume of low-merit pressure (DMCA-format notices, civil cease-and-desist letters, regulator pressure out-of-jurisdiction).
  • Not "the best". The methodology guide at /guide/best-offshore-vps-2026 frames "best" as a threat-model + budget trade-off. The brand declines to claim superiority over peer providers.

// SEE ALSO

$ ls /usr/share/doc/xmrhost

  • /about/team — full editor profiles with specialties and Schema.org Person bylines.
  • /about/contributions — upstream OSS contributions, CVEs, conference talks.
  • /legal/tos — terms of service.
  • /legal/aup — acceptable use policy.
  • /uptime — reliability + SLA posture.
  • /contact — server-handled form for support / legal / abuse / privacy / press.