[$ xmrhost] _

$ pwd

/node/vps/vps-1

[$ ] VPS-1 — no-KYC offshore VPS (Iceland, Romania, Monero)

// NAME

vps-1 — Entry-level KVM VPS, anonymous & DMCA-resistant.

// SYNOPSIS 

xmrhost-cli provision --plan=vps-1 --region=<is|ro>

// SPEC

$ xmrhost-cli spec --plan=vps-1

cpu 1 vCPU (AMD EPYC)
ram 2 GB DDR4 ECC
storage 25 GB NVMe SSD
bandwidth 1 TB / month
port 1 Gbps
virtualization KVM
os Ubuntu, Debian, AlmaLinux, Rocky, Fedora, Whonix
ip 1 × IPv4 + IPv6
ddos-shield 10 Gbps
uptime-sla 99.9%

// REGIONS

$ xmrhost-cli regions --plan=vps-1

region country ping flag
is Iceland (Reykjavik) ~38ms FRA --region=is
ro Romania (Bucharest) ~28ms FRA --region=ro

// ORDER

Order VPS-1

monthly +30% $10
annual -20% $77
biennial -25% $144
$ order vps-1

// no-kyc crypto billing (xmr recommended; btc / ltn / ltc / eth / usdt accepted) — why-monero covers the rationale, payments the flow.

// PROVISIONING

after you click order 

$ xmrhost-cli provision --plan=vps-1 --region=is
[ok] reserving capacity in region=is
[ok] node allocated: vps-1-is-10
[ok] applying hardened-by-default profile (sshd, fail2ban, unattended-upgrades)
[ok] base image bootstrapped (Debian 12)
[ok] handoff key sealed → view via the console at /console
provisioned in 47s. ssh access via onion-auth or wireguard, your choice.

// you receive the onion-auth key + initial sshd config in the same handoff. no email-shipped credentials. nothing is logged to the operator side.

// HARDENING BASELINE — WHAT SHIPS BY DEFAULT

$ cat /etc/xmrhost/baseline.d/*

Every VPS-1 ships with the xmrhost hardening baseline applied on the first boot — no opt-in flag, no add-on, no separate purchase. The baseline is the same across the catalog (vps / dedicated / gpu / tor / i2p / lokinet); category-specific extras are listed below the common section. Detailed per-control runbooks live in /docs; the cross-cutting overview is at /hardening.

  • KERNEL. KSPP-baseline sysctls applied (kernel.kptr_restrict=2, kernel.yama.ptrace_scope=1, kernel.unprivileged_bpf_disabled=1, vm.unprivileged_userfaultfd=0, net.ipv4.tcp_syncookies=1, +12 more), unprivileged user-namespace creation gated, kexec disabled at runtime. Full list and rationale: /docs/kernel-hardening-checklist.
  • SSHD. PasswordAuthentication no, ChallengeResponseAuthentication no, KbdInteractiveAuthentication no, PermitRootLogin prohibit-password, MaxAuthTries 3, Ed25519-only host keys (RSA host keys removed), legacy KEX / cipher / MAC families disabled. fail2ban preconfigured with the sshd-default ruleset. Runbook: /docs/harden-sshd; key migration: /docs/ssh-key-migration.
  • AUDIT. auditd enabled with the laurel-compatible default ruleset (auth, identity, network-config, time-change, mount, perm-mod). unattended-upgrades on for main/security only — feature releases stay operator-controlled. systemd-journald persistent storage with SystemMaxUse=512M.
  • NETWORK. Egress-default-permit (the box reaches the internet), ingress-default-deny (only sshd + the customer's declared services). Outbound port 25 (SMTP) closed by default; customers operating a real MTA request the lift via /contact with the reverse-DNS pointing to a domain they control. Dual-stack IPv4 + IPv6 (/64 routed). RIPE- allocated PI on Iceland and Romania.
  • MONITORING. node_exporter (Prometheus textfile exporter) listening on 127.0.0.1:9100 — the operator's monitoring scrapes via wireguard from the management VLAN, never from the public internet. Customers wanting their own metrics tap add a second exporter on a private interface.
  • VPS HEADROOM. KVM virtualization, dedicated vCPU allocation (no oversold cores), local NVMe, 1 IPv4 + IPv6 /64 routed to the guest, console access via the customer panel for emergency reinstall without a support ticket.

// the baseline is editorial-stable — when the operator changes a default, the change is logged in /notes with the rationale and the migration notes for boxes already in service. /hardening is the canonical pillar; /docs is the procedural manual.

// RECOMMENDED PLAYBOOKS

$ grep -l 'vps-1' /usr/share/doc/xmrhost/playbook/

  • /playbook/vpn — self-hosted wireguard / openvpn endpoint — your trust boundary is the vps, not a third-party provider
  • /playbook/tor-relay — operate a tor middle/exit relay or obfs4 bridge with bgp-stable uplinks and a sane abuse posture
  • /playbook/scraping — stable-asn vps for ethical crawling: clean ip reputation, generous egress, no per-target rate limits

// FAQ

$ faq -p vps-1

Q.Where is the VPS hosted?

A.Iceland (Reykjavik, RIPE) or Romania (Bucharest, RIPE) — the customer picks at checkout. Both are inside the European Economic Area for GDPR purposes; Iceland is outside the EU and has no DMCA equivalent (the closest analog is Höfundalög nr. 73/1972, which does not provide a takedown-without-court-order procedure). Romania transposes the EU 2001/29/EC copyright directive via Legea nr. 8/1996. The detailed jurisdictional comparison is at /vs/iceland-vs-romania-offshore-jurisdiction.

Q.Do I need to pay in Monero?

A.No. XMR is recommended (chain-analytics-resistant) but the OxaPay processor accepts BTC, Lightning, LTC, ETH, and USDT (Tron / Polygon / ETH). The trade-off is documented at /why-monero — transparent rails are accepted because not every threat model weights chain-analytics privacy the same way. No card surface, no fiat rail, no KYC bridge.

Q.Is KYC required at signup?

A.No. The signup form asks for an email address (used for the receipt and the password-reset flow) and a password. No real-name field, no government-ID upload, no address verification, no phone-number prompt. The email address can be a pseudonym at any provider that accepts a Tor exit; the Mailbox.org / Riseup / Protonmail combinations are compatible with the verification flow.

Q.What does "hardened by default" actually mean?

A.Every VPS ships with the KSPP kernel-hardening baseline applied (kernel.kptr_restrict=2, kernel.yama.ptrace_scope=1, vm.unprivileged_userfaultfd=0, etc.), sshd configured per the OpenSSH hardening guide (PasswordAuthentication no, ChallengeResponseAuthentication no, MaxAuthTries 3, Ed25519-only host keys), fail2ban active on sshd with default ruleset, auditd enabled, unattended-upgrades on for security packages. Documented in full at /docs/kernel-hardening-checklist and /docs/harden-sshd.

Q.Can I run a Tor relay or VPN on this VPS?

A.Yes. The AUP (/legal/aup) explicitly permits Tor relays (middle, exit, bridge), I2P routers, Lokinet nodes, and self-hosted VPN endpoints (WireGuard, OpenVPN, etc.). Operating an exit node is permitted; the customer publishes their own ContactInfo on the relay descriptor for upstream-network coordination. The xmrhost operator does not process third-party abuse reports against tenant traffic — see /contact 'WHAT WE DO NOT PROCESS'. For dedicated Tor hosting, /node/tor-hidden-service is the preconfigured tier.

Q.Can I get a refund?

A.Yes — the refund policy at /legal/refund covers a 7-day window from the order. Refunds are returned in the same currency as the original payment to a customer-supplied address; for XMR orders this means XMR back to a wallet the customer controls. No fiat off-ramp on either side; no exchange-KYC introduced by the refund flow. Per-order subaddresses (XMR) are derived from the operator view-key per MRL-0006.

// ORDER

$ xmrhost-cli order --plan=vps-1

// no-kyc crypto billing (xmr recommended; btc / ltn / ltc / eth / usdt accepted) — why-monero covers the rationale, payments the flow.

// BEFORE YOU ORDER — RELEVANT GUIDES

$ ls /guide