plausible + other fixes

specs/004-vps-migration/quickstart.md

@@ -25,8 +25,9 @@
    - Update VPS public IP to `45.33.0.228` in SSH configuration
    - Update host server VPN client to target the new VPS
 
-4. Provide and review legacy proxy config:
+4. Provide and review legacy proxy config snapshot:
    - Supply caddy files for subdomain comparison
+   - Treat caddy as migration input only; nginx is the only proxy target for NixOS runtime
 
 ## Caddy vs Nix Subdomain Comparison (from provided caddy/ directory)
 
@@ -64,3 +65,39 @@
    - Validate historical data is present
 
 6. Run verification steps for each task (per spec FR-012).
+
+## Clarification Candidates From History Review
+
+- `opentracker` was installed and enabled (`systemctl enable --now opentracker`) with firewall rules for TCP/UDP `6969`; confirm if tracker service is still required on NixOS.
+- `ip6tables` was enabled on Fedora (`systemctl enable ip6tables`); confirm if equivalent IPv6 policy is required on VPS.
+- `net.ipv4.conf.wg0.rp_filter=0` was set during forwarding troubleshooting; confirm if this sysctl needs to be persisted on VPS.
+- Fedora-specific SELinux SSH port handling (`semanage ssh_port_t`) appears in history; confirm it can remain excluded on NixOS.
+
+## Verification Steps
+
+- **T001**: `test -f ./iptables && test -f ./secrets/ssh/ed25519_deploy.pub && test -f ./secrets/ssh/ed25519_lidarr-reports.pub && test -f ./secrets/wireguard.yaml`
+- **T002**: verify this section exists in `/home/jawz/Development/NixOS/specs/004-vps-migration/quickstart.md`
+- **T003**: `rg -n "mainServer|enableProxy" hosts/server/toggles.nix modules/modules.nix`
+- **T004**: `rg -n "wireguard|wg0|services.wireguard" modules/services/wireguard.nix hosts/vps/configuration.nix`
+- **T005**: `rg -n "vps|45.33.0.228|programs.ssh" config/jawz.nix modules/modules.nix`
+- **T006**: `rg -n "/etc/caddy/Caddyfile.d" sudo_hist jawz_hist`
+- **T007**: `rg -n 'mainServer = "vps"' hosts/server/toggles.nix modules/modules.nix`
+- **T008**: `rg -n "enableProxy = true" hosts/vps/toggles.nix hosts/vps/configuration.nix hosts/server/toggles.nix`
+- **T009**: ensure Caddy vs Nix comparison section remains in this file
+- **T010**: `rg -n "iqQCY4iAWO-ca/pem|certPath|proxyReversePrivate" modules/network/nginx.nix modules/servers`
+- **T011**: `rg -n "iptables.rules|iptables-restore|networking.firewall.enable = false" hosts/vps/configuration.nix`
+- **T012**: `rg -n "services.wireguard.enable = true" hosts/vps/configuration.nix`
+- **T013**: confirm `wireguard/private` exists in `secrets/wireguard.yaml`
+- **T014**: `rg -n "10.77.0.1/24|10.8.0.1/24|10.9.0.1/24|AllowedIPs|allowedIPs" modules/services/wireguard.nix`
+- **T015**: `rg -n "users\\.deploy|users\\.lidarr-reports|ed25519_deploy|ed25519_lidarr-reports" hosts/vps/configuration.nix`
+- **T016**: `rg -n "workstation|server|deacero|galaxy" hosts/vps/configuration.nix`
+- **T017**: `rg -n "ports = \\[ 3456 \\]|PermitRootLogin = \"no\"" hosts/vps/configuration.nix`
+- **T018**: `rg -n "sudo-rs\\.extraRules|nixos-rebuild|nixremote" hosts/vps/configuration.nix`
+- **T019**: `rg -n "nixworkstation" hosts/vps/configuration.nix`
+- **T020**: `rg -n "45\\.33\\.0\\.228" modules/modules.nix config/jawz.nix`
+- **T021**: `rg -n "endpoint = .*my\\.ips\\.vps" hosts/server/configuration.nix`
+- **T022**: verify "Clarification Candidates From History Review" section exists in this file
+- **T023**: intentionally skipped by operator for this implementation pass
+- **T024**: verify each task from T001-T026 has a corresponding verification line in this section
+- **T025**: `rg -n "caddy|Caddy" README.org docs || true` and confirm no active-proxy references remain outside legacy migration notes
+- **T026**: `rg -n "T0[0-2][0-9]" /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md` and confirm each task mentions at least one concrete path