diff --git a/specs/004-vps-migration/spec.md b/specs/004-vps-migration/spec.md index f47f946..831c870 100644 --- a/specs/004-vps-migration/spec.md +++ b/specs/004-vps-migration/spec.md 
@@ -134,14 +134,15 @@ As an operator, I want a checklist of potential missing configuration from exist - **FR-001**: The system MUST designate the new VPS as the primary host for reverse proxying and ensure all enabled services are routed through it without relocating the services. - **FR-002**: The system MUST ensure proxy configuration is enabled for all services currently enabled on the host server so traffic flows through the new VPS while services remain on the host server. - **FR-003**: The system MUST request existing proxy configuration files for verification and flag any subdomain mismatches against current service definitions. -- **FR-004**: The system MUST apply firewall rules on the new VPS that match the existing VPS behavior for all documented inbound and outbound flows. -- **FR-014**: The system MUST apply the existing iptables ruleset as-is to achieve firewall parity. +- **FR-004**: The system MUST apply the existing iptables ruleset as-is on the new VPS to match the existing VPS behavior for all documented inbound and outbound flows. - **FR-005**: The system MUST enable the VPN configuration on the new VPS with the specified peer addresses and ensure each peer is uniquely identified. - **FR-006**: The system MUST support encrypting sensitive VPN keys and pause for user-provided secret material when required. - **FR-015**: The system MUST store VPN keys only in the existing secrets system and must not place them in plaintext configuration. - **FR-007**: The system MUST create service users and groups for deployment workflows and grant SSH access via specified public keys. - **FR-008**: The system MUST configure SSH access for all standard admin hosts and update the VPS connection target to the new public IP. - **FR-016**: The system MUST grant SSH access only to workstation, server, deacero, and galaxy admin hosts. 
+- **FR-017**: The system MUST configure SSHD to use a non-default port and disable root/password authentication to match the existing VPS security posture. +- **FR-018**: The system MUST harden remote rebuild access by using a non-root SSH user with least-privilege access for rebuild operations. - **FR-009**: The system MUST update dependent host configurations so existing VPN client connections target the new VPS. - **FR-010**: The system MUST review provided history logs and produce a clarification list of potential missing configurations. - **FR-011**: The system MUST document migration steps for the analytics service and include them in the migration plan. diff --git a/specs/004-vps-migration/tasks.md b/specs/004-vps-migration/tasks.md index 65ee45a..3c1ca3a 100644 --- a/specs/004-vps-migration/tasks.md +++ b/specs/004-vps-migration/tasks.md @@ -16,10 +16,10 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host ## Phase 2: Foundational -- [ ] T003 [P] Review toggles and mainHost options to identify reverse-proxy owner in hosts/ and modules/ (record candidate paths) -- [ ] T004 [P] Locate wireguard module and host toggles in modules/ and hosts/ (record candidate paths) -- [ ] T005 [P] Review SSH config locations and vps IP references to update to 45.33.0.228 -- [ ] T006 [P] Review caddy config locations to prepare subdomain comparison (record file paths) +- [ ] T003 [P] Review mainServer and enableProxy options in hosts/server/toggles.nix and modules/modules.nix +- [ ] T004 [P] Review wireguard module in modules/services/wireguard.nix and VPS host config in hosts/vps/configuration.nix +- [ ] T005 [P] Review SSH host/IP settings in config/jawz.nix and modules/modules.nix for vps IP updates +- [ ] T006 [P] Review caddy file list references in jawz_hist and sudo_hist to prepare subdomain comparison inputs ## Phase 3: User Story 1 (P1) - Primary VPS reverse proxy 
@@ -27,9 +27,9 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host **Independent test criteria**: Proxy mappings resolve through VPS to host server services without relocating services. -- [ ] T007 [US1] Set mainHost to vps in the relevant host/module option file (update file path once located) -- [ ] T008 [US1] Enable proxying for all enabled services on the VPS without moving service runtime (update relevant hosts/*/toggles.nix or equivalent) -- [ ] T009 [US1] Capture caddy config files and compare subdomains to servers/*.nix domain definitions; document mismatches in specs/004-vps-migration/quickstart.md +- [ ] T007 [US1] Set mainServer to \"vps\" in hosts/server/toggles.nix +- [ ] T008 [US1] Enable proxying on VPS by setting my.enableProxy = true in hosts/vps/configuration.nix and ensure services in hosts/server/toggles.nix have enableProxy = true +- [ ] T009 [US1] Capture provided caddy config files (e.g., /etc/caddy/Caddyfile.d/*) and compare subdomains to modules/servers/*.nix domain definitions; document mismatches in specs/004-vps-migration/quickstart.md ## Phase 4: User Story 2 (P1) - Firewall parity @@ -37,7 +37,7 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host **Independent test criteria**: Known inbound/outbound flows match existing VPS behavior. -- [ ] T010 [US2] Apply iptables ruleset as-is to VPS firewall configuration in hosts/vps/ or modules/ (reference repo root iptables file) +- [ ] T010 [US2] Apply iptables ruleset as-is to VPS configuration in hosts/vps/configuration.nix using the repo root iptables file ## Phase 5: User Story 3 (P2) - Secure access and VPN peers 
@@ -45,12 +45,16 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host **Independent test criteria**: VPN peers connect with correct addresses; SSH keys authenticate as expected. -- [ ] T011 [US3] Enable wireguard module on VPS host configuration (hosts/vps/ or equivalent) and ensure listen port exposed -- [ ] T012 [US3] Update wireguard peer configuration in modules/wireguard.nix using secrets refs for public/private keys (no plaintext) -- [ ] T013 [US3] Add service users and groups deploy and lidarr-reports with authorized_keys from secrets/ssh/ed25519_deploy.pub and secrets/ssh/ed25519_lidarr-reports.pub -- [ ] T014 [US3] Add admin SSH authorized_keys for workstation, server, deacero, galaxy in the standard SSH config files -- [ ] T015 [US3] Update SSH config to replace VPS IP with 45.33.0.228 -- [ ] T016 [US3] Update host server wireguard client configuration to target the new VPS endpoint +- [ ] T011 [US3] Enable wireguard module on VPS in hosts/vps/configuration.nix (my.services.wireguard.enable = true) and ensure listen port exposed +- [ ] T012 [US3] Add sops secrets entries for wireguard keys in secrets/wireguard.yaml and confirm user-provided key material +- [ ] T013 [US3] Update wireguard peer configuration in modules/services/wireguard.nix using sops secrets refs for public/private keys (no plaintext) +- [ ] T014 [US3] Add service users and groups deploy and lidarr-reports with authorized_keys in hosts/vps/configuration.nix using secrets/ssh/ed25519_deploy.pub and secrets/ssh/ed25519_lidarr-reports.pub +- [ ] T015 [US3] Add admin SSH authorized_keys for workstation, server, deacero, galaxy in hosts/vps/configuration.nix +- [ ] T016 [US3] Configure sshd port and auth settings in config/base.nix to match: Port 3456, PermitRootLogin no, PasswordAuthentication no, AuthorizedKeysFile .ssh/authorized_keys +- [ ] T017 [US3] Harden remote rebuild access by switching to a non-root SSH user for rebuilds (nixremote) and requiring sudo 
for nixos-rebuild in hosts/vps/configuration.nix and modules/users/nixremote.nix +- [ ] T018 [US3] Restrict SSH access for remote rebuilds by limiting allowed users/keys for nixremote (update inputs.self.lib.getSshKeys list in hosts/vps/configuration.nix) +- [ ] T019 [US3] Update VPS IP to 45.33.0.228 in modules/modules.nix and config/jawz.nix SSH host entry +- [ ] T020 [US3] Update host server wireguard client configuration in hosts/server/configuration.nix to target the new VPS endpoint ## Phase 6: User Story 4 (P3) - Migration gaps and verification 
@@ -58,14 +62,14 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host **Independent test criteria**: Clarification list exists and each task has a verification step. -- [ ] T017 [US4] Review sudo_hist and jawz_hist for missing configuration; record clarification list in specs/004-vps-migration/quickstart.md -- [ ] T018 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md -- [ ] T019 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md +- [ ] T021 [US4] Review sudo_hist and jawz_hist for missing configuration; record clarification list in specs/004-vps-migration/quickstart.md +- [ ] T022 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md +- [ ] T023 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md ## Phase 7: Polish & Cross-Cutting Concerns -- [ ] T020 [P] Update any references to old VPS proxy logic (caddy) to ensure nginx is the only proxy in documentation (README.org or docs/ if applicable) -- [ ] T021 [P] Validate that all tasks have explicit file paths and update task descriptions accordingly +- [ ] T024 [P] Update any references to old VPS proxy logic (caddy) to ensure nginx is the only proxy in documentation (README.org or docs/ if applicable) +- [ ] T025 [P] Validate that all tasks have explicit file paths and update task descriptions accordingly ## Dependencies 
@@ -73,11 +77,11 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host ## Parallel Execution Examples -- US1: T007, T008, T009 can proceed once T003 and T006 identify the correct files. +- US1: T007, T008, T009 can proceed once T003 and T006 are reviewed. - US2: T010 can proceed once iptables application location is identified. -- US3: T011 and T015 can proceed after T004 and T005 identify file locations; T012 depends on secrets references. -- US4: T017, T018, T019 can proceed independently once logs are reviewed and quickstart.md is open. +- US3: T011, T015, T016, T017, and T019 can proceed after T004 and T005 review; T012 depends on user-provided secrets. +- US4: T021, T022, T023 can proceed independently once logs are reviewed and quickstart.md is open. ## Validation -- All tasks use the required checklist format with IDs, story labels, and file paths (to be filled precisely in T021). +- All tasks use the required checklist format with IDs, story labels, and explicit file paths.
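Review bot: in the spec.md hunk, FR-017 lists the non-default SSH port alongside disabling root and password login as if all three carry the same weight; only `PermitRootLogin no` and `PasswordAuthentication no` change what an attacker can do, the port move merely reduces scanner noise, so the requirement should state key-only authentication as the control and the port as a convenience. Folding FR-014 into FR-004 also leaves FR-014 unassigned while FR-015 and FR-016 stay, so either renumber or note the gap so tasks.md references do not drift.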
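Review bot: T006 in the Phase 2 hunk takes jawz_hist and sudo_hist, which are shell history dumps, as the inputs for the caddy subdomain comparison; shell histories routinely contain tokens and passwords typed inline, so the task should say where these files live and that they are reviewed out of tree and not committed beside the spec. T021 reads the same files and inherits the same caveat.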
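Review bot: T007 in the Phase 3 hunk writes `\"vps\"` with backslash-escaped quotes, which render literally in Markdown; it should read `Set mainServer to "vps" in hosts/server/toggles.nix`. T009 in the same hunk still gives `/etc/caddy/Caddyfile.d/*` as an `e.g.` rather than a confirmed location, which conflicts with the Validation bullet's claim that every task now carries an explicit file path.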
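Review bot: T010 in the Phase 4 hunk applies the repo-root iptables file as-is, but T016 moves sshd to port 3456 and T011 exposes the wireguard listen port, and nothing in this task checks the ruleset permits either; add a verification step such as `iptables -S INPUT | grep 3456` run from a session kept open with a timed rollback before the task is marked done, otherwise the new host is locked out the moment the rules load. The task should also name any interface or address values in the file that differ on the new VPS, since it sits on the new public IP 45.33.0.228.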
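Review bot: T017 in the Phase 5 hunk calls nixremote with sudo for nixos-rebuild least privilege, but anyone who can run `nixos-rebuild switch` activates an arbitrary system configuration and is root-equivalent; the actual boundary is which keys land in the getSshKeys list in T018, so T017 should say the sudo rule is scoped to the exact rebuild command and that the key list, not sudo, is the control. Separately, T016 edits config/base.nix, which by name is shared by every host, so `Port 3456` would apply fleet-wide rather than only to the VPS; if that is not intended the setting belongs in hosts/vps/configuration.nix next to T014 and T015.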
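Review bot: the US3 parallel-execution line in the last hunk lists T011, T015, T016, T017 and T019 as ready after T004 and T005 but omits that T013 depends on T012 (the sops entries it references) and T018 on T017 (the nixremote user it restricts); state those orderings so the dependency text matches the tasks. The Validation bullet also drops the pointer to the path-validation task, yet that task still exists as T025, so either keep the reference (updated to T025) or retire T025.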