remediations
@@ -16,10 +16,10 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host

## Phase 2: Foundational

- [ ] T003 [P] Review toggles and mainHost options to identify reverse-proxy owner in hosts/ and modules/ (record candidate paths)
- [ ] T004 [P] Locate wireguard module and host toggles in modules/ and hosts/ (record candidate paths)
- [ ] T005 [P] Review SSH config locations and vps IP references to update to 45.33.0.228
- [ ] T006 [P] Review caddy config locations to prepare subdomain comparison (record file paths)
- [ ] T003 [P] Review mainServer and enableProxy options in hosts/server/toggles.nix and modules/modules.nix
- [ ] T004 [P] Review wireguard module in modules/services/wireguard.nix and VPS host config in hosts/vps/configuration.nix
- [ ] T005 [P] Review SSH host/IP settings in config/jawz.nix and modules/modules.nix for vps IP updates
- [ ] T006 [P] Review caddy file list references in jawz_hist and sudo_hist to prepare subdomain comparison inputs

## Phase 3: User Story 1 (P1) - Primary VPS reverse proxy

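Review bot: T006 now takes its caddy file list from the shell history files jawz_hist and sudo_hist; shell history routinely captures credentials typed as command arguments, so the task should say that these files are scrubbed, or that only the extracted caddy paths are recorded in specs/004-vps-migration/quickstart.md, before they become inputs the spec refers to. Secondary: the explicit target 45.33.0.228 that the old T005 carried is gone from the new T005 and reappears only in T019, so reference T019 from T005 to keep the two IP edits in step.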
@@ -27,9 +27,9 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host

**Independent test criteria**: Proxy mappings resolve through VPS to host server services without relocating services.

- [ ] T007 [US1] Set mainHost to vps in the relevant host/module option file (update file path once located)
- [ ] T008 [US1] Enable proxying for all enabled services on the VPS without moving service runtime (update relevant hosts/*/toggles.nix or equivalent)
- [ ] T009 [US1] Capture caddy config files and compare subdomains to servers/*.nix domain definitions; document mismatches in specs/004-vps-migration/quickstart.md
- [ ] T007 [US1] Set mainServer to \"vps\" in hosts/server/toggles.nix
- [ ] T008 [US1] Enable proxying on VPS by setting my.enableProxy = true in hosts/vps/configuration.nix and ensure services in hosts/server/toggles.nix have enableProxy = true
- [ ] T009 [US1] Capture provided caddy config files (e.g., /etc/caddy/Caddyfile.d/*) and compare subdomains to modules/servers/*.nix domain definitions; document mismatches in specs/004-vps-migration/quickstart.md

## Phase 4: User Story 2 (P1) - Firewall parity

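Review bot: T008 makes the VPS the public proxy for services that keep running on the host server, but neither T008 nor T009 states which upstream address the VPS proxies to; if it is the host's public address rather than its wireguard peer address, proxied traffic between VPS and host crosses the internet in the clear, and US1 is then not independent of the US3 wireguard tasks (T011, T020) as the Parallel Execution section claims. State the upstream address in T008 or add the tunnel as a prerequisite. Minor: T007 has escaped quotes in `mainServer to \"vps\"`, which reads as a JSON-encoded write into the markdown; it should be a plain `"vps"`.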
@@ -37,7 +37,7 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host

**Independent test criteria**: Known inbound/outbound flows match existing VPS behavior.

- [ ] T010 [US2] Apply iptables ruleset as-is to VPS firewall configuration in hosts/vps/ or modules/ (reference repo root iptables file)
- [ ] T010 [US2] Apply iptables ruleset as-is to VPS configuration in hosts/vps/configuration.nix using the repo root iptables file

## Phase 5: User Story 3 (P2) - Secure access and VPN peers

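Review bot: "Apply iptables ruleset as-is" in T010 conflicts with changes elsewhere in this diff: sshd moves to Port 3456 (T016) and the wireguard listen port is exposed (T011), so a ruleset written for the old VPS cannot be applied unchanged without either locking out SSH or leaving the new listener blocked. T010 should include a review of the repo root iptables file against the ports introduced in US3 and name how it is loaded in hosts/vps/configuration.nix (for example through networking.firewall.extraCommands, or as a replacement for the NixOS firewall), since that decides whether port openings declared by modules still take effect.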
@@ -45,12 +45,16 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host

**Independent test criteria**: VPN peers connect with correct addresses; SSH keys authenticate as expected.

- [ ] T011 [US3] Enable wireguard module on VPS host configuration (hosts/vps/ or equivalent) and ensure listen port exposed
- [ ] T012 [US3] Update wireguard peer configuration in modules/wireguard.nix using secrets refs for public/private keys (no plaintext)
- [ ] T013 [US3] Add service users and groups deploy and lidarr-reports with authorized_keys from secrets/ssh/ed25519_deploy.pub and secrets/ssh/ed25519_lidarr-reports.pub
- [ ] T014 [US3] Add admin SSH authorized_keys for workstation, server, deacero, galaxy in the standard SSH config files
- [ ] T015 [US3] Update SSH config to replace VPS IP with 45.33.0.228
- [ ] T016 [US3] Update host server wireguard client configuration to target the new VPS endpoint
- [ ] T011 [US3] Enable wireguard module on VPS in hosts/vps/configuration.nix (my.services.wireguard.enable = true) and ensure listen port exposed
- [ ] T012 [US3] Add sops secrets entries for wireguard keys in secrets/wireguard.yaml and confirm user-provided key material
- [ ] T013 [US3] Update wireguard peer configuration in modules/services/wireguard.nix using sops secrets refs for public/private keys (no plaintext)
- [ ] T014 [US3] Add service users and groups deploy and lidarr-reports with authorized_keys in hosts/vps/configuration.nix using secrets/ssh/ed25519_deploy.pub and secrets/ssh/ed25519_lidarr-reports.pub
- [ ] T015 [US3] Add admin SSH authorized_keys for workstation, server, deacero, galaxy in hosts/vps/configuration.nix
- [ ] T016 [US3] Configure sshd port and auth settings in config/base.nix to match: Port 3456, PermitRootLogin no, PasswordAuthentication no, AuthorizedKeysFile .ssh/authorized_keys
- [ ] T017 [US3] Harden remote rebuild access by switching to a non-root SSH user for rebuilds (nixremote) and requiring sudo for nixos-rebuild in hosts/vps/configuration.nix and modules/users/nixremote.nix
- [ ] T018 [US3] Restrict SSH access for remote rebuilds by limiting allowed users/keys for nixremote (update inputs.self.lib.getSshKeys list in hosts/vps/configuration.nix)
- [ ] T019 [US3] Update VPS IP to 45.33.0.228 in modules/modules.nix and config/jawz.nix SSH host entry
- [ ] T020 [US3] Update host server wireguard client configuration in hosts/server/configuration.nix to target the new VPS endpoint

## Phase 6: User Story 4 (P3) - Migration gaps and verification

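Review bot: T016 puts the sshd settings (Port 3456, PermitRootLogin no, PasswordAuthentication no) in config/base.nix, which from the other paths in this file is the shared base for every host rather than hosts/vps/configuration.nix; if the port change is meant for the VPS only it belongs in the VPS host file, and if it is meant for all hosts the task should say so, because each host's firewall and every SSH client entry (T019 covers only the VPS entry) then needs the new port before a rebuild, or the nixremote path from T017 locks itself out. On T017/T018: "requiring sudo for nixos-rebuild" for nixremote is only a real privilege boundary if the sudoers rule is limited to that command, so spell out the rule's scope in T017; and T012's "user-provided key material" for the wireguard private key should be checked against the jawz_hist/sudo_hist files that T021 reviews so the key does not also survive there in plaintext.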
@@ -58,14 +62,14 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host

**Independent test criteria**: Clarification list exists and each task has a verification step.

- [ ] T017 [US4] Review sudo_hist and jawz_hist for missing configuration; record clarification list in specs/004-vps-migration/quickstart.md
- [ ] T018 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md
- [ ] T019 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md
- [ ] T021 [US4] Review sudo_hist and jawz_hist for missing configuration; record clarification list in specs/004-vps-migration/quickstart.md
- [ ] T022 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md
- [ ] T023 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md

## Phase 7: Polish & Cross-Cutting Concerns

- [ ] T020 [P] Update any references to old VPS proxy logic (caddy) to ensure nginx is the only proxy in documentation (README.org or docs/ if applicable)
- [ ] T021 [P] Validate that all tasks have explicit file paths and update task descriptions accordingly
- [ ] T024 [P] Update any references to old VPS proxy logic (caddy) to ensure nginx is the only proxy in documentation (README.org or docs/ if applicable)
- [ ] T025 [P] Validate that all tasks have explicit file paths and update task descriptions accordingly

## Dependencies

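Review bot: this hunk only renumbers T017-T019 to T021-T023 and T020-T021 to T024-T025, but the old IDs are now reused in US3 for the SSH hardening tasks, so any existing reference to T017-T021 in specs/004-vps-migration/quickstart.md or under Dependencies (the Dependencies body is not part of this diff) now points at different work and should be checked. T023's "verification steps for each task" should in particular include a check that SSH on port 3456 and the wireguard tunnel are reachable after T010's firewall change, since those are the tasks whose failure mode is lockout.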
@@ -73,11 +77,11 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host

## Parallel Execution Examples

- US1: T007, T008, T009 can proceed once T003 and T006 identify the correct files.
- US1: T007, T008, T009 can proceed once T003 and T006 are reviewed.
- US2: T010 can proceed once iptables application location is identified.
- US3: T011 and T015 can proceed after T004 and T005 identify file locations; T012 depends on secrets references.
- US4: T017, T018, T019 can proceed independently once logs are reviewed and quickstart.md is open.
- US3: T011, T015, T016, T017, and T019 can proceed after T004 and T005 review; T012 depends on user-provided secrets.
- US4: T021, T022, T023 can proceed independently once logs are reviewed and quickstart.md is open.

## Validation

- All tasks use the required checklist format with IDs, story labels, and file paths (to be filled precisely in T021).
- All tasks use the required checklist format with IDs, story labels, and explicit file paths.

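Review bot: the new Validation bullet states that all tasks carry explicit file paths, but T006 (jawz_hist and sudo_hist with no repository path) and T009 ("e.g., /etc/caddy/Caddyfile.d/*") still do not, and T025 still exists to perform exactly that check, so either keep the old "to be filled precisely" wording or drop T025. In the updated US3 line, T013 (needs T012's sops entries), T018 (follows T017) and T020 are omitted; listing them with their dependencies keeps the user-provided-secrets dependency visible instead of letting T013 start before the key material exists.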