init

specs/004-vps-migration/data-model.md

@@ -0,0 +1,41 @@
+# Data Model: VPS Migration
+
+## Host
+
+- **Fields**: name, role (primary/secondary), publicIp, vpnEndpoint, services[], proxyMappings[], firewallRuleSet
+- **Rules**: Exactly one primary host for reverse proxying.
+
+## Service
+
+- **Fields**: name, enabled, runsOnHost, proxyEnabled, domains[]
+- **Rules**: Services remain on host server; proxyEnabled true on VPS for all enabled services.
+
+## ProxyMapping
+
+- **Fields**: domain, targetService, tlsRequired
+- **Rules**: domain must be unique across mappings; domain must match service definitions.
+
+## FirewallRuleSet
+
+- **Fields**: sourceFile (iptables), rules[], appliedHost
+- **Rules**: Ruleset must be applied as-is; no translation allowed.
+
+## VPNPeer
+
+- **Fields**: name, publicKeyRef, allowedIps[]
+- **Rules**: allowedIps must be unique across peers; publicKeyRef must resolve via secrets system.
+
+## VPNInterface
+
+- **Fields**: addressRanges[], listenPort, privateKeyRef
+- **Rules**: privateKeyRef stored in secrets system; listenPort exposed on VPS.
+
+## ServiceUser
+
+- **Fields**: username, group, authorizedKeys[]
+- **Rules**: deploy uses ed25519_deploy.pub; lidarr-reports uses ed25519_lidarr-reports.pub.
+
+## MigrationChecklistItem
+
+- **Fields**: task, verificationStep, status
+- **Rules**: each migration task must have a verification step.