init

specs/004-vps-migration/plan.md

@@ -0,0 +1,52 @@
+# Implementation Plan: VPS Migration
+
+**Branch**: `004-vps-migration` | **Date**: 2026-02-04 | **Spec**: /home/jawz/Development/NixOS/specs/004-vps-migration/spec.md
+**Input**: Feature specification from `/specs/004-vps-migration/spec.md`
+
+## Summary
+
+Migrate VPS responsibilities to the new NixOS host by making it the primary reverse-proxy host (nginx only), mirroring the existing iptables ruleset, enabling wireguard with secret-managed keys, and restoring SSH/service-user access, while keeping all services running on the host server. Provide validation steps, review historical configs for gaps, and document analytics data migration.
+
+## Technical Context
+
+**Language/Version**: Nix (flakes; nixpkgs 25.11)  
+**Primary Dependencies**: NixOS modules, sops-nix, nginx, wireguard, openssh, iptables  
+**Storage**: Files (configuration and secrets)  
+**Testing**: Manual validation steps (no automated test harness)  
+**Target Platform**: Linux server (NixOS)  
+**Project Type**: configuration repo  
+**Performance Goals**: N/A (configuration change)  
+**Constraints**: Services remain on host server; VPS only terminates proxy and exposes wireguard port; iptables parity required  
+**Scale/Scope**: Single VPS + host server, small set of VPN peers and admin SSH principals
+
+## Constitution Check
+
+No enforceable constitution rules are defined (placeholders only). Gate passes by default.
+
+Post-design check: unchanged (no enforceable gates found).
+
+## Project Structure
+
+### Documentation (this feature)
+
+```text
+specs/004-vps-migration/
+├── plan.md
+├── research.md
+├── data-model.md
+├── quickstart.md
+├── contracts/
+└── tasks.md
+```
+
+### Source Code (repository root)
+
+```text
+hosts/
+modules/
+secrets/
+iptables
+scripts/
+```
+
+**Structure Decision**: Use the existing NixOS configuration layout (`hosts/`, `modules/`, `secrets/`) and the root `iptables` ruleset file.