From c09268891e43efa2efce657babf0c914f16ba8fe Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Thu, 5 Feb 2026 12:45:39 -0600
Subject: [PATCH] firewall migration
---
 hosts/vps/configuration.nix | 74 ++++++++++++++++++++++-----
 specs/004-vps-migration/quickstart.md | 11 ++--
 specs/004-vps-migration/tasks.md | 2 +-
 3 files changed, 70 insertions(+), 17 deletions(-)
diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix
index fc50bc3..2af6424 100644
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -5,6 +5,10 @@
 pkgs,
 ...
 }:
+let
+ externalInterface = config.my.interfaces.${config.networking.hostName};
+ homeServer = config.my.ips.wg-server;
+in
 {
 imports = [
 ./hardware-configuration.nix
@@ -21,18 +25,64 @@
 ];
 };
 };
- environment.etc."iptables.rules".source = ../../iptables;
- networking.firewall.enable = lib.mkForce false;
- networking.nftables.enable = false;
- systemd.services.iptables-restore = {
- description = "Apply iptables ruleset";
- wantedBy = [ "multi-user.target" ];
- after = [ "network-pre.target" ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- ExecStart = "${pkgs.iptables}/bin/iptables-restore --wait /etc/iptables.rules";
- };
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 80
+ 443
+ 3456
+ ];
+ allowedUDPPorts = [ 51820 ];
+ extraForwardRules = ''
+ ct state established,related accept
+
+ ip daddr ${homeServer}/32 tcp dport { 22, 51412 } accept
+ ip daddr ${homeServer}/32 udp dport 51412 accept
+
+ ip saddr 10.8.0.2/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
+ ip saddr 10.8.0.3/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
+ ip saddr 10.8.0.4/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
+ ip saddr 10.8.0.5/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
+ ip saddr ${homeServer}/32 ip daddr 10.8.0.2/32 tcp dport 22000 accept
+ ip saddr ${homeServer}/32 ip daddr 10.8.0.3/32 tcp dport 22000 accept
+ ip saddr ${homeServer}/32 ip daddr 10.8.0.4/32 tcp dport 22000 accept
+ ip saddr ${homeServer}/32 ip daddr 10.8.0.5/32 tcp dport 22000 accept
+
+ ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 tcp dport { 8008, 8448, 8999 } accept
+
+ ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
+ ip saddr ${homeServer}/32 ip daddr 10.8.0.0/24 icmp type echo-reply accept
+
+ ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 tcp dport 9999 accept
+ ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
+ ip saddr ${homeServer}/32 ip daddr 10.9.0.0/24 icmp type echo-reply accept
+
+ ip saddr 10.8.0.0/24 oifname "${externalInterface}" accept
+ ip saddr 10.9.0.0/24 oifname "${externalInterface}" accept
+
+ ip saddr 10.8.0.0/24 ip daddr 10.77.0.0/24 drop
+ ip saddr 10.77.0.0/24 ip daddr 10.8.0.0/24 drop
+ ip saddr 10.9.0.0/24 ip daddr 10.77.0.0/24 drop
+ ip saddr 10.77.0.0/24 ip daddr 10.9.0.0/24 drop
+ ip saddr 10.9.0.0/24 ip daddr 10.8.0.0/24 drop
+ ip saddr 10.8.0.0/24 ip daddr 10.9.0.0/24 drop
+ '';
+ extraCommands = ''
+ iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22
+ iptables -t nat -A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
+ iptables -t nat -A PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
+ iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE
+ iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE
+ iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE
+ '';
+ extraStopCommands = ''
+ iptables -t nat -D PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22 || true
+ iptables -t nat -D PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
+ iptables -t nat -D PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
+ iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE || true
+ iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE || true
+ iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE || true
+ '';
 };
 image.modules.linode = { };
 networking.hostName = "vps";
diff --git a/specs/004-vps-migration/quickstart.md b/specs/004-vps-migration/quickstart.md
index eb05150..8e7ef1a 100644
--- a/specs/004-vps-migration/quickstart.md
+++ b/specs/004-vps-migration/quickstart.md
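Review bot: `extraForwardRules` and `extraCommands`/`extraStopCommands` belong to different NixOS firewall backends, so only part of this ruleset can ever be active: as far as I recall, `extraForwardRules` (and the drop-policy `forward` chain it is appended to) is rendered only by the nftables backend with `networking.firewall.filterForward = true`, whereas `extraCommands` is honoured only by the iptables backend and, I believe, rejected by an assertion once `networking.nftables.enable = true`. Since the hunk also drops the explicit `networking.nftables.enable = false;`, the default iptables backend remains selected and the home-server port allow-list plus the `10.8`/`10.9`/`10.77` isolation `drop`s are silently never installed, while the DNAT/MASQUERADE lines are. Pick one backend — either enable nftables with `filterForward = true` and move the NAT into `networking.nftables.tables` as sketched below (which also removes the `-D … || true` cleanup), or keep iptables and express the forward filtering as `iptables -A FORWARD …` lines in `extraCommands`. Independently, the three `PREROUTING … DNAT` rules match on any ingress interface; restricting them to the external interface (`-i ${externalInterface}` / `iifname`) keeps peers on the VPN subnets that talk to the VPS itself on 22/51412 from being redirected as well. The forward rules also rely on `net.ipv4.ip_forward` and on masquerading for the `10.8.0.0/24`/`10.9.0.0/24 oifname` egress accepts, neither of which is set in this file as far as visible — presumably the WireGuard definition provides them; worth verifying.
```nix
networking.nftables.enable = true;
networking.firewall = {
  enable = true;
  filterForward = true;
  # … unchanged: allowedTCPPorts, allowedUDPPorts, extraForwardRules …
  # extraCommands / extraStopCommands dropped: iptables-only, replaced by the nat table below
};
networking.nftables.tables.nat = {
  family = "ip";
  content = ''
    chain prerouting {
      type nat hook prerouting priority dstnat; policy accept;
      iifname "${externalInterface}" tcp dport { 22, 51412 } dnat to ${homeServer}
      iifname "${externalInterface}" udp dport 51412 dnat to ${homeServer}
    }
    chain postrouting {
      type nat hook postrouting priority srcnat; policy accept;
      ip daddr ${homeServer} tcp dport { 22, 51412 } masquerade
      ip daddr ${homeServer} udp dport 51412 masquerade
    }
  '';
};
```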
@@ -60,9 +60,12 @@
 - `mb-report.lebubu.org` and `torrent.lebubu.org` are present in caddy but no matching Nix server host was found.
 5. Migrate analytics data:
- - Export data from existing server
- - Import into new server
- - Validate historical data is present
+ - Identify the analytics system (e.g., Plausible) and its data store location or database
+ - Freeze writes during export (stop the analytics service or enable maintenance mode)
+ - Export analytics data from the existing server (db dump or data directory archive)
+ - Transfer the export to the new server using the secure path already used for secrets/config
+ - Import the data on the new server and restart the analytics service
+ - Validate historical data is present (date range coverage, dashboard counts, and sample events)
 6. Run verification steps for each task (per spec FR-012).
@@ -97,7 +100,7 @@
 - **T020**: `rg -n "45\\.33\\.0\\.228" modules/modules.nix config/jawz.nix`
 - **T021**: `rg -n "endpoint = .*my\\.ips\\.vps" hosts/server/configuration.nix`
 - **T022**: verify "Clarification Candidates From History Review" section exists in this file
-- **T023**: intentionally skipped by operator for this implementation pass
+- **T023**: `rg -n "Migrate analytics data|Export analytics|Import.*analytics|Validate historical data" /home/jawz/Development/NixOS/specs/004-vps-migration/quickstart.md`
 - **T024**: verify each task from T001-T026 has a corresponding verification line in this section
 - **T025**: `rg -n "caddy|Caddy" README.org docs || true` and confirm no active-proxy references remain outside legacy migration notes
 - **T026**: `rg -n "T0[0-2][0-9]" /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md` and confirm each task mentions at least one concrete path
diff --git a/specs/004-vps-migration/tasks.md b/specs/004-vps-migration/tasks.md
index 8dbfba2..e07d8af 100644
--- a/specs/004-vps-migration/tasks.md
+++ b/specs/004-vps-migration/tasks.md
@@ -64,7 +64,7 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host
 **Independent test criteria**: Clarification list exists and each task has a verification step.
 - [x] T022 [US4] Review sudo_hist and jawz_hist for missing configuration; record clarification list in specs/004-vps-migration/quickstart.md
-- [ ] T023 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md
+- [x] T023 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md
 - [x] T024 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md
 ## Phase 7: Polish & Cross-Cutting Concerns