create www-data

docs/constitution.md

@@ -7,7 +7,7 @@
 
 ## Repository Overview
 - Architecture: Flake-based repo using `flake-parts` with inputs for pkgs (stable/unstable), stylix, home-manager, sops-nix, and service overlays. Common modules are composed through `parts/core.nix` and `parts/hosts.nix`.
-- Module auto-import: `modules/modules.nix` auto-imports `.nix` files under `modules/apps`, `modules/dev`, `modules/scripts`, `modules/servers`, `modules/services`, `modules/shell`, and `modules/network`, excluding `librewolf.nix`. Factories live in `modules/factories/` (`mkserver`, `mkscript`), and shared options are in `modules/nix` and `modules/users`.
+- Module auto-import: `modules/modules.nix` auto-imports `.nix` files under `modules/apps`, `modules/dev`, `modules/scripts`, `modules/servers`, `modules/services`, `modules/shell`, `modules/websites`, and `modules/network`, excluding `librewolf.nix`. Factories live in `modules/factories/` (`mkserver`, `mkscript`), and shared options are in `modules/nix` and `modules/users`.
 - Hosts and toggles: Host definitions live in `hosts/<name>/configuration.nix` with host-specific toggles in `hosts/<name>/toggles.nix`. The `my` namespace carries toggles for apps/dev/scripts/services/shell, feature flags like `enableProxy` and `enableContainers`, and per-host `interfaces` and `ips` maps.
 - Main server and proxies: `my.mainServer` selects the host that should serve traffic by default (default `vps`). Reverse proxies use helpers in `parts/core.nix` (`proxy`, `proxyReverse`, `proxyReverseFix`, `proxyReversePrivate`) and pick IPs from `my.ips` plus the hostName/ip set by `mkserver` options. Nginx defaults to `proxyReverse` for any server with `enableProxy = true` unless `useDefaultProxy = false` or the server is listed in the Fix/Private proxy lists.
 - Secure hosts and secrets: `my.secureHost` gates SOPS secrets. Secure hosts load secrets from `secrets/*.yaml` and wireguard definitions; non-secure hosts (e.g., `hosts/emacs`) skip secret-dependent services. Default SOPS file is `secrets/secrets.yaml` via `config/base.nix`. Proxy-only services that need private certificates must still define their cert secrets when `enableProxy = true`.
@@ -34,6 +34,7 @@ config.services = {
 - Options: Settings under the `my` namespace (e.g., `my.services.<service>`, `my.scripts.<script>`).
 - Toggles: Enablement maps in `hosts/<name>/toggles.nix` controlling categories (apps/dev/shell/scripts/services/servers/units) and features (`enableProxy`, `enableContainers`).
 - Servers: Reverse-proxied services under `modules/servers/`, normally created with `mkserver` options (including `useDefaultProxy` to opt out of default proxyReverse).
+- Websites: Static nginx vhosts under `modules/websites/` (portfolio/blog, mb-report), gated by `my.websites.*.enableProxy`.
 - Scripts: Units defined via `mkscript` with `enable`, `install`, `service`, `users`, `timer`, and `package` fields.
 - Playbooks: Workflow guides under `docs/playbooks/` for repeatable tasks.
 - Reference map: Navigation index under `docs/reference/index.md` for paths and responsibilities.
@@ -45,7 +46,7 @@ config.services = {
 - VPS enrollment flow: The vps host generates its own key on first boot, then operators enroll the public key, re-encrypt secrets, and redeploy. Follow `docs/playbooks/enroll-vps.md`.
 
 ## Module Categories and Active Hosts
-- Module categories: apps, dev, scripts, servers, services, shell, network, users, nix, patches. Factories sit in `modules/factories/` and are imported explicitly.
+- Module categories: apps, dev, scripts, servers, services, shell, websites, network, users, nix, patches. Factories sit in `modules/factories/` and are imported explicitly.
 - Active hosts: `workstation`, `server`, `miniserver`, `galaxy`, `emacs`. Host roles and secure status are defined in `hosts/<name>/configuration.nix` and toggles in `hosts/<name>/toggles.nix`.
 
 ## Precedence and Conflict Resolution

docs/reference/index.md

@@ -7,6 +7,7 @@
 - servers → `modules/servers/` (reverse-proxied services built via `mkserver`)
 - services → `modules/services/` (supporting services like syncthing, wireguard)
 - shell → `modules/shell/` (shell customizations and CLI tooling)
+- websites → `modules/websites/` (static nginx vhosts for portfolio/blog and reports)
 - network → `modules/network/` (networking rules, firewall helpers)
 - users → `modules/users/` (user-related options)
 - nix → `modules/nix/` (Nix configuration and helpers)
@@ -60,7 +61,7 @@
 - MCP server reference: `docs/reference/mcp-server.md` (tool catalog, `nixos-mcp` wrapper, invocation, sync-docs)
 
 ## Quick Audit Checklist
-- Module coverage: All categories (apps, dev, scripts, servers, services, shell, network, users, nix, patches) have corresponding entries and auto-import rules.
+- Module coverage: All categories (apps, dev, scripts, servers, services, shell, websites, network, users, nix, patches) have corresponding entries and auto-import rules.
 - Host coverage: Active hosts listed with roles and secureHost status; `mainServer` noted.
 - Proxy rules: `enableProxy` usage, proxy helper selection, and `my.ips` mappings documented.
 - Secrets map: Every secrets file and secureHost gating captured; new secret types aligned to file purposes.

hosts/vps/configuration.nix

@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  pkgs,
   inputs,
   ...
 }:
@@ -134,16 +135,25 @@ in
     groups = {
       deploy = { };
       lidarr-reports = { };
+      www-data = { };
     };
     users = {
+      nginx.extraGroups = [ "www-data" ];
       deploy = {
         isSystemUser = true;
         group = "deploy";
+        home = "/var/lib/deploy";
+        createHome = true;
+        shell = pkgs.bashInteractive;
+        extraGroups = [ "www-data" ];
         openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_deploy.pub ];
       };
       lidarr-reports = {
         isSystemUser = true;
         group = "lidarr-reports";
+        home = "/var/lib/lidarr-reports";
+        createHome = true;
+        shell = pkgs.bashInteractive;
         openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_lidarr-reports.pub ];
       };
     };

hosts/vps/toggles.nix

@@ -32,6 +32,12 @@ in
       port = 8081;
     };
   }
+  // {
+    websites = {
+      portfolio.enableProxy = true;
+      lidarrMbReport.enableProxy = true;
+    };
+  }
   // enableList mkEnabledProxyIp [
     "audiobookshelf"
     "bazarr"

iptables

@@ -1,126 +0,0 @@
-# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan  2 03:44:23 2026
-*mangle
-:PREROUTING ACCEPT [95853893:179831236298]
-:INPUT ACCEPT [94316554:179510512585]
-:FORWARD ACCEPT [1536524:320567864]
-:OUTPUT ACCEPT [49857522:93072472240]
-:POSTROUTING ACCEPT [51393797:93393029789]
-COMMIT
-# Completed on Fri Jan  2 03:44:23 2026
-# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan  2 03:44:23 2026
-*raw
-:PREROUTING ACCEPT [95853893:179831236298]
-:OUTPUT ACCEPT [49857522:93072472240]
-COMMIT
-# Completed on Fri Jan  2 03:44:23 2026
-# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan  2 03:44:23 2026
-*filter
-:INPUT ACCEPT [94315678:179510353216]
-:FORWARD ACCEPT [46534:2774394]
-:OUTPUT ACCEPT [49857520:93072471971]
-
-
-# --- Incoming (INPUT) rules for VPS itself ---
-# Accept SSH on port 3456 (new SSH port)
-# allow SSH to VPS
--A INPUT -p tcp --dport 3456 -m conntrack --ctstate NEW -j ACCEPT
-
-# allow established connections (responses)
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-# (Optionally, add other INPUT rules for any services the VPS itself runs, if any, like HTTP/HTTPS if needed)
-
-# If a default DROP policy is desired on INPUT, or an explicit drop rule:
-# -A INPUT -j DROP   # (optional: lock down any other input)
-
-# --- Forwarding (FORWARD) rules for VPN traffic ---
-# allow return traffic for established sessions
--A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-# Syncthing between 10.8.0.2 and home server
-# 10.8.0.2 -> 10.77.0.0 Syncthing
--A FORWARD -s 10.8.0.2/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
--A FORWARD -s 10.8.0.3/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
--A FORWARD -s 10.8.0.4/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
--A FORWARD -s 10.8.0.5/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
-# home -> 10.8.0.0 Syncthing
--A FORWARD -s 10.77.0.2/32 -d 10.8.0.2/32 -p tcp --dport 22000 -j ACCEPT
--A FORWARD -s 10.77.0.2/32 -d 10.8.0.3/32 -p tcp --dport 22000 -j ACCEPT
--A FORWARD -s 10.77.0.2/32 -d 10.8.0.4/32 -p tcp --dport 22000 -j ACCEPT
--A FORWARD -s 10.77.0.2/32 -d 10.8.0.5/32 -p tcp --dport 22000 -j ACCEPT
-
-# Matrix/Synapse access from 10.8 subnet to home server
-# allow Matrix client port
--A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8008 -j ACCEPT
-# allow Matrix federation port
--A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8448 -j ACCEPT
-# allow TURN/other (if used)
--A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8999 -j ACCEPT
-
-# ICMP between 10.8 subnet and home
-# ping home from 10.8 clients
--A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
-# ping 10.8 clients from home
--A FORWARD -s 10.77.0.2/32 -d 10.8.0.0/24 -p icmp -j ACCEPT
-
-# New Friend's subnet (10.9) access rule
-# allow new subnet to access port 9999 on home
--A FORWARD -s 10.9.0.2/24 -d 10.77.0.2/32 -p tcp --dport 9999 -j ACCEPT
-# allow ping to home
--A FORWARD -s 10.9.0.2/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
-# allow ping reply from home
--A FORWARD -s 10.77.0.2/32 -d 10.9.0.2/24 -p icmp -j ACCEPT
-
-# Allow VPN subnets to reach Internet (MASQUERADE will SNAT them)
-# 10.8 clients to internet
--A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
-# 10.9 clients to internet
--A FORWARD -s 10.9.0.2/24 -o eth0 -j ACCEPT
-
-# Drop all other traffic between these subnets and home or between subnets (isolation)
-# drop any 10.8 -> home not allowed
--A FORWARD -s 10.8.0.0/24 -d 10.77.0.0/24 -j DROP
-# drop any home -> 10.8 not allowed
--A FORWARD -s 10.77.0.0/24 -d 10.8.0.0/24 -j DROP
-
-# drop any 10.9 -> home not allowed (except 9999/ping above)
--A FORWARD -s 10.9.0.0/24 -d 10.77.0.0/24 -j DROP
-# drop any home -> 10.9 not allowed
--A FORWARD -s 10.77.0.0/24 -d 10.9.0.0/24 -j DROP
-
-# drop 10.9 -> 10.8 (no client-to-client)
--A FORWARD -s 10.9.0.0/24 -d 10.8.0.0/24 -j DROP
-# drop 10.8 -> 10.9
--A FORWARD -s 10.8.0.0/24 -d 10.9.0.0/24 -j DROP
-
-COMMIT
-
-*nat
-:PREROUTING ACCEPT [3368888:178175988]
-:INPUT ACCEPT [3348703:174454011]
-:OUTPUT ACCEPT [30120:1902454]
-:POSTROUTING ACCEPT [32339:2018208]
-# Port forwarding (DNAT) rules:
-# forward SSH (port 22) to home server
--A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 10.77.0.2:22
-# forward port 51412 to home (TCP)
--A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
-# forward port 51412 to home (UDP)
--A PREROUTING -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
-# (Remove the above 51412 rules if not used; keep 22 as it’s for Gitea’s SSH access)
-
-# Masquerade (SNAT) rules:
-# masquerade replies from home for SSH
--A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 22 -j MASQUERADE
-# masquerade replies for 51412 (TCP)
--A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 51412 -j MASQUERADE
-#masquerade replies for 51412 (UDP)
--A POSTROUTING -d 10.77.0.2/32 -p udp --dport 51412 -j MASQUERADE
-# (If 51412 rules removed above, remove their masquerade lines too)
-
-# NAT for 10.8.0.x clients to internet
--A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-# NAT for 10.9.0.x clients to internet
--A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
-
-COMMIT

modules/modules.nix

@@ -15,6 +15,7 @@ in
     ++ inputs.self.lib.autoImport ./servers filterNames
     ++ inputs.self.lib.autoImport ./services filterNames
     ++ inputs.self.lib.autoImport ./shell filterNames
+    ++ inputs.self.lib.autoImport ./websites filterNames
     ++ inputs.self.lib.autoImport ./network filterNames
     ++ [
       ./factories/mkscript.nix

modules/servers/portfolio.nix

@@ -1,22 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-let
-  setup = import ../factories/mkserver.nix { inherit lib config; };
-  cfg = config.my.websites.portfolio;
-in
-{
-  options.my.websites.portfolio = setup.mkOptions "portfolio" "portfolio" 0;
-  config.services.nginx.virtualHosts."danilo-reyes.com" = lib.mkIf cfg.enableProxy {
-    forceSSL = true;
-    enableACME = true;
-    http2 = true;
-    root = "/srv/www/danilo-reyes.com";
-    # index = "index.html";
-    locations."/".extraConfig = ''
-      try_files $uri $uri/ =404;
-    '';
-  };
-}

modules/websites/lidarr-mb-report.nix

@@ -0,0 +1,42 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.my.websites.lidarrMbReport;
+  mbHeaders = ''
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+  '';
+in
+{
+  options.my.websites.lidarrMbReport = {
+    enableProxy = lib.mkEnableOption "lidarr mb report static site";
+  };
+  config = lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
+    services.nginx.virtualHosts."mb-report.lebubu.org" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "/var/www/html/lidarr-mb-gap";
+      locations = {
+        "/" = {
+          extraConfig = ''
+            try_files $uri /missing_albums.html;
+          '';
+        };
+        "~* \\.html$" = {
+          extraConfig = ''
+            add_header Content-Type "text/html; charset=utf-8";
+          '';
+        };
+        "~* \\.json$" = {
+          extraConfig = ''
+            add_header Content-Type "application/json";
+          '';
+        };
+      };
+      extraConfig = mbHeaders;
+    };
+  };
+}

modules/websites/portfolio.nix

@@ -0,0 +1,93 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.my.websites.portfolio;
+  issoCfg = config.my.servers.isso;
+  hugoHeaders = ''
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+  '';
+  hugoLocations = {
+    "/" = {
+      extraConfig = ''
+        try_files $uri $uri/ /index.html;
+      '';
+    };
+    "~* \\.html$" = {
+      extraConfig = ''
+        try_files $uri $uri/ /index.html;
+      '';
+    };
+    "~* \\.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|xml)$" = {
+      extraConfig = ''
+        expires 1y;
+        add_header Cache-Control "public, max-age=31536000, immutable";
+      '';
+    };
+    "~ /\\.(?!well-known).*" = {
+      extraConfig = ''
+        return 404;
+      '';
+    };
+    "= /js/script.js" = {
+      proxyPass = "https://analytics.lebubu.org";
+      extraConfig = ''
+        proxy_set_header Host analytics.lebubu.org;
+        rewrite ^ /js/script.file-downloads.hash.outbound-links.js break;
+      '';
+    };
+    "= /api/event" = {
+      proxyPass = "https://analytics.lebubu.org";
+      extraConfig = ''
+        proxy_set_header Host analytics.lebubu.org;
+      '';
+    };
+  };
+in
+{
+  options.my.websites.portfolio = {
+    enableProxy = lib.mkEnableOption "portfolio and blog static sites";
+  };
+  config = lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
+    services.nginx.virtualHosts = {
+      "www.danilo-reyes.com" = {
+        forceSSL = true;
+        enableACME = true;
+        globalRedirect = "danilo-reyes.com";
+      };
+      "www.blog.danilo-reyes.com" = {
+        forceSSL = true;
+        enableACME = true;
+        globalRedirect = "blog.danilo-reyes.com";
+      };
+      "danilo-reyes.com" = {
+        forceSSL = true;
+        enableACME = true;
+        root = "/var/www/html/portfolio";
+        locations = hugoLocations;
+        extraConfig = hugoHeaders;
+      };
+      "blog.danilo-reyes.com" = {
+        forceSSL = true;
+        enableACME = true;
+        root = "/var/www/html/blog";
+        locations = hugoLocations // {
+          "^~ /isso" = {
+            proxyPass = "http://${issoCfg.ip}:${toString issoCfg.port}";
+            extraConfig = ''
+              rewrite ^/isso/?(.*)$ /$1 break;
+              proxy_set_header Host $host;
+            '';
+          };
+        };
+        extraConfig = hugoHeaders;
+      };
+    };
+  };
+}

specs/004-vps-migration/quickstart.md

@@ -88,7 +88,7 @@
 - **T008**: `rg -n "enableProxy = true" hosts/vps/toggles.nix hosts/vps/configuration.nix hosts/server/toggles.nix`
 - **T009**: ensure Caddy vs Nix comparison section remains in this file
 - **T010**: `rg -n "iqQCY4iAWO-ca/pem|certPath|proxyReversePrivate" modules/network/nginx.nix modules/servers`
-- **T011**: `rg -n "iptables.rules|iptables-restore|networking.firewall.enable = false" hosts/vps/configuration.nix`
+- **T011**: `rg -n "nftables|forwardPorts|vps-snat" hosts/vps/configuration.nix`
 - **T012**: `rg -n "services.wireguard.enable = true" hosts/vps/configuration.nix`
 - **T013**: confirm `wireguard/private` exists in `secrets/wireguard.yaml`
 - **T014**: `rg -n "10.77.0.1/24|10.8.0.1/24|10.9.0.1/24|AllowedIPs|allowedIPs" modules/services/wireguard.nix`
@@ -104,3 +104,4 @@
 - **T024**: verify each task from T001-T026 has a corresponding verification line in this section
 - **T025**: `rg -n "caddy|Caddy" README.org docs || true` and confirm no active-proxy references remain outside legacy migration notes
 - **T026**: `rg -n "T0[0-2][0-9]" /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md` and confirm each task mentions at least one concrete path
+- **T027**: `rg -n "modules/websites|danilo-reyes.com|blog.danilo-reyes.com|mb-report.lebubu.org" modules/websites hosts/vps/toggles.nix`

specs/004-vps-migration/spec.md

@@ -56,7 +56,7 @@ and for lidarr-reports ed25519_lidarr-reports.pub
 
 - Q: Are any services being migrated to the new VPS, and what does enableProxy do? → A: No services are migrated; enableProxy only configures nginx on the VPS, wireguard exposes the port, and services continue running on the host server.
 - Q: How should the analytics service be migrated? → A: Migrate existing analytics data to the new server.
-- Q: How should firewall parity be achieved on the new VPS? → A: Use the existing iptables ruleset as-is.
+- Q: How should firewall parity be achieved on the new VPS? → A: Use the existing iptables ruleset as the source of truth and implement equivalent nftables/NixOS firewall rules; document any intentional deviations.
 - Q: Where should VPN keys be stored? → A: Preserve keys only in the existing secrets system.
 - Q: Which admin hosts should receive SSH authorized_keys entries? → A: Only the listed hosts (workstation, server, deacero, galaxy).
 
@@ -134,7 +134,7 @@ As an operator, I want a checklist of potential missing configuration from exist
 - **FR-001**: The system MUST designate the new VPS as the primary host for reverse proxying and ensure all enabled services are routed through it without relocating the services.
 - **FR-002**: The system MUST ensure proxy configuration is enabled for all services currently enabled on the host server so traffic flows through the new VPS while services remain on the host server.
 - **FR-003**: The system MUST request existing proxy configuration files for verification and flag any subdomain mismatches against current service definitions.
-- **FR-004**: The system MUST apply the existing iptables ruleset as-is on the new VPS to match the existing VPS behavior for all documented inbound and outbound flows.
+- **FR-004**: The system MUST mirror the existing iptables behavior on the new VPS using nftables/NixOS firewall rules and document any intentional deviations from the source ruleset.
 - **FR-005**: The system MUST enable the VPN configuration on the new VPS with the specified peer addresses and ensure each peer is uniquely identified.
 - **FR-006**: The system MUST support encrypting sensitive VPN keys and pause for user-provided secret material when required.
 - **FR-015**: The system MUST store VPN keys only in the existing secrets system and must not place them in plaintext configuration.
@@ -172,6 +172,6 @@ As an operator, I want a checklist of potential missing configuration from exist
 ## Assumptions
 
 - The existing proxy configuration files will be provided by the user for comparison.
-- The firewall rules from the existing VPS are authoritative and should be mirrored on the new VPS.
+- The firewall rules from the existing VPS are authoritative and should be mirrored on the new VPS, even if implemented via nftables equivalents.
 - The list of standard admin hosts for SSH access is complete unless the review identifies an omission.
 - The analytics service migration steps are documentation-only and do not require immediate cutover.

specs/004-vps-migration/tasks.md

@@ -38,7 +38,7 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host
 
 **Independent test criteria**: Known inbound/outbound flows match existing VPS behavior.
 
-- [x] T011 [US2] Apply iptables ruleset as-is to VPS configuration in hosts/vps/configuration.nix using the repo root iptables file
+- [x] T011 [US2] Apply firewall parity to VPS configuration using nftables/NixOS rules derived from the repo root iptables file and document any intentional deviations
 
 ## Phase 5: User Story 3 (P2) - Secure access and VPN peers
 
@@ -71,6 +71,7 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host
 
 - [x] T025 [P] Update references to old VPS proxy logic (caddy) to ensure nginx is the only runtime proxy in README.org and docs/*.md
 - [x] T026 [P] Validate all task descriptions include explicit file paths in specs/004-vps-migration/tasks.md and update mismatches
+- [x] T027 [P] Move static site vhosts (portfolio/blog and mb-report) into modules/websites and enable them via host toggles
 
 ## Dependencies