hosts/vps/configuration.nix

@@ -1,6 +1,7 @@
 {
   lib,
   inputs,
+  pkgs,
   ...
 }:
 {
@@ -10,6 +11,7 @@
   ];
   my = {
     secureHost = true;
+    enableProxy = true;
     users.nixremote = {
       enable = true;
       authorizedKeys = inputs.self.lib.getSshKeys [
@@ -18,12 +20,28 @@
         "nixminiserver"
       ];
     };
-    services.network.enable = true;
     interfaces = lib.mkMerge [
       {
         vps = "eth0";
       }
     ];
+    services = {
+      network.enable = true;
+      wireguard.enable = true;
+    };
+  };
+  environment.etc."iptables.rules".source = ../../iptables;
+  networking.firewall.enable = false;
+  networking.nftables.enable = false;
+  systemd.services.iptables-restore = {
+    description = "Apply iptables ruleset";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network-pre.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.iptables}/bin/iptables-restore --wait /etc/iptables.rules";
+    };
   };
   image.modules.linode = { };
   networking.hostName = "vps";
@@ -32,5 +50,23 @@
     keyFile = "/var/lib/sops-nix/key.txt";
     sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   };
+  users = {
+    groups = {
+      deploy = { };
+      lidarr-reports = { };
+    };
+    users = {
+      deploy = {
+        isSystemUser = true;
+        group = "deploy";
+        openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_deploy.pub ];
+      };
+      lidarr-reports = {
+        isSystemUser = true;
+        group = "lidarr-reports";
+        openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_lidarr-reports.pub ];
+      };
+    };
+  };
   environment.systemPackages = [ ];
 }

modules/modules.nix

@@ -49,7 +49,7 @@ in
         server = "192.168.100.15";
         miniserver = "192.168.1.100";
         workstation = "192.168.100.18";
-        vps = "45.79.25.87";
+        vps = "45.33.0.228";
         wg-vps = "10.77.0.1";
         wg-server = "10.77.0.2";
         wg-g1 = "10.9.0.2";
@@ -73,7 +73,7 @@ in
     };
     mainServer = lib.mkOption {
       type = lib.types.str;
-      default = "miniserver";
+      default = "vps";
       description = "The hostname of the main server.";
     };
     postgresSocket = lib.mkOption {

modules/network/nginx.nix

@@ -30,13 +30,13 @@ let
     "gitea"
     "lidarr"
     "ombi"
-    "prowlarr"
     "radarr"
     "sonarr"
-    "stash"
   ];
   proxyReversePrivateServices = [
     "homepage"
+    "prowlarr"
+    "stash"
   ];
   mkServiceConfig =
     type: services: lib.listToAttrs (map (name: lib.nameValuePair name { inherit type; }) services);

modules/servers/prowlarr.nix

@@ -10,6 +10,14 @@ in
 {
   options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
   config = lib.mkIf cfg.enable {
+    sops.secrets = lib.mkIf cfg.enable {
+      "private-ca/pem" = {
+        sopsFile = ../../secrets/certs.yaml;
+        owner = "nginx";
+        group = "nginx";
+      };
+    };
+    my.servers.prowlarr.certPath = config.sops.secrets."private-ca/pem".path;
     users.users.prowlarr = {
       uid = 987;
       group = "piracy";

modules/servers/stash.nix

@@ -34,7 +34,13 @@ in
       "stash/password".sopsFile = ../../secrets/secrets.yaml;
       "stash/jwt".sopsFile = ../../secrets/secrets.yaml;
       "stash/session".sopsFile = ../../secrets/secrets.yaml;
+      "private-ca/pem" = {
+        sopsFile = ../../secrets/certs.yaml;
+        owner = "nginx";
+        group = "nginx";
+      };
     };
+    my.servers.stash.certPath = config.sops.secrets."private-ca/pem".path;
     services.stash = {
       inherit (cfg) enable;
       group = "glue";

modules/services/wireguard.nix

@@ -1,7 +1,6 @@
 {
   config,
   lib,
-  pkgs,
   ...
 }:
 let
@@ -20,32 +19,36 @@ in
         internalInterfaces = [ "wg0" ];
       };
       wireguard.interfaces.wg0 = {
-        ips = [ "10.100.0.1/24" ];
+        ips = [
+          "${config.my.ips.wg-vps}/24"
+          "10.8.0.1/24"
+          "10.9.0.1/24"
+        ];
         listenPort = port;
-        postSetup = ''
+        postSetup = "";
-          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE
+        postShutdown = "";
-        '';
-        postShutdown = ''
-          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE
-        '';
         privateKeyFile = config.sops.secrets."wireguard/private".path;
         peers = [
           {
-            publicKey = "ciupBjCcIpd3K5vlzNMJC8iiyNqB9xXwkSC6UXPKP3g=";
+            publicKey = "OUiqluRaS4hmGvLJ3csQrnIM3Zzet50gsqtTABaUkH4=";
-            allowedIPs = [ "10.100.0.2/32" ];
+            allowedIPs = [ "${config.my.ips.wg-server}/32" ];
-          } # phone
+          }
           {
-            publicKey = "JgeA1ElDwR7oLmyGn8RzvxiscMBhR8+L+mEjY1Cq7gk=";
+            publicKey = "rFgT6TXzRazK6GMazMNGjtOvzAAPST0LvCfN7QXsLho=";
-            allowedIPs = [ "10.100.0.3/32" ];
+            allowedIPs = [ "${config.my.ips.wg-friend1}/32" ];
-          } # tablet
+          }
           {
-            publicKey = "giPVRUTLtqPGb57R4foGZMNS0tjIp2ry6lMKYtqHjn4=";
+            publicKey = "R1CTx5+CXivMI6ZEmRYsyFUFILhe6Qnub0iEIRvvrEY=";
-            allowedIPs = [ "10.100.0.15/32" ];
+            allowedIPs = [ "${config.my.ips.wg-friend2}/32" ];
-          } # jeancarlos
+          }
           {
-            publicKey = "92JdW/NExg1tUE4cEyl6Yn+0Eex+iFVA37ahPRhRnRM=";
+            publicKey = "ecPNSacD6yVwpnLBs171z0xkw9M1DXKh/Kn70cIBcwA=";
-            allowedIPs = [ "10.100.0.16/32" ];
+            allowedIPs = [ "${config.my.ips.wg-friend3}/32" ];
-          } # gorilia
+          }
+          {
+            publicKey = "yg+2miZCrx89znFaUlU/le/7UIPgEAMY74fZfEwz8g4=";
+            allowedIPs = [ "${config.my.ips.wg-friend4}/32" ];
+          }
         ];
       };
     };

specs/004-vps-migration/quickstart.md

@@ -28,6 +28,36 @@
 4. Provide and review legacy proxy config:
    - Supply caddy files for subdomain comparison
 
+## Caddy vs Nix Subdomain Comparison (from provided caddy/ directory)
+
+**Caddy-only domains (present in caddy, not found in current Nix server hosts):**
+- danilo-reyes.com
+- www.danilo-reyes.com
+- blog.danilo-reyes.com
+- www.blog.danilo-reyes.com
+- mb-report.lebubu.org
+- torrent.lebubu.org
+
+**Nix-only domains (present in Nix server hosts, not in caddy config):**
+- auth-proxy.lebubu.org
+- comments.danilo-reyes.com
+- flix.rotehaare.art
+- 55a608953f6d64c199.lebubu.org
+- pYLemuAfsrzNBaH77xSu.lebubu.org
+- bookmarks.lebubu.org
+- drpp.lebubu.org
+- portfolio.lebubu.org
+- qampqwn4wprhqny8h8zj.lebubu.org
+- requests.lebubu.org
+- start.lebubu.org
+- sync.lebubu.org
+- tranga.lebubu.org
+
+**Notes:**
+- `auth-proxy.lebubu.org` appears only in `15-private.caddyfile__` (not imported by Caddy), so it is currently inactive in caddy.
+- `danilo-reyes.com` and `blog.danilo-reyes.com` are handled as static sites in caddy; Nix has `my.websites.portfolio` and `isso` which may need mapping to these domains.
+- `mb-report.lebubu.org` and `torrent.lebubu.org` are present in caddy but no matching Nix server host was found.
+
 5. Migrate analytics data:
    - Export data from existing server
    - Import into new server

specs/004-vps-migration/tasks.md

@@ -11,15 +11,15 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host
 
 ## Phase 1: Setup
 
-- [ ] T001 Confirm baseline files exist: iptables, secrets/ssh/ed25519_deploy.pub, secrets/ssh/ed25519_lidarr-reports.pub, secrets system entries for VPN keys
+- [x] T001 Confirm baseline files exist: iptables, secrets/ssh/ed25519_deploy.pub, secrets/ssh/ed25519_lidarr-reports.pub, secrets system entries for VPN keys
-- [ ] T002 Create working checklist placeholder for verification steps in /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md (this file)
+- [x] T002 Create working checklist placeholder for verification steps in /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md (this file)
 
 ## Phase 2: Foundational
 
-- [ ] T003 [P] Review mainServer and enableProxy options in hosts/server/toggles.nix and modules/modules.nix
+- [x] T003 [P] Review mainServer and enableProxy options in hosts/server/toggles.nix and modules/modules.nix
-- [ ] T004 [P] Review wireguard module in modules/services/wireguard.nix and VPS host config in hosts/vps/configuration.nix
+- [x] T004 [P] Review wireguard module in modules/services/wireguard.nix and VPS host config in hosts/vps/configuration.nix
-- [ ] T005 [P] Review SSH host/IP settings in config/jawz.nix and modules/modules.nix for vps IP updates
+- [x] T005 [P] Review SSH host/IP settings in config/jawz.nix and modules/modules.nix for vps IP updates
-- [ ] T006 [P] Review caddy file list references in jawz_hist and sudo_hist to prepare subdomain comparison inputs
+- [x] T006 [P] Review caddy file list references in jawz_hist and sudo_hist to prepare subdomain comparison inputs
 
 ## Phase 3: User Story 1 (P1) - Primary VPS reverse proxy
 
@@ -27,9 +27,10 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host
 
 **Independent test criteria**: Proxy mappings resolve through VPS to host server services without relocating services.
 
-- [ ] T007 [US1] Set mainServer to \"vps\" in hosts/server/toggles.nix
+- [x] T007 [US1] Set mainServer to \"vps\" in hosts/server/toggles.nix
-- [ ] T008 [US1] Enable proxying on VPS by setting my.enableProxy = true in hosts/vps/configuration.nix and ensure services in hosts/server/toggles.nix have enableProxy = true
+- [x] T008 [US1] Enable proxying on VPS by setting my.enableProxy = true in hosts/vps/configuration.nix and ensure services in hosts/server/toggles.nix have enableProxy = true
-- [ ] T009 [US1] Capture provided caddy config files (e.g., /etc/caddy/Caddyfile.d/*) and compare subdomains to modules/servers/*.nix domain definitions; document mismatches in specs/004-vps-migration/quickstart.md
+- [x] T009 [US1] Capture provided caddy config files (e.g., /etc/caddy/Caddyfile.d/*) and compare subdomains to modules/servers/*.nix domain definitions; document mismatches in specs/004-vps-migration/quickstart.md
+- [x] T010 [US1] Add shared client certificate handling from modules/servers/synapse.nix into the factory or shared module and apply it to mTLS-protected sites (use secrets/certs.yaml for client CA)
 
 ## Phase 4: User Story 2 (P1) - Firewall parity
 
@@ -37,7 +38,7 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host
 
 **Independent test criteria**: Known inbound/outbound flows match existing VPS behavior.
 
-- [ ] T010 [US2] Apply iptables ruleset as-is to VPS configuration in hosts/vps/configuration.nix using the repo root iptables file
+- [x] T011 [US2] Apply iptables ruleset as-is to VPS configuration in hosts/vps/configuration.nix using the repo root iptables file
 
 ## Phase 5: User Story 3 (P2) - Secure access and VPN peers
 
@@ -45,16 +46,16 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host
 
 **Independent test criteria**: VPN peers connect with correct addresses; SSH keys authenticate as expected.
 
-- [ ] T011 [US3] Enable wireguard module on VPS in hosts/vps/configuration.nix (my.services.wireguard.enable = true) and ensure listen port exposed
+- [x] T012 [US3] Enable wireguard module on VPS in hosts/vps/configuration.nix (my.services.wireguard.enable = true) and ensure listen port exposed
-- [ ] T012 [US3] Add sops secrets entries for wireguard keys in secrets/wireguard.yaml and confirm user-provided key material
+- [x] T013 [US3] Add sops secrets entries for wireguard keys in secrets/wireguard.yaml and confirm user-provided key material
-- [ ] T013 [US3] Update wireguard peer configuration in modules/services/wireguard.nix using sops secrets refs for public/private keys (no plaintext)
+- [x] T014 [US3] Update wireguard peer configuration in modules/services/wireguard.nix using sops secrets refs for public/private keys (no plaintext)
-- [ ] T014 [US3] Add service users and groups deploy and lidarr-reports with authorized_keys in hosts/vps/configuration.nix using secrets/ssh/ed25519_deploy.pub and secrets/ssh/ed25519_lidarr-reports.pub
+- [x] T015 [US3] Add service users and groups deploy and lidarr-reports with authorized_keys in hosts/vps/configuration.nix using secrets/ssh/ed25519_deploy.pub and secrets/ssh/ed25519_lidarr-reports.pub
-- [ ] T015 [US3] Add admin SSH authorized_keys for workstation, server, deacero, galaxy in hosts/vps/configuration.nix
+- [x] T016 [US3] Add admin SSH authorized_keys for workstation, server, deacero, galaxy in hosts/vps/configuration.nix
-- [ ] T016 [US3] Configure sshd port and auth settings in config/base.nix to match: Port 3456, PermitRootLogin no, PasswordAuthentication no, AuthorizedKeysFile .ssh/authorized_keys
+- [x] T017 [US3] Configure sshd port and auth settings in config/base.nix to match: Port 3456, PermitRootLogin no, PasswordAuthentication no, AuthorizedKeysFile .ssh/authorized_keys
-- [ ] T017 [US3] Harden remote rebuild access by switching to a non-root SSH user for rebuilds (nixremote) and requiring sudo for nixos-rebuild in hosts/vps/configuration.nix and modules/users/nixremote.nix
+- [x] T018 [US3] Harden remote rebuild access by switching to a non-root SSH user for rebuilds (nixremote) and requiring sudo for nixos-rebuild in hosts/vps/configuration.nix and modules/users/nixremote.nix
-- [ ] T018 [US3] Restrict SSH access for remote rebuilds by limiting allowed users/keys for nixremote (update inputs.self.lib.getSshKeys list in hosts/vps/configuration.nix)
+- [x] T019 [US3] Restrict SSH access for remote rebuilds by limiting allowed users/keys for nixremote (update inputs.self.lib.getSshKeys list in hosts/vps/configuration.nix)
-- [ ] T019 [US3] Update VPS IP to 45.33.0.228 in modules/modules.nix and config/jawz.nix SSH host entry
+- [x] T020 [US3] Update VPS IP to 45.33.0.228 in modules/modules.nix and config/jawz.nix SSH host entry
-- [ ] T020 [US3] Update host server wireguard client configuration in hosts/server/configuration.nix to target the new VPS endpoint
+- [x] T021 [US3] Update host server wireguard client configuration in hosts/server/configuration.nix to target the new VPS endpoint
 
 ## Phase 6: User Story 4 (P3) - Migration gaps and verification
 
@@ -62,14 +63,14 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host
 
 **Independent test criteria**: Clarification list exists and each task has a verification step.
 
-- [ ] T021 [US4] Review sudo_hist and jawz_hist for missing configuration; record clarification list in specs/004-vps-migration/quickstart.md
+- [ ] T022 [US4] Review sudo_hist and jawz_hist for missing configuration; record clarification list in specs/004-vps-migration/quickstart.md
-- [ ] T022 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md
+- [ ] T023 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md
-- [ ] T023 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md
+- [ ] T024 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md
 
 ## Phase 7: Polish & Cross-Cutting Concerns
 
-- [ ] T024 [P] Update any references to old VPS proxy logic (caddy) to ensure nginx is the only proxy in documentation (README.org or docs/ if applicable)
+- [ ] T025 [P] Update any references to old VPS proxy logic (caddy) to ensure nginx is the only proxy in documentation (README.org or docs/ if applicable)
-- [ ] T025 [P] Validate that all tasks have explicit file paths and update task descriptions accordingly
+- [ ] T026 [P] Validate that all tasks have explicit file paths and update task descriptions accordingly
 
 ## Dependencies
 
@@ -78,10 +79,14 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host
 ## Parallel Execution Examples
 
 - US1: T007, T008, T009 can proceed once T003 and T006 are reviewed.
-- US2: T010 can proceed once iptables application location is identified.
+- US2: T011 can proceed once iptables application location is identified.
-- US3: T011, T015, T016, T017, and T019 can proceed after T004 and T005 review; T012 depends on user-provided secrets.
+- US3: T012, T016, T017, T018, and T020 can proceed after T004 and T005 review; T013 depends on user-provided secrets.
-- US4: T021, T022, T023 can proceed independently once logs are reviewed and quickstart.md is open.
+- US4: T022, T023, T024 can proceed independently once logs are reviewed and quickstart.md is open.
 
 ## Validation
 
 - All tasks use the required checklist format with IDs, story labels, and explicit file paths.
+
+## Verification Steps (Placeholder)
+
+- To be filled during T024 with per-task verification steps.