# Data Model: VPS Migration

## Host

- **Fields**: name, role (primary/secondary), publicIp, vpnEndpoint, services[], proxyMappings[], firewallRuleSet
- **Rules**: Exactly one primary host for reverse proxying.

## Service

- **Fields**: name, enabled, runsOnHost, proxyEnabled, domains[]
- **Rules**: Services remain on host server; proxyEnabled true on VPS for all enabled services.

## ProxyMapping

- **Fields**: domain, targetService, tlsRequired
- **Rules**: domain must be unique across mappings; domain must match service definitions.

## FirewallRuleSet

- **Fields**: sourceFile (iptables reference), rules[], appliedHost
- **Rules**: Ruleset must be applied as-is; no translation allowed.

## VPNPeer

- **Fields**: name, publicKeyRef, allowedIps[]
- **Rules**: allowedIps must be unique across peers; publicKeyRef must resolve via secrets system.

## VPNInterface

- **Fields**: addressRanges[], listenPort, privateKeyRef
- **Rules**: privateKeyRef stored in secrets system; listenPort exposed on VPS.

## ServiceUser

- **Fields**: username, group, authorizedKeys[]
- **Rules**: deploy uses ed25519_deploy.pub; lidarr-reports uses ed25519_lidarr-reports.pub.

## MigrationChecklistItem

- **Fields**: task, verificationStep, status
- **Rules**: each migration task must have a verification step.
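
The rules above that can be checked from the model alone, as an added example that is not part of the original data model. The dict layout, the `validate` function, the `secret_refs` set standing in for the secrets system, and every sample value are assumptions; allowedIps are normalized before comparison so that `10.8.0.2` and `10.8.0.2/32` count as the same range.

```python
import ipaddress
from collections import Counter

def validate(model, secret_refs):
    """Return rule violations for a model dict; secret_refs = names the secrets system can resolve."""
    errs = []
    primaries = [h for h in model["hosts"] if h["role"] == "primary"]
    if len(primaries) != 1:
        errs.append(f"Host: expected exactly one primary, found {len(primaries)}")
    services = {s["name"]: s for s in model["services"]}
    for s in services.values():
        if s["enabled"] and not s["proxyEnabled"]:
            errs.append(f"Service {s['name']}: enabled but not proxied")
    counts = Counter(m["domain"].lower() for m in model["proxyMappings"])
    errs += [f"ProxyMapping: duplicate domain {d}" for d, n in counts.items() if n > 1]
    for m in model["proxyMappings"]:
        svc = services.get(m["targetService"], {})
        if m["domain"].lower() not in [d.lower() for d in svc.get("domains", [])]:
            errs.append(f"ProxyMapping {m['domain']}: not declared by {m['targetService']}")
    owner = {}  # normalized network -> first peer that claimed it
    for p in model["vpnPeers"]:
        if p["publicKeyRef"] not in secret_refs:
            errs.append(f"VPNPeer {p['name']}: unresolved publicKeyRef")
        for ip in p["allowedIps"]:
            net = ipaddress.ip_network(ip, strict=False)  # "10.8.0.2" == "10.8.0.2/32"
            if owner.setdefault(net, p["name"]) != p["name"]:
                errs.append(f"VPNPeer {p['name']}: {net} already assigned to {owner[net]}")
    if model["vpnInterface"]["privateKeyRef"] not in secret_refs:
        errs.append("VPNInterface: unresolved privateKeyRef")
    for item in model["checklist"]:
        if not item.get("verificationStep", "").strip():
            errs.append(f"Checklist '{item['task']}': missing verification step")
    return errs

# Constructed sample: every name, domain, address and secret ref below is made up.
SAMPLE = {
    "hosts": [{"name": "vps", "role": "primary"}, {"name": "home", "role": "secondary"}],
    "services": [{"name": "wiki", "enabled": True, "proxyEnabled": True, "domains": ["wiki.example.org"]}],
    "proxyMappings": [{"domain": "wiki.example.org", "targetService": "wiki", "tlsRequired": True},
                      {"domain": "git.example.org", "targetService": "wiki", "tlsRequired": True}],
    "vpnPeers": [{"name": "home", "publicKeyRef": "vpn/home.pub", "allowedIps": ["10.8.0.2/32"]},
                 {"name": "laptop", "publicKeyRef": "vpn/laptop.pub", "allowedIps": ["10.8.0.2"]}],
    "vpnInterface": {"listenPort": 51820, "privateKeyRef": "vpn/server.key"},
    "checklist": [{"task": "apply firewall ruleset", "verificationStep": "", "status": "todo"}],
}
SECRETS = {"vpn/home.pub", "vpn/server.key"}

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE, SECRETS)))
```

Running a check like this before deployment catches an unresolved key reference or a doubly assigned peer address while the model is still only data.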