# Tasks: VPS Migration

**Branch**: `004-vps-migration`
**Date**: 2026-02-04
**Spec**: /home/jawz/Development/NixOS/specs/004-vps-migration/spec.md
**Plan**: /home/jawz/Development/NixOS/specs/004-vps-migration/plan.md

## Implementation Strategy

Deliver the MVP as User Story 1 (primary host reverse proxy, with services kept on the host server). Then complete firewall parity (US2), secure access (US3), and the migration gap review plus verification (US4).

## Phase 1: Setup

- [ ] T001 Confirm baseline files exist: iptables, secrets/ssh/ed25519_deploy.pub, secrets/ssh/ed25519_lidarr-reports.pub, secrets system entries for VPN keys
- [ ] T002 Create working checklist placeholder for verification steps in /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md (this file)

## Phase 2: Foundational

- [ ] T003 [P] Review toggles and mainHost options to identify the reverse-proxy owner in hosts/ and modules/ (record candidate paths)
- [ ] T004 [P] Locate the wireguard module and host toggles in modules/ and hosts/ (record candidate paths)
- [ ] T005 [P] Review SSH config locations and vps IP references to update to 45.33.0.228
- [ ] T006 [P] Review caddy config locations to prepare the subdomain comparison (record file paths)

## Phase 3: User Story 1 (P1) - Primary VPS reverse proxy

**Story goal**: The new VPS is the primary reverse-proxy host (nginx only) while services remain on the host server.

**Independent test criteria**: Proxy mappings resolve through the VPS to host server services without relocating services.

- [ ] T007 [US1] Set mainHost to vps in the relevant host/module option file (update file path once located)
- [ ] T008 [US1] Enable proxying for all enabled services on the VPS without moving service runtime (update the relevant hosts/*/toggles.nix or equivalent)
- [ ] T009 [US1] Capture caddy config files and compare subdomains to servers/*.nix domain definitions; document mismatches in specs/004-vps-migration/quickstart.md

## Phase 4: User Story 2 (P1) - Firewall parity

**Story goal**: Firewall behavior on the new VPS matches the old VPS by applying the iptables ruleset as-is.

**Independent test criteria**: Known inbound/outbound flows match existing VPS behavior.

- [ ] T010 [US2] Apply the iptables ruleset as-is to the VPS firewall configuration in hosts/vps/ or modules/ (reference the repo root iptables file)

## Phase 5: User Story 3 (P2) - Secure access and VPN peers

**Story goal**: Wireguard enabled on the VPS with secrets-managed keys; SSH access for service users and admin hosts.

**Independent test criteria**: VPN peers connect with correct addresses; SSH keys authenticate as expected.

- [ ] T011 [US3] Enable the wireguard module in the VPS host configuration (hosts/vps/ or equivalent) and ensure the listen port is exposed
- [ ] T012 [US3] Update wireguard peer configuration in modules/wireguard.nix using secrets refs for public/private keys (no plaintext)
- [ ] T013 [US3] Add service users and groups deploy and lidarr-reports with authorized_keys from secrets/ssh/ed25519_deploy.pub and secrets/ssh/ed25519_lidarr-reports.pub
- [ ] T014 [US3] Add admin SSH authorized_keys for workstation, server, deacero, galaxy in the standard SSH config files
- [ ] T015 [US3] Update SSH config to replace the VPS IP with 45.33.0.228
- [ ] T016 [US3] Update the host server wireguard client configuration to target the new VPS endpoint

## Phase 6: User Story 4 (P3) - Migration gaps and verification

**Story goal**: Identify missing configuration from history logs and provide verification steps for every task.

**Independent test criteria**: A clarification list exists and each task has a verification step.

- [ ] T017 [US4] Review sudo_hist and jawz_hist for missing configuration; record the clarification list in specs/004-vps-migration/quickstart.md
- [ ] T018 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md
- [ ] T019 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md

## Phase 7: Polish & Cross-Cutting Concerns

- [ ] T020 [P] Update any references to the old VPS proxy logic (caddy) so that nginx is the only proxy in documentation (README.org or docs/ if applicable)
- [ ] T021 [P] Validate that all tasks have explicit file paths and update task descriptions accordingly

## Dependencies

- US1 → US2 → US3 → US4

## Parallel Execution Examples

- US1: T007, T008, T009 can proceed once T003 and T006 identify the correct files.
- US2: T010 can proceed once the iptables application location is identified.
- US3: T011 and T015 can proceed after T004 and T005 identify file locations; T012 depends on secrets references.
- US4: T017, T018, T019 can proceed independently once logs are reviewed and quickstart.md is open.

## Validation

- All tasks use the required checklist format with IDs, story labels, and file paths (to be filled precisely in T021).
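The Phase 5 tasks (T011 to T014) describe the WireGuard and SSH pieces of the VPS host configuration. The NixOS fragment below is an added illustration of that shape, not a file from this repository: the interface name, port, VPN addresses, secret file path, peer public key and admin key file names are placeholders for whatever the secrets module and modules/wireguard.nix actually define, and only the VPS address 45.33.0.228 and the two service-user key files come from the task list.

```nix
# Added example for hosts/vps/ (not the repository's own file). Paths,
# port, VPN addresses and public keys are placeholders; only 45.33.0.228
# is taken from the task list.
{ ... }:
{
  # T011: WireGuard interface with its listen port opened in the firewall.
  networking.wireguard.interfaces.wg0 = {
    listenPort = 51820;                       # placeholder port
    ips = [ "10.100.0.1/24" ];                # placeholder VPN address
    # T012: the private key is a file the secrets module decrypts at
    # activation; it is never written to the Nix store as plaintext.
    privateKeyFile = "/run/secrets/wireguard-vps-key";  # placeholder path
    peers = [
      {
        # Host server peer; the key below is a placeholder, not a real key.
        publicKey = "PLACEHOLDER_HOST_SERVER_PUBLIC_KEY=";
        allowedIPs = [ "10.100.0.2/32" ];     # placeholder peer address
      }
    ];
  };
  networking.firewall.allowedUDPPorts = [ 51820 ];

  # T013: service users authenticate only with the committed public keys.
  # The relative paths assume this file sits two levels below the repo root.
  users.groups.deploy = { };
  users.groups.lidarr-reports = { };
  users.users.deploy = {
    isNormalUser = true;
    group = "deploy";
    openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_deploy.pub ];
  };
  users.users.lidarr-reports = {
    isNormalUser = true;
    group = "lidarr-reports";
    openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_lidarr-reports.pub ];
  };

  # T014: admin keys for workstation, server, deacero and galaxy. The admin
  # user name and the key file names are placeholders.
  users.users.admin = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keyFiles = [
      ../../secrets/ssh/placeholder_workstation.pub
      ../../secrets/ssh/placeholder_server.pub
      ../../secrets/ssh/placeholder_deacero.pub
      ../../secrets/ssh/placeholder_galaxy.pub
    ];
  };
}
```

On the host server side (T016) the matching peer entry for the VPS sets `endpoint = "45.33.0.228:51820"` with the same placeholder port, and its own `privateKeyFile` likewise points at a secrets-managed file rather than an inline key.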