Danilo Reyes 979bb915a6 init
2026-02-03 15:13:56 -06:00

Implementation Plan: VPS Image Migration

Branch: 003-vps-image-migration | Date: February 3, 2026 | Spec: /home/jawz/Development/NixOS/specs/003-vps-image-migration/spec.md
Input: Feature specification from /specs/003-vps-image-migration/spec.md

Summary

Migrate image building away from the deprecated generator to the upstream NixOS image workflow, add a new vps host that produces a Linode-compatible image, and implement a secure two-phase secrets bootstrap that requires re-encryption after the host generates its own key. Provide a repeatable remote rebuild workflow limited to explicitly authorized operator machines.
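The two-phase bootstrap described above, as an added example that is not part of this plan or the repository: phase 1 builds the image with secrets encrypted only to the operator key; phase 2 runs after first boot, derives the host's own age recipient from the ssh host key the image generated, checks its shape, and re-encrypts before the first remote rebuild. The hostname, file paths, flake attribute, the `linode` image variant and the sample keyscan output are assumptions or constructed values.

```shell
#!/usr/bin/env sh
# Added example, not the repository's own script. Two-phase sops-nix secrets
# bootstrap for the vps host. Paths, hostname and image variant are assumed.
set -eu

SOPS_CONFIG=".sops.yaml"            # assumed: sops creation rules live here
SECRETS_FILE="secrets/vps.yaml"     # assumed: sops-encrypted secrets for vps
FLAKE_HOST="vps"                    # assumed: host attribute in flake.nix
TARGET_HOST="vps.example.invalid"   # placeholder, not a real address

# Select the ed25519 host key from ssh-keyscan output (stdin) and print it
# as "ssh-ed25519 <base64>", the form ssh-to-age expects. Prints nothing if
# no ed25519 key is present, which the caller treats as a failure.
select_ed25519_key() {
  awk '$2 == "ssh-ed25519" { print $2, $3; exit }'
}

# Format check for an age x25519 recipient: "age1" followed by 58 bech32
# characters (the bech32 alphabet has no b, i, o or 1). Format only; this
# does not verify the bech32 checksum.
is_age_recipient() {
  printf '%s' "$1" | grep -Eq '^age1[ac-hj-np-z02-9]{58}$'
}

# Phase 1: build the Linode image. Secrets in $SECRETS_FILE are still
# encrypted to the operator key only, so the image carries nothing the
# host could decrypt until it has been enrolled.
build_image() {
  nix build ".#nixosConfigurations.${FLAKE_HOST}.config.system.build.images.linode"
}

# Phase 2a: after first boot, fetch the ssh host key the image generated
# and convert it into the host's age recipient. Compare the key against the
# fingerprint shown on the provider console before trusting it.
derive_host_recipient() {
  host="$1"
  key_line=$(ssh-keyscan -t ed25519 "$host" 2>/dev/null | select_ed25519_key)
  [ -n "$key_line" ] || { echo "no ed25519 host key offered by $host" >&2; return 1; }
  recipient=$(printf '%s\n' "$key_line" | ssh-to-age)
  is_age_recipient "$recipient" || { echo "unexpected recipient: $recipient" >&2; return 1; }
  printf '%s\n' "$recipient"
}

# Phase 2b: once the recipient has been added to the vps creation rule in
# $SOPS_CONFIG, re-encrypt the secrets file so the host can read it, then
# push the configuration to the host from this operator machine.
reencrypt_and_rebuild() {
  sops updatekeys "$SECRETS_FILE"
  nixos-rebuild switch --flake ".#${FLAKE_HOST}" --target-host "root@${TARGET_HOST}"
}

# Usage: ./bootstrap.sh build | derive | rebuild
case "${1:-}" in
  build)   build_image ;;
  derive)  derive_host_recipient "$TARGET_HOST" ;;
  rebuild) reencrypt_and_rebuild ;;
esac
```

The `derive` step is deliberately separate from `rebuild`: the recipient it prints has to be added to `.sops.yaml` by the operator, which is the moment to check the host key fingerprint against the provider console. Restricting rebuilds to authorized operator machines is not something this script can enforce; that restriction belongs in the host's ssh `authorized_keys` configuration, so only keys of the listed operator machines can open the session `nixos-rebuild --target-host` uses.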

Technical Context

Language/Version: Nix (flakes; nixpkgs 25.11)
Primary Dependencies: nixpkgs, flake-parts, sops-nix
Storage: N/A (configuration repo)
Testing: Manual validation (image build, boot, network, secret availability, rebuild)
Target Platform: NixOS image for Linode VPS
Project Type: Infrastructure configuration (single repo)
Performance Goals: N/A
Constraints: No regressions for existing hosts; secrets must remain secure; first boot must be reachable for enrollment; rebuilds restricted to authorized operator machines
Scale/Scope: Small number of hosts, single vps target

Constitution Check

No enforceable principles are defined in the current constitution file (placeholders only). Gate passes by default. Post-design re-check: no changes; still pass.

Project Structure

Documentation (this feature)

specs/003-vps-image-migration/
├── plan.md
├── research.md
├── data-model.md
├── quickstart.md
├── contracts/
└── tasks.md

Source Code (repository root)

flake.nix
parts/
hosts/
modules/
secrets/
scripts/
config/
environments/

Structure Decision: Use the existing Nix flake layout with host definitions in hosts/, shared logic in modules/, and flake assembly in parts/.

Complexity Tracking

No constitution violations to track.