NixOS/specs/004-vps-migration/quickstart.md
2026-02-06 08:13:37 -06:00

Quickstart: VPS Migration

Prerequisites

  • Access to this repo and the new VPS host configuration
  • Existing iptables ruleset file available at repo root: iptables
  • VPN keys present in the secrets system
  • SSH public keys present in secrets/ssh/

Steps

  1. Review the spec and clarifications:

    • /home/jawz/Development/NixOS/specs/004-vps-migration/spec.md
  2. Ensure secrets are available:

    • VPN private/public keys are stored in the secrets system
    • secrets/ssh/ed25519_deploy.pub and secrets/ssh/ed25519_lidarr-reports.pub exist
  3. Update host configuration:

    • Set new VPS as primary reverse proxy host
    • Enable proxying for all enabled services (services remain on host server)
    • Apply iptables ruleset as-is
    • Enable WireGuard on the VPS and expose its port
    • Add service users and admin SSH keys
    • Update VPS public IP to 45.33.0.228 in SSH configuration
    • Update host server VPN client to target the new VPS
  4. Provide and review legacy proxy config snapshot:

    • Supply caddy files for subdomain comparison
    • Treat caddy as migration input only; nginx is the only proxy target for NixOS runtime

Caddy vs Nix Subdomain Comparison (from provided caddy/ directory)

Caddy-only domains (present in caddy, not found in current Nix server hosts):

  • danilo-reyes.com
  • www.danilo-reyes.com
  • blog.danilo-reyes.com
  • www.blog.danilo-reyes.com
  • mb-report.lebubu.org
  • torrent.lebubu.org

Nix-only domains (present in Nix server hosts, not in caddy config):

  • auth-proxy.lebubu.org
  • comments.danilo-reyes.com
  • flix.rotehaare.art
  • 55a608953f6d64c199.lebubu.org
  • pYLemuAfsrzNBaH77xSu.lebubu.org
  • bookmarks.lebubu.org
  • drpp.lebubu.org
  • portfolio.lebubu.org
  • qampqwn4wprhqny8h8zj.lebubu.org
  • requests.lebubu.org
  • start.lebubu.org
  • sync.lebubu.org
  • tranga.lebubu.org

Notes:

  • auth-proxy.lebubu.org appears only in 15-private.caddyfile__ (not imported by Caddy), so it is currently inactive in caddy.
  • danilo-reyes.com and blog.danilo-reyes.com are handled as static sites in caddy; Nix has my.websites.portfolio and isso, which may need mapping to these domains.
  • mb-report.lebubu.org and torrent.lebubu.org are present in caddy but no matching Nix server host was found.
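As an added example (not part of the quickstart or the repo), the comparison above can be regenerated with a small POSIX shell script that pulls site addresses out of a Caddyfile and quoted virtualHost names out of a Nix file, then diffs the two sets. The Caddyfile and Nix inputs below are constructed samples, not the repo's caddy/ directory or server hosts.

```shell
# Added example (not part of the original quickstart): derive the "Caddy-only"
# and "Nix-only" domain lists from a legacy Caddyfile and a Nix nginx
# virtualHosts attrset. The sample inputs are constructed.
LC_ALL=C; export LC_ALL                 # stable sort order for comm(1)
DOMAIN_RE='^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'

# Site addresses from a Caddyfile: lines that open a block ("a.com, b.com {"),
# split on commas; nested directive blocks are dropped by the domain filter.
caddy_domains() {
  sed -n 's/^[[:space:]]*\([^{#]*\){[[:space:]]*$/\1/p' "$1" \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -E "$DOMAIN_RE" | sort -u
}
# Quoted attribute names of the form "host.example" = { ... } in a Nix file.
nix_domains() {
  sed -n 's/.*"\([A-Za-z0-9.-]*\)"[[:space:]]*=[[:space:]]*{.*/\1/p' "$1" \
    | grep -E "$DOMAIN_RE" | sort -u
}
caddy_only() { comm -23 "$1" "$2"; }   # $1: caddy list, $2: nix list (sorted)
nix_only()   { comm -13 "$1" "$2"; }
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/Caddyfile" <<'EOF'
# constructed legacy Caddyfile
danilo-reyes.com, www.danilo-reyes.com {
    file_server
}
torrent.lebubu.org {
    reverse_proxy localhost:8080 {
        header_up Host {host}
    }
}
start.lebubu.org {
    reverse_proxy localhost:3000
}
EOF
cat > "$TMP/nginx.nix" <<'EOF'
# constructed excerpt of services.nginx.virtualHosts
{
  services.nginx.virtualHosts = {
    "start.lebubu.org" = { locations."/".proxyPass = "http://127.0.0.1:3000"; };
    "flix.rotehaare.art" = { locations."/".proxyPass = "http://127.0.0.1:8096"; };
    "portfolio.lebubu.org" = { root = "/var/www/portfolio"; };
  };
}
EOF
caddy_domains "$TMP/Caddyfile" > "$TMP/caddy.txt"
nix_domains "$TMP/nginx.nix" > "$TMP/nix.txt"
echo "Caddy-only:"; caddy_only "$TMP/caddy.txt" "$TMP/nix.txt"
echo "Nix-only:";   nix_only "$TMP/caddy.txt" "$TMP/nix.txt"
```

Point the two functions at the real caddy/ files and the server host's nginx module to reproduce the lists above; a domain that ends up in neither output is present on both sides and needs no mapping.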
  5. Migrate analytics data:

    • Identify the analytics system (e.g., Plausible) and its data store location or database
    • Freeze writes during export (stop the analytics service or enable maintenance mode)
    • Export analytics data from the existing server (db dump or data directory archive)
    • Transfer the export to the new server using the secure path already used for secrets/config
    • Import the data on the new server and restart the analytics service
    • Validate historical data is present (date range coverage, dashboard counts, and sample events)
  6. Run verification steps for each task (per spec FR-012).

Clarification Candidates From History Review

  • opentracker was installed and enabled (systemctl enable --now opentracker) with firewall rules for TCP/UDP 6969; confirm whether the tracker service is still required on NixOS.
  • ip6tables was enabled on Fedora (systemctl enable ip6tables); confirm whether an equivalent IPv6 policy is required on the VPS.
  • net.ipv4.conf.wg0.rp_filter=0 was set during forwarding troubleshooting; confirm whether this sysctl needs to be persisted on the VPS.
  • Fedora-specific SELinux SSH port handling (semanage ssh_port_t) appears in history; confirm it can remain excluded on NixOS.

Verification Steps

  • T001: test -f ./iptables && test -f ./secrets/ssh/ed25519_deploy.pub && test -f ./secrets/ssh/ed25519_lidarr-reports.pub && test -f ./secrets/wireguard.yaml
  • T002: verify this section exists in /home/jawz/Development/NixOS/specs/004-vps-migration/quickstart.md
  • T003: rg -n "mainServer|enableProxy" hosts/server/toggles.nix modules/modules.nix
  • T004: rg -n "wireguard|wg0|services.wireguard" modules/services/wireguard.nix hosts/vps/configuration.nix
  • T005: rg -n "vps|45.33.0.228|programs.ssh" config/jawz.nix modules/modules.nix
  • T006: rg -n "/etc/caddy/Caddyfile.d" sudo_hist jawz_hist
  • T007: rg -n 'mainServer = "vps"' hosts/server/toggles.nix modules/modules.nix
  • T008: rg -n "enableProxy = true" hosts/vps/toggles.nix hosts/vps/configuration.nix hosts/server/toggles.nix
  • T009: ensure Caddy vs Nix comparison section remains in this file
  • T010: rg -n "iqQCY4iAWO-ca/pem|certPath|proxyReversePrivate" modules/network/nginx.nix modules/servers
  • T011: rg -n "nftables|forwardPorts|vps-snat" hosts/vps/configuration.nix
  • T012: rg -n "services.wireguard.enable = true" hosts/vps/configuration.nix
  • T013: confirm wireguard/private exists in secrets/wireguard.yaml
  • T014: rg -n "10.77.0.1/24|10.8.0.1/24|10.9.0.1/24|AllowedIPs|allowedIPs" modules/services/wireguard.nix
  • T015: rg -n "users\\.deploy|users\\.lidarr-reports|ed25519_deploy|ed25519_lidarr-reports" hosts/vps/configuration.nix
  • T016: rg -n "workstation|server|deacero|galaxy" hosts/vps/configuration.nix
  • T017: rg -n "ports = \\[ 3456 \\]|PermitRootLogin = \"no\"" hosts/vps/configuration.nix
  • T018: rg -n "sudo-rs\\.extraRules|nixos-rebuild|nixremote" hosts/vps/configuration.nix
  • T019: rg -n "nixworkstation" hosts/vps/configuration.nix
  • T020: rg -n "45\\.33\\.0\\.228" modules/modules.nix config/jawz.nix
  • T021: rg -n "endpoint = .*my\\.ips\\.vps" hosts/server/configuration.nix
  • T022: verify "Clarification Candidates From History Review" section exists in this file
  • T023: rg -n "Migrate analytics data|Export analytics|Import.*analytics|Validate historical data" /home/jawz/Development/NixOS/specs/004-vps-migration/quickstart.md
  • T024: verify each task from T001-T026 has a corresponding verification line in this section
  • T025: rg -n "caddy|Caddy" README.org docs || true and confirm no active-proxy references remain outside legacy migration notes
  • T026: rg -n "T0[0-2][0-9]" /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md and confirm each task mentions at least one concrete path
  • T027: rg -n "modules/websites|danilo-reyes.com|blog.danilo-reyes.com|mb-report.lebubu.org" modules/websites hosts/vps/toggles.nix