NixOS/specs/004-vps-migration/tasks.md

Tasks: VPS Migration

Branch: 004-vps-migration
Date: 2026-02-04
Spec: /home/jawz/Development/NixOS/specs/004-vps-migration/spec.md
Plan: /home/jawz/Development/NixOS/specs/004-vps-migration/plan.md

Implementation Strategy

Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host server). Then complete firewall parity (US2), secure access (US3), and migration gap review + verification (US4).

Phase 1: Setup

• T001 Confirm baseline files exist: iptables, secrets/ssh/ed25519_deploy.pub, secrets/ssh/ed25519_lidarr-reports.pub, secrets system entries for VPN keys
• T002 Create working checklist placeholder for verification steps in /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md (this file)

Phase 2: Foundational

• T003 [P] Review mainServer and enableProxy options in hosts/server/toggles.nix and modules/modules.nix
• T004 [P] Review wireguard module in modules/services/wireguard.nix and VPS host config in hosts/vps/configuration.nix
• T005 [P] Review SSH host/IP settings in config/jawz.nix and modules/modules.nix for vps IP updates
• T006 [P] Review caddy file list references in ./jawz_hist and ./sudo_hist to prepare subdomain comparison inputs

Phase 3: User Story 1 (P1) - Primary VPS reverse proxy

Story goal: New VPS is primary reverse-proxy host (nginx only) while services remain on host server.

Independent test criteria: Proxy mappings resolve through VPS to host server services without relocating services.

• T007 [US1] Set mainServer to "vps" in hosts/server/toggles.nix
• T008 [US1] Enable proxying on VPS by setting my.enableProxy = true in hosts/vps/configuration.nix and ensure services in hosts/server/toggles.nix have enableProxy = true
• T009 [US1] Capture provided caddy config files (e.g., /etc/caddy/Caddyfile.d/) and compare subdomains to modules/servers/.nix domain definitions; document mismatches in specs/004-vps-migration/quickstart.md
• T010 [US1] Add shared client certificate handling from modules/servers/synapse.nix into the factory or shared module and apply it to mTLS-protected sites (use secrets/certs.yaml for client CA)

Phase 4: User Story 2 (P1) - Firewall parity

Story goal: Firewall behavior on new VPS matches old VPS by applying iptables ruleset as-is.

Independent test criteria: Known inbound/outbound flows match existing VPS behavior.

• T011 [US2] Apply firewall parity to VPS configuration using nftables/NixOS rules derived from the repo root iptables file and document any intentional deviations

Phase 5: User Story 3 (P2) - Secure access and VPN peers

Story goal: Wireguard enabled on VPS with secrets-managed keys; SSH access for service users and admin hosts.

Independent test criteria: VPN peers connect with correct addresses; SSH keys authenticate as expected.

• T012 [US3] Enable wireguard module on VPS in hosts/vps/configuration.nix (my.services.wireguard.enable = true) and ensure listen port exposed
• T013 [US3] Add sops secrets entries for wireguard keys in secrets/wireguard.yaml and confirm user-provided key material
• T014 [US3] Update wireguard peer configuration in modules/services/wireguard.nix using sops secrets refs for public/private keys (no plaintext)
• T015 [US3] Add service users and groups deploy and lidarr-reports with authorized_keys in hosts/vps/configuration.nix using secrets/ssh/ed25519_deploy.pub and secrets/ssh/ed25519_lidarr-reports.pub
• T016 [US3] Add admin SSH authorized_keys for workstation, server, deacero, galaxy in hosts/vps/configuration.nix
• T017 [US3] Configure sshd port and auth settings in hosts/vps/configuration.nix to match: Port 3456, PermitRootLogin no, PasswordAuthentication no
• T018 [US3] Harden remote rebuild access by switching to a non-root SSH user for rebuilds (nixremote) and requiring sudo for nixos-rebuild in hosts/vps/configuration.nix and modules/users/nixremote.nix
• T019 [US3] Restrict SSH access for remote rebuilds by limiting allowed users/keys for nixremote (update inputs.self.lib.getSshKeys list in hosts/vps/configuration.nix)
• T020 [US3] Update VPS IP to 45.33.0.228 in modules/modules.nix and config/jawz.nix SSH host entry
• T021 [US3] Update host server wireguard client configuration in hosts/server/configuration.nix to target the new VPS endpoint

Phase 6: User Story 4 (P3) - Migration gaps and verification

Story goal: Identify missing configuration from history logs and provide verification steps for every task.

Independent test criteria: Clarification list exists and each task has a verification step.

• T022 [US4] Review sudo_hist and jawz_hist for missing configuration; record clarification list in specs/004-vps-migration/quickstart.md
• T023 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md
• T024 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md

Phase 7: Polish & Cross-Cutting Concerns

• T025 [P] Update references to old VPS proxy logic (caddy) to ensure nginx is the only runtime proxy in README.org and docs/*.md
• T026 [P] Validate all task descriptions include explicit file paths in specs/004-vps-migration/tasks.md and update mismatches
• T027 [P] Move static site vhosts (portfolio/blog and mb-report) into modules/websites and enable them via host toggles

Dependencies

• US1 → US2 → US3 → US4

Parallel Execution Examples

• US1: T007, T008, T009 can proceed once T003 and T006 are reviewed.
• US2: T011 can proceed once iptables application location is identified.
• US3: T012, T016, T017, T018, and T020 can proceed after T004 and T005 review; T013 depends on user-provided secrets.
• US4: T022, T023, T024 can proceed independently once logs are reviewed and quickstart.md is open.

Validation

• All tasks use the required checklist format with IDs, story labels, and explicit file paths.

Verification Steps (Placeholder)

• To be filled during T024 with per-task verification steps.