NixOS/specs/004-vps-migration/plan.md

# Implementation Plan: VPS Migration

**Branch**: `004-vps-migration` | **Date**: 2026-02-04 | **Spec**: /home/jawz/Development/NixOS/specs/004-vps-migration/spec.md
**Input**: Feature specification from `/specs/004-vps-migration/spec.md`

## Summary

Migrate VPS responsibilities to the new NixOS host by making it the primary reverse-proxy host (nginx only), mirroring the existing iptables ruleset, enabling wireguard with secret-managed keys, and restoring SSH/service-user access, while keeping all services running on the host server. Provide validation steps, review historical configs for gaps, and document analytics data migration.

## Technical Context

**Language/Version**: Nix (flakes; nixpkgs 25.11)  
**Primary Dependencies**: NixOS modules, sops-nix, nginx, wireguard, openssh, iptables  
**Storage**: Files (configuration and secrets)  
**Testing**: Manual validation steps (no automated test harness)  
**Target Platform**: Linux server (NixOS)  
**Project Type**: configuration repo  
**Performance Goals**: N/A (configuration change)  
**Constraints**: Services remain on host server; VPS only terminates proxy and exposes wireguard port; iptables parity required  
**Scale/Scope**: Single VPS + host server, small set of VPN peers and admin SSH principals

## Constitution Check

No enforceable constitution rules are defined (placeholders only). Gate passes by default.

Post-design check: unchanged (no enforceable gates found).

## Project Structure

### Documentation (this feature)

```text
specs/004-vps-migration/
├── plan.md
├── research.md
├── data-model.md
├── quickstart.md
├── contracts/
└── tasks.md
```

### Source Code (repository root)

```text
hosts/
modules/
secrets/
iptables
scripts/
```

**Structure Decision**: Use the existing NixOS configuration layout (`hosts/`, `modules/`, `secrets/`) and the root `iptables` ruleset file.