Implementation Plan: VPS Migration
Branch: 004-vps-migration | Date: 2026-02-04 | Spec: /home/jawz/Development/NixOS/specs/004-vps-migration/spec.md
Input: Feature specification from /specs/004-vps-migration/spec.md
Summary
Migrate VPS responsibilities to the new NixOS host: make it the primary reverse-proxy host (nginx only), mirror the existing iptables ruleset with nftables/NixOS equivalents, enable wireguard with keys managed as secrets, and restore SSH/service-user access, while keeping all services running on the host server. Provide validation steps, review historical configs for gaps, and document the analytics data migration.
Technical Context
Language/Version: Nix (flakes; nixpkgs 25.11)
Primary Dependencies: NixOS modules, sops-nix, nginx, wireguard, openssh, nftables (with the existing iptables ruleset as the reference)
Storage: Files (configuration and secrets)
Testing: Manual validation steps (no automated test harness)
Target Platform: Linux server (NixOS)
Project Type: configuration repo
Performance Goals: N/A (configuration change)
Constraints: Services remain on the host server; the VPS only terminates the reverse proxy and exposes the wireguard port; nftables parity with the iptables ruleset is required
Scale/Scope: Single VPS + host server, small set of VPN peers and admin SSH principals
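As an added illustration (not the repository's own configuration) of how the summary and constraints above map onto NixOS options: firewall rendered as nftables, wireguard keyed from sops-nix, nginx as the only exposed service, proxying over the tunnel. The tunnel subnet, interface name wg0, secret name, domain, upstream port and peer key are assumed placeholders.

```nix
{ config, ... }:
{
  # Firewall parity: the NixOS firewall is rendered as nftables, not iptables.
  networking.nftables.enable = true;
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 80 443 ]; # SSH and nginx only; no other services live on the VPS
    allowedUDPPorts = [ 51820 ];     # wireguard listen port (assumed)
    trustedInterfaces = [ "wg0" ];   # traffic inside the tunnel is trusted
  };

  # Wireguard private key is supplied by sops-nix, never written into the Nix store.
  sops.secrets."wireguard/vps-private-key" = { };  # assumed secret name
  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.100.0.1/24" ];  # assumed tunnel subnet
    listenPort = 51820;
    privateKeyFile = config.sops.secrets."wireguard/vps-private-key".path;
    peers = [{
      publicKey = "<HOST_SERVER_PUBLIC_KEY>";  # placeholder, not a real key
      allowedIPs = [ "10.100.0.2/32" ];        # the host server's tunnel address
    }];
  };

  # The VPS only terminates TLS and proxies to the host server across the tunnel.
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."app.example.invalid" = {  # placeholder domain
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://10.100.0.2:8080";  # assumed upstream port
    };
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@example.invalid";  # placeholder
  };

  # Admin SSH access: key-based only, no root password login.
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    settings.PermitRootLogin = "prohibit-password";
  };
}
```

For the manual parity check, compare the output of `nft list ruleset` on the rebuilt VPS against the root iptables reference file, chain by chain.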
Constitution Check
No enforceable constitution rules are defined (placeholders only). Gate passes by default.
Post-design check: unchanged (no enforceable gates found).
Project Structure
Documentation (this feature)
specs/004-vps-migration/
├── plan.md
├── research.md
├── data-model.md
├── quickstart.md
├── contracts/
└── tasks.md
Source Code (repository root)
hosts/
modules/
secrets/
iptables (reference ruleset)
scripts/
Structure Decision: Use the existing NixOS configuration layout (hosts/, modules/, secrets/) and the root iptables ruleset file as the reference for nftables parity.