# Quickstart: VPS Migration

## Prerequisites

- Access to this repo and the new VPS host configuration
- Existing iptables ruleset file available at repo root (reference for nftables parity): `iptables`
- VPN keys present in the secrets system
- SSH public keys present in `secrets/ssh/`

## Steps

- Review the spec and clarifications: `/home/jawz/Development/NixOS/specs/004-vps-migration/spec.md`
- Ensure secrets are available:
  - VPN private/public keys are stored in the secrets system
  - `secrets/ssh/ed25519_deploy.pub` and `secrets/ssh/ed25519_lidarr-reports.pub` exist
- Update host configuration:
  - Set new VPS as primary reverse proxy host
  - Enable proxying for all enabled services (services remain on host server)
  - Apply nftables/NixOS firewall rules derived from the iptables reference
  - Enable wireguard on VPS and expose port
  - Add service users and admin SSH keys
  - Update VPS public IP to `45.33.0.228` in SSH configuration
  - Update host server VPN client to target the new VPS
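One way to check the "derived from the iptables reference" step before cutting over, as an added shell example that is not code from this repo: it extracts the TCP/UDP ports accepted by an iptables-save style ruleset and by `nft list ruleset` output, then lists the ports the legacy ruleset allowed that the new one does not. It only looks at `-j ACCEPT` rules carrying `--dport` and at `tcp|udp dport ... accept` rules (not source-based or conntrack rules), and both rulesets below are constructed sample data with illustrative port numbers; run it against `./iptables` and the live `nft list ruleset` output on the VPS instead.

```shell
#!/usr/bin/env sh
# Added example, not code from this repo: port parity check between the
# legacy iptables reference and an nftables ruleset.
export LC_ALL=C   # identical collation for sort and comm

# Constructed iptables-save style reference (sample data, not ./iptables).
IPTABLES_REF='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 3456 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A INPUT -p udp -m udp --dport 6969 -j ACCEPT
COMMIT'

# Constructed `nft list ruleset` excerpt (sample data, not the VPS ruleset).
NFT_RULESET='table inet nixos-fw {
  chain input {
    type filter hook input priority 0; policy drop;
    tcp dport { 80, 443, 3456 } accept
    udp dport 51820 accept
  }
}'

# "proto/port" for every ACCEPT rule carrying --dport in an iptables ruleset.
iptables_ports() {
  printf '%s\n' "$1" \
    | grep -- '-j ACCEPT' | grep -- '--dport' \
    | sed -n 's/.*-p \([a-z]*\).*--dport \([0-9]*\).*/\1\/\2/p' \
    | sort -u
}

# "proto/port" for every accept rule in nft output; expands "{ a, b }" sets.
nft_ports() {
  printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*(tcp|udp) dport .* accept' \
    | sed -E 's/^[[:space:]]*(tcp|udp) dport \{?[[:space:]]*([0-9, ]+)\}?[[:space:]]*accept.*/\1 \2/' \
    | while read -r proto ports; do
        printf '%s\n' "$ports" | tr ',' '\n' | tr -d ' ' | sed "s|^|$proto/|"
      done \
    | sort -u
}

# Ports the iptables reference accepts that the nftables ruleset does not.
# Empty output means parity for accepted ports.
missing_in_nft() {
  a=$(mktemp); b=$(mktemp)
  iptables_ports "$1" > "$a"
  nft_ports "$2" > "$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

echo "accepted by iptables but not by nftables:"
missing_in_nft "$IPTABLES_REF" "$NFT_RULESET"
```

With the sample data the gap it reports is TCP/UDP 6969, the opentracker ports listed under the clarification candidates; that is exactly the kind of leftover the check is meant to surface so it can be dropped or ported deliberately.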
- Provide and review legacy proxy config snapshot:
  - Supply caddy files for subdomain comparison
  - Treat caddy as migration input only; nginx is the only proxy target for NixOS runtime

### Caddy vs Nix Subdomain Comparison (from provided `caddy/` directory)

Caddy-only domains (present in caddy, not found in current Nix server hosts):

- danilo-reyes.com
- www.danilo-reyes.com
- blog.danilo-reyes.com
- www.blog.danilo-reyes.com
- mb-report.lebubu.org
- torrent.lebubu.org

Nix-only domains (present in Nix server hosts, not in caddy config):

- auth-proxy.lebubu.org
- comments.danilo-reyes.com
- flix.rotehaare.art
- 55a608953f6d64c199.lebubu.org
- pYLemuAfsrzNBaH77xSu.lebubu.org
- bookmarks.lebubu.org
- drpp.lebubu.org
- portfolio.lebubu.org
- qampqwn4wprhqny8h8zj.lebubu.org
- requests.lebubu.org
- start.lebubu.org
- sync.lebubu.org
- tranga.lebubu.org

Notes:

- `auth-proxy.lebubu.org` appears only in `15-private.caddyfile__` (not imported by Caddy), so it is currently inactive in caddy.
- `danilo-reyes.com` and `blog.danilo-reyes.com` are handled as static sites in caddy; Nix has `my.websites.portfolio` and `isso`, which may need mapping to these domains.
- `mb-report.lebubu.org` and `torrent.lebubu.org` are present in caddy but no matching Nix server host was found.
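A way to regenerate the comparison above from the inputs instead of by hand, as an added shell example that is not code from this repo. It assumes that site blocks in the caddy files open with a line of the form `host {` or `host1, host2 {`, that Caddy only imports files matching `*.caddyfile` (so a name ending in `__` is skipped, as the notes describe), and that Nix hosts are declared as `services.nginx.virtualHosts."<host>"`; the files it writes are constructed samples holding only a few of the domains listed above.

```shell
#!/usr/bin/env sh
# Added example, not code from this repo: list domains present only in the
# legacy caddy/ snapshot or only in the Nix nginx virtualHosts.
export LC_ALL=C

# Write a constructed caddy/ snapshot and a Nix host file under "$1".
make_sample_inputs() {
  mkdir -p "$1/caddy" "$1/nix"
  cat > "$1/caddy/10-sites.caddyfile" <<'EOF'
danilo-reyes.com, www.danilo-reyes.com {
    root * /srv/www/portfolio
    file_server
}
blog.danilo-reyes.com {
    root * /srv/www/blog
    file_server
}
torrent.lebubu.org {
    reverse_proxy 10.77.0.2:8080
}
EOF
  # A trailing "__" keeps the file outside Caddy's *.caddyfile import glob.
  cat > "$1/caddy/15-private.caddyfile__" <<'EOF'
auth-proxy.lebubu.org {
    reverse_proxy 10.77.0.2:9091
}
EOF
  cat > "$1/nix/hosts.nix" <<'EOF'
{
  services.nginx.virtualHosts."auth-proxy.lebubu.org".locations."/".proxyPass = "http://10.77.0.2:9091";
  services.nginx.virtualHosts."flix.rotehaare.art".locations."/".proxyPass = "http://10.77.0.2:8096";
  services.nginx.virtualHosts."torrent.lebubu.org".locations."/".proxyPass = "http://10.77.0.2:8080";
}
EOF
}

# Hostnames from the site-block headers of every imported *.caddyfile
# (so 15-private.caddyfile__ is ignored). Splits "a, b {" into two names.
caddy_domains() {
  cat "$1"/*.caddyfile \
    | grep -E '^[A-Za-z0-9.-]+(, *[A-Za-z0-9.-]+)* *\{ *$' \
    | sed -E 's/ *\{ *$//' | tr ',' '\n' | tr -d ' ' \
    | sort -u
}

# Hostnames declared as services.nginx.virtualHosts."<host>" in Nix files.
nix_domains() {
  grep -rhoE 'virtualHosts\."[^"]+"' "$1" \
    | sed -E 's/virtualHosts\."([^"]+)"/\1/' \
    | sort -u
}

# Domains in caddy but not in Nix (argument 1: caddy dir, 2: nix dir).
caddy_only() {
  a=$(mktemp); b=$(mktemp)
  caddy_domains "$1" > "$a"; nix_domains "$2" > "$b"
  comm -23 "$a" "$b"; rm -f "$a" "$b"
}

# Domains in Nix but not in caddy.
nix_only() {
  a=$(mktemp); b=$(mktemp)
  caddy_domains "$1" > "$a"; nix_domains "$2" > "$b"
  comm -13 "$a" "$b"; rm -f "$a" "$b"
}

SAMPLE=$(mktemp -d)
make_sample_inputs "$SAMPLE"
echo "caddy-only:"; caddy_only "$SAMPLE/caddy" "$SAMPLE/nix"
echo "nix-only:";   nix_only   "$SAMPLE/caddy" "$SAMPLE/nix"
rm -rf "$SAMPLE"
```

On the sample, `auth-proxy.lebubu.org` lands in the Nix-only list even though a caddy file mentions it, because that file's `__` suffix keeps it out of the import glob; that matches the first note above and is the reason the script reads `*.caddyfile` rather than every file in the directory.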
- Migrate analytics data:
  - Identify the analytics system (e.g., Plausible) and its data store location or database
  - Freeze writes during export (stop the analytics service or enable maintenance mode)
  - Export analytics data from the existing server (db dump or data directory archive)
  - Transfer the export to the new server using the secure path already used for secrets/config
  - Import the data on the new server and restart the analytics service
  - Validate historical data is present (date range coverage, dashboard counts, and sample events)
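The export and import commands depend on the analytics system chosen in the first sub-step, but the validation at the end can be made mechanical. The added shell example below is not code from this repo: it takes a `day,count` list recorded on the source while writes are frozen and the same query's output on the destination after the import, then reports the date range on each side, days missing from the destination, and days whose counts differ. The two lists are constructed sample data; in practice each comes from the same per-day query run against the analytics database on its side.

```shell
#!/usr/bin/env sh
# Added example, not code from this repo: check that per-day event counts
# captured on the source before the export match the destination after import.
export LC_ALL=C   # same collation for sort and join

# Constructed "day,count" lists (sample data, deliberately unsorted on one side).
SRC_COUNTS='2024-01-01,120
2024-01-03,143
2024-01-02,98
2024-01-04,110'
DST_COUNTS='2024-01-01,120
2024-01-02,98
2024-01-03,140'

# Normalise a "day,count" list: blank lines dropped, sorted by day for join.
sorted_counts() { printf '%s\n' "$1" | grep -v '^$' | sort -t, -k1,1; }

# First and last day of a list as "first last" (date range coverage check).
date_range() {
  s=$(sorted_counts "$1")
  printf '%s %s\n' "$(printf '%s\n' "$s" | head -n 1 | cut -d, -f1)" \
                   "$(printf '%s\n' "$s" | tail -n 1 | cut -d, -f1)"
}

# Days present on the source but absent on the destination.
missing_days() {
  a=$(mktemp); b=$(mktemp)
  sorted_counts "$1" > "$a"; sorted_counts "$2" > "$b"
  join -t, -v 1 "$a" "$b" | cut -d, -f1
  rm -f "$a" "$b"
}

# Days present on both sides whose counts differ: "day src_count dst_count".
count_mismatches() {
  a=$(mktemp); b=$(mktemp)
  sorted_counts "$1" > "$a"; sorted_counts "$2" > "$b"
  join -t, "$a" "$b" | awk -F, '$2 != $3 { print $1, $2, $3 }'
  rm -f "$a" "$b"
}

# Exit status 0 only when every source day is present with an identical count.
validate_import() {
  [ -z "$(missing_days "$1" "$2")" ] && [ -z "$(count_mismatches "$1" "$2")" ]
}

echo "source range:      $(date_range "$SRC_COUNTS")"
echo "destination range: $(date_range "$DST_COUNTS")"
echo "missing days:";     missing_days "$SRC_COUNTS" "$DST_COUNTS"
echo "count mismatches:"; count_mismatches "$SRC_COUNTS" "$DST_COUNTS"
if validate_import "$SRC_COUNTS" "$DST_COUNTS"; then
  echo "import validated"
else
  echo "import incomplete: re-check the export or the import step"
fi
```

Capturing the source counts only after writes are frozen matters: otherwise the source keeps growing during the export and the comparison reports spurious mismatches on the last day.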
- Run verification steps for each task (per spec FR-012).

## Clarification Candidates From History Review

- `opentracker` was installed and enabled (`systemctl enable --now opentracker`) with firewall rules for TCP/UDP 6969; confirm whether the tracker service is still required on NixOS.
- `ip6tables` was enabled on Fedora (`systemctl enable ip6tables`); confirm whether an equivalent IPv6 policy is required on the VPS.
- `net.ipv4.conf.wg0.rp_filter=0` was set during forwarding troubleshooting; confirm whether this sysctl needs to be persisted on the VPS.
- Fedora-specific SELinux SSH port handling (`semanage ssh_port_t`) appears in history; confirm it can remain excluded on NixOS.
## Verification Steps

- T001: `test -f ./iptables && test -f ./secrets/ssh/ed25519_deploy.pub && test -f ./secrets/ssh/ed25519_lidarr-reports.pub && test -f ./secrets/wireguard.yaml`
- T002: verify this section exists in `/home/jawz/Development/NixOS/specs/004-vps-migration/quickstart.md`
- T003: `rg -n "mainServer|enableProxy" hosts/server/toggles.nix modules/modules.nix`
- T004: `rg -n "wireguard|wg0|services.wireguard" modules/services/wireguard.nix hosts/vps/configuration.nix`
- T005: `rg -n "vps|45.33.0.228|programs.ssh" config/jawz.nix modules/modules.nix`
- T006: `rg -n "/etc/caddy/Caddyfile.d" sudo_hist jawz_hist`
- T007: `rg -n 'mainServer = "vps"' hosts/server/toggles.nix modules/modules.nix`
- T008: `rg -n "enableProxy = true" hosts/vps/toggles.nix hosts/vps/configuration.nix hosts/server/toggles.nix`
- T009: ensure the Caddy vs Nix comparison section remains in this file
- T010: `rg -n "iqQCY4iAWO-ca/pem|certPath|proxyReversePrivate" modules/network/nginx.nix modules/servers`
- T011: `rg -n "nftables|forwardPorts|vps-snat" hosts/vps/configuration.nix`
- T012: `rg -n "services.wireguard.enable = true" hosts/vps/configuration.nix`
- T013: confirm `wireguard/private` exists in `secrets/wireguard.yaml`
- T014: `rg -n "10.77.0.1/24|10.8.0.1/24|10.9.0.1/24|AllowedIPs|allowedIPs" modules/services/wireguard.nix`
- T015: `rg -n "users\\.deploy|users\\.lidarr-reports|ed25519_deploy|ed25519_lidarr-reports" hosts/vps/configuration.nix`
- T016: `rg -n "workstation|server|deacero|galaxy" hosts/vps/configuration.nix`
- T017: `rg -n "ports = \\[ 3456 \\]|PermitRootLogin = \"no\"" hosts/vps/configuration.nix`
- T018: `rg -n "sudo-rs\\.extraRules|nixos-rebuild|nixremote" hosts/vps/configuration.nix`
- T019: `rg -n "nixworkstation" hosts/vps/configuration.nix`
- T020: `rg -n "45\\.33\\.0\\.228" modules/modules.nix config/jawz.nix`
- T021: `rg -n "endpoint = .*my\\.ips\\.vps" hosts/server/configuration.nix`
- T022: verify the "Clarification Candidates From History Review" section exists in this file
- T023: `rg -n "Migrate analytics data|Export analytics|Import.*analytics|Validate historical data" /home/jawz/Development/NixOS/specs/004-vps-migration/quickstart.md`
- T024: verify each task from T001-T026 has a corresponding verification line in this section
- T025: `rg -n "caddy|Caddy" README.org docs || true` and confirm no active-proxy references remain outside legacy migration notes
- T026: `rg -n "T0[0-2][0-9]" /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md` and confirm each task mentions at least one concrete path
- T027: `rg -n "modules/websites|danilo-reyes.com|blog.danilo-reyes.com|mb-report.lebubu.org" modules/websites hosts/vps/toggles.nix`