From b8e00b75f6141bf6ab318fcee27d356d0244e618 Mon Sep 17 00:00:00 2001
From: Dan
Date: Mon, 20 Oct 2025 23:55:47 -0700
Subject: [PATCH] Add VM testing configuration for pre-deployment validation

- Add ops-jrz1-vm NixOS configuration to flake outputs
- Create hosts/ops-jrz1-vm.nix with VM-specific settings
- Configure test credentials (root:test) for local testing
- Import all Matrix platform modules for validation
- Enable VM testing workflow to catch deployment issues early

The VM config uses specialArgs to pass pkgs-unstable for Matrix packages while keeping the base system on nixpkgs 24.05 stable.
---
 flake.nix | 17 +++++++++++
 hosts/ops-jrz1-vm.nix | 71 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)
 create mode 100644 hosts/ops-jrz1-vm.nix

diff --git a/flake.nix b/flake.nix
index cef7560..85c0d36 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,6 +13,7 @@
 outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, ... }@inputs: {
 nixosConfigurations = {
+ # Production configuration (for actual VPS deployment)
 ops-jrz1 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = {
@@ -27,6 +28,22 @@
 sops-nix.nixosModules.sops
 ];
 };
+
+ # VM testing configuration (for local validation before deployment)
+ ops-jrz1-vm = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = {
+ pkgs-unstable = import nixpkgs-unstable {
+ system = "x86_64-linux";
+ config.allowUnfree = true;
+ };
+ };
+ modules = [
+ ./configuration.nix
+ ./hosts/ops-jrz1-vm.nix
+ # Note: No sops-nix for VM testing
+ ];
+ };
 };
 };
 }
diff --git a/hosts/ops-jrz1-vm.nix b/hosts/ops-jrz1-vm.nix
new file mode 100644
index 0000000..76de4bb
--- /dev/null
+++ b/hosts/ops-jrz1-vm.nix
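Review bot: The new `ops-jrz1-vm` output in the second hunk copies the production `specialArgs` block verbatim (`pkgs-unstable = import nixpkgs-unstable { system = "x86_64-linux"; config.allowUnfree = true; };`), so the VM and the real host will drift apart the first time one copy is edited; hoisting it into a `let pkgs-unstable = import nixpkgs-unstable { ... }; in` above `nixosConfigurations` and referencing it from both outputs keeps the VM on exactly the package set that ships. Because this output also drops `sops-nix.nixosModules.sops` and, per the new host file, the secrets module, the part of a deployment most likely to break at switch time — secret paths and key material — is exactly what this pre-deployment check does not exercise; that limitation belongs in the comment, e.g. `# Note: No sops-nix for VM testing -- secret wiring is NOT validated by this output`. Whether `./configuration.nix` itself references any `sops.*` option is not visible in this hunk.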
@@ -0,0 +1,71 @@
+# VM testing configuration for ops-jrz1
+# This configuration allows testing without real secrets
+{ config, pkgs, pkgs-unstable, lib, ... }:
+
+{
+ imports = [
+ # Import all modules (same as production)
+ ../modules/matrix-continuwuity.nix
+ ../modules/mautrix-slack.nix
+ ../modules/mautrix-whatsapp.nix
+ ../modules/mautrix-gmessages.nix
+ ../modules/dev-services.nix
+ ../modules/security/fail2ban.nix
+ ../modules/security/ssh-hardening.nix
+ # Note: Skip matrix-secrets for VM (no sops-nix in VM)
+ ];
+
+ # VM-specific settings
+ networking.hostName = "ops-jrz1-vm";
+
+ # Enable services for testing (using test values)
+ services.matrix-homeserver = {
+ enable = true;
+ domain = "matrix.example.org";
+ port = 8008;
+ enableRegistration = true;
+ enableFederation = false;
+ };
+
+ # Enable Slack bridge for testing structure
+ services.mautrix-slack = {
+ enable = true;
+ matrix = {
+ homeserverUrl = "http://127.0.0.1:8008";
+ serverName = "matrix.example.org";
+ };
+ bridge = {
+ permissions = {
+ "matrix.example.org" = "user";
+ "@admin:matrix.example.org" = "admin";
+ };
+ };
+ };
+
+ # PostgreSQL for bridge databases
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "mautrix_slack" ];
+ ensureUsers = [{
+ name = "mautrix_slack";
+ ensureDBOwnership = true;
+ }];
+ };
+
+ # Disable sops-nix for VM (no real secrets available)
+ # The matrix-secrets module isn't imported, so no sops config needed
+
+ # VM-specific: Allow password auth for easy VM access
+ services.openssh.settings.PasswordAuthentication = lib.mkForce true;
+
+ # VM-specific: Simple root password for testing
+ users.users.root.password = "test";
+
+ # VM-specific: More permissive firewall for testing
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 80 443 8008 3000 ];
+ };
+
+ system.stateVersion = "24.05";
+}
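Review bot: `users.users.root.password = "test";` together with `services.openssh.settings.PasswordAuthentication = lib.mkForce true;` and port 22 in `allowedTCPPorts` puts a known root credential and password SSH into a flake output that sits beside the production one, and nothing in this file prevents `nixos-rebuild switch --flake .#ops-jrz1-vm` from landing it on a real machine (whether root can actually authenticate over SSH depends on what `../modules/security/ssh-hardening.nix` sets for PermitRootLogin, which is not visible here). The `mkForce` also silently undoes whatever that hardening module chose for PasswordAuthentication, so the VM no longer validates the SSH settings that will ship. Scoping the test-only overrides to `virtualisation.vmVariant` makes them apply only to the `nixos-rebuild build-vm` artifact, and the header comment should state the consequence, e.g. `# Test-only credentials: this output is for build-vm only and must never be switched onto a network-reachable host`. Note that `users.users.<name>.password` is stored in plaintext in the world-readable Nix store, which is acceptable for a throwaway VM but worth saying next to the assignment.
```nix
# … unchanged: imports, hostName, matrix-homeserver, mautrix-slack, postgresql …

# Test-only access settings apply only to the VM variant (nixos-rebuild build-vm);
# a plain switch of this output keeps the hardened SSH settings and no root password.
virtualisation.vmVariant = {
  services.openssh.settings.PasswordAuthentication = lib.mkForce true;
  users.users.root.password = "test";  # plaintext in the Nix store; throwaway VM only
  networking.firewall.allowedTCPPorts = [ 22 80 443 8008 3000 ];
};

networking.firewall.enable = true;

system.stateVersion = "24.05";
```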