Documents restore procedures for full server loss, partial restore,
and user data recovery scenarios. Includes verification checklists,
time estimates, and break-glass quick reference.
Also documents known gaps (home dirs, ACME, RocksDB consistency)
that need fixing before the runbook is production-ready.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove beads from VPS deployment (kept locally for dev workflow)
- Add slack-bot-token and slack-app-token secrets with devs group access
- Remove dead acme-email secret reference
- Increase egress limits from 30/min to 150/min (burst 60→300)
- Change egress blocking from REJECT to DROP for better app behavior
- Add egress-status script for user self-diagnosis
- Update dev-slack-direct.md with new /run/secrets access patterns
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Documents who, w, finger, write, wall, ytalk and .plan files.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add users.groups.devs for shared resources
- dev-add: check devs group exists before creating user
- dev-add: use .profile for login shell PATH setup
- dev-add: configure npm prefix and .npm-global directory
- dev-add: create AGENTS.md with friendly capability guide
- Update onboarding message with npm install examples
- Add docs/server-AGENTS.md for reference
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Covers four methods: system-wide, per-user nix profile,
per-project devShell, and external flakes.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- docs/security-posture.md: Threat model, risk assessment, recommendations
- Make home directories private (chmod 700)
- Update learner-add.sh to create private homes
- Closes ops-jrz1-k2a
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove manual /usr/local/bin/claude install
- Remove claude symlink setup from learner-add.sh
- Update onboarding docs with npm install instructions
- Users choose their AI coder: claude, opencode, gemini, codex
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- learner-add.sh: add users to learners group, source Slack env
- New design doc comparing direct Slack vs maubot/Matrix approach
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changes:
- Fix nginx proxy_pass directives to use 127.0.0.1 instead of localhost
- Fix bridge homeserverUrl to use explicit IPv4 address
- Enable debug logging on conduwuit
- Add spec-kit framework files to .gitignore
- Document deployment in comprehensive worklog
Resolves connection refused errors from localhost resolving to IPv6 [::1]
while services bind only to IPv4 127.0.0.1. Bridge now fully operational
with bidirectional Slack-Matrix message flow working.
Successfully deployed ops-jrz1 Matrix platform to production VPS using
extracted modules from ops-base. Validated deployment workflow following
ops-base best practices: boot -> reboot -> verify.
Changes:
- Pin sops-nix to June 2024 version for nixpkgs 24.05 compatibility
- Configure sops secrets for Matrix registration token and ACME email
- Add encrypted secrets.yaml (safe to commit, encrypted with age)
- Document deployment process and lessons learned
All services verified running:
- Matrix homeserver (matrix-continuwuity): conduwuit 0.5.0-rc.8
- nginx: Proxying Matrix and Forgejo
- PostgreSQL 15.10: Database services
- Forgejo 7.0.12: Git platform
Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
