- Kills all processes for a user
- Terminates login session
- Logs to syslog with reason
- Refuses to kill system users (uid < 1000)
- Closes ops-jrz1-396
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- docs/security-posture.md: Threat model, risk assessment, recommendations
- Make home directories private (chmod 700)
- Update learner-add.sh to create private homes
- Closes ops-jrz1-k2a
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Check opencode (system package) instead of claude
- Add nodejs check for npm-based tool installation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove manual /usr/local/bin/claude install
- Remove claude symlink setup from learner-add.sh
- Update onboarding docs with npm install instructions
- Users choose their AI coder: claude, opencode, gemini, codex
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- opencode (v1.0.224) via flake input from github:sst/opencode
- nodejs_22 for npm-based AI tools (gemini-cli, codex)
- Closes ops-jrz1-ecw
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- tmux for session persistence
- beads (bd CLI) via flake input from github:steveyegge/beads
- Closes ops-jrz1-d38, ops-jrz1-jvt
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Install claude binary to /usr/local/bin
- Symlink to ~/.local/bin for users (in PATH)
- Update learner-add.sh to set up symlink for new users
- Add /usr/local/bin to PATH via shellInit
- test-learner-env.sh: SSH, nix-ld, Slack tokens, Python, API connectivity
- test-slack-bolt.py: Socket Mode connection test
- Makefile: test runner with env/slack-bolt/vscode targets
- Add python3 + uv to system packages
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- learner-add.sh: add users to learners group, source Slack env
- New design doc comparing direct Slack vs maubot/Matrix approach
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use 'users' group instead of per-user groups
- Remove shell specification (NixOS has different paths)
- Use 'ip' command instead of 'hostname -I' for IP detection
Added comprehensive documentation:
- Manual workaround for sender_localpart registration bug
- QA testing checklist for untested features
- Future monitoring/alerting requirements
- Current architecture diagram and data flow
- Security model and operational notes
Changes:
- Fix nginx proxy_pass directives to use 127.0.0.1 instead of localhost
- Fix bridge homeserverUrl to use explicit IPv4 address
- Enable debug logging on conduwuit
- Add spec-kit framework files to .gitignore
- Document deployment in comprehensive worklog

Resolves connection refused errors from localhost resolving to IPv6 [::1]
while services bind only to IPv4 127.0.0.1. Bridge now fully operational
with bidirectional Slack-Matrix message flow working.
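
The failure mode this commit message describes, reproduced as an added example (not code from the repository): a listener bound only to 127.0.0.1 accepts IPv4 loopback connections and rejects ::1, so a client that resolves `localhost` to ::1 first sees a connection error. The function names are hypothetical and the port is chosen by the kernel.

```python
import socket

def listen_ipv4_loopback():
    """Bind a listener to 127.0.0.1 only, like the services the commit mentions."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    srv.listen(8)
    return srv, srv.getsockname()[1]

def can_connect(family, addr, port, timeout=1.0):
    """Return True if a TCP connection to addr:port succeeds."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return True
    except OSError:  # refused, unreachable, or address family unsupported
        return False

def probe_name(name, port):
    """Try every address `name` resolves to, in resolver order."""
    try:
        infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # name does not resolve on this host
    return [(sa[0], can_connect(fam, sa[0], port)) for fam, _, _, _, sa in infos]

def demo():
    """Compare explicit IPv4, explicit IPv6 and name-based connection attempts."""
    srv, port = listen_ipv4_loopback()
    try:
        return {
            "127.0.0.1": can_connect(socket.AF_INET, "127.0.0.1", port),
            "::1": can_connect(socket.AF_INET6, "::1", port),
            "localhost": probe_name("localhost", port),
        }
    finally:
        srv.close()

if __name__ == "__main__":
    for target, outcome in demo().items():
        print(target, "->", outcome)
```

Any `(address, False)` pair in the `localhost` entry is an address the name resolves to that the IPv4-only listener does not serve, which is why pinning the upstream to 127.0.0.1 removes the ambiguity.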
Successfully deployed ops-jrz1 Matrix platform to production VPS using
extracted modules from ops-base. Validated deployment workflow following
ops-base best practices: boot -> reboot -> verify.

Changes:
- Pin sops-nix to June 2024 version for nixpkgs 24.05 compatibility
- Configure sops secrets for Matrix registration token and ACME email
- Add encrypted secrets.yaml (safe to commit, encrypted with age)
- Document deployment process and lessons learned

All services verified running:
- Matrix homeserver (matrix-continuwuity): conduwuit 0.5.0-rc.8
- nginx: Proxying Matrix and Forgejo
- PostgreSQL 15.10: Database services
- Forgejo 7.0.12: Git platform
Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
- Configure pkgs-unstable with permittedInsecurePackages in flake.nix
- Matches VM configuration approach
- Allows mautrix bridges to build successfully
- Add permittedInsecurePackages for deprecated olm library
- Required by mautrix-slack, mautrix-whatsapp, mautrix-gmessages bridges
- Acceptable risk for Matrix bridge functionality until alternatives available
- Accept Let's Encrypt terms of service
- Configure email for certificate notifications (dlei@duck.com)
- Nginx virtual hosts already configured with enableACME and forceSSL

Ready for deployment to VPS.