# ops-jrz1 NixOS Server Configuration

**Status**: Work in Progress - Matrix Platform Extraction

This repository contains the NixOS configuration for the ops-jrz1 dev/test server, including Matrix homeserver modules and bridge configurations extracted from the ops-base production environment.

## Overview

The ops-jrz1 server provides a Matrix homeserver (Continuwuity/Conduwuit) with bridges for:

- Slack (mautrix-slack)
- WhatsApp (mautrix-whatsapp)
- Google Messages (mautrix-gmessages)

Additional services:

- Security hardening (fail2ban, SSH hardening)
- Secrets management (sops-nix with age encryption)

## Current Status

**Phase**: Extracting and sanitizing modules from ops-base

- [x] Repository structure created
- [x] Skeleton configuration files (flake.nix, configuration.nix, hosts/ops-jrz1.nix)
- [x] Sanitization and validation scripts
- [x] Git hooks for security validation
- [ ] Module extraction from ops-base
- [ ] Documentation (deployment guides, bridge setup)
- [ ] Server deployment and testing

## Repository Structure

```
ops-jrz1/
├── flake.nix                    # Nix flake configuration
├── configuration.nix            # Main NixOS configuration
├── hosts/
│   └── ops-jrz1.nix             # Server-specific configuration
├── modules/                     # Extracted Matrix platform modules (pending)
├── docs/                        # Deployment and setup documentation (pending)
├── secrets/                     # sops-nix encrypted secrets (gitignored)
├── scripts/                     # Sanitization and validation scripts
│   ├── sanitize-files.sh
│   └── validate-sanitization.sh
└── specs/                       # Project planning and specifications
    └── 001-extract-matrix-platform/
```

## Planned Features

### Matrix Homeserver

- **Continuwuity/Conduwuit**: Lightweight Rust-based Matrix homeserver
- Federation support
- User registration with registration tokens
- Admin room for management

### Bridges

- **Slack**: Socket Mode authentication, workspace integration
- **WhatsApp**: QR code pairing, message synchronization
- **Google Messages**: Pairing flow, SMS/MMS support

### Security & Operations

- **fail2ban**: Intrusion prevention
- **SSH hardening**: Key-only authentication, restricted access
- **sops-nix**: Encrypted secrets management with age keys
- **Git hooks**: Pre-commit validation, pre-push build checks

## Development Workflow

### Prerequisites

- NixOS 24.05+ or Nix with flakes enabled
- SSH access to the ops-jrz1 server
- Age encryption key for secrets management

### Building Locally

```bash
# Check flake validity
nix flake check

# Build the ops-jrz1 system closure. nixosConfigurations.<host> is an
# attribute set, not a derivation, so build its toplevel attribute.
nix build .#nixosConfigurations.ops-jrz1.config.system.build.toplevel

# Deploy to the server (when ready): builds locally, then copies the
# closure over SSH and activates it on the target
nixos-rebuild switch --flake .#ops-jrz1 --target-host root@ops-jrz1
```

### Sanitization Workflow

```bash
# Extract modules from ops-base into a staging directory
./scripts/sanitize-files.sh ~/proj/ops-base/modules staging/modules

# Validate sanitization; nothing moves on until this passes
./scripts/validate-sanitization.sh staging/modules

# Move validated modules to their permanent location
mv staging/modules/* modules/
```

## Security Notes

- **Never commit secrets**: All secrets are managed via sops-nix, encrypted with age keys
- **Git hooks active**: Pre-commit hooks check for personal information leakage; pre-push hooks run build checks
- **Sanitization enforced**: All extracted code must pass validation before commit

## License

MIT License (see LICENSE file)

## Related Documentation

- Project Specification: `specs/001-extract-matrix-platform/spec.md`
- Implementation Plan: `specs/001-extract-matrix-platform/plan.md`
- Task Breakdown: `specs/001-extract-matrix-platform/tasks.md`
- Sanitization Rules: `specs/001-extract-matrix-platform/contracts/sanitization-rules.yaml`

---

**Note**: This repository is currently in active development. Documentation and deployment guides will be added as modules are extracted and tested.
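## Example: a sanitization gate as a pre-commit hook

The Sanitization Workflow and Security Notes above describe a gate between ops-base and this repository: extracted files must pass validation, and pre-commit hooks block personal-information leakage. The script below is an added illustration of such a gate in POSIX sh. It is not this repository's `scripts/validate-sanitization.sh`, and the pattern set is an assumption standing in for the rules in `contracts/sanitization-rules.yaml`, which are not shown on this page. It scans every file for material that must not leave production (key blocks, e-mail addresses, IPv4 literals, hard-coded appservice tokens or passwords, age identity keys) and additionally refuses any file under `secrets/` that does not carry sops/age encryption markers, so that a secret file staged by mistake is rejected unless it is encrypted. The `secrets/` layout and the sample tree it builds are constructed for the example.

```shell
#!/bin/sh
# Added example, not this repository's scripts/validate-sanitization.sh:
# a sanitization gate usable as a pre-commit hook. The patterns and the
# secrets/ layout are assumptions standing in for the project's
# contracts/sanitization-rules.yaml.
set -u

# One POSIX ERE per line; a match means production material is still present:
# key blocks, e-mail addresses, IPv4 literals, hard-coded appservice tokens
# or passwords, age identity keys. (Assumed rules, adjust to the contract.)
PII_PATTERNS='-----BEGIN (RSA |OPENSSH |EC |PGP )?PRIVATE KEY-----
[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}
(^|[^0-9.])([0-9]{1,3}\.){3}[0-9]{1,3}($|[^0-9.])
(as_token|hs_token|access_token|password)[[:space:]]*[:=][[:space:]]*"?[A-Za-z0-9_./+-]{8,}
AGE-SECRET-KEY-1[0-9A-Z]+'
# Lines carrying only these literals are not leaks (loopback and wildcard binds).
# Caveat: the whole line is dropped, so keep real addresses off such lines.
ALLOWED='127\.0\.0\.1|0\.0\.0\.0'

# scan_pii FILE: print offending lines as FILE:LINE:TEXT; 0 = clean, 1 = flagged.
scan_pii() {
  sp_out=$(printf '%s\n' "$PII_PATTERNS" | while IFS= read -r pat; do
             grep -nE -- "$pat" "$1" | grep -vE -- "$ALLOWED"
           done | sed "s|^|$1:|")
  [ -z "$sp_out" ] && return 0
  printf '%s\n' "$sp_out"
  return 1
}

# check_sops FILE: a sops-encrypted YAML file has ENC[AES256_GCM,...] values
# plus a top-level sops: block naming the age recipients; anything else is
# treated as plaintext. 0 = encrypted, 1 = plaintext.
check_sops() {
  grep -q 'ENC\[AES256_GCM,' "$1" && grep -q '^sops:' "$1" && grep -q 'recipient: age1' "$1"
}

# check_file ROOT FILE: every file gets the PII scan; files under ROOT/secrets/
# must also be sops-encrypted. 0 = ok, 1 = must not be committed.
check_file() {
  cf_status=0
  scan_pii "$2" || cf_status=1
  case $2 in
    "$1"/secrets/*|secrets/*)
      check_sops "$2" || { printf '%s: plaintext secret, not sops-encrypted\n' "$2"; cf_status=1; }
      ;;
  esac
  return $cf_status
}

# validate_tree DIR: run check_file over every regular file under DIR
# (e.g. staging/modules after sanitize-files.sh). 0 only if all files pass.
validate_tree() {
  vt_status=0
  vt_list=$(mktemp)
  find "$1" -type f | sort > "$vt_list"
  while IFS= read -r vt_f; do
    check_file "$1" "$vt_f" || vt_status=1
  done < "$vt_list"
  rm -f "$vt_list"
  return $vt_status
}

# validate_staged: pre-commit entry point, checks only files staged for commit
# (run from the repository root, as git hooks are). A non-zero exit aborts the commit.
validate_staged() {
  vs_status=0
  vs_list=$(mktemp)
  git diff --cached --name-only --diff-filter=ACM > "$vs_list"
  while IFS= read -r vs_f; do
    check_file . "$vs_f" || vs_status=1
  done < "$vs_list"
  rm -f "$vs_list"
  return $vs_status
}

# make_sample_tree: constructed sample (not ops-base content, option names are
# illustrative); prints its path. One clean module, one leaky module, one
# sops-encrypted secret with dummy ciphertext, one plaintext secret.
make_sample_tree() {
  ms_d=$(mktemp -d)
  mkdir -p "$ms_d/modules" "$ms_d/secrets"
  cat > "$ms_d/modules/homeserver.nix" <<'EOF'
{ config, lib, ... }:
{ services.homeserver.address = "127.0.0.1"; services.homeserver.port = 6167; }
EOF
  cat > "$ms_d/modules/mautrix-slack.nix" <<'EOF'
{ ... }:
{ services.mautrix-slack.homeserver = "http://203.0.113.10:8008";
  services.mautrix-slack.admin = "operator@example.org";
  services.mautrix-slack.as_token = "deadbeefcafef00d1234"; }
EOF
  cat > "$ms_d/secrets/bridges.yaml" <<'EOF'
slack_as_token: ENC[AES256_GCM,data:c2FtcGxl,iv:c2FtcGxlaXY=,tag:c2FtcGxldGFn,type:str]
sops:
    age:
        - recipient: age1qyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqs3290gq
    mac: ENC[AES256_GCM,data:c2FtcGxlbWFj,iv:c2FtcGxlaXY=,tag:c2FtcGxldGFn,type:str]
    version: 3.9.0
EOF
  printf 'whatsapp_as_token: plaintextbridgetoken42\n' > "$ms_d/secrets/whatsapp.yaml"
  printf '%s\n' "$ms_d"
}

# `sh sanitize-gate.sh --demo` runs the gate over the constructed sample tree.
if [ "${1:-}" = "--demo" ]; then
  demo_dir=$(make_sample_tree)
  validate_tree "$demo_dir" && echo "clean" || echo "BLOCKED"
  rm -rf "$demo_dir"
fi
```

On the sample tree the leaky module is reported three times (public IP, operator e-mail, appservice token), the plaintext secret is reported both by the PII scan and by the sops check, and the clean module passes because its loopback bind address is on the allowlist. To use it as a hook, source the file from `.git/hooks/pre-commit` and end the hook with `validate_staged`; for the staging directory of the workflow above, call `validate_tree staging/modules`. The allowlist drops whole matching lines, so a real address on the same line as `127.0.0.1` would be hidden; a real rule set should match per token rather than per line.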