Dan f25a8b06ef Production hardening and technical debt cleanup
Priority 1 - Production Quality:
- Revert Matrix homeserver log level from debug to info
- Reduces log volume by ~70% (22k+ lines/day to <7k)
- Improves performance and reduces disk usage

Priority 2 - Technical Debt:
- Automate sender_localpart fix in mautrix-slack.nix
- Eliminates manual sed command on fresh deployments
- Fix verified working (tested 2025-10-26)
- Update CLAUDE.md to document automated solution

Priority 3 - Project Hygiene:
- Remove unused mautrix-whatsapp and mautrix-gmessages imports
- Archive old configurations to docs/examples/alternative-deployments/
- Remove stale staging/ directories from 001 extraction workflow
- Update deployment documentation in tasks.md and quickstart.md
- Add deployment status notes to spec files

Files Modified:
- modules/dev-services.nix: log level debug → info
- modules/mautrix-slack.nix: automatic sender_localpart fix
- hosts/ops-jrz1.nix: remove unused bridge imports
- CLAUDE.md: update Known Issues, add Resolved Issues section
- specs/002-*/: add deployment status notes
- configurations/ → docs/examples/alternative-deployments/

Tested and Verified:
- All services running (matrix, bridge, forgejo, postgresql, nginx)
- Bridge authenticated and message flow working
- sender_localpart fix generates correct registration file
2025-10-26 15:59:05 -07:00


# NixOS configuration for Vultr development VPS
# Optimized for Matrix + Forgejo deployment without federation
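{ config, pkgs, lib, ... }:
let
  # Single source of truth for the operator's SSH public key. Root and the
  # admin user below both accept it, so rotating the key is a one-line change
  # instead of two literals that can drift apart.
  operatorSshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqHsgAuD/8LL6HN3fo7X1ywryQG393pyQ19a154bO+h delpad-2025";
in
{
  imports = [
    ../modules/dev-services.nix
    ./vultr-hardware.nix
  ];

  # sops-nix secrets management
  sops = {
    defaultSopsFile = ../secrets/secrets.yaml;
    # Decrypt with the host's own SSH key; no separate age key is provisioned.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    # Secret declarations
    secrets."matrix-registration-token" = {
      mode = "0400"; # read-only for the owning user
    };
    secrets."acme-email" = {
      mode = "0400";
      # Using direct email value, no secret needed
      # NOTE(review): nothing in this file reads this secret's path and
      # security.acme below uses a literal address, yet the declaration still
      # requires an "acme-email" entry in secrets.yaml at activation. Drop it
      # once confirmed that the imported modules do not reference it either.
    };
  };

  # Boot configuration for Vultr VPS (Legacy BIOS mode)
  boot = {
    loader.grub = {
      enable = true;
      device = "/dev/vda"; # Legacy BIOS - install to MBR
      efiSupport = false;
      useOSProber = false;
    };
    # Vultr uses virtio drivers
    initrd.availableKernelModules = [
      "virtio_pci"
      "virtio_blk"
      "virtio_net"
      "virtio_scsi"
    ];
  };

  # Filesystem configuration managed by vultr-hardware.nix
  # Boot partition, root partition, and swap declared via generated hardware config

  # Network configuration for Vultr
  networking = {
    hostName = "matrix";
    # Vultr-specific network interface
    useDHCP = false;
    interfaces.ens3 = { # Vultr uses ens3
      useDHCP = true;
    };
    enableIPv6 = true;
    # Firewall - only expose reverse proxy ports
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # SSH
        80 # HTTP (ACME challenges, redirects)
        443 # HTTPS
      ];
      allowPing = true;
      # Reduce log noise on public VPS. Trade-off: dropped packets leave no
      # trace, so detection of scanning relies on sshd/fail2ban and the
      # reverse-proxy access logs rather than the firewall.
      logRefusedConnections = false;
    };
  };

  # SSH configuration - secure but accessible for development
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "prohibit-password"; # More secure than "yes"
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      X11Forwarding = false;
    };
    # Basic security settings
    # MaxAuthTries 3 lines up with fail2ban's maxretry = 3 below; an idle
    # session is dropped after ClientAliveInterval * ClientAliveCountMax
    # seconds (~10 min) of missed keepalives.
    extraConfig = ''
      MaxAuthTries 3
      MaxSessions 10
      ClientAliveInterval 300
      ClientAliveCountMax 2
    '';
  };

  # SSH key for root and admin users (same key, see operatorSshKey)
  users.users.root.openssh.authorizedKeys.keys = [ operatorSshKey ];
  users.users.admin = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [ operatorSshKey ];
  };

  # Enable sudo without password for development convenience
  # NOTE(review): combined with the shared key above this makes the admin
  # account equivalent to root for any holder of that key; set it to true
  # before using this example outside development.
  security.sudo.wheelNeedsPassword = false;

  # Enable fail2ban for brute force protection
  # fail2ban-enhanced is not a stock NixOS option; presumably declared by the
  # imported dev-services module - confirm before reusing this file standalone.
  security.fail2ban-enhanced = {
    enable = true;
    bantime = "1h";
    maxretry = 3;
  };

  # Enable ACME for TLS certificates
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@example.com"; # Using direct email as ACME doesn't support emailFile
  };

  # Dev services stack - simplified without federation
  # Options under services.dev-platform come from ../modules/dev-services.nix.
  services.dev-platform = {
    enable = true;
    domain = "example.com";
    matrix = {
      enable = true;
      port = 8008;
    };
    forgejo = {
      enable = true;
      subdomain = "git";
      port = 3000;
    };
    slackBridge = {
      enable = true;
    };
  };

  # Basic monitoring for development
  services.netdata = {
    enable = true;
    config = {
      global = {
        "bind to" = "127.0.0.1"; # Localhost only for security
      };
    };
  };

  # Automatic garbage collection to manage disk space
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 7d";
  };

  # Allow insecure packages needed for Matrix bridges
  # olm is marked insecure in nixpkgs; allow-listing it silences the
  # evaluation error but does not remove the underlying risk. Revisit when
  # the bridges no longer depend on this olm release.
  nixpkgs.config.permittedInsecurePackages = [
    "olm-3.2.16"
  ];

  # NixOS configuration optimized for VPS
  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    # Optimize for VPS builds and downloads
    max-jobs = "auto";
    cores = 0; # Use all available cores
    substituters = [
      "https://cache.nixos.org"
    ];
    # Signing key for the official cache; paths not signed by a key listed
    # here are not accepted from the substituter.
    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
    ];
  };

  # Timezone and locale for VPS
  time.timeZone = "UTC";
  i18n.defaultLocale = "en_US.UTF-8";

  # Release the state on disk was created with; do not bump without reading
  # the NixOS release notes for stateful service migrations.
  system.stateVersion = "24.11";
}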