| configurations | ||
| docs | ||
| hosts | ||
| modules | ||
| scripts | ||
| secrets | ||
| specs/001-extract-matrix-platform | ||
| .gitignore | ||
| .pre-commit-config.yaml | ||
| CLAUDE.md | ||
| configuration.nix | ||
| flake.lock | ||
| flake.nix | ||
| hardware-configuration.nix | ||
| LICENSE | ||
| README.md | ||
ops-jrz1 NixOS Server Configuration
Status: Work in Progress - Matrix Platform Extraction
This repository contains the NixOS configuration for the ops-jrz1 dev/test server, including extracted Matrix homeserver modules and bridge configurations from the ops-base production environment.
Overview
The ops-jrz1 server provides a Matrix homeserver (Continuwuity/Conduwuit) with bridges for:
- Slack (mautrix-slack)
- WhatsApp (mautrix-whatsapp)
- Google Messages (mautrix-gmessages)
Additional services:
- Security hardening (fail2ban, SSH hardening)
- Secrets management (sops-nix with age encryption)
Current Status
Phase: Extracting and sanitizing modules from ops-base
- Repository structure created
- Skeleton configuration files (flake.nix, configuration.nix, hosts/ops-jrz1.nix)
- Sanitization and validation scripts
- Git hooks for security validation
- Module extraction from ops-base
- Documentation (deployment guides, bridge setup)
- Server deployment and testing
Repository Structure
ops-jrz1/
├── flake.nix # Nix flake configuration
├── configuration.nix # Main NixOS configuration
├── hosts/
│ └── ops-jrz1.nix # Server-specific configuration
├── modules/ # Extracted Matrix platform modules (pending)
├── docs/ # Deployment and setup documentation (pending)
├── secrets/ # sops-nix encrypted secrets (gitignored)
├── scripts/ # Sanitization and validation scripts
│ ├── sanitize-files.sh
│ └── validate-sanitization.sh
└── specs/ # Project planning and specifications
└── 001-extract-matrix-platform/
Planned Features
Matrix Homeserver
- Continuwuity/Conduwuit: Lightweight Rust-based Matrix homeserver
- Federation support
- User registration with tokens
- Admin room for management
Bridges
- Slack: Socket Mode authentication, workspace integration
- WhatsApp: QR code pairing, message synchronization
- Google Messages: Pairing flow, SMS/MMS support
Security & Operations
- fail2ban: Intrusion prevention
- SSH hardening: Key-only authentication, restricted access
- sops-nix: Encrypted secrets management with age keys
- Git hooks: Pre-commit validation, pre-push build checks
Development Workflow
Prerequisites
- NixOS 24.05+ or Nix with flakes enabled
- SSH access to ops-jrz1 server
- Age encryption key for secrets management
Building Locally
# Check flake validity
nix flake check
# Build ops-jrz1 configuration
nix build .#nixosConfigurations.ops-jrz1
# Deploy to server (when ready)
nixos-rebuild switch --flake .#ops-jrz1 --target-host root@ops-jrz1
Sanitization Workflow
# Extract modules from ops-base
./scripts/sanitize-files.sh ~/proj/ops-base/modules staging/modules
# Validate sanitization
./scripts/validate-sanitization.sh staging/modules
# Move to permanent location
mv staging/modules/* modules/
Security Notes
- Never commit secrets: All secrets managed via sops-nix, encrypted with age keys
- Git hooks active: Pre-commit hooks validate for personal information leakage
- Sanitization enforced: All extracted code must pass validation before commit
License
MIT License (see LICENSE file)
Related Documentation
- Project Specification:
specs/001-extract-matrix-platform/spec.md - Implementation Plan:
specs/001-extract-matrix-platform/plan.md - Task Breakdown:
specs/001-extract-matrix-platform/tasks.md - Sanitization Rules:
specs/001-extract-matrix-platform/contracts/sanitization-rules.yaml
Note: This repository is currently in active development. Documentation and deployment guides will be added as modules are extracted and tested.