NixOS configuration for ops-jrz1 VPS with Matrix platform
Dan 75515c7e53 Update flake to NixOS 24.11
- nixpkgs: 24.05 (Dec 2024) → 24.11 (Jun 2025)
- sops-nix: unpinned (now follows nixpkgs)
- nixpkgs-unstable: Dec 2025 → Jan 2026

Key version changes:
- PostgreSQL 15.10 → 15.13 (pinned to v15)
- Forgejo 7.0.12 → 7.0.15 LTS
- Matrix-continuwuity 0.5.0-rc → 0.5.1 stable
- maubot 0.4.2 → 0.5.0
- systemd 255 → 256

Build verified, deployment in separate task.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 18:12:33 -08:00
.beads Remove unused Nix lambda patterns (deadnix cleanup) 2026-01-05 18:23:54 -08:00
.claude Add learner dev environment, testing infrastructure, and skills 2025-12-28 22:23:06 -05:00
docs Update DR runbook: first restore drill passed 2026-01-10 16:18:22 -08:00
hosts Add B2 automated backup with restic 2026-01-10 13:49:59 -08:00
modules Pin PostgreSQL to v15 for NixOS 24.11 upgrade 2026-01-10 16:07:13 -08:00
scripts Sync AI agent sandbox docs to dev-add.sh AGENTS.md 2026-01-10 08:09:25 -08:00
secrets Add offline sops recovery key 2026-01-10 15:40:31 -08:00
specs Rename learner to dev across codebase 2026-01-03 10:42:34 -08:00
templates/plugin-skeleton Add learner dev environment, testing infrastructure, and skills 2025-12-28 22:23:06 -05:00
tests Add VM integration test and shellcheck linting to flake checks 2026-01-08 11:04:00 -08:00
.gitattributes Add learner dev environment, testing infrastructure, and skills 2025-12-28 22:23:06 -05:00
.gitignore Add learner dev environment, testing infrastructure, and skills 2025-12-28 22:23:06 -05:00
.pre-commit-config.yaml Initialize ops-jrz1 repository with Matrix platform extraction foundation 2025-10-13 13:37:17 -07:00
.sops.yaml Add offline sops recovery key 2026-01-10 15:40:31 -08:00
AGENTS.md Revert "Document Forgejo API administration pattern" 2026-01-09 15:08:44 -08:00
CLAUDE.md refactor: standardize agent instruction files 2025-12-23 01:12:27 -05:00
configuration.nix Add devs group to nix trusted-users 2026-01-09 23:01:40 -08:00
flake.lock Update flake to NixOS 24.11 2026-01-10 18:12:33 -08:00
flake.nix Update flake to NixOS 24.11 2026-01-10 18:12:33 -08:00
GEMINI.md refactor: standardize agent instruction files 2025-12-23 01:12:27 -05:00
hardware-configuration.nix Remove unused Nix lambda patterns (deadnix cleanup) 2026-01-05 18:23:54 -08:00
LICENSE Initialize ops-jrz1 repository with Matrix platform extraction foundation 2025-10-13 13:37:17 -07:00
README.md Initialize ops-jrz1 repository with Matrix platform extraction foundation 2025-10-13 13:37:17 -07:00
SETUP-VERIFICATION.md Add docs, ignore local dev config 2025-12-08 16:31:40 -08:00

ops-jrz1 NixOS Server Configuration

Status: Work in Progress - Matrix Platform Extraction

This repository contains the NixOS configuration for the ops-jrz1 dev/test server, including extracted Matrix homeserver modules and bridge configurations from the ops-base production environment.

Overview

The ops-jrz1 server provides a Matrix homeserver (Continuwuity/Conduwuit) with bridges for:

  • Slack (mautrix-slack)
  • WhatsApp (mautrix-whatsapp)
  • Google Messages (mautrix-gmessages)

Additional services:

  • Security hardening (fail2ban, SSH hardening)
  • Secrets management (sops-nix with age encryption)

Current Status

Phase: Extracting and sanitizing modules from ops-base

  • Repository structure created
  • Skeleton configuration files (flake.nix, configuration.nix, hosts/ops-jrz1.nix)
  • Sanitization and validation scripts
  • Git hooks for security validation
  • Module extraction from ops-base
  • Documentation (deployment guides, bridge setup)
  • Server deployment and testing

Repository Structure

ops-jrz1/
├── flake.nix              # Nix flake configuration
├── configuration.nix      # Main NixOS configuration
├── hosts/
│   └── ops-jrz1.nix       # Server-specific configuration
├── modules/               # Extracted Matrix platform modules (pending)
├── docs/                  # Deployment and setup documentation (pending)
├── secrets/               # sops-nix encrypted secrets (gitignored)
├── scripts/               # Sanitization and validation scripts
│   ├── sanitize-files.sh
│   └── validate-sanitization.sh
└── specs/                 # Project planning and specifications
    └── 001-extract-matrix-platform/

Planned Features

Matrix Homeserver

  • Continuwuity/Conduwuit: Lightweight Rust-based Matrix homeserver
  • Federation support
  • User registration with tokens
  • Admin room for management

Bridges

  • Slack: Socket Mode authentication, workspace integration
  • WhatsApp: QR code pairing, message synchronization
  • Google Messages: Pairing flow, SMS/MMS support

Security & Operations

  • fail2ban: Intrusion prevention
  • SSH hardening: Key-only authentication, restricted access
  • sops-nix: Encrypted secrets management with age keys
  • Git hooks: Pre-commit validation, pre-push build checks

Development Workflow

Prerequisites

  • NixOS 24.05+ or Nix with flakes enabled
  • SSH access to ops-jrz1 server
  • Age encryption key for secrets management

Building Locally

# Check flake validity
nix flake check

# Build ops-jrz1 configuration
nix build .#nixosConfigurations.ops-jrz1

# Deploy to server (when ready)
nixos-rebuild switch --flake .#ops-jrz1 --target-host root@ops-jrz1

Sanitization Workflow

# Extract modules from ops-base
./scripts/sanitize-files.sh ~/proj/ops-base/modules staging/modules

# Validate sanitization
./scripts/validate-sanitization.sh staging/modules

# Move to permanent location
mv staging/modules/* modules/

Security Notes

  • Never commit secrets: all secrets are managed via sops-nix and encrypted with age keys; nothing under secrets/ is ever stored in plaintext in the repository
  • Git hooks active: pre-commit hooks scan staged files for personal-information leakage before a commit is accepted
  • Sanitization enforced: all code extracted from ops-base must pass validate-sanitization.sh before it is committed
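The sanitization workflow and the git hooks above both come down to one check: refuse to commit a file that still carries a secret or a piece of personal information. The script below is an added illustration of that check, written for this page; it is not the repository's own scripts/validate-sanitization.sh or its pre-commit hook, and the rule list (age secret keys, PEM private-key blocks, e-mail addresses, IPv4 addresses, Matrix access tokens) and the allowlist are assumptions standing in for the project's real rules in specs/001-extract-matrix-platform/contracts/sanitization-rules.yaml. The sample files in demo() are constructed for the example.

```shell
#!/usr/bin/env sh
# Added example, not the repository's own scripts/validate-sanitization.sh
# or its git hooks: a minimal pre-commit style leak scanner. The rule set
# below is an assumption; the project's real rules live in
# specs/001-extract-matrix-platform/contracts/sanitization-rules.yaml.

# Matches that are never a leak (assumed allowlist): loopback/wildcard
# binds and RFC 2606 example domains, which legitimately appear in configs.
ALLOW='127\.0\.0\.1|0\.0\.0\.0|example\.(com|org|net)'

# scan_file PATH
#   Prints "PATH: <rule>" for every rule that matches and returns 1;
#   returns 0 when the file is clean.
scan_file() {
    f="$1"
    hits=0
    # Each rule is "<label>|<POSIX extended regex>".
    for rule in \
        'age-secret-key|AGE-SECRET-KEY-1[0-9A-Z]+' \
        'private-key-block|-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        'email-address|[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' \
        'ipv4-address|([0-9]{1,3}\.){3}[0-9]{1,3}' \
        'matrix-access-token|access_token[[:space:]]*=[[:space:]]*"[^"]+"' \
    ; do
        label=${rule%%|*}
        regex=${rule#*|}
        # Drop allowlisted matches before deciding whether the rule fired.
        matches=$(grep -nE -- "$regex" "$f" 2>/dev/null | grep -vE -- "$ALLOW") || true
        if [ -n "$matches" ]; then
            printf '%s: %s\n' "$f" "$label"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# scan_paths PATH...
#   Scans every path given; returns 1 if any file is not clean.
scan_paths() {
    rc=0
    for p in "$@"; do
        scan_file "$p" || rc=1
    done
    return "$rc"
}

# demo
#   Writes two constructed sample files (made up for this example) and
#   returns 0 only if the clean file passes and the leaky file is caught.
demo() {
    d=$(mktemp -d) || return 2
    printf 'services.openssh.enable = true;\naddress = "127.0.0.1";\n' > "$d/clean.nix"
    printf 'keyFile = "AGE-SECRET-KEY-1QQQQQQQQ";\nadmin = "me@example.test";\n' > "$d/leak.nix"
    result=1
    if scan_file "$d/clean.nix" >/dev/null; then
        if ! scan_file "$d/leak.nix" >/dev/null; then
            result=0
        fi
    fi
    rm -rf "$d"
    return "$result"
}

# The pre-commit framework passes the staged filenames as arguments;
# with no arguments this file only defines the functions above.
if [ "$#" -gt 0 ]; then
    scan_paths "$@"
    exit "$?"
fi
```

Run with file paths as arguments it exits non-zero on the first leak it finds, which is the behaviour a pre-commit hook needs; the allowlist is what keeps ordinary NixOS listen addresses such as 127.0.0.1 from blocking every commit, and any real rule set needs a similar escape hatch or the hook gets disabled in practice.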

License

MIT License (see LICENSE file)

Documentation

  • Project Specification: specs/001-extract-matrix-platform/spec.md
  • Implementation Plan: specs/001-extract-matrix-platform/plan.md
  • Task Breakdown: specs/001-extract-matrix-platform/tasks.md
  • Sanitization Rules: specs/001-extract-matrix-platform/contracts/sanitization-rules.yaml

Note: This repository is currently in active development. Documentation and deployment guides will be added as modules are extracted and tested.