dan/ops-jrz1
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
NixOS configuration for ops-jrz1 VPS with Matrix platform
18 commits 2 branches 1 tag 402 KiB
Nix 64.3%
Shell 35.7%
Find a file
Dan 8d51f6f16e Fix bridge homeserver URL to use IPv4 (127.0.0.1) instead of localhost
2025-10-25 21:48:38 -07:00
.claude/commands Initialize ops-jrz1 repository with Matrix platform extraction foundation 2025-10-13 13:37:17 -07:00
.specify Initialize ops-jrz1 repository with Matrix platform extraction foundation 2025-10-13 13:37:17 -07:00
configurations Phase 3: Extract and sanitize Matrix platform modules from ops-base 2025-10-13 14:51:14 -07:00
docs Add comprehensive security & validation test report for Generation 31 2025-10-21 22:25:08 -07:00
hosts Fix mautrix-slack configuration and Matrix integration 2025-10-25 17:36:07 -07:00
modules Fix bridge homeserver URL to use IPv4 (127.0.0.1) instead of localhost 2025-10-25 21:48:38 -07:00
scripts Initialize ops-jrz1 repository with Matrix platform extraction foundation 2025-10-13 13:37:17 -07:00
secrets Deploy Generation 31 with sops-nix secrets management 2025-10-21 21:32:23 -07:00
specs/001-extract-matrix-platform Initialize ops-jrz1 repository with Matrix platform extraction foundation 2025-10-13 13:37:17 -07:00
.gitignore Phase 3: Extract and sanitize Matrix platform modules from ops-base 2025-10-13 14:51:14 -07:00
.pre-commit-config.yaml Initialize ops-jrz1 repository with Matrix platform extraction foundation 2025-10-13 13:37:17 -07:00
CLAUDE.md Initialize ops-jrz1 repository with Matrix platform extraction foundation 2025-10-13 13:37:17 -07:00
configuration.nix Allow olm-3.2.16 for mautrix bridges in production 2025-10-21 18:37:03 -07:00
flake.lock Update nixpkgs-unstable for conduwuit 0.5.0-rc.8 2025-10-25 17:50:37 -07:00
flake.nix Deploy Generation 31 with sops-nix secrets management 2025-10-21 21:32:23 -07:00
hardware-configuration.nix Configure ops-jrz1 for production deployment to Vultr VPS 2025-10-21 18:13:32 -07:00
LICENSE Initialize ops-jrz1 repository with Matrix platform extraction foundation 2025-10-13 13:37:17 -07:00
README.md Initialize ops-jrz1 repository with Matrix platform extraction foundation 2025-10-13 13:37:17 -07:00

README.md

ops-jrz1 NixOS Server Configuration

Status: Work in Progress - Matrix Platform Extraction

This repository contains the NixOS configuration for the ops-jrz1 dev/test server, including extracted Matrix homeserver modules and bridge configurations from the ops-base production environment.

Overview

The ops-jrz1 server provides a Matrix homeserver (Continuwuity/Conduwuit) with bridges for:

  • Slack (mautrix-slack)
  • WhatsApp (mautrix-whatsapp)
  • Google Messages (mautrix-gmessages)

Additional services:

  • Security hardening (fail2ban, SSH hardening)
  • Secrets management (sops-nix with age encryption)

Current Status

Phase: Extracting and sanitizing modules from ops-base

  • Repository structure created
  • Skeleton configuration files (flake.nix, configuration.nix, hosts/ops-jrz1.nix)
  • Sanitization and validation scripts
  • Git hooks for security validation
  • Module extraction from ops-base
  • Documentation (deployment guides, bridge setup)
  • Server deployment and testing

Repository Structure

ops-jrz1/
├── flake.nix              # Nix flake configuration
├── configuration.nix       # Main NixOS configuration
├── hosts/
│   └── ops-jrz1.nix       # Server-specific configuration
├── modules/               # Extracted Matrix platform modules (pending)
├── docs/                  # Deployment and setup documentation (pending)
├── secrets/               # sops-nix encrypted secrets (gitignored)
├── scripts/               # Sanitization and validation scripts
│   ├── sanitize-files.sh
│   └── validate-sanitization.sh
└── specs/                 # Project planning and specifications
    └── 001-extract-matrix-platform/

Planned Features

Matrix Homeserver

  • Continuwuity/Conduwuit: Lightweight Rust-based Matrix homeserver
  • Federation support
  • User registration with tokens
  • Admin room for management

Bridges

  • Slack: Socket Mode authentication, workspace integration
  • WhatsApp: QR code pairing, message synchronization
  • Google Messages: Pairing flow, SMS/MMS support

Security & Operations

  • fail2ban: Intrusion prevention
  • SSH hardening: Key-only authentication, restricted access
  • sops-nix: Encrypted secrets management with age keys
  • Git hooks: Pre-commit validation, pre-push build checks

Development Workflow

Prerequisites

  • NixOS 24.05+ or Nix with flakes enabled
  • SSH access to ops-jrz1 server
  • Age encryption key for secrets management

Building Locally

# Check flake validity
nix flake check

# Build ops-jrz1 configuration
nix build .#nixosConfigurations.ops-jrz1

# Deploy to server (when ready)
nixos-rebuild switch --flake .#ops-jrz1 --target-host root@ops-jrz1

Sanitization Workflow

# Extract modules from ops-base
./scripts/sanitize-files.sh ~/proj/ops-base/modules staging/modules

# Validate sanitization
./scripts/validate-sanitization.sh staging/modules

# Move to permanent location
mv staging/modules/* modules/

Security Notes

  • Never commit secrets: All secrets managed via sops-nix, encrypted with age keys
  • Git hooks active: Pre-commit hooks validate for personal information leakage
  • Sanitization enforced: All extracted code must pass validation before commit

License

MIT License (see LICENSE file)

Related Documentation

  • Project Specification: specs/001-extract-matrix-platform/spec.md
  • Implementation Plan: specs/001-extract-matrix-platform/plan.md
  • Task Breakdown: specs/001-extract-matrix-platform/tasks.md
  • Sanitization Rules: specs/001-extract-matrix-platform/contracts/sanitization-rules.yaml

Note: This repository is currently in active development. Documentation and deployment guides will be added as modules are extracted and tested.