ops-jrz1/hosts/ops-jrz1.nix

{ pkgs, ... }:

{
  # ops-jrz1 production VPS configuration
  # Imports extracted Matrix modules from ops-base

  # Disable built-in NixOS maubot module to use our sops-nix enhanced version
  disabledModules = [ "services/matrix/maubot.nix" ];

  imports = [
    # Hardware configuration
    ../hardware-configuration.nix

    # Matrix platform modules
    ../modules/matrix-continuwuity.nix
    ../modules/mautrix-slack.nix
    ../modules/maubot.nix
    ../modules/musiclink.nix
    ../modules/dev-services.nix
    ../modules/security/fail2ban.nix
    ../modules/security/ssh-hardening.nix
    ../modules/matrix-secrets
    ../modules/backup.nix
    ../modules/backup-b2.nix
  ];

  # System configuration
  networking.hostName = "jrz1";

  # sops-nix secrets management
  sops = {
    defaultSopsFile = ../secrets/secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    secrets = {
      # Used by dev-services.nix matrix-continuwuity via systemd LoadCredential
      # Root ownership is correct for DynamicUser services
      matrix-registration-token.mode = "0400";

      # Maubot management interface admin password
      maubot-admin-password.mode = "0400";

      # Maubot session secret key
      maubot-secret-key.mode = "0400";

      # Slack dev tokens - shared with devs group for learner bot development
      slack-bot-token = {
        owner = "root";
        group = "devs";
        mode = "0440";
      };
      slack-app-token = {
        owner = "root";
        group = "devs";
        mode = "0440";
      };

      # Forgejo API token for dev user provisioning (root only)
      forgejo-api-token.mode = "0400";

      # Matrix token for MusicLink bot
      musiclink-matrix-token.mode = "0400";
    };
  };

  # Matrix homeserver configuration
  # NOTE: Disabled in favor of dev-platform.matrix which provides integrated
  # bridge coordination and systemd credential-based secrets management
  # services.matrix-homeserver = {
  #   enable = true;
  #   domain = "clarun.xyz";
  #   port = 8008;
  #   enableRegistration = true;
  #   enableFederation = false;
  # };

  # Development platform services (Matrix, Forgejo, bridges)
  services.dev-platform = {
    enable = true;
    domain = "clarun.xyz";

    matrix = {
      enable = true;
      serverName = "clarun.xyz";
      port = 8008;
    };

    forgejo = {
      enable = true;
      subdomain = "git";
      port = 3000;
    };

    slackBridge = {
      enable = true;
      workspace = "chochacho";
      port = 29319;
    };

    maubot = {
      enable = false;
      port = 29316;
      plugins = [ ../modules/plugins/sna-instagram-bot.mbp ];
    };

    musiclink = {
      enable = true;
      matrix = {
        server = "http://127.0.0.1:8008";
        userId = "@musiclink:clarun.xyz";
        rooms = [
          "!whU7Geg7JPrBL5wHcW:clarun.xyz"
          "!dT40EUcemb8e6bPiig:clarun.xyz"
          "!DPQveBnfuDrbgOe6dm:clarun.xyz"
        ];
        shadow = false;
        healthAddr = "127.0.0.1:8080";
        stateStorePath = "data/matrix-state.db";
      };
    };
  };

  # Local backup service (Phase 1: manual trigger)
  services.backup.enable = true;

  # B2 offsite backup (daily automated via restic)
  services.backup-b2.enable = true;

  # Security hardening - DISABLED pending fixes
  # security.fail2ban-enhanced.enable = true;
  # security.ssh-hardening.enable = true;

  # SSH known hosts for git.clarun.xyz (prevents interactive prompt for devs/agents)
  programs.ssh.knownHosts = {
    "git.clarun.xyz" = {
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINs/geVYoQh1ldL2TgyAJy+ErCxaJt91ocgpFRvHDUXl";
    };
  };

  # nix-ld for VS Code Remote-SSH (runs pre-compiled VS Code Server binary)
  programs.nix-ld.enable = true;
  programs.nix-ld.libraries = with pkgs; [
    stdenv.cc.cc.lib
    zlib
    openssl
  ];

  system.stateVersion = "24.05";
}