dbbe460ad0
Documents: - Server relationship clarification (ops-base → ops-jrz1 same VPS) - Analysis of 4 migration approaches (in-place, parallel, fresh, dual VPS) - Comprehensive 7-phase migration plan with rollback procedures - ops-base repository analysis (vultr-dev config, deployment patterns) - VM testing options and local validation strategies - Risk assessment and safety layers (build, VM, test mode, generations) Planning session: 100 minutes, 0 commits, strategic analysis only Next steps: Execute migration, VM test, Phase 4 docs, or pause |
||
|---|---|---|
| .claude/commands | ||
| .specify | ||
| configurations | ||
| docs | ||
| hosts | ||
| modules | ||
| scripts | ||
| secrets | ||
| specs/001-extract-matrix-platform | ||
| .gitignore | ||
| .pre-commit-config.yaml | ||
| CLAUDE.md | ||
| configuration.nix | ||
| flake.lock | ||
| flake.nix | ||
| LICENSE | ||
| README.md | ||
ops-jrz1 NixOS Server Configuration
Status: Work in Progress - Matrix Platform Extraction
This repository contains the NixOS configuration for the ops-jrz1 dev/test server, including extracted Matrix homeserver modules and bridge configurations from the ops-base production environment.
Overview
The ops-jrz1 server provides a Matrix homeserver (Continuwuity/Conduwuit) with bridges for:
- Slack (mautrix-slack)
- WhatsApp (mautrix-whatsapp)
- Google Messages (mautrix-gmessages)
Additional services:
- Security hardening (fail2ban, SSH hardening)
- Secrets management (sops-nix with age encryption)
Current Status
Phase: Extracting and sanitizing modules from ops-base
- Repository structure created
- Skeleton configuration files (flake.nix, configuration.nix, hosts/ops-jrz1.nix)
- Sanitization and validation scripts
- Git hooks for security validation
- Module extraction from ops-base
- Documentation (deployment guides, bridge setup)
- Server deployment and testing
Repository Structure
ops-jrz1/
├── flake.nix # Nix flake configuration
├── configuration.nix # Main NixOS configuration
├── hosts/
│ └── ops-jrz1.nix # Server-specific configuration
├── modules/ # Extracted Matrix platform modules (pending)
├── docs/ # Deployment and setup documentation (pending)
├── secrets/ # sops-nix encrypted secrets (gitignored)
├── scripts/ # Sanitization and validation scripts
│ ├── sanitize-files.sh
│ └── validate-sanitization.sh
└── specs/ # Project planning and specifications
└── 001-extract-matrix-platform/
Planned Features
Matrix Homeserver
- Continuwuity/Conduwuit: Lightweight Rust-based Matrix homeserver
- Federation support
- User registration with tokens
- Admin room for management
Bridges
- Slack: Socket Mode authentication, workspace integration
- WhatsApp: QR code pairing, message synchronization
- Google Messages: Pairing flow, SMS/MMS support
Security & Operations
- fail2ban: Intrusion prevention
- SSH hardening: Key-only authentication, restricted access
- sops-nix: Encrypted secrets management with age keys
- Git hooks: Pre-commit validation, pre-push build checks
Development Workflow
Prerequisites
- NixOS 24.05+ or Nix with flakes enabled
- SSH access to ops-jrz1 server
- Age encryption key for secrets management
Building Locally
# Check flake validity
nix flake check
# Build ops-jrz1 configuration
nix build .#nixosConfigurations.ops-jrz1
# Deploy to server (when ready)
nixos-rebuild switch --flake .#ops-jrz1 --target-host root@ops-jrz1
Sanitization Workflow
# Extract modules from ops-base
./scripts/sanitize-files.sh ~/proj/ops-base/modules staging/modules
# Validate sanitization
./scripts/validate-sanitization.sh staging/modules
# Move to permanent location
mv staging/modules/* modules/
Security Notes
- Never commit secrets: All secrets managed via sops-nix, encrypted with age keys
- Git hooks active: Pre-commit hooks validate for personal information leakage
- Sanitization enforced: All extracted code must pass validation before commit
License
MIT License (see LICENSE file)
Related Documentation
- Project Specification:
specs/001-extract-matrix-platform/spec.md - Implementation Plan:
specs/001-extract-matrix-platform/plan.md - Task Breakdown:
specs/001-extract-matrix-platform/tasks.md - Sanitization Rules:
specs/001-extract-matrix-platform/contracts/sanitization-rules.yaml
Note: This repository is currently in active development. Documentation and deployment guides will be added as modules are extracted and tested.