NixOS configuration for ops-jrz1 VPS with Matrix platform
Dan df2cb13f9b Remove redundant olm permission from VM config
VM imports configuration.nix which already has the permission.
Clarified comments explaining why both flake.nix and configuration.nix
need the permission (different pkgs sources).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-05 22:53:07 -08:00

ops-jrz1 NixOS Server Configuration

Status: Work in Progress - Matrix Platform Extraction

This repository contains the NixOS configuration for the ops-jrz1 dev/test server, including extracted Matrix homeserver modules and bridge configurations from the ops-base production environment.

Overview

The ops-jrz1 server provides a Matrix homeserver (Continuwuity/Conduwuit) with bridges for:

  • Slack (mautrix-slack)
  • WhatsApp (mautrix-whatsapp)
  • Google Messages (mautrix-gmessages)

Additional services:

  • Security hardening (fail2ban, SSH hardening)
  • Secrets management (sops-nix with age encryption)

Current Status

Phase: Extracting and sanitizing modules from ops-base

  • Repository structure created
  • Skeleton configuration files (flake.nix, configuration.nix, hosts/ops-jrz1.nix)
  • Sanitization and validation scripts
  • Git hooks for security validation
  • Module extraction from ops-base
  • Documentation (deployment guides, bridge setup)
  • Server deployment and testing

Repository Structure

ops-jrz1/
├── flake.nix              # Nix flake configuration
├── configuration.nix      # Main NixOS configuration
├── hosts/
│   └── ops-jrz1.nix       # Server-specific configuration
├── modules/               # Extracted Matrix platform modules (pending)
├── docs/                  # Deployment and setup documentation (pending)
├── secrets/               # sops-nix encrypted secrets (gitignored)
├── scripts/               # Sanitization and validation scripts
│   ├── sanitize-files.sh
│   └── validate-sanitization.sh
└── specs/                 # Project planning and specifications
    └── 001-extract-matrix-platform/

Planned Features

Matrix Homeserver

  • Continuwuity/Conduwuit: Lightweight Rust-based Matrix homeserver
  • Federation support
  • User registration with tokens
  • Admin room for management

Bridges

  • Slack: Socket Mode authentication, workspace integration
  • WhatsApp: QR code pairing, message synchronization
  • Google Messages: Pairing flow, SMS/MMS support

Security & Operations

  • fail2ban: Intrusion prevention
  • SSH hardening: Key-only authentication, restricted access
  • sops-nix: Encrypted secrets management with age keys
  • Git hooks: Pre-commit validation, pre-push build checks

Development Workflow

Prerequisites

  • NixOS 24.05+ or Nix with flakes enabled
  • SSH access to ops-jrz1 server
  • Age encryption key for secrets management

Building Locally

# Check flake validity
nix flake check

# Build ops-jrz1 configuration
nix build .#nixosConfigurations.ops-jrz1

# Deploy to server (when ready)
nixos-rebuild switch --flake .#ops-jrz1 --target-host root@ops-jrz1

Sanitization Workflow

# Extract modules from ops-base
./scripts/sanitize-files.sh ~/proj/ops-base/modules staging/modules

# Validate sanitization
./scripts/validate-sanitization.sh staging/modules

# Move to permanent location
mv staging/modules/* modules/

Security Notes

  • Never commit secrets: All secrets managed via sops-nix, encrypted with age keys
  • Git hooks active: Pre-commit hooks check staged files for personal information leakage
  • Sanitization enforced: All extracted code must pass validation before commit

License

MIT License (see LICENSE file)

  • Project Specification: specs/001-extract-matrix-platform/spec.md
  • Implementation Plan: specs/001-extract-matrix-platform/plan.md
  • Task Breakdown: specs/001-extract-matrix-platform/tasks.md
  • Sanitization Rules: specs/001-extract-matrix-platform/contracts/sanitization-rules.yaml

Note: This repository is currently in active development. Documentation and deployment guides will be added as modules are extracted and tested.