dan/ops-jrz1
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
ops-jrz1/specs/001-extract-matrix-platform/plan.md
Dan 894e7241f1 Initialize ops-jrz1 repository with Matrix platform extraction foundation 
- Add speckit workflow infrastructure (.claude, .specify)
- Create NixOS configuration skeleton (flake.nix, configuration.nix, hosts/ops-jrz1.nix)
- Add sanitization scripts with 22 rules for personal info removal
- Add validation scripts with gitleaks integration
- Configure git hooks (pre-commit, pre-push) for security validation
- Add project documentation (README, LICENSE)
- Add comprehensive .gitignore for Nix, secrets, staging

Phase 1 and Phase 2 complete. Foundation ready for module extraction from ops-base.
2025-10-13 13:37:17 -07:00

191 lines
8.4 KiB
Markdown
Raw Blame History

# Implementation Plan: Extract Matrix Platform Modules for ops-jrz1 Server
**Branch**: `001-extract-matrix-platform` | **Date**: 2025-10-11 | **Spec**: [spec.md](./spec.md)
**Input**: Feature specification from `/specs/001-extract-matrix-platform/spec.md`
## Summary
Extract production-tested NixOS modules for Matrix homeserver (Continuwuity), mautrix bridges (Slack, WhatsApp, Google Messages), and security hardening from ops-base repository. Sanitize personal information (domains, IPs, secrets, paths) and place in this repository to configure the ops-jrz1 dev/test server. Include deployment documentation and secrets management setup using sops-nix.
**Note**: This is a single-repository project. All extracted modules, configuration, and documentation live in ops-jrz1 repository. Public template sharing is deferred for future.
## Technical Context
**Language/Version**: Nix 2.x, NixOS 24.05+, Bash 5.x (for scripts)
**Primary Dependencies**:
- nixpkgs (pinned for reproducibility)
- sops-nix (secrets management)
- gitleaks (secret scanning via git hooks)
- age (encryption)
- pre-commit framework (git hooks orchestration)
**Storage**: Git repository (Forgejo for development, GitHub/tangl.sh for publication), filesystem-based (NixOS modules as .nix files)
**Testing & Validation**:
- Git pre-commit hooks (block commits with syntax errors or secrets)
- Git pre-push hooks (validate builds before push)
- nix flake check (syntax and build validation)
- gitleaks (secret scanning via hooks)
- Integration testing (deploy to test VPS)
- Manual validation (sanitization review)
**Target Platform**: Linux (NixOS), x86_64-linux architecture
**Project Type**: NixOS server configuration (modules + configuration + documentation)
**Performance Goals**:
- Template clone to working deployment: <30 minutes
- Git pre-commit hook execution: <30 seconds
- Git pre-push hook validation (full build): <5 minutes
- nix flake check: <2 minutes
**Constraints**:
- Zero secrets in published repository (gitleaks must return 0 findings)
- All example configurations must build successfully
- Fresh git history (no ops-base history)
- Manual sync process (scripted helpers only)
**Scale/Scope**:
- 6+ core NixOS modules to extract (matrix-continuwuity, 3 bridges, 2 security)
- Core documentation (README, deployment guide, secrets-management)
- Configuration for ops-jrz1 dev/test server
- 29 functional requirements (some deferred for public sharing)
- 5 user stories (US3 deferred, US1/US2/US4/US5 active)
## Constitution Check
*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
**Status**: No project constitution defined yet. This is an infrastructure extraction project with established RFC.
**Key Constraints Derived from Feature Spec**:
1. **Security First**: Zero tolerance for secret leakage (gitleaks validation mandatory)
2. **Reproducibility**: All builds must be deterministic (pinned nixpkgs)
3. **Testability**: All configurations must validate before publication
4. **Documentation Quality**: Extracted patterns must be comprehensive and sanitized
5. **Community Governance**: Clear contribution and security policies required
**No violations identified** - This is a one-time extraction project following established RFC guidelines.
## Project Structure
### Documentation (this feature)
```
specs/001-extract-matrix-platform/
├── spec.md # Feature specification (completed)
├── plan.md # This file (/speckit.plan command output)
├── research.md # Phase 0 output (technical decisions & patterns)
├── data-model.md # Phase 1 output (entities: modules, configs, secrets)
├── quickstart.md # Phase 1 output (developer quick start)
├── contracts/ # Phase 1 output (sanitization rules, CI contracts)
│ ├── sanitization-rules.yaml
│ └── ci-validation.yaml
└── tasks.md # Phase 2 output (/speckit.tasks command)
```
### Source Code (repository root)
Single repository structure (ops-jrz1). Everything lives here:
```
# ops-jrz1 (this repo): Server config + planning + extracted modules
specs/001-extract-matrix-platform/ # Planning docs (speckit workflow)
├── spec.md, plan.md, tasks.md
├── research.md, data-model.md
└── contracts/
staging/ # Temporary extraction workspace
├── modules/ # Copied from ops-base (unsanitized)
├── configurations/
└── docs/
modules/ # Extracted & sanitized modules
├── matrix-continuwuity.nix
├── mautrix-slack.nix
├── mautrix-whatsapp.nix
├── mautrix-gmessages.nix
├── security/
│ ├── fail2ban.nix
│ └── ssh-hardening.nix
└── matrix-secrets/
└── default.nix
hosts/ # Server-specific configs
└── ops-jrz1.nix # ops-jrz1 server configuration
docs/ # Deployment documentation
├── deployment.md
├── secrets-management.md
└── bridges/ # Optional bridge setup notes
├── slack-setup.md
├── whatsapp-setup.md
└── gmessages-setup.md
secrets/ # sops-nix encrypted secrets
├── secrets.yaml # Encrypted (gitignored)
└── .sops.yaml # sops configuration
scripts/ # Helper scripts
├── sanitize-files.sh # Apply sanitization rules
└── validate-config.sh # Pre-deploy validation
flake.nix # Server flake configuration
flake.lock # Locked dependencies
configuration.nix # Main server configuration
README.md # Repository overview
LICENSE # MIT license (optional)
```
**Structure Decision**: Single-repository approach where ops-jrz1 contains planning docs, extracted modules, and server configuration. Public template sharing is deferred - focus is on getting ops-jrz1 server working.
## Complexity Tracking
*No constitution violations - this section not applicable*
## Phase 0: Research & Decision Points ✅ COMPLETE
**Status**: All research completed and documented in `research.md`
**Decisions Made**:
1. **Sanitization Strategy**: Hybrid approach (automated + manual validation)
2. **Worklog Extraction**: LLM-assisted selective extraction with manual review
3. **Validation Strategy**: Git hooks (pre-commit/pre-push) with gitleaks + nix flake check
4. **Sync Workflow Design**: Git tags + sync-log.md + quarterly calendar
5. **Testing Strategy**: Build validation + selective VPS integration testing
**Artifacts Generated**:
- `research.md` - 6 major decisions documented with rationale
- Technology stack defined (Nix, NixOS, sops-nix, gitleaks, pre-commit framework)
- Risk mitigations documented
- Success metrics defined
---
## Phase 1: Design & Contracts ✅ COMPLETE
**Status**: All design artifacts created and validated
**Artifacts Generated**:
- `data-model.md` - 8 core entities with lifecycle states, relationships, validation rules
- `contracts/sanitization-rules.yaml` - 22 sanitization rules (critical, high, medium priority)
- `contracts/ci-validation.yaml` - CI/CD pipeline specification with job contracts
- `quickstart.md` - 4-week implementation guide with day-by-day breakdown
- `CLAUDE.md` - Agent context updated with Nix, NixOS, Git repository stack
**Design Highlights**:
- **Data Model**: Module, Configuration, Secret, Sanitization Rule, Pattern Document, Sync Checkpoint, Bridge Setup Guide, CI/CD Pipeline
- **22 Sanitization Rules**: Domains (clarun.xyzexample.com), IPs (192.168.1.x10.0.0.x), paths, secrets, personal references
- **CI Contracts**: nix flake check, gitleaks scan, build validation for example configs
- **Validation Pipeline**: 5-step process from automated replacement to manual review
---
## Phase 2: Task Generation (Next Step)
**Status**: Ready for `/speckit.tasks` command
Use `/speckit.tasks` to generate actionable task breakdown from the design artifacts above. This will create `tasks.md` with dependency-ordered implementation tasks organized by:
- Repository setup and sanitization
- Documentation extraction
- Testing and validation
- Sync workflow and publication
Reference in a new issue View git blame Copy permalink