ops-jrz1/README.md
Dan 894e7241f1 Initialize ops-jrz1 repository with Matrix platform extraction foundation
- Add speckit workflow infrastructure (.claude, .specify)
- Create NixOS configuration skeleton (flake.nix, configuration.nix, hosts/ops-jrz1.nix)
- Add sanitization scripts with 22 rules for personal info removal
- Add validation scripts with gitleaks integration
- Configure git hooks (pre-commit, pre-push) for security validation
- Add project documentation (README, LICENSE)
- Add comprehensive .gitignore for Nix, secrets, staging

Phase 1 and Phase 2 complete. Foundation ready for module extraction from ops-base.
2025-10-13 13:37:17 -07:00


# ops-jrz1 NixOS Server Configuration
**Status**: Work in Progress - Matrix Platform Extraction
This repository contains the NixOS configuration for the ops-jrz1 dev/test server, including extracted Matrix homeserver modules and bridge configurations from the ops-base production environment.
## Overview
The ops-jrz1 server provides a Matrix homeserver (Continuwuity/Conduwuit) with bridges for:
- Slack (mautrix-slack)
- WhatsApp (mautrix-whatsapp)
- Google Messages (mautrix-gmessages)
Additional services:
- Host hardening (fail2ban, SSH hardening)
- Secrets management (sops-nix with age encryption)
## Current Status
**Phase**: Extracting and sanitizing modules from ops-base
- [x] Repository structure created
- [x] Skeleton configuration files (flake.nix, configuration.nix, hosts/ops-jrz1.nix)
- [x] Sanitization and validation scripts
- [x] Git hooks for security validation
- [ ] Module extraction from ops-base
- [ ] Documentation (deployment guides, bridge setup)
- [ ] Server deployment and testing
## Repository Structure
```
ops-jrz1/
├── flake.nix                  # Nix flake configuration
├── configuration.nix          # Main NixOS configuration
├── hosts/
│   └── ops-jrz1.nix           # Server-specific configuration
├── modules/                   # Extracted Matrix platform modules (pending)
├── docs/                      # Deployment and setup documentation (pending)
├── secrets/                   # sops-nix encrypted secrets (gitignored)
├── scripts/                   # Sanitization and validation scripts
│   ├── sanitize-files.sh
│   └── validate-sanitization.sh
└── specs/                     # Project planning and specifications
    └── 001-extract-matrix-platform/
```
## Planned Features
### Matrix Homeserver
- **Continuwuity/Conduwuit**: Lightweight Rust-based Matrix homeserver
- Federation support
- User registration with tokens
- Admin room for management
### Bridges
- **Slack**: Socket Mode authentication, workspace integration
- **WhatsApp**: QR code pairing, message synchronization
- **Google Messages**: Pairing flow, SMS/MMS support
### Security & Operations
- **fail2ban**: Intrusion prevention
- **SSH hardening**: Key-only authentication, restricted access
- **sops-nix**: Encrypted secrets management with age keys
- **Git hooks**: Pre-commit validation, pre-push build checks
## Development Workflow
### Prerequisites
- NixOS 24.05+ or Nix with flakes enabled
- SSH access to ops-jrz1 server
- Age encryption key for secrets management
### Building Locally
```bash
# Check flake validity
nix flake check
# Build the ops-jrz1 system closure locally without deploying it
# (nixosConfigurations.ops-jrz1 itself is not a derivation; the toplevel attribute is)
nix build .#nixosConfigurations.ops-jrz1.config.system.build.toplevel
# Deploy to server (when ready). This needs root SSH login on ops-jrz1; if the
# SSH hardening disables it, deploy through a normal user and remote sudo instead:
#   nixos-rebuild switch --flake .#ops-jrz1 --target-host <user>@ops-jrz1 --use-remote-sudo
nixos-rebuild switch --flake .#ops-jrz1 --target-host root@ops-jrz1
```
### Sanitization Workflow
```bash
# Extract modules from ops-base into a staging area (never straight into modules/)
./scripts/sanitize-files.sh ~/proj/ops-base/modules staging/modules
# Validate sanitization; nothing leaves staging until this passes
./scripts/validate-sanitization.sh staging/modules
# Move to permanent location only after validation succeeds
mv staging/modules/* modules/
```
## Security Notes
- **Never commit secrets**: all secrets are managed via sops-nix and encrypted with age keys; plaintext secrets must never appear in the working tree
- **Git hooks active**: the pre-commit hook scans staged changes for personal information and leaked secrets (gitleaks); the pre-push hook runs build checks
- **Sanitization enforced**: all code extracted from ops-base must pass `scripts/validate-sanitization.sh` before it is committed
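The sanitization workflow above and the git-hook check in these notes reduce to the same two operations: rewrite personal identifiers and key material to documentation placeholders, then refuse any file where a rule would still fire. The script below is an added illustration of that pattern; it is not the repository's `scripts/sanitize-files.sh` or `scripts/validate-sanitization.sh`, and its six rules, placeholder values and the `check_staged` hook entry point are assumptions. The sample module it processes is constructed. It needs GNU sed for `\b`.

```shell
#!/usr/bin/env bash
# Added example, not the repository's scripts: a sanitize/validate pair that
# rewrites personal and secret material to placeholders and then rejects any
# file where a rule would still fire.  Rule set, placeholders and the
# check_staged entry point are assumptions.  Needs GNU sed (\b).
set -eu

# Rules run in order: Matrix IDs before e-mail addresses (both contain '@'),
# domains before IPs, key material last.  Every placeholder is a fixed point of
# the rule set, so a clean file is exactly one the sanitizer leaves unchanged.
sanitize_text() {
  sed -E \
    -e 's#@[A-Za-z0-9._=/-]+:[A-Za-z0-9.-]+\.[a-z]{2,}#@user:example.com#g' \
    -e 's#[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[a-z]{2,}#user@example.com#g' \
    -e 's#\b([a-z0-9-]+\.)+(lan|internal|home\.arpa)\b#host.example.com#g' \
    -e 's#\b([0-9]{1,3}\.){3}[0-9]{1,3}\b#192.0.2.1#g' \
    -e 's#ssh-(ed25519|rsa) AAAA[0-9A-Za-z+/=]+( [^"[:space:]]+)?#ssh-ed25519 REDACTED_PUBKEY#g' \
    -e 's#AGE-SECRET-KEY-1[0-9A-Z]+#AGE-SECRET-KEY-REDACTED#g'
}

# Validation reuses the sanitizer instead of a second pattern list that could
# drift from it: any line the rules would change is residual material.
validate_text() {
  local line clean rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    clean=$(printf '%s\n' "$line" | sanitize_text)
    if [ "$line" != "$clean" ]; then
      printf 'residual: %s\n' "$line" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Copy a tree, sanitizing every regular file into the staging directory.
sanitize_tree() {                  # sanitize_tree SRC_DIR DST_DIR
  local src=$1 dst=$2 f rel
  find "$src" -type f | while IFS= read -r f; do
    rel=${f#"$src"/}
    mkdir -p "$dst/$(dirname "$rel")"
    sanitize_text <"$f" >"$dst/$rel"
  done
}

# Validate every path read from stdin; non-zero if any file is not clean.
validate_files() {
  local f rc=0
  while IFS= read -r f; do
    [ -f "$f" ] || continue
    validate_text <"$f" || { printf 'FAIL %s\n' "$f" >&2; rc=1; }
  done
  return "$rc"
}
validate_tree() { find "$1" -type f | validate_files; }
# Pre-commit entry point (assumed): check only the files staged for this commit.
check_staged()  { git diff --cached --name-only --diff-filter=ACM | validate_files; }

demo() {
  local tmp; tmp=$(mktemp -d)
  mkdir -p "$tmp/src/matrix"
  # Constructed sample shaped like a module lifted from a production tree; not real data.
  cat >"$tmp/src/matrix/homeserver.nix" <<'EOF'
{
  serverName = "matrix.corp.lan";
  admin = "@alice:matrix.corp.lan";
  contact = "alice.smith@corp.lan";
  listen = "10.0.4.17:8448";
  authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ3dummy alice@laptop" ];
  ageKey = "AGE-SECRET-KEY-1QYQSZQGPQYQSZQGPQYQSZQGPQYQS3PCG3K";
}
EOF
  validate_tree "$tmp/src" 2>/dev/null || echo "raw tree rejected, as expected"
  sanitize_tree "$tmp/src" "$tmp/staging"
  cat "$tmp/staging/matrix/homeserver.nix"
  validate_tree "$tmp/staging" && echo "staging tree is clean"
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Saved as, say, `sanitize-demo.sh`, `bash sanitize-demo.sh demo` prints the sanitized module and confirms the staging copy is clean, while the raw copy is rejected. Two details carry the security weight: the placeholders (`example.com`, `192.0.2.1`, `REDACTED_*`) are chosen so they are fixed points of the rules, which is what lets the validator be "sanitizer changes nothing" rather than a second list that can drift; and the SSH rule also swallows the key's trailing comment, because `alice@laptop` has no dot-TLD and would otherwise slip past the e-mail rule.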
## License
MIT License (see LICENSE file)
## Related Documentation
- Project Specification: `specs/001-extract-matrix-platform/spec.md`
- Implementation Plan: `specs/001-extract-matrix-platform/plan.md`
- Task Breakdown: `specs/001-extract-matrix-platform/tasks.md`
- Sanitization Rules: `specs/001-extract-matrix-platform/contracts/sanitization-rules.yaml`
---
**Note**: This repository is currently in active development. Documentation and deployment guides will be added as modules are extracted and tested.