- Create reverse-proxy machine configuration for VPS edge server
- Configure SSH access only via Tailscale (100.96.189.104)
- Implement strict DMZ firewall rules (HTTP/HTTPS only externally)
- Add enhanced fail2ban settings for DMZ environment
- Include sma user with SSH key management
- Configure Nginx reverse proxy with Let's Encrypt SSL
- Add reverse-proxy to flake.nix nixosConfigurations
Security features:
- SSH only accessible through Tailscale interface
- Aggressive fail2ban settings (24h ban, 3 max retries)
- Firewall rejects all non-essential traffic
- No common network config to avoid security conflicts
- Add reverse-proxy machine for SSL/TLS termination and external routing
- Add grey-area application server with Forgejo as primary service
- Create comprehensive About.org documentation for both machines
- Update plan.md with detailed infrastructure notes and service modules
New Infrastructure:
✅ reverse-proxy: Edge server with Nginx/Traefik, Let's Encrypt, security
✅ grey-area: Multi-purpose app server (Culture GCU name)
- Primary: Forgejo Git hosting and CI/CD
- Secondary: Jellyfin, Nextcloud, Grafana
- Container-focused architecture with PostgreSQL
Updated service modules planning:
- reverse-proxy.nix, forgejo.nix, media.nix, applications.nix
- Central Git hosting for all home lab development projects
- Complete CI/CD pipeline integration
Ready for NixOS configuration implementation in next phase.
