diff --git a/MIGRATION-GUIDE.md b/MIGRATION-GUIDE.md index 999cbea..7d6f69f 100644 --- a/MIGRATION-GUIDE.md +++ b/MIGRATION-GUIDE.md @@ -1,4 +1,290 @@ -After migration is complete, undo the temporary access grants: +# Migration Guide - sudo gpasswd -d frozen barrett - sudo chmod 750 /home/barrett +## Disaster recovery + +If you lose your laptop, you need exactly two things from memory: + +1. AWS root credentials (email + password) — gets you into the console, + which gets you to Lightsail, which means Vaultwarden at + git.barrettruth.com is reachable +2. Vaultwarden master password — unlocks everything else (GitHub, email, + etc.) + +If you have 2FA on either of these via an authenticator app, you also +need recovery codes. Print them. Store them somewhere physical that +isn't your laptop. + +All SSH keys, GPG keys, and .pem files are stored as attachments in +Vaultwarden. Restoring them is step 10 below. + +## Pre-migration (do this on Arch before wiping) + +### Upload keys to Vaultwarden + +Open git.barrettruth.com and create a secure note entry for your keys. + +Export your GPG private key: + +```sh +gpg --export-secret-keys --armor A6C96C9349D2FC81 > /tmp/gpg-private.asc +``` + +Attach all seven files to the vault entry: + +| File | Path | +|------|------| +| `id_ed25519` | `~/.ssh/id_ed25519` | +| `id_ed25519.pub` | `~/.ssh/id_ed25519.pub` | +| `git-keypair.pem` | `~/.ssh/git-keypair.pem` | +| `git-keypair-old.pem` | `~/.ssh/git-keypair-old.pem` | +| `uva_key` | `~/.ssh/uva_key` | +| `uva_key.pub` | `~/.ssh/uva_key.pub` | +| `gpg-private.asc` | `/tmp/gpg-private.asc` | + +Verify all attachments are downloadable, then clean up: + +```sh +rm /tmp/gpg-private.asc +``` + +By storing the same keys, the key IDs in `git.nix` stay valid, GitHub +doesn't need updating, and git signing works immediately after restore. + +### Push this repo + +```sh +cd ~/nix-config +git push +``` + +## Fresh install from zero + +### 1. Flash the installer + +Download the NixOS minimal ISO from https://nixos.org/download (x86_64). + +```sh +dd bs=4M if=nixos-minimal-*.iso of=/dev/sdX status=progress oflag=sync +``` + +### 2. Boot and connect to WiFi + +Boot from USB (F12 for boot menu on XPS 15). + +```sh +iwctl +[iwd]# station wlan0 scan +[iwd]# station wlan0 get-networks +[iwd]# station wlan0 connect +``` + +Verify: `ping nixos.org` + +### 3. Partition + +```sh +lsblk -f +``` + +#### Option A: fresh partition table + +```sh +fdisk /dev/nvme0n1 + +# 1. EFI System partition — 512M +# 2. Linux swap — match your RAM +# 3. Linux filesystem — rest of disk + +mkfs.fat -F 32 /dev/nvme0n1p1 +mkswap /dev/nvme0n1p2 +mkfs.ext4 -L nixos /dev/nvme0n1p3 + +mount /dev/nvme0n1p3 /mnt +mkdir -p /mnt/boot/efi +mount /dev/nvme0n1p1 /mnt/boot/efi +swapon /dev/nvme0n1p2 +``` + +#### Option B: reuse existing partitions + +```sh +mkfs.ext4 -L nixos /dev/nvme0n1pX # formats root, wipes the old OS + +mount /dev/nvme0n1pX /mnt +mkdir -p /mnt/boot/efi +mount /dev/nvme0n1pY /mnt/boot/efi +swapon /dev/nvme0n1pZ +``` + +### 4. Generate hardware config + +```sh +nixos-generate-config --root /mnt +``` + +This produces `/mnt/etc/nixos/hardware-configuration.nix`. You need this +file — it describes your specific disk UUIDs, kernel modules, and +firmware. The generated `configuration.nix` next to it is not used. + +### 5. Clone the repo + +```sh +nix-shell -p git +git clone https://github.com/barrettruth/nix-config /mnt/home/barrett/nix-config +``` + +Copy the hardware config into place: + +```sh +cp /mnt/etc/nixos/hardware-configuration.nix /mnt/home/barrett/nix-config/hosts/xps15/ +``` + +### 6. Copy fonts (optional, can be done later) + +Fonts are proprietary and not in the repo. The build will succeed +without them — home-manager prints a warning and fonts fall back to +system defaults. When you're ready, populate `~/nix-config/fonts/`: + +- Copy from a USB drive +- Copy from a backup +- Download from wherever you originally purchased them +- Pull from another machine via scp + +```sh +cp -r /path/to/your/fonts /mnt/home/barrett/nix-config/fonts/ +``` + +The `fonts/` directory is gitignored and symlinked to +`~/.local/share/fonts` at activation time. + +### 7. Install + +```sh +nixos-install --flake /mnt/home/barrett/nix-config#xps15 +``` + +This builds the entire system (kernel, drivers, services, user +environment, home-manager) in one shot. It will ask you to set the root +password at the end. + +### 8. Reboot and set user password + +```sh +reboot +``` + +Remove the USB. Log in as root, then: + +```sh +passwd barrett +logout +``` + +Log in as barrett. + +### 9. Fix ownership + +The install created `~/nix-config` as root. Fix it: + +```sh +sudo chown -R barrett:users ~/nix-config +``` + +### 10. Restore keys from Vaultwarden + +Open Zen browser and go to git.barrettruth.com. Log in with your +master password. Open the vault entry containing your keys and download +all attachments. + +#### SSH keys + +```sh +mkdir -p ~/.ssh +cp ~/Downloads/id_ed25519 ~/.ssh/ +cp ~/Downloads/id_ed25519.pub ~/.ssh/ +cp ~/Downloads/git-keypair.pem ~/.ssh/ +cp ~/Downloads/git-keypair-old.pem ~/.ssh/ +cp ~/Downloads/uva_key ~/.ssh/ +cp ~/Downloads/uva_key.pub ~/.ssh/ +``` + +Permissions are fixed automatically by the activation script in +`git.nix` on the next rebuild. If you want them right now: + +```sh +chmod 700 ~/.ssh +chmod 600 ~/.ssh/id_ed25519 ~/.ssh/git-keypair.pem ~/.ssh/git-keypair-old.pem ~/.ssh/uva_key +chmod 644 ~/.ssh/id_ed25519.pub ~/.ssh/uva_key.pub +``` + +Set the repo remote to SSH for push access: + +```sh +cd ~/nix-config +git remote set-url origin git@github.com:barrettruth/nix-config.git +``` + +#### GPG key + +```sh +gpg --import ~/Downloads/gpg-private.asc +gpg --edit-key A6C96C9349D2FC81 trust +``` + +Select trust level 5 (ultimate), then `quit`. The key ID matches what's +in `git.nix`, so git signing works immediately. + +#### Clean up + +Delete the downloaded key files from `~/Downloads/`. + +### 11. Rebuild + +After all manual steps are done: + +```sh +sudo nixos-rebuild switch --flake ~/nix-config#xps15 +``` + +### 12. Verify + +- Terminal opens (ghostty) +- Neovim works and plugins install on first launch +- Browser opens (zen) +- Waybar shows at top +- Audio works (XF86 keys) +- Git push works (SSH) +- Git commits are signed (GPG) + +## What's automated vs. what's manual + +### Automated (handled by the flake) + +- All packages and their exact versions +- Zsh, tmux, fzf, direnv, lf configuration +- Ghostty terminal configuration +- Hyprland, waybar, rofi, dunst, hypridle, hyprlock, hyprpaper +- Git config, aliases, ignore patterns +- SSH config (host definitions, not keys) +- GPG agent config (not the keys themselves) +- Keyd keyboard remapping +- NVIDIA drivers and prime offload +- Pipewire audio stack +- Docker and libvirt +- Systemd services and timers +- XDG directories and MIME associations +- Scripts symlinked to ~/.local/bin/scripts +- Directory creation (~/dev, ~/dl, ~/img, ~/wp) +- Cloning this repo to ~/nix-config on first activation +- Wallpaper symlinks from the repo to ~/img/screen +- Daily flake input updates + +### Manual (you must do these yourself) + +- Flash and boot the installer +- Partition and mount disks +- Generate hardware-configuration.nix +- Set root and user passwords +- Restore SSH keys, GPG key, and .pem files from Vaultwarden +- Copy fonts into nix-config/fonts/ (optional, can be done later) +- Restore browser profile (~/.zen) if you want tabs/extensions back diff --git a/README.md b/README.md index 7998c1c..5df14b4 100644 --- a/README.md +++ b/README.md @@ -2,292 +2,20 @@ NixOS and home-manager configuration for a Dell XPS 15 9500. -## Disaster recovery - -If you lose your laptop, you need exactly two things from memory: - -1. AWS root credentials (email + password) — gets you into the console, - which gets you to Lightsail, which means Vaultwarden at - git.barrettruth.com is reachable -2. Vaultwarden master password — unlocks everything else (GitHub, email, - etc.) - -If you have 2FA on either of these via an authenticator app, you also -need recovery codes. Print them. Store them somewhere physical that -isn't your laptop. - -All SSH keys, GPG keys, and .pem files are stored as attachments in -Vaultwarden. Restoring them is step 10 below. - -### Before you migrate: upload keys to Vaultwarden - -Do this now, while you still have a working machine. Create a vault -entry (e.g. "keys") and attach: - -- `~/.ssh/id_ed25519` -- `~/.ssh/id_ed25519.pub` -- `~/.ssh/git-keypair.pem` -- `~/.ssh/git-keypair-old.pem` -- `~/.ssh/uva_key` (if still needed) -- GPG private key (export first): - -```sh -gpg --export-secret-keys --armor A6C96C9349D2FC81 > /tmp/gpg-private.asc -``` - -Attach `/tmp/gpg-private.asc`, then delete the temp file. - -By storing the same keys, the key IDs in `git.nix` stay valid, GitHub -doesn't need updating, and git signing works immediately after restore. - -## Manual steps (fresh install from zero) - -### 1. Flash the installer - -Download the NixOS minimal ISO from https://nixos.org/download (x86_64). - -```sh -dd bs=4M if=nixos-minimal-*.iso of=/dev/sdX status=progress oflag=sync -``` - -### 2. Boot and connect to WiFi - -Boot from USB (F12 for boot menu on XPS 15). - -```sh -iwctl -[iwd]# station wlan0 scan -[iwd]# station wlan0 get-networks -[iwd]# station wlan0 connect -``` - -Verify: `ping nixos.org` - -### 3. Partition - -```sh -lsblk -f -``` - -#### Option A: fresh partition table - -```sh -fdisk /dev/nvme0n1 - -# 1. EFI System partition — 512M -# 2. Linux swap — match your RAM -# 3. Linux filesystem — rest of disk - -mkfs.fat -F 32 /dev/nvme0n1p1 -mkswap /dev/nvme0n1p2 -mkfs.ext4 -L nixos /dev/nvme0n1p3 - -mount /dev/nvme0n1p3 /mnt -mkdir -p /mnt/boot/efi -mount /dev/nvme0n1p1 /mnt/boot/efi -swapon /dev/nvme0n1p2 -``` - -#### Option B: reuse existing partitions - -```sh -mkfs.ext4 -L nixos /dev/nvme0n1pX # formats root, wipes the old OS - -mount /dev/nvme0n1pX /mnt -mkdir -p /mnt/boot/efi -mount /dev/nvme0n1pY /mnt/boot/efi -swapon /dev/nvme0n1pZ -``` - -### 4. Generate hardware config - -```sh -nixos-generate-config --root /mnt -``` - -This produces `/mnt/etc/nixos/hardware-configuration.nix`. You need this -file — it describes your specific disk UUIDs, kernel modules, and -firmware. The generated `configuration.nix` next to it is not used. - -### 5. Clone the repo - -```sh -nix-shell -p git -git clone https://github.com/barrettruth/nix-config /mnt/home/barrett/nix-config -``` - -Copy the hardware config into place: - -```sh -cp /mnt/etc/nixos/hardware-configuration.nix /mnt/home/barrett/nix-config/hosts/xps15/ -``` - -### 6. Copy fonts (optional, can be done later) - -Fonts are proprietary and not in the repo. The build will succeed -without them — home-manager prints a warning and fonts fall back to -system defaults. When you're ready, populate `~/nix-config/fonts/`: - -- Copy from a USB drive -- Copy from a backup -- Download from wherever you originally purchased them -- Pull from another machine via scp - -```sh -cp -r /path/to/your/fonts /mnt/home/barrett/nix-config/fonts/ -``` - -The `fonts/` directory is gitignored and symlinked to -`~/.local/share/fonts` at activation time. - -### 7. Install - -```sh -nixos-install --flake /mnt/home/barrett/nix-config#xps15 -``` - -This builds the entire system (kernel, drivers, services, user -environment, home-manager) in one shot. It will ask you to set the root -password at the end. - -### 8. Reboot and set user password - -```sh -reboot -``` - -Remove the USB. Log in as root, then: - -```sh -passwd barrett -logout -``` - -Log in as barrett. - -### 9. Fix ownership - -The install created `~/nix-config` as root. Fix it: - -```sh -sudo chown -R barrett:users ~/nix-config -``` - -### 10. Restore keys from Vaultwarden - -Open Zen browser and go to git.barrettruth.com. Log in with your -master password. Open the vault entry containing your keys and download -all attachments. - -#### SSH keys - -```sh -mkdir -p ~/.ssh -cp ~/Downloads/id_ed25519 ~/.ssh/ -cp ~/Downloads/id_ed25519.pub ~/.ssh/ -cp ~/Downloads/git-keypair.pem ~/.ssh/ -cp ~/Downloads/git-keypair-old.pem ~/.ssh/ -``` - -Permissions are fixed automatically by the activation script in -`git.nix` on the next rebuild. If you want them right now: - -```sh -chmod 700 ~/.ssh -chmod 600 ~/.ssh/id_ed25519 ~/.ssh/git-keypair.pem ~/.ssh/git-keypair-old.pem -chmod 644 ~/.ssh/id_ed25519.pub -``` - -Set the repo remote to SSH for push access: - -```sh -cd ~/nix-config -git remote set-url origin git@github.com:barrettruth/nix-config.git -``` - -#### GPG key - -```sh -gpg --import ~/Downloads/gpg-private.asc -gpg --edit-key A6C96C9349D2FC81 trust -``` - -Select trust level 5 (ultimate), then `quit`. The key ID matches what's -in `git.nix`, so git signing works immediately. - -#### Clean up - -Delete the downloaded key files from `~/Downloads/`. - -### 11. Rebuild - -After all manual steps are done: - -```sh -sudo nixos-rebuild switch --flake ~/nix-config#xps15 -``` - -### 12. Verify - -- Terminal opens (ghostty) -- Neovim works and plugins install on first launch -- Browser opens (zen) -- Waybar shows at top -- Audio works (XF86 keys) -- Git push works (SSH) -- Git commits are signed (GPG) - -## What's automated vs. what's manual - -### Automated (handled by the flake) - -- All packages and their exact versions -- Zsh, tmux, fzf, direnv, lf configuration -- Ghostty terminal configuration -- Hyprland, waybar, rofi, dunst, hypridle, hyprlock, hyprpaper -- Git config, aliases, ignore patterns -- SSH config (host definitions, not keys) -- GPG agent config (not the keys themselves) -- Keyd keyboard remapping -- NVIDIA drivers and prime offload -- Pipewire audio stack -- Docker and libvirt -- Systemd services and timers -- XDG directories and MIME associations -- Scripts symlinked to ~/.local/bin/scripts -- Directory creation (~/dev, ~/dl, ~/img, ~/wp) -- Cloning this repo to ~/nix-config on first activation -- Wallpaper symlinks from the repo to ~/img/screen -- Daily flake input updates - -### Manual (you must do these yourself) - -- Flash and boot the installer -- Partition and mount disks -- Generate hardware-configuration.nix -- Set root and user passwords -- Restore SSH keys, GPG key, and .pem files from Vaultwarden -- Copy fonts into nix-config/fonts/ (optional, can be done later) -- Restore browser profile (~/.zen) if you want tabs/extensions back +See [MIGRATION-GUIDE.md](MIGRATION-GUIDE.md) for install, disaster +recovery, and key restore instructions. ## Day-to-day ```sh -# edit config, rebuild sudo nixos-rebuild switch --flake ~/nix-config#xps15 -# update all inputs (nixpkgs, home-manager, etc.) nix flake update --flake ~/nix-config sudo nixos-rebuild switch --flake ~/nix-config#xps15 -# rollback sudo nixos-rebuild switch --flake ~/nix-config#xps15 --rollback -# or pick a previous generation from GRUB at boot -# garbage collect old generations sudo nix-collect-garbage -d - -# home-manager is integrated into nixos-rebuild, no separate command needed ``` ## Architecture