barrett/nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

more updates

Browse source
This commit is contained in:
Barrett Ruth 2026-02-09 13:39:17 -05:00
parent 0416ecf1eb
commit e3ef4ee353
2 changed files with 291 additions and 277 deletions
Download patch file Download diff file Expand all files Collapse all files

292
MIGRATION-GUIDE.md
View file

@ -1,4 +1,290 @@
After migration is complete, undo the temporary access grants: # Migration Guide
sudo gpasswd -d frozen barrett ## Disaster recovery
sudo chmod 750 /home/barrett
If you lose your laptop, you need exactly two things from memory:
1. AWS root credentials (email + password) — gets you into the console,
which gets you to Lightsail, which means Vaultwarden at
git.barrettruth.com is reachable
2. Vaultwarden master password — unlocks everything else (GitHub, email,
etc.)
If you have 2FA on either of these via an authenticator app, you also
need recovery codes. Print them. Store them somewhere physical that
isn't your laptop.
All SSH keys, GPG keys, and .pem files are stored as attachments in
Vaultwarden. Restoring them is step 10 below.
## Pre-migration (do this on Arch before wiping)
### Upload keys to Vaultwarden
Open git.barrettruth.com and create a secure note entry for your keys.
Export your GPG private key:
```sh
gpg --export-secret-keys --armor A6C96C9349D2FC81 > /tmp/gpg-private.asc
```
Attach all seven files to the vault entry:
| File | Path |
|------|------|
| `id_ed25519` | `~/.ssh/id_ed25519` |
| `id_ed25519.pub` | `~/.ssh/id_ed25519.pub` |
| `git-keypair.pem` | `~/.ssh/git-keypair.pem` |
| `git-keypair-old.pem` | `~/.ssh/git-keypair-old.pem` |
| `uva_key` | `~/.ssh/uva_key` |
| `uva_key.pub` | `~/.ssh/uva_key.pub` |
| `gpg-private.asc` | `/tmp/gpg-private.asc` |
Verify all attachments are downloadable, then clean up:
```sh
rm /tmp/gpg-private.asc
```
By storing the same keys, the key IDs in `git.nix` stay valid, GitHub
doesn't need updating, and git signing works immediately after restore.
### Push this repo
```sh
cd ~/nix-config
git push
```
## Fresh install from zero
### 1. Flash the installer
Download the NixOS minimal ISO from https://nixos.org/download (x86_64).
```sh
dd bs=4M if=nixos-minimal-*.iso of=/dev/sdX status=progress oflag=sync
```
### 2. Boot and connect to WiFi
Boot from USB (F12 for boot menu on XPS 15).
```sh
iwctl
[iwd]# station wlan0 scan
[iwd]# station wlan0 get-networks
[iwd]# station wlan0 connect <SSID>
```
Verify: `ping nixos.org`
### 3. Partition
```sh
lsblk -f
```
#### Option A: fresh partition table
```sh
fdisk /dev/nvme0n1
# 1. EFI System partition — 512M
# 2. Linux swap — match your RAM
# 3. Linux filesystem — rest of disk
mkfs.fat -F 32 /dev/nvme0n1p1
mkswap /dev/nvme0n1p2
mkfs.ext4 -L nixos /dev/nvme0n1p3
mount /dev/nvme0n1p3 /mnt
mkdir -p /mnt/boot/efi
mount /dev/nvme0n1p1 /mnt/boot/efi
swapon /dev/nvme0n1p2
```
#### Option B: reuse existing partitions
```sh
mkfs.ext4 -L nixos /dev/nvme0n1pX # formats root, wipes the old OS
mount /dev/nvme0n1pX /mnt
mkdir -p /mnt/boot/efi
mount /dev/nvme0n1pY /mnt/boot/efi
swapon /dev/nvme0n1pZ
```
### 4. Generate hardware config
```sh
nixos-generate-config --root /mnt
```
This produces `/mnt/etc/nixos/hardware-configuration.nix`. You need this
file — it describes your specific disk UUIDs, kernel modules, and
firmware. The generated `configuration.nix` next to it is not used.
### 5. Clone the repo
```sh
nix-shell -p git
git clone https://github.com/barrettruth/nix-config /mnt/home/barrett/nix-config
```
Copy the hardware config into place:
```sh
cp /mnt/etc/nixos/hardware-configuration.nix /mnt/home/barrett/nix-config/hosts/xps15/
```
### 6. Copy fonts (optional, can be done later)
Fonts are proprietary and not in the repo. The build will succeed
without them — home-manager prints a warning and fonts fall back to
system defaults. When you're ready, populate `~/nix-config/fonts/`:
- Copy from a USB drive
- Copy from a backup
- Download from wherever you originally purchased them
- Pull from another machine via scp
```sh
cp -r /path/to/your/fonts /mnt/home/barrett/nix-config/fonts/
```
The `fonts/` directory is gitignored and symlinked to
`~/.local/share/fonts` at activation time.
### 7. Install
```sh
nixos-install --flake /mnt/home/barrett/nix-config#xps15
```
This builds the entire system (kernel, drivers, services, user
environment, home-manager) in one shot. It will ask you to set the root
password at the end.
### 8. Reboot and set user password
```sh
reboot
```
Remove the USB. Log in as root, then:
```sh
passwd barrett
logout
```
Log in as barrett.
### 9. Fix ownership
The install created `~/nix-config` as root. Fix it:
```sh
sudo chown -R barrett:users ~/nix-config
```
### 10. Restore keys from Vaultwarden
Open Zen browser and go to git.barrettruth.com. Log in with your
master password. Open the vault entry containing your keys and download
all attachments.
#### SSH keys
```sh
mkdir -p ~/.ssh
cp ~/Downloads/id_ed25519 ~/.ssh/
cp ~/Downloads/id_ed25519.pub ~/.ssh/
cp ~/Downloads/git-keypair.pem ~/.ssh/
cp ~/Downloads/git-keypair-old.pem ~/.ssh/
cp ~/Downloads/uva_key ~/.ssh/
cp ~/Downloads/uva_key.pub ~/.ssh/
```
Permissions are fixed automatically by the activation script in
`git.nix` on the next rebuild. If you want them right now:
```sh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519 ~/.ssh/git-keypair.pem ~/.ssh/git-keypair-old.pem ~/.ssh/uva_key
chmod 644 ~/.ssh/id_ed25519.pub ~/.ssh/uva_key.pub
```
Set the repo remote to SSH for push access:
```sh
cd ~/nix-config
git remote set-url origin git@github.com:barrettruth/nix-config.git
```
#### GPG key
```sh
gpg --import ~/Downloads/gpg-private.asc
gpg --edit-key A6C96C9349D2FC81 trust
```
Select trust level 5 (ultimate), then `quit`. The key ID matches what's
in `git.nix`, so git signing works immediately.
#### Clean up
Delete the downloaded key files from `~/Downloads/`.
### 11. Rebuild
After all manual steps are done:
```sh
sudo nixos-rebuild switch --flake ~/nix-config#xps15
```
### 12. Verify
- Terminal opens (ghostty)
- Neovim works and plugins install on first launch
- Browser opens (zen)
- Waybar shows at top
- Audio works (XF86 keys)
- Git push works (SSH)
- Git commits are signed (GPG)
## What's automated vs. what's manual
### Automated (handled by the flake)
- All packages and their exact versions
- Zsh, tmux, fzf, direnv, lf configuration
- Ghostty terminal configuration
- Hyprland, waybar, rofi, dunst, hypridle, hyprlock, hyprpaper
- Git config, aliases, ignore patterns
- SSH config (host definitions, not keys)
- GPG agent config (not the keys themselves)
- Keyd keyboard remapping
- NVIDIA drivers and prime offload
- Pipewire audio stack
- Docker and libvirt
- Systemd services and timers
- XDG directories and MIME associations
- Scripts symlinked to ~/.local/bin/scripts
- Directory creation (~/dev, ~/dl, ~/img, ~/wp)
- Cloning this repo to ~/nix-config on first activation
- Wallpaper symlinks from the repo to ~/img/screen
- Daily flake input updates
### Manual (you must do these yourself)
- Flash and boot the installer
- Partition and mount disks
- Generate hardware-configuration.nix
- Set root and user passwords
- Restore SSH keys, GPG key, and .pem files from Vaultwarden
- Copy fonts into nix-config/fonts/ (optional, can be done later)
- Restore browser profile (~/.zen) if you want tabs/extensions back

276
README.md
View file

@ -2,292 +2,20 @@
NixOS and home-manager configuration for a Dell XPS 15 9500. NixOS and home-manager configuration for a Dell XPS 15 9500.
## Disaster recovery See [MIGRATION-GUIDE.md](MIGRATION-GUIDE.md) for install, disaster
recovery, and key restore instructions.
If you lose your laptop, you need exactly two things from memory:
1. AWS root credentials (email + password) — gets you into the console,
which gets you to Lightsail, which means Vaultwarden at
git.barrettruth.com is reachable
2. Vaultwarden master password — unlocks everything else (GitHub, email,
etc.)
If you have 2FA on either of these via an authenticator app, you also
need recovery codes. Print them. Store them somewhere physical that
isn't your laptop.
All SSH keys, GPG keys, and .pem files are stored as attachments in
Vaultwarden. Restoring them is step 10 below.
### Before you migrate: upload keys to Vaultwarden
Do this now, while you still have a working machine. Create a vault
entry (e.g. "keys") and attach:
- `~/.ssh/id_ed25519`
- `~/.ssh/id_ed25519.pub`
- `~/.ssh/git-keypair.pem`
- `~/.ssh/git-keypair-old.pem`
- `~/.ssh/uva_key` (if still needed)
- GPG private key (export first):
```sh
gpg --export-secret-keys --armor A6C96C9349D2FC81 > /tmp/gpg-private.asc
```
Attach `/tmp/gpg-private.asc`, then delete the temp file.
By storing the same keys, the key IDs in `git.nix` stay valid, GitHub
doesn't need updating, and git signing works immediately after restore.
## Manual steps (fresh install from zero)
### 1. Flash the installer
Download the NixOS minimal ISO from https://nixos.org/download (x86_64).
```sh
dd bs=4M if=nixos-minimal-*.iso of=/dev/sdX status=progress oflag=sync
```
### 2. Boot and connect to WiFi
Boot from USB (F12 for boot menu on XPS 15).
```sh
iwctl
[iwd]# station wlan0 scan
[iwd]# station wlan0 get-networks
[iwd]# station wlan0 connect <SSID>
```
Verify: `ping nixos.org`
### 3. Partition
```sh
lsblk -f
```
#### Option A: fresh partition table
```sh
fdisk /dev/nvme0n1
# 1. EFI System partition — 512M
# 2. Linux swap — match your RAM
# 3. Linux filesystem — rest of disk
mkfs.fat -F 32 /dev/nvme0n1p1
mkswap /dev/nvme0n1p2
mkfs.ext4 -L nixos /dev/nvme0n1p3
mount /dev/nvme0n1p3 /mnt
mkdir -p /mnt/boot/efi
mount /dev/nvme0n1p1 /mnt/boot/efi
swapon /dev/nvme0n1p2
```
#### Option B: reuse existing partitions
```sh
mkfs.ext4 -L nixos /dev/nvme0n1pX # formats root, wipes the old OS
mount /dev/nvme0n1pX /mnt
mkdir -p /mnt/boot/efi
mount /dev/nvme0n1pY /mnt/boot/efi
swapon /dev/nvme0n1pZ
```
### 4. Generate hardware config
```sh
nixos-generate-config --root /mnt
```
This produces `/mnt/etc/nixos/hardware-configuration.nix`. You need this
file — it describes your specific disk UUIDs, kernel modules, and
firmware. The generated `configuration.nix` next to it is not used.
### 5. Clone the repo
```sh
nix-shell -p git
git clone https://github.com/barrettruth/nix-config /mnt/home/barrett/nix-config
```
Copy the hardware config into place:
```sh
cp /mnt/etc/nixos/hardware-configuration.nix /mnt/home/barrett/nix-config/hosts/xps15/
```
### 6. Copy fonts (optional, can be done later)
Fonts are proprietary and not in the repo. The build will succeed
without them — home-manager prints a warning and fonts fall back to
system defaults. When you're ready, populate `~/nix-config/fonts/`:
- Copy from a USB drive
- Copy from a backup
- Download from wherever you originally purchased them
- Pull from another machine via scp
```sh
cp -r /path/to/your/fonts /mnt/home/barrett/nix-config/fonts/
```
The `fonts/` directory is gitignored and symlinked to
`~/.local/share/fonts` at activation time.
### 7. Install
```sh
nixos-install --flake /mnt/home/barrett/nix-config#xps15
```
This builds the entire system (kernel, drivers, services, user
environment, home-manager) in one shot. It will ask you to set the root
password at the end.
### 8. Reboot and set user password
```sh
reboot
```
Remove the USB. Log in as root, then:
```sh
passwd barrett
logout
```
Log in as barrett.
### 9. Fix ownership
The install created `~/nix-config` as root. Fix it:
```sh
sudo chown -R barrett:users ~/nix-config
```
### 10. Restore keys from Vaultwarden
Open Zen browser and go to git.barrettruth.com. Log in with your
master password. Open the vault entry containing your keys and download
all attachments.
#### SSH keys
```sh
mkdir -p ~/.ssh
cp ~/Downloads/id_ed25519 ~/.ssh/
cp ~/Downloads/id_ed25519.pub ~/.ssh/
cp ~/Downloads/git-keypair.pem ~/.ssh/
cp ~/Downloads/git-keypair-old.pem ~/.ssh/
```
Permissions are fixed automatically by the activation script in
`git.nix` on the next rebuild. If you want them right now:
```sh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519 ~/.ssh/git-keypair.pem ~/.ssh/git-keypair-old.pem
chmod 644 ~/.ssh/id_ed25519.pub
```
Set the repo remote to SSH for push access:
```sh
cd ~/nix-config
git remote set-url origin git@github.com:barrettruth/nix-config.git
```
#### GPG key
```sh
gpg --import ~/Downloads/gpg-private.asc
gpg --edit-key A6C96C9349D2FC81 trust
```
Select trust level 5 (ultimate), then `quit`. The key ID matches what's
in `git.nix`, so git signing works immediately.
#### Clean up
Delete the downloaded key files from `~/Downloads/`.
### 11. Rebuild
After all manual steps are done:
```sh
sudo nixos-rebuild switch --flake ~/nix-config#xps15
```
### 12. Verify
- Terminal opens (ghostty)
- Neovim works and plugins install on first launch
- Browser opens (zen)
- Waybar shows at top
- Audio works (XF86 keys)
- Git push works (SSH)
- Git commits are signed (GPG)
## What's automated vs. what's manual
### Automated (handled by the flake)
- All packages and their exact versions
- Zsh, tmux, fzf, direnv, lf configuration
- Ghostty terminal configuration
- Hyprland, waybar, rofi, dunst, hypridle, hyprlock, hyprpaper
- Git config, aliases, ignore patterns
- SSH config (host definitions, not keys)
- GPG agent config (not the keys themselves)
- Keyd keyboard remapping
- NVIDIA drivers and prime offload
- Pipewire audio stack
- Docker and libvirt
- Systemd services and timers
- XDG directories and MIME associations
- Scripts symlinked to ~/.local/bin/scripts
- Directory creation (~/dev, ~/dl, ~/img, ~/wp)
- Cloning this repo to ~/nix-config on first activation
- Wallpaper symlinks from the repo to ~/img/screen
- Daily flake input updates
### Manual (you must do these yourself)
- Flash and boot the installer
- Partition and mount disks
- Generate hardware-configuration.nix
- Set root and user passwords
- Restore SSH keys, GPG key, and .pem files from Vaultwarden
- Copy fonts into nix-config/fonts/ (optional, can be done later)
- Restore browser profile (~/.zen) if you want tabs/extensions back
## Day-to-day ## Day-to-day
```sh ```sh
# edit config, rebuild
sudo nixos-rebuild switch --flake ~/nix-config#xps15 sudo nixos-rebuild switch --flake ~/nix-config#xps15
# update all inputs (nixpkgs, home-manager, etc.)
nix flake update --flake ~/nix-config nix flake update --flake ~/nix-config
sudo nixos-rebuild switch --flake ~/nix-config#xps15 sudo nixos-rebuild switch --flake ~/nix-config#xps15
# rollback
sudo nixos-rebuild switch --flake ~/nix-config#xps15 --rollback sudo nixos-rebuild switch --flake ~/nix-config#xps15 --rollback
# or pick a previous generation from GRUB at boot
# garbage collect old generations
sudo nix-collect-garbage -d sudo nix-collect-garbage -d
# home-manager is integrated into nixos-rebuild, no separate command needed
``` ```
## Architecture ## Architecture