update

README.md

@@ -1,9 +1,17 @@
-# Nix Config
+# nix
 
-## New Machine
+nix-darwin + NixOS + Home Manager config.
 
-### Darwin
+## machines
 
+| name | type | manage |
+|------|------|--------|
+| darwin | MacBook Pro (aarch64) | `just switch` |
+| netty | NixOS VPS (x86_64) | `just switch-netty` |
+
+## new machine setup
+
+**darwin:**
 ```bash
 curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
 git clone https://github.com/harivansh-afk/nix.git ~/Documents/GitHub/nix
@@ -12,51 +20,32 @@ sudo nix --extra-experimental-features 'nix-command flakes' run github:nix-darwi
 exec zsh -l
 bw login
 export BW_SESSION="$(bw unlock --raw)"
-just secrets-sync
+just secrets-sync && just secrets-restore-files
-just secrets-restore-files
 exec zsh -l
 ```
 
-### Linux
+**netty (from mac):**
-
 ```bash
-curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
+nix run github:nix-community/nixos-anywhere -- --flake .#netty --target-host netty --build-on-remote
-git clone https://github.com/harivansh-afk/nix.git ~/Documents/GitHub/nix
-cd ~/Documents/GitHub/nix
-nix run github:nix-community/home-manager -- switch --flake path:.#linux -b hm-bak
-exec zsh -l
 ```
 
-## Layout
+## secrets
 
-- `flake.nix`: top-level flake and host wiring
+SSH keys and credentials are stored in Bitwarden. After unlocking:
-- `hosts/darwin/default.nix`: macOS nix-darwin host config
+```bash
-- `hosts/linux/default.nix`: standalone Linux Home Manager host config
+export BW_SESSION="$(bw unlock --raw)"
-- `modules/base.nix`: Nix settings and core packages
+just secrets-sync          # shell env vars -> ~/.config/secrets/shell.zsh
-- `modules/macos.nix`: macOS defaults and host-level settings
+just secrets-restore-files # SSH keys, AWS, GCloud, Codex, GitHub CLI
-- `modules/packages.nix`: system packages and fonts
+```
-- `modules/homebrew.nix`: the remaining Homebrew-managed GUI apps
-- `home/`: Home Manager modules for shell, editor, CLI tools, and app config
-- `home/common.nix`: shared Home Manager imports used by macOS and Linux
-- `home/linux.nix`: Linux Home Manager entrypoint
-- `home/migration.nix`: transitional cleanup for old `~/dots` symlinks
-- `config/`: repo-owned config files consumed by Home Manager
 
-## Ownership Boundaries
+## layout
 
-- Nix owns packages, dotfiles, shell/editor config, launchd services, and
+```
-  selected macOS defaults
+hosts/darwin/   - macOS nix-darwin config
-- Homebrew is retained only for a narrow GUI cask boundary
+hosts/netty/    - NixOS VPS config (disko + hardware)
-- Keychain items, TCC/privacy permissions, browser history, and most
+modules/        - system-level modules (packages, macos defaults, homebrew)
-  `~/Library/Application Support` state are intentionally outside declarative
+home/           - Home Manager modules (shell, editor, tools)
-  Nix ownership
+lib/            - shared package sets and theme system
-
+config/         - repo-owned config files (nvim, tmux, etc.)
-## Bitwarden note:
+scripts/        - secret management and utility scripts
-
+```
-- `bw` is installed via Homebrew as `bitwarden-cli`
-- `bws` is not currently managed in this repo because I did not find a
-  supported nixpkgs or Homebrew package for it on macOS during verification
-- daily shell secrets are synced from Bitwarden into `~/.config/secrets/shell.zsh`
-  via `just secrets-sync`
-- vault items are currently the source of truth for imported machine secrets and
-  SSH material

justfile

@@ -30,4 +30,4 @@ secrets-restore-files:
   ./scripts/restore-bw-files.sh
 
 switch-netty:
-  nixos-rebuild switch --flake path:.#netty --target-host rathi@152.53.195.59 --build-on-remote --use-remote-sudo
+  ssh rathi@152.53.195.59 "sudo nixos-rebuild switch --flake github:harivansh-afk/nix#netty"