CR-2026-03-12: P50 Migration from Arch to Ubuntu
Change Summary
| Field | Value |
|---|---|
Change ID |
CR-2026-03-12-P50-UBUNTU |
System |
Lenovo ThinkPad P50 (modestus-p50) |
Current State |
Arch Linux (rolling release) |
Target State |
Ubuntu 25.10 with LUKS full disk encryption |
Requestor |
Evan Rosado |
Scheduled |
2026-03-12 |
Risk Level |
Medium (data loss if backup fails) |
Context |
Personal infrastructure |
Business Justification
Why Ubuntu over Arch?
| Factor | Arch Linux | Ubuntu 25.10 |
|---|---|---|
Stability |
Rolling release, occasional breakage |
Interim release - 9 months support, newer packages |
Gaming |
Manual Steam/Proton setup |
Steam officially supported, easier NVIDIA |
Maintenance |
Frequent updates, manual intervention |
Automatic security updates |
Learning Curve |
High (user maintains everything) |
Lower (good for student handoff) |
Secure Browser |
May have compatibility issues |
Better school software support |
Use Case
This P50 will be used by a student who needs:
-
School secure browser software
-
Gaming (Steam, Proton)
-
Stable, low-maintenance system
-
Full disk encryption for data protection
Pre-Change Checklist
Backup Verification
| Item | Command/Action | Status |
|---|---|---|
Home directory backup |
|
[ ] PENDING |
Package list |
|
[ ] PENDING |
Dotfiles |
Verify dotfiles repo is current |
[ ] PENDING |
SSH keys |
Copy |
[ ] PENDING |
GPG keys |
|
[ ] PENDING |
Browser bookmarks |
Export from Firefox/Chrome |
[ ] PENDING |
Game saves |
|
[ ] PENDING |
802.1X certificates |
Backup client cert, key, CA cert (see below) |
[ ] PENDING |
NetworkManager 802.1X profiles |
Export connection profiles (see below) |
[ ] PENDING |
802.1X Certificate Backup
CRITICAL: EAP-TLS certificates must be backed up OR reissued from Vault.
# List current 802.1X connections
nmcli -t -f NAME,TYPE connection show | grep -E "Domus-Wired|DomusWifi"
# Find certificate paths in connection profile
sudo cat /etc/NetworkManager/system-connections/Domus-Wired-EAP-TLS.nmconnection | grep -E "ca-cert|client-cert|private-key"
# Backup certificates (typical locations)
mkdir -p /mnt/backup/p50-$(date +%Y-%m-%d)/certs
sudo cp /etc/ssl/certs/domus-ca.crt /mnt/backup/p50-$(date +%Y-%m-%d)/certs/
sudo cp /etc/ssl/certs/p50-client.crt /mnt/backup/p50-$(date +%Y-%m-%d)/certs/
sudo cp /etc/ssl/private/p50-client.key /mnt/backup/p50-$(date +%Y-%m-%d)/certs/
# Backup NetworkManager connection profiles
sudo cp /etc/NetworkManager/system-connections/Domus-Wired*.nmconnection /mnt/backup/p50-$(date +%Y-%m-%d)/certs/
sudo cp /etc/NetworkManager/system-connections/DomusWifi*.nmconnection /mnt/backup/p50-$(date +%Y-%m-%d)/certs/Option: Reissue from Vault (if certs expired or prefer fresh):
# On admin workstation with Vault access
vault write pki_int/issue/domus-client \
common_name="p50.inside.domusdigitalis.dev" \
ttl="8760h"Hardware Verification
| Item | Expected | Status |
|---|---|---|
UEFI Mode |
Enabled |
[ ] VERIFY |
Secure Boot |
Disabled (for initial install) |
[ ] VERIFY |
Drive |
NVMe SSD |
[ ] VERIFY |
RAM |
16GB+ recommended |
[ ] VERIFY |