Appendix: Deviations from Plan

Deviations from Plan

Where the actual deployment diverged from the documented phases:

Phase Expected Actual

Phase	Expected	Actual
0	Ventoy USB (copy ISO)	Blank USB — used `dd` instead (no Ventoy installed, AUR only)
0	Borg via SSH transport	Borg via NFS mount + dsource for passphrase
1	Simple `ip link \| awk` for MAC	Needed `for` loop awk — `altname` field shifts column positions
2	ext4 XBOOTLDR `/boot` partition (type ea00)	ext4 XBOOTLDR doesn’t work — Boot Loader Spec requires VFAT. Kernels copied to ESP instead.
3	Hostname `modestus-t16g`	WRONG MODEL — machine is ThinkPad P16g Gen 3, not T16g. Corrected to `modestus-p16g` post-install.
4	Boot entries at `/boot/loader/entries/`	Must be at `/boot/efi/loader/entries/` — entries + kernels must be on SAME partition (ESP)
4	`bootctl --boot-path=/boot install`	`--boot-path` not needed — everything on ESP. Just `bootctl --esp-path=/boot/efi install`
4	Fallback images generated by default	Arch ships with fallback commented out in presets. Must uncomment manually.
6	`sudo pacman -S nvidia`	Package doesn’t exist for RTX 5090. Use `nvidia-open` + `nvidia-open-lts`.
7	rsync keys, clone dots-quantum, stow	Massive bootstrap needed: rsync 6 directories, fix gopass config, GPG lock cleanup, port 443 workaround, NVIM_APPNAME discovery, private packages (gpg/hosts/secrets are gitignored)
7	`ln -sf domus-nvim ~/.config/nvim`	Wrong — `.zshrc` exports `NVIM_APPNAME="nvim-domus"`. Symlink must be `~/.config/nvim-domus`.
8b	Issue cert from installed system	Issued from Razer — `$(cat /etc/hostname)` returned Razer’s hostname. Must set `HOSTNAME="modestus-p16g"` explicitly.
8b	Port 22 works after EAP-TLS	Yes — DOMUS-Secure VLAN has port 22 open. iPSK VLAN blocks it.

Ventoy USB (copy ISO)

Blank USB — used dd instead (no Ventoy installed, AUR only)

Borg via SSH transport

Borg via NFS mount + dsource for passphrase

Simple ip link | awk for MAC

Needed for loop awk — altname field shifts column positions

ext4 XBOOTLDR /boot partition (type ea00)

ext4 XBOOTLDR doesn’t work — Boot Loader Spec requires VFAT. Kernels copied to ESP instead.

Hostname modestus-t16g

WRONG MODEL — machine is ThinkPad P16g Gen 3, not T16g. Corrected to modestus-p16g post-install.

Boot entries at /boot/loader/entries/

Must be at /boot/efi/loader/entries/ — entries + kernels must be on SAME partition (ESP)

bootctl --boot-path=/boot install

--boot-path not needed — everything on ESP. Just bootctl --esp-path=/boot/efi install

Fallback images generated by default

Arch ships with fallback commented out in presets. Must uncomment manually.

sudo pacman -S nvidia

Package doesn’t exist for RTX 5090. Use nvidia-open + nvidia-open-lts.

rsync keys, clone dots-quantum, stow

Massive bootstrap needed: rsync 6 directories, fix gopass config, GPG lock cleanup, port 443 workaround, NVIM_APPNAME discovery, private packages (gpg/hosts/secrets are gitignored)

ln -sf domus-nvim ~/.config/nvim

Wrong — .zshrc exports NVIM_APPNAME="nvim-domus". Symlink must be ~/.config/nvim-domus.

Issue cert from installed system

Issued from Razer — $(cat /etc/hostname) returned Razer’s hostname. Must set HOSTNAME="modestus-p16g" explicitly.

Port 22 works after EAP-TLS

Yes — DOMUS-Secure VLAN has port 22 open. iPSK VLAN blocks it.