Diffstat (limited to 'README.md')
-rw-r--r-- README.md 59
1 files changed, 56 insertions, 3 deletions
diff --git a/README.md b/README.md
index 897dce3..06c4933 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,7 @@
# VPS
-## Re-creating everything from scratch
+## Workflow
+### Re-creating everything from scratch
```shell
git crypt unlock
@@ -10,10 +11,62 @@ direnv allow
./nixos-update.sh
```
-## After an update on `vps.tf`
+### After an update on `vps.tf`
Same as above.
-## After editing `vps-configuration.nix` or other OS files
+### After editing `vps-configuration.nix` or other OS files
Just run the `./nixos-update.sh` script.
+
+## Base image
+The basic `configuration.nix` file in the current snapshots looks just like this:
+
+```nix
+{ config, pkgs, ... }:
+
+{
+ imports = [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
+
+ networking.useDHCP = false;
+ networking.interfaces.ens3.useDHCP = true;
+
+ environment.systemPackages = with pkgs; [ vim ];
+
+ services.openssh.enable = true;
+ services.openssh.permitRootLogin = "no";
+
+ users.extraUsers.andreh = {
+ uid = 1000;
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ password = "...password...";
+ openssh.authorizedKeys.keys = [
+ "...ssh public key..."
+ ];
+ };
+
+ system.stateVersion = "19.09";
+}
+```
+
+This basic setup allows it to boot, starts the OpenSSH server agent and allows
+the listed `openssh.authorizedKeys.keys` to login.
+
+I've also changed the nix-channel to the `nixos-unstable` imperatively before
+creating the image snapshot:
+
+```shell
+sudo nix-channel --remove nixos
+sudo nix-channel --add https://nixos.org/channels/nixos-unstable nixos
+```
+
+So the first run of `./nixos-update.sh` will already get the latest channel from
+unstable, which makes this image not tied to the particular original 19.09 NixOS
+distribution.
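Review bot: In the `users.extraUsers.andreh` block of the new "Base image" section, `password = "...password...";` documents a cleartext password option, and NixOS leaves that value world-readable in the Nix store of every snapshot built from this image; use `hashedPassword` instead, or say in the README why a cleartext value is acceptable here. The following sentence, "allows the listed `openssh.authorizedKeys.keys` to login", also reads as if key login were the only way in, but the snippet never sets `services.openssh.passwordAuthentication = false;`, so with the NixOS default the password for `andreh` (a `wheel` member) is accepted over SSH as well. Either add that line to the documented base config or reword the sentence. Separately, since the channel switch to `nixos-unstable` is done imperatively and is not captured in `configuration.nix`, it would help to note that anyone rebuilding the snapshot has to repeat those two `nix-channel` commands by hand.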