What would you recommend that is not NixOS or a Bash script and can be used agnostic of distro?

This is not correct as pass uses GPG, and you can do symmetric encryption with it, it is just a different parameter in the command.

You can use a different password per file, or the same one

I use qtpass as a GUI for pass

Can I use it fully offline?

Yes, it is fully offline, you can back it up by any mean you could any other file, and it should be fine as the files are encrypted (should store the keys separated), can be a USB, an external drive, another computer in your LAN, a git repo, nextcloud, syncthing.

How do I back it up to USB drive?

You copy and paste the files

What does the day-to-day operation of Pass compared to Keepass look like?

As I said I use qtpass as a GUI so, open qtpass, search for the specific password file, double click, put the password for my gpg key and then the password I need is stored in clipboard for 30sec (this is customizable or can be disabled) and I paste it where I need it.

If I need to store a new password, just use the add password button, and input the data, it is that simple.

I’m going to mention Ansible as I haven’t seen it mentioned, and it can be used to locally manage a reproducible build.

It has already been mentioned, but as a minimum to replicate your system you need two things:

• Transfer/copy your entire /home directory as there is where the majority of the configuration files of your system pertaining the software you use (there could be configs you could need on /etc and on /usr/local or other dir), that is why it is recommended to partition your disk on installation of your distro, so the /home directory is already separated, as if you reinstall in the same machine you don’t lose any configuration in addition to your personal documents/pictures/etc
• Have a way to automatically install a list of programs/apps/drivers/libraries, and that is what something like a bash script, Ansible, nixOs, etc. could help you with.

The truth is that using any of the tools in the second point requires learning a bunch, so if your skill level is still not there, there is some work to do to get there.

Old laptop, Debian with docker running nextcloud, navidrome, jellyfin, gitea, librespeed, wireguard, dnsmasq, and nginx as a reverse proxy.

adding Quillpad, as another alternative

QR is just image to text, most QR reading apps I have used, show you the QR content before going to the website (or let you disable opening the link directly) so you should be able to check the URL or content and see if the link is legit or not.

But let’s be honest most people don’t know or don’t even bother and that’s the real problem.

I recommend DuckDNS as well, you can run it both sides and set up a daemon to update the domain when there is an IP change automatically.

And with Wireguard you can set up a tunnel between both locations so you can share anything you need.

I’m using Debian, with Docker and running Jellyfin, Nextcloud, Navidrome and Wireguard on Containers on my old laptop. So that would be my suggestion.

You could install CasaOS and/or Portainer, on top of Debian if you want an easier way to manage your server and containers.

If you are not behind a CGNAT, it should be as easy as opening the necessary ports.

I have a reverse proxy running in ports 80, 443 and can safely access Jellyfin on a subdomain without issues from outside my LAN.

Markdown (there are plenty of editors to chose from) + Pandoc (to generate the output in multiple formats), would be my recommendation.

Been doing the same, just leaving my password-store offline, for me this is enough.

Just so you know it is possible, you can probably disable sleep or other things the laptop does by default when you close the lid, so you can leave it running while the lid is closed.

Did this with my old Dell laptop (that is running Debian server now), and now I access it over ssh while the lid is closed and very rarely open the lid and do stuff on the actual device directly.