Add machine-specific service configuration for WireGuard and related templates

Introduced a comprehensive guide for adding machine-specific services in the DEPLOYMENT-GUIDE.md, including steps to configure WireGuard for specific machines. Added example configuration files for boot settings, machine-specific configurations, and an example service for WireGuard. This enhances the modularity and flexibility of the NixOS deployment process, allowing for tailored configurations per machine.
2025-10-10 00:49:22 +02:00 · 2025-10-10 00:49:22 +02:00 · d27bdd3005
commit d27bdd3005
parent c2b9eac973
4 changed files with 199 additions and 0 deletions
--- a/DEPLOYMENT-GUIDE.md
+++ b/DEPLOYMENT-GUIDE.md
@ -102,3 +102,94 @@ Edit files in `web-app/`, then rebuild locally

 After any changes: rebuild locally, then redeploy.

+## Adding Machine-Specific Services
+
+Sometimes you need services that only run on certain machines (e.g., WireGuard on machine1 but not machine2).
+
+### Using the Example Template
+
+A complete example machine configuration is provided in `config/example-machine/`:
+
+```
+config/example-machine/
+  ├── configuration.nix      # Template with domain parameter
+  ├── boot.nix              # Bootloader configuration examples
+  └── example-service.nix   # WireGuard and other service examples
+```
+
+**To use the template:**
+1. Copy the `example-machine` directory to your new machine name:
+   ```bash
+   cp -r config/example-machine config/my-new-machine
+   ```
+2. Edit `configuration.nix` to set your domain
+3. Copy your `hardware-configuration.nix` from `nixos-generate-config`
+4. Customize `boot.nix` for your bootloader (UEFI or BIOS)
+5. Modify or remove `example-service.nix` as needed
+6. Add the machine to `build-local.nix` and `krops.nix`
+
+### Example: Machine1 has WireGuard
+
+**Structure:**
+```
+config/
+  ├── shared.nix                    # Shared config for all machines
+  ├── machine1/
+  │   ├── configuration.nix         # Imports shared.nix + machine-specific modules
+  │   ├── wireguard.nix            # Machine1-specific service
+  │   ├── hardware-configuration.nix
+  │   └── boot.nix
+  └── machine2/
+      ├── configuration.nix         # Only imports shared.nix
+      ├── hardware-configuration.nix
+      └── boot.nix
+```
+
+### Steps to Add a Machine-Specific Service
+
+1. **Create a service configuration file** in the machine's directory:
+   ```bash
+   # Example: config/machine1/wireguard.nix
+   { config, lib, pkgs, ... }:
+   {
+     networking.wireguard.interfaces = {
+       wg0 = {
+         privateKeyFile = "/etc/wireguard/privatekey";
+         ips = [ "10.0.0.2/24" ];
+         peers = [ ... ];
+       };
+     };
+   }
+   ```
+
+2. **Import it in the machine's configuration.nix**:
+   ```nix
+   # config/machine1/configuration.nix
+   { config, pkgs, ... }:
+   {
+     imports = [
+       (import /var/src/config-shared {
+         inherit config pkgs;
+         domain = "4lpaca.io";
+       })
+       ./hardware-configuration.nix
+       ./boot.nix
+       ./wireguard.nix        # ← Add your service here
+     ];
+   }
+   ```
+
+3. **Deploy** - the service will only be deployed to that specific machine:
+   ```bash
+   nix-build ./krops.nix -A machine1 && ./result
+   ```
+
+### Common Machine-Specific Services
+
+- **WireGuard VPN** - Only on machines that need VPN access
+- **Backup services** - Different backup targets per machine
+- **Development tools** - Extra packages for staging vs production
+- **Custom hardware drivers** - GPU drivers, specific hardware support
+
+The key is that each machine's `configuration.nix` can import different modules while still sharing common configuration through `shared.nix`.
+
--- a/config/example-machine/boot.nix
+++ b/config/example-machine/boot.nix
@ -0,0 +1,13 @@
+{
+  # Bootloader configuration
+  # This example uses systemd-boot for UEFI systems
+  # For BIOS systems, use GRUB instead
+
+  # UEFI boot loader (systemd-boot)
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # Alternative: GRUB for BIOS systems
+  # boot.loader.grub.enable = true;
+  # boot.loader.grub.device = "/dev/sda"; # or "nodev" for UEFI
+}
--- a/config/example-machine/configuration.nix
+++ b/config/example-machine/configuration.nix
@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+{
+  # Import shared configuration and machine-specific modules
+  imports = [
+    # Import shared.nix with your domain parameter
+    # Replace "example.com" with your actual domain
+    (import /var/src/config-shared {
+      inherit config pkgs;
+      domain = "example.com";
+    })
+
+    # Import hardware-specific configuration
+    # This file is typically generated by nixos-generate-config
+    ./hardware-configuration.nix
+
+    # Import boot configuration (bootloader settings)
+    ./boot.nix
+
+    # Import any machine-specific services
+    # Comment out or remove if not needed
+    # ./example-service.nix
+  ];
+}
--- a/config/example-machine/example-service.nix
+++ b/config/example-machine/example-service.nix
@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Example: WireGuard VPN Service
+  # This is a machine-specific service that can be imported in configuration.nix
+  # Only machines that need WireGuard should import this file
+
+  # Install WireGuard tools
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+  ];
+
+  # Configure WireGuard interface
+  networking.wireguard.interfaces = {
+    wg0 = {
+      # Generate keys with: wg genkey | tee privatekey | wg pubkey > publickey
+      # Store the private key securely on the target machine
+      privateKeyFile = "/etc/wireguard/privatekey";
+
+      # VPN IP address for this machine
+      ips = [ "10.0.0.2/24" ];
+
+      # VPN peers (other machines or VPN server)
+      peers = [
+        {
+          # Public key of the peer
+          publicKey = "PEER_PUBLIC_KEY_HERE";
+
+          # Which IPs should be routed through this peer
+          allowedIPs = [ "10.0.0.1/32" ];
+
+          # Endpoint address and port of the peer
+          endpoint = "vpn.example.com:51820";
+
+          # Send keepalive packets every 15 seconds
+          persistentKeepalive = 15;
+        }
+      ];
+    };
+  };
+
+  # Optional: Systemd service optimizations
+  systemd.services."wireguard-wg0".serviceConfig = {
+    # Restart the service if it fails
+    Restart = "on-failure";
+    RestartSec = "5s";
+  };
+
+  # Other example services you might add:
+
+  # Example: Custom backup service
+  # services.restic.backups.daily = {
+  #   user = "root";
+  #   repository = "s3:s3.amazonaws.com/my-backup-bucket";
+  #   passwordFile = "/etc/restic/password";
+  #   paths = [ "/var/lib" "/home" ];
+  #   timerConfig = { OnCalendar = "daily"; };
+  # };
+
+  # Example: Development tools (for staging environments)
+  # environment.systemPackages = with pkgs; [
+  #   vim
+  #   git
+  #   htop
+  #   tmux
+  # ];
+
+  # Example: Custom firewall rules
+  # networking.firewall.allowedTCPPorts = [ 8080 ];
+  # networking.firewall.allowedUDPPorts = [ 51820 ];
+}