From d27bdd3005b0982c3bc3eef09e7eee6b28ecd366 Mon Sep 17 00:00:00 2001
From: padreug
Date: Fri, 10 Oct 2025 00:49:22 +0200
Subject: [PATCH] Add machine-specific service configuration for WireGuard and related templates

Introduced a comprehensive guide for adding machine-specific services in the DEPLOYMENT-GUIDE.md, including steps to configure WireGuard for specific machines. Added example configuration files for boot settings, machine-specific configurations, and an example service for WireGuard. This enhances the modularity and flexibility of the NixOS deployment process, allowing for tailored configurations per machine.
---
 DEPLOYMENT-GUIDE.md | 91 ++++++++++++++++++++++
 config/example-machine/boot.nix | 13 ++++
 config/example-machine/configuration.nix | 24 ++++++
 config/example-machine/example-service.nix | 71 +++++++++++++++++
 4 files changed, 199 insertions(+)
 create mode 100644 config/example-machine/boot.nix
 create mode 100644 config/example-machine/configuration.nix
 create mode 100644 config/example-machine/example-service.nix

diff --git a/DEPLOYMENT-GUIDE.md b/DEPLOYMENT-GUIDE.md
index e27c199..eaab454 100644
--- a/DEPLOYMENT-GUIDE.md
+++ b/DEPLOYMENT-GUIDE.md
@@ -102,3 +102,94 @@ Edit files in `web-app/`, then rebuild locally After any changes: rebuild locally, then redeploy. +## Adding Machine-Specific Services + +Sometimes you need services that only run on certain machines (e.g., WireGuard on machine1 but not machine2). + +### Using the Example Template + +A complete example machine configuration is provided in `config/example-machine/`: + +``` +config/example-machine/ + ├── configuration.nix # Template with domain parameter + ├── boot.nix # Bootloader configuration examples + └── example-service.nix # WireGuard and other service examples +``` + +**To use the template:** +1. Copy the `example-machine` directory to your new machine name: + ```bash + cp -r config/example-machine config/my-new-machine + ``` +2. Edit `configuration.nix` to set your domain +3. Copy your `hardware-configuration.nix` from `nixos-generate-config` +4. Customize `boot.nix` for your bootloader (UEFI or BIOS) +5. Modify or remove `example-service.nix` as needed +6. Add the machine to `build-local.nix` and `krops.nix` + +### Example: Machine1 has WireGuard + +**Structure:** +``` +config/ + ├── shared.nix # Shared config for all machines + ├── machine1/ + │ ├── configuration.nix # Imports shared.nix + machine-specific modules + │ ├── wireguard.nix # Machine1-specific service + │ ├── hardware-configuration.nix + │ └── boot.nix + └── machine2/ + ├── configuration.nix # Only imports shared.nix + ├── hardware-configuration.nix + └── boot.nix +``` + +### Steps to Add a Machine-Specific Service + +1. **Create a service configuration file** in the machine's directory: + ```bash + # Example: config/machine1/wireguard.nix + { config, lib, pkgs, ... }: + { + networking.wireguard.interfaces = { + wg0 = { + privateKeyFile = "/etc/wireguard/privatekey"; + ips = [ "10.0.0.2/24" ]; + peers = [ ... ]; + }; + }; + } + ``` + +2. **Import it in the machine's configuration.nix**: + ```nix + # config/machine1/configuration.nix + { config, pkgs, ... 
}:
+ {
+ imports = [
+ (import /var/src/config-shared {
+ inherit config pkgs;
+ domain = "4lpaca.io";
+ })
+ ./hardware-configuration.nix
+ ./boot.nix
+ ./wireguard.nix # ← Add your service here
+ ];
+ }
+ ```
+
+3. **Deploy** - the service will only be deployed to that specific machine:
+ ```bash
+ nix-build ./krops.nix -A machine1 && ./result
+ ```
+
+### Common Machine-Specific Services
+
+- **WireGuard VPN** - Only on machines that need VPN access
+- **Backup services** - Different backup targets per machine
+- **Development tools** - Extra packages for staging vs production
+- **Custom hardware drivers** - GPU drivers, specific hardware support
+
+The key is that each machine's `configuration.nix` can import different modules while still sharing common configuration through `shared.nix`.
+
diff --git a/config/example-machine/boot.nix b/config/example-machine/boot.nix
new file mode 100644
index 0000000..b313ef9
--- /dev/null
+++ b/config/example-machine/boot.nix
@@ -0,0 +1,13 @@
+{
+ # Bootloader configuration
+ # This example uses systemd-boot for UEFI systems
+ # For BIOS systems, use GRUB instead
+
+ # UEFI boot loader (systemd-boot)
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Alternative: GRUB for BIOS systems
+ # boot.loader.grub.enable = true;
+ # boot.loader.grub.device = "/dev/sda"; # or "nodev" for UEFI
+}
diff --git a/config/example-machine/configuration.nix b/config/example-machine/configuration.nix
new file mode 100644
index 0000000..26514b4
--- /dev/null
+++ b/config/example-machine/configuration.nix
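Review bot: The commented GRUB alternative in boot.nix is incomplete for the UEFI case it mentions: `# or "nodev" for UEFI` on the `boot.loader.grub.device` line also requires `boot.loader.grub.efiSupport = true;` (and a mounted ESP), otherwise `nodev` on its own produces a GRUB that cannot boot the machine. I would extend the comment to `# "nodev" for UEFI — then also set boot.loader.grub.efiSupport = true;`. For the BIOS case, `/dev/sda` is a kernel-enumeration name that can change between boots or when disks are added; a template should point users at a stable `/dev/disk/by-id/...` path instead. Note too that `canTouchEfiVariables = true` needs writable EFI variables, which some VMs and locked-down firmware do not provide — worth a one-line caveat since this file is meant to be copied blindly.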
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+{
+ # Import shared configuration and machine-specific modules
+ imports = [
+ # Import shared.nix with your domain parameter
+ # Replace "example.com" with your actual domain
+ (import /var/src/config-shared {
+ inherit config pkgs;
+ domain = "example.com";
+ })
+
+ # Import hardware-specific configuration
+ # This file is typically generated by nixos-generate-config
+ ./hardware-configuration.nix
+
+ # Import boot configuration (bootloader settings)
+ ./boot.nix
+
+ # Import any machine-specific services
+ # Comment out or remove if not needed
+ # ./example-service.nix
+ ];
+}
diff --git a/config/example-machine/example-service.nix b/config/example-machine/example-service.nix
new file mode 100644
index 0000000..283b697
--- /dev/null
+++ b/config/example-machine/example-service.nix
@@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # Example: WireGuard VPN Service
+ # This is a machine-specific service that can be imported in configuration.nix
+ # Only machines that need WireGuard should import this file
+
+ # Install WireGuard tools
+ environment.systemPackages = with pkgs; [
+ wireguard-tools
+ ];
+
+ # Configure WireGuard interface
+ networking.wireguard.interfaces = {
+ wg0 = {
+ # Generate keys with: wg genkey | tee privatekey | wg pubkey > publickey
+ # Store the private key securely on the target machine
+ privateKeyFile = "/etc/wireguard/privatekey";
+
+ # VPN IP address for this machine
+ ips = [ "10.0.0.2/24" ];
+
+ # VPN peers (other machines or VPN server)
+ peers = [
+ {
+ # Public key of the peer
+ publicKey = "PEER_PUBLIC_KEY_HERE";
+
+ # Which IPs should be routed through this peer
+ allowedIPs = [ "10.0.0.1/32" ];
+
+ # Endpoint address and port of the peer
+ endpoint = "vpn.example.com:51820";
+
+ # Send keepalive packets every 15 seconds
+ persistentKeepalive = 15;
+ }
+ ];
+ };
+ };
+
+ # Optional: Systemd service optimizations
+ systemd.services."wireguard-wg0".serviceConfig = {
+ # Restart the service if it fails
+ Restart = "on-failure";
+ RestartSec = "5s";
+ };
+
+ # Other example services you might add:
+
+ # Example: Custom backup service
+ # services.restic.backups.daily = {
+ # user = "root";
+ # repository = "s3:s3.amazonaws.com/my-backup-bucket";
+ # passwordFile = "/etc/restic/password";
+ # paths = [ "/var/lib" "/home" ];
+ # timerConfig = { OnCalendar = "daily"; };
+ # };
+
+ # Example: Development tools (for staging environments)
+ # environment.systemPackages = with pkgs; [
+ # vim
+ # git
+ # htop
+ # tmux
+ # ];
+
+ # Example: Custom firewall rules
+ # networking.firewall.allowedTCPPorts = [ 8080 ];
+ # networking.firewall.allowedUDPPorts = [ 51820 ];
+}
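Review bot: The key-generation recipe in the `wg0` comment, `wg genkey | tee privatekey | wg pubkey > publickey`, writes `privatekey` with the caller's default umask, so on most systems it lands world-readable; "Store the private key securely" should be made concrete, e.g. `# Run as root with: (umask 077; wg genkey | tee privatekey | wg pubkey > publickey)` and `# /etc/wireguard/privatekey must be owned by root, mode 0600 — wg only warns about a world-readable key, it does not refuse it`. The template should also say that this file is not created by the deployment (the krops flow ships configuration only), so the `wireguard-wg0` unit fails on the first switch until the key is provisioned out-of-band; if per-host keys are acceptable, the NixOS interface option `generatePrivateKeyFile = true;` creates the file with restrictive permissions on first start, which is worth mentioning as the safer default (confirm the option exists on the channel this repo pins). Separately, the commented "Development tools" example redefines `environment.systemPackages`, which is already set at the top of the same attribute set, so uncommenting it as written is an evaluation error (attribute already defined); either fold those packages into the existing list or note in the comment that they must be merged rather than added.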