Add machine-specific service configuration for WireGuard and related templates

Introduced a comprehensive guide for adding machine-specific services in the DEPLOYMENT-GUIDE.md, including steps to configure WireGuard for specific machines. Added example configuration files for boot settings, machine-specific configurations, and an example service for WireGuard. This enhances the modularity and flexibility of the NixOS deployment process, allowing for tailored configurations per machine.
2025-10-10 00:49:22 +02:00 · 2025-10-10 00:49:22 +02:00 · d27bdd3005
commit d27bdd3005
parent c2b9eac973
4 changed files with 199 additions and 0 deletions
--- a/config/example-machine/example-service.nix
+++ b/config/example-machine/example-service.nix
@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Example: WireGuard VPN Service
+  # This is a machine-specific service that can be imported in configuration.nix
+  # Only machines that need WireGuard should import this file
+
+  # Install WireGuard tools
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+  ];
+
+  # Configure WireGuard interface
+  networking.wireguard.interfaces = {
+    wg0 = {
+      # Generate keys with: wg genkey | tee privatekey | wg pubkey > publickey
+      # Store the private key securely on the target machine
+      privateKeyFile = "/etc/wireguard/privatekey";
+
+      # VPN IP address for this machine
+      ips = [ "10.0.0.2/24" ];
+
+      # VPN peers (other machines or VPN server)
+      peers = [
+        {
+          # Public key of the peer
+          publicKey = "PEER_PUBLIC_KEY_HERE";
+
+          # Which IPs should be routed through this peer
+          allowedIPs = [ "10.0.0.1/32" ];
+
+          # Endpoint address and port of the peer
+          endpoint = "vpn.example.com:51820";
+
+          # Send keepalive packets every 15 seconds
+          persistentKeepalive = 15;
+        }
+      ];
+    };
+  };
+
+  # Optional: Systemd service optimizations
+  systemd.services."wireguard-wg0".serviceConfig = {
+    # Restart the service if it fails
+    Restart = "on-failure";
+    RestartSec = "5s";
+  };
+
+  # Other example services you might add:
+
+  # Example: Custom backup service
+  # services.restic.backups.daily = {
+  #   user = "root";
+  #   repository = "s3:s3.amazonaws.com/my-backup-bucket";
+  #   passwordFile = "/etc/restic/password";
+  #   paths = [ "/var/lib" "/home" ];
+  #   timerConfig = { OnCalendar = "daily"; };
+  # };
+
+  # Example: Development tools (for staging environments)
+  # environment.systemPackages = with pkgs; [
+  #   vim
+  #   git
+  #   htop
+  #   tmux
+  # ];
+
+  # Example: Custom firewall rules
+  # networking.firewall.allowedTCPPorts = [ 8080 ];
+  # networking.firewall.allowedUDPPorts = [ 51820 ];
+}