Enhance deployment configuration with machine-specific templates and secrets management

Updated the .gitignore to include machine-specific configurations and secrets handling. Expanded the DEPLOYMENT-GUIDE.md to provide detailed instructions for adding new machines using a template, along with steps for managing encrypted secrets. Introduced example configuration files for boot settings and a sample WireGuard service, improving modularity and flexibility in the NixOS deployment process. Adjusted krops.nix to reference the correct path for machine-specific configurations.
2025-10-12 08:16:43 +02:00 · 2025-10-12 08:16:43 +02:00 · d794cf4394
commit d794cf4394
parent 78dcba25ec
5 changed files with 66 additions and 23 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,3 +5,21 @@ result
 machine-specific
 web-app
 lnbits
+lnbits-extensions
+
+# Machine-specific configurations (user creates these)
+# Keep example-machine as a template
+config/machines/*
+!config/machines/example-machine/
+
+# Secrets - only ignore unencrypted secrets
+# Encrypted .age files are SAFE to commit
+secrets/**/!(*.age)
+secrets/**/*.txt
+secrets/**/*.key
+secrets/**/*.pem
+secrets/**/*.env
+
+# Age/Passage identity files (NEVER commit these!)
+.passage/
+identities
--- a/DEPLOYMENT-GUIDE.md
+++ b/DEPLOYMENT-GUIDE.md
@ -11,26 +11,30 @@ This setup builds the web-app **locally** with machine-specific configuration, t

 ```
 .
-├── web-app/                          # Shared web-app source code
-│   ├── package.json
-│   ├── index.html
-│   └── public/                       # Base public folder
-├── machine-specific/
-│   ├── machine1/
-│   │   ├── env/.env                  # Machine1's environment file
-│   │   └── images/                   # Machine1's images
-│   │       ├── logo.png
-│   │       └── banner.jpg
+├── config/                           # NixOS configuration files
+│   ├── shared.nix                    # Shared config for all machines
+│   ├── nginx.nix                     # Nginx configuration
+│   ├── lnbits.nix                    # LNBits configuration
+│   ├── pict-rs.nix                   # Pict-rs configuration
+│   └── machines/                     # Machine-specific configs (gitignored)
+│       ├── example-machine/          # Template (committed to git)
+│       │   ├── configuration.nix     # Main config entry point
+│       │   ├── boot.nix             # Bootloader settings
+│       │   └── example-service.nix  # Service examples
+│       ├── machine1/                 # Your machines (gitignored)
+│       └── machine2/                 # Your machines (gitignored)
+├── web-app/                          # Shared web-app source (symlink)
+├── machine-specific/                 # Machine-specific web-app assets (symlink)
+├── lnbits/                          # LNBits source (symlink)
+├── secrets/                         # Encrypted secrets
+│   ├── example-machine/
+│   │   └── README.md                # Secrets usage guide
+│   ├── machine1/                    # Machine-specific secrets
+│   │   └── *.age                    # Encrypted with age
 │   └── machine2/
-│       ├── env/.env                  # Machine2's environment file
-│       └── images/                   # Machine2's images
-│           ├── logo.png
-│           └── banner.jpg
-├── build/                            # Generated locally (gitignored)
-│   ├── machine1/dist/                # Built files for machine1
-│   └── machine2/dist/                # Built files for machine2
-├── build-local.nix                   # Local build scripts
-└── krops.nix                         # Deployment configuration
+├── build/                           # Generated locally (gitignored)
+├── build-local.nix                  # Local build scripts
+└── krops.nix                        # Deployment configuration
 ```

 ## How It Works
@ -83,10 +87,31 @@ nix-build ./krops.nix -A all && ./result

 ### Add a new machine

-1. Create directories: `machine-specific/machine3/env/` and `machine-specific/machine3/images/`
-2. Add `.env` file and images for machine3
-3. Create `config/machine3/configuration.nix`
-4. Add machine3 to `build-local.nix` and `krops.nix`
+1. **Copy the example template:**
+   ```bash
+   cp -r config/machines/example-machine config/machines/my-new-machine
+   ```
+
+2. **Edit the configuration:**
+   - Open `config/machines/my-new-machine/configuration.nix`
+   - Change `domain = "example.com"` to your domain
+   - Add your `hardware-configuration.nix` (from `nixos-generate-config`)
+
+3. **Create machine-specific web-app assets** (if using web-app):
+   ```bash
+   mkdir -p machine-specific/my-new-machine/env
+   mkdir -p machine-specific/my-new-machine/images
+   # Add .env file and images
+   ```
+
+4. **Add to krops.nix and build-local.nix:**
+   - Add `my-new-machine` configuration to both files
+
+5. **Build and deploy:**
+   ```bash
+   nix-build ./build-local.nix -A my-new-machine && ./result/bin/build-my-new-machine
+   nix-build ./krops.nix -A my-new-machine && ./result
+   ```

 ### Update environment variables

--- a/config/machines/example-machine/boot.nix
+++ b/config/machines/example-machine/boot.nix
--- a/config/machines/example-machine/configuration.nix
+++ b/config/machines/example-machine/configuration.nix
--- a/config/machines/example-machine/example-service.nix
+++ b/config/machines/example-machine/example-service.nix