From d794cf4394f4b32796da95127266c02d20cb52df Mon Sep 17 00:00:00 2001 From: padreug Date: Sun, 12 Oct 2025 08:16:43 +0200 Subject: [PATCH] Enhance deployment configuration with machine-specific templates and secrets management Updated the .gitignore to include machine-specific configurations and secrets handling. Expanded the DEPLOYMENT-GUIDE.md to provide detailed instructions for adding new machines using a template, along with steps for managing encrypted secrets. Introduced example configuration files for boot settings and a sample WireGuard service, improving modularity and flexibility in the NixOS deployment process. Adjusted krops.nix to reference the correct path for machine-specific configurations. --- .gitignore | 18 +++++ DEPLOYMENT-GUIDE.md | 71 +++++++++++++------ .../{ => machines}/example-machine/boot.nix | 0 .../example-machine/configuration.nix | 0 .../example-machine/example-service.nix | 0 5 files changed, 66 insertions(+), 23 deletions(-) rename config/{ => machines}/example-machine/boot.nix (100%) rename config/{ => machines}/example-machine/configuration.nix (100%) rename config/{ => machines}/example-machine/example-service.nix (100%) diff --git a/.gitignore b/.gitignore index d291262..41ea1dc 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,21 @@ result machine-specific web-app lnbits +lnbits-extensions + +# Machine-specific configurations (user creates these) +# Keep example-machine as a template +config/machines/* +!config/machines/example-machine/ + +# Secrets - only ignore unencrypted secrets +# Encrypted .age files are SAFE to commit +secrets/**/!(*.age) +secrets/**/*.txt +secrets/**/*.key +secrets/**/*.pem +secrets/**/*.env + +# Age/Passage identity files (NEVER commit these!) +.passage/ +identities diff --git a/DEPLOYMENT-GUIDE.md b/DEPLOYMENT-GUIDE.md index fb27809..3ee36f5 100644 --- a/DEPLOYMENT-GUIDE.md +++ b/DEPLOYMENT-GUIDE.md @@ -11,26 +11,30 @@ This setup builds the web-app **locally** with machine-specific configuration, t ``` . -├── web-app/ # Shared web-app source code -│ ├── package.json -│ ├── index.html -│ └── public/ # Base public folder -├── machine-specific/ -│ ├── machine1/ -│ │ ├── env/.env # Machine1's environment file -│ │ └── images/ # Machine1's images -│ │ ├── logo.png -│ │ └── banner.jpg +├── config/ # NixOS configuration files +│ ├── shared.nix # Shared config for all machines +│ ├── nginx.nix # Nginx configuration +│ ├── lnbits.nix # LNBits configuration +│ ├── pict-rs.nix # Pict-rs configuration +│ └── machines/ # Machine-specific configs (gitignored) +│ ├── example-machine/ # Template (committed to git) +│ │ ├── configuration.nix # Main config entry point +│ │ ├── boot.nix # Bootloader settings +│ │ └── example-service.nix # Service examples +│ ├── machine1/ # Your machines (gitignored) +│ └── machine2/ # Your machines (gitignored) +├── web-app/ # Shared web-app source (symlink) +├── machine-specific/ # Machine-specific web-app assets (symlink) +├── lnbits/ # LNBits source (symlink) +├── secrets/ # Encrypted secrets +│ ├── example-machine/ +│ │ └── README.md # Secrets usage guide +│ ├── machine1/ # Machine-specific secrets +│ │ └── *.age # Encrypted with age │ └── machine2/ -│ ├── env/.env # Machine2's environment file -│ └── images/ # Machine2's images -│ ├── logo.png -│ └── banner.jpg -├── build/ # Generated locally (gitignored) -│ ├── machine1/dist/ # Built files for machine1 -│ └── machine2/dist/ # Built files for machine2 -├── build-local.nix # Local build scripts -└── krops.nix # Deployment configuration +├── build/ # Generated locally (gitignored) +├── build-local.nix # Local build scripts +└── krops.nix # Deployment configuration ``` ## How It Works @@ -83,10 +87,31 @@ nix-build ./krops.nix -A all && ./result ### Add a new machine -1. Create directories: `machine-specific/machine3/env/` and `machine-specific/machine3/images/` -2. Add `.env` file and images for machine3 -3. Create `config/machine3/configuration.nix` -4. Add machine3 to `build-local.nix` and `krops.nix` +1. **Copy the example template:** + ```bash + cp -r config/machines/example-machine config/machines/my-new-machine + ``` + +2. **Edit the configuration:** + - Open `config/machines/my-new-machine/configuration.nix` + - Change `domain = "example.com"` to your domain + - Add your `hardware-configuration.nix` (from `nixos-generate-config`) + +3. **Create machine-specific web-app assets** (if using web-app): + ```bash + mkdir -p machine-specific/my-new-machine/env + mkdir -p machine-specific/my-new-machine/images + # Add .env file and images + ``` + +4. **Add to krops.nix and build-local.nix:** + - Add `my-new-machine` configuration to both files + +5. **Build and deploy:** + ```bash + nix-build ./build-local.nix -A my-new-machine && ./result/bin/build-my-new-machine + nix-build ./krops.nix -A my-new-machine && ./result + ``` ### Update environment variables diff --git a/config/example-machine/boot.nix b/config/machines/example-machine/boot.nix similarity index 100% rename from config/example-machine/boot.nix rename to config/machines/example-machine/boot.nix diff --git a/config/example-machine/configuration.nix b/config/machines/example-machine/configuration.nix similarity index 100% rename from config/example-machine/configuration.nix rename to config/machines/example-machine/configuration.nix diff --git a/config/example-machine/example-service.nix b/config/machines/example-machine/example-service.nix similarity index 100% rename from config/example-machine/example-service.nix rename to config/machines/example-machine/example-service.nix