Enhance deployment configuration with machine-specific templates and secrets management

Updated the .gitignore to include machine-specific configurations and secrets handling. Expanded the DEPLOYMENT-GUIDE.md to provide detailed instructions for adding new machines using a template, along with steps for managing encrypted secrets. Introduced example configuration files for boot settings and a sample WireGuard service, improving modularity and flexibility in the NixOS deployment process. Adjusted krops.nix to reference the correct path for machine-specific configurations.

config/machines/example-machine/boot.nix

@@ -0,0 +1,13 @@
+{
+  # Bootloader configuration
+  # This example uses systemd-boot for UEFI systems
+  # For BIOS systems, use GRUB instead
+
+  # UEFI boot loader (systemd-boot)
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # Alternative: GRUB for BIOS systems
+  # boot.loader.grub.enable = true;
+  # boot.loader.grub.device = "/dev/sda"; # or "nodev" for UEFI
+}

config/machines/example-machine/configuration.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+{
+  # Import shared configuration and machine-specific modules
+  imports = [
+    # Import shared.nix with your domain parameter
+    # Replace "example.com" with your actual domain
+    (import /var/src/config-shared {
+      inherit config pkgs;
+      domain = "example.com";
+    })
+
+    # Import hardware-specific configuration
+    # This file is typically generated by nixos-generate-config
+    ./hardware-configuration.nix
+
+    # Import boot configuration (bootloader settings)
+    ./boot.nix
+
+    # Import any machine-specific services
+    # Comment out or remove if not needed
+    # ./example-service.nix
+  ];
+}

config/machines/example-machine/example-service.nix

@@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Example: WireGuard VPN Service
+  # This is a machine-specific service that can be imported in configuration.nix
+  # Only machines that need WireGuard should import this file
+
+  # Install WireGuard tools
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+  ];
+
+  # Configure WireGuard interface
+  networking.wireguard.interfaces = {
+    wg0 = {
+      # Generate keys with: wg genkey | tee privatekey | wg pubkey > publickey
+      # Store the private key securely on the target machine
+      privateKeyFile = "/etc/wireguard/privatekey";
+
+      # VPN IP address for this machine
+      ips = [ "10.0.0.2/24" ];
+
+      # VPN peers (other machines or VPN server)
+      peers = [
+        {
+          # Public key of the peer
+          publicKey = "PEER_PUBLIC_KEY_HERE";
+
+          # Which IPs should be routed through this peer
+          allowedIPs = [ "10.0.0.1/32" ];
+
+          # Endpoint address and port of the peer
+          endpoint = "vpn.example.com:51820";
+
+          # Send keepalive packets every 15 seconds
+          persistentKeepalive = 15;
+        }
+      ];
+    };
+  };
+
+  # Optional: Systemd service optimizations
+  systemd.services."wireguard-wg0".serviceConfig = {
+    # Restart the service if it fails
+    Restart = "on-failure";
+    RestartSec = "5s";
+  };
+
+  # Other example services you might add:
+
+  # Example: Custom backup service
+  # services.restic.backups.daily = {
+  #   user = "root";
+  #   repository = "s3:s3.amazonaws.com/my-backup-bucket";
+  #   passwordFile = "/etc/restic/password";
+  #   paths = [ "/var/lib" "/home" ];
+  #   timerConfig = { OnCalendar = "daily"; };
+  # };
+
+  # Example: Development tools (for staging environments)
+  # environment.systemPackages = with pkgs; [
+  #   vim
+  #   git
+  #   htop
+  #   tmux
+  # ];
+
+  # Example: Custom firewall rules
+  # networking.firewall.allowedTCPPorts = [ 8080 ];
+  # networking.firewall.allowedUDPPorts = [ 51820 ];
+}