Enhance deployment configuration with machine-specific templates and secrets management

Updated the .gitignore to include machine-specific configurations and secrets handling. Expanded the DEPLOYMENT-GUIDE.md to provide detailed instructions for adding new machines using a template, along with steps for managing encrypted secrets. Introduced example configuration files for boot settings and a sample WireGuard service, improving modularity and flexibility in the NixOS deployment process. Adjusted krops.nix to reference the correct path for machine-specific configurations.
2025-10-12 08:16:43 +02:00 · 2025-10-12 08:16:43 +02:00 · d794cf4394
commit d794cf4394
parent 78dcba25ec
5 changed files with 66 additions and 23 deletions
--- a/config/machines/example-machine/example-service.nix
+++ b/config/machines/example-machine/example-service.nix
@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Example: WireGuard VPN Service
+  # This is a machine-specific service that can be imported in configuration.nix
+  # Only machines that need WireGuard should import this file
+
+  # Install WireGuard tools
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+  ];
+
+  # Configure WireGuard interface
+  networking.wireguard.interfaces = {
+    wg0 = {
+      # Generate keys with: wg genkey | tee privatekey | wg pubkey > publickey
+      # Store the private key securely on the target machine
+      privateKeyFile = "/etc/wireguard/privatekey";
+
+      # VPN IP address for this machine
+      ips = [ "10.0.0.2/24" ];
+
+      # VPN peers (other machines or VPN server)
+      peers = [
+        {
+          # Public key of the peer
+          publicKey = "PEER_PUBLIC_KEY_HERE";
+
+          # Which IPs should be routed through this peer
+          allowedIPs = [ "10.0.0.1/32" ];
+
+          # Endpoint address and port of the peer
+          endpoint = "vpn.example.com:51820";
+
+          # Send keepalive packets every 15 seconds
+          persistentKeepalive = 15;
+        }
+      ];
+    };
+  };
+
+  # Optional: Systemd service optimizations
+  systemd.services."wireguard-wg0".serviceConfig = {
+    # Restart the service if it fails
+    Restart = "on-failure";
+    RestartSec = "5s";
+  };
+
+  # Other example services you might add:
+
+  # Example: Custom backup service
+  # services.restic.backups.daily = {
+  #   user = "root";
+  #   repository = "s3:s3.amazonaws.com/my-backup-bucket";
+  #   passwordFile = "/etc/restic/password";
+  #   paths = [ "/var/lib" "/home" ];
+  #   timerConfig = { OnCalendar = "daily"; };
+  # };
+
+  # Example: Development tools (for staging environments)
+  # environment.systemPackages = with pkgs; [
+  #   vim
+  #   git
+  #   htop
+  #   tmux
+  # ];
+
+  # Example: Custom firewall rules
+  # networking.firewall.allowedTCPPorts = [ 8080 ];
+  # networking.firewall.allowedUDPPorts = [ 51820 ];
+}