padreug/krops-multi-deploy
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
krops-multi-deploy/config/machines/example-machine/example-service.nix
padreug d794cf4394 Enhance deployment configuration with machine-specific templates and secrets management 
Updated the .gitignore to include machine-specific configurations and secrets handling. Expanded the DEPLOYMENT-GUIDE.md to provide detailed instructions for adding new machines using a template, along with steps for managing encrypted secrets. Introduced example configuration files for boot settings and a sample WireGuard service, improving modularity and flexibility in the NixOS deployment process. Adjusted krops.nix to reference the correct path for machine-specific configurations.
2025-10-12 08:16:43 +02:00

71 lines
1.9 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
{
# Example: WireGuard VPN Service
# This is a machine-specific service that can be imported in configuration.nix
# Only machines that need WireGuard should import this file
# Install WireGuard tools
environment.systemPackages = with pkgs; [
wireguard-tools
];
# Configure WireGuard interface
networking.wireguard.interfaces = {
wg0 = {
# Generate keys with: wg genkey | tee privatekey | wg pubkey > publickey
# Store the private key securely on the target machine
privateKeyFile = "/etc/wireguard/privatekey";
# VPN IP address for this machine
ips = [ "10.0.0.2/24" ];
# VPN peers (other machines or VPN server)
peers = [
{
# Public key of the peer
publicKey = "PEER_PUBLIC_KEY_HERE";
# Which IPs should be routed through this peer
allowedIPs = [ "10.0.0.1/32" ];
# Endpoint address and port of the peer
endpoint = "vpn.example.com:51820";
# Send keepalive packets every 15 seconds
persistentKeepalive = 15;
}
];
};
};
# Optional: Systemd service optimizations
systemd.services."wireguard-wg0".serviceConfig = {
# Restart the service if it fails
Restart = "on-failure";
RestartSec = "5s";
};
# Other example services you might add:
# Example: Custom backup service
# services.restic.backups.daily = {
# user = "root";
# repository = "s3:s3.amazonaws.com/my-backup-bucket";
# passwordFile = "/etc/restic/password";
# paths = [ "/var/lib" "/home" ];
# timerConfig = { OnCalendar = "daily"; };
# };
# Example: Development tools (for staging environments)
# environment.systemPackages = with pkgs; [
# vim
# git
# htop
# tmux
# ];
# Example: Custom firewall rules
# networking.firewall.allowedTCPPorts = [ 8080 ];
# networking.firewall.allowedUDPPorts = [ 51820 ];
}
Reference in a new issue View git blame Copy permalink