authorFlorian Klink <flokli@flokli.de>2019-09-01 02:55:28 +0200
committerFlorian Klink <flokli@flokli.de>2019-09-01 02:55:28 +0200
commite95d4c734acf71813c33872c7f1a09bd13abd96d (patch)
tree5d2f206fdbef32e80515bcd4662e0f8497860597
parentd658dd4ce0bf1c9b0206b1cb737ea3bfb4fdd6dd (diff)
google-compute-config.nix: use sysctl snippets from gce
We make them available at ${gce}/sysctl.d and add them to
environment.etc, like we do with the systemd ones.
-rw-r--r--nixos/modules/virtualisation/google-compute-config.nix78
-rw-r--r--pkgs/tools/virtualization/google-compute-engine/default.nix4
2 files changed, 5 insertions, 77 deletions
diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix
index 41fbf4702e8..327324f2921 100644
--- a/nixos/modules/virtualisation/google-compute-config.nix
+++ b/nixos/modules/virtualisation/google-compute-config.nix
@@ -144,81 +144,5 @@ in
     wantedBy = [ "multi-user.target" ];
   };
 
-
-  # Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf
-  boot.kernel.sysctl = {
-    # Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
-    # of TCP functionality/features under normal conditions.  When flood
-    # protections kick in under high unanswered-SYN load, the system
-    # should remain more stable, with a trade off of some loss of TCP
-    # functionality/features (e.g. TCP Window scaling).
-    "net.ipv4.tcp_syncookies" = mkDefault "1";
-
-    # ignores ICMP redirects
-    "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
-
-    # ignores ICMP redirects
-    "net.ipv4.conf.default.accept_redirects" = mkDefault "0";
-
-    # ignores ICMP redirects from non-GW hosts
-    "net.ipv4.conf.all.secure_redirects" = mkDefault "1";
-
-    # ignores ICMP redirects from non-GW hosts
-    "net.ipv4.conf.default.secure_redirects" = mkDefault "1";
-
-    # don't allow traffic between networks or act as a router
-    "net.ipv4.ip_forward" = mkDefault "0";
-
-    # don't allow traffic between networks or act as a router
-    "net.ipv4.conf.all.send_redirects" = mkDefault "0";
-
-    # don't allow traffic between networks or act as a router
-    "net.ipv4.conf.default.send_redirects" = mkDefault "0";
-
-    # strict reverse path filtering - IP spoofing protection
-    "net.ipv4.conf.all.rp_filter" = mkDefault "1";
-
-    # strict path filtering - IP spoofing protection
-    "net.ipv4.conf.default.rp_filter" = mkDefault "1";
-
-    # ignores ICMP broadcasts to avoid participating in Smurf attacks
-    "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1";
-
-    # ignores bad ICMP errors
-    "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1";
-
-    # logs spoofed, source-routed, and redirect packets
-    "net.ipv4.conf.all.log_martians" = mkDefault "1";
-
-    # log spoofed, source-routed, and redirect packets
-    "net.ipv4.conf.default.log_martians" = mkDefault "1";
-
-    # implements RFC 1337 fix
-    "net.ipv4.tcp_rfc1337" = mkDefault "1";
-
-    # randomizes addresses of mmap base, heap, stack and VDSO page
-    "kernel.randomize_va_space" = mkDefault "2";
-
-    # Reboot the machine soon after a kernel panic.
-    "kernel.panic" = mkDefault "10";
-
-    ## Not part of the original config
-
-    # provides protection from ToCToU races
-    "fs.protected_hardlinks" = mkDefault "1";
-
-    # provides protection from ToCToU races
-    "fs.protected_symlinks" = mkDefault "1";
-
-    # makes locating kernel addresses more difficult
-    "kernel.kptr_restrict" = mkDefault "1";
-
-    # set ptrace protections
-    "kernel.yama.ptrace_scope" = mkOverride 500 "1";
-
-    # set perf only available to root
-    "kernel.perf_event_paranoid" = mkDefault "2";
-
-  };
-
+  environment.etc."sysctl.d/11-gce-network-security.conf".source = "${gce}/sysctl.d/11-gce-network-security.conf";
 }
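Review bot: The replacement on line 109 sources only 11-gce-network-security.conf, so the five settings the old block explicitly marked "Not part of the original config" — fs.protected_hardlinks, fs.protected_symlinks, kernel.kptr_restrict, kernel.yama.ptrace_scope and kernel.perf_event_paranoid — are dropped from the module without the commit message saying so. Unless the upstream snippet also carries them (it is not shown here), keep them as a reduced `boot.kernel.sysctl = { ... };` block with the same `mkDefault` / `mkOverride 500` priorities, or state in the description that the image loses that hardening. The network settings now land in /etc/sysctl.d under a fixed `11-` prefix instead of as `mkDefault` values; presumably a user's own `boot.kernel.sysctl` entry still wins because NixOS emits its own later-sorted snippet, but that is worth confirming and recording in a comment above line 109, e.g. `# Applied by systemd-sysctl; boot.kernel.sysctl entries still override these`. The enclosing attribute set and the `gce` binding referenced by `${gce}` start outside the hunk.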
diff --git a/pkgs/tools/virtualization/google-compute-engine/default.nix b/pkgs/tools/virtualization/google-compute-engine/default.nix
index d4c817b7ecb..48255ca68a7 100644
--- a/pkgs/tools/virtualization/google-compute-engine/default.nix
+++ b/pkgs/tools/virtualization/google-compute-engine/default.nix
@@ -46,6 +46,10 @@ buildPythonApplication rec {
     mkdir -p $out/lib/udev/rules.d
     cp -r google_config/udev/*.rules $out/lib/udev/rules.d
 
+    # sysctl snippets will be used by google-compute-config.nix
+    mkdir -p $out/sysctl.d
+    cp google_config/sysctl/*.conf $out/sysctl.d
+
     patchShebangs $out/bin/*
   '';
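Review bot: The new lines 120-121 install the snippets at `$out/sysctl.d`, whereas the udev rules two lines above go to `$out/lib/udev/rules.d`; putting them at `$out/lib/sysctl.d` would mirror that layout and the usual /usr/lib/sysctl.d convention, with the consuming path in google-compute-config.nix adjusted to match. The glob also copies every `*.conf` upstream ships while only 11-gce-network-security.conf is consumed by the NixOS module, so the comment on line 119 would be more useful as `# consumed by nixos/modules/virtualisation/google-compute-config.nix via environment.etc (currently only 11-gce-network-security.conf)`. The shell snippet these lines belong to starts outside the hunk.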