author | Nikolay Amiantov <ab@fmap.me> | 2021-03-18 20:02:07 +0300 |
committer | Nikolay Amiantov <ab@fmap.me> | 2022-02-05 23:33:10 +0300 |
commit | 524aecf61e11663a3e841bee2e2b3a45a64ffdc2 (patch) | |
tree | e92e82fd434c0754e29bc83dacd98cf1fc981df7 /nixos/modules/virtualisation/google-compute-config.nix | |
parent | 077d0524ccfec44c00b469833ad7b5d8a984e7f6 (diff) | |
google-compute-config: update config
Diffstat (limited to 'nixos/modules/virtualisation/google-compute-config.nix')
-rw-r--r-- | nixos/modules/virtualisation/google-compute-config.nix | 135 |
1 files changed, 32 insertions, 103 deletions
diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix
index cff48d20b2b..44d2a589511 100644
--- a/nixos/modules/virtualisation/google-compute-config.nix
+++ b/nixos/modules/virtualisation/google-compute-config.nix
@@ -1,8 +1,5 @@
 { config, lib, pkgs, ... }:
 with lib;
-let
- gce = pkgs.google-compute-engine;
-in
 {
 imports = [
 ../profiles/headless.nix
@@ -40,7 +37,8 @@ in
 security.googleOsLogin.enable = true;

 # Use GCE udev rules for dynamic disk volumes
- services.udev.packages = [ gce ];
+ services.udev.packages = [ pkgs.google-guest-configs ];
+ services.udev.path = [ pkgs.google-guest-configs ];

 # Force getting the hostname from Google Compute.
 networking.hostName = mkDefault "";
@@ -48,12 +46,6 @@ in
 # Always include cryptsetup so that NixOps can use it.
 environment.systemPackages = [ pkgs.cryptsetup ];

- # Make sure GCE image does not replace host key that NixOps sets
- environment.etc."default/instance_configs.cfg".text = lib.mkDefault ''
- [InstanceSetup]
- set_host_keys = false
- '';
-
 # Rely on GCP's firewall instead
 networking.firewall.enable = mkDefault false;

@@ -69,105 +61,42 @@ in
 # GC has 1460 MTU
 networking.interfaces.eth0.mtu = 1460;

- # Used by NixOps
- systemd.services.fetch-instance-ssh-keys = {
- description = "Fetch host keys and authorized_keys for root user";
-
- wantedBy = [ "sshd.service" ];
- before = [ "sshd.service" ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- path = [ pkgs.wget ];
-
- serviceConfig = {
- Type = "oneshot";
- ExecStart = pkgs.runCommand "fetch-instance-ssh-keys" { } ''
- cp ${./fetch-instance-ssh-keys.bash} $out
- chmod +x $out
- ${pkgs.shfmt}/bin/shfmt -i 4 -d $out
- ${pkgs.shellcheck}/bin/shellcheck $out
- patchShebangs $out
- '';
- PrivateTmp = true;
- StandardError = "journal+console";
- StandardOutput = "journal+console";
- };
+ systemd.packages = [ pkgs.google-guest-agent ];
+ systemd.services.google-guest-agent = {
+ wantedBy = [ "multi-user.target" ];
+ restartTriggers = [ config.environment.etc."default/instance_configs.cfg".source ];
+ path = lib.optional config.users.mutableUsers pkgs.shadow;
 };
+ systemd.services.google-startup-scripts.wantedBy = [ "multi-user.target" ];
+ systemd.services.google-shutdown-scripts.wantedBy = [ "multi-user.target" ];

- systemd.services.google-instance-setup = {
- description = "Google Compute Engine Instance Setup";
- after = [ "network-online.target" "network.target" "rsyslog.service" ];
- before = [ "sshd.service" ];
- path = with pkgs; [ coreutils ethtool openssh ];
- serviceConfig = {
- ExecStart = "${gce}/bin/google_instance_setup";
- StandardOutput="journal+console";
- Type = "oneshot";
- };
- wantedBy = [ "sshd.service" "multi-user.target" ];
- };
+ security.sudo.extraRules = mkIf config.users.mutableUsers [
+ { groups = [ "google-sudoers" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+ ];

- systemd.services.google-network-daemon = {
- description = "Google Compute Engine Network Daemon";
- after = [ "network-online.target" "network.target" "google-instance-setup.service" ];
- path = with pkgs; [ iproute2 ];
- serviceConfig = {
- ExecStart = "${gce}/bin/google_network_daemon";
- StandardOutput="journal+console";
- Type="simple";
- };
- wantedBy = [ "multi-user.target" ];
- };
+ users.groups.google-sudoers = mkIf config.users.mutableUsers { };

- systemd.services.google-clock-skew-daemon = {
- description = "Google Compute Engine Clock Skew Daemon";
- after = [ "network.target" "google-instance-setup.service" "google-network-daemon.service" ];
- serviceConfig = {
- ExecStart = "${gce}/bin/google_clock_skew_daemon";
- StandardOutput="journal+console";
- Type = "simple";
- };
- wantedBy = ["multi-user.target"];
- };
+ boot.extraModprobeConfig = lib.readFile "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf";
+ environment.etc."sysctl.d/60-gce-network-security.conf".source = "${pkgs.google-guest-configs}/etc/sysctl.d/60-gce-network-security.conf";

- systemd.services.google-shutdown-scripts = {
- description = "Google Compute Engine Shutdown Scripts";
- after = [
- "network-online.target"
- "network.target"
- "rsyslog.service"
- "google-instance-setup.service"
- "google-network-daemon.service"
- ];
- serviceConfig = {
- ExecStart = "${pkgs.coreutils}/bin/true";
- ExecStop = "${gce}/bin/google_metadata_script_runner --script-type shutdown";
- RemainAfterExit = true;
- StandardOutput="journal+console";
- TimeoutStopSec = "0";
- Type = "oneshot";
- };
- wantedBy = [ "multi-user.target" ];
- };
+ environment.etc."default/instance_configs.cfg".text = ''
+ [Accounts]
+ useradd_cmd = useradd -m -s /run/current-system/sw/bin/bash -p * {user}

- systemd.services.google-startup-scripts = {
- description = "Google Compute Engine Startup Scripts";
- after = [
- "network-online.target"
- "network.target"
- "rsyslog.service"
- "google-instance-setup.service"
- "google-network-daemon.service"
- ];
- serviceConfig = {
- ExecStart = "${gce}/bin/google_metadata_script_runner --script-type startup";
- KillMode = "process";
- StandardOutput = "journal+console";
- Type = "oneshot";
- };
- wantedBy = [ "multi-user.target" ];
- };
+ [Daemons]
+ accounts_daemon = ${boolToString config.users.mutableUsers}

- environment.etc."sysctl.d/11-gce-network-security.conf".source = "${gce}/sysctl.d/11-gce-network-security.conf";
+ [InstanceSetup]
+ # Make sure GCE image does not replace host key that NixOps sets.
+ set_host_keys = false
+
+ [MetadataScripts]
+ default_shell = ${pkgs.stdenv.shell}
+
+ [NetworkInterfaces]
+ dhclient_script = ${pkgs.google-guest-configs}/bin/google-dhclient-script
+ # We set up network interfaces declaratively.
+ setup = false
+ '';

 }
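Review bot: The `security.sudo.extraRules` entry grants `ALL` with `NOPASSWD` to the `google-sudoers` group, but nothing in the hunk records who ends up in that group; presumably the guest agent's accounts daemon (enabled via `accounts_daemon = ${boolToString config.users.mutableUsers}`) populates it from instance/project metadata, which means anyone who can edit that metadata gets root on the VM, so a comment such as `# Membership is managed by the guest agent from instance metadata; members get full passwordless root.` belongs above the rule. The new `environment.etc."default/instance_configs.cfg".text` definition drops the `lib.mkDefault` that the removed definition in hunk `@@ -48,12 +46,6 @@` had, so a configuration that already overrides this file now fails with a conflicting-definition error instead of winning; `environment.etc."default/instance_configs.cfg".text = mkDefault ''` keeps the old override behaviour. `lib.readFile "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf"` reads a store path at evaluation time, which forces google-guest-configs to be built before evaluation can finish; `environment.etc."modprobe.d/gce-blacklist.conf".source = "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf";` should defer that to build time, matching how the sysctl file on the next line is handled. The `-p *` in `useradd_cmd` also deserves a one-line comment, since `*` is a locked password hash and the intent that these accounts never get password login is not obvious from the line itself.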