author | Alyssa Ross <hi@alyssa.is> | 2023-09-27 18:40:33 +0000 |
committer | Alyssa Ross <hi@alyssa.is> | 2023-09-27 18:40:41 +0000 |
commit | 030c5028b07afcedce7c5956015c629486cc79d9 (patch) | |
tree | 4c3cb9c6cff0e30919a97fc0c1d3203446696f4e /nixos/modules/virtualisation | |
parent | 4b852f7ef3cb92277f212ba7dc168da1073e65cc (diff) | |
parent | 04c0744afbab2369baf4f134c544db3f24164d80 (diff) | |
Rebase onto c1a53897ad4290a1cbfa02fbe6f3869577b93744
Signed-off-by: Alyssa Ross <hi@alyssa.is>
Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r-- | nixos/modules/virtualisation/google-compute-config.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/oci-common.nix | 60 | ||||
-rw-r--r-- | nixos/modules/virtualisation/oci-config-user.nix | 12 | ||||
-rw-r--r-- | nixos/modules/virtualisation/oci-image.nix | 50 | ||||
-rw-r--r-- | nixos/modules/virtualisation/oci-options.nix | 14 |
5 files changed, 137 insertions, 1 deletions
diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix
index cf94ce0faf3..3c503f027d7 100644
--- a/nixos/modules/virtualisation/google-compute-config.nix
+++ b/nixos/modules/virtualisation/google-compute-config.nix
@@ -39,7 +39,7 @@ in
 # Allow root logins only using SSH keys
 # and disable password authentication in general
 services.openssh.enable = true;
- services.openssh.settings.PermitRootLogin = "prohibit-password";
+ services.openssh.settings.PermitRootLogin = mkDefault "prohibit-password";
 services.openssh.settings.PasswordAuthentication = mkDefault false;

 # enable OS Login. This also requires setting enable-oslogin=TRUE metadata on
diff --git a/nixos/modules/virtualisation/oci-common.nix b/nixos/modules/virtualisation/oci-common.nix
new file mode 100644
index 00000000000..ac9405e3ecf
--- /dev/null
+++ b/nixos/modules/virtualisation/oci-common.nix 
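Review bot: Lowering `PermitRootLogin` to `mkDefault` means any other module or user configuration that sets the option plainly now wins silently, whereas the previous unconditional definition would have raised a conflicting-definition error on an attempt to set, say, `"yes"`; the hardening becomes a default rather than a guarantee. That is presumably the intent (the neighbouring `PasswordAuthentication` line already uses `mkDefault`), but the comment two lines above, `# Allow root logins only using SSH keys`, no longer states the contract accurately. Suggest `# By default, allow root logins only using SSH keys (overridable with a plain definition)` so a reader does not take the comment as a promise. The enclosing attribute set starts and ends outside this hunk.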
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.oci;
+in
+{
+ imports = [ ../profiles/qemu-guest.nix ];
+
+ # Taken from /proc/cmdline of Ubuntu 20.04.2 LTS on OCI
+ boot.kernelParams = [
+ "nvme.shutdown_timeout=10"
+ "nvme_core.shutdown_timeout=10"
+ "libiscsi.debug_libiscsi_eh=1"
+ "crash_kexec_post_notifiers"
+
+ # VNC console
+ "console=tty1"
+
+ # x86_64-linux
+ "console=ttyS0"
+
+ # aarch64-linux
+ "console=ttyAMA0,115200"
+ ];
+
+ boot.growPartition = true;
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ autoResize = true;
+ };
+
+ fileSystems."/boot" = lib.mkIf cfg.efi {
+ device = "/dev/disk/by-label/ESP";
+ fsType = "vfat";
+ };
+
+ boot.loader.efi.canTouchEfiVariables = false;
+ boot.loader.grub = {
+ device = if cfg.efi then "nodev" else "/dev/sda";
+ splashImage = null;
+ extraConfig = ''
+ serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
+ terminal_input --append serial
+ terminal_output --append serial
+ '';
+ efiInstallAsRemovable = cfg.efi;
+ efiSupport = cfg.efi;
+ };
+
+ # https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/configuringntpservice.htm#Configuring_the_Oracle_Cloud_Infrastructure_NTP_Service_for_an_Instance
+ networking.timeServers = [ "169.254.169.254" ];
+
+ services.openssh.enable = true;
+
+ # Otherwise the instance may not have a working network-online.target,
+ # making the fetch-ssh-keys.service fail
+ networking.useNetworkd = true;
+}
diff --git a/nixos/modules/virtualisation/oci-config-user.nix b/nixos/modules/virtualisation/oci-config-user.nix
new file mode 100644
index 00000000000..70c0b34efe7
--- /dev/null
+++ b/nixos/modules/virtualisation/oci-config-user.nix 
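Review bot: `services.openssh.enable = true;` near the end of the hunk turns on sshd without the `PermitRootLogin` / `PasswordAuthentication` settings that the GCE module touched in this same commit sets, even though the only login path this image appears to provision is root's authorized_keys fetched from the metadata service. Unless relying on the NixOS defaults is deliberate, state the policy explicitly and overridably, mirroring google-compute-config.nix: `services.openssh.settings.PermitRootLogin = lib.mkDefault "prohibit-password";` and `services.openssh.settings.PasswordAuthentication = lib.mkDefault false;`. A short comment alongside (`# Only key-based root login; keys come from fetch-ssh-keys.service`) would also explain why root login is needed at all. Relatedly, the kernel parameters are documented as copied from an Ubuntu instance; a note on which of them (e.g. `libiscsi.debug_libiscsi_eh=1`) are actually required for NixOS on OCI would help the next person who trims them.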
@@ -0,0 +1,12 @@
+{ modulesPath, ... }:
+
+{
+ # To build the configuration or use nix-env, you need to run
+ # either nixos-rebuild --upgrade or nix-channel --update
+ # to fetch the nixos channel.
+
+ # This configures everything but bootstrap services,
+ # which only need to be run once and have already finished
+ # if you are able to see this comment.
+ imports = [ "${modulesPath}/virtualisation/oci-common.nix" ];
+}
diff --git a/nixos/modules/virtualisation/oci-image.nix b/nixos/modules/virtualisation/oci-image.nix
new file mode 100644
index 00000000000..d4af5016dd7
--- /dev/null
+++ b/nixos/modules/virtualisation/oci-image.nix
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.oci;
+in
+{
+ imports = [ ./oci-common.nix ];
+
+ config = {
+ system.build.OCIImage = import ../../lib/make-disk-image.nix {
+ inherit config lib pkgs;
+ name = "oci-image";
+ configFile = ./oci-config-user.nix;
+ format = "qcow2";
+ diskSize = 8192;
+ partitionTableType = if cfg.efi then "efi" else "legacy";
+ };
+
+ systemd.services.fetch-ssh-keys = {
+ description = "Fetch authorized_keys for root user";
+
+ wantedBy = [ "sshd.service" ];
+ before = [ "sshd.service" ];
+
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+
+ path = [ pkgs.coreutils pkgs.curl ];
+ script = ''
+ mkdir -m 0700 -p /root/.ssh
+ if [ -f /root/.ssh/authorized_keys ]; then
+ echo "Authorized keys have already been downloaded"
+ else
+ echo "Downloading authorized keys from Instance Metadata Service v2"
+ curl -s -S -L \
+ -H "Authorization: Bearer Oracle" \
+ -o /root/.ssh/authorized_keys \
+ http://169.254.169.254/opc/v2/instance/metadata/ssh_authorized_keys
+ chmod 600 /root/.ssh/authorized_keys
+ fi
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ StandardError = "journal+console";
+ StandardOutput = "journal+console";
+ };
+ };
+ };
+} 
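Review bot: The `curl` invocation in the fetch-ssh-keys script runs without `--fail`, so a non-2xx response (for instance a 404 when no key is attached to the instance, or a transient 5xx) is written verbatim into /root/.ssh/authorized_keys with exit status 0; on every later boot the `-f /root/.ssh/authorized_keys` check then reports "already been downloaded" and the bad file is never replaced, leaving root permanently unreachable by key. Writing to a temporary file and moving it into place only after a successful fetch also avoids a truncated authorized_keys if the download is interrupted, and a few retries cover the metadata service not being reachable the instant network-online.target is reached. `-L` can probably be dropped as well: the metadata endpoint is not expected to redirect, and following one would send the request (with its `Authorization` header) to whatever host the redirect names. The rewritten part of the script is below; the surrounding service definition is unchanged.
```nix
      script = ''
        # … unchanged: mkdir -m 0700 -p and the "already been downloaded" branch …
          echo "Downloading authorized keys from Instance Metadata Service v2"
          # Fetch into a temp file and only move it into place on success:
          # without --fail an error body would be saved as authorized_keys and
          # the existence check above would then never retry on later boots.
          tmp=$(mktemp)
          curl -sS --fail --retry 5 --retry-connrefused \
            -H "Authorization: Bearer Oracle" \
            -o "$tmp" \
            http://169.254.169.254/opc/v2/instance/metadata/ssh_authorized_keys
          chmod 600 "$tmp"
          mv -f "$tmp" /root/.ssh/authorized_keys
        fi
      '';
```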
diff --git a/nixos/modules/virtualisation/oci-options.nix b/nixos/modules/virtualisation/oci-options.nix
new file mode 100644
index 00000000000..0dfedc6a530
--- /dev/null
+++ b/nixos/modules/virtualisation/oci-options.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+{
+ options = {
+ oci = {
+ efi = lib.mkOption {
+ default = true;
+ internal = true;
+ description = ''
+ Whether the OCI instance is using EFI.
+ '';
+ };
+ };
+ };
+} |
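Review bot: The `oci.efi` option declared in this hunk has no `type`, so the module system accepts any value for it, and the places that consume it (`lib.mkIf cfg.efi`, `if cfg.efi then … else …` in the sibling files) would fail at evaluation time with an unhelpful error if a user passed, say, a string. Add `type = lib.types.bool;` next to `default = true;` so a wrong value is rejected at the option, with a clear message, rather than deep inside the consumers. The description could also say what the value controls, e.g. `Whether the OCI image is built for EFI boot (ESP partition, GRUB "nodev") rather than legacy BIOS boot (GRUB on /dev/sda).`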