author | zimbatm <zimbatm@zimbatm.com> | 2017-07-19 09:49:20 +0100 |
committer | GitHub <noreply@github.com> | 2017-07-19 09:49:20 +0100 |
commit | 14f53e5251b2cd91b69dcca2fbb11324b236e383 (patch) | |
tree | 2794a4b00e6ff4e1c4a740ff7302bd23e49efb9a /nixos/modules | |
parent | 1fef42dde9281810b2627158f18289f2ce528087 (diff) | |
parent | c93d68b6ed7704ecd93b7a734ab025d990a9b5b2 (diff) | |
Merge pull request #26214 from zimbatm/google-compute-image
Google compute image
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/virtualisation/google-compute-image.nix | 149 |
1 files changed, 144 insertions, 5 deletions
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 3943a62f8a4..4a8dadaa281 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -3,13 +3,11 @@ with lib;
 let
   diskSize = 1024; # MB
+  gce = pkgs.google-compute-engine;
 in
 {
   imports = [ ../profiles/headless.nix ../profiles/qemu-guest.nix ./grow-partition.nix ];
-  # https://cloud.google.com/compute/docs/tutorials/building-images
-  networking.firewall.enable = mkDefault false;
-
   system.build.googleComputeImage = import ../../lib/make-disk-image.nix {
     name = "google-compute-image";
     postVM = ''
@@ -49,12 +47,18 @@ in
   services.openssh.permitRootLogin = "prohibit-password";
   services.openssh.passwordAuthentication = mkDefault false;
+  # Use GCE udev rules for dynamic disk volumes
+  services.udev.packages = [ gce ];
+
   # Force getting the hostname from Google Compute.
   networking.hostName = mkDefault "";
   # Always include cryptsetup so that NixOps can use it.
   environment.systemPackages = [ pkgs.cryptsetup ];
+  # Rely on GCP's firewall instead
+  networking.firewall.enable = mkDefault false;
+
   # Configure default metadata hostnames
   networking.extraHosts = ''
     169.254.169.254 metadata.google.internal metadata
@@ -64,6 +68,132 @@ in
   networking.usePredictableInterfaceNames = false;
+  # allow the google-accounts-daemon to manage users
+  users.mutableUsers = true;
+  # and allow users to sudo without password
+  security.sudo.enable = true;
+  security.sudo.extraConfig = ''
+    %google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL
+  '';
+
+  # NOTE: google-accounts tries to write to /etc/sudoers.d but the folder doesn't exist
+  # FIXME: not such file or directory on dynamic SSH provisioning
+  systemd.services.google-accounts-daemon = {
+    description = "Google Compute Engine Accounts Daemon";
+    # This daemon creates dynamic users
+    enable = config.users.mutableUsers;
+    after = [
+      "network.target"
+      "google-instance-setup.service"
+      "google-network-setup.service"
+    ];
+    wantedBy = [ "multi-user.target" ];
+    requires = ["network.target"];
+    path = with pkgs; [ shadow ];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${gce}/bin/google_accounts_daemon --debug";
+    };
+  };
+
+  systemd.services.google-clock-skew-daemon = {
+    description = "Google Compute Engine Clock Skew Daemon";
+    after = [
+      "network.target"
+      "google-instance-setup.service"
+      "google-network-setup.service"
+    ];
+    requires = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${gce}/bin/google_clock_skew_daemon --debug";
+    };
+  };
+
+  systemd.services.google-instance-setup = {
+    description = "Google Compute Engine Instance Setup";
+    after = ["fs.target" "network-online.target" "network.target" "rsyslog.service"];
+    before = ["sshd.service"];
+    wants = ["local-fs.target" "network-online.target" "network.target"];
+    wantedBy = [ "sshd.service" "multi-user.target" ];
+    path = with pkgs; [ ethtool ];
+    serviceConfig = {
+      ExecStart = "${gce}/bin/google_instance_setup --debug";
+      Type = "oneshot";
+    };
+  };
+
+  systemd.services.google-ip-forwarding-daemon = {
+    description = "Google Compute Engine IP Forwarding Daemon";
+    after = ["network.target" "google-instance-setup.service" "google-network-setup.service"];
+    requires = ["network.target"];
+    wantedBy = [ "multi-user.target" ];
+    path = with pkgs; [ iproute ];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${gce}/bin/google_ip_forwarding_daemon --debug";
+    };
+  };
+
+  systemd.services.google-shutdown-scripts = {
+    description = "Google Compute Engine Shutdown Scripts";
+    after = [
+      "local-fs.target"
+      "network-online.target"
+      "network.target"
+      "rsyslog.service"
+      "google-instance-setup.service"
+      "google-network-setup.service"
+    ];
+    wants = [ "local-fs.target" "network-online.target" "network.target"];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.coreutils}/bin/true";
+      ExecStop = "${gce}/bin/google_metadata_script_runner --debug --script-type shutdown";
+      Type = "oneshot";
+      RemainAfterExit = true;
+      TimeoutStopSec = 0;
+    };
+  };
+
+  systemd.services.google-network-setup = {
+    description = "Google Compute Engine Network Setup";
+    after = [
+      "local-fs.target"
+      "network-online.target"
+      "network.target"
+      "rsyslog.service"
+    ];
+    wants = [ "local-fs.target" "network-online.target" "network.target"];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${gce}/bin/google_network_setup --debug";
+      KillMode = "process";
+      Type = "oneshot";
+    };
+  };
+
+  systemd.services.google-startup-scripts = {
+    description = "Google Compute Engine Startup Scripts";
+    after = [
+      "local-fs.target"
+      "network-online.target"
+      "network.target"
+      "rsyslog.service"
+      "google-instance-setup.service"
+      "google-network-setup.service"
+    ];
+    wants = [ "local-fs.target" "network-online.target" "network.target"];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${gce}/bin/google_metadata_script_runner --debug --script-type startup";
+      KillMode = "process";
+      Type = "oneshot";
+    };
+  };
+
+  # TODO: remove this
   systemd.services.fetch-ssh-keys = {
     description = "Fetch host keys and authorized_keys for root user";
@@ -113,9 +243,13 @@ in
     serviceConfig.StandardOutput = "journal+console";
   };
-  # Setings taken from https://cloud.google.com/compute/docs/tutorials/building-images#providedkernel
+  # Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf
   boot.kernel.sysctl = {
-    # enables syn flood protection
+    # Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
+    # of TCP functionality/features under normal conditions. When flood
+    # protections kick in under high unanswered-SYN load, the system
+    # should remain more stable, with a trade off of some loss of TCP
+    # functionality/features (e.g. TCP Window scaling).
     "net.ipv4.tcp_syncookies" = mkDefault "1";
     # ignores source-routed packets
@@ -169,6 +303,11 @@ in
     # randomizes addresses of mmap base, heap, stack and VDSO page
     "kernel.randomize_va_space" = mkDefault "2";
+    # Reboot the machine soon after a kernel panic.
+    "kernel.panic" = mkDefault "10";
+
+    ## Not part of the original config
+
     # provides protection from ToCToU races
     "fs.protected_hardlinks" = mkDefault "1";
|
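Review bot: The `# Rely on GCP's firewall instead` comment above `networking.firewall.enable = mkDefault false;` in the second hunk should say what an operator now has to do, since every packet-filtering decision for the guest moves to the VPC firewall rules attached to the instance. Suggest `# Host firewall is off by default: filtering is delegated to the VPC firewall rules on the instance; set networking.firewall.enable = true to keep host-level filtering as well.` The `mkDefault` already makes the override possible, which is worth stating so the option is discoverable from the module itself.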
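Review bot: The comment `# and allow users to sudo without password` above `security.sudo.extraConfig` in the third hunk understates the scope of the rule: `%google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL` grants passwordless root to every member of the `google-sudoers` group, and membership of that group is managed by the `google-accounts-daemon` declared below from instance metadata rather than by anything in this module. Suggest `# Members of google-sudoers (managed by google-accounts-daemon from instance metadata) get passwordless sudo; the daemon cannot install its own drop-in because /etc/sudoers.d does not exist here, see the NOTE/FIXME below.` which also ties the inlined rule to the NOTE and FIXME that explain why it exists. Separately, nearly every `ExecStart`/`ExecStop` hard-codes `--debug`, which is a style point worth a one-line comment or a single `debugFlag` binding so it can be dropped in one place once the integration is stable. The `# TODO: remove this` above `systemd.services.fetch-ssh-keys` would be more useful if it said what replaces the service (presumably key provisioning by the accounts daemon, which I cannot confirm from the hunk) and what must be verified before removal.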
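Review bot: The new `# Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf` comment in the fourth hunk points at a moving branch, so the claim that the sysctl values below mirror that file cannot be checked later; pin the link to a commit (`.../blob/<commit-id>/google_config/sysctl/11-gce-network-security.conf`) so the provenance stays verifiable. The `## Not part of the original config` heading in the last hunk relies on the same reference; suggest `## Below: not part of the upstream 11-gce-network-security.conf settings referenced above` so a reader does not have to guess which "original" is meant. Neither change affects the sysctl values themselves.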