Diffstat (limited to 'nixpkgs/nixos/modules/virtualisation/google-compute-config.nix')
-rw-r--r-- | nixpkgs/nixos/modules/virtualisation/google-compute-config.nix | 148 |
1 files changed, 148 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/virtualisation/google-compute-config.nix b/nixpkgs/nixos/modules/virtualisation/google-compute-config.nix
new file mode 100644
index 00000000000..327324f2921
--- /dev/null
+++ b/nixpkgs/nixos/modules/virtualisation/google-compute-config.nix
@@ -0,0 +1,148 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+ gce = pkgs.google-compute-engine;
+in
+{
+ imports = [
+ ../profiles/headless.nix
+ ../profiles/qemu-guest.nix
+ ];
+
+
+ fileSystems."/" = {
+ fsType = "ext4";
+ device = "/dev/disk/by-label/nixos";
+ autoResize = true;
+ };
+
+ boot.growPartition = true;
+ boot.kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
+ boot.initrd.kernelModules = [ "virtio_scsi" ];
+ boot.kernelModules = [ "virtio_pci" "virtio_net" ];
+
+ # Generate a GRUB menu.
+ boot.loader.grub.device = "/dev/sda";
+ boot.loader.timeout = 0;
+
+ # Don't put old configurations in the GRUB menu. The user has no
+ # way to select them anyway.
+ boot.loader.grub.configurationLimit = 0;
+
+ # Allow root logins only using SSH keys
+ # and disable password authentication in general
+ services.openssh.enable = true;
+ services.openssh.permitRootLogin = "prohibit-password";
+ services.openssh.passwordAuthentication = mkDefault false;
+
+ # enable OS Login. This also requires setting enable-oslogin=TRUE metadata on
+ # instance or project level
+ security.googleOsLogin.enable = true;
+
+ # Use GCE udev rules for dynamic disk volumes
+ services.udev.packages = [ gce ];
+
+ # Force getting the hostname from Google Compute.
+ networking.hostName = mkDefault "";
+
+ # Always include cryptsetup so that NixOps can use it.
+ environment.systemPackages = [ pkgs.cryptsetup ];
+
+ # Make sure GCE image does not replace host key that NixOps sets
+ environment.etc."default/instance_configs.cfg".text = lib.mkDefault ''
+ [InstanceSetup]
+ set_host_keys = false
+ '';
+
+ # Rely on GCP's firewall instead
+ networking.firewall.enable = mkDefault false;
+
+ # Configure default metadata hostnames
+ networking.extraHosts = ''
+ 169.254.169.254 metadata.google.internal metadata
+ '';
+
+ networking.timeServers = [ "metadata.google.internal" ];
+
+ networking.usePredictableInterfaceNames = false;
+
+ # GC has 1460 MTU
+ networking.interfaces.eth0.mtu = 1460;
+
+ systemd.services.google-instance-setup = {
+ description = "Google Compute Engine Instance Setup";
+ after = [ "network-online.target" "network.target" "rsyslog.service" ];
+ before = [ "sshd.service" ];
+ path = with pkgs; [ coreutils ethtool openssh ];
+ serviceConfig = {
+ ExecStart = "${gce}/bin/google_instance_setup";
+ StandardOutput="journal+console";
+ Type = "oneshot";
+ };
+ wantedBy = [ "sshd.service" "multi-user.target" ];
+ };
+
+ systemd.services.google-network-daemon = {
+ description = "Google Compute Engine Network Daemon";
+ after = [ "network-online.target" "network.target" "google-instance-setup.service" ];
+ path = with pkgs; [ iproute ];
+ serviceConfig = {
+ ExecStart = "${gce}/bin/google_network_daemon";
+ StandardOutput="journal+console";
+ Type="simple";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ systemd.services.google-clock-skew-daemon = {
+ description = "Google Compute Engine Clock Skew Daemon";
+ after = [ "network.target" "google-instance-setup.service" "google-network-daemon.service" ];
+ serviceConfig = {
+ ExecStart = "${gce}/bin/google_clock_skew_daemon";
+ StandardOutput="journal+console";
+ Type = "simple";
+ };
+ wantedBy = ["multi-user.target"];
+ };
+
+
+ systemd.services.google-shutdown-scripts = {
+ description = "Google Compute Engine Shutdown Scripts";
+ after = [
+ "network-online.target"
+ "network.target"
+ "rsyslog.service"
+ "google-instance-setup.service"
+ "google-network-daemon.service"
+ ];
+ serviceConfig = {
+ ExecStart = "${pkgs.coreutils}/bin/true";
+ ExecStop = "${gce}/bin/google_metadata_script_runner --script-type shutdown";
+ RemainAfterExit = true;
+ StandardOutput="journal+console";
+ TimeoutStopSec = "0";
+ Type = "oneshot";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ systemd.services.google-startup-scripts = {
+ description = "Google Compute Engine Startup Scripts";
+ after = [
+ "network-online.target"
+ "network.target"
+ "rsyslog.service"
+ "google-instance-setup.service"
+ "google-network-daemon.service"
+ ];
+ serviceConfig = {
+ ExecStart = "${gce}/bin/google_metadata_script_runner --script-type startup";
+ KillMode = "process";
+ StandardOutput = "journal+console";
+ Type = "oneshot";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ environment.etc."sysctl.d/11-gce-network-security.conf".source = "${gce}/sysctl.d/11-gce-network-security.conf";
+} |