pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / virtualisation / google-compute-image.nix
at 16.09-beta 9.9 kB view raw
1{ config, lib, pkgs, ... }: 2 3with lib; 4let 5 diskSize = "100G"; 6in 7{ 8 imports = [ ../profiles/headless.nix ../profiles/qemu-guest.nix ]; 9 10 # https://cloud.google.com/compute/docs/tutorials/building-images 11 networking.firewall.enable = mkDefault false; 12 13 system.build.googleComputeImage = 14 pkgs.vmTools.runInLinuxVM ( 15 pkgs.runCommand "google-compute-image" 16 { preVM = 17 '' 18 mkdir $out 19 diskImage=$out/$diskImageBase 20 truncate $diskImage --size ${diskSize} 21 mv closure xchg/ 22 ''; 23 24 postVM = 25 '' 26 PATH=$PATH:${stdenv.lib.makeBinPath [ pkgs.gnutar pkgs.gzip ]} 27 pushd $out 28 mv $diskImageBase disk.raw 29 tar -Szcf $diskImageBase.tar.gz disk.raw 30 rm $out/disk.raw 31 popd 32 ''; 33 diskImageBase = "nixos-image-${config.system.nixosLabel}-${pkgs.stdenv.system}.raw"; 34 buildInputs = [ pkgs.utillinux pkgs.perl ]; 35 exportReferencesGraph = 36 [ "closure" config.system.build.toplevel ]; 37 } 38 '' 39 # Create partition table 40 ${pkgs.parted}/sbin/parted /dev/vda mklabel msdos 41 ${pkgs.parted}/sbin/parted /dev/vda mkpart primary ext4 1 ${diskSize} 42 ${pkgs.parted}/sbin/parted /dev/vda print 43 . /sys/class/block/vda1/uevent 44 mknod /dev/vda1 b $MAJOR $MINOR 45 46 # Create an empty filesystem and mount it. 47 ${pkgs.e2fsprogs}/sbin/mkfs.ext4 -L nixos /dev/vda1 48 ${pkgs.e2fsprogs}/sbin/tune2fs -c 0 -i 0 /dev/vda1 49 50 mkdir /mnt 51 mount /dev/vda1 /mnt 52 53 # The initrd expects these directories to exist. 54 mkdir /mnt/dev /mnt/proc /mnt/sys 55 56 mount --bind /proc /mnt/proc 57 mount --bind /dev /mnt/dev 58 mount --bind /sys /mnt/sys 59 60 # Copy all paths in the closure to the filesystem. 61 storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure) 62 63 mkdir -p /mnt/nix/store 64 echo "copying everything (will take a while)..." 65 cp -prd $storePaths /mnt/nix/store/ 66 67 # Register the paths in the Nix database. 68 printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ 69 chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group "" 70 71 # Create the system profile to allow nixos-rebuild to work. 72 chroot /mnt ${config.nix.package.out}/bin/nix-env \ 73 -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \ 74 --option build-users-group "" 75 76 # `nixos-rebuild' requires an /etc/NIXOS. 77 mkdir -p /mnt/etc 78 touch /mnt/etc/NIXOS 79 80 # `switch-to-configuration' requires a /bin/sh 81 mkdir -p /mnt/bin 82 ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh 83 84 # Install a configuration.nix. 85 mkdir -p /mnt/etc/nixos /mnt/boot/grub 86 cp ${./google-compute-config.nix} /mnt/etc/nixos/configuration.nix 87 88 # Generate the GRUB menu. 89 ln -s vda /dev/sda 90 chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot 91 92 umount /mnt/proc /mnt/dev /mnt/sys 93 umount /mnt 94 '' 95 ); 96 97 fileSystems."/".label = "nixos"; 98 99 boot.kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ]; 100 boot.initrd.kernelModules = [ "virtio_scsi" ]; 101 boot.kernelModules = [ "virtio_pci" "virtio_net" ]; 102 103 # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd. 104 boot.loader.grub.device = "/dev/sda"; 105 boot.loader.timeout = 0; 106 107 # Don't put old configurations in the GRUB menu. The user has no 108 # way to select them anyway. 109 boot.loader.grub.configurationLimit = 0; 110 111 # Allow root logins only using the SSH key that the user specified 112 # at instance creation time. 113 services.openssh.enable = true; 114 services.openssh.permitRootLogin = "without-password"; 115 services.openssh.passwordAuthentication = mkDefault false; 116 117 # Force getting the hostname from Google Compute. 118 networking.hostName = mkDefault ""; 119 120 # Always include cryptsetup so that NixOps can use it. 121 environment.systemPackages = [ pkgs.cryptsetup ]; 122 123 # Configure default metadata hostnames 124 networking.extraHosts = '' 125 169.254.169.254 metadata.google.internal metadata 126 ''; 127 128 services.ntp.servers = [ "metadata.google.internal" ]; 129 130 networking.usePredictableInterfaceNames = false; 131 132 systemd.services.fetch-ssh-keys = 133 { description = "Fetch host keys and authorized_keys for root user"; 134 135 wantedBy = [ "sshd.service" ]; 136 before = [ "sshd.service" ]; 137 after = [ "network-online.target" "ip-up.target" ]; 138 wants = [ "network-online.target" "ip-up.target" ]; 139 140 script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google'"; 141 mktemp = "mktemp --tmpdir=/run"; in 142 '' 143 # When dealing with cryptographic keys, we want to keep things private. 144 umask 077 145 # Don't download the SSH key if it has already been downloaded 146 if ! [ -s /root/.ssh/authorized_keys ]; then 147 echo "obtaining SSH key..." 148 mkdir -m 0700 -p /root/.ssh 149 AUTH_KEYS=$(${mktemp}) 150 ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys 151 if [ -s $AUTH_KEYS ]; then 152 KEY_PUB=$(${mktemp}) 153 cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB 154 if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then 155 cat $KEY_PUB >> /root/.ssh/authorized_keys 156 echo "New key added to authorized_keys." 157 fi 158 chmod 600 /root/.ssh/authorized_keys 159 rm -f $KEY_PUB 160 else 161 echo "Downloading http://metadata.google.internal/0.1/meta-data/authorized-keys failed." 162 false 163 fi 164 rm -f $AUTH_KEYS 165 fi 166 167 countKeys=0 168 ${flip concatMapStrings config.services.openssh.hostKeys (k : 169 let kName = baseNameOf k.path; in '' 170 PRIV_KEY=$(${mktemp}) 171 echo "trying to obtain SSH private host key ${kName}" 172 ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && : 173 if [ $? -eq 0 -a -s $PRIV_KEY ]; then 174 countKeys=$((countKeys+1)) 175 mv -f $PRIV_KEY ${k.path} 176 echo "Downloaded ${k.path}" 177 chmod 600 ${k.path} 178 ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub 179 chmod 644 ${k.path}.pub 180 else 181 echo "Downloading http://metadata.google.internal/0.1/meta-data/attributes/${kName} failed." 182 fi 183 rm -f $PRIV_KEY 184 '' 185 )} 186 187 if [[ $countKeys -le 0 ]]; then 188 echo "failed to obtain any SSH private host keys." 189 false 190 fi 191 ''; 192 serviceConfig.Type = "oneshot"; 193 serviceConfig.RemainAfterExit = true; 194 serviceConfig.StandardError = "journal+console"; 195 serviceConfig.StandardOutput = "journal+console"; 196 }; 197 198 # Setings taken from https://cloud.google.com/compute/docs/tutorials/building-images#providedkernel 199 boot.kernel.sysctl = { 200 # enables syn flood protection 201 "net.ipv4.tcp_syncookies" = mkDefault "1"; 202 203 # ignores source-routed packets 204 "net.ipv4.conf.all.accept_source_route" = mkDefault "0"; 205 206 # ignores source-routed packets 207 "net.ipv4.conf.default.accept_source_route" = mkDefault "0"; 208 209 # ignores ICMP redirects 210 "net.ipv4.conf.all.accept_redirects" = mkDefault "0"; 211 212 # ignores ICMP redirects 213 "net.ipv4.conf.default.accept_redirects" = mkDefault "0"; 214 215 # ignores ICMP redirects from non-GW hosts 216 "net.ipv4.conf.all.secure_redirects" = mkDefault "1"; 217 218 # ignores ICMP redirects from non-GW hosts 219 "net.ipv4.conf.default.secure_redirects" = mkDefault "1"; 220 221 # don't allow traffic between networks or act as a router 222 "net.ipv4.ip_forward" = mkDefault "0"; 223 224 # don't allow traffic between networks or act as a router 225 "net.ipv4.conf.all.send_redirects" = mkDefault "0"; 226 227 # don't allow traffic between networks or act as a router 228 "net.ipv4.conf.default.send_redirects" = mkDefault "0"; 229 230 # reverse path filtering - IP spoofing protection 231 "net.ipv4.conf.all.rp_filter" = mkDefault "1"; 232 233 # reverse path filtering - IP spoofing protection 234 "net.ipv4.conf.default.rp_filter" = mkDefault "1"; 235 236 # ignores ICMP broadcasts to avoid participating in Smurf attacks 237 "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1"; 238 239 # ignores bad ICMP errors 240 "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1"; 241 242 # logs spoofed, source-routed, and redirect packets 243 "net.ipv4.conf.all.log_martians" = mkDefault "1"; 244 245 # log spoofed, source-routed, and redirect packets 246 "net.ipv4.conf.default.log_martians" = mkDefault "1"; 247 248 # implements RFC 1337 fix 249 "net.ipv4.tcp_rfc1337" = mkDefault "1"; 250 251 # randomizes addresses of mmap base, heap, stack and VDSO page 252 "kernel.randomize_va_space" = mkDefault "2"; 253 254 # provides protection from ToCToU races 255 "fs.protected_hardlinks" = mkDefault "1"; 256 257 # provides protection from ToCToU races 258 "fs.protected_symlinks" = mkDefault "1"; 259 260 # makes locating kernel addresses more difficult 261 "kernel.kptr_restrict" = mkDefault "1"; 262 263 # set ptrace protections 264 "kernel.yama.ptrace_scope" = mkDefault "1"; 265 266 # set perf only available to root 267 "kernel.perf_event_paranoid" = mkDefault "2"; 268 269 }; 270 271}