{ config, lib, pkgs, ... }:

# NixOS profile for Google Compute Engine guests: virtio boot, the GCE guest
# agent and OS Login, key-only SSH, and GCP-side firewalling by default.
{
  imports = [
    ../profiles/headless.nix
    ../profiles/qemu-guest.nix
  ];

  fileSystems."/" = {
    fsType = "ext4";
    device = "/dev/disk/by-label/nixos";
    # Grow the root filesystem into whatever disk size the instance was given.
    autoResize = true;
  };

  boot = {
    growPartition = true;
    # Serial console feeds the GCE console log; panic=1 makes the kernel
    # reboot instead of hanging on a panic.
    kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
    initrd.kernelModules = [ "virtio_scsi" ];
    kernelModules = [ "virtio_pci" "virtio_net" ];

    loader = {
      # A GRUB menu is generated, but never waited on.
      timeout = 0;
      grub = {
        device = "/dev/sda";
        # The user has no way to reach the GRUB menu on GCE, so older
        # generations would only clutter it.
        configurationLimit = 0;
      };
    };

    # Module blacklist shipped with the GCE guest configuration package.
    extraModprobeConfig =
      lib.readFile "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf";
  };

  services = {
    openssh = {
      enable = true;
      settings = {
        # Root may authenticate with a key only.
        PermitRootLogin = "prohibit-password";
        # Password logins are off by default; mkDefault leaves the final
        # decision to the deploying configuration.
        PasswordAuthentication = lib.mkDefault false;
      };
    };

    # GCE udev rules so dynamically attached disks show up correctly.
    udev = {
      packages = [ pkgs.google-guest-configs ];
      path = [ pkgs.google-guest-configs ];
    };
  };

  # OS Login; the instance or project must additionally carry the
  # enable-oslogin=TRUE metadata entry.
  security.googleOsLogin.enable = true;

  # Members of google-sudoers get passwordless sudo, but the rule and the
  # group only exist when the guest agent is allowed to manage local users
  # (users.mutableUsers).
  security.sudo.extraRules = lib.mkIf config.users.mutableUsers [
    {
      groups = [ "google-sudoers" ];
      commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
    }
  ];
  users.groups.google-sudoers = lib.mkIf config.users.mutableUsers { };

  networking = {
    # An empty hostname lets the guest agent take it from Compute metadata.
    hostName = lib.mkDefault "";

    # Host firewall is off by default; GCP VPC firewall rules are expected
    # to filter traffic instead. Deployments can re-enable it.
    firewall.enable = lib.mkDefault false;

    # Pin the metadata server name to its link-local address so resolving it
    # never depends on DNS.
    extraHosts = ''
      169.254.169.254 metadata.google.internal metadata
    '';
    timeServers = [ "metadata.google.internal" ];

    usePredictableInterfaceNames = false;
    # MTU used on the GCE network.
    interfaces.eth0.mtu = 1460;
  };

  # Always include cryptsetup so that NixOps can use it.
  environment.systemPackages = [ pkgs.cryptsetup ];

  systemd = {
    packages = [ pkgs.google-guest-agent ];
    services = {
      google-guest-agent = {
        wantedBy = [ "multi-user.target" ];
        # Restart the agent whenever its instance_configs.cfg changes.
        restartTriggers = [ config.environment.etc."default/instance_configs.cfg".source ];
        # useradd (from shadow) is only needed when the agent manages users.
        path = lib.optional config.users.mutableUsers pkgs.shadow;
      };
      google-startup-scripts.wantedBy = [ "multi-user.target" ];
      google-shutdown-scripts.wantedBy = [ "multi-user.target" ];
    };
  };

  environment.etc = {
    "sysctl.d/60-gce-network-security.conf".source =
      "${pkgs.google-guest-configs}/etc/sysctl.d/60-gce-network-security.conf";

    # Guest agent configuration. Accounts created by the agent get "*" as
    # their password field, i.e. no usable password: they can only log in
    # with the SSH keys the agent installs. The accounts daemon is only
    # enabled when local users are mutable.
    "default/instance_configs.cfg".text = ''
      [Accounts]
      useradd_cmd = useradd -m -s /run/current-system/sw/bin/bash -p * {user}

      [Daemons]
      accounts_daemon = ${lib.boolToString config.users.mutableUsers}

      [InstanceSetup]
      # Make sure GCE image does not replace host key that NixOps sets.
      set_host_keys = false

      [MetadataScripts]
      default_shell = ${pkgs.stdenv.shell}

      [NetworkInterfaces]
      dhclient_script = ${pkgs.google-guest-configs}/bin/google-dhclient-script
      # We set up network interfaces declaratively.
      setup = false
    '';
  };
}