# NixOS image profile for Google Compute Engine guests.
#
# Builds on the headless and QEMU-guest profiles and adds the pieces GCE
# expects: the disk/boot layout of a GCE image, the google-guest-agent and
# its configuration file, OS Login, and the network/metadata settings.
{ config, lib, pkgs, ... }:

let
  guestConfigs = pkgs.google-guest-configs;

  # Accounts the guest agent creates from instance/project metadata are put
  # in this group and get passwordless root.  Only emitted when the agent
  # is allowed to manage accounts at all (users.mutableUsers).
  googleSudoersRule = [
    {
      groups = [ "google-sudoers" ];
      commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
    }
  ];
in
{
  imports = [
    ../profiles/headless.nix
    ../profiles/qemu-guest.nix
  ];

  # ---- Disk and boot ------------------------------------------------------

  fileSystems."/" = {
    fsType = "ext4";
    device = "/dev/disk/by-label/nixos";
    # Grow the filesystem to the (possibly enlarged) disk on first boot.
    autoResize = true;
  };

  boot = {
    growPartition = true;
    # Serial console feeds the GCE console log; panic=1 reboots a second
    # after a kernel panic instead of leaving an unattended VM wedged.
    kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
    initrd.kernelModules = [ "virtio_scsi" ];
    kernelModules = [ "virtio_pci" "virtio_net" ];

    loader = {
      timeout = 0;
      grub = {
        device = "/dev/sda";
        # No generation menu: there is no interactive console to pick from.
        configurationLimit = 0;
      };
    };

    # GCE's kernel-module blacklist, shipped with google-guest-configs.
    extraModprobeConfig = lib.readFile "${guestConfigs}/etc/modprobe.d/gce-blacklist.conf";
  };

  # ---- Access -------------------------------------------------------------

  services = {
    # SSH is the only way in: root with keys only, no password auth.  Both
    # are mkDefault so an image consumer can still override them.
    openssh = {
      enable = true;
      settings = {
        PermitRootLogin = lib.mkDefault "prohibit-password";
        PasswordAuthentication = lib.mkDefault false;
      };
    };

    # GCE udev rules for hot-plugged disks.
    udev = {
      packages = [ guestConfigs ];
      path = [ guestConfigs ];
    };
  };

  # IAM-managed users and keys.  Has no effect unless the instance or
  # project also carries the enable-oslogin=TRUE metadata key.
  security.googleOsLogin.enable = true;

  # Same NOPASSWD rule for both sudo implementations; the group itself is
  # only created when the guest agent manages accounts.
  security.sudo.extraRules = lib.mkIf config.users.mutableUsers googleSudoersRule;
  security.sudo-rs.extraRules = lib.mkIf config.users.mutableUsers googleSudoersRule;
  users.groups.google-sudoers = lib.mkIf config.users.mutableUsers { };

  # ---- Network ------------------------------------------------------------

  networking = {
    # Empty so the guest agent takes the hostname from the metadata server.
    hostName = lib.mkDefault "";

    # Host firewall is off by default on the assumption that GCE VPC
    # firewall rules do the filtering.  Turn it back on if the VM is
    # reachable from networks those rules do not cover.
    firewall.enable = lib.mkDefault false;

    # Fixed address for the metadata server, independent of DNS.
    extraHosts = ''
      169.254.169.254 metadata.google.internal metadata
    '';
    timeServers = [ "metadata.google.internal" ];

    # Interface is addressed as eth0 below; GCE's network MTU is 1460.
    usePredictableInterfaceNames = false;
    interfaces.eth0.mtu = 1460;
  };

  # GCE's network-related sysctl hardening, shipped with google-guest-configs.
  environment.etc."sysctl.d/60-gce-network-security.conf".source =
    "${guestConfigs}/etc/sysctl.d/60-gce-network-security.conf";

  # ---- Guest agent ---------------------------------------------------------

  # Always ship cryptsetup so NixOps can set up encrypted volumes.
  environment.systemPackages = [ pkgs.cryptsetup ];

  systemd.packages = [ pkgs.google-guest-agent ];
  systemd.services = {
    google-guest-agent = {
      wantedBy = [ "multi-user.target" ];
      # Restart the agent when its config file below changes.
      restartTriggers = [ config.environment.etc."default/instance_configs.cfg".source ];
      # useradd and friends are only needed when the agent manages accounts.
      path = lib.optional config.users.mutableUsers pkgs.shadow;
    };
    google-startup-scripts.wantedBy = [ "multi-user.target" ];
    google-shutdown-scripts.wantedBy = [ "multi-user.target" ];
  };

  # Guest agent configuration.  Metadata-created users get a locked
  # password (`-p *`), so with password auth disabled above they can only
  # authenticate with SSH keys.  Account management is tied to
  # users.mutableUsers; host keys and interfaces stay under NixOS control.
  environment.etc."default/instance_configs.cfg".text = ''
    [Accounts]
    useradd_cmd = useradd -m -s /run/current-system/sw/bin/bash -p * {user}

    [Daemons]
    accounts_daemon = ${lib.boolToString config.users.mutableUsers}

    [InstanceSetup]
    # Make sure GCE image does not replace host key that NixOps sets.
    set_host_keys = false

    [MetadataScripts]
    default_shell = ${pkgs.stdenv.shell}

    [NetworkInterfaces]
    dhclient_script = ${guestConfigs}/bin/google-dhclient-script
    # We set up network interfaces declaratively.
    setup = false
  '';
}