pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / virtualisation / google-compute-config.nix
at 25.11-pre 3.8 kB view raw
1{ 2 config, 3 lib, 4 pkgs, 5 ... 6}: 7 8let 9 inherit (lib) 10 boolToString 11 mkDefault 12 mkIf 13 optional 14 readFile 15 ; 16in 17 18{ 19 imports = [ 20 ../profiles/headless.nix 21 ../profiles/qemu-guest.nix 22 ]; 23 24 fileSystems."/" = { 25 fsType = "ext4"; 26 device = "/dev/disk/by-label/nixos"; 27 autoResize = true; 28 }; 29 30 boot.growPartition = true; 31 boot.kernelParams = [ 32 "console=ttyS0" 33 "panic=1" 34 "boot.panic_on_fail" 35 ]; 36 boot.initrd.kernelModules = [ "virtio_scsi" ]; 37 boot.kernelModules = [ 38 "virtio_pci" 39 "virtio_net" 40 ]; 41 42 # Generate a GRUB menu. 43 boot.loader.grub.device = "/dev/sda"; 44 boot.loader.timeout = 0; 45 46 # Don't put old configurations in the GRUB menu. The user has no 47 # way to select them anyway. 48 boot.loader.grub.configurationLimit = 0; 49 50 # Allow root logins only using SSH keys 51 # and disable password authentication in general 52 services.openssh.enable = true; 53 services.openssh.settings.PermitRootLogin = mkDefault "prohibit-password"; 54 services.openssh.settings.PasswordAuthentication = mkDefault false; 55 56 # enable OS Login. This also requires setting enable-oslogin=TRUE metadata on 57 # instance or project level 58 security.googleOsLogin.enable = true; 59 60 # Use GCE udev rules for dynamic disk volumes 61 services.udev.packages = [ pkgs.google-guest-configs ]; 62 services.udev.path = [ pkgs.google-guest-configs ]; 63 64 # Force getting the hostname from Google Compute. 65 networking.hostName = mkDefault ""; 66 67 # Always include cryptsetup so that NixOps can use it. 68 environment.systemPackages = [ pkgs.cryptsetup ]; 69 70 # Rely on GCP's firewall instead 71 networking.firewall.enable = mkDefault false; 72 73 # Configure default metadata hostnames 74 networking.extraHosts = '' 75 169.254.169.254 metadata.google.internal metadata 76 ''; 77 78 networking.timeServers = [ "metadata.google.internal" ]; 79 80 networking.usePredictableInterfaceNames = false; 81 82 # GC has 1460 MTU 83 networking.interfaces.eth0.mtu = 1460; 84 85 systemd.packages = [ pkgs.google-guest-agent ]; 86 systemd.services.google-guest-agent = { 87 wantedBy = [ "multi-user.target" ]; 88 restartTriggers = [ config.environment.etc."default/instance_configs.cfg".source ]; 89 path = optional config.users.mutableUsers pkgs.shadow; 90 }; 91 systemd.services.google-startup-scripts.wantedBy = [ "multi-user.target" ]; 92 systemd.services.google-shutdown-scripts.wantedBy = [ "multi-user.target" ]; 93 94 security.sudo.extraRules = mkIf config.users.mutableUsers [ 95 { 96 groups = [ "google-sudoers" ]; 97 commands = [ 98 { 99 command = "ALL"; 100 options = [ "NOPASSWD" ]; 101 } 102 ]; 103 } 104 ]; 105 106 security.sudo-rs.extraRules = mkIf config.users.mutableUsers [ 107 { 108 groups = [ "google-sudoers" ]; 109 commands = [ 110 { 111 command = "ALL"; 112 options = [ "NOPASSWD" ]; 113 } 114 ]; 115 } 116 ]; 117 118 users.groups.google-sudoers = mkIf config.users.mutableUsers { }; 119 120 boot.extraModprobeConfig = readFile "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf"; 121 122 environment.etc."sysctl.d/60-gce-network-security.conf".source = 123 "${pkgs.google-guest-configs}/etc/sysctl.d/60-gce-network-security.conf"; 124 125 environment.etc."default/instance_configs.cfg".text = '' 126 [Accounts] 127 useradd_cmd = useradd -m -s /run/current-system/sw/bin/bash -p * {user} 128 129 [Daemons] 130 accounts_daemon = ${boolToString config.users.mutableUsers} 131 132 [InstanceSetup] 133 # Make sure GCE image does not replace host key that NixOps sets. 134 set_host_keys = false 135 136 [MetadataScripts] 137 default_shell = ${pkgs.stdenv.shell} 138 139 [NetworkInterfaces] 140 dhclient_script = ${pkgs.google-guest-configs}/bin/google-dhclient-script 141 # We set up network interfaces declaratively. 142 setup = false 143 ''; 144}