···
6
+
gce = pkgs.google-compute-engine;
imports = [ ../profiles/headless.nix ../profiles/qemu-guest.nix ./grow-partition.nix ];
10
-
# https://cloud.google.com/compute/docs/tutorials/building-images
11
-
networking.firewall.enable = mkDefault false;
system.build.googleComputeImage = import ../../lib/make-disk-image.nix {
name = "google-compute-image";
···
services.openssh.permitRootLogin = "prohibit-password";
services.openssh.passwordAuthentication = mkDefault false;
50
+
# Use GCE udev rules for dynamic disk volumes
51
+
services.udev.packages = [ gce ];
# Force getting the hostname from Google Compute.
networking.hostName = mkDefault "";
# Always include cryptsetup so that NixOps can use it.
environment.systemPackages = [ pkgs.cryptsetup ];
59
+
# Rely on GCP's firewall instead
60
+
networking.firewall.enable = mkDefault false;
# Configure default metadata hostnames
networking.extraHosts = ''
169.254.169.254 metadata.google.internal metadata
···
networking.usePredictableInterfaceNames = false;
71
+
# allow the google-accounts-daemon to manage users
72
+
users.mutableUsers = true;
73
+
# and allow users to sudo without password
74
+
security.sudo.enable = true;
75
+
security.sudo.extraConfig = ''
76
+
%google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL
79
+
# NOTE: google-accounts tries to write to /etc/sudoers.d but the folder doesn't exist
80
+
# FIXME: not such file or directory on dynamic SSH provisioning
81
+
systemd.services.google-accounts-daemon = {
82
+
description = "Google Compute Engine Accounts Daemon";
83
+
# This daemon creates dynamic users
84
+
enable = config.users.mutableUsers;
87
+
"google-instance-setup.service"
88
+
"google-network-setup.service"
90
+
wantedBy = [ "multi-user.target" ];
91
+
requires = ["network.target"];
92
+
path = with pkgs; [ shadow ];
95
+
ExecStart = "${gce}/bin/google_accounts_daemon --debug";
99
+
systemd.services.google-clock-skew-daemon = {
100
+
description = "Google Compute Engine Clock Skew Daemon";
103
+
"google-instance-setup.service"
104
+
"google-network-setup.service"
106
+
requires = [ "network.target" ];
107
+
wantedBy = [ "multi-user.target" ];
110
+
ExecStart = "${gce}/bin/google_clock_skew_daemon --debug";
114
+
systemd.services.google-instance-setup = {
115
+
description = "Google Compute Engine Instance Setup";
116
+
after = ["fs.target" "network-online.target" "network.target" "rsyslog.service"];
117
+
before = ["sshd.service"];
118
+
wants = ["local-fs.target" "network-online.target" "network.target"];
119
+
wantedBy = [ "sshd.service" "multi-user.target" ];
120
+
path = with pkgs; [ ethtool ];
122
+
ExecStart = "${gce}/bin/google_instance_setup --debug";
127
+
systemd.services.google-ip-forwarding-daemon = {
128
+
description = "Google Compute Engine IP Forwarding Daemon";
129
+
after = ["network.target" "google-instance-setup.service" "google-network-setup.service"];
130
+
requires = ["network.target"];
131
+
wantedBy = [ "multi-user.target" ];
132
+
path = with pkgs; [ iproute ];
135
+
ExecStart = "${gce}/bin/google_ip_forwarding_daemon --debug";
139
+
systemd.services.google-shutdown-scripts = {
140
+
description = "Google Compute Engine Shutdown Scripts";
143
+
"network-online.target"
146
+
"google-instance-setup.service"
147
+
"google-network-setup.service"
149
+
wants = [ "local-fs.target" "network-online.target" "network.target"];
150
+
wantedBy = [ "multi-user.target" ];
152
+
ExecStart = "${pkgs.coreutils}/bin/true";
153
+
ExecStop = "${gce}/bin/google_metadata_script_runner --debug --script-type shutdown";
155
+
RemainAfterExit = true;
156
+
TimeoutStopSec = 0;
160
+
systemd.services.google-network-setup = {
161
+
description = "Google Compute Engine Network Setup";
164
+
"network-online.target"
168
+
wants = [ "local-fs.target" "network-online.target" "network.target"];
169
+
wantedBy = [ "multi-user.target" ];
171
+
ExecStart = "${gce}/bin/google_network_setup --debug";
172
+
KillMode = "process";
177
+
systemd.services.google-startup-scripts = {
178
+
description = "Google Compute Engine Startup Scripts";
181
+
"network-online.target"
184
+
"google-instance-setup.service"
185
+
"google-network-setup.service"
187
+
wants = [ "local-fs.target" "network-online.target" "network.target"];
188
+
wantedBy = [ "multi-user.target" ];
190
+
ExecStart = "${gce}/bin/google_metadata_script_runner --debug --script-type startup";
191
+
KillMode = "process";
196
+
# TODO: remove this
systemd.services.fetch-ssh-keys =
{ description = "Fetch host keys and authorized_keys for root user";
···
serviceConfig.StandardOutput = "journal+console";
116
-
# Setings taken from https://cloud.google.com/compute/docs/tutorials/building-images#providedkernel
246
+
# Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf
118
-
# enables syn flood protection
248
+
# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
249
+
# of TCP functionality/features under normal conditions. When flood
250
+
# protections kick in under high unanswered-SYN load, the system
251
+
# should remain more stable, with a trade off of some loss of TCP
252
+
# functionality/features (e.g. TCP Window scaling).
"net.ipv4.tcp_syncookies" = mkDefault "1";
# ignores source-routed packets
···
# randomizes addresses of mmap base, heap, stack and VDSO page
"kernel.randomize_va_space" = mkDefault "2";
306
+
# Reboot the machine soon after a kernel panic.
307
+
"kernel.panic" = mkDefault "10";
309
+
## Not part of the original config
# provides protection from ToCToU races
"fs.protected_hardlinks" = mkDefault "1";
pyrox.dev