
Merge pull request #26214 from zimbatm/google-compute-image

Google compute image

authored by zimbatm.tngl.sh and committed by GitHub 14f53e52 1fef42dd

+228 -5
+144 -5
nixos/modules/virtualisation/google-compute-image.nix
··· 3 with lib; 4 let 5 diskSize = 1024; # MB 6 in 7 { 8 imports = [ ../profiles/headless.nix ../profiles/qemu-guest.nix ./grow-partition.nix ]; 9 - 10 - # https://cloud.google.com/compute/docs/tutorials/building-images 11 - networking.firewall.enable = mkDefault false; 12 13 system.build.googleComputeImage = import ../../lib/make-disk-image.nix { 14 name = "google-compute-image"; ··· 49 services.openssh.permitRootLogin = "prohibit-password"; 50 services.openssh.passwordAuthentication = mkDefault false; 51 52 # Force getting the hostname from Google Compute. 53 networking.hostName = mkDefault ""; 54 55 # Always include cryptsetup so that NixOps can use it. 56 environment.systemPackages = [ pkgs.cryptsetup ]; 57 58 # Configure default metadata hostnames 59 networking.extraHosts = '' 60 169.254.169.254 metadata.google.internal metadata ··· 64 65 networking.usePredictableInterfaceNames = false; 66 67 systemd.services.fetch-ssh-keys = 68 { description = "Fetch host keys and authorized_keys for root user"; 69 ··· 113 serviceConfig.StandardOutput = "journal+console"; 114 }; 115 116 - # Setings taken from https://cloud.google.com/compute/docs/tutorials/building-images#providedkernel 117 boot.kernel.sysctl = { 118 - # enables syn flood protection 119 "net.ipv4.tcp_syncookies" = mkDefault "1"; 120 121 # ignores source-routed packets ··· 168 169 # randomizes addresses of mmap base, heap, stack and VDSO page 170 "kernel.randomize_va_space" = mkDefault "2"; 171 172 # provides protection from ToCToU races 173 "fs.protected_hardlinks" = mkDefault "1";
··· 3 with lib; 4 let 5 diskSize = 1024; # MB 6 + gce = pkgs.google-compute-engine; 7 in 8 { 9 imports = [ ../profiles/headless.nix ../profiles/qemu-guest.nix ./grow-partition.nix ]; 10 11 system.build.googleComputeImage = import ../../lib/make-disk-image.nix { 12 name = "google-compute-image"; ··· 47 services.openssh.permitRootLogin = "prohibit-password"; 48 services.openssh.passwordAuthentication = mkDefault false; 49 50 + # Use GCE udev rules for dynamic disk volumes 51 + services.udev.packages = [ gce ]; 52 + 53 # Force getting the hostname from Google Compute. 54 networking.hostName = mkDefault ""; 55 56 # Always include cryptsetup so that NixOps can use it. 57 environment.systemPackages = [ pkgs.cryptsetup ]; 58 59 + # Rely on GCP's firewall instead 60 + networking.firewall.enable = mkDefault false; 61 + 62 # Configure default metadata hostnames 63 networking.extraHosts = '' 64 169.254.169.254 metadata.google.internal metadata ··· 68 69 networking.usePredictableInterfaceNames = false; 70 71 + # allow the google-accounts-daemon to manage users 72 + users.mutableUsers = true; 73 + # and allow users to sudo without password 74 + security.sudo.enable = true; 75 + security.sudo.extraConfig = '' 76 + %google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL 77 + ''; 78 + 79 + # NOTE: google-accounts tries to write to /etc/sudoers.d but the folder doesn't exist 80 + # FIXME: not such file or directory on dynamic SSH provisioning 81 + systemd.services.google-accounts-daemon = { 82 + description = "Google Compute Engine Accounts Daemon"; 83 + # This daemon creates dynamic users 84 + enable = config.users.mutableUsers; 85 + after = [ 86 + "network.target" 87 + "google-instance-setup.service" 88 + "google-network-setup.service" 89 + ]; 90 + wantedBy = [ "multi-user.target" ]; 91 + requires = ["network.target"]; 92 + path = with pkgs; [ shadow ]; 93 + serviceConfig = { 94 + Type = "simple"; 95 + ExecStart = "${gce}/bin/google_accounts_daemon --debug"; 96 + }; 97 + }; 98 + 99 + 
systemd.services.google-clock-skew-daemon = { 100 + description = "Google Compute Engine Clock Skew Daemon"; 101 + after = [ 102 + "network.target" 103 + "google-instance-setup.service" 104 + "google-network-setup.service" 105 + ]; 106 + requires = [ "network.target" ]; 107 + wantedBy = [ "multi-user.target" ]; 108 + serviceConfig = { 109 + Type = "simple"; 110 + ExecStart = "${gce}/bin/google_clock_skew_daemon --debug"; 111 + }; 112 + }; 113 + 114 + systemd.services.google-instance-setup = { 115 + description = "Google Compute Engine Instance Setup"; 116 + after = ["fs.target" "network-online.target" "network.target" "rsyslog.service"]; 117 + before = ["sshd.service"]; 118 + wants = ["local-fs.target" "network-online.target" "network.target"]; 119 + wantedBy = [ "sshd.service" "multi-user.target" ]; 120 + path = with pkgs; [ ethtool ]; 121 + serviceConfig = { 122 + ExecStart = "${gce}/bin/google_instance_setup --debug"; 123 + Type = "oneshot"; 124 + }; 125 + }; 126 + 127 + systemd.services.google-ip-forwarding-daemon = { 128 + description = "Google Compute Engine IP Forwarding Daemon"; 129 + after = ["network.target" "google-instance-setup.service" "google-network-setup.service"]; 130 + requires = ["network.target"]; 131 + wantedBy = [ "multi-user.target" ]; 132 + path = with pkgs; [ iproute ]; 133 + serviceConfig = { 134 + Type = "simple"; 135 + ExecStart = "${gce}/bin/google_ip_forwarding_daemon --debug"; 136 + }; 137 + }; 138 + 139 + systemd.services.google-shutdown-scripts = { 140 + description = "Google Compute Engine Shutdown Scripts"; 141 + after = [ 142 + "local-fs.target" 143 + "network-online.target" 144 + "network.target" 145 + "rsyslog.service" 146 + "google-instance-setup.service" 147 + "google-network-setup.service" 148 + ]; 149 + wants = [ "local-fs.target" "network-online.target" "network.target"]; 150 + wantedBy = [ "multi-user.target" ]; 151 + serviceConfig = { 152 + ExecStart = "${pkgs.coreutils}/bin/true"; 153 + ExecStop = 
"${gce}/bin/google_metadata_script_runner --debug --script-type shutdown"; 154 + Type = "oneshot"; 155 + RemainAfterExit = true; 156 + TimeoutStopSec = 0; 157 + }; 158 + }; 159 + 160 + systemd.services.google-network-setup = { 161 + description = "Google Compute Engine Network Setup"; 162 + after = [ 163 + "local-fs.target" 164 + "network-online.target" 165 + "network.target" 166 + "rsyslog.service" 167 + ]; 168 + wants = [ "local-fs.target" "network-online.target" "network.target"]; 169 + wantedBy = [ "multi-user.target" ]; 170 + serviceConfig = { 171 + ExecStart = "${gce}/bin/google_network_setup --debug"; 172 + KillMode = "process"; 173 + Type = "oneshot"; 174 + }; 175 + }; 176 + 177 + systemd.services.google-startup-scripts = { 178 + description = "Google Compute Engine Startup Scripts"; 179 + after = [ 180 + "local-fs.target" 181 + "network-online.target" 182 + "network.target" 183 + "rsyslog.service" 184 + "google-instance-setup.service" 185 + "google-network-setup.service" 186 + ]; 187 + wants = [ "local-fs.target" "network-online.target" "network.target"]; 188 + wantedBy = [ "multi-user.target" ]; 189 + serviceConfig = { 190 + ExecStart = "${gce}/bin/google_metadata_script_runner --debug --script-type startup"; 191 + KillMode = "process"; 192 + Type = "oneshot"; 193 + }; 194 + }; 195 + 196 + # TODO: remove this 197 systemd.services.fetch-ssh-keys = 198 { description = "Fetch host keys and authorized_keys for root user"; 199 ··· 243 serviceConfig.StandardOutput = "journal+console"; 244 }; 245 246 + # Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf 247 boot.kernel.sysctl = { 248 + # Turn on SYN-flood protections. Starting with 2.6.26, there is no loss 249 + # of TCP functionality/features under normal conditions. 
When flood 250 + # protections kick in under high unanswered-SYN load, the system 251 + # should remain more stable, with a trade off of some loss of TCP 252 + # functionality/features (e.g. TCP Window scaling). 253 "net.ipv4.tcp_syncookies" = mkDefault "1"; 254 255 # ignores source-routed packets ··· 302 303 # randomizes addresses of mmap base, heap, stack and VDSO page 304 "kernel.randomize_va_space" = mkDefault "2"; 305 + 306 + # Reboot the machine soon after a kernel panic. 307 + "kernel.panic" = mkDefault "10"; 308 + 309 + ## Not part of the original config 310 311 # provides protection from ToCToU races 312 "fs.protected_hardlinks" = mkDefault "1";
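Review bot: The `%google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL` rule added to `security.sudo.extraConfig` is unconditional, while the daemon that populates that group (`google-accounts-daemon`, `enable = config.users.mutableUsers`) is gated on mutable users, and `users.mutableUsers = true` and `security.sudo.enable = true` are plain assignments rather than `mkDefault`, so an image consumer who sets `users.mutableUsers = false` gets a definition conflict instead of opting out. I would write `users.mutableUsers = mkDefault true;` and `security.sudo.enable = mkDefault true;`, and wrap the sudoers rule in `mkIf config.users.mutableUsers` so the passwordless-root grant disappears together with the daemon that manages the group. A comment above the rule should also state that group membership is derived from instance/project metadata by the accounts daemon, so anyone with metadata write access on the project becomes root on the VM — presumably intended, but it is the security boundary of this image and deserves to be written down. Separately, every `ExecStart` passes `--debug`; if that makes the daemons log the metadata they process (ssh-keys, user lists), it should be dropped from the shipped image — I cannot confirm what is logged from this hunk alone.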
+27
pkgs/tools/virtualization/google-compute-engine/0001-allow-nologin-other-paths.patch
···
··· 1 + From 2e9ac201af238b742c7032962b9b12a8b66bab0c Mon Sep 17 00:00:00 2001 2 + From: zimbatm <zimbatm@zimbatm.com> 3 + Date: Mon, 29 May 2017 22:36:15 +0100 4 + Subject: [PATCH] allow nologin on other paths 5 + 6 + --- 7 + google_compute_engine/accounts/accounts_utils.py | 4 ++-- 8 + 1 file changed, 2 insertions(+), 2 deletions(-) 9 + 10 + diff --git a/google_compute_engine/accounts/accounts_utils.py b/google_compute_engine/accounts/accounts_utils.py 11 + index 57e62be..d7eda06 100644 12 + --- a/google_compute_engine/accounts/accounts_utils.py 13 + +++ b/google_compute_engine/accounts/accounts_utils.py 14 + @@ -295,8 +295,8 @@ class AccountsUtils(object): 15 + # logins. This helps avoid problems caused by operator and root sharing 16 + # a home directory in CentOS and RHEL. 17 + pw_entry = self._GetUser(user) 18 + - if pw_entry and pw_entry.pw_shell == '/sbin/nologin': 19 + - message = 'Not updating user %s. User set /sbin/nologin as login shell.' 20 + + if pw_entry and os.path.basename(pw_entry.pw_shell) == 'nologin': 21 + + message = 'Not updating user %s. User set `nologin` as login shell.' 22 + self.logger.debug(message, user) 23 + return True 24 + 25 + -- 26 + 2.13.0 27 +
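Review bot: The new condition `os.path.basename(pw_entry.pw_shell) == 'nologin'` relies on `os` being in scope in accounts_utils.py, and the patch does not add an import; if the module does not already import it, the daemon will raise NameError the first time it updates a user that has an existing passwd entry, so confirm that before merging. The widened check also skips any user whose shell's last path component is `nologin` (a Nix store path, `/usr/sbin/nologin`), which is the goal, but it still treats `/bin/false` as an ordinary shell, so the "do not touch system accounts" protection remains partial. A one-line rationale in the patch header, e.g. `On NixOS nologin lives in the store, so match on the basename rather than /sbin/nologin`, would help whoever rebases this patch onto the next upstream release.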
+55
pkgs/tools/virtualization/google-compute-engine/default.nix
···
··· 1 + { lib 2 + , fetchFromGitHub 3 + , pythonPackages 4 + , bash 5 + , shadow 6 + , systemd 7 + , utillinux 8 + }: 9 + let 10 + version = "20170523"; 11 + in 12 + pythonPackages.buildPythonApplication { 13 + name = "google-compute-engine-${version}"; 14 + namePrefix = ""; 15 + 16 + src = fetchFromGitHub { 17 + owner = "GoogleCloudPlatform"; 18 + repo = "compute-image-packages"; 19 + rev = version; 20 + sha256 = "1qxyj3lj9in6m8yi6y6wcmc3662h9z4qax07v97rdnay99mxdv68"; 21 + }; 22 + 23 + patches = [ ./0001-allow-nologin-other-paths.patch ]; 24 + 25 + postPatch = '' 26 + for file in $(find google_compute_engine -type f); do 27 + substituteInPlace "$file" \ 28 + --replace /bin/systemctl "${systemd}/bin/systemctl" \ 29 + --replace /bin/bash "${bash}/bin/bash" \ 30 + --replace /sbin/hwclock "${utillinux}/bin/hwclock" 31 + 32 + # SELinux tool ??? /sbin/restorecon 33 + done 34 + 35 + substituteInPlace google_config/udev/64-gce-disk-removal.rules \ 36 + --replace /bin/sh "${bash}/bin/sh" \ 37 + --replace /bin/umount "${utillinux}/bin/umount" \ 38 + --replace /usr/bin/logger "${utillinux}/bin/logger" 39 + ''; 40 + 41 + postInstall = '' 42 + # allows to install the package in `services.udev.packages` in NixOS 43 + mkdir -p $out/lib/udev/rules.d 44 + cp -r google_config/udev/*.rules $out/lib/udev/rules.d 45 + ''; 46 + 47 + propagatedBuildInputs = with pythonPackages; [ boto setuptools ]; 48 + 49 + meta = with lib; { 50 + description = "Google Compute Engine tools and services"; 51 + homepage = https://github.com/GoogleCloudPlatform/compute-image-packages; 52 + license = licenses.asl20; 53 + maintainers = with maintainers; [ zimbatm ]; 54 + }; 55 + }
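Review bot: The `postPatch` loop rewrites `/bin/systemctl`, `/bin/bash` and `/sbin/hwclock` to store paths but leaves the `# SELinux tool ??? /sbin/restorecon` question unresolved, so whichever code path invokes `/sbin/restorecon` will fail on NixOS where that binary does not exist; I cannot tell from this file whether upstream tolerates that failure. Either substitute it with a no-op (`--replace /sbin/restorecon "${coreutils}/bin/true"`, adding `coreutils` to the function arguments) or replace the question with a statement of what was verified, e.g. `# /sbin/restorecon is SELinux-only; upstream is expected to survive its absence — TODO confirm`. Note also that `substituteInPlace --replace` is silent when the pattern is absent, so a future upstream release that moves to `/usr/bin/systemctl` or `/usr/sbin/hwclock` would leave absolute paths behind unnoticed; the `sha256` pin protects the build from tag moves but not from that drift, so a `grep -r '/bin/\|/sbin/' google_compute_engine` check at the end of `postPatch` would catch it.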
+2
pkgs/top-level/all-packages.nix
··· 2199 2200 google-fonts = callPackage ../data/fonts/google-fonts { }; 2201 2202 gource = callPackage ../applications/version-management/gource { }; 2203 2204 gpart = callPackage ../tools/filesystems/gpart { };
··· 2199 2200 google-fonts = callPackage ../data/fonts/google-fonts { }; 2201 2202 + google-compute-engine = callPackage ../tools/virtualization/google-compute-engine { }; 2203 + 2204 gource = callPackage ../applications/version-management/gource { }; 2205 2206 gpart = callPackage ../tools/filesystems/gpart { };