google-compute-config: update config · tjh.dev/nixpkgs@524aecf

+6 -3

nixos/modules/security/google_oslogin.nix

··· 5 let 6 7 cfg = config.security.googleOsLogin; 8 - package = pkgs.google-compute-engine-oslogin; 9 10 in 11 ··· 17 type = types.bool; 18 default = false; 19 description = '' 20 - Whether to enable Google OS Login 21 22 The OS Login package enables the following components: 23 AuthorizedKeysCommand to query valid SSH keys from the user's OS Login ··· 36 security.pam.services.sshd = { 37 makeHomeDir = true; 38 googleOsLoginAccountVerification = true; 39 - # disabled for now: googleOsLoginAuthentication = true; 40 }; 41 42 security.sudo.extraConfig = '' ··· 46 "d /run/google-sudoers.d 750 root root -" 47 "d /var/google-users.d 750 root root -" 48 ]; 49 50 # enable the nss module, so user lookups etc. work 51 system.nssModules = [ package ];

··· 5 let 6 7 cfg = config.security.googleOsLogin; 8 + package = pkgs.google-guest-oslogin; 9 10 in 11 ··· 17 type = types.bool; 18 default = false; 19 description = '' 20 + Whether to enable Google OS Login. 21 22 The OS Login package enables the following components: 23 AuthorizedKeysCommand to query valid SSH keys from the user's OS Login ··· 36 security.pam.services.sshd = { 37 makeHomeDir = true; 38 googleOsLoginAccountVerification = true; 39 + googleOsLoginAuthentication = true; 40 }; 41 42 security.sudo.extraConfig = '' ··· 46 "d /run/google-sudoers.d 750 root root -" 47 "d /var/google-users.d 750 root root -" 48 ]; 49 + 50 + systemd.packages = [ package ]; 51 + systemd.timers.google-oslogin-cache.wantedBy = [ "timers.target" ]; 52 53 # enable the nss module, so user lookups etc. work 54 system.nssModules = [ package ];

+6 -6

nixos/modules/security/pam.nix

··· 444 account sufficient ${pam_krb5}/lib/security/pam_krb5.so 445 '' + 446 optionalString cfg.googleOsLoginAccountVerification '' 447 - account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so 448 - account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so 449 '' + 450 '' 451 452 # Authentication management. 453 '' + 454 optionalString cfg.googleOsLoginAuthentication '' 455 - auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so 456 '' + 457 optionalString cfg.rootOK '' 458 auth sufficient pam_rootok.so ··· 1091 mr ${pam_ccreds}/lib/security/pam_ccreds.so, 1092 '' + 1093 optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' 1094 - mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, 1095 - mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so, 1096 '' + 1097 optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) '' 1098 - mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, 1099 '' + 1100 optionalString (config.security.pam.enableSSHAgentAuth 1101 && isEnabled (cfg: cfg.sshAgentAuth)) ''

··· 444 account sufficient ${pam_krb5}/lib/security/pam_krb5.so 445 '' + 446 optionalString cfg.googleOsLoginAccountVerification '' 447 + account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so 448 + account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so 449 '' + 450 '' 451 452 # Authentication management. 453 '' + 454 optionalString cfg.googleOsLoginAuthentication '' 455 + auth [success=done perm_denied=die default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so 456 '' + 457 optionalString cfg.rootOK '' 458 auth sufficient pam_rootok.so ··· 1091 mr ${pam_ccreds}/lib/security/pam_ccreds.so, 1092 '' + 1093 optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' 1094 + mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so, 1095 + mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so, 1096 '' + 1097 optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) '' 1098 + mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so, 1099 '' + 1100 optionalString (config.security.pam.enableSSHAgentAuth 1101 && isEnabled (cfg: cfg.sshAgentAuth)) ''

-36

nixos/modules/virtualisation/fetch-instance-ssh-keys.bash

··· 1 - #!/usr/bin/env bash 2 - 3 - set -euo pipefail 4 - 5 - WGET() { 6 - wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google' "$@" 7 - } 8 - 9 - # When dealing with cryptographic keys, we want to keep things private. 10 - umask 077 11 - mkdir -p /root/.ssh 12 - 13 - echo "Fetching authorized keys..." 14 - WGET -O /tmp/auth_keys http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys 15 - 16 - # Read keys one by one, split in case Google decided 17 - # to append metadata (it does sometimes) and add to 18 - # authorized_keys if not already present. 19 - touch /root/.ssh/authorized_keys 20 - while IFS='' read -r line || [[ -n "$line" ]]; do 21 - keyLine=$(echo -n "$line" | cut -d ':' -f2) 22 - IFS=' ' read -r -a array <<<"$keyLine" 23 - if [[ ${#array[@]} -ge 3 ]]; then 24 - echo "${array[@]:0:3}" >>/tmp/new_keys 25 - echo "Added ${array[*]:2} to authorized_keys" 26 - fi 27 - done </tmp/auth_keys 28 - mv /tmp/new_keys /root/.ssh/authorized_keys 29 - chmod 600 /root/.ssh/authorized_keys 30 - 31 - echo "Fetching host keys..." 32 - WGET -O /tmp/ssh_host_ed25519_key http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key 33 - WGET -O /tmp/ssh_host_ed25519_key.pub http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key_pub 34 - mv -f /tmp/ssh_host_ed25519_key* /etc/ssh/ 35 - chmod 600 /etc/ssh/ssh_host_ed25519_key 36 - chmod 644 /etc/ssh/ssh_host_ed25519_key.pub

···

+31 -102

nixos/modules/virtualisation/google-compute-config.nix

··· 1 { config, lib, pkgs, ... }: 2 with lib; 3 - let 4 - gce = pkgs.google-compute-engine; 5 - in 6 { 7 imports = [ 8 ../profiles/headless.nix ··· 40 security.googleOsLogin.enable = true; 41 42 # Use GCE udev rules for dynamic disk volumes 43 - services.udev.packages = [ gce ]; 44 45 # Force getting the hostname from Google Compute. 46 networking.hostName = mkDefault ""; 47 48 # Always include cryptsetup so that NixOps can use it. 49 environment.systemPackages = [ pkgs.cryptsetup ]; 50 - 51 - # Make sure GCE image does not replace host key that NixOps sets 52 - environment.etc."default/instance_configs.cfg".text = lib.mkDefault '' 53 - [InstanceSetup] 54 - set_host_keys = false 55 - ''; 56 57 # Rely on GCP's firewall instead 58 networking.firewall.enable = mkDefault false; ··· 69 # GC has 1460 MTU 70 networking.interfaces.eth0.mtu = 1460; 71 72 - # Used by NixOps 73 - systemd.services.fetch-instance-ssh-keys = { 74 - description = "Fetch host keys and authorized_keys for root user"; 75 76 - wantedBy = [ "sshd.service" ]; 77 - before = [ "sshd.service" ]; 78 - after = [ "network-online.target" ]; 79 - wants = [ "network-online.target" ]; 80 - path = [ pkgs.wget ]; 81 82 - serviceConfig = { 83 - Type = "oneshot"; 84 - ExecStart = pkgs.runCommand "fetch-instance-ssh-keys" { } '' 85 - cp ${./fetch-instance-ssh-keys.bash} $out 86 - chmod +x $out 87 - ${pkgs.shfmt}/bin/shfmt -i 4 -d $out 88 - ${pkgs.shellcheck}/bin/shellcheck $out 89 - patchShebangs $out 90 - ''; 91 - PrivateTmp = true; 92 - StandardError = "journal+console"; 93 - StandardOutput = "journal+console"; 94 - }; 95 - }; 96 97 - systemd.services.google-instance-setup = { 98 - description = "Google Compute Engine Instance Setup"; 99 - after = [ "network-online.target" "network.target" "rsyslog.service" ]; 100 - before = [ "sshd.service" ]; 101 - path = with pkgs; [ coreutils ethtool openssh ]; 102 - serviceConfig = { 103 - ExecStart = "${gce}/bin/google_instance_setup"; 104 - StandardOutput="journal+console"; 105 - Type = "oneshot"; 106 - }; 107 - wantedBy = [ "sshd.service" "multi-user.target" ]; 108 - }; 109 110 - systemd.services.google-network-daemon = { 111 - description = "Google Compute Engine Network Daemon"; 112 - after = [ "network-online.target" "network.target" "google-instance-setup.service" ]; 113 - path = with pkgs; [ iproute2 ]; 114 - serviceConfig = { 115 - ExecStart = "${gce}/bin/google_network_daemon"; 116 - StandardOutput="journal+console"; 117 - Type="simple"; 118 - }; 119 - wantedBy = [ "multi-user.target" ]; 120 - }; 121 122 - systemd.services.google-clock-skew-daemon = { 123 - description = "Google Compute Engine Clock Skew Daemon"; 124 - after = [ "network.target" "google-instance-setup.service" "google-network-daemon.service" ]; 125 - serviceConfig = { 126 - ExecStart = "${gce}/bin/google_clock_skew_daemon"; 127 - StandardOutput="journal+console"; 128 - Type = "simple"; 129 - }; 130 - wantedBy = ["multi-user.target"]; 131 - }; 132 133 134 - systemd.services.google-shutdown-scripts = { 135 - description = "Google Compute Engine Shutdown Scripts"; 136 - after = [ 137 - "network-online.target" 138 - "network.target" 139 - "rsyslog.service" 140 - "google-instance-setup.service" 141 - "google-network-daemon.service" 142 - ]; 143 - serviceConfig = { 144 - ExecStart = "${pkgs.coreutils}/bin/true"; 145 - ExecStop = "${gce}/bin/google_metadata_script_runner --script-type shutdown"; 146 - RemainAfterExit = true; 147 - StandardOutput="journal+console"; 148 - TimeoutStopSec = "0"; 149 - Type = "oneshot"; 150 - }; 151 - wantedBy = [ "multi-user.target" ]; 152 - }; 153 154 - systemd.services.google-startup-scripts = { 155 - description = "Google Compute Engine Startup Scripts"; 156 - after = [ 157 - "network-online.target" 158 - "network.target" 159 - "rsyslog.service" 160 - "google-instance-setup.service" 161 - "google-network-daemon.service" 162 - ]; 163 - serviceConfig = { 164 - ExecStart = "${gce}/bin/google_metadata_script_runner --script-type startup"; 165 - KillMode = "process"; 166 - StandardOutput = "journal+console"; 167 - Type = "oneshot"; 168 - }; 169 - wantedBy = [ "multi-user.target" ]; 170 - }; 171 172 - environment.etc."sysctl.d/11-gce-network-security.conf".source = "${gce}/sysctl.d/11-gce-network-security.conf"; 173 }

··· 1 { config, lib, pkgs, ... }: 2 with lib; 3 { 4 imports = [ 5 ../profiles/headless.nix ··· 37 security.googleOsLogin.enable = true; 38 39 # Use GCE udev rules for dynamic disk volumes 40 + services.udev.packages = [ pkgs.google-guest-configs ]; 41 + services.udev.path = [ pkgs.google-guest-configs ]; 42 43 # Force getting the hostname from Google Compute. 44 networking.hostName = mkDefault ""; 45 46 # Always include cryptsetup so that NixOps can use it. 47 environment.systemPackages = [ pkgs.cryptsetup ]; 48 49 # Rely on GCP's firewall instead 50 networking.firewall.enable = mkDefault false; ··· 61 # GC has 1460 MTU 62 networking.interfaces.eth0.mtu = 1460; 63 64 + systemd.packages = [ pkgs.google-guest-agent ]; 65 + systemd.services.google-guest-agent = { 66 + wantedBy = [ "multi-user.target" ]; 67 + restartTriggers = [ config.environment.etc."default/instance_configs.cfg".source ]; 68 + path = lib.optional config.users.mutableUsers pkgs.shadow; 69 + }; 70 + systemd.services.google-startup-scripts.wantedBy = [ "multi-user.target" ]; 71 + systemd.services.google-shutdown-scripts.wantedBy = [ "multi-user.target" ]; 72 73 + security.sudo.extraRules = mkIf config.users.mutableUsers [ 74 + { groups = [ "google-sudoers" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } 75 + ]; 76 77 + users.groups.google-sudoers = mkIf config.users.mutableUsers { }; 78 79 + boot.extraModprobeConfig = lib.readFile "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf"; 80 81 + environment.etc."sysctl.d/60-gce-network-security.conf".source = "${pkgs.google-guest-configs}/etc/sysctl.d/60-gce-network-security.conf"; 82 83 + environment.etc."default/instance_configs.cfg".text = '' 84 + [Accounts] 85 + useradd_cmd = useradd -m -s /run/current-system/sw/bin/bash -p * {user} 86 87 + [Daemons] 88 + accounts_daemon = ${boolToString config.users.mutableUsers} 89 90 + [InstanceSetup] 91 + # Make sure GCE image does not replace host key that NixOps sets. 92 + set_host_keys = false 93 94 + [MetadataScripts] 95 + default_shell = ${pkgs.stdenv.shell} 96 97 + [NetworkInterfaces] 98 + dhclient_script = ${pkgs.google-guest-configs}/bin/google-dhclient-script 99 + # We set up network interfaces declaratively. 100 + setup = false 101 + ''; 102 }

+2 -2

nixos/tests/google-oslogin/default.nix

··· 31 32 # mockserver should return a non-expired ssh key for both mockuser and mockadmin 33 server.succeed( 34 - f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"' 35 ) 36 server.succeed( 37 - f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"' 38 ) 39 40 # install snakeoil ssh key on the client, and provision .ssh/config file

··· 31 32 # mockserver should return a non-expired ssh key for both mockuser and mockadmin 33 server.succeed( 34 + f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"' 35 ) 36 server.succeed( 37 + f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"' 38 ) 39 40 # install snakeoil ssh key on the client, and provision .ssh/config file

+1 -3

nixos/tests/google-oslogin/server.nix

··· 23 security.googleOsLogin.enable = true; 24 25 # Mock google service 26 - networking.extraHosts = '' 27 - 127.0.0.1 metadata.google.internal 28 - ''; 29 }

··· 23 security.googleOsLogin.enable = true; 24 25 # Mock google service 26 + networking.interfaces.lo.ipv4.addresses = [ { address = "169.254.169.254"; prefixLength = 32; } ]; 27 }

nixos/tests/google-oslogin/server.py

+1 -1

nixos/tests/ssh-keys.nix

··· 10 snakeOilPublicKey = pkgs.lib.concatStrings [ 11 "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA" 12 "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa" 13 - "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil" 14 ]; 15 }

··· 10 snakeOilPublicKey = pkgs.lib.concatStrings [ 11 "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA" 12 "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa" 13 + "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= snakeoil" 14 ]; 15 }