diff --git a/spec/web/default.nix b/spec/web/default.nix
new file mode 100644
index 00000000..8eb83f80
--- /dev/null
+++ b/spec/web/default.nix
@@ -0,0 +1,18 @@
+{ lib
+, ... }: {
+  global = {
+    id = "63795fdf54e048dcbefcbc525ec3779d";
+    auth.openssh.enable = true;
+    libvirt.enable = false;
+    fs.esp.uuid = "3838-0946";
+    fs.type = "xfs";
+    fs.store = "8476f738-b83b-4736-abd7-08a1943cf60a";
+    lowmem.enable = true;
+  };
+
+  imports = lib.pipe ./. [
+    builtins.readDir
+    (lib.filterAttrs (n: ty: ty == "regular" && n != "default.nix"))
+    (lib.mapAttrsToList (n: _: ./${n}))
+  ];
+}
diff --git a/spec/web/google-compute-config.nix b/spec/web/google-compute-config.nix
new file mode 100644
index 00000000..74f26982
--- /dev/null
+++ b/spec/web/google-compute-config.nix
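Review bot: The `imports` pipe at the end of the hunk pulls in every regular file in the directory except default.nix, not only Nix modules, so a stray file dropped next to it (an editor backup, a README) becomes a module import and breaks evaluation, and conversely anything that lands in this directory silently becomes part of this host's configuration. Restricting the filter to Nix files keeps the auto-import explicit: `(lib.filterAttrs (n: ty: ty == "regular" && n != "default.nix" && lib.hasSuffix ".nix" n))`. A one-line comment above `imports` stating that sibling `.nix` files are auto-imported would also help whoever adds the next file here.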
@@ -0,0 +1,90 @@
+{ pkgs
+, lib
+, config
+, modulesPath
+, ... }:
+
+let
+  inherit (lib)
+    boolToString
+    mkDefault
+    mkIf
+    optional
+    readFile
+    ;
+in
+
+{
+  imports = [
+    (modulesPath + "/profiles/headless.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+
+  boot.kernelParams = [ "console=ttyS0,115200n8" "panic=1" "boot.panic_on_fail" ];
+  boot.initrd.kernelModules = [ "virtio_scsi" ];
+  boot.kernelModules = [ "virtio_pci" "virtio_net" ];
+
+  # enable OS Login. This also requires setting enable-oslogin=TRUE metadata on
+  # instance or project level
+  security.googleOsLogin.enable = true;
+
+  # Use GCE udev rules for dynamic disk volumes
+  services.udev.packages = [ pkgs.google-guest-configs ];
+  services.udev.path = [ pkgs.google-guest-configs ];
+
+  # Configure default metadata hostnames
+  networking.extraHosts = ''
+    169.254.169.254 metadata.google.internal metadata
+  '';
+
+  networking.timeServers = [ "metadata.google.internal" ];
+
+  networking.usePredictableInterfaceNames = false;
+
+  # GC has 1460 MTU
+  networking.interfaces.eth0.mtu = 1460;
+
+  systemd.packages = [ pkgs.google-guest-agent ];
+  systemd.services.google-guest-agent = {
+    wantedBy = [ "multi-user.target" ];
+    restartTriggers = [ config.environment.etc."default/instance_configs.cfg".source ];
+    path = optional config.users.mutableUsers pkgs.shadow;
+  };
+  systemd.services.google-startup-scripts.wantedBy = [ "multi-user.target" ];
+  systemd.services.google-shutdown-scripts.wantedBy = [ "multi-user.target" ];
+
+  security.sudo.extraRules = mkIf config.users.mutableUsers [
+    { groups = [ "google-sudoers" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+  ];
+
+  security.sudo-rs.extraRules = mkIf config.users.mutableUsers [
+    { groups = [ "google-sudoers" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+  ];
+
+  users.groups.google-sudoers = mkIf config.users.mutableUsers { };
+
+  boot.extraModprobeConfig = readFile "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf";
+
+  environment.etc."sysctl.d/60-gce-network-security.conf".source = "${pkgs.google-guest-configs}/etc/sysctl.d/60-gce-network-security.conf";
+
+  environment.etc."default/instance_configs.cfg".text = ''
+    [Accounts]
+    useradd_cmd = useradd -m -s /run/current-system/sw/bin/bash -p * {user}
+
+    [Daemons]
+    accounts_daemon = ${boolToString config.users.mutableUsers}
+
+    [InstanceSetup]
+    # Make sure GCE image does not replace host key that NixOps sets.
+    set_host_keys = false
+
+    [MetadataScripts]
+    default_shell = ${pkgs.stdenv.shell}
+
+    [NetworkInterfaces]
+    dhclient_script = ${pkgs.google-guest-configs}/bin/google-dhclient-script
+    # We set up network interfaces declaratively.
+    setup = false
+  '';
+}
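Review bot: The passwordless `ALL` sudo for `google-sudoers` and the guest agent's `accounts_daemon` are both conditioned on `config.users.mutableUsers`, which this file neither sets nor documents, and NixOS defaults that option to true, so unless another module under `spec/web` turns it off, metadata-provisioned accounts with NOPASSWD sudo are active on this host. If a fully declarative user set is the intent, pinning it here makes that explicit and gives the otherwise-unused `mkDefault` from the `inherit (lib)` list a purpose: `users.mutableUsers = mkDefault false;`; if metadata-driven account provisioning is intended, a comment above `security.sudo.extraRules` saying so would do instead. The file also looks like a copy of the upstream `virtualisation/google-compute-config.nix` module; importing it via `modulesPath` and overriding only what differs would avoid drifting from upstream fixes, though I can't tell from this hunk what was changed.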