author | Nicolas B. Pierron <nicolas.b.pierron@gmail.com> | 2015-04-03 23:12:12 +0200 |
---|---|---|
committer | Nicolas B. Pierron <nicolas.b.pierron@gmail.com> | 2015-04-03 23:12:12 +0200 |
commit | 6de931a0f898bc132d73a67059326b6886cc84b1 (patch) | |
tree | a494d3f90da826fa983bfbd93e0ee2cff5f22ce8 /nixos/modules/virtualisation | |
parent | 7f1a782d91c537eb6972b8acd83e1957a65a93e4 (diff) | |
parent | a8d0614a602fd00d2e23e0e86fc748cc51c6f696 (diff) | |
Merge rename.nix changes.
Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r-- | nixos/modules/virtualisation/amazon-image.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/google-compute-image.nix | 81 | ||||
-rw-r--r-- | nixos/modules/virtualisation/nixos-container.pl | 1 | ||||
-rw-r--r-- | nixos/modules/virtualisation/qemu-vm.nix | 2 |
4 files changed, 83 insertions, 3 deletions
diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix
index 0473c2454e22..600a29f31bc5 100644
--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@@ -165,7 +165,7 @@ in
 boot.initrd.extraUtilsCommands = ''
 # We need swapon in the initrd.
- cp --remove-destination ${pkgs.utillinux}/sbin/swapon $out/bin
+ copy_bin_and_libs ${pkgs.utillinux}/sbin/swapon
 '';
 # Don't put old configurations in the GRUB menu. The user has no
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 98985d2d2c57..ee5485071a35 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -7,6 +7,9 @@ in
 {
 imports = [ ../profiles/headless.nix ../profiles/qemu-guest.nix ];
+ # https://cloud.google.com/compute/docs/tutorials/building-images
+ networking.firewall.enable = mkDefault false;
+
 system.build.googleComputeImage =
 pkgs.vmTools.runInLinuxVM (
 pkgs.runCommand "google-compute-image"
@@ -95,6 +98,7 @@ in
 boot.kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
 boot.initrd.kernelModules = [ "virtio_scsi" ];
+ boot.kernelModules = [ "virtio_pci" "virtio_net" ];
 # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd.
 boot.loader.grub.device = "/dev/sda";
@@ -108,6 +112,7 @@ in
 # at instance creation time.
 services.openssh.enable = true;
 services.openssh.permitRootLogin = "without-password";
+ services.openssh.passwordAuthentication = mkDefault false;
 # Force getting the hostname from Google Compute.
 networking.hostName = mkDefault "";
@@ -178,5 +183,79 @@ in
 serviceConfig.RemainAfterExit = true;
 serviceConfig.StandardError = "journal+console";
 serviceConfig.StandardOutput = "journal+console";
- };
+ };
+
+ # Setings taken from https://cloud.google.com/compute/docs/tutorials/building-images#providedkernel
+ boot.kernel.sysctl = {
+ # enables syn flood protection
+ "net.ipv4.tcp_syncookies" = mkDefault "1";
+
+ # ignores source-routed packets
+ "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
+
+ # ignores source-routed packets
+ "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
+
+ # ignores ICMP redirects
+ "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
+
+ # ignores ICMP redirects
+ "net.ipv4.conf.default.accept_redirects" = mkDefault "0";
+
+ # ignores ICMP redirects from non-GW hosts
+ "net.ipv4.conf.all.secure_redirects" = mkDefault "1";
+
+ # ignores ICMP redirects from non-GW hosts
+ "net.ipv4.conf.default.secure_redirects" = mkDefault "1";
+
+ # don't allow traffic between networks or act as a router
+ "net.ipv4.ip_forward" = mkDefault "0";
+
+ # don't allow traffic between networks or act as a router
+ "net.ipv4.conf.all.send_redirects" = mkDefault "0";
+
+ # don't allow traffic between networks or act as a router
+ "net.ipv4.conf.default.send_redirects" = mkDefault "0";
+
+ # reverse path filtering - IP spoofing protection
+ "net.ipv4.conf.all.rp_filter" = mkDefault "1";
+
+ # reverse path filtering - IP spoofing protection
+ "net.ipv4.conf.default.rp_filter" = mkDefault "1";
+
+ # ignores ICMP broadcasts to avoid participating in Smurf attacks
+ "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1";
+
+ # ignores bad ICMP errors
+ "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1";
+
+ # logs spoofed, source-routed, and redirect packets
+ "net.ipv4.conf.all.log_martians" = mkDefault "1";
+
+ # log spoofed, source-routed, and redirect packets
+ "net.ipv4.conf.default.log_martians" = mkDefault "1";
+
+ # implements RFC 1337 fix
+ "net.ipv4.tcp_rfc1337" = mkDefault "1";
+
+ # randomizes addresses of mmap base, heap, stack and VDSO page
+ "kernel.randomize_va_space" = mkDefault "2";
+
+ # provides protection from ToCToU races
+ "fs.protected_hardlinks" = mkDefault "1";
+
+ # provides protection from ToCToU races
+ "fs.protected_symlinks" = mkDefault "1";
+
+ # makes locating kernel addresses more difficult
+ "kernel.kptr_restrict" = mkDefault "1";
+
+ # set ptrace protections
+ "kernel.yama.ptrace_scope" = mkDefault "1";
+
+ # set perf only available to root
+ "kernel.perf_event_paranoid" = mkDefault "2";
+
+ };
+
 }
diff --git a/nixos/modules/virtualisation/nixos-container.pl b/nixos/modules/virtualisation/nixos-container.pl
index 1455f7143f13..f1d9e64ee38f 100644
--- a/nixos/modules/virtualisation/nixos-container.pl
+++ b/nixos/modules/virtualisation/nixos-container.pl
@@ -23,6 +23,7 @@ Usage: nixos-container list
 nixos-container start <container-name>
 nixos-container stop <container-name>
 nixos-container status <container-name>
+ nixos-container update <container-name> [--config <string>]
 nixos-container login <container-name>
 nixos-container root-login <container-name>
 nixos-container run <container-name> -- args...
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index a5a133dfa5dc..8c7e840910de 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -346,7 +346,7 @@ in
 boot.initrd.extraUtilsCommands = ''
 # We need mke2fs in the initrd.
- cp -vf --remove-destination ${pkgs.e2fsprogs}/sbin/mke2fs $out/bin
+ copy_bin_and_libs ${pkgs.e2fsprogs}/sbin/mke2fs
 '';
 boot.initrd.postDeviceCommands = |
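Review bot: In google-compute-image.nix the new `networking.firewall.enable = mkDefault false;` is justified only by a bare URL, so a reader cannot tell what the image relies on instead of the host firewall; a comment such as `# No host firewall: GCE images are expected to be filtered by the project's network firewall rules (see the building-images docs)` would make that dependency explicit for anyone keeping the default. In the sysctl block of the last hunk, `kernel.yama.ptrace_scope` only exists when the running kernel has the Yama LSM enabled, so if the image kernel lacks it the key will be reported as unknown when sysctl settings are applied at boot — worth a comment naming that kernel dependency next to the entry. The header comment `# Setings taken from ...` has a typo (`Settings`). All of these values are wrapped in `mkDefault`, so per-host overrides remain possible; the leading `- };`/`+ };` pair in that hunk looks like a whitespace-only change.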