about summary refs log tree commit diff
path: root/nixos/modules/virtualisation
diff options
context:
space:
mode:
authorVladimír Čunát <v@cunat.cz>2019-09-02 23:25:24 +0200
committerVladimír Čunát <v@cunat.cz>2019-09-02 23:25:24 +0200
commitf21211ebfe21797c6f0444d42ec7cb835c737388 (patch)
tree816465981f650242d4b22e0f01b912917e7008f8 /nixos/modules/virtualisation
parentb291f2a9953d48d6edc5c73776db9ba289ccf213 (diff)
parent12ae04518b004adf949a43125954b99c05189e6f (diff)
downloadnixlib-f21211ebfe21797c6f0444d42ec7cb835c737388.tar
nixlib-f21211ebfe21797c6f0444d42ec7cb835c737388.tar.gz
nixlib-f21211ebfe21797c6f0444d42ec7cb835c737388.tar.bz2
nixlib-f21211ebfe21797c6f0444d42ec7cb835c737388.tar.lz
nixlib-f21211ebfe21797c6f0444d42ec7cb835c737388.tar.xz
nixlib-f21211ebfe21797c6f0444d42ec7cb835c737388.tar.zst
nixlib-f21211ebfe21797c6f0444d42ec7cb835c737388.zip
Merge branch 'master' into staging
Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r--nixos/modules/virtualisation/anbox.nix2


-rw-r--r--nixos/modules/virtualisation/azure-agent.nix1


-rw-r--r--nixos/modules/virtualisation/azure-image.nix1


-rw-r--r--nixos/modules/virtualisation/containers.nix8


-rw-r--r--nixos/modules/virtualisation/google-compute-config.nix159


-rw-r--r--nixos/modules/virtualisation/kvmgt.nix4


-rw-r--r--nixos/modules/virtualisation/xen-dom0.nix2


7 files changed, 47 insertions, 130 deletions
diff --git a/nixos/modules/virtualisation/anbox.nix b/nixos/modules/virtualisation/anbox.nix
index c63b971ead02..da5df3580734 100644
--- a/nixos/modules/virtualisation/anbox.nix
+++ b/nixos/modules/virtualisation/anbox.nix
@@ -56,7 +56,7 @@ in
 
       dns = mkOption {
         default = "1.1.1.1";
-        type = types.string;
+        type = types.str;
         description = ''
           Container DNS server.
         '';
diff --git a/nixos/modules/virtualisation/azure-agent.nix b/nixos/modules/virtualisation/azure-agent.nix
index 770cefbcd511..036b1036f92a 100644
--- a/nixos/modules/virtualisation/azure-agent.nix
+++ b/nixos/modules/virtualisation/azure-agent.nix
@@ -166,7 +166,6 @@ in
 
       wantedBy = [ "sshd.service" "waagent.service" ];
       before = [ "sshd.service" "waagent.service" ];
-      after = [ "local-fs.target" ];
 
       path  = [ pkgs.coreutils ];
       script =
diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix
index dd2108ccc379..e91dd72ff5d4 100644
--- a/nixos/modules/virtualisation/azure-image.nix
+++ b/nixos/modules/virtualisation/azure-image.nix
@@ -26,7 +26,6 @@ in
 
       wantedBy = [ "sshd.service" "waagent.service" ];
       before = [ "sshd.service" "waagent.service" ];
-      after = [ "local-fs.target" ];
 
       path  = [ pkgs.coreutils ];
       script =
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 510b91904c59..9c9f8fc0c215 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -337,7 +337,7 @@ let
 
   networkOptions = {
     hostBridge = mkOption {
-      type = types.nullOr types.string;
+      type = types.nullOr types.str;
       default = null;
       example = "br0";
       description = ''
@@ -387,7 +387,7 @@ let
     };
 
     hostAddress6 = mkOption {
-      type = types.nullOr types.string;
+      type = types.nullOr types.str;
       default = null;
       example = "fc00::1";
       description = ''
@@ -409,7 +409,7 @@ let
     };
 
     localAddress6 = mkOption {
-      type = types.nullOr types.string;
+      type = types.nullOr types.str;
       default = null;
       example = "fc00::2";
       description = ''
@@ -565,7 +565,7 @@ in
             };
 
             interfaces = mkOption {
-              type = types.listOf types.string;
+              type = types.listOf types.str;
               default = [];
               example = [ "eth1" "eth2" ];
               description = ''
diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix
index 79766970c757..327324f2921d 100644
--- a/nixos/modules/virtualisation/google-compute-config.nix
+++ b/nixos/modules/virtualisation/google-compute-config.nix
@@ -21,7 +21,7 @@ in
   boot.initrd.kernelModules = [ "virtio_scsi" ];
   boot.kernelModules = [ "virtio_pci" "virtio_net" ];
 
-  # Generate a GRUB menu.  Amazon's pv-grub uses this to boot our kernel/initrd.
+  # Generate a GRUB menu.
   boot.loader.grub.device = "/dev/sda";
   boot.loader.timeout = 0;
 
@@ -29,12 +29,16 @@ in
   # way to select them anyway.
   boot.loader.grub.configurationLimit = 0;
 
-  # Allow root logins only using the SSH key that the user specified
-  # at instance creation time.
+  # Allow root logins only using SSH keys
+  # and disable password authentication in general
   services.openssh.enable = true;
   services.openssh.permitRootLogin = "prohibit-password";
   services.openssh.passwordAuthentication = mkDefault false;
 
+  # enable OS Login. This also requires setting enable-oslogin=TRUE metadata on
+  # instance or project level
+  security.googleOsLogin.enable = true;
+
   # Use GCE udev rules for dynamic disk volumes
   services.udev.packages = [ gce ];
 
@@ -65,165 +69,80 @@ in
   # GC has 1460 MTU
   networking.interfaces.eth0.mtu = 1460;
 
-  security.googleOsLogin.enable = true;
-
-  systemd.services.google-clock-skew-daemon = {
-    description = "Google Compute Engine Clock Skew Daemon";
-    after = [
-      "network.target"
-      "google-instance-setup.service"
-      "google-network-setup.service"
-    ];
-    requires = ["network.target"];
-    wantedBy = ["multi-user.target"];
-    serviceConfig = {
-      Type = "simple";
-      ExecStart = "${gce}/bin/google_clock_skew_daemon --debug";
-    };
-  };
-
   systemd.services.google-instance-setup = {
     description = "Google Compute Engine Instance Setup";
-    after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service"];
-    before = ["sshd.service"];
-    wants = ["local-fs.target" "network-online.target" "network.target"];
-    wantedBy = [ "sshd.service" "multi-user.target" ];
-    path = with pkgs; [ ethtool openssh ];
+    after = [ "network-online.target" "network.target" "rsyslog.service" ];
+    before = [ "sshd.service" ];
+    path = with pkgs; [ coreutils ethtool openssh ];
     serviceConfig = {
-      ExecStart = "${gce}/bin/google_instance_setup --debug";
+      ExecStart = "${gce}/bin/google_instance_setup";
+      StandardOutput="journal+console";
       Type = "oneshot";
     };
+    wantedBy = [ "sshd.service" "multi-user.target" ];
   };
 
   systemd.services.google-network-daemon = {
     description = "Google Compute Engine Network Daemon";
-    after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service" "google-instance-setup.service"];
-    wants = ["local-fs.target" "network-online.target" "network.target"];
-    requires = ["network.target"];
-    partOf = ["network.target"];
-    wantedBy = [ "multi-user.target" ];
+    after = [ "network-online.target" "network.target" "google-instance-setup.service" ];
     path = with pkgs; [ iproute ];
     serviceConfig = {
-      ExecStart = "${gce}/bin/google_network_daemon --debug";
+      ExecStart = "${gce}/bin/google_network_daemon";
+      StandardOutput="journal+console";
+      Type="simple";
     };
+    wantedBy = [ "multi-user.target" ];
   };
 
+  systemd.services.google-clock-skew-daemon = {
+    description = "Google Compute Engine Clock Skew Daemon";
+    after = [ "network.target" "google-instance-setup.service" "google-network-daemon.service" ];
+    serviceConfig = {
+      ExecStart = "${gce}/bin/google_clock_skew_daemon";
+      StandardOutput="journal+console";
+      Type = "simple";
+    };
+    wantedBy = ["multi-user.target"];
+  };
+
+
   systemd.services.google-shutdown-scripts = {
     description = "Google Compute Engine Shutdown Scripts";
     after = [
-      "local-fs.target"
       "network-online.target"
       "network.target"
       "rsyslog.service"
-      "systemd-resolved.service"
       "google-instance-setup.service"
       "google-network-daemon.service"
     ];
-    wants = [ "local-fs.target" "network-online.target" "network.target"];
-    wantedBy = [ "multi-user.target" ];
     serviceConfig = {
       ExecStart = "${pkgs.coreutils}/bin/true";
-      ExecStop = "${gce}/bin/google_metadata_script_runner --debug --script-type shutdown";
-      Type = "oneshot";
+      ExecStop = "${gce}/bin/google_metadata_script_runner --script-type shutdown";
       RemainAfterExit = true;
-      TimeoutStopSec = "infinity";
+      StandardOutput="journal+console";
+      TimeoutStopSec = "0";
+      Type = "oneshot";
     };
+    wantedBy = [ "multi-user.target" ];
   };
 
   systemd.services.google-startup-scripts = {
     description = "Google Compute Engine Startup Scripts";
     after = [
-      "local-fs.target"
       "network-online.target"
       "network.target"
       "rsyslog.service"
       "google-instance-setup.service"
       "google-network-daemon.service"
     ];
-    wants = ["local-fs.target" "network-online.target" "network.target"];
-    wantedBy = [ "multi-user.target" ];
     serviceConfig = {
-      ExecStart = "${gce}/bin/google_metadata_script_runner --debug --script-type startup";
+      ExecStart = "${gce}/bin/google_metadata_script_runner --script-type startup";
       KillMode = "process";
+      StandardOutput = "journal+console";
       Type = "oneshot";
     };
+    wantedBy = [ "multi-user.target" ];
   };
 
-
-  # Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf
-  boot.kernel.sysctl = {
-    # Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
-    # of TCP functionality/features under normal conditions.  When flood
-    # protections kick in under high unanswered-SYN load, the system
-    # should remain more stable, with a trade off of some loss of TCP
-    # functionality/features (e.g. TCP Window scaling).
-    "net.ipv4.tcp_syncookies" = mkDefault "1";
-
-    # ignores ICMP redirects
-    "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
-
-    # ignores ICMP redirects
-    "net.ipv4.conf.default.accept_redirects" = mkDefault "0";
-
-    # ignores ICMP redirects from non-GW hosts
-    "net.ipv4.conf.all.secure_redirects" = mkDefault "1";
-
-    # ignores ICMP redirects from non-GW hosts
-    "net.ipv4.conf.default.secure_redirects" = mkDefault "1";
-
-    # don't allow traffic between networks or act as a router
-    "net.ipv4.ip_forward" = mkDefault "0";
-
-    # don't allow traffic between networks or act as a router
-    "net.ipv4.conf.all.send_redirects" = mkDefault "0";
-
-    # don't allow traffic between networks or act as a router
-    "net.ipv4.conf.default.send_redirects" = mkDefault "0";
-
-    # strict reverse path filtering - IP spoofing protection
-    "net.ipv4.conf.all.rp_filter" = mkDefault "1";
-
-    # strict path filtering - IP spoofing protection
-    "net.ipv4.conf.default.rp_filter" = mkDefault "1";
-
-    # ignores ICMP broadcasts to avoid participating in Smurf attacks
-    "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1";
-
-    # ignores bad ICMP errors
-    "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1";
-
-    # logs spoofed, source-routed, and redirect packets
-    "net.ipv4.conf.all.log_martians" = mkDefault "1";
-
-    # log spoofed, source-routed, and redirect packets
-    "net.ipv4.conf.default.log_martians" = mkDefault "1";
-
-    # implements RFC 1337 fix
-    "net.ipv4.tcp_rfc1337" = mkDefault "1";
-
-    # randomizes addresses of mmap base, heap, stack and VDSO page
-    "kernel.randomize_va_space" = mkDefault "2";
-
-    # Reboot the machine soon after a kernel panic.
-    "kernel.panic" = mkDefault "10";
-
-    ## Not part of the original config
-
-    # provides protection from ToCToU races
-    "fs.protected_hardlinks" = mkDefault "1";
-
-    # provides protection from ToCToU races
-    "fs.protected_symlinks" = mkDefault "1";
-
-    # makes locating kernel addresses more difficult
-    "kernel.kptr_restrict" = mkDefault "1";
-
-    # set ptrace protections
-    "kernel.yama.ptrace_scope" = mkOverride 500 "1";
-
-    # set perf only available to root
-    "kernel.perf_event_paranoid" = mkDefault "2";
-
-  };
-
+  environment.etc."sysctl.d/11-gce-network-security.conf".source = "${gce}/sysctl.d/11-gce-network-security.conf";
 }
diff --git a/nixos/modules/virtualisation/kvmgt.nix b/nixos/modules/virtualisation/kvmgt.nix
index df4c5678fd19..36ef6d17df69 100644
--- a/nixos/modules/virtualisation/kvmgt.nix
+++ b/nixos/modules/virtualisation/kvmgt.nix
@@ -9,7 +9,7 @@ let
 
   vgpuOptions = {
     uuid = mkOption {
-      type = types.string;
+      type = types.str;
       description = "UUID of VGPU device. You can generate one with <package>libossp_uuid</package>.";
     };
   };
@@ -23,7 +23,7 @@ in {
       '';
       # multi GPU support is under the question
       device = mkOption {
-        type = types.string;
+        type = types.str;
         default = "0000:00:02.0";
         description = "PCI ID of graphics card. You can figure it with <command>ls /sys/class/mdev_bus</command>.";
       };
diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix
index 70e575b6c0d2..06d5c63476f9 100644
--- a/nixos/modules/virtualisation/xen-dom0.nix
+++ b/nixos/modules/virtualisation/xen-dom0.nix
@@ -119,7 +119,7 @@ in
 
     virtualisation.xen.domains = {
         extraConfig = mkOption {
-          type = types.string;
+          type = types.lines;
           default = "";
           description =
             ''

 

generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-11 15:24:07 +0000