author | Vladimír Čunát <v@cunat.cz> | 2019-09-02 23:25:24 +0200 |
---|---|---|
committer | Vladimír Čunát <v@cunat.cz> | 2019-09-02 23:25:24 +0200 |
commit | f21211ebfe21797c6f0444d42ec7cb835c737388 (patch) | |
tree | 816465981f650242d4b22e0f01b912917e7008f8 /nixos/modules/virtualisation | |
parent | b291f2a9953d48d6edc5c73776db9ba289ccf213 (diff) | |
parent | 12ae04518b004adf949a43125954b99c05189e6f (diff) | |
Merge branch 'master' into staging
Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r-- | nixos/modules/virtualisation/anbox.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/azure-agent.nix | 1 | ||||
-rw-r--r-- | nixos/modules/virtualisation/azure-image.nix | 1 | ||||
-rw-r--r-- | nixos/modules/virtualisation/containers.nix | 8 | ||||
-rw-r--r-- | nixos/modules/virtualisation/google-compute-config.nix | 159 | ||||
-rw-r--r-- | nixos/modules/virtualisation/kvmgt.nix | 4 | ||||
-rw-r--r-- | nixos/modules/virtualisation/xen-dom0.nix | 2 |
7 files changed, 47 insertions, 130 deletions
diff --git a/nixos/modules/virtualisation/anbox.nix b/nixos/modules/virtualisation/anbox.nix
index c63b971ead02..da5df3580734 100644
--- a/nixos/modules/virtualisation/anbox.nix
+++ b/nixos/modules/virtualisation/anbox.nix
@@ -56,7 +56,7 @@ in
 dns = mkOption {
 default = "1.1.1.1";
- type = types.string;
+ type = types.str;
 description = '' Container DNS server. '';
diff --git a/nixos/modules/virtualisation/azure-agent.nix b/nixos/modules/virtualisation/azure-agent.nix
index 770cefbcd511..036b1036f92a 100644
--- a/nixos/modules/virtualisation/azure-agent.nix
+++ b/nixos/modules/virtualisation/azure-agent.nix
@@ -166,7 +166,6 @@ in
 wantedBy = [ "sshd.service" "waagent.service" ];
 before = [ "sshd.service" "waagent.service" ];
- after = [ "local-fs.target" ];
 path = [ pkgs.coreutils ];
 script =
diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix
index dd2108ccc379..e91dd72ff5d4 100644
--- a/nixos/modules/virtualisation/azure-image.nix
+++ b/nixos/modules/virtualisation/azure-image.nix
@@ -26,7 +26,6 @@ in
 wantedBy = [ "sshd.service" "waagent.service" ];
 before = [ "sshd.service" "waagent.service" ];
- after = [ "local-fs.target" ];
 path = [ pkgs.coreutils ];
 script =
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 510b91904c59..9c9f8fc0c215 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -337,7 +337,7 @@ let
 networkOptions = {
 hostBridge = mkOption {
- type = types.nullOr types.string;
+ type = types.nullOr types.str;
 default = null;
 example = "br0";
 description = ''
@@ -387,7 +387,7 @@ let
 };
 hostAddress6 = mkOption {
- type = types.nullOr types.string;
+ type = types.nullOr types.str;
 default = null;
 example = "fc00::1";
 description = '' 
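Review bot: Dropping `after = [ "local-fs.target" ]` in the azure-agent.nix hunk leaves this unit's ordering against the local filesystems to systemd's implicit default dependencies (`After=sysinit.target`, which is itself ordered after `local-fs.target`), and that only holds while the unit keeps `DefaultDependencies=yes`. The unit's head, where such a setting would live, and the body of `script =` are both outside the hunk, so I cannot confirm from here that nothing disables them. The identical removal appears in the azure-image.nix hunk. Since the unit runs before `sshd.service`, a one-line comment such as `# ordering after local-fs.target is provided by DefaultDependencies` next to `before = [ ... ]` would make the reliance explicit for the next maintainer.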
@@ -409,7 +409,7 @@ let
 };
 localAddress6 = mkOption {
- type = types.nullOr types.string;
+ type = types.nullOr types.str;
 default = null;
 example = "fc00::2";
 description = ''
@@ -565,7 +565,7 @@ in
 };
 interfaces = mkOption {
- type = types.listOf types.string;
+ type = types.listOf types.str;
 default = [];
 example = [ "eth1" "eth2" ];
 description = ''
diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix
index 79766970c757..327324f2921d 100644
--- a/nixos/modules/virtualisation/google-compute-config.nix
+++ b/nixos/modules/virtualisation/google-compute-config.nix
@@ -21,7 +21,7 @@ in
 boot.initrd.kernelModules = [ "virtio_scsi" ];
 boot.kernelModules = [ "virtio_pci" "virtio_net" ];
- # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd.
+ # Generate a GRUB menu.
 boot.loader.grub.device = "/dev/sda";
 boot.loader.timeout = 0;
@@ -29,12 +29,16 @@ in
 # way to select them anyway.
 boot.loader.grub.configurationLimit = 0;
- # Allow root logins only using the SSH key that the user specified
- # at instance creation time.
+ # Allow root logins only using SSH keys
+ # and disable password authentication in general
 services.openssh.enable = true;
 services.openssh.permitRootLogin = "prohibit-password";
 services.openssh.passwordAuthentication = mkDefault false;
+ # enable OS Login. This also requires setting enable-oslogin=TRUE metadata on
+ # instance or project level
+ security.googleOsLogin.enable = true;
+ # Use GCE udev rules for dynamic disk volumes
 services.udev.packages = [ gce ];
@@ -65,165 +69,80 @@ in
 # GC has 1460 MTU
 networking.interfaces.eth0.mtu = 1460;
- security.googleOsLogin.enable = true;
-
- systemd.services.google-clock-skew-daemon = {
- description = "Google Compute Engine Clock Skew Daemon";
- after = [
- "network.target"
- "google-instance-setup.service"
- "google-network-setup.service"
- ];
- requires = ["network.target"];
- wantedBy = ["multi-user.target"];
- serviceConfig = {
- Type = "simple";
- ExecStart = "${gce}/bin/google_clock_skew_daemon --debug";
- };
- };
-
 systemd.services.google-instance-setup = {
 description = "Google Compute Engine Instance Setup";
- after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service"];
- before = ["sshd.service"];
- wants = ["local-fs.target" "network-online.target" "network.target"];
- wantedBy = [ "sshd.service" "multi-user.target" ];
- path = with pkgs; [ ethtool openssh ];
+ after = [ "network-online.target" "network.target" "rsyslog.service" ];
+ before = [ "sshd.service" ];
+ path = with pkgs; [ coreutils ethtool openssh ];
 serviceConfig = {
- ExecStart = "${gce}/bin/google_instance_setup --debug";
+ ExecStart = "${gce}/bin/google_instance_setup";
+ StandardOutput="journal+console";
 Type = "oneshot";
 };
+ wantedBy = [ "sshd.service" "multi-user.target" ];
 };
 systemd.services.google-network-daemon = {
 description = "Google Compute Engine Network Daemon";
- after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service" "google-instance-setup.service"];
- wants = ["local-fs.target" "network-online.target" "network.target"];
- requires = ["network.target"];
- partOf = ["network.target"];
- wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" "network.target" "google-instance-setup.service" ];
 path = with pkgs; [ iproute ];
 serviceConfig = {
- ExecStart = "${gce}/bin/google_network_daemon --debug";
+ ExecStart = "${gce}/bin/google_network_daemon";
+ StandardOutput="journal+console";
+ Type="simple";
 };
+ wantedBy = [ 
 "multi-user.target" ];
 };
+ systemd.services.google-clock-skew-daemon = {
+ description = "Google Compute Engine Clock Skew Daemon";
+ after = [ "network.target" "google-instance-setup.service" "google-network-daemon.service" ];
+ serviceConfig = {
+ ExecStart = "${gce}/bin/google_clock_skew_daemon";
+ StandardOutput="journal+console";
+ Type = "simple";
+ };
+ wantedBy = ["multi-user.target"];
+ };
+ + systemd.services.google-shutdown-scripts = {
 description = "Google Compute Engine Shutdown Scripts";
 after = [
- "local-fs.target" "network-online.target" "network.target" "rsyslog.service"
- "systemd-resolved.service" "google-instance-setup.service" "google-network-daemon.service" ];
- wants = [ "local-fs.target" "network-online.target" "network.target"];
- wantedBy = [ "multi-user.target" ];
 serviceConfig = {
 ExecStart = "${pkgs.coreutils}/bin/true";
- ExecStop = "${gce}/bin/google_metadata_script_runner --debug --script-type shutdown";
- Type = "oneshot";
+ ExecStop = "${gce}/bin/google_metadata_script_runner --script-type shutdown";
 RemainAfterExit = true;
- TimeoutStopSec = "infinity";
+ StandardOutput="journal+console";
+ TimeoutStopSec = "0";
+ Type = "oneshot";
 };
+ wantedBy = [ "multi-user.target" ];
 };
 systemd.services.google-startup-scripts = {
 description = "Google Compute Engine Startup Scripts";
 after = [
- "local-fs.target" "network-online.target" "network.target" "rsyslog.service" "google-instance-setup.service" "google-network-daemon.service" ];
- wants = ["local-fs.target" "network-online.target" "network.target"];
- wantedBy = [ "multi-user.target" ];
 serviceConfig = {
- ExecStart = "${gce}/bin/google_metadata_script_runner --debug --script-type startup";
+ ExecStart = "${gce}/bin/google_metadata_script_runner --script-type startup";
 KillMode = "process";
+ StandardOutput = "journal+console";
 Type = "oneshot";
 };
+ wantedBy = [ "multi-user.target" ];
 };
-
- # Settings taken from 
https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf
- boot.kernel.sysctl = {
- # Turn on SYN-flood protections. Starting with 2.6.26, there is no loss - of TCP functionality/features under normal conditions. When flood - protections kick in under high unanswered-SYN load, the system - should remain more stable, with a trade off of some loss of TCP - functionality/features (e.g. TCP Window scaling).
- "net.ipv4.tcp_syncookies" = mkDefault "1";
-
- # ignores ICMP redirects
- "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
-
- # ignores ICMP redirects
- "net.ipv4.conf.default.accept_redirects" = mkDefault "0";
-
- # ignores ICMP redirects from non-GW hosts
- "net.ipv4.conf.all.secure_redirects" = mkDefault "1";
-
- # ignores ICMP redirects from non-GW hosts
- "net.ipv4.conf.default.secure_redirects" = mkDefault "1";
-
- # don't allow traffic between networks or act as a router
- "net.ipv4.ip_forward" = mkDefault "0";
-
- # don't allow traffic between networks or act as a router
- "net.ipv4.conf.all.send_redirects" = mkDefault "0";
-
- # don't allow traffic between networks or act as a router
- "net.ipv4.conf.default.send_redirects" = mkDefault "0";
-
- # strict reverse path filtering - IP spoofing protection
- "net.ipv4.conf.all.rp_filter" = mkDefault "1";
-
- # strict path filtering - IP spoofing protection
- "net.ipv4.conf.default.rp_filter" = mkDefault "1";
-
- # ignores ICMP broadcasts to avoid participating in Smurf attacks
- "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1";
-
- # ignores bad ICMP errors
- "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1";
-
- # logs spoofed, source-routed, and redirect packets
- "net.ipv4.conf.all.log_martians" = mkDefault "1";
-
- # log spoofed, source-routed, and redirect packets
- "net.ipv4.conf.default.log_martians" = mkDefault "1";
-
- # implements RFC 1337 fix
- "net.ipv4.tcp_rfc1337" = mkDefault "1";
-
- # randomizes 
addresses of mmap base, heap, stack and VDSO page
- "kernel.randomize_va_space" = mkDefault "2";
-
- # Reboot the machine soon after a kernel panic.
- "kernel.panic" = mkDefault "10";
-
- ## Not part of the original config
-
- # provides protection from ToCToU races
- "fs.protected_hardlinks" = mkDefault "1";
-
- # provides protection from ToCToU races
- "fs.protected_symlinks" = mkDefault "1";
-
- # makes locating kernel addresses more difficult
- "kernel.kptr_restrict" = mkDefault "1";
-
- # set ptrace protections
- "kernel.yama.ptrace_scope" = mkOverride 500 "1";
-
- # set perf only available to root
- "kernel.perf_event_paranoid" = mkDefault "2";
-
- };
-
+ environment.etc."sysctl.d/11-gce-network-security.conf".source = "${gce}/sysctl.d/11-gce-network-security.conf";
 }
diff --git a/nixos/modules/virtualisation/kvmgt.nix b/nixos/modules/virtualisation/kvmgt.nix
index df4c5678fd19..36ef6d17df69 100644
--- a/nixos/modules/virtualisation/kvmgt.nix
+++ b/nixos/modules/virtualisation/kvmgt.nix
@@ -9,7 +9,7 @@ let
 vgpuOptions = {
 uuid = mkOption {
- type = types.string;
+ type = types.str;
 description = "UUID of VGPU device. You can generate one with <package>libossp_uuid</package>.";
 };
 };
@@ -23,7 +23,7 @@ in {
 '';
 # multi GPU support is under the question
 device = mkOption {
- type = types.string;
+ type = types.str;
 default = "0000:00:02.0";
 description = "PCI ID of graphics card. You can figure it with <command>ls /sys/class/mdev_bus</command>.";
 };
diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix
index 70e575b6c0d2..06d5c63476f9 100644
--- a/nixos/modules/virtualisation/xen-dom0.nix
+++ b/nixos/modules/virtualisation/xen-dom0.nix
@@ -119,7 +119,7 @@ in
 virtualisation.xen.domains = {
 extraConfig = mkOption {
- type = types.string;
+ type = types.lines;
 default = "";
 description = '' |
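Review bot: Replacing the inline `boot.kernel.sysctl` block with the added `environment.etc."sysctl.d/11-gce-network-security.conf".source` line silently drops the five settings the old block listed under `## Not part of the original config` (`fs.protected_hardlinks`, `fs.protected_symlinks`, `kernel.kptr_restrict`, `kernel.yama.ptrace_scope`, `kernel.perf_event_paranoid`); a vendor file named after the network-security config presumably does not carry them, so unless NixOS sets them elsewhere the image loses that hardening without a word in the commit. The old values were also `mkDefault`/`mkOverride`, i.e. adjustable through `boot.kernel.sysctl`, whereas a static file under `/etc/sysctl.d` is reconciled with NixOS's own sysctl file purely by lexical file order, so a user override of e.g. `net.ipv4.ip_forward` now depends on which file sorts later; a comment on the new line stating that the GCE file is applied before NixOS-managed sysctls (if that is the intent) would prevent surprises. Separately, `google-instance-setup` and `google-network-daemon` keep `after = [ "network-online.target" ... ]` but lose their `wants = [ ... "network-online.target" ... ]` entries, and `After=` alone does not pull the target in, so on a boot where nothing else wants `network-online.target` the ordering is a no-op and setup may run before the network is up — consider restoring `wants = [ "network-online.target" ];` on both units. The enclosing attribute set begins before this hunk.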