66100e22f6
This commit makes the OpenSSH option `PermitRootLogin` available to be configured by other NixOS modules when using the Google Cloud Engine (GCE) NixOS image builder. Other options like `PasswordAuthentication` were already configurable, so I think it makes sense to make `PermitRootLogin` configurable as well is order to disable it completely, for example.
112 lines
3.4 KiB
Nix
112 lines
3.4 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
inherit (lib)
|
|
boolToString
|
|
mkDefault
|
|
mkIf
|
|
optional
|
|
readFile
|
|
;
|
|
in
|
|
|
|
{
|
|
imports = [
|
|
../profiles/headless.nix
|
|
../profiles/qemu-guest.nix
|
|
];
|
|
|
|
|
|
fileSystems."/" = {
|
|
fsType = "ext4";
|
|
device = "/dev/disk/by-label/nixos";
|
|
autoResize = true;
|
|
};
|
|
|
|
boot.growPartition = true;
|
|
boot.kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
|
|
boot.initrd.kernelModules = [ "virtio_scsi" ];
|
|
boot.kernelModules = [ "virtio_pci" "virtio_net" ];
|
|
|
|
# Generate a GRUB menu.
|
|
boot.loader.grub.device = "/dev/sda";
|
|
boot.loader.timeout = 0;
|
|
|
|
# Don't put old configurations in the GRUB menu. The user has no
|
|
# way to select them anyway.
|
|
boot.loader.grub.configurationLimit = 0;
|
|
|
|
# Allow root logins only using SSH keys
|
|
# and disable password authentication in general
|
|
services.openssh.enable = true;
|
|
services.openssh.settings.PermitRootLogin = mkDefault "prohibit-password";
|
|
services.openssh.settings.PasswordAuthentication = mkDefault false;
|
|
|
|
# enable OS Login. This also requires setting enable-oslogin=TRUE metadata on
|
|
# instance or project level
|
|
security.googleOsLogin.enable = true;
|
|
|
|
# Use GCE udev rules for dynamic disk volumes
|
|
services.udev.packages = [ pkgs.google-guest-configs ];
|
|
services.udev.path = [ pkgs.google-guest-configs ];
|
|
|
|
# Force getting the hostname from Google Compute.
|
|
networking.hostName = mkDefault "";
|
|
|
|
# Always include cryptsetup so that NixOps can use it.
|
|
environment.systemPackages = [ pkgs.cryptsetup ];
|
|
|
|
# Rely on GCP's firewall instead
|
|
networking.firewall.enable = mkDefault false;
|
|
|
|
# Configure default metadata hostnames
|
|
networking.extraHosts = ''
|
|
169.254.169.254 metadata.google.internal metadata
|
|
'';
|
|
|
|
networking.timeServers = [ "metadata.google.internal" ];
|
|
|
|
networking.usePredictableInterfaceNames = false;
|
|
|
|
# GC has 1460 MTU
|
|
networking.interfaces.eth0.mtu = 1460;
|
|
|
|
systemd.packages = [ pkgs.google-guest-agent ];
|
|
systemd.services.google-guest-agent = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
restartTriggers = [ config.environment.etc."default/instance_configs.cfg".source ];
|
|
path = optional config.users.mutableUsers pkgs.shadow;
|
|
};
|
|
systemd.services.google-startup-scripts.wantedBy = [ "multi-user.target" ];
|
|
systemd.services.google-shutdown-scripts.wantedBy = [ "multi-user.target" ];
|
|
|
|
security.sudo.extraRules = mkIf config.users.mutableUsers [
|
|
{ groups = [ "google-sudoers" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
|
|
];
|
|
|
|
users.groups.google-sudoers = mkIf config.users.mutableUsers { };
|
|
|
|
boot.extraModprobeConfig = readFile "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf";
|
|
|
|
environment.etc."sysctl.d/60-gce-network-security.conf".source = "${pkgs.google-guest-configs}/etc/sysctl.d/60-gce-network-security.conf";
|
|
|
|
environment.etc."default/instance_configs.cfg".text = ''
|
|
[Accounts]
|
|
useradd_cmd = useradd -m -s /run/current-system/sw/bin/bash -p * {user}
|
|
|
|
[Daemons]
|
|
accounts_daemon = ${boolToString config.users.mutableUsers}
|
|
|
|
[InstanceSetup]
|
|
# Make sure GCE image does not replace host key that NixOps sets.
|
|
set_host_keys = false
|
|
|
|
[MetadataScripts]
|
|
default_shell = ${pkgs.stdenv.shell}
|
|
|
|
[NetworkInterfaces]
|
|
dhclient_script = ${pkgs.google-guest-configs}/bin/google-dhclient-script
|
|
# We set up network interfaces declaratively.
|
|
setup = false
|
|
'';
|
|
}
|