mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-11 12:15:34 +03:00
374e6bcc40
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
144 lines
3.7 KiB
Nix
144 lines
3.7 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
|
|
let
|
|
inherit (lib)
|
|
boolToString
|
|
mkDefault
|
|
mkIf
|
|
optional
|
|
readFile
|
|
;
|
|
in
|
|
|
|
{
|
|
imports = [
|
|
../profiles/headless.nix
|
|
../profiles/qemu-guest.nix
|
|
];
|
|
|
|
fileSystems."/" = {
|
|
fsType = "ext4";
|
|
device = "/dev/disk/by-label/nixos";
|
|
autoResize = true;
|
|
};
|
|
|
|
boot.growPartition = true;
|
|
boot.kernelParams = [
|
|
"console=ttyS0"
|
|
"panic=1"
|
|
"boot.panic_on_fail"
|
|
];
|
|
boot.initrd.kernelModules = [ "virtio_scsi" ];
|
|
boot.kernelModules = [
|
|
"virtio_pci"
|
|
"virtio_net"
|
|
];
|
|
|
|
# Generate a GRUB menu.
|
|
boot.loader.grub.device = "/dev/sda";
|
|
boot.loader.timeout = 0;
|
|
|
|
# Don't put old configurations in the GRUB menu. The user has no
|
|
# way to select them anyway.
|
|
boot.loader.grub.configurationLimit = 0;
|
|
|
|
# Allow root logins only using SSH keys
|
|
# and disable password authentication in general
|
|
services.openssh.enable = true;
|
|
services.openssh.settings.PermitRootLogin = mkDefault "prohibit-password";
|
|
services.openssh.settings.PasswordAuthentication = mkDefault false;
|
|
|
|
# enable OS Login. This also requires setting enable-oslogin=TRUE metadata on
|
|
# instance or project level
|
|
security.googleOsLogin.enable = true;
|
|
|
|
# Use GCE udev rules for dynamic disk volumes
|
|
services.udev.packages = [ pkgs.google-guest-configs ];
|
|
services.udev.path = [ pkgs.google-guest-configs ];
|
|
|
|
# Force getting the hostname from Google Compute.
|
|
networking.hostName = mkDefault "";
|
|
|
|
# Always include cryptsetup so that NixOps can use it.
|
|
environment.systemPackages = [ pkgs.cryptsetup ];
|
|
|
|
# Rely on GCP's firewall instead
|
|
networking.firewall.enable = mkDefault false;
|
|
|
|
# Configure default metadata hostnames
|
|
networking.extraHosts = ''
|
|
169.254.169.254 metadata.google.internal metadata
|
|
'';
|
|
|
|
networking.timeServers = [ "metadata.google.internal" ];
|
|
|
|
networking.usePredictableInterfaceNames = false;
|
|
|
|
# GC has 1460 MTU
|
|
networking.interfaces.eth0.mtu = 1460;
|
|
|
|
systemd.packages = [ pkgs.google-guest-agent ];
|
|
systemd.services.google-guest-agent = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
restartTriggers = [ config.environment.etc."default/instance_configs.cfg".source ];
|
|
path = optional config.users.mutableUsers pkgs.shadow;
|
|
};
|
|
systemd.services.google-startup-scripts.wantedBy = [ "multi-user.target" ];
|
|
systemd.services.google-shutdown-scripts.wantedBy = [ "multi-user.target" ];
|
|
|
|
security.sudo.extraRules = mkIf config.users.mutableUsers [
|
|
{
|
|
groups = [ "google-sudoers" ];
|
|
commands = [
|
|
{
|
|
command = "ALL";
|
|
options = [ "NOPASSWD" ];
|
|
}
|
|
];
|
|
}
|
|
];
|
|
|
|
security.sudo-rs.extraRules = mkIf config.users.mutableUsers [
|
|
{
|
|
groups = [ "google-sudoers" ];
|
|
commands = [
|
|
{
|
|
command = "ALL";
|
|
options = [ "NOPASSWD" ];
|
|
}
|
|
];
|
|
}
|
|
];
|
|
|
|
users.groups.google-sudoers = mkIf config.users.mutableUsers { };
|
|
|
|
boot.extraModprobeConfig = readFile "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf";
|
|
|
|
environment.etc."sysctl.d/60-gce-network-security.conf".source =
|
|
"${pkgs.google-guest-configs}/etc/sysctl.d/60-gce-network-security.conf";
|
|
|
|
environment.etc."default/instance_configs.cfg".text = ''
|
|
[Accounts]
|
|
useradd_cmd = useradd -m -s /run/current-system/sw/bin/bash -p * {user}
|
|
|
|
[Daemons]
|
|
accounts_daemon = ${boolToString config.users.mutableUsers}
|
|
|
|
[InstanceSetup]
|
|
# Make sure GCE image does not replace host key that NixOps sets.
|
|
set_host_keys = false
|
|
|
|
[MetadataScripts]
|
|
default_shell = ${pkgs.stdenv.shell}
|
|
|
|
[NetworkInterfaces]
|
|
dhclient_script = ${pkgs.google-guest-configs}/bin/google-dhclient-script
|
|
# We set up network interfaces declaratively.
|
|
setup = false
|
|
'';
|
|
}
|