feat(tdx): add nix build for TDX google VMs

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 23:23:57 +02:00 · 2025-01-08 08:59:23 +01:00 · 2025-01-08 08:59:23 +01:00 · dc1e756ec6
commit dc1e756ec6
parent 8270c389e4
11 changed files with 638 additions and 16 deletions
--- a/packages/tdx_google/google.nix
+++ b/packages/tdx_google/google.nix
@ -0,0 +1,33 @@
+{ lib
+, pkgs
+, modulesPath
+, ...
+}: {
+  imports = [
+    "${toString modulesPath}/profiles/headless.nix"
+  ];
+
+  system.image.id = "tdx_base";
+
+  boot.initrd.kernelModules = [ "virtio_scsi" ];
+  boot.kernelModules = [ "virtio_pci" "virtio_net" ];
+
+  # Force getting the hostname from Google Compute.
+  networking.hostName = lib.mkForce "";
+
+  # Configure default metadata hostnames
+  networking.extraHosts = ''
+    169.254.169.254 metadata.google.internal metadata
+  '';
+
+  networking.timeServers = [ "metadata.google.internal" ];
+
+  environment.etc."sysctl.d/60-gce-network-security.conf".source = "${pkgs.google-guest-configs}/etc/sysctl.d/60-gce-network-security.conf";
+
+  networking.usePredictableInterfaceNames = false;
+
+  # GC has 1460 MTU
+  networking.interfaces.eth0.mtu = 1460;
+
+  boot.extraModprobeConfig = lib.readFile "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf";
+}