#!/bin/sh
#
# $FreeBSD$
#
# Whitespace-separated list of packages to install into the image:
# Google's guest tooling (google-cloud-sdk, google-daemon,
# google-startup-scripts), the firstboot rc.d helpers (freebsd-update,
# pkgs, growfs), sudo and panicmail.
VM_EXTRA_PACKAGES="firstboot-freebsd-update firstboot-pkgs \
	google-cloud-sdk google-daemon panicmail sudo firstboot-growfs \
	google-startup-scripts"
export VM_EXTRA_PACKAGES

# Whitespace-separated list of rc.d services (third-party and base) to
# enable in the image's rc.conf(5).
VM_RC_LIST="google_accounts_manager ntpd sshd firstboot_growfs \
	firstboot_pkgs firstboot_freebsd_update google_startup"
export VM_RC_LIST
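# Write the image's resolv.conf(5): search google.internal, resolve via the
# GCE metadata server (169.254.169.254) first and 8.8.8.8 as a fallback.
# Globals:  DESTDIR (read) - root of the image being built.  Must be set and
#           non-empty, otherwise the path would collapse to the build host's
#           own /etc/resolv.conf and clobber it.
# Returns:  0 on success; a missing DESTDIR aborts the script.
vm_extra_install_base() {
	# One write instead of three echo/append steps; ${DESTDIR:?} is the
	# guard against running this against the host.
	printf '%s\n' \
	    'search google.internal' \
	    'nameserver 169.254.169.254' \
	    'nameserver 8.8.8.8' > "${DESTDIR:?DESTDIR must point at the image root}/etc/resolv.conf"
}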
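# Final GCE-specific customisation, run just before the image filesystem is
# unmounted: append settings to rc.conf(5), loader.conf(5), syslog.conf(5),
# sshd_config(5), crontab(5) and sysctl.conf(5); replace ntp.conf(5) and
# /etc/hosts; and drop the /firstboot marker.
# Globals:  DESTDIR (read) - root of the image being built.  Must be set and
#           non-empty, otherwise every path below would point at the build
#           host's own /etc and /boot.
# Returns:  0 on success; a missing DESTDIR aborts the script.
vm_extra_pre_umount() {
	: "${DESTDIR:?DESTDIR must point at the image root}"

	# The heredoc delimiters below are quoted: none of these fragments is
	# meant to undergo shell expansion, so a stray $ can never leak in.
	cat << 'EOF' >> "${DESTDIR}/etc/rc.conf"
dumpdev="AUTO"
ifconfig_DEFAULT="SYNCDHCP mtu 1460"
ntpd_sync_on_start="YES"
# need to fill in something here
#firstboot_pkgs_list=""
panicmail_autosubmit="YES"
EOF

	# Unattended boot (no loader menu/countdown) on a serial console, which
	# is what the GCE serial port exposes; load the crypto and NVMe drivers.
	cat << 'EOF' >> "${DESTDIR}/boot/loader.conf"
autoboot_delay="-1"
beastie_disable="YES"
loader_logo="none"
hw.memtest.tests="0"
console="comconsole,vidconsole"
hw.vtnet.mq_disable=1
kern.timecounter.hardware=ACPI-safe
aesni_load="YES"
nvme_load="YES"
EOF

	# Static name for the metadata server so it resolves before DNS is up.
	printf '%s\n' '169.254.169.254 metadata.google.internal metadata' \
	    > "${DESTDIR}/etc/hosts"

	# Overwrite ntp.conf: the metadata server is the only time source, and
	# the default restrict lines deny remote query/modification.
	cat << 'EOF' > "${DESTDIR}/etc/ntp.conf"
server metadata.google.internal iburst

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
EOF

	# Mirror errors/warnings to the console so they show up on the GCE
	# serial port log.
	cat << 'EOF' >> "${DESTDIR}/etc/syslog.conf"
*.err;kern.warning;auth.notice;mail.crit		/dev/console
EOF

	# sshd hardening for a cloud guest: no X11/agent forwarding, no
	# challenge-response auth, idle clients dropped after ClientAliveInterval.
	# NOTE(review): the Ciphers list still offers arcfour*, aes*-cbc and
	# 3des-cbc.  Those are deprecated and later OpenSSH releases no longer
	# recognise them, at which point sshd rejects the whole cipher spec at
	# start-up.  Left unchanged here because it is image policy; verify it
	# against the sshd shipped in the image's base system.
	cat << 'EOF' >> "${DESTDIR}/etc/ssh/sshd_config"
ChallengeResponseAuthentication no
X11Forwarding no
AcceptEnv LANG
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
AllowAgentForwarding no
ClientAliveInterval 420
EOF

	# Nightly freebsd-update check at 03:00.
	cat << 'EOF' >> "${DESTDIR}/etc/crontab"
0	3	*	*	*	root	/usr/sbin/freebsd-update cron
EOF

	# Network hardening (ignore/drop ICMP redirects, blackhole closed ports),
	# larger listen backlog, and trace-but-don't-drop-into-ddb on panic so
	# panicmail can report it.
	cat << 'EOF' >> "${DESTDIR}/etc/sysctl.conf"
net.inet.icmp.drop_redirect=1
net.inet.ip.redirect=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
kern.ipc.somaxconn=1024
debug.trace_on_panic=1
debug.debugger_on_panic=0
EOF

	## XXX: Verify this is needed.  I do not see this requirement
	## in the docs, and it impairs the ability to boot-test a copy
	## of the image prior to packaging for upload to GCE.
	#sed -E -i '' 's/^([^#].*[[:space:]])on/\1off/' "${DESTDIR}/etc/ttys"

	# Marker the firstboot_* rc.d scripts listed in VM_RC_LIST look for.
	touch "${DESTDIR}/firstboot"

	return 0
}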