Add missing which in nodes checkPhase

When enabling checks, the build log is polluted with errors.

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
Tested-by: Aleix Boné <abonerib@bsc.es>

.gitea/workflows/ci.yaml

@@ -12,4 +12,9 @@ jobs:
     runs-on: native
     steps:
       - uses: https://gitea.com/ScMi1/checkout@v1.4
-      - run: nix build -L --no-link --print-out-paths .#bsc-ci.all
+      - run: nix build -L --no-link --print-out-paths .#bsc.ci.all
+  build:cross:
+    runs-on: native
+    steps:
+      - uses: https://gitea.com/ScMi1/checkout@v1.4
+      - run: nix build -L --no-link --print-out-paths .#bsc.ci.cross

doc/maintainers.md

@@ -0,0 +1,30 @@
+# Maintainers
+
+## Role of a maintainer
+The responsibilities of maintainers are quite lax, and similar in spirit to
+[nixpkgs' maintainers][1]:
+
+    The main responsibility of a maintainer is to keep the packages they
+    maintain in a functioning state, and keep up with updates. In order to do
+    that, they are empowered to make decisions over the packages they maintain.
+
+    That being said, the maintainer is not alone in proposing changes to the
+    packages. Anybody (both bots and humans) can send PRs to bump or tweak the
+    package.
+
+In practice, this means that when updating or proposing changes to a package,
+we will notify maintainers by mentioning them in Gitea so they can test changes
+and give feedback.
+
+Since we do bi-yearly release cycles, there is no expectation from maintainers
+to update packages at each upstream release. Nevertheless, on each release cycle
+we may request help from maintainers when updating or testing their packages.
+
+## Becoming a maintainer
+
+
+You'll have to add yourself in the `maintainers.nix` list; your username should
+match your `bsc.es` email. Then you can add yourself to the `meta.maintainers`
+of any package you are interested in maintaining.
+
+[1]: [https://github.com/NixOS/nixpkgs/tree/nixos-25.05/maintainers]

flake.lock

@@ -1,71 +1,5 @@
 {
   "nodes": {
-    "agenix": {
-      "inputs": {
-        "darwin": "darwin",
-        "home-manager": "home-manager",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1750173260,
-        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
-        "owner": "ryantm",
-        "repo": "agenix",
-        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ryantm",
-        "repo": "agenix",
-        "type": "github"
-      }
-    },
-    "darwin": {
-      "inputs": {
-        "nixpkgs": [
-          "agenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1744478979,
-        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lnl7",
-        "ref": "master",
-        "repo": "nix-darwin",
-        "type": "github"
-      }
-    },
-    "home-manager": {
-      "inputs": {
-        "nixpkgs": [
-          "agenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1745494811,
-        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1752436162,
@@ -84,24 +18,8 @@
     },
     "root": {
       "inputs": {
-        "agenix": "agenix",
         "nixpkgs": "nixpkgs"
       }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -1,15 +1,13 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
-    agenix.url = "github:ryantm/agenix";
-    agenix.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, agenix, ... }:
+  outputs = { self, nixpkgs, ... }:
 let
   mkConf = name: nixpkgs.lib.nixosSystem {
     system = "x86_64-linux";
-    specialArgs = { inherit nixpkgs agenix; theFlake = self; };
+    specialArgs = { inherit nixpkgs; theFlake = self; };
     modules = [ "${self.outPath}/m/${name}/configuration.nix" ];
   };
   # For now we only support x86
@@ -42,11 +40,13 @@ in
     # full nixpkgs with our overlay applied
     legacyPackages.${system} = pkgs;
 
-    hydraJobs = {
+    hydraJobs = self.legacyPackages.${system}.bsc.hydraJobs;
-      inherit (self.legacyPackages.${system}.bsc-ci) tests pkgs cross;
-    };
 
     # propagate nixpkgs lib, so we can do bscpkgs.lib
-    inherit (nixpkgs) lib;
+    lib = nixpkgs.lib // {
+      maintainers = nixpkgs.lib.maintainers // {
+        bsc = import ./pkgs/maintainers.nix;
+      };
+    };
   };
 }

m/common/base.nix

@@ -11,6 +11,7 @@
     ./base/hw.nix
     ./base/net.nix
     ./base/nix.nix
+    ./base/sys-devices.nix
     ./base/ntp.nix
     ./base/rev.nix
     ./base/ssh.nix

m/common/base/agenix.nix

@@ -1,9 +1,8 @@
-{ agenix, ... }:
+{ pkgs, ... }:
 
 {
-  imports = [ agenix.nixosModules.default ];
+  imports = [ ../../module/agenix.nix ];
 
-  environment.systemPackages = [
+  # Add agenix to system packages
-    agenix.packages.x86_64-linux.default
+  environment.systemPackages = [ pkgs.agenix ];
-  ];
 }

m/common/base/sys-devices.nix

@@ -0,0 +1,9 @@
+{
+  nix.settings.system-features = [ "sys-devices" ];
+
+  programs.nix-required-mounts.enable = true;
+  programs.nix-required-mounts.allowedPatterns.sys-devices.paths = [
+    "/sys/devices/system/cpu"
+    "/sys/devices/system/node"
+  ];
+}

m/common/base/users.nix

@@ -180,6 +180,19 @@
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFmMqKqPg4uocNOr3O41kLbZMOMJn3m2ZdN1JvTR96z3 bsccns@arnau-bsc"
         ];
       };
+
+      aaguirre = {
+        uid = 9655;
+        isNormalUser = true;
+        home = "/home/Computational/aaguirre";
+        description = "Alejandro Aguirre";
+        group = "Computational";
+        hosts = [ "apex" "hut" ];
+        hashedPassword = "$6$TXRXQT6jjBvxkxU6$E.sh5KspAm1qeG5Ct7OPHpo8REmbGDwjFGvqeGgTVz3GASGOAnPL7UMZsMAsAKBoahOw.v8LNno6XGrTEPzZH1";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlRX7ZCnqtUJYCxKgWmgSrFCYuA2LHY96rVwqxXPl86 aaguirre@BSC-8488184117"
+        ];
+      };
     };
 
     groups = {

m/hut/nginx.nix

@@ -4,8 +4,8 @@ let
     name = "jungle-web";
     src = pkgs.fetchgit {
       url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "739bf0175a7f05380fe7ad7023ff1d60db1710e1";
+      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
-      hash = "sha256-ea5DzhYTzZ9TmqD+x95rdNdLbxPnBluqlYH2NmBYmc4=";
+      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
     };
     buildInputs = [ pkgs.hugo ];
     buildPhase = ''

m/module/agenix.nix

@@ -0,0 +1,357 @@
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  cfg = config.age;
+
+  isDarwin = lib.attrsets.hasAttrByPath [ "environment" "darwinConfig" ] options;
+
+  ageBin = config.age.ageBin;
+
+  users = config.users.users;
+
+  sysusersEnabled =
+    if isDarwin then
+      false
+    else
+      options.systemd ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable);
+
+  mountCommand =
+    if isDarwin then
+      ''
+        if ! diskutil info "${cfg.secretsMountPoint}" &> /dev/null; then
+            num_sectors=1048576
+            dev=$(hdiutil attach -nomount ram://"$num_sectors" | sed 's/[[:space:]]*$//')
+            newfs_hfs -v agenix "$dev"
+            mount -t hfs -o nobrowse,nodev,nosuid,-m=0751 "$dev" "${cfg.secretsMountPoint}"
+        fi
+      ''
+    else
+      ''
+        grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts ||
+          mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
+      '';
+  newGeneration = ''
+    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+    (( ++_agenix_generation ))
+    echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
+    mkdir -p "${cfg.secretsMountPoint}"
+    chmod 0751 "${cfg.secretsMountPoint}"
+    ${mountCommand}
+    mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
+    chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
+  '';
+
+  chownGroup = if isDarwin then "admin" else "keys";
+  # chown the secrets mountpoint and the current generation to the keys group
+  # instead of leaving it root:root.
+  chownMountPoint = ''
+    chown :${chownGroup} "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"
+  '';
+
+  setTruePath = secretType: ''
+    ${
+      if secretType.symlink then
+        ''
+          _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
+        ''
+      else
+        ''
+          _truePath="${secretType.path}"
+        ''
+    }
+  '';
+
+  installSecret = secretType: ''
+    ${setTruePath secretType}
+    echo "decrypting '${secretType.file}' to '$_truePath'..."
+    TMP_FILE="$_truePath.tmp"
+
+    IDENTITIES=()
+    for identity in ${toString cfg.identityPaths}; do
+      test -r "$identity" || continue
+      test -s "$identity" || continue
+      IDENTITIES+=(-i)
+      IDENTITIES+=("$identity")
+    done
+
+    test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
+
+    mkdir -p "$(dirname "$_truePath")"
+    [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
+    (
+      umask u=r,g=,o=
+      test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!'
+      test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
+      LANG=${
+        config.i18n.defaultLocale or "C"
+      } ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}"
+    )
+    chmod ${secretType.mode} "$TMP_FILE"
+    mv -f "$TMP_FILE" "$_truePath"
+
+    ${optionalString secretType.symlink ''
+      [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
+    ''}
+  '';
+
+  testIdentities = map (path: ''
+    test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
+  '') cfg.identityPaths;
+
+  cleanupAndLink = ''
+    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+    (( ++_agenix_generation ))
+    echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
+    ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
+
+    (( _agenix_generation > 1 )) && {
+    echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
+    rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
+    }
+  '';
+
+  installSecrets = builtins.concatStringsSep "\n" (
+    [ "echo '[agenix] decrypting secrets...'" ]
+    ++ testIdentities
+    ++ (map installSecret (builtins.attrValues cfg.secrets))
+    ++ [ cleanupAndLink ]
+  );
+
+  chownSecret = secretType: ''
+    ${setTruePath secretType}
+    chown ${secretType.owner}:${secretType.group} "$_truePath"
+  '';
+
+  chownSecrets = builtins.concatStringsSep "\n" (
+    [ "echo '[agenix] chowning...'" ]
+    ++ [ chownMountPoint ]
+    ++ (map chownSecret (builtins.attrValues cfg.secrets))
+  );
+
+  secretType = types.submodule (
+    { config, ... }:
+    {
+      options = {
+        name = mkOption {
+          type = types.str;
+          default = config._module.args.name;
+          defaultText = literalExpression "config._module.args.name";
+          description = ''
+            Name of the file used in {option}`age.secretsDir`
+          '';
+        };
+        file = mkOption {
+          type = types.path;
+          description = ''
+            Age file the secret is loaded from.
+          '';
+        };
+        path = mkOption {
+          type = types.str;
+          default = "${cfg.secretsDir}/${config.name}";
+          defaultText = literalExpression ''
+            "''${cfg.secretsDir}/''${config.name}"
+          '';
+          description = ''
+            Path where the decrypted secret is installed.
+          '';
+        };
+        mode = mkOption {
+          type = types.str;
+          default = "0400";
+          description = ''
+            Permissions mode of the decrypted secret in a format understood by chmod.
+          '';
+        };
+        owner = mkOption {
+          type = types.str;
+          default = "0";
+          description = ''
+            User of the decrypted secret.
+          '';
+        };
+        group = mkOption {
+          type = types.str;
+          default = users.${config.owner}.group or "0";
+          defaultText = literalExpression ''
+            users.''${config.owner}.group or "0"
+          '';
+          description = ''
+            Group of the decrypted secret.
+          '';
+        };
+        symlink = mkEnableOption "symlinking secrets to their destination" // {
+          default = true;
+        };
+      };
+    }
+  );
+in
+{
+  imports = [
+    (mkRenamedOptionModule [ "age" "sshKeyPaths" ] [ "age" "identityPaths" ])
+  ];
+
+  options.age = {
+    ageBin = mkOption {
+      type = types.str;
+      default = "${pkgs.age}/bin/age";
+      defaultText = literalExpression ''
+        "''${pkgs.age}/bin/age"
+      '';
+      description = ''
+        The age executable to use.
+      '';
+    };
+    secrets = mkOption {
+      type = types.attrsOf secretType;
+      default = { };
+      description = ''
+        Attrset of secrets.
+      '';
+    };
+    secretsDir = mkOption {
+      type = types.path;
+      default = "/run/agenix";
+      description = ''
+        Folder where secrets are symlinked to
+      '';
+    };
+    secretsMountPoint = mkOption {
+      type =
+        types.addCheck types.str (
+          s:
+          (builtins.match "[ \t\n]*" s) == null # non-empty
+          && (builtins.match ".+/" s) == null
+        ) # without trailing slash
+        // {
+          description = "${types.str.description} (with check: non-empty without trailing slash)";
+        };
+      default = "/run/agenix.d";
+      description = ''
+        Where secrets are created before they are symlinked to {option}`age.secretsDir`
+      '';
+    };
+    identityPaths = mkOption {
+      type = types.listOf types.path;
+      default =
+        if isDarwin then
+          [
+            "/etc/ssh/ssh_host_ed25519_key"
+            "/etc/ssh/ssh_host_rsa_key"
+          ]
+        else if (config.services.openssh.enable or false) then
+          map (e: e.path) (
+            lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys
+          )
+        else
+          [ ];
+      defaultText = literalExpression ''
+        if isDarwin
+        then [
+          "/etc/ssh/ssh_host_ed25519_key"
+          "/etc/ssh/ssh_host_rsa_key"
+        ]
+        else if (config.services.openssh.enable or false)
+        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
+        else [];
+      '';
+      description = ''
+        Path to SSH keys to be used as identities in age decryption.
+      '';
+    };
+  };
+
+  config = mkIf (cfg.secrets != { }) (mkMerge [
+    {
+      assertions = [
+        {
+          assertion = cfg.identityPaths != [ ];
+          message = "age.identityPaths must be set, for example by enabling openssh.";
+        }
+      ];
+    }
+    (optionalAttrs (!isDarwin) {
+      # When using sysusers we no longer be started as an activation script
+      # because those are started in initrd while sysusers is started later.
+      systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
+        wantedBy = [ "sysinit.target" ];
+        after = [ "systemd-sysusers.service" ];
+        unitConfig.DefaultDependencies = "no";
+
+        path = [ pkgs.mount ];
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = pkgs.writeShellScript "agenix-install" (concatLines [
+            newGeneration
+            installSecrets
+            chownSecrets
+          ]);
+          RemainAfterExit = true;
+        };
+      };
+
+      # Create a new directory full of secrets for symlinking (this helps
+      # ensure removed secrets are actually removed, or at least become
+      # invalid symlinks).
+      system.activationScripts = mkIf (!sysusersEnabled) {
+        agenixNewGeneration = {
+          text = newGeneration;
+          deps = [
+            "specialfs"
+          ];
+        };
+
+        agenixInstall = {
+          text = installSecrets;
+          deps = [
+            "agenixNewGeneration"
+            "specialfs"
+          ];
+        };
+
+        # So user passwords can be encrypted.
+        users.deps = [ "agenixInstall" ];
+
+        # Change ownership and group after users and groups are made.
+        agenixChown = {
+          text = chownSecrets;
+          deps = [
+            "users"
+            "groups"
+          ];
+        };
+
+        # So other activation scripts can depend on agenix being done.
+        agenix = {
+          text = "";
+          deps = [ "agenixChown" ];
+        };
+      };
+    })
+
+    (optionalAttrs isDarwin {
+      launchd.daemons.activate-agenix = {
+        script = ''
+          set -e
+          set -o pipefail
+          export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
+          ${newGeneration}
+          ${installSecrets}
+          ${chownSecrets}
+          exit 0
+        '';
+        serviceConfig = {
+          RunAtLoad = true;
+          KeepAlive.SuccessfulExit = false;
+        };
+      };
+    })
+  ]);
+}

m/tent/nginx.nix

@@ -4,8 +4,8 @@ let
     name = "jungle-web";
     src = pkgs.fetchgit {
       url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "739bf0175a7f05380fe7ad7023ff1d60db1710e1";
+      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
-      hash = "sha256-ea5DzhYTzZ9TmqD+x95rdNdLbxPnBluqlYH2NmBYmc4=";
+      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
     };
     buildInputs = [ pkgs.hugo ];
     buildPhase = ''

overlay.nix

@@ -7,6 +7,7 @@ let
   callPackage = final.callPackage;
 
   bscPkgs = {
+    agenix = prev.callPackage ./pkgs/agenix/default.nix { };
     amd-uprof = prev.callPackage ./pkgs/amd-uprof/default.nix { };
     bench6 = callPackage ./pkgs/bench6/default.nix { };
     bigotes = callPackage ./pkgs/bigotes/default.nix { };
@@ -62,7 +63,7 @@ let
   };
 
   tests = rec {
-    #hwloc = callPackage ./test/bugs/hwloc.nix { }; # Broken, no /sys
+    hwloc = callPackage ./test/bugs/hwloc.nix { };
     #sigsegv = callPackage ./test/reproducers/sigsegv.nix { };
     hello-c = callPackage ./test/compilers/hello-c.nix { };
     hello-cpp = callPackage ./test/compilers/hello-cpp.nix { };
@@ -94,12 +95,18 @@ let
     };
   };
 
-  pkgs = filterAttrs (_: isDerivation) bscPkgs;
+  # For now, only build toplevel packages in CI/Hydra
+  pkgsTopLevel = filterAttrs (_: isDerivation) bscPkgs;
 
-  crossTargets = [ "riscv64" ];
+  # Native build in that platform doesn't imply cross build works
-  cross = prev.lib.genAttrs crossTargets (target:
+  canCrossCompile = platform: pkg:
-    final.pkgsCross.${target}.bsc-ci.pkgs
+    (isDerivation pkg) &&
-  );
+    # Must be defined explicitly
+    (pkg.meta.cross or false) &&
+    (meta.availableOn platform pkg);
+
+  # For now only RISC-V
+  crossSet = { riscv64 = final.pkgsCross.riscv64.bsc.pkgsTopLevel; };
 
   buildList = name: paths:
     final.runCommandLocal name { } ''
@@ -113,22 +120,38 @@ let
       printf '%s\n' $deps >$out
     '';
 
-  crossList = builtins.mapAttrs (t: v: buildList t (builtins.attrValues v)) cross;
+  pkgsList = buildList "ci-pkgs" (builtins.attrValues pkgsTopLevel);
-
+  testsList = buildList "ci-tests" (collect isDerivation tests);
-  pkgsList = buildList "ci-pkgs" (builtins.attrValues pkgs);
+  allList = buildList' "ci-all" [ pkgsList testsList ];
-  testList = buildList "ci-tests" (collect isDerivation tests);
+  # For now only RISC-V
-
+  crossList = buildList "ci-cross"
-  all = buildList' "ci-all" [ pkgsList testList ];
+    (filter
+      (canCrossCompile final.pkgsCross.riscv64.stdenv.hostPlatform)
+        (builtins.attrValues crossSet.riscv64));
 
 in bscPkgs // {
-  # Prevent accidental usage of bsc attribute
+
-  bsc = throw "the bsc attribute is deprecated, packages are now in the root";
+  lib = prev.lib // {
+    maintainers = prev.lib.maintainers // {
+      bsc = import ./pkgs/maintainers.nix;
+    };
+  };
+
+  # Prevent accidental usage of bsc-ci attribute
+  bsc-ci = throw "the bsc-ci attribute is deprecated, use bsc.ci";
 
   # Internal for our CI tests
-  bsc-ci = {
+  bsc = {
-    inherit pkgs pkgsList;
+    # CI targets for nix build
-    inherit tests testList;
+    ci = { pkgs = pkgsList; tests = testsList; all = allList; cross = crossList; };
-    inherit cross crossList;
+
-    inherit all;
+    # Direct access to package sets
+    tests = tests;
+    pkgs = bscPkgs;
+    pkgsTopLevel = pkgsTopLevel;
+    cross = crossSet;
+
+    # Hydra uses attribute sets of pkgs
+    hydraJobs = { tests = tests; pkgs = pkgsTopLevel; cross = crossSet; };
   };
 }

pkgs/agenix/agenix.sh

@@ -0,0 +1,212 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+PACKAGE="agenix"
+
+function show_help () {
+  echo "$PACKAGE - edit and rekey age secret files"
+  echo " "
+  echo "$PACKAGE -e FILE [-i PRIVATE_KEY]"
+  echo "$PACKAGE -r [-i PRIVATE_KEY]"
+  echo ' '
+  echo 'options:'
+  echo '-h, --help                show help'
+  # shellcheck disable=SC2016
+  echo '-e, --edit FILE           edits FILE using $EDITOR'
+  echo '-r, --rekey               re-encrypts all secrets with specified recipients'
+  echo '-d, --decrypt FILE        decrypts FILE to STDOUT'
+  echo '-i, --identity            identity to use when decrypting'
+  echo '-v, --verbose             verbose output'
+  echo ' '
+  echo 'FILE an age-encrypted file'
+  echo ' '
+  echo 'PRIVATE_KEY a path to a private SSH key used to decrypt file'
+  echo ' '
+  echo 'EDITOR environment variable of editor to use when editing FILE'
+  echo ' '
+  echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
+  echo ' '
+  echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
+  echo "Defaults to './secrets.nix'"
+  echo ' '
+  echo "agenix version: @version@"
+  echo "age binary path: @ageBin@"
+  echo "age version: $(@ageBin@ --version)"
+}
+
+function warn() {
+  printf '%s\n' "$*" >&2
+}
+
+function err() {
+  warn "$*"
+  exit 1
+}
+
+test $# -eq 0 && (show_help && exit 1)
+
+REKEY=0
+DECRYPT_ONLY=0
+DEFAULT_DECRYPT=(--decrypt)
+
+while test $# -gt 0; do
+  case "$1" in
+    -h|--help)
+      show_help
+      exit 0
+      ;;
+    -e|--edit)
+      shift
+      if test $# -gt 0; then
+        export FILE=$1
+      else
+        echo "no FILE specified"
+        exit 1
+      fi
+      shift
+      ;;
+    -i|--identity)
+      shift
+      if test $# -gt 0; then
+        DEFAULT_DECRYPT+=(--identity "$1")
+      else
+        echo "no PRIVATE_KEY specified"
+        exit 1
+      fi
+      shift
+      ;;
+    -r|--rekey)
+      shift
+      REKEY=1
+      ;;
+    -d|--decrypt)
+      shift
+      DECRYPT_ONLY=1
+      if test $# -gt 0; then
+        export FILE=$1
+      else
+        echo "no FILE specified"
+        exit 1
+      fi
+      shift
+      ;;
+    -v|--verbose)
+      shift
+      set -x
+      ;;
+    *)
+      show_help
+      exit 1
+      ;;
+  esac
+done
+
+RULES=${RULES:-./secrets.nix}
+function cleanup {
+    if [ -n "${CLEARTEXT_DIR+x}" ]
+    then
+        rm -rf -- "$CLEARTEXT_DIR"
+    fi
+    if [ -n "${REENCRYPTED_DIR+x}" ]
+    then
+        rm -rf -- "$REENCRYPTED_DIR"
+    fi
+}
+trap "cleanup" 0 2 3 15
+
+function keys {
+    (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$1\".publicKeys)" | @jqBin@ -r .[]) || exit 1
+}
+
+function armor {
+    (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in (builtins.hasAttr \"armor\" rules.\"$1\" && rules.\"$1\".armor))") || exit 1
+}
+
+function decrypt {
+    FILE=$1
+    KEYS=$2
+    if [ -z "$KEYS" ]
+    then
+        err "There is no rule for $FILE in $RULES."
+    fi
+
+    if [ -f "$FILE" ]
+    then
+        DECRYPT=("${DEFAULT_DECRYPT[@]}")
+        if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
+            if [ -f "$HOME/.ssh/id_rsa" ]; then
+                DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
+            fi
+            if [ -f "$HOME/.ssh/id_ed25519" ]; then
+                DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
+            fi
+        fi
+        if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
+          err "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
+        fi
+
+        @ageBin@ "${DECRYPT[@]}" -- "$FILE" || exit 1
+    fi
+}
+
+function edit {
+    FILE=$1
+    KEYS=$(keys "$FILE") || exit 1
+    ARMOR=$(armor "$FILE") || exit 1
+
+    CLEARTEXT_DIR=$(@mktempBin@ -d)
+    CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename -- "$FILE")"
+    DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
+
+    decrypt "$FILE" "$KEYS" || exit 1
+
+    [ ! -f "$CLEARTEXT_FILE" ] || cp -- "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
+
+    [ -t 0 ] || EDITOR='cp -- /dev/stdin'
+
+    $EDITOR "$CLEARTEXT_FILE"
+
+    if [ ! -f "$CLEARTEXT_FILE" ]
+    then
+      warn "$FILE wasn't created."
+      return
+    fi
+    [ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q -- "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
+
+    ENCRYPT=()
+    if [[ "$ARMOR" == "true" ]]; then
+        ENCRYPT+=(--armor)
+    fi
+    while IFS= read -r key
+    do
+        if [ -n "$key" ]; then
+            ENCRYPT+=(--recipient "$key")
+        fi
+    done <<< "$KEYS"
+
+    REENCRYPTED_DIR=$(@mktempBin@ -d)
+    REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename -- "$FILE")"
+
+    ENCRYPT+=(-o "$REENCRYPTED_FILE")
+
+    @ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
+
+    mkdir -p -- "$(dirname -- "$FILE")"
+
+    mv -f -- "$REENCRYPTED_FILE" "$FILE"
+}
+
+function rekey {
+    FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)"  | @jqBin@ -r .[]) || exit 1)
+
+    for FILE in $FILES
+    do
+        warn "rekeying $FILE..."
+        EDITOR=: edit "$FILE"
+        cleanup
+    done
+}
+
+[ $REKEY -eq 1 ] && rekey && exit 0
+[ $DECRYPT_ONLY -eq 1 ] && DEFAULT_DECRYPT+=("-o" "-") && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
+edit "$FILE" && cleanup && exit 0

pkgs/agenix/default.nix

@@ -0,0 +1,66 @@
+{
+  lib,
+  stdenv,
+  age,
+  jq,
+  nix,
+  mktemp,
+  diffutils,
+  replaceVars,
+  ageBin ? "${age}/bin/age",
+  shellcheck,
+}:
+let
+  bin = "${placeholder "out"}/bin/agenix";
+in
+stdenv.mkDerivation rec {
+  pname = "agenix";
+  version = "0.15.0";
+  src = replaceVars ./agenix.sh {
+    inherit ageBin version;
+    jqBin = "${jq}/bin/jq";
+    nixInstantiate = "${nix}/bin/nix-instantiate";
+    mktempBin = "${mktemp}/bin/mktemp";
+    diffBin = "${diffutils}/bin/diff";
+  };
+  dontUnpack = true;
+  doInstallCheck = true;
+  installCheckInputs = [ shellcheck ];
+  postInstallCheck = ''
+    shellcheck ${bin}
+    ${bin} -h | grep ${version}
+
+    test_tmp=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
+    export HOME="$test_tmp/home"
+    export NIX_STORE_DIR="$test_tmp/nix/store"
+    export NIX_STATE_DIR="$test_tmp/nix/var"
+    mkdir -p "$HOME" "$NIX_STORE_DIR" "$NIX_STATE_DIR"
+    function cleanup {
+      rm -rf "$test_tmp"
+    }
+    trap "cleanup" 0 2 3 15
+
+    mkdir -p $HOME/.ssh
+    cp -r "${./example}" $HOME/secrets
+    chmod -R u+rw $HOME/secrets
+    (
+    umask u=rw,g=r,o=r
+    cp ${./example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub
+    chown $UID $HOME/.ssh/id_ed25519.pub
+    )
+    (
+    umask u=rw,g=,o=
+    cp ${./example_keys/user1} $HOME/.ssh/id_ed25519
+    chown $UID $HOME/.ssh/id_ed25519
+    )
+
+    cd $HOME/secrets
+    test $(${bin} -d secret1.age) = "hello"
+  '';
+
+  installPhase = ''
+    install -D $src ${bin}
+  '';
+
+  meta.description = "age-encrypted secrets for NixOS";
+}

pkgs/agenix/example/-leading-hyphen-filename.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 V3XmEA zirqdzZZ1E+sedBn7fbEHq4ntLEkokZ4GctarBBOHXY
+Rvs5YHaAUeCZyNwPedubPcHClWYIuXXWA5zadXPWY6w
+-> ssh-ed25519 KLPP8w BVp4rDkOYSQyn8oVeHFeinSqW+pdVtxBF9+5VM1yORY
+bMwppAi8Nhz0328taU4AzUkTVyWtSLvFZG6c5W/Fs78
+--- xCbqLhXAcOziO2wmbjTiSQfZvt5Rlsc4SCvF+iEzpQA
+ôKB£î/²ZÅÈrÙ%
¾à4¡´—Mq5×Ô_ÌÂÝ’‹†ã„Ò11ܨqM;& ¢‡LríÂÒføû”]>N

pkgs/agenix/example/armored-secret.age

@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFYzWG1FQSBpZkZW
+aFpLNnJxc0VUMHRmZ2dZS0pjMGVENnR3OHd5K0RiT1RjRUhibFZBCnN5UG5vUjA3
+SXpsNGtiVUw4T0tIVFo5Wkk5QS9NQlBndzVvektiQ0ozc0kKLS0tIGxyY1Q4dEZ1
+VGZEanJyTFNta2JNRmpZb2FnK2JyS1hSVml1UGdMNWZKQXMKYla+wTXcRedyZoEb
+LVWaSx49WoUTU0KBPJg9RArxaeC23GoCDzR/aM/1DvYU
+-----END AGE ENCRYPTED FILE-----

pkgs/agenix/example/passwordfile-user1.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 KLPP8w s1DYZRlZuSsyhmZCF1lFB+E9vB8bZ/+ZhBRlx8nprwE
+nmYVCsVBrX2CFXXPU+D+bbkkIe/foofp+xoUrg9DHZw
+-> ssh-ed25519 V3XmEA Pwv3oCwcY0DX8rY48UNfsj9RumWsn4dbgorYHCwObgI
+FKxRYkL3JHtJxUwymWDF0rAtJ33BivDI6IfPsfumM90
+-> V'v(/u$-grease em/Vgf 2qDuk
+7I3iiQLPGi1COML9u/JeYkr7EqbSLoU
+--- 57WJRigUGtmcObrssS3s4PvmR8wgh1AOC/ijJn1s3xI
+<EFBFBD>'K©Æ·Y&‘7GÆOÝòFj
±kÆXç«BnuJöê:9Ê(’ÙÏX¬#¼AíÄÞÃÚ§j’,ê_ÈþÝ?ÝZ“¥vœ¹V’96]oks~%£c	Îe^CÅ%JQ5€<H¢z}îCý,°pŒ¿*!W§§ÈA±º­Ò…dC¼K)¿¢-žy

pkgs/agenix/example/secret2.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 V3XmEA OB4+1FbPhQ3r6iGksM7peWX5it8NClpXIq/o5nnP7GA
+FmHVUj+A5i5+bDFgySQskmlvynnosJiWUTJmBRiNA9I
+--- tP+3mFVtd7ogVu1Lkboh55zoi5a77Ht08Uc/QuIviv4
+¤¬Xæ{”ïOŠ£èätMXxÔvÓª(¬IÁmyPÇï¸è+3²S3i

pkgs/agenix/example/secrets.nix

@@ -0,0 +1,23 @@
+let
+  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
+  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
+in
+{
+  "secret1.age".publicKeys = [
+    user1
+    system1
+  ];
+  "secret2.age".publicKeys = [ user1 ];
+  "passwordfile-user1.age".publicKeys = [
+    user1
+    system1
+  ];
+  "-leading-hyphen-filename.age".publicKeys = [
+    user1
+    system1
+  ];
+  "armored-secret.age" = {
+    publicKeys = [ user1 ];
+    armor = true;
+  };
+}

pkgs/agenix/example_keys/system1

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxAAAAJA3yvCWN8rw
+lgAAAAtzc2gtZWQyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxA
+AAAEA+J2V6AG1NriAIvnNKRauIEh1JE9HSdhvKJ68a5Fm0w/JDyIr/FSz1cJdcoW69R+Nr
+WzwGK/+3gJpqD1t8L2zEAAAADHJ5YW50bUBob21lMQE=
+-----END OPENSSH PRIVATE KEY-----

pkgs/agenix/example_keys/system1.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE

pkgs/agenix/example_keys/user1

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRwAAAJC2JJ8htiSf
+IQAAAAtzc2gtZWQyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRw
+AAAEDxt5gC/s53IxiKAjfZJVCCcFIsdeERdIgbYhLO719+Kb0idNvgGiucWgup/mP78zyC
+23uFjYq0evcWdjGQUaBHAAAADHJ5YW50bUBob21lMQE=
+-----END OPENSSH PRIVATE KEY-----

pkgs/agenix/example_keys/user1.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH

pkgs/agenix/update.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+
+# All operations are done relative to root
+GITROOT=$(git rev-parse --show-toplevel)
+cd "$GITROOT"
+
+REVISION=${1:-main}
+
+TMPCLONE=$(mktemp -d)
+trap "rm -rf ${TMPCLONE}" EXIT
+
+git clone https://github.com/ryantm/agenix.git --revision="$REVISION" "$TMPCLONE" --depth=1
+
+cp "${TMPCLONE}/pkgs/agenix.sh" pkgs/agenix/agenix.sh
+cp "${TMPCLONE}/pkgs/agenix.nix" pkgs/agenix/default.nix
+sed -i 's#../example#./example#' pkgs/agenix/default.nix
+
+cp "${TMPCLONE}/example/"* pkgs/agenix/example/
+cp "${TMPCLONE}/example_keys/"* pkgs/agenix/example_keys/
+
+cp "${TMPCLONE}/modules/age.nix" m/module/agenix.nix

pkgs/amd-uprof/default.nix

@@ -86,4 +86,13 @@ in
       patchelf --add-needed libnuma.so $out/bin/AMDuProfPcm
       set +x
     '';
+
+    meta = {
+      description = "Performance analysis tool-suite for x86 based applications";
+      homepage = "https://www.amd.com/es/developer/uprof.html";
+      platforms = lib.platforms.linux;
+      license = lib.licenses.unfree;
+      maintainers = with lib.maintainers.bsc; [ rarias varcila ];
+    };
+
   }

pkgs/amd-uprof/driver.nix

@@ -29,5 +29,7 @@ in stdenv.mkDerivation {
     description = "AMD Power Profiler Driver";
     homepage = "https://www.amd.com/es/developer/uprof.html";
     platforms = lib.platforms.linux;
+    license = lib.licenses.unfree;
+    maintainers = with lib.maintainers.bsc; [ rarias varcila ];
   };
 }

pkgs/bench6/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , bigotes
 , cmake
 , clangOmpss2
@@ -58,4 +59,12 @@ stdenv.mkDerivation rec {
   ];
   hardeningDisable = [ "all" ];
   dontStrip = true;
+
+  meta = {
+    homepage = "https://gitlab.pm.bsc.es/rarias/bench6";
+    description = "Set of micro-benchmarks for OmpSs-2 and several mini-apps";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

pkgs/bigotes/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , fetchFromGitHub
 , cmake
 }:
@@ -14,4 +15,12 @@ stdenv.mkDerivation {
     sha256 = "sha256-ktxM3pXiL8YXSK+/IKWYadijhYXqGoLY6adLk36iigE=";
   };
   nativeBuildInputs = [ cmake ];
+
+  meta = {
+    homepage = "https://github.com/rodarima/bigotes";
+    description = "Versatile benchmark tool";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

pkgs/extrae/default.nix

@@ -20,6 +20,7 @@
 #, python3Packages
 , installShellFiles
 , symlinkJoin
+, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
 }:
 
 let
@@ -87,7 +88,7 @@ stdenv.mkDerivation rec {
       --enable-sampling
       --with-unwind=${libunwind.dev}
       --with-xml-prefix=${libxml2.dev}
-      --with-papi=${papi}
+      ${lib.optionalString enablePapi "--with-papi=${papi}"}
       ${if (mpi != null) then ''--with-mpi=${mpi}''
         else ''--without-mpi''}
       --without-dyninst)
@@ -110,4 +111,13 @@ stdenv.mkDerivation rec {
 #    then [ "--enable-openmp" ]
 #    else []
 #  );
+
+  meta = {
+    homepage = "https://github.com/bsc-performance-tools/extrae";
+    description = "Instrumentation framework to generate execution traces of the most used parallel runtimes";
+    maintainers = [ ];
+    broken = true;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.lgpl21Plus;
+  };
 }

pkgs/gpi-2/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , fetchurl
 , symlinkJoin
 , slurm
@@ -52,4 +53,12 @@ stdenv.mkDerivation rec {
   buildInputs = [ slurm mpiAll rdma-core-all autoconf automake libtool rsync gfortran ];
 
   hardeningDisable = [ "all" ];
+
+  meta = {
+    homepage = "https://pm.bsc.es/gitlab/interoperability/extern/GPI-2";
+    description = "GPI-2 extended for supporting Task-Aware GASPI (TAGASPI) library";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

pkgs/intel-compiler/icc2020.nix

@@ -1,4 +1,5 @@
 { stdenv
+, lib
 , fetchurl
 , rpmextract
 , autoPatchelfHook
@@ -59,4 +60,12 @@ stdenv.mkDerivation rec {
       rm $out/lib/*.dbg
     popd
   '';
+
+  meta = {
+    homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
+    description = "Intel compiler";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.unfree;
+  };
 }

pkgs/intel-compiler/icc2021.nix

@@ -145,4 +145,12 @@ in
       popd
     '';
 
+    meta = {
+      homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
+      description = "Intel compiler";
+      maintainers = with lib.maintainers.bsc; [ rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.unfree;
+    };
+
   }

pkgs/intel-mpi/default.nix

@@ -1,4 +1,5 @@
 { stdenv
+, lib
 , rpmextract
 , gcc
 , zlib
@@ -101,4 +102,12 @@ stdenv.mkDerivation rec {
     patchelf --set-rpath "$out/lib:${rdma-core}/lib:${libpsm2}/lib" $out/lib/libfabric.so
     echo "Patched RPATH in libfabric.so to: $(patchelf --print-rpath $out/lib/libfabric.so)"
   '';
+
+  meta = {
+    homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
+    description = "Intel MPI";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.unfree;
+  };
 }

pkgs/intel-oneapi/2023.nix

@@ -26,6 +26,13 @@
 
 let
 
+  meta = {
+    description = "Intel oneapi hpckit package component";
+    homepage = "https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html";
+    license = lib.licenses.unfree;
+    maintainers = with lib.maintainers.bsc; [ abonerib ];
+  };
+
   gcc = gcc13;
 
   v = {
@@ -87,6 +94,8 @@ let
         dpkg -x $src $out
       done
     '';
+
+    inherit meta;
   };
 
   joinDebs = name: names:
@@ -145,6 +154,8 @@ let
         sed -i "s:I_MPI_SUBSTITUTE_INSTALLDIR:$out:g" "$i"
       done
     '';
+
+    inherit meta;
   };
 
   intel-tbb = stdenv.mkDerivation rec {
@@ -183,6 +194,8 @@ let
         rsync -a lib/intel64/gcc4.8/ $out/lib/
       popd
     '';
+
+    inherit meta;
   };
 
   intel-compiler-shared = stdenv.mkDerivation rec {
@@ -240,6 +253,8 @@ let
         popd
       popd
     '';
+
+    inherit meta;
   };
 
 
@@ -305,6 +320,8 @@ let
         ln -s $out/lib $out/lib_lin
       popd
     '';
+
+    inherit meta;
   };
 
   intel-compiler = stdenv.mkDerivation rec {
@@ -392,6 +409,8 @@ let
         rsync -a documentation/en/man/common/ $out/share/man/
       popd
     '';
+
+    inherit meta;
   };
 
   wrapIntel = { cc, mygcc, extraBuild ? "", extraInstall ? "" }:

pkgs/llvm-ompss2/clang.nix

@@ -126,4 +126,12 @@ in stdenv.mkDerivation {
 # nanos6 installation, but this is would require a recompilation of clang each
 # time nanos6 is changed. Better to use the environment variable NANOS6_HOME,
 # and specify nanos6 at run time.
+
+  meta = {
+    homepage = "https://gitlab.pm.bsc.es/llvm-ompss/llvm-mono";
+    description = "C language family frontend for LLVM (for OmpSs-2)";
+    maintainers = with lib.maintainers.bsc; [ rpenacob ];
+    platforms = lib.platforms.linux;
+    license = [ lib.licenses.asl20 lib.licenses.llvm-exception ];
+  };
 }

pkgs/llvm-ompss2/openmp.nix

@@ -74,5 +74,13 @@ stdenv.mkDerivation rec {
   passthru = {
     inherit nosv;
   };
+
+  meta = {
+    homepage = "https://gitlab.pm.bsc.es/llvm-ompss/llvm-mono";
+    description = "Support for the OpenMP language (with nOS-V)";
+    maintainers = with lib.maintainers.bsc; [ rpenacob ];
+    platforms = lib.platforms.linux;
+    license = [ lib.licenses.asl20 lib.licenses.llvm-exception ];
+  };
 }
 

pkgs/lmbench/default.nix

@@ -35,13 +35,16 @@ stdenv.mkDerivation rec {
       CFLAGS=-Wno-implicit-int
       CPPFLAGS=-I${libtirpc.dev}/include/tirpc
       LDFLAGS=-ltirpc
+      CC=$CC
+      AR=$AR
     )
   '';
 
   meta = {
     description = "lmbench";
-    homepage = "http://www.bitmover.com/lmbench/";
+    homepage = "https://github.com/intel/lmbench";
-    maintainers = [ ];
+    maintainers = with lib.maintainers.bsc; [ rarias ];
     platforms = lib.platforms.all;
+    license = lib.licenses.gpl2Plus;
   };
 }

pkgs/maintainers.nix

@@ -0,0 +1,7 @@
+builtins.mapAttrs (name: value: { email = name + "@bsc.es"; } // value) {
+  abonerib.name = "Aleix Boné";
+  arocanon.name = "Aleix Roca";
+  rarias.name = "Rodrigo Arias";
+  rpenacob.name = "Raúl Peñacoba";
+  varcila.name = "Vincent Arcila";
+}

pkgs/mcxx/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , fetchFromGitHub
 , autoreconfHook
 , nanos6
@@ -62,4 +63,12 @@ stdenv.mkDerivation rec {
 # Fails with "memory exhausted" with bison 3.7.1
 #    "--enable-bison-regeneration"
   ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/mcxx";
+    description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
+    maintainers = with lib.maintainers.bsc; [ rpenacob ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

pkgs/mcxx/git.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , fetchFromGitHub
 , autoreconfHook
 , nanos6
@@ -57,4 +58,12 @@ stdenv.mkDerivation rec {
 # Fails with "memory exhausted" with bison 3.7.1
 #    "--enable-bison-regeneration"
   ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/mcxx";
+    description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
+    maintainers = with lib.maintainers.bsc; [ rpenacob ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

pkgs/mcxx/rarias.nix

@@ -1,4 +1,5 @@
 { stdenv
+, lib
 , fetchgit
 , autoreconfHook
 , nanos6
@@ -56,4 +57,12 @@ stdenv.mkDerivation rec {
   #preBuild = ''
   #  make generate_builtins_ia32 GXX_X86_BUILTINS=${gcc}/bin/g++
   #'';
+  #
+  meta = {
+    homepage = "https://github.com/bsc-pm/mcxx";
+    description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

pkgs/mpich/default.nix

@@ -33,4 +33,8 @@ in mpich.overrideAttrs (old: {
     "FCFLAGS=-fallow-argument-mismatch"
   ];
   hardeningDisable = [ "all" ];
+
+  meta = old.meta // {
+    maintainers = old.meta.maintainers ++ (with lib.maintainers.bsc; [ rarias ]);
+  };
 })

pkgs/nanos6/default.nix

@@ -16,6 +16,7 @@
 , jemallocNanos6 ? null
 , cachelineBytes ? 64
 , enableGlibcxxDebug ? false
+, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
 , useGit ? false
 , gitUrl ? "ssh://git@bscpm04.bsc.es/nanos6/nanos6"
 , gitBranch ? "master"
@@ -47,6 +48,8 @@ let
   };
 
   source = if (useGit) then git else release;
+
+  isCross = stdenv.hostPlatform != stdenv.buildPlatform;
 in
   stdenv.mkDerivation (source // {
     pname = "nanos6";
@@ -71,9 +74,13 @@ in
       "--disable-all-instrumentations"
       "--enable-ovni-instrumentation"
       "--with-ovni=${ovni}"
+      "--with-boost=${boost.dev}"
     ] ++
       (optional enableJemalloc "--with-jemalloc=${jemallocNanos6}") ++
-      (optional enableGlibcxxDebug "CXXFLAGS=-D_GLIBCXX_DEBUG");
+      (optional enableGlibcxxDebug "CXXFLAGS=-D_GLIBCXX_DEBUG") ++
+      # Most nanos6 api symbols are resolved at runtime, so prefer
+      # ifunc by default
+      (optional isCross "--with-symbol-resolution=ifunc");
 
     postConfigure = lib.optionalString (!enableDebug) ''
       # Disable debug
@@ -97,16 +104,14 @@ in
       # TODO: papi_version is needed for configure:
       # ./configure: line 27378: papi_version: command not found
       # This probably breaks cross-compilation
-      papi
+    ] ++ lib.optionals enablePapi [ papi ];
-    ];
 
     buildInputs = [
       boost
       numactl
       hwloc
-      papi
       ovni
-    ];
+    ] ++ lib.optionals enablePapi [ papi ];
 
     # Create a script that sets NANOS6_HOME
     postInstall = ''
@@ -114,11 +119,12 @@ in
       echo "export NANOS6_HOME=$out" >> $out/nix-support/setup-hook
     '';
 
-    meta = with lib; {
+    meta = {
       homepage = "https://github.com/bsc-pm/nanos6";
       description = "Nanos6 runtime for OmpSs-2" +
         optionalString (enableDebug) " (with debug symbols)";
-      platforms = platforms.linux;
+      maintainers = with lib.maintainers.bsc; [ rarias ];
-      license = licenses.gpl3;
+      platforms = lib.platforms.linux;
+      license = lib.licenses.gpl3Plus;
     };
   })

pkgs/nanos6/jemalloc.nix

@@ -1,4 +1,4 @@
-{ jemalloc }:
+{ jemalloc, lib }:
 
 jemalloc.overrideAttrs (old: {
   configureFlags = old.configureFlags ++ [
@@ -8,5 +8,6 @@ jemalloc.overrideAttrs (old: {
   hardeningDisable = [ "all" ];
   meta = old.meta // {
     description = old.meta.description + " (for Nanos6)";
+    maintainers = (old.meta.maintainers or []) ++ (with lib.maintainers.bsc; [ rarias ]);
   };
 })

pkgs/nix-wrap/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , bashInteractive
 , busybox
 , nix
@@ -86,5 +87,14 @@ stdenv.mkDerivation rec {
     mkdir -p $out/share
     cp ${nix_conf} $out/share/nix.conf
   '';
+
+  meta = {
+    homepage = null;
+    description = "nix bubblewrap wrapper";
+    maintainers = [ ];
+    broken = true;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.mit;
+  };
 }
 

pkgs/nixtools/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , glibc
 }:
 
@@ -15,4 +16,11 @@ stdenv.mkDerivation rec {
   makeFlags = [ "DESTDIR=$(out)" ];
   preBuild = "env";
   dontPatchShebangs = true;
+
+  meta = {
+    homepage = "https://gitlab.pm.bsc.es/rarias/nixtools";
+    description = "nix bubblewrap wrapper";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+  };
 }

pkgs/nodes/default.nix

@@ -3,7 +3,6 @@
 , lib
 , fetchFromGitHub
 , pkg-config
-, perl
 , numactl
 , hwloc
 , boost
@@ -11,6 +10,7 @@
 , ovni
 , nosv
 , clangOmpss2
+, which
 , useGit ? false
 , gitUrl ? "ssh://git@gitlab-internal.bsc.es/nos-v/nodes.git"
 , gitBranch ? "master"
@@ -59,6 +59,7 @@ in
     doCheck = false;
     nativeCheckInputs = [
       clangOmpss2
+      which
     ];
 
     # The "bindnow" flags are incompatible with ifunc resolution mechanism. We
@@ -81,4 +82,12 @@ in
     passthru = {
       inherit nosv;
     };
+
+    meta = {
+      homepage = "https://gitlab.bsc.es/nos-v/nodes";
+      description = "Runtime library designed to work on top of the nOS-V runtime";
+      maintainers = with lib.maintainers.bsc; [ abonerib rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.gpl3Plus;
+    };
   }

pkgs/nosv/default.nix

@@ -7,7 +7,7 @@
 , numactl
 , hwloc
 , papi
-, enablePapi ? true
+, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
 , cacheline ? 64 # bits
 , ovni ? null
 , useGit ? false
@@ -59,4 +59,12 @@ in
       hwloc
       ovni
     ] ++ lib.optionals enablePapi [ papi ];
+
+    meta = {
+      homepage = "https://gitlab.bsc.es/nos-v/nos-v";
+      description = "Tasking library enables the co-execution of multiple applications with system-wide scheduling and a centralized management of resources";
+      maintainers = with lib.maintainers.bsc; [ abonerib rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.gpl3Plus;
+    };
   }

pkgs/ovni/default.nix

@@ -55,4 +55,13 @@ in
     doCheck = true;
     checkTarget = "test";
     hardeningDisable = [ "all" ];
+
+    meta = {
+      homepage = "https://ovni.readthedocs.io";
+      description = "Obtuse but Versatile Nanoscale Instrumentation";
+      maintainers = with lib.maintainers.bsc; [ rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.gpl3Plus;
+      cross = true;
+    };
   }

pkgs/paraver/default.nix

@@ -1,4 +1,6 @@
-{ stdenv
+{
+  stdenv
+, lib
 , fetchFromGitHub
 , autoreconfHook
 , boost
@@ -11,17 +13,14 @@
 , openssl
 , glibcLocales
 , wrapGAppsHook
-
-, enableDebug ? false
 }:
 
 let
   wx = wxGTK32;
-  version = "4.12.0";
 in
-stdenv.mkDerivation {
+stdenv.mkDerivation rec {
   pname = "wxparaver";
-  inherit version;
+  version = "4.12.0";
 
   src = fetchFromGitHub {
     owner = "bsc-performance-tools";
@@ -38,26 +37,21 @@ stdenv.mkDerivation {
     ./fix-boost-87.patch
   ];
 
+  hardeningDisable = [ "all" ];
+
   # Fix the PARAVER_HOME variable
   postPatch = ''
     sed -i 's@^PARAVER_HOME=.*$@PARAVER_HOME='$out'@g' docs/wxparaver
     sed -i '1aexport LOCALE_ARCHIVE="${glibcLocales}/lib/locale/locale-archive"' docs/wxparaver
   '';
 
+  dontStrip = true;
   enableParallelBuilding = true;
 
-  hardeningDisable = [ "all" ];
+  preConfigure = ''
-
+    export CFLAGS="-O3"
-  dontStrip = true;
+    export CXXFLAGS="-O3"
-
+  '';
-  env =
-    let
-      flags = if enableDebug then "-ggdb -Og" else "-O3";
-    in
-    {
-      CFLAGS = flags;
-      CXXFLAGS = flags;
-    };
 
   configureFlags = [
     "--with-boost=${boost}"
@@ -75,11 +69,11 @@ stdenv.mkDerivation {
 
   buildInputs = [
     boost
-    libxml2
+    libxml2.dev
     xml2
     wx
     paraverKernel
-    openssl
+    openssl.dev
   ];
 
   postInstall = ''
@@ -95,4 +89,18 @@ stdenv.mkDerivation {
     mkdir -p $out/share/man
     mv $out/share/doc/wxparaver_help_contents/man $out/share/man/man1
   '';
+
+  meta = {
+    homepage = "https://tools.bsc.es/paraver";
+    downloadPage = "https://github.com/bsc-performance-tools/wxparaver";
+    description = "Performance analyzer based on event traces";
+    longDescription = ''
+      Trace-based visualization and analysis tool designed to study quantitative
+      detailed metrics and obtain qualitative knowledge of the performance of
+      applications, libraries, processors and whole architectures
+    '';
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.lgpl21Plus;
+  };
 }

pkgs/paraver/kernel.nix

@@ -1,4 +1,6 @@
-{ stdenv
+{
+  stdenv
+, lib
 , fetchFromGitHub
 , autoreconfHook
 , boost
@@ -8,16 +10,11 @@
 , automake
 , pkg-config
 , zlib
-
-, enableDebug ? false
 }:
 
-let
+stdenv.mkDerivation rec {
-  version = "4.12.0";
-in
-stdenv.mkDerivation {
   pname = "paraver-kernel";
-  inherit version;
+  version = "4.12.0";
 
   src = fetchFromGitHub {
     owner = "bsc-performance-tools";
@@ -38,14 +35,10 @@ stdenv.mkDerivation {
 
   dontStrip = true;
 
-  env =
+  preConfigure = ''
-    let
+    export CFLAGS="-O3 -DPARALLEL_ENABLED"
-      flags = "-DPARALLEL_ENABLED " + (if enableDebug then "-ggdb -Og" else "-O3");
+    export CXXFLAGS="-O3 -DPARALLEL_ENABLED"
-    in
+  '';
-    {
-      CFLAGS = flags;
-      CXXFLAGS = flags;
-    };
 
   configureFlags = [
     "--with-boost=${boost}"
@@ -65,4 +58,13 @@ stdenv.mkDerivation {
     xml2
     zlib
   ];
+
+  meta = {
+    homepage = "https://tools.bsc.es/paraver";
+    downloadPage = "https://github.com/bsc-performance-tools/paraver-kernel";
+    description = "Kernel library used by wxparaver";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.lgpl21Plus;
+  };
 }

pkgs/sonar/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , autoreconfHook
 , fetchFromGitHub
 , ovni
@@ -27,4 +28,12 @@ stdenv.mkDerivation rec {
     ovni
     mpi
   ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/sonar";
+    description = "Set of runtime libraries which instrument parallel programming models through the ovni instrumentation library";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.mit;
+  };
 }

pkgs/tagaspi/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , fetchFromGitHub
 , automake
 , autoconf
@@ -55,4 +56,12 @@ stdenv.mkDerivation rec {
   ];
 
   hardeningDisable = [ "all" ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/tagaspi";
+    description = "Task-Aware GASPI";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

pkgs/tampi/default.nix

@@ -61,4 +61,12 @@ in stdenv.mkDerivation {
   configureFlags = optional (enableOvni) "--with-ovni=${ovni}";
   dontDisableStatic = true;
   hardeningDisable = [ "all" ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/tampi";
+    description = "Task-Aware MPI";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

test/bugs/hwloc.nix

@@ -6,6 +6,7 @@
 
 stdenv.mkDerivation {
   name = "hwloc-test";
+  requiredSystemFeatures = [ "sys-devices" ];
 
   src = ./.;
 
@@ -14,7 +15,7 @@ stdenv.mkDerivation {
   buildPhase = ''
     ls -l /sys
     gcc -lhwloc hwloc.c -o hwloc
-    strace ./hwloc
+    strace ./hwloc > $out
   '';
 
 }

test/compilers/clang-openmp-ld.nix

@@ -23,9 +23,8 @@ in stdenv.mkDerivation {
   dontUnpack = true;
   dontConfigure = true;
 
-  # nOS-V requires access to /sys/devices to request NUMA information. It will
+  # nOS-V requires access to /sys/devices to request NUMA information
-  # fail to run otherwise, so we disable the sandbox for this test.
+  requiredSystemFeatures = [ "sys-devices" ];
-  __noChroot = true;
 
   buildInputs = [ openmp ];
 

test/compilers/clang-openmp-nosv.nix

@@ -36,9 +36,8 @@ in stdenv.mkDerivation {
   dontUnpack = true;
   dontConfigure = true;
 
-  # nOS-V requires access to /sys/devices to request NUMA information. It will
+  # nOS-V requires access to /sys/devices to request NUMA information
-  # fail to run otherwise, so we disable the sandbox for this test.
+  requiredSystemFeatures = [ "sys-devices" ];
-  __noChroot = true;
 
   buildInputs = [ nosv ];
 

test/compilers/clang-openmp.nix

@@ -24,9 +24,8 @@ in stdenv.mkDerivation {
   dontUnpack = true;
   dontConfigure = true;
 
-  # nOS-V requires access to /sys/devices to request NUMA information. It will
+  # nOS-V requires access to /sys/devices to request NUMA information
-  # fail to run otherwise, so we disable the sandbox for this test.
+  requiredSystemFeatures = [ "sys-devices" ];
-  __noChroot = true;
 
   buildPhase = ''
     set -x

test/compilers/ompss2.nix

@@ -25,9 +25,10 @@ stdenv.mkDerivation rec {
   hardeningDisable = [ "all" ];
   #NIX_DEBUG = 1;
   buildInputs = [ ]; #strace gdb;
-  # NODES requires access to /sys/devices to request NUMA information. It will
+
-  # fail to run otherwise, so we disable the sandbox for this test.
+  # NODES requires access to /sys/devices to request NUMA information
-  __noChroot = true;
+  requiredSystemFeatures = [ "sys-devices" ];
+
   buildPhase = ''
     set -x
     #$CC -v