Merge weasel and gitea-dump

Proper override for haskell package

madness

Fix nix-serve-ng override

flake.lock

@@ -2,16 +2,16 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1752436162,
+        "lastModified": 1767634882,
-        "narHash": "sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw=",
+        "narHash": "sha256-2GffSfQxe3sedHzK+sTKlYo/NTIAGzbFCIsNMUPAAnk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dfcd5b901dbab46c9c6e80b265648481aafb01f8",
+        "rev": "3c9db02515ef1d9b6b709fc60ba9a540957f661c",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -1,6 +1,6 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
   };
 
   outputs = { self, nixpkgs, ... }:

m/apex/configuration.nix

@@ -57,6 +57,18 @@
     };
   };
 
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    bantime-increment = {
+      enable = true; # Double ban time on each attack
+      maxtime = "7d"; # Ban up to a week
+    };
+  };
+
+  # Disable SSH login with password, allow only keypair
+  services.openssh.settings.PasswordAuthentication = false;
+
   networking.firewall = {
     extraCommands = ''
       # Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our

m/bay/configuration.nix

@@ -24,7 +24,7 @@
       address = "10.0.40.40";
       prefixLength = 24;
     } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
       address = "10.0.42.40";
       prefixLength = 24;
     } ];

m/common/base.nix

@@ -7,6 +7,7 @@
     ./base/august-shutdown.nix
     ./base/boot.nix
     ./base/env.nix
+    ./base/fish.nix
     ./base/fs.nix
     ./base/hw.nix
     ./base/net.nix

m/common/base/env.nix

@@ -1,12 +1,37 @@
-{ pkgs, config, ... }:
+{ pkgs, ... }:
 
 {
   environment.systemPackages = with pkgs; [
-    vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
+    cmake
-    nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
+    ethtool
-    ncdu config.boot.kernelPackages.perf ldns pv
+    file
+    freeipmi
+    git
+    gnumake
+    home-manager
+    htop
+    ipmitool
+    ldns
+    lm_sensors
+    ncdu
+    nix-diff
+    nix-index
+    nix-output-monitor
+    nixfmt-tree
+    nixos-option
+    pciutils
+    perf
+    pv
+    ripgrep
+    tcpdump
+    tmux
+    tree
+    vim
+    wget
+
     # From jungle overlay
-    osumb nixgen
+    nixgen
+    osumb
   ];
 
   programs.direnv.enable = true;
@@ -28,9 +53,22 @@
     VISUAL = "vim";
   };
 
-  programs.bash.promptInit = ''
+  programs.bash.promptInit = # bash
-    PS1="\h\\$ "
+    ''
-  '';
+      if echo "$PATH" | grep -qc '/nix/store'; then
+        # Inside a nix shell, dumb prompt
+        PS1="\h\\$ "
+      elif [ "$TERM" != "dumb" ] ; then
+        PROMPT_COLOR="1;31m"
+        ((UID)) && PROMPT_COLOR="1;32m"
+
+        PS1="\n\[\033[$PROMPT_COLOR\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\\$\[\033[0m\] "
+
+        if test "$TERM" = "xterm"; then
+          PS1="\[\033]2;\h:\u:\w\007\]$PS1"
+        fi
+      fi
+    '';
 
   time.timeZone = "Europe/Madrid";
   i18n.defaultLocale = "en_DK.UTF-8";

m/common/base/fish.nix

@@ -0,0 +1,3 @@
+{
+  programs.fish.enable = true;
+}

m/common/base/users.nix

@@ -87,6 +87,13 @@
         openssh.authorizedKeys.keys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc"
         ];
+        shell = pkgs.fish;
+        packages = with pkgs; [
+          fzf
+          jujutsu
+          neovim
+          starship
+        ];
       };
 
       vlopez = {
@@ -139,6 +146,7 @@
         openssh.authorizedKeys.keys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"
         ];
+        shell = pkgs.zsh;
       };
 
       pmartin1 = {
@@ -193,6 +201,32 @@
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlRX7ZCnqtUJYCxKgWmgSrFCYuA2LHY96rVwqxXPl86 aaguirre@BSC-8488184117"
         ];
       };
+
+      emonteir = {
+        uid = 9656;
+        isNormalUser = true;
+        home = "/home/Computational/emonteir";
+        description = "Erwin Royson Monteiro";
+        group = "Computational";
+        hosts = [ "apex" "fox" ];
+        hashedPassword = "$6$0mU88zd3ZuK5NiJQ$DFWL5RMLH6esQM5UyhBCiiNryw4lDDmvJp7Usz3tmevnsiSJr6u0RsUKAnR/K8GRBFrV1.GocrgNjKjik5GY//";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKZKot/Y3F5Wq9pQIXlCbyvQuVVeWMCsAC96Nd+LTcG erwin@Oreo"
+        ];
+      };
+
+      ssanzmar = {
+        uid = 9657;
+        isNormalUser = true;
+        home = "/home/Computational/ssanzmar";
+        description = "Sergio Sanz Martínez";
+        group = "Computational";
+        hosts = [ "apex" "fox" ];
+        hashedPassword = "$6$HUjNDJeJMmNQ6M64$laXSOZcXg6o4v2r8Jm8Xj9kmqw7veCY32po3TVDPRR4WlyxvOeqwoKr4NjlUlPPpKN55Oot3ZYHi.9iNXsH5E1";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIELrsRRHXryrdA2ZBx5XmdGxL4DC5bmJydhBeTWQ0SQ sergio.sanz.martinez@estudiantat.upc.edu"
+        ];
+      };
     };
 
     groups = {

m/common/base/watchdog.nix

@@ -5,5 +5,5 @@
   boot.kernelModules = [ "ipmi_watchdog" ];
 
   # Enable systemd watchdog with 30 s interval
-  systemd.watchdog.runtimeTime = "30s";
+  systemd.settings.Manager.RuntimeWatchdogSec = 30;
 }

m/eudy/kernel/perf.nix

@@ -1,11 +1,6 @@
-{ config, pkgs, lib, ... }:
+{ pkgs, lib, ... }:
 
 {
-  # add the perf tool
-  environment.systemPackages = with pkgs; [
-    config.boot.kernelPackages.perf
-  ];
-
   # allow non-root users to read tracing data from the kernel
   boot.kernel.sysctl."kernel.perf_event_paranoid" = -2;
   boot.kernel.sysctl."kernel.kptr_restrict" = 0;

m/hut/configuration.nix

@@ -45,7 +45,7 @@
       address = "10.0.40.7";
       prefixLength = 24;
     } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
       address = "10.0.42.7";
       prefixLength = 24;
     } ];

m/hut/nginx.nix

@@ -4,8 +4,8 @@ let
     name = "jungle-web";
     src = pkgs.fetchgit {
       url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
+      rev = "5f18335d14126d2fef134c0cd441771436f7dfa1";
-      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
+      hash = "sha256-s9VBF91sQ7hg9+lrwNFPYgoXTTyXaQcAulCiGJgWERo=";
     };
     buildInputs = [ pkgs.hugo ];
     buildPhase = ''

m/lake2/configuration.nix

@@ -46,7 +46,7 @@
       address = "10.0.40.42";
       prefixLength = 24;
     } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
       address = "10.0.42.42";
       prefixLength = 24;
     } ];

m/module/debuginfod.nix

@@ -1,3 +1,10 @@
 {
-  services.nixseparatedebuginfod.enable = true;
+  services.nixseparatedebuginfod2 = {
+    enable = true;
+    substituters = [
+      "local:"
+      "https://cache.nixos.org"
+      "http://hut/cache"
+    ];
+  };
 }

m/module/tc1-board.nix

@@ -0,0 +1,27 @@
+{ lib, pkgs, ... }:
+
+{
+  # Allow user access to FTDI USB device
+  services.udev.packages = lib.singleton (pkgs.writeTextFile {
+    # Needs to be < 73
+    name = "60-ftdi-tc1.rules";
+    text = ''
+      # Bus 003 Device 003: ID 0403:6011 Future Technology Devices International, Ltd FT4232H Quad HS USB-UART/FIFO IC
+      # Use := to make sure it doesn't get changed later
+      SUBSYSTEMS=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6011", MODE:="0666"
+    '';
+    destination = "/etc/udev/rules.d/60-ftdi-tc1.rules";
+  });
+
+  # Allow access to USB for docker in GitLab runner
+  services.gitlab-runner = {
+    services.gitlab-bsc-docker = {
+      registrationFlags = [
+        # We need raw access to the USB port to reboot the board
+        "--docker-devices /dev/bus/usb/003/003"
+        # And TTY access for the serial port
+        "--docker-devices /dev/ttyUSB2"
+      ];
+    };
+  };
+}

m/owl1/configuration.nix

@@ -20,7 +20,7 @@
       address = "10.0.40.1";
       prefixLength = 24;
     } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
       address = "10.0.42.1";
       prefixLength = 24;
     } ];

m/owl2/configuration.nix

@@ -21,7 +21,7 @@
       prefixLength = 24;
     } ];
     # Watch out! The OmniPath device is not in the same place here:
-    interfaces.ibp129s0.ipv4.addresses = [ {
+    interfaces.ibs801.ipv4.addresses = [ {
       address = "10.0.42.2";
       prefixLength = 24;
     } ];

m/tent/configuration.nix

@@ -16,6 +16,7 @@
     ../module/p.nix
     ../module/vpn-dac.nix
     ../module/hut-substituter.nix
+    ../module/tc1-board.nix
   ];
 
   # Select the this using the ID to avoid mismatches

m/tent/gitea.nix

@@ -6,25 +6,62 @@
 
     settings = {
       server = {
-        ROOT_URL = "https://jungle.bsc.es/git/";
-        LOCAL_ROOT_URL = "https://jungle.bsc.es/git/";
         LANDING_PAGE = "explore";
       };
-      metrics.ENABLED = true;
       service = {
-        DISABLE_REGISTRATION = true;
-        REGISTER_MANUAL_CONFIRM = true;
-        ENABLE_NOTIFY_MAIL = true;
       };
       log.LEVEL = "Warn";
 
       mailer = {
-        ENABLED       = true;
+        ENABLED       = false;
         FROM          = "jungle-robot@bsc.es";
         PROTOCOL      = "sendmail";
         SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
         SENDMAIL_ARGS = "--";
       };
     };
+
+    dump = {
+      enable = false; # Do not enable NixOS module, use our custom systemd script below
+      backupDir = "/vault/gitea";
+    };
   };
+
+  systemd.services.gitea-dump-rotating = let
+    cfg = config.services.gitea;
+    exe = lib.getExe cfg.package;
+  in {
+    description = "gitea dump rotation";
+    after = [ "gitea.service" ];
+    path = [ cfg.package ];
+
+    environment = {
+      USER = cfg.user;
+      HOME = cfg.stateDir;
+      GITEA_WORK_DIR = cfg.stateDir;
+      GITEA_CUSTOM = cfg.customDir;
+    };
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = cfg.user;
+      WorkingDirectory = cfg.dump.backupDir;
+    };
+
+    script = ''
+      name="gitea-dump-$(date +%a).${cfg.dump.type}"
+      ${exe} dump --type ${cfg.dump.type} --file - >"$name.tmp"
+      mv "$name.tmp" "$name"
+    '';
+  };
+
+  systemd.timers.gitea-dump-rotating = {
+    description = "Update timer for gitea-dump-rotating";
+    partOf = [ "gitea-dump-rotating.service" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = config.services.gitea.dump.interval;
+  };
+
+  # Allow gitea user to send mail
+  users.users.gitea.extraGroups = [ "mail-robot" ];
 }

m/tent/gitlab-runner.nix

@@ -43,6 +43,7 @@
         registrationFlags = [
           # Increase build log length to 64 MiB
           "--output-limit 65536"
+          "--docker-network-mode host"
         ];
         preBuildScript = pkgs.writeScript "setup-container" ''
           mkdir -p -m 0755 /nix/var/log/nix/drvs

m/tent/nginx.nix

@@ -4,8 +4,8 @@ let
     name = "jungle-web";
     src = pkgs.fetchgit {
       url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
+      rev = "5f18335d14126d2fef134c0cd441771436f7dfa1";
-      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
+      hash = "sha256-s9VBF91sQ7hg9+lrwNFPYgoXTTyXaQcAulCiGJgWERo=";
     };
     buildInputs = [ pkgs.hugo ];
     buildPhase = ''

m/weasel/configuration.nix

@@ -1,9 +1,11 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 
 {
   imports = [
     ../common/ssf.nix
     ../module/hut-substituter.nix
+    ./hydra.nix
+    ../tent/gitea.nix
   ];
 
   # Select this using the ID to avoid mismatches
@@ -25,9 +27,27 @@
       address = "10.0.40.6";
       prefixLength = 24;
     } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
       address = "10.0.42.6";
       prefixLength = 24;
     } ];
   };
+
+  services.nix-serve = {
+    enable = true;
+    bindAddress = "0.0.0.0";
+    port = 5000;
+    package = pkgs.haskell.lib.overrideSrc (pkgs.haskell.packages.ghc96.nix-serve-ng.override { nix = pkgs.nixVersions.nix_2_28; }) {
+      src = pkgs.fetchgit {
+        url = "https://jungle.bsc.es/git/abonerib/nix-serve-ng.git";
+        rev = "9c056641300a826db66b66d7e584b2541d38927a";
+        hash = "sha256-y69ZchFiZOU71eyeljcQgLxkLk5JUzZfanq8Yzw4MkI=";
+      };
+      version = "unstable";
+    };
+
+    secretKeyFile = "/var/cache-priv-key.pem";
+    # Public key:
+    # 10.0.40.6:8jBhIdXEBap+Qo+vc1/fnV9vj43A2oDk839EEheRr/U=
+  };
 }

m/weasel/hydra.nix

@@ -0,0 +1,57 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  services.hydra = {
+    enable = true;
+
+    # Wrap hydra so it puts quiet flag every time... This is dumb and annoying,
+    # but i can't override the systemd ExecStart without running into infinite
+    # recursion.
+    package = pkgs.symlinkJoin {
+      name = "hydra-quiet";
+      paths = [ pkgs.hydra ];
+      postBuild = ''
+        for prog in hydra-queue-runner hydra-evaluator ; do
+          prev=$(realpath $out/bin/$prog)
+          rm $out/bin/$prog
+          cat >$out/bin/$prog <<EOF
+        #!/bin/sh
+        args=()
+        for arg in "\$@"; do
+          if [ "\$arg" != "-v" ]; then
+            args+=("\$arg")
+          fi
+        done
+        exec $prev --quiet "\''${args[@]}"
+        EOF
+
+          chmod +x $out/bin/$prog
+        done
+      '';
+    };
+
+    hydraURL = "http://localhost:3001"; # externally visible URL
+    notificationSender = "hydra@jungle.bsc.es"; # e-mail of Hydra service
+    port = 3001;
+    # a standalone Hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
+    buildMachinesFiles = [ ];
+    # you will probably also want, otherwise *everything* will be built from scratch
+    useSubstitutes = true;
+    listenHost = "0.0.0.0"; # Force IPv4
+  };
+
+  systemd.services.hydra-send-stats.enable = lib.mkForce false;
+
+  networking.firewall.allowedTCPPorts = [ config.services.hydra.port ];
+
+  nix.settings.extra-allowed-uris = [
+    "git+ssh://git@bscpm04.bsc.es"
+    "git+ssh://git@gitlab-internal.bsc.es"
+    "https://github.com"
+    "git+ssh://github.com"
+  ];
+}

overlay.nix

@@ -30,7 +30,8 @@ let
       amd-uprof-driver = _prev.callPackage ./pkgs/amd-uprof/driver.nix { };
     });
     lmbench = callPackage ./pkgs/lmbench/default.nix { };
-    mcxx = callPackage ./pkgs/mcxx/default.nix { };
+    # Broken and unmantained
+    # mcxx = callPackage ./pkgs/mcxx/default.nix { };
     meteocat-exporter = prev.callPackage ./pkgs/meteocat-exporter/default.nix { };
     mpi = final.mpich; # Set MPICH as default
     mpich = callPackage ./pkgs/mpich/default.nix { mpich = prev.mpich; };

pkgs/amd-uprof/driver.nix

@@ -19,7 +19,7 @@ in stdenv.mkDerivation {
   '';
   hardeningDisable = [ "pic" "format" ];
   nativeBuildInputs = kernel.moduleBuildDependencies;
-  patches = [ ./makefile.patch ./hrtimer.patch ];
+  patches = [ ./makefile.patch ./hrtimer.patch ./remove-wr-rdmsrq.patch ];
   makeFlags = [
     "KERNEL_VERSION=${kernel.modDirVersion}"
     "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"

pkgs/amd-uprof/remove-wr-rdmsrq.patch

@@ -0,0 +1,20 @@
+diff --git a/inc/PwrProfAsm.h b/inc/PwrProfAsm.h
+index d77770a..c93a0e9 100644
+--- a/inc/PwrProfAsm.h
++++ b/inc/PwrProfAsm.h
+@@ -347,6 +347,7 @@
+ 
+ #endif
+ 
++/*
+ #define rdmsrq(msr,val1,val2,val3,val4) ({ \
+         __asm__ __volatile__( \
+                               "rdmsr\n" \
+@@ -362,6 +363,7 @@
+                               :"c"(msr), "a"(val1), "d"(val2), "S"(val3), "D"(val4) \
+                             ); \
+     })
++*/
+ 
+ #define rdmsrpw(msr,val1,val2,val3,val4) ({ \
+         __asm__ __volatile__( \

pkgs/cudainfo/default.nix

@@ -12,7 +12,7 @@ stdenv.mkDerivation (finalAttrs: {
   src = ./.;
   buildInputs = [
     cudatoolkit # Required for nvcc
-    cudaPackages.cuda_cudart.static # Required for -lcudart_static
+    (lib.getOutput "static" cudaPackages.cuda_cudart) # Required for -lcudart_static
     autoAddDriverRunpath
   ];
   installPhase = ''

pkgs/intel-oneapi/2023.nix

@@ -10,7 +10,7 @@
 , zlib
 , autoPatchelfHook
 , libfabric
-, gcc13
+, gcc
 , wrapCCWith
 }:
 
@@ -33,8 +33,6 @@ let
     maintainers = with lib.maintainers.bsc; [ abonerib ];
   };
 
-  gcc = gcc13;
-
   v = {
     hpckit   = "2023.1.0";
     compiler = "2023.1.0";

pkgs/llvm-ompss2/default.nix

@@ -27,10 +27,10 @@ let
   # We need to replace the lld linker from bintools with our linker just built,
   # otherwise we run into incompatibility issues when mixing compiler and linker
   # versions.
-  bintools-unwrapped = llvmPackages_latest.tools.bintools-unwrapped.override {
+  bintools-unwrapped = llvmPackages_latest.bintools-unwrapped.override {
     lld = clangOmpss2Unwrapped;
   };
-  bintools = llvmPackages_latest.tools.bintools.override {
+  bintools = llvmPackages_latest.bintools.override {
     bintools = bintools-unwrapped;
   };
   targetConfig = stdenv.targetPlatform.config;

pkgs/mcxx/default.nix

@@ -65,6 +65,7 @@ stdenv.mkDerivation rec {
   ];
 
   meta = {
+    broken = true;
     homepage = "https://github.com/bsc-pm/mcxx";
     description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
     maintainers = with lib.maintainers.bsc; [ rpenacob ];

pkgs/meteocat-exporter/default.nix

@@ -1,9 +1,11 @@
 { python3Packages, lib }:
 
-python3Packages.buildPythonApplication rec {
+python3Packages.buildPythonApplication {
   pname = "meteocat-exporter";
   version = "1.0";
 
+  pyproject = true;
+
   src = ./.;
 
   doCheck = false;

pkgs/paraver/default.nix

@@ -12,7 +12,7 @@
 , paraverKernel
 , openssl
 , glibcLocales
-, wrapGAppsHook
+, wrapGAppsHook3
 }:
 
 let
@@ -64,7 +64,7 @@ stdenv.mkDerivation rec {
     autoconf
     automake
     autoreconfHook
-    wrapGAppsHook
+    wrapGAppsHook3
   ];
 
   buildInputs = [

pkgs/upc-qaire-exporter/default.nix

@@ -1,9 +1,11 @@
 { python3Packages, lib }:
 
-python3Packages.buildPythonApplication rec {
+python3Packages.buildPythonApplication {
   pname = "upc-qaire-exporter";
   version = "1.0";
 
+  pyproject = true;
+
   src = ./.;
 
   doCheck = false;