Add proxy configuration for internal hosts

Access internal hosts via apex proxy. From the compute nodes we first
open an SSH connection to apex, and then tunnel it through the HTTP
proxy with netcat.

This way we allow reaching internal GitLab repositories without
requiring the user to have credentials in the remote host, while we can
use multiple remotes to provide redundancy.

Reviewed-by: Aleix Boné <abonerib@bsc.es>

m/apex/configuration.nix

@@ -54,6 +54,17 @@
     };
   };
 
+  # Use SSH tunnel to reach internal hosts
+  programs.ssh.extraConfig = ''
+    Host bscpm04.bsc.es gitlab-internal.bsc.es knights3.bsc.es
+      ProxyCommand nc -X connect -x localhost:23080 %h %p
+    Host raccoon
+      HostName knights3.bsc.es
+      ProxyCommand nc -X connect -x localhost:23080 %h %p
+    Host tent
+      ProxyJump raccoon
+  '';
+
   # Use tent for cache
   nix.settings = {
     extra-substituters = [ "https://jungle.bsc.es/cache" ];

m/common/ssf.nix

@@ -3,7 +3,8 @@
   imports = [
     ./xeon.nix
     ./ssf/fs.nix
-    ./ssf/net.nix
     ./ssf/hosts.nix
+    ./ssf/net.nix
+    ./ssf/ssh.nix
   ];
 }

m/common/ssf/ssh.nix

@@ -0,0 +1,16 @@
+{
+  # Use SSH tunnel to apex to reach internal hosts
+  programs.ssh.extraConfig = ''
+    Host tent
+      ProxyJump raccoon
+
+    # Access raccoon via the HTTP proxy
+    Host raccoon knights3.bsc.es
+      HostName knights3.bsc.es
+      ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p'
+
+    # Make sure we can reach gitlab even if we don't have SSH access to raccoon
+    Host bscpm04.bsc.es gitlab-internal.bsc.es
+      ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p'
+  '';
+}