From 55b71d690192d3c7d3dc78e86c1763fc02b99542 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aleix=20Bon=C3=A9?= <aleix.boneribo@bsc.es>
Date: Wed, 26 Feb 2025 16:03:26 +0100
Subject: [PATCH] Use hut nix cache in owl1, owl2 and raccoon

For owl1 and owl2 directly connect to hut via LAN with HTTP, but for
raccoon pass via the proxy using jungle.bsc.es with HTTPS. There is no
risk of tampering as packages are signed.

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
---
 m/common/xeon/net.nix        |  2 +-
 m/module/hut-substituter.nix | 10 ++++++++++
 m/owl1/configuration.nix     |  1 +
 m/owl2/configuration.nix     |  1 +
 m/raccoon/configuration.nix  |  5 +++++
 5 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 m/module/hut-substituter.nix

diff --git a/m/common/xeon/net.nix b/m/common/xeon/net.nix
index 965bc1f..09e83ed 100644
--- a/m/common/xeon/net.nix
+++ b/m/common/xeon/net.nix
@@ -11,7 +11,7 @@
 
     proxy = {
       default = "http://hut:23080/";
-      noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40";
+      noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40,hut";
       # Don't set all_proxy as go complains and breaks the gitlab runner, see:
       # https://github.com/golang/go/issues/16715
       allProxy = null;
diff --git a/m/module/hut-substituter.nix b/m/module/hut-substituter.nix
new file mode 100644
index 0000000..9b871f6
--- /dev/null
+++ b/m/module/hut-substituter.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+  nix.settings =
+    # Don't add hut as a cache to itself
+    assert config.networking.hostName != "hut";
+    {
+      substituters = [ "http://hut/cache" ];
+      trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+    };
+}
diff --git a/m/owl1/configuration.nix b/m/owl1/configuration.nix
index 7fc4a8f..20e3cf5 100644
--- a/m/owl1/configuration.nix
+++ b/m/owl1/configuration.nix
@@ -8,6 +8,7 @@
     ../module/slurm-client.nix
     ../module/slurm-firewall.nix
     ../module/debuginfod.nix
+    ../module/hut-substituter.nix
   ];
 
   # Select the this using the ID to avoid mismatches
diff --git a/m/owl2/configuration.nix b/m/owl2/configuration.nix
index 3ea9413..54849f6 100644
--- a/m/owl2/configuration.nix
+++ b/m/owl2/configuration.nix
@@ -8,6 +8,7 @@
     ../module/slurm-client.nix
     ../module/slurm-firewall.nix
     ../module/debuginfod.nix
+    ../module/hut-substituter.nix
   ];
 
   # Select the this using the ID to avoid mismatches
diff --git a/m/raccoon/configuration.nix b/m/raccoon/configuration.nix
index be9b10c..dd15a82 100644
--- a/m/raccoon/configuration.nix
+++ b/m/raccoon/configuration.nix
@@ -25,6 +25,11 @@
     } ];
   };
 
+  nix.settings = {
+    substituters = [ "https://jungle.bsc.es/cache" ];
+    trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+  };
+
   # Configure Nvidia driver to use with CUDA
   hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production;
   hardware.graphics.enable = true;