From 10adc7cbed3086b6b06257f1c01001b8e42cc410 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 11 Jul 2025 12:29:52 +0200 Subject: [PATCH] Add proxy configuration for internal hosts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Access internal hosts via apex proxy. From the compute nodes we first open an SSH connection to apex, and then tunnel it through the HTTP proxy with netcat. This way we allow reaching internal GitLab repositories without requiring the user to have credentials in the remote host, while we can use multiple remotes to provide redundancy. Reviewed-by: Aleix Boné --- m/apex/configuration.nix | 11 +++++++++++ m/common/ssf.nix | 3 ++- m/common/ssf/ssh.nix | 16 ++++++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 m/common/ssf/ssh.nix diff --git a/m/apex/configuration.nix b/m/apex/configuration.nix index a36a9657..0f59f8fb 100644 --- a/m/apex/configuration.nix +++ b/m/apex/configuration.nix @@ -54,6 +54,17 @@ }; }; + # Use SSH tunnel to reach internal hosts + programs.ssh.extraConfig = '' + Host bscpm04.bsc.es gitlab-internal.bsc.es knights3.bsc.es + ProxyCommand nc -X connect -x localhost:23080 %h %p + Host raccoon + HostName knights3.bsc.es + ProxyCommand nc -X connect -x localhost:23080 %h %p + Host tent + ProxyJump raccoon + ''; + # Use tent for cache nix.settings = { extra-substituters = [ "https://jungle.bsc.es/cache" ]; diff --git a/m/common/ssf.nix b/m/common/ssf.nix index 60fbb044..8e8dc6b4 100644 --- a/m/common/ssf.nix +++ b/m/common/ssf.nix @@ -3,7 +3,8 @@ imports = [ ./xeon.nix ./ssf/fs.nix - ./ssf/net.nix ./ssf/hosts.nix + ./ssf/net.nix + ./ssf/ssh.nix ]; } diff --git a/m/common/ssf/ssh.nix b/m/common/ssf/ssh.nix new file mode 100644 index 00000000..b73abd79 --- /dev/null +++ b/m/common/ssf/ssh.nix 
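Review bot: In m/apex/configuration.nix the new `Host bscpm04.bsc.es gitlab-internal.bsc.es knights3.bsc.es` and `Host raccoon` blocks send every connection through the HTTP proxy on `localhost:23080`, but nothing in the hunk pins the host keys of those destinations, so the first connection is trust-on-first-use across an intermediary. SSH host-key verification is the only end-to-end check on this path, so I would declare the keys next to the block, e.g. `programs.ssh.knownHosts."gitlab-internal.bsc.es".publicKey = "<host public key>";` and likewise for the other names, unless a module this diff does not show already declares them. The same applies to the `Host` blocks added in m/common/ssf/ssh.nix, where the path additionally passes through apex. The enclosing attribute set starts and ends outside the hunk.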
@@ -0,0 +1,16 @@
+{
+ # Use SSH tunnel to apex to reach internal hosts
+ programs.ssh.extraConfig = ''
+ Host tent
+ ProxyJump raccoon
+
+ # Access raccoon via the HTTP proxy
+ Host raccoon knights3.bsc.es
+ HostName knights3.bsc.es
+ ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p'
+
+ # Make sure we can reach gitlab even if we don't have SSH access to raccoon
+ Host bscpm04.bsc.es gitlab-internal.bsc.es
+ ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p'
+ '';
+}
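Review bot: The two `ProxyCommand=ssh apex '...'` lines start a second ssh as whichever local user invoked the outer one, and since `programs.ssh.extraConfig` is system-wide this also covers non-interactive callers; the file should state that prerequisite. I would extend the header comment to something like `# Requires the calling user to have SSH access to apex; nc runs on apex against its local HTTP proxy (port 23080)`. A smaller style point: these lines use the `ProxyCommand=...` form while m/apex/configuration.nix uses `ProxyCommand nc ...`, and the proxy address is written out twice in each file. A `let` binding per file for the command string would keep the copies in step.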