From 29daa3c364fb01d8965d765d97da64fcd9753dd6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aleix=20Bon=C3=A9?= <aleix.boneribo@bsc.es>
Date: Wed, 26 Feb 2025 16:03:26 +0100
Subject: [PATCH] Use hut nix cache in owl1, owl2 and raccoon

For owl1 and owl2 directly connect to hut via LAN with HTTP, but for
raccoon pass via the proxy using jungle.bsc.es with HTTPS. There is no
risk of tampering as packages are signed.

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
---
 m/common/xeon/net.nix        |  2 +-
 m/module/hut-substituter.nix | 10 ++++++++++
 m/owl1/configuration.nix     |  1 +
 m/owl2/configuration.nix     |  1 +
 m/raccoon/configuration.nix  |  5 +++++
 5 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 m/module/hut-substituter.nix

diff --git a/m/common/xeon/net.nix b/m/common/xeon/net.nix
index 965bc1f2..09e83edf 100644
--- a/m/common/xeon/net.nix
+++ b/m/common/xeon/net.nix
@@ -11,7 +11,7 @@
 
     proxy = {
       default = "http://hut:23080/";
-      noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40";
+      noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40,hut";
       # Don't set all_proxy as go complains and breaks the gitlab runner, see:
       # https://github.com/golang/go/issues/16715
       allProxy = null;
diff --git a/m/module/hut-substituter.nix b/m/module/hut-substituter.nix
new file mode 100644
index 00000000..9b871f64
--- /dev/null
+++ b/m/module/hut-substituter.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+  nix.settings =
+    # Don't add hut as a cache to itself
+    assert config.networking.hostName != "hut";
+    {
+      substituters = [ "http://hut/cache" ];
+      trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+    };
+}
diff --git a/m/owl1/configuration.nix b/m/owl1/configuration.nix
index 7fc4a8fb..20e3cf57 100644
--- a/m/owl1/configuration.nix
+++ b/m/owl1/configuration.nix
@@ -8,6 +8,7 @@
     ../module/slurm-client.nix
     ../module/slurm-firewall.nix
     ../module/debuginfod.nix
+    ../module/hut-substituter.nix
   ];
 
   # Select the this using the ID to avoid mismatches
diff --git a/m/owl2/configuration.nix b/m/owl2/configuration.nix
index 3ea94130..54849f6a 100644
--- a/m/owl2/configuration.nix
+++ b/m/owl2/configuration.nix
@@ -8,6 +8,7 @@
     ../module/slurm-client.nix
     ../module/slurm-firewall.nix
     ../module/debuginfod.nix
+    ../module/hut-substituter.nix
   ];
 
   # Select the this using the ID to avoid mismatches
diff --git a/m/raccoon/configuration.nix b/m/raccoon/configuration.nix
index be9b10cd..dd15a82b 100644
--- a/m/raccoon/configuration.nix
+++ b/m/raccoon/configuration.nix
@@ -25,6 +25,11 @@
     } ];
   };
 
+  nix.settings = {
+    substituters = [ "https://jungle.bsc.es/cache" ];
+    trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+  };
+
   # Configure Nvidia driver to use with CUDA
   hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production;
   hardware.graphics.enable = true;