From 3f8e6b9fcdd57953540e4150b1c2abec0c6f05ca Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Thu, 25 Sep 2025 15:15:43 +0200 Subject: [PATCH] Remove extra SSH jump configuration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We now have direct visibility among nodes so we don't need any extra SSH configuration to reach them. Reviewed-by: Aleix Boné --- m/apex/configuration.nix | 11 ----------- m/common/base/net.nix | 2 ++ m/common/ssf.nix | 1 - m/common/ssf/ssh.nix | 16 ---------------- m/fox/configuration.nix | 10 ---------- m/module/ssh-hut-extern.nix | 8 -------- m/raccoon/configuration.nix | 2 +- m/tent/configuration.nix | 2 +- 8 files changed, 4 insertions(+), 48 deletions(-) delete mode 100644 m/common/ssf/ssh.nix delete mode 100644 m/module/ssh-hut-extern.nix diff --git a/m/apex/configuration.nix b/m/apex/configuration.nix index 17828a32..82d38422 100644 --- a/m/apex/configuration.nix +++ b/m/apex/configuration.nix @@ -56,17 +56,6 @@ }; }; - # Use SSH tunnel to reach internal hosts - programs.ssh.extraConfig = '' - Host bscpm04.bsc.es gitlab-internal.bsc.es knights3.bsc.es - ProxyCommand nc -X connect -x localhost:23080 %h %p - Host raccoon - HostName knights3.bsc.es - ProxyCommand nc -X connect -x localhost:23080 %h %p - Host tent - ProxyJump raccoon - ''; - networking.firewall = { extraCommands = '' # Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our diff --git a/m/common/base/net.nix b/m/common/base/net.nix index 88c8c00f..9fe6c4db 100644 --- a/m/common/base/net.nix +++ b/m/common/base/net.nix @@ -16,6 +16,8 @@ hosts = { "84.88.53.236" = [ "ssfhead.bsc.es" "ssfhead" ]; "84.88.51.142" = [ "raccoon-ipmi" ]; + "192.168.11.12" = [ "bscpm04.bsc.es" ]; + "192.168.11.15" = [ "gitlab-internal.bsc.es" ]; }; }; } diff --git a/m/common/ssf.nix b/m/common/ssf.nix index 98a98e52..ef74da30 100644 --- a/m/common/ssf.nix +++ b/m/common/ssf.nix 
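Review bot: The two entries added to `hosts` in m/common/base/net.nix pin `bscpm04.bsc.es` and `gitlab-internal.bsc.es` to private 192.168.11.x addresses without a comment, and judging by its path this file is shared by every machine. With the `ProxyCommand` routes through apex removed elsewhere in this patch, a machine that is not attached to that network would connect to whatever answers at that address locally, so the SSH host key becomes the only remaining check. I would confirm that both hosts have their keys pinned (for example through `programs.ssh.knownHosts`) rather than trusted on first use, and add a comment such as `# Internal services, reached directly now that nodes see each other; no SSH jump`. If any machine importing this file sits outside that network, the entries belong in a narrower module.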
@@ -6,6 +6,5 @@ ./ssf/hosts.nix ./ssf/hosts-remote.nix ./ssf/net.nix - ./ssf/ssh.nix ]; } diff --git a/m/common/ssf/ssh.nix b/m/common/ssf/ssh.nix deleted file mode 100644 index b73abd79..00000000 --- a/m/common/ssf/ssh.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ - # Use SSH tunnel to apex to reach internal hosts - programs.ssh.extraConfig = '' - Host tent - ProxyJump raccoon - - # Access raccoon via the HTTP proxy - Host raccoon knights3.bsc.es - HostName knights3.bsc.es - ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p' - - # Make sure we can reach gitlab even if we don't have SSH access to raccoon - Host bscpm04.bsc.es gitlab-internal.bsc.es - ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p' - ''; -} diff --git a/m/fox/configuration.nix b/m/fox/configuration.nix index 3f6742b1..e890ba54 100644 --- a/m/fox/configuration.nix +++ b/m/fox/configuration.nix @@ -45,16 +45,6 @@ services.fail2ban.enable = true; - # Use SSH tunnel to reach internal hosts - programs.ssh.extraConfig = '' - Host bscpm04.bsc.es gitlab-internal.bsc.es tent - ProxyJump raccoon - Host raccoon - ProxyJump apex - HostName 127.0.0.1 - Port 22022 - ''; - networking = { timeServers = [ "ntp1.upc.edu" "ntp2.upc.edu" ]; hostName = "fox"; diff --git a/m/module/ssh-hut-extern.nix b/m/module/ssh-hut-extern.nix deleted file mode 100644 index cc6b26ac..00000000 --- a/m/module/ssh-hut-extern.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - programs.ssh.extraConfig = '' - Host apex ssfhead - HostName ssflogin.bsc.es - Host hut - ProxyJump apex - ''; -} diff --git a/m/raccoon/configuration.nix b/m/raccoon/configuration.nix index 7a608e20..b68b5193 100644 --- a/m/raccoon/configuration.nix +++ b/m/raccoon/configuration.nix @@ -3,9 +3,9 @@ { imports = [ ../common/base.nix + ../common/ssf/hosts.nix ../module/emulation.nix ../module/debuginfod.nix - ../module/ssh-hut-extern.nix ../module/nvidia.nix ../eudy/kernel/perf.nix ./wireguard.nix 
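Review bot: Swapping `../module/ssh-hut-extern.nix` for `../common/ssf/hosts.nix` in raccoon's imports changes how `apex`, `ssfhead` and `hut` are resolved. They were SSH aliases (`HostName ssflogin.bsc.es`, `ProxyJump apex`) and now rely on host entries in a file this patch does not show. Because ssh looks up known-host keys under the effective host name, keys recorded for `ssflogin.bsc.es` will presumably not match a connection made as plain `apex`, and users would get a first-use prompt. It is worth checking that the pinned host keys list the short names too, and that `hosts.nix` defines all three names. The same import swap is made in m/tent/configuration.nix.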
diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix index 9d56ba70..79c9f458 100644 --- a/m/tent/configuration.nix +++ b/m/tent/configuration.nix @@ -3,9 +3,9 @@ { imports = [ ../common/xeon.nix + ../common/ssf/hosts.nix ../module/emulation.nix ../module/debuginfod.nix - ../module/ssh-hut-extern.nix ./monitoring.nix ./nginx.nix ./nix-serve.nix