rarias/jungle
rarias/jungle
2
0
Fork 3
Code Issues 53 Pull Requests 10 Actions Packages Projects Releases Wiki Activity
424 Commits 24 Branches 0 Tags
Commit Graph

424 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rodrigo Arias Mallo
4db07cb9c3 Add missing symlink in cuda sandbox 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Aleix Boné
e2d8a17fad Enable cuda systemFeature in raccoon and fox 
This allows running derivations which depend on cuda runtime without
breaking the sandbox. We only need to add `requiredSystemFeatures = [ "cuda" ];`
to the derivation.

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
 2025-10-01 16:40:17 +02:00
Aleix Boné
a05ef0c3eb Move shared nvidia settings to a separate module 
Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
 2025-10-01 16:40:17 +02:00
Aleix Boné
ef2f2115de Replace xeon07 by hut in ssh config 
The xeon07 machine has been renamed to hut.

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
deb3370cdc Enable automatic Nix GC in raccoon 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
1d2dca5869 Select proprietary NVIDIA driver in raccoon 
The NVIDIA GTX 960 from 2016 has the Maxwell architecture, and NixOS
suggests using the proprietary driver for older than Turing:

> It is suggested to use the open source kernel modules on Turing or
> later GPUs (RTX series, GTX 16xx), and the closed source modules
> otherwise.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
111c13d200 Enable open source NVidia driver in fox 
It is recommended for newer versions.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
ef166563d8 Remove option allowUnfree from fox and raccoon 
It is already set to true for all machines.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
9e5ce89600 Ban another scanner trying to connect via SSH 
It is constantly spamming out logs:

apex# journalctl | grep 'Connection closed by 84.88.52.176' | wc -l
2255

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
9c11076a43 Update weasel IPMI hostname for monitoring 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
a81aebc788 Remove merged MPICH patch 
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
0a39169d17 Remove package ix as it is gone 
Fails with: "error: ix has been removed from Nixpkgs, as the ix.io
pastebin has been offline since Dec. 2023".

Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
957da4b1fd flake.lock: Update 
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41?narHash=sha256-b%2Buqzj%2BWa6xgMS9aNbX4I%2BsXeb5biPDi39VgvSFqFvU%3D' (2024-08-10)
  → 'github:ryantm/agenix/531beac616433bac6f9e2a19feb8e99a22a66baf?narHash=sha256-9P1FziAwl5%2B3edkfFcr5HeGtQUtrSdk/MksX39GieoA%3D' (2025-06-17)
• Updated input 'agenix/darwin':
    'github:lnl7/nix-darwin/4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d?narHash=sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0%3D' (2023-11-24)
  → 'github:lnl7/nix-darwin/43975d782b418ebf4969e9ccba82466728c2851b?narHash=sha256-dyN%2BteG9G82G%2Bm%2BPX/aSAagkC%2BvUv0SgUw3XkPhQodQ%3D' (2025-04-12)
• Updated input 'agenix/home-manager':
    'github:nix-community/home-manager/3bfaacf46133c037bb356193bd2f1765d9dc82c1?narHash=sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE%3D' (2023-12-20)
  → 'github:nix-community/home-manager/abfad3d2958c9e6300a883bd443512c55dfeb1be?narHash=sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs%3D' (2025-04-24)
• Updated input 'bscpkgs':
    'git+https://git.sr.ht/~rodarima/bscpkgs?ref=refs/heads/master&rev=6782fc6c5b5a29e84a7f2c2d1064f4bcb1288c0f' (2024-11-29)
  → 'git+https://git.sr.ht/~rodarima/bscpkgs?ref=refs/heads/master&rev=9d1944c658929b6f98b3f3803fead4d1b91c4405' (2025-06-11)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/9c6b49aeac36e2ed73a8c472f1546f6d9cf1addc?narHash=sha256-i/UJ5I7HoqmFMwZEH6vAvBxOrjjOJNU739lnZnhUln8%3D' (2025-01-14)
  → 'github:NixOS/nixpkgs/dfcd5b901dbab46c9c6e80b265648481aafb01f8?narHash=sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw%3D' (2025-07-13)

Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
acd8fd6c51 Upgrade nixpkgs to nixos 25.05 
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
99741382ab Silently ban OpenVAS BSC scanner from apex 
It is spamming our logs with refused connection lines:

apex% sudo journalctl -b0 | grep 'refused connection.*SRC=192.168.8.16' | wc -l
13945

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
d487241db2 Rotate anavarro password and SSH key 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
24128e22f4 Add weasel machine configuration 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
a36b403bd4 Remove extra flush commands on firewall stop 
They are not needed as they are already flushed when the firewall
starts or stops.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
c7a52e2999 Prevent accidental use of nftables 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
88d2de454b Add proxy configuration for internal hosts 
Access internal hosts via apex proxy. From the compute nodes we first
open an SSH connection to apex, and then tunnel it through the HTTP
proxy with netcat.

This way we allow reaching internal GitLab repositories without
requiring the user to have credentials in the remote host, while we can
use multiple remotes to provide redundancy.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
1899ad89db Remove unused blackbox configuration modules 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
cd37f86b09 Use IPv4 in blackbox probes 
Otherwise they simply fail as IPv6 doesn't work.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
d5a9086afa Make NFS mount async to improve latency 
Don't wait to flush writes, as we don't care about consistency on a
crash:

> This option allows the NFS server to violate the NFS protocol and
> reply to requests before any changes made by that request have been
> committed to stable storage (e.g. disc drive).
>
> Using this option usually improves performance, but at the cost that
> an unclean server restart (i.e. a crash) can cause data to be lost or
> corrupted.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
7be793da3d Disable root_squash from NFS 
Allows root to read files in the NFS export, so we can directly run
`nixos-rebuild switch` from /home.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
327c0d61a2 Remove SSH proxy to access BSC clusters 
We now have direct connection to them.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
f70074b216 Add users to apex machine 
They need to be able to login to apex to access any other machine from
the SSF rack.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
fd99204913 Remove proxy from hut HTTP probes 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
6826a372d5 Remove proxy configuration from environment 
All machines have now direct connection with the outside world.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
3d02a231a5 Add storcli utility to apex 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
52bd019cdd Add new configuration for apex 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
57b9450a59 Add pmartin1 user with access to fox 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
daba3eca18 Add access to fox for rpenacob user 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
c47c880ff2 Revert "Only allow Vincent to access fox for now" 
This reverts commit efac36b186efe6c3814278ae0a284ae346ff9d83.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Aleix Boné
5318fb1a0d Add all terminfo files in environment 
Fixes problems with the kitty terminal when opening vim or kakoune.

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
ad834cebd6 Monitor Fox BMC with ICMP probes too 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
43c20c544d Restrict DAC VPN to fox-ipmi machine only 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
5928c68720 Monitor fox via VPN 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
8eb14acdf9 Add OpenVPN service to connect to fox BMC 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
d83ad5decb Add ac.upc.edu as name search server 
Allows referring to fox.ac.upc.edu directly as fox.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
bc64d62a7f Update access instructions 
We no longer need to request a petition through BSC, as we will be in
charge of the login. Remove link to the old repository as well and
prefer only email.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
d07855e5c5 Disable kptr_restrict in fox 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
98b882507b Disable NUMA balancing in fox 
See: https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#numa-balancing

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
e6f526bbc6 Load amd_uncore module in fox 
Needed for L3 events in perf.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
df70515bc8 Enable SSH X11 forwarding 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
dfee33038b Disable registration in Gitea 
Get rid of all the spam accounts they are trying to register.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
6e316e57be Enable msmtp configuration in tent 
Allows gitea to send notifications via email.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
28e094d4c1 Add GitLab runner with debian docker for PM 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
1210d96ae9 Monitor nix-daemon in tent 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
d5227db996 Move nix-daemon exporter to modules 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
eeb8557b96 Add p service for pastes 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00