rarias/jungle
rarias/jungle
2
0
Fork 3
Code Issues 53 Pull Requests 10 Actions Packages Projects Releases Wiki Activity
405 Commits 24 Branches 0 Tags
Commit Graph

405 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Aleix Boné
4e1fd7b0e0 Replace xeon07 by hut in ssh config 
The xeon07 machine has been renamed to hut.

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
 2025-07-18 10:59:39 +02:00
Rodrigo Arias Mallo
4e24135d35 Enable automatic Nix GC in raccoon 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-18 13:43:58 +02:00
Rodrigo Arias Mallo
7131d82ba2 Select proprietary NVIDIA driver in raccoon 
The NVIDIA GTX 960 from 2016 has the Maxwell architecture, and NixOS
suggests using the proprietary driver for older than Turing:

> It is suggested to use the open source kernel modules on Turing or
> later GPUs (RTX series, GTX 16xx), and the closed source modules
> otherwise.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-18 13:00:03 +02:00
Rodrigo Arias Mallo
e8cd0d9f58 Enable open source NVidia driver in fox 
It is recommended for newer versions.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-17 11:32:35 +02:00
Rodrigo Arias Mallo
a9ba65cdca Remove option allowUnfree from fox and raccoon 
It is already set to true for all machines.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-17 11:26:27 +02:00
Rodrigo Arias Mallo
94f398e661 Ban another scanner trying to connect via SSH 
It is constantly spamming out logs:

apex# journalctl | grep 'Connection closed by 84.88.52.176' | wc -l
2255

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-16 16:59:29 +02:00
Rodrigo Arias Mallo
387e1cada7 Update weasel IPMI hostname for monitoring 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-15 18:48:08 +02:00
Rodrigo Arias Mallo
c6cc2a7638 Remove merged MPICH patch 
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-07-15 17:57:22 +02:00
Rodrigo Arias Mallo
29071a6020 Remove package ix as it is gone 
Fails with: "error: ix has been removed from Nixpkgs, as the ix.io
pastebin has been offline since Dec. 2023".

Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-07-15 17:50:12 +02:00
Rodrigo Arias Mallo
f59218c898 flake.lock: Update 
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41?narHash=sha256-b%2Buqzj%2BWa6xgMS9aNbX4I%2BsXeb5biPDi39VgvSFqFvU%3D' (2024-08-10)
  → 'github:ryantm/agenix/531beac616433bac6f9e2a19feb8e99a22a66baf?narHash=sha256-9P1FziAwl5%2B3edkfFcr5HeGtQUtrSdk/MksX39GieoA%3D' (2025-06-17)
• Updated input 'agenix/darwin':
    'github:lnl7/nix-darwin/4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d?narHash=sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0%3D' (2023-11-24)
  → 'github:lnl7/nix-darwin/43975d782b418ebf4969e9ccba82466728c2851b?narHash=sha256-dyN%2BteG9G82G%2Bm%2BPX/aSAagkC%2BvUv0SgUw3XkPhQodQ%3D' (2025-04-12)
• Updated input 'agenix/home-manager':
    'github:nix-community/home-manager/3bfaacf46133c037bb356193bd2f1765d9dc82c1?narHash=sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE%3D' (2023-12-20)
  → 'github:nix-community/home-manager/abfad3d2958c9e6300a883bd443512c55dfeb1be?narHash=sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs%3D' (2025-04-24)
• Updated input 'bscpkgs':
    'git+https://git.sr.ht/~rodarima/bscpkgs?ref=refs/heads/master&rev=6782fc6c5b5a29e84a7f2c2d1064f4bcb1288c0f' (2024-11-29)
  → 'git+https://git.sr.ht/~rodarima/bscpkgs?ref=refs/heads/master&rev=9d1944c658929b6f98b3f3803fead4d1b91c4405' (2025-06-11)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/9c6b49aeac36e2ed73a8c472f1546f6d9cf1addc?narHash=sha256-i/UJ5I7HoqmFMwZEH6vAvBxOrjjOJNU739lnZnhUln8%3D' (2025-01-14)
  → 'github:NixOS/nixpkgs/dfcd5b901dbab46c9c6e80b265648481aafb01f8?narHash=sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw%3D' (2025-07-13)

Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-07-15 17:46:48 +02:00
Rodrigo Arias Mallo
871515a736 Upgrade nixpkgs to nixos 25.05 
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-07-15 17:45:40 +02:00
Rodrigo Arias Mallo
ef65a49ed1 Silently ban OpenVAS BSC scanner from apex 
It is spamming our logs with refused connection lines:

apex% sudo journalctl -b0 | grep 'refused connection.*SRC=192.168.8.16' | wc -l
13945

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-15 17:30:20 +02:00
Rodrigo Arias Mallo
061bd24453 Rotate anavarro password and SSH key 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-15 17:15:59 +02:00
Rodrigo Arias Mallo
0a876e7a83 Add weasel machine configuration 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-15 15:07:52 +02:00
Rodrigo Arias Mallo
ba425f6647 Remove extra flush commands on firewall stop 
They are not needed as they are already flushed when the firewall
starts or stops.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-11 16:13:35 +02:00
Rodrigo Arias Mallo
5a4e7d2bdf Prevent accidental use of nftables 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-11 16:12:44 +02:00
Rodrigo Arias Mallo
998a7f839d Add proxy configuration for internal hosts 
Access internal hosts via apex proxy. From the compute nodes we first
open an SSH connection to apex, and then tunnel it through the HTTP
proxy with netcat.

This way we allow reaching internal GitLab repositories without
requiring the user to have credentials in the remote host, while we can
use multiple remotes to provide redundancy.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-11 12:29:52 +02:00
Rodrigo Arias Mallo
cdad30dd55 Remove unused blackbox configuration modules 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-11 11:34:08 +02:00
Rodrigo Arias Mallo
bffa8d94a9 Use IPv4 in blackbox probes 
Otherwise they simply fail as IPv6 doesn't work.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-11 11:33:04 +02:00
Rodrigo Arias Mallo
8e80ed7034 Make NFS mount async to improve latency 
Don't wait to flush writes, as we don't care about consistency on a
crash:

> This option allows the NFS server to violate the NFS protocol and
> reply to requests before any changes made by that request have been
> committed to stable storage (e.g. disc drive).
>
> Using this option usually improves performance, but at the cost that
> an unclean server restart (i.e. a crash) can cause data to be lost or
> corrupted.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-11 11:10:07 +02:00
Rodrigo Arias Mallo
71e1562a0b Disable root_squash from NFS 
Allows root to read files in the NFS export, so we can directly run
`nixos-rebuild switch` from /home.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-11 10:35:38 +02:00
Rodrigo Arias Mallo
8623e7c2bc Remove SSH proxy to access BSC clusters 
We now have direct connection to them.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-11 10:22:04 +02:00
Rodrigo Arias Mallo
b10504cb59 Add users to apex machine 
They need to be able to login to apex to access any other machine from
the SSF rack.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-09 11:59:36 +02:00
Rodrigo Arias Mallo
ba66cb0b71 Remove proxy from hut HTTP probes 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-09 11:26:22 +02:00
Rodrigo Arias Mallo
bb779a9630 Remove proxy configuration from environment 
All machines have now direct connection with the outside world.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-09 11:24:22 +02:00
Rodrigo Arias Mallo
76ce684be4 Add storcli utility to apex 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-09 11:11:22 +02:00
Rodrigo Arias Mallo
eebcf2f239 Add new configuration for apex 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-09 11:02:11 +02:00
Rodrigo Arias Mallo
69b7be9026 Add pmartin1 user with access to fox 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-03 10:26:44 +02:00
Rodrigo Arias Mallo
a1e45941cc Add access to fox for rpenacob user 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-02 15:20:51 +02:00
Rodrigo Arias Mallo
9c5c26e94d Revert "Only allow Vincent to access fox for now" 
This reverts commit efac36b186efe6c3814278ae0a284ae346ff9d83.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-07-02 15:20:05 +02:00
Aleix Boné
df2f25873f Add all terminfo files in environment 
Fixes problems with the kitty terminal when opening vim or kakoune.

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
 2025-07-01 14:59:39 +02:00
Rodrigo Arias Mallo
7304c60a98 Monitor Fox BMC with ICMP probes too 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-06-20 16:06:50 +02:00
Rodrigo Arias Mallo
904bb5f2ba Restrict DAC VPN to fox-ipmi machine only 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-06-20 14:47:55 +02:00
Rodrigo Arias Mallo
55b2860b67 Monitor fox via VPN 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-06-17 16:41:25 +02:00
Rodrigo Arias Mallo
23310cbfa9 Add OpenVPN service to connect to fox BMC 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-06-17 14:29:15 +02:00
Rodrigo Arias Mallo
fd49be6033 Add ac.upc.edu as name search server 
Allows referring to fox.ac.upc.edu directly as fox.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-06-18 16:36:34 +02:00
Rodrigo Arias Mallo
b9ca4fcca3 Disable kptr_restrict in fox 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-06-18 11:07:19 +02:00
Rodrigo Arias Mallo
0baec02de3 Disable NUMA balancing in fox 
See: https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#numa-balancing

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-06-17 14:04:46 +02:00
Rodrigo Arias Mallo
39f6455d8c Load amd_uncore module in fox 
Needed for L3 events in perf.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-06-13 13:14:47 +02:00
Rodrigo Arias Mallo
ce5228f696 Enable SSH X11 forwarding 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-06-13 10:26:59 +02:00
Rodrigo Arias Mallo
b097cbfe2f Disable registration in Gitea 
Get rid of all the spam accounts they are trying to register.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-06-16 15:55:53 +02:00
Rodrigo Arias Mallo
926d443e24 Enable msmtp configuration in tent 
Allows gitea to send notifications via email.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-06-16 15:40:06 +02:00
Rodrigo Arias Mallo
9f0deec40a Add GitLab runner with debian docker for PM 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-06-13 15:52:31 +02:00
Rodrigo Arias Mallo
415d09600a Monitor nix-daemon in tent 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-06-13 15:11:24 +02:00
Rodrigo Arias Mallo
02da9f1847 Move nix-daemon exporter to modules 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-06-13 15:09:54 +02:00
Rodrigo Arias Mallo
996602845c Add p service for pastes 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-06-13 12:53:58 +02:00
Rodrigo Arias Mallo
3cc2ed1d18 Enable public-inbox service in tent 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-06-13 11:52:10 +02:00
Rodrigo Arias Mallo
54c595fa62 Enable gitea in tent 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-06-13 11:10:39 +02:00
Rodrigo Arias Mallo
7a7b847cb9 Add bsc.es to resolve domain names 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-06-13 09:40:17 +02:00
Rodrigo Arias Mallo
dec3ab49a7 Monitor AXLE machine too 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-06-12 16:47:40 +02:00