rarias/jungle
rarias/jungle
2
0
Fork 2
Code Issues 52 Pull Requests 8 Actions Packages Projects Releases Wiki Activity
405 Commits 23 Branches 0 Tags
Commit Graph

405 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Aleix Boné
af0f87ccd2 Replace xeon07 by hut in ssh config 
The xeon07 machine has been renamed to hut.

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
1145dc28a4 Enable automatic Nix GC in raccoon 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
31c4fab9a0 Select proprietary NVIDIA driver in raccoon 
The NVIDIA GTX 960 from 2016 has the Maxwell architecture, and NixOS
suggests using the proprietary driver for older than Turing:

> It is suggested to use the open source kernel modules on Turing or
> later GPUs (RTX series, GTX 16xx), and the closed source modules
> otherwise.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
4c9e197a27 Enable open source NVidia driver in fox 
It is recommended for newer versions.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
b77fc54e8a Remove option allowUnfree from fox and raccoon 
It is already set to true for all machines.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
16f1a65d33 Ban another scanner trying to connect via SSH 
It is constantly spamming out logs:

apex# journalctl | grep 'Connection closed by 84.88.52.176' | wc -l
2255

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
4fd103a489 Update weasel IPMI hostname for monitoring 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
1a4411d529 Remove merged MPICH patch 
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
00a2da0ede Remove package ix as it is gone 
Fails with: "error: ix has been removed from Nixpkgs, as the ix.io
pastebin has been offline since Dec. 2023".

Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
1285a47b68 flake.lock: Update 
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41?narHash=sha256-b%2Buqzj%2BWa6xgMS9aNbX4I%2BsXeb5biPDi39VgvSFqFvU%3D' (2024-08-10)
  → 'github:ryantm/agenix/531beac616433bac6f9e2a19feb8e99a22a66baf?narHash=sha256-9P1FziAwl5%2B3edkfFcr5HeGtQUtrSdk/MksX39GieoA%3D' (2025-06-17)
• Updated input 'agenix/darwin':
    'github:lnl7/nix-darwin/4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d?narHash=sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0%3D' (2023-11-24)
  → 'github:lnl7/nix-darwin/43975d782b418ebf4969e9ccba82466728c2851b?narHash=sha256-dyN%2BteG9G82G%2Bm%2BPX/aSAagkC%2BvUv0SgUw3XkPhQodQ%3D' (2025-04-12)
• Updated input 'agenix/home-manager':
    'github:nix-community/home-manager/3bfaacf46133c037bb356193bd2f1765d9dc82c1?narHash=sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE%3D' (2023-12-20)
  → 'github:nix-community/home-manager/abfad3d2958c9e6300a883bd443512c55dfeb1be?narHash=sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs%3D' (2025-04-24)
• Updated input 'bscpkgs':
    'git+https://git.sr.ht/~rodarima/bscpkgs?ref=refs/heads/master&rev=6782fc6c5b5a29e84a7f2c2d1064f4bcb1288c0f' (2024-11-29)
  → 'git+https://git.sr.ht/~rodarima/bscpkgs?ref=refs/heads/master&rev=9d1944c658929b6f98b3f3803fead4d1b91c4405' (2025-06-11)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/9c6b49aeac36e2ed73a8c472f1546f6d9cf1addc?narHash=sha256-i/UJ5I7HoqmFMwZEH6vAvBxOrjjOJNU739lnZnhUln8%3D' (2025-01-14)
  → 'github:NixOS/nixpkgs/dfcd5b901dbab46c9c6e80b265648481aafb01f8?narHash=sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw%3D' (2025-07-13)

Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
6479c667ba Upgrade nixpkgs to nixos 25.05 
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
77a9e5f4be Silently ban OpenVAS BSC scanner from apex 
It is spamming our logs with refused connection lines:

apex% sudo journalctl -b0 | grep 'refused connection.*SRC=192.168.8.16' | wc -l
13945

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
4a951d14ef Rotate anavarro password and SSH key 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
c20aba8580 Add weasel machine configuration 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
65cda794be Remove extra flush commands on firewall stop 
They are not needed as they are already flushed when the firewall
starts or stops.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
b4762b2470 Prevent accidental use of nftables 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
10adc7cbed Add proxy configuration for internal hosts 
Access internal hosts via apex proxy. From the compute nodes we first
open an SSH connection to apex, and then tunnel it through the HTTP
proxy with netcat.

This way we allow reaching internal GitLab repositories without
requiring the user to have credentials in the remote host, while we can
use multiple remotes to provide redundancy.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
d80fe93e88 Remove unused blackbox configuration modules 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
46bbcf7fac Use IPv4 in blackbox probes 
Otherwise they simply fail as IPv6 doesn't work.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
847709b209 Make NFS mount async to improve latency 
Don't wait to flush writes, as we don't care about consistency on a
crash:

> This option allows the NFS server to violate the NFS protocol and
> reply to requests before any changes made by that request have been
> committed to stable storage (e.g. disc drive).
>
> Using this option usually improves performance, but at the cost that
> an unclean server restart (i.e. a crash) can cause data to be lost or
> corrupted.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
6551dce813 Disable root_squash from NFS 
Allows root to read files in the NFS export, so we can directly run
`nixos-rebuild switch` from /home.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
b8561dbc44 Remove SSH proxy to access BSC clusters 
We now have direct connection to them.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
298028c803 Add users to apex machine 
They need to be able to login to apex to access any other machine from
the SSF rack.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
983336b6f6 Remove proxy from hut HTTP probes 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
2649ef4c0d Remove proxy configuration from environment 
All machines have now direct connection with the outside world.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
9ae2c79202 Add storcli utility to apex 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
4fcdcd064d Add new configuration for apex 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
598cd43520 Add pmartin1 user with access to fox 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
0c8e2ed8f8 Add access to fox for rpenacob user 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
6ed558877c Revert "Only allow Vincent to access fox for now" 
This reverts commit efac36b186efe6c3814278ae0a284ae346ff9d83.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Aleix Boné
247fd56571 Add all terminfo files in environment 
Fixes problems with the kitty terminal when opening vim or kakoune.

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
cb05eb36e6 Monitor Fox BMC with ICMP probes too 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
70da31ed03 Restrict DAC VPN to fox-ipmi machine only 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
3672c04980 Monitor fox via VPN 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
1511a0a739 Add OpenVPN service to connect to fox BMC 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
23fa1bf52c Add ac.upc.edu as name search server 
Allows referring to fox.ac.upc.edu directly as fox.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
e59e89c6f1 Disable kptr_restrict in fox 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
41962ba34f Disable NUMA balancing in fox 
See: https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#numa-balancing

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
70c9338076 Load amd_uncore module in fox 
Needed for L3 events in perf.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
3db4bd811c Enable SSH X11 forwarding 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
a6b532a6d9 Disable registration in Gitea 
Get rid of all the spam accounts they are trying to register.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
7771717d1e Enable msmtp configuration in tent 
Allows gitea to send notifications via email.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
c931e0f9bb Add GitLab runner with debian docker for PM 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
1f9b48cc9a Monitor nix-daemon in tent 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
20bc2612fa Move nix-daemon exporter to modules 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
da02c4290c Add p service for pastes 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
3a25d7e798 Enable public-inbox service in tent 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
f7db23eaee Enable gitea in tent 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
892489a02f Add bsc.es to resolve domain names 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00
Rodrigo Arias Mallo
b1e93332fc Monitor AXLE machine too 
Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
 2025-10-01 16:40:17 +02:00