Add ssanzmar user to apex and fox

Reviewed-by: Aleix Boné <abonerib@bsc.es>
Update fox documentation in website
2026-02-24 14:06:12 +01:00 · 2026-02-04 15:08:13 +01:00 · 2026-02-04 15:08:08 +01:00 · 2026-02-03 15:17:30 +01:00 · 2026-02-03 15:17:29 +01:00 · 2026-02-03 15:17:24 +01:00
19 changed files with 112 additions and 162 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1764522689,
+        "lastModified": 1767634882,
-        "narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=",
+        "narHash": "sha256-2GffSfQxe3sedHzK+sTKlYo/NTIAGzbFCIsNMUPAAnk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
+        "rev": "3c9db02515ef1d9b6b709fc60ba9a540957f661c",
        "type": "github"
      },
      "original": {
--- a/m/apex/configuration.nix
+++ b/m/apex/configuration.nix
@@ -57,6 +57,18 @@
    };
  };
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime-increment = {
      enable = true; # Double ban time on each attack
      maxtime = "7d"; # Ban up to a week
    };
  };
  # Disable SSH login with password, allow only keypair
  services.openssh.settings.PasswordAuthentication = false;
  networking.firewall = {
    extraCommands = ''
      # Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@@ -24,7 +24,7 @@
      address = "10.0.40.40";
      prefixLength = 24;
    } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
      address = "10.0.42.40";
      prefixLength = 24;
    } ];
--- a/m/common/base/env.nix
+++ b/m/common/base/env.nix
@@ -2,11 +2,36 @@
 {
  environment.systemPackages = with pkgs; [
-    vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
+    cmake
-    nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
+    ethtool
-    ncdu perf ldns pv
+    file
    freeipmi
    git
    gnumake
    home-manager
    htop
    ipmitool
    ldns
    lm_sensors
    ncdu
    nix-diff
    nix-index
    nix-output-monitor
    nixfmt-tree
    nixos-option
    pciutils
    perf
    pv
    ripgrep
    tcpdump
    tmux
    tree
    vim
    wget
    # From jungle overlay
-    osumb nixgen
+    nixgen
    osumb
  ];
  programs.direnv.enable = true;
--- a/m/common/base/users.nix
+++ b/m/common/base/users.nix
@@ -139,6 +139,7 @@
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"
        ];
        shell = pkgs.zsh;
      };
      pmartin1 = {
@@ -193,6 +194,32 @@
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlRX7ZCnqtUJYCxKgWmgSrFCYuA2LHY96rVwqxXPl86 aaguirre@BSC-8488184117"
        ];
      };
      emonteir = {
        uid = 9656;
        isNormalUser = true;
        home = "/home/Computational/emonteir";
        description = "Erwin Royson Monteiro";
        group = "Computational";
        hosts = [ "apex" "fox" ];
        hashedPassword = "$6$0mU88zd3ZuK5NiJQ$DFWL5RMLH6esQM5UyhBCiiNryw4lDDmvJp7Usz3tmevnsiSJr6u0RsUKAnR/K8GRBFrV1.GocrgNjKjik5GY//";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKZKot/Y3F5Wq9pQIXlCbyvQuVVeWMCsAC96Nd+LTcG erwin@Oreo"
        ];
      };
      ssanzmar = {
        uid = 9657;
        isNormalUser = true;
        home = "/home/Computational/ssanzmar";
        description = "Sergio Sanz Martínez";
        group = "Computational";
        hosts = [ "apex" "fox" ];
        hashedPassword = "$6$HUjNDJeJMmNQ6M64$laXSOZcXg6o4v2r8Jm8Xj9kmqw7veCY32po3TVDPRR4WlyxvOeqwoKr4NjlUlPPpKN55Oot3ZYHi.9iNXsH5E1";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIELrsRRHXryrdA2ZBx5XmdGxL4DC5bmJydhBeTWQ0SQ sergio.sanz.martinez@estudiantat.upc.edu"
        ];
      };
    };
    groups = {
--- a/m/eudy/kernel/perf.nix
+++ b/m/eudy/kernel/perf.nix
@@ -1,11 +1,6 @@
-{ config, pkgs, lib, ... }:
+{ pkgs, lib, ... }:
 {
  # add the perf tool
  environment.systemPackages = with pkgs; [
    config.boot.kernelPackages.perf
  ];
  # allow non-root users to read tracing data from the kernel
  boot.kernel.sysctl."kernel.perf_event_paranoid" = -2;
  boot.kernel.sysctl."kernel.kptr_restrict" = 0;
--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@@ -45,7 +45,7 @@
      address = "10.0.40.7";
      prefixLength = 24;
    } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
      address = "10.0.42.7";
      prefixLength = 24;
    } ];
--- a/m/hut/nginx.nix
+++ b/m/hut/nginx.nix
@@ -4,8 +4,8 @@ let
    name = "jungle-web";
    src = pkgs.fetchgit {
      url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
+      rev = "5f18335d14126d2fef134c0cd441771436f7dfa1";
-      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
+      hash = "sha256-s9VBF91sQ7hg9+lrwNFPYgoXTTyXaQcAulCiGJgWERo=";
    };
    buildInputs = [ pkgs.hugo ];
    buildPhase = ''
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@@ -46,7 +46,7 @@
      address = "10.0.40.42";
      prefixLength = 24;
    } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
      address = "10.0.42.42";
      prefixLength = 24;
    } ];
--- a/m/module/tc1-board.nix
+++ b/m/module/tc1-board.nix
@@ -0,0 +1,27 @@
 { lib, pkgs, ... }:
 {
  # Allow user access to FTDI USB device
  services.udev.packages = lib.singleton (pkgs.writeTextFile {
    # Needs to be < 73
    name = "60-ftdi-tc1.rules";
    text = ''
      # Bus 003 Device 003: ID 0403:6011 Future Technology Devices International, Ltd FT4232H Quad HS USB-UART/FIFO IC
      # Use := to make sure it doesn't get changed later
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6011", MODE:="0666"
    '';
    destination = "/etc/udev/rules.d/60-ftdi-tc1.rules";
  });
  # Allow access to USB for docker in GitLab runner
  services.gitlab-runner = {
    services.gitlab-bsc-docker = {
      registrationFlags = [
        # We need raw access to the USB port to reboot the board
        "--docker-devices /dev/bus/usb/003/003"
        # And TTY access for the serial port
        "--docker-devices /dev/ttyUSB2"
      ];
    };
  };
 }
--- a/m/owl1/configuration.nix
+++ b/m/owl1/configuration.nix
@@ -20,7 +20,7 @@
      address = "10.0.40.1";
      prefixLength = 24;
    } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
      address = "10.0.42.1";
      prefixLength = 24;
    } ];
--- a/m/owl2/configuration.nix
+++ b/m/owl2/configuration.nix
@@ -21,7 +21,7 @@
      prefixLength = 24;
    } ];
    # Watch out! The OmniPath device is not in the same place here:
-    interfaces.ibp129s0.ipv4.addresses = [ {
+    interfaces.ibs801.ipv4.addresses = [ {
      address = "10.0.42.2";
      prefixLength = 24;
    } ];
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -16,6 +16,7 @@
    ../module/p.nix
    ../module/vpn-dac.nix
    ../module/hut-substituter.nix
    ../module/tc1-board.nix
  ];
  # Select the this using the ID to avoid mismatches
--- a/m/tent/gitea.nix
+++ b/m/tent/gitea.nix
@@ -27,4 +27,7 @@
      };
    };
  };
  # Allow gitea user to send mail
  users.users.gitea.extraGroups = [ "mail-robot" ];
 }
--- a/m/tent/nginx.nix
+++ b/m/tent/nginx.nix
@@ -4,8 +4,8 @@ let
    name = "jungle-web";
    src = pkgs.fetchgit {
      url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
+      rev = "5f18335d14126d2fef134c0cd441771436f7dfa1";
-      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
+      hash = "sha256-s9VBF91sQ7hg9+lrwNFPYgoXTTyXaQcAulCiGJgWERo=";
    };
    buildInputs = [ pkgs.hugo ];
    buildPhase = ''
--- a/overlay.nix
+++ b/overlay.nix
@@ -62,14 +62,7 @@ let
    tagaspi = callPackage ./pkgs/tagaspi/default.nix { };
    tampi = callPackage ./pkgs/tampi/default.nix { };
    upc-qaire-exporter = prev.callPackage ./pkgs/upc-qaire-exporter/default.nix { };
    taopencl = callPackage ./pkgs/taopencl/default.nix { };
    wxparaver = callPackage ./pkgs/paraver/default.nix { };
    _cuda = prev._cuda.extend (_: _prev: final.lib.recursiveUpdate _prev {
      extensions = _prev.extensions ++ [(finalAttrs: _: {
        tacuda = finalAttrs.callPackage ./pkgs/tacuda/default.nix { };
      })];
    });
  };
  tests = rec {
--- a/pkgs/tacuda/default.nix
+++ b/pkgs/tacuda/default.nix
@@ -1,72 +0,0 @@
 {
  backendStdenv,
  fetchFromGitHub,
  automake,
  autoconf,
  libtool,
  gnumake,
  autoreconfHook,
  boost,
  cudatoolkit,
  libcublas,
  cuda_cudart,
  useGit ? false,
  gitUrl ? "git@gitlab-internal.bsc.es:task-awareness/tacuda/tacuda.git",
  gitBranch ? "main",
  gitCommit ? "35234f9445e6149a2bd38d119841e2485d6ee05e",
 }:
 let
  release_ver = "2.1.0";
  release = {
    version = release_ver;
    src = fetchFromGitHub {
      owner = "bsc-pm";
      repo = "tacuda";
      rev = release_ver;
      hash = "sha256-Cj3EiLVJSLvRv0ydeg7Vp4SpkniEqHkcWF+YOJQ8EcM=";
    };
  };
  git = rec {
    version = src.shortRev;
    src = builtins.fetchGit {
      url = gitUrl;
      ref = gitBranch;
      rev = gitCommit;
    };
  };
  source = if (useGit) then git else release;
 in
 backendStdenv.mkDerivation {
  pname = "tacuda";
  inherit (source) src version;
  enableParallelBuilding = true;
  separateDebugInfo = true;
  strictDeps = true;
  nativeBuildInputs = [
    autoreconfHook
    automake
    autoconf
    libtool
    gnumake
  ];
  patches = [ ./fix_config.patch ];
  configureFlags = [ "--with-cuda-include=${cudatoolkit}/include" ];
  buildInputs = [
    boost
    libcublas
    cuda_cudart
  ];
 }
--- a/pkgs/tacuda/fix_config.patch
+++ b/pkgs/tacuda/fix_config.patch
@@ -1,13 +0,0 @@
 diff --git a/m4/cuda.m4 b/m4/cuda.m4
 index 23f5c94..8f9b534 100644
 --- a/m4/cuda.m4
 +++ b/m4/cuda.m4
@@ -40,7 +40,7 @@ search_libs="cuda cublas cudart"
 required_libs=""
 m4_foreach([function],
 -           [cuInit,
 +           [
 	    cublasSgemm,
             cudaStreamCreate,
             cudaLaunchKernel,
--- a/pkgs/taopencl/default.nix
+++ b/pkgs/taopencl/default.nix
@@ -1,48 +0,0 @@
 {
  stdenv,
  automake,
  autoconf,
  libtool,
  gnumake,
  boost,
  mpi,
  autoreconfHook,
  ocl-icd,
  opencl-headers,
 }:
 stdenv.mkDerivation (finalAttrs: {
  pname = "taopencl";
  version = finalAttrs.src.shortRev;
  src = builtins.fetchGit {
    url = "git@gitlab-internal.bsc.es:task-awareness/taopencl/taopencl.git";
    ref = "master";
    rev = "c3b7b32ae8fa4af7ceff598532a881f8f1490aaf";
  };
  enableParallelBuilding = true;
  separateDebugInfo = true;
  strictDeps = true;
  configureFlags = [
    "--with-opencl-lib=${ocl-icd}/lib"
    "--with-opencl-include=${opencl-headers}/include"
  ];
  nativeBuildInputs = [
    autoreconfHook
    automake
    autoconf
    libtool
    gnumake
  ];
  buildInputs = [
    boost
    mpi
  ];
  dontDisableStatic = true;
  hardeningDisable = [ "all" ];
 })
Author	SHA1	Message	Date
Rodrigo Arias Mallo	76cd6d64b2	Add ssanzmar user to apex and fox All checks were successful CI / build:cross (pull_request) Successful in 8s Details CI / build:all (pull_request) Successful in 16s Details CI / build:all (push) Successful in 4s Details CI / build:cross (push) Successful in 8s Details Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-02-24 14:06:12 +01:00
Rodrigo Arias Mallo	8dab0d82ba	Update fox documentation in website All checks were successful CI / build:cross (pull_request) Successful in 8s Details CI / build:all (pull_request) Successful in 16s Details CI / build:all (push) Successful in 3s Details CI / build:cross (push) Successful in 8s Details Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-02-04 15:08:13 +01:00
Rodrigo Arias Mallo	958dcd4774	Add emonteir user to apex and fox Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-02-04 15:08:08 +01:00
Aleix Boné	7a6e4232de	Add nom and nixfmt-tree to system packages All checks were successful CI / build:all (pull_request) Successful in 55m38s Details CI / build:all (push) Successful in 27m13s Details CI / build:cross (push) Successful in 55m5s Details CI / build:cross (pull_request) Successful in 8s Details Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-02-03 15:17:30 +01:00
Aleix Boné	3b56e905e5	Add standalone home-manager to system packages Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-02-03 15:17:29 +01:00
Aleix Boné	2d41309466	Format and sort default package list Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-02-03 15:17:24 +01:00
Rodrigo Arias Mallo	deb0cd1488	Allow USB access to TC1 from Gitlab Runner All checks were successful CI / build:cross (pull_request) Successful in 8s Details CI / build:all (pull_request) Successful in 16s Details CI / build:all (push) Successful in 4s Details CI / build:cross (push) Successful in 8s Details Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-01-23 17:56:16 +01:00
Rodrigo Arias Mallo	cd1f502ecc	Allow user USB access to FTDI device in tent Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-01-23 17:56:11 +01:00
Rodrigo Arias Mallo	dda6a66782	Fix gitea user to allow sending email All checks were successful CI / build:cross (pull_request) Successful in 8s Details CI / build:all (pull_request) Successful in 16s Details CI / build:all (push) Successful in 4s Details CI / build:cross (push) Successful in 8s Details In order to send email, the gitea user needs to be in the mail-robot group. Fixes: #220 Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-01-20 12:18:52 +01:00
Rodrigo Arias Mallo	22420e6ac8	Remove unneeded perf package from eudy It is already included in the base list of packages, which is now only "perf" and doesn't depend on the kernel version. Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-01-20 12:18:49 +01:00
Rodrigo Arias Mallo	a71cd78b4c	Fix infiniband interface names Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-01-20 12:18:46 +01:00
Rodrigo Arias Mallo	e84a2cadbb	flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f?narHash=sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD%2B/cTUzzgVFoaHrkqY%3D' (2025-11-30) → 'github:NixOS/nixpkgs/3c9db02515ef1d9b6b709fc60ba9a540957f661c?narHash=sha256-2GffSfQxe3sedHzK%2BsTKlYo/NTIAGzbFCIsNMUPAAnk%3D' (2026-01-05) Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-01-20 12:18:41 +01:00
Aleix Boné	d3e43eb651	Remove conflicting definitions in amd-uprof-driver See: https://lkml.org/lkml/2025/4/9/1709 Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-20 12:15:18 +01:00
Aleix Boné	a491546ffb	Mark mcxx as broken and remove from package list Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-20 12:15:14 +01:00
Aleix Boné	933c78a80b	Fix moved package linuxPackages.perf is now perf Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-20 12:15:10 +01:00
Aleix Boné	150969be9b	Fix replaced nixseparatedebuginfod nixseparatedebuginfod has been replaced by nixseparatedebuginfod2 Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-20 12:15:06 +01:00
Aleix Boné	9097729759	Use standard gcc for intel packages This reverts `26f52aa27d` Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-20 12:15:02 +01:00
Aleix Boné	779449f1db	Fix renamed option watchdog.runtimeTime The option 'systemd.watchdog.runtimeTime' has been renamed to 'systemd.settings.Manager.RuntimeWatchdogSec'. Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-20 12:14:59 +01:00
Aleix Boné	6cbe33bd80	Replace wrapGAppsHook with wrapGAppsHook3 Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-20 12:14:56 +01:00
Aleix Boné	3f1f5ae8f2	Fix changed cudaPackages.cuda_cudart output See: https://github.com/NixOS/nixpkgs/pull/437723 Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-20 12:14:49 +01:00
Aleix Boné	fe8586e780	Set pyproject=true in buildPythonApplication The buildPythonPackage and buildPythonApplication functions now require an explicit format attribute. Previously the default format used setuptools and called setup.py from the source tree, which is deprecated. The modern alternative is to configure pyproject = true with build-system = [ setuptools ]. Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-20 12:14:31 +01:00
Aleix Boné	8677adba27	Fix renamed llvm bintools Moved from llvmPackages_latest.tools.bintools to llvmPackages_latest.bintools Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-20 12:14:27 +01:00
Aleix Boné	f614149edf	Upgrade nixpkgs to 25.11 Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-20 12:14:11 +01:00
Vincent A. Arcila	859eebda98	Change varcila shell to zsh All checks were successful CI / build:all (push) Successful in 59m37s Details CI / build:cross (push) Successful in 1h27m33s Details CI / build:cross (pull_request) Successful in 1h29m20s Details CI / build:all (pull_request) Successful in 1h29m22s Details Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-07 13:22:17 +01:00
Rodrigo Arias Mallo	c2a201b085	Increase fail2ban ban time on each attempt Some checks failed CI / build:all (push) Has been cancelled Details CI / build:cross (push) Has been cancelled Details CI / build:all (pull_request) Successful in 1h38m5s Details CI / build:cross (pull_request) Successful in 1h38m3s Details Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-01-07 13:14:34 +01:00
Rodrigo Arias Mallo	f921f0a4bd	Disable password login via SSH in apex Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-01-07 13:14:30 +01:00
Rodrigo Arias Mallo	aa16bfc0bc	Enable fail2ban in apex login node We are seeing a lot of failed attempts from the same IPs: apex% sudo journalctl -u sshd -b0 \| grep 'Failed password' \| wc -l 2441 Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-01-07 13:14:22 +01:00