

No commits in common. "4bd164807436bfefe28a7ea8451fb4064364da89" and "1c5f3a856fcf83f6d2cc03c53077f3f80b865fed" have entirely different histories.

27 changed files with 73 additions and 125 deletions


@ -151,26 +151,12 @@ And update grub.
# nix build .#nixosConfigurations.xeon02.config.system.build.kexecTree -v # nix build .#nixosConfigurations.xeon02.config.system.build.kexecTree -v
``` ```
## Chain NixOS in same disk with other systems ## Chain NixOS in same disk
To install NixOS on a partition along another system which controls the GRUB,
first disable the grub device, so the GRUB is not installed in the disk by
NixOS (only the /boot files will be generated):
```
boot.loader.grub.device = "nodev";
```
Then add the following entry to the old GRUB configuration:
``` ```
menuentry 'NixOS' { menuentry 'NixOS' {
insmod chain insmod chain
search --no-floppy --label nixos --set root set root=(hd3,1)
configfile /boot/grub/grub.cfg configfile /boot/grub/grub.cfg
} }
``` ```
The partition with NixOS must have the label "nixos" for it to be found. New
system configuration entries will be stored in the GRUB configuration managed
by NixOS, so there is no need to change the old GRUB settings.


@ -10,11 +10,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1720546205, "lastModified": 1712079060,
"narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=", "narHash": "sha256-/JdiT9t+zzjChc5qQiF+jhrVhRt8figYH29rZO7pFe4=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6", "rev": "1381a759b205dff7a6818733118d02253340fd5e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -88,11 +88,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1720957393, "lastModified": 1713714899,
"narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", "narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", "rev": "6143fc5eeb9c4f00163267708e26191d1e918932",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -9,10 +9,6 @@
# Select the this using the ID to avoid mismatches # Select the this using the ID to avoid mismatches
boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53562d"; boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53562d";
boot.kernel.sysctl = {
"kernel.yama.ptrace_scope" = lib.mkForce "1";
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
ceph ceph
]; ];


@ -3,7 +3,6 @@
# Includes the basic configuration for an Intel server. # Includes the basic configuration for an Intel server.
imports = [ imports = [
./base/agenix.nix ./base/agenix.nix
./base/august-shutdown.nix
./base/boot.nix ./base/boot.nix
./base/env.nix ./base/env.nix
./base/fs.nix ./base/fs.nix


@ -1,14 +0,0 @@
{
# Shutdown all machines on August 2nd at 11:00 AM, so we can protect the
# hardware from spurious electrical peaks on the yearly electrical cut for
# manteinance that starts on August 4th.
systemd.timers.august-shutdown = {
description = "Shutdown on August 2nd for maintenance";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-08-02 11:00:00";
RandomizedDelaySec = "10min";
Unit = "systemd-poweroff.service";
};
};
}


@ -11,12 +11,14 @@
terminal_output --append serial terminal_output --append serial
''; '';
# Enable serial console
boot.kernelParams = [
"console=tty1"
"console=ttyS0,115200"
];
boot.kernel.sysctl = { boot.kernel.sysctl = {
"kernel.perf_event_paranoid" = lib.mkDefault "-1"; "kernel.perf_event_paranoid" = lib.mkDefault "-1";
# Allow ptracing (i.e. attach with GDB) any process of the same user, see:
# https://www.kernel.org/doc/Documentation/security/Yama.txt
"kernel.yama.ptrace_scope" = "0";
}; };
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;


@ -12,7 +12,7 @@ in
programs.ssh.extraConfig = '' programs.ssh.extraConfig = ''
Host bscpm02.bsc.es bscpm03.bsc.es gitlab-internal.bsc.es alya.gitlab.bsc.es Host bscpm02.bsc.es bscpm03.bsc.es gitlab-internal.bsc.es alya.gitlab.bsc.es
User git User git
ProxyCommand nc -X connect -x hut:23080 %h %p ProxyCommand nc -X connect -x localhost:23080 %h %p
''; '';
programs.ssh.knownHosts = hostsKeys // { programs.ssh.knownHosts = hostsKeys // {


@ -55,7 +55,7 @@
home = "/home/Computational/rpenacob"; home = "/home/Computational/rpenacob";
description = "Raúl Peñacoba"; description = "Raúl Peñacoba";
group = "Computational"; group = "Computational";
hosts = [ "owl1" "owl2" "hut" ]; hosts = [ "hut" ];
hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/"; hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/";
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc"
@ -75,19 +75,6 @@
]; ];
}; };
abonerib = {
uid = 4541;
isNormalUser = true;
home = "/home/Computational/abonerib";
description = "Aleix Boné";
group = "Computational";
hosts = [ "owl1" "owl2" "hut" "raccoon" ];
hashedPassword = "$6$V1EQWJr474whv7XJ$OfJ0wueM2l.dgiJiiah0Tip9ITcJ7S7qDvtSycsiQ43QBFyP4lU0e0HaXWps85nqB4TypttYR4hNLoz3bz662/";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc"
];
};
vlopez = { vlopez = {
uid = 4334; uid = 4334;
isNormalUser = true; isNormalUser = true;
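Review bot: The user entries keep `hashedPassword` inline — the rpenacob line survives unchanged in the first hunk — while the repository already manages secrets through agenix (the gitlab-runner config reads `config.age.secrets.<name>.path`). A crypt hash committed to a config repository is exposed to offline guessing by anyone with read access to the repo, so the hash belongs in an `.age` file listed in secrets.nix and referenced as `hashedPasswordFile = config.age.secrets.rpenacob-password.path;` (constructed secret name). The enclosing users attribute set starts and ends outside both hunks.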


@ -3,7 +3,7 @@
imports = [ imports = [
./base.nix ./base.nix
./xeon/fs.nix ./xeon/fs.nix
./xeon/console.nix ./xeon/getty.nix
./xeon/net.nix ./xeon/net.nix
]; ];
} }


@ -5,10 +5,4 @@
wantedBy = [ "getty.target" ]; wantedBy = [ "getty.target" ];
serviceConfig.Restart = "always"; serviceConfig.Restart = "always";
}; };
# Enable serial console
boot.kernelParams = [
"console=tty1"
"console=ttyS0,115200"
];
} }


@ -10,7 +10,7 @@
nameservers = ["8.8.8.8"]; nameservers = ["8.8.8.8"];
proxy = { proxy = {
default = "http://hut:23080/"; default = "http://localhost:23080/";
noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40"; noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40";
# Don't set all_proxy as go complains and breaks the gitlab runner, see: # Don't set all_proxy as go complains and breaks the gitlab runner, see:
# https://github.com/golang/go/issues/16715 # https://github.com/golang/go/issues/16715


@ -6,7 +6,6 @@
../module/ceph.nix ../module/ceph.nix
../module/debuginfod.nix ../module/debuginfod.nix
../module/emulation.nix
../module/slurm-client.nix ../module/slurm-client.nix
./gitlab-runner.nix ./gitlab-runner.nix
./monitoring.nix ./monitoring.nix
@ -20,6 +19,8 @@
#./pxe.nix #./pxe.nix
]; ];
boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" "powerpc64le-linux" "riscv64-linux" ];
# Select the this using the ID to avoid mismatches # Select the this using the ID to avoid mismatches
boot.loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2BB240G7_PHDV6462004Y240AGN"; boot.loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2BB240G7_PHDV6462004Y240AGN";
@ -33,15 +34,5 @@
address = "10.0.42.7"; address = "10.0.42.7";
prefixLength = 24; prefixLength = 24;
} ]; } ];
firewall = {
extraCommands = ''
# Accept all proxy traffic from compute nodes but not the login
iptables -A nixos-fw -p tcp -s 10.0.40.30 --dport 23080 -j nixos-fw-log-refuse
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 23080 -j nixos-fw-accept
'';
};
}; };
# Allow proxy to bind to the ethernet interface
services.openssh.settings.GatewayPorts = "clientspecified";
} }


@ -17,7 +17,6 @@
REGISTER_MANUAL_CONFIRM = true; REGISTER_MANUAL_CONFIRM = true;
ENABLE_NOTIFY_MAIL = true; ENABLE_NOTIFY_MAIL = true;
}; };
log.LEVEL = "Warn";
mailer = { mailer = {
ENABLED = true; ENABLED = true;


@ -1,8 +1,9 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
{ {
age.secrets.gitlabRunnerShellToken.file = ../../secrets/gitlab-runner-shell-token.age; age.secrets.ovniToken.file = ../../secrets/ovni-token.age;
age.secrets.gitlabRunnerDockerToken.file = ../../secrets/gitlab-runner-docker-token.age; age.secrets.gitlabToken.file = ../../secrets/gitlab-bsc-es-token.age;
age.secrets.nosvToken.file = ../../secrets/nosv-token.age;
services.gitlab-runner = { services.gitlab-runner = {
enable = true; enable = true;
@ -10,14 +11,20 @@
services = let services = let
common-shell = { common-shell = {
executor = "shell"; executor = "shell";
tagList = [ "nix" "xeon" ];
registrationFlags = [
# Using space doesn't work, and causes it to misread the next flag
"--locked='false'"
];
environmentVariables = { environmentVariables = {
SHELL = "${pkgs.bash}/bin/bash"; SHELL = "${pkgs.bash}/bin/bash";
}; };
}; };
common-docker = { common-docker = {
executor = "docker";
dockerImage = "debian:stable"; dockerImage = "debian:stable";
tagList = [ "docker" "xeon" ];
registrationFlags = [ registrationFlags = [
"--locked='false'"
"--docker-network-mode host" "--docker-network-mode host"
]; ];
environmentVariables = { environmentVariables = {
@ -26,12 +33,19 @@
}; };
}; };
in { in {
# For gitlab.bsc.es
gitlab-bsc-es-shell = common-shell // {
registrationConfigFile = config.age.secrets.gitlabToken.path;
};
gitlab-bsc-es-docker = common-docker // {
registrationConfigFile = config.age.secrets.gitlabToken.path;
};
# For pm.bsc.es/gitlab # For pm.bsc.es/gitlab
gitlab-pm-shell = common-shell // { gitlab-pm-shell = common-shell // {
authenticationTokenConfigFile = config.age.secrets.gitlabRunnerShellToken.path; registrationConfigFile = config.age.secrets.ovniToken.path;
}; };
gitlab-pm-docker = common-docker // { gitlab-pm-docker = common-docker // {
authenticationTokenConfigFile = config.age.secrets.gitlabRunnerDockerToken.path; registrationConfigFile = config.age.secrets.ovniToken.path;
}; };
}; };
}; };
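Review bot: `"--locked='false'"` is added to the registrationFlags of both common-shell and common-docker, and the shell executor runs job scripts directly on hut as the runner's user, so an unlocked shell runner lets every project within the registration token's scope execute code on the host, not only the project it was registered for. If that sharing is intended, say so above the flag: `# Unlocked on purpose: shared by the group's projects; shell jobs run on hut as the runner user` — otherwise keep the flag for the docker runner only. The new side also switches to `registrationConfigFile`, the registration-token flow that GitLab has been phasing out in favour of the authentication tokens the other history used, which deserves a one-line comment on why. `age.secrets.nosvToken` is decrypted onto the host but none of the visible runner definitions reads it; drop it or wire it up, unless it is consumed elsewhere in this file.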


@ -31,7 +31,6 @@
}; };
feature_toggles.publicDashboards = true; feature_toggles.publicDashboards = true;
"auth.anonymous".enabled = true; "auth.anonymous".enabled = true;
log.level = "warn";
}; };
}; };


@ -8,10 +8,6 @@
boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53563a"; boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53563a";
boot.kernel.sysctl = {
"kernel.yama.ptrace_scope" = lib.mkForce "1";
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
ceph ceph
]; ];


@ -1,3 +0,0 @@
{
boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" "powerpc64le-linux" "riscv64-linux" ];
}


@ -47,8 +47,8 @@ in {
]; ];
partitionName = [ partitionName = [
"owl Nodes=owl[1-2] Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP" "owl Nodes=owl[1-2] Default=YES MaxTime=INFINITE State=UP"
"all Nodes=owl[1-2],hut Default=NO DefaultTime=01:00:00 MaxTime=INFINITE State=UP" "all Nodes=owl[1-2],hut Default=NO MaxTime=INFINITE State=UP"
]; ];
# See slurm.conf(5) for more details about these options. # See slurm.conf(5) for more details about these options.
@ -83,14 +83,6 @@ in {
# Reduce port range so we can allow only this range in the firewall # Reduce port range so we can allow only this range in the firewall
SrunPortRange=60000-61000 SrunPortRange=60000-61000
# Use cores as consumable resources. In SLURM terms, a core may have
# multiple hardware threads (or CPUs).
SelectType=select/cons_tres
# Ignore memory constraints and only use unused cores to share a node with
# other jobs.
SelectTypeParameters=CR_Core
''; '';
}; };
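Review bot: Both partition lines on the new side drop `DefaultTime` while keeping `MaxTime=INFINITE`; in slurm.conf DefaultTime falls back to MaxTime, so a job submitted without `--time` now has no wall-clock limit and a hung job can occupy owl nodes indefinitely. Keep the bound on the partition lines, e.g. `"owl Nodes=owl[1-2] Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP"`, or give `MaxTime` a finite value. The second hunk also removes `SelectType=select/cons_tres` and `SelectTypeParameters=CR_Core`, which — unless the nixpkgs module sets its own default — moves node allocation from per-core sharing to whole-node (select/linear); if that is intentional, a one-line comment saying so saves the next reader from re-deriving it. Both hunks sit inside a `''` string whose start and end are outside the hunks.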


@ -4,10 +4,9 @@
imports = [ imports = [
../common/xeon.nix ../common/xeon.nix
../module/ceph.nix ../module/ceph.nix
../module/emulation.nix
../module/slurm-client.nix ../module/slurm-client.nix
../module/slurm-firewall.nix ../module/slurm-firewall.nix
../module/debuginfod.nix ../module/slurm-hut-nix-store.nix
]; ];
# Select the this using the ID to avoid mismatches # Select the this using the ID to avoid mismatches


@ -4,10 +4,9 @@
imports = [ imports = [
../common/xeon.nix ../common/xeon.nix
../module/ceph.nix ../module/ceph.nix
../module/emulation.nix
../module/slurm-client.nix ../module/slurm-client.nix
../module/slurm-firewall.nix ../module/slurm-firewall.nix
../module/debuginfod.nix ../module/slurm-hut-nix-store.nix
]; ];
# Select the this using the ID to avoid mismatches # Select the this using the ID to avoid mismatches


@ -8,12 +8,6 @@
# Don't install Grub on the disk yet # Don't install Grub on the disk yet
boot.loader.grub.device = "nodev"; boot.loader.grub.device = "nodev";
# Enable serial console
boot.kernelParams = [
"console=tty1"
"console=ttyS1,115200"
];
networking = { networking = {
hostName = "raccoon"; hostName = "raccoon";
# Only BSC DNSs seem to be reachable from the office VLAN # Only BSC DNSs seem to be reachable from the office VLAN
@ -27,7 +21,11 @@
# Configure Nvidia driver to use with CUDA # Configure Nvidia driver to use with CUDA
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production; hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production;
hardware.graphics.enable = true; hardware.opengl = {
enable = true;
driSupport = true;
setLdLibraryPath = true;
};
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
nixpkgs.config.nvidia.acceptLicense = true; nixpkgs.config.nvidia.acceptLicense = true;
services.xserver.videoDrivers = [ "nvidia" ]; services.xserver.videoDrivers = [ "nvidia" ];
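Review bot: `setLdLibraryPath = true;` in the new `hardware.opengl` block gets no explanation, and from its name it appears to push the driver libraries into a host-wide LD_LIBRARY_PATH, which would affect every dynamically linked process rather than only CUDA users — confirm against the module's option description and record the reason, e.g. `# setLdLibraryPath: CUDA binaries built outside nix must find libcuda — confirm still needed`. The first hunk also drops the serial console `boot.kernelParams` (`console=ttyS1,115200`), which on this host used ttyS1 rather than the ttyS0 the xeon boot config sets; if raccoon deliberately loses its serial console, a short note next to `boot.loader.grub.device = "nodev";` would make the out-of-band access situation explicit.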


@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 HY2yRg caTbx0NBmsTSmZH4HtBaxhsauWqWUDTesJqT08UsoEQ
8ND31xuco+H8d5SKg8xsCFRPVDhU4d8UKwV1BnmKVjQ
-> ssh-ed25519 CAWG4Q 4ETYuhCwHHECkut4DWDknMMgpAvFqtzLWVC2Wi2L8FM
BGMvRnAfd8qZG5hzLefmk32FkGvwzE9pqBUyx4JY0co
-> ssh-ed25519 MSF3dg hj5QL4ZfylN8/W/MXQHvVqtI7mRvlQOYr8HsaQEmPB0
kvB7sljmmkswSGZDQnrwdTbTsN78EAwH3pz1pPe0Hu0
-> )Q-grease vHF} [8p1> @7z;C"/
tgSUKFyyrf2jLXZp+pakigwB2fRO/WFj2Qnt1aPjtVPEK92JbJ4
--- xzM0AhV4gTQE0Q7inJNo9vFj+crJQxWeI7u9pl7bqAI
á6nGJÖ0Bˆ7F° bßÙ½2®L³äÇ]²2zl<7A>À&e†KÄx®àé9SWNàV"MfŽ€ëÙKHUC:1b;9St‰ëõ±DuѧçÏ¢žÌŸ¡<02>èÐéîÀ<C380>ÔfÕ7¨î1§I(õdÓþô‡ï ó


@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 HY2yRg WvKK6U1wQtx2pbUDfuaUIXTQiCulDkz7hgUCSwMfMzQ
jLktUMqKuVxukqzz++pHOKvmucUQqeKYy5IwBma7KxY
-> ssh-ed25519 CAWG4Q XKGuNNoYFl9bdZzsqYYTY7GsEt5sypLW4R+1uk78NmU
8dIA2GzRAwTGM5CDHSM2BUBsbXzEAUssWUz2PY2PaTg
-> ssh-ed25519 MSF3dg T630RsKuZIF/bp+KITnIIWWHsg6M/VQGqbWQZxqT+AA
SraZcgZJVtmUzHF/XR9J7aK5t5EDNpkC/av/WJUT/G8
--- /12G8pj9sbs591OM/ryhoLnSWWmzYcoqprk9uN/3g18
ä·ù¼Â‡%å]yi"ô<>»LÓ âùH`ªa$Æþ)¦9ve<76>.0úmÉK<EFBFBD>vƒÀ ïu"|1cÞ-%ÔÕ"åWFï¡ÞA«<41>hº$•ºj<eñ¶xÅLx«ç.?œÈâ:L…¬ƒ,ëu»|³F|Õi²äÔ

secrets/nosv-token.age Normal file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 HY2yRg hrdS7Dl/j+u3XVfM79ZJpZSlre9TcD7DTQ+EEAT6kEE
avUO96P1h7w2BYWgrQ7GpUgdaCV9AZL7eOTTcF9gfro
-> ssh-ed25519 CAWG4Q A5raRY1CAgFYZgoQ92GMyNejYNdHx/7Y6uTS+EjLPWA
FRFqT2Jz7qRcybaxkQTKHGl797LVXoHpYG4RZSrX/70
-> ssh-ed25519 MSF3dg D+R80Bg7W9AuiOMAqtGFZQl994dRBIegYRLmmTaeZ3o
BHvZsugRiuZ91b4jk91h30o3eF3hadSnVCwxXge95T8
-> BT/El`a-grease W{nq|Vm )bld 2Nl}4 N$#JGB4t
oLG+0S1aGfO/ohCfgGmhDhwwLi4H
--- 2I5C+FvBG/K1ZHh7C5QD39feTSLoFGwcTeZAmeILNsI
¹õW©ÙÄd;ËÐC¾.¹¡_(“u G¡€‰#ìvâœgÉ<67>†õõy¹Y‰žl9ŒÈ¡Ïµ.Œé0x<30>Þ½úN. <>tB×b‡ü¼K¼ì:Q×—È\¹ÀÍT_´»Átxïm——_JñÞž-š

secrets/ovni-token.age Normal file

Binary file not shown.


@ -6,9 +6,10 @@ let
safe = keys.hostGroup.safe ++ adminsKeys; safe = keys.hostGroup.safe ++ adminsKeys;
in in
{ {
"gitlab-bsc-es-token.age".publicKeys = hut;
"gitea-runner-token.age".publicKeys = hut; "gitea-runner-token.age".publicKeys = hut;
"gitlab-runner-docker-token.age".publicKeys = hut; "ovni-token.age".publicKeys = hut;
"gitlab-runner-shell-token.age".publicKeys = hut; "nosv-token.age".publicKeys = hut;
"nix-serve.age".publicKeys = hut; "nix-serve.age".publicKeys = hut;
"jungle-robot-password.age".publicKeys = hut; "jungle-robot-password.age".publicKeys = hut;