rarias/jungle
2
0
Fork 3
Code Issues 57 Pull Requests 7 Actions Packages Projects Releases Wiki Activity

Compare commits

base: rarias:4e9be9a8d3a67e820ee9b6dabdcb1f2bd5fb9623
Branches Tags
rarias:master rarias:enableStrictDeps rarias:fox-regression rarias:pkgs/tacuda rarias:pkgs/tasycl rarias:robust-fetchGit rarias:old-master rarias:gitea-lfs rarias:only-restart-logins rarias:monitor-gpfs-home rarias:add-tent-machine rarias:m/raccoon rarias:add-fpga-u280 rarias:maintenance-purchase rarias:add-fox-machine rarias:share-files rarias:shared-nix-store rarias:intro-nix rarias:lake2-ipoib
...
compare: rarias:9e4072f0aa4b07cc071ed0d88c7f2888393b79af
Branches Tags
rarias:master rarias:enableStrictDeps rarias:fox-regression rarias:pkgs/tacuda rarias:pkgs/tasycl rarias:robust-fetchGit rarias:old-master rarias:gitea-lfs rarias:only-restart-logins rarias:monitor-gpfs-home rarias:add-tent-machine rarias:m/raccoon rarias:add-fpga-u280 rarias:maintenance-purchase rarias:add-fox-machine rarias:share-files rarias:shared-nix-store rarias:intro-nix rarias:lake2-ipoib

3 Commits
4e9be9a8d3 ... 9e4072f0aa

Author SHA1 Message Date
Rodrigo Arias Mallo
9e4072f0aa Remove extra flush commands on firewall stop 
They are not needed as they are already flushed when the firewall
starts or stops.
 2025-07-11 16:25:21 +02:00
Rodrigo Arias Mallo
7e3a48617b Prevent accidental use of nftables 2025-07-11 16:25:21 +02:00
Rodrigo Arias Mallo
de444dc007 Add proxy configuration for internal hosts 
Access internal hosts via apex proxy. From the compute nodes we first
open an SSH connection to apex, and then tunnel it through the HTTP
proxy with netcat.

This way we allow reaching internal GitLab repositories without
requiring the user to have credentials in the remote host, while we can
use multiple remotes to provide redundancy.
 2025-07-11 16:25:13 +02:00
5 changed files with 33 additions and 7 deletions
Expand all files Collapse all files

11
m/apex/configuration.nix
View File

@@ -54,6 +54,17 @@
};
};
# Use SSH tunnel to reach internal hosts
programs.ssh.extraConfig = ''
Host bscpm04.bsc.es gitlab-internal.bsc.es knights3.bsc.es
ProxyCommand nc -X connect -x localhost:23080 %h %p
Host raccoon
HostName knights3.bsc.es
ProxyCommand nc -X connect -x localhost:23080 %h %p
Host tent
ProxyJump raccoon
'';
# Use tent for cache
nix.settings = {
extra-substituters = [ "https://jungle.bsc.es/cache" ];

5
m/apex/nfs.nix
View File

@@ -28,10 +28,5 @@
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
'';
# Flush all rules and chains on stop so it won't break on start
extraStopCommands = ''
iptables -F
iptables -X
'';
};
}

5
m/common/base/net.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, ... }:
{ pkgs, lib, ... }:
{
networking = {
@@ -10,6 +10,9 @@
allowedTCPPorts = [ 22 ];
};
# Make sure we use iptables
nftables.enable = lib.mkForce false;
hosts = {
"84.88.53.236" = [ "apex" "ssfhead.bsc.es" "ssfhead" ];
"84.88.51.152" = [ "raccoon" ];

3
m/common/ssf.nix
View File

@@ -3,7 +3,8 @@
imports = [
./xeon.nix
./ssf/fs.nix
./ssf/net.nix
./ssf/hosts.nix
./ssf/net.nix
./ssf/ssh.nix
];
}

16
m/common/ssf/ssh.nix Normal file
View File

@@ -0,0 +1,16 @@
{
# Use SSH tunnel to apex to reach internal hosts
programs.ssh.extraConfig = ''
Host tent
ProxyJump raccoon
# Access raccoon via the HTTP proxy
Host raccoon knights3.bsc.es
HostName knights3.bsc.es
ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p'
# Make sure we can reach gitlab even if we don't have SSH access to raccoon
Host bscpm04.bsc.es gitlab-internal.bsc.es
ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p'
'';
}