Do not force derviation inputs, use booleans instead

In order to send email, the gitea user needs to be in the mail-robot
group.

Fixes: #220
Reviewed-by: Aleix Boné <abonerib@bsc.es>

.gitea/workflows/ci.yaml

@@ -12,4 +12,9 @@ jobs:
     runs-on: native
     steps:
       - uses: https://gitea.com/ScMi1/checkout@v1.4
-      - run: nix build -L --no-link --print-out-paths .#bsc-ci.all
+      - run: nix build -L --no-link --print-out-paths .#bsc.ci.all
+  build:cross:
+    runs-on: native
+    steps:
+      - uses: https://gitea.com/ScMi1/checkout@v1.4
+      - run: nix build -L --no-link --print-out-paths .#bsc.ci.cross

doc/maintainers.md

@@ -0,0 +1,30 @@
+# Maintainers
+
+## Role of a maintainer
+The responsibilities of maintainers are quite lax, and similar in spirit to
+[nixpkgs' maintainers][1]:
+
+    The main responsibility of a maintainer is to keep the packages they
+    maintain in a functioning state, and keep up with updates. In order to do
+    that, they are empowered to make decisions over the packages they maintain.
+
+    That being said, the maintainer is not alone in proposing changes to the
+    packages. Anybody (both bots and humans) can send PRs to bump or tweak the
+    package.
+
+In practice, this means that when updating or proposing changes to a package,
+we will notify maintainers by mentioning them in Gitea so they can test changes
+and give feedback.
+
+Since we do bi-yearly release cycles, there is no expectation from maintainers
+to update packages at each upstream release. Nevertheless, on each release cycle
+we may request help from maintainers when updating or testing their packages.
+
+## Becoming a maintainer
+
+
+You'll have to add yourself in the `maintainers.nix` list; your username should
+match your `bsc.es` email. Then you can add yourself to the `meta.maintainers`
+of any package you are interested in maintaining.
+
+[1]: [https://github.com/NixOS/nixpkgs/tree/nixos-25.05/maintainers]

flake.lock

@@ -1,107 +1,25 @@
 {
   "nodes": {
-    "agenix": {
-      "inputs": {
-        "darwin": "darwin",
-        "home-manager": "home-manager",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1750173260,
-        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
-        "owner": "ryantm",
-        "repo": "agenix",
-        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ryantm",
-        "repo": "agenix",
-        "type": "github"
-      }
-    },
-    "darwin": {
-      "inputs": {
-        "nixpkgs": [
-          "agenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1744478979,
-        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lnl7",
-        "ref": "master",
-        "repo": "nix-darwin",
-        "type": "github"
-      }
-    },
-    "home-manager": {
-      "inputs": {
-        "nixpkgs": [
-          "agenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1745494811,
-        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1752436162,
-        "narHash": "sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw=",
+        "lastModified": 1767634882,
+        "narHash": "sha256-2GffSfQxe3sedHzK+sTKlYo/NTIAGzbFCIsNMUPAAnk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dfcd5b901dbab46c9c6e80b265648481aafb01f8",
+        "rev": "3c9db02515ef1d9b6b709fc60ba9a540957f661c",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "root": {
       "inputs": {
-        "agenix": "agenix",
         "nixpkgs": "nixpkgs"
       }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -1,15 +1,13 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
-    agenix.url = "github:ryantm/agenix";
-    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
   };
 
-  outputs = { self, nixpkgs, agenix, ... }:
+  outputs = { self, nixpkgs, ... }:
 let
   mkConf = name: nixpkgs.lib.nixosSystem {
     system = "x86_64-linux";
-    specialArgs = { inherit nixpkgs agenix; theFlake = self; };
+    specialArgs = { inherit nixpkgs; theFlake = self; };
     modules = [ "${self.outPath}/m/${name}/configuration.nix" ];
   };
   # For now we only support x86
@@ -42,11 +40,13 @@ in
     # full nixpkgs with our overlay applied
     legacyPackages.${system} = pkgs;
 
-    hydraJobs = {
-      inherit (self.legacyPackages.${system}.bsc-ci) tests pkgs cross;
-    };
+    hydraJobs = self.legacyPackages.${system}.bsc.hydraJobs;
 
     # propagate nixpkgs lib, so we can do bscpkgs.lib
-    inherit (nixpkgs) lib;
+    lib = nixpkgs.lib // {
+      maintainers = nixpkgs.lib.maintainers // {
+        bsc = import ./pkgs/maintainers.nix;
+      };
+    };
   };
 }

m/apex/configuration.nix

@@ -57,6 +57,18 @@
     };
   };
 
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    bantime-increment = {
+      enable = true; # Double ban time on each attack
+      maxtime = "7d"; # Ban up to a week
+    };
+  };
+
+  # Disable SSH login with password, allow only keypair
+  services.openssh.settings.PasswordAuthentication = false;
+
   networking.firewall = {
     extraCommands = ''
       # Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our

m/bay/configuration.nix

@@ -24,7 +24,7 @@
       address = "10.0.40.40";
       prefixLength = 24;
     } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
       address = "10.0.42.40";
       prefixLength = 24;
     } ];

m/common/base.nix

@@ -11,6 +11,7 @@
     ./base/hw.nix
     ./base/net.nix
     ./base/nix.nix
+    ./base/sys-devices.nix
     ./base/ntp.nix
     ./base/rev.nix
     ./base/ssh.nix

m/common/base/agenix.nix

@@ -1,9 +1,8 @@
-{ agenix, ... }:
+{ pkgs, ... }:
 
 {
-  imports = [ agenix.nixosModules.default ];
+  imports = [ ../../module/agenix.nix ];
 
-  environment.systemPackages = [
-    agenix.packages.x86_64-linux.default
-  ];
+  # Add agenix to system packages
+  environment.systemPackages = [ pkgs.agenix ];
 }

m/common/base/env.nix

@@ -1,12 +1,12 @@
-{ pkgs, config, ... }:
+{ pkgs, ... }:
 
 {
   environment.systemPackages = with pkgs; [
     vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
     nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
-    ncdu config.boot.kernelPackages.perf ldns pv
-    # From bsckgs overlay
-    osumb
+    ncdu perf ldns pv
+    # From jungle overlay
+    osumb nixgen
   ];
 
   programs.direnv.enable = true;

m/common/base/sys-devices.nix

@@ -0,0 +1,9 @@
+{
+  nix.settings.system-features = [ "sys-devices" ];
+
+  programs.nix-required-mounts.enable = true;
+  programs.nix-required-mounts.allowedPatterns.sys-devices.paths = [
+    "/sys/devices/system/cpu"
+    "/sys/devices/system/node"
+  ];
+}

m/common/base/users.nix

@@ -139,6 +139,7 @@
         openssh.authorizedKeys.keys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"
         ];
+        shell = pkgs.zsh;
       };
 
       pmartin1 = {
@@ -180,6 +181,19 @@
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFmMqKqPg4uocNOr3O41kLbZMOMJn3m2ZdN1JvTR96z3 bsccns@arnau-bsc"
         ];
       };
+
+      aaguirre = {
+        uid = 9655;
+        isNormalUser = true;
+        home = "/home/Computational/aaguirre";
+        description = "Alejandro Aguirre";
+        group = "Computational";
+        hosts = [ "apex" "hut" ];
+        hashedPassword = "$6$TXRXQT6jjBvxkxU6$E.sh5KspAm1qeG5Ct7OPHpo8REmbGDwjFGvqeGgTVz3GASGOAnPL7UMZsMAsAKBoahOw.v8LNno6XGrTEPzZH1";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlRX7ZCnqtUJYCxKgWmgSrFCYuA2LHY96rVwqxXPl86 aaguirre@BSC-8488184117"
+        ];
+      };
     };
 
     groups = {

m/common/base/watchdog.nix

@@ -5,5 +5,5 @@
   boot.kernelModules = [ "ipmi_watchdog" ];
 
   # Enable systemd watchdog with 30 s interval
-  systemd.watchdog.runtimeTime = "30s";
+  systemd.settings.Manager.RuntimeWatchdogSec = 30;
 }

m/eudy/kernel/perf.nix

@@ -1,11 +1,6 @@
-{ config, pkgs, lib, ... }:
+{ pkgs, lib, ... }:
 
 {
-  # add the perf tool
-  environment.systemPackages = with pkgs; [
-    config.boot.kernelPackages.perf
-  ];
-
   # allow non-root users to read tracing data from the kernel
   boot.kernel.sysctl."kernel.perf_event_paranoid" = -2;
   boot.kernel.sysctl."kernel.kptr_restrict" = 0;

m/fox/configuration.nix

@@ -93,20 +93,4 @@
     wantedBy = [ "multi-user.target" ];
     serviceConfig.ExecStart = script;
   };
-
-  # Only allow SSH connections from users who have a SLURM allocation
-  # See: https://slurm.schedmd.com/pam_slurm_adopt.html
-  security.pam.services.sshd.rules.account.slurm = {
-    control = "required";
-    enable = true;
-    modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
-    args = [ "log_level=debug5" ];
-    order = 999999; # Make it last one
-  };
-
-  # Disable systemd session (pam_systemd.so) as it will conflict with the
-  # pam_slurm_adopt.so module. What happens is that the shell is first adopted
-  # into the slurmstepd task and then into the systemd session, which is not
-  # what we want, otherwise it will linger even if all jobs are gone.
-  security.pam.services.sshd.startSession = lib.mkForce false;
 }

m/hut/configuration.nix

@@ -17,6 +17,7 @@
     ./postgresql.nix
     ./nginx.nix
     ./p.nix
+    ./ompss2-timer.nix
     #./pxe.nix
   ];
 
@@ -44,7 +45,7 @@
       address = "10.0.40.7";
       prefixLength = 24;
     } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
       address = "10.0.42.7";
       prefixLength = 24;
     } ];

m/hut/gitea.nix

@@ -29,6 +29,9 @@
     };
   };
 
+  # Allow gitea user to send mail
+  users.users.gitea.extraGroups = [ "mail-robot" ];
+
   services.gitea-actions-runner.instances = {
     runrun = {
       enable = true;

m/hut/msmtp.nix

@@ -1,8 +1,11 @@
 { config, lib, ... }:
 {
+  # Robot user that can see the password to send mail from jungle-robot
+  users.groups.mail-robot = {};
+
   age.secrets.jungleRobotPassword = {
     file = ../../secrets/jungle-robot-password.age;
-    group = "gitea";
+    group = "mail-robot";
     mode = "440";
   };
 

m/hut/nginx.nix

@@ -4,8 +4,8 @@ let
     name = "jungle-web";
     src = pkgs.fetchgit {
       url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "739bf0175a7f05380fe7ad7023ff1d60db1710e1";
-      hash = "sha256-ea5DzhYTzZ9TmqD+x95rdNdLbxPnBluqlYH2NmBYmc4=";
+      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
+      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
     };
     buildInputs = [ pkgs.hugo ];
     buildPhase = ''

m/hut/ompss2-timer.nix

@@ -0,0 +1,85 @@
+{ config, pkgs, ... }:
+{
+  systemd.timers = {
+    "ompss2-closing" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Unit = "ompss2-closing.service";
+        OnCalendar = [ "*-03-15 07:00:00" "*-09-15 07:00:00"];
+      };
+    };
+    "ompss2-freeze" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Unit = "ompss2-freeze.service";
+        OnCalendar = [ "*-04-15 07:00:00" "*-10-15 07:00:00" ];
+      };
+    };
+    "ompss2-release" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Unit = "ompss2-release.service";
+        OnCalendar = [ "*-05-15 07:00:00" "*-11-15 07:00:00" ];
+      };
+    };
+  };
+
+  systemd.services =
+  let
+    closing = pkgs.writeText "closing.txt"
+    ''
+      Subject: OmpSs-2 release enters closing period
+
+      Hi,
+
+      You have one month to merge the remaining features for the next OmpSs-2
+      release. Please, identify what needs to be merged and discuss it in the next
+      OmpSs-2 meeting.
+
+      Thanks!,
+      Jungle robot
+    '';
+    freeze = pkgs.writeText "freeze.txt"
+    ''
+      Subject: OmpSs-2 release enters freeze period
+
+      Hi,
+
+      The period to introduce new features or breaking changes is over, only bug
+      fixes are allowed now. During this time, please prepare the release notes
+      to be included in the next OmpSs-2 release.
+
+      Thanks!,
+      Jungle robot
+    '';
+    release = pkgs.writeText "release.txt"
+    ''
+      Subject: OmpSs-2 release now
+
+      Hi,
+
+      The period to introduce bug fixes is now over. Please, proceed to do the
+      OmpSs-2 release.
+
+      Thanks!,
+      Jungle robot
+    '';
+    mkServ = name: mail: {
+      "ompss2-${name}" = {
+        script = ''
+          set -eu
+          set -o pipefail
+          cat ${mail} | ${config.security.wrapperDir}/sendmail star@bsc.es
+        '';
+        serviceConfig = {
+          Type = "oneshot";
+          DynamicUser = true;
+          Group = "mail-robot";
+        };
+      };
+    };
+  in
+    (mkServ "closing" closing) //
+    (mkServ "freeze" freeze) //
+    (mkServ "release" release);
+}

m/lake2/configuration.nix

@@ -46,7 +46,7 @@
       address = "10.0.40.42";
       prefixLength = 24;
     } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
       address = "10.0.42.42";
       prefixLength = 24;
     } ];

m/module/agenix.nix

@@ -0,0 +1,357 @@
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  cfg = config.age;
+
+  isDarwin = lib.attrsets.hasAttrByPath [ "environment" "darwinConfig" ] options;
+
+  ageBin = config.age.ageBin;
+
+  users = config.users.users;
+
+  sysusersEnabled =
+    if isDarwin then
+      false
+    else
+      options.systemd ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable);
+
+  mountCommand =
+    if isDarwin then
+      ''
+        if ! diskutil info "${cfg.secretsMountPoint}" &> /dev/null; then
+            num_sectors=1048576
+            dev=$(hdiutil attach -nomount ram://"$num_sectors" | sed 's/[[:space:]]*$//')
+            newfs_hfs -v agenix "$dev"
+            mount -t hfs -o nobrowse,nodev,nosuid,-m=0751 "$dev" "${cfg.secretsMountPoint}"
+        fi
+      ''
+    else
+      ''
+        grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts ||
+          mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
+      '';
+  newGeneration = ''
+    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+    (( ++_agenix_generation ))
+    echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
+    mkdir -p "${cfg.secretsMountPoint}"
+    chmod 0751 "${cfg.secretsMountPoint}"
+    ${mountCommand}
+    mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
+    chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
+  '';
+
+  chownGroup = if isDarwin then "admin" else "keys";
+  # chown the secrets mountpoint and the current generation to the keys group
+  # instead of leaving it root:root.
+  chownMountPoint = ''
+    chown :${chownGroup} "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"
+  '';
+
+  setTruePath = secretType: ''
+    ${
+      if secretType.symlink then
+        ''
+          _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
+        ''
+      else
+        ''
+          _truePath="${secretType.path}"
+        ''
+    }
+  '';
+
+  installSecret = secretType: ''
+    ${setTruePath secretType}
+    echo "decrypting '${secretType.file}' to '$_truePath'..."
+    TMP_FILE="$_truePath.tmp"
+
+    IDENTITIES=()
+    for identity in ${toString cfg.identityPaths}; do
+      test -r "$identity" || continue
+      test -s "$identity" || continue
+      IDENTITIES+=(-i)
+      IDENTITIES+=("$identity")
+    done
+
+    test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
+
+    mkdir -p "$(dirname "$_truePath")"
+    [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
+    (
+      umask u=r,g=,o=
+      test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!'
+      test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
+      LANG=${
+        config.i18n.defaultLocale or "C"
+      } ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}"
+    )
+    chmod ${secretType.mode} "$TMP_FILE"
+    mv -f "$TMP_FILE" "$_truePath"
+
+    ${optionalString secretType.symlink ''
+      [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
+    ''}
+  '';
+
+  testIdentities = map (path: ''
+    test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
+  '') cfg.identityPaths;
+
+  cleanupAndLink = ''
+    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+    (( ++_agenix_generation ))
+    echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
+    ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
+
+    (( _agenix_generation > 1 )) && {
+    echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
+    rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
+    }
+  '';
+
+  installSecrets = builtins.concatStringsSep "\n" (
+    [ "echo '[agenix] decrypting secrets...'" ]
+    ++ testIdentities
+    ++ (map installSecret (builtins.attrValues cfg.secrets))
+    ++ [ cleanupAndLink ]
+  );
+
+  chownSecret = secretType: ''
+    ${setTruePath secretType}
+    chown ${secretType.owner}:${secretType.group} "$_truePath"
+  '';
+
+  chownSecrets = builtins.concatStringsSep "\n" (
+    [ "echo '[agenix] chowning...'" ]
+    ++ [ chownMountPoint ]
+    ++ (map chownSecret (builtins.attrValues cfg.secrets))
+  );
+
+  secretType = types.submodule (
+    { config, ... }:
+    {
+      options = {
+        name = mkOption {
+          type = types.str;
+          default = config._module.args.name;
+          defaultText = literalExpression "config._module.args.name";
+          description = ''
+            Name of the file used in {option}`age.secretsDir`
+          '';
+        };
+        file = mkOption {
+          type = types.path;
+          description = ''
+            Age file the secret is loaded from.
+          '';
+        };
+        path = mkOption {
+          type = types.str;
+          default = "${cfg.secretsDir}/${config.name}";
+          defaultText = literalExpression ''
+            "''${cfg.secretsDir}/''${config.name}"
+          '';
+          description = ''
+            Path where the decrypted secret is installed.
+          '';
+        };
+        mode = mkOption {
+          type = types.str;
+          default = "0400";
+          description = ''
+            Permissions mode of the decrypted secret in a format understood by chmod.
+          '';
+        };
+        owner = mkOption {
+          type = types.str;
+          default = "0";
+          description = ''
+            User of the decrypted secret.
+          '';
+        };
+        group = mkOption {
+          type = types.str;
+          default = users.${config.owner}.group or "0";
+          defaultText = literalExpression ''
+            users.''${config.owner}.group or "0"
+          '';
+          description = ''
+            Group of the decrypted secret.
+          '';
+        };
+        symlink = mkEnableOption "symlinking secrets to their destination" // {
+          default = true;
+        };
+      };
+    }
+  );
+in
+{
+  imports = [
+    (mkRenamedOptionModule [ "age" "sshKeyPaths" ] [ "age" "identityPaths" ])
+  ];
+
+  options.age = {
+    ageBin = mkOption {
+      type = types.str;
+      default = "${pkgs.age}/bin/age";
+      defaultText = literalExpression ''
+        "''${pkgs.age}/bin/age"
+      '';
+      description = ''
+        The age executable to use.
+      '';
+    };
+    secrets = mkOption {
+      type = types.attrsOf secretType;
+      default = { };
+      description = ''
+        Attrset of secrets.
+      '';
+    };
+    secretsDir = mkOption {
+      type = types.path;
+      default = "/run/agenix";
+      description = ''
+        Folder where secrets are symlinked to
+      '';
+    };
+    secretsMountPoint = mkOption {
+      type =
+        types.addCheck types.str (
+          s:
+          (builtins.match "[ \t\n]*" s) == null # non-empty
+          && (builtins.match ".+/" s) == null
+        ) # without trailing slash
+        // {
+          description = "${types.str.description} (with check: non-empty without trailing slash)";
+        };
+      default = "/run/agenix.d";
+      description = ''
+        Where secrets are created before they are symlinked to {option}`age.secretsDir`
+      '';
+    };
+    identityPaths = mkOption {
+      type = types.listOf types.path;
+      default =
+        if isDarwin then
+          [
+            "/etc/ssh/ssh_host_ed25519_key"
+            "/etc/ssh/ssh_host_rsa_key"
+          ]
+        else if (config.services.openssh.enable or false) then
+          map (e: e.path) (
+            lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys
+          )
+        else
+          [ ];
+      defaultText = literalExpression ''
+        if isDarwin
+        then [
+          "/etc/ssh/ssh_host_ed25519_key"
+          "/etc/ssh/ssh_host_rsa_key"
+        ]
+        else if (config.services.openssh.enable or false)
+        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
+        else [];
+      '';
+      description = ''
+        Path to SSH keys to be used as identities in age decryption.
+      '';
+    };
+  };
+
+  config = mkIf (cfg.secrets != { }) (mkMerge [
+    {
+      assertions = [
+        {
+          assertion = cfg.identityPaths != [ ];
+          message = "age.identityPaths must be set, for example by enabling openssh.";
+        }
+      ];
+    }
+    (optionalAttrs (!isDarwin) {
+      # When using sysusers we no longer be started as an activation script
+      # because those are started in initrd while sysusers is started later.
+      systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
+        wantedBy = [ "sysinit.target" ];
+        after = [ "systemd-sysusers.service" ];
+        unitConfig.DefaultDependencies = "no";
+
+        path = [ pkgs.mount ];
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = pkgs.writeShellScript "agenix-install" (concatLines [
+            newGeneration
+            installSecrets
+            chownSecrets
+          ]);
+          RemainAfterExit = true;
+        };
+      };
+
+      # Create a new directory full of secrets for symlinking (this helps
+      # ensure removed secrets are actually removed, or at least become
+      # invalid symlinks).
+      system.activationScripts = mkIf (!sysusersEnabled) {
+        agenixNewGeneration = {
+          text = newGeneration;
+          deps = [
+            "specialfs"
+          ];
+        };
+
+        agenixInstall = {
+          text = installSecrets;
+          deps = [
+            "agenixNewGeneration"
+            "specialfs"
+          ];
+        };
+
+        # So user passwords can be encrypted.
+        users.deps = [ "agenixInstall" ];
+
+        # Change ownership and group after users and groups are made.
+        agenixChown = {
+          text = chownSecrets;
+          deps = [
+            "users"
+            "groups"
+          ];
+        };
+
+        # So other activation scripts can depend on agenix being done.
+        agenix = {
+          text = "";
+          deps = [ "agenixChown" ];
+        };
+      };
+    })
+
+    (optionalAttrs isDarwin {
+      launchd.daemons.activate-agenix = {
+        script = ''
+          set -e
+          set -o pipefail
+          export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
+          ${newGeneration}
+          ${installSecrets}
+          ${chownSecrets}
+          exit 0
+        '';
+        serviceConfig = {
+          RunAtLoad = true;
+          KeepAlive.SuccessfulExit = false;
+        };
+      };
+    })
+  ]);
+}

m/module/debuginfod.nix

@@ -1,3 +1,10 @@
 {
-  services.nixseparatedebuginfod.enable = true;
+  services.nixseparatedebuginfod2 = {
+    enable = true;
+    substituters = [
+      "local:"
+      "https://cache.nixos.org"
+      "http://hut/cache"
+    ];
+  };
 }

m/module/slurm-client.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 
 {
   imports = [
@@ -21,4 +21,20 @@
   };
 
   services.slurm.client.enable = true;
+
+  # Only allow SSH connections from users who have a SLURM allocation
+  # See: https://slurm.schedmd.com/pam_slurm_adopt.html
+  security.pam.services.sshd.rules.account.slurm = {
+    control = "required";
+    enable = true;
+    modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
+    args = [ "log_level=debug5" ];
+    order = 999999; # Make it last one
+  };
+
+  # Disable systemd session (pam_systemd.so) as it will conflict with the
+  # pam_slurm_adopt.so module. What happens is that the shell is first adopted
+  # into the slurmstepd task and then into the systemd session, which is not
+  # what we want, otherwise it will linger even if all jobs are gone.
+  security.pam.services.sshd.startSession = lib.mkForce false;
 }

m/module/slurm-common.nix

@@ -1,31 +1,6 @@
 { config, pkgs, ... }:
 
-let
-  suspendProgram = pkgs.writeShellScript "suspend.sh" ''
-    exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log
-    set -x
-    export "PATH=/run/current-system/sw/bin:$PATH"
-    echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log
-    hosts=$(scontrol show hostnames $1)
-    for host in $hosts; do
-      echo Shutting down host: $host
-      ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power off
-    done
-  '';
-
-  resumeProgram = pkgs.writeShellScript "resume.sh" ''
-    exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log
-    set -x
-    export "PATH=/run/current-system/sw/bin:$PATH"
-    echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log
-    hosts=$(scontrol show hostnames $1)
-    for host in $hosts; do
-      echo Starting host: $host
-      ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power on
-    done
-  '';
-
-in {
+{
   services.slurm = {
     controlMachine = "apex";
     clusterName = "jungle";
@@ -59,16 +34,6 @@ in {
       # the resources. Use the task/cgroup plugin to enable process containment.
       TaskPlugin=task/affinity,task/cgroup
 
-      # Power off unused nodes until they are requested
-      SuspendProgram=${suspendProgram}
-      SuspendTimeout=60
-      ResumeProgram=${resumeProgram}
-      ResumeTimeout=300
-      SuspendExcNodes=fox
-
-      # Turn the nodes off after 1 hour of inactivity
-      SuspendTime=3600
-
       # Reduce port range so we can allow only this range in the firewall
       SrunPortRange=60000-61000
 
@@ -86,9 +51,7 @@ in {
       # when a task runs (srun) so we can ssh early.
       PrologFlags=Alloc,Contain,X11
 
-      # LaunchParameters=ulimit_pam_adopt will set RLIMIT_RSS in processes
-      # adopted by the external step, similar to tasks running in regular steps
-      # LaunchParameters=ulimit_pam_adopt
+      LaunchParameters=use_interactive_step
       SlurmdDebug=debug5
       #DebugFlags=Protocol,Cgroup
     '';

m/owl1/configuration.nix

@@ -20,7 +20,7 @@
       address = "10.0.40.1";
       prefixLength = 24;
     } ];
-    interfaces.ibp5s0.ipv4.addresses = [ {
+    interfaces.ibs785.ipv4.addresses = [ {
       address = "10.0.42.1";
       prefixLength = 24;
     } ];

m/owl2/configuration.nix

@@ -21,7 +21,7 @@
       prefixLength = 24;
     } ];
     # Watch out! The OmniPath device is not in the same place here:
-    interfaces.ibp129s0.ipv4.addresses = [ {
+    interfaces.ibs801.ipv4.addresses = [ {
       address = "10.0.42.2";
       prefixLength = 24;
     } ];

m/tent/gitea.nix

@@ -27,4 +27,7 @@
       };
     };
   };
+
+  # Allow gitea user to send mail
+  users.users.gitea.extraGroups = [ "mail-robot" ];
 }

m/tent/nginx.nix

@@ -4,8 +4,8 @@ let
     name = "jungle-web";
     src = pkgs.fetchgit {
       url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "739bf0175a7f05380fe7ad7023ff1d60db1710e1";
-      hash = "sha256-ea5DzhYTzZ9TmqD+x95rdNdLbxPnBluqlYH2NmBYmc4=";
+      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
+      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
     };
     buildInputs = [ pkgs.hugo ];
     buildPhase = ''

overlay.nix

@@ -7,13 +7,14 @@ let
   callPackage = final.callPackage;
 
   bscPkgs = {
+    agenix = prev.callPackage ./pkgs/agenix/default.nix { };
     amd-uprof = prev.callPackage ./pkgs/amd-uprof/default.nix { };
     bench6 = callPackage ./pkgs/bench6/default.nix { };
     bigotes = callPackage ./pkgs/bigotes/default.nix { };
     clangOmpss2 = callPackage ./pkgs/llvm-ompss2/default.nix { };
-    clangOmpss2Nanos6 = callPackage ./pkgs/llvm-ompss2/default.nix { ompss2rt = final.nanos6; };
-    clangOmpss2Nodes = callPackage ./pkgs/llvm-ompss2/default.nix { ompss2rt = final.nodes; openmp = final.openmp; };
-    clangOmpss2NodesOmpv = callPackage ./pkgs/llvm-ompss2/default.nix { ompss2rt = final.nodes; openmp = final.openmpv; };
+    clangOmpss2Nanos6 = callPackage ./pkgs/llvm-ompss2/default.nix { useNanos6 = true; };
+    clangOmpss2Nodes = callPackage ./pkgs/llvm-ompss2/default.nix { useNodes = true; useOpenmp = true; };
+    clangOmpss2NodesOmpv = callPackage ./pkgs/llvm-ompss2/default.nix { useNodes = true; useOpenmpV = true; };
     clangOmpss2Unwrapped = callPackage ./pkgs/llvm-ompss2/clang.nix { };
     cudainfo = prev.callPackage ./pkgs/cudainfo/default.nix { };
     #extrae = callPackage ./pkgs/extrae/default.nix { }; # Broken and outdated
@@ -29,13 +30,15 @@ let
       amd-uprof-driver = _prev.callPackage ./pkgs/amd-uprof/driver.nix { };
     });
     lmbench = callPackage ./pkgs/lmbench/default.nix { };
-    mcxx = callPackage ./pkgs/mcxx/default.nix { };
+    # Broken and unmantained
+    # mcxx = callPackage ./pkgs/mcxx/default.nix { };
     meteocat-exporter = prev.callPackage ./pkgs/meteocat-exporter/default.nix { };
     mpi = final.mpich; # Set MPICH as default
     mpich = callPackage ./pkgs/mpich/default.nix { mpich = prev.mpich; };
     nanos6 = callPackage ./pkgs/nanos6/default.nix { };
     nanos6Debug = final.nanos6.override { enableDebug = true; };
     nixtools = callPackage ./pkgs/nixtools/default.nix { };
+    nixgen = callPackage ./pkgs/nixgen/default.nix { };
     # Broken because of pkgsStatic.libcap
     # See: https://github.com/NixOS/nixpkgs/pull/268791
     #nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
@@ -46,15 +49,17 @@ let
     osumb = callPackage ./pkgs/osu/default.nix { };
     ovni = callPackage ./pkgs/ovni/default.nix { };
     ovniGit = final.ovni.override { useGit = true; };
+    papi = callPackage ./pkgs/papi/default.nix { papi = prev.papi; };
     paraverKernel = callPackage ./pkgs/paraver/kernel.nix { };
     prometheus-slurm-exporter = prev.callPackage ./pkgs/slurm-exporter/default.nix { };
     #pscom = callPackage ./pkgs/parastation/pscom.nix { }; # Unmaintaned
     #psmpi = callPackage ./pkgs/parastation/psmpi.nix { }; # Unmaintaned
+    slurm = import ./pkgs/slurm/default.nix { slurm = prev.slurm; };
     sonar = callPackage ./pkgs/sonar/default.nix { };
-    stdenvClangOmpss2 = final.stdenv.override { cc = final.clangOmpss2; allowedRequisites = null; };
-    stdenvClangOmpss2Nanos6 = final.stdenv.override { cc = final.clangOmpss2Nanos6; allowedRequisites = null; };
-    stdenvClangOmpss2Nodes = final.stdenv.override { cc = final.clangOmpss2Nodes; allowedRequisites = null; };
-    stdenvClangOmpss2NodesOmpv = final.stdenv.override { cc = final.clangOmpss2NodesOmpv; allowedRequisites = null; };
+    stdenvClangOmpss2 = final.stdenv.override { cc = final.buildPackages.clangOmpss2; allowedRequisites = null; };
+    stdenvClangOmpss2Nanos6 = final.stdenv.override { cc = final.buildPackages.clangOmpss2Nanos6; allowedRequisites = null; };
+    stdenvClangOmpss2Nodes = final.stdenv.override { cc = final.buildPackages.clangOmpss2Nodes; allowedRequisites = null; };
+    stdenvClangOmpss2NodesOmpv = final.stdenv.override { cc = final.buildPackages.clangOmpss2NodesOmpv; allowedRequisites = null; };
     tagaspi = callPackage ./pkgs/tagaspi/default.nix { };
     tampi = callPackage ./pkgs/tampi/default.nix { };
     upc-qaire-exporter = prev.callPackage ./pkgs/upc-qaire-exporter/default.nix { };
@@ -62,7 +67,7 @@ let
   };
 
   tests = rec {
-    #hwloc = callPackage ./test/bugs/hwloc.nix { }; # Broken, no /sys
+    hwloc = callPackage ./test/bugs/hwloc.nix { };
     #sigsegv = callPackage ./test/reproducers/sigsegv.nix { };
     hello-c = callPackage ./test/compilers/hello-c.nix { };
     hello-cpp = callPackage ./test/compilers/hello-cpp.nix { };
@@ -94,12 +99,20 @@ let
     };
   };
 
-  pkgs = filterAttrs (_: isDerivation) bscPkgs;
+  # For now, only build toplevel packages in CI/Hydra
+  pkgsTopLevel = filterAttrs (_: isDerivation) bscPkgs;
 
-  crossTargets = [ "riscv64" ];
-  cross = prev.lib.genAttrs crossTargets (target:
-    final.pkgsCross.${target}.bsc-ci.pkgs
-  );
+  # Native build in that platform doesn't imply cross build works
+  canCrossCompile = platform: default: pkg:
+    (isDerivation pkg) &&
+    # If meta.cross is undefined, use default
+    (pkg.meta.cross or default) &&
+    (meta.availableOn final.pkgsCross.${platform}.stdenv.hostPlatform pkg);
+
+  # For now only RISC-V
+  crossSet = genAttrs [ "riscv64" ] (platform:
+    filterAttrs (_: canCrossCompile platform true)
+      final.pkgsCross.${platform}.bsc.pkgsTopLevel);
 
   buildList = name: paths:
     final.runCommandLocal name { } ''
@@ -113,22 +126,38 @@ let
       printf '%s\n' $deps >$out
     '';
 
-  crossList = builtins.mapAttrs (t: v: buildList t (builtins.attrValues v)) cross;
-
-  pkgsList = buildList "ci-pkgs" (builtins.attrValues pkgs);
-  testList = buildList "ci-tests" (collect isDerivation tests);
-
-  all = buildList' "ci-all" [ pkgsList testList ];
+  pkgsList = buildList "ci-pkgs" (builtins.attrValues pkgsTopLevel);
+  testsList = buildList "ci-tests" (collect isDerivation tests);
+  allList = buildList' "ci-all" [ pkgsList testsList ];
+  # For now only RISC-V
+  crossList = buildList "ci-cross"
+    (filter
+      (canCrossCompile "riscv64" false) # opt-in (pkgs with: meta.cross = true)
+        (builtins.attrValues crossSet.riscv64));
 
 in bscPkgs // {
-  # Prevent accidental usage of bsc attribute
-  bsc = throw "the bsc attribute is deprecated, packages are now in the root";
+
+  lib = prev.lib // {
+    maintainers = prev.lib.maintainers // {
+      bsc = import ./pkgs/maintainers.nix;
+    };
+  };
+
+  # Prevent accidental usage of bsc-ci attribute
+  bsc-ci = throw "the bsc-ci attribute is deprecated, use bsc.ci";
 
   # Internal for our CI tests
-  bsc-ci = {
-    inherit pkgs pkgsList;
-    inherit tests testList;
-    inherit cross crossList;
-    inherit all;
+  bsc = {
+    # CI targets for nix build
+    ci = { pkgs = pkgsList; tests = testsList; all = allList; cross = crossList; };
+
+    # Direct access to package sets
+    tests = tests;
+    pkgs = bscPkgs;
+    pkgsTopLevel = pkgsTopLevel;
+    cross = crossSet;
+
+    # Hydra uses attribute sets of pkgs
+    hydraJobs = { tests = tests; pkgs = pkgsTopLevel; cross = crossSet; };
   };
 }

pkgs/agenix/agenix.sh

@@ -0,0 +1,212 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+PACKAGE="agenix"
+
+function show_help () {
+  echo "$PACKAGE - edit and rekey age secret files"
+  echo " "
+  echo "$PACKAGE -e FILE [-i PRIVATE_KEY]"
+  echo "$PACKAGE -r [-i PRIVATE_KEY]"
+  echo ' '
+  echo 'options:'
+  echo '-h, --help                show help'
+  # shellcheck disable=SC2016
+  echo '-e, --edit FILE           edits FILE using $EDITOR'
+  echo '-r, --rekey               re-encrypts all secrets with specified recipients'
+  echo '-d, --decrypt FILE        decrypts FILE to STDOUT'
+  echo '-i, --identity            identity to use when decrypting'
+  echo '-v, --verbose             verbose output'
+  echo ' '
+  echo 'FILE an age-encrypted file'
+  echo ' '
+  echo 'PRIVATE_KEY a path to a private SSH key used to decrypt file'
+  echo ' '
+  echo 'EDITOR environment variable of editor to use when editing FILE'
+  echo ' '
+  echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
+  echo ' '
+  echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
+  echo "Defaults to './secrets.nix'"
+  echo ' '
+  echo "agenix version: @version@"
+  echo "age binary path: @ageBin@"
+  echo "age version: $(@ageBin@ --version)"
+}
+
+function warn() {
+  printf '%s\n' "$*" >&2
+}
+
+function err() {
+  warn "$*"
+  exit 1
+}
+
+test $# -eq 0 && (show_help && exit 1)
+
+REKEY=0
+DECRYPT_ONLY=0
+DEFAULT_DECRYPT=(--decrypt)
+
+while test $# -gt 0; do
+  case "$1" in
+    -h|--help)
+      show_help
+      exit 0
+      ;;
+    -e|--edit)
+      shift
+      if test $# -gt 0; then
+        export FILE=$1
+      else
+        echo "no FILE specified"
+        exit 1
+      fi
+      shift
+      ;;
+    -i|--identity)
+      shift
+      if test $# -gt 0; then
+        DEFAULT_DECRYPT+=(--identity "$1")
+      else
+        echo "no PRIVATE_KEY specified"
+        exit 1
+      fi
+      shift
+      ;;
+    -r|--rekey)
+      shift
+      REKEY=1
+      ;;
+    -d|--decrypt)
+      shift
+      DECRYPT_ONLY=1
+      if test $# -gt 0; then
+        export FILE=$1
+      else
+        echo "no FILE specified"
+        exit 1
+      fi
+      shift
+      ;;
+    -v|--verbose)
+      shift
+      set -x
+      ;;
+    *)
+      show_help
+      exit 1
+      ;;
+  esac
+done
+
+RULES=${RULES:-./secrets.nix}
+function cleanup {
+    if [ -n "${CLEARTEXT_DIR+x}" ]
+    then
+        rm -rf -- "$CLEARTEXT_DIR"
+    fi
+    if [ -n "${REENCRYPTED_DIR+x}" ]
+    then
+        rm -rf -- "$REENCRYPTED_DIR"
+    fi
+}
+trap "cleanup" 0 2 3 15
+
+function keys {
+    (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$1\".publicKeys)" | @jqBin@ -r .[]) || exit 1
+}
+
+function armor {
+    (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in (builtins.hasAttr \"armor\" rules.\"$1\" && rules.\"$1\".armor))") || exit 1
+}
+
+function decrypt {
+    FILE=$1
+    KEYS=$2
+    if [ -z "$KEYS" ]
+    then
+        err "There is no rule for $FILE in $RULES."
+    fi
+
+    if [ -f "$FILE" ]
+    then
+        DECRYPT=("${DEFAULT_DECRYPT[@]}")
+        if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
+            if [ -f "$HOME/.ssh/id_rsa" ]; then
+                DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
+            fi
+            if [ -f "$HOME/.ssh/id_ed25519" ]; then
+                DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
+            fi
+        fi
+        if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
+          err "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
+        fi
+
+        @ageBin@ "${DECRYPT[@]}" -- "$FILE" || exit 1
+    fi
+}
+
+function edit {
+    FILE=$1
+    KEYS=$(keys "$FILE") || exit 1
+    ARMOR=$(armor "$FILE") || exit 1
+
+    CLEARTEXT_DIR=$(@mktempBin@ -d)
+    CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename -- "$FILE")"
+    DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
+
+    decrypt "$FILE" "$KEYS" || exit 1
+
+    [ ! -f "$CLEARTEXT_FILE" ] || cp -- "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
+
+    [ -t 0 ] || EDITOR='cp -- /dev/stdin'
+
+    $EDITOR "$CLEARTEXT_FILE"
+
+    if [ ! -f "$CLEARTEXT_FILE" ]
+    then
+      warn "$FILE wasn't created."
+      return
+    fi
+    [ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q -- "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
+
+    ENCRYPT=()
+    if [[ "$ARMOR" == "true" ]]; then
+        ENCRYPT+=(--armor)
+    fi
+    while IFS= read -r key
+    do
+        if [ -n "$key" ]; then
+            ENCRYPT+=(--recipient "$key")
+        fi
+    done <<< "$KEYS"
+
+    REENCRYPTED_DIR=$(@mktempBin@ -d)
+    REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename -- "$FILE")"
+
+    ENCRYPT+=(-o "$REENCRYPTED_FILE")
+
+    @ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
+
+    mkdir -p -- "$(dirname -- "$FILE")"
+
+    mv -f -- "$REENCRYPTED_FILE" "$FILE"
+}
+
+function rekey {
+    FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)"  | @jqBin@ -r .[]) || exit 1)
+
+    for FILE in $FILES
+    do
+        warn "rekeying $FILE..."
+        EDITOR=: edit "$FILE"
+        cleanup
+    done
+}
+
+[ $REKEY -eq 1 ] && rekey && exit 0
+[ $DECRYPT_ONLY -eq 1 ] && DEFAULT_DECRYPT+=("-o" "-") && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
+edit "$FILE" && cleanup && exit 0

pkgs/agenix/default.nix

@@ -0,0 +1,66 @@
+{
+  lib,
+  stdenv,
+  age,
+  jq,
+  nix,
+  mktemp,
+  diffutils,
+  replaceVars,
+  ageBin ? "${age}/bin/age",
+  shellcheck,
+}:
+let
+  bin = "${placeholder "out"}/bin/agenix";
+in
+stdenv.mkDerivation rec {
+  pname = "agenix";
+  version = "0.15.0";
+  src = replaceVars ./agenix.sh {
+    inherit ageBin version;
+    jqBin = "${jq}/bin/jq";
+    nixInstantiate = "${nix}/bin/nix-instantiate";
+    mktempBin = "${mktemp}/bin/mktemp";
+    diffBin = "${diffutils}/bin/diff";
+  };
+  dontUnpack = true;
+  doInstallCheck = true;
+  installCheckInputs = [ shellcheck ];
+  postInstallCheck = ''
+    shellcheck ${bin}
+    ${bin} -h | grep ${version}
+
+    test_tmp=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
+    export HOME="$test_tmp/home"
+    export NIX_STORE_DIR="$test_tmp/nix/store"
+    export NIX_STATE_DIR="$test_tmp/nix/var"
+    mkdir -p "$HOME" "$NIX_STORE_DIR" "$NIX_STATE_DIR"
+    function cleanup {
+      rm -rf "$test_tmp"
+    }
+    trap "cleanup" 0 2 3 15
+
+    mkdir -p $HOME/.ssh
+    cp -r "${./example}" $HOME/secrets
+    chmod -R u+rw $HOME/secrets
+    (
+    umask u=rw,g=r,o=r
+    cp ${./example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub
+    chown $UID $HOME/.ssh/id_ed25519.pub
+    )
+    (
+    umask u=rw,g=,o=
+    cp ${./example_keys/user1} $HOME/.ssh/id_ed25519
+    chown $UID $HOME/.ssh/id_ed25519
+    )
+
+    cd $HOME/secrets
+    test $(${bin} -d secret1.age) = "hello"
+  '';
+
+  installPhase = ''
+    install -D $src ${bin}
+  '';
+
+  meta.description = "age-encrypted secrets for NixOS";
+}

pkgs/agenix/example/-leading-hyphen-filename.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 V3XmEA zirqdzZZ1E+sedBn7fbEHq4ntLEkokZ4GctarBBOHXY
+Rvs5YHaAUeCZyNwPedubPcHClWYIuXXWA5zadXPWY6w
+-> ssh-ed25519 KLPP8w BVp4rDkOYSQyn8oVeHFeinSqW+pdVtxBF9+5VM1yORY
+bMwppAi8Nhz0328taU4AzUkTVyWtSLvFZG6c5W/Fs78
+--- xCbqLhXAcOziO2wmbjTiSQfZvt5Rlsc4SCvF+iEzpQA
+<EFBFBD>KB<EFBFBD><EFBFBD>/<2F>Z<><5A>r<EFBFBD>%
<01><>4<EFBFBD><34><EFBFBD>Mq5<71><35>_<EFBFBD><5F>ݒ<><DD92><EFBFBD><EFBFBD><EFBFBD>11ܨqM;& <20><>Lr<4C><72><EFBFBD>f<EFBFBD><66><EFBFBD>]>N

pkgs/agenix/example/armored-secret.age

@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFYzWG1FQSBpZkZW
+aFpLNnJxc0VUMHRmZ2dZS0pjMGVENnR3OHd5K0RiT1RjRUhibFZBCnN5UG5vUjA3
+SXpsNGtiVUw4T0tIVFo5Wkk5QS9NQlBndzVvektiQ0ozc0kKLS0tIGxyY1Q4dEZ1
+VGZEanJyTFNta2JNRmpZb2FnK2JyS1hSVml1UGdMNWZKQXMKYla+wTXcRedyZoEb
+LVWaSx49WoUTU0KBPJg9RArxaeC23GoCDzR/aM/1DvYU
+-----END AGE ENCRYPTED FILE-----

pkgs/agenix/example/passwordfile-user1.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 KLPP8w s1DYZRlZuSsyhmZCF1lFB+E9vB8bZ/+ZhBRlx8nprwE
+nmYVCsVBrX2CFXXPU+D+bbkkIe/foofp+xoUrg9DHZw
+-> ssh-ed25519 V3XmEA Pwv3oCwcY0DX8rY48UNfsj9RumWsn4dbgorYHCwObgI
+FKxRYkL3JHtJxUwymWDF0rAtJ33BivDI6IfPsfumM90
+-> V'v(/u$-grease em/Vgf 2qDuk
+7I3iiQLPGi1COML9u/JeYkr7EqbSLoU
+--- 57WJRigUGtmcObrssS3s4PvmR8wgh1AOC/ijJn1s3xI
+<EFBFBD>'K<>ƷY&<26>7G<37>O<EFBFBD><4F>Fj
<13>k<EFBFBD>X<EFBFBD><58>BnuJ<75><4A>:9<>(<><7F><EFBFBD>X<EFBFBD>#<23>A<EFBFBD><41><EFBFBD><EFBFBD>ڧj<DAA7>,<02>_<17><><EFBFBD>?<3F>Z<EFBFBD><17>v<EFBFBD><76>V<EFBFBD>96]oks~%<25>c	<04>e^C<>%JQ5<51><H<>z}<7D>C<EFBFBD>,<2C>p<EFBFBD><70>*!W<><57><EFBFBD>A<EFBFBD><41><EFBFBD>҅dC<15>K)<10><>-<2D>y

pkgs/agenix/example/secret2.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 V3XmEA OB4+1FbPhQ3r6iGksM7peWX5it8NClpXIq/o5nnP7GA
+FmHVUj+A5i5+bDFgySQskmlvynnosJiWUTJmBRiNA9I
+--- tP+3mFVtd7ogVu1Lkboh55zoi5a77Ht08Uc/QuIviv4
+<EFBFBD><EFBFBD>X<EFBFBD>{<7B><>O<EFBFBD><4F><1F><04>tMXx<58>vӪ(<28>I<EFBFBD>myP<79><50><EFBFBD><EFBFBD>+3<>S3i

pkgs/agenix/example/secrets.nix

@@ -0,0 +1,23 @@
+let
+  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
+  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
+in
+{
+  "secret1.age".publicKeys = [
+    user1
+    system1
+  ];
+  "secret2.age".publicKeys = [ user1 ];
+  "passwordfile-user1.age".publicKeys = [
+    user1
+    system1
+  ];
+  "-leading-hyphen-filename.age".publicKeys = [
+    user1
+    system1
+  ];
+  "armored-secret.age" = {
+    publicKeys = [ user1 ];
+    armor = true;
+  };
+}

pkgs/agenix/example_keys/system1

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxAAAAJA3yvCWN8rw
+lgAAAAtzc2gtZWQyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxA
+AAAEA+J2V6AG1NriAIvnNKRauIEh1JE9HSdhvKJ68a5Fm0w/JDyIr/FSz1cJdcoW69R+Nr
+WzwGK/+3gJpqD1t8L2zEAAAADHJ5YW50bUBob21lMQE=
+-----END OPENSSH PRIVATE KEY-----

pkgs/agenix/example_keys/system1.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE

pkgs/agenix/example_keys/user1

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRwAAAJC2JJ8htiSf
+IQAAAAtzc2gtZWQyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRw
+AAAEDxt5gC/s53IxiKAjfZJVCCcFIsdeERdIgbYhLO719+Kb0idNvgGiucWgup/mP78zyC
+23uFjYq0evcWdjGQUaBHAAAADHJ5YW50bUBob21lMQE=
+-----END OPENSSH PRIVATE KEY-----

pkgs/agenix/example_keys/user1.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH

pkgs/agenix/update.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+
+# All operations are done relative to root
+GITROOT=$(git rev-parse --show-toplevel)
+cd "$GITROOT"
+
+REVISION=${1:-main}
+
+TMPCLONE=$(mktemp -d)
+trap "rm -rf ${TMPCLONE}" EXIT
+
+git clone https://github.com/ryantm/agenix.git --revision="$REVISION" "$TMPCLONE" --depth=1
+
+cp "${TMPCLONE}/pkgs/agenix.sh" pkgs/agenix/agenix.sh
+cp "${TMPCLONE}/pkgs/agenix.nix" pkgs/agenix/default.nix
+sed -i 's#../example#./example#' pkgs/agenix/default.nix
+
+cp "${TMPCLONE}/example/"* pkgs/agenix/example/
+cp "${TMPCLONE}/example_keys/"* pkgs/agenix/example_keys/
+
+cp "${TMPCLONE}/modules/age.nix" m/module/agenix.nix

pkgs/amd-uprof/default.nix

@@ -47,6 +47,7 @@ in
     inherit version;
     src = uprofSrc;
     dontStrip = true;
+    strictDeps = true;
     phases = [ "installPhase" "fixupPhase" ];
     nativeBuildInputs = [ autoPatchelfHook radare2 ];
     buildInputs = [
@@ -86,4 +87,13 @@ in
       patchelf --add-needed libnuma.so $out/bin/AMDuProfPcm
       set +x
     '';
+
+    meta = {
+      description = "Performance analysis tool-suite for x86 based applications";
+      homepage = "https://www.amd.com/es/developer/uprof.html";
+      platforms = [ "x86_64-linux" ];
+      license = lib.licenses.unfree;
+      maintainers = with lib.maintainers.bsc; [ rarias varcila ];
+    };
+
   }

pkgs/amd-uprof/driver.nix

@@ -18,8 +18,9 @@ in stdenv.mkDerivation {
     set +x
   '';
   hardeningDisable = [ "pic" "format" ];
+  strictDeps = true;
   nativeBuildInputs = kernel.moduleBuildDependencies;
-  patches = [ ./makefile.patch ./hrtimer.patch ];
+  patches = [ ./makefile.patch ./hrtimer.patch ./remove-wr-rdmsrq.patch ];
   makeFlags = [
     "KERNEL_VERSION=${kernel.modDirVersion}"
     "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
@@ -29,5 +30,7 @@ in stdenv.mkDerivation {
     description = "AMD Power Profiler Driver";
     homepage = "https://www.amd.com/es/developer/uprof.html";
     platforms = lib.platforms.linux;
+    license = lib.licenses.unfree;
+    maintainers = with lib.maintainers.bsc; [ rarias varcila ];
   };
 }

pkgs/amd-uprof/remove-wr-rdmsrq.patch

@@ -0,0 +1,20 @@
+diff --git a/inc/PwrProfAsm.h b/inc/PwrProfAsm.h
+index d77770a..c93a0e9 100644
+--- a/inc/PwrProfAsm.h
++++ b/inc/PwrProfAsm.h
+@@ -347,6 +347,7 @@
+ 
+ #endif
+ 
++/*
+ #define rdmsrq(msr,val1,val2,val3,val4) ({ \
+         __asm__ __volatile__( \
+                               "rdmsr\n" \
+@@ -362,6 +363,7 @@
+                               :"c"(msr), "a"(val1), "d"(val2), "S"(val3), "D"(val4) \
+                             ); \
+     })
++*/
+ 
+ #define rdmsrpw(msr,val1,val2,val3,val4) ({ \
+         __asm__ __volatile__( \

pkgs/bench6/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , bigotes
 , cmake
 , clangOmpss2
@@ -58,4 +59,13 @@ stdenv.mkDerivation rec {
   ];
   hardeningDisable = [ "all" ];
   dontStrip = true;
+  strictDeps = true;
+
+  meta = {
+    homepage = "https://gitlab.pm.bsc.es/rarias/bench6";
+    description = "Set of micro-benchmarks for OmpSs-2 and several mini-apps";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

pkgs/bigotes/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , fetchFromGitHub
 , cmake
 }:
@@ -14,4 +15,14 @@ stdenv.mkDerivation {
     sha256 = "sha256-ktxM3pXiL8YXSK+/IKWYadijhYXqGoLY6adLk36iigE=";
   };
   nativeBuildInputs = [ cmake ];
+
+  strictDeps = true;
+
+  meta = {
+    homepage = "https://github.com/rodarima/bigotes";
+    description = "Versatile benchmark tool";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

pkgs/cudainfo/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , cudatoolkit
 , cudaPackages
 , autoAddDriverRunpath
@@ -9,11 +10,14 @@
 stdenv.mkDerivation (finalAttrs: {
   name = "cudainfo";
   src = ./.;
-  buildInputs = [
+  strictDeps = true;
+  nativeBuildInputs = [
     cudatoolkit # Required for nvcc
-    cudaPackages.cuda_cudart.static # Required for -lcudart_static
     autoAddDriverRunpath
   ];
+  buildInputs = [
+    (lib.getOutput "static" cudaPackages.cuda_cudart) # Required for -lcudart_static
+  ];
   installPhase = ''
     mkdir -p $out/bin
     cp -a cudainfo $out/bin
@@ -22,6 +26,7 @@ stdenv.mkDerivation (finalAttrs: {
     name = "cudainfo-test";
     requiredSystemFeatures = [ "cuda" ];
     dontBuild = true;
+    strictDeps = true;
     nativeCheckInputs = [
       finalAttrs.finalPackage # The cudainfo package from above
       strace # When it fails, it will show the trace
@@ -40,4 +45,9 @@ stdenv.mkDerivation (finalAttrs: {
     '';
     installPhase = "touch $out";
   };
+
+  meta = {
+    platforms = [ "x86_64-linux" ];
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+  };
 })

pkgs/extrae/default.nix

@@ -20,6 +20,7 @@
 #, python3Packages
 , installShellFiles
 , symlinkJoin
+, enablePapi ? true
 }:
 
 let
@@ -87,7 +88,7 @@ stdenv.mkDerivation rec {
       --enable-sampling
       --with-unwind=${libunwind.dev}
       --with-xml-prefix=${libxml2.dev}
-      --with-papi=${papi}
+      ${lib.optionalString enablePapi "--with-papi=${papi}"}
       ${if (mpi != null) then ''--with-mpi=${mpi}''
         else ''--without-mpi''}
       --without-dyninst)
@@ -110,4 +111,13 @@ stdenv.mkDerivation rec {
 #    then [ "--enable-openmp" ]
 #    else []
 #  );
+
+  meta = {
+    homepage = "https://github.com/bsc-performance-tools/extrae";
+    description = "Instrumentation framework to generate execution traces of the most used parallel runtimes";
+    maintainers = [ ];
+    broken = true;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.lgpl21Plus;
+  };
 }

pkgs/gpi-2/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , fetchurl
 , symlinkJoin
 , slurm
@@ -8,7 +9,6 @@
 , automake
 , libtool
 , mpi
-, rsync
 , gfortran
 }:
 
@@ -33,6 +33,7 @@ stdenv.mkDerivation rec {
   };
 
   enableParallelBuilding = true;
+  strictDeps = true;
 
   patches = [ ./rdma-core.patch ./max-mem.patch ];
 
@@ -43,13 +44,33 @@ stdenv.mkDerivation rec {
 
   configureFlags = [
     "--with-infiniband=${rdma-core-all}"
-    "--with-mpi=${mpiAll}"
+    "--with-mpi=yes" # fixes mpi detection when cross-compiling
     "--with-slurm"
     "CFLAGS=-fPIC"
     "CXXFLAGS=-fPIC"
   ];
 
-  buildInputs = [ slurm mpiAll rdma-core-all autoconf automake libtool rsync gfortran ];
+  nativeBuildInputs = [
+    autoconf
+    automake
+    gfortran
+    libtool
+  ];
+
+  buildInputs = [
+    slurm
+    mpiAll
+    rdma-core-all
+  ];
 
   hardeningDisable = [ "all" ];
+
+  meta = {
+    homepage = "https://pm.bsc.es/gitlab/interoperability/extern/GPI-2";
+    description = "GPI-2 extended for supporting Task-Aware GASPI (TAGASPI) library";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+    cross = false; # infiniband detection does not work
+  };
 }

pkgs/intel-compiler/icc2020.nix

@@ -1,4 +1,5 @@
 { stdenv
+, lib
 , fetchurl
 , rpmextract
 , autoPatchelfHook
@@ -59,4 +60,12 @@ stdenv.mkDerivation rec {
       rm $out/lib/*.dbg
     popd
   '';
+
+  meta = {
+    homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
+    description = "Intel compiler";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.unfree;
+  };
 }

pkgs/intel-compiler/icc2021.nix

@@ -145,4 +145,12 @@ in
       popd
     '';
 
+    meta = {
+      homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
+      description = "Intel compiler";
+      maintainers = with lib.maintainers.bsc; [ rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.unfree;
+    };
+
   }

pkgs/intel-mpi/default.nix

@@ -1,4 +1,5 @@
 { stdenv
+, lib
 , rpmextract
 , gcc
 , zlib
@@ -101,4 +102,12 @@ stdenv.mkDerivation rec {
     patchelf --set-rpath "$out/lib:${rdma-core}/lib:${libpsm2}/lib" $out/lib/libfabric.so
     echo "Patched RPATH in libfabric.so to: $(patchelf --print-rpath $out/lib/libfabric.so)"
   '';
+
+  meta = {
+    homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
+    description = "Intel MPI";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.unfree;
+  };
 }

pkgs/intel-oneapi/2023.nix

@@ -10,7 +10,7 @@
 , zlib
 , autoPatchelfHook
 , libfabric
-, gcc13
+, gcc
 , wrapCCWith
 }:
 
@@ -26,7 +26,12 @@
 
 let
 
-  gcc = gcc13;
+  meta = {
+    description = "Intel oneapi hpckit package component";
+    homepage = "https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html";
+    license = lib.licenses.unfree;
+    maintainers = with lib.maintainers.bsc; [ abonerib ];
+  };
 
   v = {
     hpckit   = "2023.1.0";
@@ -87,6 +92,8 @@ let
         dpkg -x $src $out
       done
     '';
+
+    inherit meta;
   };
 
   joinDebs = name: names:
@@ -121,6 +128,7 @@ let
 
     phases = [ "installPhase" "fixupPhase" ];
     dontStrip = true;
+    strictDeps = true;
     installPhase = ''
       mkdir -p $out/{bin,etc,lib,include}
       mkdir -p $out/share/man
@@ -145,6 +153,8 @@ let
         sed -i "s:I_MPI_SUBSTITUTE_INSTALLDIR:$out:g" "$i"
       done
     '';
+
+    inherit meta;
   };
 
   intel-tbb = stdenv.mkDerivation rec {
@@ -170,6 +180,7 @@ let
     ];
     phases = [ "installPhase" "fixupPhase" ];
     dontStrip = true;
+    strictDeps = true;
 
     autoPatchelfIgnoreMissingDeps = [ "libhwloc.so.5" ];
 
@@ -183,6 +194,8 @@ let
         rsync -a lib/intel64/gcc4.8/ $out/lib/
       popd
     '';
+
+    inherit meta;
   };
 
   intel-compiler-shared = stdenv.mkDerivation rec {
@@ -211,6 +224,7 @@ let
     ];
     phases = [ "installPhase" "fixupPhase" ];
     dontStrip = true;
+    strictDeps = true;
 
     autoPatchelfIgnoreMissingDeps = [ "libsycl.so.6" ];
 
@@ -240,6 +254,8 @@ let
         popd
       popd
     '';
+
+    inherit meta;
   };
 
 
@@ -276,6 +292,7 @@ let
     phases = [ "installPhase" "fixupPhase" ];
 
     dontStrip = true;
+    strictDeps = true;
 
     installPhase = ''
       mkdir -p $out/{bin,lib,include}
@@ -305,6 +322,8 @@ let
         ln -s $out/lib $out/lib_lin
       popd
     '';
+
+    inherit meta;
   };
 
   intel-compiler = stdenv.mkDerivation rec {
@@ -362,6 +381,7 @@ let
     phases = [ "installPhase" "fixupPhase" ];
 
     dontStrip = true;
+    strictDeps = true;
 
     installPhase = ''
       mkdir -p $out/{bin,lib}
@@ -392,6 +412,8 @@ let
         rsync -a documentation/en/man/common/ $out/share/man/
       popd
     '';
+
+    inherit meta;
   };
 
   wrapIntel = { cc, mygcc, extraBuild ? "", extraInstall ? "" }:

pkgs/llvm-ompss2/clang.nix

@@ -1,9 +1,9 @@
 {
-  llvmPackages_latest
+  stdenv
+, llvmPackages_latest
 , lib
 , fetchFromGitHub
 , cmake
-, bash
 , python3
 , perl
 , which
@@ -11,24 +11,26 @@
 , libffi
 , zlib
 , pkg-config
-, gcc # needed to set the rpath of libstdc++ for clang-tblgen
 , enableDebug ? false
 , useGit ? false
 , gitUrl ? "ssh://git@bscpm04.bsc.es/llvm-ompss/llvm-mono.git"
 , gitBranch ? "master"
-, gitCommit ? "880e2341c56bad1dc14e8c369fb3356bec19018e"
+, gitCommit ? "872ba63f86edaefc9787984ef3fae9f2f94e0124" # github-release-2025.11
 }:
 
 let
-  stdenv = llvmPackages_latest.stdenv;
+  llvmPackages = llvmPackages_latest;
+  llvmStdenv = llvmPackages.stdenv;
+  # needed to set the rpath of libstdc++ for clang-tblgen
+  gcc = stdenv.cc;
 
   release = rec {
-    version = "2025.06";
+    version = "2025.11";
     src = fetchFromGitHub {
       owner = "bsc-pm";
       repo = "llvm";
       rev = "refs/tags/github-release-${version}";
-      hash = "sha256-ww9PpRmtz/M9IyLiZ8rAehx2UW4VpQt+svf4XfKBzKo=";
+      hash = "sha256-UgwMTUkM9Z87dDH205swZFBeFhrcbLAxginViG40pBM=";
     };
   };
 
@@ -43,11 +45,12 @@ let
 
   source = if (useGit) then git else release;
 
-in stdenv.mkDerivation {
+in llvmStdenv.mkDerivation {
   pname = "clang-ompss2";
   inherit (source) src version;
 
   enableParallelBuilding = true;
+  strictDeps = true;
 
   passthru = {
     CC = "clang";
@@ -60,13 +63,12 @@ in stdenv.mkDerivation {
   };
 
   nativeBuildInputs = [
-    bash
     cmake
     elfutils
-    llvmPackages_latest.lld
+    llvmPackages.lld
+    perl
     pkg-config
     python3
-    perl
     which
     zlib
   ];
@@ -97,8 +99,13 @@ in stdenv.mkDerivation {
     cd build
     cmakeDir="../llvm"
     cmakeFlagsArray=(
-      "-DLLVM_HOST_TRIPLE=${stdenv.targetPlatform.config}"
+      "-DLLVM_HOST_TRIPLE=${llvmStdenv.targetPlatform.config}"
+    '' + (if "${llvmStdenv.targetPlatform.config}" == "riscv64-unknown-linux-gnu" then ''
+      "-DLLVM_DEFAULT_TARGET_TRIPLE=riscv64-unknown-linux-gnu"
+      "-DLLVM_TARGETS_TO_BUILD=RISCV"
+    '' else ''
       "-DLLVM_TARGETS_TO_BUILD=host"
+    '') + ''
       "-DLLVM_BUILD_LLVM_DYLIB=ON"
       "-DLLVM_LINK_LLVM_DYLIB=ON"
       # Required to run clang-ast-dump and clang-tblgen during build
@@ -107,7 +114,8 @@ in stdenv.mkDerivation {
       "-DCMAKE_CXX_FLAGS_DEBUG=-g -ggnu-pubnames"
       "-DCMAKE_EXE_LINKER_FLAGS_DEBUG=-Wl,--gdb-index"
       "-DLLVM_LIT_ARGS=-sv --xunit-xml-output=xunit.xml"
-      "-DLLVM_ENABLE_PROJECTS=clang;compiler-rt;lld"
+      "-DLLVM_ENABLE_PROJECTS=clang;lld"
+      "-DLLVM_ENABLE_RUNTIMES=compiler-rt"
       "-DLLVM_ENABLE_ASSERTIONS=ON"
       "-DLLVM_INSTALL_TOOLCHAIN_ONLY=ON"
       "-DCMAKE_INSTALL_BINDIR=bin"
@@ -126,4 +134,12 @@ in stdenv.mkDerivation {
 # nanos6 installation, but this is would require a recompilation of clang each
 # time nanos6 is changed. Better to use the environment variable NANOS6_HOME,
 # and specify nanos6 at run time.
+
+  meta = {
+    homepage = "https://gitlab.pm.bsc.es/llvm-ompss/llvm-mono";
+    description = "C language family frontend for LLVM (for OmpSs-2)";
+    maintainers = with lib.maintainers.bsc; [ rpenacob ];
+    platforms = lib.platforms.linux;
+    license = [ lib.licenses.asl20 lib.licenses.llvm-exception ];
+  };
 }

pkgs/llvm-ompss2/default.nix

@@ -3,44 +3,61 @@
 , lib
 , gcc
 , clangOmpss2Unwrapped
-, openmp ? null
+
+, openmp
+, useOpenmp  ? false
+, openmpv
+, useOpenmpV ? false
+, nanos6
+, useNanos6 ? false
+, nodes
+, useNodes ? false
+
 , wrapCCWith
 , llvmPackages_latest
-, ompss2rt ? null
 }:
 
 with lib;
 
 let
-  usingNodesAndOmpv = (openmp.pname == "openmp-v" && ompss2rt.pname == "nodes");
-  sameNosv = openmp.nosv == ompss2rt.nosv;
+  getSplice = target: pkg: if pkg ? "__spliced" && pkg.__spliced ? target then pkg.__spliced."${target}" else pkg;
+  getSpliceTargetTarget = getSplice "targetTarget";
+  omp = if useOpenmp then openmp else if useOpenmpV then openmpv else null;
+  ompss2rtUnspliced = if useNanos6 then nanos6 else if useNodes then nodes else null;
+  ompss2rt = getSpliceTargetTarget ompss2rtUnspliced;
+  usingNodesAndOmpv = omp != null && ompss2rt != null && (omp.pname == "openmp-v" && ompss2rt.pname == "nodes");
+  sameNosvUnspliced = omp != null && ompss2rtUnspliced != null && omp.nosv == ompss2rtUnspliced.nosv;
+  sameNosvSpliced = (getSpliceTargetTarget omp.nosv) == ompss2rt.nosv;
 in
 
-assert assertMsg (usingNodesAndOmpv -> sameNosv) "OpenMP-V and NODES must share the same nOS-V";
+assert assertMsg (usingNodesAndOmpv -> sameNosvUnspliced) "OpenMP-V and NODES must share the same nOS-V before splice";
+assert assertMsg (usingNodesAndOmpv -> sameNosvSpliced) "OpenMP-V and NODES must share the same nOS-V after splice";
+assert assertMsg (useOpenmp -> !useOpenmpV) "Either OpenMP or OpenMP-V may be enabled, but not both";
+assert assertMsg (useNanos6 -> !useNodes) "Either Nanos6 or NODES may be enabled, but not both";
 
 let
   homevar = if ompss2rt.pname == "nanos6" then "NANOS6_HOME" else "NODES_HOME";
   rtname  = if ompss2rt.pname == "nanos6" then "libnanos6" else "libnodes";
-  ompname = if openmp.pname == "openmp-v" then  "libompv" else "libomp";
+  ompname = if omp.pname == "openmp-v" then  "libompv" else "libomp";
 
 
   # We need to replace the lld linker from bintools with our linker just built,
   # otherwise we run into incompatibility issues when mixing compiler and linker
   # versions.
-  bintools-unwrapped = llvmPackages_latest.tools.bintools-unwrapped.override {
+  bintools-unwrapped = llvmPackages_latest.bintools-unwrapped.override {
     lld = clangOmpss2Unwrapped;
   };
-  bintools = llvmPackages_latest.tools.bintools.override {
+  bintools = llvmPackages_latest.bintools.override {
     bintools = bintools-unwrapped;
   };
   targetConfig = stdenv.targetPlatform.config;
   inherit gcc;
   cc = clangOmpss2Unwrapped;
   gccVersion = with versions; let v = gcc.version; in concatStringsSep "." [(major v) (minor v) (patch v)];
-in wrapCCWith {
+in (wrapCCWith {
   inherit cc bintools;
   # extraPackages adds packages to depsTargetTargetPropagated
-  extraPackages = optional (openmp != null) openmp;
+  extraPackages = optional (omp != null) omp;
   extraBuildCommands = ''
     echo "-target ${targetConfig}" >> $out/nix-support/cc-cflags
     echo "-B${gcc.cc}/lib/gcc/${targetConfig}/${gccVersion}" >> $out/nix-support/cc-cflags
@@ -56,15 +73,15 @@ in wrapCCWith {
 
     echo "--gcc-toolchain=${gcc}" >> $out/nix-support/cc-cflags
 
-    wrap clang++  $wrapper $ccPath/clang++
+    wrap ${targetConfig}clang++  $wrapper $ccPath/clang++
+    wrap ${targetConfig}clang    $wrapper $ccPath/clang
 
-  '' + optionalString (openmp != null) ''
+  '' + optionalString (omp != null) ''
     echo "export OPENMP_RUNTIME=${ompname}" >> $out/nix-support/cc-wrapper-hook
   '' + optionalString (ompss2rt != null) ''
     echo "export OMPSS2_RUNTIME=${rtname}" >> $out/nix-support/cc-wrapper-hook
     echo "export ${homevar}=${ompss2rt}"   >> $out/nix-support/cc-wrapper-hook
   '' + optionalString (ompss2rt != null && ompss2rt.pname == "nodes") ''
-    echo "export NOSV_HOME=${ompss2rt.nosv}" >> $out/nix-support/cc-wrapper-hook
+    echo "export NOSV_HOME=${ompss2rt}" >> $out/nix-support/cc-wrapper-hook
   '';
-}
-
+}).overrideAttrs (prev: { passthru = (prev.passthru or {}) // { inherit ompss2rt; }; })

pkgs/llvm-ompss2/openmp.nix

@@ -39,7 +39,9 @@ stdenv.mkDerivation rec {
     perl
     pkg-config
     python3
-  ] ++ lib.optionals enableNosv [
+  ];
+
+  buildInputs = lib.optionals enableNosv [
     nosv
   ] ++ lib.optionals enableOvni [
     ovni
@@ -54,6 +56,7 @@ stdenv.mkDerivation rec {
   dontStrip = enableDebug;
 
   separateDebugInfo = true;
+  strictDeps = true;
 
   cmakeFlags = [
     "-DLIBOMP_OMPD_SUPPORT=OFF"
@@ -71,8 +74,38 @@ stdenv.mkDerivation rec {
     rm -f $out/libllvmrt/libomp.*
   '';
 
+  doInstallCheck = true;
+  # There are not cmake flags to force nOS-V, it enables it when found through
+  # pkg-config. If enableNosv is set, but we fail to find it at build time,
+  # the build will succeed but won't use nOS-V (libompv won't be created).
+  # This is a sanity check to ensure that after install we have the proper
+  # files.
+  installCheckPhase =
+    if enableNosv then
+      ''
+        test -f $out/lib/libompv.so
+        test -f $out/libllvmrt/libompv.so
+        test ! -f $out/lib/libomp.so
+        test ! -f $out/libllvmrt/libomp.so
+      ''
+    else
+      ''
+        test -f $out/lib/libomp.so
+        test -f $out/libllvmrt/libomp.so
+        test ! -f $out/lib/libompv.so
+        test ! -f $out/libllvmrt/libompv.so
+      '';
+
   passthru = {
     inherit nosv;
   };
+
+  meta = {
+    homepage = "https://gitlab.pm.bsc.es/llvm-ompss/llvm-mono";
+    description = "Support for the OpenMP language (with nOS-V)";
+    maintainers = with lib.maintainers.bsc; [ rpenacob ];
+    platforms = lib.platforms.linux;
+    license = [ lib.licenses.asl20 lib.licenses.llvm-exception ];
+  };
 }
 

pkgs/lmbench/default.nix

@@ -27,6 +27,7 @@ stdenv.mkDerivation rec {
   hardeningDisable = [ "all" ];
 
   enableParallelBuilding = false;
+  strictDeps = true;
 
   preBuild = ''
     makeFlagsArray+=(
@@ -35,13 +36,16 @@ stdenv.mkDerivation rec {
       CFLAGS=-Wno-implicit-int
       CPPFLAGS=-I${libtirpc.dev}/include/tirpc
       LDFLAGS=-ltirpc
+      CC=$CC
+      AR=$AR
     )
   '';
 
   meta = {
     description = "lmbench";
-    homepage = "http://www.bitmover.com/lmbench/";
-    maintainers = [ ];
+    homepage = "https://github.com/intel/lmbench";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
     platforms = lib.platforms.all;
+    license = lib.licenses.gpl2Plus;
   };
 }

pkgs/maintainers.nix

@@ -0,0 +1,7 @@
+builtins.mapAttrs (name: value: { email = name + "@bsc.es"; } // value) {
+  abonerib.name = "Aleix Boné";
+  arocanon.name = "Aleix Roca";
+  rarias.name = "Rodrigo Arias";
+  rpenacob.name = "Raúl Peñacoba";
+  varcila.name = "Vincent Arcila";
+}

pkgs/mcxx/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , fetchFromGitHub
 , autoreconfHook
 , nanos6
@@ -62,4 +63,13 @@ stdenv.mkDerivation rec {
 # Fails with "memory exhausted" with bison 3.7.1
 #    "--enable-bison-regeneration"
   ];
+
+  meta = {
+    broken = true;
+    homepage = "https://github.com/bsc-pm/mcxx";
+    description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
+    maintainers = with lib.maintainers.bsc; [ rpenacob ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

pkgs/mcxx/git.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , fetchFromGitHub
 , autoreconfHook
 , nanos6
@@ -57,4 +58,12 @@ stdenv.mkDerivation rec {
 # Fails with "memory exhausted" with bison 3.7.1
 #    "--enable-bison-regeneration"
   ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/mcxx";
+    description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
+    maintainers = with lib.maintainers.bsc; [ rpenacob ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

pkgs/mcxx/rarias.nix

@@ -1,4 +1,5 @@
 { stdenv
+, lib
 , fetchgit
 , autoreconfHook
 , nanos6
@@ -56,4 +57,12 @@ stdenv.mkDerivation rec {
   #preBuild = ''
   #  make generate_builtins_ia32 GXX_X86_BUILTINS=${gcc}/bin/g++
   #'';
+  #
+  meta = {
+    homepage = "https://github.com/bsc-pm/mcxx";
+    description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }

pkgs/meteocat-exporter/default.nix

@@ -1,12 +1,15 @@
 { python3Packages, lib }:
 
-python3Packages.buildPythonApplication rec {
+python3Packages.buildPythonApplication {
   pname = "meteocat-exporter";
   version = "1.0";
 
+  pyproject = true;
+
   src = ./.;
 
   doCheck = false;
+  strictDeps = true;
 
   build-system = with python3Packages; [
     setuptools

pkgs/mpich/default.nix

@@ -6,6 +6,13 @@
 , pmix
 , gfortran
 , symlinkJoin
+# Disabled when cross-compiling
+# To fix cross compilation, we should fill the values in:
+# https://github.com/pmodels/mpich/blob/main/maint/fcrosscompile/cross_values.txt.in
+# For each arch
+, enableFortran ? stdenv.hostPlatform == stdenv.buildPlatform
+, perl
+, targetPackages
 }:
 
 let
@@ -15,10 +22,13 @@ let
     paths = [ pmix.dev pmix.out ];
   };
 in mpich.overrideAttrs (old: {
-  buildInput = old.buildInputs ++ [
+  buildInputs = old.buildInputs ++ [
     libfabric
     pmixAll
   ];
+  nativeBuildInputs = old.nativeBuildInputs ++ [
+    perl
+  ];
   configureFlags = [
     "--enable-shared"
     "--enable-sharedlib"
@@ -31,6 +41,22 @@ in mpich.overrideAttrs (old: {
   ] ++ lib.optionals (lib.versionAtLeast gfortran.version "10") [
     "FFLAGS=-fallow-argument-mismatch" # https://github.com/pmodels/mpich/issues/4300
     "FCFLAGS=-fallow-argument-mismatch"
+  ] ++ lib.optionals (!enableFortran) [
+    "--disable-fortran"
   ];
+
+  preFixup = ''
+    sed -i 's:^CC=.*:CC=${targetPackages.stdenv.cc}/bin/${targetPackages.stdenv.cc.targetPrefix}cc:' $out/bin/mpicc
+    sed -i 's:^CXX=.*:CXX=${targetPackages.stdenv.cc}/bin/${targetPackages.stdenv.cc.targetPrefix}c++:' $out/bin/mpicxx
+  '' + lib.optionalString enableFortran ''
+    sed -i 's:^FC=.*:FC=${targetPackages.gfortran or gfortran}/bin/${targetPackages.gfortran.targetPrefix or gfortran.targetPrefix}gfortran:' $out/bin/mpifort
+  '';
+
   hardeningDisable = [ "all" ];
+  strictDeps = true;
+
+  meta = old.meta // {
+    maintainers = old.meta.maintainers ++ (with lib.maintainers.bsc; [ rarias ]);
+    cross = true;
+  };
 })

pkgs/nanos6/default.nix

@@ -16,6 +16,7 @@
 , jemallocNanos6 ? null
 , cachelineBytes ? 64
 , enableGlibcxxDebug ? false
+, enablePapi ? true
 , useGit ? false
 , gitUrl ? "ssh://git@bscpm04.bsc.es/nanos6/nanos6"
 , gitBranch ? "master"
@@ -47,6 +48,8 @@ let
   };
 
   source = if (useGit) then git else release;
+
+  isCross = stdenv.hostPlatform != stdenv.buildPlatform;
 in
   stdenv.mkDerivation (source // {
     pname = "nanos6";
@@ -71,9 +74,14 @@ in
       "--disable-all-instrumentations"
       "--enable-ovni-instrumentation"
       "--with-ovni=${ovni}"
+      "--with-boost=${boost.dev}"
     ] ++
       (optional enableJemalloc "--with-jemalloc=${jemallocNanos6}") ++
-      (optional enableGlibcxxDebug "CXXFLAGS=-D_GLIBCXX_DEBUG");
+      (optional enableGlibcxxDebug "CXXFLAGS=-D_GLIBCXX_DEBUG") ++
+      # Most nanos6 api symbols are resolved at runtime, so prefer
+      # ifunc by default
+      (optional isCross "--with-symbol-resolution=ifunc") ++
+      (optional enablePapi "--with-papi=${papi}");
 
     postConfigure = lib.optionalString (!enableDebug) ''
       # Disable debug
@@ -88,25 +96,21 @@ in
     dontStrip = enableDebug;
     separateDebugInfo = true;
 
+    strictDeps = true;
+
     nativeBuildInputs = [
       autoconf
       automake
       libtool
       pkg-config
-
-      # TODO: papi_version is needed for configure:
-      # ./configure: line 27378: papi_version: command not found
-      # This probably breaks cross-compilation
-      papi
     ];
 
     buildInputs = [
       boost
       numactl
       hwloc
-      papi
       ovni
-    ];
+    ] ++ lib.optionals enablePapi [ papi ];
 
     # Create a script that sets NANOS6_HOME
     postInstall = ''
@@ -114,11 +118,12 @@ in
       echo "export NANOS6_HOME=$out" >> $out/nix-support/setup-hook
     '';
 
-    meta = with lib; {
+    meta = {
       homepage = "https://github.com/bsc-pm/nanos6";
       description = "Nanos6 runtime for OmpSs-2" +
         optionalString (enableDebug) " (with debug symbols)";
-      platforms = platforms.linux;
-      license = licenses.gpl3;
+      maintainers = with lib.maintainers.bsc; [ rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.gpl3Plus;
     };
   })

pkgs/nanos6/jemalloc.nix

@@ -1,4 +1,4 @@
-{ jemalloc }:
+{ jemalloc, lib }:
 
 jemalloc.overrideAttrs (old: {
   configureFlags = old.configureFlags ++ [
@@ -8,5 +8,6 @@ jemalloc.overrideAttrs (old: {
   hardeningDisable = [ "all" ];
   meta = old.meta // {
     description = old.meta.description + " (for Nanos6)";
+    maintainers = (old.meta.maintainers or []) ++ (with lib.maintainers.bsc; [ rarias ]);
   };
 })

pkgs/nix-wrap/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , bashInteractive
 , busybox
 , nix
@@ -86,5 +87,14 @@ stdenv.mkDerivation rec {
     mkdir -p $out/share
     cp ${nix_conf} $out/share/nix.conf
   '';
+
+  meta = {
+    homepage = null;
+    description = "nix bubblewrap wrapper";
+    maintainers = [ ];
+    broken = true;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.mit;
+  };
 }
 

pkgs/nixgen/default.nix

@@ -0,0 +1,23 @@
+{
+  stdenv
+, lib
+}:
+
+stdenv.mkDerivation {
+  pname = "nixgen";
+  version = "0.0.1";
+  src = ./nixgen;
+  dontUnpack = true;
+  strictDeps = true;
+  phases = [ "installPhase" ];
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -a $src $out/bin/nixgen
+  '';
+  meta = {
+    description = "Quickly generate flake.nix from command line";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
+}

pkgs/nixgen/nixgen

@@ -0,0 +1,97 @@
+#!/bin/sh
+#
+# Copyright (c) 2025, Barcelona Supercomputing Center (BSC)
+# SPDX-License-Identifier: GPL-3.0+
+# Author: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
+
+function usage() {
+  echo "USAGE: nixgen [-f] [package [...]] [-b package [...]]" >&2
+  echo "  Generates a flake.nix file with the given packages." >&2
+  echo "  After flake.nix is created, use 'nix develop' to enter the shell." >&2
+  echo "OPTIONS" >&2
+  echo "  -f               Overwrite existing flake.nix (default: no)." >&2
+  echo "  packages...      Add these packages to the shell." >&2
+  echo "  -b packages...   Add the dependencies needed to build these packages." >&2
+  echo "EXAMPLE" >&2
+  echo "  $ nixgen ovni bigotes -b nosv tampi" >&2
+  echo "  Adds the packages ovni and bigotes as well as all required dependencies" >&2
+  echo "  to build nosv and tampi." >&2
+  echo "AUTHOR" >&2
+  echo "  Rodrigo Arias Mallo <rodrigo.arias@bsc.es>" >&2
+  exit 1
+}
+
+mode=package
+packages=
+inputsFrom=
+force=
+
+if [[ $# -eq 0 ]]; then
+  usage
+fi
+
+while [[ $# -gt 0 ]]; do
+    case $1 in -b)
+      mode=build
+      shift
+      ;;
+    -f)
+      force=1
+      shift
+      ;;
+    -h)
+      usage
+      ;;
+    -*|--*)
+      echo "error: unknown option $1" >&2
+      exit 1
+      ;;
+    *)
+      if [ "$mode" == "package" ]; then
+        packages+="${packages:+ }$1"
+      else
+        inputsFrom+="${inputsFrom:+ }$1"
+      fi
+      shift
+      ;;
+  esac
+done
+
+if [ ! "$force" -a -e flake.nix ]; then
+  echo "error: flake.nix exists, force overwrite with -f" >&2
+  exit 1
+fi
+
+cat > flake.nix <<EOF
+{
+  inputs.jungle.url = "git+https://jungle.bsc.es/git/rarias/jungle";
+  outputs = { self, jungle }:
+  let
+    nixpkgs = jungle.inputs.nixpkgs;
+    customOverlay = (final: prev: {
+      # Example overlay, for now empty
+    });
+    pkgs = import nixpkgs {
+      system = "x86_64-linux";
+      overlays = [
+        # Apply jungle overlay to get our BSC custom packages
+        jungle.outputs.bscOverlay
+        # And on top apply our local changes to customize for cluster
+        customOverlay
+      ];
+    };
+  in {
+    devShells.x86_64-linux.default = pkgs.mkShell {
+      pname = "devshell";
+      # Include these packages in the shell
+      packages = with pkgs; [
+        $packages
+      ];
+      # The dependencies needed to build these packages will be also included
+      inputsFrom = with pkgs; [
+        $inputsFrom
+      ];
+    };
+  };
+}
+EOF

pkgs/nixtools/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , glibc
 }:
 
@@ -15,4 +16,12 @@ stdenv.mkDerivation rec {
   makeFlags = [ "DESTDIR=$(out)" ];
   preBuild = "env";
   dontPatchShebangs = true;
+  strictDeps = true;
+
+  meta = {
+    homepage = "https://gitlab.pm.bsc.es/rarias/nixtools";
+    description = "nix bubblewrap wrapper";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+  };
 }

pkgs/nodes/default.nix

@@ -3,7 +3,6 @@
 , lib
 , fetchFromGitHub
 , pkg-config
-, perl
 , numactl
 , hwloc
 , boost
@@ -11,22 +10,23 @@
 , ovni
 , nosv
 , clangOmpss2
+, which
 , useGit ? false
 , gitUrl ? "ssh://git@gitlab-internal.bsc.es/nos-v/nodes.git"
 , gitBranch ? "master"
-, gitCommit ? "6002ec9ae6eb876d962cc34366952a3b26599ba6"
+, gitCommit ? "511489e71504a44381e0930562e7ac80ac69a848" # version-1.4
 }:
 
 with lib;
 
 let
   release = rec {
-    version = "1.3";
+    version = "1.4";
     src = fetchFromGitHub {
       owner = "bsc-pm";
       repo = "nodes";
       rev = "version-${version}";
-      hash = "sha256-cFb9pxcjtkMmH0CsGgUO9LTdXDNh7MCqicgGWawLrsU=";
+      hash = "sha256-+lR/R0l3fGZO3XG7whMorFW2y2YZ0ZFnLeOHyQYrAsQ=";
     };
   };
 
@@ -48,6 +48,7 @@ in
     enableParallelBuilding = true;
     dontStrip = true;
     separateDebugInfo = true;
+    strictDeps = true;
 
     configureFlags = [
       "--with-nosv=${nosv}"
@@ -59,6 +60,7 @@ in
     doCheck = false;
     nativeCheckInputs = [
       clangOmpss2
+      which
     ];
 
     # The "bindnow" flags are incompatible with ifunc resolution mechanism. We
@@ -81,4 +83,12 @@ in
     passthru = {
       inherit nosv;
     };
+
+    meta = {
+      homepage = "https://gitlab.bsc.es/nos-v/nodes";
+      description = "Runtime library designed to work on top of the nOS-V runtime";
+      maintainers = with lib.maintainers.bsc; [ abonerib rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.gpl3Plus;
+    };
   }

pkgs/nosv/default.nix

@@ -13,19 +13,19 @@
 , useGit ? false
 , gitUrl ? "git@gitlab-internal.bsc.es:nos-v/nos-v.git"
 , gitBranch ? "master"
-, gitCommit ? "9f47063873c3aa9d6a47482a82c5000a8c813dd8"
+, gitCommit ? "1108e4786b58e0feb9a16fa093010b763eb2f8e8" # version 4.0.0
 }:
 
 with lib;
 
 let
   release = rec {
-    version = "3.2.0";
+    version = "4.0.0";
     src = fetchFromGitHub {
       owner = "bsc-pm";
       repo = "nos-v";
       rev = "${version}";
-      hash = "sha256-yaz92426EM8trdkBJlISmAoG9KJCDTvoAW/HKrasvOw=";
+      hash = "sha256-llaq73bd/YxLVKNlMebnUHKa4z3sdcsuDUoVwUxNuw8=";
     };
   };
 
@@ -40,16 +40,17 @@ let
 
   source = if (useGit) then git else release;
 in
-  stdenv.mkDerivation rec {
+  stdenv.mkDerivation {
     pname = "nosv";
     inherit (source) src version;
     hardeningDisable = [ "all" ];
     dontStrip = true;
     separateDebugInfo = true;
+    strictDeps = true;
     configureFlags = [
       "--with-ovni=${ovni}"
       "CACHELINE_WIDTH=${toString cacheline}"
-    ];
+    ] ++ lib.optionals enablePapi [ "--with-papi=${papi}" ];
     nativeBuildInputs = [
       autoreconfHook
       pkg-config
@@ -59,4 +60,13 @@ in
       hwloc
       ovni
     ] ++ lib.optionals enablePapi [ papi ];
+    patches = [ ./fix-papi.patch ];
+
+    meta = {
+      homepage = "https://gitlab.bsc.es/nos-v/nos-v";
+      description = "Tasking library enables the co-execution of multiple applications with system-wide scheduling and a centralized management of resources";
+      maintainers = with lib.maintainers.bsc; [ abonerib rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.gpl3Plus;
+    };
   }

pkgs/nosv/fix-papi.patch

@@ -0,0 +1,136 @@
+Commit ID: c09633f172ce4075e0a05a33f6dcbe8e03e1202a
+Change ID: onmwypnnrysktutwsvotqovzponvwrxs
+Bookmarks: fix/papi fix/papi@git fix/papi@origin
+Author   : Aleix Boné <aleix.boneribo@bsc.es> (2025-12-10 11:14:14)
+Committer: Aleix Boné <aleix.boneribo@bsc.es> (2025-12-12 12:56:48)
+
+    Improve PAPI m4 module for cross compilation
+
+diff --git a/m4/papi.m4 b/m4/papi.m4
+index de90584870..8398f856f5 100644
+--- a/m4/papi.m4
++++ b/m4/papi.m4
+@@ -1,6 +1,6 @@
+ #	This file is part of Nanos6 and is licensed under the terms contained in the COPYING file.
+ #
+-#	Copyright (C) 2021-2022 Barcelona Supercomputing Center (BSC)
++#	Copyright (C) 2021-2025 Barcelona Supercomputing Center (BSC)
+ 
+ AC_DEFUN([AC_CHECK_PAPI],
+ 	[
+@@ -8,34 +8,38 @@
+ 			[papi],
+ 			[AS_HELP_STRING([--with-papi=prefix], [specify the installation prefix of PAPI])],
+ 			[ ac_cv_use_papi_prefix=$withval ],
+-			[ ac_cv_use_papi_prefix="" ]
++			[ ac_cv_use_papi_prefix="check" ]
+ 		)
+ 
+ 		if test x"${ac_cv_use_papi_prefix}" = x"no"; then
+ 			AC_MSG_CHECKING([the PAPI installation prefix])
+ 			AC_MSG_RESULT([${ac_cv_use_papi_prefix}])
+ 			ac_use_papi=no
+-		elif test x"${ac_cv_use_papi_prefix}" != x"" ; then
+-			AC_MSG_CHECKING([the PAPI installation prefix])
+-			AC_MSG_RESULT([${ac_cv_use_papi_prefix}])
+-			papi_LIBS="-L${ac_cv_use_papi_prefix}/lib -lpapi -Wl,-rpath,${ac_cv_use_papi_prefix}/lib"
+-			papi_CFLAGS="-I$ac_cv_use_papi_prefix/include"
+-			ac_use_papi=yes
+-		else
++		elif test x"${ac_cv_use_papi_prefix}" = x""; then
++			AC_MSG_RESULT([invalid prefix])
++			AC_MSG_ERROR([papi prefix specified but empty])
++		elif test x"${ac_cv_use_papi_prefix}" = x"yes" -o x"${ac_cv_use_papi_prefix}" = x"check"; then
+ 			PKG_CHECK_MODULES(
+ 				[papi],
+-				[papi],
++				[papi >= 5.6.0],
+ 				[
+ 					AC_MSG_CHECKING([the PAPI installation prefix])
+ 					AC_MSG_RESULT([retrieved from pkg-config])
+ 					papi_CFLAGS="${papi_CFLAGS}"
+ 					ac_use_papi=yes
++					ac_papi_version_correct=yes
+ 				], [
+ 					AC_MSG_CHECKING([the PAPI installation prefix])
+ 					AC_MSG_RESULT([not available])
+ 					ac_use_papi=no
+ 				]
+ 			)
++		else
++			AC_MSG_CHECKING([the PAPI installation prefix])
++			AC_MSG_RESULT([${ac_cv_use_papi_prefix}])
++			papi_LIBS="-L${ac_cv_use_papi_prefix}/lib -lpapi -Wl,-rpath,${ac_cv_use_papi_prefix}/lib"
++			papi_CFLAGS="-I$ac_cv_use_papi_prefix/include"
++			ac_use_papi=yes
+ 		fi
+ 
+ 		if test x"${ac_use_papi}" = x"yes" ; then
+@@ -53,10 +57,10 @@
+ 					ac_use_papi=yes
+ 				],
+ 				[
+-					if test x"${ac_cv_use_papi_prefix}" != x"" ; then
+-						AC_MSG_ERROR([PAPI cannot be found.])
++					if test x"${ac_cv_use_papi_prefix}" = x"yes" ; then
++						AC_MSG_ERROR([PAPI >= 5.6.0 cannot be found.])
+ 					else
+-						AC_MSG_WARN([PAPI cannot be found.])
++						AC_MSG_WARN([PAPI >= 5.6.0 not available.])
+ 					fi
+ 					ac_use_papi=no
+ 				]
+@@ -64,30 +68,38 @@
+ 
+ 			CFLAGS="${ac_save_CFLAGS}"
+ 			LIBS="${ac_save_LIBS}"
++		elif test x"${ac_cv_use_papi_prefix}" = x"yes" ; then
++			AC_MSG_ERROR([PAPI >= 5.6.0 cannot be found.])
+ 		fi
+ 
+-		if test x"${ac_use_papi}" = x"yes" ; then
+-			if test x"${ac_cv_use_papi_prefix}" != x"" ; then
++		if test x"${ac_use_papi}" = x"yes" -a x"${ac_papi_version_correct}" != x"yes" ; then
++			if test x"${ac_cv_use_papi_prefix}" != x"yes" -a x"${ac_cv_use_papi_prefix}" != x"check" ; then
+ 				papiBinary=${ac_cv_use_papi_prefix}/bin/papi_version
+ 			else
+ 				papiBinary=papi_version
+ 			fi
+-			papiVersion=`$papiBinary | sed 's/[[^0-9.]]*\([[0-9.]]*\).*/\1/'`
+ 
+-			AX_COMPARE_VERSION(
+-				[[${papiVersion}]],
+-				[[ge]],
+-				[[5.6.0]],
+-				[[ac_papi_version_correct=yes]],
+-				[[ac_papi_version_correct=no]]
+-			)
+ 
+-			if test x"${ac_papi_version_correct}" != x"yes" ; then
+-				AC_MSG_ERROR([PAPI version must be >= 5.6.0.])
+-				ac_use_papi=no
++			if test x"$cross_compiling" = x"yes" ; then
++				AC_MSG_WARN([Cross-compiling detected, skipping PAPI version check])
+ 			else
+-				AC_MSG_CHECKING([if the PAPI version >= 5.6.0.])
+-				AC_MSG_RESULT([${ac_papi_version_correct}])
++				papiVersion=`$papiBinary | sed 's/[[^0-9.]]*\([[0-9.]]*\).*/\1/'`
++
++				AX_COMPARE_VERSION(
++					[[${papiVersion}]],
++					[[ge]],
++					[[5.6.0]],
++					[[ac_papi_version_correct=yes]],
++					[[ac_papi_version_correct=no]]
++				)
++
++				if test x"${ac_papi_version_correct}" != x"yes" ; then
++					AC_MSG_ERROR([PAPI version must be >= 5.6.0.])
++					ac_use_papi=no
++				else
++					AC_MSG_CHECKING([if the PAPI version >= 5.6.0.])
++					AC_MSG_RESULT([${ac_papi_version_correct}])
++				fi
+ 			fi
+ 		fi
+ 

pkgs/osu/default.nix

@@ -24,6 +24,7 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
   enableParallelBuilding = true;
+  strictDeps = true;
   nativeBuildInputs = [ mpiAll ];
   buildInputs = [ mpiAll ];
   hardeningDisable = [ "all" ];
@@ -32,6 +33,11 @@ stdenv.mkDerivation rec {
       "CXX=mpicxx"
   ];
 
+  env = {
+    MPICH_CC="${stdenv.cc}/bin/${stdenv.cc.targetPrefix}cc";
+    MPICH_CXX="${stdenv.cc}/bin/${stdenv.cc.targetPrefix}c++";
+  };
+
   postInstall = ''
     mkdir -p $out/bin
     for f in $(find $out -executable -type f); do
@@ -44,5 +50,6 @@ stdenv.mkDerivation rec {
     homepage = "http://mvapich.cse.ohio-state.edu/benchmarks/";
     maintainers = [ ];
     platforms = lib.platforms.all;
+    cross = true;
   };
 }

pkgs/ovni/default.nix

@@ -7,7 +7,7 @@
 , useGit ? false
 , gitBranch ? "master"
 , gitUrl ? "ssh://git@bscpm04.bsc.es/rarias/ovni.git"
-, gitCommit ? "e4f62382076f0cf0b1d08175cf57cc0bc51abc61"
+, gitCommit ? "06432668f346c8bdc1006fabc23e94ccb81b0d8b" # version 1.13.0
 , enableDebug ? false
 # Only enable MPI if the build is native (fails on cross-compilation)
 , useMpi ? (stdenv.buildPlatform.canExecute stdenv.hostPlatform)
@@ -15,13 +15,13 @@
 
 let
   release = rec {
-    version = "1.12.0";
+    version = "1.13.0";
     src = fetchFromGitHub {
       owner = "bsc-pm";
       repo = "ovni";
       rev = "${version}";
-      hash = "sha256-H04JvsVKrdqr3ON7JhU0g17jjlg/jzQ7eTfx9vUNd3E=";
-    } // { shortRev = "a73afcf"; };
+      hash = "sha256-0l2ryIyWNiZqeYdVlnj/WnQGS3xFCY4ICG8JedX424w=";
+    } // { shortRev = "0643266"; };
   };
 
   git = rec {
@@ -40,6 +40,7 @@ in
     inherit (source) src version;
     dontStrip = true;
     separateDebugInfo = true;
+    strictDeps = true;
     postPatch = ''
       patchShebangs --build test/
     '';
@@ -55,4 +56,13 @@ in
     doCheck = true;
     checkTarget = "test";
     hardeningDisable = [ "all" ];
+
+    meta = {
+      homepage = "https://ovni.readthedocs.io";
+      description = "Obtuse but Versatile Nanoscale Instrumentation";
+      maintainers = with lib.maintainers.bsc; [ rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.gpl3Plus;
+      cross = true;
+    };
   }

pkgs/papi/default.nix

@@ -0,0 +1,22 @@
+{
+  stdenv,
+  papi,
+}:
+
+if stdenv.hostPlatform == stdenv.buildPlatform then
+  papi
+else
+  papi.overrideAttrs (old: {
+    configureFlags = (old.configureFlags or [ ]) ++ [
+      "--enable-perf_event_uncore=no"
+      "--with-sysdetect=no"
+      "--with-ffsll"
+      "--with-tls=__thread"
+      "--with-virtualtimer=clock_thread_cputime_id"
+      "--with-walltimer=clock_realtime"
+      "--with-perf-events"
+      "--with-CPU=${stdenv.hostPlatform.uname.processor}"
+      "--with-arch=${stdenv.hostPlatform.uname.processor}"
+    ];
+    patches = (old.patches or [ ]) ++ [ ./fix-ar-cross.patch ];
+  })

pkgs/papi/fix-ar-cross.patch

@@ -0,0 +1,19 @@
+diff --git a/sde_lib/Makefile b/sde_lib/Makefile
+index 8518f92..90a9953 100644
+--- a/sde_lib/Makefile
++++ b/sde_lib/Makefile
+@@ -1,4 +1,5 @@
+ CC ?= gcc
++AR ?= ar
+ SDE_INC = -I. -I..
+ SDE_LD = -ldl -pthread
+ CFLAGS += -Wextra -Wall -O2
+@@ -18,7 +19,7 @@ dynamic: $(DOBJS)
+ 	rm -f *_d.o
+ 
+ static: $(SOBJS)
+-	ar rs libsde.a $(SOBJS)
++	$(AR) rs libsde.a $(SOBJS)
+ 	rm -f *_s.o
+ 
+ clean:

pkgs/paraver/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , fetchFromGitHub
 , autoreconfHook
 , boost
@@ -11,7 +12,7 @@
 , paraverKernel
 , openssl
 , glibcLocales
-, wrapGAppsHook
+, wrapGAppsHook3
 }:
 
 let
@@ -46,6 +47,7 @@ stdenv.mkDerivation rec {
 
   dontStrip = true;
   enableParallelBuilding = true;
+  strictDeps = true;
 
   preConfigure = ''
     export CFLAGS="-O3"
@@ -63,7 +65,7 @@ stdenv.mkDerivation rec {
     autoconf
     automake
     autoreconfHook
-    wrapGAppsHook
+    wrapGAppsHook3
   ];
 
   buildInputs = [
@@ -88,4 +90,18 @@ stdenv.mkDerivation rec {
     mkdir -p $out/share/man
     mv $out/share/doc/wxparaver_help_contents/man $out/share/man/man1
   '';
+
+  meta = {
+    homepage = "https://tools.bsc.es/paraver";
+    downloadPage = "https://github.com/bsc-performance-tools/wxparaver";
+    description = "Performance analyzer based on event traces";
+    longDescription = ''
+      Trace-based visualization and analysis tool designed to study quantitative
+      detailed metrics and obtain qualitative knowledge of the performance of
+      applications, libraries, processors and whole architectures
+    '';
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.lgpl21Plus;
+  };
 }

pkgs/paraver/kernel.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , fetchFromGitHub
 , autoreconfHook
 , boost
@@ -33,6 +34,7 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   dontStrip = true;
+  strictDeps = true;
 
   preConfigure = ''
     export CFLAGS="-O3 -DPARALLEL_ENABLED"
@@ -57,4 +59,13 @@ stdenv.mkDerivation rec {
     xml2
     zlib
   ];
+
+  meta = {
+    homepage = "https://tools.bsc.es/paraver";
+    downloadPage = "https://github.com/bsc-performance-tools/paraver-kernel";
+    description = "Kernel library used by wxparaver";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.lgpl21Plus;
+  };
 }

pkgs/slurm-exporter/default.nix

@@ -13,6 +13,7 @@ buildGoModule rec {
 
   vendorHash = "sha256-A1dd9T9SIEHDCiVT2UwV6T02BSLh9ej6LC/2l54hgwI=";
   doCheck = false;
+  strictDeps = true;
 
   meta = with lib; {
     description = "Prometheus SLURM Exporter";

pkgs/sonar/default.nix

@@ -1,5 +1,6 @@
 {
   stdenv
+, lib
 , autoreconfHook
 , fetchFromGitHub
 , ovni
@@ -17,6 +18,7 @@ stdenv.mkDerivation rec {
   };
   hardeningDisable = [ "all" ];
   dontStrip = true;
+  strictDeps = true;
   configureFlags = [ "--with-ovni=${ovni}" ];
 
   nativeBuildInputs = [
@@ -27,4 +29,13 @@ stdenv.mkDerivation rec {
     ovni
     mpi
   ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/sonar";
+    description = "Set of runtime libraries which instrument parallel programming models through the ovni instrumentation library";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.mit;
+    cross = true;
+  };
 }

pkgs/tagaspi/default.nix

@@ -1,30 +1,23 @@
 {
   stdenv
+, lib
 , fetchFromGitHub
 , automake
 , autoconf
 , libtool
-, mpi
 , autoreconfHook
 , gpi-2
 , boost
 , numactl
 , rdma-core
 , gfortran
-, symlinkJoin
 }:
 
-let
-  mpiAll = symlinkJoin {
-    name = "mpi-all";
-    paths = [ mpi.all ];
-  };
-in
-
 stdenv.mkDerivation rec {
   pname = "tagaspi";
   enableParallelBuilding = true;
   separateDebugInfo = true;
+  strictDeps = true;
 
   version = "2.0";
   src = fetchFromGitHub {
@@ -34,16 +27,18 @@ stdenv.mkDerivation rec {
     hash = "sha256-RGG/Re2uM293HduZfGzKUWioDtwnSYYdfeG9pVrX9EM=";
   };
 
-  buildInputs = [
+  nativeBuildInputs = [
     autoreconfHook
     automake
     autoconf
     libtool
+    gfortran
+  ];
+
+  buildInputs = [
     boost
     numactl
     rdma-core
-    gfortran
-    mpiAll
   ];
 
   dontDisableStatic = true;
@@ -55,4 +50,13 @@ stdenv.mkDerivation rec {
   ];
 
   hardeningDisable = [ "all" ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/tagaspi";
+    description = "Task-Aware GASPI";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+    cross = false; # gpi-2 cannot cross
+  };
 }

pkgs/tampi/default.nix

@@ -45,6 +45,7 @@ in stdenv.mkDerivation {
   inherit (source) src version;
   enableParallelBuilding = true;
   separateDebugInfo = true;
+  strictDeps = true;
 
   nativeBuildInputs = [
     autoconf
@@ -61,4 +62,13 @@ in stdenv.mkDerivation {
   configureFlags = optional (enableOvni) "--with-ovni=${ovni}";
   dontDisableStatic = true;
   hardeningDisable = [ "all" ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/tampi";
+    description = "Task-Aware MPI";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+    cross = true;
+  };
 }

pkgs/upc-qaire-exporter/default.nix

@@ -1,12 +1,15 @@
 { python3Packages, lib }:
 
-python3Packages.buildPythonApplication rec {
+python3Packages.buildPythonApplication {
   pname = "upc-qaire-exporter";
   version = "1.0";
 
+  pyproject = true;
+
   src = ./.;
 
   doCheck = false;
+  strictDeps = true;
 
   build-system = with python3Packages; [
     setuptools

test/bugs/hwloc.nix

@@ -6,6 +6,7 @@
 
 stdenv.mkDerivation {
   name = "hwloc-test";
+  requiredSystemFeatures = [ "sys-devices" ];
 
   src = ./.;
 
@@ -14,7 +15,7 @@ stdenv.mkDerivation {
   buildPhase = ''
     ls -l /sys
     gcc -lhwloc hwloc.c -o hwloc
-    strace ./hwloc
+    strace ./hwloc > $out
   '';
 
 }

test/compilers/clang-openmp-ld.nix

@@ -23,10 +23,6 @@ in stdenv.mkDerivation {
   dontUnpack = true;
   dontConfigure = true;
 
-  # nOS-V requires access to /sys/devices to request NUMA information. It will
-  # fail to run otherwise, so we disable the sandbox for this test.
-  __noChroot = true;
-
   buildInputs = [ openmp ];
 
   buildPhase = ''

test/compilers/clang-openmp-nosv.nix

@@ -36,9 +36,8 @@ in stdenv.mkDerivation {
   dontUnpack = true;
   dontConfigure = true;
 
-  # nOS-V requires access to /sys/devices to request NUMA information. It will
-  # fail to run otherwise, so we disable the sandbox for this test.
-  __noChroot = true;
+  # nOS-V requires access to /sys/devices to request NUMA information
+  requiredSystemFeatures = [ "sys-devices" ];
 
   buildInputs = [ nosv ];
 

test/compilers/clang-openmp.nix

@@ -24,9 +24,8 @@ in stdenv.mkDerivation {
   dontUnpack = true;
   dontConfigure = true;
 
-  # nOS-V requires access to /sys/devices to request NUMA information. It will
-  # fail to run otherwise, so we disable the sandbox for this test.
-  __noChroot = true;
+  # nOS-V requires access to /sys/devices to request NUMA information
+  requiredSystemFeatures = [ "sys-devices" ];
 
   buildPhase = ''
     set -x

test/compilers/ompss2.nix

@@ -25,9 +25,10 @@ stdenv.mkDerivation rec {
   hardeningDisable = [ "all" ];
   #NIX_DEBUG = 1;
   buildInputs = [ ]; #strace gdb;
-  # NODES requires access to /sys/devices to request NUMA information. It will
-  # fail to run otherwise, so we disable the sandbox for this test.
-  __noChroot = true;
+
+  # NODES requires access to /sys/devices to request NUMA information
+  requiredSystemFeatures = [ "sys-devices" ];
+
   buildPhase = ''
     set -x
     #$CC -v