Add nix cache documentation section

Include usage from NixOS and non-NixOS hosts and a test with curl to ensure it can be reached.
Use hut nix cache in owl1, owl2 and raccoon
2025-04-11 11:59:08 +02:00 · 2025-04-11 11:57:59 +02:00 · 2025-04-11 11:10:57 +02:00 · 2025-04-11 11:10:57 +02:00
6 changed files with 15 additions and 5 deletions
--- a/m/common/xeon/net.nix
+++ b/m/common/xeon/net.nix
@ -11,7 +11,7 @@

    proxy = {
      default = "http://hut:23080/";
-      noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40";
+      noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40,hut";
      # Don't set all_proxy as go complains and breaks the gitlab runner, see:
      # https://github.com/golang/go/issues/16715
      allProxy = null;
--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@ -56,6 +56,11 @@
        iptables -A nixos-fw -p tcp -s 10.0.40.30 --dport 23080 -j nixos-fw-log-refuse
        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 23080 -j nixos-fw-accept
      '';
+      # Flush all rules and chains on stop so it won't break on start
+      extraStopCommands = ''
+        iptables -F
+        iptables -X
+      '';
    };
  };

--- a/m/hut/nginx.nix
+++ b/m/hut/nginx.nix
@ -17,13 +17,14 @@ let
  };
 in
 {
+  networking.firewall.allowedTCPPorts = [ 80 ];
  services.nginx = {
    enable = true;
    virtualHosts."jungle.bsc.es" = {
      root = "${website}";
      listen = [
        {
-          addr = "127.0.0.1";
+          addr = "0.0.0.0";
          port = 80;
        }
      ];
--- a/m/module/hut-substituter.nix
+++ b/m/module/hut-substituter.nix
@ -4,7 +4,7 @@
    # Don't add hut as a cache to itself
    assert config.networking.hostName != "hut";
    {
-      substituters = [ "https://jungle.bsc.es/cache" ];
+      substituters = [ "http://hut/cache" ];
      trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
    };
 }
--- a/m/raccoon/configuration.nix
+++ b/m/raccoon/configuration.nix
@ -3,7 +3,6 @@
 {
  imports = [
    ../common/base.nix
-    ../module/hut-substituter.nix
  ];

  # Don't install Grub on the disk yet
@ -26,6 +25,11 @@
    } ];
  };

+  nix.settings = {
+    substituters = [ "https://jungle.bsc.es/cache" ];
+    trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+  };
+
  # Configure Nvidia driver to use with CUDA
  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production;
  hardware.graphics.enable = true;
--- a/web/content/hut/_index.md
+++ b/web/content/hut/_index.md
@ -57,7 +57,7 @@ Note: you'll have to be a trusted user.

 ### Nix configuration file (non-nixos)

-If using nix outside of NixOS, you'll have to update `nix.conf`
+If using nix outside of NixOS, you'll have to update `/etc/nix/nix.conf`

 ```
 # echo "substituters = https://jungle.bsc.es/cache" >> /etc/nix/nix.conf
Author	SHA1	Message	Date
Aleix Boné	fc2367f909	Add nix cache documentation section Include usage from NixOS and non-NixOS hosts and a test with curl to ensure it can be reached.	2025-04-11 11:59:08 +02:00
Aleix Boné	6d62bbacba	Use hut nix cache in owl1, owl2 and raccoon For owl1 and owl2 directly connect to hut via LAN with HTTP, but for raccoon pass via the proxy using jungle.bsc.es with HTTPS. There is no risk of tampering as packages are signed.	2025-04-11 11:57:59 +02:00
Rodrigo Arias Mallo	64208d9568	Clean all iptables rules on stop Prevents the "iptables: Chain already exists." error by making sure that we don't leave any chain on start. The ideal solution is to use iptables-restore instead, which will do the right job. But this needs to be changed in NixOS entirely.	2025-04-11 11:10:57 +02:00
Rodrigo Arias Mallo	3619f09c78	Make nginx listen on all interfaces Needed for local hosts to contact the nix cache via HTTP directly. We also allow the incoming traffic on port 80.	2025-04-11 11:10:57 +02:00