Use fetchurl for amd-uprof

Enable parallelBuilding in jemalloc
Make bsc users trusted in nix-portable
2026-03-09 12:32:05 +01:00 · 2026-03-09 12:32:04 +01:00 · 2026-03-09 12:32:04 +01:00 · 2026-03-09 12:32:04 +01:00 · 2026-03-09 12:32:04 +01:00 · 2026-03-09 12:32:04 +01:00
33 changed files with 782 additions and 243 deletions
--- a/keys.nix
+++ b/keys.nix
@@ -22,9 +22,8 @@ rec {
    storage    = [ bay lake2 ];
    monitor    = [ hut ];
    login      = [ apex ];
-    services   = [ tent ];

-    system     = storage ++ monitor ++ login ++ services;
+    system     = storage ++ monitor ++ login;
    safe       = system ++ compute;
    all        = safe ++ playground;
  };
--- a/m/apex/nfs.nix
+++ b/m/apex/nfs.nix
@@ -7,7 +7,7 @@
    mountdPort = 4002;
    statdPort = 4000;
    exports = ''
-      /home 10.0.40.0/21(rw,async,no_subtree_check,no_root_squash)
+      /home 10.0.40.0/24(rw,async,no_subtree_check,no_root_squash)
      /home 10.106.0.0/24(rw,async,no_subtree_check,no_root_squash)
    '';
  };
@@ -15,19 +15,19 @@
    # Check with `rpcinfo -p`
    extraCommands = ''
      # Accept NFS traffic from compute nodes but not from the outside
-      iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 111   -j nixos-fw-accept
-      iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 2049  -j nixos-fw-accept
-      iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 4000  -j nixos-fw-accept
-      iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 4001  -j nixos-fw-accept
-      iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 4002  -j nixos-fw-accept
-      iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 20048 -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 111   -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 2049  -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4000  -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4001  -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4002  -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
      # Same but UDP
-      iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 111   -j nixos-fw-accept
-      iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 2049  -j nixos-fw-accept
-      iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 4000  -j nixos-fw-accept
-      iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 4001  -j nixos-fw-accept
-      iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 4002  -j nixos-fw-accept
-      iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 20048 -j nixos-fw-accept
+      iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 111   -j nixos-fw-accept
+      iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 2049  -j nixos-fw-accept
+      iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4000  -j nixos-fw-accept
+      iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4001  -j nixos-fw-accept
+      iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4002  -j nixos-fw-accept
+      iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept

      # Accept NFS traffic from wg0
      iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 111   -j nixos-fw-accept
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@@ -35,7 +35,7 @@
        # Accept monitoring requests from hut
        iptables -A nixos-fw -p tcp -s hut -m multiport --dport 9283,9002 -j nixos-fw-accept
        # Accept all Ceph traffic from the local network
-        iptables -A nixos-fw -p tcp -s 10.0.40.0/21 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
+        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
      '';
    };
  };
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -51,7 +51,6 @@
          "/nix/store:/nix/store:ro"
          "/nix/var/nix/db:/nix/var/nix/db:ro"
          "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
-          "/var/run/postgresql/:/var/run/postgresql/"
        ];
        dockerExtraHosts = [
          # Required to pass the proxy via hut
--- a/m/hut/postgresql.nix
+++ b/m/hut/postgresql.nix
@@ -8,14 +8,12 @@
      { name = "anavarro"; ensureClauses.superuser = true; }
      { name = "rarias";   ensureClauses.superuser = true; }
      { name = "grafana"; }
-      { name = "gitlab-runner"; }
    ];
    authentication = ''
-      #type  database     DBuser         auth-method
-      local  perftestsdb  rarias         trust
-      local  perftestsdb  anavarro       trust
-      local  perftestsdb  grafana        trust
-      local  perftestsdb  gitlab-runner  trust
+      #type  database     DBuser    auth-method
+      local  perftestsdb  rarias    trust
+      local  perftestsdb  anavarro  trust
+      local  perftestsdb  grafana   trust
    '';
  };
 }
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@@ -57,7 +57,7 @@
        # Accept monitoring requests from hut
        iptables -A nixos-fw -p tcp -s hut --dport 9002 -j nixos-fw-accept
        # Accept all Ceph traffic from the local network
-        iptables -A nixos-fw -p tcp -s 10.0.40.0/21 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
+        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
      '';
    };
  };
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -11,14 +11,12 @@
    ./nix-serve.nix
    ./gitlab-runner.nix
    ./gitea.nix
-    ./nextcloud.nix
    ../hut/public-inbox.nix
    ../hut/msmtp.nix
    ../module/p.nix
    ../module/vpn-dac.nix
    ../module/hut-substituter.nix
    ../module/tc1-board.nix
-    ../module/ceph.nix
  ];

  # Select the this using the ID to avoid mismatches
@@ -66,13 +64,6 @@
    fsType = "ext4";
  };

-  # Mount the NFS home
-  fileSystems."/nfs/home" = {
-    device = "10.106.0.30:/home";
-    fsType = "nfs";
-    options = [ "nfsvers=3" "rsize=1024" "wsize=1024" "cto" "nofail" ];
-  };
-
  # Make a /vault/$USER directory for each user.
  systemd.services.create-vault-dirs = let
    # Take only normal users in tent
--- a/m/tent/gitea.nix
+++ b/m/tent/gitea.nix
@@ -1,7 +1,4 @@
 { config, lib, ... }:
-let
-  cfg = config.services.gitea;
-in
 {
  services.gitea = {
    enable = true;
@@ -29,52 +26,6 @@ in
        SENDMAIL_ARGS = "--";
      };
    };
-
-    dump = {
-      enable = false; # Do not enable NixOS module, use our custom systemd script below
-      backupDir = "/vault/backup/gitea";
-    };
-  };
-
-  systemd.services.gitea-backup = let
-    exe = lib.getExe cfg.package;
-  in {
-    description = "Gitea daily backup";
-    after = [ "gitea.service" ];
-    path = [ cfg.package ];
-
-    environment = {
-      USER = cfg.user;
-      HOME = cfg.stateDir;
-      GITEA_WORK_DIR = cfg.stateDir;
-      GITEA_CUSTOM = cfg.customDir;
-    };
-
-    serviceConfig = {
-      Type = "oneshot";
-      User = cfg.user;
-      WorkingDirectory = cfg.dump.backupDir;
-    };
-
-    script = ''
-      name="gitea-dump-$(date +%a).${cfg.dump.type}"
-      ${exe} dump --type ${cfg.dump.type} --file - >"$name.tmp"
-      mv "$name.tmp" "$name"
-      cp "$name" "/ceph/backup/gitea/$name"
-    '';
-  };
-
-  # Create also the /ceph directories if needed
-  systemd.tmpfiles.rules = [
-    "d /ceph/backup/gitea/ 0750 ${cfg.user} ${cfg.group} - -"
-    "z /ceph/backup/gitea/ 0750 ${cfg.user} ${cfg.group} - -"
-  ];
-
-  systemd.timers.gitea-backup = {
-    description = "Update timer for gitea-backup";
-    partOf = [ "gitea-backup.service" ];
-    wantedBy = [ "timers.target" ];
-    timerConfig.OnCalendar = cfg.dump.interval;
  };

  # Allow gitea user to send mail
--- a/m/tent/nextcloud.nix
+++ b/m/tent/nextcloud.nix
@@ -1,71 +0,0 @@
-{ pkgs, config, ... }:
-{
-  age.secrets.tent-nextcloud-admin-pass.file = ../../secrets/tent-nextcloud-admin-pass.age;
-
-  services.nextcloud = {
-    package = pkgs.nextcloud32;
-    enable = true;
-    hostName = "localhost";
-    config.adminpassFile = config.age.secrets.tent-nextcloud-admin-pass.path;
-    config.dbtype = "sqlite";
-    extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps)
-        news
-        contacts
-        calendar
-        tasks;
-        # The app richdocuments (i.e. office) is not enabled yet as there are
-        # problems with the WOPI protocol in a subdir.
-    };
-    extraAppsEnable = true;
-    settings = let
-      prot = "https";
-      host = "jungle.bsc.es";
-      dir = "/nextcloud";
-    in {
-      overwriteprotocol = prot;
-      overwritehost = host;
-      overwritewebroot = dir;
-      overwrite.cli.url = "${prot}://${host}${dir}/";
-      htaccess.RewriteBase = dir;
-    };
-  };
-
-  services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ {
-    addr = "127.0.0.1";
-    port = 8066; # NOT an exposed port
-  } ];
-
-  services.nginx.virtualHosts."jungle.bsc.es".locations = {
-    "^~ /.well-known" = {
-      priority = 9000;
-      extraConfig = ''
-              absolute_redirect off;
-              location ~ ^/\\.well-known/(?:carddav|caldav)$ {
-                return 301 /nextcloud/remote.php/dav;
-              }
-              location ~ ^/\\.well-known/host-meta(?:\\.json)?$ {
-                return 301 /nextcloud/public.php?service=host-meta-json;
-              }
-              location ~ ^/\\.well-known/(?!acme-challenge|pki-validation) {
-                return 301 /nextcloud/index.php$request_uri;
-              }
-              try_files $uri $uri/ =404;
-      '';
-    };
-
-    "/nextcloud/" = {
-      priority = 9999;
-      extraConfig = ''
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-NginX-Proxy true;
-          proxy_set_header X-Forwarded-Proto http;
-          proxy_pass http://127.0.0.1:8066/; # tailing / is important!
-          proxy_set_header Host $host;
-          proxy_cache_bypass $http_upgrade;
-          proxy_redirect off;
-      '';
-    };
-  };
-}
--- a/overlay.nix
+++ b/overlay.nix
@@ -39,9 +39,16 @@ let
    nanos6Debug = final.nanos6.override { enableDebug = true; };
    nixtools = callPackage ./pkgs/nixtools/default.nix { };
    nixgen = callPackage ./pkgs/nixgen/default.nix { };
-    # Broken because of pkgsStatic.libcap
-    # See: https://github.com/NixOS/nixpkgs/pull/268791
-    #nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
+    nix-portable = callPackage ./pkgs/nix-portable/default.nix {
+      busybox = final.pkgsStatic.busybox;
+      bwrap = final.pkgsStatic.bubblewrap;
+      gnutar = final.pkgsStatic.gnutar;
+      perl = final.pkgsBuildBuild.perl;
+      xz = final.pkgsStatic.xz;
+      zstd = final.pkgsStatic.zstd;
+      bashInteractive = final.pkgsStatic.bashInteractive;
+    };
+    nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
    nodes = callPackage ./pkgs/nodes/default.nix { };
    nosv = callPackage ./pkgs/nosv/default.nix { };
    openmp = callPackage ./pkgs/llvm-ompss2/openmp.nix { monorepoSrc = final.clangOmpss2Unwrapped.src; version = final.clangOmpss2Unwrapped.version; };
--- a/pkgs/amd-uprof/default.nix
+++ b/pkgs/amd-uprof/default.nix
@@ -1,8 +1,6 @@
 { stdenv
 , lib
-, curl
-, cacert
-, runCommandLocal
+, fetchurl
 , autoPatchelfHook
 , elfutils
 , glib
@@ -26,26 +24,26 @@ let
  tarball = "AMDuProf_Linux_x64_${version}.tar.bz2";

  # NOTE: Remember to update the radare2 patch below if AMDuProfPcm changes.
-  uprofSrc = runCommandLocal tarball {
-    nativeBuildInputs = [ curl ];
-    outputHash = "sha256-j9gxcBcIg6Zhc5FglUXf/VV9bKSo+PAKeootbN7ggYk=";
-    SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt";
-  } ''
-    curl \
-    -o $out \
-    'https://download.amd.com/developer/eula/uprof/uprof-5-1/${tarball}' \
-    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0' \
-    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-    -H 'Accept-Language: en-US,en;q=0.5' \
-    -H 'Accept-Encoding: gzip, deflate, br, zstd' \
-    -H 'Referer: https://www.amd.com/' 2>&1 | tr '\r' '\n'
-  '';
+  src = fetchurl {
+    url = "https://download.amd.com/developer/eula/uprof/uprof-5-1/${tarball}";
+    sha256 = "sha256-jAmsw/xmctJ2r7BKyuA+9exLgZbu3cvrYtyRUUTt8sM=";
+    curlOptsList = [
+      "-H" "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0"
+      "-H" "'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'"
+      "-H" "Accept-Language: en-US,en;q=0.5"
+      "-H" "Accept-Encoding: gzip, deflate, br, zstd"
+      "-H" "Referer: https://www.amd.com/"
+    ];
+    downloadToTemp = true;
+    postFetch = ''
+      cat "$downloadedFile" | tr '\r' '\n' > "$out"
+    '';
+  };

 in
  stdenv.mkDerivation {
    pname = "AMD-uProf";
-    inherit version;
-    src = uprofSrc;
+    inherit src version;
    dontStrip = true;
    phases = [ "installPhase" "fixupPhase" ];
    nativeBuildInputs = [ autoPatchelfHook radare2 ];
--- a/pkgs/nanos6/jemalloc.nix
+++ b/pkgs/nanos6/jemalloc.nix
@@ -5,6 +5,7 @@ jemalloc.overrideAttrs (old: {
    "--with-jemalloc-prefix=nanos6_je_"
    "--enable-stats"
  ];
+  enableParallelBuilding = true;
  hardeningDisable = [ "all" ];
  meta = old.meta // {
    description = old.meta.description + " (for Nanos6)";
--- a/pkgs/nix-portable/default.nix
+++ b/pkgs/nix-portable/default.nix
@@ -0,0 +1,671 @@
+with builtins;
+{
+  bwrap,
+  nix,
+  proot,
+  unzip,
+  zip,
+  unixtools,
+  stdenv,
+  buildPackages,
+  upx,
+
+  bootstrapPrograms ? [
+    "gitMinimal"
+    "netcat-openbsd"
+    "openssh"
+    "bashInteractive"
+  ],
+
+  busybox,
+  cacert ? pkgs.cacert,
+  compression ? "zstd -19 -T0",
+  gnutar ? pkgs.pkgsStatic.gnutar,
+  lib ? pkgs.lib,
+  perl ? pkgs.perl,
+  pkgs ? import <nixpkgs> {},
+  xz ? pkgs.pkgsStatic.xz,
+  zstd ? pkgs.pkgsStatic.zstd,
+  nixStatic,
+  # hardcode executable to run. Useful when creating a bundle.
+  bundledPackage ? null,
+  ...
+}@inp:
+with lib;
+let
+
+  pname =
+    if bundledPackage == null
+    then "nix-portable"
+    else lib.getName bundledPackage;
+
+  bundledExe = lib.getExe bundledPackage;
+
+  nixpkgsSrc = pkgs.path;
+
+  maketar = targets:
+    let
+      closureInfo = buildPackages.closureInfo { rootPaths = targets; };
+    in
+    stdenv.mkDerivation {
+      name = "nix-portable-store-tarball";
+      nativeBuildInputs = [ perl zstd ];
+      exportReferencesGraph = map (x: [("closure-" + baseNameOf x) x]) targets;
+      buildCommand = ''
+        storePaths=$(cat ${closureInfo}/store-paths)
+        mkdir $out
+        echo $storePaths > $out/index
+        cp -r ${closureInfo} $out/closureInfo
+
+        tar -cf - \
+          --owner=0 --group=0 --mode=u+rw,uga+r \
+          --hard-dereference \
+          $storePaths | ${compression} > $out/tar
+      '';
+    };
+
+  packStaticBin = binPath: let
+      binName = (last (splitString "/" binPath)); in
+    pkgs.runCommand
+    binName
+    { nativeBuildInputs = [ upx ]; }
+    ''
+      mkdir -p $out/bin
+      theBinPath=${binPath}
+
+      if [[ -L "$theBinPath" ]]; then
+        theBinPath=$(readlink -f "$theBinPath")
+      fi
+
+      upx -9 -o $out/bin/${binName} $theBinPath
+    '';
+
+  installBin = pkg: bin: ''
+    unzip -qqoj "\$self" ${ lib.removePrefix "/" "${pkg}/bin/${bin}"} -d \$dir/bin
+    chmod +wx \$dir/bin/${bin};
+  '';
+
+  installDynamic = pkgname: let
+    out = pkgs.${pkgname}.out;
+  in ''
+    if [ ! -e \$store${lib.removePrefix "/nix/store" pkgs.${pkgname}.out} ] ; then
+      debug "Installing ${pkgname}"
+      \$run \$store${lib.removePrefix "/nix/store" nix}/bin/nix build --impure --no-link --expr "
+        (import ${nixpkgsSrc} {}).${pkgname}.out
+      "
+    else
+      debug "${pkgname} already installed"
+    fi
+
+    export PATH="${out}/bin:\$PATH"
+  '';
+
+  caBundleZstd = pkgs.runCommand "cacerts" {} "cat ${cacert}/etc/ssl/certs/ca-bundle.crt | ${inp.zstd}/bin/zstd -19 > $out";
+
+  bwrap = packStaticBin "${inp.bwrap}/bin/bwrap";
+  nixStatic = packStaticBin "${inp.nixStatic}/bin/nix";
+  proot = packStaticBin "${inp.proot}/bin/proot";
+  zstd = packStaticBin "${inp.zstd}/bin/zstd";
+
+  # the default nix store contents to extract when first used
+  storeTar = maketar ([ cacert nix nixpkgsSrc ] ++ lib.optional (bundledPackage != null) bundledPackage);
+
+
+  # The runtime script which unpacks the necessary files to $HOME/.nix-portable
+  # and then executes nix via proot or bwrap
+  # Some shell expressions will be evaluated at build time and some at run time.
+  # Variables/expressions escaped via `\$` will be evaluated at run time
+  runtimeScript = ''
+    #!/usr/bin/env bash
+
+    set -eo pipefail
+
+    start=\$(date +%s%N)  # start time in nanoseconds
+
+    # dump environment on exit if debug is enabled
+    if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 1 ]; then
+      trap "declare -p > \''${TMPDIR:-/tmp}/np_env" EXIT
+    fi
+
+    # there seem to be less issues with proot when disabling seccomp
+    # though on android it is needed
+    if [ -n "\$TERMUX_VERSION" ]; then
+      unset LD_PRELOAD
+      NP_RUNTIME=\''${NP_RUNTIME:-proot}
+      export PROOT_TMP_DIR="\$TMPDIR/proot"
+      mkdir -p "\$PROOT_TMP_DIR"
+    else
+      export PROOT_NO_SECCOMP=\''${PROOT_NO_SECCOMP:-1}
+    fi
+
+    set -e
+    if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 2 ]; then
+      set -x
+    fi
+
+    # &3 is our error out which we either forward to &2 or to /dev/null
+    # depending on the setting
+    if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 1 ]; then
+      debug(){
+        echo \$@ || true
+      }
+      exec 3>&2
+    else
+      debug(){
+        true
+      }
+      exec 3>/dev/null
+    fi
+
+    # to reference this script's file
+    self="\$(realpath \''${BASH_SOURCE[0]})"
+
+    # fingerprint will be inserted by builder
+    fingerprint="_FINGERPRINT_PLACEHOLDER_"
+
+    # user specified location for program files and nix store
+    [ -z "\$NP_LOCATION" ] && NP_LOCATION="\$HOME"
+    NP_LOCATION="\$(readlink -f "\$NP_LOCATION")"
+    dir="\$NP_LOCATION/.nix-portable"
+
+    # Create NP_LOCATION and remove sgid bit
+    mkdir -p \$dir
+    if [ ! -z "\$BSC_MACHINE" ]; then
+      # Attempt to avoid issues with sgid folders
+      chmod g-s \$dir
+      chgrp bsc \$dir
+    fi
+
+    store="\$dir/nix/store"
+    # create /nix/var/nix to prevent nix from falling back to chroot store.
+    mkdir -p \$dir/{bin,nix/var/nix,nix/store}
+
+    # create minimal drv file for nix to spawn a nix shell
+    echo 'builtins.derivation {name="foo"; builder="/bin/sh"; args = ["-c" "echo hello \> \\\$out"]; system=builtins.currentSystem;}' > "\$dir/mini-drv.nix"
+
+    # the fingerprint being present inside a file indicates that
+    # this version of nix-portable has already been initialized
+    if test -e \$dir/conf/fingerprint && [ "\$(cat \$dir/conf/fingerprint)" == "\$fingerprint" ]; then
+      newNPVersion=false
+    else
+      newNPVersion=true
+    fi
+
+    # Nix portable ships its own nix.conf
+    export NIX_CONF_DIR=\$dir/conf/
+
+    NP_CONF_SANDBOX=\''${NP_CONF_SANDBOX:-false}
+    NP_CONF_STORE=\''${NP_CONF_STORE:-auto}
+
+
+    recreate_nix_conf(){
+      mkdir -p "\$NIX_CONF_DIR"
+      rm -f "\$NIX_CONF_DIR/nix.conf"
+
+      # static config
+      echo "build-users-group = " >> \$dir/conf/nix.conf
+      echo "experimental-features = nix-command flakes" >> \$dir/conf/nix.conf
+      echo "ignored-acls = security.selinux system.nfs4_acl" >> \$dir/conf/nix.conf
+      echo "sandbox-paths = /bin/sh=\$dir/busybox/bin/busybox" >> \$dir/conf/nix.conf
+      echo "extra-substituters = https://jungle.bsc.es/cache">> \$dir/conf/nix.conf
+      echo "extra-trusted-public-keys = jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" >> \$dir/conf/nix.conf
+
+      echo "extra-system-features = sys-devices" >> \$dir/conf/nix.conf
+      echo "extra-sandbox-paths = /sys/devices/system/cpu=/sys/devices/system/cpu /sys/devices/system/node=/sys/devices/system/node" >> \$dir/conf/nix.conf
+      echo "extra-trusted-users = @bsc" >> \$dir/conf/nix.conf
+
+
+      # configurable config
+      echo "sandbox = \$NP_CONF_SANDBOX" >> \$dir/conf/nix.conf
+      echo "store = \$NP_CONF_STORE" >> \$dir/conf/nix.conf
+    }
+
+
+    ### install files
+
+    PATH_OLD="\$PATH"
+
+    # as soon as busybox is unpacked, restrict PATH to busybox to ensure reproducibility of this script
+    # only unpack binaries if necessary
+    if [ "\$newNPVersion" == "false" ]; then
+
+      debug "binaries already installed"
+      # our busybox does not run on termux, therefore we suffix the PATH only on termux
+      export PATH="\''${TERMUX_VERSION:+\$PATH:}\$dir/busybox/bin"
+
+    else
+
+      debug "installing files"
+
+      mkdir -p \$dir/emptyroot
+
+      # install busybox
+      mkdir -p \$dir/busybox/bin
+      (base64 -d> "\$dir/busybox/bin/busybox" && chmod +x "\$dir/busybox/bin/busybox") << END
+    $(cat ${busybox}/bin/busybox | base64)
+    END
+      busyBins="${toString (attrNames (filterAttrs (d: type: type == "symlink") (readDir "${inp.busybox}/bin")))}"
+      for bin in \$busyBins; do
+        [ ! -e "\$dir/busybox/bin/\$bin" ] && ln -s busybox "\$dir/busybox/bin/\$bin"
+      done
+
+      # our busybox does not run on termux, therefore we suffix the PATH only on termux
+      export PATH="\''${TERMUX_VERSION:+\$PATH:}\$dir/busybox/bin"
+
+      # install other binaries
+      ${installBin zstd "zstd"}
+      ${installBin proot "proot"}
+      ${installBin bwrap "bwrap"}
+      ${installBin nixStatic "nix"}
+
+      # install ssl cert bundle
+      unzip -poj "\$self" ${ lib.removePrefix "/" "${caBundleZstd}"} | \$dir/bin/zstd -d > \$dir/ca-bundle.crt
+
+      recreate_nix_conf
+    fi
+
+    # Override $SHELL with nix bashInteractive
+    export SHELL="${pkgs.bashInteractive.out}/bin/bash"
+    export PS1="\n\[\033[1;32m\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\$\[\033[0m\] "
+
+    ### setup SSL
+    # find ssl certs or use from nixpkgs
+    debug "figuring out ssl certs"
+    if [ -z "\$SSL_CERT_FILE" ]; then
+      debug "SSL_CERT_FILE not defined. trying to find certs automatically"
+      if [ -e /etc/ssl/certs/ca-bundle.crt ]; then
+        export SSL_CERT_FILE=\$(realpath /etc/ssl/certs/ca-bundle.crt)
+        debug "found /etc/ssl/certs/ca-bundle.crt with real path \$SSL_CERT_FILE"
+      elif [ -e /etc/ssl/certs/ca-certificates.crt ]; then
+        export SSL_CERT_FILE=\$(realpath /etc/ssl/certs/ca-certificates.crt)
+        debug "found /etc/ssl/certs/ca-certificates.crt with real path \$SSL_CERT_FILE"
+      elif [ ! -e /etc/ssl/certs ]; then
+        debug "/etc/ssl/certs does not exist. Will use certs from nixpkgs."
+        export SSL_CERT_FILE=\$dir/ca-bundle.crt
+      else
+        debug "certs seem to reside in /etc/ssl/certs. No need to set up anything"
+      fi
+    fi
+    if [ -n "\$SSL_CERT_FILE" ]; then
+      sslBind="\$(realpath \$SSL_CERT_FILE) \$dir/ca-bundle.crt"
+      export SSL_CERT_FILE="\$dir/ca-bundle.crt"
+    else
+      sslBind="/etc/ssl /etc/ssl"
+    fi
+
+    if [ -n "\$NP_GIT" ]; then
+      echo "WARN: NP_GIT is not supported, using nix version instead"
+    fi
+
+
+
+    storePathOfFile(){
+      file=\$(realpath \$1)
+      sPath="\$(echo \$file | awk -F "/" 'BEGIN{OFS="/";}{print \$2,\$3,\$4}')"
+      echo "/\$sPath"
+    }
+
+
+    collectBinds(){
+      pathsTopLevel="/boot /run /sys \$PWD /gpfs /tmp /scratch"
+
+      toBind=""
+      for p in \$pathsTopLevel; do
+        if [ -e "\$p" ]; then
+          real=\$(realpath \$p)
+          if [ -e "\$real" ]; then
+            if [[ "\$real" == /nix/store/* ]]; then
+              storePath=\$(storePathOfFile \$real)
+              toBind="\$toBind \$storePath \$storePath"
+            else
+              toBind="\$toBind \$real \$p"
+            fi
+          fi
+        fi
+      done
+
+
+      # TODO: add /var/run/dbus/system_bus_socket
+      paths="/etc/host.conf /etc/hosts /etc/hosts.equiv /etc/mtab /etc/netgroup /etc/networks /etc/passwd /etc/group /etc/nsswitch.conf /etc/resolv.conf /etc/localtime \$HOME"
+
+      for p in \$paths; do
+        if [ -e "\$p" ]; then
+          real=\$(realpath \$p)
+          if [ -e "\$real" ]; then
+            if [[ "\$real" == /nix/store/* ]]; then
+              storePath=\$(storePathOfFile \$real)
+              toBind="\$toBind \$storePath \$storePath"
+            else
+              toBind="\$toBind \$real \$real"
+            fi
+          fi
+        fi
+      done
+
+      toBind="\$toBind \$dir/busybox/bin /bin"
+      # provide /bin/sh via the shipped busybox
+      toBind="\$toBind \$dir/busybox/bin/busybox /bin/sh"
+      toBind="\$toBind \$dir/busybox/bin/busybox /usr/bin/env"
+
+      # on termux, make sure termux packages still work inside the nix-portable environment
+      if [ -n "\$TERMUX_VERSION" ]; then
+        # binds required so termux native packages still run inside the nix-portable sandbox
+        # TODO: this doesn't quite work yet. debug and fix
+        toBind="\$toBind /system/lib64/libc.so /system/lib64/libc.so"
+        toBind="\$toBind /system/lib64/ld-android.so /system/lib64/ld-android.so"
+        toBind="\$toBind /system/lib64/libdl.so /system/lib64/libdl.so"
+        toBind="\$toBind /system/bin /system/bin"
+        toBind="\$toBind /system/lib64 /system/lib64"
+        toBind="\$toBind /apex/com.android.runtime/bin /apex/com.android.runtime/bin"
+        toBind="\$toBind /linkerconfig/ld.config.txt /linkerconfig/ld.config.txt"
+        toBind="\$toBind \$dir/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt"
+        toBind="\$toBind \$(realpath \$HOME/../usr/etc/resolv.conf) /etc/resolv.conf"
+      fi
+
+    }
+
+
+    makeBindArgs(){
+      arg=\$1; shift
+      sep=\$1; shift
+      binds=""
+      while :; do
+        if [ -n "\$1" ]; then
+          from="\$1"; shift
+          to="\$1"; shift || { echo "no bind destination provided for \$from!"; exit 3; }
+          binds="\$binds \$arg \$from\$sep\$to";
+        else
+          break
+        fi
+      done
+    }
+
+
+
+    ### select container runtime
+    debug "figuring out which runtime to use"
+    [ -z "\$NP_BWRAP" ] && NP_BWRAP=\$dir/bin/bwrap
+    debug "bwrap executable: \$NP_BWRAP"
+    [ -z "\$NP_NIX" ] && NP_NIX=\$dir/bin/nix
+    debug "nix executable: \$NP_NIX"
+    [ -z "\$NP_PROOT" ] && NP_PROOT=\$(PATH="\$PATH_OLD:\$PATH" which proot 2>/dev/null) || true
+    [ -z "\$NP_PROOT" ] && NP_PROOT=\$dir/bin/proot
+    debug "proot executable: \$NP_PROOT"
+    debug "testing all available runtimes..."
+    if [ -z "\$NP_RUNTIME" ]; then
+      # read last automatic selected runtime from disk
+      if [ "\$newNPVersion" == "true" ]; then
+        debug "removing cached auto selected runtime"
+        rm -f "\$dir/conf/last_auto_runtime"
+      fi
+      if [ -f "\$dir/conf/last_auto_runtime" ]; then
+        last_auto_runtime="\$(cat "\$dir/conf/last_auto_runtime")"
+      else
+        last_auto_runtime=
+      fi
+      debug "last auto selected runtime: \$last_auto_runtime"
+      if [ "\$last_auto_runtime" != "" ]; then
+        NP_RUNTIME="\$last_auto_runtime"
+      # check if nix --store works
+      elif \\
+          debug "testing nix --store" \\
+          && mkdir -p \$dir/tmp/ \\
+          && touch \$dir/tmp/testfile \\
+          && "\$NP_NIX" --store "\$dir/tmp/__store" shell -f "\$dir/mini-drv.nix" -c "\$dir/bin/nix" store add-file --store "\$dir/tmp/__store" "\$dir/tmp/testfile" >/dev/null 2>&3; then
+        chmod -R +w \$dir/tmp/__store
+        rm -r \$dir/tmp/__store
+        debug "nix --store works on this system -> will use nix as runtime"
+        NP_RUNTIME=nix
+      # check if bwrap works properly
+      elif \\
+          debug "nix --store failed -> testing bwrap" \\
+          && \$NP_BWRAP --bind \$dir/emptyroot / --bind \$dir/ /nix --bind \$dir/busybox/bin/busybox "\$dir/true" "\$dir/true" 2>&3 ; then
+        debug "bwrap seems to work on this system -> will use bwrap"
+        NP_RUNTIME=bwrap
+      else
+        debug "bwrap doesn't work on this system -> will use proot"
+        NP_RUNTIME=proot
+      fi
+      echo -n "\$NP_RUNTIME" > "\$dir/conf/last_auto_runtime"
+    else
+      debug "runtime selected via NP_RUNTIME: \$NP_RUNTIME"
+    fi
+    debug "NP_RUNTIME: \$NP_RUNTIME"
+    if [ "\$NP_RUNTIME" == "nix" ]; then
+      run="\$NP_NIX shell -f \$dir/mini-drv.nix -c"
+      export PATH="\$PATH:\$store${lib.removePrefix "/nix/store" nix}/bin"
+      NP_CONF_STORE="\$dir"
+      recreate_nix_conf
+    elif [ "\$NP_RUNTIME" == "bwrap" ]; then
+      collectBinds
+      makeBindArgs --bind " " \$toBind \$sslBind
+      run="\$NP_BWRAP \$BWRAP_ARGS \\
+        --bind \$dir/emptyroot /\\
+        --dev-bind /dev /dev\\
+        --proc /proc\\
+        --bind \$dir/nix /nix\\
+        \$binds"
+        # --bind \$dir/busybox/bin/busybox /bin/sh\\
+    else
+      # proot
+      collectBinds
+      makeBindArgs -b ":" \$toBind \$sslBind
+      run="\$NP_PROOT \$PROOT_ARGS\\
+        -r \$dir/emptyroot\\
+        -b /dev:/dev\\
+        -b \$dir/nix:/nix\\
+        \$binds"
+        # -b \$dir/busybox/bin/busybox:/bin/sh\\
+    fi
+    debug "base command will be: \$run"
+
+
+
+    ### setup environment
+    export NIX_PATH="\$dir/channels:nixpkgs=\$dir/channels/nixpkgs"
+    mkdir -p \$dir/channels
+    [ -h \$dir/channels/nixpkgs ] || ln -s ${nixpkgsSrc} \$dir/channels/nixpkgs
+
+
+    ### install nix store
+    # Install all the nix store paths necessary for the current nix-portable version
+    # We only unpack missing store paths from the tar archive.
+    index="$(cat ${storeTar}/index)"
+
+    export missing=\$(
+      for path in \$index; do
+        basepath=\$(basename \$path)
+        if [ ! -e \$store/\$basepath ]; then
+          echo "nix/store/\$basepath"
+        fi
+      done
+    )
+
+    if [ -n "\$missing" ]; then
+      debug "extracting missing store paths"
+      (
+        mkdir -p \$dir/tmp \$store/
+        rm -rf \$dir/tmp/*
+        cd \$dir/tmp
+        unzip -qqp "\$self" ${ lib.removePrefix "/" "${storeTar}/tar"} \
+          | \$dir/bin/zstd -d \
+          | tar -x \$missing --strip-components 2
+        mv \$dir/tmp/* \$store/
+      )
+      rm -rf \$dir/tmp
+    fi
+
+    if [ -n "\$missing" ]; then
+      debug "registering new store paths to DB"
+      reg="$(cat ${storeTar}/closureInfo/registration)"
+      cmd="\$run \$store${lib.removePrefix "/nix/store" nix}/bin/nix-store --load-db"
+      debug "running command: \$cmd"
+      echo "\$reg" | \$cmd
+    fi
+
+
+    ### select executable
+    # the executable can either be selected by
+    # - executing './nix-portable BIN_NAME',
+    # - symlinking to nix-portable, in which case the name of the symlink selects the nix executable
+    # Alternatively the executable can be hardcoded by specifying the argument 'executable' of nix-portable's default.nix file.
+    executable="${if bundledPackage == null then "" else bundledExe}"
+    if [ "\$executable" != "" ]; then
+      bin="\$executable"
+      debug "executable is hardcoded to: \$bin"
+
+    elif [[ "\$(basename \$0)" == nix-portable* ]]; then\
+      if [ -z "\$1" ]; then
+        echo "Error: please specify the nix binary to execute"
+        echo "Alternatively symlink against \$0"
+        exit 1
+      elif [ "\$1" == "debug" ]; then
+        bin="\$(which \$2)"
+        shift; shift
+      else
+        bin="\$store${lib.removePrefix "/nix/store" nix}/bin/\$1"
+        shift
+      fi
+    # for binary selection via symlink
+    else
+      bin="\$store${lib.removePrefix "/nix/store" nix}/bin/\$(basename \$0)"
+    fi
+
+
+
+    ### check which runtime has been used previously
+    if [ -f "\$dir/conf/last_runtime" ]; then
+      lastRuntime=\$(cat "\$dir/conf/last_runtime")
+    else
+      lastRuntime=
+    fi
+
+
+
+    ### check if nix is functional with or without sandbox
+    # sandbox-fallback is not reliable: https://github.com/NixOS/nix/issues/4719
+    if [ "\$newNPVersion" == "true" ] || [ "\$lastRuntime" != "\$NP_RUNTIME" ]; then
+      nixBin="\$(dirname \$bin)/nix"
+      debug "Testing if nix can build stuff without sandbox"
+      if ! \$run "\$nixBin" build --no-link -f "\$dir/mini-drv.nix" --option sandbox false >&3 2>&3; then
+        echo "Fatal error: nix is unable to build packages"
+        exit 1
+      fi
+
+      debug "Testing if nix sandbox is functional"
+      if ! \$run "\$nixBin" build --no-link -f "\$dir/mini-drv.nix" --option sandbox true >&3 2>&3; then
+        debug "Sandbox doesn't work -> disabling sandbox"
+        NP_CONF_SANDBOX=false
+        recreate_nix_conf
+      else
+        debug "Sandboxed builds work -> enabling sandbox"
+        NP_CONF_SANDBOX=true
+        recreate_nix_conf
+      fi
+
+    fi
+
+
+    ### save fingerprint and lastRuntime
+    if [ "\$newNPVersion" == "true" ]; then
+      echo -n "\$fingerprint" > "\$dir/conf/fingerprint"
+    fi
+    if [ "\$lastRuntime" != \$NP_RUNTIME ]; then
+      echo -n \$NP_RUNTIME > "\$dir/conf/last_runtime"
+    fi
+
+
+
+    ### set PATH
+    # restore original PATH and append busybox
+    export PATH="\$PATH_OLD:\$dir/busybox/bin"
+
+    ### install programs via nix
+    ${concatMapStringsSep "\n" installDynamic bootstrapPrograms}
+
+    ### print elapsed time
+    end=\$(date +%s%N)  # end time in nanoseconds
+    # time elapsed in millis with two decimal places
+
+    # print stats about initialization time of nix-portable
+    # skipt for termux, as it doesn't have bc installed
+    if [ -z "\$TERMUX_VERSION" ]; then
+      elapsed=\$(echo "scale=2; (\$end - \$start)/1000000" | bc)
+      debug "Time to initialize nix-portable: \$elapsed millis"
+    fi
+
+
+    ### run commands
+    [ -z "\$NP_RUN" ] && NP_RUN="\$run"
+    if [ "\$NP_RUNTIME" == "proot" ]; then
+      debug "running command: \$NP_RUN \$bin \$@"
+      exec \$NP_RUN \$bin "\$@"
+    else
+      cmd="\$NP_RUN \$bin \$@"
+      debug "running command: \$cmd"
+      exec \$NP_RUN \$bin "\$@"
+    fi
+    exit
+  '';
+
+  runtimeScriptEscaped = replaceStrings ["\""] ["\\\""] runtimeScript;
+
+  nixPortable = pkgs.runCommand pname {
+    nativeBuildInputs = [unixtools.xxd unzip];
+
+    meta = {
+      homepage = "https://github.com/DavHau/nix-portable";
+      description = "Nix - Static, Permissionless, Installation-free, Pre-configured for mn5";
+      maintainers = with lib.maintainers.bsc; [ abonerib ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.mit;
+    };
+  } ''
+    mkdir -p $out/bin
+    echo "${runtimeScriptEscaped}" > $out/bin/nix-portable.zip
+    xxd $out/bin/nix-portable.zip | tail
+
+    sizeA=$(printf "%08x" `stat -c "%s" $out/bin/nix-portable.zip` | tac -rs ..)
+    echo 504b 0304 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
+    echo 0000 0000 0000 0000 0000 0200 0000 4242 | xxd -r -p >> $out/bin/nix-portable.zip
+
+    sizeB=$(printf "%08x" `stat -c "%s" $out/bin/nix-portable.zip` | tac -rs ..)
+    echo 504b 0102 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
+    echo 0000 0000 0000 0000 0000 0000 0200 0000 | xxd -r -p >> $out/bin/nix-portable.zip
+    echo 0000 0000 0000 0000 0000 $sizeA 4242 | xxd -r -p >> $out/bin/nix-portable.zip
+
+    echo 504b 0506 0000 0000 0000 0100 3000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
+    echo $sizeB 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
+
+    unzip -vl $out/bin/nix-portable.zip
+
+    zip="${zip}/bin/zip -0"
+    $zip $out/bin/nix-portable.zip ${bwrap}/bin/bwrap
+    $zip $out/bin/nix-portable.zip ${nixStatic}/bin/nix
+    $zip $out/bin/nix-portable.zip ${proot}/bin/proot
+    $zip $out/bin/nix-portable.zip ${zstd}/bin/zstd
+    $zip $out/bin/nix-portable.zip ${storeTar}/tar
+    $zip $out/bin/nix-portable.zip ${caBundleZstd}
+
+    # create fingerprint
+    fp=$(sha256sum $out/bin/nix-portable.zip | cut -d " "  -f 1)
+    sed -i "s/_FINGERPRINT_PLACEHOLDER_/$fp/g" $out/bin/nix-portable.zip
+    # fix broken zip header due to manual modification
+    ${zip}/bin/zip -F $out/bin/nix-portable.zip --out $out/bin/nix-portable-fixed.zip
+
+    rm $out/bin/nix-portable.zip
+    executable=${if bundledPackage == null then "" else bundledExe}
+    if [ "$executable" == "" ]; then
+      target="$out/bin/nix-portable"
+    else
+      target="$out/bin/$(basename "$executable")"
+    fi
+    mv $out/bin/nix-portable-fixed.zip "$target"
+    chmod +x "$target"
+  '';
+in
+nixPortable.overrideAttrs (prev: {
+  passthru = (prev.passthru or {}) // {
+    inherit bwrap proot;
+  };
+})
--- a/pkgs/nix-wrap/default.nix
+++ b/pkgs/nix-wrap/default.nix
@@ -14,7 +14,7 @@ let
  nixConfDir = "share";
  nix_wrap_sh = writeText "nix-wrap.sh" ''
    #!/usr/bin/env bash
-    #
+
    busybox_bin="${nixPrefix}${busybox}/bin"
    bubblewrap_bin="${nixPrefix}/${bubblewrap}/bin"

@@ -69,7 +69,6 @@ stdenv.mkDerivation rec {
  name = "nix-wrap";
  buildInputs = [
    bashInteractive
-    busybox
    nix
  ];
  src = null;
@@ -92,7 +91,6 @@ stdenv.mkDerivation rec {
    homepage = null;
    description = "nix bubblewrap wrapper";
    maintainers = [ ];
-    broken = true;
    platforms = lib.platforms.linux;
    license = lib.licenses.mit;
  };
--- a/secrets/ceph-user.age
+++ b/secrets/ceph-user.age
@@ -1,29 +1,25 @@
 age-encryption.org/v1
-> ssh-ed25519 AY8zKw Crgof1PMHzv3jBw8VeJAst6FKSoyqPFdANFpf79CAgo
-7fagE5BmlWdTsdY/i3RbExu1KBcjW1LQXbYwu6chxlk
-> ssh-ed25519 sgAamA tGRCaK8mjvz65YziXjRcjMOHIRoyGNJFzBEEbivXPDo
-YLzE5a3J81r+gzkfZIeh9gS+mXzMooC82tBbZ+C3C8o
-> ssh-ed25519 HY2yRg +vhO1/vdGPM1JnZRsvVnViFWaFWUZ7MIqvWdePivkxA
-2K+JdN82DTeGh9QwZBTaghg8C5BCLoEsOgTCM64PU28
-> ssh-ed25519 fw2Xhg NHDn0dq32I/AVdUZlpzBX6retlEYEUipde7A9R90qW4
-SJO78ooqEwfHlBRW+YCzgSQJb1JHNo8jz37t3qvLClE
-> ssh-ed25519 G5LX5w d4HfLzI2623artkR2FIfRJgr5yb2BKZJUWqPnwOWDCk
-Kh50QESJZSjaJPyp3xroHGn0fD5pPNEYgKkDdqxGpjs
-> ssh-ed25519 tcumPQ wQyOKtT15Qezs3cyv5/xxIPVD7Jyk6N6ZLkfxxBHLTo
-rKlRBjJdfDVT6U8211+ssFF8yY9yRs1u3GhCSvsw2oE
-> ssh-ed25519 JJ1LWg 98tF1MdA244xNny4w3RnMFuubf4WcuQaZf2bN2Uq8Qc
-MA1Xh1H9vHisVYdqkxNeBkngtn8cYuT2eSimvooIXYo
-> ssh-ed25519 cDBabA imJ0rXLQETELP7yo3sArhqA9nJwY+S6gkC7tA7CJsQA
-pKMHW/KDAoEj5ZD64VKekg6et9hlS2PKSgDw3eB3eu8
-> ssh-ed25519 WY7yGw +2g5021/02HvLxLqq42ynr6qKgOKJ3J5GgB1a1bmFXg
-fYvj52R6bM6ngPOZ2lwVezTJnx+8LJBbdnaapKKbyd0
-> ssh-ed25519 cK5kHw fLZ6yF3NggJ724rjYqhs5ZZh1xUExuK+ITAyqONluzk
-NS9OMX70XEHrbPQnmC4KB/eoiHChIb8DwDLYJiwOLUU
-> ssh-ed25519 CAWG4Q tVduE/wMzdfS+DjNbU3Q4blNhL/A63IehNSZGJkJjD0
-jEBB5zG+gLA/88YF+KqWQsNH7lfCsWNvAkrgfbescFs
-> ssh-ed25519 xA739A ZhFvev77I+YOl1YSHKn2ZcEvGoLjWOILufjd4q/k8HM
-YXEtHHtjPQlgZW60zHgHm7CLI6vYiRo+AM8QERL9tCg
-> ssh-ed25519 MSF3dg 9DvLNheBU1vlfW2zNNxBrGnJ6k4P5ox7s+OGKlgRdyQ
-wseHfLGHz0huNi5sZsNOfeNkm6Kjjx0SZ8lK4/oXtUQ
--- bnJE+14onuSla0XmckD4z/wChWGZh6exbkcbyhcmNYU
-<EFBFBD><EFBFBD>t<>N猈<><10>U<EFBFBD>w▮i2<69><32>-<2D>iV'(<1E>IF<49><46>	S<><53>xs/s<><73>	<09><>NDm<44>Q<EFBFBD><51><EFBFBD>o<EFBFBD><6F><EFBFBD><EFBFBD>wZv<7F><76>.\
+-> ssh-ed25519 AY8zKw /gmhFOFqOs8IobAImvQVKeM5Y6k0FpuR61/Cu5drVVI
+g9FXJg2oIoien0zJ70FWHwSTM8SBwbpS188S3Swj7EM
+-> ssh-ed25519 sgAamA opPjlWPhSiI0Rd5l7kd204S5FXFLcQcQftyKb7MDmnU
+3XrRDVnglCP+vBwvfd1rP5gHttsGDHyXwbf10a8/kKY
+-> ssh-ed25519 HY2yRg QKZbubM76C3tobPoyCFDRclA9Pzb2fC7s4WOoIgdORc
+K5kckU0KhQFTE6SikJXFJgM41Tco5+VqOsaG0qLrY1Q
+-> ssh-ed25519 fw2Xhg +ohqts8dLFjvdHxrGHcOGxU0dm+V3N//giljHkobpDM
+jR/UzGrfS9lrJ/VeolKLxfzeJAf2fIB2pdIn/6ukqNk
+-> ssh-ed25519 tcumPQ 3DPkDPIQQSVtXSLzIRETsIyXQ0k1o18Evn6vf+l/6R8
+bLXF62OmJjnOT1vvgq3+AcOKKSG5NonrK5EqCVc0Mwo
+-> ssh-ed25519 JJ1LWg 2Wefc7eLolMU5InEmCNTq21Mf71mI0a2N1HgDrlHvy4
+qXFW9CQBnrzubZ0mzS0Io2WGRrwGBkmeYndBTcZn/fM
+-> ssh-ed25519 cDBabA oiH36AoIt/fFFYgnoxtH7OoetP+2/wjtn8qo3RJDSHc
+qKmkxy1aZGP4ZwC0iH7n7hiJ0+rFQYvjQb5O1a1Z0r4
+-> ssh-ed25519 cK5kHw bX3RtO5StMejUYWAaA37fjHA5nO7Xs1vWDQk3yOjs2o
+Egxmcf8FKAd+E5hMLmhV1yQsCo5rJyUazf1szOvpTAM
+-> ssh-ed25519 CAWG4Q oKqqRDJH0w8lsoQBQk0w8PO+z5gFNmSaGBUSumvDp1I
+m1zWp9MfViAmtpbJhqOHraIokDaPKb0DvvO4vAGCTWI
+-> ssh-ed25519 xA739A G26kPOz6sbFATs+KAr7gbDvji13eA1smFusQAOJXMwA
+Sppvz7A103kZoNxoGsd6eXeCvVh7mBE2MRwLFj9O1dY
+-> ssh-ed25519 MSF3dg 55ekNcp+inbUd+GQ/VZ7BoBASaJ8YDqF74CVXy1PUxQ
+aTHLLAbzQPWWld/OT3BKebc6FcmsqMTaWCPBGm1UHic
+--- mVkAMnI9XQhS3fMiFuuXP/yLR9wEG9+Rr8pA4Uc0avY
+<04>DU <20><>s<EFBFBD><73><EFBFBD><EFBFBD>j<EFBFBD><6A>M<EFBFBD><4D>$<24>[<5B>M<EFBFBD><4D><EFBFBD><03>[_<>K7s<37>ju<>v<EFBFBD>D<EFBFBD>4<EFBFBD>g<EFBFBD><67>܄3<>Gn<47><6E><EFBFBD> ɽ<>P<EFBFBD>7~rZs<><73>
--- a/secrets/gitea-runner-token.age
+++ b/secrets/gitea-runner-token.age
--- a/secrets/gitlab-bsc-docker-token.age
+++ b/secrets/gitlab-bsc-docker-token.age
--- a/secrets/gitlab-runner-docker-token.age
+++ b/secrets/gitlab-runner-docker-token.age
@@ -1,13 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg eHM55QsHK1ca9b5nP3EoVUZYu0w2d4B5tkilNK0j/lw
-6Na6lkMe0fOd7+vNP1fLIaVEQDUw5m65Wh8jUH1I6C0
-> ssh-ed25519 cK5kHw 0ekhoBYwF7OSWwn4P5f/J4gXb9UHJAWGKV0yI7HCzzE
-2Q+Tt5jXAB9ip9jf1z+jeM4FSiqd1w5DNtbqtacuOcM
-> ssh-ed25519 CAWG4Q Jmw4v9efOFXHjjNky96q/d6vGBP5dNM4wK9zoGrwOh8
-u5I17wcIq8/2ARWckDXsYckhfX0jWE4AEm5mip/KHws
-> ssh-ed25519 xA739A 10pPeC2YG9DJzaQlt7p+fGo27VDiL2dN6JmvY2npcUw
-4aRV8DekYeL9HagGWgOSjlYnPKmYdKZH8Aw4lRdm+r8
-> ssh-ed25519 MSF3dg hDwIE3Su6cN3sq2E5v/oy6vTNfxTT1ZPts85//gIhwY
-aoiaGjQYJB1ededhIuVBCKDRLIOVThWz1pSTvg65J3Y
--- OYPAGb5U/nwLOIV5VchSvxhChjNnwzbEgU9glSkWCl4
-<EFBFBD>=<EFBFBD><EFBFBD><EFBFBD>c<EFBFBD>WȟJSaІ&<26><1F>ቧ)E<><0B> C<><43>J~u<>c<63><7F>2<EFBFBD><32>v<EFBFBD><76><EFBFBD><03><>s<EFBFBD><73><EFBFBD>vf<76><10><>X7(<28>~<7E><1A>=XCi;<3B>״<EFBFBD>\ߢ<><DFA2><EFBFBD>ܣ<EFBFBD><10><><07>ɳCe<43>D;;X*<2A>3<EFBFBD>i<EFBFBD><69>r<EFBFBD>Em<45><6D><
+-> ssh-ed25519 HY2yRg U2KQWviZIVNemm9e8h7H+eOzoYNxXgLLS3hsZLMAuGk
+6n5dH1McNzk3rscP4v2pqZYDWtUFMd15rZsEd/mqIFM
+-> ssh-ed25519 cK5kHw Ebrj/cpz1cFWAYAV9OxgyyH85OEMUnfUIV66p7jaoFY
+6J7hWqODtS/fIF4BpxhxbrxZq5vbolvbLqRKqazT02M
+-> ssh-ed25519 CAWG4Q mXqoQH9ycHF7u0y8mazCgynHxNLxTnrmQHke+2a5QCc
+mq6PdSF+KOqthuXwzTCsOQsi5KG0z1wHUck+bSTyOBY
+-> ssh-ed25519 xA739A TADeswueqDEroZWLjMw3RDNwVQ2xRD+JUMVZENovn0M
+KFlnSjVFbjc+ZsbY8Ed7edC5B01TJGzd/dSryiLArPc
+-> ssh-ed25519 MSF3dg Pq+ZD8AqJGDHDbd4PO1ngNFST8+6C2ghZkO/knKzzEc
+wyiL/u38hdQMokmfTsBrY7CtYwc+31FG4EDaqVEn31U
+--- 1z4cOipayh0zYkvasEVEvGreajegE/dqBV7b6E7aFh0
+<EFBFBD><EFBFBD><EFBFBD><EFBFBD>R<EFBFBD>@<40>/i<>I'<27><><EFBFBD>Nx<4E>r"<1D>`<1E>O<EFBFBD><4F><EFBFBD>y<><79>8<EFBFBD><38> \/<2F><>I<19><17>D<EFBFBD>`<60>ߓ<EFBFBD><DF93><EFBFBD><1E><04>uy<75><79><EFBFBD>:9Lt<4C><1D><><EFBFBD>؋<EFBFBD><D88B><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>AU<41><55><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>`<60>;<3B>q8<71>GLU#<23>i<EFBFBD>y<EFBFBD><79>i<03>ڜ
--- a/secrets/gitlab-runner-shell-token.age
+++ b/secrets/gitlab-runner-shell-token.age
--- a/secrets/ipmi.yml.age
+++ b/secrets/ipmi.yml.age
--- a/secrets/jungle-robot-password.age
+++ b/secrets/jungle-robot-password.age
--- a/secrets/munge-key.age
+++ b/secrets/munge-key.age
--- a/secrets/nix-serve.age
+++ b/secrets/nix-serve.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,7 +22,6 @@ in
  "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent;
  "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent;
  "tent-gitlab-runner-bsc-docker-token.age".publicKeys = tent;
-  "tent-nextcloud-admin-pass.age".publicKeys = tent;
  "vpn-dac-login.age".publicKeys = tent;
  "vpn-dac-client-key.age".publicKeys = tent;

--- a/secrets/tent-gitlab-runner-bsc-docker-token.age
+++ b/secrets/tent-gitlab-runner-bsc-docker-token.age
--- a/secrets/tent-gitlab-runner-pm-docker-token.age
+++ b/secrets/tent-gitlab-runner-pm-docker-token.age
--- a/secrets/tent-gitlab-runner-pm-shell-token.age
+++ b/secrets/tent-gitlab-runner-pm-shell-token.age
--- a/secrets/tent-nextcloud-admin-pass.age
+++ b/secrets/tent-nextcloud-admin-pass.age
--- a/secrets/vpn-dac-client-key.age
+++ b/secrets/vpn-dac-client-key.age
--- a/secrets/vpn-dac-login.age
+++ b/secrets/vpn-dac-login.age
@@ -1,13 +1,14 @@
 age-encryption.org/v1
-> ssh-ed25519 G5LX5w /9lcJOXC9CN02+XLswUaJ0H7jU6Xhjd8Xg4+KY0l1Vc
-fCLzsLc9zrocM8SHOKyZwt6eUEr8r1WLug9RLi63KU0
-> ssh-ed25519 cK5kHw 1qza6h2NRSs4g8LYdFU7E+Dn1CgdtCU7DPdYInP1GwM
-/6uk7pTFkNTRTI7nA+x4y4CyOBVQVXX2lnpOg3ktPe4
-> ssh-ed25519 CAWG4Q o+vyzcejSaNVYPSGzzOdzaqPByZ6zA1uaJf4KOg+wQA
-wfZmWrDSfRV8C+Hu+SeZDcomf/qigBqxuQK77SfnuEo
-> ssh-ed25519 xA739A +rBsOC+IBE3lmc/pfrziftLIqMSyaGMsggRjC5Pqwl0
-xa7ulLz2+YC3g2hu7e9XhRYDIUb2sriaaigJRYF2oB8
-> ssh-ed25519 MSF3dg TK6PmKjjQt8ni0mJLCt7P41lUsgimlj3o5Q6n3N+DE4
-ne+s3ctcg8cBjY06LY2lrW7wcxomvKHxu6MlirEA8Kg
--- eorg2ckkUZ1Ogi4iTTg2MoiVBwl1F0RCmH2D8N1d1So
-<EFBFBD><EFBFBD><EFBFBD>8<1C><><EFBFBD><EFBFBD><EFBFBD><12>i<17>$]K<>J=2Z<1D><>ӼF<D3BC>][<14><><EFBFBD>8<EFBFBD><38>ޤ<12>	<09>=<3D><>LD/<2F>gz
+-> ssh-ed25519 G5LX5w SRJhNenoQXbT1FgX3TMPnVH5P6oe2eHot+M1YsEjsEk
+hfTSLgKi98Eh7JK5o7x2POpTEtQlQCpEa3keUFYCuME
+-> ssh-ed25519 cK5kHw z5TwWJTkvx7HztjXHJW/aCOtOfPrQaLP0gyIT7rXcyU
+b4NCpHfasgvkLLr+6LcWUl60p59aSNnfp3bl2OFYXo0
+-> ssh-ed25519 CAWG4Q 4VpS1/OnFe8nxcQbRTKNhjsh/ZQ5cbhSMXwK/jjQ+3o
+WF9wvOkqVml4UcEzyzeumKuUwCwwr2zvKLMg+PCB8nk
+-> ssh-ed25519 xA739A 67FhuJ070jBVMt/xbKHWhfri6iIm0FyaFvzQabsvFBM
+1G5/913dDv/r/6p1x/c5YiUnZzrX/LvIj33KW+PN0KU
+-> ssh-ed25519 MSF3dg Bj/yB4N2wkyHCHC22tcjjJAA4ebSamN0Z4UVX3ZnryI
+6D/ZgTs+j+MGDAbPU5zyK0i9zN6tQy68IcOnQZ27mYg
+--- 169erk3ICSYLs4FPEuXCn7QlekWhsmSn0Lr+/R14I5Q
+<EFBFBD><EFBFBD><EFBFBD><EFBFBD><05>ҽ3<D2BD>s<EFBFBD>
+w<EFBFBD><EFBFBD>4D<EFBFBD><EFBFBD>b.<2E><><EFBFBD>"|<7C><><EFBFBD>)"<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;<3B>.<2E>ɫ7)<29>LeC<05>=S؟
--- a/secrets/wg-apex.age
+++ b/secrets/wg-apex.age
--- a/secrets/wg-fox.age
+++ b/secrets/wg-fox.age
@@ -1,13 +1,14 @@
 age-encryption.org/v1
-> ssh-ed25519 cDBabA So/Tqwdwd7G0PbE4RwH2qDrNcdqTkhFjF4IJrLKKpkM
-MEA5dzlUeFXm3pa+ndxrcE0ZWdO00Xf98+Q8U9LZ+cQ
-> ssh-ed25519 cK5kHw sCHD/hHBOfMBUQXkLG3MBPNC4ebLOXW37OlF/C8FEjU
-4TFbKoy23Ic2vteXZ02fMrFxyb4NxyWaSo5I8dn48mI
-> ssh-ed25519 CAWG4Q KYGPAXTx8H5cBC3YIBxi5B7OeF15C9rEIPFCcG0vEDw
-9LC2Zvp1Oiau1/hfPf+nJknl6BUSr+lzTn6TozZNxJg
-> ssh-ed25519 xA739A hpvNBHPgYRtUx0HyUAdCW8s7QTmGyPXwzRHb8qYoeG0
-QkUZINY7Fr7HpyY6lbIMcP+hGO3oCmLL6N+yDN4weyk
-> ssh-ed25519 MSF3dg P9TmEfXS+hyxsbVKja58UWAFpad0ZS3LhwrMkLnSNAY
-hiHuh7HhoYwHi2KFbCczXJoF3On9eqjD1Wsp9Q1NW/w
--- SN3peoDvjXuD/Q4DdebQFam1CE22NyGZlMmnKyCTuX8
-s<0F><><14><>&׳֦<D7B3><D6A6><EFBFBD><EFBFBD>}<7D>#In0&<26><1F>{<7B>1<EFBFBD><31>.
+-> ssh-ed25519 cDBabA heyW9/cxgwFX9IexQIXjAQDWGQPNcMXcArQp2Rxsqx4
+o9MQ7EH8PDDjsJdpH9F3Xq2zUoaDAJQlfFmYucSFs6Y
+-> ssh-ed25519 cK5kHw Sza4pos7K3qW3omEeyidI/jszJNf9smemSZnUJfCIww
+D6vazXki7hIYraIuSiGPS+FPbkFUwHhHWDf52OhEIMg
+-> ssh-ed25519 CAWG4Q YexIHueOIMmIN8JIDyNUOKBkyz/k18HqV3hTXh48KlM
+xh8UJzzWT6ByN+Dpn4JrMNsjGC/uc/v6LynwjBDz9NQ
+-> ssh-ed25519 xA739A KySG3TXdqfCMUkVEDGa74B0op745s3XGYxFLyAXSQAc
+5EI/yb5ctW9Qu18bHm3/sK97kwGcKzzmWvPSCWm89XA
+-> ssh-ed25519 MSF3dg MNxnNj0fHmri8ophexXPNjRUBUWrzcuk5S1mucxUMTE
+GVFWXtISEU8ZmlwL4nh4weAgfGrt2GHX0DTzbpS6zg8
+--- UdrqkYG2ZApAuwdZeNhC50NP2rkD/Ol6y8nJa4RHx7Y
+<EFBFBD>ܻ<EFBFBD>m(<28><><EFBFBD>><3E>H<48>Y87<><37>G<0F>+*<12><><EFBFBD><EFBFBD>9V<>.<2E><><EFBFBD><EFBFBD><03><><EFBFBD>p<EFBFBD>Oo<4F>=+哇<>P0<50><30>{<7B>)<29><17><><EFBFBD><EFBFBD>><3E>z3P^
+u
--- a/secrets/wg-raccoon.age
+++ b/secrets/wg-raccoon.age
Author	SHA1	Message	Date
Aleix Boné	dcdbcc5afa	Use fetchurl for amd-uprof Some checks failed CI / build:cross (pull_request) Successful in 8s Details CI / build:all (pull_request) Failing after 48s Details	2026-03-09 12:32:05 +01:00
Aleix Boné	8cf6101ffe	Enable parallelBuilding in jemalloc	2026-03-09 12:32:04 +01:00
Aleix Boné	1216a5b93c	Make bsc users trusted in nix-portable	2026-03-09 12:32:04 +01:00
Aleix Boné	9678247cbb	Add sys-devices feature to nix-portable nix.conf	2026-03-09 12:32:04 +01:00
Aleix Boné	3ff503fa6e	Add meta with license to nix-portable	2026-03-09 12:32:04 +01:00
Aleix Boné	143c0d1b39	Bind /usr/bin/env in nix-portable	2026-03-09 12:32:04 +01:00
Aleix Boné	85f49b17ac	Add jungle cache to nix-portable nix.conf	2026-03-09 12:32:04 +01:00
Aleix Boné	8df96f3cf6	Use nix bwrap in nix-portable	2026-03-09 12:32:04 +01:00
Aleix Boné	a4757a0050	Remove nix-portable tmpbin feature It will not work without the host /lib64/ld	2026-03-09 12:32:03 +01:00
Aleix Boné	29a531b906	Add bashInteractive in nix-portable bwrap	2026-03-09 12:32:03 +01:00
Aleix Boné	5f0aeed3c0	Install netcat, ssh and git in nix-portable These are needed by nix in order to properly download and build stuff. busybox's netcat does not work since it doesn't support -X.	2026-03-06 17:31:11 +01:00
Aleix Boné	951cd9bc11	Bind to busybox to /bin/sh in nix-portable	2026-03-06 17:31:11 +01:00
Aleix Boné	75c02153a3	Remove sgid from .nix-portable and set group This should prevent issues when putting it under /gpfs/{projects,scratch} that have sgid and group=nobody.	2026-03-06 17:31:10 +01:00
Aleix Boné	e14225a447	Restrict paths added to bwrap in nix-portable	2026-03-06 17:31:10 +01:00
Aleix Boné	24a35583af	Bind proc using --proc in nix-portable	2026-03-06 17:31:10 +01:00
Aleix Boné	35df90594e	Fix nix-portable pkgStatic symlink handling	2026-03-06 17:31:10 +01:00
Aleix Boné	57077e0276	Add nix-portable repo: https://github.com/DavHau/nix-portable rev: 91122e3d94ba51d7d83fe990fa81d3de0968fb32	2026-03-06 17:31:10 +01:00
Aleix Boné	30bd998114	Re-enable nix-wrap libcap is no longer broken upstream	2026-03-06 17:31:10 +01:00