Compare commits
1470 Commits
add-tent-m
...
master
Author | SHA1 | Date | |
---|---|---|---|
ab86243a07 | |||
14f2393d30 | |||
f115d611e7 | |||
4261d327c6 | |||
4685c36e2f | |||
c6c788f1e2 | |||
606386d006 | |||
1fba0a14a8 | |||
d6621e939a | |||
67726c1d44 | |||
a971ed6a54 | |||
06581e455c | |||
dd7f24f455 | |||
64e2c39582 | |||
98d17b19d3 | |||
44cc60fcd8 | |||
ca48ce556c | |||
e8ac9dfb64 | |||
188ba6df0a | |||
b1a37ae1fe | |||
63822bb054 | |||
b94a1493d5 | |||
826d6a28ef | |||
ae6b0ae161 | |||
01986c376b | |||
e42058f08b | |||
f3bfe89f27 | |||
ee6f981006 | |||
92ee4a09d7 | |||
34f4b6aa37 | |||
2f2d6cbea8 | |||
69b09b6dda | |||
a737d725ed | |||
6c1d1f3b2b | |||
f338ef47d5 | |||
239e84c40c | |||
ed820e79f8 | |||
afeb415c98 | |||
256b24b97b | |||
492f73b600 | |||
76ddd85afe | |||
7affb8ef4b | |||
4ba823e5b7 | |||
51eecde59e | |||
9eb5c486ba | |||
5df49dcfab | |||
b040bebd1d | |||
f69629d2da | |||
0668f0db74 | |||
5fcd57a061 | |||
ad1544759f | |||
2ffdd53d86 | |||
e1c950a530 | |||
f9632c37f8 | |||
1f0cb4ae76 | |||
d49d078bed | |||
e98fdb89ab | |||
6afe05b5fd | |||
7d5aebf882 | |||
94cbfd38a6 | |||
4da7780472 | |||
a6dfc267fd | |||
d6126501ba | |||
ac0deb47b6 | |||
f7d676de77 | |||
cf1db201b2 | |||
e6e4846529 | |||
084d556c56 | |||
c7b5ec13b8 | |||
00dfe801f4 | |||
ff0fc18d0a | |||
19c7e32678 | |||
017c19e7d0 | |||
a36eff8749 | |||
df17b11458 | |||
0dc7b7eb3d | |||
dff6eaf587 | |||
4b6b67b587 | |||
20e7d244d1 | |||
c5d3b8e7f0 | |||
6bbfb0d124 | |||
46d03d5ca7 | |||
e366e6ce87 | |||
e415f70bbb | |||
200c727bbf | |||
7413021440 | |||
20b4805335 | |||
f7dff9deab | |||
f569933732 | |||
ee895d2e4f | |||
5ee8623af2 | |||
a0e4b209b0 | |||
ce25867421 | |||
f89bba35a6 | |||
2c8d7ed855 | |||
d591721a61 | |||
343b4f155e | |||
39a211a846 | |||
142985c505 | |||
3f3dc2d037 | |||
3269d763aa | |||
f2d8ee8552 | |||
8d984a0672 | |||
f3733418b2 | |||
1666c14a35 | |||
b29f03ba6e | |||
ae2ef1d2df | |||
9a48ae45bb | |||
ce8b05b142 | |||
974bb56dc3 | |||
88d4d8e317 | |||
885e04e446 | |||
4a5787e0c6 | |||
6c11093033 | |||
26f52aa27d | |||
52fe43bfe1 | |||
f0637b4569 | |||
6ddfea0a3a | |||
e7adef1ffa | |||
e82d3c3b9f | |||
4442b6a706 | |||
2d0b014dc7 | |||
867ba3ec5a | |||
2cacc2b265 | |||
e4abd8d8f6 | |||
750504744f | |||
c26ec1b6f1 | |||
2ef32f773c | |||
fc9fcd602a | |||
0e37ab5fe1 | |||
a1b387e454 | |||
380abe9957 | |||
37c12783bb | |||
7379e84e79 | |||
b802f88df9 | |||
bd94c4ad00 | |||
570c6e175d | |||
96661dd0d4 | |||
28db7799ea | |||
508059c99e | |||
b9f9cc7d7a | |||
eae0c7cb59 | |||
2280635cd6 | |||
16ada09600 | |||
0d291d715c | |||
66001f76f7 | |||
1e3b85067d | |||
36ee1f3adc | |||
25e9c071b0 | |||
80cee2dbd0 | |||
ee92934c74 | |||
db0f3fed91 | |||
adeaa0484d | |||
815810830e | |||
7a52e1907c | |||
22a2e1b9e8 | |||
f29461ae32 | |||
208197f099 | |||
479ca1b671 | |||
40529fbdcb | |||
9b0d3fb21e | |||
d8444131d8 | |||
af540456a6 | |||
42d6734da8 | |||
071a8084a0 | |||
24a0c58592 | |||
810a6dfcec | |||
47ad89dee1 | |||
8af1b259f5 | |||
560003d4fd | |||
68ff45075c | |||
fc68d16197 | |||
f6ec1293f4 | |||
4feeff978c | |||
7b19292912 | |||
0627db0eb9 | |||
ae2f6dde41 | |||
3bf70656dc | |||
1cf989d727 | |||
19f734e622 | |||
d6e3d9626c | |||
9c32e42dcc | |||
61e6d3232b | |||
a87b99d0a4 | |||
43d32ac16d | |||
d0fd8cde46 | |||
5223ea53f6 | |||
253426ce00 | |||
df67b6cd26 | |||
766da21097 | |||
18461c0d59 | |||
028b151c78 | |||
7176b066bb | |||
c3c3614f63 | |||
e13288fc29 | |||
9d1944c658 | |||
e9e3704b67 | |||
7d3c7342ae | |||
8f80ed2cce | |||
d00f996f59 | |||
e40fd24f26 | |||
83efd6c876 | |||
f0c4206ab8 | |||
8b43a6ffb6 | |||
2bca10b0e4 | |||
eec3e27d66 | |||
e51ef52721 | |||
9dc67d402f | |||
62ec4e014a | |||
4d03842f7c | |||
8fedc5518e | |||
43dc336638 | |||
2b08fcd21a | |||
557618d43f | |||
e8ac6cf0f3 | |||
f8fc391cae | |||
6c1afa3fd8 | |||
008584b465 | |||
a22c862192 | |||
cd0c070439 | |||
201ff64b25 | |||
9bee145e25 | |||
4528b7c2a6 | |||
1eac0fcad8 | |||
8e5b2dc5cc | |||
f89cd4d7e2 | |||
dd15f9c943 | |||
4048b3327a | |||
f4229e34f6 | |||
5208a3483b | |||
92eacfad20 | |||
80309d107b | |||
d0f151595f | |||
93f8d3aa89 | |||
d84645f3e1 | |||
55b71d6901 | |||
89c65ea578 | |||
129273e8d8 | |||
fdac196c6c | |||
3f4b4fb810 | |||
2c7211ffa3 | |||
18f25307ab | |||
7c55d10ceb | |||
5c549faaa8 | |||
9fd35a9ce4 | |||
5487a93972 | |||
fe16ea373f | |||
163434af09 | |||
71164400d4 | |||
f887dacdea | |||
4f5c8dbbaf | |||
14b192b1d9 | |||
2b04812320 | |||
f962816eab | |||
c4583f787d | |||
22e40db034 | |||
501f11a8e5 | |||
505f101e00 | |||
f44eebc133 | |||
2f6f6ba703 | |||
371b0c7e76 | |||
ae34eacf4a | |||
dab6f08d89 | |||
8190523c30 | |||
d335d69ba6 | |||
cec49eb5fc | |||
22db38c98f | |||
0d4eebbb59 | |||
025f6a0c0c | |||
abc74c5445 | |||
6942f09f69 | |||
56f6855af7 | |||
81c822e68e | |||
53e80b1f19 | |||
21feb01e7b | |||
9ea7b2b475 | |||
fce4d89e1d | |||
6b282375f8 | |||
6782fc6c5b | |||
73550ad5a9 | |||
48d67ef6c2 | |||
73e30d20e9 | ||
5f85082553 | |||
46f15ac201 | |||
b442ddf1a4 | |||
b006538147 | |||
995aa0b2e2 | |||
896ec0ad0f | |||
2d9d2701a9 | |||
74e11db8b6 | |||
e046363e52 | |||
aa3f816388 | |||
3eff2662bb | |||
260986b9f2 | |||
15afbe94bd | |||
efd35a9cd1 | |||
50ad1d637c | |||
c299d53146 | |||
152b71e718 | |||
0911d5b92a | |||
5ddae068af | |||
d17be714ec | |||
28ce15d74d | |||
504f9bb570 | |||
f158cb63e8 | |||
8860f76cad | |||
b86798cd69 | |||
7ed74931cf | |||
6e9d33b483 | |||
58abaefbc4 | |||
5ea7827a8a | |||
b17e4a13f9 | |||
9c4e60c2c2 | |||
e7376917bd | |||
130e191d37 | |||
349f69e30a | |||
59ab6405c5 | |||
a0dab66aa5 | |||
525cad4117 | |||
24ee74d614 | |||
15b4b28d2c | |||
b1ce302e4b | |||
b8b85f55cd | |||
1189626a6f | |||
dbd95dd7b8 | |||
81b680a7d2 | |||
ba60e121df | |||
432e6c8521 | |||
c8160122b3 | |||
3863fc25a5 | |||
2b26cd2f46 | |||
30f2079f0b | |||
366436b6d3 | |||
9f1cd02144 | |||
de89197a4a | |||
5d3820631a | |||
9c8a077828 | |||
fce556cb28 | |||
82ccae1315 | |||
37ce5ef391 | |||
1df80460d2 | |||
7f17fe8874 | |||
3b21a32d83 | ||
5880a6e5f6 | |||
c4d5135fde | |||
3f2b9a766b | |||
ecbb45d6ac | |||
c564d945d4 | |||
3ed644b88f | ||
8ceaddfea7 | ||
2a953d811c | |||
fec4ddf6ab | |||
9aaea0da0e | |||
ed887b0412 | |||
f55b48ec86 | |||
1e52075c18 | |||
062b1c3c77 | |||
1520eaa64e | |||
54b4448e4b | |||
28a7496fbd | |||
b5dae25e7f | |||
bdc3670ccc | |||
af590d5ace | |||
8a31895e48 | |||
d9ae85ce4b | |||
20ded0c0df | |||
fe1d3fbb80 | |||
5234ca32fd | |||
cfe0c0e6e6 | |||
7afe7344ac | |||
bd83ca53ab | |||
e148de50d6 | |||
ff34ab5732 | |||
3f17a489ef | |||
501a92376b | |||
4033854014 | |||
e6b4af4b16 | |||
cbf6f03a84 | |||
4316e7b12d | |||
e7bdc1595a | |||
f0f6b7c354 | |||
0086b9452a | |||
4111b22f57 | |||
85c70a8d6b | ||
0d9c99a24e | |||
db98b1f698 | |||
84c4b6b81c | |||
f605f8e5e4 | |||
8d5714c67b | |||
4727c98354 | |||
bb1de835f7 | |||
ebeb2ff549 | |||
9f245946d7 | |||
19e195b894 | |||
54c2bd119f | |||
e5d85c1b38 | |||
f1486b84c1 | |||
51e331a9d9 | |||
472f4b0334 | |||
425dca3e00 | |||
e4080cf931 | |||
fc9285f89d | |||
fbe238f5b6 | |||
9874da566d | |||
91cdc91738 | |||
db391ee9c2 | |||
bab7a45587 | |||
8731a4797d | |||
9e889884c9 | |||
5412e14dba | |||
41a93cd176 | |||
873d2f1abc | |||
867e61acde | |||
7ace376e4e | |||
ce4b196010 | |||
f9c832654e | |||
4533c94b4f | |||
7b72b38023 | |||
779247691f | |||
c724ad2ad3 | |||
2a3b269b9c | |||
7f3d3b953d | |||
0184f5e382 | |||
916e4f49a6 | |||
8fe7458969 | |||
be25283da5 | |||
1864c08c95 | |||
bead8aea0a | |||
dd802e2ec9 | |||
8dbd1a3c34 | |||
ce7238c780 | |||
552ebdbede | |||
ebc5c4d84f | |||
8634a9e133 | |||
0ce79ed79e | |||
5f492ee1d7 | |||
9071a4de8b | |||
3040a803b2 | |||
70a9e855cf | |||
51dcc6896e | |||
fd766d8ff8 | |||
aa64e9ef24 | |||
ba2b74fd5a | |||
1ae5d9e25e | |||
ff98ba47c4 | |||
599b23ef52 | |||
3a4062ac04 | |||
a3e1047f51 | |||
8dbee06d1d | |||
d522113cb9 | |||
7bfd786c01 | |||
5a5f4672cd | |||
2646ad4b70 | |||
b120a7ca85 | |||
2a0254b684 | |||
e3e6e7662d | |||
868f825e26 | |||
f231dc81f1 | |||
a758eef354 | |||
9c9c41fb57 | |||
1a1708f16f | |||
efe1b7e399 | |||
6122fef927 | |||
8597bb97ab | ||
7d4c9a57c6 | |||
3efc10e57d | |||
065ab83083 | |||
4883b750bd | |||
ee5cbd08dd | |||
61bd7ee947 | |||
abfd8484ee | |||
a63f578c99 | |||
01e07d559c | |||
4b06175b42 | |||
eb9876aff6 | |||
8d31c552f5 | |||
68f4d54dd1 | |||
2042d58b72 | |||
2c8c90e6e4 | |||
208dcb7dde | |||
e2f82a6383 | |||
d704816de9 | |||
74ec4eb22a | |||
0a5f9b55f5 | |||
900de39e2f | |||
1e466d07df | |||
13807c5e8f | |||
d8d6d6d421 | |||
a242ddd39c | |||
a2c5fe1f5e | |||
2c52ef9ff0 | |||
ee24b910a1 | |||
4b1d4c18af | |||
fd5fb5c055 | |||
acb91695ac | |||
18d64c352c | |||
124cb6a4c3 | |||
bcf2df64c8 | |||
c30851d6e9 | |||
9d93760e6f | |||
aad67b9d99 | |||
e1d406023d | |||
db6bb90af8 | |||
1266c8f04e | |||
2b7823788c | |||
86eacdd3e5 | |||
4fa074f893 | |||
a260a1bc1b | |||
8912d2b9bc | |||
b4015ded86 | |||
0f54d63a46 | |||
6c656182f1 | |||
be4187de3c | |||
0b22a1b8a4 | |||
f18f1937ae | |||
4b78ec9134 | |||
6c0c26b3aa | |||
fb1744306d | |||
394c7ecd7b | |||
3276f54e86 | |||
4c806b8ae9 | |||
832866cbfa | |||
9fc393bb6a | |||
d81d9d58e1 | |||
d54dcc8d8f | |||
a5fae4a289 | |||
a355926cf0 | |||
d7a4420205 | |||
0b55ce3d02 | |||
0ce574800e | |||
a7e09e55df | |||
1622b3e7fc | |||
3424cac761 | |||
f98af9aeef | |||
b4a20d7c3a | |||
8c14b75e44 | |||
e497e1b88b | |||
07411beb49 | |||
e8bab9928d | |||
544d5a3d69 | |||
976cdd5a4d | |||
312f2cb368 | |||
45ac6e95e9 | |||
e6bb6e735d | |||
cfbfcdbe8c | |||
c31bfd6b4d | |||
f015e5f71c | |||
534c5dd261 | |||
caf0e9545a | |||
d20fa359d9 | |||
9be15fdad2 | |||
f2f024b82d | |||
932d273ec7 | |||
13e365002c | |||
a38072762f | |||
adf1ff29a7 | |||
1ec8d7a625 | |||
f78f4f5822 | |||
67a57cb3e5 | |||
85896f8546 | |||
5e728773c3 | |||
0a06cf564b | |||
db26b2ae37 | |||
f7d00dec25 | |||
2053ec82b7 | |||
f2434a17c2 | |||
1f7045fcfe | |||
0c4a1efa27 | |||
530958496b | |||
df378a2933 | |||
2a0fe5a137 | |||
cbe9af5d04 | |||
b2283efd46 | |||
7f18deaf69 | |||
b953fd4b2f | |||
080811fe9d | |||
e7647f1d99 | |||
aad2c276aa | |||
ce5577f14e | |||
e23392fccd | |||
dfbeafa2b2 | |||
7d4281a5c1 | |||
dfea0be2d9 | |||
df91da8c34 | |||
30c21155af | |||
a43016ebee | |||
801bb4ba3c | |||
a9d740e95a | |||
08eaf312f2 | |||
0b57bbc6e3 | |||
6558a6ab77 | |||
0d196af473 | |||
d35becb663 | |||
5421eab09a | |||
1c7de2f7c9 | |||
c7692995f4 | |||
0af185afd8 | |||
470b3d2512 | |||
1bf6747b3a | |||
59bf51dfde | |||
f5dcaf831b | |||
feb39f404a | |||
11e897c10a | |||
1da216bab5 | |||
d8c19eb4b4 | |||
0e176cb2a9 | |||
3a249c5d88 | |||
df32aa62d0 | |||
b72d9936a2 | |||
5ebb57deff | |||
5b82a72647 | |||
a5c7205481 | |||
fd1b467a60 | |||
933cd1e3c7 | |||
5553ee79a9 | |||
bb6129a77e | |||
b8f7c16d1c | |||
3f4f3e1105 | |||
a34e619333 | |||
46a3465e78 | |||
1d788aeff2 | |||
9a500dd3d6 | |||
0605bc4ceb | |||
882161b21e | |||
5e8ff50c98 | |||
cdb0688ec1 | |||
ebb5e94416 | |||
89049d0b1f | |||
6d16772d07 | |||
e37f9e2b0f | |||
9767238c76 | |||
a5a0fd9b6f | |||
be69070f61 | |||
53f6dcec8d | |||
87c4521de3 | |||
461d6d2f34 | |||
ef2ffa61c3 | |||
c0b23ad450 | |||
f12ba9f8b0 | |||
a211e9ebee | |||
5dbbb27c43 | |||
69bb2128db | |||
c775ee4d6f | |||
de7cae6208 | |||
de4ac8cbd6 | |||
e1dcad50d0 | |||
0120be66fb | |||
6cb079a44e | |||
a5449067a7 | |||
1009736d81 | |||
a94765e8ae | |||
9630b23ce2 | |||
ed158ee87f | |||
480dd95d9b | |||
f7b18098b1 | |||
c580254dde | |||
7e6c395ff8 | |||
6978677cb5 | |||
f5b4580dae | |||
035becd018 | |||
a7fb69ab92 | |||
733eb93f23 | |||
b60e821eaa | |||
f43d549294 | |||
ef2631b699 | |||
9d2de00b0c | |||
2627552a0f | |||
03c7256767 | |||
a46a2ee794 | |||
94fa0de4fc | |||
054d70d23b | |||
91a5bdb344 | |||
f148a71c6c | |||
243ed2331a | |||
9fae434553 | |||
898534ee52 | |||
bf28263cc5 | |||
84623ea9d0 | |||
5753f0c312 | |||
b57a17dd52 | |||
115e9beb59 | |||
fd84af45f0 | |||
833d58a875 | |||
5789b4a77a | ||
ef5e98e06d | |||
a6549c1908 | |||
180fa4c992 | |||
4cfad119ce | |||
a2e02bb136 | |||
246aa8e7d1 | |||
f28817c3bf | |||
bff0395872 | |||
d18a95f8ed | |||
1a99a7eb73 | |||
4b5a948918 | |||
7ef24b88e4 | |||
c28618b95c | |||
20c5446743 | |||
38220140ec | |||
f5987a0094 | |||
60b2f9f6cc | |||
b60698b791 | |||
e57107024e | |||
1ffca6c9e0 | |||
7d5e3f1845 | |||
df7c79f34b | |||
a2195aef43 | |||
6e7a7febd4 | |||
0b319b8a63 | |||
315cf1d0de | |||
3e3ce35237 | |||
2227f08814 | |||
f74446b225 | |||
a5af7890b8 | |||
d2834624c2 | ||
35d19c262c | |||
c0362b6639 | |||
08aabfa657 | |||
762fe8b82c | |||
53d99d41cf | |||
9eb5c74cd6 | |||
aa083b1b66 | |||
58fab3b87e | |||
f2c6a3cb15 | |||
b6d742380b | |||
c083d96b79 | |||
1a9b8470bb | |||
f9581cfb59 | |||
3be896d90d | |||
4125e39ce0 | |||
11a521ff51 | |||
fb2b3cbe06 | |||
776a6ca1e4 | |||
83921d1788 | |||
b6f563f621 | |||
5d6f691045 | |||
3892167e7d | |||
6937ffcfe9 | |||
760787858a | |||
a4b8f8e94b | |||
df62451fcd | |||
a9e1579242 | |||
d5626851de | |||
5de45cb247 | |||
92cd88e365 | |||
5a49611bf6 | |||
9fc2a2025c | |||
2cc0c85635 | |||
c075498f71 | |||
e0197950a6 | ||
cafc67d107 | |||
c0a0eeec7f | |||
fb1d50e9dd | |||
a359cc9d32 | |||
1402111e40 | |||
9377adf787 | |||
20e99f122f | |||
53c098d921 | |||
d2222f6868 | |||
dbdcfea019 | |||
375a79d27a | |||
2aa099f0e2 | |||
600e1b9987 | |||
a4752603e9 | |||
5b4bb30e55 | |||
e1433fedb8 | |||
f729fc4006 | |||
03298228e4 | ||
58294d4467 | ||
48a61dc292 | ||
5815a9af09 | ||
ea66d7e4e0 | ||
3e197da8a3 | |||
866d4561d3 | |||
9a88319153 | |||
a96839d11a | |||
a71ae9c2c6 | |||
d490ef2694 | |||
b4e37a15a9 | |||
9bb570af7f | |||
4d629fe8f7 | ||
f5c8d0cb88 | ||
cb6577b439 | ||
b60a46b683 | ||
1a6075a2b1 | ||
12ff1fd506 | |||
732b0c0e9c | |||
64f077c4f6 | |||
7c94997023 | |||
fb0dee4b61 | |||
bde54c69c5 | |||
2151e20bd6 | |||
886d16bcc6 | |||
5c0f179830 | |||
422d359b48 | |||
60248ab06b | |||
1cb63b464d | |||
821b4f0d15 | |||
0cf35decc5 | |||
26e3a86c78 | |||
b96c39e0ba | |||
f842f1e01d | |||
71c06d02da | |||
604cfd90a3 | |||
07253c3fa0 | |||
eab323a13a | |||
8ce2a68cd7 | |||
99c6196734 | |||
dd75a840ce | |||
e49e3b087f | |||
59040d9355 | |||
6422741cb7 | |||
99beac9b23 | |||
58dc277d3d | |||
47b326c646 | |||
419e7f95cc | |||
b0af9b8608 | |||
4afda7dbfb | |||
02a103565c | |||
788dd13ebd | |||
41665bc6fc | |||
9aa07993b2 | |||
e0a68c077c | |||
989f6ee018 | |||
3e5a56ebdb | |||
3ef4a505d3 | |||
aadce016e1 | |||
1d9a5c4721 | |||
11e400abb5 | |||
a8477b1b05 | |||
7a6cbd3a9e | |||
3de7b5a0b6 | |||
485b9150e5 | |||
fa0e9f591f | |||
de175b2380 | |||
bfbbc294ae | |||
9bea3cc264 | |||
f10f8472ac | |||
26ad3e49f7 | |||
312656ce54 | |||
63aa07dad5 | |||
d1c32869c1 | |||
3566cf0152 | |||
0b7e92b6f9 | |||
f8122f3c8b | |||
699404bafe | |||
d68ce914ba | |||
cb482fa3ea | |||
3c150d3910 | |||
8a97fefafa | |||
10b1ff8f7a | |||
0e0f1b265f | |||
5ea9ff5ad8 | |||
2b36e33b7e | ||
b64b864194 | ||
72e7a8dab7 | ||
46536548ca | ||
8406c1c4e5 | ||
bc912162a0 | ||
4e727bf632 | ||
5c7af00dfa | ||
5caf2f79f3 | ||
a90c044c3e | ||
99532c9c60 | ||
ddef901e2f | ||
1ae5acfe6a | ||
d108306a29 | |||
e0fbbe32a6 | |||
37e11c749f | ||
02a62c18ac | ||
0ac0205366 | ||
a2306eb941 | ||
38d4d0b48c | ||
63b08fa4e8 | |||
992af14c7f | |||
99f3326609 | |||
a4b2dfddb4 | |||
830d648925 | |||
e4ab177d6c | |||
b7dcf7bc69 | |||
5ac581b573 | |||
b900cb95f0 | |||
389d3f6310 | |||
76deac0a63 | |||
87f751185c | |||
ec056d97e5 | |||
872ad1a289 | |||
617ef21d38 | ||
5cd9894636 | ||
bfc32ef4b7 | ||
cb4d27aefb | ||
d27c696259 | ||
a55019c6ef | ||
8a81c6bfba | |||
c59f298ae2 | |||
6818b29d02 | |||
8445fb0928 | ||
1aa0e77157 | ||
938246322f | ||
6c0f4ec1b3 | ||
46f7add84c | |||
87fa3bb336 | |||
9c8282362a | |||
74cd3d4fbc | |||
c41456412c | |||
f0ae0df341 | |||
9d38a37787 | |||
7d66b34140 | |||
0781e8b28e | |||
88087bb4b7 | |||
637c57b388 | |||
26ab2d9bbd | |||
133ef50bb4 | |||
3a2694ad36 | |||
5804b167db | |||
425479c9fc | |||
a286488979 | |||
d70adae9ec | |||
854707103c | |||
972be56eed | |||
56c625bfe4 | |||
968accd552 | |||
3445a72686 | |||
f68564efe6 | |||
4780a81d70 | |||
b192fc44f5 | |||
7b4da07dbf | |||
3bcbc62a98 | |||
52360c9459 | |||
71a1396955 | |||
b600f64fcc | |||
14fbb1499b | |||
c1efba1e65 | |||
29d7245135 | |||
363700eb9a | |||
7e10a43b40 | |||
c4e49ea249 | |||
d4ca58db2c | |||
d5912c3889 | |||
cb12aa2d94 | |||
5fae560ce9 | |||
6b6b54f757 | |||
b79951c9fe | |||
c684b1870a | |||
5afe819724 | |||
651d91ef79 | |||
14211c9895 | |||
6973f48638 | |||
4786953eeb | |||
a6815dc7cf | |||
6f2375804d | |||
4ffb609261 | |||
1d015c7e1e | |||
ed932c9921 | |||
a36d912022 | |||
8373751f67 | |||
2f7032aca6 | |||
6dd41fd96f | |||
09a0348b0e | |||
051a74b85d | |||
8a77900201 | |||
1291b90b7f | |||
8e130604aa | |||
0015c7e4cd | |||
9612c69aec | |||
6e0e2f0bf6 | |||
48820ee2d3 | |||
9277e60079 | |||
c869b6e3b4 | |||
0b95ea20b7 | |||
ceb25e5d18 | |||
0c9e89dcc0 | |||
ebcbf91fbe | |||
3e2b369e3e | |||
d4947a40b9 | |||
243d022620 | |||
0ee2747215 | |||
5fd2a62684 | |||
0e0bf9e7a7 | |||
cb5bcd7097 | |||
d51fe5db48 | |||
c36b724e9a | |||
cdf48181e5 | |||
a6b7b14d5e | |||
2ca58c46b4 | |||
25208a8158 | |||
c46feb4bf2 | |||
4d626bff97 | |||
042876a287 | |||
edd71815eb | |||
39c360b413 | |||
3ce0d3934b | |||
60cab85fc4 | |||
95809bd2bf | |||
e5561b8735 | |||
ed1cd75d56 | |||
d4dfbb7501 | |||
b65a442cb0 | |||
9c6b7a9f87 | |||
d84ccf566b | |||
0faf22a43f | |||
e89139284a | |||
b453c12253 | |||
32d8636ae1 | |||
e4e427b7f6 | |||
fe760c0023 | |||
4591eca1fd | |||
9beda65778 | |||
0f62151dcf | |||
0bc81c8943 | |||
a3804e31f2 | |||
ed4a9e1bc3 | |||
57c60821ce | |||
1e84dc196a | |||
3d0e93b4d3 | |||
8262fd3104 | |||
2b9c3da911 | |||
aeac1a6068 | |||
130fe39c8e | |||
5c2bd13c3d | |||
140598a28b | |||
892fb35d27 | |||
afd333adef | |||
76f2ef4b95 | |||
ed5f6bc22b | |||
3b80c2fcb9 | |||
b5cadefca9 | |||
203dc9f295 | ||
2e18761b48 | ||
748d335a39 | ||
9646a1298d | |||
5a8cc1e514 | |||
7d4db6b6de | |||
756c5dff92 | |||
9a0ea08d72 | |||
a8db596b35 | |||
90d7c83261 | |||
d70316a25a | |||
eb4adf9520 | |||
266fffdb5f | |||
f65e4d01c3 | |||
53d8e535b5 | |||
1bdeca9e7d | |||
5e9adf3fe6 | |||
c858f521bf | |||
bdaadd4ef7 | |||
b8a1ea3f72 | |||
eea9539258 | |||
3dbb24dd9e | |||
da4bbf8533 | |||
df1f22c122 | |||
f87d830218 | |||
3d352fee19 | |||
284662d6cd | |||
84a8060bc5 | |||
1340d1d2e8 | |||
1f841649f8 | |||
8d5853bba9 | |||
dd5832b39d | |||
ad7c04845b | |||
6483d645d1 | |||
4000dbd0b8 | |||
6fa3facfb1 | |||
ed95cb0a04 | |||
aca7e36fc7 | |||
0bb5c76aad | |||
2153e58baf | |||
ceeb0f7f41 | |||
a147a396d9 | |||
8bc5656461 | |||
d192a59fdc | |||
734d494d96 | |||
2863ab6ae1 | |||
4f0da10321 | |||
0c438d4dac | ||
a0dac209e3 | ||
37bd4c33f2 | ||
e8f649327a | |||
daadcc93d0 | |||
e65c801a20 | |||
a076d7d3d0 | |||
d2d3ccf332 | |||
e1e34ddf75 | |||
33f6ae7e55 | |||
fe0bd8b200 | |||
bcb9cf31a3 | |||
dcb56643d5 | |||
ef4bb13a7d | |||
69af473241 | |||
016422cede | |||
5e50ef19fe | |||
641e752bd5 | |||
74537e682c | |||
433c8864ea | |||
e0ca33569b | |||
65918bca21 | |||
dea523460a | |||
b4a3bb0ede | |||
dabc6be640 | |||
2a42c1e53e | |||
18afcb1f44 | |||
3372f94855 | |||
288318b556 | |||
42f2227a9f | |||
4ae66adb9a | ||
86d1d426ec | ||
5333058741 | |||
9a7e59a076 | |||
0b0f6ac9f0 | |||
74ce07b193 | |||
f2610361a7 | |||
acc3390b6b | |||
9faa4ef101 | |||
cd3afe4ad6 | |||
4111535a9d | |||
09361fae77 | |||
dc3e84a148 | |||
1838178761 | |||
63f966e3c1 | |||
966606b62d | |||
5763b91d39 | |||
47f67dcd85 | |||
48869d6e4a | |||
92f58651b8 | |||
c0669d7dc8 | |||
31f7d17a41 | |||
538d595d30 | |||
dec183b221 | |||
92eee2ede8 | |||
a8208480c1 | |||
dd0823876a | |||
9d878eeb4a | |||
11ac02da08 | |||
074a75facb | |||
7a80d1ca98 | |||
9e477a2313 | |||
5bd042ef67 | |||
d7be13f88d | |||
476c2f20f0 | |||
de6b4864ee | |||
33682ef48d | |||
634d2040b5 | |||
df4d908f1c | |||
f0122d557f | |||
62c9da2474 | |||
0c58bb63b5 | |||
de46366985 | |||
376ab9b32a | |||
5eea48c5b0 | |||
f1f75c1c11 | |||
c3988dacd2 | |||
e778ad75b3 | |||
317409f6ac | |||
3eae92bdc4 | |||
8bc0dc202d | |||
6b40e6f9e9 | |||
d5d42b3c09 | |||
0bcfe5d25b | |||
5e2797bcde | |||
efd7df068e | |||
7c5345f4bc | |||
43991e9173 | |||
7b26b59988 | |||
a66cdb52fb | |||
3bd4e61f3f | |||
59346fa97e | |||
fd1229ddc0 | |||
8ce88ef046 | |||
06c29b573f | |||
7852d86a3f | |||
4beb069627 | |||
1321b6a888 | |||
ed8a6416a0 | |||
81d144d716 | |||
30ad4219d9 | |||
067fb0c0a2 | |||
308673f7f6 | |||
1bd9cb6c0f | |||
ede25b6736 | |||
2680dcb66f | |||
be0506bc21 | |||
f33137a55e | |||
65745e0aaf | |||
c3659d316d | |||
4f901c1b9c | |||
74f83b5c11 | |||
11601703ce | |||
6f60e3cab2 | |||
72ba080db1 | |||
dad70761ad | |||
9c20537f91 | ||
56584c9e97 | ||
6a1375726f | ||
d757332448 | ||
58e3d48a16 | ||
b856e2147a | ||
22a294f9cc | ||
ea0272c212 | ||
e20061254b | ||
01b2584688 | |||
7bf3e81233 | ||
6bd7e12cff | ||
b5fb3730ac | ||
a44042615a | ||
05ce36e158 | ||
6ccc159487 | ||
8b985de65d | ||
ae6a3f9206 | |||
327a155907 | |||
80ccd1240a | |||
9d8f7d9074 | |||
c7d2e2d866 | |||
148c614540 | |||
478535b4d1 | |||
7a37913b4e | |||
05b37aa11d | |||
04328d81ff | |||
a38ff31cca | |||
d0a259f15d | |||
f2b39decba | |||
251103ffd3 | |||
6ab448b10a | |||
aa1ffa5208 | |||
4de20d3aa5 | |||
27bc977590 | |||
1b703bd431 | |||
298c7362b3 | |||
9020f87765 | |||
53dca32469 | |||
9d2ce2a1c2 | |||
e6e42dcec9 | |||
332b738889 | |||
a576be8031 | |||
654e243735 | |||
45afe7d391 | |||
d599b8c52f | |||
697d4e652e | |||
26ea326ded | |||
66a5e06ada | |||
e8d884a627 | |||
81004b5ee6 | |||
4ea0d16926 | |||
ba221c5200 | |||
effcc2d20b | |||
2a01ee7f24 | |||
896ebd4ace | |||
0a26c72440 | |||
4ce514de9b | |||
c36fc8a08b | ||
ec555e59e7 | ||
8f65030161 | ||
30630a74be | ||
6d413c946c | |||
533d8e9768 | |||
d4ea0fe607 | |||
2f56488197 | |||
3dd609f7db | |||
368aa57cb7 | |||
18081b3485 | |||
231672a222 | ||
b403fbefe1 | ||
c85b2976ef | ||
6ae71cc5e9 | ||
5cbc8e4fbb | ||
50eeca2257 | |||
61a2db03dc | |||
fd47044bfb | |||
79a4a4d16b | ||
cec7a280c0 | ||
dcf64bd1f6 | ||
ce7566cf7a | ||
78b96c1bc6 | ||
6a2d865225 | ||
8f5c5146b3 | ||
e3349bb864 | ||
ef592c060f | ||
d210e96d18 | |||
35f4ba545a | |||
a227084e39 | |||
ec21ba98b5 | |||
69b1dcf08a | |||
eb46e8f41b | |||
fa734deaca | |||
f72a4e9bc8 | |||
ae2cdf8790 | |||
dadc02ca99 | |||
ff4d39233a | |||
985091130d | |||
724b8f232a | |||
c1b64e8897 | ||
c8915dfc89 | ||
3419db1fc6 | ||
32ac89b97f | ||
79fae204c2 | |||
ed7f6e3e97 | |||
1d5b528cd0 | |||
e3623b05fd | |||
ebd947c544 | |||
e044ce918e | |||
7de0593e4b | |||
58e6c76349 | |||
c5e225c778 | |||
edf429c932 | |||
cd37d513e8 | |||
ad4df5e05d | |||
5920c964d2 | |||
cc101ad1d3 | |||
126f05e92c | |||
dba1cc22bc | |||
847b5b3e0a | |||
c4dc42c2a4 | |||
be95827927 | |||
bdc221ba81 | |||
8110bc2976 | |||
d469ccd59d | |||
d05d32edbf | |||
68c8691916 | |||
4fa8d8f683 | |||
8613253395 | |||
0cc5fe92e5 | |||
196b681586 | |||
87809ef903 | |||
09c2b9005a | |||
cfa5187988 | |||
27fbecf970 | |||
839489d20f | |||
d1e152a917 | |||
f44f5b4338 | |||
fa1f06ce31 | |||
cff653d164 | |||
67ac951289 | |||
5b1a296640 | |||
76b0a239e3 | |||
1473874563 | |||
4b27ceec6d | |||
5314f343b6 | |||
14684040a5 | |||
c70d35cd50 | |||
1e07be863a | |||
ecc01e4314 | |||
23fa7d8654 | |||
01295487d8 | |||
df18435dfc | |||
338736d257 | |||
ef1aeb2cfa | |||
8db4ef2594 | |||
b777fbc6d5 | |||
b9e9409a59 | |||
f4cbd654e2 | |||
9631f4c223 | |||
bab4c696d8 | |||
39a639ac10 | |||
85c15e9f3f | |||
c7c8d858f4 | |||
7c92f713cd | |||
5df174f24e | |||
272511f058 | |||
f1e891b6bf | |||
f6137a7bc0 | |||
b93851ba93 | |||
b042e783e5 | |||
ea81c34f31 | |||
97d69d25ee | |||
0eec726335 | |||
76ec5d5f16 | |||
11901e77de | |||
979888eede | |||
bbc851db78 | |||
9cba2d609c | |||
bad6f3c761 | |||
ac1523d946 | |||
cf72d526ee | |||
419418781f | |||
f842b22330 | |||
215b104174 | |||
0a09affbc4 | |||
1e54fbdc43 | |||
10b061aa96 | |||
ab0aa74590 | |||
f07d87e97e | |||
ca0c1445ba | |||
b8d15e7d84 | |||
f20ef93c56 | |||
ba13d37694 | |||
528cd7d205 | |||
60fdba40ae | |||
c50158e3be | |||
81bcf20419 | |||
321bfa290c | |||
3b23b230ed | |||
11b1652617 | |||
d634538223 | |||
cd409677b0 | |||
0b2f9df3ea | |||
3298c5442c | |||
99b716db87 | |||
a78f0caec9 | |||
dc12cbe045 | |||
577a7c3190 | |||
7c68efe743 | |||
261d304961 | |||
0daa0b9c35 | |||
114a6b081f | |||
fdc8b68d9a | |||
5df94bfc66 | |||
7b2c88be78 | ||
6f06022aa5 | ||
599e504f1a | |||
c03ac6d05a | |||
a95f7fa35e | |||
018bebc264 | |||
ee5964a984 | |||
0f2b4754fd | |||
91c38d70a8 | |||
0663895b3f | |||
bdfcb65b7e | |||
7d8f86eaad | |||
1e02ac9023 | |||
e0c5a3ebca | |||
940c494d8e | |||
8032825765 | ||
2189436619 | ||
61f055e258 | |||
9662ff4138 | |||
1f36743459 | |||
9ca29d5cf8 | |||
9d65f2ae2c | |||
61c799e7e4 | ||
33a46f41ce | |||
a1f33444b5 | |||
74222706bf | |||
5064170b31 | |||
3ddd1721f4 | |||
71430b3552 | |||
19c18627be | |||
d6093681cc | |||
08a3512bf1 | |||
9a5759c45e | |||
a4d20edd8b | ||
bd9788961b | ||
67c692b648 | ||
a83627890e | ||
53aebe5846 | ||
6b5e5aafa9 | ||
6dc2f8045d | ||
040f205538 | ||
210e705653 | ||
f5484cf5c3 | ||
57f09c1967 | ||
86b4b016b2 | ||
ed829aace0 | ||
d9ec42614c | ||
19e4e12126 | ||
a8523c4b4e | ||
63c78f50de | ||
cae91fdcc0 | ||
fbbdf0740a | ||
98b51cfa6d | ||
5cec4b02de | ||
ebea6f1e81 | ||
2feaafb104 | ||
3c2b7c163f | ||
a331ec5f14 | ||
ceaf273219 | ||
3805eb0ceb | ||
37b49e1dd3 | ||
b600bb77d4 | ||
20e3f4d4f0 | ||
5a4068b497 | ||
![]() |
83770803e5 |
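--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -0,0 +1,20 @@
+name: CI
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  build:all:
+    runs-on: native
+    steps:
+      - uses: https://gitea.com/ScMi1/checkout@v1.4
+      - run: nix build -L --no-link --print-out-paths .#bsc.ci.all
+  build:cross:
+    runs-on: native
+    steps:
+      - uses: https://gitea.com/ScMi1/checkout@v1.4
+      - run: nix build -L --no-link --print-out-paths .#bsc.ci.cross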
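Review bot: The checkout step `- uses: https://gitea.com/ScMi1/checkout@v1.4`, present in both the `build:all` and `build:cross` jobs, pulls a third-party action from a personal account pinned only by a movable tag, so whoever controls that tag controls what runs on the runner for every push and pull request. Pin it to a full commit hash instead, e.g. `- uses: https://gitea.com/ScMi1/checkout@<full-commit-sha-of-v1.4>`, and re-review the action when bumping. With `runs-on: native` and the `pull_request` trigger, the PR's own flake is evaluated and built on that runner, so it is worth confirming the runner is isolated from production and that the Nix build sandbox is enabled there; a one-line comment above `runs-on` stating what `native` refers to would help the next maintainer judge that.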
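--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+**.swp
+/result
+/misc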
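--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -0,0 +1,6 @@
+build:bsc-ci.all:
+  stage: build
+  tags:
+    - nix
+  script:
+    - nix build -L --no-link --print-out-paths .#bsc-ci.all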
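Review bot: The script line `- nix build -L --no-link --print-out-paths .#bsc-ci.all` targets the attribute `bsc-ci.all`, while the Gitea workflow added in the same commit builds `.#bsc.ci.all` (a dotted path); unless the flake exposes both names, one of the two pipelines fails at evaluation with an attribute-not-found error. Align them on whichever attribute the flake actually exports, for example `- nix build -L --no-link --print-out-paths .#bsc.ci.all`, or add a comment in this file stating why the GitLab pipeline intentionally uses a different attribute than the Gitea one.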
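--- a/COPYING
+++ b/COPYING
@@ -0,0 +1,21 @@
+Copyright (c) 2020-2025 Barcelona Supercomputing Center
+Copyright (c) 2003-2020 Eelco Dolstra and the Nixpkgs/NixOS contributors
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.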
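--- a/README.md
+++ b/README.md
@@ -0,0 +1,9 @@
+# Jungle
+
+This repository provides two components that can be used independently:
+
+- A Nix overlay with packages used at BSC (formerly known as bscpkgs). Access
+  them directly with `nix shell .#<pkgname>`.
+
+- NixOS configurations for jungle machines. Use `nixos-rebuild switch --flake .`
+  to upgrade the current machine.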
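--- a/default.nix
+++ b/default.nix
@@ -0,0 +1,19 @@
+let
+  bscOverlay = import ./overlay.nix;
+
+  # read flake.lock and determine revision from there
+  lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+  inherit (lock.nodes.nixpkgs.locked) rev narHash;
+  fetchedNixpkgs = builtins.fetchTarball {
+    url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
+    sha256 = narHash;
+  };
+in
+{ overlays ? [ ]
+, nixpkgs ? fetchedNixpkgs
+, ...
+}@attrs:
+import nixpkgs (
+  (builtins.removeAttrs attrs [ "overlays" "nixpkgs" ]) //
+  { overlays = [ bscOverlay ] ++ overlays; }
+)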
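Review bot: `url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz"` hard-codes the owner and repository while `rev` and `narHash` are read from flake.lock, so if the nixpkgs input is ever re-pointed at a fork or a branch of another owner the URL silently diverges from the lock; the `sha256 = narHash` pin makes that fail closed, but with a hash-mismatch error rather than a clear one. Take the coordinates from the lock as well: `inherit (lock.nodes.nixpkgs.locked) owner repo rev narHash;` and `url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz";` (this presumes the input stays a `github`-type node, which is the only case the current URL handles anyway). A short comment above `fetchedNixpkgs` noting that the tarball is verified against the lock's `narHash`, so this legacy entry point stays as reproducible as the flake, would also help the next reader.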
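--- a/doc/install.md
+++ b/doc/install.md
@@ -0,0 +1,176 @@
+# Installing NixOS in a new node
+
+This article shows the steps to install NixOS in a node following the
+configuration of the repo.
+
+## Enable the serial console
+
+By default, the nodes have the serial console disabled in the GRUB and also boot
+without the serial enabled.
+
+To enable the serial console in the GRUB, set in /etc/default/grub the following
+lines:
+
+```
+GRUB_TERMINAL="console serial"
+GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
+```
+
+To boot Linux with the serial enabled, so you can see the boot log and login via
+serial set:
+
+```
+GRUB_CMDLINE_LINUX="console=ttyS0,115200n8 console=tty0"
+```
+
+Then update the grub config:
+
+```
+# grub2-mkconfig -o /boot/grub2/grub.cfg
+```
+
+And reboot.
+
+## Prepare the disk
+
+Create a main partition and label it `nixos` following [the manual][1].
+
+[1]: https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-partitioning.
+
+```
+# disk=/dev/sdX
+# parted $disk -- mklabel msdos
+# parted $disk -- mkpart primary 1MB -8GB
+# parted $disk -- mkpart primary linux-swap -8GB 100%
+# parted $disk -- set 1 boot on
+```
+
+Then create an etx4 filesystem, labeled `nixos` where the system will be
+installed. **Ensure that no other partition has the same label.**
+
+```
+# mkfs.ext4 -L nixos "${disk}1"
+# mkswap -L swap "${disk}2"
+# mount ${disk}1 /mnt
+# lsblk -f $disk
+NAME FSTYPE LABEL UUID MOUNTPOINT
+sdX
+`-sdX1 ext4 nixos 10d73b75-809c-4fa3-b99d-4fab2f0d0d8e /mnt
+```
+
+## Prepare nix and nixos-install
+
+Mount the nix store from the hut node in read-only /nix.
+
+```
+# mkdir /nix
+# mount -o ro hut:/nix /nix
+```
+
+Get the nix binary and nixos-install tool from hut:
+
+```
+# ssh hut 'readlink -f $(which nix)'
+/nix/store/0sxbaj71c4c4n43qhdxm31f56gjalksw-nix-2.13.3/bin/nix
+# ssh hut 'readlink -f $(which nixos-install)'
+/nix/store/9yq8ps06ysr2pfiwiij39ny56yk3pdcs-nixos-install/bin/nixos-install
+```
+
+And add them to the PATH:
+
+```
+# export PATH=$PATH:/nix/store/0sxbaj71c4c4n43qhdxm31f56gjalksw-nix-2.13.3/bin
+# export PATH=$PATH:/nix/store/9yq8ps06ysr2pfiwiij39ny56yk3pdcs-nixos-install/bin/
+# nix --version
+nix (Nix) 2.13.3
+```
+
+## Adapt owl configuration
+
+Clone owl repo:
+
+```
+$ git clone git@bscpm03.bsc.es:rarias/owl.git
+$ cd owl
+```
+
+Edit the configuration to your needs.
+
+## Install from another Linux OS
+
+Install nixOS into the storage drive.
+
+```
+# nixos-install --flake --root /mnt .#xeon0X
+```
+
+At this point, the nixOS grub has been installed into the nixos device, which
+is not the default boot device. To keep both the old Linux and NixOS grubs, add
+an entry into the old Linux grub to jump into the new grub.
+
+```
+# echo "
+
+menuentry 'NixOS' {
+insmod chain
+search --no-floppy --label nixos --set root
+configfile /boot/grub/grub.cfg
+} " >> /etc/grub.d/40_custom
+```
+
+Rebuild grub config.
+
+```
+# grub2-mkconfig -o /boot/grub/grub.cfg
+```
+
+To boot into NixOS manually, reboot and select NixOS in the grub menu to boot
+into NixOS.
+
+To temporarily boot into NixOS only on the next reboot run:
+
+```
+# grub2-reboot 'NixOS'
+```
+
+To permanently boot into NixOS as the default boot OS, edit `/etc/default/grub/`:
+
+```
+GRUB_DEFAULT='NixOS'
+```
+
+And update grub.
+
+```
+# grub2-mkconfig -o /boot/grub/grub.cfg
+```
+
+## Build the nixos kexec image
+
+```
+# nix build .#nixosConfigurations.xeon02.config.system.build.kexecTree -v
+```
+
+## Chain NixOS in same disk with other systems
+
+To install NixOS on a partition along another system which controls the GRUB,
+first disable the grub device, so the GRUB is not installed in the disk by
+NixOS (only the /boot files will be generated):
+
+```
+boot.loader.grub.device = "nodev";
+```
+
+Then add the following entry to the old GRUB configuration:
+
+```
+menuentry 'NixOS' {
+insmod chain
+search --no-floppy --label nixos --set root
+configfile /boot/grub/grub.cfg
+}
+```
+
+The partition with NixOS must have the label "nixos" for it to be found. New
+system configuration entries will be stored in the GRUB configuration managed
+by NixOS, so there is no need to change the old GRUB settings.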
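--- a/doc/maintainers.md
+++ b/doc/maintainers.md
@@ -0,0 +1,30 @@
+# Maintainers
+
+## Role of a maintainer
+The responsibilities of maintainers are quite lax, and similar in spirit to
+[nixpkgs' maintainers][1]:
+
+The main responsibility of a maintainer is to keep the packages they
+maintain in a functioning state, and keep up with updates. In order to do
+that, they are empowered to make decisions over the packages they maintain.
+
+That being said, the maintainer is not alone in proposing changes to the
+packages. Anybody (both bots and humans) can send PRs to bump or tweak the
+package.
+
+In practice, this means that when updating or proposing changes to a package,
+we will notify maintainers by mentioning them in Gitea so they can test changes
+and give feedback.
+
+Since we do bi-yearly release cycles, there is no expectation from maintainers
+to update packages at each upstream release. Nevertheless, on each release cycle
+we may request help from maintainers when updating or testing their packages.
+
+## Becoming a maintainer
+
+
+You'll have to add yourself in the `maintainers.nix` list; your username should
+match your `bsc.es` email. Then you can add yourself to the `meta.maintainers`
+of any package you are interested in maintaining.
+
+[1]: [https://github.com/NixOS/nixpkgs/tree/nixos-25.05/maintainers]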
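--- a/doc/trim.sh
+++ b/doc/trim.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Trims the jungle repository by moving the website to its own repository and
+# removing it from jungle. It also removes big pdf files and kernel
+# configurations so the jungle repository is small.
+
+set -e
+
+if [ -e oldjungle -o -e newjungle -o -e website ]; then
+echo "remove oldjungle/, newjungle/ and website/ first"
+exit 1
+fi
+
+# Clone the old jungle repo
+git clone gitea@tent:rarias/jungle.git oldjungle
+
+# First split the website into a new repository
+mkdir website && git -C website init -b master
+git-filter-repo \
+--path web \
+--subdirectory-filter web \
+--source oldjungle \
+--target website
+
+# Then remove the website, pdf files and big kernel configs
+mkdir newjungle && git -C newjungle init -b master
+git-filter-repo \
+--invert-paths \
+--path web \
+--path-glob 'doc*.pdf' \
+--path-glob '**/kernel/configs/lockdep' \
+--path-glob '**/kernel/configs/defconfig' \
+--source oldjungle \
+--target newjungle
+
+set -x
+
+du -sh oldjungle newjungle website
+# 57M oldjungle
+# 2,3M newjungle
+# 6,4M website
+
+du -sh --exclude=.git oldjungle newjungle website
+# 30M oldjungle
+# 700K newjungle
+# 3,5M website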
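Review bot: The guard `if [ -e oldjungle -o -e newjungle -o -e website ]; then` relies on the `-o` binary operator of `test`, which POSIX marks obsolescent and which `#!/bin/sh` implementations are not required to support with three operands; a conforming spelling is `if [ -e oldjungle ] || [ -e newjungle ] || [ -e website ]; then`. With `set -e` already in effect, an unsupported `-o` would abort the script before the message is printed rather than fall through, so the failure mode is silent. The rest of the script is fine as a one-off maintenance tool.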
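--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1752436162,
+"narHash": "sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "dfcd5b901dbab46c9c6e80b265648481aafb01f8",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-25.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs"
+}
+}
+},
+"root": "root",
+"version": 7
+}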
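--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,52 @@
+{
+inputs = {
+nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+};
+
+outputs = { self, nixpkgs, ... }:
+let
+mkConf = name: nixpkgs.lib.nixosSystem {
+system = "x86_64-linux";
+specialArgs = { inherit nixpkgs; theFlake = self; };
+modules = [ "${self.outPath}/m/${name}/configuration.nix" ];
+};
+# For now we only support x86
+system = "x86_64-linux";
+pkgs = import nixpkgs {
+inherit system;
+overlays = [ self.overlays.default ];
+config.allowUnfree = true;
+};
+in
+{
+nixosConfigurations = {
+hut = mkConf "hut";
+tent = mkConf "tent";
+owl1 = mkConf "owl1";
+owl2 = mkConf "owl2";
+eudy = mkConf "eudy";
+koro = mkConf "koro";
+bay = mkConf "bay";
+lake2 = mkConf "lake2";
+raccoon = mkConf "raccoon";
+fox = mkConf "fox";
+apex = mkConf "apex";
+weasel = mkConf "weasel";
+};
+
+bscOverlay = import ./overlay.nix;
+overlays.default = self.bscOverlay;
+
+# full nixpkgs with our overlay applied
+legacyPackages.${system} = pkgs;
+
+hydraJobs = self.legacyPackages.${system}.bsc.hydraJobs;
+
+# propagate nixpkgs lib, so we can do bscpkgs.lib
+lib = nixpkgs.lib // {
+maintainers = nixpkgs.lib.maintainers // {
+bsc = import ./pkgs/maintainers.nix;
+};
+};
+};
+}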
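Review bot: The architecture string `"x86_64-linux"` is written twice in the `let` block, once inside `mkConf` and once as the `system` binding that `pkgs` and `legacyPackages` use, so the "For now we only support x86" comment only covers one of them. Defining `system = "x86_64-linux";` before `mkConf` and writing `inherit system;` inside the `nixosSystem` call keeps a single point of change when another platform is added. As a documentation point, `specialArgs` passes `theFlake = self`, which m/common/base/rev.nix later turns into a hard build failure on a dirty tree; a one-line comment here, such as `# theFlake is used by m/common/base/rev.nix to record and enforce the git revision`, would tell a reader why the flake is handed to every module.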
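--- a/keys.nix
+++ b/keys.nix
@@ -0,0 +1,37 @@
+# As agenix needs to parse the secrets from a standalone .nix file, we describe
+# here all the public keys
+rec {
+hosts = {
+hut = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1 hut";
+owl1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqMEXO0ApVsBA6yjmb0xP2kWyoPDIWxBB0Q3+QbHVhv owl1";
+owl2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHurEYpQzNHqWYF6B9Pd7W8UPgF3BxEg0BvSbsA7BAdK owl2";
+eudy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+WYPRRvZupqLAG0USKmd/juEPmisyyJaP8hAgYwXsG eudy";
+koro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67 koro";
+bay = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
+lake2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
+fox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwItIk5uOJcQEVPoy/CVGRzfmE1ojrdDcI06FrU4NFT fox";
+tent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAtTpHtdYoelbknD/IcfBlThwLKJv/dSmylOgpg3FRM tent";
+apex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBvUFjSfoxXnKwXhEFXx5ckRKJ0oewJ82mRitSMNMKjh apex";
+weasel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLJrQ8BF6KcweQV8pLkSbFT+tbDxSG9qxrdQE65zJZp weasel";
+raccoon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNQttFvL0dNEyy7klIhLoK4xXOeM2/K9R7lPMTG3qvK raccoon";
+};
+
+hostGroup = with hosts; rec {
+compute = [ owl1 owl2 fox raccoon ];
+playground = [ eudy koro weasel ];
+storage = [ bay lake2 ];
+monitor = [ hut ];
+login = [ apex ];
+
+system = storage ++ monitor ++ login;
+safe = system ++ compute;
+all = safe ++ playground;
+};
+
+admins = {
+"rarias@hut" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
+"rarias@tent" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwlWSBTZi74WTz5xn6gBvTmCoVltmtIAeM3RMmkh4QZ rarias@tent";
+"rarias@fox" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDSbw3REAKECV7E2c/e2XJITudJQWq2qDSe2N1JHqHZd rarias@fox";
+root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
+};
+}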
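Review bot: The `admins` set mixes per-person keys (`rarias@hut`, `rarias@tent`, `rarias@fox`) with one key attribute named `root`, whose comment field says it is `root@hut`, and nothing on the page explains why one host's root account ranks as an admin for secret decryption. Since agenix grants every key in the set the ability to decrypt whatever secrets reference it, a comment such as `# root@hut: lets the hut host itself re-key secrets; remove if hut is rebuilt` (or whatever the actual reason is) would let the next person audit the list instead of guessing. The host groups `system`, `safe` and `all` are likewise undocumented; one line each on what "safe" and "playground" mean for secret scoping would help.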
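--- a/m/apex/configuration.nix
+++ b/m/apex/configuration.nix
@@ -0,0 +1,69 @@
+{ lib, config, pkgs, ... }:
+
+{
+imports = [
+../common/xeon.nix
+../common/ssf/hosts.nix
+../module/ceph.nix
+../module/hut-substituter.nix
+../module/slurm-server.nix
+./nfs.nix
+./wireguard.nix
+];
+
+# Don't install grub MBR for now
+boot.loader.grub.device = "nodev";
+
+boot.initrd.kernelModules = [
+"megaraid_sas" # For HW RAID
+];
+
+environment.systemPackages = with pkgs; [
+storcli # To manage HW RAID
+];
+
+fileSystems."/home" = {
+device = "/dev/disk/by-label/home";
+fsType = "ext4";
+};
+
+# No swap, there is plenty of RAM
+swapDevices = lib.mkForce [];
+
+networking = {
+hostName = "apex";
+defaultGateway = "84.88.53.233";
+nameservers = [ "8.8.8.8" ];
+
+# Public facing interface
+interfaces.eno1.ipv4.addresses = [ {
+address = "84.88.53.236";
+prefixLength = 29;
+} ];
+
+# Internal LAN to our Ethernet switch
+interfaces.eno2.ipv4.addresses = [ {
+address = "10.0.40.30";
+prefixLength = 24;
+} ];
+
+# Infiniband over Omnipath switch (disconnected for now)
+# interfaces.ibp5s0 = {};
+
+nat = {
+enable = true;
+internalInterfaces = [ "eno2" ];
+externalInterface = "eno1";
+};
+};
+
+networking.firewall = {
+extraCommands = ''
+# Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our
+# logs. Insert as first position so we also protect SSH.
+iptables -I nixos-fw 1 -p tcp -s 192.168.8.16 -j nixos-fw-refuse
+# Same with opsmonweb01.bsc.es which seems to be trying to access via SSH
+iptables -I nixos-fw 2 -p tcp -s 84.88.52.176 -j nixos-fw-refuse
+'';
+};
+}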
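Review bot: The two refuse rules in `extraCommands` carry `-p tcp`, so they only do what the comment calls "blackhole" for TCP; UDP and ICMP from 192.168.8.16 and 84.88.52.176 still fall through to the rest of `nixos-fw`, which on this host accepts UDP 666 for WireGuard. If the intent is really to drop everything from those sources, drop the `-p tcp` from both lines, e.g. `iptables -I nixos-fw 1 -s 192.168.8.16 -j nixos-fw-refuse`; if only SSH noise is the concern, `--dport 22` would document that more precisely than the current comment. Note also that `nixos-fw-refuse` logs and rejects rather than silently dropping, so if the aim was to quiet the logs a `-j DROP` target is the one that does that.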
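--- a/m/apex/nfs.nix
+++ b/m/apex/nfs.nix
@@ -0,0 +1,48 @@
+{ ... }:
+
+{
+services.nfs.server = {
+enable = true;
+lockdPort = 4001;
+mountdPort = 4002;
+statdPort = 4000;
+exports = ''
+/home 10.0.40.0/24(rw,async,no_subtree_check,no_root_squash)
+/home 10.106.0.0/24(rw,async,no_subtree_check,no_root_squash)
+'';
+};
+networking.firewall = {
+# Check with `rpcinfo -p`
+extraCommands = ''
+# Accept NFS traffic from compute nodes but not from the outside
+iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 111 -j nixos-fw-accept
+iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 2049 -j nixos-fw-accept
+iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4000 -j nixos-fw-accept
+iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4001 -j nixos-fw-accept
+iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept
+iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
+# Same but UDP
+iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 111 -j nixos-fw-accept
+iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 2049 -j nixos-fw-accept
+iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4000 -j nixos-fw-accept
+iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4001 -j nixos-fw-accept
+iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept
+iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
+
+# Accept NFS traffic from wg0
+iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 111 -j nixos-fw-accept
+iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 2049 -j nixos-fw-accept
+iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 4000 -j nixos-fw-accept
+iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 4001 -j nixos-fw-accept
+iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 4002 -j nixos-fw-accept
+iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 20048 -j nixos-fw-accept
+# Same but UDP
+iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 111 -j nixos-fw-accept
+iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 2049 -j nixos-fw-accept
+iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 4000 -j nixos-fw-accept
+iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 4001 -j nixos-fw-accept
+iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 4002 -j nixos-fw-accept
+iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 20048 -j nixos-fw-accept
+'';
+};
+}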
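Review bot: The twelve 10.0.40.0/24 accept rules match on source address only, while the wg0 rules right below them also pin the ingress interface with `-i wg0`; on this host, whose public interface eno1 is defined in m/apex/configuration.nix, that asymmetry means a packet arriving on eno1 with a 10.0.40.x source is accepted unless reverse-path filtering happens to drop it first. Since the exports grant `rw` with `no_root_squash` and rely on AUTH_SYS (no `sec=krb5`), the firewall is the only thing standing between the outside and root-equivalent writes to /home, so each LAN rule should carry the interface too, e.g. `iptables -A nixos-fw -p tcp -i eno2 -s 10.0.40.0/24 --dport 2049 -j nixos-fw-accept`. A short comment above the exports stating why `no_root_squash` and `async` are required (shared home directories installed as root, performance on the cluster LAN, or similar) would also record the accepted trade-off, because both are the opposite of the NFS defaults.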
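--- a/m/apex/wireguard.nix
+++ b/m/apex/wireguard.nix
@@ -0,0 +1,42 @@
+{ config, ... }:
+
+{
+networking.firewall = {
+allowedUDPPorts = [ 666 ];
+};
+
+age.secrets.wgApex.file = ../../secrets/wg-apex.age;
+
+# Enable WireGuard
+networking.wireguard.enable = true;
+networking.wireguard.interfaces = {
+# "wg0" is the network interface name. You can name the interface arbitrarily.
+wg0 = {
+ips = [ "10.106.0.30/24" ];
+listenPort = 666;
+privateKeyFile = config.age.secrets.wgApex.path;
+# Public key: VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=
+peers = [
+{
+name = "fox";
+publicKey = "VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=";
+allowedIPs = [ "10.106.0.1/32" ];
+endpoint = "fox.ac.upc.edu:666";
+# Send keepalives every 25 seconds. Important to keep NAT tables alive.
+persistentKeepalive = 25;
+}
+{
+name = "raccoon";
+publicKey = "QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI=";
+allowedIPs = [ "10.106.0.236/32" "192.168.0.0/16" "10.0.44.0/24" ];
+}
+];
+};
+};
+
+networking.hosts = {
+"10.106.0.1" = [ "fox" ];
+"10.106.0.236" = [ "raccoon" ];
+"10.0.44.4" = [ "tent" ];
+};
+}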
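Review bot: The raccoon peer's `allowedIPs` includes the whole `192.168.0.0/16`, and with the NixOS wireguard module's default of installing a route per allowed prefix, that sends any 192.168.x.y traffic from apex into the tunnel toward raccoon; the same commit maps `192.168.11.12` (bscpm04.bsc.es) and `192.168.11.15` (gitlab-internal.bsc.es) in m/common/base/net.nix, so unless a more specific route exists on apex those BSC services would be reached through raccoon, and raccoon could also claim their addresses on the cryptokey-routing side. If only raccoon's home LAN is meant, narrow the prefix to the actual subnet, or set `allowedIPsAsRoutes = false;` on `wg0` and add explicit routes; at minimum a comment should state which network the /16 stands for. The `10.0.44.0/24` entry is similarly undocumented beyond the `tent` host alias below.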
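--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@@ -0,0 +1,108 @@
+{ config, pkgs, lib, ... }:
+
+{
+imports = [
+../common/ssf.nix
+../module/hut-substituter.nix
+../module/monitoring.nix
+];
+
+# Select the this using the ID to avoid mismatches
+boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53562d";
+
+boot.kernel.sysctl = {
+"kernel.yama.ptrace_scope" = lib.mkForce "1";
+};
+
+environment.systemPackages = with pkgs; [
+ceph
+];
+
+networking = {
+hostName = "bay";
+interfaces.eno1.ipv4.addresses = [ {
+address = "10.0.40.40";
+prefixLength = 24;
+} ];
+interfaces.ibp5s0.ipv4.addresses = [ {
+address = "10.0.42.40";
+prefixLength = 24;
+} ];
+firewall = {
+extraCommands = ''
+# Accept all incoming TCP traffic from lake2
+iptables -A nixos-fw -p tcp -s lake2 -j nixos-fw-accept
+# Accept monitoring requests from hut
+iptables -A nixos-fw -p tcp -s hut -m multiport --dport 9283,9002 -j nixos-fw-accept
+# Accept all Ceph traffic from the local network
+iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
+'';
+};
+};
+
+services.ceph = {
+enable = true;
+global = {
+fsid = "9c8d06e0-485f-4aaf-b16b-06d6daf1232b";
+monHost = "10.0.40.40";
+monInitialMembers = "bay";
+clusterNetwork = "10.0.40.40/24"; # Use Ethernet only
+};
+extraConfig = {
+# Only log to stderr so it appears in the journal
+"log_file" = "/dev/null";
+"mon_cluster_log_file" = "/dev/null";
+"log_to_stderr" = "true";
+"err_to_stderr" = "true";
+"log_to_file" = "false";
+};
+mds = {
+enable = true;
+daemons = [ "mds0" "mds1" ];
+extraConfig = {
+"host" = "bay";
+};
+};
+mgr = {
+enable = true;
+daemons = [ "bay" ];
+};
+mon = {
+enable = true;
+daemons = [ "bay" ];
+};
+osd = {
+enable = true;
+# One daemon per NVME disk
+daemons = [ "0" "1" "2" "3" ];
+extraConfig = {
+"osd crush chooseleaf type" = "0";
+"osd journal size" = "10000";
+"osd pool default min size" = "2";
+"osd pool default pg num" = "200";
+"osd pool default pgp num" = "200";
+"osd pool default size" = "3";
+};
+};
+};
+
+# Missing service for volumes, see:
+# https://www.reddit.com/r/ceph/comments/14otjyo/comment/jrd69vt/
+systemd.services.ceph-volume = {
+enable = true;
+description = "Ceph Volume activation";
+unitConfig = {
+Type = "oneshot";
+After = "local-fs.target";
+Wants = "local-fs.target";
+};
+path = [ pkgs.ceph pkgs.util-linux pkgs.lvm2 pkgs.cryptsetup ];
+serviceConfig = {
+KillMode = "none";
+Environment = "CEPH_VOLUME_TIMEOUT=10000";
+ExecStart = "/bin/sh -c 'timeout $CEPH_VOLUME_TIMEOUT ${pkgs.ceph}/bin/ceph-volume lvm activate --all --no-systemd'";
+TimeoutSec = "0";
+};
+wantedBy = [ "multi-user.target" ];
+};
+}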
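Review bot: `Type = "oneshot";` is placed in `unitConfig`, which NixOS writes into the `[Unit]` section, where systemd does not recognise `Type` and ignores it; the unit therefore runs as the default `Type=simple`, so `multi-user.target` does not wait for `ceph-volume lvm activate` to finish and the `TimeoutSec = "0"` setting applies to a process systemd already considers started. Move the line into `serviceConfig` next to `KillMode`, i.e. `serviceConfig.Type = "oneshot";`, and consider `RemainAfterExit = true;` so the activation is not re-run on every `systemctl start`. Separately, the firewall lines `-s lake2` and `-s hut` resolve those names when the firewall script runs, so the accept rules depend on the hosts file from `../common/ssf.nix` being correct at that moment; literal addresses, or a comment noting that dependency, would make the rule set auditable on its own.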
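--- a/m/common/base.nix
+++ b/m/common/base.nix
@@ -0,0 +1,22 @@
+{
+# All machines should include this profile.
+# Includes the basic configuration for an Intel server.
+imports = [
+./base/agenix.nix
+./base/always-power-on.nix
+./base/august-shutdown.nix
+./base/boot.nix
+./base/env.nix
+./base/fs.nix
+./base/hw.nix
+./base/net.nix
+./base/nix.nix
+./base/sys-devices.nix
+./base/ntp.nix
+./base/rev.nix
+./base/ssh.nix
+./base/users.nix
+./base/watchdog.nix
+./base/zsh.nix
+];
+}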
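--- a/m/common/base/agenix.nix
+++ b/m/common/base/agenix.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+imports = [ ../../module/agenix.nix ];
+
+# Add agenix to system packages
+environment.systemPackages = [ pkgs.agenix ];
+}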
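--- a/m/common/base/always-power-on.nix
+++ b/m/common/base/always-power-on.nix
@@ -0,0 +1,8 @@
+{
+imports = [
+../../module/power-policy.nix
+];
+
+# Turn on as soon as we have power
+power.policy = "always-on";
+}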
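--- a/m/common/base/august-shutdown.nix
+++ b/m/common/base/august-shutdown.nix
@@ -0,0 +1,14 @@
+{
+# Shutdown all machines on August 3rd at 22:00, so we can protect the
+# hardware from spurious electrical peaks on the yearly electrical cut for
+# manteinance that starts on August 4th.
+systemd.timers.august-shutdown = {
+description = "Shutdown on August 3rd for maintenance";
+wantedBy = [ "timers.target" ];
+timerConfig = {
+OnCalendar = "*-08-03 22:00:00";
+RandomizedDelaySec = "10min";
+Unit = "systemd-poweroff.service";
+};
+};
+}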
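Review bot: The header comment misspells "maintenance" as `manteinance`; the `description` string three lines below has it right, so only the comment needs `# maintenance that starts on August 4th.`. It would also help a reader to note that `OnCalendar` is interpreted in the system time zone, which m/common/base/env.nix sets to Europe/Madrid, since a 22:00 wall-clock shutdown is only meaningful with that assumption spelled out.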
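--- a/m/common/base/boot.nix
+++ b/m/common/base/boot.nix
@@ -0,0 +1,37 @@
+{ lib, pkgs, ... }:
+
+{
+# Use the GRUB 2 boot loader.
+boot.loader.grub.enable = true;
+
+# Enable GRUB2 serial console
+boot.loader.grub.extraConfig = ''
+serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
+terminal_input --append serial
+terminal_output --append serial
+'';
+
+boot.kernel.sysctl = {
+"kernel.perf_event_paranoid" = lib.mkDefault "-1";
+
+# Allow ptracing (i.e. attach with GDB) any process of the same user, see:
+# https://www.kernel.org/doc/Documentation/security/Yama.txt
+"kernel.yama.ptrace_scope" = "0";
+};
+
+boot.kernelPackages = pkgs.linuxPackages_latest;
+
+#boot.kernelPatches = lib.singleton {
+# name = "osnoise-tracer";
+# patch = null;
+# extraStructuredConfig = with lib.kernel; {
+# OSNOISE_TRACER = yes;
+# HWLAT_TRACER = yes;
+# };
+#};
+
+boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "nvme" "usbhid" "sd_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+}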
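Review bot: `"kernel.yama.ptrace_scope" = "0";` is set without `lib.mkDefault`, unlike `kernel.perf_event_paranoid` two lines above it, which is why m/bay/configuration.nix in this same commit has to reach for `lib.mkForce "1"` to tighten it back on the storage node; writing `"kernel.yama.ptrace_scope" = lib.mkDefault "0";` lets per-host files override with a plain assignment and keeps the two sysctls consistent. Both values loosen kernel defaults on every machine in the fleet (ptrace_scope 0 lets any process attach to any other of the same user; perf_event_paranoid -1 grants unprivileged users kernel-level perf, including tracepoints), and only the first has a comment; add one for perf as well, e.g. `# Allow unprivileged perf (kernel profiling and tracepoints) for HPC tooling.`, so the reason these stay relaxed is recorded next to the setting.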
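--- a/m/common/base/env.nix
+++ b/m/common/base/env.nix
@@ -0,0 +1,37 @@
+{ pkgs, config, ... }:
+
+{
+environment.systemPackages = with pkgs; [
+vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
+nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
+ncdu config.boot.kernelPackages.perf ldns pv
+# From bsckgs overlay
+osumb
+];
+
+programs.direnv.enable = true;
+
+# Increase limits
+security.pam.loginLimits = [
+{
+domain = "*";
+type = "-";
+item = "memlock";
+value = "1048576"; # 1 GiB of mem locked
+}
+];
+
+environment.enableAllTerminfo = true;
+
+environment.variables = {
+EDITOR = "vim";
+VISUAL = "vim";
+};
+
+programs.bash.promptInit = ''
+PS1="\h\\$ "
+'';
+
+time.timeZone = "Europe/Madrid";
+i18n.defaultLocale = "en_DK.UTF-8";
+}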
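Review bot: The comment above `osumb` reads `# From bsckgs overlay`; the overlay is called bscpkgs elsewhere in this commit (README.md and the `bscOverlay` binding in flake.nix), so `# From the bscpkgs overlay` is the intended spelling. The `memlock` comment is correct as written (the limit is in KiB, so 1048576 is 1 GiB), but stating the unit, `# 1048576 KiB = 1 GiB of locked memory`, would save the next reader the lookup.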
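--- a/m/common/base/fs.nix
+++ b/m/common/base/fs.nix
@@ -0,0 +1,24 @@
+{ ... }:
+
+{
+fileSystems."/" =
+{ device = "/dev/disk/by-label/nixos";
+fsType = "ext4";
+};
+
+# Trim unused blocks weekly
+services.fstrim.enable = true;
+
+swapDevices =
+[ { device = "/dev/disk/by-label/swap"; }
+];
+
+# Tracing
+fileSystems."/sys/kernel/tracing" = {
+device = "none";
+fsType = "tracefs";
+};
+
+# Mount a tmpfs into /tmp
+boot.tmp.useTmpfs = true;
+}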
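--- a/m/common/base/hw.nix
+++ b/m/common/base/hw.nix
@@ -0,0 +1,14 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/installer/scan/not-detected.nix")
+];
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}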
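--- a/m/common/base/net.nix
+++ b/m/common/base/net.nix
@@ -0,0 +1,23 @@
+{ pkgs, lib, ... }:
+
+{
+networking = {
+enableIPv6 = false;
+useDHCP = false;
+
+firewall = {
+enable = true;
+allowedTCPPorts = [ 22 ];
+};
+
+# Make sure we use iptables
+nftables.enable = lib.mkForce false;
+
+hosts = {
+"84.88.53.236" = [ "ssfhead.bsc.es" "ssfhead" ];
+"84.88.51.142" = [ "raccoon-ipmi" ];
+"192.168.11.12" = [ "bscpm04.bsc.es" ];
+"192.168.11.15" = [ "gitlab-internal.bsc.es" ];
+};
+};
+}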
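--- a/m/common/base/nix.nix
+++ b/m/common/base/nix.nix
@@ -0,0 +1,59 @@
+{ pkgs, nixpkgs, theFlake, ... }:
+
+{
+nixpkgs.overlays = [
+(import ../../../overlay.nix)
+];
+
+nixpkgs.config.allowUnfree = true;
+
+nix = {
+nixPath = [
+"nixpkgs=${nixpkgs}"
+"jungle=${theFlake.outPath}"
+];
+
+registry = {
+nixpkgs.flake = nixpkgs;
+jungle.flake = theFlake;
+};
+
+settings = {
+experimental-features = [ "nix-command" "flakes" ];
+sandbox = "relaxed";
+trusted-users = [ "@wheel" ];
+flake-registry = pkgs.writeText "global-registry.json"
+''{"flakes":[],"version":2}'';
+keep-outputs = true;
+};
+
+gc = {
+automatic = true;
+dates = "weekly";
+options = "--delete-older-than 30d";
+};
+};
+
+# The nix-gc.service can begin its execution *before* /home is mounted,
+# causing it to remove all gcroots considering them as stale, as it cannot
+# access the symlink. To prevent this problem, we force the service to wait
+# until /home is mounted as well as other remote FS like /ceph.
+systemd.services.nix-gc = {
+# Start remote-fs.target if not already being started and fail if it fails
+# to start. It will also be stopped if the remote-fs.target fails after
+# starting successfully.
+bindsTo = [ "remote-fs.target" ];
+# Wait until remote-fs.target fully starts before starting this one.
+after = [ "remote-fs.target"];
+# Ensure we can access a remote path inside /home
+unitConfig.ConditionPathExists = "/home/Computational";
+};
+
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. It‘s perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+system.stateVersion = "22.11"; # Did you read the comment?
+}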
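Review bot: `sandbox = "relaxed";` and `trusted-users = [ "@wheel" ];` sit next to each other in `settings` with no comment, yet together they mean every wheel member can submit derivations marked `__noChroot` that run outside the build sandbox, and can override substituters and other daemon settings, so wheel membership is effectively daemon-root on every machine importing this profile. That may well be the intended trade-off on a research cluster, but it should be written down where it is set, e.g. `# relaxed: lets trusted users build __noChroot derivations (needed for <which package>); trusted-users are equivalent to root for the daemon.`, with the actual package name filled in. The `flake-registry` override to an empty file is a good supply-chain choice (no network lookup of the global registry) and deserves a one-line comment saying so.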
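--- a/m/common/base/ntp.nix
+++ b/m/common/base/ntp.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+services.ntp.enable = true;
+
+# Use the NTP server at BSC, as we don't have direct access
+# to the outside world
+networking.timeServers = [ "84.88.52.36" ];
+}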
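--- a/m/common/base/rev.nix
+++ b/m/common/base/rev.nix
@@ -0,0 +1,21 @@
+{ theFlake, ... }:
+
+let
+# Prevent building a configuration without revision
+rev = if theFlake ? rev then theFlake.rev
+else throw ("Refusing to build from a dirty Git tree!");
+in {
+# Save the commit of the config in /etc/configrev
+environment.etc.configrev.text = rev + "\n";
+
+# Keep a log with the config over time
+system.activationScripts.configRevLog.text = ''
+BOOTED=$(cat /run/booted-system/etc/configrev 2>/dev/null || echo unknown)
+CURRENT=$(cat /run/current-system/etc/configrev 2>/dev/null || echo unknown)
+NEXT=${rev}
+DATENOW=$(date --iso-8601=seconds)
+echo "$DATENOW booted=$BOOTED current=$CURRENT next=$NEXT" >> /var/configrev.log
+'';
+
+system.configurationRevision = rev;
+}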
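--- a/m/common/base/ssh.nix
+++ b/m/common/base/ssh.nix
@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+let
+keys = import ../../../keys.nix;
+hostsKeys = lib.mapAttrs (name: value: { publicKey = value; }) keys.hosts;
+in
+{
+# Enable the OpenSSH daemon.
+services.openssh.enable = true;
+
+programs.ssh.knownHosts = hostsKeys // {
+"gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3";
+"bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS";
+"bscpm04.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT";
+"glogin1.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsHsZGCrzpd4QDVn5xoDOtrNBkb0ylxKGlyBt6l9qCz";
+"glogin2.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsHsZGCrzpd4QDVn5xoDOtrNBkb0ylxKGlyBt6l9qCz";
+};
+}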
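Review bot: `services.openssh.enable = true` is set with the NixOS defaults, which leave password authentication enabled; together with the `hashedPassword` entries in m/common/base/users.nix every account on every host that imports base is reachable by online password guessing, and only fox enables fail2ban (m/fox/configuration.nix). Since all users already carry `openssh.authorizedKeys.keys`, consider adding `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` here so the policy applies cluster-wide. The identical host key for glogin1.bsc.es and glogin2.bsc.es may well be intended (one key behind a load balancer), but a comment saying so would stop a future reader from "fixing" it.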
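--- a/m/common/base/sys-devices.nix
+++ b/m/common/base/sys-devices.nix
@@ -0,0 +1,9 @@
+{
+nix.settings.system-features = [ "sys-devices" ];
+
+programs.nix-required-mounts.enable = true;
+programs.nix-required-mounts.allowedPatterns.sys-devices.paths = [
+"/sys/devices/system/cpu"
+"/sys/devices/system/node"
+];
+}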
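--- a/m/common/base/users.nix
+++ b/m/common/base/users.nix
@@ -0,0 +1,203 @@
+{ pkgs, ... }:
+
+{
+imports = [
+../../module/jungle-users.nix
+];
+
+users = {
+mutableUsers = false;
+users = {
+# Generate hashedPassword with `mkpasswd -m sha-512`
+
+root.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBOf4r4lzQfyO0bx5BaREePREw8Zw5+xYgZhXwOZoBO ram@hop"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINa0tvnNgwkc5xOwd6xTtaIdFi5jv0j2FrE7jl5MTLoE ram@mio"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3zeB5KSimMBAjvzsp1GCkepVaquVZGPYwRIzyzaCba aleix@bsc"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut"
+];
+
+rarias = {
+uid = 1880;
+isNormalUser = true;
+linger = true;
+home = "/home/Computational/rarias";
+description = "Rodrigo Arias";
+group = "Computational";
+extraGroups = [ "wheel" ];
+hashedPassword = "$6$u06tkCy13enReBsb$xiI.twRvvTfH4jdS3s68NZ7U9PSbGKs5.LXU/UgoawSwNWhZo2hRAjNL5qG0/lAckzcho2LjD0r3NfVPvthY6/";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBOf4r4lzQfyO0bx5BaREePREw8Zw5+xYgZhXwOZoBO ram@hop"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINa0tvnNgwkc5xOwd6xTtaIdFi5jv0j2FrE7jl5MTLoE ram@mio"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYcXIxe0poOEGLpk8NjiRozls7fMRX0N3j3Ar94U+Gl rarias@hal"
+];
+shell = pkgs.zsh;
+};
+
+arocanon = {
+uid = 1042;
+isNormalUser = true;
+home = "/home/Computational/arocanon";
+description = "Aleix Roca";
+group = "Computational";
+extraGroups = [ "wheel" "tracing" ];
+hashedPassword = "$6$hliZiW4tULC/tH7p$pqZarwJkNZ7vS0G5llWQKx08UFG9DxDYgad7jplMD8WkZh5k58i4dfPoWtnEShfjTO6JHiIin05ny5lmSXzGM/";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3zeB5KSimMBAjvzsp1GCkepVaquVZGPYwRIzyzaCba aleix@bsc"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdphWxLAEekicZ/WBrvP7phMyxKSSuLAZBovNX+hZXQ aleix@kerneland"
+];
+};
+};
+
+jungleUsers = {
+rpenacob = {
+uid = 2761;
+isNormalUser = true;
+home = "/home/Computational/rpenacob";
+description = "Raúl Peñacoba";
+group = "Computational";
+hosts = [ "apex" "owl1" "owl2" "hut" "tent" "fox" ];
+hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc"
+];
+};
+
+anavarro = {
+uid = 1037;
+isNormalUser = true;
+home = "/home/Computational/anavarro";
+description = "Antoni Navarro";
+group = "Computational";
+hosts = [ "apex" "hut" "tent" "raccoon" "fox" "weasel" ];
+hashedPassword = "$6$EgturvVYXlKgP43g$gTN78LLHIhaF8hsrCXD.O6mKnZSASWSJmCyndTX8QBWT6wTlUhcWVAKz65lFJPXjlJA4u7G1ydYQ0GG6Wk07b1";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMsbM21uepnJwPrRe6jYFz8zrZ6AYMtSEvvt4c9spmFP toni@delltoni"
+];
+};
+
+abonerib = {
+uid = 4541;
+isNormalUser = true;
+home = "/home/Computational/abonerib";
+description = "Aleix Boné";
+group = "Computational";
+hosts = [ "apex" "owl1" "owl2" "hut" "tent" "raccoon" "fox" "weasel" ];
+hashedPassword = "$6$V1EQWJr474whv7XJ$OfJ0wueM2l.dgiJiiah0Tip9ITcJ7S7qDvtSycsiQ43QBFyP4lU0e0HaXWps85nqB4TypttYR4hNLoz3bz662/";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc"
+];
+};
+
+vlopez = {
+uid = 4334;
+isNormalUser = true;
+home = "/home/Computational/vlopez";
+description = "Victor López";
+group = "Computational";
+hosts = [ "apex" "koro" ];
+hashedPassword = "$6$0ZBkgIYE/renVqtt$1uWlJsb0FEezRVNoETTzZMx4X2SvWiOsKvi0ppWCRqI66S6TqMBXBdP4fcQyvRRBt0e4Z7opZIvvITBsEtO0f0";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMwlUZRf9jfG666Qa5Sb+KtEhXqkiMlBV2su3x/dXHq victor@arch"
+];
+};
+
+dbautist = {
+uid = 5649;
+isNormalUser = true;
+home = "/home/Computational/dbautist";
+description = "Dylan Bautista Cases";
+group = "Computational";
+hosts = [ "apex" "hut" "tent" "raccoon" ];
+hashedPassword = "$6$a2lpzMRVkG9nSgIm$12G6.ka0sFX1YimqJkBAjbvhRKZ.Hl090B27pdbnQOW0wzyxVWySWhyDDCILjQELky.HKYl9gqOeVXW49nW7q/";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAb+EQBoS98zrCwnGKkHKwMLdYABMTqv7q9E0+T0QmkS dbautist@bsc-848818791"
+];
+};
+
+dalvare1 = {
+uid = 2758;
+isNormalUser = true;
+home = "/home/Computational/dalvare1";
+description = "David Álvarez";
+group = "Computational";
+hosts = [ "apex" "hut" "tent" "fox" ];
+hashedPassword = "$6$mpyIsV3mdq.rK8$FvfZdRH5OcEkUt5PnIUijWyUYZvB1SgeqxpJ2p91TTe.3eQIDTcLEQ5rxeg.e5IEXAZHHQ/aMsR5kPEujEghx0";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGEfy6F4rF80r4Cpo2H5xaWqhuUZzUsVsILSKGJzt5jF dalvare1@ssfhead"
+];
+};
+
+varcila = {
+uid = 5650;
+isNormalUser = true;
+home = "/home/Computational/varcila";
+description = "Vincent Arcila";
+group = "Computational";
+hosts = [ "apex" "hut" "tent" "fox" ];
+hashedPassword = "$6$oB0Tcn99DcM4Ch$Vn1A0ulLTn/8B2oFPi9wWl/NOsJzaFAWjqekwcuC9sMC7cgxEVb.Nk5XSzQ2xzYcNe5MLtmzkVYnRS1CqP39Y0";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"
+];
+};
+
+pmartin1 = {
+# Arbitrary UID but large so it doesn't collide with other users on ssfhead.
+uid = 9652;
+isNormalUser = true;
+home = "/home/Computational/pmartin1";
+description = "Pedro J. Martinez-Ferrer";
+group = "Computational";
+hosts = [ "fox" ];
+hashedPassword = "$6$nIgDMGnt4YIZl3G.$.JQ2jXLtDPRKsbsJfJAXdSvjDIzRrg7tNNjPkLPq3KJQhMjfDXRUvzagUHUU2TrE2hHM8/6uq8ex0UdxQ0ysl.";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIV5LEAII5rfe1hYqDYIIrhb1gOw7RcS1p2mhOTqG+zc pedro@pedro-ThinkPad-P14s-Gen-2a"
+];
+};
+
+csiringo = {
+uid = 9653;
+isNormalUser = true;
+home = "/home/Computational/csiringo";
+description = "Cesare Siringo";
+group = "Computational";
+hosts = [ ];
+hashedPassword = "$6$0IsZlju8jFukLlAw$VKm0FUXbS.mVmPm3rcJeizTNU4IM5Nmmy21BvzFL.cQwvlGwFI1YWRQm6gsbd4nbg47mPDvYkr/ar0SlgF6GO1";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHA65zvvG50iuFEMf+guRwZB65jlGXfGLF4HO+THFaed csiringo@bsc.es"
+];
+};
+
+acinca = {
+uid = 9654;
+isNormalUser = true;
+home = "/home/Computational/acinca";
+description = "Arnau Cinca";
+group = "Computational";
+hosts = [ "apex" "hut" "fox" "owl1" "owl2" ];
+hashedPassword = "$6$S6PUeRpdzYlidxzI$szyvWejQ4hEN76yBYhp1diVO5ew1FFg.cz4lKiXt2Idy4XdpifwrFTCIzLTs5dvYlR62m7ekA5MrhcVxR5F/q/";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFmMqKqPg4uocNOr3O41kLbZMOMJn3m2ZdN1JvTR96z3 bsccns@arnau-bsc"
+];
+};
+
+aaguirre = {
+uid = 9655;
+isNormalUser = true;
+home = "/home/Computational/aaguirre";
+description = "Alejandro Aguirre";
+group = "Computational";
+hosts = [ "apex" "hut" ];
+hashedPassword = "$6$TXRXQT6jjBvxkxU6$E.sh5KspAm1qeG5Ct7OPHpo8REmbGDwjFGvqeGgTVz3GASGOAnPL7UMZsMAsAKBoahOw.v8LNno6XGrTEPzZH1";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlRX7ZCnqtUJYCxKgWmgSrFCYuA2LHY96rVwqxXPl86 aaguirre@BSC-8488184117"
+];
+};
+};
+
+groups = {
+Computational = { gid = 564; };
+tracing = { };
+};
+};
+}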
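Review bot: The `hashedPassword` values are baked into the generated users/groups data in the Nix store, which is world-readable on every host that builds or receives this configuration, so every local account can read every other account's password hash and start offline guessing; the comment above `root.openssh.authorizedKeys.keys` says how to generate a hash but not where to keep it. The repo already uses age secrets (m/fox/wireguard.nix reads `config.age.secrets.wgFox.path`), so `hashedPasswordFile = config.age.secrets.<SECRET_NAME>.path;` per user would keep the hashes out of the store; `config` would need to be added to the module arguments. `csiringo` has `hosts = [ ]`, which presumably means the account is defined on no host as far as the jungle-users module is concerned, and a comment stating whether that is intentional (pending onboarding, offboarded) would help.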
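--- a/m/common/base/watchdog.nix
+++ b/m/common/base/watchdog.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+# The boards have a BMC watchdog controlled by IPMI
+boot.kernelModules = [ "ipmi_watchdog" ];
+
+# Enable systemd watchdog with 30 s interval
+systemd.watchdog.runtimeTime = "30s";
+}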
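--- a/m/common/base/zsh.nix
+++ b/m/common/base/zsh.nix
@@ -0,0 +1,91 @@
+{ pkgs, ... }:
+
+{
+environment.systemPackages = with pkgs; [
+zsh-completions
+nix-zsh-completions
+];
+
+programs.zsh = {
+enable = true;
+histSize = 1000000;
+
+shellInit = ''
+# Disable new user prompt
+if [ ! -e ~/.zshrc ]; then
+touch ~/.zshrc
+fi
+'';
+
+promptInit = ''
+# Note that to manually override this in ~/.zshrc you should run `prompt off`
+# before setting your PS1 and etc. Otherwise this will likely to interact with
+# your ~/.zshrc configuration in unexpected ways as the default prompt sets
+# a lot of different prompt variables.
+autoload -U promptinit && promptinit && prompt default && setopt prompt_sp
+'';
+
+# Taken from Ulli Kehrle config:
+# https://git.hrnz.li/Ulli/nixos/src/commit/2e203b8d8d671f4e3ced0f1744a51d5c6ee19846/profiles/shell.nix#L199-L205
+interactiveShellInit = ''
+source "${pkgs.zsh-history-substring-search}/share/zsh-history-substring-search/zsh-history-substring-search.zsh"
+
+# Save history immediately, but only load it when the shell starts
+setopt inc_append_history
+
+# dircolors doesn't support alacritty:
+# https://lists.gnu.org/archive/html/bug-coreutils/2019-05/msg00029.html
+export LS_COLORS='rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=00:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.avif=01;35:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:*~=00;90:*#=00;90:*.bak=00;90:*.old=00;90:*.orig=00;90:*.part=00;90:*.rej=00;90:*.swp=00;90:*.tmp=00;90:*.dpkg-dist=00;90:*.dpkg-old=00;90:*.ucf-dist=00;90:*.ucf-new=00;90:*.ucf-old=00;90:*.rpmnew=00;90:*.rpmorig=00;90:*.rpmsave=00;90:';
+
+# From Arch Linux and GRML
+bindkey "^R" history-incremental-pattern-search-backward
+bindkey "^S" history-incremental-pattern-search-forward
+
+# Auto rehash for new binaries
+zstyle ':completion:*' rehash true
+# show a nice menu with the matches
+zstyle ':completion:*' menu yes select
+
+bindkey '^[OA' history-substring-search-up # Up
+bindkey '^[[A' history-substring-search-up # Up
+
+bindkey '^[OB' history-substring-search-down # Down
+bindkey '^[[B' history-substring-search-down # Down
+
+bindkey '\e[1~' beginning-of-line # Home
+bindkey '\e[7~' beginning-of-line # Home
+bindkey '\e[H' beginning-of-line # Home
+bindkey '\eOH' beginning-of-line # Home
+
+bindkey '\e[4~' end-of-line # End
+bindkey '\e[8~' end-of-line # End
+bindkey '\e[F ' end-of-line # End
+bindkey '\eOF' end-of-line # End
+
+bindkey '^?' backward-delete-char # Backspace
+bindkey '\e[3~' delete-char # Del
+# bindkey '\e[3;5~' delete-char # sometimes Del, sometimes C-Del
+bindkey '\e[2~' overwrite-mode # Ins
+
+bindkey '^H' backward-kill-word # C-Backspace
+
+bindkey '5~' kill-word # C-Del
+bindkey '^[[3;5~' kill-word # C-Del
+bindkey '^[[3^' kill-word # C-Del
+
+bindkey "^[[1;5H" backward-kill-line # C-Home
+bindkey "^[[7^" backward-kill-line # C-Home
+
+bindkey "^[[1;5F" kill-line # C-End
+bindkey "^[[8^" kill-line # C-End
+
+bindkey '^[[1;5C' forward-word # C-Right
+bindkey '^[0c' forward-word # C-Right
+bindkey '^[[5C' forward-word # C-Right
+
+bindkey '^[[1;5D' backward-word # C-Left
+bindkey '^[0d' backward-word # C-Left
+bindkey '^[[5D' backward-word # C-Left
+'';
+};
+}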
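Review bot: `bindkey '\e[F ' end-of-line # End` has a space inside the quoted sequence, so it binds ESC [ F followed by a space rather than the End key's `\e[F`; the line should read `bindkey '\e[F' end-of-line # End`. Likewise `bindkey '5~' kill-word # C-Del` binds the plain two-character string `5~`, which makes zsh pause after every typed `5` waiting for a possible `~` and runs kill-word when it arrives; if the page lost a prefix here the intended sequence needs restoring, otherwise the line should go. `'^[0c'` and `'^[0d'` use a zero where the rxvt-style sequences are `^[Oc` / `^[Od` (capital O), so they are worth checking against a real terminal before keeping them.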
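--- a/m/common/ssf.nix
+++ b/m/common/ssf.nix
@@ -0,0 +1,10 @@
+{
+# Provides the base system for a xeon node in the SSF rack.
+imports = [
+./xeon.nix
+./ssf/fs.nix
+./ssf/hosts.nix
+./ssf/hosts-remote.nix
+./ssf/net.nix
+];
+}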
@ -1,5 +1,3 @@
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
# Mount the home via NFS
|
||||
fileSystems."/home" = {
|
||||
@ -7,10 +5,4 @@
|
||||
fsType = "nfs";
|
||||
options = [ "nfsvers=3" "rsize=1024" "wsize=1024" "cto" "nofail" ];
|
||||
};
|
||||
|
||||
# Tracing
|
||||
fileSystems."/sys/kernel/tracing" = {
|
||||
device = "none";
|
||||
fsType = "tracefs";
|
||||
};
|
||||
}
|
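--- a/m/common/ssf/hosts-remote.nix
+++ b/m/common/ssf/hosts-remote.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+networking.hosts = {
+# Remote hosts visible from compute nodes
+"10.106.0.236" = [ "raccoon" ];
+"10.0.44.4" = [ "tent" ];
+};
+}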
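Review bot: `{ pkgs, ... }:` is unused in this module (and in m/common/ssf/hosts.nix); `{ ... }:` or dropping the argument set, as m/common/base/watchdog.nix and m/common/ssf.nix do, keeps the signature honest. The raccoon and tent entries are repeated verbatim in m/fox/wireguard.nix, so a single shared module imported by both would stop the two copies drifting apart when an address changes.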
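--- a/m/common/ssf/hosts.nix
+++ b/m/common/ssf/hosts.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+
+{
+networking.hosts = {
+# Login
+"10.0.40.30" = [ "apex" ];
+
+# Storage
+"10.0.40.40" = [ "bay" ]; "10.0.42.40" = [ "bay-ib" ]; "10.0.40.141" = [ "bay-ipmi" ];
+"10.0.40.41" = [ "oss01" ]; "10.0.42.41" = [ "oss01-ib0" ]; "10.0.40.142" = [ "oss01-ipmi" ];
+"10.0.40.42" = [ "lake2" ]; "10.0.42.42" = [ "lake2-ib" ]; "10.0.40.143" = [ "lake2-ipmi" ];
+
+# Xeon compute
+"10.0.40.1" = [ "owl1" ]; "10.0.42.1" = [ "owl1-ib" ]; "10.0.40.101" = [ "owl1-ipmi" ];
+"10.0.40.2" = [ "owl2" ]; "10.0.42.2" = [ "owl2-ib" ]; "10.0.40.102" = [ "owl2-ipmi" ];
+"10.0.40.3" = [ "xeon03" ]; "10.0.42.3" = [ "xeon03-ib" ]; "10.0.40.103" = [ "xeon03-ipmi" ];
+#"10.0.40.4" = [ "tent" ]; "10.0.42.4" = [ "tent-ib" ]; "10.0.40.104" = [ "tent-ipmi" ];
+"10.0.40.5" = [ "koro" ]; "10.0.42.5" = [ "koro-ib" ]; "10.0.40.105" = [ "koro-ipmi" ];
+"10.0.40.6" = [ "weasel" ]; "10.0.42.6" = [ "weasel-ib" ]; "10.0.40.106" = [ "weasel-ipmi" ];
+"10.0.40.7" = [ "hut" ]; "10.0.42.7" = [ "hut-ib" ]; "10.0.40.107" = [ "hut-ipmi" ];
+"10.0.40.8" = [ "eudy" ]; "10.0.42.8" = [ "eudy-ib" ]; "10.0.40.108" = [ "eudy-ipmi" ];
+};
+}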
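--- a/m/common/ssf/net.nix
+++ b/m/common/ssf/net.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+
+{
+# Infiniband (IPoIB)
+environment.systemPackages = [ pkgs.rdma-core ];
+boot.kernelModules = [ "ib_umad" "ib_ipoib" ];
+
+networking = {
+defaultGateway = "10.0.40.30";
+nameservers = ["8.8.8.8"];
+
+firewall = {
+extraCommands = ''
+# Prevent ssfhead from contacting our slurmd daemon
+iptables -A nixos-fw -p tcp -s ssfhead --dport 6817:6819 -j nixos-fw-refuse
+# But accept traffic to slurm ports from any other node in the subnet
+iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 6817:6819 -j nixos-fw-accept
+# We also need to open the srun port range
+iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 60000:61000 -j nixos-fw-accept
+'';
+};
+};
+}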
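Review bot: The refuse rule in `extraCommands` passes the hostname `ssfhead` as `-s`, so iptables has to resolve it at the moment the rule is inserted; `ssfhead` is not in m/common/ssf/hosts.nix, which leaves the rule depending on `nameservers = ["8.8.8.8"]` answering during firewall start, and if that lookup fails the command errors and, depending on how the firewall script treats the failure, either the refuse rule is silently missing or the whole firewall reload aborts. An IP literal, or a `networking.hosts` entry for `ssfhead`, removes the runtime dependency. Separately, m/common/base/ntp.nix says these nodes have no outside access yet the resolver is a public one; if DNS is reached through apex as default gateway, a one-line comment saying so would reconcile the two.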
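--- a/m/common/xeon.nix
+++ b/m/common/xeon.nix
@@ -0,0 +1,7 @@
+{
+# Provides the base system for a xeon node, not necessarily in the SSF rack.
+imports = [
+./base.nix
+./xeon/console.nix
+];
+}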
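--- a/m/common/xeon/console.nix
+++ b/m/common/xeon/console.nix
@@ -0,0 +1,14 @@
+{
+# Restart the serial console
+systemd.services."serial-getty@ttyS0" = {
+enable = true;
+wantedBy = [ "getty.target" ];
+serviceConfig.Restart = "always";
+};
+
+# Enable serial console
+boot.kernelParams = [
+"console=tty1"
+"console=ttyS0,115200"
+];
+}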
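--- a/m/eudy/configuration.nix
+++ b/m/eudy/configuration.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+{
+imports = [
+../common/ssf.nix
+#(modulesPath + "/installer/netboot/netboot-minimal.nix")
+
+./kernel/kernel.nix
+./cpufreq.nix
+./fs.nix
+./users.nix
+../module/hut-substituter.nix
+../module/debuginfod.nix
+];
+
+# Select this using the ID to avoid mismatches
+boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53564b";
+
+# disable automatic garbage collector
+nix.gc.automatic = lib.mkForce false;
+
+# members of the tracing group can use the lttng-provided kernel events
+# without root permissions
+users.groups.tracing.members = [ "arocanon" ];
+
+# set up both ethernet and infiniband ips
+networking = {
+hostName = "eudy";
+interfaces.eno1.ipv4.addresses = [ {
+address = "10.0.40.8";
+prefixLength = 24;
+} ];
+interfaces.ibp5s0.ipv4.addresses = [ {
+address = "10.0.42.8";
+prefixLength = 24;
+} ];
+};
+}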
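--- a/m/eudy/cpufreq.nix
+++ b/m/eudy/cpufreq.nix
@@ -0,0 +1,40 @@
+{ lib, ... }:
+
+{
+# Disable frequency boost by default. Use the intel_pstate driver instead of
+# acpi_cpufreq driver because the acpi_cpufreq driver does not read the
+# complete range of P-States [1]. Use the intel_pstate passive mode [2] to
+# disable HWP, which allows a core to "select P-states by itself". Also, this
+# disables intel governors, which confusingly, have the same names as the
+# generic ones but behave differently [3].
+
+# Essentially, we use the generic governors, but use the intel driver to read
+# the P-state list.
+
+# [1] - https://www.kernel.org/doc/html/latest/admin-guide/pm/intel_pstate.html#intel-pstate-vs-acpi-cpufreq
+# [2] - https://www.kernel.org/doc/html/latest/admin-guide/pm/intel_pstate.html#passive-mode
+# [3] - https://www.kernel.org/doc/html/latest/admin-guide/pm/intel_pstate.html#active-mode
+# https://www.kernel.org/doc/html/latest/admin-guide/pm/cpufreq.html
+
+# set intel_pstate to passive mode
+boot.kernelParams = [
+"intel_pstate=passive"
+];
+# Disable frequency boost
+system.activationScripts = {
+disableFrequencyBoost.text = ''
+echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo
+'';
+};
+
+## disable intel_pstate
+#boot.kernelParams = [
+# "intel_pstate=disable"
+#];
+## Disable frequency boost
+#system.activationScripts = {
+# disableFrequencyBoost.text = ''
+# echo 0 > /sys/devices/system/cpu/cpufreq/boost
+# '';
+#};
+}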
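Review bot: The activation script writes `/sys/devices/system/cpu/intel_pstate/no_turbo` unconditionally; on a boot where intel_pstate did not bind (or if the commented `intel_pstate=disable` alternative is ever re-enabled) the file is absent and the redirection fails, which then surfaces as an activation error on every `nixos-rebuild switch`. A guard such as `[ -w /sys/devices/system/cpu/intel_pstate/no_turbo ] && echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo` keeps activation clean and makes the dependency on the driver explicit. The commented-out block at the end mirrors the live one and is better kept in git history than in the file, where it reads as a second, conflicting configuration.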
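--- a/m/eudy/fs.nix
+++ b/m/eudy/fs.nix
@@ -0,0 +1,13 @@
+{ ... }:
+
+{
+fileSystems."/nix" = {
+device = "/dev/disk/by-label/optane";
+fsType = "ext4";
+neededForBoot = true;
+};
+fileSystems."/mnt/data" = {
+device = "/dev/disk/by-label/data";
+fsType = "ext4";
+};
+}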
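--- a/m/eudy/kernel/kernel.nix
+++ b/m/eudy/kernel/kernel.nix
@@ -0,0 +1,70 @@
+{ pkgs, lib, ... }:
+
+let
+#fcs-devel = pkgs.linuxPackages_custom {
+# version = "6.2.8";
+# src = /mnt/data/kernel/fcs/kernel/src;
+# configfile = /mnt/data/kernel/fcs/kernel/configs/defconfig;
+#};
+
+#fcsv1 = fcs-kernel "bc11660676d3d68ce2459b9fb5d5e654e3f413be" false;
+#fcsv2 = fcs-kernel "db0f2eca0cd57a58bf456d7d2c7d5d8fdb25dfb1" false;
+#fcsv1-lockdep = fcs-kernel "bc11660676d3d68ce2459b9fb5d5e654e3f413be" true;
+#fcsv2-lockdep = fcs-kernel "db0f2eca0cd57a58bf456d7d2c7d5d8fdb25dfb1" true;
+#fcs-kernel = gitCommit: lockdep: pkgs.linuxPackages_custom {
+# version = "6.2.8";
+# src = builtins.fetchGit {
+# url = "git@bscpm03.bsc.es:ompss-kernel/linux.git";
+# rev = gitCommit;
+# ref = "fcs";
+# };
+# configfile = if lockdep then ./configs/lockdep else ./configs/defconfig;
+#};
+
+kernel = nixos-fcs;
+
+nixos-fcs-kernel = lib.makeOverridable ({gitCommit, lockStat ? false, preempt ? false, branch ? "fcs"}: pkgs.linuxPackagesFor (pkgs.buildLinux rec {
+version = "6.2.8";
+src = builtins.fetchGit {
+url = "git@bscpm03.bsc.es:ompss-kernel/linux.git";
+rev = gitCommit;
+ref = branch;
+};
+structuredExtraConfig = with lib.kernel; {
+# add general custom kernel options here
+} // lib.optionalAttrs lockStat {
+LOCK_STAT = yes;
+} // lib.optionalAttrs preempt {
+PREEMPT = lib.mkForce yes;
+PREEMPT_VOLUNTARY = lib.mkForce no;
+};
+kernelPatches = [];
+extraMeta.branch = lib.versions.majorMinor version;
+}));
+
+nixos-fcs = nixos-fcs-kernel {gitCommit = "8a09822dfcc8f0626b209d6d2aec8b5da459dfee";};
+nixos-fcs-lockstat = nixos-fcs.override {
+lockStat = true;
+};
+nixos-fcs-lockstat-preempt = nixos-fcs.override {
+lockStat = true;
+preempt = true;
+};
+latest = pkgs.linuxPackages_latest;
+
+in {
+imports = [
+./lttng.nix
+./perf.nix
+];
+boot.kernelPackages = lib.mkForce kernel;
+
+# disable all cpu mitigations
+boot.kernelParams = [
+"mitigations=off"
+];
+
+# enable memory overcommit, needed to build a taglibc system using nix after
+# increasing the openblas memory footprint
+boot.kernel.sysctl."vm.overcommit_memory" = 1;
+}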
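Review bot: `mitigations=off` switches off every CPU vulnerability mitigation (Spectre, Meltdown, MDS and the rest) on a host that carries several user accounts (m/common/base/users.nix, m/eudy/users.nix), and the comment `# disable all cpu mitigations` records what is done but not why or for whom the risk was accepted. Suggest expanding it along the lines of `# disable all cpu mitigations: eudy is a kernel-benchmarking node for the <TEAM> group; do not copy this to multi-tenant hosts`, adjusted to the actual decision, so the next person touching the file knows the trade-off is deliberate. Pinning `src` to a full commit hash is the right call; `nixos-fcs-lockstat`, `nixos-fcs-lockstat-preempt` and `latest` are defined but never selected, which is fine for quick switching but a short comment saying `kernel` is the only binding that matters would save a reader the search.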
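--- a/m/eudy/kernel/lttng.nix
+++ b/m/eudy/kernel/lttng.nix
@@ -0,0 +1,43 @@
+{ config, pkgs, lib, ... }:
+
+let
+
+# The lttng btrfs probe crashes at compile time because of an undefined
+# function. This disables the btrfs tracepoints to avoid the issue.
+
+# Also enable lockdep tracepoints, this is disabled by default because it
+# does not work well on architectures other than x86_64 (i think that arm) as
+# I was told on the mailing list.
+lttng-modules-fixed = config.boot.kernelPackages.lttng-modules.overrideAttrs (finalAttrs: previousAttrs: {
+patchPhase = (lib.optionalString (previousAttrs ? patchPhase) previousAttrs.patchPhase) + ''
+# disable btrfs
+substituteInPlace src/probes/Kbuild \
+--replace " obj-\$(CONFIG_LTTNG) += lttng-probe-btrfs.o" " #obj-\$(CONFIG_LTTNG) += lttng-probe-btrfs.o"
+
+# enable lockdep tracepoints
+substituteInPlace src/probes/Kbuild \
+--replace "#ifneq (\$(CONFIG_LOCKDEP),)" "ifneq (\$(CONFIG_LOCKDEP),)" \
+--replace "# obj-\$(CONFIG_LTTNG) += lttng-probe-lock.o" " obj-\$(CONFIG_LTTNG) += lttng-probe-lock.o" \
+--replace "#endif # CONFIG_LOCKDEP" "endif # CONFIG_LOCKDEP"
+'';
+});
+in {
+
+# add the lttng tools and modules to the system environment
+boot.extraModulePackages = [ lttng-modules-fixed ];
+environment.systemPackages = with pkgs; [
+lttng-tools lttng-ust babeltrace
+];
+
+# start the lttng root daemon to manage kernel events
+systemd.services.lttng-sessiond = {
+wantedBy = [ "multi-user.target" ];
+description = "LTTng session daemon for the root user";
+serviceConfig = {
+User = "root";
+ExecStart = ''
+${pkgs.lttng-tools}/bin/lttng-sessiond
+'';
+};
+};
+}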
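--- a/m/eudy/kernel/perf.nix
+++ b/m/eudy/kernel/perf.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+
+{
+# add the perf tool
+environment.systemPackages = with pkgs; [
+config.boot.kernelPackages.perf
+];
+
+# allow non-root users to read tracing data from the kernel
+boot.kernel.sysctl."kernel.perf_event_paranoid" = -2;
+boot.kernel.sysctl."kernel.kptr_restrict" = 0;
+
+# specify additionl options to the tracefs directory to allow members of the
+# tracing group to access tracefs.
+fileSystems."/sys/kernel/tracing" = {
+options = [
+"mode=755"
+"gid=tracing"
+];
+};
+}
+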
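Review bot: `kernel.perf_event_paranoid = -2` and `kernel.kptr_restrict = 0` lift the restrictions for every user on the host, not only for the `tracing` group the comment names: any account can then profile kernel code and other users' processes, and read unmasked kernel addresses from `/proc/kallsyms`, which removes the protection KASLR gives against local privilege-escalation exploits. As far as I know the kernel treats any value below -1 like -1, so `-2` buys nothing over `-1`; if group-scoped access is the goal, a `security.wrappers` entry granting `CAP_PERFMON` to `perf`, combined with the `gid=tracing` tracefs mount already here, would limit it to that group. The same `kptr_restrict = 0` is set in m/fox/configuration.nix; whichever values are kept, the comment should state the accepted risk, e.g. `# allow non-root users to read tracing data from the kernel (host-wide: exposes kernel addresses and other users' profiles; accepted for this single-purpose node)`.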
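--- a/m/eudy/users.nix
+++ b/m/eudy/users.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+security.sudo.extraRules= [{
+users = [ "arocanon" ];
+commands = [{
+command = "ALL" ;
+options= [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea
+}];
+}];
+}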
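Review bot: The rule grants `arocanon` `ALL` with `NOPASSWD`, i.e. unconditional passwordless root, while the same account is already in `wheel` (m/common/base/users.nix), so the only effect is removing the password prompt; the trailing `# "SETENV" # Adding the following could be a good idea` reads as an open question and should become either a decision or nothing. If the rule stays, a comment explaining why the prompt must go (unattended scripts, the lttng workflow) helps the next reviewer, and if it exists for specific commands, listing those instead of `ALL` narrows it. Minor style: `extraRules= [{` and `options= [` drop the space before `=` that the rest of the tree uses.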
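--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -0,0 +1,112 @@
+{ lib, config, pkgs, ... }:
+
+{
+imports = [
+../common/base.nix
+../common/xeon/console.nix
+../module/amd-uprof.nix
+../module/emulation.nix
+../module/nvidia.nix
+../module/slurm-client.nix
+../module/hut-substituter.nix
+./wireguard.nix
+];
+
+# Don't turn off on August as UPC has different dates.
+# Fox works fine on power cuts.
+systemd.timers.august-shutdown.enable = false;
+
+# Select the this using the ID to avoid mismatches
+boot.loader.grub.device = "/dev/disk/by-id/wwn-0x500a07514b0c1103";
+
+# No swap, there is plenty of RAM
+swapDevices = lib.mkForce [];
+
+boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+boot.kernelModules = [ "kvm-amd" "amd_uncore" "amd_hsmp" ];
+
+hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+hardware.cpu.intel.updateMicrocode = lib.mkForce false;
+
+# Use performance for benchmarks
+powerManagement.cpuFreqGovernor = "performance";
+
+services.amd-uprof.enable = true;
+
+# Disable NUMA balancing
+boot.kernel.sysctl."kernel.numa_balancing" = 0;
+
+# Expose kernel addresses
+boot.kernel.sysctl."kernel.kptr_restrict" = 0;
+
+# Disable NMI watchdog to save one hw counter (for AMD uProf)
+boot.kernel.sysctl."kernel.nmi_watchdog" = 0;
+
+services.openssh.settings.X11Forwarding = true;
+
+services.fail2ban.enable = true;
+
+networking = {
+timeServers = [ "ntp1.upc.edu" "ntp2.upc.edu" ];
+hostName = "fox";
+# UPC network (may change over time, use DHCP)
+# Public IP configuration:
+# - Hostname: fox.ac.upc.edu
+# - IP: 147.83.30.141
+# - Gateway: 147.83.30.130
+# - NetMask: 255.255.255.192
+# Private IP configuration for BMC:
+# - Hostname: fox-ipmi.ac.upc.edu
+# - IP: 147.83.35.27
+# - Gateway: 147.83.35.2
+# - NetMask: 255.255.255.0
+interfaces.enp1s0f0np0.useDHCP = true;
+};
+
+# Recommended for new graphics cards
+hardware.nvidia.open = true;
+
+# Mount NVME disks
+fileSystems."/nvme0" = { device = "/dev/disk/by-label/nvme0"; fsType = "ext4"; };
+fileSystems."/nvme1" = { device = "/dev/disk/by-label/nvme1"; fsType = "ext4"; };
+
+# Mount the NFS home
+fileSystems."/nfs/home" = {
+device = "10.106.0.30:/home";
+fsType = "nfs";
+options = [ "nfsvers=3" "rsize=1024" "wsize=1024" "cto" "nofail" ];
+};
+
+# Make a /nvme{0,1}/$USER directory for each user.
+systemd.services.create-nvme-dirs = let
+# Take only normal users in fox
+users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users;
+commands = lib.concatLists (lib.mapAttrsToList
+(_: user: [
+"install -d -o ${user.name} -g ${user.group} -m 0755 /nvme{0,1}/${user.name}"
+]) users);
+script = pkgs.writeShellScript "create-nvme-dirs.sh" (lib.concatLines commands);
+in {
+enable = true;
+wants = [ "local-fs.target" ];
+after = [ "local-fs.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig.ExecStart = script;
+};
+
+# Only allow SSH connections from users who have a SLURM allocation
+# See: https://slurm.schedmd.com/pam_slurm_adopt.html
+security.pam.services.sshd.rules.account.slurm = {
+control = "required";
+enable = true;
+modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
+args = [ "log_level=debug5" ];
+order = 999999; # Make it last one
+};
+
+# Disable systemd session (pam_systemd.so) as it will conflict with the
+# pam_slurm_adopt.so module. What happens is that the shell is first adopted
+# into the slurmstepd task and then into the systemd session, which is not
+# what we want, otherwise it will linger even if all jobs are gone.
+security.pam.services.sshd.startSession = lib.mkForce false;
+}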
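Review bot: `args = [ "log_level=debug5" ]` leaves pam_slurm_adopt at its most verbose level in the production PAM stack, which floods the auth log on every SSH login and buries the entries fail2ban and an incident responder actually need; drop the argument, or lower it, once the setup is verified. In `create-nvme-dirs`, `${user.group}` is interpolated straight into `install -g`, so a user defined without `group` would produce an empty argument and the whole script would fail for every user after it (what the NixOS default yields for `group` is worth checking); a comment stating that every user is expected to set `group`, or a filter that also requires `v.group != ""`, makes the assumption explicit. `kptr_restrict = 0` here shares the concern raised on m/eudy/kernel/perf.nix.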
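--- a/m/fox/wireguard.nix
+++ b/m/fox/wireguard.nix
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+{
+networking.firewall = {
+allowedUDPPorts = [ 666 ];
+};
+
+age.secrets.wgFox.file = ../../secrets/wg-fox.age;
+
+networking.wireguard.enable = true;
+networking.wireguard.interfaces = {
+# "wg0" is the network interface name. You can name the interface arbitrarily.
+wg0 = {
+# Determines the IP address and subnet of the server's end of the tunnel interface.
+ips = [ "10.106.0.1/24" ];
+
+# The port that WireGuard listens to. Must be accessible by the client.
+listenPort = 666;
+
+# Path to the private key file.
+privateKeyFile = config.age.secrets.wgFox.path;
+# Public key: VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=
+
+peers = [
+# List of allowed peers.
+{
+name = "apex";
+publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
+# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+allowedIPs = [ "10.106.0.30/32" "10.0.40.7/32" ];
+}
+{
+name = "raccoon";
+publicKey = "QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI=";
+allowedIPs = [ "10.106.0.236/32" "192.168.0.0/16" "10.0.44.0/24" ];
+}
+];
+};
+};
+
+networking.hosts = {
+"10.106.0.30" = [ "apex" ];
+"10.0.40.7" = [ "hut" ];
+"10.106.0.236" = [ "raccoon" ];
+"10.0.44.4" = [ "tent" ];
+};
+
+networking.firewall = {
+extraCommands = ''
+# Accept slurm connections to slurmd from apex (via wireguard)
+iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.30/32 -d 10.106.0.1/32 --dport 6818 -j nixos-fw-accept
+'';
+};
+}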
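Review bot: The `raccoon` peer's `allowedIPs` of `"192.168.0.0/16"` and `"10.0.44.0/24"` is far wider than the single tunnel address `apex` gets, and with WireGuard's cryptokey routing that peer may source packets from any address in those ranges into this host; nothing in the hunk says why two private ranges are routed through raccoon. Add a comment above that line naming the networks behind it (`# raccoon also forwards the <site> LANs behind it — TODO confirm`) and, if only `tent` (10.0.44.4) is needed, narrow the second range to that host. The `nixos-fw` rule at the bottom already filters on `-i wg0 -s 10.106.0.30/32`, so slurmd is unaffected, but any other service bound on wg0 is not. As a style point, `networking.firewall` is defined twice in this file; merging both definitions into one attribute set would make the file easier to scan.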
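--- a/m/hut/blackbox.yml
+++ b/m/hut/blackbox.yml
@@ -0,0 +1,14 @@
+modules:
+http_2xx:
+prober: http
+timeout: 5s
+http:
+follow_redirects: true
+preferred_ip_protocol: "ip4"
+valid_status_codes: [] # Defaults to 2xx
+method: GET
+icmp:
+prober: icmp
+timeout: 5s
+icmp:
+preferred_ip_protocol: "ip4"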
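--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, lib, ... }:
+
+{
+imports = [
+../common/ssf.nix
+
+../module/ceph.nix
+../module/debuginfod.nix
+../module/emulation.nix
+./gitlab-runner.nix
+./monitoring.nix
+./nfs.nix
+./nix-serve.nix
+./public-inbox.nix
+./gitea.nix
+./msmtp.nix
+./postgresql.nix
+./nginx.nix
+./p.nix
+#./pxe.nix
+];
+
+# Select the this using the ID to avoid mismatches
+boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53567f";
+
+fileSystems = {
+"/" = lib.mkForce {
+device = "/dev/disk/by-label/nvme";
+fsType = "ext4";
+neededForBoot = true;
+options = [ "noatime" ];
+};
+
+"/boot" = lib.mkForce {
+device = "/dev/disk/by-label/nixos-boot";
+fsType = "ext4";
+neededForBoot = true;
+};
+};
+
+networking = {
+hostName = "hut";
+interfaces.eno1.ipv4.addresses = [ {
+address = "10.0.40.7";
+prefixLength = 24;
+} ];
+interfaces.ibp5s0.ipv4.addresses = [ {
+address = "10.0.42.7";
+prefixLength = 24;
+} ];
+firewall = {
+extraCommands = ''
+# Accept all proxy traffic from compute nodes but not the login
+iptables -A nixos-fw -p tcp -s 10.0.40.30 --dport 23080 -j nixos-fw-log-refuse
+iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 23080 -j nixos-fw-accept
+'';
+# Flush all rules and chains on stop so it won't break on start
+extraStopCommands = ''
+iptables -F
+iptables -X
+'';
+};
+};
+
+# Allow proxy to bind to the ethernet interface
+services.openssh.settings.GatewayPorts = "clientspecified";
+}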
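Review bot: `extraStopCommands` runs `iptables -F` and `iptables -X` with no chain argument, which flushes and deletes every chain in the filter table rather than just the `nixos-fw` rules above; on stop and across a firewall reload that also removes the `FORWARD` rule m/hut/gitlab-runner.nix inserts for `docker0` and any DOCKER chains, and leaves the host on the default ACCEPT policy until the start script has run. The start-time failure the comment alludes to is presumably the `FORWARD` rule still referencing `nixos-fw-log-refuse` when NixOS tries to delete that chain; deleting that one rule is enough: `iptables -D FORWARD -p all -i docker0 -j nixos-fw-log-refuse 2>/dev/null || true`. Also worth a comment next to `GatewayPorts = "clientspecified"`: any SSH user can then bind a remote forward on 10.0.40.7, and the accept rule for `10.0.40.0/24 --dport 23080` does not tie that port to a particular user.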
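--- a/m/hut/gitea.nix
+++ b/m/hut/gitea.nix
@@ -0,0 +1,63 @@
+{ config, lib, ... }:
+{
+age.secrets.giteaRunnerToken.file = ../../secrets/gitea-runner-token.age;
+
+services.gitea = {
+enable = true;
+appName = "Gitea in the jungle";
+
+settings = {
+server = {
+ROOT_URL = "https://jungle.bsc.es/git/";
+LOCAL_ROOT_URL = "https://jungle.bsc.es/git/";
+LANDING_PAGE = "explore";
+};
+metrics.ENABLED = true;
+service = {
+REGISTER_MANUAL_CONFIRM = true;
+ENABLE_NOTIFY_MAIL = true;
+};
+log.LEVEL = "Warn";
+
+mailer = {
+ENABLED = true;
+FROM = "jungle-robot@bsc.es";
+PROTOCOL = "sendmail";
+SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
+SENDMAIL_ARGS = "--";
+};
+};
+};
+
+services.gitea-actions-runner.instances = {
+runrun = {
+enable = true;
+name = "runrun";
+url = "https://jungle.bsc.es/git/";
+tokenFile = config.age.secrets.giteaRunnerToken.path;
+labels = [ "native:host" ];
+settings.runner.capacity = 8;
+};
+};
+
+systemd.services.gitea-runner-runrun = {
+path = [ "/run/current-system/sw" ];
+serviceConfig = {
+# DynamicUser doesn't work well with SSH
+DynamicUser = lib.mkForce false;
+User = "gitea-runner";
+Group = "gitea-runner";
+};
+};
+
+users.users.gitea-runner = {
+isSystemUser = true;
+home = "/var/lib/gitea-runner";
+description = "Gitea Runner";
+group = "gitea-runner";
+extraGroups = [ "docker" ];
+createHome = true;
+};
+users.groups.gitea-runner = {};
+}
+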
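Review bot: The `runrun` runner is labelled `native:host`, so workflows execute directly on this host as `gitea-runner`, and that user is put in `docker` via `extraGroups = [ "docker" ]`; membership in the docker group is root-equivalent on the host, so every repository allowed to run Actions inherits that. Document the trust boundary next to the label, e.g. `# native:host + docker group: only trusted repos may run Actions on this runner`, or drop `docker` from `extraGroups` if the host label does not need it. Separately, `metrics.ENABLED = true` without `metrics.TOKEN` leaves `/metrics` unauthenticated, and the `/git` proxy in m/hut/nginx.nix makes it reachable from outside; setting `metrics.TOKEN` (with the matching `bearer_token_file` on the Prometheus `gitea` job in m/hut/monitoring.nix) would close that without losing the scrape.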
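--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -0,0 +1,126 @@
+{ pkgs, lib, config, ... }:
+
+{
+age.secrets.gitlab-pm-shell.file = ../../secrets/gitlab-runner-shell-token.age;
+age.secrets.gitlab-pm-docker.file = ../../secrets/gitlab-runner-docker-token.age;
+age.secrets.gitlab-bsc-docker.file = ../../secrets/gitlab-bsc-docker-token.age;
+
+services.gitlab-runner = {
+enable = true;
+settings.concurrent = 5;
+services = let
+common-shell = {
+executor = "shell";
+environmentVariables = {
+SHELL = "${pkgs.bash}/bin/bash";
+};
+};
+common-docker = {
+executor = "docker";
+dockerImage = "debian:stable";
+registrationFlags = [
+"--docker-network-mode host"
+];
+environmentVariables = {
+https_proxy = "http://hut:23080";
+http_proxy = "http://hut:23080";
+};
+};
+in {
+# For pm.bsc.es/gitlab
+gitlab-pm-shell = common-shell // {
+authenticationTokenConfigFile = config.age.secrets.gitlab-pm-shell.path;
+};
+gitlab-pm-docker = common-docker // {
+authenticationTokenConfigFile = config.age.secrets.gitlab-pm-docker.path;
+};
+
+gitlab-bsc-docker = {
+# gitlab.bsc.es still uses the old token mechanism
+registrationConfigFile = config.age.secrets.gitlab-bsc-docker.path;
+tagList = [ "docker" "hut" ];
+environmentVariables = {
+# We cannot access the hut local interface from docker, so we connect
+# to hut directly via the ethernet one.
+https_proxy = "http://hut:23080";
+http_proxy = "http://hut:23080";
+};
+executor = "docker";
+dockerImage = "alpine";
+dockerVolumes = [
+"/nix/store:/nix/store:ro"
+"/nix/var/nix/db:/nix/var/nix/db:ro"
+"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+];
+dockerExtraHosts = [
+# Required to pass the proxy via hut
+"hut:10.0.40.7"
+];
+dockerDisableCache = true;
+registrationFlags = [
+# Increase build log length to 64 MiB
+"--output-limit 65536"
+];
+preBuildScript = pkgs.writeScript "setup-container" ''
+mkdir -p -m 0755 /nix/var/log/nix/drvs
+mkdir -p -m 0755 /nix/var/nix/gcroots
+mkdir -p -m 0755 /nix/var/nix/profiles
+mkdir -p -m 0755 /nix/var/nix/temproots
+mkdir -p -m 0755 /nix/var/nix/userpool
+mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+mkdir -p -m 0700 "$HOME/.nix-defexpr"
+mkdir -p -m 0700 "$HOME/.ssh"
+cat > "$HOME/.ssh/config" << EOF
+Host bscpm04.bsc.es gitlab-internal.bsc.es
+User git
+ProxyCommand nc -X connect -x hut:23080 %h %p
+Host amdlogin1.bsc.es armlogin1.bsc.es hualogin1.bsc.es glogin1.bsc.es glogin2.bsc.es fpgalogin1.bsc.es
+ProxyCommand nc -X connect -x hut:23080 %h %p
+EOF
+cat >> "$HOME/.ssh/known_hosts" << EOF
+bscpm04.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT
+gitlab-internal.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3
+EOF
+. ${pkgs.nix}/etc/profile.d/nix-daemon.sh
+# Required to load SSL certificate paths
+. ${pkgs.cacert}/nix-support/setup-hook
+'';
+environmentVariables = {
+ENV = "/etc/profile";
+USER = "root";
+NIX_REMOTE = "daemon";
+PATH = "${config.system.path}/bin:/bin:/sbin:/usr/bin:/usr/sbin";
+};
+};
+};
+};
+
+# DOCKER* chains are useless, override at FORWARD and nixos-fw
+networking.firewall.extraCommands = ''
+# Don't forward any traffic from docker
+iptables -I FORWARD 1 -p all -i docker0 -j nixos-fw-log-refuse
+
+# Allow incoming traffic from docker to 23080
+iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j ACCEPT
+'';
+
+#systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash";
+systemd.services.gitlab-runner.serviceConfig.DynamicUser = lib.mkForce false;
+systemd.services.gitlab-runner.serviceConfig.User = "gitlab-runner";
+systemd.services.gitlab-runner.serviceConfig.Group = "gitlab-runner";
+systemd.services.gitlab-runner.serviceConfig.ExecStart = lib.mkForce
+''${pkgs.gitlab-runner}/bin/gitlab-runner run --config ''${HOME}/.gitlab-runner/config.toml --listen-address "127.0.0.1:9252" --working-directory ''${HOME}'';
+
+users.users.gitlab-runner = {
+uid = config.ids.uids.gitlab-runner;
+#isNormalUser = true;
+home = "/var/lib/gitlab-runner";
+description = "Gitlab Runner";
+group = "gitlab-runner";
+extraGroups = [ "docker" ];
+createHome = true;
+};
+users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner;
+}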
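Review bot: The `gitlab-bsc-docker` runner bind-mounts `/nix/var/nix/daemon-socket` into the job container and the job runs as `USER = "root"` with `NIX_REMOTE = "daemon"`; unless docker user-namespace remapping is in effect — nothing here shows it — the host nix-daemon sees the connecting uid as 0, which is a trusted user by default, so a CI job can add unsigned store paths and override daemon settings on this host. Run jobs as an unprivileged uid inside the image (create one in `preBuildScript` and point `USER` at it) so the daemon treats them as an ordinary client, and record the assumption above `dockerVolumes`: `# daemon socket is shared with jobs: the job's uid decides what nix-daemon trusts`. `gitlab-pm-shell` uses the `shell` executor, so its jobs run directly as `gitlab-runner`, and `extraGroups = [ "docker" ]` makes that user root-equivalent on the host — the same trust-boundary question as for the runner in m/hut/gitea.nix and worth a comment on the `extraGroups` line. Pinning `known_hosts` for the two GitLab hosts in `preBuildScript` is a good touch and should stay.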
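--- a/m/hut/gpfs-probe.nix
+++ b/m/hut/gpfs-probe.nix
@@ -0,0 +1,31 @@
+{ pkgs, config, lib, ... }:
+let
+gpfs-probe-script = pkgs.runCommand "gpfs-probe.sh" { }
+''
+cp ${./gpfs-probe.sh} $out;
+chmod +x $out
+''
+;
+in
+{
+# Use a new user to handle the SSH keys
+users.groups.ssh-robot = { };
+users.users.ssh-robot = {
+description = "SSH Robot";
+isNormalUser = true;
+home = "/var/lib/ssh-robot";
+};
+
+systemd.services.gpfs-probe = {
+description = "Daemon to report GPFS latency via SSH";
+path = [ pkgs.openssh pkgs.netcat ];
+after = [ "network.target" ];
+wantedBy = [ "default.target" ];
+serviceConfig = {
+Type = "simple";
+ExecStart = "${pkgs.socat}/bin/socat TCP4-LISTEN:9966,fork EXEC:${gpfs-probe-script}";
+User = "ssh-robot";
+Group = "ssh-robot";
+};
+};
+}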
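Review bot: `socat TCP4-LISTEN:9966,fork EXEC:…` binds on every interface, while the only consumer is the Prometheus job in m/hut/monitoring.nix scraping `127.0.0.1:9966`; each accepted connection forks an SSH login to glogin2 with the ssh-robot key and `fork` has no concurrency cap, so any host that can reach port 9966 can drive that login at will. Bind to loopback and cap the children: `ExecStart = "${pkgs.socat}/bin/socat TCP4-LISTEN:9966,bind=127.0.0.1,fork,max-children=4 EXEC:${gpfs-probe-script}";`. Two smaller points: `pkgs.netcat` in `path` is not used by the script, and `isNormalUser = true` makes `ssh-robot` match the `filterAttrs (_: v: v.isNormalUser)` in m/hut/p.nix, so it gets a paste directory it never needs — `isSystemUser = true` with `createHome = true` is presumably what was intended.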
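--- a/m/hut/gpfs-probe.sh
+++ b/m/hut/gpfs-probe.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+N=500
+
+t=$(timeout 5 ssh bsc015557@glogin2.bsc.es "timeout 3 command time -f %e touch /gpfs/projects/bsc15/bsc015557/gpfs.{1..$N} 2>&1; rm -f /gpfs/projects/bsc15/bsc015557/gpfs.{1..$N}")
+
+if [ -z "$t" ]; then
+t="5.00"
+fi
+
+cat <<EOF
+HTTP/1.1 200 OK
+Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=values
+
+# HELP gpfs_touch_latency Time to create $N files.
+# TYPE gpfs_touch_latency gauge
+gpfs_touch_latency $t
+EOF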
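Review bot: `$t` is whatever the remote command wrote to stdout and stderr (`2>&1`), so an SSH, `timeout` or GPFS error message ends up in the `gpfs_touch_latency $t` sample line and makes Prometheus reject the whole scrape, while the `-z` test only catches the empty case. Validate it as a number before use, replacing the `if` with `case "$t" in ""|*[!0-9.]*) t="5.00";; esac`, and consider a separate `gpfs_probe_ok` gauge so a failed probe is distinguishable from a genuine 5 s result. The response is written without reading the HTTP request, which is fine for a Prometheus scrape but deserves a one-line comment above `cat <<EOF`.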
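--- a/m/hut/monitoring.nix
+++ b/m/hut/monitoring.nix
@@ -0,0 +1,272 @@
+{ config, lib, ... }:
+
+{
+imports = [
+../module/slurm-exporter.nix
+../module/meteocat-exporter.nix
+../module/upc-qaire-exporter.nix
+./gpfs-probe.nix
+../module/nix-daemon-exporter.nix
+];
+
+age.secrets.grafanaJungleRobotPassword = {
+file = ../../secrets/jungle-robot-password.age;
+owner = "grafana";
+mode = "400";
+};
+
+age.secrets.ipmiYml.file = ../../secrets/ipmi.yml.age;
+
+services.grafana = {
+enable = true;
+settings = {
+server = {
+domain = "jungle.bsc.es";
+root_url = "%(protocol)s://%(domain)s/grafana";
+serve_from_sub_path = true;
+http_port = 2342;
+http_addr = "127.0.0.1";
+};
+smtp = {
+enabled = true;
+from_address = "jungle-robot@bsc.es";
+user = "jungle-robot";
+# Read the password from a file, which is only readable by grafana user
+# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
+password = "$__file{${config.age.secrets.grafanaJungleRobotPassword.path}}";
+host = "mail.bsc.es:465";
+startTLS_policy = "NoStartTLS";
+};
+feature_toggles.publicDashboards = true;
+"auth.anonymous".enabled = true;
+log.level = "warn";
+};
+};
+
+# Make grafana alerts also use the proxy
+systemd.services.grafana.environment = config.networking.proxy.envVars;
+
+services.prometheus = {
+enable = true;
+port = 9001;
+retentionTime = "5y";
+listenAddress = "127.0.0.1";
+};
+
+systemd.services.prometheus-ipmi-exporter.serviceConfig.DynamicUser = lib.mkForce false;
+systemd.services.prometheus-ipmi-exporter.serviceConfig.PrivateDevices = lib.mkForce false;
+
+# We need access to the devices to monitor the disk space
+systemd.services.prometheus-node-exporter.serviceConfig.PrivateDevices = lib.mkForce false;
+systemd.services.prometheus-node-exporter.serviceConfig.ProtectHome = lib.mkForce "read-only";
+
+virtualisation.docker.daemon.settings = {
+metrics-addr = "127.0.0.1:9323";
+};
+
+# Required to allow the smartctl exporter to read the nvme0 character device,
+# see the commit message on:
+# https://github.com/NixOS/nixpkgs/commit/12c26aca1fd55ab99f831bedc865a626eee39f80
+services.udev.extraRules = ''
+SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", GROUP="disk"
+'';
+
+services.prometheus = {
+
+exporters = {
+ipmi = {
+enable = true;
+group = "root";
+user = "root";
+configFile = config.age.secrets.ipmiYml.path;
+# extraFlags = [ "--log.level=debug" ];
+listenAddress = "127.0.0.1";
+};
+node = {
+enable = true;
+enabledCollectors = [ "systemd" "logind" ];
+port = 9002;
+listenAddress = "127.0.0.1";
+};
+smartctl = {
+enable = true;
+listenAddress = "127.0.0.1";
+};
+blackbox = {
+enable = true;
+listenAddress = "127.0.0.1";
+configFile = ./blackbox.yml;
+};
+};
+
+scrapeConfigs = [
+{
+job_name = "xeon07";
+static_configs = [{
+targets = [
+"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
+"127.0.0.1:${toString config.services.prometheus.exporters.ipmi.port}"
+"127.0.0.1:9323"
+"127.0.0.1:9252"
+"127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}"
+"127.0.0.1:9341" # Slurm exporter
+"127.0.0.1:9966" # GPFS custom exporter
+"127.0.0.1:9999" # Nix-daemon custom exporter
+"127.0.0.1:9929" # Meteocat custom exporter
+"127.0.0.1:9928" # UPC Qaire custom exporter
+"127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}"
+];
+}];
+}
+{
+job_name = "ceph";
+static_configs = [{
+targets = [
+"10.0.40.40:9283" # Ceph statistics
+"10.0.40.40:9002" # Node exporter
+"10.0.40.42:9002" # Node exporter
+];
+}];
+}
+{
+job_name = "blackbox-http";
+metrics_path = "/probe";
+params = { module = [ "http_2xx" ]; };
+static_configs = [{
+targets = [
+"https://www.google.com/robots.txt"
+"https://pm.bsc.es/"
+"https://pm.bsc.es/gitlab/"
+"https://jungle.bsc.es/"
+"https://gitlab.bsc.es/"
+];
+}];
+relabel_configs = [
+{
+# Takes the address and sets it in the "target=<xyz>" URL parameter
+source_labels = [ "__address__" ];
+target_label = "__param_target";
+}
+{
+# Sets the "instance" label with the remote host we are querying
+source_labels = [ "__param_target" ];
+target_label = "instance";
+}
+{
+# Shows the host target address instead of the blackbox address
+target_label = "__address__";
+replacement = "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}";
+}
+];
+}
+{
+job_name = "blackbox-icmp";
+metrics_path = "/probe";
+params = { module = [ "icmp" ]; };
+static_configs = [{
+targets = [
+"1.1.1.1"
+"8.8.8.8"
+"ssfhead"
+"anella-bsc.cesca.cat"
+"upc-anella.cesca.cat"
+"fox.ac.upc.edu"
+"arenys5.ac.upc.edu"
+];
+}];
+relabel_configs = [
+{
+# Takes the address and sets it in the "target=<xyz>" URL parameter
+source_labels = [ "__address__" ];
+target_label = "__param_target";
+}
+{
+# Sets the "instance" label with the remote host we are querying
+source_labels = [ "__param_target" ];
+target_label = "instance";
+}
+{
+# Shows the host target address instead of the blackbox address
+target_label = "__address__";
+replacement = "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}";
+}
+];
+}
+{
+job_name = "gitea";
+static_configs = [{ targets = [ "127.0.0.1:3000" ]; }];
+}
+{
+# Scrape the IPMI info of the hosts remotely via LAN
+job_name = "ipmi-lan";
+scrape_interval = "1m";
+scrape_timeout = "30s";
+metrics_path = "/ipmi";
+scheme = "http";
+relabel_configs = [
+{
+# Takes the address and sets it in the "target=<xyz>" URL parameter
+source_labels = [ "__address__" ];
+separator = ";";
+regex = "(.*)(:80)?";
+target_label = "__param_target";
+replacement = "\${1}";
+action = "replace";
+}
+{
+# Sets the "instance" label with the remote host we are querying
+source_labels = [ "__param_target" ];
+separator = ";";
+regex = "(.*)-ipmi"; # Remove "-ipm̀i" at the end
+target_label = "instance";
+replacement = "\${1}";
+action = "replace";
+}
+{
+# Sets the fixed "module=lan" URL param
+separator = ";";
+regex = "(.*)";
+target_label = "__param_module";
+replacement = "lan";
+action = "replace";
+}
+{
+# Sets the target to query as the localhost IPMI exporter
+separator = ";";
+regex = ".*";
+target_label = "__address__";
+replacement = "127.0.0.1:9290";
+action = "replace";
+}
+];
+
+# Load the list of targets from another file
+file_sd_configs = [
+{
+files = [ "${./targets.yml}" ];
+refresh_interval = "30s";
+}
+];
+}
+{
+job_name = "ipmi-raccoon";
+metrics_path = "/ipmi";
+static_configs = [
+{ targets = [ "127.0.0.1:9291" ]; }
+];
+params = {
+target = [ "84.88.51.142" ];
+module = [ "raccoon" ];
+};
+}
+{
+job_name = "raccoon";
+static_configs = [
+{
+targets = [ "127.0.0.1:19002" ]; # Node exporter
+}
+];
+}
+];
+};
+}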
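Review bot: `"auth.anonymous".enabled = true` turns on unauthenticated Grafana access without pinning the role, so the instance relies on Grafana's default of `Viewer`; set `"auth.anonymous".org_role = "Viewer";` next to it and add a comment that the dashboards are meant to be public, which `feature_toggles.publicDashboards` suggests is the intent. In the `ipmi-lan` job the regex `"(.*)(:80)?"` never strips a port: the greedy `(.*)` consumes it and the optional group matches empty, so `__param_target` would keep `:80` if a target ever carried one (today m/hut/targets.yml has none, so this is latent). `ProtectHome = "read-only"` on the node exporter has no why-comment, unlike the `PrivateDevices` line above it; presumably it is for the filesystem collector on the home mounts — confirm and document, since it widens what the exporter can read.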
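--- a/m/hut/msmtp.nix
+++ b/m/hut/msmtp.nix
@@ -0,0 +1,24 @@
+{ config, lib, ... }:
+{
+age.secrets.jungleRobotPassword = {
+file = ../../secrets/jungle-robot-password.age;
+group = "gitea";
+mode = "440";
+};
+
+programs.msmtp = {
+enable = true;
+accounts = {
+default = {
+auth = true;
+tls = true;
+tls_starttls = false;
+port = 465;
+host = "mail.bsc.es";
+user = "jungle-robot";
+passwordeval = "cat ${config.age.secrets.jungleRobotPassword.path}";
+from = "jungle-robot@bsc.es";
+};
+};
+};
+}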
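--- a/m/hut/nginx.nix
+++ b/m/hut/nginx.nix
@@ -0,0 +1,76 @@
+{ theFlake, pkgs, ... }:
+let
+website = pkgs.stdenv.mkDerivation {
+name = "jungle-web";
+src = pkgs.fetchgit {
+url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
+rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
+hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
+};
+buildInputs = [ pkgs.hugo ];
+buildPhase = ''
+rm -rf public/
+hugo
+'';
+installPhase = ''
+cp -r public $out
+'';
+# Don't mess doc/
+dontFixup = true;
+};
+in
+{
+networking.firewall.allowedTCPPorts = [ 80 ];
+services.nginx = {
+enable = true;
+virtualHosts."jungle.bsc.es" = {
+root = "${website}";
+listen = [
+{
+addr = "0.0.0.0";
+port = 80;
+}
+];
+extraConfig = ''
+set_real_ip_from 127.0.0.1;
+set_real_ip_from 84.88.52.107;
+real_ip_recursive on;
+real_ip_header X-Forwarded-For;
+
+location /git {
+rewrite ^/git$ / break;
+rewrite ^/git/(.*) /$1 break;
+proxy_pass http://127.0.0.1:3000;
+proxy_redirect http:// $scheme://;
+}
+location /cache {
+rewrite ^/cache/(.*) /$1 break;
+proxy_pass http://127.0.0.1:5000;
+proxy_redirect http:// $scheme://;
+}
+location /lists {
+proxy_pass http://127.0.0.1:8081;
+proxy_redirect http:// $scheme://;
+}
+location /grafana {
+proxy_pass http://127.0.0.1:2342;
+proxy_redirect http:// $scheme://;
+proxy_set_header Host $host;
+# Websockets
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+}
+location ~ ^/~(.+?)(/.*)?$ {
+alias /ceph/home/$1/public_html$2;
+index index.html index.htm;
+autoindex on;
+absolute_redirect off;
+}
+location /p/ {
+alias /ceph/p/;
+}
+'';
+};
+};
+}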
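Review bot: The `location ~ ^/~(.+?)(/.*)?$` block serves `/ceph/home/$1/public_html$2` with `autoindex on`, and nothing stops a user from dropping a symlink in `public_html` that points at any file the nginx worker can read elsewhere on /ceph (other users' group- or world-readable data); adding `disable_symlinks if_not_owner from=/ceph/home;` inside that location makes nginx follow only links owned by the same user. The `/p/` alias serves pastes with the MIME type nginx derives from the user-chosen extension (see m/hut/p.nix), so an `.html` or `.svg` paste runs as script on the same origin as `/git` and `/grafana`; serving that location with `types { } default_type text/plain;` keeps pastes inert. `proxy_redirect http:// $scheme://;` is a no-op here because this vhost only listens on port 80, so `$scheme` is always `http`; TLS presumably terminates at 84.88.52.107, which is worth stating in a comment next to the `set_real_ip_from` lines.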
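--- a/m/hut/nix-serve.nix
+++ b/m/hut/nix-serve.nix
@@ -0,0 +1,16 @@
+{ config, ... }:
+
+{
+age.secrets.nixServe.file = ../../secrets/nix-serve.age;
+
+services.nix-serve = {
+enable = true;
+# Only listen locally, as we serve it via ssh
+bindAddress = "127.0.0.1";
+port = 5000;
+
+secretKeyFile = config.age.secrets.nixServe.path;
+# Public key:
+# jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=
+};
+}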
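Review bot: The comment `# Only listen locally, as we serve it via ssh` no longer matches the deployment: m/hut/nginx.nix in this same commit proxies `/cache` to `127.0.0.1:5000`, so the binary cache is reachable over plain HTTP on jungle.bsc.es. Change it to `# Listen locally; exposed read-only through nginx at /cache` so the next reader does not assume SSH is the only path in. Integrity is still covered by the signing key and the public key quoted below, so the exposure is a question of who may enumerate and download store paths, not of tampering.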
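--- a/m/hut/p.nix
+++ b/m/hut/p.nix
@@ -0,0 +1,43 @@
+{ pkgs, lib, config, ... }:
+let
+p = pkgs.writeShellScriptBin "p" ''
+set -e
+cd /ceph
+pastedir="p/$USER"
+mkdir -p "$pastedir"
+
+ext="txt"
+
+if [ -n "$1" ]; then
+ext="$1"
+fi
+
+out=$(mktemp "$pastedir/XXXXXXXX.$ext")
+
+cat > "$out"
+chmod go+r "$out"
+echo "https://jungle.bsc.es/$out"
+'';
+in
+{
+environment.systemPackages = with pkgs; [ p ];
+
+# Make sure we have a directory per user. We cannot use the nice
+# systemd-tmpfiles-setup.service service because this is a remote FS, and it
+# may not be mounted when it runs.
+systemd.services.create-paste-dirs = let
+# Take only normal users in hut
+users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users;
+commands = lib.concatLists (lib.mapAttrsToList
+(_: user: [
+"install -d -o ${user.name} -g ${user.group} -m 0755 /ceph/p/${user.name}"
+]) users);
+script = pkgs.writeShellScript "create-paste-dirs.sh" (lib.concatLines commands);
+in {
+enable = true;
+wants = [ "remote-fs.target" ];
+after = [ "remote-fs.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig.ExecStart = script;
+};
+}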
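Review bot: `ext="$1"` goes unvalidated into the `mktemp` template, and the file it creates is served by nginx from `/p/` with a content type chosen by that extension, so a paste ending in `.html` or `.svg` executes as script on the jungle.bsc.es origin shared with Gitea and Grafana; restrict it in the script with `case "$ext" in *[!A-Za-z0-9_]*) echo "p: bad extension" >&2; exit 1;; esac` before `mktemp`, and serve `/p/` as plain text in m/hut/nginx.nix. As far as I can tell `mktemp` refuses a `/` in the part after the X's, so escaping `p/$USER` is already blocked, but that is a property of `mktemp` rather than a stated check — the `case` above makes it explicit. The `create-paste-dirs` unit repeats the `create-nvme-dirs` pattern from m/fox/configuration.nix almost line for line; a small shared function taking the base directory and target unit would keep the two in step.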
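--- a/m/hut/postgresql.nix
+++ b/m/hut/postgresql.nix
@@ -0,0 +1,19 @@
+{ lib, ... }:
+
+{
+services.postgresql = {
+enable = true;
+ensureDatabases = [ "perftestsdb" ];
+ensureUsers = [
+{ name = "anavarro"; ensureClauses.superuser = true; }
+{ name = "rarias"; ensureClauses.superuser = true; }
+{ name = "grafana"; }
+];
+authentication = ''
+#type database DBuser auth-method
+local perftestsdb rarias trust
+local perftestsdb anavarro trust
+local perftestsdb grafana trust
+'';
+};
+}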
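Review bot: The three `local perftestsdb … trust` lines authenticate on the claimed database user alone, so any local OS account that can open the Unix socket — including `gitlab-runner` and `gitea-runner`, which execute CI jobs on this host — can connect as `rarias` or `anavarro`, both created with `ensureClauses.superuser = true`, and a PostgreSQL superuser amounts to code execution as the `postgres` system user. Since the database user names match the OS user names here, `peer` gives the same passwordless convenience without that gap: `local perftestsdb rarias peer`, `local perftestsdb anavarro peer`, `local perftestsdb grafana peer`. If Grafana reaches the database over TCP rather than the socket it will need its own `host` line with `scram-sha-256`, which this hunk does not show.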
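--- a/m/hut/public-inbox.css
+++ b/m/hut/public-inbox.css
@@ -0,0 +1,79 @@
+/*
+* CC0-1.0 <https://creativecommons.org/publicdomain/zero/1.0/legalcode>
+* Dark color scheme using 216 web-safe colors, inspired
+* somewhat by the default color scheme in mutt.
+* It reduces eyestrain for me, and energy usage for all:
+* https://en.wikipedia.org/wiki/Light-on-dark_color_scheme
+*/
+
+* {
+font-size: 14px;
+font-family: monospace;
+}
+
+pre {
+white-space: pre-wrap;
+padding: 10px;
+background: #f5f5f5;
+}
+
+hr {
+margin: 30px 0;
+}
+
+body {
+max-width: 120ex; /* 120 columns wide */
+margin: 50px auto;
+}
+
+/*
+* Underlined links add visual noise which make them hard-to-read.
+* Use colors to make them stand out, instead.
+*/
+a:link {
+color: #007;
+text-decoration: none;
+}
+a:visited {
+color:#504;
+}
+a:hover {
+text-decoration: underline;
+}
+
+/* quoted text in emails gets a different color */
+*.q { color:gray }
+
+/*
+* these may be used with cgit <https://git.zx2c4.com/cgit/>, too.
+* (cgit uses <div>, public-inbox uses <span>)
+*/
+*.add { color:darkgreen } /* diff post-image lines */
+*.del { color:darkred } /* diff pre-image lines */
+*.head { color:black } /* diff header (metainformation) */
+*.hunk { color:gray } /* diff hunk-header */
+
+/*
+* highlight 3.x colors (tested 3.18) for displaying blobs.
+* This doesn't use most of the colors available, as I find too
+* many colors overwhelming, so the default is commented out.
+*/
+.hl.num { color:#f30 } /* number */
+.hl.esc { color:#f0f } /* escape character */
+.hl.str { color:#f30 } /* string */
+.hl.ppc { color:#f0f } /* preprocessor */
+.hl.pps { color:#f30 } /* preprocessor string */
+.hl.slc { color:#09f } /* single-line comment */
+.hl.com { color:#09f } /* multi-line comment */
+/* .hl.opt { color:#ccc } */ /* operator */
+/* .hl.ipl { color:#ccc } */ /* interpolation */
+
+/* keyword groups kw[a-z] */
+.hl.kwa { color:#ff0 }
+.hl.kwb { color:#0f0 }
+.hl.kwc { color:#ff0 }
+/* .hl.kwd { color:#ccc } */
+
+/* line-number (unused by public-inbox) */
+/* .hl.lin { color:#ccc } */
+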
m/hut/public-inbox.nix
Normal file
47
m/hut/public-inbox.nix
Normal file
@ -0,0 +1,47 @@
|
||||
{ lib, ... }:
|
||||
|
||||
{
|
||||
services.public-inbox = {
|
||||
enable = true;
|
||||
http = {
|
||||
enable = true;
|
||||
port = 8081;
|
||||
mounts = [ "/lists" ];
|
||||
};
|
||||
settings.publicinbox = {
|
||||
css = [ "${./public-inbox.css}" ];
|
||||
wwwlisting = "all";
|
||||
};
|
||||
inboxes = {
|
||||
bscpkgs = {
|
||||
url = "https://jungle.bsc.es/lists/bscpkgs";
|
||||
address = [ "~rodarima/bscpkgs@lists.sr.ht" ];
|
||||
watch = [ "imaps://jungle-robot%40gmx.com@imap.gmx.com/INBOX" ];
|
||||
description = "Patches for bscpkgs";
|
||||
listid = "~rodarima/bscpkgs.lists.sr.ht";
|
||||
};
|
||||
jungle = {
|
||||
url = "https://jungle.bsc.es/lists/jungle";
|
||||
address = [ "~rodarima/jungle@lists.sr.ht" ];
|
||||
watch = [ "imaps://jungle-robot%40gmx.com@imap.gmx.com/INBOX" ];
|
||||
description = "Patches for jungle";
|
||||
listid = "~rodarima/jungle.lists.sr.ht";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# We need access to the network for the watch service, as we will fetch the
|
||||
# emails directly from the IMAP server.
|
||||
systemd.services.public-inbox-watch.serviceConfig = {
|
||||
PrivateNetwork = lib.mkForce false;
|
||||
RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
||||
KillSignal = "SIGKILL"; # Avoid slow shutdown
|
||||
|
||||
# Required for chmod(..., 02750) on directories by git, from
|
||||
# systemd.exec(8):
|
||||
# > Note that this restricts marking of any type of file system object with
|
||||
# > these bits, including both regular files and directories (where the SGID
|
||||
# > is a different meaning than for files, see documentation).
|
||||
RestrictSUIDSGID = lib.mkForce false;
|
||||
};
|
||||
}
|
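Review bot: Both inboxes `watch` the same `imaps://jungle-robot%40gmx.com@imap.gmx.com/INBOX`, and the URL carries the account name but nothing in the hunk says where the IMAP password comes from — presumably a git-credential helper or netrc provisioned out of band; a comment on the first `watch` line pointing at that secret, and a check that the watch service's home is not world-readable, would help the next reader. `KillSignal = "SIGKILL"` skips public-inbox-watch's shutdown path, so a stop in the middle of a delivery can leave a partially written git object or Xapian index behind; if slow shutdown is the problem, a shorter `TimeoutStopSec` with the default SIGTERM first is the gentler option, and the comment should say which was chosen and why. The `RestrictSUIDSGID` and `PrivateNetwork` relaxations are well justified by their comments.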
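--- a/m/hut/pxe.nix
+++ b/m/hut/pxe.nix
@@ -0,0 +1,35 @@
+{ theFlake, pkgs, ... }:
+
+# This module describes a script that can launch the pixiecore daemon to serve a
+# NixOS image via PXE to a node to directly boot from there, without requiring a
+# working disk.
+
+let
+# The host config must have the netboot-minimal.nix module too
+host = theFlake.nixosConfigurations.lake2;
+sys = host.config.system;
+build = sys.build;
+kernel = "${build.kernel}/bzImage";
+initrd = "${build.netbootRamdisk}/initrd";
+init = "${build.toplevel}/init";
+
+script = pkgs.writeShellScriptBin "pixiecore-helper" ''
+#!/usr/bin/env bash -x
+
+${pkgs.pixiecore}/bin/pixiecore \
+boot ${kernel} ${initrd} --cmdline "init=${init} loglevel=4" \
+--debug --dhcp-no-bind --port 64172 --status-port 64172 "$@"
+'';
+in
+{
+## We need a DHCP server to provide the IP
+#services.dnsmasq = {
+# enable = true;
+# settings = {
+# domain-needed = true;
+# dhcp-range = [ "192.168.0.2,192.168.0.254" ];
+# };
+#};
+
+environment.systemPackages = [ script ];
+}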
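Review bot: The first line of the `pixiecore-helper` body, `#!/usr/bin/env bash -x`, has no effect: `writeShellScriptBin` prepends its own shebang, so this line ends up inside the script as a comment and the intended `-x` tracing is never enabled. Replace it with `set -x`, or drop it since `--debug` already makes pixiecore verbose. Because `--dhcp-no-bind` answers any PXE client on the segment with a bootable image of the `lake2` configuration, and the module is only commented in from m/hut/configuration.nix, a comment stating that the helper is for manual, attended use on an isolated segment would make the intent explicit.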
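--- a/m/hut/targets.yml
+++ b/m/hut/targets.yml
@@ -0,0 +1,15 @@
+- targets:
+- owl1-ipmi
+- owl2-ipmi
+- xeon03-ipmi
+- xeon04-ipmi
+- koro-ipmi
+- weasel-ipmi
+- hut-ipmi
+- eudy-ipmi
+# Storage
+- bay-ipmi
+- oss01-ipmi
+- lake2-ipmi
+labels:
+job: ipmi-lan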
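--- /dev/null
+++ b/m/koro/configuration.nix
@@ -0,0 +1,35 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+{
+  imports = [
+    ../common/ssf.nix
+    #(modulesPath + "/installer/netboot/netboot-minimal.nix")
+
+    ../eudy/cpufreq.nix
+    ../eudy/users.nix
+    ./kernel.nix
+  ];
+
+  # Select this using the ID to avoid mismatches
+  boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d5376d2";
+
+  # disable automatic garbage collector
+  nix.gc.automatic = lib.mkForce false;
+
+  # members of the tracing group can use the lttng-provided kernel events
+  # without root permissions
+  users.groups.tracing.members = [ "arocanon" "vlopez" ];
+
+  # set up both ethernet and infiniband ips
+  networking = {
+    hostName = "koro";
+    interfaces.eno1.ipv4.addresses = [ {
+      address = "10.0.40.5";
+      prefixLength = 24;
+    } ];
+    interfaces.ibp5s0.ipv4.addresses = [ {
+      address = "10.0.42.5";
+      prefixLength = 24;
+    } ];
+  };
+}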
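--- /dev/null
+++ b/m/koro/kernel.nix
@@ -0,0 +1,70 @@
+{ pkgs, lib, ... }:
+
+let
+  #fcs-devel = pkgs.linuxPackages_custom {
+  # version = "6.2.8";
+  # src = /mnt/data/kernel/fcs/kernel/src;
+  # configfile = /mnt/data/kernel/fcs/kernel/configs/defconfig;
+  #};
+
+  #fcsv1 = fcs-kernel "bc11660676d3d68ce2459b9fb5d5e654e3f413be" false;
+  #fcsv2 = fcs-kernel "db0f2eca0cd57a58bf456d7d2c7d5d8fdb25dfb1" false;
+  #fcsv1-lockdep = fcs-kernel "bc11660676d3d68ce2459b9fb5d5e654e3f413be" true;
+  #fcsv2-lockdep = fcs-kernel "db0f2eca0cd57a58bf456d7d2c7d5d8fdb25dfb1" true;
+  #fcs-kernel = gitCommit: lockdep: pkgs.linuxPackages_custom {
+  # version = "6.2.8";
+  # src = builtins.fetchGit {
+  # url = "git@bscpm03.bsc.es:ompss-kernel/linux.git";
+  # rev = gitCommit;
+  # ref = "fcs";
+  # };
+  # configfile = if lockdep then ./configs/lockdep else ./configs/defconfig;
+  #};
+
+  kernel = nixos-fcs;
+
+  nixos-fcs-kernel = lib.makeOverridable ({gitCommit, lockStat ? false, preempt ? false, branch ? "fcs"}: pkgs.linuxPackagesFor (pkgs.buildLinux rec {
+    version = "6.2.8";
+    src = builtins.fetchGit {
+      url = "git@bscpm03.bsc.es:ompss-kernel/linux.git";
+      rev = gitCommit;
+      ref = branch;
+    };
+    structuredExtraConfig = with lib.kernel; {
+      # add general custom kernel options here
+    } // lib.optionalAttrs lockStat {
+      LOCK_STAT = yes;
+    } // lib.optionalAttrs preempt {
+      PREEMPT = lib.mkForce yes;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+    };
+    kernelPatches = [];
+    extraMeta.branch = lib.versions.majorMinor version;
+  }));
+
+  nixos-fcs = nixos-fcs-kernel {gitCommit = "8a09822dfcc8f0626b209d6d2aec8b5da459dfee";};
+  nixos-fcs-lockstat = nixos-fcs.override {
+    lockStat = true;
+  };
+  nixos-fcs-lockstat-preempt = nixos-fcs.override {
+    lockStat = true;
+    preempt = true;
+  };
+  latest = pkgs.linuxPackages_latest;
+
+in {
+  imports = [
+    ../eudy/kernel/lttng.nix
+    ../eudy/kernel/perf.nix
+  ];
+  boot.kernelPackages = lib.mkForce kernel;
+
+  # disable all cpu mitigations
+  boot.kernelParams = [
+    "mitigations=off"
+  ];
+
+  # enable memory overcommit, needed to build a taglibc system using nix after
+  # increasing the openblas memory footprint
+  boot.kernel.sysctl."vm.overcommit_memory" = 1;
+}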
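Review bot: `boot.kernelParams = [ "mitigations=off" ]` turns off every CPU speculation mitigation, but the comment above it only restates the option; the reason and the trade-off belong next to it, since the same file also gives non-root users access to kernel tracing events through the tracing group in configuration.nix. Something like `# disable all cpu mitigations: this node runs kernel benchmarks for a small set of trusted users; do not copy this to shared or internet-facing nodes` records why it is acceptable here. The unused `nixos-fcs-lockstat`, `nixos-fcs-lockstat-preempt` and `latest` bindings would also benefit from a one-line comment saying they are kept as ready-made alternatives for `kernel`, otherwise they read as dead code.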
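--- /dev/null
+++ b/m/lake2/configuration.nix
@@ -0,0 +1,84 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+{
+  imports = [
+    ../common/ssf.nix
+    ../module/monitoring.nix
+    ../module/hut-substituter.nix
+  ];
+
+  boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53563a";
+
+  boot.kernel.sysctl = {
+    "kernel.yama.ptrace_scope" = lib.mkForce "1";
+  };
+
+  environment.systemPackages = with pkgs; [
+    ceph
+  ];
+
+  services.ceph = {
+    enable = true;
+    global = {
+      fsid = "9c8d06e0-485f-4aaf-b16b-06d6daf1232b";
+      monHost = "10.0.40.40";
+      monInitialMembers = "bay";
+      clusterNetwork = "10.0.40.40/24"; # Use Ethernet only
+    };
+    osd = {
+      enable = true;
+      # One daemon per NVME disk
+      daemons = [ "4" "5" "6" "7" ];
+      extraConfig = {
+        "osd crush chooseleaf type" = "0";
+        "osd journal size" = "10000";
+        "osd pool default min size" = "2";
+        "osd pool default pg num" = "200";
+        "osd pool default pgp num" = "200";
+        "osd pool default size" = "3";
+      };
+    };
+  };
+
+  networking = {
+    hostName = "lake2";
+    interfaces.eno1.ipv4.addresses = [ {
+      address = "10.0.40.42";
+      prefixLength = 24;
+    } ];
+    interfaces.ibp5s0.ipv4.addresses = [ {
+      address = "10.0.42.42";
+      prefixLength = 24;
+    } ];
+    firewall = {
+      extraCommands = ''
+        # Accept all incoming TCP traffic from bay
+        iptables -A nixos-fw -p tcp -s bay -j nixos-fw-accept
+        # Accept monitoring requests from hut
+        iptables -A nixos-fw -p tcp -s hut --dport 9002 -j nixos-fw-accept
+        # Accept all Ceph traffic from the local network
+        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
+      '';
+    };
+  };
+
+  # Missing service for volumes, see:
+  # https://www.reddit.com/r/ceph/comments/14otjyo/comment/jrd69vt/
+  systemd.services.ceph-volume = {
+    enable = true;
+    description = "Ceph Volume activation";
+    unitConfig = {
+      Type = "oneshot";
+      After = "local-fs.target";
+      Wants = "local-fs.target";
+    };
+    path = [ pkgs.ceph pkgs.util-linux pkgs.lvm2 pkgs.cryptsetup ];
+    serviceConfig = {
+      KillMode = "none";
+      Environment = "CEPH_VOLUME_TIMEOUT=10000";
+      ExecStart = "/bin/sh -c 'timeout $CEPH_VOLUME_TIMEOUT ${pkgs.ceph}/bin/ceph-volume lvm activate --all --no-systemd'";
+      TimeoutSec = "0";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+}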
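Review bot: The first two firewall rules match on hostnames (`-s bay`, `-s hut`) while the Ceph rule uses a CIDR; iptables resolves the names when the rule is loaded, so the rules depend on those names being resolvable during early boot and silently cover whatever address they resolve to at that moment. Using the addresses (or the entries behind `config.networking.hosts`) as the third rule does removes that dependency, and `clusterNetwork = "10.0.40.40/24"` looks like it was meant to be the network `10.0.40.0/24` used in that rule rather than a host address. In the ceph-volume unit, `KillMode = "none"` is deprecated by systemd and logs a warning on load; if the intent is to let ceph-volume's helpers outlive the unit, `KillMode = "process"` is the documented replacement, and `Type = "oneshot"` belongs under `serviceConfig` rather than `unitConfig` to take effect.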
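--- /dev/null
+++ b/m/map.nix
@@ -0,0 +1,70 @@
+{
+  # In physical order from top to bottom (see note below)
+  ssf = {
+    # Switches for Ethernet and OmniPath
+    switch-C6-S1A-05 = { pos=42; size=1; model="Dell S3048-ON"; };
+    switch-opa = { pos=41; size=1; };
+
+    # SSF login
+    apex = { pos=39; size=2; label="SSFHEAD"; board="R2208WTTYSR"; contact="rodrigo.arias@bsc.es"; };
+
+    # Storage
+    bay = { pos=38; size=1; label="MDS01"; board="S2600WT2R"; sn="BQWL64850303"; contact="rodrigo.arias@bsc.es"; };
+    lake1 = { pos=37; size=1; label="OSS01"; board="S2600WT2R"; sn="BQWL64850234"; contact="rodrigo.arias@bsc.es"; };
+    lake2 = { pos=36; size=1; label="OSS02"; board="S2600WT2R"; sn="BQWL64850266"; contact="rodrigo.arias@bsc.es"; };
+
+    # Compute xeon
+    owl1 = { pos=35; size=1; label="SSF-XEON01"; board="S2600WTTR"; sn="BQWL64954172"; contact="rodrigo.arias@bsc.es"; };
+    owl2 = { pos=34; size=1; label="SSF-XEON02"; board="S2600WTTR"; sn="BQWL64756560"; contact="rodrigo.arias@bsc.es"; };
+    xeon03 = { pos=33; size=1; label="SSF-XEON03"; board="S2600WTTR"; sn="BQWL64750826"; contact="rodrigo.arias@bsc.es"; };
+    # Slot 34 empty
+    koro = { pos=31; size=1; label="SSF-XEON05"; board="S2600WTTR"; sn="BQWL64954293"; contact="rodrigo.arias@bsc.es"; };
+    weasel = { pos=30; size=1; label="SSF-XEON06"; board="S2600WTTR"; sn="BQWL64750846"; contact="antoni.navarro@bsc.es"; };
+    hut = { pos=29; size=1; label="SSF-XEON07"; board="S2600WTTR"; sn="BQWL64751184"; contact="rodrigo.arias@bsc.es"; };
+    eudy = { pos=28; size=1; label="SSF-XEON08"; board="S2600WTTR"; sn="BQWL64756586"; contact="aleix.rocanonell@bsc.es"; };
+
+    # 16 KNL nodes, 4 per chassis
+    knl01_04 = { pos=26; size=2; label="KNL01..KNL04"; board="HNS7200APX"; };
+    knl05_08 = { pos=24; size=2; label="KNL05..KNL18"; board="HNS7200APX"; };
+    knl09_12 = { pos=22; size=2; label="KNL09..KNL12"; board="HNS7200APX"; };
+    knl13_16 = { pos=20; size=2; label="KNL13..KNL16"; board="HNS7200APX"; };
+
+    # Slot 19 empty
+
+    # EPI (hw team, guessed order)
+    epi01 = { pos=18; size=1; contact="joan.cabre@bsc.es"; };
+    epi02 = { pos=17; size=1; contact="joan.cabre@bsc.es"; };
+    epi03 = { pos=16; size=1; contact="joan.cabre@bsc.es"; };
+    anon = { pos=14; size=2; }; # Unlabeled machine. Operative
+
+    # These are old and decommissioned (off)
+    power8 = { pos=12; size=2; label="BSCPOWER8N3"; decommissioned=true; };
+    powern1 = { pos=8; size=4; label="BSCPOWERN1"; decommissioned=true; };
+    gustafson = { pos=7; size=1; label="gustafson"; decommissioned=true; };
+    odap01 = { pos=3; size=4; label="ODAP01"; decommissioned=true; };
+    amhdal = { pos=2; size=1; label="AMHDAL"; decommissioned=true; }; # sic
+    moore = { pos=1; size=1; label="moore (earth)"; decommissioned=true; };
+  };
+
+  bsc2218 = {
+    raccoon = { board="W2600CR"; sn="QSIP22500829"; contact="rodrigo.arias@bsc.es"; };
+    tent = { label="SSF-XEON04"; board="S2600WTTR"; sn="BQWL64751229"; contact="rodrigo.arias@bsc.es"; };
+  };
+
+  upc = {
+    fox = { board="H13DSG-O-CPU"; sn="UM24CS600392"; prod="AS-4125GS-TNRT"; prod_sn="E508839X5103339"; contact="rodrigo.arias@bsc.es"; };
+  };
+
+  # NOTE: Position is specified in "U" units (44.45 mm) and starts at 1 from the
+  # bottom. Example:
+  #
+  # | ... | - [pos+size] <--- Label in chassis
+  # +--------+
+  # | node | - [pos+1]
+  # | 2U | - [pos]
+  # +------- +
+  # | ... | - [pos-1]
+  #
+  # NOTE: The board and sn refers to the FRU information (Board Product and
+  # Board Serial) via `ipmitool fru print 0`.
+}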
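Review bot: The comment `# Slot 34 empty` sits between xeon03 (pos=33) and koro (pos=31), so by the positions around it the empty slot is 32, and `# Slot 32 empty` would match; owl2 already occupies pos=34. In the KNL block, `label="KNL05..KNL18"` looks like a typo for `KNL05..KNL08` given the pattern of the neighbouring entries. Since this file is the physical inventory (positions, serial numbers, contacts) people will act on when they go to the rack, it is worth correcting both before they are copied elsewhere.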
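--- /dev/null
+++ b/m/module/agenix.nix
@@ -0,0 +1,357 @@
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  cfg = config.age;
+
+  isDarwin = lib.attrsets.hasAttrByPath [ "environment" "darwinConfig" ] options;
+
+  ageBin = config.age.ageBin;
+
+  users = config.users.users;
+
+  sysusersEnabled =
+    if isDarwin then
+      false
+    else
+      options.systemd ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable);
+
+  mountCommand =
+    if isDarwin then
+      ''
+        if ! diskutil info "${cfg.secretsMountPoint}" &> /dev/null; then
+            num_sectors=1048576
+            dev=$(hdiutil attach -nomount ram://"$num_sectors" | sed 's/[[:space:]]*$//')
+            newfs_hfs -v agenix "$dev"
+            mount -t hfs -o nobrowse,nodev,nosuid,-m=0751 "$dev" "${cfg.secretsMountPoint}"
+        fi
+      ''
+    else
+      ''
+        grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts ||
+          mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
+      '';
+  newGeneration = ''
+    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+    (( ++_agenix_generation ))
+    echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
+    mkdir -p "${cfg.secretsMountPoint}"
+    chmod 0751 "${cfg.secretsMountPoint}"
+    ${mountCommand}
+    mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
+    chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
+  '';
+
+  chownGroup = if isDarwin then "admin" else "keys";
+  # chown the secrets mountpoint and the current generation to the keys group
+  # instead of leaving it root:root.
+  chownMountPoint = ''
+    chown :${chownGroup} "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"
+  '';
+
+  setTruePath = secretType: ''
+    ${
+      if secretType.symlink then
+        ''
+          _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
+        ''
+      else
+        ''
+          _truePath="${secretType.path}"
+        ''
+    }
+  '';
+
+  installSecret = secretType: ''
+    ${setTruePath secretType}
+    echo "decrypting '${secretType.file}' to '$_truePath'..."
+    TMP_FILE="$_truePath.tmp"
+
+    IDENTITIES=()
+    for identity in ${toString cfg.identityPaths}; do
+      test -r "$identity" || continue
+      test -s "$identity" || continue
+      IDENTITIES+=(-i)
+      IDENTITIES+=("$identity")
+    done
+
+    test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
+
+    mkdir -p "$(dirname "$_truePath")"
+    [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
+    (
+      umask u=r,g=,o=
+      test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!'
+      test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
+      LANG=${
+        config.i18n.defaultLocale or "C"
+      } ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}"
+    )
+    chmod ${secretType.mode} "$TMP_FILE"
+    mv -f "$TMP_FILE" "$_truePath"
+
+    ${optionalString secretType.symlink ''
+      [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
+    ''}
+  '';
+
+  testIdentities = map (path: ''
+    test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
+  '') cfg.identityPaths;
+
+  cleanupAndLink = ''
+    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+    (( ++_agenix_generation ))
+    echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
+    ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
+
+    (( _agenix_generation > 1 )) && {
+      echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
+      rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
+    }
+  '';
+
+  installSecrets = builtins.concatStringsSep "\n" (
+    [ "echo '[agenix] decrypting secrets...'" ]
+    ++ testIdentities
+    ++ (map installSecret (builtins.attrValues cfg.secrets))
+    ++ [ cleanupAndLink ]
+  );
+
+  chownSecret = secretType: ''
+    ${setTruePath secretType}
+    chown ${secretType.owner}:${secretType.group} "$_truePath"
+  '';
+
+  chownSecrets = builtins.concatStringsSep "\n" (
+    [ "echo '[agenix] chowning...'" ]
+    ++ [ chownMountPoint ]
+    ++ (map chownSecret (builtins.attrValues cfg.secrets))
+  );
+
+  secretType = types.submodule (
+    { config, ... }:
+    {
+      options = {
+        name = mkOption {
+          type = types.str;
+          default = config._module.args.name;
+          defaultText = literalExpression "config._module.args.name";
+          description = ''
+            Name of the file used in {option}`age.secretsDir`
+          '';
+        };
+        file = mkOption {
+          type = types.path;
+          description = ''
+            Age file the secret is loaded from.
+          '';
+        };
+        path = mkOption {
+          type = types.str;
+          default = "${cfg.secretsDir}/${config.name}";
+          defaultText = literalExpression ''
+            "''${cfg.secretsDir}/''${config.name}"
+          '';
+          description = ''
+            Path where the decrypted secret is installed.
+          '';
+        };
+        mode = mkOption {
+          type = types.str;
+          default = "0400";
+          description = ''
+            Permissions mode of the decrypted secret in a format understood by chmod.
+          '';
+        };
+        owner = mkOption {
+          type = types.str;
+          default = "0";
+          description = ''
+            User of the decrypted secret.
+          '';
+        };
+        group = mkOption {
+          type = types.str;
+          default = users.${config.owner}.group or "0";
+          defaultText = literalExpression ''
+            users.''${config.owner}.group or "0"
+          '';
+          description = ''
+            Group of the decrypted secret.
+          '';
+        };
+        symlink = mkEnableOption "symlinking secrets to their destination" // {
+          default = true;
+        };
+      };
+    }
+  );
+in
+{
+  imports = [
+    (mkRenamedOptionModule [ "age" "sshKeyPaths" ] [ "age" "identityPaths" ])
+  ];
+
+  options.age = {
+    ageBin = mkOption {
+      type = types.str;
+      default = "${pkgs.age}/bin/age";
+      defaultText = literalExpression ''
+        "''${pkgs.age}/bin/age"
+      '';
+      description = ''
+        The age executable to use.
+      '';
+    };
+    secrets = mkOption {
+      type = types.attrsOf secretType;
+      default = { };
+      description = ''
+        Attrset of secrets.
+      '';
+    };
+    secretsDir = mkOption {
+      type = types.path;
+      default = "/run/agenix";
+      description = ''
+        Folder where secrets are symlinked to
+      '';
+    };
+    secretsMountPoint = mkOption {
+      type =
+        types.addCheck types.str (
+          s:
+          (builtins.match "[ \t\n]*" s) == null # non-empty
+          && (builtins.match ".+/" s) == null
+        ) # without trailing slash
+        // {
+          description = "${types.str.description} (with check: non-empty without trailing slash)";
+        };
+      default = "/run/agenix.d";
+      description = ''
+        Where secrets are created before they are symlinked to {option}`age.secretsDir`
+      '';
+    };
+    identityPaths = mkOption {
+      type = types.listOf types.path;
+      default =
+        if isDarwin then
+          [
+            "/etc/ssh/ssh_host_ed25519_key"
+            "/etc/ssh/ssh_host_rsa_key"
+          ]
+        else if (config.services.openssh.enable or false) then
+          map (e: e.path) (
+            lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys
+          )
+        else
+          [ ];
+      defaultText = literalExpression ''
+        if isDarwin
+        then [
+          "/etc/ssh/ssh_host_ed25519_key"
+          "/etc/ssh/ssh_host_rsa_key"
+        ]
+        else if (config.services.openssh.enable or false)
+        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
+        else [];
+      '';
+      description = ''
+        Path to SSH keys to be used as identities in age decryption.
+      '';
+    };
+  };
+
+  config = mkIf (cfg.secrets != { }) (mkMerge [
+    {
+      assertions = [
+        {
+          assertion = cfg.identityPaths != [ ];
+          message = "age.identityPaths must be set, for example by enabling openssh.";
+        }
+      ];
+    }
+    (optionalAttrs (!isDarwin) {
+      # When using sysusers we no longer be started as an activation script
+      # because those are started in initrd while sysusers is started later.
+      systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
+        wantedBy = [ "sysinit.target" ];
+        after = [ "systemd-sysusers.service" ];
+        unitConfig.DefaultDependencies = "no";
+
+        path = [ pkgs.mount ];
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = pkgs.writeShellScript "agenix-install" (concatLines [
+            newGeneration
+            installSecrets
+            chownSecrets
+          ]);
+          RemainAfterExit = true;
+        };
+      };
+
+      # Create a new directory full of secrets for symlinking (this helps
+      # ensure removed secrets are actually removed, or at least become
+      # invalid symlinks).
+      system.activationScripts = mkIf (!sysusersEnabled) {
+        agenixNewGeneration = {
+          text = newGeneration;
+          deps = [
+            "specialfs"
+          ];
+        };
+
+        agenixInstall = {
+          text = installSecrets;
+          deps = [
+            "agenixNewGeneration"
+            "specialfs"
+          ];
+        };
+
+        # So user passwords can be encrypted.
+        users.deps = [ "agenixInstall" ];
+
+        # Change ownership and group after users and groups are made.
+        agenixChown = {
+          text = chownSecrets;
+          deps = [
+            "users"
+            "groups"
+          ];
+        };
+
+        # So other activation scripts can depend on agenix being done.
+        agenix = {
+          text = "";
+          deps = [ "agenixChown" ];
+        };
+      };
+    })
+
+    (optionalAttrs isDarwin {
+      launchd.daemons.activate-agenix = {
+        script = ''
+          set -e
+          set -o pipefail
+          export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
+          ${newGeneration}
+          ${installSecrets}
+          ${chownSecrets}
+          exit 0
+        '';
+        serviceConfig = {
+          RunAtLoad = true;
+          KeepAlive.SuccessfulExit = false;
+        };
+      };
+    })
+  ]);
+}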
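--- /dev/null
+++ b/m/module/amd-uprof.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options = {
+    services.amd-uprof = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Whether to enable AMD uProf.";
+      };
+    };
+  };
+
+  # Only setup amd-uprof if enabled
+  config = lib.mkIf config.services.amd-uprof.enable {
+
+    # First make sure that we add the module to the list of available modules
+    # in the kernel matching the same kernel version of this configuration.
+    boot.extraModulePackages = with config.boot.kernelPackages; [ amd-uprof-driver ];
+    boot.kernelModules = [ "AMDPowerProfiler" ];
+
+    # Make the userspace tools available in $PATH.
+    environment.systemPackages = with pkgs; [ amd-uprof ];
+
+    # The AMDPowerProfiler module doesn't create the /dev device nor it emits
+    # any uevents, so we cannot use udev rules to automatically create the
+    # device. Instead, we run a systemd unit that does it after loading the
+    # modules.
+    systemd.services.amd-uprof-device = {
+      description = "Create /dev/AMDPowerProfiler device";
+      after = [ "systemd-modules-load.service" ];
+      wantedBy = [ "multi-user.target" ];
+      unitConfig.ConditionPathExists = [
+        "/proc/AMDPowerProfiler/device"
+        "!/dev/AMDPowerProfiler"
+      ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = pkgs.writeShellScript "add-amd-uprof-dev.sh" ''
+          mknod /dev/AMDPowerProfiler -m 666 c $(< /proc/AMDPowerProfiler/device) 0
+        '';
+        ExecStop = pkgs.writeShellScript "remove-amd-uprof-dev.sh" ''
+          rm -f /dev/AMDPowerProfiler
+        '';
+      };
+    };
+  };
+}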
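Review bot: `mknod /dev/AMDPowerProfiler -m 666 ...` creates the profiler device world-readable and world-writable, so every local account can open the kernel driver, not only the users who are meant to profile. A group-restricted node keeps the same functionality for them: `mknod /dev/AMDPowerProfiler -m 660 c $(< /proc/AMDPowerProfiler/device) 0` followed by `chgrp <profiling-group> /dev/AMDPowerProfiler` (the group is a placeholder; the tracing group used on koro would be a natural candidate). If the driver genuinely has to be open to everyone, a comment saying so would stop the mode from being tightened by accident later. The `$(< file)` form is bash-only; it works because writeShellScript uses bash, which is worth a short comment since the unit otherwise reads like POSIX sh.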
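--- /dev/null
+++ b/m/module/ceph.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+# Mounts the /ceph filesystem at boot
+{
+  environment.systemPackages = with pkgs; [
+    ceph-client
+    fio # For benchmarks
+  ];
+
+  # We need the ceph module loaded as the mount.ceph binary fails to run the
+  # modprobe command.
+  boot.kernelModules = [ "ceph" ];
+
+  age.secrets.cephUser.file = ../../secrets/ceph-user.age;
+
+  fileSystems."/ceph" = {
+    fsType = "ceph";
+    device = "user@9c8d06e0-485f-4aaf-b16b-06d6daf1232b.cephfs=/";
+    options = [
+      "mon_addr=10.0.40.40"
+      "secretfile=${config.age.secrets.cephUser.path}"
+    ];
+  };
+}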
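Review bot: The cluster fsid in `device` and the monitor address in `mon_addr=10.0.40.40` repeat the literal values from `services.ceph.global` in m/lake2/configuration.nix, so a change to the cluster has to be made in two places with no check that they still agree. Lifting both into one shared module attribute that both files import would keep them in step. A comment on `fileSystems."/ceph"` noting that the mount depends on `age.secrets.cephUser` having been decrypted first, and what happens at boot if that secret is missing, would also help whoever debugs a failed boot.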
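--- /dev/null
+++ b/m/module/debuginfod.nix
@@ -0,0 +1,3 @@
+{
+  services.nixseparatedebuginfod.enable = true;
+}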
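--- /dev/null
+++ b/m/module/emulation.nix
@@ -0,0 +1,3 @@
+{
+  boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" "powerpc64le-linux" "riscv64-linux" ];
+}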
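--- /dev/null
+++ b/m/module/hut-substituter.nix
@@ -0,0 +1,13 @@
+{ config, ... }:
+{
+  nix.settings =
+    # Don't add hut as a cache to itself
+    assert config.networking.hostName != "hut";
+    {
+      extra-substituters = [ "http://hut/cache" ];
+      extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+
+      # Set a low timeout in case hut is down
+      connect-timeout = 3; # seconds
+    };
+}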
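Review bot: `extra-substituters = [ "http://hut/cache" ]` uses plain HTTP, which is acceptable only because Nix checks every fetched path against `extra-trusted-public-keys`; the next reader will likely flag the scheme, so the reasoning belongs next to the setting. A comment such as `# Plain http is fine here: every store path is verified against the signing key below` would save that discussion. The `assert` is a nice guard, but its failure message is just the Nix assertion trace; wrapping it in `lib.assertMsg` with a sentence naming the hut self-reference would make the error self-explanatory.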
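--- /dev/null
+++ b/m/module/jungle-users.nix
@@ -0,0 +1,24 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  options = {
+    users.jungleUsers = mkOption {
+      type = types.attrsOf (types.anything // { check = (x: x ? "hosts"); });
+      description = ''
+        Same as users.users but with the extra `hosts` attribute, which controls
+        access to the nodes by `networking.hostName`.
+      '';
+    };
+  };
+
+  config = let
+    allowedUser = host: userConf: builtins.elem host userConf.hosts;
+    filterUsers = host: users: filterAttrs (n: v: allowedUser host v) users;
+    removeHosts = users: mapAttrs (n: v: builtins.removeAttrs v [ "hosts" ]) users;
+    currentHost = config.networking.hostName;
+  in {
+    users.users = removeHosts (filterUsers currentHost config.users.jungleUsers);
+  };
+}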
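Review bot: The option type only checks that `hosts` exists (`check = (x: x ? "hosts")`), not that it is a list, so an entry written as `hosts = "koro";` passes the type check and then fails inside `allowedUser` with a `builtins.elem` error from deep in the module system. Tightening it to `check = (x: builtins.isList (x.hosts or null));` reports the mistake at the option where it was made. A short comment on `users.users = removeHosts (...)` saying that a user not listed for the current host is dropped entirely (no account, not just a locked one) would also help, since that line is what enforces per-node access.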
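--- /dev/null
+++ b/m/module/meteocat-exporter.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  systemd.services."prometheus-meteocat-exporter" = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      Restart = mkDefault "always";
+      PrivateTmp = mkDefault true;
+      WorkingDirectory = mkDefault "/tmp";
+      DynamicUser = mkDefault true;
+      ExecStart = "${pkgs.meteocat-exporter}/bin/meteocat-exporter";
+    };
+  };
+}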
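--- /dev/null
+++ b/m/module/monitoring.nix
@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+
+{
+  # We need access to the devices to monitor the disk space
+  systemd.services.prometheus-node-exporter.serviceConfig.PrivateDevices = lib.mkForce false;
+  systemd.services.prometheus-node-exporter.serviceConfig.ProtectHome = lib.mkForce "read-only";
+
+  # Required to allow the smartctl exporter to read the nvme0 character device,
+  # see the commit message on:
+  # https://github.com/NixOS/nixpkgs/commit/12c26aca1fd55ab99f831bedc865a626eee39f80
+  services.udev.extraRules = ''
+    SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", GROUP="disk"
+  '';
+
+  services.prometheus = {
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = [ "systemd" ];
+        port = 9002;
+      };
+      smartctl.enable = true;
+    };
+  };
+}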
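--- /dev/null
+++ b/m/module/nix-daemon-builds.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Locate nix daemon pid
+nd=$(pgrep -o nix-daemon)
+
+# Locate children of nix-daemon
+pids1=$(tr ' ' '\n' < "/proc/$nd/task/$nd/children")
+
+# For each children, locate 2nd level children
+pids2=$(echo "$pids1" | xargs -I @ /bin/sh -c 'cat /proc/@/task/*/children' | tr ' ' '\n')
+
+cat <<EOF
+HTTP/1.1 200 OK
+Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=values
+
+# HELP nix_daemon_build Nix daemon derivation build state.
+# TYPE nix_daemon_build gauge
+EOF
+
+for pid in $pids2; do
+  name=$(cat /proc/$pid/environ 2>/dev/null | tr '\0' '\n' | rg "^name=(.+)" - --replace '$1' | tr -dc ' [:alnum:]_\-\.')
+  user=$(ps -o uname= -p "$pid")
+  if [ -n "$name" -a -n "$user" ]; then
+    printf 'nix_daemon_build{user="%s",name="%s"} 1\n' "$user" "$name"
+  fi
+done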
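Review bot: The `user` label is written into the exposition line without the sanitising that `name` gets, so a `"` or `\` in whatever `ps -o uname=` returns (it may fall back to a numeric uid or any name NSS supplies) would corrupt the metric for the whole scrape; this matters because the script runs as root behind socat for every connection. Piping it through the same filter, `user=$(ps -o uname= -p "$pid" | tr -dc ' [:alnum:]_\-\.')`, keeps the two labels consistent. Also, `[ -n "$name" -a -n "$user" ]` uses the obsolescent `-a`; `[ -n "$name" ] && [ -n "$user" ]` is the portable form, and `$pid` in `cat /proc/$pid/environ` should be quoted like the other uses.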
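--- /dev/null
+++ b/m/module/nix-daemon-exporter.nix
@@ -0,0 +1,23 @@
+{ pkgs, config, lib, ... }:
+let
+  script = pkgs.runCommand "nix-daemon-exporter.sh" { }
+    ''
+      cp ${./nix-daemon-builds.sh} $out;
+      chmod +x $out
+    ''
+  ;
+in
+{
+  systemd.services.nix-daemon-exporter = {
+    description = "Daemon to export nix-daemon metrics";
+    path = [ pkgs.procps pkgs.ripgrep ];
+    wantedBy = [ "default.target" ];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${pkgs.socat}/bin/socat TCP4-LISTEN:9999,fork EXEC:${script}";
+      # Needed root to read the environment, potentially unsafe
+      User = "root";
+      Group = "root";
+    };
+  };
+}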
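Review bot: `socat TCP4-LISTEN:9999,fork EXEC:${script}` listens on every IPv4 interface and forks a root shell script per connection with no source or concurrency limit, which the inline comment already calls potentially unsafe. socat's listen options narrow this without touching the metric: `TCP4-LISTEN:9999,fork,bind=<monitoring-ip>,range=<scraper-cidr>,max-children=4`, with the two placeholders filled in from where the Prometheus scraper runs. If the host firewall is what is relied on instead, a comment naming that rule would let the next reader verify the port is not reachable from the user network.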
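--- /dev/null
+++ b/m/module/nvidia.nix
@@ -0,0 +1,20 @@
+{ lib, config, pkgs, ... }:
+{
+  # Configure Nvidia driver to use with CUDA
+  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production;
+  hardware.nvidia.open = lib.mkDefault (builtins.abort "hardware.nvidia.open not set");
+  hardware.graphics.enable = true;
+  nixpkgs.config.nvidia.acceptLicense = true;
+  services.xserver.videoDrivers = [ "nvidia" ];
+
+  # enable support for derivations which require nvidia-gpu to be available
+  # > requiredSystemFeatures = [ "cuda" ];
+  programs.nix-required-mounts.enable = true;
+  programs.nix-required-mounts.presets.nvidia-gpu.enable = true;
+  # They forgot to add the symlink
+  programs.nix-required-mounts.allowedPatterns.nvidia-gpu.paths = [
+    config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver"."L+".argument
+  ];
+
+  environment.systemPackages = [ pkgs.cudainfo ];
+}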
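--- a/m/module/p.nix
+++ b/m/module/p.nix
@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+
+let
+cfg = config.services.p;
+in
+{
+options = {
+services.p = {
+enable = lib.mkOption {
+type = lib.types.bool;
+default = false;
+description = "Whether to enable the p service.";
+};
+path = lib.mkOption {
+type = lib.types.str;
+default = "/var/lib/p";
+description = "Where to save the pasted files on disk.";
+};
+url = lib.mkOption {
+type = lib.types.str;
+default = "https://jungle.bsc.es/p";
+description = "URL prefix for the printed file.";
+};
+};
+};
+
+config = lib.mkIf cfg.enable {
+environment.systemPackages = let
+p = pkgs.writeShellScriptBin "p" ''
+set -e
+pastedir="${cfg.path}/$USER"
+cd "$pastedir"
+
+ext="txt"
+if [ -n "$1" ]; then
+ext="$1"
+fi
+
+out=$(mktemp "XXXXXXXX.$ext")
+cat > "$out"
+chmod go+r "$out"
+echo "${cfg.url}/$USER/$out"
+'';
+in [ p ];
+
+systemd.services.p = let
+# Take only normal users
+users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users;
+# Create a directory for each user
+commands = lib.concatLists (lib.mapAttrsToList (_: user: [
+"install -d -o ${user.name} -g ${user.group} -m 0755 ${cfg.path}/${user.name}"
+]) users);
+in {
+description = "P service setup";
+requires = [ "network-online.target" ];
+#wants = [ "remote-fs.target" ];
+#after = [ "remote-fs.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+ExecStart = pkgs.writeShellScript "p-init.sh" (''
+
+install -d -o root -g root -m 0755 ${cfg.path}
+
+'' + (lib.concatLines commands));
+};
+};
+};
+}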
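Review bot: `ext="$1"` in the `p` script is used unvalidated in the `mktemp "XXXXXXXX.$ext"` template, so an argument containing `/` or `..` turns the template into a path and the paste lands outside `$pastedir` while the printed URL still points inside it; the script runs with the caller's own privileges, so this is a consistency problem rather than an escalation, but a whitelist such as `case "$ext" in *[!A-Za-z0-9_]*) echo "invalid extension" >&2; exit 1;; esac` before the mktemp keeps the paste tree and the URLs in agreement. The `p-init.sh` unit creates the per-user directories only when it runs, so users added later have no directory until the service is restarted; `Type = "oneshot"` with `RemainAfterExit = true` would at least make that visible in `systemctl status`. `requires = [ "network-online.target" ]` without a matching `after` does not order the unit after the network, and creating local directories does not need the network at all, so the line can probably be dropped.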
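--- a/m/module/power-policy.nix
+++ b/m/module/power-policy.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.power.policy;
+in
+{
+options = {
+power.policy = mkOption {
+type = types.nullOr (types.enum [ "always-on" "previous" "always-off" ]);
+default = null;
+description = "Set power policy to use via IPMI.";
+};
+};
+
+config = mkIf (cfg != null) {
+systemd.services."power-policy" = {
+description = "Set power policy to use via IPMI";
+wantedBy = [ "multi-user.target" ];
+unitConfig = {
+StartLimitBurst = "10";
+StartLimitIntervalSec = "10m";
+};
+serviceConfig = {
+ExecStart = "${pkgs.ipmitool}/bin/ipmitool chassis policy ${cfg}";
+Type = "oneshot";
+Restart = "on-failure";
+RestartSec = "5s";
+};
+};
+};
+}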
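Review bot: The `power-policy` unit has no `after =` ordering, so at boot `ipmitool chassis policy` may run before the local IPMI device is usable and then depends on the `Restart = "on-failure"` loop (5 s apart, up to the `StartLimitBurst` of 10 per 10 m) to eventually succeed, leaving failure entries in the journal on every boot. An explicit ordering on whatever provides the device would make the intent clear; which unit that is cannot be told from this file, so add it with a comment once confirmed. `Restart=` combined with `Type = "oneshot"` is only accepted by systemd 244 and later; current NixOS is fine, but a one-line comment would stop a reader who remembers the older "incompatible" rule from removing it.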
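--- a/m/module/slurm-client.nix
+++ b/m/module/slurm-client.nix
@@ -0,0 +1,24 @@
+{ lib, ... }:
+
+{
+imports = [
+./slurm-common.nix
+];
+
+systemd.services.slurmd.serviceConfig = {
+# Kill all processes in the control group on stop/restart. This will kill
+# all the jobs running, so ensure that we only upgrade when the nodes are
+# not in use. See:
+# https://github.com/NixOS/nixpkgs/commit/ae93ed0f0d4e7be0a286d1fca86446318c0c6ffb
+# https://bugs.schedmd.com/show_bug.cgi?id=2095#c24
+KillMode = lib.mkForce "control-group";
+
+# If slurmd fails to contact the control server it will fail, causing the
+# node to remain out of service until manually restarted. Always try to
+# restart it.
+Restart = "always";
+RestartSec = "30s";
+};
+
+services.slurm.client.enable = true;
+}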
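--- a/m/module/slurm-common.nix
+++ b/m/module/slurm-common.nix
@@ -0,0 +1,115 @@
+{ config, pkgs, ... }:
+
+let
+suspendProgram = pkgs.writeShellScript "suspend.sh" ''
+exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log
+set -x
+export "PATH=/run/current-system/sw/bin:$PATH"
+echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log
+hosts=$(scontrol show hostnames $1)
+for host in $hosts; do
+echo Shutting down host: $host
+ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power off
+done
+'';
+
+resumeProgram = pkgs.writeShellScript "resume.sh" ''
+exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log
+set -x
+export "PATH=/run/current-system/sw/bin:$PATH"
+echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log
+hosts=$(scontrol show hostnames $1)
+for host in $hosts; do
+echo Starting host: $host
+ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power on
+done
+'';
+
+in {
+services.slurm = {
+controlMachine = "apex";
+clusterName = "jungle";
+nodeName = [
+"owl[1,2] Sockets=2 CoresPerSocket=14 ThreadsPerCore=2 Feature=owl"
+"fox Sockets=8 CoresPerSocket=24 ThreadsPerCore=1"
+];
+
+partitionName = [
+"owl Nodes=owl[1-2] Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
+"fox Nodes=fox Default=NO DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
+];
+
+# See slurm.conf(5) for more details about these options.
+extraConfig = ''
+# Use PMIx for MPI by default. It works okay with MPICH and OpenMPI, but
+# not with Intel MPI. For that use the compatibility shim libpmi.so
+# setting I_MPI_PMI_LIBRARY=$pmix/lib/libpmi.so while maintaining the PMIx
+# library in SLURM (--mpi=pmix). See more details here:
+# https://pm.bsc.es/gitlab/rarias/jungle/-/issues/16
+MpiDefault=pmix
+
+# When a node reboots return that node to the slurm queue as soon as it
+# becomes operative again.
+ReturnToService=2
+
+# Track all processes by using a cgroup
+ProctrackType=proctrack/cgroup
+
+# Enable task/affinity to allow the jobs to run in a specified subset of
+# the resources. Use the task/cgroup plugin to enable process containment.
+TaskPlugin=task/affinity,task/cgroup
+
+# Power off unused nodes until they are requested
+SuspendProgram=${suspendProgram}
+SuspendTimeout=60
+ResumeProgram=${resumeProgram}
+ResumeTimeout=300
+SuspendExcNodes=fox
+
+# Turn the nodes off after 1 hour of inactivity
+SuspendTime=3600
+
+# Reduce port range so we can allow only this range in the firewall
+SrunPortRange=60000-61000
+
+# Use cores as consumable resources. In SLURM terms, a core may have
+# multiple hardware threads (or CPUs).
+SelectType=select/cons_tres
+
+# Ignore memory constraints and only use unused cores to share a node with
+# other jobs.
+SelectTypeParameters=CR_Core
+
+# Required for pam_slurm_adopt, see https://slurm.schedmd.com/pam_slurm_adopt.html
+# This sets up the "extern" step into which ssh-launched processes will be
+# adopted. Alloc runs the prolog at job allocation (salloc) rather than
+# when a task runs (srun) so we can ssh early.
+PrologFlags=Alloc,Contain,X11
+
+# LaunchParameters=ulimit_pam_adopt will set RLIMIT_RSS in processes
+# adopted by the external step, similar to tasks running in regular steps
+# LaunchParameters=ulimit_pam_adopt
+SlurmdDebug=debug5
+#DebugFlags=Protocol,Cgroup
+'';
+
+extraCgroupConfig = ''
+CgroupPlugin=cgroup/v2
+#ConstrainCores=yes
+'';
+};
+
+# Place the slurm config in /etc as this will be required by PAM
+environment.etc.slurm.source = config.services.slurm.etcSlurm;
+
+age.secrets.mungeKey = {
+file = ../../secrets/munge-key.age;
+owner = "munge";
+group = "munge";
+};
+
+services.munge = {
+enable = true;
+password = config.age.secrets.mungeKey.path;
+};
+}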
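Review bot: `resume.sh` logs `Suspend invoked` in its first echo, copied from `suspend.sh`; it should read `echo "$(date) Resume invoked $0 $*" >> /var/log/power_save.log` so the power log distinguishes the two paths. Both scripts run `scontrol show hostnames $1` with `$1` unquoted; `"$1"` avoids word splitting of the hostlist expression Slurm passes in. The `ipmitool ... -P "" -U ""` calls rely on BMCs that accept an empty username and password, which means any host able to reach a `<host>-ipmi` address can power nodes off or on; that is defensible only if those addresses live on a management network unreachable from job nodes and the office VLAN, and that assumption belongs in a comment next to the calls. `SlurmdDebug=debug5` is the most verbose level and will fill slurmd's log on busy nodes; lower it once the cluster is stable or note that it is intentional.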
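--- a/m/module/slurm-exporter.nix
+++ b/m/module/slurm-exporter.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+# See also: https://github.com/NixOS/nixpkgs/pull/112010
+# And: https://github.com/NixOS/nixpkgs/pull/115839
+
+with lib;
+
+{
+systemd.services."prometheus-slurm-exporter" = {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+Restart = mkDefault "always";
+PrivateTmp = mkDefault true;
+WorkingDirectory = mkDefault "/tmp";
+DynamicUser = mkDefault true;
+ExecStart = ''
+${pkgs.prometheus-slurm-exporter}/bin/prometheus-slurm-exporter --listen-address "127.0.0.1:9341"
+'';
+Environment = [
+"PATH=${pkgs.slurm}/bin"
+# We need to specify the slurm config to be able to talk to the slurmd
+# daemon.
+"SLURM_CONF=${config.services.slurm.etcSlurm}/slurm.conf"
+];
+};
+};
+}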
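--- a/m/module/slurm-firewall.nix
+++ b/m/module/slurm-firewall.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+networking.firewall = {
+# Required for PMIx in SLURM, we should find a better way
+allowedTCPPortRanges = [ { from=1024; to=65535; } ];
+};
+}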
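Review bot: `allowedTCPPortRanges = [ { from=1024; to=65535; } ]` opens every unprivileged TCP port on the compute nodes to all sources, which undoes the purpose of `SrunPortRange=60000-61000` in slurm-common.nix ("so we can allow only this range in the firewall") and is far wider than the source-restricted rules slurm-server.nix uses for the controller. If PMIx genuinely needs arbitrary ports, restrict by source rather than opening them globally, e.g. `extraCommands = ''iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 1024:65535 -j nixos-fw-accept'';` following the server's pattern, plus a matching rule for the wireguard peer the server already admits. At minimum the comment should name which networks are expected to reach these ports so the "better way" has a target.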
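--- a/m/module/slurm-hut-nix-store.nix
+++ b/m/module/slurm-hut-nix-store.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+# Mount the hut nix store via NFS
+fileSystems."/mnt/hut-nix-store" = {
+device = "hut:/nix/store";
+fsType = "nfs";
+options = [ "ro" ];
+};
+
+systemd.services.slurmd.serviceConfig = {
+# When running a job, bind the hut store in /nix/store so the paths are
+# available too.
+# FIXME: This doesn't keep the programs in /run/current-system/sw/bin
+# available in the store. Ideally they should be merged but the overlay FS
+# doesn't work when the underlying directories change.
+BindReadOnlyPaths = "/mnt/hut-nix-store:/nix/store";
+};
+}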
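Review bot: The `/mnt/hut-nix-store` NFS mount has only `ro` in its options, so a node whose `hut` is unreachable at boot blocks in the mount step instead of coming up; raccoon's NFS home mount in this same commit uses `nofail`, and `options = [ "ro" "nofail" ];` would give the compute nodes the same tolerance. With `nofail`, though, `BindReadOnlyPaths = "/mnt/hut-nix-store:/nix/store"` would bind an empty mountpoint over the local store inside slurmd's namespace if the mount is absent, so slurmd should then also declare `requires`/`after` on the generated mount unit so it fails clearly rather than running jobs against an empty `/nix/store`. Binding another host's store over `/nix/store` also means job processes trust whatever `hut` serves; the FIXME already covers the merging problem, and a sentence about that trust boundary would complete it.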
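--- a/m/module/slurm-server.nix
+++ b/m/module/slurm-server.nix
@@ -0,0 +1,23 @@
+{ ... }:
+
+{
+imports = [
+./slurm-common.nix
+];
+
+services.slurm.server.enable = true;
+
+networking.firewall = {
+extraCommands = ''
+# Accept slurm connections to controller from compute nodes
+iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 6817 -j nixos-fw-accept
+# Accept slurm connections from compute nodes for srun
+iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 60000:61000 -j nixos-fw-accept
+
+# Accept slurm connections to controller from fox (via wireguard)
+iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.1/32 --dport 6817 -j nixos-fw-accept
+# Accept slurm connections from fox for srun (via wireguard)
+iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.1/32 --dport 60000:61000 -j nixos-fw-accept
+'';
+};
+}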
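Review bot: The two `-s 10.0.40.0/24` rules carry no `-i` qualifier, unlike the wireguard pair that pins `-i wg0 -s 10.106.0.1/32`, so a packet with a 10.0.40.x source arriving on any other interface of the controller matches them too. Binding them to the cluster-facing interface, e.g. `iptables -A nixos-fw -p tcp -i <cluster-iface> -s 10.0.40.0/24 --dport 6817 -j nixos-fw-accept` (and the same for `--dport 60000:61000`), keeps the four rules consistent; the interface name is not visible in this file. Note that raccoon's wireguard config in this commit routes `10.0.40.0/24` through its apex peer, so if that subnet is also legitimately reachable here via wg0 the rule needs both interfaces, which is worth stating in the comment.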
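--- a/m/module/upc-qaire-exporter.nix
+++ b/m/module/upc-qaire-exporter.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+systemd.services."prometheus-upc-qaire-exporter" = {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+Restart = mkDefault "always";
+PrivateTmp = mkDefault true;
+WorkingDirectory = mkDefault "/tmp";
+DynamicUser = mkDefault true;
+ExecStart = "${pkgs.upc-qaire-exporter}/bin/upc-qaire-exporter";
+};
+};
+}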
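Review bot: `ExecStart = "${pkgs.upc-qaire-exporter}/bin/upc-qaire-exporter"` passes no listen address, whereas the sibling prometheus-slurm-exporter unit in this commit pins `--listen-address "127.0.0.1:9341"`; if this exporter's default is to bind all interfaces, its metrics are reachable from every network the host sits on and only the firewall stands in the way. Confirm the binary's default bind address and, if it takes a listen option, pin it to loopback like the slurm exporter, recording the port in a comment either way. The unit also has no `description`, which the power-policy unit in this commit does set.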
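--- a/m/module/vpn-dac.nix
+++ b/m/module/vpn-dac.nix
@@ -0,0 +1,35 @@
+{config, ...}:
+{
+age.secrets.vpn-dac-login.file = ../../secrets/vpn-dac-login.age;
+age.secrets.vpn-dac-client-key.file = ../../secrets/vpn-dac-client-key.age;
+
+services.openvpn.servers = {
+# systemctl status openvpn-dac.service
+dac = {
+config = ''
+client
+dev tun
+proto tcp
+remote vpn.ac.upc.edu 1194
+remote vpn.ac.upc.edu 80
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+ca ${./vpn-dac/ca.crt}
+cert ${./vpn-dac/client.crt}
+# Only key needs to be secret
+key ${config.age.secrets.vpn-dac-client-key.path}
+remote-cert-tls server
+comp-lzo
+verb 3
+auth-user-pass ${config.age.secrets.vpn-dac-login.path}
+reneg-sec 0
+
+# Only route fox-ipmi
+pull-filter ignore "route "
+route 147.83.35.27 255.255.255.255
+'';
+};
+};
+}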
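Review bot: `comp-lzo` enables OpenVPN link compression, which upstream has deprecated because compressing application data alongside secrets exposes the tunnel to VORACLE-style plaintext recovery; unless the server insists on it, prefer `comp-lzo no` (or the argument-less `compress` stub) and check what the server pushes. `reneg-sec 0` disables periodic data-channel key renegotiation, so one session key is used for the tunnel's whole lifetime; if that was chosen to avoid re-authentication prompts, a comment saying so will stop a later reviewer from silently "fixing" it. The `pull-filter ignore "route "` plus the single `route 147.83.35.27 255.255.255.255` keeps the tunnel scoped to fox-ipmi, which is the right least-exposure choice and worth keeping.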
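--- a/m/module/vpn-dac/ca.crt
+++ b/m/module/vpn-dac/ca.crt
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFUjCCBDqgAwIBAgIJAJH118PApk5hMA0GCSqGSIb3DQEBCwUAMIHLMQswCQYD
+VQQGEwJFUzESMBAGA1UECBMJQmFyY2Vsb25hMRIwEAYDVQQHEwlCYXJjZWxvbmEx
+LTArBgNVBAoTJFVuaXZlcnNpdGF0IFBvbGl0ZWNuaWNhIGRlIENhdGFsdW55YTEk
+MCIGA1UECxMbQXJxdWl0ZWN0dXJhIGRlIENvbXB1dGFkb3JzMRAwDgYDVQQDEwdM
+Q0FDIENBMQ0wCwYDVQQpEwRMQ0FDMR4wHAYJKoZIhvcNAQkBFg9sY2FjQGFjLnVw
+Yy5lZHUwHhcNMTYwMTEyMTI0NDIxWhcNNDYwMTEyMTI0NDIxWjCByzELMAkGA1UE
+BhMCRVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMS0w
+KwYDVQQKEyRVbml2ZXJzaXRhdCBQb2xpdGVjbmljYSBkZSBDYXRhbHVueWExJDAi
+BgNVBAsTG0FycXVpdGVjdHVyYSBkZSBDb21wdXRhZG9yczEQMA4GA1UEAxMHTENB
+QyBDQTENMAsGA1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0BhYy51cGMu
+ZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CteSeof7Xwi51kC
+F0nQ4E9iR5Lq7wtfRuVPn6JJcIxJJ6+F9gr4R/HIHTztW4XAzReE36DYfexupx3D
+6UgQIkMLlVyGqRbulNF+RnCx20GosF7Dm4RGBVvOxBP1PGjYq/A+XhaaDAFd0cOF
+LMNkzuYP7PF0bnBEaHnxmN8bPmuyDyas7fK9AAc3scyWT2jSBPbOVFvCJwPg8MH9
+V/h+hKwL/7hRt1MVfVv2qyIuKwTki8mUt0RcVbP7oJoRY5K1+R52phIz/GL/b4Fx
+L6MKXlQxLi8vzP4QZXgCMyV7oFNdU3VqCEXBA11YIRvsOZ4QS19otIk/ZWU5x+HH
+LAIJ7wIDAQABo4IBNTCCATEwHQYDVR0OBBYEFNyezX1cH1N4QR14ebBpljqmtE7q
+MIIBAAYDVR0jBIH4MIH1gBTcns19XB9TeEEdeHmwaZY6prRO6qGB0aSBzjCByzEL
+MAkGA1UEBhMCRVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vs
+b25hMS0wKwYDVQQKEyRVbml2ZXJzaXRhdCBQb2xpdGVjbmljYSBkZSBDYXRhbHVu
+eWExJDAiBgNVBAsTG0FycXVpdGVjdHVyYSBkZSBDb21wdXRhZG9yczEQMA4GA1UE
+AxMHTENBQyBDQTENMAsGA1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0Bh
+Yy51cGMuZWR1ggkAkfXXw8CmTmEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
+AAOCAQEAUAmOvVXIQrR+aZVO0bOTeugKBHB75eTIZSIHIn2oDUvDbAP5GXIJ56A1
+6mZXxemSMY8/9k+pRcwJhfat3IgvAN159XSqf9kRv0NHgc3FWUI1Qv/BsAn0vJO/
+oK0dbmbbRWqt86qNrCN+cUfz5aovvxN73jFfnvfDQFBk/8enj9wXxYfokjjLPR1Q
++oTkH8dY68qf71oaUB9MndppPEPSz0K1S6h1XxvJoSu9MVSXOQHiq1cdZdxRazI3
+4f7q9sTCL+khwDAuZxAYzlEYxFFa/NN8PWU6xPw6V+t/aDhOiXUPJQB/O/K7mw3Z
+TQQx5NqM7B5jjak5fauR3/oRD8XXsA==
+-----END CERTIFICATE-----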
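--- a/m/module/vpn-dac/client.crt
+++ b/m/module/vpn-dac/client.crt
@@ -0,0 +1,100 @@
+Certificate:
+Data:
+Version: 3 (0x2)
+Serial Number: 2 (0x2)
+Signature Algorithm: sha256WithRSAEncryption
+Issuer: C=ES, ST=Barcelona, L=Barcelona, O=Universitat Politecnica de Catalunya, OU=Arquitectura de Computadors, CN=LCAC CA/name=LCAC/emailAddress=lcac@ac.upc.edu
+Validity
+Not Before: Jan 12 12:45:41 2016 GMT
+Not After : Jan 12 12:45:41 2046 GMT
+Subject: C=ES, ST=Barcelona, L=Barcelona, O=Universitat Politecnica de Catalunya, OU=Arquitectura de Computadors, CN=client/name=LCAC/emailAddress=lcac@ac.upc.edu
+Subject Public Key Info:
+Public Key Algorithm: rsaEncryption
+Public-Key: (2048 bit)
+Modulus:
+00:97:99:fa:7a:0e:4d:e2:1d:a5:b1:a8:14:18:64:
+c7:66:bf:de:99:1d:92:3b:86:82:4d:95:39:f7:a6:
+56:49:97:14:4f:e3:37:00:6c:f4:d0:1d:56:79:e7:
+19:b5:dd:36:15:8e:1d:57:7b:59:29:d2:11:bf:58:
+48:e0:f7:41:3d:16:64:8d:a2:0b:4a:ac:fa:c6:83:
+dc:10:2a:2c:d9:97:48:ee:11:2a:bc:4b:60:dd:b9:
+2e:8f:45:ca:87:0b:38:65:1c:f8:a2:1d:f9:50:aa:
+6e:60:f9:48:df:57:12:23:e1:e7:0c:81:5c:9f:c5:
+b2:e6:99:99:95:30:6d:57:36:06:8c:fd:fb:f9:4f:
+60:d2:3c:ba:ae:28:56:2f:da:58:5c:e8:c5:7b:ec:
+76:d9:28:6e:fb:8c:07:f9:d7:23:c3:72:76:3c:fa:
+dc:20:67:8f:cc:16:e0:91:07:d5:68:f9:20:4d:7d:
+5c:2d:02:04:16:76:52:f3:53:be:a3:dc:0d:d5:fb:
+6b:55:29:f3:52:35:c8:7d:99:d1:4a:94:be:b1:8e:
+fd:85:18:25:eb:41:e9:56:da:af:62:84:20:0a:00:
+17:94:92:94:91:6a:f8:54:37:17:ee:1e:bb:fb:93:
+71:91:d9:e4:e9:b8:3b:18:7d:6d:7d:4c:ce:58:55:
+f9:41
+Exponent: 65537 (0x10001)
+X509v3 extensions:
+X509v3 Basic Constraints:
+CA:FALSE
+Netscape Comment:
+Easy-RSA Generated Certificate
+X509v3 Subject Key Identifier:
+1B:88:06:D5:33:1D:5C:48:46:B5:DE:78:89:36:96:91:3A:74:43:18
+X509v3 Authority Key Identifier:
+keyid:DC:9E:CD:7D:5C:1F:53:78:41:1D:78:79:B0:69:96:3A:A6:B4:4E:EA
+DirName:/C=ES/ST=Barcelona/L=Barcelona/O=Universitat Politecnica de Catalunya/OU=Arquitectura de Computadors/CN=LCAC CA/name=LCAC/emailAddress=lcac@ac.upc.edu
+serial:91:F5:D7:C3:C0:A6:4E:61
+
+X509v3 Extended Key Usage:
+TLS Web Client Authentication
+X509v3 Key Usage:
+Digital Signature
+X509v3 Subject Alternative Name:
+DNS:client
+Signature Algorithm: sha256WithRSAEncryption
+42:e8:50:b2:e7:88:75:86:0b:bb:29:e3:aa:c6:0e:4c:e8:ea:
+3d:0c:02:31:7f:3b:80:0c:3f:80:af:45:d6:62:27:a0:0e:e7:
+26:09:12:97:95:f8:d9:9b:89:b5:ef:56:64:f1:de:82:74:e0:
+31:0a:cc:90:0a:bd:50:b8:54:95:0a:ae:3b:40:df:76:b6:d1:
+01:2e:f3:96:9f:52:d4:e9:14:6d:b7:14:9d:45:99:33:36:2a:
+01:0b:15:1a:ed:55:dc:64:83:65:1a:06:42:d9:c7:dc:97:d4:
+02:81:c2:58:2b:ea:e4:b7:ae:84:3a:e4:3f:f1:2e:fa:ec:f3:
+40:5d:b8:6a:d5:5e:e1:e8:2f:e2:2f:48:a4:38:a1:4f:22:e3:
+4f:66:94:aa:02:78:9a:2b:7a:5d:aa:aa:51:a5:e3:d0:91:e9:
+1d:f9:08:ed:8b:51:c9:a6:af:46:85:b5:1c:ed:12:a1:28:33:
+75:36:00:d8:5c:14:65:96:c0:28:7d:47:50:a4:89:5f:b0:72:
+1a:4b:13:17:26:0f:f0:b8:65:3c:e9:96:36:f9:bf:90:59:33:
+87:1f:01:03:25:f8:f0:3a:9b:33:02:d0:0a:43:b5:0a:cf:62:
+a1:45:38:37:07:9d:9c:94:0b:31:c6:3c:34:b7:fc:5a:0c:e4:
+bf:23:f6:7d
+-----BEGIN CERTIFICATE-----
+MIIFqjCCBJKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCByzELMAkGA1UEBhMCRVMx
+EjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMS0wKwYDVQQK
+EyRVbml2ZXJzaXRhdCBQb2xpdGVjbmljYSBkZSBDYXRhbHVueWExJDAiBgNVBAsT
+G0FycXVpdGVjdHVyYSBkZSBDb21wdXRhZG9yczEQMA4GA1UEAxMHTENBQyBDQTEN
+MAsGA1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0BhYy51cGMuZWR1MB4X
+DTE2MDExMjEyNDU0MVoXDTQ2MDExMjEyNDU0MVowgcoxCzAJBgNVBAYTAkVTMRIw
+EAYDVQQIEwlCYXJjZWxvbmExEjAQBgNVBAcTCUJhcmNlbG9uYTEtMCsGA1UEChMk
+VW5pdmVyc2l0YXQgUG9saXRlY25pY2EgZGUgQ2F0YWx1bnlhMSQwIgYDVQQLExtB
+cnF1aXRlY3R1cmEgZGUgQ29tcHV0YWRvcnMxDzANBgNVBAMTBmNsaWVudDENMAsG
+A1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0BhYy51cGMuZWR1MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl5n6eg5N4h2lsagUGGTHZr/emR2S
+O4aCTZU596ZWSZcUT+M3AGz00B1WeecZtd02FY4dV3tZKdIRv1hI4PdBPRZkjaIL
+Sqz6xoPcECos2ZdI7hEqvEtg3bkuj0XKhws4ZRz4oh35UKpuYPlI31cSI+HnDIFc
+n8Wy5pmZlTBtVzYGjP37+U9g0jy6rihWL9pYXOjFe+x22Shu+4wH+dcjw3J2PPrc
+IGePzBbgkQfVaPkgTX1cLQIEFnZS81O+o9wN1ftrVSnzUjXIfZnRSpS+sY79hRgl
+60HpVtqvYoQgCgAXlJKUkWr4VDcX7h67+5Nxkdnk6bg7GH1tfUzOWFX5QQIDAQAB
+o4IBljCCAZIwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2Vu
+ZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQbiAbVMx1cSEa13niJNpaROnRD
+GDCCAQAGA1UdIwSB+DCB9YAU3J7NfVwfU3hBHXh5sGmWOqa0TuqhgdGkgc4wgcsx
+CzAJBgNVBAYTAkVTMRIwEAYDVQQIEwlCYXJjZWxvbmExEjAQBgNVBAcTCUJhcmNl
+bG9uYTEtMCsGA1UEChMkVW5pdmVyc2l0YXQgUG9saXRlY25pY2EgZGUgQ2F0YWx1
+bnlhMSQwIgYDVQQLExtBcnF1aXRlY3R1cmEgZGUgQ29tcHV0YWRvcnMxEDAOBgNV
+BAMTB0xDQUMgQ0ExDTALBgNVBCkTBExDQUMxHjAcBgkqhkiG9w0BCQEWD2xjYWNA
+YWMudXBjLmVkdYIJAJH118PApk5hMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1Ud
+DwQEAwIHgDARBgNVHREECjAIggZjbGllbnQwDQYJKoZIhvcNAQELBQADggEBAELo
+ULLniHWGC7sp46rGDkzo6j0MAjF/O4AMP4CvRdZiJ6AO5yYJEpeV+NmbibXvVmTx
+3oJ04DEKzJAKvVC4VJUKrjtA33a20QEu85afUtTpFG23FJ1FmTM2KgELFRrtVdxk
+g2UaBkLZx9yX1AKBwlgr6uS3roQ65D/xLvrs80BduGrVXuHoL+IvSKQ4oU8i409m
+lKoCeJorel2qqlGl49CR6R35CO2LUcmmr0aFtRztEqEoM3U2ANhcFGWWwCh9R1Ck
+iV+wchpLExcmD/C4ZTzpljb5v5BZM4cfAQMl+PA6mzMC0ApDtQrPYqFFODcHnZyU
+CzHGPDS3/FoM5L8j9n0=
+-----END CERTIFICATE-----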
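--- a/m/owl1/configuration.nix
+++ b/m/owl1/configuration.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+
+{
+imports = [
+../common/ssf.nix
+../module/ceph.nix
+../module/emulation.nix
+../module/slurm-client.nix
+../module/slurm-firewall.nix
+../module/debuginfod.nix
+../module/hut-substituter.nix
+];
+
+# Select the this using the ID to avoid mismatches
+boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53566c";
+
+networking = {
+hostName = "owl1";
+interfaces.eno1.ipv4.addresses = [ {
+address = "10.0.40.1";
+prefixLength = 24;
+} ];
+interfaces.ibp5s0.ipv4.addresses = [ {
+address = "10.0.42.1";
+prefixLength = 24;
+} ];
+};
+}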
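Review bot: The comment above `boot.loader.grub.device` reads `# Select the this using the ID to avoid mismatches`, which has a stray word; `# Select the boot disk by its stable by-id path to avoid mismatches` says what the line does. The same comment is repeated in m/owl2/configuration.nix and m/tent/configuration.nix in this commit. The module header binds `config` and `pkgs` but neither is used in this file; `{ ... }:` as in the slurm modules would be consistent.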
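--- a/m/owl2/configuration.nix
+++ b/m/owl2/configuration.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+
+{
+imports = [
+../common/ssf.nix
+../module/ceph.nix
+../module/emulation.nix
+../module/slurm-client.nix
+../module/slurm-firewall.nix
+../module/debuginfod.nix
+../module/hut-substituter.nix
+];
+
+# Select the this using the ID to avoid mismatches
+boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d535629";
+
+networking = {
+hostName = "owl2";
+interfaces.eno1.ipv4.addresses = [ {
+address = "10.0.40.2";
+prefixLength = 24;
+} ];
+# Watch out! The OmniPath device is not in the same place here:
+interfaces.ibp129s0.ipv4.addresses = [ {
+address = "10.0.42.2";
+prefixLength = 24;
+} ];
+};
+}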
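--- a/m/raccoon/configuration.nix
+++ b/m/raccoon/configuration.nix
@@ -0,0 +1,98 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+{
+imports = [
+../common/base.nix
+../common/ssf/hosts.nix
+../module/emulation.nix
+../module/debuginfod.nix
+../module/nvidia.nix
+../eudy/kernel/perf.nix
+./wireguard.nix
+../module/hut-substituter.nix
+];
+
+# Don't install Grub on the disk yet
+boot.loader.grub.device = "nodev";
+
+# Enable serial console
+boot.kernelParams = [
+"console=tty1"
+"console=ttyS1,115200"
+];
+
+networking = {
+hostName = "raccoon";
+# Only BSC DNSs seem to be reachable from the office VLAN
+nameservers = [ "84.88.52.35" "84.88.52.36" ];
+defaultGateway = "84.88.51.129";
+interfaces.eno0.ipv4.addresses = [ {
+address = "84.88.51.152";
+prefixLength = 25;
+} ];
+interfaces.enp5s0f1.ipv4.addresses = [ {
+address = "10.0.44.1";
+prefixLength = 24;
+} ];
+nat = {
+enable = true;
+internalInterfaces = [ "enp5s0f1" ];
+externalInterface = "eno0";
+};
+hosts = {
+"10.0.44.4" = [ "tent" ];
+"84.88.53.236" = [ "apex" ];
+};
+};
+
+# Mount the NFS home
+fileSystems."/nfs/home" = {
+device = "10.106.0.30:/home";
+fsType = "nfs";
+options = [ "nfsvers=3" "rsize=1024" "wsize=1024" "cto" "nofail" ];
+};
+
+# Enable performance governor
+powerManagement.cpuFreqGovernor = "performance";
+
+hardware.nvidia.open = false; # Maxwell is older than Turing architecture
+
+services.openssh.settings.X11Forwarding = true;
+
+services.prometheus.exporters.node = {
+enable = true;
+enabledCollectors = [ "systemd" ];
+port = 9002;
+listenAddress = "127.0.0.1";
+};
+
+users.motd = ''
+⠀⠀⠀⠀⠀⠀⠀⣀⣀⣄⣠⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
+⠀⠀⠀⠀⠀⠀⢰⠇⡀⠀⠙⠻⡿⣦⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⠀⠀⠀
+⠀⠀⠀⠀⠀⠀⡎⢰⣧⠀⠀⠀⠁⠈⠛⢿⣦⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣴⡦⠶⠟⠓⠚⠻⡄⠀
+⠀⠀⠀⠀⠀⠀⣧⠀⣱⣀⣰⣧⠀⢀⠀⣘⣿⣿⣦⣶⣄⣠⡀⠀⠀⣀⣀⣤⣴⣄⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⠿⠏⠁⠀⣀⣠⣶⣿⡶⣿⠀
+⠀⠀⠀⠀⠀⠀⣹⣆⠘⣿⣿⣿⣇⢸⣷⣿⣿⣿⣿⣿⣿⣿⣿⣿⣾⣿⣿⣿⣿⣿⣿⣿⣿⣶⣶⣦⡀⣀⣤⣠⣤⡾⠋⠀⢀⣤⣶⣿⣿⣿⣿⣿⣿⣿⡀
+⠀⠀⠀⠀⠀⠀⠘⢿⡄⢼⣿⣿⣿⣿⣿⡟⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣵⣾⡾⠙⣋⣩⣽⣿⣿⣿⣿⢋⡼⠁
+⠀⠀⠀⠀⠀⠀⠀⠈⢻⣄⠸⢿⣿⣿⠿⠷⠀⠈⠀⣭⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣾⣿⣿⣿⣿⣿⣿⠇⡼⠁⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⢾⣯⡀⠀⢼⡿⠀⠀⠀⢼⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⣿⡿⣿⣿⣿⠿⣿⣯⣼⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⢋⡼⠁⠀⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⠀⢻⡏⠠⣦⠁⠀⠀⠀⠀⠀⠟⠛⠛⣿⣿⣿⣿⣿⠿⠁⠀⠁⢿⠙⠁⠀⠛⠹⣿⣏⣾⣿⣿⣿⣿⣿⣿⣿⣿⠿⠃⣹⠁⠀⠀⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⠀⣘⣧⠀⠙⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⣿⡿⡿⠀⠀⠀⠀⠈⠀⠀⠀⠀⠀⠀⢹⣿⠿⢿⣿⣿⣿⣿⣿⠋⢀⡤⠛⠀⠀⠀⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⡯⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⣿⣿⣿⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠁⠀⢸⣿⣿⣿⠛⠉⠀⣰⠷⠀⠀⠀⠀⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⠇⠀⠀⠀⠀⠀⢀⣿⡇⠀⠀⢻⣿⣿⠁⠀⠀⢠⣾⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⠟⢿⣿⣄⡀⢸⣿⡀⠀⠀⠀⠀⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⢀⣿⠀⠀⠀⢰⣿⣿⡛⣿⣿⡄⢠⡺⠿⡍⠁⢀⣤⣿⣿⣿⠿⣷⣮⣉⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣿⠀⠀⠈⣧⠀⠀⠀⠀⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⢾⠉⠃⠀⣴⣿⣟⠻⣿⣿⣿⡇⢸⣿⣶⠀⢀⣾⣿⣿⣟⠿⣷⣾⣿⣿⣿⣿⣦⣤⣤⡤⠀⠀⠀⠀⠀⠁⠀⠀⠀⣼⠗⠀⠀⠀⠀
+⠀⠀⠐⢄⡀⠀⠀⠀⢘⡀⠀⢶⣾⣿⣿⣿⣿⡿⠋⠁⠈⠻⠉⠀⠚⠻⣿⣿⣿⣶⣾⣿⣿⣿⣿⣿⣿⣷⣬⣤⣶⣦⡀⣾⣶⣇⠀⠀⠈⢉⣷⠀⠀⠀⠀
+⠀⠀⠀⠀⠈⠓⠶⢦⡽⠄⣈⣿⣿⣿⣿⣿⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠹⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡓⠙⣿⡟⠀⠀⠀⠈⠛⣷⣶⡄⠀
+⠀⠀⠀⠀⠀⠀⠀⢀⣬⠆⢠⣍⣛⠻⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣉⣀⡀⠀⠀⠈⠛⢿⣦⡀
+⠐⠒⠒⠶⠶⠶⢦⣬⣟⣥⣀⡉⠛⠻⠶⢁⣤⣾⣿⣿⣿⣷⡄⠀⠀⠀⠀⠀⢸⣿⣿⣿⣿⣿⣟⡛⠿⠭⠭⠭⠭⠭⠿⠿⠿⢿⣿⣟⠃⠀⠀⠀⠹⣟⠓
+⠀⣀⣠⠤⠤⢤⣤⣾⣤⡄⣉⣉⣙⣓⡂⣿⣿⣭⣹⣿⣿⣿⣿⡰⣂⣀⢀⠀⠻⣿⠛⠻⠟⠡⣶⣾⣿⣿⣿⣿⣿⣿⣿⡖⠒⠒⠒⠛⠷⢤⡀⢰⣴⣿⡆
+⠀⠀⠀⢀⣠⡴⠾⠟⠻⣟⡉⠉⠉⠉⢁⢿⣿⣿⣿⣿⣿⣿⡿⣱⣿⣭⡌⠤⠀⠀⠐⣶⣌⡻⣶⣭⡻⢿⣿⣿⣿⣿⣿⣯⣥⣤⣦⠀⠠⣴⣶⣶⣿⡟⢿
+⢀⠔⠊⠉⠀⠀⠀⠀⢸⣯⣤⠀⠀⠠⣼⣮⣟⣿⣿⣿⣻⣭⣾⣿⣿⣷⣶⣦⠶⣚⣾⣿⣿⣷⣜⣿⣿⣶⣝⢿⣿⣿⣿⣿⣷⣦⣄⣰⡄⠈⢿⣿⡿⣇⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⠈⢡⢇⠀⠀⣠⣿⣿⣿⣯⣟⣛⣛⣛⣛⣛⣩⣭⣴⣶⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⣻⣿⣧⠀⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⠀⣾⠏⠀⢹⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⣍⣿⣿⣿⣿⡄⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣾⡁⢈⣾⣿⡿⠛⣛⣿⣿⣿⣿ DO YOU BRING FEEDS? ⣿⣿⣿⣿⣿⣿⡏⠈⠙⠈⠁⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⠀⠛⡿⠛⠉⣽⣿⣷⣾⡿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠷⠌⠛⠉⠀⠁⠀⠀⠀⠀⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠀⠀⠹⠋⠀⢻⣿⣿⣿⣿⠿⢿⣿⣿⣿⣿⣿⣿⠿⣿⣿⣿⣿⠿⠛⠋⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
+⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠉⠁⠀⠀⠀⠀⠀⠈⠉⠉⠀⠀⠈⠋⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
+'';
+}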
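Review bot: `services.openssh.settings.X11Forwarding = true` is set host-wide on a machine with a routable address (`84.88.51.152/25` on `eno0`) that also acts as a NAT gateway, which enlarges the sshd surface for every login rather than only the sessions that need it; if one workflow needs it, scoping it with a `Match` block or leaving it to the client side keeps the daemon default off. `networking.nat` is configured both here (`internalInterfaces = [ "enp5s0f1" ]`) and in `./wireguard.nix` (`[ "wg0" ]`); NixOS merges the lists so it works, but `enable` and `externalInterface` are duplicated and a comment such as `# NAT for wg0 peers is declared in ./wireguard.nix; the lists merge` would stop a reader from assuming one definition overrides the other. The NFS home mount uses `rsize=1024 wsize=1024`, which is unusually small; if that is a deliberate workaround for the wireguard path to 10.106.0.30, the `# Mount the NFS home` comment should say so.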
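--- a/m/raccoon/wireguard.nix
+++ b/m/raccoon/wireguard.nix
@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+
+{
+networking.nat = {
+enable = true;
+enableIPv6 = false;
+externalInterface = "eno0";
+internalInterfaces = [ "wg0" ];
+};
+
+networking.firewall = {
+allowedUDPPorts = [ 666 ];
+};
+
+age.secrets.wgRaccoon.file = ../../secrets/wg-raccoon.age;
+
+# Enable WireGuard
+networking.wireguard.enable = true;
+networking.wireguard.interfaces = {
+wg0 = {
+ips = [ "10.106.0.236/24" ];
+listenPort = 666;
+privateKeyFile = config.age.secrets.wgRaccoon.path;
+# Public key: QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI=
+peers = [
+{
+name = "fox";
+publicKey = "VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=";
+allowedIPs = [ "10.106.0.1/32" ];
+endpoint = "fox.ac.upc.edu:666";
+persistentKeepalive = 25;
+}
+{
+name = "apex";
+publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
+allowedIPs = [ "10.106.0.30/32" "10.0.40.0/24" ];
+endpoint = "ssfhead.bsc.es:666";
+persistentKeepalive = 25;
+}
+];
+};
+};
+
+networking.hosts = {
+"10.106.0.1" = [ "fox.wg" ];
+"10.106.0.30" = [ "apex.wg" ];
+};
+}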
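Review bot: The apex peer's `allowedIPs = [ "10.106.0.30/32" "10.0.40.0/24" ]` also installs a route for the whole cluster subnet through wg0, and `networking.nat.internalInterfaces = [ "wg0" ]` masquerades whatever arrives from the wireguard peers out of `eno0`, so together this makes raccoon an internet gateway for both peers and a path to the 10.0.40.0/24 side; that is fine if intended, but it deserves a comment such as `# apex forwards the 10.0.40.0/24 cluster network; wg0 peers are NATed to the internet via eno0`. `allowedUDPPorts = [ 666 ]` and `listenPort = 666` must stay in sync by hand; a comment on the firewall line naming the wireguard port (or one `let` binding used in both places) would prevent them from drifting.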
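--- a/m/tent/blackbox.yml
+++ b/m/tent/blackbox.yml
@@ -0,0 +1,14 @@
+modules:
+  http_2xx:
+    prober: http
+    timeout: 5s
+    http:
+      preferred_ip_protocol: "ip4"
+      follow_redirects: true
+      valid_status_codes: [] # Defaults to 2xx
+      method: GET
+  icmp:
+    prober: icmp
+    timeout: 5s
+    icmp:
+      preferred_ip_protocol: "ip4"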
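--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -0,0 +1,85 @@
+{ config, pkgs, lib, ... }:
+
+{
+imports = [
+../common/xeon.nix
+../common/ssf/hosts.nix
+../module/emulation.nix
+../module/debuginfod.nix
+./monitoring.nix
+./nginx.nix
+./nix-serve.nix
+./gitlab-runner.nix
+./gitea.nix
+../hut/public-inbox.nix
+../hut/msmtp.nix
+../module/p.nix
+../module/vpn-dac.nix
+../module/hut-substituter.nix
+];
+
+# Select the this using the ID to avoid mismatches
+boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d537675";
+
+networking = {
+hostName = "tent";
+interfaces.eno1.ipv4.addresses = [
+{
+address = "10.0.44.4";
+prefixLength = 24;
+}
+];
+
+# Only BSC DNSs seem to be reachable from the office VLAN
+nameservers = [ "84.88.52.35" "84.88.52.36" ];
+search = [ "bsc.es" "ac.upc.edu" ];
+defaultGateway = "10.0.44.1";
+hosts = {
+"84.88.53.236" = [ "apex" ];
+"10.0.44.1" = [ "raccoon" ];
+};
+};
+
+services.p.enable = true;
+
+services.prometheus.exporters.node = {
+enable = true;
+enabledCollectors = [ "systemd" ];
+port = 9002;
+listenAddress = "127.0.0.1";
+};
+
+boot.swraid = {
+enable = true;
+mdadmConf = ''
+DEVICE partitions
+ARRAY /dev/md0 metadata=1.2 UUID=496db1e2:056a92aa:a544543f:40db379d
+MAILADDR root
+'';
+};
+
+fileSystems."/vault" = {
+device = "/dev/disk/by-label/vault";
+fsType = "ext4";
+};
+
+# Make a /vault/$USER directory for each user.
+systemd.services.create-vault-dirs = let
+# Take only normal users in tent
+users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users;
+commands = lib.concatLists (lib.mapAttrsToList
+(_: user: [
+"install -d -o ${user.name} -g ${user.group} -m 0711 /vault/home/${user.name}"
+]) users);
+script = pkgs.writeShellScript "create-vault-dirs.sh" (lib.concatLines commands);
+in {
+enable = true;
+wants = [ "local-fs.target" ];
+after = [ "local-fs.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig.ExecStart = script;
+};
+
+# disable automatic garbage collector
+nix.gc.automatic = lib.mkForce false;
+}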
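Review bot: `create-vault-dirs` repeats the `filterAttrs isNormalUser` → `install -d` pattern of `m/module/p.nix` almost line for line; a small shared function taking the base directory and mode would keep the two from drifting (the mode already differs, 0711 here versus 0755 there, which may be intended). `install -d` creates the parent `/vault/home` implicitly with the default mode if it is missing, whereas p.nix creates its root explicitly with `install -d -o root -g root -m 0755 ${cfg.path}`; prepending `"install -d -o root -g root -m 0755 /vault/home"` to `commands` makes the parent's ownership deliberate. The unit leaves `Type` unset, so it runs as `simple`; `serviceConfig.Type = "oneshot"` fits a run-once setup script and lets anything ordered after it wait for the directories to exist. The comment `# Make a /vault/$USER directory for each user.` should say `/vault/home/$USER`, which is what the install line creates.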