weasel: enable hydra tcp port in firewall

/home is a nfs mount, which does not support extra filesystem arguments
needed to run podman. We need to have a local home.

.gitea/workflows/ci.yaml

@@ -1,20 +0,0 @@
-name: CI
-on:
-  push:
-    branches:
-      - master
-  pull_request:
-    branches:
-      - master
-
-jobs:
-  build:all:
-    runs-on: native
-    steps:
-      - uses: https://gitea.com/ScMi1/checkout@v1.4
-      - run: nix build -L --no-link --print-out-paths .#bsc.ci.all
-  build:cross:
-    runs-on: native
-    steps:
-      - uses: https://gitea.com/ScMi1/checkout@v1.4
-      - run: nix build -L --no-link --print-out-paths .#bsc.ci.cross

.gitignore

@@ -1,3 +1,3 @@
-**.swp
+*.swp
 /result
 /misc

.gitlab-ci.yml

@@ -1,6 +0,0 @@
-build:bsc-ci.all:
-  stage: build
-  tags:
-    - nix
-  script:
-    - nix build -L --no-link --print-out-paths .#bsc-ci.all

COPYING

@@ -1,21 +0,0 @@
-Copyright (c) 2020-2025 Barcelona Supercomputing Center
-Copyright (c) 2003-2020 Eelco Dolstra and the Nixpkgs/NixOS contributors
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,9 +0,0 @@
-# Jungle
-
-This repository provides two components that can be used independently:
-
-- A Nix overlay with packages used at BSC (formerly known as bscpkgs). Access
-  them directly with `nix shell .#<pkgname>`.
-
-- NixOS configurations for jungle machines. Use `nixos-rebuild switch --flake .`
-  to upgrade the current machine.

default.nix

@@ -1,19 +0,0 @@
-let
-  bscOverlay = import ./overlay.nix;
-
-  # read flake.lock and determine revision from there
-  lock = builtins.fromJSON (builtins.readFile ./flake.lock);
-  inherit (lock.nodes.nixpkgs.locked) rev narHash;
-  fetchedNixpkgs = builtins.fetchTarball {
-    url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
-    sha256 = narHash;
-  };
-in
-{ overlays ? [ ]
-, nixpkgs ? fetchedNixpkgs
-, ...
-}@attrs:
-import nixpkgs (
-  (builtins.removeAttrs attrs [ "overlays" "nixpkgs" ]) //
-  { overlays = [ bscOverlay ] ++ overlays; }
-)

doc/maintainers.md

@@ -1,30 +0,0 @@
-# Maintainers
-
-## Role of a maintainer
-The responsibilities of maintainers are quite lax, and similar in spirit to
-[nixpkgs' maintainers][1]:
-
-    The main responsibility of a maintainer is to keep the packages they
-    maintain in a functioning state, and keep up with updates. In order to do
-    that, they are empowered to make decisions over the packages they maintain.
-
-    That being said, the maintainer is not alone in proposing changes to the
-    packages. Anybody (both bots and humans) can send PRs to bump or tweak the
-    package.
-
-In practice, this means that when updating or proposing changes to a package,
-we will notify maintainers by mentioning them in Gitea so they can test changes
-and give feedback.
-
-Since we do bi-yearly release cycles, there is no expectation from maintainers
-to update packages at each upstream release. Nevertheless, on each release cycle
-we may request help from maintainers when updating or testing their packages.
-
-## Becoming a maintainer
-
-
-You'll have to add yourself in the `maintainers.nix` list; your username should
-match your `bsc.es` email. Then you can add yourself to the `meta.maintainers`
-of any package you are interested in maintaining.
-
-[1]: [https://github.com/NixOS/nixpkgs/tree/nixos-25.05/maintainers]

doc/trim.sh

@@ -1,46 +0,0 @@
-#!/bin/sh
-
-# Trims the jungle repository by moving the website to its own repository and
-# removing it from jungle. It also removes big pdf files and kernel
-# configurations so the jungle repository is small.
-
-set -e
-
-if [ -e oldjungle -o -e newjungle -o -e website ]; then
-  echo "remove oldjungle/, newjungle/ and website/ first"
-  exit 1
-fi
-
-# Clone the old jungle repo
-git clone gitea@tent:rarias/jungle.git oldjungle
-
-# First split the website into a new repository
-mkdir website && git -C website init -b master
-git-filter-repo \
-  --path web \
-  --subdirectory-filter web \
-  --source oldjungle \
-  --target website
-
-# Then remove the website, pdf files and big kernel configs
-mkdir newjungle && git -C newjungle init -b master
-git-filter-repo \
-  --invert-paths \
-  --path web \
-  --path-glob 'doc*.pdf' \
-  --path-glob '**/kernel/configs/lockdep' \
-  --path-glob '**/kernel/configs/defconfig' \
-  --source oldjungle \
-  --target newjungle
-
-set -x
-
-du -sh oldjungle newjungle website
-#  57M  oldjungle
-# 2,3M  newjungle
-# 6,4M  website
-
-du -sh --exclude=.git oldjungle newjungle website
-#  30M  oldjungle
-# 700K  newjungle
-# 3,5M  website

flake.lock

@@ -1,25 +1,128 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1750173260,
+        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "bscpkgs": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1749650500,
+        "narHash": "sha256-2MHfVPV6RA7qPSCtXh4+KK0F0UjN+J4z8//+n6NK7Xs=",
+        "ref": "refs/heads/master",
+        "rev": "9d1944c658929b6f98b3f3803fead4d1b91c4405",
+        "revCount": 961,
+        "type": "git",
+        "url": "https://git.sr.ht/~rodarima/bscpkgs"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.sr.ht/~rodarima/bscpkgs"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1767634882,
-        "narHash": "sha256-2GffSfQxe3sedHzK+sTKlYo/NTIAGzbFCIsNMUPAAnk=",
+        "lastModified": 1752436162,
+        "narHash": "sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3c9db02515ef1d9b6b709fc60ba9a540957f661c",
+        "rev": "dfcd5b901dbab46c9c6e80b265648481aafb01f8",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-25.11",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
+        "bscpkgs": "bscpkgs",
         "nixpkgs": "nixpkgs"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -1,22 +1,19 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    agenix.url = "github:ryantm/agenix";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    bscpkgs.url = "git+https://git.sr.ht/~rodarima/bscpkgs";
+    bscpkgs.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, ... }:
+  outputs = { self, nixpkgs, agenix, bscpkgs, ... }:
 let
   mkConf = name: nixpkgs.lib.nixosSystem {
     system = "x86_64-linux";
-    specialArgs = { inherit nixpkgs; theFlake = self; };
+    specialArgs = { inherit nixpkgs bscpkgs agenix; theFlake = self; };
     modules = [ "${self.outPath}/m/${name}/configuration.nix" ];
   };
-  # For now we only support x86
-  system = "x86_64-linux";
-  pkgs = import nixpkgs {
-    inherit system;
-    overlays = [ self.overlays.default ];
-    config.allowUnfree = true;
-  };
 in
   {
     nixosConfigurations = {
@@ -34,19 +31,9 @@ in
       weasel  = mkConf "weasel";
     };
 
-    bscOverlay = import ./overlay.nix;
-    overlays.default = self.bscOverlay;
-
-    # full nixpkgs with our overlay applied
-    legacyPackages.${system} = pkgs;
-
-    hydraJobs = self.legacyPackages.${system}.bsc.hydraJobs;
-
-    # propagate nixpkgs lib, so we can do bscpkgs.lib
-    lib = nixpkgs.lib // {
-      maintainers = nixpkgs.lib.maintainers // {
-        bsc = import ./pkgs/maintainers.nix;
-      };
+    packages.x86_64-linux = self.nixosConfigurations.hut.pkgs // {
+      bscpkgs = bscpkgs.packages.x86_64-linux;
+      nixpkgs = nixpkgs.legacyPackages.x86_64-linux;
     };
   };
 }

keys.nix

@@ -2,22 +2,21 @@
 # here all the public keys
 rec {
   hosts = {
-    hut     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1 hut";
-    owl1    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqMEXO0ApVsBA6yjmb0xP2kWyoPDIWxBB0Q3+QbHVhv owl1";
-    owl2    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHurEYpQzNHqWYF6B9Pd7W8UPgF3BxEg0BvSbsA7BAdK owl2";
-    eudy    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+WYPRRvZupqLAG0USKmd/juEPmisyyJaP8hAgYwXsG eudy";
-    koro    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67 koro";
-    bay     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
-    lake2   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
-    fox     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwItIk5uOJcQEVPoy/CVGRzfmE1ojrdDcI06FrU4NFT fox";
-    tent    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAtTpHtdYoelbknD/IcfBlThwLKJv/dSmylOgpg3FRM tent";
-    apex    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBvUFjSfoxXnKwXhEFXx5ckRKJ0oewJ82mRitSMNMKjh apex";
-    weasel  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLJrQ8BF6KcweQV8pLkSbFT+tbDxSG9qxrdQE65zJZp weasel";
-    raccoon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNQttFvL0dNEyy7klIhLoK4xXOeM2/K9R7lPMTG3qvK raccoon";
+    hut    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1 hut";
+    owl1   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqMEXO0ApVsBA6yjmb0xP2kWyoPDIWxBB0Q3+QbHVhv owl1";
+    owl2   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHurEYpQzNHqWYF6B9Pd7W8UPgF3BxEg0BvSbsA7BAdK owl2";
+    eudy   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+WYPRRvZupqLAG0USKmd/juEPmisyyJaP8hAgYwXsG eudy";
+    koro   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67 koro";
+    bay    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
+    lake2  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
+    fox    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwItIk5uOJcQEVPoy/CVGRzfmE1ojrdDcI06FrU4NFT fox";
+    tent   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAtTpHtdYoelbknD/IcfBlThwLKJv/dSmylOgpg3FRM tent";
+    apex   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBvUFjSfoxXnKwXhEFXx5ckRKJ0oewJ82mRitSMNMKjh apex";
+    weasel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLJrQ8BF6KcweQV8pLkSbFT+tbDxSG9qxrdQE65zJZp weasel";
   };
 
   hostGroup = with hosts; rec {
-    compute    = [ owl1 owl2 fox raccoon ];
+    compute    = [ owl1 owl2 fox ];
     playground = [ eudy koro weasel ];
     storage    = [ bay lake2 ];
     monitor    = [ hut ];

m/apex/configuration.nix

@@ -5,7 +5,6 @@
     ../common/xeon.nix
     ../common/ssf/hosts.nix
     ../module/ceph.nix
-    ../module/hut-substituter.nix
     ../module/slurm-server.nix
     ./nfs.nix
     ./wireguard.nix
@@ -57,17 +56,16 @@
     };
   };
 
-  services.fail2ban = {
-    enable = true;
-    maxretry = 5;
-    bantime-increment = {
-      enable = true; # Double ban time on each attack
-      maxtime = "7d"; # Ban up to a week
-    };
-  };
-
-  # Disable SSH login with password, allow only keypair
-  services.openssh.settings.PasswordAuthentication = false;
+  # Use SSH tunnel to reach internal hosts
+  programs.ssh.extraConfig = ''
+    Host bscpm04.bsc.es gitlab-internal.bsc.es knights3.bsc.es
+      ProxyCommand nc -X connect -x localhost:23080 %h %p
+    Host raccoon
+      HostName knights3.bsc.es
+      ProxyCommand nc -X connect -x localhost:23080 %h %p
+    Host tent
+      ProxyJump raccoon
+  '';
 
   networking.firewall = {
     extraCommands = ''
@@ -78,4 +76,10 @@
       iptables -I nixos-fw 2 -p tcp -s 84.88.52.176 -j nixos-fw-refuse
     '';
   };
+
+  # Use tent for cache
+  nix.settings = {
+    extra-substituters = [ "https://jungle.bsc.es/cache" ];
+    extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+  };
 }

m/apex/wireguard.nix

@@ -18,25 +18,18 @@
       # Public key: VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=
       peers = [
         {
-          name = "fox";
+          name = "Fox";
           publicKey = "VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=";
-          allowedIPs = [ "10.106.0.1/32" ];
+          allowedIPs = [ "10.106.0.0/24" ];
           endpoint = "fox.ac.upc.edu:666";
           # Send keepalives every 25 seconds. Important to keep NAT tables alive.
           persistentKeepalive = 25;
         }
-        {
-          name = "raccoon";
-          publicKey = "QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI=";
-          allowedIPs = [ "10.106.0.236/32" "192.168.0.0/16" "10.0.44.0/24" ];
-        }
       ];
     };
   };
 
   networking.hosts = {
     "10.106.0.1" = [ "fox" ];
-    "10.106.0.236" = [ "raccoon" ];
-    "10.0.44.4" = [ "tent" ];
   };
 }

m/bay/configuration.nix

@@ -3,7 +3,6 @@
 {
   imports = [
     ../common/ssf.nix
-    ../module/hut-substituter.nix
     ../module/monitoring.nix
   ];
 
@@ -24,7 +23,7 @@
       address = "10.0.40.40";
       prefixLength = 24;
     } ];
-    interfaces.ibs785.ipv4.addresses = [ {
+    interfaces.ibp5s0.ipv4.addresses = [ {
       address = "10.0.42.40";
       prefixLength = 24;
     } ];

m/common/base.nix

@@ -11,12 +11,12 @@
     ./base/hw.nix
     ./base/net.nix
     ./base/nix.nix
-    ./base/sys-devices.nix
     ./base/ntp.nix
     ./base/rev.nix
     ./base/ssh.nix
     ./base/users.nix
     ./base/watchdog.nix
     ./base/zsh.nix
+    ./base/fish.nix
   ];
 }

m/common/base/agenix.nix

@@ -1,8 +1,9 @@
-{ pkgs, ... }:
+{ agenix, ... }:
 
 {
-  imports = [ ../../module/agenix.nix ];
+  imports = [ agenix.nixosModules.default ];
 
-  # Add agenix to system packages
-  environment.systemPackages = [ pkgs.agenix ];
+  environment.systemPackages = [
+    agenix.packages.x86_64-linux.default
+  ];
 }

m/common/base/boot.nix

@@ -4,6 +4,13 @@
   # Use the GRUB 2 boot loader.
   boot.loader.grub.enable = true;
 
+  # Enable GRUB2 serial console
+  boot.loader.grub.extraConfig = ''
+    serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
+    terminal_input --append serial
+    terminal_output --append serial
+  '';
+
   boot.kernel.sysctl = {
     "kernel.perf_event_paranoid" = lib.mkDefault "-1";
 

m/common/base/env.nix

@@ -1,12 +1,14 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 
 {
   environment.systemPackages = with pkgs; [
     vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
     nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
-    ncdu perf ldns pv
-    # From jungle overlay
-    osumb nixgen
+    ncdu config.boot.kernelPackages.perf ldns pv
+    nix-output-monitor
+    nixfmt-rfc-style
+    # From bsckgs overlay
+    osumb
   ];
 
   programs.direnv.enable = true;

m/common/base/fish.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  programs.fish.enable = true;
+}

m/common/base/net.nix

@@ -15,9 +15,8 @@
 
     hosts = {
       "84.88.53.236" = [ "ssfhead.bsc.es" "ssfhead" ];
+      "84.88.51.152" = [ "raccoon" ];
       "84.88.51.142" = [ "raccoon-ipmi" ];
-      "192.168.11.12" = [ "bscpm04.bsc.es" ];
-      "192.168.11.15" = [ "gitlab-internal.bsc.es" ];
     };
   };
 }

m/common/base/nix.nix

@@ -1,8 +1,9 @@
-{ pkgs, nixpkgs, theFlake,  ... }:
+{ pkgs, nixpkgs, bscpkgs, theFlake,  ... }:
 
 {
   nixpkgs.overlays = [
-    (import ../../../overlay.nix)
+    bscpkgs.bscOverlay
+    (import ../../../pkgs/overlay.nix)
   ];
 
   nixpkgs.config.allowUnfree = true;

m/common/base/sys-devices.nix

@@ -1,9 +0,0 @@
-{
-  nix.settings.system-features = [ "sys-devices" ];
-
-  programs.nix-required-mounts.enable = true;
-  programs.nix-required-mounts.allowedPatterns.sys-devices.paths = [
-    "/sys/devices/system/cpu"
-    "/sys/devices/system/node"
-  ];
-}

m/common/base/users.nix

@@ -87,6 +87,12 @@
         openssh.authorizedKeys.keys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc"
         ];
+        shell = pkgs.fish;
+        packages = with pkgs; [
+          starship
+          jujutsu
+          neovim
+        ];
       };
 
       vlopez = {
@@ -139,7 +145,6 @@
         openssh.authorizedKeys.keys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"
         ];
-        shell = pkgs.zsh;
       };
 
       pmartin1 = {
@@ -157,43 +162,18 @@
       };
 
       csiringo = {
+        # Arbitrary UID but large so it doesn't collide with other users on ssfhead.
         uid = 9653;
         isNormalUser = true;
         home = "/home/Computational/csiringo";
         description = "Cesare Siringo";
         group = "Computational";
-        hosts = [ ];
+        hosts = [ "apex" "weasel" ];
         hashedPassword = "$6$0IsZlju8jFukLlAw$VKm0FUXbS.mVmPm3rcJeizTNU4IM5Nmmy21BvzFL.cQwvlGwFI1YWRQm6gsbd4nbg47mPDvYkr/ar0SlgF6GO1";
         openssh.authorizedKeys.keys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHA65zvvG50iuFEMf+guRwZB65jlGXfGLF4HO+THFaed csiringo@bsc.es"
         ];
       };
-
-      acinca = {
-        uid = 9654;
-        isNormalUser = true;
-        home = "/home/Computational/acinca";
-        description = "Arnau Cinca";
-        group = "Computational";
-        hosts = [ "apex" "hut" "fox" "owl1" "owl2" ];
-        hashedPassword = "$6$S6PUeRpdzYlidxzI$szyvWejQ4hEN76yBYhp1diVO5ew1FFg.cz4lKiXt2Idy4XdpifwrFTCIzLTs5dvYlR62m7ekA5MrhcVxR5F/q/";
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFmMqKqPg4uocNOr3O41kLbZMOMJn3m2ZdN1JvTR96z3 bsccns@arnau-bsc"
-        ];
-      };
-
-      aaguirre = {
-        uid = 9655;
-        isNormalUser = true;
-        home = "/home/Computational/aaguirre";
-        description = "Alejandro Aguirre";
-        group = "Computational";
-        hosts = [ "apex" "hut" ];
-        hashedPassword = "$6$TXRXQT6jjBvxkxU6$E.sh5KspAm1qeG5Ct7OPHpo8REmbGDwjFGvqeGgTVz3GASGOAnPL7UMZsMAsAKBoahOw.v8LNno6XGrTEPzZH1";
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlRX7ZCnqtUJYCxKgWmgSrFCYuA2LHY96rVwqxXPl86 aaguirre@BSC-8488184117"
-        ];
-      };
     };
 
     groups = {

m/common/base/watchdog.nix

@@ -5,5 +5,5 @@
   boot.kernelModules = [ "ipmi_watchdog" ];
 
   # Enable systemd watchdog with 30 s interval
-  systemd.settings.Manager.RuntimeWatchdogSec = 30;
+  systemd.watchdog.runtimeTime = "30s";
 }

m/common/ssf.nix

@@ -4,7 +4,7 @@
     ./xeon.nix
     ./ssf/fs.nix
     ./ssf/hosts.nix
-    ./ssf/hosts-remote.nix
     ./ssf/net.nix
+    ./ssf/ssh.nix
   ];
 }

m/common/ssf/hosts-remote.nix

@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-
-{
-  networking.hosts = {
-    # Remote hosts visible from compute nodes
-    "10.106.0.236" = [ "raccoon" ];
-    "10.0.44.4" = [ "tent" ];
-  };
-}

m/common/ssf/ssh.nix

@@ -0,0 +1,16 @@
+{
+  # Use SSH tunnel to apex to reach internal hosts
+  programs.ssh.extraConfig = ''
+    Host tent
+      ProxyJump raccoon
+
+    # Access raccoon via the HTTP proxy
+    Host raccoon knights3.bsc.es
+      HostName knights3.bsc.es
+      ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p'
+
+    # Make sure we can reach gitlab even if we don't have SSH access to raccoon
+    Host bscpm04.bsc.es gitlab-internal.bsc.es
+      ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p'
+  '';
+}

m/common/xeon/console.nix

@@ -11,11 +11,4 @@
     "console=tty1"
     "console=ttyS0,115200"
   ];
-
-  # Enable GRUB2 serial console
-  boot.loader.grub.extraConfig = ''
-    serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
-    terminal_input --append serial
-    terminal_output --append serial
-  '';
 }

m/eudy/configuration.nix

@@ -9,7 +9,6 @@
     ./cpufreq.nix
     ./fs.nix
     ./users.nix
-    ../module/hut-substituter.nix
     ../module/debuginfod.nix
   ];
 

m/eudy/kernel/perf.nix

@@ -1,6 +1,11 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 
 {
+  # add the perf tool
+  environment.systemPackages = with pkgs; [
+    config.boot.kernelPackages.perf
+  ];
+
   # allow non-root users to read tracing data from the kernel
   boot.kernel.sysctl."kernel.perf_event_paranoid" = -2;
   boot.kernel.sysctl."kernel.kptr_restrict" = 0;

m/fox/configuration.nix

@@ -3,13 +3,12 @@
 {
   imports = [
     ../common/base.nix
+    ../common/xeon/console.nix
     ../module/amd-uprof.nix
     ../module/emulation.nix
     ../module/nvidia.nix
     ../module/slurm-client.nix
-    ../module/hut-substituter.nix
     ./wireguard.nix
-    ./serial-console.nix
   ];
 
   # Don't turn off on August as UPC has different dates.
@@ -19,9 +18,6 @@
   # Select the this using the ID to avoid mismatches
   boot.loader.grub.device = "/dev/disk/by-id/wwn-0x500a07514b0c1103";
 
-  # Increase time so we can boot other entries
-  boot.loader.timeout = 60;
-
   # No swap, there is plenty of RAM
   swapDevices = lib.mkForce [];
 
@@ -34,10 +30,7 @@
   # Use performance for benchmarks
   powerManagement.cpuFreqGovernor = "performance";
 
-  # Enable amd-uprof in >= 6.15 kernels only
-  services.amd-uprof.enable =
-    let ver = config.boot.kernelPackages.kernel.version;
-    in (lib.strings.compareVersions ver "6.15") >= 0;
+  services.amd-uprof.enable = true;
 
   # Disable NUMA balancing
   boot.kernel.sysctl."kernel.numa_balancing" = 0;
@@ -48,15 +41,20 @@
   # Disable NMI watchdog to save one hw counter (for AMD uProf)
   boot.kernel.sysctl."kernel.nmi_watchdog" = 0;
 
-  specialisation.oldKernel.configuration = {
-    system.nixos.tags = [ "old-kernel" ];
-    boot.kernelPackages = lib.mkForce pkgs.linuxPackages_6_12;
-  };
-
   services.openssh.settings.X11Forwarding = true;
 
   services.fail2ban.enable = true;
 
+  # Use SSH tunnel to reach internal hosts
+  programs.ssh.extraConfig = ''
+    Host bscpm04.bsc.es gitlab-internal.bsc.es tent
+      ProxyJump raccoon
+    Host raccoon
+      ProxyJump apex
+      HostName 127.0.0.1
+      Port 22022
+  '';
+
   networking = {
     timeServers = [ "ntp1.upc.edu" "ntp2.upc.edu" ];
     hostName = "fox";
@@ -74,6 +72,12 @@
     interfaces.enp1s0f0np0.useDHCP = true;
   };
 
+  # Use hut for cache
+  nix.settings = {
+    extra-substituters = [ "https://jungle.bsc.es/cache" ];
+    extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+  };
+
   # Recommended for new graphics cards
   hardware.nvidia.open = true;
 
@@ -104,4 +108,20 @@
     wantedBy = [ "multi-user.target" ];
     serviceConfig.ExecStart = script;
   };
+
+  # Only allow SSH connections from users who have a SLURM allocation
+  # See: https://slurm.schedmd.com/pam_slurm_adopt.html
+  security.pam.services.sshd.rules.account.slurm = {
+    control = "required";
+    enable = true;
+    modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
+    args = [ "log_level=debug5" ];
+    order = 999999; # Make it last one
+  };
+
+  # Disable systemd session (pam_systemd.so) as it will conflict with the
+  # pam_slurm_adopt.so module. What happens is that the shell is first adopted
+  # into the slurmstepd task and then into the systemd session, which is not
+  # what we want, otherwise it will linger even if all jobs are gone.
+  security.pam.services.sshd.startSession = lib.mkForce false;
 }

m/fox/serial-console.nix

@@ -1,21 +0,0 @@
-{
-  # Restart the serial console
-  systemd.services."serial-getty@ttyS1" = {
-    enable = true;
-    wantedBy = [ "getty.target" ];
-    serviceConfig.Restart = "always";
-  };
-
-  # Enable serial console
-  boot.kernelParams = [
-    "console=tty1"
-    "console=ttyS1,115200"
-  ];
-
-  # Enable GRUB2 serial console
-  boot.loader.grub.extraConfig = ''
-    serial --unit=1 --speed=115200 --word=8 --parity=no --stop=1
-    terminal_input --append serial
-    terminal_output --append serial
-  '';
-}

m/fox/wireguard.nix

@@ -23,16 +23,11 @@
 
       peers = [
         # List of allowed peers.
-        {
-          name = "apex";
+        { 
+          name = "Apex";
           publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
           # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
-          allowedIPs = [ "10.106.0.30/32" "10.0.40.7/32" ];
-        }
-        {
-          name = "raccoon";
-          publicKey = "QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI=";
-          allowedIPs = [ "10.106.0.236/32" "192.168.0.0/16" "10.0.44.0/24" ];
+          allowedIPs = [ "10.106.0.30/32" ];
         }
       ];
     };
@@ -40,9 +35,6 @@
 
   networking.hosts = {
     "10.106.0.30" = [ "apex" ];
-    "10.0.40.7" = [ "hut" ];
-    "10.106.0.236" = [ "raccoon" ];
-    "10.0.44.4" = [ "tent" ];
   };
 
   networking.firewall = {

m/hut/configuration.nix

@@ -17,7 +17,6 @@
     ./postgresql.nix
     ./nginx.nix
     ./p.nix
-    ./ompss2-timer.nix
     #./pxe.nix
   ];
 
@@ -45,7 +44,7 @@
       address = "10.0.40.7";
       prefixLength = 24;
     } ];
-    interfaces.ibs785.ipv4.addresses = [ {
+    interfaces.ibp5s0.ipv4.addresses = [ {
       address = "10.0.42.7";
       prefixLength = 24;
     } ];

m/hut/gitea.nix

@@ -29,9 +29,6 @@
     };
   };
 
-  # Allow gitea user to send mail
-  users.users.gitea.extraGroups = [ "mail-robot" ];
-
   services.gitea-actions-runner.instances = {
     runrun = {
       enable = true;

m/hut/msmtp.nix

@@ -1,11 +1,8 @@
 { config, lib, ... }:
 {
-  # Robot user that can see the password to send mail from jungle-robot
-  users.groups.mail-robot = {};
-
   age.secrets.jungleRobotPassword = {
     file = ../../secrets/jungle-robot-password.age;
-    group = "mail-robot";
+    group = "gitea";
     mode = "440";
   };
 

m/hut/nginx.nix

@@ -2,13 +2,10 @@
 let
   website = pkgs.stdenv.mkDerivation {
     name = "jungle-web";
-    src = pkgs.fetchgit {
-      url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
-      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
-    };
+    src = theFlake;
     buildInputs = [ pkgs.hugo ];
     buildPhase = ''
+      cd web
       rm -rf public/
       hugo
     '';

m/hut/ompss2-timer.nix

@@ -1,85 +0,0 @@
-{ config, pkgs, ... }:
-{
-  systemd.timers = {
-    "ompss2-closing" = {
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        Unit = "ompss2-closing.service";
-        OnCalendar = [ "*-03-15 07:00:00" "*-09-15 07:00:00"];
-      };
-    };
-    "ompss2-freeze" = {
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        Unit = "ompss2-freeze.service";
-        OnCalendar = [ "*-04-15 07:00:00" "*-10-15 07:00:00" ];
-      };
-    };
-    "ompss2-release" = {
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        Unit = "ompss2-release.service";
-        OnCalendar = [ "*-05-15 07:00:00" "*-11-15 07:00:00" ];
-      };
-    };
-  };
-
-  systemd.services =
-  let
-    closing = pkgs.writeText "closing.txt"
-    ''
-      Subject: OmpSs-2 release enters closing period
-
-      Hi,
-
-      You have one month to merge the remaining features for the next OmpSs-2
-      release. Please, identify what needs to be merged and discuss it in the next
-      OmpSs-2 meeting.
-
-      Thanks!,
-      Jungle robot
-    '';
-    freeze = pkgs.writeText "freeze.txt"
-    ''
-      Subject: OmpSs-2 release enters freeze period
-
-      Hi,
-
-      The period to introduce new features or breaking changes is over, only bug
-      fixes are allowed now. During this time, please prepare the release notes
-      to be included in the next OmpSs-2 release.
-
-      Thanks!,
-      Jungle robot
-    '';
-    release = pkgs.writeText "release.txt"
-    ''
-      Subject: OmpSs-2 release now
-
-      Hi,
-
-      The period to introduce bug fixes is now over. Please, proceed to do the
-      OmpSs-2 release.
-
-      Thanks!,
-      Jungle robot
-    '';
-    mkServ = name: mail: {
-      "ompss2-${name}" = {
-        script = ''
-          set -eu
-          set -o pipefail
-          cat ${mail} | ${config.security.wrapperDir}/sendmail star@bsc.es
-        '';
-        serviceConfig = {
-          Type = "oneshot";
-          DynamicUser = true;
-          Group = "mail-robot";
-        };
-      };
-    };
-  in
-    (mkServ "closing" closing) //
-    (mkServ "freeze" freeze) //
-    (mkServ "release" release);
-}

m/lake2/configuration.nix

@@ -4,7 +4,6 @@
   imports = [
     ../common/ssf.nix
     ../module/monitoring.nix
-    ../module/hut-substituter.nix
   ];
 
   boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53563a";
@@ -46,7 +45,7 @@
       address = "10.0.40.42";
       prefixLength = 24;
     } ];
-    interfaces.ibs785.ipv4.addresses = [ {
+    interfaces.ibp5s0.ipv4.addresses = [ {
       address = "10.0.42.42";
       prefixLength = 24;
     } ];

m/module/agenix.nix

@@ -1,357 +0,0 @@
-{
-  config,
-  options,
-  lib,
-  pkgs,
-  ...
-}:
-with lib;
-let
-  cfg = config.age;
-
-  isDarwin = lib.attrsets.hasAttrByPath [ "environment" "darwinConfig" ] options;
-
-  ageBin = config.age.ageBin;
-
-  users = config.users.users;
-
-  sysusersEnabled =
-    if isDarwin then
-      false
-    else
-      options.systemd ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable);
-
-  mountCommand =
-    if isDarwin then
-      ''
-        if ! diskutil info "${cfg.secretsMountPoint}" &> /dev/null; then
-            num_sectors=1048576
-            dev=$(hdiutil attach -nomount ram://"$num_sectors" | sed 's/[[:space:]]*$//')
-            newfs_hfs -v agenix "$dev"
-            mount -t hfs -o nobrowse,nodev,nosuid,-m=0751 "$dev" "${cfg.secretsMountPoint}"
-        fi
-      ''
-    else
-      ''
-        grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts ||
-          mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
-      '';
-  newGeneration = ''
-    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
-    (( ++_agenix_generation ))
-    echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
-    mkdir -p "${cfg.secretsMountPoint}"
-    chmod 0751 "${cfg.secretsMountPoint}"
-    ${mountCommand}
-    mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
-    chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
-  '';
-
-  chownGroup = if isDarwin then "admin" else "keys";
-  # chown the secrets mountpoint and the current generation to the keys group
-  # instead of leaving it root:root.
-  chownMountPoint = ''
-    chown :${chownGroup} "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"
-  '';
-
-  setTruePath = secretType: ''
-    ${
-      if secretType.symlink then
-        ''
-          _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
-        ''
-      else
-        ''
-          _truePath="${secretType.path}"
-        ''
-    }
-  '';
-
-  installSecret = secretType: ''
-    ${setTruePath secretType}
-    echo "decrypting '${secretType.file}' to '$_truePath'..."
-    TMP_FILE="$_truePath.tmp"
-
-    IDENTITIES=()
-    for identity in ${toString cfg.identityPaths}; do
-      test -r "$identity" || continue
-      test -s "$identity" || continue
-      IDENTITIES+=(-i)
-      IDENTITIES+=("$identity")
-    done
-
-    test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
-
-    mkdir -p "$(dirname "$_truePath")"
-    [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
-    (
-      umask u=r,g=,o=
-      test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!'
-      test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
-      LANG=${
-        config.i18n.defaultLocale or "C"
-      } ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}"
-    )
-    chmod ${secretType.mode} "$TMP_FILE"
-    mv -f "$TMP_FILE" "$_truePath"
-
-    ${optionalString secretType.symlink ''
-      [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
-    ''}
-  '';
-
-  testIdentities = map (path: ''
-    test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
-  '') cfg.identityPaths;
-
-  cleanupAndLink = ''
-    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
-    (( ++_agenix_generation ))
-    echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
-    ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
-
-    (( _agenix_generation > 1 )) && {
-    echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
-    rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
-    }
-  '';
-
-  installSecrets = builtins.concatStringsSep "\n" (
-    [ "echo '[agenix] decrypting secrets...'" ]
-    ++ testIdentities
-    ++ (map installSecret (builtins.attrValues cfg.secrets))
-    ++ [ cleanupAndLink ]
-  );
-
-  chownSecret = secretType: ''
-    ${setTruePath secretType}
-    chown ${secretType.owner}:${secretType.group} "$_truePath"
-  '';
-
-  chownSecrets = builtins.concatStringsSep "\n" (
-    [ "echo '[agenix] chowning...'" ]
-    ++ [ chownMountPoint ]
-    ++ (map chownSecret (builtins.attrValues cfg.secrets))
-  );
-
-  secretType = types.submodule (
-    { config, ... }:
-    {
-      options = {
-        name = mkOption {
-          type = types.str;
-          default = config._module.args.name;
-          defaultText = literalExpression "config._module.args.name";
-          description = ''
-            Name of the file used in {option}`age.secretsDir`
-          '';
-        };
-        file = mkOption {
-          type = types.path;
-          description = ''
-            Age file the secret is loaded from.
-          '';
-        };
-        path = mkOption {
-          type = types.str;
-          default = "${cfg.secretsDir}/${config.name}";
-          defaultText = literalExpression ''
-            "''${cfg.secretsDir}/''${config.name}"
-          '';
-          description = ''
-            Path where the decrypted secret is installed.
-          '';
-        };
-        mode = mkOption {
-          type = types.str;
-          default = "0400";
-          description = ''
-            Permissions mode of the decrypted secret in a format understood by chmod.
-          '';
-        };
-        owner = mkOption {
-          type = types.str;
-          default = "0";
-          description = ''
-            User of the decrypted secret.
-          '';
-        };
-        group = mkOption {
-          type = types.str;
-          default = users.${config.owner}.group or "0";
-          defaultText = literalExpression ''
-            users.''${config.owner}.group or "0"
-          '';
-          description = ''
-            Group of the decrypted secret.
-          '';
-        };
-        symlink = mkEnableOption "symlinking secrets to their destination" // {
-          default = true;
-        };
-      };
-    }
-  );
-in
-{
-  imports = [
-    (mkRenamedOptionModule [ "age" "sshKeyPaths" ] [ "age" "identityPaths" ])
-  ];
-
-  options.age = {
-    ageBin = mkOption {
-      type = types.str;
-      default = "${pkgs.age}/bin/age";
-      defaultText = literalExpression ''
-        "''${pkgs.age}/bin/age"
-      '';
-      description = ''
-        The age executable to use.
-      '';
-    };
-    secrets = mkOption {
-      type = types.attrsOf secretType;
-      default = { };
-      description = ''
-        Attrset of secrets.
-      '';
-    };
-    secretsDir = mkOption {
-      type = types.path;
-      default = "/run/agenix";
-      description = ''
-        Folder where secrets are symlinked to
-      '';
-    };
-    secretsMountPoint = mkOption {
-      type =
-        types.addCheck types.str (
-          s:
-          (builtins.match "[ \t\n]*" s) == null # non-empty
-          && (builtins.match ".+/" s) == null
-        ) # without trailing slash
-        // {
-          description = "${types.str.description} (with check: non-empty without trailing slash)";
-        };
-      default = "/run/agenix.d";
-      description = ''
-        Where secrets are created before they are symlinked to {option}`age.secretsDir`
-      '';
-    };
-    identityPaths = mkOption {
-      type = types.listOf types.path;
-      default =
-        if isDarwin then
-          [
-            "/etc/ssh/ssh_host_ed25519_key"
-            "/etc/ssh/ssh_host_rsa_key"
-          ]
-        else if (config.services.openssh.enable or false) then
-          map (e: e.path) (
-            lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys
-          )
-        else
-          [ ];
-      defaultText = literalExpression ''
-        if isDarwin
-        then [
-          "/etc/ssh/ssh_host_ed25519_key"
-          "/etc/ssh/ssh_host_rsa_key"
-        ]
-        else if (config.services.openssh.enable or false)
-        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
-        else [];
-      '';
-      description = ''
-        Path to SSH keys to be used as identities in age decryption.
-      '';
-    };
-  };
-
-  config = mkIf (cfg.secrets != { }) (mkMerge [
-    {
-      assertions = [
-        {
-          assertion = cfg.identityPaths != [ ];
-          message = "age.identityPaths must be set, for example by enabling openssh.";
-        }
-      ];
-    }
-    (optionalAttrs (!isDarwin) {
-      # When using sysusers we no longer be started as an activation script
-      # because those are started in initrd while sysusers is started later.
-      systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
-        wantedBy = [ "sysinit.target" ];
-        after = [ "systemd-sysusers.service" ];
-        unitConfig.DefaultDependencies = "no";
-
-        path = [ pkgs.mount ];
-        serviceConfig = {
-          Type = "oneshot";
-          ExecStart = pkgs.writeShellScript "agenix-install" (concatLines [
-            newGeneration
-            installSecrets
-            chownSecrets
-          ]);
-          RemainAfterExit = true;
-        };
-      };
-
-      # Create a new directory full of secrets for symlinking (this helps
-      # ensure removed secrets are actually removed, or at least become
-      # invalid symlinks).
-      system.activationScripts = mkIf (!sysusersEnabled) {
-        agenixNewGeneration = {
-          text = newGeneration;
-          deps = [
-            "specialfs"
-          ];
-        };
-
-        agenixInstall = {
-          text = installSecrets;
-          deps = [
-            "agenixNewGeneration"
-            "specialfs"
-          ];
-        };
-
-        # So user passwords can be encrypted.
-        users.deps = [ "agenixInstall" ];
-
-        # Change ownership and group after users and groups are made.
-        agenixChown = {
-          text = chownSecrets;
-          deps = [
-            "users"
-            "groups"
-          ];
-        };
-
-        # So other activation scripts can depend on agenix being done.
-        agenix = {
-          text = "";
-          deps = [ "agenixChown" ];
-        };
-      };
-    })
-
-    (optionalAttrs isDarwin {
-      launchd.daemons.activate-agenix = {
-        script = ''
-          set -e
-          set -o pipefail
-          export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
-          ${newGeneration}
-          ${installSecrets}
-          ${chownSecrets}
-          exit 0
-        '';
-        serviceConfig = {
-          RunAtLoad = true;
-          KeepAlive.SuccessfulExit = false;
-        };
-      };
-    })
-  ]);
-}

m/module/debuginfod.nix

@@ -1,10 +1,3 @@
 {
-  services.nixseparatedebuginfod2 = {
-    enable = true;
-    substituters = [
-      "local:"
-      "https://cache.nixos.org"
-      "http://hut/cache"
-    ];
-  };
+  services.nixseparatedebuginfod.enable = true;
 }

m/module/hut-substituter.nix

@@ -6,8 +6,5 @@
     {
       extra-substituters = [ "http://hut/cache" ];
       extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
-
-      # Set a low timeout in case hut is down
-      connect-timeout = 3; # seconds
     };
 }

m/module/slurm-client.nix

@@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ lib, ... }:
 
 {
   imports = [
@@ -12,29 +12,7 @@
     # https://github.com/NixOS/nixpkgs/commit/ae93ed0f0d4e7be0a286d1fca86446318c0c6ffb
     # https://bugs.schedmd.com/show_bug.cgi?id=2095#c24
     KillMode = lib.mkForce "control-group";
-
-    # If slurmd fails to contact the control server it will fail, causing the
-    # node to remain out of service until manually restarted. Always try to
-    # restart it.
-    Restart = "always";
-    RestartSec = "30s";
   };
 
   services.slurm.client.enable = true;
-
-  # Only allow SSH connections from users who have a SLURM allocation
-  # See: https://slurm.schedmd.com/pam_slurm_adopt.html
-  security.pam.services.sshd.rules.account.slurm = {
-    control = "required";
-    enable = true;
-    modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
-    args = [ "log_level=debug5" ];
-    order = 999999; # Make it last one
-  };
-
-  # Disable systemd session (pam_systemd.so) as it will conflict with the
-  # pam_slurm_adopt.so module. What happens is that the shell is first adopted
-  # into the slurmstepd task and then into the systemd session, which is not
-  # what we want, otherwise it will linger even if all jobs are gone.
-  security.pam.services.sshd.startSession = lib.mkForce false;
 }

m/module/slurm-common.nix

@@ -1,6 +1,31 @@
 { config, pkgs, ... }:
 
-{
+let
+  suspendProgram = pkgs.writeShellScript "suspend.sh" ''
+    exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log
+    set -x
+    export "PATH=/run/current-system/sw/bin:$PATH"
+    echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log
+    hosts=$(scontrol show hostnames $1)
+    for host in $hosts; do
+      echo Shutting down host: $host
+      ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power off
+    done
+  '';
+
+  resumeProgram = pkgs.writeShellScript "resume.sh" ''
+    exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log
+    set -x
+    export "PATH=/run/current-system/sw/bin:$PATH"
+    echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log
+    hosts=$(scontrol show hostnames $1)
+    for host in $hosts; do
+      echo Starting host: $host
+      ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power on
+    done
+  '';
+
+in {
   services.slurm = {
     controlMachine = "apex";
     clusterName = "jungle";
@@ -34,6 +59,16 @@
       # the resources. Use the task/cgroup plugin to enable process containment.
       TaskPlugin=task/affinity,task/cgroup
 
+      # Power off unused nodes until they are requested
+      SuspendProgram=${suspendProgram}
+      SuspendTimeout=60
+      ResumeProgram=${resumeProgram}
+      ResumeTimeout=300
+      SuspendExcNodes=fox
+
+      # Turn the nodes off after 1 hour of inactivity
+      SuspendTime=3600
+
       # Reduce port range so we can allow only this range in the firewall
       SrunPortRange=60000-61000
 
@@ -51,7 +86,9 @@
       # when a task runs (srun) so we can ssh early.
       PrologFlags=Alloc,Contain,X11
 
-      LaunchParameters=use_interactive_step
+      # LaunchParameters=ulimit_pam_adopt will set RLIMIT_RSS in processes
+      # adopted by the external step, similar to tasks running in regular steps
+      # LaunchParameters=ulimit_pam_adopt
       SlurmdDebug=debug5
       #DebugFlags=Protocol,Cgroup
     '';

m/module/ssh-hut-extern.nix

@@ -0,0 +1,8 @@
+{
+  programs.ssh.extraConfig = ''
+    Host apex ssfhead
+      HostName ssflogin.bsc.es
+    Host hut
+      ProxyJump apex
+  '';
+}

m/owl1/configuration.nix

@@ -20,7 +20,7 @@
       address = "10.0.40.1";
       prefixLength = 24;
     } ];
-    interfaces.ibs785.ipv4.addresses = [ {
+    interfaces.ibp5s0.ipv4.addresses = [ {
       address = "10.0.42.1";
       prefixLength = 24;
     } ];

m/owl2/configuration.nix

@@ -21,7 +21,7 @@
       prefixLength = 24;
     } ];
     # Watch out! The OmniPath device is not in the same place here:
-    interfaces.ibs801.ipv4.addresses = [ {
+    interfaces.ibp129s0.ipv4.addresses = [ {
       address = "10.0.42.2";
       prefixLength = 24;
     } ];

m/raccoon/configuration.nix

@@ -3,14 +3,11 @@
 {
   imports = [
     ../common/base.nix
-    ../common/ssf/hosts.nix
-    ../common/xeon/console.nix
     ../module/emulation.nix
     ../module/debuginfod.nix
+    ../module/ssh-hut-extern.nix
     ../module/nvidia.nix
     ../eudy/kernel/perf.nix
-    ./wireguard.nix
-    ../module/hut-substituter.nix
   ];
 
   # Don't install Grub on the disk yet
@@ -46,11 +43,9 @@
     };
   };
 
-  # Mount the NFS home
-  fileSystems."/nfs/home" = {
-    device = "10.106.0.30:/home";
-    fsType = "nfs";
-    options = [ "nfsvers=3" "rsize=1024" "wsize=1024" "cto" "nofail" ];
+  nix.settings = {
+    extra-substituters = [ "https://jungle.bsc.es/cache" ];
+    extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
   };
 
   # Enable performance governor

m/raccoon/wireguard.nix

@@ -1,48 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  networking.nat = {
-    enable = true;
-    enableIPv6 = false;
-    externalInterface = "eno0";
-    internalInterfaces = [ "wg0" ];
-  };
-
-  networking.firewall = {
-    allowedUDPPorts = [ 666 ];
-  };
-
-  age.secrets.wgRaccoon.file = ../../secrets/wg-raccoon.age;
-
-  # Enable WireGuard
-  networking.wireguard.enable = true;
-  networking.wireguard.interfaces = {
-    wg0 = {
-      ips = [ "10.106.0.236/24" ];
-      listenPort = 666;
-      privateKeyFile = config.age.secrets.wgRaccoon.path;
-      # Public key: QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI=
-      peers = [
-        {
-          name = "fox";
-          publicKey = "VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=";
-          allowedIPs = [ "10.106.0.1/32" ];
-          endpoint = "fox.ac.upc.edu:666";
-          persistentKeepalive = 25;
-        }
-        {
-          name = "apex";
-          publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
-          allowedIPs = [ "10.106.0.30/32" "10.0.40.0/24" ];
-          endpoint = "ssfhead.bsc.es:666";
-          persistentKeepalive = 25;
-        }
-      ];
-    };
-  };
-
-  networking.hosts = {
-    "10.106.0.1"  = [ "fox.wg" ];
-    "10.106.0.30" = [ "apex.wg" ];
-  };
-}

m/tent/configuration.nix

@@ -3,9 +3,9 @@
 {
   imports = [
     ../common/xeon.nix
-    ../common/ssf/hosts.nix
     ../module/emulation.nix
     ../module/debuginfod.nix
+    ../module/ssh-hut-extern.nix
     ./monitoring.nix
     ./nginx.nix
     ./nix-serve.nix
@@ -15,7 +15,6 @@
     ../hut/msmtp.nix
     ../module/p.nix
     ../module/vpn-dac.nix
-    ../module/hut-substituter.nix
   ];
 
   # Select the this using the ID to avoid mismatches
@@ -36,7 +35,6 @@
     defaultGateway = "10.0.44.1";
     hosts = {
       "84.88.53.236" = [ "apex" ];
-      "10.0.44.1" = [ "raccoon" ];
     };
   };
 

m/tent/gitea.nix

@@ -27,7 +27,4 @@
       };
     };
   };
-
-  # Allow gitea user to send mail
-  users.users.gitea.extraGroups = [ "mail-robot" ];
 }

m/tent/nginx.nix

@@ -2,13 +2,10 @@
 let
   website = pkgs.stdenv.mkDerivation {
     name = "jungle-web";
-    src = pkgs.fetchgit {
-      url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
-      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
-    };
+    src = theFlake;
     buildInputs = [ pkgs.hugo ];
     buildPhase = ''
+      cd web
       rm -rf public/
       hugo
     '';

m/weasel/configuration.nix

@@ -3,7 +3,8 @@
 {
   imports = [
     ../common/ssf.nix
-    ../module/hut-substituter.nix
+    ./virtualization.nix
+    ./hydra.nix
   ];
 
   # Select this using the ID to avoid mismatches
@@ -30,4 +31,10 @@
       prefixLength = 24;
     } ];
   };
+
+  # Use tent for cache
+  nix.settings = {
+    extra-substituters = [ "https://jungle.bsc.es/cache" ];
+    extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+  };
 }

m/weasel/hydra.nix

@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+  services.hydra = {
+    enable = true;
+    hydraURL = "http://localhost:3001"; # externally visible URL
+    notificationSender = "hydra@jungle.bsc.es"; # e-mail of Hydra service
+    port = 3001;
+    # a standalone Hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
+    buildMachinesFiles = [ ];
+    # you will probably also want, otherwise *everything* will be built from scratch
+    useSubstitutes = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ config.services.hydra.port ];
+}

m/weasel/virtualization.nix

@@ -0,0 +1,40 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+
+{
+  # Enable common container config files in /etc/containers
+  virtualisation.containers.enable = true;
+  virtualisation = {
+    podman = {
+      enable = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+
+  # We cannot use /home since nfs does not support fileattrs needed by podman
+  systemd.tmpfiles.settings = {
+    "podman-users" = lib.mapAttrs' (
+      name: value:
+      lib.nameValuePair ("/var/lib/podman-users/" + name) {
+        d = {
+          group = value.group;
+          mode = value.homeMode;
+          user = name;
+        };
+      }
+    ) (lib.filterAttrs (_: x: x.isNormalUser) config.users.users);
+  };
+
+  # Useful other development tools
+  environment.systemPackages = with pkgs; [
+    dive # look into docker image layers
+    podman-tui # status of containers in the terminal
+    podman-compose # start group of containers for dev
+  ];
+}

overlay.nix

@@ -1,162 +0,0 @@
-final: /* Future last stage */
-prev:  /* Previous stage */
-
-with final.lib;
-
-let
-  callPackage = final.callPackage;
-
-  bscPkgs = {
-    agenix = prev.callPackage ./pkgs/agenix/default.nix { };
-    amd-uprof = prev.callPackage ./pkgs/amd-uprof/default.nix { };
-    bench6 = callPackage ./pkgs/bench6/default.nix { };
-    bigotes = callPackage ./pkgs/bigotes/default.nix { };
-    clangOmpss2 = callPackage ./pkgs/llvm-ompss2/default.nix { };
-    clangOmpss2Nanos6 = callPackage ./pkgs/llvm-ompss2/default.nix { ompss2rt = final.nanos6; };
-    clangOmpss2Nodes = callPackage ./pkgs/llvm-ompss2/default.nix { ompss2rt = final.nodes; openmp = final.openmp; };
-    clangOmpss2NodesOmpv = callPackage ./pkgs/llvm-ompss2/default.nix { ompss2rt = final.nodes; openmp = final.openmpv; };
-    clangOmpss2Unwrapped = callPackage ./pkgs/llvm-ompss2/clang.nix { };
-    cudainfo = prev.callPackage ./pkgs/cudainfo/default.nix { };
-    #extrae = callPackage ./pkgs/extrae/default.nix { }; # Broken and outdated
-    gpi-2 = callPackage ./pkgs/gpi-2/default.nix { };
-    intelPackages_2023 = callPackage ./pkgs/intel-oneapi/2023.nix { };
-    jemallocNanos6 = callPackage ./pkgs/nanos6/jemalloc.nix { };
-    # FIXME: Extend this to all linuxPackages variants. Open problem, see:
-    # https://discourse.nixos.org/t/whats-the-right-way-to-make-a-custom-kernel-module-available/4636
-    linuxPackages = prev.linuxPackages.extend (_final: _prev: {
-      amd-uprof-driver = _prev.callPackage ./pkgs/amd-uprof/driver.nix { };
-    });
-    linuxPackages_latest = prev.linuxPackages_latest.extend(_final: _prev: {
-      amd-uprof-driver = _prev.callPackage ./pkgs/amd-uprof/driver.nix { };
-    });
-    lmbench = callPackage ./pkgs/lmbench/default.nix { };
-    # Broken and unmantained
-    # mcxx = callPackage ./pkgs/mcxx/default.nix { };
-    meteocat-exporter = prev.callPackage ./pkgs/meteocat-exporter/default.nix { };
-    mpi = final.mpich; # Set MPICH as default
-    mpich = callPackage ./pkgs/mpich/default.nix { mpich = prev.mpich; };
-    nanos6 = callPackage ./pkgs/nanos6/default.nix { };
-    nanos6Debug = final.nanos6.override { enableDebug = true; };
-    nixtools = callPackage ./pkgs/nixtools/default.nix { };
-    nixgen = callPackage ./pkgs/nixgen/default.nix { };
-    # Broken because of pkgsStatic.libcap
-    # See: https://github.com/NixOS/nixpkgs/pull/268791
-    #nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
-    nodes = callPackage ./pkgs/nodes/default.nix { };
-    nosv = callPackage ./pkgs/nosv/default.nix { };
-    openmp = callPackage ./pkgs/llvm-ompss2/openmp.nix { monorepoSrc = final.clangOmpss2Unwrapped.src; version = final.clangOmpss2Unwrapped.version; };
-    openmpv = final.openmp.override { enableNosv = true; enableOvni = true; };
-    osumb = callPackage ./pkgs/osu/default.nix { };
-    ovni = callPackage ./pkgs/ovni/default.nix { };
-    ovniGit = final.ovni.override { useGit = true; };
-    paraverKernel = callPackage ./pkgs/paraver/kernel.nix { };
-    prometheus-slurm-exporter = prev.callPackage ./pkgs/slurm-exporter/default.nix { };
-    #pscom = callPackage ./pkgs/parastation/pscom.nix { }; # Unmaintaned
-    #psmpi = callPackage ./pkgs/parastation/psmpi.nix { }; # Unmaintaned
-    slurm = import ./pkgs/slurm/default.nix { slurm = prev.slurm; };
-    sonar = callPackage ./pkgs/sonar/default.nix { };
-    stdenvClangOmpss2 = final.stdenv.override { cc = final.clangOmpss2; allowedRequisites = null; };
-    stdenvClangOmpss2Nanos6 = final.stdenv.override { cc = final.clangOmpss2Nanos6; allowedRequisites = null; };
-    stdenvClangOmpss2Nodes = final.stdenv.override { cc = final.clangOmpss2Nodes; allowedRequisites = null; };
-    stdenvClangOmpss2NodesOmpv = final.stdenv.override { cc = final.clangOmpss2NodesOmpv; allowedRequisites = null; };
-    tagaspi = callPackage ./pkgs/tagaspi/default.nix { };
-    tampi = callPackage ./pkgs/tampi/default.nix { };
-    upc-qaire-exporter = prev.callPackage ./pkgs/upc-qaire-exporter/default.nix { };
-    wxparaver = callPackage ./pkgs/paraver/default.nix { };
-  };
-
-  tests = rec {
-    hwloc = callPackage ./test/bugs/hwloc.nix { };
-    #sigsegv = callPackage ./test/reproducers/sigsegv.nix { };
-    hello-c = callPackage ./test/compilers/hello-c.nix { };
-    hello-cpp = callPackage ./test/compilers/hello-cpp.nix { };
-    lto = callPackage ./test/compilers/lto.nix { };
-    asan = callPackage ./test/compilers/asan.nix { };
-    intel2023-icx-c   = hello-c.override   { stdenv = final.intelPackages_2023.stdenv; };
-    intel2023-icc-c   = hello-c.override   { stdenv = final.intelPackages_2023.stdenv-icc; };
-    intel2023-icx-cpp = hello-cpp.override { stdenv = final.intelPackages_2023.stdenv; };
-    intel2023-icc-cpp = hello-cpp.override { stdenv = final.intelPackages_2023.stdenv-icc; };
-    intel2023-ifort   = callPackage ./test/compilers/hello-f.nix {
-      stdenv = final.intelPackages_2023.stdenv-ifort;
-    };
-    clangOmpss2-lto   = lto.override       { stdenv = final.stdenvClangOmpss2Nanos6; };
-    clangOmpss2-asan  = asan.override      { stdenv = final.stdenvClangOmpss2Nanos6; };
-    clangOmpss2-task  = callPackage ./test/compilers/ompss2.nix {
-      stdenv = final.stdenvClangOmpss2Nanos6;
-    };
-    clangNodes-task = callPackage ./test/compilers/ompss2.nix {
-      stdenv = final.stdenvClangOmpss2Nodes;
-    };
-    clangNosvOpenmp-task = callPackage ./test/compilers/clang-openmp.nix {
-      stdenv = final.stdenvClangOmpss2Nodes;
-    };
-    clangNosvOmpv-nosv = callPackage ./test/compilers/clang-openmp-nosv.nix {
-      stdenv = final.stdenvClangOmpss2NodesOmpv;
-    };
-    clangNosvOmpv-ld = callPackage ./test/compilers/clang-openmp-ld.nix {
-      stdenv = final.stdenvClangOmpss2NodesOmpv;
-    };
-  };
-
-  # For now, only build toplevel packages in CI/Hydra
-  pkgsTopLevel = filterAttrs (_: isDerivation) bscPkgs;
-
-  # Native build in that platform doesn't imply cross build works
-  canCrossCompile = platform: default: pkg:
-    (isDerivation pkg) &&
-    # If meta.cross is undefined, use default
-    (pkg.meta.cross or default) &&
-    (meta.availableOn final.pkgsCross.${platform}.stdenv.hostPlatform pkg);
-
-  # For now only RISC-V
-  crossSet = genAttrs [ "riscv64" ] (platform:
-    filterAttrs (_: canCrossCompile platform true)
-      final.pkgsCross.${platform}.bsc.pkgsTopLevel);
-
-  buildList = name: paths:
-    final.runCommandLocal name { } ''
-      printf '%s\n' ${toString paths} | tee $out
-    '';
-
-  buildList' = name: paths:
-    final.runCommandLocal name { } ''
-      deps="${toString paths}"
-      cat $deps
-      printf '%s\n' $deps >$out
-    '';
-
-  pkgsList = buildList "ci-pkgs" (builtins.attrValues pkgsTopLevel);
-  testsList = buildList "ci-tests" (collect isDerivation tests);
-  allList = buildList' "ci-all" [ pkgsList testsList ];
-  # For now only RISC-V
-  crossList = buildList "ci-cross"
-    (filter
-      (canCrossCompile "riscv64" false) # opt-in (pkgs with: meta.cross = true)
-        (builtins.attrValues crossSet.riscv64));
-
-in bscPkgs // {
-
-  lib = prev.lib // {
-    maintainers = prev.lib.maintainers // {
-      bsc = import ./pkgs/maintainers.nix;
-    };
-  };
-
-  # Prevent accidental usage of bsc-ci attribute
-  bsc-ci = throw "the bsc-ci attribute is deprecated, use bsc.ci";
-
-  # Internal for our CI tests
-  bsc = {
-    # CI targets for nix build
-    ci = { pkgs = pkgsList; tests = testsList; all = allList; cross = crossList; };
-
-    # Direct access to package sets
-    tests = tests;
-    pkgs = bscPkgs;
-    pkgsTopLevel = pkgsTopLevel;
-    cross = crossSet;
-
-    # Hydra uses attribute sets of pkgs
-    hydraJobs = { tests = tests; pkgs = pkgsTopLevel; cross = crossSet; };
-  };
-}

pkgs/agenix/agenix.sh

@@ -1,212 +0,0 @@
-#!/usr/bin/env bash
-set -Eeuo pipefail
-
-PACKAGE="agenix"
-
-function show_help () {
-  echo "$PACKAGE - edit and rekey age secret files"
-  echo " "
-  echo "$PACKAGE -e FILE [-i PRIVATE_KEY]"
-  echo "$PACKAGE -r [-i PRIVATE_KEY]"
-  echo ' '
-  echo 'options:'
-  echo '-h, --help                show help'
-  # shellcheck disable=SC2016
-  echo '-e, --edit FILE           edits FILE using $EDITOR'
-  echo '-r, --rekey               re-encrypts all secrets with specified recipients'
-  echo '-d, --decrypt FILE        decrypts FILE to STDOUT'
-  echo '-i, --identity            identity to use when decrypting'
-  echo '-v, --verbose             verbose output'
-  echo ' '
-  echo 'FILE an age-encrypted file'
-  echo ' '
-  echo 'PRIVATE_KEY a path to a private SSH key used to decrypt file'
-  echo ' '
-  echo 'EDITOR environment variable of editor to use when editing FILE'
-  echo ' '
-  echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
-  echo ' '
-  echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
-  echo "Defaults to './secrets.nix'"
-  echo ' '
-  echo "agenix version: @version@"
-  echo "age binary path: @ageBin@"
-  echo "age version: $(@ageBin@ --version)"
-}
-
-function warn() {
-  printf '%s\n' "$*" >&2
-}
-
-function err() {
-  warn "$*"
-  exit 1
-}
-
-test $# -eq 0 && (show_help && exit 1)
-
-REKEY=0
-DECRYPT_ONLY=0
-DEFAULT_DECRYPT=(--decrypt)
-
-while test $# -gt 0; do
-  case "$1" in
-    -h|--help)
-      show_help
-      exit 0
-      ;;
-    -e|--edit)
-      shift
-      if test $# -gt 0; then
-        export FILE=$1
-      else
-        echo "no FILE specified"
-        exit 1
-      fi
-      shift
-      ;;
-    -i|--identity)
-      shift
-      if test $# -gt 0; then
-        DEFAULT_DECRYPT+=(--identity "$1")
-      else
-        echo "no PRIVATE_KEY specified"
-        exit 1
-      fi
-      shift
-      ;;
-    -r|--rekey)
-      shift
-      REKEY=1
-      ;;
-    -d|--decrypt)
-      shift
-      DECRYPT_ONLY=1
-      if test $# -gt 0; then
-        export FILE=$1
-      else
-        echo "no FILE specified"
-        exit 1
-      fi
-      shift
-      ;;
-    -v|--verbose)
-      shift
-      set -x
-      ;;
-    *)
-      show_help
-      exit 1
-      ;;
-  esac
-done
-
-RULES=${RULES:-./secrets.nix}
-function cleanup {
-    if [ -n "${CLEARTEXT_DIR+x}" ]
-    then
-        rm -rf -- "$CLEARTEXT_DIR"
-    fi
-    if [ -n "${REENCRYPTED_DIR+x}" ]
-    then
-        rm -rf -- "$REENCRYPTED_DIR"
-    fi
-}
-trap "cleanup" 0 2 3 15
-
-function keys {
-    (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$1\".publicKeys)" | @jqBin@ -r .[]) || exit 1
-}
-
-function armor {
-    (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in (builtins.hasAttr \"armor\" rules.\"$1\" && rules.\"$1\".armor))") || exit 1
-}
-
-function decrypt {
-    FILE=$1
-    KEYS=$2
-    if [ -z "$KEYS" ]
-    then
-        err "There is no rule for $FILE in $RULES."
-    fi
-
-    if [ -f "$FILE" ]
-    then
-        DECRYPT=("${DEFAULT_DECRYPT[@]}")
-        if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
-            if [ -f "$HOME/.ssh/id_rsa" ]; then
-                DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
-            fi
-            if [ -f "$HOME/.ssh/id_ed25519" ]; then
-                DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
-            fi
-        fi
-        if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
-          err "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
-        fi
-
-        @ageBin@ "${DECRYPT[@]}" -- "$FILE" || exit 1
-    fi
-}
-
-function edit {
-    FILE=$1
-    KEYS=$(keys "$FILE") || exit 1
-    ARMOR=$(armor "$FILE") || exit 1
-
-    CLEARTEXT_DIR=$(@mktempBin@ -d)
-    CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename -- "$FILE")"
-    DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
-
-    decrypt "$FILE" "$KEYS" || exit 1
-
-    [ ! -f "$CLEARTEXT_FILE" ] || cp -- "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
-
-    [ -t 0 ] || EDITOR='cp -- /dev/stdin'
-
-    $EDITOR "$CLEARTEXT_FILE"
-
-    if [ ! -f "$CLEARTEXT_FILE" ]
-    then
-      warn "$FILE wasn't created."
-      return
-    fi
-    [ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q -- "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
-
-    ENCRYPT=()
-    if [[ "$ARMOR" == "true" ]]; then
-        ENCRYPT+=(--armor)
-    fi
-    while IFS= read -r key
-    do
-        if [ -n "$key" ]; then
-            ENCRYPT+=(--recipient "$key")
-        fi
-    done <<< "$KEYS"
-
-    REENCRYPTED_DIR=$(@mktempBin@ -d)
-    REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename -- "$FILE")"
-
-    ENCRYPT+=(-o "$REENCRYPTED_FILE")
-
-    @ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
-
-    mkdir -p -- "$(dirname -- "$FILE")"
-
-    mv -f -- "$REENCRYPTED_FILE" "$FILE"
-}
-
-function rekey {
-    FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)"  | @jqBin@ -r .[]) || exit 1)
-
-    for FILE in $FILES
-    do
-        warn "rekeying $FILE..."
-        EDITOR=: edit "$FILE"
-        cleanup
-    done
-}
-
-[ $REKEY -eq 1 ] && rekey && exit 0
-[ $DECRYPT_ONLY -eq 1 ] && DEFAULT_DECRYPT+=("-o" "-") && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
-edit "$FILE" && cleanup && exit 0

pkgs/agenix/default.nix

@@ -1,66 +0,0 @@
-{
-  lib,
-  stdenv,
-  age,
-  jq,
-  nix,
-  mktemp,
-  diffutils,
-  replaceVars,
-  ageBin ? "${age}/bin/age",
-  shellcheck,
-}:
-let
-  bin = "${placeholder "out"}/bin/agenix";
-in
-stdenv.mkDerivation rec {
-  pname = "agenix";
-  version = "0.15.0";
-  src = replaceVars ./agenix.sh {
-    inherit ageBin version;
-    jqBin = "${jq}/bin/jq";
-    nixInstantiate = "${nix}/bin/nix-instantiate";
-    mktempBin = "${mktemp}/bin/mktemp";
-    diffBin = "${diffutils}/bin/diff";
-  };
-  dontUnpack = true;
-  doInstallCheck = true;
-  installCheckInputs = [ shellcheck ];
-  postInstallCheck = ''
-    shellcheck ${bin}
-    ${bin} -h | grep ${version}
-
-    test_tmp=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
-    export HOME="$test_tmp/home"
-    export NIX_STORE_DIR="$test_tmp/nix/store"
-    export NIX_STATE_DIR="$test_tmp/nix/var"
-    mkdir -p "$HOME" "$NIX_STORE_DIR" "$NIX_STATE_DIR"
-    function cleanup {
-      rm -rf "$test_tmp"
-    }
-    trap "cleanup" 0 2 3 15
-
-    mkdir -p $HOME/.ssh
-    cp -r "${./example}" $HOME/secrets
-    chmod -R u+rw $HOME/secrets
-    (
-    umask u=rw,g=r,o=r
-    cp ${./example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub
-    chown $UID $HOME/.ssh/id_ed25519.pub
-    )
-    (
-    umask u=rw,g=,o=
-    cp ${./example_keys/user1} $HOME/.ssh/id_ed25519
-    chown $UID $HOME/.ssh/id_ed25519
-    )
-
-    cd $HOME/secrets
-    test $(${bin} -d secret1.age) = "hello"
-  '';
-
-  installPhase = ''
-    install -D $src ${bin}
-  '';
-
-  meta.description = "age-encrypted secrets for NixOS";
-}

pkgs/agenix/example/-leading-hyphen-filename.age

@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 V3XmEA zirqdzZZ1E+sedBn7fbEHq4ntLEkokZ4GctarBBOHXY
-Rvs5YHaAUeCZyNwPedubPcHClWYIuXXWA5zadXPWY6w
--> ssh-ed25519 KLPP8w BVp4rDkOYSQyn8oVeHFeinSqW+pdVtxBF9+5VM1yORY
-bMwppAi8Nhz0328taU4AzUkTVyWtSLvFZG6c5W/Fs78
---- xCbqLhXAcOziO2wmbjTiSQfZvt5Rlsc4SCvF+iEzpQA
-<EFBFBD>KB<EFBFBD><EFBFBD>/<2F>Z<><5A>r<EFBFBD>%
<01><>4<EFBFBD><34><EFBFBD>Mq5<71><35>_<EFBFBD><5F>ݒ<><DD92><EFBFBD><EFBFBD><EFBFBD>11ܨqM;& <20><>Lr<4C><72><EFBFBD>f<EFBFBD><66><EFBFBD>]>N

pkgs/agenix/example/armored-secret.age

@@ -1,7 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFYzWG1FQSBpZkZW
-aFpLNnJxc0VUMHRmZ2dZS0pjMGVENnR3OHd5K0RiT1RjRUhibFZBCnN5UG5vUjA3
-SXpsNGtiVUw4T0tIVFo5Wkk5QS9NQlBndzVvektiQ0ozc0kKLS0tIGxyY1Q4dEZ1
-VGZEanJyTFNta2JNRmpZb2FnK2JyS1hSVml1UGdMNWZKQXMKYla+wTXcRedyZoEb
-LVWaSx49WoUTU0KBPJg9RArxaeC23GoCDzR/aM/1DvYU
------END AGE ENCRYPTED FILE-----

pkgs/agenix/example/passwordfile-user1.age

@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 KLPP8w s1DYZRlZuSsyhmZCF1lFB+E9vB8bZ/+ZhBRlx8nprwE
-nmYVCsVBrX2CFXXPU+D+bbkkIe/foofp+xoUrg9DHZw
--> ssh-ed25519 V3XmEA Pwv3oCwcY0DX8rY48UNfsj9RumWsn4dbgorYHCwObgI
-FKxRYkL3JHtJxUwymWDF0rAtJ33BivDI6IfPsfumM90
--> V'v(/u$-grease em/Vgf 2qDuk
-7I3iiQLPGi1COML9u/JeYkr7EqbSLoU
---- 57WJRigUGtmcObrssS3s4PvmR8wgh1AOC/ijJn1s3xI
-<EFBFBD>'K<>ƷY&<26>7G<37>O<EFBFBD><4F>Fj
<13>k<EFBFBD>X<EFBFBD><58>BnuJ<75><4A>:9<>(<><7F><EFBFBD>X<EFBFBD>#<23>A<EFBFBD><41><EFBFBD><EFBFBD>ڧj<DAA7>,<02>_<17><><EFBFBD>?<3F>Z<EFBFBD><17>v<EFBFBD><76>V<EFBFBD>96]oks~%<25>c	<04>e^C<>%JQ5<51><H<>z}<7D>C<EFBFBD>,<2C>p<EFBFBD><70>*!W<><57><EFBFBD>A<EFBFBD><41><EFBFBD>҅dC<15>K)<10><>-<2D>y

pkgs/agenix/example/secret2.age

@@ -1,5 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 V3XmEA OB4+1FbPhQ3r6iGksM7peWX5it8NClpXIq/o5nnP7GA
-FmHVUj+A5i5+bDFgySQskmlvynnosJiWUTJmBRiNA9I
---- tP+3mFVtd7ogVu1Lkboh55zoi5a77Ht08Uc/QuIviv4
-<EFBFBD><EFBFBD>X<EFBFBD>{<7B><>O<EFBFBD><4F><1F><04>tMXx<58>vӪ(<28>I<EFBFBD>myP<79><50><EFBFBD><EFBFBD>+3<>S3i

pkgs/agenix/example/secrets.nix

@@ -1,23 +0,0 @@
-let
-  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
-  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
-in
-{
-  "secret1.age".publicKeys = [
-    user1
-    system1
-  ];
-  "secret2.age".publicKeys = [ user1 ];
-  "passwordfile-user1.age".publicKeys = [
-    user1
-    system1
-  ];
-  "-leading-hyphen-filename.age".publicKeys = [
-    user1
-    system1
-  ];
-  "armored-secret.age" = {
-    publicKeys = [ user1 ];
-    armor = true;
-  };
-}

pkgs/agenix/example_keys/system1

@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxAAAAJA3yvCWN8rw
-lgAAAAtzc2gtZWQyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxA
-AAAEA+J2V6AG1NriAIvnNKRauIEh1JE9HSdhvKJ68a5Fm0w/JDyIr/FSz1cJdcoW69R+Nr
-WzwGK/+3gJpqD1t8L2zEAAAADHJ5YW50bUBob21lMQE=
------END OPENSSH PRIVATE KEY-----

pkgs/agenix/example_keys/system1.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE

pkgs/agenix/example_keys/user1

@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRwAAAJC2JJ8htiSf
-IQAAAAtzc2gtZWQyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRw
-AAAEDxt5gC/s53IxiKAjfZJVCCcFIsdeERdIgbYhLO719+Kb0idNvgGiucWgup/mP78zyC
-23uFjYq0evcWdjGQUaBHAAAADHJ5YW50bUBob21lMQE=
------END OPENSSH PRIVATE KEY-----

pkgs/agenix/example_keys/user1.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH

pkgs/agenix/update.sh

@@ -1,23 +0,0 @@
-#!/bin/sh
-
-set -e
-
-# All operations are done relative to root
-GITROOT=$(git rev-parse --show-toplevel)
-cd "$GITROOT"
-
-REVISION=${1:-main}
-
-TMPCLONE=$(mktemp -d)
-trap "rm -rf ${TMPCLONE}" EXIT
-
-git clone https://github.com/ryantm/agenix.git --revision="$REVISION" "$TMPCLONE" --depth=1
-
-cp "${TMPCLONE}/pkgs/agenix.sh" pkgs/agenix/agenix.sh
-cp "${TMPCLONE}/pkgs/agenix.nix" pkgs/agenix/default.nix
-sed -i 's#../example#./example#' pkgs/agenix/default.nix
-
-cp "${TMPCLONE}/example/"* pkgs/agenix/example/
-cp "${TMPCLONE}/example_keys/"* pkgs/agenix/example_keys/
-
-cp "${TMPCLONE}/modules/age.nix" m/module/agenix.nix

pkgs/amd-uprof/default.nix

@@ -86,13 +86,4 @@ in
       patchelf --add-needed libnuma.so $out/bin/AMDuProfPcm
       set +x
     '';
-
-    meta = {
-      description = "Performance analysis tool-suite for x86 based applications";
-      homepage = "https://www.amd.com/es/developer/uprof.html";
-      platforms = [ "x86_64-linux" ];
-      license = lib.licenses.unfree;
-      maintainers = with lib.maintainers.bsc; [ rarias varcila ];
-    };
-
   }

pkgs/amd-uprof/driver.nix

@@ -19,7 +19,7 @@ in stdenv.mkDerivation {
   '';
   hardeningDisable = [ "pic" "format" ];
   nativeBuildInputs = kernel.moduleBuildDependencies;
-  patches = [ ./makefile.patch ./hrtimer.patch ./remove-wr-rdmsrq.patch ];
+  patches = [ ./makefile.patch ./hrtimer.patch ];
   makeFlags = [
     "KERNEL_VERSION=${kernel.modDirVersion}"
     "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
@@ -29,7 +29,5 @@ in stdenv.mkDerivation {
     description = "AMD Power Profiler Driver";
     homepage = "https://www.amd.com/es/developer/uprof.html";
     platforms = lib.platforms.linux;
-    license = lib.licenses.unfree;
-    maintainers = with lib.maintainers.bsc; [ rarias varcila ];
   };
 }

pkgs/amd-uprof/remove-wr-rdmsrq.patch

@@ -1,20 +0,0 @@
-diff --git a/inc/PwrProfAsm.h b/inc/PwrProfAsm.h
-index d77770a..c93a0e9 100644
---- a/inc/PwrProfAsm.h
-+++ b/inc/PwrProfAsm.h
-@@ -347,6 +347,7 @@
- 
- #endif
- 
-+/*
- #define rdmsrq(msr,val1,val2,val3,val4) ({ \
-         __asm__ __volatile__( \
-                               "rdmsr\n" \
-@@ -362,6 +363,7 @@
-                               :"c"(msr), "a"(val1), "d"(val2), "S"(val3), "D"(val4) \
-                             ); \
-     })
-+*/
- 
- #define rdmsrpw(msr,val1,val2,val3,val4) ({ \
-         __asm__ __volatile__( \

pkgs/babeltrace/default.nix

@@ -1,25 +0,0 @@
-{ stdenv, lib, fetchurl, pkg-config, glib, libuuid, popt, elfutils, swig4, python3 }:
-
-stdenv.mkDerivation rec {
-  name = "babeltrace-1.5.8";
-
-  src = fetchurl {
-    url = "https://www.efficios.com/files/babeltrace/${name}.tar.bz2";
-    sha256 = "1hkg3phnamxfrhwzmiiirbhdgckzfkqwhajl0lmr1wfps7j47wcz";
-  };
-
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ glib libuuid popt elfutils swig4 python3 ];
-
-  meta = with lib; {
-    description = "Command-line tool and library to read and convert LTTng tracefiles";
-    homepage = "https://www.efficios.com/babeltrace";
-    license = licenses.mit;
-    platforms = platforms.linux;
-    maintainers = [ maintainers.bjornfor ];
-  };
-
-  configureFlags = [
-    "--enable-python-bindings"
-  ];
-}

pkgs/babeltrace2/default.nix

@@ -1,34 +0,0 @@
-{
-  stdenv
-, fetchurl
-, pkg-config
-, glib
-, libuuid
-, popt
-, elfutils
-, python3
-, swig4
-, ncurses
-, breakpointHook
-}:
-
-stdenv.mkDerivation rec {
-  pname = "babeltrace2";
-  version = "2.0.3";
-
-  src = fetchurl {
-    url = "https://www.efficios.com/files/babeltrace/${pname}-${version}.tar.bz2";
-    sha256 = "1804pyq7fz6rkcz4r1abkkn0pfnss13m6fd8if32s42l4lajadm5";
-  };
-
-  enableParallelBuilding = true;
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ glib libuuid popt elfutils python3 swig4 ncurses breakpointHook ];
-  hardeningDisable = [ "all" ];
-
-  configureFlags = [
-    "--enable-python-plugins"
-    "--enable-python-bindings"
-  ];
-
-}

pkgs/bench6/default.nix

@@ -1,75 +0,0 @@
-{
-  stdenv
-, lib
-, bigotes
-, cmake
-, clangOmpss2
-, openmp
-, openmpv
-, nanos6
-, nodes
-, nosv
-, mkl
-, mpi
-, tampi
-, openblas
-, ovni
-, gitBranch ? "master"
-, gitURL ? "ssh://git@bscpm04.bsc.es/rarias/bench6.git"
-, gitCommit ? "fe30c2cfe36b535ef26a0054e010bc005e88ba04"
-, useMkl ? true
-}:
-
-stdenv.mkDerivation rec {
-  pname = "bench6";
-  version = "${src.shortRev}";
-
-  src = builtins.fetchGit {
-    url = gitURL;
-    ref = gitBranch;
-    rev = gitCommit;
-  };
-
-  nativeBuildInputs = [
-    cmake
-    clangOmpss2
-  ];
-
-  buildInputs = [
-    bigotes
-    openmp
-    openmpv
-    nanos6
-    nodes
-    nosv
-    mpi
-    tampi
-    ovni
-  ] ++ (if (useMkl) then [
-    mkl
-  ] else [
-    openblas
-    openblas.dev
-  ]);
-
-  env = {
-    NANOS6_HOME = nanos6;
-    NODES_HOME = nodes;
-    NOSV_HOME = nosv;
-  };
-
-  cmakeFlags = [
-    "-DCMAKE_C_COMPILER=clang"
-    "-DCMAKE_CXX_COMPILER=clang++"
-  ];
-  hardeningDisable = [ "all" ];
-  dontStrip = true;
-
-  meta = {
-    homepage = "https://gitlab.pm.bsc.es/rarias/bench6";
-    description = "Set of micro-benchmarks for OmpSs-2 and several mini-apps";
-    maintainers = with lib.maintainers.bsc; [ rarias ];
-    platforms = lib.platforms.linux;
-    license = lib.licenses.gpl3Plus;
-  };
-}

pkgs/bigotes/default.nix

@@ -1,26 +0,0 @@
-{
-  stdenv
-, lib
-, fetchFromGitHub
-, cmake
-}:
-
-stdenv.mkDerivation {
-  pname = "bigotes";
-  version = "9dce13";
-  src = fetchFromGitHub {
-    owner = "rodarima";
-    repo = "bigotes";
-    rev = "9dce13446a8da30bea552d569d260d54e0188518";
-    sha256 = "sha256-ktxM3pXiL8YXSK+/IKWYadijhYXqGoLY6adLk36iigE=";
-  };
-  nativeBuildInputs = [ cmake ];
-
-  meta = {
-    homepage = "https://github.com/rodarima/bigotes";
-    description = "Versatile benchmark tool";
-    maintainers = with lib.maintainers.bsc; [ rarias ];
-    platforms = lib.platforms.linux;
-    license = lib.licenses.gpl3Plus;
-  };
-}

pkgs/clsync/default.nix

@@ -1,54 +0,0 @@
-{ stdenv
-, fetchFromGitHub
-, libcap
-, libcgroup
-, libmhash
-, doxygen
-, graphviz
-, autoreconfHook
-, pkg-config
-, glib
-}:
-
-let
-  version = "0.4.4";
-
-in stdenv.mkDerivation {
-  pname = "clsync";
-  inherit version;
-
-  src = fetchFromGitHub {
-    repo = "clsync";
-    owner = "clsync";
-    rev = "v${version}";
-    sha256 = "0sdiyfwp0iqr6l1sirm51pirzmhi4jzgky5pzfj24nn71q3fwqgz";
-  };
-
-  outputs = [ "out" "dev" ];
-
-  buildInputs = [
-    autoreconfHook
-    libcap
-    libcgroup
-    libmhash
-    doxygen
-    graphviz
-    pkg-config
-    glib
-  ];
-
-  preConfigure = ''
-    ./configure --help
-  '';
-
-  enableParallelBuilding = true;
-
-  meta = with lib; {
-    description = "File live sync daemon based on inotify/kqueue/bsm (Linux, FreeBSD), written in GNU C";
-    homepage = "https://github.com/clsync/clsync";
-    license = licenses.gpl3Plus;
-    maintainers = [ ];
-    platforms = platforms.linux;
-  };
-}
-

pkgs/cn6/default.nix

@@ -1,51 +0,0 @@
-{
-  stdenv
-, lib
-, babeltrace2
-, pkg-config
-, uthash
-, enableTest ? false
-, mpi ? null
-, clangOmpss2 ? null
-, tampi ? null
-}:
-
-with lib;
-
-assert (enableTest -> (mpi != null));
-assert (enableTest -> (clangOmpss2 != null));
-assert (enableTest -> (tampi != null));
-
-stdenv.mkDerivation rec {
-  pname = "cn6";
-  version = "${src.shortRev}";
-
-  buildInputs = [
-    babeltrace2
-    pkg-config
-    uthash
-    mpi
-  ] ++ optionals (enableTest) [ mpi clangOmpss2 tampi ];
-
-  src = builtins.fetchGit {
-    url = "ssh://git@bscpm04.bsc.es/rarias/cn6.git";
-    ref = "master";
-    rev = "c72c3b66b720c2a33950f536fc819051c8f20a69";
-  };
-
-  makeFlags = [ "PREFIX=$(out)" ];
-
-  postBuild = optionalString (enableTest) ''
-    (
-      cd test
-      make timediff timediff_mpi
-    )
-  '';
-
-  postInstall = optionalString (enableTest) ''
-    (
-      cd test
-      cp timediff timediff_mpi sync-err.sh $out/bin/
-    )
-  '';
-}

pkgs/cpuid/default.nix

@@ -1,21 +0,0 @@
-{
-  stdenv
-, perl # For the pod2man command
-}:
-
-stdenv.mkDerivation rec {
-  version = "20201006";
-  pname = "cpuid";
-
-  buildInputs = [ perl ];
-
-  # Replace /usr install directory for $out
-  postPatch = ''
-    sed -i "s@/usr@$out@g" Makefile
-  '';
-
-  src = builtins.fetchTarball {
-    url = "http://www.etallen.com/cpuid/${pname}-${version}.src.tar.gz";
-    sha256 = "04qhs938gs1kjxpsrnfy6lbsircsprfyh4db62s5cf83a1nrwn9w";
-  };
-}

pkgs/cudainfo/default.nix

@@ -1,6 +1,5 @@
 {
   stdenv
-, lib
 , cudatoolkit
 , cudaPackages
 , autoAddDriverRunpath
@@ -12,7 +11,7 @@ stdenv.mkDerivation (finalAttrs: {
   src = ./.;
   buildInputs = [
     cudatoolkit # Required for nvcc
-    (lib.getOutput "static" cudaPackages.cuda_cudart) # Required for -lcudart_static
+    cudaPackages.cuda_cudart.static # Required for -lcudart_static
     autoAddDriverRunpath
   ];
   installPhase = ''
@@ -41,9 +40,4 @@ stdenv.mkDerivation (finalAttrs: {
     '';
     installPhase = "touch $out";
   };
-
-  meta = {
-    platforms = [ "x86_64-linux" ];
-    maintainers = with lib.maintainers.bsc; [ rarias ];
-  };
 })

pkgs/dummy/default.nix

@@ -1,25 +0,0 @@
-{
-  stdenv
-}:
-
-stdenv.mkDerivation rec {
-  name = "dummy";
-
-  src = null;
-  dontUnpack = true;
-  dontBuild = true;
-
-  programPath = "/bin/dummy";
-
-  installPhase = ''
-    mkdir -p $out/bin
-
-    cat > $out/bin/dummy <<EOF
-    #!/bin/sh
-    echo Hello worlda!
-
-    EOF
-
-    chmod +x $out/bin/dummy
-  '';
-}

pkgs/extrae/PTR.patch

@@ -1,13 +0,0 @@
-diff --git a/src/merger/common/bfd_manager.c b/src/merger/common/bfd_manager.c
-index 5f9dacf9..5231e3eb 100644
---- a/src/merger/common/bfd_manager.c
-+++ b/src/merger/common/bfd_manager.c
-@@ -225,7 +225,7 @@ asymbol **BFDmanager_getDefaultSymbols (void)
-  *
-  * @return No return value.
-  */
--static void BFDmanager_findAddressInSection (bfd * abfd, asection * section, PTR data)
-+static void BFDmanager_findAddressInSection (bfd * abfd, asection * section, void * data)
- {
- #if HAVE_BFD_GET_SECTION_SIZE || HAVE_BFD_SECTION_SIZE || HAVE_BFD_GET_SECTION_SIZE_BEFORE_RELOC
- 	bfd_size_type size;

pkgs/extrae/default.nix

@@ -1,123 +0,0 @@
-{ stdenv
-, lib
-, fetchFromGitHub
-, boost
-, libdwarf
-, libelf
-, libxml2
-, libunwind
-, papi
-, binutils-unwrapped
-, libiberty
-, gfortran
-, xml2
-, which
-, libbfd
-, mpi ? null
-, cuda ? null
-, llvmPackages
-, autoreconfHook
-#, python3Packages
-, installShellFiles
-, symlinkJoin
-, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
-}:
-
-let
-  libdwarfBundle = symlinkJoin {
-    name = "libdwarfBundle";
-    paths = [ libdwarf.dev libdwarf.lib libdwarf.out ];
-  };
-in
-
-stdenv.mkDerivation rec {
-  pname = "extrae";
-  version = "4.0.1";
-  src = fetchFromGitHub {
-    owner = "bsc-performance-tools";
-    repo = "extrae";
-    rev = "${version}";
-    sha256 = "SlMYxNQXJ0Xg90HmpnotUR3tEPVVBXhk1NtEBJwGBR4=";
-  };
-
-  patches = [
-    # FIXME: Waiting for German to merge this patch. Still not in master, merged
-    # on 2023-03-01 in devel branch (after 3 years), see:
-    # https://github.com/bsc-performance-tools/extrae/pull/45
-    ./use-command.patch
-    # https://github.com/bsc-performance-tools/extrae/issues/71
-    ./PTR.patch
-  ];
-
-  enableParallelBuilding = true;
-  hardeningDisable = [ "all" ];
-
-  nativeBuildInputs = [ installShellFiles ];
-
-  buildInputs = [
-    autoreconfHook
-    gfortran
-    libunwind
-    binutils-unwrapped
-    boost
-    boost.dev
-    libiberty
-    mpi
-    xml2
-    which
-    libxml2.dev
-    libbfd
-    #python3Packages.sphinx
-  ]
-  ++ lib.optional stdenv.cc.isClang llvmPackages.openmp;
-    
-  preConfigure = ''
-    configureFlagsArray=(
-      --enable-posix-clock
-      --with-binutils="${binutils-unwrapped} ${libiberty}"
-      --with-dwarf=${libdwarfBundle}
-      --with-elf=${libelf}
-      --with-boost=${boost.dev}
-      --enable-instrument-io
-      --enable-instrument-dynamic-memory
-      --without-memkind
-      --enable-merge-in-trace
-      --disable-online
-      --without-opencl
-      --enable-pebs-sampling
-      --enable-sampling
-      --with-unwind=${libunwind.dev}
-      --with-xml-prefix=${libxml2.dev}
-      ${lib.optionalString enablePapi "--with-papi=${papi}"}
-      ${if (mpi != null) then ''--with-mpi=${mpi}''
-        else ''--without-mpi''}
-      --without-dyninst)
-  '';
-
-  # Install the manuals only by hand, as we don't want to pull the complete
-  # LaTeX world
-
-  # FIXME: sphinx is broken
-  #postBuild = ''
-  #  make -C docs man
-  #'';
-  #
-  #postInstall = ''
-  #  installManPage docs/builds/man/*/*
-  #'';
-
-#  ++ (
-#    if (openmp)
-#    then [ "--enable-openmp" ]
-#    else []
-#  );
-
-  meta = {
-    homepage = "https://github.com/bsc-performance-tools/extrae";
-    description = "Instrumentation framework to generate execution traces of the most used parallel runtimes";
-    maintainers = [ ];
-    broken = true;
-    platforms = lib.platforms.linux;
-    license = lib.licenses.lgpl21Plus;
-  };
-}

pkgs/extrae/use-command.patch

@@ -1,24 +0,0 @@
-diff --git a/substitute b/substitute
-index d5615606..82ca91a5 100755
---- a/substitute
-+++ b/substitute
-@@ -16,7 +16,7 @@ UNAME=`uname`
- if [ "${UNAME}" = "Darwin" -o "${UNAME}" = "AIX" ] ; then
- 	TMPFILE=substitute-$$
- 	${SED} "s|${KEY}|${VALUE}|g" < ${FILE} >${TMPFILE}
--	/bin/mv -f ${TMPFILE} ${FILE}
-+	command mv -f ${TMPFILE} ${FILE}
- else
- 	${SED} "s|${KEY}|${VALUE}|g" -i ${FILE}
- fi
-diff --git a/substitute-all b/substitute-all
-index 48c6b76a..eda7a0f2 100755
---- a/substitute-all
-+++ b/substitute-all
-@@ -23,5 +23,5 @@ fi
- 
- echo "Applying modification in ${PATHTOCHANGE} - Key = ${KEY} for value = ${VALUE}"
- 
--/usr/bin/find ${PATHTOCHANGE} -type f -exec ${SCRIPT_LOCATION} "${SED}" "${KEY}" "${VALUE}" {} \;
-+command find ${PATHTOCHANGE} -type f -exec ${SCRIPT_LOCATION} "${SED}" "${KEY}" "${VALUE}" {} \;
- 

pkgs/fftw/default.nix

@@ -1,58 +0,0 @@
-{ fetchurl, stdenv, lib, llvmPackages ? null, precision ? "double", perl, mpi }:
-
-with lib;
-
-assert stdenv.cc.isClang -> llvmPackages != null;
-assert elem precision [ "single" "double" "long-double" "quad-precision" ];
-
-let
-  version = "3.3.8";
-  withDoc = stdenv.cc.isGNU;
-in
-
-stdenv.mkDerivation {
-  name = "fftw-${precision}-${version}";
-
-  src = fetchurl {
-    urls = [
-      "http://fftw.org/fftw-${version}.tar.gz"
-      "ftp://ftp.fftw.org/pub/fftw/fftw-${version}.tar.gz"
-    ];
-    sha256 = "00z3k8fq561wq2khssqg0kallk0504dzlx989x3vvicjdqpjc4v1";
-  };
-
-  outputs = [ "out" "dev" "man" ]
-    ++ optional withDoc "info"; # it's dev-doc only
-  outputBin = "dev"; # fftw-wisdom
-
-  buildInputs = [ mpi ]
-  ++ lib.optionals stdenv.cc.isClang [
-    # TODO: This may mismatch the LLVM version sin the stdenv, see #79818.
-    llvmPackages.openmp
-  ];
-
-  configureFlags =
-    [ "--enable-shared"
-      "--enable-threads"
-      "--enable-mpi"
-      "--disable-openmp"
-    ]
-    ++ optional (precision != "double") "--enable-${precision}"
-    # all x86_64 have sse2
-    # however, not all float sizes fit
-    ++ optional (stdenv.isx86_64 && (precision == "single" || precision == "double") )  "--enable-sse2"
-    # doc generation causes Fortran wrapper generation which hard-codes gcc
-    ++ optional (!withDoc) "--disable-doc";
-
-  enableParallelBuilding = true;
-
-  checkInputs = [ perl ];
-
-  meta = with lib; {
-    description = "Fastest Fourier Transform in the West library";
-    homepage = "http://www.fftw.org/";
-    license = licenses.gpl2Plus;
-    maintainers = [ maintainers.spwhitt ];
-    platforms = platforms.unix;
-  };
-}

pkgs/gpi-2/default.nix

@@ -1,75 +0,0 @@
-{
-  stdenv
-, lib
-, fetchurl
-, symlinkJoin
-, slurm
-, rdma-core
-, autoconf
-, automake
-, libtool
-, mpi
-, gfortran
-}:
-
-let
-  rdma-core-all = symlinkJoin {
-    name ="rdma-core-all";
-    paths = [ rdma-core.dev rdma-core.out ];
-  };
-  mpiAll = symlinkJoin {
-    name = "mpi-all";
-    paths = [ mpi.all ];
-  };
-in
-
-stdenv.mkDerivation rec {
-  pname = "GPI-2";
-  version = "tagaspi-2021.11";
-
-  src = fetchurl {
-    url = "https://pm.bsc.es/gitlab/interoperability/extern/GPI-2/-/archive/${version}/GPI-2-${version}.tar.gz";
-    hash = "sha256-eY2wpyTpnOXRoAcYoAP82Jq9Q7p5WwDpMj+f1vEX5zw=";
-  };
-
-  enableParallelBuilding = true;
-
-  patches = [ ./rdma-core.patch ./max-mem.patch ];
-
-  preConfigure = ''
-    patchShebangs autogen.sh
-    ./autogen.sh
-  '';
-
-  configureFlags = [
-    "--with-infiniband=${rdma-core-all}"
-    "--with-mpi=yes" # fixes mpi detection when cross-compiling
-    "--with-slurm"
-    "CFLAGS=-fPIC"
-    "CXXFLAGS=-fPIC"
-  ];
-
-  nativeBuildInputs = [
-    autoconf
-    automake
-    gfortran
-    libtool
-  ];
-
-  buildInputs = [
-    slurm
-    mpiAll
-    rdma-core-all
-  ];
-
-  hardeningDisable = [ "all" ];
-
-  meta = {
-    homepage = "https://pm.bsc.es/gitlab/interoperability/extern/GPI-2";
-    description = "GPI-2 extended for supporting Task-Aware GASPI (TAGASPI) library";
-    maintainers = with lib.maintainers.bsc; [ rarias ];
-    platforms = lib.platforms.linux;
-    license = lib.licenses.gpl3Plus;
-    cross = false; # infiniband detection does not work
-  };
-}

pkgs/gpi-2/max-mem.patch

@@ -1,10 +0,0 @@
---- a/tests/tests/segments/max_mem.c	2025-09-12 13:30:53.449353591 +0200
-+++ b/tests/tests/segments/max_mem.c	2025-09-12 13:33:49.750352401 +0200
-@@ -1,5 +1,7 @@
- #include <test_utils.h>
- 
-+gaspi_size_t gaspi_get_system_mem (void);
-+
- /* Test allocates 45% of system memory and creates a segment that
-    large or if several ranks per node exist, divided among that
-    number */

pkgs/gpi-2/rdma-core.patch

@@ -1,12 +0,0 @@
---- a/src/devices/ib/GPI2_IB.h	2025-09-12 13:25:31.564181121 +0200
-+++ b/src/devices/ib/GPI2_IB.h	2025-09-12 13:24:49.105422150 +0200
-@@ -26,6 +26,9 @@ along with GPI-2. If not, see <http://ww
- 
- #include "GPI2_Dev.h"
- 
-+/* Missing prototype as driver.h is now private */
-+int ibv_read_sysfs_file(const char *dir, const char *file, char *buf, size_t size);
-+
- #define GASPI_GID_INDEX   (0)
- #define PORT_LINK_UP      (5)
- #define MAX_INLINE_BYTES  (128)

pkgs/groff/0001-Fix-cross-compilation-by-looking-for-ar.patch

@@ -1,46 +0,0 @@
-From 1454525f70b43a6957b7c9e1870e997368787da3 Mon Sep 17 00:00:00 2001
-From: Samuel Dionne-Riel <samuel@dionne-riel.com>
-Date: Fri, 8 Nov 2019 21:59:21 -0500
-Subject: [PATCH] Fix cross-compilation by looking for `ar`.
-
----
- Makefile.am  | 2 +-
- configure.ac | 2 ++
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index d18c49b8..b1b53338 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -494,7 +494,7 @@ CCC=@CXX@
- # INSTALL_INFO
- # LN_S
- 
--AR=ar
-+AR=@AR@
- ETAGS=etags
- ETAGSFLAGS=
- # Flag that tells etags to assume C++.
-diff --git a/configure.ac b/configure.ac
-index 28e75f17..2449b9f5 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -37,6 +37,7 @@ AC_CONFIG_AUX_DIR([build-aux])
- 
- AC_CONFIG_HEADERS([src/include/config.h:src/include/config.hin])
- AC_CONFIG_SRCDIR([src/roff/groff/groff.cpp])
-+AC_CONFIG_MACRO_DIR([m4])
- 
- AC_USE_SYSTEM_EXTENSIONS
- 
-@@ -72,6 +73,7 @@ GROFF_DOC_CHECK
- GROFF_MAKEINFO
- GROFF_TEXI2DVI
- AC_PROG_RANLIB
-+AC_CHECK_TOOL([AR], [ar], [ar])
- GROFF_INSTALL_SH
- GROFF_INSTALL_INFO
- AC_PROG_INSTALL
--- 
-2.23.0
-

pkgs/groff/default.nix

@@ -1,127 +0,0 @@
-{ stdenv, lib, fetchurl, perl
-, ghostscript #for postscript and html output
-, psutils, netpbm #for html output
-, buildPackages
-, autoreconfHook
-, pkg-config
-, texinfo
-}:
-
-stdenv.mkDerivation rec {
-  pname = "groff";
-  version = "1.22.4";
-
-  src = fetchurl {
-    url = "mirror://gnu/groff/${pname}-${version}.tar.gz";
-    sha256 = "14q2mldnr1vx0l9lqp9v2f6iww24gj28iyh4j2211hyynx67p3p7";
-  };
-
-  enableParallelBuilding = false;
-
-  patches = [
-    ./0001-Fix-cross-compilation-by-looking-for-ar.patch
-  ];
-
-  postPatch = lib.optionalString (psutils != null) ''
-    substituteInPlace src/preproc/html/pre-html.cpp \
-      --replace "psselect" "${psutils}/bin/psselect"
-  '' + lib.optionalString (netpbm != null) ''
-    substituteInPlace src/preproc/html/pre-html.cpp \
-      --replace "pnmcut" "${lib.getBin netpbm}/bin/pnmcut" \
-      --replace "pnmcrop" "${lib.getBin netpbm}/bin/pnmcrop" \
-      --replace "pnmtopng" "${lib.getBin netpbm}/bin/pnmtopng"
-    substituteInPlace tmac/www.tmac.in \
-      --replace "pnmcrop" "${lib.getBin netpbm}/bin/pnmcrop" \
-      --replace "pngtopnm" "${lib.getBin netpbm}/bin/pngtopnm" \
-      --replace "@PNMTOPS_NOSETPAGE@" "${lib.getBin netpbm}/bin/pnmtops -nosetpage"
-  '';
-
-  buildInputs = [ ghostscript psutils netpbm perl ];
-  nativeBuildInputs = [ autoreconfHook pkg-config texinfo ];
-
-  # Builds running without a chroot environment may detect the presence
-  # of /usr/X11 in the host system, leading to an impure build of the
-  # package. To avoid this issue, X11 support is explicitly disabled.
-  # Note: If we ever want to *enable* X11 support, then we'll probably
-  # have to pass "--with-appresdir", too.
-  configureFlags = [
-    "--without-x"
-  ] ++ lib.optionals (ghostscript != null) [
-    "--with-gs=${ghostscript}/bin/gs"
-  ] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
-    "ac_cv_path_PERL=${buildPackages.perl}/bin/perl"
-  ];
-
-  makeFlags = lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
-    # Trick to get the build system find the proper 'native' groff
-    # http://www.mail-archive.com/bug-groff@gnu.org/msg01335.html
-    "GROFF_BIN_PATH=${buildPackages.groff}/bin"
-    "GROFFBIN=${buildPackages.groff}/bin/groff"
-  ];
-
-  doCheck = true;
-
-  postInstall = ''
-    for f in 'man.local' 'mdoc.local'; do
-        cat '${./site.tmac}' >>"$out/share/groff/site-tmac/$f"
-    done
-
-    moveToOutput bin/gropdf $out
-    moveToOutput bin/pdfmom $out
-    moveToOutput bin/roff2text $out
-    moveToOutput bin/roff2pdf $out
-    moveToOutput bin/roff2ps $out
-    moveToOutput bin/roff2dvi $out
-    moveToOutput bin/roff2ps $out
-    moveToOutput bin/roff2html $out
-    moveToOutput bin/glilypond $out
-    moveToOutput bin/mmroff $out
-    moveToOutput bin/roff2x $out
-    moveToOutput bin/afmtodit $out
-    moveToOutput bin/gperl $out
-    moveToOutput bin/chem $out
-    moveToOutput share/groff/${version}/font/devpdf $out
-
-    # idk if this is needed, but Fedora does it
-    moveToOutput share/groff/${version}/tmac/pdf.tmac $out
-
-    moveToOutput bin/gpinyin $out
-    moveToOutput lib/groff/gpinyin $out
-    substituteInPlace $out/bin/gpinyin \
-      --replace $out/lib/groff/gpinyin $out/lib/groff/gpinyin
-
-    moveToOutput bin/groffer $out
-    moveToOutput lib/groff/groffer $out
-    substituteInPlace $out/bin/groffer \
-      --replace $out/lib/groff/groffer $out/lib/groff/groffer
-
-    moveToOutput bin/grog $out
-    moveToOutput lib/groff/grog $out
-    substituteInPlace $out/bin/grog \
-      --replace $out/lib/groff/grog $out/lib/groff/grog
-
-  '' + lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
-    find $out/ -type f -print0 | xargs --null sed -i 's|${buildPackages.perl}|${perl}|'
-  '';
-
-  meta = with lib; {
-    homepage = "https://www.gnu.org/software/groff/";
-    description = "GNU Troff, a typesetting package that reads plain text and produces formatted output";
-    license = licenses.gpl3Plus;
-    platforms = platforms.all;
-    maintainers = with maintainers; [ pSub ];
-
-    longDescription = ''
-      groff is the GNU implementation of troff, a document formatting
-      system.  Included in this release are implementations of troff,
-      pic, eqn, tbl, grn, refer, -man, -mdoc, -mom, and -ms macros,
-      and drivers for PostScript, TeX dvi format, HP LaserJet 4
-      printers, Canon CAPSL printers, HTML and XHTML format (beta
-      status), and typewriter-like devices.  Also included is a
-      modified version of the Berkeley -me macros, the enhanced
-      version gxditview of the X11 xditview previewer, and an
-      implementation of the -mm macros.
-    '';
-
-  };
-}

pkgs/groff/site.tmac

@@ -1,16 +0,0 @@
-.
-.if n \{\
-.  \" Character translations for non-keyboard
-.  \" characters - to make them searchable
-.  if '\*[.T]'utf8' \{\
-.    char \- \N'45'
-.    char - \N'45'
-.    char ' \N'39'
-.    char \' \N'39'
-.  \}
-.
-.  \" Shut off SGR by default (groff colors)
-.  \" Require GROFF_SGR envvar defined to turn it on
-.  if '\V[GROFF_SGR]'' \
-.    output x X tty: sgr 0
-.\}

pkgs/hwloc/1.11.6/default.nix

@@ -1,70 +0,0 @@
-{ stdenv, lib, fetchurl, pkg-config, expat, ncurses
-, pciutils, numactl }:
-
-with lib;
-
-stdenv.mkDerivation rec {
-  name = "hwloc-1.11.6";
-
-  src = fetchurl {
-    url = "http://www.open-mpi.org/software/hwloc/v1.11/downloads/${name}.tar.bz2";
-    sha256 = "1yl7dm2qplwmnidd712zy12qfvxk28k8ccs694n42ybwdjwzg1bn";
-  };
-
-  nativeBuildInputs = [ pkg-config ];
-
-  # Filter out `null' inputs.  This allows users to `.override' the
-  # derivation and set optional dependencies to `null'.
-  buildInputs = filter (x: x != null)
-   ([ expat ncurses ]
-     ++  (optionals stdenv.isLinux [ numactl ]));
-
-  propagatedBuildInputs =
-    # Since `libpci' appears in `hwloc.pc', it must be propagated.
-    optional stdenv.isLinux pciutils;
-
-  enableParallelBuilding = true;
-
-  postInstall =
-    optionalString (stdenv.isLinux && numactl != null)
-      '' if [ -d "${numactl}/lib64" ]
-         then
-             numalibdir="${numactl}/lib64"
-         else
-             numalibdir="${numactl}/lib"
-             test -d "$numalibdir"
-         fi
-
-         sed -i "$out/lib/libhwloc.la" \
-             -e "s|-lnuma|-L$numalibdir -lnuma|g"
-      '';
-
-  # Checks disabled because they're impure (hardware dependent) and
-  # fail on some build machines.
-  doCheck = false;
-
-  meta = {
-    description = "Portable abstraction of hierarchical architectures for high-performance computing";
-    longDescription = ''
-       hwloc provides a portable abstraction (across OS,
-       versions, architectures, ...) of the hierarchical topology of
-       modern architectures, including NUMA memory nodes, sockets,
-       shared caches, cores and simultaneous multithreading.  It also
-       gathers various attributes such as cache and memory
-       information.  It primarily aims at helping high-performance
-       computing applications with gathering information about the
-       hardware so as to exploit it accordingly and efficiently.
-
-       hwloc may display the topology in multiple convenient
-       formats.  It also offers a powerful programming interface to
-       gather information about the hardware, bind processes, and much
-       more.
-    '';
-
-    # http://www.open-mpi.org/projects/hwloc/license.php
-    license = licenses.bsd3;
-    homepage = http://www.open-mpi.org/projects/hwloc/;
-    maintainers = [ ];
-    platforms = platforms.all;
-  };
-}

pkgs/intel-compiler/default.nix

@@ -1,40 +0,0 @@
-{
-  stdenv
-, gcc
-, iccUnwrapped
-, wrapCCWith
-, intelLicense
-}:
-
-let
-  targetConfig = stdenv.targetPlatform.config;
-  inherit gcc;
-in wrapCCWith rec {
-  cc = iccUnwrapped;
-  extraBuildCommands = ''
-    echo "-B${gcc.cc}/lib/gcc/${targetConfig}/${gcc.version}" >> $out/nix-support/cc-cflags
-    echo "-isystem ${iccUnwrapped}/include" >> $out/nix-support/cc-cflags
-    echo "-isystem ${iccUnwrapped}/include/intel64" >> $out/nix-support/cc-cflags
-    echo "-L${gcc.cc}/lib/gcc/${targetConfig}/${gcc.version}" >> $out/nix-support/cc-ldflags
-    echo "-L${gcc.cc.lib}/lib" >> $out/nix-support/cc-ldflags
-
-    cat "${iccUnwrapped}/nix-support/propagated-build-inputs" >> \
-      $out/nix-support/propagated-build-inputs
-
-    echo "export INTEL_LICENSE_FILE=${intelLicense}" \
-      >> $out/nix-support/setup-hook
-
-    # Create the wrappers for icc and icpc
-    if [ -e $ccPath/icc ]; then
-      wrap icc  $wrapper $ccPath/icc
-    fi
-
-    if [ -e $ccPath/icpc ]; then
-      wrap icpc $wrapper $ccPath/icpc
-    fi
-
-    if [ -e $ccPath/ifort ]; then
-      wrap ifort $wrapper $ccPath/ifort
-    fi
-  '';
-}

pkgs/intel-compiler/icc2020.nix

@@ -1,71 +0,0 @@
-{ stdenv
-, lib
-, fetchurl
-, rpmextract
-, autoPatchelfHook
-, gcc
-, intel-mpi
-}:
-
-stdenv.mkDerivation rec {
-  version = "${year}.${v_a}.${v_b}";
-  name = "intel-compiler-${version}";
-
-  passthru = {
-    CC = "icc";
-    CXX = "icpc";
-  };
-
-  # From Arch Linux PKGBUILD
-  dir_nr="17114";
-  year="2020";
-  v_a="4";
-  v_b="304";
-  update="4";
-  composer_xe_dir="compilers_and_libraries_${year}.${v_a}.${v_b}";
-  tgz="parallel_studio_xe_2020_update${update}_professional_edition.tgz";
-
-  src = fetchurl {
-    url = "https://registrationcenter-download.intel.com/akdlm/irc_nas/tec/${dir_nr}/${tgz}";
-    sha256 = "1rn9kk5bjj0jfv853b09dxrx7kzvv8dlyzw3hl9ijx9mqr09lrzr";
-  };
-
-  buildInputs = [
-    rpmextract
-    autoPatchelfHook
-    gcc.cc.lib
-    gcc
-    intel-mpi
-  ];
-
-  # The gcc package is required for building other programs
-  propagatedBuildInputs = [ gcc ];
-
-  installPhase = ''
-    pwd
-    ls -l rpm
-    rpmextract rpm/intel-icc-*.rpm
-    rpmextract rpm/intel-comp-*.rpm
-    rpmextract rpm/intel-c-comp-*.rpm
-    rpmextract rpm/intel-openmp*.rpm
-    rpmextract rpm/intel-ifort*.rpm
-
-    mkdir -p $out/{bin,lib,include}
-
-    pushd ./opt/intel/${composer_xe_dir}/linux/
-      cp -a bin/intel64/* $out/bin/
-      cp -a compiler/include/* $out/include/
-      cp -a compiler/lib/intel64_lin/* $out/lib/
-      ln -s lib $out/lib_lin
-      rm $out/lib/*.dbg
-    popd
-  '';
-
-  meta = {
-    homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
-    description = "Intel compiler";
-    maintainers = with lib.maintainers.bsc; [ rarias ];
-    platforms = lib.platforms.linux;
-    license = lib.licenses.unfree;
-  };
-}