13 Commits

67a3f57362 Use 10.106.0.0/24 subnet to avoid collisions
The 106 byte is the code for 'j' (jungle) in ASCII:

	% printf j | od -t d
	0000000         106
	0000001
2025-09-03 11:12:25 +02:00
6f3d3db996 Update fox documentation for SLURM and FS 2025-09-02 17:21:37 +02:00
d7411159d2 Revert "Remove pam_slurm_adopt from fox"
This reverts commit 64a52801ed.
2025-09-02 17:12:56 +02:00
84b60eed04 Enable fail2ban in fox
Protect fox against ssh bruteforce attacks:

fox% sudo lastb | head
root     ssh:notty    200.124.28.102   Mon Sep  1 11:25 - 11:25  (00:00)
root     ssh:notty    200.124.28.102   Mon Sep  1 11:25 - 11:25  (00:00)
root     ssh:notty    200.124.28.102   Mon Sep  1 11:25 - 11:25  (00:00)
root     ssh:notty    200.124.28.102   Mon Sep  1 11:25 - 11:25  (00:00)
root     ssh:notty    200.124.28.102   Mon Sep  1 11:25 - 11:25  (00:00)
root     ssh:notty    200.124.28.102   Mon Sep  1 11:25 - 11:25  (00:00)
root     ssh:notty    200.124.28.102   Mon Sep  1 11:25 - 11:25  (00:00)
root     ssh:notty    200.124.28.102   Mon Sep  1 11:25 - 11:25  (00:00)
root     ssh:notty    200.124.28.102   Mon Sep  1 11:24 - 11:24  (00:00)
root     ssh:notty    200.124.28.102   Mon Sep  1 11:24 - 11:24  (00:00)
2025-09-01 12:34:54 +02:00
3195952f5a Accept connections from apex to fox slurmd 2025-09-01 12:34:54 +02:00
578869ce4c Accept fox connection to slurm controller 2025-09-01 12:34:54 +02:00
9f82ac3ec7 Add fox machine to SLURM 2025-09-01 12:34:54 +02:00
7cc52b7f76 Rekey secrets with trusted fox key 2025-09-01 12:34:54 +02:00
642840a405 Trust fox for compute node secrets 2025-09-01 12:34:54 +02:00
79f6e0613e Make apex host specific to each machine
Allows direct contact via the VPN when accessing from fox, but uses the
Internet when accessing from the rest of the machines.
2025-09-01 12:34:50 +02:00
fc112b92e6 Add local host fox in apex 2025-09-01 12:34:21 +02:00
b5de3dc483 Enable wireguard in apex 2025-09-01 12:34:17 +02:00
9b2587d0d6 Add wireguard server in fox 2025-09-01 12:34:10 +02:00
12 changed files with 1 additions and 32 deletions

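--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +0,0 @@
-*.pdf filter=lfs diff=lfs merge=lfs -text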

Binary file not shown.

Binary file not shown.


@@ -5,7 +5,6 @@
agenix.inputs.nixpkgs.follows = "nixpkgs";
bscpkgs.url = "git+https://git.sr.ht/~rodarima/bscpkgs";
bscpkgs.inputs.nixpkgs.follows = "nixpkgs";
self.lfs = false;
};
outputs = { self, nixpkgs, agenix, bscpkgs, ... }:


@@ -8,7 +8,6 @@
statdPort = 4000;
exports = ''
/home 10.0.40.0/24(rw,async,no_subtree_check,no_root_squash)
/home 10.106.0.0/24(rw,async,no_subtree_check,no_root_squash)
'';
};
networking.firewall = {
@@ -28,21 +27,6 @@
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4001 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
# Accept NFS traffic from wg0
iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 111 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 2049 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 4000 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 4001 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 4002 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 20048 -j nixos-fw-accept
# Same but UDP
iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 111 -j nixos-fw-accept
iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 2049 -j nixos-fw-accept
iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 4000 -j nixos-fw-accept
iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 4001 -j nixos-fw-accept
iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 4002 -j nixos-fw-accept
iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 20048 -j nixos-fw-accept
'';
};
}


@@ -4,7 +4,7 @@
environment.systemPackages = with pkgs; [
vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
ncdu config.boot.kernelPackages.perf ldns pv git-lfs
ncdu config.boot.kernelPackages.perf ldns pv
# From bsckgs overlay
osumb
];


@@ -79,13 +79,6 @@
fileSystems."/nvme0" = { device = "/dev/disk/by-label/nvme0"; fsType = "ext4"; };
fileSystems."/nvme1" = { device = "/dev/disk/by-label/nvme1"; fsType = "ext4"; };
# Mount the NFS home
fileSystems."/nfs/home" = {
device = "10.106.0.30:/home";
fsType = "nfs";
options = [ "nfsvers=3" "rsize=1024" "wsize=1024" "cto" "nofail" ];
};
# Make a /nvme{0,1}/$USER directory for each user.
systemd.services.create-nvme-dirs = let
# Take only normal users in fox


@@ -26,7 +26,5 @@
SENDMAIL_ARGS = "--";
};
};
lfs.enable = true;
};
}


@@ -39,7 +39,6 @@ in
rewrite ^/git/(.*) /$1 break;
proxy_pass http://127.0.0.1:3000;
proxy_redirect http:// $scheme://;
client_max_body_size 64M;
}
location /cache {
rewrite ^/cache/(.*) /$1 break;


@@ -100,8 +100,5 @@ Then just run `nix develop` from the same directory:
The machine has several file systems available.
- `/nfs/home`: The `/home` from apex via NFS, which is also shared with other
xeon machines. It has about 2 ms of latency, so not suitable for quick random
access.
- `/nvme{0,1}/$USER`: The two local NVME disks, very fast and large capacity.
- `/tmp`: tmpfs, fast but not backed by a disk. Will be erased on reboot.