rarias/jungle
2
0
Fork 3
Code Issues 63 Pull Requests 10 Actions Packages Projects Releases Wiki Activity

Compare commits

base: rarias:master
Branches Tags
rarias:master rarias:pkgs/tasycl rarias:slurm-groups rarias:unlock-gitlab-runner rarias:add-nextcloud rarias:project-management rarias:enableStrictDeps rarias:fox-regression rarias:pkgs/tacuda rarias:robust-fetchGit rarias:old-master rarias:gitea-lfs rarias:only-restart-logins rarias:monitor-gpfs-home rarias:add-tent-machine rarias:m/raccoon rarias:add-fpga-u280 rarias:maintenance-purchase rarias:add-fox-machine rarias:share-files rarias:shared-nix-store rarias:intro-nix rarias:lake2-ipoib abonerib:llvm-intel abonerib:nix-portable abonerib:master abonerib:pkgs/pocl abonerib:pkgs/tasycl abonerib:nix-portable-riscv abonerib:weasel-gitea-test abonerib:fix/cross/ompss-2 abonerib:mega-merge abonerib:pkgs/tacuda abonerib:enableStrictDeps abonerib:upgrade/25.11 abonerib:fix/cross-clang abonerib:add-private abonerib:fix/paraver abonerib:pkgs/gromacs abonerib:pkgs/aocc abonerib:pkgs/clsparse abonerib:pkgs/taopencl abonerib:quick-shell abonerib:fix/gcc14 abonerib:remove-old abonerib:remove-inputs abonerib:weasel-hydra abonerib:feat/hydra
..
compare: abonerib:fix/gcc14
Branches Tags
abonerib:llvm-intel abonerib:nix-portable abonerib:master abonerib:pkgs/pocl abonerib:pkgs/tasycl abonerib:nix-portable-riscv abonerib:weasel-gitea-test abonerib:fix/cross/ompss-2 abonerib:mega-merge abonerib:pkgs/tacuda abonerib:enableStrictDeps abonerib:upgrade/25.11 abonerib:fix/cross-clang abonerib:add-private abonerib:fix/paraver abonerib:pkgs/gromacs abonerib:pkgs/aocc abonerib:pkgs/clsparse abonerib:pkgs/taopencl abonerib:quick-shell abonerib:fix/gcc14 abonerib:remove-old abonerib:remove-inputs abonerib:weasel-hydra abonerib:feat/hydra rarias:master rarias:pkgs/tasycl rarias:slurm-groups rarias:unlock-gitlab-runner rarias:add-nextcloud rarias:project-management rarias:enableStrictDeps rarias:fox-regression rarias:pkgs/tacuda rarias:robust-fetchGit rarias:old-master rarias:gitea-lfs rarias:only-restart-logins rarias:monitor-gpfs-home rarias:add-tent-machine rarias:m/raccoon rarias:add-fpga-u280 rarias:maintenance-purchase rarias:add-fox-machine rarias:share-files rarias:shared-nix-store rarias:intro-nix rarias:lake2-ipoib

2 Commits
master ... fix/gcc14

Author SHA1 Message Date
Aleix Boné
33f41340aa Use standard gcc for intel packages
All checks were successful
CI / build:cross (pull_request) Successful in 1m7s
Details
CI / build:all (pull_request) Successful in 52m27s
Details
2025-10-13 15:07:29 +02:00
Aleix Boné
87dd7018f8 Update nixpkgs (gcc 14.2.1.20250322 -> 14.3.0) 
See: dc2e7bea50
 2025-10-13 15:06:43 +02:00
90 changed files with 331 additions and 2061 deletions
Expand all files Collapse all files

90
flake.lock generated
View File

@@ -1,25 +1,107 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1750173260,
"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1767634882,
"narHash": "sha256-2GffSfQxe3sedHzK+sTKlYo/NTIAGzbFCIsNMUPAAnk=",
"lastModified": 1760139962,
"narHash": "sha256-4xggC56Rub3WInz5eD7EZWXuLXpNvJiUPahGtMkwtuc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c9db02515ef1d9b6b709fc60ba9a540957f661c",
"rev": "7e297ddff44a3cc93673bb38d0374df8d0ad73e4",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"nixpkgs": "nixpkgs"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

8
flake.nix
View File

@@ -1,13 +1,15 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, nixpkgs, ... }:
outputs = { self, nixpkgs, agenix, ... }:
let
mkConf = name: nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit nixpkgs; theFlake = self; };
specialArgs = { inherit nixpkgs agenix; theFlake = self; };
modules = [ "${self.outPath}/m/${name}/configuration.nix" ];
};
# For now we only support x86

3
keys.nix
View File

@@ -22,9 +22,8 @@ rec {
storage = [ bay lake2 ];
monitor = [ hut ];
login = [ apex ];
services = [ tent ];
system = storage ++ monitor ++ login ++ services;
system = storage ++ monitor ++ login;
safe = system ++ compute;
all = safe ++ playground;
};

12
m/apex/configuration.nix
View File

@@ -57,18 +57,6 @@
};
};
services.fail2ban = {
enable = true;
maxretry = 5;
bantime-increment = {
enable = true; # Double ban time on each attack
maxtime = "7d"; # Ban up to a week
};
};
# Disable SSH login with password, allow only keypair
services.openssh.settings.PasswordAuthentication = false;
networking.firewall = {
extraCommands = ''
# Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our

26
m/apex/nfs.nix
View File

@@ -7,7 +7,7 @@
mountdPort = 4002;
statdPort = 4000;
exports = ''
/home 10.0.40.0/21(rw,async,no_subtree_check,no_root_squash)
/home 10.0.40.0/24(rw,async,no_subtree_check,no_root_squash)
/home 10.106.0.0/24(rw,async,no_subtree_check,no_root_squash)
'';
};
@@ -15,19 +15,19 @@
# Check with `rpcinfo -p`
extraCommands = ''
# Accept NFS traffic from compute nodes but not from the outside
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 111 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 2049 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 4000 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 4001 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 4002 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 20048 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 111 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 2049 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4000 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4001 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
# Same but UDP
iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 111 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 2049 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 4000 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 4001 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 4002 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 20048 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 111 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 2049 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4000 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4001 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
# Accept NFS traffic from wg0
iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 111 -j nixos-fw-accept

4
m/bay/configuration.nix
View File

@@ -24,7 +24,7 @@
address = "10.0.40.40";
prefixLength = 24;
} ];
interfaces.ibs785.ipv4.addresses = [ {
interfaces.ibp5s0.ipv4.addresses = [ {
address = "10.0.42.40";
prefixLength = 24;
} ];
@@ -35,7 +35,7 @@
# Accept monitoring requests from hut
iptables -A nixos-fw -p tcp -s hut -m multiport --dport 9283,9002 -j nixos-fw-accept
# Accept all Ceph traffic from the local network
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
'';
};
};

9
m/common/base/agenix.nix
View File

@@ -1,8 +1,9 @@
{ pkgs, ... }:
{ agenix, ... }:
{
imports = [ ../../module/agenix.nix ];
imports = [ agenix.nixosModules.default ];
# Add agenix to system packages
environment.systemPackages = [ pkgs.agenix ];
environment.systemPackages = [
agenix.packages.x86_64-linux.default
];
}

35
m/common/base/env.nix
View File

@@ -1,36 +1,11 @@
{ pkgs, ... }:
{ pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
cmake
ethtool
file
freeipmi
git
gnumake
home-manager
htop
ipmitool
ldns
lm_sensors
ncdu
nix-diff
nix-index
nix-output-monitor
nixfmt-tree
nixos-option
pciutils
perf
pv
ripgrep
tcpdump
tmux
tree
vim
wget
# From jungle overlay
nixgen
vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
ncdu config.boot.kernelPackages.perf ldns pv
# From bsckgs overlay
osumb
];

42
m/common/base/users.nix
View File

@@ -134,12 +134,11 @@
home = "/home/Computational/varcila";
description = "Vincent Arcila";
group = "Computational";
hosts = [ "apex" "hut" "tent" "fox" "owl1" "owl2" ];
hosts = [ "apex" "hut" "tent" "fox" ];
hashedPassword = "$6$oB0Tcn99DcM4Ch$Vn1A0ulLTn/8B2oFPi9wWl/NOsJzaFAWjqekwcuC9sMC7cgxEVb.Nk5XSzQ2xzYcNe5MLtmzkVYnRS1CqP39Y0";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"
];
shell = pkgs.zsh;
};
pmartin1 = {
@@ -181,45 +180,6 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFmMqKqPg4uocNOr3O41kLbZMOMJn3m2ZdN1JvTR96z3 bsccns@arnau-bsc"
];
};
aaguirre = {
uid = 9655;
isNormalUser = true;
home = "/home/Computational/aaguirre";
description = "Alejandro Aguirre";
group = "Computational";
hosts = [ "apex" "hut" ];
hashedPassword = "$6$TXRXQT6jjBvxkxU6$E.sh5KspAm1qeG5Ct7OPHpo8REmbGDwjFGvqeGgTVz3GASGOAnPL7UMZsMAsAKBoahOw.v8LNno6XGrTEPzZH1";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlRX7ZCnqtUJYCxKgWmgSrFCYuA2LHY96rVwqxXPl86 aaguirre@BSC-8488184117"
];
};
emonteir = {
uid = 9656;
isNormalUser = true;
home = "/home/Computational/emonteir";
description = "Erwin Royson Monteiro";
group = "Computational";
hosts = [ "apex" "fox" ];
hashedPassword = "$6$0mU88zd3ZuK5NiJQ$DFWL5RMLH6esQM5UyhBCiiNryw4lDDmvJp7Usz3tmevnsiSJr6u0RsUKAnR/K8GRBFrV1.GocrgNjKjik5GY//";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKZKot/Y3F5Wq9pQIXlCbyvQuVVeWMCsAC96Nd+LTcG erwin@Oreo"
];
};
ssanzmar = {
uid = 9657;
isNormalUser = true;
home = "/home/Computational/ssanzmar";
description = "Sergio Sanz Martínez";
group = "Computational";
hosts = [ "apex" "fox" ];
hashedPassword = "$6$HUjNDJeJMmNQ6M64$laXSOZcXg6o4v2r8Jm8Xj9kmqw7veCY32po3TVDPRR4WlyxvOeqwoKr4NjlUlPPpKN55Oot3ZYHi.9iNXsH5E1";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIELrsRRHXryrdA2ZBx5XmdGxL4DC5bmJydhBeTWQ0SQ sergio.sanz.martinez@estudiantat.upc.edu"
];
};
};
groups = {

2
m/common/base/watchdog.nix
View File

@@ -5,5 +5,5 @@
boot.kernelModules = [ "ipmi_watchdog" ];
# Enable systemd watchdog with 30 s interval
systemd.settings.Manager.RuntimeWatchdogSec = 30;
systemd.watchdog.runtimeTime = "30s";
}

7
m/eudy/kernel/perf.nix
View File

@@ -1,6 +1,11 @@
{ pkgs, lib, ... }:
{ config, pkgs, lib, ... }:
{
# add the perf tool
environment.systemPackages = with pkgs; [
config.boot.kernelPackages.perf
];
# allow non-root users to read tracing data from the kernel
boot.kernel.sysctl."kernel.perf_event_paranoid" = -2;
boot.kernel.sysctl."kernel.kptr_restrict" = 0;

16
m/fox/configuration.nix
View File

@@ -93,4 +93,20 @@
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = script;
};
# Only allow SSH connections from users who have a SLURM allocation
# See: https://slurm.schedmd.com/pam_slurm_adopt.html
security.pam.services.sshd.rules.account.slurm = {
control = "required";
enable = true;
modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
args = [ "log_level=debug5" ];
order = 999999; # Make it last one
};
# Disable systemd session (pam_systemd.so) as it will conflict with the
# pam_slurm_adopt.so module. What happens is that the shell is first adopted
# into the slurmstepd task and then into the systemd session, which is not
# what we want, otherwise it will linger even if all jobs are gone.
security.pam.services.sshd.startSession = lib.mkForce false;
}

3
m/hut/configuration.nix
View File

@@ -17,7 +17,6 @@
./postgresql.nix
./nginx.nix
./p.nix
./ompss2-timer.nix
#./pxe.nix
];
@@ -45,7 +44,7 @@
address = "10.0.40.7";
prefixLength = 24;
} ];
interfaces.ibs785.ipv4.addresses = [ {
interfaces.ibp5s0.ipv4.addresses = [ {
address = "10.0.42.7";
prefixLength = 24;
} ];

3
m/hut/gitea.nix
View File

@@ -29,9 +29,6 @@
};
};
# Allow gitea user to send mail
users.users.gitea.extraGroups = [ "mail-robot" ];
services.gitea-actions-runner.instances = {
runrun = {
enable = true;

1
m/hut/gitlab-runner.nix
View File

@@ -51,7 +51,6 @@
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
"/var/run/postgresql/:/var/run/postgresql/"
];
dockerExtraHosts = [
# Required to pass the proxy via hut

19
m/hut/ssh-robot-probes.nix → m/hut/gpfs-probe.nix
View File

@@ -6,12 +6,6 @@ let
chmod +x $out
''
;
sblame-probe-script = pkgs.runCommand "sblame-probe.sh" { }
''
cp ${./sblame-probe.sh} $out;
chmod +x $out
''
;
in
{
# Use a new user to handle the SSH keys
@@ -34,17 +28,4 @@ in
Group = "ssh-robot";
};
};
systemd.services.sblame-probe = {
description = "Daemon to report SLURM statistics via SSH";
path = [ pkgs.openssh pkgs.netcat ];
after = [ "network.target" ];
wantedBy = [ "default.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.socat}/bin/socat TCP4-LISTEN:9967,fork EXEC:${sblame-probe-script}";
User = "ssh-robot";
Group = "ssh-robot";
};
};
}

3
m/hut/monitoring.nix
View File

@@ -5,7 +5,7 @@
../module/slurm-exporter.nix
../module/meteocat-exporter.nix
../module/upc-qaire-exporter.nix
./ssh-robot-probes.nix
./gpfs-probe.nix
../module/nix-daemon-exporter.nix
];
@@ -111,7 +111,6 @@
"127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}"
"127.0.0.1:9341" # Slurm exporter
"127.0.0.1:9966" # GPFS custom exporter
"127.0.0.1:9967" # SLURM custom exporter
"127.0.0.1:9999" # Nix-daemon custom exporter
"127.0.0.1:9929" # Meteocat custom exporter
"127.0.0.1:9928" # UPC Qaire custom exporter

5
m/hut/msmtp.nix
View File

@@ -1,11 +1,8 @@
{ config, lib, ... }:
{
# Robot user that can see the password to send mail from jungle-robot
users.groups.mail-robot = {};
age.secrets.jungleRobotPassword = {
file = ../../secrets/jungle-robot-password.age;
group = "mail-robot";
group = "gitea";
mode = "440";
};

4
m/hut/nginx.nix
View File

@@ -4,8 +4,8 @@ let
name = "jungle-web";
src = pkgs.fetchgit {
url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
rev = "5f18335d14126d2fef134c0cd441771436f7dfa1";
hash = "sha256-s9VBF91sQ7hg9+lrwNFPYgoXTTyXaQcAulCiGJgWERo=";
rev = "739bf0175a7f05380fe7ad7023ff1d60db1710e1";
hash = "sha256-ea5DzhYTzZ9TmqD+x95rdNdLbxPnBluqlYH2NmBYmc4=";
};
buildInputs = [ pkgs.hugo ];
buildPhase = ''

85
m/hut/ompss2-timer.nix
View File

@@ -1,85 +0,0 @@
{ config, pkgs, ... }:
{
systemd.timers = {
"ompss2-closing" = {
wantedBy = [ "timers.target" ];
timerConfig = {
Unit = "ompss2-closing.service";
OnCalendar = [ "*-03-15 07:00:00" "*-09-15 07:00:00"];
};
};
"ompss2-freeze" = {
wantedBy = [ "timers.target" ];
timerConfig = {
Unit = "ompss2-freeze.service";
OnCalendar = [ "*-04-15 07:00:00" "*-10-15 07:00:00" ];
};
};
"ompss2-release" = {
wantedBy = [ "timers.target" ];
timerConfig = {
Unit = "ompss2-release.service";
OnCalendar = [ "*-05-15 07:00:00" "*-11-15 07:00:00" ];
};
};
};
systemd.services =
let
closing = pkgs.writeText "closing.txt"
''
Subject: OmpSs-2 release enters closing period
Hi,
You have one month to merge the remaining features for the next OmpSs-2
release. Please, identify what needs to be merged and discuss it in the next
OmpSs-2 meeting.
Thanks!,
Jungle robot
'';
freeze = pkgs.writeText "freeze.txt"
''
Subject: OmpSs-2 release enters freeze period
Hi,
The period to introduce new features or breaking changes is over, only bug
fixes are allowed now. During this time, please prepare the release notes
to be included in the next OmpSs-2 release.
Thanks!,
Jungle robot
'';
release = pkgs.writeText "release.txt"
''
Subject: OmpSs-2 release now
Hi,
The period to introduce bug fixes is now over. Please, proceed to do the
OmpSs-2 release.
Thanks!,
Jungle robot
'';
mkServ = name: mail: {
"ompss2-${name}" = {
script = ''
set -eu
set -o pipefail
cat ${mail} | ${config.security.wrapperDir}/sendmail star@bsc.es
'';
serviceConfig = {
Type = "oneshot";
DynamicUser = true;
Group = "mail-robot";
};
};
};
in
(mkServ "closing" closing) //
(mkServ "freeze" freeze) //
(mkServ "release" release);
}

10
m/hut/postgresql.nix
View File

@@ -8,14 +8,12 @@
{ name = "anavarro"; ensureClauses.superuser = true; }
{ name = "rarias"; ensureClauses.superuser = true; }
{ name = "grafana"; }
{ name = "gitlab-runner"; }
];
authentication = ''
#type database DBuser auth-method
local perftestsdb rarias trust
local perftestsdb anavarro trust
local perftestsdb grafana trust
local perftestsdb gitlab-runner trust
#type database DBuser auth-method
local perftestsdb rarias trust
local perftestsdb anavarro trust
local perftestsdb grafana trust
'';
};
}

8
m/hut/sblame-probe.sh
View File

@@ -1,8 +0,0 @@
#!/bin/sh
cat <<EOF
HTTP/1.1 200 OK
Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=values
EOF
ssh bsc015557@glogin2.bsc.es "timeout 3 command sblame -E"

4
m/lake2/configuration.nix
View File

@@ -46,7 +46,7 @@
address = "10.0.40.42";
prefixLength = 24;
} ];
interfaces.ibs785.ipv4.addresses = [ {
interfaces.ibp5s0.ipv4.addresses = [ {
address = "10.0.42.42";
prefixLength = 24;
} ];
@@ -57,7 +57,7 @@
# Accept monitoring requests from hut
iptables -A nixos-fw -p tcp -s hut --dport 9002 -j nixos-fw-accept
# Accept all Ceph traffic from the local network
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
'';
};
};

357
m/module/agenix.nix
View File

@@ -1,357 +0,0 @@
{
config,
options,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.age;
isDarwin = lib.attrsets.hasAttrByPath [ "environment" "darwinConfig" ] options;
ageBin = config.age.ageBin;
users = config.users.users;
sysusersEnabled =
if isDarwin then
false
else
options.systemd ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable);
mountCommand =
if isDarwin then
''
if ! diskutil info "${cfg.secretsMountPoint}" &> /dev/null; then
num_sectors=1048576
dev=$(hdiutil attach -nomount ram://"$num_sectors" | sed 's/[[:space:]]*$//')
newfs_hfs -v agenix "$dev"
mount -t hfs -o nobrowse,nodev,nosuid,-m=0751 "$dev" "${cfg.secretsMountPoint}"
fi
''
else
''
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts ||
mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
'';
newGeneration = ''
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation ))
echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
mkdir -p "${cfg.secretsMountPoint}"
chmod 0751 "${cfg.secretsMountPoint}"
${mountCommand}
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
'';
chownGroup = if isDarwin then "admin" else "keys";
# chown the secrets mountpoint and the current generation to the keys group
# instead of leaving it root:root.
chownMountPoint = ''
chown :${chownGroup} "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"
'';
setTruePath = secretType: ''
${
if secretType.symlink then
''
_truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
''
else
''
_truePath="${secretType.path}"
''
}
'';
installSecret = secretType: ''
${setTruePath secretType}
echo "decrypting '${secretType.file}' to '$_truePath'..."
TMP_FILE="$_truePath.tmp"
IDENTITIES=()
for identity in ${toString cfg.identityPaths}; do
test -r "$identity" || continue
test -s "$identity" || continue
IDENTITIES+=(-i)
IDENTITIES+=("$identity")
done
test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
mkdir -p "$(dirname "$_truePath")"
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
(
umask u=r,g=,o=
test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!'
test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
LANG=${
config.i18n.defaultLocale or "C"
} ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}"
)
chmod ${secretType.mode} "$TMP_FILE"
mv -f "$TMP_FILE" "$_truePath"
${optionalString secretType.symlink ''
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
''}
'';
testIdentities = map (path: ''
test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
'') cfg.identityPaths;
cleanupAndLink = ''
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
(( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
}
'';
installSecrets = builtins.concatStringsSep "\n" (
[ "echo '[agenix] decrypting secrets...'" ]
++ testIdentities
++ (map installSecret (builtins.attrValues cfg.secrets))
++ [ cleanupAndLink ]
);
chownSecret = secretType: ''
${setTruePath secretType}
chown ${secretType.owner}:${secretType.group} "$_truePath"
'';
chownSecrets = builtins.concatStringsSep "\n" (
[ "echo '[agenix] chowning...'" ]
++ [ chownMountPoint ]
++ (map chownSecret (builtins.attrValues cfg.secrets))
);
secretType = types.submodule (
{ config, ... }:
{
options = {
name = mkOption {
type = types.str;
default = config._module.args.name;
defaultText = literalExpression "config._module.args.name";
description = ''
Name of the file used in {option}`age.secretsDir`
'';
};
file = mkOption {
type = types.path;
description = ''
Age file the secret is loaded from.
'';
};
path = mkOption {
type = types.str;
default = "${cfg.secretsDir}/${config.name}";
defaultText = literalExpression ''
"''${cfg.secretsDir}/''${config.name}"
'';
description = ''
Path where the decrypted secret is installed.
'';
};
mode = mkOption {
type = types.str;
default = "0400";
description = ''
Permissions mode of the decrypted secret in a format understood by chmod.
'';
};
owner = mkOption {
type = types.str;
default = "0";
description = ''
User of the decrypted secret.
'';
};
group = mkOption {
type = types.str;
default = users.${config.owner}.group or "0";
defaultText = literalExpression ''
users.''${config.owner}.group or "0"
'';
description = ''
Group of the decrypted secret.
'';
};
symlink = mkEnableOption "symlinking secrets to their destination" // {
default = true;
};
};
}
);
in
{
imports = [
(mkRenamedOptionModule [ "age" "sshKeyPaths" ] [ "age" "identityPaths" ])
];
options.age = {
ageBin = mkOption {
type = types.str;
default = "${pkgs.age}/bin/age";
defaultText = literalExpression ''
"''${pkgs.age}/bin/age"
'';
description = ''
The age executable to use.
'';
};
secrets = mkOption {
type = types.attrsOf secretType;
default = { };
description = ''
Attrset of secrets.
'';
};
secretsDir = mkOption {
type = types.path;
default = "/run/agenix";
description = ''
Folder where secrets are symlinked to
'';
};
secretsMountPoint = mkOption {
type =
types.addCheck types.str (
s:
(builtins.match "[ \t\n]*" s) == null # non-empty
&& (builtins.match ".+/" s) == null
) # without trailing slash
// {
description = "${types.str.description} (with check: non-empty without trailing slash)";
};
default = "/run/agenix.d";
description = ''
Where secrets are created before they are symlinked to {option}`age.secretsDir`
'';
};
identityPaths = mkOption {
type = types.listOf types.path;
default =
if isDarwin then
[
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_rsa_key"
]
else if (config.services.openssh.enable or false) then
map (e: e.path) (
lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys
)
else
[ ];
defaultText = literalExpression ''
if isDarwin
then [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_rsa_key"
]
else if (config.services.openssh.enable or false)
then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
else [];
'';
description = ''
Path to SSH keys to be used as identities in age decryption.
'';
};
};
config = mkIf (cfg.secrets != { }) (mkMerge [
{
assertions = [
{
assertion = cfg.identityPaths != [ ];
message = "age.identityPaths must be set, for example by enabling openssh.";
}
];
}
(optionalAttrs (!isDarwin) {
# When using sysusers we no longer be started as an activation script
# because those are started in initrd while sysusers is started later.
systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
wantedBy = [ "sysinit.target" ];
after = [ "systemd-sysusers.service" ];
unitConfig.DefaultDependencies = "no";
path = [ pkgs.mount ];
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "agenix-install" (concatLines [
newGeneration
installSecrets
chownSecrets
]);
RemainAfterExit = true;
};
};
# Create a new directory full of secrets for symlinking (this helps
# ensure removed secrets are actually removed, or at least become
# invalid symlinks).
system.activationScripts = mkIf (!sysusersEnabled) {
agenixNewGeneration = {
text = newGeneration;
deps = [
"specialfs"
];
};
agenixInstall = {
text = installSecrets;
deps = [
"agenixNewGeneration"
"specialfs"
];
};
# So user passwords can be encrypted.
users.deps = [ "agenixInstall" ];
# Change ownership and group after users and groups are made.
agenixChown = {
text = chownSecrets;
deps = [
"users"
"groups"
];
};
# So other activation scripts can depend on agenix being done.
agenix = {
text = "";
deps = [ "agenixChown" ];
};
};
})
(optionalAttrs isDarwin {
launchd.daemons.activate-agenix = {
script = ''
set -e
set -o pipefail
export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
${newGeneration}
${installSecrets}
${chownSecrets}
exit 0
'';
serviceConfig = {
RunAtLoad = true;
KeepAlive.SuccessfulExit = false;
};
};
})
]);
}

9
m/module/debuginfod.nix
View File

@@ -1,10 +1,3 @@
{
services.nixseparatedebuginfod2 = {
enable = true;
substituters = [
"local:"
"https://cache.nixos.org"
"http://hut/cache"
];
};
services.nixseparatedebuginfod.enable = true;
}

18
m/module/slurm-client.nix
View File

@@ -1,4 +1,4 @@
{ lib, pkgs, ... }:
{ lib, ... }:
{
imports = [
@@ -21,20 +21,4 @@
};
services.slurm.client.enable = true;
# Only allow SSH connections from users who have a SLURM allocation
# See: https://slurm.schedmd.com/pam_slurm_adopt.html
security.pam.services.sshd.rules.account.slurm = {
control = "required";
enable = true;
modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
args = [ "log_level=debug5" ];
order = 999999; # Make it last one
};
# Disable systemd session (pam_systemd.so) as it will conflict with the
# pam_slurm_adopt.so module. What happens is that the shell is first adopted
# into the slurmstepd task and then into the systemd session, which is not
# what we want, otherwise it will linger even if all jobs are gone.
security.pam.services.sshd.startSession = lib.mkForce false;
}

41
m/module/slurm-common.nix
View File

@@ -1,6 +1,31 @@
{ config, pkgs, ... }:
{
let
suspendProgram = pkgs.writeShellScript "suspend.sh" ''
exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log
set -x
export "PATH=/run/current-system/sw/bin:$PATH"
echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log
hosts=$(scontrol show hostnames $1)
for host in $hosts; do
echo Shutting down host: $host
ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power off
done
'';
resumeProgram = pkgs.writeShellScript "resume.sh" ''
exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log
set -x
export "PATH=/run/current-system/sw/bin:$PATH"
echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log
hosts=$(scontrol show hostnames $1)
for host in $hosts; do
echo Starting host: $host
ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power on
done
'';
in {
services.slurm = {
controlMachine = "apex";
clusterName = "jungle";
@@ -34,6 +59,16 @@
# the resources. Use the task/cgroup plugin to enable process containment.
TaskPlugin=task/affinity,task/cgroup
# Power off unused nodes until they are requested
SuspendProgram=${suspendProgram}
SuspendTimeout=60
ResumeProgram=${resumeProgram}
ResumeTimeout=300
SuspendExcNodes=fox
# Turn the nodes off after 1 hour of inactivity
SuspendTime=3600
# Reduce port range so we can allow only this range in the firewall
SrunPortRange=60000-61000
@@ -51,7 +86,9 @@
# when a task runs (srun) so we can ssh early.
PrologFlags=Alloc,Contain,X11
LaunchParameters=use_interactive_step
# LaunchParameters=ulimit_pam_adopt will set RLIMIT_RSS in processes
# adopted by the external step, similar to tasks running in regular steps
# LaunchParameters=ulimit_pam_adopt
SlurmdDebug=debug5
#DebugFlags=Protocol,Cgroup
'';

27
m/module/tc1-board.nix
View File

@@ -1,27 +0,0 @@
{ lib, pkgs, ... }:
{
# Allow user access to FTDI USB device
services.udev.packages = lib.singleton (pkgs.writeTextFile {
# Needs to be < 73
name = "60-ftdi-tc1.rules";
text = ''
# Bus 003 Device 003: ID 0403:6011 Future Technology Devices International, Ltd FT4232H Quad HS USB-UART/FIFO IC
# Use := to make sure it doesn't get changed later
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6011", MODE:="0666"
'';
destination = "/etc/udev/rules.d/60-ftdi-tc1.rules";
});
# Allow access to USB for docker in GitLab runner
services.gitlab-runner = {
services.gitlab-bsc-docker = {
registrationFlags = [
# We need raw access to the USB port to reboot the board
"--docker-devices /dev/bus/usb/003/003"
# And TTY access for the serial port
"--docker-devices /dev/ttyUSB2"
];
};
};
}

2
m/owl1/configuration.nix
View File

@@ -20,7 +20,7 @@
address = "10.0.40.1";
prefixLength = 24;
} ];
interfaces.ibs785.ipv4.addresses = [ {
interfaces.ibp5s0.ipv4.addresses = [ {
address = "10.0.42.1";
prefixLength = 24;
} ];

2
m/owl2/configuration.nix
View File

@@ -21,7 +21,7 @@
prefixLength = 24;
} ];
# Watch out! The OmniPath device is not in the same place here:
interfaces.ibs801.ipv4.addresses = [ {
interfaces.ibp129s0.ipv4.addresses = [ {
address = "10.0.42.2";
prefixLength = 24;
} ];

9
m/tent/configuration.nix
View File

@@ -16,8 +16,6 @@
../module/p.nix
../module/vpn-dac.nix
../module/hut-substituter.nix
../module/tc1-board.nix
../module/ceph.nix
];
# Select the this using the ID to avoid mismatches
@@ -65,13 +63,6 @@
fsType = "ext4";
};
# Mount the NFS home
fileSystems."/nfs/home" = {
device = "10.106.0.30:/home";
fsType = "nfs";
options = [ "nfsvers=3" "rsize=1024" "wsize=1024" "cto" "nofail" ];
};
# Make a /vault/$USER directory for each user.
systemd.services.create-vault-dirs = let
# Take only normal users in tent

52
m/tent/gitea.nix
View File

@@ -1,7 +1,4 @@
{ config, lib, ... }:
let
cfg = config.services.gitea;
in
{
services.gitea = {
enable = true;
@@ -29,54 +26,5 @@ in
SENDMAIL_ARGS = "--";
};
};
dump = {
enable = false; # Do not enable NixOS module, use our custom systemd script below
backupDir = "/vault/backup/gitea";
};
};
systemd.services.gitea-backup = let
exe = lib.getExe cfg.package;
in {
description = "Gitea daily backup";
after = [ "gitea.service" ];
path = [ cfg.package ];
environment = {
USER = cfg.user;
HOME = cfg.stateDir;
GITEA_WORK_DIR = cfg.stateDir;
GITEA_CUSTOM = cfg.customDir;
};
serviceConfig = {
Type = "oneshot";
User = cfg.user;
WorkingDirectory = cfg.dump.backupDir;
};
script = ''
name="gitea-dump-$(date +%a).${cfg.dump.type}"
${exe} dump --type ${cfg.dump.type} --file - >"$name.tmp"
mv "$name.tmp" "$name"
cp "$name" "/ceph/backup/gitea/$name"
'';
};
# Create also the /ceph directories if needed
systemd.tmpfiles.rules = [
"d /ceph/backup/gitea/ 0750 ${cfg.user} ${cfg.group} - -"
"z /ceph/backup/gitea/ 0750 ${cfg.user} ${cfg.group} - -"
];
systemd.timers.gitea-backup = {
description = "Update timer for gitea-backup";
partOf = [ "gitea-backup.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = cfg.dump.interval;
};
# Allow gitea user to send mail
users.users.gitea.extraGroups = [ "mail-robot" ];
}

1
m/tent/gitlab-runner.nix
View File

@@ -43,7 +43,6 @@
registrationFlags = [
# Increase build log length to 64 MiB
"--output-limit 65536"
"--docker-network-mode host"
];
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs

4
m/tent/nginx.nix
View File

@@ -4,8 +4,8 @@ let
name = "jungle-web";
src = pkgs.fetchgit {
url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
rev = "5f18335d14126d2fef134c0cd441771436f7dfa1";
hash = "sha256-s9VBF91sQ7hg9+lrwNFPYgoXTTyXaQcAulCiGJgWERo=";
rev = "739bf0175a7f05380fe7ad7023ff1d60db1710e1";
hash = "sha256-ea5DzhYTzZ9TmqD+x95rdNdLbxPnBluqlYH2NmBYmc4=";
};
buildInputs = [ pkgs.hugo ];
buildPhase = ''

2
m/weasel/configuration.nix
View File

@@ -25,7 +25,7 @@
address = "10.0.40.6";
prefixLength = 24;
} ];
interfaces.ibs785.ipv4.addresses = [ {
interfaces.ibp5s0.ipv4.addresses = [ {
address = "10.0.42.6";
prefixLength = 24;
} ];

25
overlay.nix
View File

@@ -7,7 +7,6 @@ let
callPackage = final.callPackage;
bscPkgs = {
agenix = prev.callPackage ./pkgs/agenix/default.nix { };
amd-uprof = prev.callPackage ./pkgs/amd-uprof/default.nix { };
bench6 = callPackage ./pkgs/bench6/default.nix { };
bigotes = callPackage ./pkgs/bigotes/default.nix { };
@@ -30,17 +29,16 @@ let
amd-uprof-driver = _prev.callPackage ./pkgs/amd-uprof/driver.nix { };
});
lmbench = callPackage ./pkgs/lmbench/default.nix { };
# Broken and unmantained
# mcxx = callPackage ./pkgs/mcxx/default.nix { };
mcxx = callPackage ./pkgs/mcxx/default.nix { };
meteocat-exporter = prev.callPackage ./pkgs/meteocat-exporter/default.nix { };
mpi = final.mpich; # Set MPICH as default
mpich = callPackage ./pkgs/mpich/default.nix { mpich = prev.mpich; };
nanos6 = callPackage ./pkgs/nanos6/default.nix { };
nanos6Debug = final.nanos6.override { enableDebug = true; };
nixtools = callPackage ./pkgs/nixtools/default.nix { };
nixgen = callPackage ./pkgs/nixgen/default.nix { };
nix-portable = callPackage ./pkgs/nix-portable/default.nix { };
nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
# Broken because of pkgsStatic.libcap
# See: https://github.com/NixOS/nixpkgs/pull/268791
#nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
nodes = callPackage ./pkgs/nodes/default.nix { };
nosv = callPackage ./pkgs/nosv/default.nix { };
openmp = callPackage ./pkgs/llvm-ompss2/openmp.nix { monorepoSrc = final.clangOmpss2Unwrapped.src; version = final.clangOmpss2Unwrapped.version; };
@@ -52,7 +50,6 @@ let
prometheus-slurm-exporter = prev.callPackage ./pkgs/slurm-exporter/default.nix { };
#pscom = callPackage ./pkgs/parastation/pscom.nix { }; # Unmaintaned
#psmpi = callPackage ./pkgs/parastation/psmpi.nix { }; # Unmaintaned
slurm = import ./pkgs/slurm/default.nix { slurm = prev.slurm; };
sonar = callPackage ./pkgs/sonar/default.nix { };
stdenvClangOmpss2 = final.stdenv.override { cc = final.clangOmpss2; allowedRequisites = null; };
stdenvClangOmpss2Nanos6 = final.stdenv.override { cc = final.clangOmpss2Nanos6; allowedRequisites = null; };
@@ -101,16 +98,14 @@ let
pkgsTopLevel = filterAttrs (_: isDerivation) bscPkgs;
# Native build in that platform doesn't imply cross build works
canCrossCompile = platform: default: pkg:
canCrossCompile = platform: pkg:
(isDerivation pkg) &&
# If meta.cross is undefined, use default
(pkg.meta.cross or default) &&
(meta.availableOn final.pkgsCross.${platform}.stdenv.hostPlatform pkg);
# Must be defined explicitly
(pkg.meta.cross or false) &&
(meta.availableOn platform pkg);
# For now only RISC-V
crossSet = genAttrs [ "riscv64" ] (platform:
filterAttrs (_: canCrossCompile platform true)
final.pkgsCross.${platform}.bsc.pkgsTopLevel);
crossSet = { riscv64 = final.pkgsCross.riscv64.bsc.pkgsTopLevel; };
buildList = name: paths:
final.runCommandLocal name { } ''
@@ -130,7 +125,7 @@ let
# For now only RISC-V
crossList = buildList "ci-cross"
(filter
(canCrossCompile "riscv64" false) # opt-in (pkgs with: meta.cross = true)
(canCrossCompile final.pkgsCross.riscv64.stdenv.hostPlatform)
(builtins.attrValues crossSet.riscv64));
in bscPkgs // {

212
pkgs/agenix/agenix.sh
View File

@@ -1,212 +0,0 @@
#!/usr/bin/env bash
set -Eeuo pipefail
PACKAGE="agenix"
function show_help () {
echo "$PACKAGE - edit and rekey age secret files"
echo " "
echo "$PACKAGE -e FILE [-i PRIVATE_KEY]"
echo "$PACKAGE -r [-i PRIVATE_KEY]"
echo ' '
echo 'options:'
echo '-h, --help show help'
# shellcheck disable=SC2016
echo '-e, --edit FILE edits FILE using $EDITOR'
echo '-r, --rekey re-encrypts all secrets with specified recipients'
echo '-d, --decrypt FILE decrypts FILE to STDOUT'
echo '-i, --identity identity to use when decrypting'
echo '-v, --verbose verbose output'
echo ' '
echo 'FILE an age-encrypted file'
echo ' '
echo 'PRIVATE_KEY a path to a private SSH key used to decrypt file'
echo ' '
echo 'EDITOR environment variable of editor to use when editing FILE'
echo ' '
echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
echo ' '
echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
echo "Defaults to './secrets.nix'"
echo ' '
echo "agenix version: @version@"
echo "age binary path: @ageBin@"
echo "age version: $(@ageBin@ --version)"
}
function warn() {
printf '%s\n' "$*" >&2
}
function err() {
warn "$*"
exit 1
}
test $# -eq 0 && (show_help && exit 1)
REKEY=0
DECRYPT_ONLY=0
DEFAULT_DECRYPT=(--decrypt)
while test $# -gt 0; do
case "$1" in
-h|--help)
show_help
exit 0
;;
-e|--edit)
shift
if test $# -gt 0; then
export FILE=$1
else
echo "no FILE specified"
exit 1
fi
shift
;;
-i|--identity)
shift
if test $# -gt 0; then
DEFAULT_DECRYPT+=(--identity "$1")
else
echo "no PRIVATE_KEY specified"
exit 1
fi
shift
;;
-r|--rekey)
shift
REKEY=1
;;
-d|--decrypt)
shift
DECRYPT_ONLY=1
if test $# -gt 0; then
export FILE=$1
else
echo "no FILE specified"
exit 1
fi
shift
;;
-v|--verbose)
shift
set -x
;;
*)
show_help
exit 1
;;
esac
done
RULES=${RULES:-./secrets.nix}
function cleanup {
if [ -n "${CLEARTEXT_DIR+x}" ]
then
rm -rf -- "$CLEARTEXT_DIR"
fi
if [ -n "${REENCRYPTED_DIR+x}" ]
then
rm -rf -- "$REENCRYPTED_DIR"
fi
}
trap "cleanup" 0 2 3 15
function keys {
(@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$1\".publicKeys)" | @jqBin@ -r .[]) || exit 1
}
function armor {
(@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in (builtins.hasAttr \"armor\" rules.\"$1\" && rules.\"$1\".armor))") || exit 1
}
function decrypt {
FILE=$1
KEYS=$2
if [ -z "$KEYS" ]
then
err "There is no rule for $FILE in $RULES."
fi
if [ -f "$FILE" ]
then
DECRYPT=("${DEFAULT_DECRYPT[@]}")
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
if [ -f "$HOME/.ssh/id_rsa" ]; then
DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
fi
if [ -f "$HOME/.ssh/id_ed25519" ]; then
DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
fi
fi
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
err "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
fi
@ageBin@ "${DECRYPT[@]}" -- "$FILE" || exit 1
fi
}
function edit {
FILE=$1
KEYS=$(keys "$FILE") || exit 1
ARMOR=$(armor "$FILE") || exit 1
CLEARTEXT_DIR=$(@mktempBin@ -d)
CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename -- "$FILE")"
DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
decrypt "$FILE" "$KEYS" || exit 1
[ ! -f "$CLEARTEXT_FILE" ] || cp -- "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
[ -t 0 ] || EDITOR='cp -- /dev/stdin'
$EDITOR "$CLEARTEXT_FILE"
if [ ! -f "$CLEARTEXT_FILE" ]
then
warn "$FILE wasn't created."
return
fi
[ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q -- "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
ENCRYPT=()
if [[ "$ARMOR" == "true" ]]; then
ENCRYPT+=(--armor)
fi
while IFS= read -r key
do
if [ -n "$key" ]; then
ENCRYPT+=(--recipient "$key")
fi
done <<< "$KEYS"
REENCRYPTED_DIR=$(@mktempBin@ -d)
REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename -- "$FILE")"
ENCRYPT+=(-o "$REENCRYPTED_FILE")
@ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
mkdir -p -- "$(dirname -- "$FILE")"
mv -f -- "$REENCRYPTED_FILE" "$FILE"
}
function rekey {
FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)" | @jqBin@ -r .[]) || exit 1)
for FILE in $FILES
do
warn "rekeying $FILE..."
EDITOR=: edit "$FILE"
cleanup
done
}
[ $REKEY -eq 1 ] && rekey && exit 0
[ $DECRYPT_ONLY -eq 1 ] && DEFAULT_DECRYPT+=("-o" "-") && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
edit "$FILE" && cleanup && exit 0

66
pkgs/agenix/default.nix
View File

@@ -1,66 +0,0 @@
{
lib,
stdenv,
age,
jq,
nix,
mktemp,
diffutils,
replaceVars,
ageBin ? "${age}/bin/age",
shellcheck,
}:
let
bin = "${placeholder "out"}/bin/agenix";
in
stdenv.mkDerivation rec {
pname = "agenix";
version = "0.15.0";
src = replaceVars ./agenix.sh {
inherit ageBin version;
jqBin = "${jq}/bin/jq";
nixInstantiate = "${nix}/bin/nix-instantiate";
mktempBin = "${mktemp}/bin/mktemp";
diffBin = "${diffutils}/bin/diff";
};
dontUnpack = true;
doInstallCheck = true;
installCheckInputs = [ shellcheck ];
postInstallCheck = ''
shellcheck ${bin}
${bin} -h | grep ${version}
test_tmp=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
export HOME="$test_tmp/home"
export NIX_STORE_DIR="$test_tmp/nix/store"
export NIX_STATE_DIR="$test_tmp/nix/var"
mkdir -p "$HOME" "$NIX_STORE_DIR" "$NIX_STATE_DIR"
function cleanup {
rm -rf "$test_tmp"
}
trap "cleanup" 0 2 3 15
mkdir -p $HOME/.ssh
cp -r "${./example}" $HOME/secrets
chmod -R u+rw $HOME/secrets
(
umask u=rw,g=r,o=r
cp ${./example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub
chown $UID $HOME/.ssh/id_ed25519.pub
)
(
umask u=rw,g=,o=
cp ${./example_keys/user1} $HOME/.ssh/id_ed25519
chown $UID $HOME/.ssh/id_ed25519
)
cd $HOME/secrets
test $(${bin} -d secret1.age) = "hello"
'';
installPhase = ''
install -D $src ${bin}
'';
meta.description = "age-encrypted secrets for NixOS";
}

7
pkgs/agenix/example/-leading-hyphen-filename.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 V3XmEA zirqdzZZ1E+sedBn7fbEHq4ntLEkokZ4GctarBBOHXY
Rvs5YHaAUeCZyNwPedubPcHClWYIuXXWA5zadXPWY6w
-> ssh-ed25519 KLPP8w BVp4rDkOYSQyn8oVeHFeinSqW+pdVtxBF9+5VM1yORY
bMwppAi8Nhz0328taU4AzUkTVyWtSLvFZG6c5W/Fs78
--- xCbqLhXAcOziO2wmbjTiSQfZvt5Rlsc4SCvF+iEzpQA
<EFBFBD>KB<EFBFBD><EFBFBD>/<2F>Z<><5A>r<EFBFBD>%<01><>4<EFBFBD><34><EFBFBD>Mq5<71><35>_<EFBFBD><5F>ݒ<><DD92><EFBFBD><EFBFBD><EFBFBD>11 ܨqM;& <20><>Lr<4C><72><EFBFBD>f<EFBFBD><66><EFBFBD>]>N

7
pkgs/agenix/example/armored-secret.age
View File

@@ -1,7 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFYzWG1FQSBpZkZW
aFpLNnJxc0VUMHRmZ2dZS0pjMGVENnR3OHd5K0RiT1RjRUhibFZBCnN5UG5vUjA3
SXpsNGtiVUw4T0tIVFo5Wkk5QS9NQlBndzVvektiQ0ozc0kKLS0tIGxyY1Q4dEZ1
VGZEanJyTFNta2JNRmpZb2FnK2JyS1hSVml1UGdMNWZKQXMKYla+wTXcRedyZoEb
LVWaSx49WoUTU0KBPJg9RArxaeC23GoCDzR/aM/1DvYU
-----END AGE ENCRYPTED FILE-----

9
pkgs/agenix/example/passwordfile-user1.age
View File

@@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 KLPP8w s1DYZRlZuSsyhmZCF1lFB+E9vB8bZ/+ZhBRlx8nprwE
nmYVCsVBrX2CFXXPU+D+bbkkIe/foofp+xoUrg9DHZw
-> ssh-ed25519 V3XmEA Pwv3oCwcY0DX8rY48UNfsj9RumWsn4dbgorYHCwObgI
FKxRYkL3JHtJxUwymWDF0rAtJ33BivDI6IfPsfumM90
-> V'v(/u$-grease em/Vgf 2qDuk
7I3iiQLPGi1COML9u/JeYkr7EqbSLoU
--- 57WJRigUGtmcObrssS3s4PvmR8wgh1AOC/ijJn1s3xI
<EFBFBD>'K<>ƷY&<26>7G<37>O<EFBFBD><4F>Fj<13>k<EFBFBD>X<EFBFBD><58>BnuJ<75><4A>:9<>(<><7F><EFBFBD>X<EFBFBD>#<23>A<EFBFBD><41><EFBFBD><EFBFBD>ڧj<DAA7>,<02>_<17><><EFBFBD>?<3F>Z<EFBFBD><17>v<EFBFBD><76>V<EFBFBD>96]oks~%<25>c <04>e^C<>%JQ5<51><H<>z}<7D>C<EFBFBD>,<2C>p<EFBFBD><70>*!W<><57><EFBFBD>A<EFBFBD><41><EFBFBD>҅dC<15>K)<10><>-<2D>y

BIN
pkgs/agenix/example/secret1.age
View File

Binary file not shown.

5
pkgs/agenix/example/secret2.age
View File

@@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 V3XmEA OB4+1FbPhQ3r6iGksM7peWX5it8NClpXIq/o5nnP7GA
FmHVUj+A5i5+bDFgySQskmlvynnosJiWUTJmBRiNA9I
--- tP+3mFVtd7ogVu1Lkboh55zoi5a77Ht08Uc/QuIviv4
<EFBFBD><EFBFBD>X<EFBFBD>{<7B><>O<EFBFBD><4F><1F><04>tMXx<58>vӪ(<28>I<EFBFBD>myP<79><50><EFBFBD><EFBFBD>+3<>S3i

23
pkgs/agenix/example/secrets.nix
View File

@@ -1,23 +0,0 @@
let
user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
in
{
"secret1.age".publicKeys = [
user1
system1
];
"secret2.age".publicKeys = [ user1 ];
"passwordfile-user1.age".publicKeys = [
user1
system1
];
"-leading-hyphen-filename.age".publicKeys = [
user1
system1
];
"armored-secret.age" = {
publicKeys = [ user1 ];
armor = true;
};
}

7
pkgs/agenix/example_keys/system1
View File

@@ -1,7 +0,0 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxAAAAJA3yvCWN8rw
lgAAAAtzc2gtZWQyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxA
AAAEA+J2V6AG1NriAIvnNKRauIEh1JE9HSdhvKJ68a5Fm0w/JDyIr/FSz1cJdcoW69R+Nr
WzwGK/+3gJpqD1t8L2zEAAAADHJ5YW50bUBob21lMQE=
-----END OPENSSH PRIVATE KEY-----

1
pkgs/agenix/example_keys/system1.pub
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE

7
pkgs/agenix/example_keys/user1
View File

@@ -1,7 +0,0 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRwAAAJC2JJ8htiSf
IQAAAAtzc2gtZWQyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRw
AAAEDxt5gC/s53IxiKAjfZJVCCcFIsdeERdIgbYhLO719+Kb0idNvgGiucWgup/mP78zyC
23uFjYq0evcWdjGQUaBHAAAADHJ5YW50bUBob21lMQE=
-----END OPENSSH PRIVATE KEY-----

1
pkgs/agenix/example_keys/user1.pub
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH

23
pkgs/agenix/update.sh
View File

@@ -1,23 +0,0 @@
#!/bin/sh
set -e
# All operations are done relative to root
GITROOT=$(git rev-parse --show-toplevel)
cd "$GITROOT"
REVISION=${1:-main}
TMPCLONE=$(mktemp -d)
trap "rm -rf ${TMPCLONE}" EXIT
git clone https://github.com/ryantm/agenix.git --revision="$REVISION" "$TMPCLONE" --depth=1
cp "${TMPCLONE}/pkgs/agenix.sh" pkgs/agenix/agenix.sh
cp "${TMPCLONE}/pkgs/agenix.nix" pkgs/agenix/default.nix
sed -i 's#../example#./example#' pkgs/agenix/default.nix
cp "${TMPCLONE}/example/"* pkgs/agenix/example/
cp "${TMPCLONE}/example_keys/"* pkgs/agenix/example_keys/
cp "${TMPCLONE}/modules/age.nix" m/module/agenix.nix

34
pkgs/amd-uprof/default.nix
View File

@@ -1,6 +1,8 @@
{ stdenv
, lib
, fetchurl
, curl
, cacert
, runCommandLocal
, autoPatchelfHook
, elfutils
, glib
@@ -24,22 +26,26 @@ let
tarball = "AMDuProf_Linux_x64_${version}.tar.bz2";
# NOTE: Remember to update the radare2 patch below if AMDuProfPcm changes.
src = fetchurl {
url = "https://download.amd.com/developer/eula/uprof/uprof-5-1/${tarball}";
sha256 = "sha256-j9gxcBcIg6Zhc5FglUXf/VV9bKSo+PAKeootbN7ggYk=";
curlOptsList = [
"-H" "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0"
"-H" "'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'"
"-H" "Accept-Language: en-US,en;q=0.5"
"-H" "Accept-Encoding: gzip, deflate, br, zstd"
"-H" "Referer: https://www.amd.com/"
];
};
uprofSrc = runCommandLocal tarball {
nativeBuildInputs = [ curl ];
outputHash = "sha256-j9gxcBcIg6Zhc5FglUXf/VV9bKSo+PAKeootbN7ggYk=";
SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt";
} ''
curl \
-o $out \
'https://download.amd.com/developer/eula/uprof/uprof-5-1/${tarball}' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Accept-Encoding: gzip, deflate, br, zstd' \
-H 'Referer: https://www.amd.com/' 2>&1 | tr '\r' '\n'
'';
in
stdenv.mkDerivation {
pname = "AMD-uProf";
inherit src version;
inherit version;
src = uprofSrc;
dontStrip = true;
phases = [ "installPhase" "fixupPhase" ];
nativeBuildInputs = [ autoPatchelfHook radare2 ];
@@ -84,7 +90,7 @@ in
meta = {
description = "Performance analysis tool-suite for x86 based applications";
homepage = "https://www.amd.com/es/developer/uprof.html";
platforms = [ "x86_64-linux" ];
platforms = lib.platforms.linux;
license = lib.licenses.unfree;
maintainers = with lib.maintainers.bsc; [ rarias varcila ];
};

2
pkgs/amd-uprof/driver.nix
View File

@@ -19,7 +19,7 @@ in stdenv.mkDerivation {
'';
hardeningDisable = [ "pic" "format" ];
nativeBuildInputs = kernel.moduleBuildDependencies;
patches = [ ./makefile.patch ./hrtimer.patch ./remove-wr-rdmsrq.patch ];
patches = [ ./makefile.patch ./hrtimer.patch ];
makeFlags = [
"KERNEL_VERSION=${kernel.modDirVersion}"
"KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"

20
pkgs/amd-uprof/remove-wr-rdmsrq.patch
View File

@@ -1,20 +0,0 @@
diff --git a/inc/PwrProfAsm.h b/inc/PwrProfAsm.h
index d77770a..c93a0e9 100644
--- a/inc/PwrProfAsm.h
+++ b/inc/PwrProfAsm.h
@@ -347,6 +347,7 @@
#endif
+/*
#define rdmsrq(msr,val1,val2,val3,val4) ({ \
__asm__ __volatile__( \
"rdmsr\n" \
@@ -362,6 +363,7 @@
:"c"(msr), "a"(val1), "d"(val2), "S"(val3), "D"(val4) \
); \
})
+*/
#define rdmsrpw(msr,val1,val2,val3,val4) ({ \
__asm__ __volatile__( \

8
pkgs/cudainfo/default.nix
View File

@@ -1,6 +1,5 @@
{
stdenv
, lib
, cudatoolkit
, cudaPackages
, autoAddDriverRunpath
@@ -12,7 +11,7 @@ stdenv.mkDerivation (finalAttrs: {
src = ./.;
buildInputs = [
cudatoolkit # Required for nvcc
(lib.getOutput "static" cudaPackages.cuda_cudart) # Required for -lcudart_static
cudaPackages.cuda_cudart.static # Required for -lcudart_static
autoAddDriverRunpath
];
installPhase = ''
@@ -41,9 +40,4 @@ stdenv.mkDerivation (finalAttrs: {
'';
installPhase = "touch $out";
};
meta = {
platforms = [ "x86_64-linux" ];
maintainers = with lib.maintainers.bsc; [ rarias ];
};
})

17
pkgs/gpi-2/default.nix
View File

@@ -9,6 +9,7 @@
, automake
, libtool
, mpi
, rsync
, gfortran
}:
@@ -43,24 +44,13 @@ stdenv.mkDerivation rec {
configureFlags = [
"--with-infiniband=${rdma-core-all}"
"--with-mpi=yes" # fixes mpi detection when cross-compiling
"--with-mpi=${mpiAll}"
"--with-slurm"
"CFLAGS=-fPIC"
"CXXFLAGS=-fPIC"
];
nativeBuildInputs = [
autoconf
automake
gfortran
libtool
];
buildInputs = [
slurm
mpiAll
rdma-core-all
];
buildInputs = [ slurm mpiAll rdma-core-all autoconf automake libtool rsync gfortran ];
hardeningDisable = [ "all" ];
@@ -70,6 +60,5 @@ stdenv.mkDerivation rec {
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
cross = false; # infiniband detection does not work
};
}

6
pkgs/llvm-ompss2/clang.nix
View File

@@ -16,19 +16,19 @@
, useGit ? false
, gitUrl ? "ssh://git@bscpm04.bsc.es/llvm-ompss/llvm-mono.git"
, gitBranch ? "master"
, gitCommit ? "872ba63f86edaefc9787984ef3fae9f2f94e0124" # github-release-2025.11
, gitCommit ? "880e2341c56bad1dc14e8c369fb3356bec19018e"
}:
let
stdenv = llvmPackages_latest.stdenv;
release = rec {
version = "2025.11";
version = "2025.06";
src = fetchFromGitHub {
owner = "bsc-pm";
repo = "llvm";
rev = "refs/tags/github-release-${version}";
hash = "sha256-UgwMTUkM9Z87dDH205swZFBeFhrcbLAxginViG40pBM=";
hash = "sha256-ww9PpRmtz/M9IyLiZ8rAehx2UW4VpQt+svf4XfKBzKo=";
};
};

4
pkgs/llvm-ompss2/default.nix
View File

@@ -27,10 +27,10 @@ let
# We need to replace the lld linker from bintools with our linker just built,
# otherwise we run into incompatibility issues when mixing compiler and linker
# versions.
bintools-unwrapped = llvmPackages_latest.bintools-unwrapped.override {
bintools-unwrapped = llvmPackages_latest.tools.bintools-unwrapped.override {
lld = clangOmpss2Unwrapped;
};
bintools = llvmPackages_latest.bintools.override {
bintools = llvmPackages_latest.tools.bintools.override {
bintools = bintools-unwrapped;
};
targetConfig = stdenv.targetPlatform.config;

1
pkgs/mcxx/default.nix
View File

@@ -65,7 +65,6 @@ stdenv.mkDerivation rec {
];
meta = {
broken = true;
homepage = "https://github.com/bsc-pm/mcxx";
description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
maintainers = with lib.maintainers.bsc; [ rpenacob ];

4
pkgs/meteocat-exporter/default.nix
View File

@@ -1,11 +1,9 @@
{ python3Packages, lib }:
python3Packages.buildPythonApplication {
python3Packages.buildPythonApplication rec {
pname = "meteocat-exporter";
version = "1.0";
pyproject = true;
src = ./.;
doCheck = false;

23
pkgs/mpich/default.nix
View File

@@ -6,13 +6,6 @@
, pmix
, gfortran
, symlinkJoin
# Disabled when cross-compiling
# To fix cross compilation, we should fill the values in:
# https://github.com/pmodels/mpich/blob/main/maint/fcrosscompile/cross_values.txt.in
# For each arch
, enableFortran ? stdenv.hostPlatform == stdenv.buildPlatform
, perl
, targetPackages
}:
let
@@ -22,13 +15,10 @@ let
paths = [ pmix.dev pmix.out ];
};
in mpich.overrideAttrs (old: {
buildInputs = old.buildInputs ++ [
buildInput = old.buildInputs ++ [
libfabric
pmixAll
];
nativeBuildInputs = old.nativeBuildInputs ++ [
perl
];
configureFlags = [
"--enable-shared"
"--enable-sharedlib"
@@ -41,21 +31,10 @@ in mpich.overrideAttrs (old: {
] ++ lib.optionals (lib.versionAtLeast gfortran.version "10") [
"FFLAGS=-fallow-argument-mismatch" # https://github.com/pmodels/mpich/issues/4300
"FCFLAGS=-fallow-argument-mismatch"
] ++ lib.optionals (!enableFortran) [
"--disable-fortran"
];
preFixup = ''
sed -i 's:^CC=.*:CC=${targetPackages.stdenv.cc}/bin/${targetPackages.stdenv.cc.targetPrefix}cc:' $out/bin/mpicc
sed -i 's:^CXX=.*:CXX=${targetPackages.stdenv.cc}/bin/${targetPackages.stdenv.cc.targetPrefix}c++:' $out/bin/mpicxx
'' + lib.optionalString enableFortran ''
sed -i 's:^FC=.*:FC=${targetPackages.gfortran or gfortran}/bin/${targetPackages.gfortran.targetPrefix or gfortran.targetPrefix}gfortran:' $out/bin/mpifort
'';
hardeningDisable = [ "all" ];
meta = old.meta // {
maintainers = old.meta.maintainers ++ (with lib.maintainers.bsc; [ rarias ]);
cross = true;
};
})

1
pkgs/nanos6/jemalloc.nix
View File

@@ -5,7 +5,6 @@ jemalloc.overrideAttrs (old: {
"--with-jemalloc-prefix=nanos6_je_"
"--enable-stats"
];
enableParallelBuilding = true;
hardeningDisable = [ "all" ];
meta = old.meta // {
description = old.meta.description + " (for Nanos6)";

650
pkgs/nix-portable/default.nix
View File

@@ -1,650 +0,0 @@
with builtins;
{
nix,
unzip,
zip,
unixtools,
stdenv,
buildPackages,
upx,
bootstrapPrograms ? [
"gitMinimal"
"netcat-openbsd"
"openssh"
"bashInteractive"
],
cacert ? pkgs.cacert,
compression ? "zstd -19 -T0",
lib ? pkgs.lib,
pkgs ? import <nixpkgs> {},
# hardcode executable to run. Useful when creating a bundle.
bundledPackage ? null,
nixStatic,
busyboxStatic ? pkgs.pkgsStatic.busybox,
bwrapStatic ? pkgs.pkgsStatic.bubblewrap,
zstdStatic ? pkgs.pkgsStatic.zstd,
perlBuildBuild ? pkgs.pkgsBuildBuild.perl,
}@inp:
with lib;
let
perl = perlBuildBuild;
pname =
if bundledPackage == null
then "nix-portable"
else lib.getName bundledPackage;
bundledExe = lib.getExe bundledPackage;
nixpkgsSrc = pkgs.path;
maketar = targets:
let
closureInfo = buildPackages.closureInfo { rootPaths = targets; };
in
stdenv.mkDerivation {
name = "nix-portable-store-tarball";
nativeBuildInputs = [ perl zstd ];
exportReferencesGraph = map (x: [("closure-" + baseNameOf x) x]) targets;
buildCommand = ''
storePaths=$(cat ${closureInfo}/store-paths)
mkdir $out
echo $storePaths > $out/index
cp -r ${closureInfo} $out/closureInfo
tar -cf - \
--owner=0 --group=0 --mode=u+rw,uga+r \
--hard-dereference \
$storePaths | ${compression} > $out/tar
'';
};
packStaticBin = binPath: let
binName = (last (splitString "/" binPath)); in
pkgs.runCommand
binName
{ nativeBuildInputs = [ upx ]; }
''
mkdir -p $out/bin
theBinPath=${binPath}
if [[ -L "$theBinPath" ]]; then
theBinPath=$(readlink -f "$theBinPath")
fi
upx -9 -o $out/bin/${binName} $theBinPath
'';
installBin = pkg: bin: ''
unzip -qqoj "\$self" ${ lib.removePrefix "/" "${pkg}/bin/${bin}"} -d \$dir/bin
chmod +wx \$dir/bin/${bin};
'';
installDynamic = pkgname: let
out = pkgs.${pkgname}.out;
in ''
if [ ! -e \$store${lib.removePrefix "/nix/store" pkgs.${pkgname}.out} ] ; then
debug "Installing ${pkgname}"
\$run \$store${lib.removePrefix "/nix/store" nix}/bin/nix build --impure --no-link --expr "
(import ${nixpkgsSrc} {}).${pkgname}.out
"
else
debug "${pkgname} already installed"
fi
export PATH="${out}/bin:\$PATH"
'';
caBundleZstd = pkgs.runCommand "cacerts" {} "cat ${cacert}/etc/ssl/certs/ca-bundle.crt | ${zstd}/bin/zstd -19 > $out";
bwrap = packStaticBin "${bwrapStatic}/bin/bwrap";
nixStatic = packStaticBin "${inp.nixStatic}/bin/nix";
zstd = packStaticBin "${zstdStatic}/bin/zstd";
# the default nix store contents to extract when first used
storeTar = maketar ([ cacert nix nixpkgsSrc ] ++ lib.optional (bundledPackage != null) bundledPackage);
# The runtime script which unpacks the necessary files to $HOME/.nix-portable
# and then executes nix via bwrap
# Some shell expressions will be evaluated at build time and some at run time.
# Variables/expressions escaped via `\$` will be evaluated at run time
runtimeScript = ''
#!/usr/bin/env bash
set -eo pipefail
start=\$(date +%s%N) # start time in nanoseconds
# dump environment on exit if debug is enabled
if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 1 ]; then
trap "declare -p > \''${TMPDIR:-/tmp}/np_env" EXIT
fi
set -e
if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 2 ]; then
set -x
fi
# &3 is our error out which we either forward to &2 or to /dev/null
# depending on the setting
if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 1 ]; then
debug(){
echo \$@ || true
}
exec 3>&2
else
debug(){
true
}
exec 3>/dev/null
fi
# to reference this script's file
self="\$(realpath \''${BASH_SOURCE[0]})"
# fingerprint will be inserted by builder
fingerprint="_FINGERPRINT_PLACEHOLDER_"
# user specified location for program files and nix store
[ -z "\$NP_LOCATION" ] && NP_LOCATION="\$HOME"
NP_LOCATION="\$(readlink -f "\$NP_LOCATION")"
dir="\$NP_LOCATION/.nix-portable"
# Create NP_LOCATION and remove sgid bit
mkdir -p \$dir
if [ ! -z "\$BSC_MACHINE" ]; then
# Attempt to avoid issues with sgid folders
chmod g-s \$dir
chgrp bsc \$dir
fi
store="\$dir/nix/store"
# create /nix/var/nix to prevent nix from falling back to chroot store.
mkdir -p \$dir/{bin,nix/var/nix,nix/store}
# create minimal drv file for nix to spawn a nix shell
echo 'builtins.derivation {name="foo"; builder="/bin/sh"; args = ["-c" "echo hello \> \\\$out"]; system=builtins.currentSystem;}' > "\$dir/mini-drv.nix"
# the fingerprint being present inside a file indicates that
# this version of nix-portable has already been initialized
if test -e \$dir/conf/fingerprint && [ "\$(cat \$dir/conf/fingerprint)" == "\$fingerprint" ]; then
newNPVersion=false
else
newNPVersion=true
fi
# Nix portable ships its own nix.conf
export NIX_CONF_DIR=\$dir/conf/
NP_CONF_SANDBOX=\''${NP_CONF_SANDBOX:-false}
NP_CONF_STORE=\''${NP_CONF_STORE:-auto}
recreate_nix_conf(){
mkdir -p "\$NIX_CONF_DIR"
rm -f "\$NIX_CONF_DIR/nix.conf"
# static config
echo "build-users-group = " >> \$dir/conf/nix.conf
echo "experimental-features = nix-command flakes" >> \$dir/conf/nix.conf
echo "ignored-acls = security.selinux system.nfs4_acl" >> \$dir/conf/nix.conf
echo "sandbox-paths = /bin/sh=\$dir/busybox/bin/busybox" >> \$dir/conf/nix.conf
echo "extra-substituters = https://jungle.bsc.es/cache">> \$dir/conf/nix.conf
echo "extra-trusted-public-keys = jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" >> \$dir/conf/nix.conf
echo "extra-system-features = sys-devices" >> \$dir/conf/nix.conf
echo "extra-sandbox-paths = /sys/devices/system/cpu=/sys/devices/system/cpu /sys/devices/system/node=/sys/devices/system/node" >> \$dir/conf/nix.conf
echo "extra-trusted-users = @bsc" >> \$dir/conf/nix.conf
# configurable config
echo "sandbox = \$NP_CONF_SANDBOX" >> \$dir/conf/nix.conf
echo "store = \$NP_CONF_STORE" >> \$dir/conf/nix.conf
}
### install files
PATH_OLD="\$PATH"
# as soon as busybox is unpacked, restrict PATH to busybox to ensure reproducibility of this script
# only unpack binaries if necessary
if [ "\$newNPVersion" == "false" ]; then
debug "binaries already installed"
# our busybox does not run on termux, therefore we suffix the PATH only on termux
export PATH="\''${TERMUX_VERSION:+\$PATH:}\$dir/busybox/bin"
else
debug "installing files"
mkdir -p \$dir/emptyroot
# install busybox
mkdir -p \$dir/busybox/bin
(base64 -d> "\$dir/busybox/bin/busybox" && chmod +x "\$dir/busybox/bin/busybox") << END
$(cat ${busyboxStatic}/bin/busybox | base64)
END
busyBins="${toString (attrNames (filterAttrs (d: type: type == "symlink") (readDir "${busyboxStatic}/bin")))}"
for bin in \$busyBins; do
[ ! -e "\$dir/busybox/bin/\$bin" ] && ln -s busybox "\$dir/busybox/bin/\$bin"
done
# our busybox does not run on termux, therefore we suffix the PATH only on termux
export PATH="\''${TERMUX_VERSION:+\$PATH:}\$dir/busybox/bin"
# install other binaries
${installBin zstd "zstd"}
${installBin bwrap "bwrap"}
${installBin nixStatic "nix"}
# install ssl cert bundle
unzip -poj "\$self" ${ lib.removePrefix "/" "${caBundleZstd}"} | \$dir/bin/zstd -d > \$dir/ca-bundle.crt
recreate_nix_conf
fi
# Override $SHELL with nix bashInteractive
export SHELL="${pkgs.bashInteractive.out}/bin/bash"
export PS1="\n\[\033[1;32m\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\$\[\033[0m\] "
# unset bash function aliases
unset -f which ml module
### setup SSL
# find ssl certs or use from nixpkgs
debug "figuring out ssl certs"
if [ -z "\$SSL_CERT_FILE" ]; then
debug "SSL_CERT_FILE not defined. trying to find certs automatically"
if [ -e /etc/ssl/certs/ca-bundle.crt ]; then
export SSL_CERT_FILE=\$(realpath /etc/ssl/certs/ca-bundle.crt)
debug "found /etc/ssl/certs/ca-bundle.crt with real path \$SSL_CERT_FILE"
elif [ -e /etc/ssl/certs/ca-certificates.crt ]; then
export SSL_CERT_FILE=\$(realpath /etc/ssl/certs/ca-certificates.crt)
debug "found /etc/ssl/certs/ca-certificates.crt with real path \$SSL_CERT_FILE"
elif [ ! -e /etc/ssl/certs ]; then
debug "/etc/ssl/certs does not exist. Will use certs from nixpkgs."
export SSL_CERT_FILE=\$dir/ca-bundle.crt
else
debug "certs seem to reside in /etc/ssl/certs. No need to set up anything"
fi
fi
if [ -n "\$SSL_CERT_FILE" ]; then
sslBind="\$(realpath \$SSL_CERT_FILE) \$dir/ca-bundle.crt"
export SSL_CERT_FILE="\$dir/ca-bundle.crt"
else
sslBind="/etc/ssl /etc/ssl"
fi
if [ -n "\$NP_GIT" ]; then
echo "WARN: NP_GIT is not supported, using nix version instead"
fi
storePathOfFile(){
file=\$(realpath \$1)
sPath="\$(echo \$file | awk -F "/" 'BEGIN{OFS="/";}{print \$2,\$3,\$4}')"
echo "/\$sPath"
}
collectBinds(){
pathsTopLevel="/boot /run /sys \$PWD /gpfs /tmp /scratch"
toBind=""
for p in \$pathsTopLevel; do
if [ -e "\$p" ]; then
real=\$(realpath \$p)
if [ -e "\$real" ]; then
if [[ "\$real" == /nix/store/* ]]; then
storePath=\$(storePathOfFile \$real)
toBind="\$toBind \$storePath \$storePath"
else
toBind="\$toBind \$real \$p"
fi
fi
fi
done
# TODO: add /var/run/dbus/system_bus_socket
paths="/etc/host.conf /etc/hosts /etc/hosts.equiv /etc/mtab /etc/netgroup /etc/networks /etc/passwd /etc/group /etc/nsswitch.conf /etc/resolv.conf /etc/localtime \$HOME"
for p in \$paths; do
if [ -e "\$p" ]; then
real=\$(realpath \$p)
if [ -e "\$real" ]; then
if [[ "\$real" == /nix/store/* ]]; then
storePath=\$(storePathOfFile \$real)
toBind="\$toBind \$storePath \$storePath"
else
toBind="\$toBind \$real \$real"
fi
fi
fi
done
# provide /bin/sh via the shipped busybox
toBind="\$toBind \$dir/busybox/bin/busybox /bin/sh"
toBind="\$toBind \$dir/busybox/bin/busybox /usr/bin/env"
# on termux, make sure termux packages still work inside the nix-portable environment
if [ -n "\$TERMUX_VERSION" ]; then
# binds required so termux native packages still run inside the nix-portable sandbox
# TODO: this doesn't quite work yet. debug and fix
toBind="\$toBind /system/lib64/libc.so /system/lib64/libc.so"
toBind="\$toBind /system/lib64/ld-android.so /system/lib64/ld-android.so"
toBind="\$toBind /system/lib64/libdl.so /system/lib64/libdl.so"
toBind="\$toBind /system/bin /system/bin"
toBind="\$toBind /system/lib64 /system/lib64"
toBind="\$toBind /apex/com.android.runtime/bin /apex/com.android.runtime/bin"
toBind="\$toBind /linkerconfig/ld.config.txt /linkerconfig/ld.config.txt"
toBind="\$toBind \$dir/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt"
toBind="\$toBind \$(realpath \$HOME/../usr/etc/resolv.conf) /etc/resolv.conf"
fi
}
makeBindArgs(){
arg=\$1; shift
sep=\$1; shift
binds=""
while :; do
if [ -n "\$1" ]; then
from="\$1"; shift
to="\$1"; shift || { echo "no bind destination provided for \$from!"; exit 3; }
binds="\$binds \$arg \$from\$sep\$to";
else
break
fi
done
}
### select container runtime
debug "figuring out which runtime to use"
[ -z "\$NP_BWRAP" ] && NP_BWRAP=\$dir/bin/bwrap
debug "bwrap executable: \$NP_BWRAP"
[ -z "\$NP_NIX" ] && NP_NIX=\$dir/bin/nix
debug "nix executable: \$NP_NIX"
debug "testing all available runtimes..."
if [ -z "\$NP_RUNTIME" ]; then
# read last automatic selected runtime from disk
if [ "\$newNPVersion" == "true" ]; then
debug "removing cached auto selected runtime"
rm -f "\$dir/conf/last_auto_runtime"
fi
if [ -f "\$dir/conf/last_auto_runtime" ]; then
last_auto_runtime="\$(cat "\$dir/conf/last_auto_runtime")"
else
last_auto_runtime=
fi
debug "last auto selected runtime: \$last_auto_runtime"
if [ "\$last_auto_runtime" != "" ]; then
NP_RUNTIME="\$last_auto_runtime"
# check if nix --store works
elif \\
debug "testing nix --store" \\
&& mkdir -p \$dir/tmp/ \\
&& touch \$dir/tmp/testfile \\
&& "\$NP_NIX" --store "\$dir/tmp/__store" shell -f "\$dir/mini-drv.nix" -c "\$dir/bin/nix" store add-file --store "\$dir/tmp/__store" "\$dir/tmp/testfile" >/dev/null 2>&3; then
chmod -R +w \$dir/tmp/__store
rm -r \$dir/tmp/__store
debug "nix --store works on this system -> will use nix as runtime"
NP_RUNTIME=nix
# check if bwrap works properly
elif \\
debug "nix --store failed -> testing bwrap" \\
&& \$NP_BWRAP --bind \$dir/emptyroot / --bind \$dir/ /nix --bind \$dir/busybox/bin/busybox "\$dir/true" "\$dir/true" 2>&3 ; then
debug "bwrap seems to work on this system -> will use bwrap"
NP_RUNTIME=bwrap
else
debug "bwrap doesn't work on this system -> will use proot"
NP_RUNTIME=proot
fi
echo -n "\$NP_RUNTIME" > "\$dir/conf/last_auto_runtime"
else
debug "runtime selected via NP_RUNTIME: \$NP_RUNTIME"
fi
debug "NP_RUNTIME: \$NP_RUNTIME"
if [ "\$NP_RUNTIME" == "nix" ]; then
run="\$NP_NIX shell -f \$dir/mini-drv.nix -c"
export PATH="\$PATH:\$store${lib.removePrefix "/nix/store" nix}/bin"
NP_CONF_STORE="\$dir"
recreate_nix_conf
elif [ "\$NP_RUNTIME" == "bwrap" ]; then
collectBinds
makeBindArgs --bind " " \$toBind \$sslBind
run="\$NP_BWRAP \$BWRAP_ARGS \\
--bind \$dir/emptyroot /\\
--dev-bind /dev /dev\\
--proc /proc\\
--bind \$dir/nix /nix\\
\$binds"
# --bind \$dir/busybox/bin/busybox /bin/sh\\
else
# proot
echo Unsupported runtime: $NP_RUNTIME
exit 1
fi
debug "base command will be: \$run"
### setup environment
export NIX_PATH="\$dir/channels:nixpkgs=\$dir/channels/nixpkgs"
mkdir -p \$dir/channels
[ -h \$dir/channels/nixpkgs ] || ln -s ${nixpkgsSrc} \$dir/channels/nixpkgs
### install nix store
# Install all the nix store paths necessary for the current nix-portable version
# We only unpack missing store paths from the tar archive.
index="$(cat ${storeTar}/index)"
export missing=\$(
for path in \$index; do
basepath=\$(basename \$path)
if [ ! -e \$store/\$basepath ]; then
echo "nix/store/\$basepath"
fi
done
)
if [ -n "\$missing" ]; then
debug "extracting missing store paths"
(
mkdir -p \$dir/tmp \$store/
rm -rf \$dir/tmp/*
cd \$dir/tmp
unzip -qqp "\$self" ${ lib.removePrefix "/" "${storeTar}/tar"} \
| \$dir/bin/zstd -d \
| tar -x \$missing --strip-components 2
mv \$dir/tmp/* \$store/
)
rm -rf \$dir/tmp
fi
if [ -n "\$missing" ]; then
debug "registering new store paths to DB"
reg="$(cat ${storeTar}/closureInfo/registration)"
cmd="\$run \$store${lib.removePrefix "/nix/store" nix}/bin/nix-store --load-db"
debug "running command: \$cmd"
echo "\$reg" | \$cmd
fi
### select executable
# the executable can either be selected by
# - executing './nix-portable BIN_NAME',
# - symlinking to nix-portable, in which case the name of the symlink selects the nix executable
# Alternatively the executable can be hardcoded by specifying the argument 'executable' of nix-portable's default.nix file.
executable="${if bundledPackage == null then "" else bundledExe}"
if [ "\$executable" != "" ]; then
bin="\$executable"
debug "executable is hardcoded to: \$bin"
elif [[ "\$(basename \$0)" == nix-portable* ]]; then\
if [ -z "\$1" ]; then
echo "Error: please specify the nix binary to execute"
echo "Alternatively symlink against \$0"
exit 1
elif [ "\$1" == "debug" ]; then
bin="\$(which \$2)"
shift; shift
else
bin="\$store${lib.removePrefix "/nix/store" nix}/bin/\$1"
shift
fi
# for binary selection via symlink
else
bin="\$store${lib.removePrefix "/nix/store" nix}/bin/\$(basename \$0)"
fi
### check which runtime has been used previously
if [ -f "\$dir/conf/last_runtime" ]; then
lastRuntime=\$(cat "\$dir/conf/last_runtime")
else
lastRuntime=
fi
### check if nix is functional with or without sandbox
# sandbox-fallback is not reliable: https://github.com/NixOS/nix/issues/4719
if [ "\$newNPVersion" == "true" ] || [ "\$lastRuntime" != "\$NP_RUNTIME" ]; then
nixBin="\$(dirname \$bin)/nix"
debug "Testing if nix can build stuff without sandbox"
if ! \$run "\$nixBin" build --no-link -f "\$dir/mini-drv.nix" --option sandbox false >&3 2>&3; then
echo "Fatal error: nix is unable to build packages"
exit 1
fi
debug "Testing if nix sandbox is functional"
if ! \$run "\$nixBin" build --no-link -f "\$dir/mini-drv.nix" --option sandbox true >&3 2>&3; then
debug "Sandbox doesn't work -> disabling sandbox"
NP_CONF_SANDBOX=false
recreate_nix_conf
else
debug "Sandboxed builds work -> enabling sandbox"
NP_CONF_SANDBOX=true
recreate_nix_conf
fi
fi
### save fingerprint and lastRuntime
if [ "\$newNPVersion" == "true" ]; then
echo -n "\$fingerprint" > "\$dir/conf/fingerprint"
fi
if [ "\$lastRuntime" != \$NP_RUNTIME ]; then
echo -n \$NP_RUNTIME > "\$dir/conf/last_runtime"
fi
### set PATH
export PATH="\$dir/busybox/bin"
export PATH="\$PATH:\$store${lib.removePrefix "/nix/store" nix}/bin"
### install programs via nix
${concatMapStringsSep "\n" installDynamic bootstrapPrograms}
### print elapsed time
end=\$(date +%s%N) # end time in nanoseconds
# time elapsed in millis with two decimal places
# print stats about initialization time of nix-portable
# skipt for termux, as it doesn't have bc installed
if [ -z "\$TERMUX_VERSION" ]; then
elapsed=\$(echo "scale=2; (\$end - \$start)/1000000" | bc)
debug "Time to initialize nix-portable: \$elapsed millis"
fi
### run commands
[ -z "\$NP_RUN" ] && NP_RUN="\$run"
if [ "\$NP_RUNTIME" == "proot" ]; then
debug "running command: \$NP_RUN \$bin \$@"
exec \$NP_RUN \$bin "\$@"
else
cmd="\$NP_RUN \$bin \$@"
debug "running command: \$cmd"
exec \$NP_RUN \$bin "\$@"
fi
exit
'';
runtimeScriptEscaped = replaceStrings ["\""] ["\\\""] runtimeScript;
nixPortable = pkgs.runCommand pname {
nativeBuildInputs = [unixtools.xxd unzip];
meta = {
homepage = "https://github.com/DavHau/nix-portable";
description = "Nix - Static, Permissionless, Installation-free, Pre-configured for mn5";
maintainers = with lib.maintainers.bsc; [ abonerib ];
platforms = lib.platforms.linux;
license = lib.licenses.mit;
};
} ''
mkdir -p $out/bin
echo "${runtimeScriptEscaped}" > $out/bin/nix-portable.zip
xxd $out/bin/nix-portable.zip | tail
sizeA=$(printf "%08x" `stat -c "%s" $out/bin/nix-portable.zip` | tac -rs ..)
echo 504b 0304 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
echo 0000 0000 0000 0000 0000 0200 0000 4242 | xxd -r -p >> $out/bin/nix-portable.zip
sizeB=$(printf "%08x" `stat -c "%s" $out/bin/nix-portable.zip` | tac -rs ..)
echo 504b 0102 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
echo 0000 0000 0000 0000 0000 0000 0200 0000 | xxd -r -p >> $out/bin/nix-portable.zip
echo 0000 0000 0000 0000 0000 $sizeA 4242 | xxd -r -p >> $out/bin/nix-portable.zip
echo 504b 0506 0000 0000 0000 0100 3000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
echo $sizeB 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
unzip -vl $out/bin/nix-portable.zip
zip="${zip}/bin/zip -0"
$zip $out/bin/nix-portable.zip ${bwrap}/bin/bwrap
$zip $out/bin/nix-portable.zip ${nixStatic}/bin/nix
$zip $out/bin/nix-portable.zip ${zstd}/bin/zstd
$zip $out/bin/nix-portable.zip ${storeTar}/tar
$zip $out/bin/nix-portable.zip ${caBundleZstd}
# create fingerprint
fp=$(sha256sum $out/bin/nix-portable.zip | cut -d " " -f 1)
sed -i "s/_FINGERPRINT_PLACEHOLDER_/$fp/g" $out/bin/nix-portable.zip
# fix broken zip header due to manual modification
${zip}/bin/zip -F $out/bin/nix-portable.zip --out $out/bin/nix-portable-fixed.zip
rm $out/bin/nix-portable.zip
executable=${if bundledPackage == null then "" else bundledExe}
if [ "$executable" == "" ]; then
target="$out/bin/nix-portable"
else
target="$out/bin/$(basename "$executable")"
fi
mv $out/bin/nix-portable-fixed.zip "$target"
chmod +x "$target"
'';
in
nixPortable.overrideAttrs (prev: {
passthru = (prev.passthru or {}) // {
inherit bwrap;
};
})

4
pkgs/nix-wrap/default.nix
View File

@@ -14,7 +14,7 @@ let
nixConfDir = "share";
nix_wrap_sh = writeText "nix-wrap.sh" ''
#!/usr/bin/env bash
#
busybox_bin="${nixPrefix}${busybox}/bin"
bubblewrap_bin="${nixPrefix}/${bubblewrap}/bin"
@@ -69,6 +69,7 @@ stdenv.mkDerivation rec {
name = "nix-wrap";
buildInputs = [
bashInteractive
busybox
nix
];
src = null;
@@ -91,6 +92,7 @@ stdenv.mkDerivation rec {
homepage = null;
description = "nix bubblewrap wrapper";
maintainers = [ ];
broken = true;
platforms = lib.platforms.linux;
license = lib.licenses.mit;
};

22
pkgs/nixgen/default.nix
View File

@@ -1,22 +0,0 @@
{
stdenv
, lib
}:
stdenv.mkDerivation {
pname = "nixgen";
version = "0.0.1";
src = ./nixgen;
dontUnpack = true;
phases = [ "installPhase" ];
installPhase = ''
mkdir -p $out/bin
cp -a $src $out/bin/nixgen
'';
meta = {
description = "Quickly generate flake.nix from command line";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
};
}

97
pkgs/nixgen/nixgen
View File

@@ -1,97 +0,0 @@
#!/bin/sh
#
# Copyright (c) 2025, Barcelona Supercomputing Center (BSC)
# SPDX-License-Identifier: GPL-3.0+
# Author: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
function usage() {
echo "USAGE: nixgen [-f] [package [...]] [-b package [...]]" >&2
echo " Generates a flake.nix file with the given packages." >&2
echo " After flake.nix is created, use 'nix develop' to enter the shell." >&2
echo "OPTIONS" >&2
echo " -f Overwrite existing flake.nix (default: no)." >&2
echo " packages... Add these packages to the shell." >&2
echo " -b packages... Add the dependencies needed to build these packages." >&2
echo "EXAMPLE" >&2
echo " $ nixgen ovni bigotes -b nosv tampi" >&2
echo " Adds the packages ovni and bigotes as well as all required dependencies" >&2
echo " to build nosv and tampi." >&2
echo "AUTHOR" >&2
echo " Rodrigo Arias Mallo <rodrigo.arias@bsc.es>" >&2
exit 1
}
mode=package
packages=
inputsFrom=
force=
if [[ $# -eq 0 ]]; then
usage
fi
while [[ $# -gt 0 ]]; do
case $1 in -b)
mode=build
shift
;;
-f)
force=1
shift
;;
-h)
usage
;;
-*|--*)
echo "error: unknown option $1" >&2
exit 1
;;
*)
if [ "$mode" == "package" ]; then
packages+="${packages:+ }$1"
else
inputsFrom+="${inputsFrom:+ }$1"
fi
shift
;;
esac
done
if [ ! "$force" -a -e flake.nix ]; then
echo "error: flake.nix exists, force overwrite with -f" >&2
exit 1
fi
cat > flake.nix <<EOF
{
inputs.jungle.url = "git+https://jungle.bsc.es/git/rarias/jungle";
outputs = { self, jungle }:
let
nixpkgs = jungle.inputs.nixpkgs;
customOverlay = (final: prev: {
# Example overlay, for now empty
});
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [
# Apply jungle overlay to get our BSC custom packages
jungle.outputs.bscOverlay
# And on top apply our local changes to customize for cluster
customOverlay
];
};
in {
devShells.x86_64-linux.default = pkgs.mkShell {
pname = "devshell";
# Include these packages in the shell
packages = with pkgs; [
$packages
];
# The dependencies needed to build these packages will be also included
inputsFrom = with pkgs; [
$inputsFrom
];
};
};
}
EOF

9
pkgs/nodes/default.nix
View File

@@ -3,6 +3,7 @@
, lib
, fetchFromGitHub
, pkg-config
, perl
, numactl
, hwloc
, boost
@@ -10,23 +11,22 @@
, ovni
, nosv
, clangOmpss2
, which
, useGit ? false
, gitUrl ? "ssh://git@gitlab-internal.bsc.es/nos-v/nodes.git"
, gitBranch ? "master"
, gitCommit ? "511489e71504a44381e0930562e7ac80ac69a848" # version-1.4
, gitCommit ? "6002ec9ae6eb876d962cc34366952a3b26599ba6"
}:
with lib;
let
release = rec {
version = "1.4";
version = "1.3";
src = fetchFromGitHub {
owner = "bsc-pm";
repo = "nodes";
rev = "version-${version}";
hash = "sha256-+lR/R0l3fGZO3XG7whMorFW2y2YZ0ZFnLeOHyQYrAsQ=";
hash = "sha256-cFb9pxcjtkMmH0CsGgUO9LTdXDNh7MCqicgGWawLrsU=";
};
};
@@ -59,7 +59,6 @@ in
doCheck = false;
nativeCheckInputs = [
clangOmpss2
which
];
# The "bindnow" flags are incompatible with ifunc resolution mechanism. We

6
pkgs/nosv/default.nix
View File

@@ -13,19 +13,19 @@
, useGit ? false
, gitUrl ? "git@gitlab-internal.bsc.es:nos-v/nos-v.git"
, gitBranch ? "master"
, gitCommit ? "1108e4786b58e0feb9a16fa093010b763eb2f8e8" # version 4.0.0
, gitCommit ? "9f47063873c3aa9d6a47482a82c5000a8c813dd8"
}:
with lib;
let
release = rec {
version = "4.0.0";
version = "3.2.0";
src = fetchFromGitHub {
owner = "bsc-pm";
repo = "nos-v";
rev = "${version}";
hash = "sha256-llaq73bd/YxLVKNlMebnUHKa4z3sdcsuDUoVwUxNuw8=";
hash = "sha256-yaz92426EM8trdkBJlISmAoG9KJCDTvoAW/HKrasvOw=";
};
};

6
pkgs/osu/default.nix
View File

@@ -32,11 +32,6 @@ stdenv.mkDerivation rec {
"CXX=mpicxx"
];
env = {
MPICH_CC="${stdenv.cc}/bin/${stdenv.cc.targetPrefix}cc";
MPICH_CXX="${stdenv.cc}/bin/${stdenv.cc.targetPrefix}c++";
};
postInstall = ''
mkdir -p $out/bin
for f in $(find $out -executable -type f); do
@@ -49,6 +44,5 @@ stdenv.mkDerivation rec {
homepage = "http://mvapich.cse.ohio-state.edu/benchmarks/";
maintainers = [ ];
platforms = lib.platforms.all;
cross = true;
};
}

8
pkgs/ovni/default.nix
View File

@@ -7,7 +7,7 @@
, useGit ? false
, gitBranch ? "master"
, gitUrl ? "ssh://git@bscpm04.bsc.es/rarias/ovni.git"
, gitCommit ? "06432668f346c8bdc1006fabc23e94ccb81b0d8b" # version 1.13.0
, gitCommit ? "e4f62382076f0cf0b1d08175cf57cc0bc51abc61"
, enableDebug ? false
# Only enable MPI if the build is native (fails on cross-compilation)
, useMpi ? (stdenv.buildPlatform.canExecute stdenv.hostPlatform)
@@ -15,13 +15,13 @@
let
release = rec {
version = "1.13.0";
version = "1.12.0";
src = fetchFromGitHub {
owner = "bsc-pm";
repo = "ovni";
rev = "${version}";
hash = "sha256-0l2ryIyWNiZqeYdVlnj/WnQGS3xFCY4ICG8JedX424w=";
} // { shortRev = "0643266"; };
hash = "sha256-H04JvsVKrdqr3ON7JhU0g17jjlg/jzQ7eTfx9vUNd3E=";
} // { shortRev = "a73afcf"; };
};
git = rec {

4
pkgs/paraver/default.nix
View File

@@ -12,7 +12,7 @@
, paraverKernel
, openssl
, glibcLocales
, wrapGAppsHook3
, wrapGAppsHook
}:
let
@@ -64,7 +64,7 @@ stdenv.mkDerivation rec {
autoconf
automake
autoreconfHook
wrapGAppsHook3
wrapGAppsHook
];
buildInputs = [

1
pkgs/sonar/default.nix
View File

@@ -35,6 +35,5 @@ stdenv.mkDerivation rec {
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.mit;
cross = true;
};
}

18
pkgs/tagaspi/default.nix
View File

@@ -5,14 +5,23 @@
, automake
, autoconf
, libtool
, mpi
, autoreconfHook
, gpi-2
, boost
, numactl
, rdma-core
, gfortran
, symlinkJoin
}:
let
mpiAll = symlinkJoin {
name = "mpi-all";
paths = [ mpi.all ];
};
in
stdenv.mkDerivation rec {
pname = "tagaspi";
enableParallelBuilding = true;
@@ -26,18 +35,16 @@ stdenv.mkDerivation rec {
hash = "sha256-RGG/Re2uM293HduZfGzKUWioDtwnSYYdfeG9pVrX9EM=";
};
nativeBuildInputs = [
buildInputs = [
autoreconfHook
automake
autoconf
libtool
gfortran
];
buildInputs = [
boost
numactl
rdma-core
gfortran
mpiAll
];
dontDisableStatic = true;
@@ -56,6 +63,5 @@ stdenv.mkDerivation rec {
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
cross = false; # gpi-2 cannot cross
};
}

1
pkgs/tampi/default.nix
View File

@@ -68,6 +68,5 @@ in stdenv.mkDerivation {
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
cross = true;
};
}

4
pkgs/upc-qaire-exporter/default.nix
View File

@@ -1,11 +1,9 @@
{ python3Packages, lib }:
python3Packages.buildPythonApplication {
python3Packages.buildPythonApplication rec {
pname = "upc-qaire-exporter";
version = "1.0";
pyproject = true;
src = ./.;
doCheck = false;

52
secrets/ceph-user.age
View File

@@ -1,29 +1,25 @@
age-encryption.org/v1
-> ssh-ed25519 AY8zKw Crgof1PMHzv3jBw8VeJAst6FKSoyqPFdANFpf79CAgo
7fagE5BmlWdTsdY/i3RbExu1KBcjW1LQXbYwu6chxlk
-> ssh-ed25519 sgAamA tGRCaK8mjvz65YziXjRcjMOHIRoyGNJFzBEEbivXPDo
YLzE5a3J81r+gzkfZIeh9gS+mXzMooC82tBbZ+C3C8o
-> ssh-ed25519 HY2yRg +vhO1/vdGPM1JnZRsvVnViFWaFWUZ7MIqvWdePivkxA
2K+JdN82DTeGh9QwZBTaghg8C5BCLoEsOgTCM64PU28
-> ssh-ed25519 fw2Xhg NHDn0dq32I/AVdUZlpzBX6retlEYEUipde7A9R90qW4
SJO78ooqEwfHlBRW+YCzgSQJb1JHNo8jz37t3qvLClE
-> ssh-ed25519 G5LX5w d4HfLzI2623artkR2FIfRJgr5yb2BKZJUWqPnwOWDCk
Kh50QESJZSjaJPyp3xroHGn0fD5pPNEYgKkDdqxGpjs
-> ssh-ed25519 tcumPQ wQyOKtT15Qezs3cyv5/xxIPVD7Jyk6N6ZLkfxxBHLTo
rKlRBjJdfDVT6U8211+ssFF8yY9yRs1u3GhCSvsw2oE
-> ssh-ed25519 JJ1LWg 98tF1MdA244xNny4w3RnMFuubf4WcuQaZf2bN2Uq8Qc
MA1Xh1H9vHisVYdqkxNeBkngtn8cYuT2eSimvooIXYo
-> ssh-ed25519 cDBabA imJ0rXLQETELP7yo3sArhqA9nJwY+S6gkC7tA7CJsQA
pKMHW/KDAoEj5ZD64VKekg6et9hlS2PKSgDw3eB3eu8
-> ssh-ed25519 WY7yGw +2g5021/02HvLxLqq42ynr6qKgOKJ3J5GgB1a1bmFXg
fYvj52R6bM6ngPOZ2lwVezTJnx+8LJBbdnaapKKbyd0
-> ssh-ed25519 cK5kHw fLZ6yF3NggJ724rjYqhs5ZZh1xUExuK+ITAyqONluzk
NS9OMX70XEHrbPQnmC4KB/eoiHChIb8DwDLYJiwOLUU
-> ssh-ed25519 CAWG4Q tVduE/wMzdfS+DjNbU3Q4blNhL/A63IehNSZGJkJjD0
jEBB5zG+gLA/88YF+KqWQsNH7lfCsWNvAkrgfbescFs
-> ssh-ed25519 xA739A ZhFvev77I+YOl1YSHKn2ZcEvGoLjWOILufjd4q/k8HM
YXEtHHtjPQlgZW60zHgHm7CLI6vYiRo+AM8QERL9tCg
-> ssh-ed25519 MSF3dg 9DvLNheBU1vlfW2zNNxBrGnJ6k4P5ox7s+OGKlgRdyQ
wseHfLGHz0huNi5sZsNOfeNkm6Kjjx0SZ8lK4/oXtUQ
--- bnJE+14onuSla0XmckD4z/wChWGZh6exbkcbyhcmNYU
<EFBFBD><EFBFBD>t<>N<><10>U<EFBFBD>wi2<69><32>-<2D>iV'(<1E>IF<49><46> S<><53>xs/s<><73> <09><>NDm<44>Q<EFBFBD><51><EFBFBD>o<EFBFBD><6F><EFBFBD><EFBFBD>wZv<7F><76>.\
-> ssh-ed25519 AY8zKw /gmhFOFqOs8IobAImvQVKeM5Y6k0FpuR61/Cu5drVVI
g9FXJg2oIoien0zJ70FWHwSTM8SBwbpS188S3Swj7EM
-> ssh-ed25519 sgAamA opPjlWPhSiI0Rd5l7kd204S5FXFLcQcQftyKb7MDmnU
3XrRDVnglCP+vBwvfd1rP5gHttsGDHyXwbf10a8/kKY
-> ssh-ed25519 HY2yRg QKZbubM76C3tobPoyCFDRclA9Pzb2fC7s4WOoIgdORc
K5kckU0KhQFTE6SikJXFJgM41Tco5+VqOsaG0qLrY1Q
-> ssh-ed25519 fw2Xhg +ohqts8dLFjvdHxrGHcOGxU0dm+V3N//giljHkobpDM
jR/UzGrfS9lrJ/VeolKLxfzeJAf2fIB2pdIn/6ukqNk
-> ssh-ed25519 tcumPQ 3DPkDPIQQSVtXSLzIRETsIyXQ0k1o18Evn6vf+l/6R8
bLXF62OmJjnOT1vvgq3+AcOKKSG5NonrK5EqCVc0Mwo
-> ssh-ed25519 JJ1LWg 2Wefc7eLolMU5InEmCNTq21Mf71mI0a2N1HgDrlHvy4
qXFW9CQBnrzubZ0mzS0Io2WGRrwGBkmeYndBTcZn/fM
-> ssh-ed25519 cDBabA oiH36AoIt/fFFYgnoxtH7OoetP+2/wjtn8qo3RJDSHc
qKmkxy1aZGP4ZwC0iH7n7hiJ0+rFQYvjQb5O1a1Z0r4
-> ssh-ed25519 cK5kHw bX3RtO5StMejUYWAaA37fjHA5nO7Xs1vWDQk3yOjs2o
Egxmcf8FKAd+E5hMLmhV1yQsCo5rJyUazf1szOvpTAM
-> ssh-ed25519 CAWG4Q oKqqRDJH0w8lsoQBQk0w8PO+z5gFNmSaGBUSumvDp1I
m1zWp9MfViAmtpbJhqOHraIokDaPKb0DvvO4vAGCTWI
-> ssh-ed25519 xA739A G26kPOz6sbFATs+KAr7gbDvji13eA1smFusQAOJXMwA
Sppvz7A103kZoNxoGsd6eXeCvVh7mBE2MRwLFj9O1dY
-> ssh-ed25519 MSF3dg 55ekNcp+inbUd+GQ/VZ7BoBASaJ8YDqF74CVXy1PUxQ
aTHLLAbzQPWWld/OT3BKebc6FcmsqMTaWCPBGm1UHic
--- mVkAMnI9XQhS3fMiFuuXP/yLR9wEG9+Rr8pA4Uc0avY
<04>DU <20><>s<EFBFBD><73><EFBFBD><EFBFBD>j<EFBFBD><6A>M<EFBFBD><4D>$<24>[<5B>M<EFBFBD><4D><EFBFBD><03>[_<>K7s<37>ju<>v<EFBFBD>D<EFBFBD>4<EFBFBD>g<EFBFBD><67>܄3<>Gn<47><6E><EFBFBD> ɽ<>P<EFBFBD>7~rZs<><73>

BIN
secrets/gitea-runner-token.age
View File

Binary file not shown.

BIN
secrets/gitlab-bsc-docker-token.age
View File

Binary file not shown.

24
secrets/gitlab-runner-docker-token.age
View File

@@ -1,13 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 HY2yRg eHM55QsHK1ca9b5nP3EoVUZYu0w2d4B5tkilNK0j/lw
6Na6lkMe0fOd7+vNP1fLIaVEQDUw5m65Wh8jUH1I6C0
-> ssh-ed25519 cK5kHw 0ekhoBYwF7OSWwn4P5f/J4gXb9UHJAWGKV0yI7HCzzE
2Q+Tt5jXAB9ip9jf1z+jeM4FSiqd1w5DNtbqtacuOcM
-> ssh-ed25519 CAWG4Q Jmw4v9efOFXHjjNky96q/d6vGBP5dNM4wK9zoGrwOh8
u5I17wcIq8/2ARWckDXsYckhfX0jWE4AEm5mip/KHws
-> ssh-ed25519 xA739A 10pPeC2YG9DJzaQlt7p+fGo27VDiL2dN6JmvY2npcUw
4aRV8DekYeL9HagGWgOSjlYnPKmYdKZH8Aw4lRdm+r8
-> ssh-ed25519 MSF3dg hDwIE3Su6cN3sq2E5v/oy6vTNfxTT1ZPts85//gIhwY
aoiaGjQYJB1ededhIuVBCKDRLIOVThWz1pSTvg65J3Y
--- OYPAGb5U/nwLOIV5VchSvxhChjNnwzbEgU9glSkWCl4
<EFBFBD>=<EFBFBD><EFBFBD><EFBFBD>c<EFBFBD>WȟJSaІ&<26><1F>ቧ)E<> <0B> C<><43>J~u<>c<63><7F>2<EFBFBD><32>v<EFBFBD><76><EFBFBD><03><>s<EFBFBD><73><EFBFBD>vf<76><10><>X7(<28>~<7E><1A>=XCi;<3B>״<EFBFBD><><DFA2><EFBFBD>ܣ<EFBFBD><10><><07>ɳCe<43>D;;X*<2A>3<EFBFBD>i<EFBFBD><69>r<EFBFBD>Em<45><6D><
-> ssh-ed25519 HY2yRg U2KQWviZIVNemm9e8h7H+eOzoYNxXgLLS3hsZLMAuGk
6n5dH1McNzk3rscP4v2pqZYDWtUFMd15rZsEd/mqIFM
-> ssh-ed25519 cK5kHw Ebrj/cpz1cFWAYAV9OxgyyH85OEMUnfUIV66p7jaoFY
6J7hWqODtS/fIF4BpxhxbrxZq5vbolvbLqRKqazT02M
-> ssh-ed25519 CAWG4Q mXqoQH9ycHF7u0y8mazCgynHxNLxTnrmQHke+2a5QCc
mq6PdSF+KOqthuXwzTCsOQsi5KG0z1wHUck+bSTyOBY
-> ssh-ed25519 xA739A TADeswueqDEroZWLjMw3RDNwVQ2xRD+JUMVZENovn0M
KFlnSjVFbjc+ZsbY8Ed7edC5B01TJGzd/dSryiLArPc
-> ssh-ed25519 MSF3dg Pq+ZD8AqJGDHDbd4PO1ngNFST8+6C2ghZkO/knKzzEc
wyiL/u38hdQMokmfTsBrY7CtYwc+31FG4EDaqVEn31U
--- 1z4cOipayh0zYkvasEVEvGreajegE/dqBV7b6E7aFh0
<EFBFBD><EFBFBD><EFBFBD><EFBFBD>R<EFBFBD>@<40>/i<>I'<27><><EFBFBD>Nx<4E>r"<1D>`<1E>O<EFBFBD><4F><EFBFBD>y<><79>8<EFBFBD><38> \/<2F><>I<19><17>D<EFBFBD>`<60>ߓ<EFBFBD><DF93><EFBFBD><1E><04>uy<75><79><EFBFBD>:9Lt<4C><1D><><EFBFBD>؋<EFBFBD><D88B><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>AU<41><55><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>`<60>;<3B>q8<71>GLU#<23>i<EFBFBD>y<EFBFBD><79>i<03>ڜ

BIN
secrets/gitlab-runner-shell-token.age
View File

Binary file not shown.

BIN
secrets/ipmi.yml.age
View File

Binary file not shown.

BIN
secrets/jungle-robot-password.age
View File

Binary file not shown.

BIN
secrets/munge-key.age
View File

Binary file not shown.

BIN
secrets/nix-serve.age
View File

Binary file not shown.

BIN
secrets/tent-gitlab-runner-bsc-docker-token.age
View File

Binary file not shown.

BIN
secrets/tent-gitlab-runner-pm-docker-token.age
View File

Binary file not shown.

BIN
secrets/tent-gitlab-runner-pm-shell-token.age
View File

Binary file not shown.

BIN
secrets/vpn-dac-client-key.age
View File

Binary file not shown.

25
secrets/vpn-dac-login.age
View File

@@ -1,13 +1,14 @@
age-encryption.org/v1
-> ssh-ed25519 G5LX5w /9lcJOXC9CN02+XLswUaJ0H7jU6Xhjd8Xg4+KY0l1Vc
fCLzsLc9zrocM8SHOKyZwt6eUEr8r1WLug9RLi63KU0
-> ssh-ed25519 cK5kHw 1qza6h2NRSs4g8LYdFU7E+Dn1CgdtCU7DPdYInP1GwM
/6uk7pTFkNTRTI7nA+x4y4CyOBVQVXX2lnpOg3ktPe4
-> ssh-ed25519 CAWG4Q o+vyzcejSaNVYPSGzzOdzaqPByZ6zA1uaJf4KOg+wQA
wfZmWrDSfRV8C+Hu+SeZDcomf/qigBqxuQK77SfnuEo
-> ssh-ed25519 xA739A +rBsOC+IBE3lmc/pfrziftLIqMSyaGMsggRjC5Pqwl0
xa7ulLz2+YC3g2hu7e9XhRYDIUb2sriaaigJRYF2oB8
-> ssh-ed25519 MSF3dg TK6PmKjjQt8ni0mJLCt7P41lUsgimlj3o5Q6n3N+DE4
ne+s3ctcg8cBjY06LY2lrW7wcxomvKHxu6MlirEA8Kg
--- eorg2ckkUZ1Ogi4iTTg2MoiVBwl1F0RCmH2D8N1d1So
<EFBFBD><EFBFBD><EFBFBD>8<1C><><EFBFBD><EFBFBD><EFBFBD><12>i<17>$]K<>J=2Z<1D><>ӼF<D3BC>][<14><><EFBFBD>8<EFBFBD><38>ޤ<12> <09>=<3D><>LD/<2F>gz
-> ssh-ed25519 G5LX5w SRJhNenoQXbT1FgX3TMPnVH5P6oe2eHot+M1YsEjsEk
hfTSLgKi98Eh7JK5o7x2POpTEtQlQCpEa3keUFYCuME
-> ssh-ed25519 cK5kHw z5TwWJTkvx7HztjXHJW/aCOtOfPrQaLP0gyIT7rXcyU
b4NCpHfasgvkLLr+6LcWUl60p59aSNnfp3bl2OFYXo0
-> ssh-ed25519 CAWG4Q 4VpS1/OnFe8nxcQbRTKNhjsh/ZQ5cbhSMXwK/jjQ+3o
WF9wvOkqVml4UcEzyzeumKuUwCwwr2zvKLMg+PCB8nk
-> ssh-ed25519 xA739A 67FhuJ070jBVMt/xbKHWhfri6iIm0FyaFvzQabsvFBM
1G5/913dDv/r/6p1x/c5YiUnZzrX/LvIj33KW+PN0KU
-> ssh-ed25519 MSF3dg Bj/yB4N2wkyHCHC22tcjjJAA4ebSamN0Z4UVX3ZnryI
6D/ZgTs+j+MGDAbPU5zyK0i9zN6tQy68IcOnQZ27mYg
--- 169erk3ICSYLs4FPEuXCn7QlekWhsmSn0Lr+/R14I5Q
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><05>ҽ3<D2BD>s<EFBFBD>
w<EFBFBD><EFBFBD>4D<EFBFBD><EFBFBD>b.<2E><><EFBFBD>"|<7C><><EFBFBD>)"<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;<3B>.<2E>ɫ7)<29>LeC<05>=S؟

BIN
secrets/wg-apex.age
View File

Binary file not shown.

25
secrets/wg-fox.age
View File

@@ -1,13 +1,14 @@
age-encryption.org/v1
-> ssh-ed25519 cDBabA So/Tqwdwd7G0PbE4RwH2qDrNcdqTkhFjF4IJrLKKpkM
MEA5dzlUeFXm3pa+ndxrcE0ZWdO00Xf98+Q8U9LZ+cQ
-> ssh-ed25519 cK5kHw sCHD/hHBOfMBUQXkLG3MBPNC4ebLOXW37OlF/C8FEjU
4TFbKoy23Ic2vteXZ02fMrFxyb4NxyWaSo5I8dn48mI
-> ssh-ed25519 CAWG4Q KYGPAXTx8H5cBC3YIBxi5B7OeF15C9rEIPFCcG0vEDw
9LC2Zvp1Oiau1/hfPf+nJknl6BUSr+lzTn6TozZNxJg
-> ssh-ed25519 xA739A hpvNBHPgYRtUx0HyUAdCW8s7QTmGyPXwzRHb8qYoeG0
QkUZINY7Fr7HpyY6lbIMcP+hGO3oCmLL6N+yDN4weyk
-> ssh-ed25519 MSF3dg P9TmEfXS+hyxsbVKja58UWAFpad0ZS3LhwrMkLnSNAY
hiHuh7HhoYwHi2KFbCczXJoF3On9eqjD1Wsp9Q1NW/w
--- SN3peoDvjXuD/Q4DdebQFam1CE22NyGZlMmnKyCTuX8
s<0F><><14><>&׳֦<D7B3><D6A6><EFBFBD><EFBFBD>}<7D>#In0&<26><1F>{<7B>1<EFBFBD><31>.
-> ssh-ed25519 cDBabA heyW9/cxgwFX9IexQIXjAQDWGQPNcMXcArQp2Rxsqx4
o9MQ7EH8PDDjsJdpH9F3Xq2zUoaDAJQlfFmYucSFs6Y
-> ssh-ed25519 cK5kHw Sza4pos7K3qW3omEeyidI/jszJNf9smemSZnUJfCIww
D6vazXki7hIYraIuSiGPS+FPbkFUwHhHWDf52OhEIMg
-> ssh-ed25519 CAWG4Q YexIHueOIMmIN8JIDyNUOKBkyz/k18HqV3hTXh48KlM
xh8UJzzWT6ByN+Dpn4JrMNsjGC/uc/v6LynwjBDz9NQ
-> ssh-ed25519 xA739A KySG3TXdqfCMUkVEDGa74B0op745s3XGYxFLyAXSQAc
5EI/yb5ctW9Qu18bHm3/sK97kwGcKzzmWvPSCWm89XA
-> ssh-ed25519 MSF3dg MNxnNj0fHmri8ophexXPNjRUBUWrzcuk5S1mucxUMTE
GVFWXtISEU8ZmlwL4nh4weAgfGrt2GHX0DTzbpS6zg8
--- UdrqkYG2ZApAuwdZeNhC50NP2rkD/Ol6y8nJa4RHx7Y
<EFBFBD>ܻ<EFBFBD>m(<28><><EFBFBD>><3E>H<48>Y87<><37>G<0F>+*<12><><EFBFBD><EFBFBD>9V<>.<2E><><EFBFBD><EFBFBD><03><><EFBFBD>p<EFBFBD>Oo<4F>=+哇<>P0<50><30>{<7B>)<29><17><><EFBFBD><EFBFBD>><3E>z3P^
u

BIN
secrets/wg-raccoon.age
View File

Binary file not shown.