Compare commits
	
		
			286 Commits
		
	
	
		
			master
			...
			add-fox-ma
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| b58370cf83 | |||
| 581efb4312 | |||
| c32c1bd03b | |||
| 1ddc5b7248 | |||
| 8968deb4db | |||
| 5a21baf2be | |||
| f4534e1e5a | |||
| d6ed4b4521 | |||
| 049ad4d062 | |||
| 07ab4018d8 | |||
| a1135306ed | |||
| 587caf262e | |||
| 2730404ca5 | |||
| 84db5e6fd6 | |||
| f4f34a3159 | |||
| 91b8b4a3c5 | |||
| 6cad205269 | |||
| c57bf76969 | |||
| ad4b615211 | |||
| b4518b59cf | |||
| 45dc4124a3 | |||
| bdfe9a48fd | |||
| 1b337d31f8 | |||
| 717cd5a21e | |||
| def5955614 | |||
| 0e3c975cb5 | |||
| 93189a575e | |||
| 36592c44eb | |||
| a34e3752a2 | |||
| 0d2dea94fb | |||
| 7f539d7e06 | |||
| f8ec090836 | |||
| 9a9161fc55 | |||
| 1a0cf96fc4 | |||
| 4bd1648074 | |||
| 15b114ffd6 | |||
| dd6d8c9735 | |||
| e15a3867d4 | |||
| 5cad208de6 | |||
| c8687f7e45 | |||
| d988ef2eff | |||
| b07929eab3 | |||
| b3e397eb4c | |||
| 5ad2c683ed | |||
| 1f06f0fa0c | |||
| 8ca1d84844 | |||
| 998f599be3 | |||
| fcfc6ac149 | |||
| 6e87130166 | |||
| 06f9e6ac6b | |||
| da07aedce2 | |||
| 61427a8bf9 | |||
| 958ad1f025 | |||
| 1c5f3a856f | |||
| 4e2b80defd | |||
| 1c8efd0877 | |||
| 4c5e85031b | |||
| 5688823fcc | |||
| 72faf8365b | |||
| 0e22d6def8 | |||
| 22cc1d33f7 | |||
| 15085c8a05 | |||
| 06748dac1d | |||
| 63851306ac | |||
| 2bdc793c8c | |||
| 85d1c5e34c | |||
| e6b7af5272 | |||
| c0ae8770bc | |||
| 5b51e8947f | |||
| db2c6f7e45 | |||
| 8e8f9e7adb | |||
| d2adc3a6d3 | |||
| 76cd9ea47f | |||
| 2f851bc216 | |||
| 834d3187e5 | |||
| 49be0f208c | |||
| fb23b41dae | |||
| 005a67deaf | |||
| f8097cb5cb | |||
| ff792f5f48 | |||
| 5c48b43ae0 | |||
| b299ead00b | |||
| a92432cf5a | |||
| 82f5d828c2 | |||
| 35a94a9b02 | |||
| b6bd31e159 | |||
| 1d4badda5b | |||
| bd5214a3b9 | |||
| c32f6dea97 | |||
| dd341902fc | |||
| 190e273112 | |||
| 268807d1d0 | |||
| 2953080fb8 | |||
| 9871517be2 | |||
| 736eacaac5 | |||
| 0e66aad099 | |||
| 67a4905a0a | |||
| d52d22e0db | |||
| 42920c2521 | |||
| 4acd35e036 | |||
| 621d20db3a | |||
| 0926f6ec1f | |||
| 61646cb3bd | |||
| c0066c4744 | |||
| ffd0593f51 | |||
| f49ae0773e | |||
| 8fa3fccecb | |||
| 9ee7111453 | |||
| 8de3d2b149 | |||
| bc62e28ca3 | |||
| d612a5453c | |||
| 653d411b9e | |||
| 51c57dbc41 | |||
| 33cd40160e | |||
| a1e8cfea47 | |||
| 5d72ee3da3 | |||
| fdc6445d47 | |||
| e88805947e | |||
| aaefddc44a | |||
| d9d249411d | |||
| c07f75c6bb | |||
| 8d449ba20c | |||
| 10ca572aec | |||
| 75b0f48715 | |||
| 19a451db77 | |||
| ec9be9bb62 | |||
| 7ddd1977f3 | |||
| 7050c505b5 | |||
| 033a1fe97b | |||
| 77cb3c494e | |||
| 6db5772ac4 | |||
| 3e347e673c | |||
| dca274d020 | |||
| c33909f32f | |||
| 64e856e8b9 | |||
| 02f40a8217 | |||
| 77d43b6da9 | |||
| ab55aac5ff | |||
| 9b5bfbb7a3 | |||
| a69a71d1b0 | |||
| 98374bd303 | |||
| 3b6be8a2fc | |||
| 2bb366b9ac | |||
| 2d16709648 | |||
| 9344daa31c | |||
| 80c98041b5 | |||
| 3418e57907 | |||
| 6848b58e39 | |||
| 13a70411aa | |||
| f9c77b433a | |||
| 9d487845f6 | |||
| 3c99c2a662 | |||
| 7d09108c9f | |||
| 0f0a861896 | |||
| beb0d5940e | |||
| 70321ce237 | |||
| 5bd1d67333 | |||
| fad9df61e1 | |||
| d2a80c8c18 | |||
| 599613d139 | |||
| ac4fa9abd4 | |||
| cb3a7b19f7 | |||
| f5d6bf627b | |||
| f1ce815edd | |||
| a2075cfd65 | |||
| 8f1f6f92a8 | |||
| 3416416864 | |||
| 815888fb07 | |||
| 029d9cb1db | |||
| 95fa67ede1 | |||
| a19347161f | |||
| 58c1cc1f7c | |||
| b06399dc70 | |||
| 077eece6b9 | |||
| b3ef53de51 | |||
| e0852ee89b | |||
| dfffc0bdce | |||
| 8257c245b1 | |||
| cd5853cf53 | |||
| b677b827d4 | |||
| b1d5185cca | |||
| a7e66e2246 | |||
| 480c97e952 | |||
| f8fb5fa4ff | |||
| acf9b71f04 | |||
| bf692e6e4e | |||
| c242b65e47 | |||
| 55d6c17776 | |||
| 14b173f67e | |||
| b9001cdf7d | |||
| f892d43b47 | |||
| d9e9ee6e3a | |||
| 79adbe76a8 | |||
| 66fb848ba8 | |||
| 40b1a8f0df | |||
| a0b9d10b14 | |||
| 4c309dea2f | |||
| b3a397eee4 | |||
| 7c1fe1455b | |||
| 2d4b178895 | |||
| 4dd25f2f89 | |||
| 6dcd9d8144 | |||
| 31be81d2b1 | |||
| 826cfdf43f | |||
| a1f258c5ce | |||
| 1c1d3f3231 | |||
| 623d46c03f | |||
| 518a4d6af3 | |||
| 60077948d6 | |||
| c76bfa7f86 | |||
| 6c10933e80 | |||
| 6402605b1f | |||
| 1724535495 | |||
| 5b41670f36 | |||
| ab04855382 | |||
| 684d5e41c5 | |||
| 316ea18e24 | |||
| c916157fcc | |||
| 4e9409db10 | |||
| 94320d9256 | |||
| 9f5941c2be | |||
| fba0f7b739 | |||
| 2e95281af5 | |||
| f4ac9f3186 | |||
| f787343f29 | |||
| 70304d26ff | |||
| 76c10ec22e | |||
| 011e8c2bf8 | |||
| c1f138a9c1 | |||
| 1552eeca12 | |||
| 8769f3d418 | |||
| a4c254fcd6 | |||
| 24fb1846d2 | |||
| 5e77d0b86c | |||
| 494fda126c | |||
| 5cfa2f9611 | |||
| 9539a24bdb | |||
| 98c4d924dd | |||
| 7aae967c65 | |||
| 49f7edddac | |||
| 2f055d9fc5 | |||
| 108abffd2a | |||
| 4c19ad66e3 | |||
| 19c01aeb1d | |||
| fc90b40310 | |||
| 81de0effb1 | |||
| 5ce93ff85a | |||
| c020b9f5d6 | |||
| f47734b524 | |||
| ca3a7d98f5 | |||
| 0d5609ecc2 | |||
| 818edccb34 | |||
| 2815f5bcfd | |||
| c1bbbd7793 | |||
| aa1dd14b62 | |||
| 399103a9b4 | |||
| 74639d3ece | |||
| 613a76ac29 | |||
| c3ea8864bb | |||
| 919f211536 | |||
| 141d77e2b6 | |||
| 44fcb97ec7 | |||
| 543983e9f3 | |||
| 95bbeeb646 | |||
| de2af79810 | |||
| b9aff1dba5 | |||
| 7da979bed2 | |||
| cfe37640ea | |||
| 096e407571 | |||
| ae31b546e7 | |||
| c3a2766bb7 | |||
| b568bb36d4 | |||
| 55f784e6b7 | |||
| dfab84b0ba | |||
| 8f66ba824a | |||
| 79bd4398f3 | |||
| b44afdaaa1 | |||
| 9528fab3ef | |||
| 7e82885d84 | |||
| 57ed0cf319 | |||
| b043ee3b1d | |||
| 9e3bdaabb6 | |||
| 77f72ac939 | |||
| fa25a68571 | |||
|   | ea0f406849 | ||
|   | 9df6be1b6b | 
| @ -1,20 +0,0 @@ | |||||||
| name: CI |  | ||||||
| on: |  | ||||||
|   push: |  | ||||||
|     branches: |  | ||||||
|       - master |  | ||||||
|   pull_request: |  | ||||||
|     branches: |  | ||||||
|       - master |  | ||||||
| 
 |  | ||||||
| jobs: |  | ||||||
|   build:all: |  | ||||||
|     runs-on: native |  | ||||||
|     steps: |  | ||||||
|       - uses: https://gitea.com/ScMi1/checkout@v1.4 |  | ||||||
|       - run: nix build -L --no-link --print-out-paths .#bsc.ci.all |  | ||||||
|   build:cross: |  | ||||||
|     runs-on: native |  | ||||||
|     steps: |  | ||||||
|       - uses: https://gitea.com/ScMi1/checkout@v1.4 |  | ||||||
|       - run: nix build -L --no-link --print-out-paths .#bsc.ci.cross |  | ||||||
							
								
								
									
									
									
								
							
							
						
						
									
										2
									
								
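--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-**.swp
+*.swp
 /result
 /misc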
| @ -1,6 +0,0 @@ | |||||||
| build:bsc-ci.all: |  | ||||||
|   stage: build |  | ||||||
|   tags: |  | ||||||
|     - nix |  | ||||||
|   script: |  | ||||||
|     - nix build -L --no-link --print-out-paths .#bsc-ci.all |  | ||||||
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										21
									
								
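--- a/COPYING
+++ b/COPYING
@@ -1,21 +0,0 @@
-Copyright (c) 2020-2025 Barcelona Supercomputing Center
-Copyright (c) 2003-2020 Eelco Dolstra and the Nixpkgs/NixOS contributors
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.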
| @ -1,9 +0,0 @@ | |||||||
| # Jungle |  | ||||||
| 
 |  | ||||||
| This repository provides two components that can be used independently: |  | ||||||
| 
 |  | ||||||
| - A Nix overlay with packages used at BSC (formerly known as bscpkgs). Access |  | ||||||
|   them directly with `nix shell .#<pkgname>`. |  | ||||||
| 
 |  | ||||||
| - NixOS configurations for jungle machines. Use `nixos-rebuild switch --flake .` |  | ||||||
|   to upgrade the current machine. |  | ||||||
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										19
									
								
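--- a/default.nix
+++ b/default.nix
@@ -1,19 +0,0 @@
-let
-  bscOverlay = import ./overlay.nix;
-
-  # read flake.lock and determine revision from there
-  lock = builtins.fromJSON (builtins.readFile ./flake.lock);
-  inherit (lock.nodes.nixpkgs.locked) rev narHash;
-  fetchedNixpkgs = builtins.fetchTarball {
-    url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
-    sha256 = narHash;
-  };
-in
-{ overlays ? [ ]
-, nixpkgs ? fetchedNixpkgs
-, ...
-}@attrs:
-import nixpkgs (
-  (builtins.removeAttrs attrs [ "overlays" "nixpkgs" ]) //
-  { overlays = [ bscOverlay ] ++ overlays; }
-)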
							
								
								
									
										
									
								
							
							
						
						
									
										
											BIN
										
									
								
								doc/Intel_Server_Board_S2600WF_TPS_2_6.pdf
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							
							
								
								
									
										
									
								
							
							
						
						
									
										
											BIN
										
									
								
								doc/R1000WF_SystemIntegration_and_ServiceGuide_Rev2_4.pdf
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							
							
								
								
									
										
									
								
							
							
						
						
									
										
											BIN
										
									
								
								doc/SEL_TroubleshootingGuide.pdf
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							
							
								
								
									
										
									
								
							
							
						
						
									
										
											BIN
										
									
								
								doc/bsc-ssf.pdf
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| @ -1,30 +0,0 @@ | |||||||
| # Maintainers |  | ||||||
| 
 |  | ||||||
| ## Role of a maintainer |  | ||||||
| The responsibilities of maintainers are quite lax, and similar in spirit to |  | ||||||
| [nixpkgs' maintainers][1]: |  | ||||||
| 
 |  | ||||||
|     The main responsibility of a maintainer is to keep the packages they |  | ||||||
|     maintain in a functioning state, and keep up with updates. In order to do |  | ||||||
|     that, they are empowered to make decisions over the packages they maintain. |  | ||||||
| 
 |  | ||||||
|     That being said, the maintainer is not alone in proposing changes to the |  | ||||||
|     packages. Anybody (both bots and humans) can send PRs to bump or tweak the |  | ||||||
|     package. |  | ||||||
| 
 |  | ||||||
| In practice, this means that when updating or proposing changes to a package, |  | ||||||
| we will notify maintainers by mentioning them in Gitea so they can test changes |  | ||||||
| and give feedback. |  | ||||||
| 
 |  | ||||||
| Since we do bi-yearly release cycles, there is no expectation from maintainers |  | ||||||
| to update packages at each upstream release. Nevertheless, on each release cycle |  | ||||||
| we may request help from maintainers when updating or testing their packages. |  | ||||||
| 
 |  | ||||||
| ## Becoming a maintainer |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| You'll have to add yourself in the `maintainers.nix` list; your username should |  | ||||||
| match your `bsc.es` email. Then you can add yourself to the `meta.maintainers` |  | ||||||
| of any package you are interested in maintaining. |  | ||||||
| 
 |  | ||||||
| [1]: [https://github.com/NixOS/nixpkgs/tree/nixos-25.05/maintainers] |  | ||||||
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										46
									
								
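--- a/doc/trim.sh
+++ b/doc/trim.sh
@@ -1,46 +0,0 @@
-#!/bin/sh
-
-# Trims the jungle repository by moving the website to its own repository and
-# removing it from jungle. It also removes big pdf files and kernel
-# configurations so the jungle repository is small.
-
-set -e
-
-if [ -e oldjungle -o -e newjungle -o -e website ]; then
-  echo "remove oldjungle/, newjungle/ and website/ first"
-  exit 1
-fi
-
-# Clone the old jungle repo
-git clone gitea@tent:rarias/jungle.git oldjungle
-
-# First split the website into a new repository
-mkdir website && git -C website init -b master
-git-filter-repo \
-  --path web \
-  --subdirectory-filter web \
-  --source oldjungle \
-  --target website
-
-# Then remove the website, pdf files and big kernel configs
-mkdir newjungle && git -C newjungle init -b master
-git-filter-repo \
-  --invert-paths \
-  --path web \
-  --path-glob 'doc*.pdf' \
-  --path-glob '**/kernel/configs/lockdep' \
-  --path-glob '**/kernel/configs/defconfig' \
-  --source oldjungle \
-  --target newjungle
-
-set -x
-
-du -sh oldjungle newjungle website
-#  57M  oldjungle
-# 2,3M  newjungle
-# 6,4M  website
-
-du -sh --exclude=.git oldjungle newjungle website
-#  30M  oldjungle
-# 700K  newjungle
-# 3,5M  website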
							
								
								
									
									
									
									
								
							
							
						
						
									
										111
									
								
								flake.lock
									
									
									
										generated
									
									
									
								
							| @ -1,25 +1,128 @@ | |||||||
| { | { | ||||||
|   "nodes": { |   "nodes": { | ||||||
|  |     "agenix": { | ||||||
|  |       "inputs": { | ||||||
|  |         "darwin": "darwin", | ||||||
|  |         "home-manager": "home-manager", | ||||||
|  |         "nixpkgs": [ | ||||||
|  |           "nixpkgs" | ||||||
|  |         ], | ||||||
|  |         "systems": "systems" | ||||||
|  |       }, | ||||||
|  |       "locked": { | ||||||
|  |         "lastModified": 1723293904, | ||||||
|  |         "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", | ||||||
|  |         "owner": "ryantm", | ||||||
|  |         "repo": "agenix", | ||||||
|  |         "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", | ||||||
|  |         "type": "github" | ||||||
|  |       }, | ||||||
|  |       "original": { | ||||||
|  |         "owner": "ryantm", | ||||||
|  |         "repo": "agenix", | ||||||
|  |         "type": "github" | ||||||
|  |       } | ||||||
|  |     }, | ||||||
|  |     "bscpkgs": { | ||||||
|  |       "inputs": { | ||||||
|  |         "nixpkgs": [ | ||||||
|  |           "nixpkgs" | ||||||
|  |         ] | ||||||
|  |       }, | ||||||
|  |       "locked": { | ||||||
|  |         "lastModified": 1732868163, | ||||||
|  |         "narHash": "sha256-qck4h298AgcNI6BnGhEwl26MTLXjumuJVr+9kak7uPo=", | ||||||
|  |         "ref": "refs/heads/master", | ||||||
|  |         "rev": "6782fc6c5b5a29e84a7f2c2d1064f4bcb1288c0f", | ||||||
|  |         "revCount": 952, | ||||||
|  |         "type": "git", | ||||||
|  |         "url": "https://git.sr.ht/~rodarima/bscpkgs" | ||||||
|  |       }, | ||||||
|  |       "original": { | ||||||
|  |         "type": "git", | ||||||
|  |         "url": "https://git.sr.ht/~rodarima/bscpkgs" | ||||||
|  |       } | ||||||
|  |     }, | ||||||
|  |     "darwin": { | ||||||
|  |       "inputs": { | ||||||
|  |         "nixpkgs": [ | ||||||
|  |           "agenix", | ||||||
|  |           "nixpkgs" | ||||||
|  |         ] | ||||||
|  |       }, | ||||||
|  |       "locked": { | ||||||
|  |         "lastModified": 1700795494, | ||||||
|  |         "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", | ||||||
|  |         "owner": "lnl7", | ||||||
|  |         "repo": "nix-darwin", | ||||||
|  |         "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", | ||||||
|  |         "type": "github" | ||||||
|  |       }, | ||||||
|  |       "original": { | ||||||
|  |         "owner": "lnl7", | ||||||
|  |         "ref": "master", | ||||||
|  |         "repo": "nix-darwin", | ||||||
|  |         "type": "github" | ||||||
|  |       } | ||||||
|  |     }, | ||||||
|  |     "home-manager": { | ||||||
|  |       "inputs": { | ||||||
|  |         "nixpkgs": [ | ||||||
|  |           "agenix", | ||||||
|  |           "nixpkgs" | ||||||
|  |         ] | ||||||
|  |       }, | ||||||
|  |       "locked": { | ||||||
|  |         "lastModified": 1703113217, | ||||||
|  |         "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", | ||||||
|  |         "owner": "nix-community", | ||||||
|  |         "repo": "home-manager", | ||||||
|  |         "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", | ||||||
|  |         "type": "github" | ||||||
|  |       }, | ||||||
|  |       "original": { | ||||||
|  |         "owner": "nix-community", | ||||||
|  |         "repo": "home-manager", | ||||||
|  |         "type": "github" | ||||||
|  |       } | ||||||
|  |     }, | ||||||
|     "nixpkgs": { |     "nixpkgs": { | ||||||
|       "locked": { |       "locked": { | ||||||
|         "lastModified": 1752436162, |         "lastModified": 1736867362, | ||||||
|         "narHash": "sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw=", |         "narHash": "sha256-i/UJ5I7HoqmFMwZEH6vAvBxOrjjOJNU739lnZnhUln8=", | ||||||
|         "owner": "NixOS", |         "owner": "NixOS", | ||||||
|         "repo": "nixpkgs", |         "repo": "nixpkgs", | ||||||
|         "rev": "dfcd5b901dbab46c9c6e80b265648481aafb01f8", |         "rev": "9c6b49aeac36e2ed73a8c472f1546f6d9cf1addc", | ||||||
|         "type": "github" |         "type": "github" | ||||||
|       }, |       }, | ||||||
|       "original": { |       "original": { | ||||||
|         "owner": "NixOS", |         "owner": "NixOS", | ||||||
|         "ref": "nixos-25.05", |         "ref": "nixos-24.11", | ||||||
|         "repo": "nixpkgs", |         "repo": "nixpkgs", | ||||||
|         "type": "github" |         "type": "github" | ||||||
|       } |       } | ||||||
|     }, |     }, | ||||||
|     "root": { |     "root": { | ||||||
|       "inputs": { |       "inputs": { | ||||||
|  |         "agenix": "agenix", | ||||||
|  |         "bscpkgs": "bscpkgs", | ||||||
|         "nixpkgs": "nixpkgs" |         "nixpkgs": "nixpkgs" | ||||||
|       } |       } | ||||||
|  |     }, | ||||||
|  |     "systems": { | ||||||
|  |       "locked": { | ||||||
|  |         "lastModified": 1681028828, | ||||||
|  |         "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", | ||||||
|  |         "owner": "nix-systems", | ||||||
|  |         "repo": "default", | ||||||
|  |         "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", | ||||||
|  |         "type": "github" | ||||||
|  |       }, | ||||||
|  |       "original": { | ||||||
|  |         "owner": "nix-systems", | ||||||
|  |         "repo": "default", | ||||||
|  |         "type": "github" | ||||||
|  |       } | ||||||
|     } |     } | ||||||
|   }, |   }, | ||||||
|   "root": "root", |   "root": "root", | ||||||
|  | |||||||
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										36
									
								
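--- a/flake.nix
+++ b/flake.nix
@@ -1,27 +1,23 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    agenix.url = "github:ryantm/agenix";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    bscpkgs.url = "git+https://git.sr.ht/~rodarima/bscpkgs";
+    bscpkgs.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, ... }:
+  outputs = { self, nixpkgs, agenix, bscpkgs, ... }:
 let
   mkConf = name: nixpkgs.lib.nixosSystem {
     system = "x86_64-linux";
-    specialArgs = { inherit nixpkgs; theFlake = self; };
+    specialArgs = { inherit nixpkgs bscpkgs agenix; theFlake = self; };
     modules = [ "${self.outPath}/m/${name}/configuration.nix" ];
   };
-  # For now we only support x86
-  system = "x86_64-linux";
-  pkgs = import nixpkgs {
-    inherit system;
-    overlays = [ self.overlays.default ];
-    config.allowUnfree = true;
-  };
 in
   {
     nixosConfigurations = {
       hut     = mkConf "hut";
-      tent    = mkConf "tent";
       owl1    = mkConf "owl1";
       owl2    = mkConf "owl2";
       eudy    = mkConf "eudy";
@@ -30,23 +26,11 @@ in
       lake2   = mkConf "lake2";
       raccoon = mkConf "raccoon";
       fox     = mkConf "fox";
-      apex    = mkConf "apex";
-      weasel  = mkConf "weasel";
     };
 
-    bscOverlay = import ./overlay.nix;
-    overlays.default = self.bscOverlay;
-
-    # full nixpkgs with our overlay applied
-    legacyPackages.${system} = pkgs;
-
-    hydraJobs = self.legacyPackages.${system}.bsc.hydraJobs;
-
-    # propagate nixpkgs lib, so we can do bscpkgs.lib
-    lib = nixpkgs.lib // {
-      maintainers = nixpkgs.lib.maintainers // {
-        bsc = import ./pkgs/maintainers.nix;
-      };
+    packages.x86_64-linux = self.nixosConfigurations.hut.pkgs // {
+      bscpkgs = bscpkgs.packages.x86_64-linux;
+      nixpkgs = nixpkgs.legacyPackages.x86_64-linux;
     };
   };
 }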
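Review bot: The `agenix` and `bscpkgs` inputs added in the first hunk carry no comment on how they are pinned, and both are handed to every machine configuration through `specialArgs`. Neither URL names a ref, so the only pin is flake.lock, and the lock on this page shows agenix bringing in `darwin` and `home-manager`, which the NixOS hosts presumably do not need. I would add `agenix.inputs.darwin.follows = "";` to drop the unused input, and a comment above the two URLs such as `# pinned only by flake.lock; review the lock diff on every update`.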
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										17
									
								
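--- a/keys.nix
+++ b/keys.nix
@@ -9,29 +9,22 @@ rec {
     koro  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67 koro";
     bay   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
     lake2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
-    fox     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwItIk5uOJcQEVPoy/CVGRzfmE1ojrdDcI06FrU4NFT fox";
-    tent    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAtTpHtdYoelbknD/IcfBlThwLKJv/dSmylOgpg3FRM tent";
-    apex    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBvUFjSfoxXnKwXhEFXx5ckRKJ0oewJ82mRitSMNMKjh apex";
-    weasel  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLJrQ8BF6KcweQV8pLkSbFT+tbDxSG9qxrdQE65zJZp weasel";
-    raccoon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNQttFvL0dNEyy7klIhLoK4xXOeM2/K9R7lPMTG3qvK raccoon";
+    fox   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDa9lId4rB/EKGkkCCVOy0cuId2SYLs+8W8kx0kmpO1y fox";
   };
 
   hostGroup = with hosts; rec {
-    compute    = [ owl1 owl2 fox raccoon ];
-    playground = [ eudy koro weasel ];
+    compute    = [ owl1 owl2 fox ];
+    playground = [ eudy koro ];
     storage    = [ bay lake2 ];
     monitor    = [ hut ];
-    login      = [ apex ];
 
-    system     = storage ++ monitor ++ login;
+    system     = storage ++ monitor;
     safe       = system ++ compute;
     all        = safe ++ playground;
   };
 
   admins = {
-    "rarias@hut"  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
-    "rarias@tent" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwlWSBTZi74WTz5xn6gBvTmCoVltmtIAeM3RMmkh4QZ rarias@tent";
-    "rarias@fox"  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDSbw3REAKECV7E2c/e2XJITudJQWq2qDSe2N1JHqHZd rarias@fox";
+    rarias = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
     root   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
   };
 }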
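Review bot: The `fox` entry carries a different ed25519 host key on the new side, and nothing in the hunk records whether the secrets encrypted to that host were re-encrypted. If this file supplies the agenix recipient lists, as the agenix input in flake.nix suggests, every secret addressed to `compute`, `safe` or `all` has to be rekeyed with `agenix --rekey` before fox can decrypt it, and until then the other key remains a valid recipient. A comment on the line such as `# host key of fox; rekey all secrets after changing it` would keep that step visible. The enclosing attribute set opens above the hunk.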
| @ -1,69 +0,0 @@ | |||||||
| { lib, config, pkgs, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   imports = [ |  | ||||||
|     ../common/xeon.nix |  | ||||||
|     ../common/ssf/hosts.nix |  | ||||||
|     ../module/ceph.nix |  | ||||||
|     ../module/hut-substituter.nix |  | ||||||
|     ../module/slurm-server.nix |  | ||||||
|     ./nfs.nix |  | ||||||
|     ./wireguard.nix |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   # Don't install grub MBR for now |  | ||||||
|   boot.loader.grub.device = "nodev"; |  | ||||||
| 
 |  | ||||||
|   boot.initrd.kernelModules = [ |  | ||||||
|     "megaraid_sas" # For HW RAID |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   environment.systemPackages = with pkgs; [ |  | ||||||
|     storcli # To manage HW RAID |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   fileSystems."/home" = { |  | ||||||
|     device = "/dev/disk/by-label/home"; |  | ||||||
|     fsType = "ext4"; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   # No swap, there is plenty of RAM |  | ||||||
|   swapDevices = lib.mkForce []; |  | ||||||
| 
 |  | ||||||
|   networking = { |  | ||||||
|     hostName = "apex"; |  | ||||||
|     defaultGateway = "84.88.53.233"; |  | ||||||
|     nameservers = [ "8.8.8.8" ]; |  | ||||||
| 
 |  | ||||||
|     # Public facing interface |  | ||||||
|     interfaces.eno1.ipv4.addresses = [ { |  | ||||||
|       address = "84.88.53.236"; |  | ||||||
|       prefixLength = 29; |  | ||||||
|     } ]; |  | ||||||
| 
 |  | ||||||
|     # Internal LAN to our Ethernet switch |  | ||||||
|     interfaces.eno2.ipv4.addresses = [ { |  | ||||||
|       address = "10.0.40.30"; |  | ||||||
|       prefixLength = 24; |  | ||||||
|     } ]; |  | ||||||
| 
 |  | ||||||
|     # Infiniband over Omnipath switch (disconnected for now) |  | ||||||
|     # interfaces.ibp5s0 = {}; |  | ||||||
| 
 |  | ||||||
|     nat = { |  | ||||||
|       enable = true; |  | ||||||
|       internalInterfaces = [ "eno2" ]; |  | ||||||
|       externalInterface = "eno1"; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   networking.firewall = { |  | ||||||
|     extraCommands = '' |  | ||||||
|       # Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our |  | ||||||
|       # logs. Insert as first position so we also protect SSH. |  | ||||||
|       iptables -I nixos-fw 1 -p tcp -s 192.168.8.16 -j nixos-fw-refuse |  | ||||||
|       # Same with opsmonweb01.bsc.es which seems to be trying to access via SSH |  | ||||||
|       iptables -I nixos-fw 2 -p tcp -s 84.88.52.176 -j nixos-fw-refuse |  | ||||||
|     ''; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,48 +0,0 @@ | |||||||
| { ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   services.nfs.server = { |  | ||||||
|     enable = true; |  | ||||||
|     lockdPort = 4001; |  | ||||||
|     mountdPort = 4002; |  | ||||||
|     statdPort = 4000; |  | ||||||
|     exports = '' |  | ||||||
|       /home 10.0.40.0/24(rw,async,no_subtree_check,no_root_squash) |  | ||||||
|       /home 10.106.0.0/24(rw,async,no_subtree_check,no_root_squash) |  | ||||||
|     ''; |  | ||||||
|   }; |  | ||||||
|   networking.firewall = { |  | ||||||
|     # Check with `rpcinfo -p` |  | ||||||
|     extraCommands = '' |  | ||||||
|       # Accept NFS traffic from compute nodes but not from the outside |  | ||||||
|       iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 111   -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 2049  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4000  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4001  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4002  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept |  | ||||||
|       # Same but UDP |  | ||||||
|       iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 111   -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 2049  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4000  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4001  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4002  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept |  | ||||||
| 
 |  | ||||||
|       # Accept NFS traffic from wg0 |  | ||||||
|       iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 111   -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 2049  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 4000  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 4001  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 4002  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 20048 -j nixos-fw-accept |  | ||||||
|       # Same but UDP |  | ||||||
|       iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 111   -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 2049  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 4000  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 4001  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 4002  -j nixos-fw-accept |  | ||||||
|       iptables -A nixos-fw -p udp -i wg0 -s 10.106.0.0/24 --dport 20048 -j nixos-fw-accept |  | ||||||
|     ''; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,42 +0,0 @@ | |||||||
| { config, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   networking.firewall = { |  | ||||||
|     allowedUDPPorts = [ 666 ]; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   age.secrets.wgApex.file = ../../secrets/wg-apex.age; |  | ||||||
| 
 |  | ||||||
|   # Enable WireGuard |  | ||||||
|   networking.wireguard.enable = true; |  | ||||||
|   networking.wireguard.interfaces = { |  | ||||||
|     # "wg0" is the network interface name. You can name the interface arbitrarily. |  | ||||||
|     wg0 = { |  | ||||||
|       ips = [ "10.106.0.30/24" ]; |  | ||||||
|       listenPort = 666; |  | ||||||
|       privateKeyFile = config.age.secrets.wgApex.path; |  | ||||||
|       # Public key: VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA= |  | ||||||
|       peers = [ |  | ||||||
|         { |  | ||||||
|           name = "fox"; |  | ||||||
|           publicKey = "VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y="; |  | ||||||
|           allowedIPs = [ "10.106.0.1/32" ]; |  | ||||||
|           endpoint = "fox.ac.upc.edu:666"; |  | ||||||
|           # Send keepalives every 25 seconds. Important to keep NAT tables alive. |  | ||||||
|           persistentKeepalive = 25; |  | ||||||
|         } |  | ||||||
|         { |  | ||||||
|           name = "raccoon"; |  | ||||||
|           publicKey = "QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI="; |  | ||||||
|           allowedIPs = [ "10.106.0.236/32" "192.168.0.0/16" "10.0.44.0/24" ]; |  | ||||||
|         } |  | ||||||
|       ]; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   networking.hosts = { |  | ||||||
|     "10.106.0.1" = [ "fox" ]; |  | ||||||
|     "10.106.0.236" = [ "raccoon" ]; |  | ||||||
|     "10.0.44.4" = [ "tent" ]; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -2,8 +2,7 @@ | |||||||
| 
 | 
 | ||||||
| { | { | ||||||
|   imports = [ |   imports = [ | ||||||
|     ../common/ssf.nix |     ../common/xeon.nix | ||||||
|     ../module/hut-substituter.nix |  | ||||||
|     ../module/monitoring.nix |     ../module/monitoring.nix | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -3,7 +3,6 @@ | |||||||
|   # Includes the basic configuration for an Intel server. |   # Includes the basic configuration for an Intel server. | ||||||
|   imports = [ |   imports = [ | ||||||
|     ./base/agenix.nix |     ./base/agenix.nix | ||||||
|     ./base/always-power-on.nix |  | ||||||
|     ./base/august-shutdown.nix |     ./base/august-shutdown.nix | ||||||
|     ./base/boot.nix |     ./base/boot.nix | ||||||
|     ./base/env.nix |     ./base/env.nix | ||||||
| @ -11,7 +10,6 @@ | |||||||
|     ./base/hw.nix |     ./base/hw.nix | ||||||
|     ./base/net.nix |     ./base/net.nix | ||||||
|     ./base/nix.nix |     ./base/nix.nix | ||||||
|     ./base/sys-devices.nix |  | ||||||
|     ./base/ntp.nix |     ./base/ntp.nix | ||||||
|     ./base/rev.nix |     ./base/rev.nix | ||||||
|     ./base/ssh.nix |     ./base/ssh.nix | ||||||
|  | |||||||
| @ -1,8 +1,9 @@ | |||||||
| { pkgs, ... }: | { agenix, ... }: | ||||||
| 
 | 
 | ||||||
| { | { | ||||||
|   imports = [ ../../module/agenix.nix ]; |   imports = [ agenix.nixosModules.default ]; | ||||||
| 
 | 
 | ||||||
|   # Add agenix to system packages |   environment.systemPackages = [ | ||||||
|   environment.systemPackages = [ pkgs.agenix ]; |     agenix.packages.x86_64-linux.default | ||||||
|  |   ]; | ||||||
| } | } | ||||||
|  | |||||||
| @ -1,8 +0,0 @@ | |||||||
| { |  | ||||||
|   imports = [ |  | ||||||
|     ../../module/power-policy.nix |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   # Turn on as soon as we have power |  | ||||||
|   power.policy = "always-on"; |  | ||||||
| } |  | ||||||
| @ -1,12 +1,12 @@ | |||||||
| { | { | ||||||
|   # Shutdown all machines on August 3rd at 22:00, so we can protect the |   # Shutdown all machines on August 2nd at 11:00 AM, so we can protect the | ||||||
|   # hardware from spurious electrical peaks on the yearly electrical cut for |   # hardware from spurious electrical peaks on the yearly electrical cut for | ||||||
|   # manteinance that starts on August 4th. |   # manteinance that starts on August 4th. | ||||||
|   systemd.timers.august-shutdown = { |   systemd.timers.august-shutdown = { | ||||||
|     description = "Shutdown on August 3rd for maintenance"; |     description = "Shutdown on August 2nd for maintenance"; | ||||||
|     wantedBy = [ "timers.target" ]; |     wantedBy = [ "timers.target" ]; | ||||||
|     timerConfig = { |     timerConfig = { | ||||||
|       OnCalendar = "*-08-03 22:00:00"; |       OnCalendar = "*-08-02 11:00:00"; | ||||||
|       RandomizedDelaySec = "10min"; |       RandomizedDelaySec = "10min"; | ||||||
|       Unit = "systemd-poweroff.service"; |       Unit = "systemd-poweroff.service"; | ||||||
|     }; |     }; | ||||||
|  | |||||||
| @ -3,8 +3,8 @@ | |||||||
| { | { | ||||||
|   environment.systemPackages = with pkgs; [ |   environment.systemPackages = with pkgs; [ | ||||||
|     vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option |     vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option | ||||||
|     nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree |     nix-diff ipmitool freeipmi ethtool lm_sensors ix cmake gnumake file tree | ||||||
|     ncdu config.boot.kernelPackages.perf ldns pv |     ncdu config.boot.kernelPackages.perf ldns | ||||||
|     # From bsckgs overlay |     # From bsckgs overlay | ||||||
|     osumb |     osumb | ||||||
|   ]; |   ]; | ||||||
| @ -21,8 +21,6 @@ | |||||||
|     } |     } | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|   environment.enableAllTerminfo = true; |  | ||||||
| 
 |  | ||||||
|   environment.variables = { |   environment.variables = { | ||||||
|     EDITOR = "vim"; |     EDITOR = "vim"; | ||||||
|     VISUAL = "vim"; |     VISUAL = "vim"; | ||||||
|  | |||||||
| @ -1,4 +1,4 @@ | |||||||
| { pkgs, lib, ... }: | { pkgs, ... }: | ||||||
| 
 | 
 | ||||||
| { | { | ||||||
|   networking = { |   networking = { | ||||||
| @ -10,14 +10,10 @@ | |||||||
|       allowedTCPPorts = [ 22 ]; |       allowedTCPPorts = [ 22 ]; | ||||||
|     }; |     }; | ||||||
| 
 | 
 | ||||||
|     # Make sure we use iptables |  | ||||||
|     nftables.enable = lib.mkForce false; |  | ||||||
| 
 |  | ||||||
|     hosts = { |     hosts = { | ||||||
|       "84.88.53.236" = [ "ssfhead.bsc.es" "ssfhead" ]; |       "84.88.53.236" = [ "ssfhead.bsc.es" "ssfhead" ]; | ||||||
|  |       "84.88.51.152" = [ "raccoon" ]; | ||||||
|       "84.88.51.142" = [ "raccoon-ipmi" ]; |       "84.88.51.142" = [ "raccoon-ipmi" ]; | ||||||
|       "192.168.11.12" = [ "bscpm04.bsc.es" ]; |  | ||||||
|       "192.168.11.15" = [ "gitlab-internal.bsc.es" ]; |  | ||||||
|     }; |     }; | ||||||
|   }; |   }; | ||||||
| } | } | ||||||
|  | |||||||
| @ -1,12 +1,11 @@ | |||||||
| { pkgs, nixpkgs, theFlake,  ... }: | { pkgs, nixpkgs, bscpkgs, theFlake,  ... }: | ||||||
| 
 | 
 | ||||||
| { | { | ||||||
|   nixpkgs.overlays = [ |   nixpkgs.overlays = [ | ||||||
|     (import ../../../overlay.nix) |     bscpkgs.bscOverlay | ||||||
|  |     (import ../../../pkgs/overlay.nix) | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|   nixpkgs.config.allowUnfree = true; |  | ||||||
| 
 |  | ||||||
|   nix = { |   nix = { | ||||||
|     nixPath = [ |     nixPath = [ | ||||||
|       "nixpkgs=${nixpkgs}" |       "nixpkgs=${nixpkgs}" | ||||||
| @ -24,7 +23,6 @@ | |||||||
|       trusted-users = [ "@wheel" ]; |       trusted-users = [ "@wheel" ]; | ||||||
|       flake-registry = pkgs.writeText "global-registry.json" |       flake-registry = pkgs.writeText "global-registry.json" | ||||||
|         ''{"flakes":[],"version":2}''; |         ''{"flakes":[],"version":2}''; | ||||||
|       keep-outputs = true; |  | ||||||
|     }; |     }; | ||||||
| 
 | 
 | ||||||
|     gc = { |     gc = { | ||||||
|  | |||||||
| @ -8,10 +8,20 @@ in | |||||||
|   # Enable the OpenSSH daemon. |   # Enable the OpenSSH daemon. | ||||||
|   services.openssh.enable = true; |   services.openssh.enable = true; | ||||||
| 
 | 
 | ||||||
|  |   # Connect to intranet git hosts via proxy | ||||||
|  |   programs.ssh.extraConfig = '' | ||||||
|  |     Host bscpm02.bsc.es bscpm03.bsc.es gitlab-internal.bsc.es alya.gitlab.bsc.es | ||||||
|  |       User git | ||||||
|  |       ProxyCommand nc -X connect -x hut:23080 %h %p | ||||||
|  | 
 | ||||||
|  |     # Connect to BSC machines via hut proxy too | ||||||
|  |     Host amdlogin1.bsc.es armlogin1.bsc.es hualogin1.bsc.es glogin1.bsc.es glogin2.bsc.es fpgalogin1.bsc.es | ||||||
|  |       ProxyCommand nc -X connect -x hut:23080 %h %p | ||||||
|  |   ''; | ||||||
|  | 
 | ||||||
|   programs.ssh.knownHosts = hostsKeys // { |   programs.ssh.knownHosts = hostsKeys // { | ||||||
|     "gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3"; |     "gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3"; | ||||||
|     "bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS"; |     "bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS"; | ||||||
|     "bscpm04.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT"; |  | ||||||
|     "glogin1.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsHsZGCrzpd4QDVn5xoDOtrNBkb0ylxKGlyBt6l9qCz"; |     "glogin1.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsHsZGCrzpd4QDVn5xoDOtrNBkb0ylxKGlyBt6l9qCz"; | ||||||
|     "glogin2.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsHsZGCrzpd4QDVn5xoDOtrNBkb0ylxKGlyBt6l9qCz"; |     "glogin2.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsHsZGCrzpd4QDVn5xoDOtrNBkb0ylxKGlyBt6l9qCz"; | ||||||
|   }; |   }; | ||||||
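Review bot: The two new `Host` blocks in `programs.ssh.extraConfig` send SSH to ten hosts through the HTTP CONNECT proxy at `hut:23080`, but the `programs.ssh.knownHosts` entries visible on the new side pin keys only for gitlab-internal.bsc.es, bscpm03.bsc.es, glogin1.bsc.es and glogin2.bsc.es. Unless `hostsKeys` (defined above this hunk) already covers them, bscpm02.bsc.es, alya.gitlab.bsc.es and the amd/arm/hua/fpga login nodes fall back to trust-on-first-use, so the first connection from each machine accepts whatever host key arrives through the proxy. I would add a pinned entry per proxied host, e.g. `"bscpm02.bsc.es".publicKey = "<HOST_KEY_PLACEHOLDER>";`, with the key obtained out of band. The `nc -X connect -x` form also assumes the OpenBSD netcat is the `nc` found on PATH, which deserves a comment next to the ProxyCommand.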
|  | |||||||
| @ -1,9 +0,0 @@ | |||||||
| { |  | ||||||
|   nix.settings.system-features = [ "sys-devices" ]; |  | ||||||
| 
 |  | ||||||
|   programs.nix-required-mounts.enable = true; |  | ||||||
|   programs.nix-required-mounts.allowedPatterns.sys-devices.paths = [ |  | ||||||
|     "/sys/devices/system/cpu" |  | ||||||
|     "/sys/devices/system/node" |  | ||||||
|   ]; |  | ||||||
| } |  | ||||||
| @ -20,7 +20,6 @@ | |||||||
|       rarias = { |       rarias = { | ||||||
|         uid = 1880; |         uid = 1880; | ||||||
|         isNormalUser = true; |         isNormalUser = true; | ||||||
|         linger = true; |  | ||||||
|         home = "/home/Computational/rarias"; |         home = "/home/Computational/rarias"; | ||||||
|         description = "Rodrigo Arias"; |         description = "Rodrigo Arias"; | ||||||
|         group = "Computational"; |         group = "Computational"; | ||||||
| @ -40,7 +39,7 @@ | |||||||
|         home = "/home/Computational/arocanon"; |         home = "/home/Computational/arocanon"; | ||||||
|         description = "Aleix Roca"; |         description = "Aleix Roca"; | ||||||
|         group = "Computational"; |         group = "Computational"; | ||||||
|         extraGroups = [ "wheel" "tracing" ]; |         extraGroups = [ "wheel" ]; | ||||||
|         hashedPassword = "$6$hliZiW4tULC/tH7p$pqZarwJkNZ7vS0G5llWQKx08UFG9DxDYgad7jplMD8WkZh5k58i4dfPoWtnEShfjTO6JHiIin05ny5lmSXzGM/"; |         hashedPassword = "$6$hliZiW4tULC/tH7p$pqZarwJkNZ7vS0G5llWQKx08UFG9DxDYgad7jplMD8WkZh5k58i4dfPoWtnEShfjTO6JHiIin05ny5lmSXzGM/"; | ||||||
|         openssh.authorizedKeys.keys = [ |         openssh.authorizedKeys.keys = [ | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3zeB5KSimMBAjvzsp1GCkepVaquVZGPYwRIzyzaCba aleix@bsc" |           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3zeB5KSimMBAjvzsp1GCkepVaquVZGPYwRIzyzaCba aleix@bsc" | ||||||
| @ -56,7 +55,7 @@ | |||||||
|         home = "/home/Computational/rpenacob"; |         home = "/home/Computational/rpenacob"; | ||||||
|         description = "Raúl Peñacoba"; |         description = "Raúl Peñacoba"; | ||||||
|         group = "Computational"; |         group = "Computational"; | ||||||
|         hosts = [ "apex" "owl1" "owl2" "hut" "tent" "fox" ]; |         hosts = [ "owl1" "owl2" "hut" ]; | ||||||
|         hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/"; |         hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/"; | ||||||
|         openssh.authorizedKeys.keys = [ |         openssh.authorizedKeys.keys = [ | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc" |           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc" | ||||||
| @ -69,10 +68,10 @@ | |||||||
|         home = "/home/Computational/anavarro"; |         home = "/home/Computational/anavarro"; | ||||||
|         description = "Antoni Navarro"; |         description = "Antoni Navarro"; | ||||||
|         group = "Computational"; |         group = "Computational"; | ||||||
|         hosts = [ "apex" "hut" "tent" "raccoon" "fox" "weasel" ]; |         hosts = [ "hut" "raccoon" "fox" ]; | ||||||
|         hashedPassword = "$6$EgturvVYXlKgP43g$gTN78LLHIhaF8hsrCXD.O6mKnZSASWSJmCyndTX8QBWT6wTlUhcWVAKz65lFJPXjlJA4u7G1ydYQ0GG6Wk07b1"; |         hashedPassword = "$6$QdNDsuLehoZTYZlb$CDhCouYDPrhoiB7/seu7RF.Gqg4zMQz0n5sA4U1KDgHaZOxy2as9pbIGeF8tOHJKRoZajk5GiaZv0rZMn7Oq31"; | ||||||
|         openssh.authorizedKeys.keys = [ |         openssh.authorizedKeys.keys = [ | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMsbM21uepnJwPrRe6jYFz8zrZ6AYMtSEvvt4c9spmFP toni@delltoni" |           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWjRSlKgzBPZQhIeEtk6Lvws2XNcYwHcwPv4osSgst5 anavarro@ssfhead" | ||||||
|         ]; |         ]; | ||||||
|       }; |       }; | ||||||
| 
 | 
 | ||||||
| @ -82,7 +81,7 @@ | |||||||
|         home = "/home/Computational/abonerib"; |         home = "/home/Computational/abonerib"; | ||||||
|         description = "Aleix Boné"; |         description = "Aleix Boné"; | ||||||
|         group = "Computational"; |         group = "Computational"; | ||||||
|         hosts = [ "apex" "owl1" "owl2" "hut" "tent" "raccoon" "fox" "weasel" ]; |         hosts = [ "owl1" "owl2" "hut" "raccoon" ]; | ||||||
|         hashedPassword = "$6$V1EQWJr474whv7XJ$OfJ0wueM2l.dgiJiiah0Tip9ITcJ7S7qDvtSycsiQ43QBFyP4lU0e0HaXWps85nqB4TypttYR4hNLoz3bz662/"; |         hashedPassword = "$6$V1EQWJr474whv7XJ$OfJ0wueM2l.dgiJiiah0Tip9ITcJ7S7qDvtSycsiQ43QBFyP4lU0e0HaXWps85nqB4TypttYR4hNLoz3bz662/"; | ||||||
|         openssh.authorizedKeys.keys = [ |         openssh.authorizedKeys.keys = [ | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc" |           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc" | ||||||
| @ -95,7 +94,7 @@ | |||||||
|         home = "/home/Computational/vlopez"; |         home = "/home/Computational/vlopez"; | ||||||
|         description = "Victor López"; |         description = "Victor López"; | ||||||
|         group = "Computational"; |         group = "Computational"; | ||||||
|         hosts = [ "apex" "koro" ]; |         hosts = [ "koro" ]; | ||||||
|         hashedPassword = "$6$0ZBkgIYE/renVqtt$1uWlJsb0FEezRVNoETTzZMx4X2SvWiOsKvi0ppWCRqI66S6TqMBXBdP4fcQyvRRBt0e4Z7opZIvvITBsEtO0f0"; |         hashedPassword = "$6$0ZBkgIYE/renVqtt$1uWlJsb0FEezRVNoETTzZMx4X2SvWiOsKvi0ppWCRqI66S6TqMBXBdP4fcQyvRRBt0e4Z7opZIvvITBsEtO0f0"; | ||||||
|         openssh.authorizedKeys.keys = [ |         openssh.authorizedKeys.keys = [ | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMwlUZRf9jfG666Qa5Sb+KtEhXqkiMlBV2su3x/dXHq victor@arch" |           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMwlUZRf9jfG666Qa5Sb+KtEhXqkiMlBV2su3x/dXHq victor@arch" | ||||||
| @ -108,7 +107,7 @@ | |||||||
|         home = "/home/Computational/dbautist"; |         home = "/home/Computational/dbautist"; | ||||||
|         description = "Dylan Bautista Cases"; |         description = "Dylan Bautista Cases"; | ||||||
|         group = "Computational"; |         group = "Computational"; | ||||||
|         hosts = [ "apex" "hut" "tent" "raccoon" ]; |         hosts = [ "hut" ]; | ||||||
|         hashedPassword = "$6$a2lpzMRVkG9nSgIm$12G6.ka0sFX1YimqJkBAjbvhRKZ.Hl090B27pdbnQOW0wzyxVWySWhyDDCILjQELky.HKYl9gqOeVXW49nW7q/"; |         hashedPassword = "$6$a2lpzMRVkG9nSgIm$12G6.ka0sFX1YimqJkBAjbvhRKZ.Hl090B27pdbnQOW0wzyxVWySWhyDDCILjQELky.HKYl9gqOeVXW49nW7q/"; | ||||||
|         openssh.authorizedKeys.keys = [ |         openssh.authorizedKeys.keys = [ | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAb+EQBoS98zrCwnGKkHKwMLdYABMTqv7q9E0+T0QmkS dbautist@bsc-848818791" |           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAb+EQBoS98zrCwnGKkHKwMLdYABMTqv7q9E0+T0QmkS dbautist@bsc-848818791" | ||||||
| @ -121,83 +120,16 @@ | |||||||
|         home = "/home/Computational/dalvare1"; |         home = "/home/Computational/dalvare1"; | ||||||
|         description = "David Álvarez"; |         description = "David Álvarez"; | ||||||
|         group = "Computational"; |         group = "Computational"; | ||||||
|         hosts = [ "apex" "hut" "tent" "fox" ]; |         hosts = [ "hut" "fox" ]; | ||||||
|         hashedPassword = "$6$mpyIsV3mdq.rK8$FvfZdRH5OcEkUt5PnIUijWyUYZvB1SgeqxpJ2p91TTe.3eQIDTcLEQ5rxeg.e5IEXAZHHQ/aMsR5kPEujEghx0"; |         hashedPassword = "$6$mpyIsV3mdq.rK8$FvfZdRH5OcEkUt5PnIUijWyUYZvB1SgeqxpJ2p91TTe.3eQIDTcLEQ5rxeg.e5IEXAZHHQ/aMsR5kPEujEghx0"; | ||||||
|         openssh.authorizedKeys.keys = [ |         openssh.authorizedKeys.keys = [ | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGEfy6F4rF80r4Cpo2H5xaWqhuUZzUsVsILSKGJzt5jF dalvare1@ssfhead" |           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGEfy6F4rF80r4Cpo2H5xaWqhuUZzUsVsILSKGJzt5jF dalvare1@ssfhead" | ||||||
|         ]; |         ]; | ||||||
|       }; |       }; | ||||||
| 
 |  | ||||||
|       varcila = { |  | ||||||
|         uid = 5650; |  | ||||||
|         isNormalUser = true; |  | ||||||
|         home = "/home/Computational/varcila"; |  | ||||||
|         description = "Vincent Arcila"; |  | ||||||
|         group = "Computational"; |  | ||||||
|         hosts = [ "apex" "hut" "tent" "fox" ]; |  | ||||||
|         hashedPassword = "$6$oB0Tcn99DcM4Ch$Vn1A0ulLTn/8B2oFPi9wWl/NOsJzaFAWjqekwcuC9sMC7cgxEVb.Nk5XSzQ2xzYcNe5MLtmzkVYnRS1CqP39Y0"; |  | ||||||
|         openssh.authorizedKeys.keys = [ |  | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch" |  | ||||||
|         ]; |  | ||||||
|       }; |  | ||||||
| 
 |  | ||||||
|       pmartin1 = { |  | ||||||
|         # Arbitrary UID but large so it doesn't collide with other users on ssfhead. |  | ||||||
|         uid = 9652; |  | ||||||
|         isNormalUser = true; |  | ||||||
|         home = "/home/Computational/pmartin1"; |  | ||||||
|         description = "Pedro J. Martinez-Ferrer"; |  | ||||||
|         group = "Computational"; |  | ||||||
|         hosts = [ "fox" ]; |  | ||||||
|         hashedPassword = "$6$nIgDMGnt4YIZl3G.$.JQ2jXLtDPRKsbsJfJAXdSvjDIzRrg7tNNjPkLPq3KJQhMjfDXRUvzagUHUU2TrE2hHM8/6uq8ex0UdxQ0ysl."; |  | ||||||
|         openssh.authorizedKeys.keys = [ |  | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIV5LEAII5rfe1hYqDYIIrhb1gOw7RcS1p2mhOTqG+zc pedro@pedro-ThinkPad-P14s-Gen-2a" |  | ||||||
|         ]; |  | ||||||
|       }; |  | ||||||
| 
 |  | ||||||
|       csiringo = { |  | ||||||
|         uid = 9653; |  | ||||||
|         isNormalUser = true; |  | ||||||
|         home = "/home/Computational/csiringo"; |  | ||||||
|         description = "Cesare Siringo"; |  | ||||||
|         group = "Computational"; |  | ||||||
|         hosts = [ ]; |  | ||||||
|         hashedPassword = "$6$0IsZlju8jFukLlAw$VKm0FUXbS.mVmPm3rcJeizTNU4IM5Nmmy21BvzFL.cQwvlGwFI1YWRQm6gsbd4nbg47mPDvYkr/ar0SlgF6GO1"; |  | ||||||
|         openssh.authorizedKeys.keys = [ |  | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHA65zvvG50iuFEMf+guRwZB65jlGXfGLF4HO+THFaed csiringo@bsc.es" |  | ||||||
|         ]; |  | ||||||
|       }; |  | ||||||
| 
 |  | ||||||
|       acinca = { |  | ||||||
|         uid = 9654; |  | ||||||
|         isNormalUser = true; |  | ||||||
|         home = "/home/Computational/acinca"; |  | ||||||
|         description = "Arnau Cinca"; |  | ||||||
|         group = "Computational"; |  | ||||||
|         hosts = [ "apex" "hut" "fox" "owl1" "owl2" ]; |  | ||||||
|         hashedPassword = "$6$S6PUeRpdzYlidxzI$szyvWejQ4hEN76yBYhp1diVO5ew1FFg.cz4lKiXt2Idy4XdpifwrFTCIzLTs5dvYlR62m7ekA5MrhcVxR5F/q/"; |  | ||||||
|         openssh.authorizedKeys.keys = [ |  | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFmMqKqPg4uocNOr3O41kLbZMOMJn3m2ZdN1JvTR96z3 bsccns@arnau-bsc" |  | ||||||
|         ]; |  | ||||||
|       }; |  | ||||||
| 
 |  | ||||||
|       aaguirre = { |  | ||||||
|         uid = 9655; |  | ||||||
|         isNormalUser = true; |  | ||||||
|         home = "/home/Computational/aaguirre"; |  | ||||||
|         description = "Alejandro Aguirre"; |  | ||||||
|         group = "Computational"; |  | ||||||
|         hosts = [ "apex" "hut" ]; |  | ||||||
|         hashedPassword = "$6$TXRXQT6jjBvxkxU6$E.sh5KspAm1qeG5Ct7OPHpo8REmbGDwjFGvqeGgTVz3GASGOAnPL7UMZsMAsAKBoahOw.v8LNno6XGrTEPzZH1"; |  | ||||||
|         openssh.authorizedKeys.keys = [ |  | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlRX7ZCnqtUJYCxKgWmgSrFCYuA2LHY96rVwqxXPl86 aaguirre@BSC-8488184117" |  | ||||||
|         ]; |  | ||||||
|       }; |  | ||||||
|     }; |     }; | ||||||
| 
 | 
 | ||||||
|     groups = { |     groups = { | ||||||
|       Computational = { gid = 564; }; |       Computational = { gid = 564; }; | ||||||
|       tracing = { }; |  | ||||||
|     }; |     }; | ||||||
|   }; |   }; | ||||||
| } | } | ||||||
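Review bot: The replaced `hashedPassword` for anavarro (hunk at -69,10) commits a fresh sha512crypt hash as a literal, as the other accounts in this file do, so it is readable in the repository history and, as far as NixOS handles this option, in the world-readable Nix store of every host that builds the configuration. `$6$` hashes can be attacked offline by anyone who can read them, and the same pattern covers accounts with `extraGroups = [ "wheel" ]` such as arocanon. Since the configuration already uses agenix for the WireGuard key elsewhere on this page, I would keep the hashes in age secrets and reference them with `hashedPasswordFile = config.age.secrets.<SECRET_NAME>.path;` (if the NixOS release in use provides that option), or rely on the SSH keys alone. The users block starts above the first hunk of this section.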
|  | |||||||
| @ -1,10 +0,0 @@ | |||||||
| { |  | ||||||
|   # Provides the base system for a xeon node in the SSF rack. |  | ||||||
|   imports = [ |  | ||||||
|     ./xeon.nix |  | ||||||
|     ./ssf/fs.nix |  | ||||||
|     ./ssf/hosts.nix |  | ||||||
|     ./ssf/hosts-remote.nix |  | ||||||
|     ./ssf/net.nix |  | ||||||
|   ]; |  | ||||||
| } |  | ||||||
| @ -1,9 +0,0 @@ | |||||||
| { pkgs, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   networking.hosts = { |  | ||||||
|     # Remote hosts visible from compute nodes |  | ||||||
|     "10.106.0.236" = [ "raccoon" ]; |  | ||||||
|     "10.0.44.4" = [ "tent" ]; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,23 +0,0 @@ | |||||||
| { pkgs, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   networking.hosts = { |  | ||||||
|     # Login |  | ||||||
|     "10.0.40.30" = [ "apex" ]; |  | ||||||
| 
 |  | ||||||
|     # Storage |  | ||||||
|     "10.0.40.40" = [ "bay" ];   "10.0.42.40" = [ "bay-ib" ];    "10.0.40.141" = [ "bay-ipmi" ]; |  | ||||||
|     "10.0.40.41" = [ "oss01" ]; "10.0.42.41" = [ "oss01-ib0" ]; "10.0.40.142" = [ "oss01-ipmi" ]; |  | ||||||
|     "10.0.40.42" = [ "lake2" ]; "10.0.42.42" = [ "lake2-ib" ];  "10.0.40.143" = [ "lake2-ipmi" ]; |  | ||||||
| 
 |  | ||||||
|     # Xeon compute |  | ||||||
|     "10.0.40.1" = [ "owl1" ];   "10.0.42.1" = [ "owl1-ib" ];   "10.0.40.101" = [ "owl1-ipmi" ]; |  | ||||||
|     "10.0.40.2" = [ "owl2" ];   "10.0.42.2" = [ "owl2-ib" ];   "10.0.40.102" = [ "owl2-ipmi" ]; |  | ||||||
|     "10.0.40.3" = [ "xeon03" ]; "10.0.42.3" = [ "xeon03-ib" ]; "10.0.40.103" = [ "xeon03-ipmi" ]; |  | ||||||
|     #"10.0.40.4" = [ "tent" ];   "10.0.42.4" = [ "tent-ib" ];   "10.0.40.104" = [ "tent-ipmi" ]; |  | ||||||
|     "10.0.40.5" = [ "koro" ];   "10.0.42.5" = [ "koro-ib" ];   "10.0.40.105" = [ "koro-ipmi" ]; |  | ||||||
|     "10.0.40.6" = [ "weasel" ]; "10.0.42.6" = [ "weasel-ib" ]; "10.0.40.106" = [ "weasel-ipmi" ]; |  | ||||||
|     "10.0.40.7" = [ "hut" ];    "10.0.42.7" = [ "hut-ib" ];    "10.0.40.107" = [ "hut-ipmi" ]; |  | ||||||
|     "10.0.40.8" = [ "eudy" ];   "10.0.42.8" = [ "eudy-ib" ];   "10.0.40.108" = [ "eudy-ipmi" ]; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,23 +0,0 @@ | |||||||
| { pkgs, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   # Infiniband (IPoIB) |  | ||||||
|   environment.systemPackages = [ pkgs.rdma-core ]; |  | ||||||
|   boot.kernelModules = [ "ib_umad" "ib_ipoib" ]; |  | ||||||
| 
 |  | ||||||
|   networking = { |  | ||||||
|     defaultGateway = "10.0.40.30"; |  | ||||||
|     nameservers = ["8.8.8.8"]; |  | ||||||
| 
 |  | ||||||
|     firewall = { |  | ||||||
|       extraCommands = '' |  | ||||||
|         # Prevent ssfhead from contacting our slurmd daemon |  | ||||||
|         iptables -A nixos-fw -p tcp -s ssfhead --dport 6817:6819 -j nixos-fw-refuse |  | ||||||
|         # But accept traffic to slurm ports from any other node in the subnet |  | ||||||
|         iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 6817:6819 -j nixos-fw-accept |  | ||||||
|         # We also need to open the srun port range |  | ||||||
|         iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 60000:61000 -j nixos-fw-accept |  | ||||||
|       ''; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,7 +1,9 @@ | |||||||
| { | { | ||||||
|   # Provides the base system for a xeon node, not necessarily in the SSF rack. |   # Provides the base system for a xeon node. | ||||||
|   imports = [ |   imports = [ | ||||||
|     ./base.nix |     ./base.nix | ||||||
|  |     ./xeon/fs.nix | ||||||
|     ./xeon/console.nix |     ./xeon/console.nix | ||||||
|  |     ./xeon/net.nix | ||||||
|   ]; |   ]; | ||||||
| } | } | ||||||
|  | |||||||
							
								
								
									
									
								
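--- a/m/common/xeon/net.nix
+++ b/m/common/xeon/net.nix
@@ -0,0 +1,94 @@
+{ pkgs, ... }:
+
+{
+  # Infiniband (IPoIB)
+  environment.systemPackages = [ pkgs.rdma-core ];
+  boot.kernelModules = [ "ib_umad" "ib_ipoib" ];
+
+  networking = {
+    defaultGateway = "10.0.40.30";
+    nameservers = ["8.8.8.8"];
+
+    proxy = {
+      default = "http://hut:23080/";
+      noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40";
+      # Don't set all_proxy as go complains and breaks the gitlab runner, see:
+      # https://github.com/golang/go/issues/16715
+      allProxy = null;
+    };
+
+    firewall = {
+      extraCommands = ''
+        # Prevent ssfhead from contacting our slurmd daemon
+        iptables -A nixos-fw -p tcp -s ssfhead --dport 6817:6819 -j nixos-fw-refuse
+        # But accept traffic to slurm ports from any other node in the subnet
+        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 6817:6819 -j nixos-fw-accept
+        # We also need to open the srun port range
+        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 60000:61000 -j nixos-fw-accept
+      '';
+    };
+
+    extraHosts = ''
+      10.0.40.30              ssfhead
+      
+      # Node Entry for node: mds01 (ID=72)
+      10.0.40.40              bay mds01 mds01-eth0
+      10.0.42.40              bay-ib mds01-ib0
+      10.0.40.141             bay-ipmi mds01-ipmi0 mds01-ipmi
+      
+      # Node Entry for node: oss01 (ID=73)
+      10.0.40.41              oss01 oss01-eth0
+      10.0.42.41              oss01-ib0
+      10.0.40.142             oss01-ipmi0 oss01-ipmi
+      
+      # Node Entry for node: oss02 (ID=74)
+      10.0.40.42              lake2 oss02 oss02-eth0
+      10.0.42.42              lake2-ib oss02-ib0
+      10.0.40.143             lake2-ipmi oss02-ipmi0 oss02-ipmi
+      
+      # Node Entry for node: xeon01 (ID=15)
+      10.0.40.1               owl1 xeon01 xeon01-eth0
+      10.0.42.1               owl1-ib xeon01-ib0
+      10.0.40.101             owl1-ipmi xeon01-ipmi0 xeon01-ipmi
+      
+      # Node Entry for node: xeon02 (ID=16)
+      10.0.40.2               owl2 xeon02 xeon02-eth0
+      10.0.42.2               owl2-ib xeon02-ib0
+      10.0.40.102             owl2-ipmi xeon02-ipmi0 xeon02-ipmi
+      
+      # Node Entry for node: xeon03 (ID=17)
+      10.0.40.3               xeon03 xeon03-eth0
+      10.0.42.3               xeon03-ib0
+      10.0.40.103             xeon03-ipmi0 xeon03-ipmi
+      
+      # Node Entry for node: xeon04 (ID=18)
+      10.0.40.4               xeon04 xeon04-eth0
+      10.0.42.4               xeon04-ib0
+      10.0.40.104             xeon04-ipmi0 xeon04-ipmi
+      
+      # Node Entry for node: xeon05 (ID=19)
+      10.0.40.5               koro xeon05 xeon05-eth0
+      10.0.42.5               koro-ib xeon05-ib0
+      10.0.40.105             koro-ipmi xeon05-ipmi0
+      
+      # Node Entry for node: xeon06 (ID=20)
+      10.0.40.6               xeon06 xeon06-eth0
+      10.0.42.6               xeon06-ib0
+      10.0.40.106             xeon06-ipmi0 xeon06-ipmi
+      
+      # Node Entry for node: xeon07 (ID=21)
+      10.0.40.7               hut xeon07 xeon07-eth0
+      10.0.42.7               hut-ib xeon07-ib0
+      10.0.40.107             hut-ipmi xeon07-ipmi0 xeon07-ipmi
+      
+      # Node Entry for node: xeon08 (ID=22)
+      10.0.40.8               eudy xeon08 xeon08-eth0
+      10.0.42.8               eudy-ib xeon08-ib0
+      10.0.40.108             eudy-ipmi xeon08-ipmi0 xeon08-ipmi
+
+      # fox
+      10.0.40.26              fox
+      10.0.40.126             fox-ipmi
+    '';
+  };
+}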
| @ -2,14 +2,13 @@ | |||||||
| 
 | 
 | ||||||
| { | { | ||||||
|   imports = [ |   imports = [ | ||||||
|     ../common/ssf.nix |     ../common/xeon.nix | ||||||
|     #(modulesPath + "/installer/netboot/netboot-minimal.nix") |     #(modulesPath + "/installer/netboot/netboot-minimal.nix") | ||||||
| 
 | 
 | ||||||
|     ./kernel/kernel.nix |     ./kernel/kernel.nix | ||||||
|     ./cpufreq.nix |     ./cpufreq.nix | ||||||
|     ./fs.nix |     ./fs.nix | ||||||
|     ./users.nix |     ./users.nix | ||||||
|     ../module/hut-substituter.nix |  | ||||||
|     ../module/debuginfod.nix |     ../module/debuginfod.nix | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|  | |||||||
							
								
								
									
										10326
									
								
								m/eudy/kernel/configs/defconfig
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							
										
											
												File diff suppressed because it is too large
											
										
									
								
							
							
								
								
									
										10333
									
								
								m/eudy/kernel/configs/lockdep
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							
										
											
												File diff suppressed because it is too large
											
										
									
								
							| @ -2,20 +2,13 @@ | |||||||
| 
 | 
 | ||||||
| { | { | ||||||
|   imports = [ |   imports = [ | ||||||
|     ../common/base.nix |     ../common/xeon.nix | ||||||
|     ../common/xeon/console.nix |     ../module/ceph.nix | ||||||
|     ../module/amd-uprof.nix |  | ||||||
|     ../module/emulation.nix |     ../module/emulation.nix | ||||||
|     ../module/nvidia.nix |  | ||||||
|     ../module/slurm-client.nix |     ../module/slurm-client.nix | ||||||
|     ../module/hut-substituter.nix |     ../module/slurm-firewall.nix | ||||||
|     ./wireguard.nix |  | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|   # Don't turn off on August as UPC has different dates. |  | ||||||
|   # Fox works fine on power cuts. |  | ||||||
|   systemd.timers.august-shutdown.enable = false; |  | ||||||
| 
 |  | ||||||
|   # Select the this using the ID to avoid mismatches |   # Select the this using the ID to avoid mismatches | ||||||
|   boot.loader.grub.device = "/dev/disk/by-id/wwn-0x500a07514b0c1103"; |   boot.loader.grub.device = "/dev/disk/by-id/wwn-0x500a07514b0c1103"; | ||||||
| 
 | 
 | ||||||
| @ -23,60 +16,30 @@ | |||||||
|   swapDevices = lib.mkForce []; |   swapDevices = lib.mkForce []; | ||||||
| 
 | 
 | ||||||
|   boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; |   boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; | ||||||
|   boot.kernelModules = [ "kvm-amd" "amd_uncore" "amd_hsmp" ]; |   boot.kernelModules = [ "kvm-amd" ]; | ||||||
| 
 | 
 | ||||||
|   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; |   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; | ||||||
|   hardware.cpu.intel.updateMicrocode = lib.mkForce false; |   hardware.cpu.intel.updateMicrocode = lib.mkForce false; | ||||||
| 
 | 
 | ||||||
|   # Use performance for benchmarks |  | ||||||
|   powerManagement.cpuFreqGovernor = "performance"; |  | ||||||
| 
 |  | ||||||
|   services.amd-uprof.enable = true; |  | ||||||
| 
 |  | ||||||
|   # Disable NUMA balancing |  | ||||||
|   boot.kernel.sysctl."kernel.numa_balancing" = 0; |  | ||||||
| 
 |  | ||||||
|   # Expose kernel addresses |  | ||||||
|   boot.kernel.sysctl."kernel.kptr_restrict" = 0; |  | ||||||
| 
 |  | ||||||
|   # Disable NMI watchdog to save one hw counter (for AMD uProf) |  | ||||||
|   boot.kernel.sysctl."kernel.nmi_watchdog" = 0; |  | ||||||
| 
 |  | ||||||
|   services.openssh.settings.X11Forwarding = true; |  | ||||||
| 
 |  | ||||||
|   services.fail2ban.enable = true; |  | ||||||
| 
 |  | ||||||
|   networking = { |   networking = { | ||||||
|     timeServers = [ "ntp1.upc.edu" "ntp2.upc.edu" ]; |  | ||||||
|     hostName = "fox"; |     hostName = "fox"; | ||||||
|     # UPC network (may change over time, use DHCP) |     interfaces.enp1s0f0np0.ipv4.addresses = [ { | ||||||
|     # Public IP configuration: |       address = "10.0.40.26"; | ||||||
|     # - Hostname: fox.ac.upc.edu |       prefixLength = 24; | ||||||
|     # - IP: 147.83.30.141 |     } ]; | ||||||
|     # - Gateway: 147.83.30.130 |  | ||||||
|     # - NetMask: 255.255.255.192 |  | ||||||
|     # Private IP configuration for BMC: |  | ||||||
|     # - Hostname: fox-ipmi.ac.upc.edu |  | ||||||
|     # - IP: 147.83.35.27 |  | ||||||
|     # - Gateway: 147.83.35.2 |  | ||||||
|     # - NetMask: 255.255.255.0 |  | ||||||
|     interfaces.enp1s0f0np0.useDHCP = true; |  | ||||||
|   }; |   }; | ||||||
| 
 | 
 | ||||||
|   # Recommended for new graphics cards |   # Configure Nvidia driver to use with CUDA | ||||||
|   hardware.nvidia.open = true; |   hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production; | ||||||
|  |   hardware.graphics.enable = true; | ||||||
|  |   nixpkgs.config.allowUnfree = true; | ||||||
|  |   nixpkgs.config.nvidia.acceptLicense = true; | ||||||
|  |   services.xserver.videoDrivers = [ "nvidia" ]; | ||||||
| 
 | 
 | ||||||
|   # Mount NVME disks |   # Mount NVME disks | ||||||
|   fileSystems."/nvme0" = { device = "/dev/disk/by-label/nvme0"; fsType = "ext4"; }; |   fileSystems."/nvme0" = { device = "/dev/disk/by-label/nvme0"; fsType = "ext4"; }; | ||||||
|   fileSystems."/nvme1" = { device = "/dev/disk/by-label/nvme1"; fsType = "ext4"; }; |   fileSystems."/nvme1" = { device = "/dev/disk/by-label/nvme1"; fsType = "ext4"; }; | ||||||
| 
 | 
 | ||||||
|   # Mount the NFS home |  | ||||||
|   fileSystems."/nfs/home" = { |  | ||||||
|     device = "10.106.0.30:/home"; |  | ||||||
|     fsType = "nfs"; |  | ||||||
|     options = [ "nfsvers=3" "rsize=1024" "wsize=1024" "cto" "nofail" ]; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   # Make a /nvme{0,1}/$USER directory for each user. |   # Make a /nvme{0,1}/$USER directory for each user. | ||||||
|   systemd.services.create-nvme-dirs = let |   systemd.services.create-nvme-dirs = let | ||||||
|     # Take only normal users in fox |     # Take only normal users in fox | ||||||
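Review bot: `nixpkgs.config.allowUnfree = true;` in the second hunk permits every unfree package for this host's package set, although the only stated need in the hunk is the NVIDIA driver for CUDA. A narrower setting keeps other unfree or unreviewed-licence dependencies from being pulled in silently, for example `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "nvidia-x11" ];`, extending the list with whatever names evaluation reports as blocked. The module's attribute set and the `create-nvme-dirs` definition continue past the end of this hunk.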
|  | |||||||
| @ -1,54 +0,0 @@ | |||||||
| { config, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   networking.firewall = { |  | ||||||
|     allowedUDPPorts = [ 666 ]; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   age.secrets.wgFox.file = ../../secrets/wg-fox.age; |  | ||||||
| 
 |  | ||||||
|   networking.wireguard.enable = true; |  | ||||||
|   networking.wireguard.interfaces = { |  | ||||||
|     # "wg0" is the network interface name. You can name the interface arbitrarily. |  | ||||||
|     wg0 = { |  | ||||||
|       # Determines the IP address and subnet of the server's end of the tunnel interface. |  | ||||||
|       ips = [ "10.106.0.1/24" ]; |  | ||||||
| 
 |  | ||||||
|       # The port that WireGuard listens to. Must be accessible by the client. |  | ||||||
|       listenPort = 666; |  | ||||||
| 
 |  | ||||||
|       # Path to the private key file. |  | ||||||
|       privateKeyFile = config.age.secrets.wgFox.path; |  | ||||||
|       # Public key: VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y= |  | ||||||
| 
 |  | ||||||
|       peers = [ |  | ||||||
|         # List of allowed peers. |  | ||||||
|         { |  | ||||||
|           name = "apex"; |  | ||||||
|           publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA="; |  | ||||||
|           # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. |  | ||||||
|           allowedIPs = [ "10.106.0.30/32" "10.0.40.7/32" ]; |  | ||||||
|         } |  | ||||||
|         { |  | ||||||
|           name = "raccoon"; |  | ||||||
|           publicKey = "QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI="; |  | ||||||
|           allowedIPs = [ "10.106.0.236/32" "192.168.0.0/16" "10.0.44.0/24" ]; |  | ||||||
|         } |  | ||||||
|       ]; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   networking.hosts = { |  | ||||||
|     "10.106.0.30" = [ "apex" ]; |  | ||||||
|     "10.0.40.7" = [ "hut" ]; |  | ||||||
|     "10.106.0.236" = [ "raccoon" ]; |  | ||||||
|     "10.0.44.4" = [ "tent" ]; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   networking.firewall = { |  | ||||||
|     extraCommands = '' |  | ||||||
|       # Accept slurm connections to slurmd from apex (via wireguard) |  | ||||||
|       iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.30/32 -d 10.106.0.1/32 --dport 6818 -j nixos-fw-accept |  | ||||||
|     ''; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -3,12 +3,160 @@ modules: | |||||||
|     prober: http |     prober: http | ||||||
|     timeout: 5s |     timeout: 5s | ||||||
|     http: |     http: | ||||||
|  |       proxy_url: "http://127.0.0.1:23080" | ||||||
|  |       skip_resolve_phase_with_proxy: true | ||||||
|       follow_redirects: true |       follow_redirects: true | ||||||
|       preferred_ip_protocol: "ip4" |  | ||||||
|       valid_status_codes: []  # Defaults to 2xx |       valid_status_codes: []  # Defaults to 2xx | ||||||
|       method: GET |       method: GET | ||||||
|  |   http_with_proxy: | ||||||
|  |     prober: http | ||||||
|  |     http: | ||||||
|  |       proxy_url: "http://127.0.0.1:3128" | ||||||
|  |       skip_resolve_phase_with_proxy: true | ||||||
|  |   http_with_proxy_and_headers: | ||||||
|  |     prober: http | ||||||
|  |     http: | ||||||
|  |       proxy_url: "http://127.0.0.1:3128" | ||||||
|  |       proxy_connect_header: | ||||||
|  |         Proxy-Authorization: | ||||||
|  |           - Bearer token | ||||||
|  |   http_post_2xx: | ||||||
|  |     prober: http | ||||||
|  |     timeout: 5s | ||||||
|  |     http: | ||||||
|  |       method: POST | ||||||
|  |       headers: | ||||||
|  |         Content-Type: application/json | ||||||
|  |       body: '{}' | ||||||
|  |   http_post_body_file: | ||||||
|  |     prober: http | ||||||
|  |     timeout: 5s | ||||||
|  |     http: | ||||||
|  |       method: POST | ||||||
|  |       body_file: "/files/body.txt" | ||||||
|  |   http_basic_auth_example: | ||||||
|  |     prober: http | ||||||
|  |     timeout: 5s | ||||||
|  |     http: | ||||||
|  |       method: POST | ||||||
|  |       headers: | ||||||
|  |         Host: "login.example.com" | ||||||
|  |       basic_auth: | ||||||
|  |         username: "username" | ||||||
|  |         password: "mysecret" | ||||||
|  |   http_2xx_oauth_client_credentials: | ||||||
|  |     prober: http | ||||||
|  |     timeout: 5s | ||||||
|  |     http: | ||||||
|  |       valid_http_versions: ["HTTP/1.1", "HTTP/2"] | ||||||
|  |       follow_redirects: true | ||||||
|  |       preferred_ip_protocol: "ip4" | ||||||
|  |       valid_status_codes: | ||||||
|  |         - 200 | ||||||
|  |         - 201 | ||||||
|  |       oauth2: | ||||||
|  |         client_id: "client_id" | ||||||
|  |         client_secret: "client_secret" | ||||||
|  |         token_url: "https://api.example.com/token" | ||||||
|  |         endpoint_params: | ||||||
|  |           grant_type: "client_credentials" | ||||||
|  |   http_custom_ca_example: | ||||||
|  |     prober: http | ||||||
|  |     http: | ||||||
|  |       method: GET | ||||||
|  |       tls_config: | ||||||
|  |         ca_file: "/certs/my_cert.crt" | ||||||
|  |   http_gzip: | ||||||
|  |     prober: http | ||||||
|  |     http: | ||||||
|  |       method: GET | ||||||
|  |       compression: gzip | ||||||
|  |   http_gzip_with_accept_encoding: | ||||||
|  |     prober: http | ||||||
|  |     http: | ||||||
|  |       method: GET | ||||||
|  |       compression: gzip | ||||||
|  |       headers: | ||||||
|  |         Accept-Encoding: gzip | ||||||
|  |   tls_connect: | ||||||
|  |     prober: tcp | ||||||
|  |     timeout: 5s | ||||||
|  |     tcp: | ||||||
|  |       tls: true | ||||||
|  |   tcp_connect_example: | ||||||
|  |     prober: tcp | ||||||
|  |     timeout: 5s | ||||||
|  |   imap_starttls: | ||||||
|  |     prober: tcp | ||||||
|  |     timeout: 5s | ||||||
|  |     tcp: | ||||||
|  |       query_response: | ||||||
|  |         - expect: "OK.*STARTTLS" | ||||||
|  |         - send: ". STARTTLS" | ||||||
|  |         - expect: "OK" | ||||||
|  |         - starttls: true | ||||||
|  |         - send: ". capability" | ||||||
|  |         - expect: "CAPABILITY IMAP4rev1" | ||||||
|  |   smtp_starttls: | ||||||
|  |     prober: tcp | ||||||
|  |     timeout: 5s | ||||||
|  |     tcp: | ||||||
|  |       query_response: | ||||||
|  |         - expect: "^220 ([^ ]+) ESMTP (.+)$" | ||||||
|  |         - send: "EHLO prober\r" | ||||||
|  |         - expect: "^250-STARTTLS" | ||||||
|  |         - send: "STARTTLS\r" | ||||||
|  |         - expect: "^220" | ||||||
|  |         - starttls: true | ||||||
|  |         - send: "EHLO prober\r" | ||||||
|  |         - expect: "^250-AUTH" | ||||||
|  |         - send: "QUIT\r" | ||||||
|  |   irc_banner_example: | ||||||
|  |     prober: tcp | ||||||
|  |     timeout: 5s | ||||||
|  |     tcp: | ||||||
|  |       query_response: | ||||||
|  |         - send: "NICK prober" | ||||||
|  |         - send: "USER prober prober prober :prober" | ||||||
|  |         - expect: "PING :([^ ]+)" | ||||||
|  |           send: "PONG ${1}" | ||||||
|  |         - expect: "^:[^ ]+ 001" | ||||||
|   icmp: |   icmp: | ||||||
|     prober: icmp |     prober: icmp | ||||||
|     timeout: 5s |     timeout: 5s | ||||||
|     icmp: |     icmp: | ||||||
|       preferred_ip_protocol: "ip4" |       preferred_ip_protocol: "ip4" | ||||||
|  |   dns_udp_example: | ||||||
|  |     prober: dns | ||||||
|  |     timeout: 5s | ||||||
|  |     dns: | ||||||
|  |       query_name: "www.prometheus.io" | ||||||
|  |       query_type: "A" | ||||||
|  |       valid_rcodes: | ||||||
|  |         - NOERROR | ||||||
|  |       validate_answer_rrs: | ||||||
|  |         fail_if_matches_regexp: | ||||||
|  |           - ".*127.0.0.1" | ||||||
|  |         fail_if_all_match_regexp: | ||||||
|  |           - ".*127.0.0.1" | ||||||
|  |         fail_if_not_matches_regexp: | ||||||
|  |           - "www.prometheus.io.\t300\tIN\tA\t127.0.0.1" | ||||||
|  |         fail_if_none_matches_regexp: | ||||||
|  |           - "127.0.0.1" | ||||||
|  |       validate_authority_rrs: | ||||||
|  |         fail_if_matches_regexp: | ||||||
|  |           - ".*127.0.0.1" | ||||||
|  |       validate_additional_rrs: | ||||||
|  |         fail_if_matches_regexp: | ||||||
|  |           - ".*127.0.0.1" | ||||||
|  |   dns_soa: | ||||||
|  |     prober: dns | ||||||
|  |     dns: | ||||||
|  |       query_name: "prometheus.io" | ||||||
|  |       query_type: "SOA" | ||||||
|  |   dns_tcp_example: | ||||||
|  |     prober: dns | ||||||
|  |     dns: | ||||||
|  |       transport_protocol: "tcp" # defaults to "udp" | ||||||
|  |       preferred_ip_protocol: "ip4" # defaults to "ip6" | ||||||
|  |       query_name: "www.prometheus.io" | ||||||
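Review bot: The added modules from `http_with_proxy` through `dns_tcp_example` look like a stock example set, and they bring credential-shaped placeholders into a deployed config: `password: "mysecret"`, `client_secret: "client_secret"` and `Proxy-Authorization: Bearer token`. If no scrape job references these modules, I would drop them and keep only the modules that are actually probed, so that nobody later fills a real secret into a file tracked in git. If an authenticated probe is needed, the secret should come from a file kept outside the repository rather than an inline value. Separately, the first HTTP module loses `preferred_ip_protocol: "ip4"` while gaining `proxy_url`; a comment such as `# name resolution is left to the proxy on 127.0.0.1:23080` would make that read as intentional.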
|  | |||||||
| @ -2,14 +2,16 @@ | |||||||
| 
 | 
 | ||||||
| { | { | ||||||
|   imports = [ |   imports = [ | ||||||
|     ../common/ssf.nix |     ../common/xeon.nix | ||||||
| 
 | 
 | ||||||
|     ../module/ceph.nix |     ../module/ceph.nix | ||||||
|     ../module/debuginfod.nix |     ../module/debuginfod.nix | ||||||
|     ../module/emulation.nix |     ../module/emulation.nix | ||||||
|  |     ../module/slurm-client.nix | ||||||
|     ./gitlab-runner.nix |     ./gitlab-runner.nix | ||||||
|     ./monitoring.nix |     ./monitoring.nix | ||||||
|     ./nfs.nix |     ./nfs.nix | ||||||
|  |     ./slurm-server.nix | ||||||
|     ./nix-serve.nix |     ./nix-serve.nix | ||||||
|     ./public-inbox.nix |     ./public-inbox.nix | ||||||
|     ./gitea.nix |     ./gitea.nix | ||||||
| @ -54,11 +56,6 @@ | |||||||
|         iptables -A nixos-fw -p tcp -s 10.0.40.30 --dport 23080 -j nixos-fw-log-refuse |         iptables -A nixos-fw -p tcp -s 10.0.40.30 --dport 23080 -j nixos-fw-log-refuse | ||||||
|         iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 23080 -j nixos-fw-accept |         iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 23080 -j nixos-fw-accept | ||||||
|       ''; |       ''; | ||||||
|       # Flush all rules and chains on stop so it won't break on start |  | ||||||
|       extraStopCommands = '' |  | ||||||
|         iptables -F |  | ||||||
|         iptables -X |  | ||||||
|       ''; |  | ||||||
|     }; |     }; | ||||||
|   }; |   }; | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -22,8 +22,8 @@ | |||||||
|           "--docker-network-mode host" |           "--docker-network-mode host" | ||||||
|         ]; |         ]; | ||||||
|         environmentVariables = { |         environmentVariables = { | ||||||
|           https_proxy = "http://hut:23080"; |           https_proxy = "http://localhost:23080"; | ||||||
|           http_proxy = "http://hut:23080"; |           http_proxy = "http://localhost:23080"; | ||||||
|         }; |         }; | ||||||
|       }; |       }; | ||||||
|     in { |     in { | ||||||
| @ -38,13 +38,14 @@ | |||||||
|       gitlab-bsc-docker = { |       gitlab-bsc-docker = { | ||||||
|         # gitlab.bsc.es still uses the old token mechanism |         # gitlab.bsc.es still uses the old token mechanism | ||||||
|         registrationConfigFile = config.age.secrets.gitlab-bsc-docker.path; |         registrationConfigFile = config.age.secrets.gitlab-bsc-docker.path; | ||||||
|         tagList = [ "docker" "hut" ]; |  | ||||||
|         environmentVariables = { |         environmentVariables = { | ||||||
|           # We cannot access the hut local interface from docker, so we connect |           https_proxy = "http://localhost:23080"; | ||||||
|           # to hut directly via the ethernet one. |           http_proxy = "http://localhost:23080"; | ||||||
|           https_proxy = "http://hut:23080"; |  | ||||||
|           http_proxy = "http://hut:23080"; |  | ||||||
|         }; |         }; | ||||||
|  |         # FIXME | ||||||
|  |         registrationFlags = [ | ||||||
|  |           "--docker-network-mode host" | ||||||
|  |         ]; | ||||||
|         executor = "docker"; |         executor = "docker"; | ||||||
|         dockerImage = "alpine"; |         dockerImage = "alpine"; | ||||||
|         dockerVolumes = [ |         dockerVolumes = [ | ||||||
| @ -52,15 +53,7 @@ | |||||||
|           "/nix/var/nix/db:/nix/var/nix/db:ro" |           "/nix/var/nix/db:/nix/var/nix/db:ro" | ||||||
|           "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" |           "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" | ||||||
|         ]; |         ]; | ||||||
|         dockerExtraHosts = [ |  | ||||||
|           # Required to pass the proxy via hut |  | ||||||
|           "hut:10.0.40.7" |  | ||||||
|         ]; |  | ||||||
|         dockerDisableCache = true; |         dockerDisableCache = true; | ||||||
|         registrationFlags = [ |  | ||||||
|           # Increase build log length to 64 MiB |  | ||||||
|           "--output-limit 65536" |  | ||||||
|         ]; |  | ||||||
|         preBuildScript = pkgs.writeScript "setup-container" '' |         preBuildScript = pkgs.writeScript "setup-container" '' | ||||||
|           mkdir -p -m 0755 /nix/var/log/nix/drvs |           mkdir -p -m 0755 /nix/var/log/nix/drvs | ||||||
|           mkdir -p -m 0755 /nix/var/nix/gcroots |           mkdir -p -m 0755 /nix/var/nix/gcroots | ||||||
| @ -73,39 +66,32 @@ | |||||||
|           mkdir -p -m 0700 "$HOME/.nix-defexpr" |           mkdir -p -m 0700 "$HOME/.nix-defexpr" | ||||||
|           mkdir -p -m 0700 "$HOME/.ssh" |           mkdir -p -m 0700 "$HOME/.ssh" | ||||||
|           cat > "$HOME/.ssh/config" << EOF |           cat > "$HOME/.ssh/config" << EOF | ||||||
|           Host bscpm04.bsc.es gitlab-internal.bsc.es |           Host bscpm03.bsc.es gitlab-internal.bsc.es | ||||||
|             User git |             User git | ||||||
|             ProxyCommand nc -X connect -x hut:23080 %h %p |             ProxyCommand nc -X connect -x hut:23080 %h %p | ||||||
|           Host amdlogin1.bsc.es armlogin1.bsc.es hualogin1.bsc.es glogin1.bsc.es glogin2.bsc.es fpgalogin1.bsc.es |           Host amdlogin1.bsc.es armlogin1.bsc.es hualogin1.bsc.es glogin1.bsc.es glogin2.bsc.es fpgalogin1.bsc.es | ||||||
|             ProxyCommand nc -X connect -x hut:23080 %h %p |             ProxyCommand nc -X connect -x hut:23080 %h %p | ||||||
|           EOF |           EOF | ||||||
|           cat >> "$HOME/.ssh/known_hosts" << EOF |           cat >> "$HOME/.ssh/known_hosts" << EOF | ||||||
|           bscpm04.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT |           bscpm03.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS | ||||||
|           gitlab-internal.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3 |           gitlab-internal.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3 | ||||||
|           EOF |           EOF | ||||||
|           . ${pkgs.nix}/etc/profile.d/nix-daemon.sh |           . ${pkgs.nix}/etc/profile.d/nix-daemon.sh | ||||||
|           # Required to load SSL certificate paths |           ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-24.11 nixpkgs | ||||||
|           . ${pkgs.cacert}/nix-support/setup-hook |           ${pkgs.nix}/bin/nix-channel --update nixpkgs | ||||||
|  |           ${pkgs.nix}/bin/nix-env -i ${lib.concatStringsSep " " (with pkgs; [ nix cacert git openssh netcat curl ])} | ||||||
|         ''; |         ''; | ||||||
|         environmentVariables = { |         environmentVariables = { | ||||||
|           ENV = "/etc/profile"; |           ENV = "/etc/profile"; | ||||||
|           USER = "root"; |           USER = "root"; | ||||||
|           NIX_REMOTE = "daemon"; |           NIX_REMOTE = "daemon"; | ||||||
|           PATH = "${config.system.path}/bin:/bin:/sbin:/usr/bin:/usr/sbin"; |           PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; | ||||||
|  |           NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; | ||||||
|         }; |         }; | ||||||
|       }; |       }; | ||||||
|     }; |     }; | ||||||
|   }; |   }; | ||||||
| 
 | 
 | ||||||
|   # DOCKER* chains are useless, override at FORWARD and nixos-fw |  | ||||||
|   networking.firewall.extraCommands = '' |  | ||||||
|     # Don't forward any traffic from docker |  | ||||||
|     iptables -I FORWARD 1 -p all -i docker0 -j nixos-fw-log-refuse |  | ||||||
| 
 |  | ||||||
|     # Allow incoming traffic from docker to 23080 |  | ||||||
|     iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j ACCEPT |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
|   #systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash"; |   #systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash"; | ||||||
|   systemd.services.gitlab-runner.serviceConfig.DynamicUser = lib.mkForce false; |   systemd.services.gitlab-runner.serviceConfig.DynamicUser = lib.mkForce false; | ||||||
|   systemd.services.gitlab-runner.serviceConfig.User = "gitlab-runner"; |   systemd.services.gitlab-runner.serviceConfig.User = "gitlab-runner"; | ||||||
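Review bot: The `gitlab-bsc-docker` runner now registers with `--docker-network-mode host` under a bare `# FIXME`, and the last hunk removes the `iptables -I FORWARD 1 -p all -i docker0 -j nixos-fw-log-refuse` rule, so job containers share the host's network namespace instead of being confined to docker0. Any service bound to 127.0.0.1 on this machine, including the proxy at `localhost:23080`, becomes reachable from CI job code, which is a wider trust boundary than the previous bridge setup with `dockerExtraHosts = [ "hut:10.0.40.7" ];`. I would either keep bridge networking with that host entry and the docker0 accept rule for port 23080, or replace `# FIXME` with a comment stating why host networking is required and which loopback services jobs are expected to reach. The `preBuildScript` also still writes `ProxyCommand nc -X connect -x hut:23080 %h %p` while the environment variables use `localhost:23080`; the two should agree.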
|  | |||||||
| @ -3,10 +3,7 @@ | |||||||
| { | { | ||||||
|   imports = [ |   imports = [ | ||||||
|     ../module/slurm-exporter.nix |     ../module/slurm-exporter.nix | ||||||
|     ../module/meteocat-exporter.nix |  | ||||||
|     ../module/upc-qaire-exporter.nix |  | ||||||
|     ./gpfs-probe.nix |     ./gpfs-probe.nix | ||||||
|     ../module/nix-daemon-exporter.nix |  | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|   age.secrets.grafanaJungleRobotPassword = { |   age.secrets.grafanaJungleRobotPassword = { | ||||||
| @ -49,7 +46,7 @@ | |||||||
|   services.prometheus = { |   services.prometheus = { | ||||||
|     enable = true; |     enable = true; | ||||||
|     port = 9001; |     port = 9001; | ||||||
|     retentionTime = "5y"; |     retentionTime = "1y"; | ||||||
|     listenAddress = "127.0.0.1"; |     listenAddress = "127.0.0.1"; | ||||||
|   }; |   }; | ||||||
| 
 | 
 | ||||||
| @ -79,7 +76,7 @@ | |||||||
|         group = "root"; |         group = "root"; | ||||||
|         user = "root"; |         user = "root"; | ||||||
|         configFile = config.age.secrets.ipmiYml.path; |         configFile = config.age.secrets.ipmiYml.path; | ||||||
|         # extraFlags = [ "--log.level=debug" ]; |         extraFlags = [ "--log.level=debug" ]; | ||||||
|         listenAddress = "127.0.0.1"; |         listenAddress = "127.0.0.1"; | ||||||
|       }; |       }; | ||||||
|       node = { |       node = { | ||||||
| @ -111,9 +108,6 @@ | |||||||
|             "127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}" |             "127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}" | ||||||
|             "127.0.0.1:9341" # Slurm exporter |             "127.0.0.1:9341" # Slurm exporter | ||||||
|             "127.0.0.1:9966" # GPFS custom exporter |             "127.0.0.1:9966" # GPFS custom exporter | ||||||
|             "127.0.0.1:9999" # Nix-daemon custom exporter |  | ||||||
|             "127.0.0.1:9929" # Meteocat custom exporter |  | ||||||
|             "127.0.0.1:9928" # UPC Qaire custom exporter |  | ||||||
|             "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}" |             "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}" | ||||||
|           ]; |           ]; | ||||||
|         }]; |         }]; | ||||||
| @ -169,9 +163,6 @@ | |||||||
|             "8.8.8.8" |             "8.8.8.8" | ||||||
|             "ssfhead" |             "ssfhead" | ||||||
|             "anella-bsc.cesca.cat" |             "anella-bsc.cesca.cat" | ||||||
|             "upc-anella.cesca.cat" |  | ||||||
|             "fox.ac.upc.edu" |  | ||||||
|             "arenys5.ac.upc.edu" |  | ||||||
|           ]; |           ]; | ||||||
|         }]; |         }]; | ||||||
|         relabel_configs = [ |         relabel_configs = [ | ||||||
| @ -260,12 +251,15 @@ | |||||||
|         }; |         }; | ||||||
|       } |       } | ||||||
|       { |       { | ||||||
|         job_name = "raccoon"; |         job_name = "ipmi-fox"; | ||||||
|  |         metrics_path = "/ipmi"; | ||||||
|         static_configs = [ |         static_configs = [ | ||||||
|           { |           { targets = [ "127.0.0.1:9290" ]; } | ||||||
|             targets = [ "127.0.0.1:19002" ]; # Node exporter |  | ||||||
|           } |  | ||||||
|         ]; |         ]; | ||||||
|  |         params = { | ||||||
|  |           target = [ "fox-ipmi" ]; | ||||||
|  |           module = [ "fox" ]; | ||||||
|  |         }; | ||||||
|       } |       } | ||||||
|     ]; |     ]; | ||||||
|   }; |   }; | ||||||
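Review bot: `extraFlags = [ "--log.level=debug" ];` is now active on the IPMI exporter, which is configured with `user = "root"` and reads its settings from `config.age.secrets.ipmiYml.path`. Debug logging is reasonable while bringing up the new `ipmi-fox` job, but it should not stay on in the committed configuration. It increases journal volume and, depending on what the exporter prints at that level, may expose details of the BMC queries to anyone who can read the journal. I would restore `# extraFlags = [ "--log.level=debug" ];` before merging, or add a comment saying why debug output is still needed. The exporters attribute set starts and ends outside this hunk.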
|  | |||||||
| @ -2,32 +2,26 @@ | |||||||
| let | let | ||||||
|   website = pkgs.stdenv.mkDerivation { |   website = pkgs.stdenv.mkDerivation { | ||||||
|     name = "jungle-web"; |     name = "jungle-web"; | ||||||
|     src = pkgs.fetchgit { |     src = theFlake; | ||||||
|       url = "https://jungle.bsc.es/git/rarias/jungle-website.git"; |  | ||||||
|       rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c"; |  | ||||||
|       hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M="; |  | ||||||
|     }; |  | ||||||
|     buildInputs = [ pkgs.hugo ]; |     buildInputs = [ pkgs.hugo ]; | ||||||
|     buildPhase = '' |     buildPhase = '' | ||||||
|  |       cd web | ||||||
|       rm -rf public/ |       rm -rf public/ | ||||||
|       hugo |       hugo | ||||||
|     ''; |     ''; | ||||||
|     installPhase = '' |     installPhase = '' | ||||||
|       cp -r public $out |       cp -r public $out | ||||||
|     ''; |     ''; | ||||||
|     # Don't mess doc/ |  | ||||||
|     dontFixup = true; |  | ||||||
|   }; |   }; | ||||||
| in | in | ||||||
| { | { | ||||||
|   networking.firewall.allowedTCPPorts = [ 80 ]; |  | ||||||
|   services.nginx = { |   services.nginx = { | ||||||
|     enable = true; |     enable = true; | ||||||
|     virtualHosts."jungle.bsc.es" = { |     virtualHosts."jungle.bsc.es" = { | ||||||
|       root = "${website}"; |       root = "${website}"; | ||||||
|       listen = [ |       listen = [ | ||||||
|         { |         { | ||||||
|           addr = "0.0.0.0"; |           addr = "127.0.0.1"; | ||||||
|           port = 80; |           port = 80; | ||||||
|         } |         } | ||||||
|       ]; |       ]; | ||||||
| @ -44,7 +38,7 @@ in | |||||||
|           proxy_redirect http:// $scheme://; |           proxy_redirect http:// $scheme://; | ||||||
|         } |         } | ||||||
|         location /cache { |         location /cache { | ||||||
|           rewrite ^/cache/(.*) /$1 break; |           rewrite ^/cache(.*) /$1 break; | ||||||
|           proxy_pass http://127.0.0.1:5000; |           proxy_pass http://127.0.0.1:5000; | ||||||
|           proxy_redirect http:// $scheme://; |           proxy_redirect http:// $scheme://; | ||||||
|         } |         } | ||||||
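Review bot: The new pattern `rewrite ^/cache(.*) /$1 break;` no longer anchors on the slash after `cache`, so for `/cache/foo` the capture is `/foo` and the rewritten URI becomes `//foo`, and a path such as `/cachefoo` is also rewritten and proxied to `127.0.0.1:5000`. If the aim is to make a bare `/cache` work as well, `rewrite ^/cache(?:/(.*))?$ /$1 break;` keeps a single leading slash and leaves look-alike prefixes unrewritten. Declaring the block as `location /cache/` would further limit what reaches the backend. The surrounding nginx configuration begins outside this hunk.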
|  | |||||||
							
								
								
									
									
										7
									
								
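--- a/m/hut/slurm-server.nix
+++ b/m/hut/slurm-server.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  services.slurm = {
+    server.enable = true;
+  };
+}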
| @ -4,7 +4,7 @@ | |||||||
|   - xeon03-ipmi |   - xeon03-ipmi | ||||||
|   - xeon04-ipmi |   - xeon04-ipmi | ||||||
|   - koro-ipmi |   - koro-ipmi | ||||||
|   - weasel-ipmi |   - xeon06-ipmi | ||||||
|   - hut-ipmi |   - hut-ipmi | ||||||
|   - eudy-ipmi |   - eudy-ipmi | ||||||
|   # Storage |   # Storage | ||||||
|  | |||||||
| @ -2,7 +2,7 @@ | |||||||
| 
 | 
 | ||||||
| { | { | ||||||
|   imports = [ |   imports = [ | ||||||
|     ../common/ssf.nix |     ../common/xeon.nix | ||||||
|     #(modulesPath + "/installer/netboot/netboot-minimal.nix") |     #(modulesPath + "/installer/netboot/netboot-minimal.nix") | ||||||
| 
 | 
 | ||||||
|     ../eudy/cpufreq.nix |     ../eudy/cpufreq.nix | ||||||
|  | |||||||
| @ -2,9 +2,8 @@ | |||||||
| 
 | 
 | ||||||
| { | { | ||||||
|   imports = [ |   imports = [ | ||||||
|     ../common/ssf.nix |     ../common/xeon.nix | ||||||
|     ../module/monitoring.nix |     ../module/monitoring.nix | ||||||
|     ../module/hut-substituter.nix |  | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|   boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53563a"; |   boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53563a"; | ||||||
|  | |||||||
							
								
								
									
									
										70
									
								
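--- a/m/map.nix
+++ b/m/map.nix
@@ -1,70 +0,0 @@
-{
-  # In physical order from top to bottom (see note below)
-  ssf = {
-    # Switches for Ethernet and OmniPath
-    switch-C6-S1A-05 = { pos=42; size=1; model="Dell S3048-ON"; };
-    switch-opa = { pos=41; size=1; };
-
-    # SSF login
-    apex = { pos=39; size=2; label="SSFHEAD"; board="R2208WTTYSR"; contact="rodrigo.arias@bsc.es"; };
-
-    # Storage
-    bay   = { pos=38; size=1; label="MDS01"; board="S2600WT2R"; sn="BQWL64850303"; contact="rodrigo.arias@bsc.es"; };
-    lake1 = { pos=37; size=1; label="OSS01"; board="S2600WT2R"; sn="BQWL64850234"; contact="rodrigo.arias@bsc.es"; };
-    lake2 = { pos=36; size=1; label="OSS02"; board="S2600WT2R"; sn="BQWL64850266"; contact="rodrigo.arias@bsc.es"; };
-
-    # Compute xeon
-    owl1   = { pos=35; size=1; label="SSF-XEON01"; board="S2600WTTR"; sn="BQWL64954172"; contact="rodrigo.arias@bsc.es"; };
-    owl2   = { pos=34; size=1; label="SSF-XEON02"; board="S2600WTTR"; sn="BQWL64756560"; contact="rodrigo.arias@bsc.es"; };
-    xeon03 = { pos=33; size=1; label="SSF-XEON03"; board="S2600WTTR"; sn="BQWL64750826"; contact="rodrigo.arias@bsc.es"; };
-    # Slot 34 empty
-    koro   = { pos=31; size=1; label="SSF-XEON05"; board="S2600WTTR"; sn="BQWL64954293"; contact="rodrigo.arias@bsc.es"; };
-    weasel = { pos=30; size=1; label="SSF-XEON06"; board="S2600WTTR"; sn="BQWL64750846"; contact="antoni.navarro@bsc.es"; };
-    hut    = { pos=29; size=1; label="SSF-XEON07"; board="S2600WTTR"; sn="BQWL64751184"; contact="rodrigo.arias@bsc.es"; };
-    eudy   = { pos=28; size=1; label="SSF-XEON08"; board="S2600WTTR"; sn="BQWL64756586"; contact="aleix.rocanonell@bsc.es"; };
-
-    # 16 KNL nodes, 4 per chassis
-    knl01_04 = { pos=26; size=2; label="KNL01..KNL04"; board="HNS7200APX"; };
-    knl05_08 = { pos=24; size=2; label="KNL05..KNL18"; board="HNS7200APX"; };
-    knl09_12 = { pos=22; size=2; label="KNL09..KNL12"; board="HNS7200APX"; };
-    knl13_16 = { pos=20; size=2; label="KNL13..KNL16"; board="HNS7200APX"; };
-
-    # Slot 19 empty
-
-    # EPI (hw team, guessed order)
-    epi01 = { pos=18; size=1; contact="joan.cabre@bsc.es"; };
-    epi02 = { pos=17; size=1; contact="joan.cabre@bsc.es"; };
-    epi03 = { pos=16; size=1; contact="joan.cabre@bsc.es"; };
-    anon  = { pos=14; size=2; }; # Unlabeled machine. Operative
-
-    # These are old and decommissioned (off)
-    power8    = { pos=12; size=2; label="BSCPOWER8N3";   decommissioned=true; };
-    powern1   = { pos=8;  size=4; label="BSCPOWERN1";    decommissioned=true; };
-    gustafson = { pos=7;  size=1; label="gustafson";     decommissioned=true; };
-    odap01    = { pos=3;  size=4; label="ODAP01";        decommissioned=true; };
-    amhdal    = { pos=2;  size=1; label="AMHDAL";        decommissioned=true; }; # sic
-    moore     = { pos=1;  size=1; label="moore (earth)"; decommissioned=true; };
-  };
-
-  bsc2218 = {
-    raccoon = { board="W2600CR"; sn="QSIP22500829"; contact="rodrigo.arias@bsc.es"; };
-    tent    = { label="SSF-XEON04"; board="S2600WTTR"; sn="BQWL64751229"; contact="rodrigo.arias@bsc.es"; };
-  };
-
-  upc = {
-    fox = { board="H13DSG-O-CPU"; sn="UM24CS600392"; prod="AS-4125GS-TNRT"; prod_sn="E508839X5103339"; contact="rodrigo.arias@bsc.es"; };
-  };
-
-  # NOTE: Position is specified in "U" units (44.45 mm) and starts at 1 from the
-  # bottom. Example:
-  #
-  #  |   ...  | - [pos+size] <--- Label in chassis
-  #  +--------+
-  #  |  node  | - [pos+1]
-  #  |   2U   | - [pos]
-  #  +------- +
-  #  |   ...  | - [pos-1]
-  #
-  # NOTE: The board and sn refers to the FRU information (Board Product and
-  # Board Serial) via `ipmitool fru print 0`.
-}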
| @ -1,357 +0,0 @@ | |||||||
| { |  | ||||||
|   config, |  | ||||||
|   options, |  | ||||||
|   lib, |  | ||||||
|   pkgs, |  | ||||||
|   ... |  | ||||||
| }: |  | ||||||
| with lib; |  | ||||||
| let |  | ||||||
|   cfg = config.age; |  | ||||||
| 
 |  | ||||||
|   isDarwin = lib.attrsets.hasAttrByPath [ "environment" "darwinConfig" ] options; |  | ||||||
| 
 |  | ||||||
|   ageBin = config.age.ageBin; |  | ||||||
| 
 |  | ||||||
|   users = config.users.users; |  | ||||||
| 
 |  | ||||||
|   sysusersEnabled = |  | ||||||
|     if isDarwin then |  | ||||||
|       false |  | ||||||
|     else |  | ||||||
|       options.systemd ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable); |  | ||||||
| 
 |  | ||||||
|   mountCommand = |  | ||||||
|     if isDarwin then |  | ||||||
|       '' |  | ||||||
|         if ! diskutil info "${cfg.secretsMountPoint}" &> /dev/null; then |  | ||||||
|             num_sectors=1048576 |  | ||||||
|             dev=$(hdiutil attach -nomount ram://"$num_sectors" | sed 's/[[:space:]]*$//') |  | ||||||
|             newfs_hfs -v agenix "$dev" |  | ||||||
|             mount -t hfs -o nobrowse,nodev,nosuid,-m=0751 "$dev" "${cfg.secretsMountPoint}" |  | ||||||
|         fi |  | ||||||
|       '' |  | ||||||
|     else |  | ||||||
|       '' |  | ||||||
|         grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || |  | ||||||
|           mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751 |  | ||||||
|       ''; |  | ||||||
|   newGeneration = '' |  | ||||||
|     _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)" |  | ||||||
|     (( ++_agenix_generation )) |  | ||||||
|     echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation" |  | ||||||
|     mkdir -p "${cfg.secretsMountPoint}" |  | ||||||
|     chmod 0751 "${cfg.secretsMountPoint}" |  | ||||||
|     ${mountCommand} |  | ||||||
|     mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation" |  | ||||||
|     chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation" |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
|   chownGroup = if isDarwin then "admin" else "keys"; |  | ||||||
|   # chown the secrets mountpoint and the current generation to the keys group |  | ||||||
|   # instead of leaving it root:root. |  | ||||||
|   chownMountPoint = '' |  | ||||||
|     chown :${chownGroup} "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation" |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
|   setTruePath = secretType: '' |  | ||||||
|     ${ |  | ||||||
|       if secretType.symlink then |  | ||||||
|         '' |  | ||||||
|           _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}" |  | ||||||
|         '' |  | ||||||
|       else |  | ||||||
|         '' |  | ||||||
|           _truePath="${secretType.path}" |  | ||||||
|         '' |  | ||||||
|     } |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
|   installSecret = secretType: '' |  | ||||||
|     ${setTruePath secretType} |  | ||||||
|     echo "decrypting '${secretType.file}' to '$_truePath'..." |  | ||||||
|     TMP_FILE="$_truePath.tmp" |  | ||||||
| 
 |  | ||||||
|     IDENTITIES=() |  | ||||||
|     for identity in ${toString cfg.identityPaths}; do |  | ||||||
|       test -r "$identity" || continue |  | ||||||
|       test -s "$identity" || continue |  | ||||||
|       IDENTITIES+=(-i) |  | ||||||
|       IDENTITIES+=("$identity") |  | ||||||
|     done |  | ||||||
| 
 |  | ||||||
|     test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!" |  | ||||||
| 
 |  | ||||||
|     mkdir -p "$(dirname "$_truePath")" |  | ||||||
|     [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")" |  | ||||||
|     ( |  | ||||||
|       umask u=r,g=,o= |  | ||||||
|       test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!' |  | ||||||
|       test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!" |  | ||||||
|       LANG=${ |  | ||||||
|         config.i18n.defaultLocale or "C" |  | ||||||
|       } ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}" |  | ||||||
|     ) |  | ||||||
|     chmod ${secretType.mode} "$TMP_FILE" |  | ||||||
|     mv -f "$TMP_FILE" "$_truePath" |  | ||||||
| 
 |  | ||||||
|     ${optionalString secretType.symlink '' |  | ||||||
|       [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}" |  | ||||||
|     ''} |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
|   testIdentities = map (path: '' |  | ||||||
|     test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!' |  | ||||||
|   '') cfg.identityPaths; |  | ||||||
| 
 |  | ||||||
|   cleanupAndLink = '' |  | ||||||
|     _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)" |  | ||||||
|     (( ++_agenix_generation )) |  | ||||||
|     echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..." |  | ||||||
|     ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir} |  | ||||||
| 
 |  | ||||||
|     (( _agenix_generation > 1 )) && { |  | ||||||
|     echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..." |  | ||||||
|     rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))" |  | ||||||
|     } |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
|   installSecrets = builtins.concatStringsSep "\n" ( |  | ||||||
|     [ "echo '[agenix] decrypting secrets...'" ] |  | ||||||
|     ++ testIdentities |  | ||||||
|     ++ (map installSecret (builtins.attrValues cfg.secrets)) |  | ||||||
|     ++ [ cleanupAndLink ] |  | ||||||
|   ); |  | ||||||
| 
 |  | ||||||
|   chownSecret = secretType: '' |  | ||||||
|     ${setTruePath secretType} |  | ||||||
|     chown ${secretType.owner}:${secretType.group} "$_truePath" |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
|   chownSecrets = builtins.concatStringsSep "\n" ( |  | ||||||
|     [ "echo '[agenix] chowning...'" ] |  | ||||||
|     ++ [ chownMountPoint ] |  | ||||||
|     ++ (map chownSecret (builtins.attrValues cfg.secrets)) |  | ||||||
|   ); |  | ||||||
| 
 |  | ||||||
|   secretType = types.submodule ( |  | ||||||
|     { config, ... }: |  | ||||||
|     { |  | ||||||
|       options = { |  | ||||||
|         name = mkOption { |  | ||||||
|           type = types.str; |  | ||||||
|           default = config._module.args.name; |  | ||||||
|           defaultText = literalExpression "config._module.args.name"; |  | ||||||
|           description = '' |  | ||||||
|             Name of the file used in {option}`age.secretsDir` |  | ||||||
|           ''; |  | ||||||
|         }; |  | ||||||
|         file = mkOption { |  | ||||||
|           type = types.path; |  | ||||||
|           description = '' |  | ||||||
|             Age file the secret is loaded from. |  | ||||||
|           ''; |  | ||||||
|         }; |  | ||||||
|         path = mkOption { |  | ||||||
|           type = types.str; |  | ||||||
|           default = "${cfg.secretsDir}/${config.name}"; |  | ||||||
|           defaultText = literalExpression '' |  | ||||||
|             "''${cfg.secretsDir}/''${config.name}" |  | ||||||
|           ''; |  | ||||||
|           description = '' |  | ||||||
|             Path where the decrypted secret is installed. |  | ||||||
|           ''; |  | ||||||
|         }; |  | ||||||
|         mode = mkOption { |  | ||||||
|           type = types.str; |  | ||||||
|           default = "0400"; |  | ||||||
|           description = '' |  | ||||||
|             Permissions mode of the decrypted secret in a format understood by chmod. |  | ||||||
|           ''; |  | ||||||
|         }; |  | ||||||
|         owner = mkOption { |  | ||||||
|           type = types.str; |  | ||||||
|           default = "0"; |  | ||||||
|           description = '' |  | ||||||
|             User of the decrypted secret. |  | ||||||
|           ''; |  | ||||||
|         }; |  | ||||||
|         group = mkOption { |  | ||||||
|           type = types.str; |  | ||||||
|           default = users.${config.owner}.group or "0"; |  | ||||||
|           defaultText = literalExpression '' |  | ||||||
|             users.''${config.owner}.group or "0" |  | ||||||
|           ''; |  | ||||||
|           description = '' |  | ||||||
|             Group of the decrypted secret. |  | ||||||
|           ''; |  | ||||||
|         }; |  | ||||||
|         symlink = mkEnableOption "symlinking secrets to their destination" // { |  | ||||||
|           default = true; |  | ||||||
|         }; |  | ||||||
|       }; |  | ||||||
|     } |  | ||||||
|   ); |  | ||||||
| in |  | ||||||
| { |  | ||||||
|   imports = [ |  | ||||||
|     (mkRenamedOptionModule [ "age" "sshKeyPaths" ] [ "age" "identityPaths" ]) |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   options.age = { |  | ||||||
|     ageBin = mkOption { |  | ||||||
|       type = types.str; |  | ||||||
|       default = "${pkgs.age}/bin/age"; |  | ||||||
|       defaultText = literalExpression '' |  | ||||||
|         "''${pkgs.age}/bin/age" |  | ||||||
|       ''; |  | ||||||
|       description = '' |  | ||||||
|         The age executable to use. |  | ||||||
|       ''; |  | ||||||
|     }; |  | ||||||
|     secrets = mkOption { |  | ||||||
|       type = types.attrsOf secretType; |  | ||||||
|       default = { }; |  | ||||||
|       description = '' |  | ||||||
|         Attrset of secrets. |  | ||||||
|       ''; |  | ||||||
|     }; |  | ||||||
|     secretsDir = mkOption { |  | ||||||
|       type = types.path; |  | ||||||
|       default = "/run/agenix"; |  | ||||||
|       description = '' |  | ||||||
|         Folder where secrets are symlinked to |  | ||||||
|       ''; |  | ||||||
|     }; |  | ||||||
|     secretsMountPoint = mkOption { |  | ||||||
|       type = |  | ||||||
|         types.addCheck types.str ( |  | ||||||
|           s: |  | ||||||
|           (builtins.match "[ \t\n]*" s) == null # non-empty |  | ||||||
|           && (builtins.match ".+/" s) == null |  | ||||||
|         ) # without trailing slash |  | ||||||
|         // { |  | ||||||
|           description = "${types.str.description} (with check: non-empty without trailing slash)"; |  | ||||||
|         }; |  | ||||||
|       default = "/run/agenix.d"; |  | ||||||
|       description = '' |  | ||||||
|         Where secrets are created before they are symlinked to {option}`age.secretsDir` |  | ||||||
|       ''; |  | ||||||
|     }; |  | ||||||
|     identityPaths = mkOption { |  | ||||||
|       type = types.listOf types.path; |  | ||||||
|       default = |  | ||||||
|         if isDarwin then |  | ||||||
|           [ |  | ||||||
|             "/etc/ssh/ssh_host_ed25519_key" |  | ||||||
|             "/etc/ssh/ssh_host_rsa_key" |  | ||||||
|           ] |  | ||||||
|         else if (config.services.openssh.enable or false) then |  | ||||||
|           map (e: e.path) ( |  | ||||||
|             lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys |  | ||||||
|           ) |  | ||||||
|         else |  | ||||||
|           [ ]; |  | ||||||
|       defaultText = literalExpression '' |  | ||||||
|         if isDarwin |  | ||||||
|         then [ |  | ||||||
|           "/etc/ssh/ssh_host_ed25519_key" |  | ||||||
|           "/etc/ssh/ssh_host_rsa_key" |  | ||||||
|         ] |  | ||||||
|         else if (config.services.openssh.enable or false) |  | ||||||
|         then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys) |  | ||||||
|         else []; |  | ||||||
|       ''; |  | ||||||
|       description = '' |  | ||||||
|         Path to SSH keys to be used as identities in age decryption. |  | ||||||
|       ''; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   config = mkIf (cfg.secrets != { }) (mkMerge [ |  | ||||||
|     { |  | ||||||
|       assertions = [ |  | ||||||
|         { |  | ||||||
|           assertion = cfg.identityPaths != [ ]; |  | ||||||
|           message = "age.identityPaths must be set, for example by enabling openssh."; |  | ||||||
|         } |  | ||||||
|       ]; |  | ||||||
|     } |  | ||||||
|     (optionalAttrs (!isDarwin) { |  | ||||||
|       # When using sysusers we no longer be started as an activation script |  | ||||||
|       # because those are started in initrd while sysusers is started later. |  | ||||||
|       systemd.services.agenix-install-secrets = mkIf sysusersEnabled { |  | ||||||
|         wantedBy = [ "sysinit.target" ]; |  | ||||||
|         after = [ "systemd-sysusers.service" ]; |  | ||||||
|         unitConfig.DefaultDependencies = "no"; |  | ||||||
| 
 |  | ||||||
|         path = [ pkgs.mount ]; |  | ||||||
|         serviceConfig = { |  | ||||||
|           Type = "oneshot"; |  | ||||||
|           ExecStart = pkgs.writeShellScript "agenix-install" (concatLines [ |  | ||||||
|             newGeneration |  | ||||||
|             installSecrets |  | ||||||
|             chownSecrets |  | ||||||
|           ]); |  | ||||||
|           RemainAfterExit = true; |  | ||||||
|         }; |  | ||||||
|       }; |  | ||||||
| 
 |  | ||||||
|       # Create a new directory full of secrets for symlinking (this helps |  | ||||||
|       # ensure removed secrets are actually removed, or at least become |  | ||||||
|       # invalid symlinks). |  | ||||||
|       system.activationScripts = mkIf (!sysusersEnabled) { |  | ||||||
|         agenixNewGeneration = { |  | ||||||
|           text = newGeneration; |  | ||||||
|           deps = [ |  | ||||||
|             "specialfs" |  | ||||||
|           ]; |  | ||||||
|         }; |  | ||||||
| 
 |  | ||||||
|         agenixInstall = { |  | ||||||
|           text = installSecrets; |  | ||||||
|           deps = [ |  | ||||||
|             "agenixNewGeneration" |  | ||||||
|             "specialfs" |  | ||||||
|           ]; |  | ||||||
|         }; |  | ||||||
| 
 |  | ||||||
|         # So user passwords can be encrypted. |  | ||||||
|         users.deps = [ "agenixInstall" ]; |  | ||||||
| 
 |  | ||||||
|         # Change ownership and group after users and groups are made. |  | ||||||
|         agenixChown = { |  | ||||||
|           text = chownSecrets; |  | ||||||
|           deps = [ |  | ||||||
|             "users" |  | ||||||
|             "groups" |  | ||||||
|           ]; |  | ||||||
|         }; |  | ||||||
| 
 |  | ||||||
|         # So other activation scripts can depend on agenix being done. |  | ||||||
|         agenix = { |  | ||||||
|           text = ""; |  | ||||||
|           deps = [ "agenixChown" ]; |  | ||||||
|         }; |  | ||||||
|       }; |  | ||||||
|     }) |  | ||||||
| 
 |  | ||||||
|     (optionalAttrs isDarwin { |  | ||||||
|       launchd.daemons.activate-agenix = { |  | ||||||
|         script = '' |  | ||||||
|           set -e |  | ||||||
|           set -o pipefail |  | ||||||
|           export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin" |  | ||||||
|           ${newGeneration} |  | ||||||
|           ${installSecrets} |  | ||||||
|           ${chownSecrets} |  | ||||||
|           exit 0 |  | ||||||
|         ''; |  | ||||||
|         serviceConfig = { |  | ||||||
|           RunAtLoad = true; |  | ||||||
|           KeepAlive.SuccessfulExit = false; |  | ||||||
|         }; |  | ||||||
|       }; |  | ||||||
|     }) |  | ||||||
|   ]); |  | ||||||
| } |  | ||||||
| @ -1,49 +0,0 @@ | |||||||
| { config, lib, pkgs, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   options = { |  | ||||||
|     services.amd-uprof = { |  | ||||||
|       enable = lib.mkOption { |  | ||||||
|         type = lib.types.bool; |  | ||||||
|         default = false; |  | ||||||
|         description = "Whether to enable AMD uProf."; |  | ||||||
|       }; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   # Only setup amd-uprof if enabled |  | ||||||
|   config = lib.mkIf config.services.amd-uprof.enable { |  | ||||||
| 
 |  | ||||||
|     # First make sure that we add the module to the list of available modules |  | ||||||
|     # in the kernel matching the same kernel version of this configuration. |  | ||||||
|     boot.extraModulePackages = with config.boot.kernelPackages; [ amd-uprof-driver ]; |  | ||||||
|     boot.kernelModules = [ "AMDPowerProfiler" ]; |  | ||||||
| 
 |  | ||||||
|     # Make the userspace tools available in $PATH. |  | ||||||
|     environment.systemPackages = with pkgs; [ amd-uprof ]; |  | ||||||
| 
 |  | ||||||
|     # The AMDPowerProfiler module doesn't create the /dev device nor it emits |  | ||||||
|     # any uevents, so we cannot use udev rules to automatically create the |  | ||||||
|     # device. Instead, we run a systemd unit that does it after loading the |  | ||||||
|     # modules. |  | ||||||
|     systemd.services.amd-uprof-device = { |  | ||||||
|       description = "Create /dev/AMDPowerProfiler device"; |  | ||||||
|       after = [ "systemd-modules-load.service" ]; |  | ||||||
|       wantedBy = [ "multi-user.target" ]; |  | ||||||
|       unitConfig.ConditionPathExists = [ |  | ||||||
|           "/proc/AMDPowerProfiler/device" |  | ||||||
|           "!/dev/AMDPowerProfiler" |  | ||||||
|       ]; |  | ||||||
|       serviceConfig = { |  | ||||||
|         Type = "oneshot"; |  | ||||||
|         RemainAfterExit = true; |  | ||||||
|         ExecStart = pkgs.writeShellScript "add-amd-uprof-dev.sh" '' |  | ||||||
|           mknod /dev/AMDPowerProfiler -m 666 c $(< /proc/AMDPowerProfiler/device) 0 |  | ||||||
|         ''; |  | ||||||
|         ExecStop = pkgs.writeShellScript "remove-amd-uprof-dev.sh" '' |  | ||||||
|           rm -f /dev/AMDPowerProfiler |  | ||||||
|         ''; |  | ||||||
|       }; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,13 +0,0 @@ | |||||||
| { config, ... }: |  | ||||||
| { |  | ||||||
|   nix.settings = |  | ||||||
|     # Don't add hut as a cache to itself |  | ||||||
|     assert config.networking.hostName != "hut"; |  | ||||||
|     { |  | ||||||
|       extra-substituters = [ "http://hut/cache" ]; |  | ||||||
|       extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ]; |  | ||||||
| 
 |  | ||||||
|       # Set a low timeout in case hut is down |  | ||||||
|       connect-timeout = 3; # seconds |  | ||||||
|     }; |  | ||||||
| } |  | ||||||
| @ -1,17 +0,0 @@ | |||||||
| { config, lib, pkgs, ... }: |  | ||||||
| 
 |  | ||||||
| with lib; |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   systemd.services."prometheus-meteocat-exporter" = { |  | ||||||
|     wantedBy = [ "multi-user.target" ]; |  | ||||||
|     after = [ "network.target" ]; |  | ||||||
|     serviceConfig = { |  | ||||||
|       Restart = mkDefault "always"; |  | ||||||
|       PrivateTmp = mkDefault true; |  | ||||||
|       WorkingDirectory = mkDefault "/tmp"; |  | ||||||
|       DynamicUser = mkDefault true; |  | ||||||
|       ExecStart = "${pkgs.meteocat-exporter}/bin/meteocat-exporter"; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,26 +0,0 @@ | |||||||
| #!/bin/sh |  | ||||||
| 
 |  | ||||||
| # Locate nix daemon pid |  | ||||||
| nd=$(pgrep -o nix-daemon) |  | ||||||
| 
 |  | ||||||
| # Locate children of nix-daemon |  | ||||||
| pids1=$(tr ' ' '\n' < "/proc/$nd/task/$nd/children") |  | ||||||
| 
 |  | ||||||
| # For each children, locate 2nd level children |  | ||||||
| pids2=$(echo "$pids1" | xargs -I @ /bin/sh -c 'cat /proc/@/task/*/children' | tr ' ' '\n') |  | ||||||
| 
 |  | ||||||
| cat <<EOF |  | ||||||
| HTTP/1.1 200 OK |  | ||||||
| Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=values |  | ||||||
| 
 |  | ||||||
| # HELP nix_daemon_build Nix daemon derivation build state. |  | ||||||
| # TYPE nix_daemon_build gauge |  | ||||||
| EOF |  | ||||||
| 
 |  | ||||||
| for pid in $pids2; do |  | ||||||
|   name=$(cat /proc/$pid/environ 2>/dev/null | tr '\0' '\n' | rg "^name=(.+)" - --replace '$1' | tr -dc ' [:alnum:]_\-\.') |  | ||||||
|   user=$(ps -o uname= -p "$pid") |  | ||||||
|   if [ -n "$name" -a -n "$user" ]; then |  | ||||||
|     printf 'nix_daemon_build{user="%s",name="%s"} 1\n' "$user" "$name" |  | ||||||
|   fi |  | ||||||
| done |  | ||||||
| @ -1,23 +0,0 @@ | |||||||
| { pkgs, config, lib, ... }: |  | ||||||
| let |  | ||||||
|   script = pkgs.runCommand "nix-daemon-exporter.sh" { } |  | ||||||
|     '' |  | ||||||
|       cp ${./nix-daemon-builds.sh} $out; |  | ||||||
|       chmod +x $out |  | ||||||
|     '' |  | ||||||
|   ; |  | ||||||
| in |  | ||||||
| { |  | ||||||
|   systemd.services.nix-daemon-exporter = { |  | ||||||
|     description = "Daemon to export nix-daemon metrics"; |  | ||||||
|     path = [ pkgs.procps pkgs.ripgrep ]; |  | ||||||
|     wantedBy = [ "default.target" ]; |  | ||||||
|     serviceConfig = { |  | ||||||
|       Type = "simple"; |  | ||||||
|       ExecStart = "${pkgs.socat}/bin/socat TCP4-LISTEN:9999,fork EXEC:${script}"; |  | ||||||
|       # Needed root to read the environment, potentially unsafe |  | ||||||
|       User = "root"; |  | ||||||
|       Group = "root"; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,20 +0,0 @@ | |||||||
| { lib, config, pkgs, ... }: |  | ||||||
| { |  | ||||||
|   # Configure Nvidia driver to use with CUDA |  | ||||||
|   hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production; |  | ||||||
|   hardware.nvidia.open = lib.mkDefault (builtins.abort "hardware.nvidia.open not set"); |  | ||||||
|   hardware.graphics.enable = true; |  | ||||||
|   nixpkgs.config.nvidia.acceptLicense = true; |  | ||||||
|   services.xserver.videoDrivers = [ "nvidia" ]; |  | ||||||
| 
 |  | ||||||
|   # enable support for derivations which require nvidia-gpu to be available |  | ||||||
|   # > requiredSystemFeatures = [ "cuda" ]; |  | ||||||
|   programs.nix-required-mounts.enable = true; |  | ||||||
|   programs.nix-required-mounts.presets.nvidia-gpu.enable = true; |  | ||||||
|   # They forgot to add the symlink |  | ||||||
|   programs.nix-required-mounts.allowedPatterns.nvidia-gpu.paths = [ |  | ||||||
|     config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver"."L+".argument |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   environment.systemPackages = [ pkgs.cudainfo ]; |  | ||||||
| } |  | ||||||
| @ -1,68 +0,0 @@ | |||||||
| { config, lib, pkgs, ... }: |  | ||||||
| 
 |  | ||||||
| let |  | ||||||
|   cfg = config.services.p; |  | ||||||
| in |  | ||||||
| { |  | ||||||
|   options = { |  | ||||||
|     services.p = { |  | ||||||
|       enable = lib.mkOption { |  | ||||||
|         type = lib.types.bool; |  | ||||||
|         default = false; |  | ||||||
|         description = "Whether to enable the p service."; |  | ||||||
|       }; |  | ||||||
|       path = lib.mkOption { |  | ||||||
|         type = lib.types.str; |  | ||||||
|         default = "/var/lib/p"; |  | ||||||
|         description = "Where to save the pasted files on disk."; |  | ||||||
|       }; |  | ||||||
|       url = lib.mkOption { |  | ||||||
|         type = lib.types.str; |  | ||||||
|         default = "https://jungle.bsc.es/p"; |  | ||||||
|         description = "URL prefix for the printed file."; |  | ||||||
|       }; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   config = lib.mkIf cfg.enable { |  | ||||||
|     environment.systemPackages = let  |  | ||||||
|       p = pkgs.writeShellScriptBin "p" '' |  | ||||||
|         set -e |  | ||||||
|         pastedir="${cfg.path}/$USER" |  | ||||||
|         cd "$pastedir" |  | ||||||
| 
 |  | ||||||
|         ext="txt" |  | ||||||
|         if [ -n "$1" ]; then |  | ||||||
|           ext="$1" |  | ||||||
|         fi |  | ||||||
| 
 |  | ||||||
|         out=$(mktemp "XXXXXXXX.$ext") |  | ||||||
|         cat > "$out" |  | ||||||
|         chmod go+r "$out" |  | ||||||
|         echo "${cfg.url}/$USER/$out" |  | ||||||
|       ''; |  | ||||||
|     in [ p ]; |  | ||||||
| 
 |  | ||||||
|     systemd.services.p = let |  | ||||||
|       # Take only normal users |  | ||||||
|       users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users; |  | ||||||
|       # Create a directory for each user |  | ||||||
|       commands = lib.concatLists (lib.mapAttrsToList (_: user: [ |  | ||||||
|         "install -d -o ${user.name} -g ${user.group} -m 0755 ${cfg.path}/${user.name}" |  | ||||||
|       ]) users); |  | ||||||
|     in { |  | ||||||
|       description = "P service setup"; |  | ||||||
|       requires = [ "network-online.target" ]; |  | ||||||
|       #wants = [ "remote-fs.target" ]; |  | ||||||
|       #after = [ "remote-fs.target" ]; |  | ||||||
|       wantedBy = [ "multi-user.target" ]; |  | ||||||
|       serviceConfig = { |  | ||||||
|         ExecStart = pkgs.writeShellScript "p-init.sh" ('' |  | ||||||
| 
 |  | ||||||
|           install -d -o root -g root -m 0755 ${cfg.path} |  | ||||||
| 
 |  | ||||||
|         '' + (lib.concatLines commands)); |  | ||||||
|       }; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,33 +0,0 @@ | |||||||
| { config, lib, pkgs, ... }: |  | ||||||
| 
 |  | ||||||
| with lib; |  | ||||||
| 
 |  | ||||||
| let |  | ||||||
|   cfg = config.power.policy; |  | ||||||
| in |  | ||||||
| { |  | ||||||
|   options = { |  | ||||||
|     power.policy = mkOption { |  | ||||||
|       type = types.nullOr (types.enum [ "always-on" "previous" "always-off" ]); |  | ||||||
|       default = null; |  | ||||||
|       description = "Set power policy to use via IPMI."; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   config = mkIf (cfg != null) { |  | ||||||
|     systemd.services."power-policy" = { |  | ||||||
|       description = "Set power policy to use via IPMI"; |  | ||||||
|       wantedBy = [ "multi-user.target" ]; |  | ||||||
|       unitConfig = { |  | ||||||
|         StartLimitBurst = "10"; |  | ||||||
|         StartLimitIntervalSec = "10m"; |  | ||||||
|       }; |  | ||||||
|       serviceConfig = { |  | ||||||
|         ExecStart = "${pkgs.ipmitool}/bin/ipmitool chassis policy ${cfg}"; |  | ||||||
|         Type = "oneshot"; |  | ||||||
|         Restart = "on-failure"; |  | ||||||
|         RestartSec = "5s"; |  | ||||||
|       }; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,10 +1,49 @@ | |||||||
| { lib, ... }: | { config, pkgs, lib, ... }: | ||||||
| 
 | 
 | ||||||
| { | let | ||||||
|   imports = [ |   suspendProgram = pkgs.writeScript "suspend.sh" '' | ||||||
|     ./slurm-common.nix |     #!/usr/bin/env bash | ||||||
|   ]; |     exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log | ||||||
|  |     set -x | ||||||
|  |     export "PATH=/run/current-system/sw/bin:$PATH" | ||||||
|  |     echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log | ||||||
|  |     hosts=$(scontrol show hostnames $1) | ||||||
|  |     for host in $hosts; do | ||||||
|  |       echo Shutting down host: $host | ||||||
|  |       ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power off | ||||||
|  |     done | ||||||
|  |   ''; | ||||||
| 
 | 
 | ||||||
|  |   resumeProgram = pkgs.writeScript "resume.sh" '' | ||||||
|  |     #!/usr/bin/env bash | ||||||
|  |     exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log | ||||||
|  |     set -x | ||||||
|  |     export "PATH=/run/current-system/sw/bin:$PATH" | ||||||
|  |     echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log | ||||||
|  |     hosts=$(scontrol show hostnames $1) | ||||||
|  |     for host in $hosts; do | ||||||
|  |       echo Starting host: $host | ||||||
|  |       ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power on | ||||||
|  |     done | ||||||
|  |   ''; | ||||||
|  | 
 | ||||||
|  |   prolog = pkgs.writeScript "prolog.sh" '' | ||||||
|  |     #!/usr/bin/env bash | ||||||
|  | 
 | ||||||
|  |     echo "hello from the prolog" | ||||||
|  | 
 | ||||||
|  |     exit 0 | ||||||
|  |   ''; | ||||||
|  | 
 | ||||||
|  |   epilog = pkgs.writeScript "epilog.sh" '' | ||||||
|  |     #!/usr/bin/env bash | ||||||
|  | 
 | ||||||
|  |     echo "hello from the epilog" | ||||||
|  | 
 | ||||||
|  |     exit 0 | ||||||
|  |   ''; | ||||||
|  | 
 | ||||||
|  | in { | ||||||
|   systemd.services.slurmd.serviceConfig = { |   systemd.services.slurmd.serviceConfig = { | ||||||
|     # Kill all processes in the control group on stop/restart. This will kill |     # Kill all processes in the control group on stop/restart. This will kill | ||||||
|     # all the jobs running, so ensure that we only upgrade when the nodes are |     # all the jobs running, so ensure that we only upgrade when the nodes are | ||||||
| @ -12,13 +51,95 @@ | |||||||
|     # https://github.com/NixOS/nixpkgs/commit/ae93ed0f0d4e7be0a286d1fca86446318c0c6ffb |     # https://github.com/NixOS/nixpkgs/commit/ae93ed0f0d4e7be0a286d1fca86446318c0c6ffb | ||||||
|     # https://bugs.schedmd.com/show_bug.cgi?id=2095#c24 |     # https://bugs.schedmd.com/show_bug.cgi?id=2095#c24 | ||||||
|     KillMode = lib.mkForce "control-group"; |     KillMode = lib.mkForce "control-group"; | ||||||
| 
 |  | ||||||
|     # If slurmd fails to contact the control server it will fail, causing the |  | ||||||
|     # node to remain out of service until manually restarted. Always try to |  | ||||||
|     # restart it. |  | ||||||
|     Restart = "always"; |  | ||||||
|     RestartSec = "30s"; |  | ||||||
|   }; |   }; | ||||||
| 
 | 
 | ||||||
|   services.slurm.client.enable = true; |   services.slurm = { | ||||||
|  |     client.enable = true; | ||||||
|  |     controlMachine = "hut"; | ||||||
|  |     clusterName = "jungle"; | ||||||
|  |     nodeName = [ | ||||||
|  |       "owl[1,2]  Sockets=2 CoresPerSocket=14 ThreadsPerCore=2 Feature=owl" | ||||||
|  |       "fox       Sockets=2 CoresPerSocket=96 ThreadsPerCore=2 Feature=fox" | ||||||
|  |       "hut       Sockets=2 CoresPerSocket=14 ThreadsPerCore=2" | ||||||
|  |     ]; | ||||||
|  | 
 | ||||||
|  |     partitionName = [ | ||||||
|  |       "owl Nodes=owl[1-2]     Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP" | ||||||
|  |       "fox Nodes=fox          Default=NO  DefaultTime=01:00:00 MaxTime=INFINITE State=UP" | ||||||
|  |       "all Nodes=owl[1-2],hut Default=NO  DefaultTime=01:00:00 MaxTime=INFINITE State=UP" | ||||||
|  |     ]; | ||||||
|  | 
 | ||||||
|  |     # See slurm.conf(5) for more details about these options. | ||||||
|  |     extraConfig = '' | ||||||
|  |       # Use PMIx for MPI by default. It works okay with MPICH and OpenMPI, but | ||||||
|  |       # not with Intel MPI. For that use the compatibility shim libpmi.so | ||||||
|  |       # setting I_MPI_PMI_LIBRARY=$pmix/lib/libpmi.so while maintaining the PMIx | ||||||
|  |       # library in SLURM (--mpi=pmix). See more details here: | ||||||
|  |       # https://pm.bsc.es/gitlab/rarias/jungle/-/issues/16 | ||||||
|  |       MpiDefault=pmix | ||||||
|  | 
 | ||||||
|  |       # When a node reboots return that node to the slurm queue as soon as it | ||||||
|  |       # becomes operative again. | ||||||
|  |       ReturnToService=2 | ||||||
|  | 
 | ||||||
|  |       # Track all processes by using a cgroup | ||||||
|  |       ProctrackType=proctrack/cgroup | ||||||
|  | 
 | ||||||
|  |       # Enable task/affinity to allow the jobs to run in a specified subset of | ||||||
|  |       # the resources. Use the task/cgroup plugin to enable process containment. | ||||||
|  |       TaskPlugin=task/affinity,task/cgroup | ||||||
|  | 
 | ||||||
|  |       # Power off unused nodes until they are requested | ||||||
|  |       SuspendProgram=${suspendProgram} | ||||||
|  |       SuspendTimeout=60 | ||||||
|  |       ResumeProgram=${resumeProgram} | ||||||
|  |       ResumeTimeout=300 | ||||||
|  |       SuspendExcNodes=hut,fox | ||||||
|  | 
 | ||||||
|  |       # Turn the nodes off after 1 hour of inactivity | ||||||
|  |       SuspendTime=3600 | ||||||
|  | 
 | ||||||
|  |       # Reduce port range so we can allow only this range in the firewall | ||||||
|  |       SrunPortRange=60000-61000 | ||||||
|  | 
 | ||||||
|  |       # Use cores as consumable resources. In SLURM terms, a core may have | ||||||
|  |       # multiple hardware threads (or CPUs). | ||||||
|  |       SelectType=select/cons_tres | ||||||
|  | 
 | ||||||
|  |       # Ignore memory constraints and only use unused cores to share a node with | ||||||
|  |       # other jobs. | ||||||
|  |       SelectTypeParameters=CR_Core | ||||||
|  | 
 | ||||||
|  |       # Required for pam_slurm_adopt, see https://slurm.schedmd.com/pam_slurm_adopt.html | ||||||
|  |       # This sets up the "extern" step into which ssh-launched processes will be | ||||||
|  |       # adopted. Alloc runs the prolog at job allocation (salloc) rather than | ||||||
|  |       # when a task runs (srun) so we can ssh early. | ||||||
|  |       PrologFlags=Alloc,Contain,X11 | ||||||
|  | 
 | ||||||
|  |       # LaunchParameters=ulimit_pam_adopt will set RLIMIT_RSS in processes | ||||||
|  |       # adopted by the external step, similar to tasks running in regular steps | ||||||
|  |       # LaunchParameters=ulimit_pam_adopt | ||||||
|  |       SlurmdDebug=debug5 | ||||||
|  |       #DebugFlags=Protocol,Cgroup | ||||||
|  |     ''; | ||||||
|  | 
 | ||||||
|  |     extraCgroupConfig = '' | ||||||
|  |       CgroupPlugin=cgroup/v2 | ||||||
|  |       #ConstrainCores=yes | ||||||
|  |     ''; | ||||||
|  |   }; | ||||||
|  | 
 | ||||||
|  |   # Place the slurm config in /etc as this will be required by PAM | ||||||
|  |   environment.etc.slurm.source = config.services.slurm.etcSlurm; | ||||||
|  | 
 | ||||||
|  |   age.secrets.mungeKey = { | ||||||
|  |     file = ../../secrets/munge-key.age; | ||||||
|  |     owner = "munge"; | ||||||
|  |     group = "munge"; | ||||||
|  |   }; | ||||||
|  | 
 | ||||||
|  |   services.munge = { | ||||||
|  |     enable = true; | ||||||
|  |     password = config.age.secrets.mungeKey.path; | ||||||
|  |   }; | ||||||
| } | } | ||||||
|  | |||||||
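Review bot: Both power scripts on the new side call ipmitool with an empty user and password (`-P "" -U ""`, in suspendProgram and again in resumeProgram), so they work only if each node's BMC accepts an anonymous session. If the BMCs do accept that, anything that can reach the `-ipmi` addresses can presumably switch nodes off or on as well. I would give the BMCs a dedicated account and keep its password in an age secret, as this file already does for the munge key, passing it with ipmitool's `-f` option: `ipmitool -I lanplus -H "''${host}-ipmi" -U "$IPMI_USER" -f "$IPMI_PASSWORD_FILE" chassis power off` (both variable names are placeholders). Quoting `"$1"` in the `scontrol show hostnames` call and `"$host"` in the echo lines would also stop a malformed node list from being split into extra arguments.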
| @ -1,115 +0,0 @@ | |||||||
| { config, pkgs, ... }: |  | ||||||
| 
 |  | ||||||
| let |  | ||||||
|   suspendProgram = pkgs.writeShellScript "suspend.sh" '' |  | ||||||
|     exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log |  | ||||||
|     set -x |  | ||||||
|     export "PATH=/run/current-system/sw/bin:$PATH" |  | ||||||
|     echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log |  | ||||||
|     hosts=$(scontrol show hostnames $1) |  | ||||||
|     for host in $hosts; do |  | ||||||
|       echo Shutting down host: $host |  | ||||||
|       ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power off |  | ||||||
|     done |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
|   resumeProgram = pkgs.writeShellScript "resume.sh" '' |  | ||||||
|     exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log |  | ||||||
|     set -x |  | ||||||
|     export "PATH=/run/current-system/sw/bin:$PATH" |  | ||||||
|     echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log |  | ||||||
|     hosts=$(scontrol show hostnames $1) |  | ||||||
|     for host in $hosts; do |  | ||||||
|       echo Starting host: $host |  | ||||||
|       ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power on |  | ||||||
|     done |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
| in { |  | ||||||
|   services.slurm = { |  | ||||||
|     controlMachine = "apex"; |  | ||||||
|     clusterName = "jungle"; |  | ||||||
|     nodeName = [ |  | ||||||
|       "owl[1,2]  Sockets=2 CoresPerSocket=14 ThreadsPerCore=2 Feature=owl" |  | ||||||
|       "fox       Sockets=8 CoresPerSocket=24 ThreadsPerCore=1" |  | ||||||
|     ]; |  | ||||||
| 
 |  | ||||||
|     partitionName = [ |  | ||||||
|       "owl Nodes=owl[1-2]     Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP" |  | ||||||
|       "fox Nodes=fox          Default=NO  DefaultTime=01:00:00 MaxTime=INFINITE State=UP" |  | ||||||
|     ]; |  | ||||||
| 
 |  | ||||||
|     # See slurm.conf(5) for more details about these options. |  | ||||||
|     extraConfig = '' |  | ||||||
|       # Use PMIx for MPI by default. It works okay with MPICH and OpenMPI, but |  | ||||||
|       # not with Intel MPI. For that use the compatibility shim libpmi.so |  | ||||||
|       # setting I_MPI_PMI_LIBRARY=$pmix/lib/libpmi.so while maintaining the PMIx |  | ||||||
|       # library in SLURM (--mpi=pmix). See more details here: |  | ||||||
|       # https://pm.bsc.es/gitlab/rarias/jungle/-/issues/16 |  | ||||||
|       MpiDefault=pmix |  | ||||||
| 
 |  | ||||||
|       # When a node reboots return that node to the slurm queue as soon as it |  | ||||||
|       # becomes operative again. |  | ||||||
|       ReturnToService=2 |  | ||||||
| 
 |  | ||||||
|       # Track all processes by using a cgroup |  | ||||||
|       ProctrackType=proctrack/cgroup |  | ||||||
| 
 |  | ||||||
|       # Enable task/affinity to allow the jobs to run in a specified subset of |  | ||||||
|       # the resources. Use the task/cgroup plugin to enable process containment. |  | ||||||
|       TaskPlugin=task/affinity,task/cgroup |  | ||||||
| 
 |  | ||||||
|       # Power off unused nodes until they are requested |  | ||||||
|       SuspendProgram=${suspendProgram} |  | ||||||
|       SuspendTimeout=60 |  | ||||||
|       ResumeProgram=${resumeProgram} |  | ||||||
|       ResumeTimeout=300 |  | ||||||
|       SuspendExcNodes=fox |  | ||||||
| 
 |  | ||||||
|       # Turn the nodes off after 1 hour of inactivity |  | ||||||
|       SuspendTime=3600 |  | ||||||
| 
 |  | ||||||
|       # Reduce port range so we can allow only this range in the firewall |  | ||||||
|       SrunPortRange=60000-61000 |  | ||||||
| 
 |  | ||||||
|       # Use cores as consumable resources. In SLURM terms, a core may have |  | ||||||
|       # multiple hardware threads (or CPUs). |  | ||||||
|       SelectType=select/cons_tres |  | ||||||
| 
 |  | ||||||
|       # Ignore memory constraints and only use unused cores to share a node with |  | ||||||
|       # other jobs. |  | ||||||
|       SelectTypeParameters=CR_Core |  | ||||||
| 
 |  | ||||||
|       # Required for pam_slurm_adopt, see https://slurm.schedmd.com/pam_slurm_adopt.html |  | ||||||
|       # This sets up the "extern" step into which ssh-launched processes will be |  | ||||||
|       # adopted. Alloc runs the prolog at job allocation (salloc) rather than |  | ||||||
|       # when a task runs (srun) so we can ssh early. |  | ||||||
|       PrologFlags=Alloc,Contain,X11 |  | ||||||
| 
 |  | ||||||
|       # LaunchParameters=ulimit_pam_adopt will set RLIMIT_RSS in processes |  | ||||||
|       # adopted by the external step, similar to tasks running in regular steps |  | ||||||
|       # LaunchParameters=ulimit_pam_adopt |  | ||||||
|       SlurmdDebug=debug5 |  | ||||||
|       #DebugFlags=Protocol,Cgroup |  | ||||||
|     ''; |  | ||||||
| 
 |  | ||||||
|     extraCgroupConfig = '' |  | ||||||
|       CgroupPlugin=cgroup/v2 |  | ||||||
|       #ConstrainCores=yes |  | ||||||
|     ''; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   # Place the slurm config in /etc as this will be required by PAM |  | ||||||
|   environment.etc.slurm.source = config.services.slurm.etcSlurm; |  | ||||||
| 
 |  | ||||||
|   age.secrets.mungeKey = { |  | ||||||
|     file = ../../secrets/munge-key.age; |  | ||||||
|     owner = "munge"; |  | ||||||
|     group = "munge"; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   services.munge = { |  | ||||||
|     enable = true; |  | ||||||
|     password = config.age.secrets.mungeKey.path; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,23 +0,0 @@ | |||||||
| { ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   imports = [ |  | ||||||
|     ./slurm-common.nix |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   services.slurm.server.enable = true; |  | ||||||
| 
 |  | ||||||
|   networking.firewall = { |  | ||||||
|     extraCommands = '' |  | ||||||
|       # Accept slurm connections to controller from compute nodes |  | ||||||
|       iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 6817 -j nixos-fw-accept |  | ||||||
|       # Accept slurm connections from compute nodes for srun |  | ||||||
|       iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 60000:61000 -j nixos-fw-accept |  | ||||||
| 
 |  | ||||||
|       # Accept slurm connections to controller from fox (via wireguard) |  | ||||||
|       iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.1/32 --dport 6817 -j nixos-fw-accept |  | ||||||
|       # Accept slurm connections from fox for srun (via wireguard) |  | ||||||
|       iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.1/32 --dport 60000:61000 -j nixos-fw-accept |  | ||||||
|     ''; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,17 +0,0 @@ | |||||||
| { config, lib, pkgs, ... }: |  | ||||||
| 
 |  | ||||||
| with lib; |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   systemd.services."prometheus-upc-qaire-exporter" = { |  | ||||||
|     wantedBy = [ "multi-user.target" ]; |  | ||||||
|     after = [ "network.target" ]; |  | ||||||
|     serviceConfig = { |  | ||||||
|       Restart = mkDefault "always"; |  | ||||||
|       PrivateTmp = mkDefault true; |  | ||||||
|       WorkingDirectory = mkDefault "/tmp"; |  | ||||||
|       DynamicUser = mkDefault true; |  | ||||||
|       ExecStart = "${pkgs.upc-qaire-exporter}/bin/upc-qaire-exporter"; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,35 +0,0 @@ | |||||||
| {config, ...}: |  | ||||||
| { |  | ||||||
|   age.secrets.vpn-dac-login.file = ../../secrets/vpn-dac-login.age; |  | ||||||
|   age.secrets.vpn-dac-client-key.file = ../../secrets/vpn-dac-client-key.age; |  | ||||||
| 
 |  | ||||||
|   services.openvpn.servers = { |  | ||||||
|     # systemctl status openvpn-dac.service |  | ||||||
|     dac = { |  | ||||||
|       config = '' |  | ||||||
|         client |  | ||||||
|         dev tun |  | ||||||
|         proto tcp |  | ||||||
|         remote vpn.ac.upc.edu 1194 |  | ||||||
|         remote vpn.ac.upc.edu 80 |  | ||||||
|         resolv-retry infinite |  | ||||||
|         nobind |  | ||||||
|         persist-key |  | ||||||
|         persist-tun |  | ||||||
|         ca ${./vpn-dac/ca.crt} |  | ||||||
|         cert ${./vpn-dac/client.crt} |  | ||||||
|         # Only key needs to be secret |  | ||||||
|         key ${config.age.secrets.vpn-dac-client-key.path} |  | ||||||
|         remote-cert-tls server |  | ||||||
|         comp-lzo |  | ||||||
|         verb 3 |  | ||||||
|         auth-user-pass ${config.age.secrets.vpn-dac-login.path} |  | ||||||
|         reneg-sec 0 |  | ||||||
| 
 |  | ||||||
|         # Only route fox-ipmi |  | ||||||
|         pull-filter ignore "route " |  | ||||||
|         route 147.83.35.27 255.255.255.255 |  | ||||||
|       ''; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,31 +0,0 @@ | |||||||
| -----BEGIN CERTIFICATE----- |  | ||||||
| MIIFUjCCBDqgAwIBAgIJAJH118PApk5hMA0GCSqGSIb3DQEBCwUAMIHLMQswCQYD |  | ||||||
| VQQGEwJFUzESMBAGA1UECBMJQmFyY2Vsb25hMRIwEAYDVQQHEwlCYXJjZWxvbmEx |  | ||||||
| LTArBgNVBAoTJFVuaXZlcnNpdGF0IFBvbGl0ZWNuaWNhIGRlIENhdGFsdW55YTEk |  | ||||||
| MCIGA1UECxMbQXJxdWl0ZWN0dXJhIGRlIENvbXB1dGFkb3JzMRAwDgYDVQQDEwdM |  | ||||||
| Q0FDIENBMQ0wCwYDVQQpEwRMQ0FDMR4wHAYJKoZIhvcNAQkBFg9sY2FjQGFjLnVw |  | ||||||
| Yy5lZHUwHhcNMTYwMTEyMTI0NDIxWhcNNDYwMTEyMTI0NDIxWjCByzELMAkGA1UE |  | ||||||
| BhMCRVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMS0w |  | ||||||
| KwYDVQQKEyRVbml2ZXJzaXRhdCBQb2xpdGVjbmljYSBkZSBDYXRhbHVueWExJDAi |  | ||||||
| BgNVBAsTG0FycXVpdGVjdHVyYSBkZSBDb21wdXRhZG9yczEQMA4GA1UEAxMHTENB |  | ||||||
| QyBDQTENMAsGA1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0BhYy51cGMu |  | ||||||
| ZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CteSeof7Xwi51kC |  | ||||||
| F0nQ4E9iR5Lq7wtfRuVPn6JJcIxJJ6+F9gr4R/HIHTztW4XAzReE36DYfexupx3D |  | ||||||
| 6UgQIkMLlVyGqRbulNF+RnCx20GosF7Dm4RGBVvOxBP1PGjYq/A+XhaaDAFd0cOF |  | ||||||
| LMNkzuYP7PF0bnBEaHnxmN8bPmuyDyas7fK9AAc3scyWT2jSBPbOVFvCJwPg8MH9 |  | ||||||
| V/h+hKwL/7hRt1MVfVv2qyIuKwTki8mUt0RcVbP7oJoRY5K1+R52phIz/GL/b4Fx |  | ||||||
| L6MKXlQxLi8vzP4QZXgCMyV7oFNdU3VqCEXBA11YIRvsOZ4QS19otIk/ZWU5x+HH |  | ||||||
| LAIJ7wIDAQABo4IBNTCCATEwHQYDVR0OBBYEFNyezX1cH1N4QR14ebBpljqmtE7q |  | ||||||
| MIIBAAYDVR0jBIH4MIH1gBTcns19XB9TeEEdeHmwaZY6prRO6qGB0aSBzjCByzEL |  | ||||||
| MAkGA1UEBhMCRVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vs |  | ||||||
| b25hMS0wKwYDVQQKEyRVbml2ZXJzaXRhdCBQb2xpdGVjbmljYSBkZSBDYXRhbHVu |  | ||||||
| eWExJDAiBgNVBAsTG0FycXVpdGVjdHVyYSBkZSBDb21wdXRhZG9yczEQMA4GA1UE |  | ||||||
| AxMHTENBQyBDQTENMAsGA1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0Bh |  | ||||||
| Yy51cGMuZWR1ggkAkfXXw8CmTmEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF |  | ||||||
| AAOCAQEAUAmOvVXIQrR+aZVO0bOTeugKBHB75eTIZSIHIn2oDUvDbAP5GXIJ56A1 |  | ||||||
| 6mZXxemSMY8/9k+pRcwJhfat3IgvAN159XSqf9kRv0NHgc3FWUI1Qv/BsAn0vJO/ |  | ||||||
| oK0dbmbbRWqt86qNrCN+cUfz5aovvxN73jFfnvfDQFBk/8enj9wXxYfokjjLPR1Q |  | ||||||
| +oTkH8dY68qf71oaUB9MndppPEPSz0K1S6h1XxvJoSu9MVSXOQHiq1cdZdxRazI3 |  | ||||||
| 4f7q9sTCL+khwDAuZxAYzlEYxFFa/NN8PWU6xPw6V+t/aDhOiXUPJQB/O/K7mw3Z |  | ||||||
| TQQx5NqM7B5jjak5fauR3/oRD8XXsA== |  | ||||||
| -----END CERTIFICATE----- |  | ||||||
| @ -1,100 +0,0 @@ | |||||||
| Certificate: |  | ||||||
|     Data: |  | ||||||
|         Version: 3 (0x2) |  | ||||||
|         Serial Number: 2 (0x2) |  | ||||||
|     Signature Algorithm: sha256WithRSAEncryption |  | ||||||
|         Issuer: C=ES, ST=Barcelona, L=Barcelona, O=Universitat Politecnica de Catalunya, OU=Arquitectura de Computadors, CN=LCAC CA/name=LCAC/emailAddress=lcac@ac.upc.edu |  | ||||||
|         Validity |  | ||||||
|             Not Before: Jan 12 12:45:41 2016 GMT |  | ||||||
|             Not After : Jan 12 12:45:41 2046 GMT |  | ||||||
|         Subject: C=ES, ST=Barcelona, L=Barcelona, O=Universitat Politecnica de Catalunya, OU=Arquitectura de Computadors, CN=client/name=LCAC/emailAddress=lcac@ac.upc.edu |  | ||||||
|         Subject Public Key Info: |  | ||||||
|             Public Key Algorithm: rsaEncryption |  | ||||||
|                 Public-Key: (2048 bit) |  | ||||||
|                 Modulus: |  | ||||||
|                     00:97:99:fa:7a:0e:4d:e2:1d:a5:b1:a8:14:18:64: |  | ||||||
|                     c7:66:bf:de:99:1d:92:3b:86:82:4d:95:39:f7:a6: |  | ||||||
|                     56:49:97:14:4f:e3:37:00:6c:f4:d0:1d:56:79:e7: |  | ||||||
|                     19:b5:dd:36:15:8e:1d:57:7b:59:29:d2:11:bf:58: |  | ||||||
|                     48:e0:f7:41:3d:16:64:8d:a2:0b:4a:ac:fa:c6:83: |  | ||||||
|                     dc:10:2a:2c:d9:97:48:ee:11:2a:bc:4b:60:dd:b9: |  | ||||||
|                     2e:8f:45:ca:87:0b:38:65:1c:f8:a2:1d:f9:50:aa: |  | ||||||
|                     6e:60:f9:48:df:57:12:23:e1:e7:0c:81:5c:9f:c5: |  | ||||||
|                     b2:e6:99:99:95:30:6d:57:36:06:8c:fd:fb:f9:4f: |  | ||||||
|                     60:d2:3c:ba:ae:28:56:2f:da:58:5c:e8:c5:7b:ec: |  | ||||||
|                     76:d9:28:6e:fb:8c:07:f9:d7:23:c3:72:76:3c:fa: |  | ||||||
|                     dc:20:67:8f:cc:16:e0:91:07:d5:68:f9:20:4d:7d: |  | ||||||
|                     5c:2d:02:04:16:76:52:f3:53:be:a3:dc:0d:d5:fb: |  | ||||||
|                     6b:55:29:f3:52:35:c8:7d:99:d1:4a:94:be:b1:8e: |  | ||||||
|                     fd:85:18:25:eb:41:e9:56:da:af:62:84:20:0a:00: |  | ||||||
|                     17:94:92:94:91:6a:f8:54:37:17:ee:1e:bb:fb:93: |  | ||||||
|                     71:91:d9:e4:e9:b8:3b:18:7d:6d:7d:4c:ce:58:55: |  | ||||||
|                     f9:41 |  | ||||||
|                 Exponent: 65537 (0x10001) |  | ||||||
|         X509v3 extensions: |  | ||||||
|             X509v3 Basic Constraints:  |  | ||||||
|                 CA:FALSE |  | ||||||
|             Netscape Comment:  |  | ||||||
|                 Easy-RSA Generated Certificate |  | ||||||
|             X509v3 Subject Key Identifier:  |  | ||||||
|                 1B:88:06:D5:33:1D:5C:48:46:B5:DE:78:89:36:96:91:3A:74:43:18 |  | ||||||
|             X509v3 Authority Key Identifier:  |  | ||||||
|                 keyid:DC:9E:CD:7D:5C:1F:53:78:41:1D:78:79:B0:69:96:3A:A6:B4:4E:EA |  | ||||||
|                 DirName:/C=ES/ST=Barcelona/L=Barcelona/O=Universitat Politecnica de Catalunya/OU=Arquitectura de Computadors/CN=LCAC CA/name=LCAC/emailAddress=lcac@ac.upc.edu |  | ||||||
|                 serial:91:F5:D7:C3:C0:A6:4E:61 |  | ||||||
| 
 |  | ||||||
|             X509v3 Extended Key Usage:  |  | ||||||
|                 TLS Web Client Authentication |  | ||||||
|             X509v3 Key Usage:  |  | ||||||
|                 Digital Signature |  | ||||||
|             X509v3 Subject Alternative Name:  |  | ||||||
|                 DNS:client |  | ||||||
|     Signature Algorithm: sha256WithRSAEncryption |  | ||||||
|          42:e8:50:b2:e7:88:75:86:0b:bb:29:e3:aa:c6:0e:4c:e8:ea: |  | ||||||
|          3d:0c:02:31:7f:3b:80:0c:3f:80:af:45:d6:62:27:a0:0e:e7: |  | ||||||
|          26:09:12:97:95:f8:d9:9b:89:b5:ef:56:64:f1:de:82:74:e0: |  | ||||||
|          31:0a:cc:90:0a:bd:50:b8:54:95:0a:ae:3b:40:df:76:b6:d1: |  | ||||||
|          01:2e:f3:96:9f:52:d4:e9:14:6d:b7:14:9d:45:99:33:36:2a: |  | ||||||
|          01:0b:15:1a:ed:55:dc:64:83:65:1a:06:42:d9:c7:dc:97:d4: |  | ||||||
|          02:81:c2:58:2b:ea:e4:b7:ae:84:3a:e4:3f:f1:2e:fa:ec:f3: |  | ||||||
|          40:5d:b8:6a:d5:5e:e1:e8:2f:e2:2f:48:a4:38:a1:4f:22:e3: |  | ||||||
|          4f:66:94:aa:02:78:9a:2b:7a:5d:aa:aa:51:a5:e3:d0:91:e9: |  | ||||||
|          1d:f9:08:ed:8b:51:c9:a6:af:46:85:b5:1c:ed:12:a1:28:33: |  | ||||||
|          75:36:00:d8:5c:14:65:96:c0:28:7d:47:50:a4:89:5f:b0:72: |  | ||||||
|          1a:4b:13:17:26:0f:f0:b8:65:3c:e9:96:36:f9:bf:90:59:33: |  | ||||||
|          87:1f:01:03:25:f8:f0:3a:9b:33:02:d0:0a:43:b5:0a:cf:62: |  | ||||||
|          a1:45:38:37:07:9d:9c:94:0b:31:c6:3c:34:b7:fc:5a:0c:e4: |  | ||||||
|          bf:23:f6:7d |  | ||||||
| -----BEGIN CERTIFICATE----- |  | ||||||
| MIIFqjCCBJKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCByzELMAkGA1UEBhMCRVMx |  | ||||||
| EjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMS0wKwYDVQQK |  | ||||||
| EyRVbml2ZXJzaXRhdCBQb2xpdGVjbmljYSBkZSBDYXRhbHVueWExJDAiBgNVBAsT |  | ||||||
| G0FycXVpdGVjdHVyYSBkZSBDb21wdXRhZG9yczEQMA4GA1UEAxMHTENBQyBDQTEN |  | ||||||
| MAsGA1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0BhYy51cGMuZWR1MB4X |  | ||||||
| DTE2MDExMjEyNDU0MVoXDTQ2MDExMjEyNDU0MVowgcoxCzAJBgNVBAYTAkVTMRIw |  | ||||||
| EAYDVQQIEwlCYXJjZWxvbmExEjAQBgNVBAcTCUJhcmNlbG9uYTEtMCsGA1UEChMk |  | ||||||
| VW5pdmVyc2l0YXQgUG9saXRlY25pY2EgZGUgQ2F0YWx1bnlhMSQwIgYDVQQLExtB |  | ||||||
| cnF1aXRlY3R1cmEgZGUgQ29tcHV0YWRvcnMxDzANBgNVBAMTBmNsaWVudDENMAsG |  | ||||||
| A1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0BhYy51cGMuZWR1MIIBIjAN |  | ||||||
| BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl5n6eg5N4h2lsagUGGTHZr/emR2S |  | ||||||
| O4aCTZU596ZWSZcUT+M3AGz00B1WeecZtd02FY4dV3tZKdIRv1hI4PdBPRZkjaIL |  | ||||||
| Sqz6xoPcECos2ZdI7hEqvEtg3bkuj0XKhws4ZRz4oh35UKpuYPlI31cSI+HnDIFc |  | ||||||
| n8Wy5pmZlTBtVzYGjP37+U9g0jy6rihWL9pYXOjFe+x22Shu+4wH+dcjw3J2PPrc |  | ||||||
| IGePzBbgkQfVaPkgTX1cLQIEFnZS81O+o9wN1ftrVSnzUjXIfZnRSpS+sY79hRgl |  | ||||||
| 60HpVtqvYoQgCgAXlJKUkWr4VDcX7h67+5Nxkdnk6bg7GH1tfUzOWFX5QQIDAQAB |  | ||||||
| o4IBljCCAZIwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2Vu |  | ||||||
| ZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQbiAbVMx1cSEa13niJNpaROnRD |  | ||||||
| GDCCAQAGA1UdIwSB+DCB9YAU3J7NfVwfU3hBHXh5sGmWOqa0TuqhgdGkgc4wgcsx |  | ||||||
| CzAJBgNVBAYTAkVTMRIwEAYDVQQIEwlCYXJjZWxvbmExEjAQBgNVBAcTCUJhcmNl |  | ||||||
| bG9uYTEtMCsGA1UEChMkVW5pdmVyc2l0YXQgUG9saXRlY25pY2EgZGUgQ2F0YWx1 |  | ||||||
| bnlhMSQwIgYDVQQLExtBcnF1aXRlY3R1cmEgZGUgQ29tcHV0YWRvcnMxEDAOBgNV |  | ||||||
| BAMTB0xDQUMgQ0ExDTALBgNVBCkTBExDQUMxHjAcBgkqhkiG9w0BCQEWD2xjYWNA |  | ||||||
| YWMudXBjLmVkdYIJAJH118PApk5hMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1Ud |  | ||||||
| DwQEAwIHgDARBgNVHREECjAIggZjbGllbnQwDQYJKoZIhvcNAQELBQADggEBAELo |  | ||||||
| ULLniHWGC7sp46rGDkzo6j0MAjF/O4AMP4CvRdZiJ6AO5yYJEpeV+NmbibXvVmTx |  | ||||||
| 3oJ04DEKzJAKvVC4VJUKrjtA33a20QEu85afUtTpFG23FJ1FmTM2KgELFRrtVdxk |  | ||||||
| g2UaBkLZx9yX1AKBwlgr6uS3roQ65D/xLvrs80BduGrVXuHoL+IvSKQ4oU8i409m |  | ||||||
| lKoCeJorel2qqlGl49CR6R35CO2LUcmmr0aFtRztEqEoM3U2ANhcFGWWwCh9R1Ck |  | ||||||
| iV+wchpLExcmD/C4ZTzpljb5v5BZM4cfAQMl+PA6mzMC0ApDtQrPYqFFODcHnZyU |  | ||||||
| CzHGPDS3/FoM5L8j9n0= |  | ||||||
| -----END CERTIFICATE----- |  | ||||||
| @ -2,13 +2,12 @@ | |||||||
| 
 | 
 | ||||||
| { | { | ||||||
|   imports = [ |   imports = [ | ||||||
|     ../common/ssf.nix |     ../common/xeon.nix | ||||||
|     ../module/ceph.nix |     ../module/ceph.nix | ||||||
|     ../module/emulation.nix |     ../module/emulation.nix | ||||||
|     ../module/slurm-client.nix |     ../module/slurm-client.nix | ||||||
|     ../module/slurm-firewall.nix |     ../module/slurm-firewall.nix | ||||||
|     ../module/debuginfod.nix |     ../module/debuginfod.nix | ||||||
|     ../module/hut-substituter.nix |  | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|   # Select the this using the ID to avoid mismatches |   # Select the this using the ID to avoid mismatches | ||||||
|  | |||||||
| @ -2,13 +2,12 @@ | |||||||
| 
 | 
 | ||||||
| { | { | ||||||
|   imports = [ |   imports = [ | ||||||
|     ../common/ssf.nix |     ../common/xeon.nix | ||||||
|     ../module/ceph.nix |     ../module/ceph.nix | ||||||
|     ../module/emulation.nix |     ../module/emulation.nix | ||||||
|     ../module/slurm-client.nix |     ../module/slurm-client.nix | ||||||
|     ../module/slurm-firewall.nix |     ../module/slurm-firewall.nix | ||||||
|     ../module/debuginfod.nix |     ../module/debuginfod.nix | ||||||
|     ../module/hut-substituter.nix |  | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|   # Select the this using the ID to avoid mismatches |   # Select the this using the ID to avoid mismatches | ||||||
|  | |||||||
| @ -3,13 +3,6 @@ | |||||||
| { | { | ||||||
|   imports = [ |   imports = [ | ||||||
|     ../common/base.nix |     ../common/base.nix | ||||||
|     ../common/ssf/hosts.nix |  | ||||||
|     ../module/emulation.nix |  | ||||||
|     ../module/debuginfod.nix |  | ||||||
|     ../module/nvidia.nix |  | ||||||
|     ../eudy/kernel/perf.nix |  | ||||||
|     ./wireguard.nix |  | ||||||
|     ../module/hut-substituter.nix |  | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|   # Don't install Grub on the disk yet |   # Don't install Grub on the disk yet | ||||||
| @ -30,41 +23,14 @@ | |||||||
|       address = "84.88.51.152"; |       address = "84.88.51.152"; | ||||||
|       prefixLength = 25; |       prefixLength = 25; | ||||||
|     } ]; |     } ]; | ||||||
|     interfaces.enp5s0f1.ipv4.addresses = [ { |  | ||||||
|       address = "10.0.44.1"; |  | ||||||
|       prefixLength = 24; |  | ||||||
|     } ]; |  | ||||||
|     nat = { |  | ||||||
|       enable = true; |  | ||||||
|       internalInterfaces = [ "enp5s0f1" ]; |  | ||||||
|       externalInterface = "eno0"; |  | ||||||
|     }; |  | ||||||
|     hosts = { |  | ||||||
|       "10.0.44.4" = [ "tent" ]; |  | ||||||
|       "84.88.53.236" = [ "apex" ]; |  | ||||||
|     }; |  | ||||||
|   }; |   }; | ||||||
| 
 | 
 | ||||||
|   # Mount the NFS home |   # Configure Nvidia driver to use with CUDA | ||||||
|   fileSystems."/nfs/home" = { |   hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production; | ||||||
|     device = "10.106.0.30:/home"; |   hardware.graphics.enable = true; | ||||||
|     fsType = "nfs"; |   nixpkgs.config.allowUnfree = true; | ||||||
|     options = [ "nfsvers=3" "rsize=1024" "wsize=1024" "cto" "nofail" ]; |   nixpkgs.config.nvidia.acceptLicense = true; | ||||||
|   }; |   services.xserver.videoDrivers = [ "nvidia" ]; | ||||||
| 
 |  | ||||||
|   # Enable performance governor |  | ||||||
|   powerManagement.cpuFreqGovernor = "performance"; |  | ||||||
| 
 |  | ||||||
|   hardware.nvidia.open = false; # Maxwell is older than Turing architecture |  | ||||||
| 
 |  | ||||||
|   services.openssh.settings.X11Forwarding = true; |  | ||||||
| 
 |  | ||||||
|   services.prometheus.exporters.node = { |  | ||||||
|     enable = true; |  | ||||||
|     enabledCollectors = [ "systemd" ]; |  | ||||||
|     port = 9002; |  | ||||||
|     listenAddress = "127.0.0.1"; |  | ||||||
|   }; |  | ||||||
| 
 | 
 | ||||||
|   users.motd = '' |   users.motd = '' | ||||||
|     ⠀⠀⠀⠀⠀⠀⠀⣀⣀⣄⣠⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ |     ⠀⠀⠀⠀⠀⠀⠀⣀⣀⣄⣠⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ | ||||||
|  | |||||||
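Review bot: `nixpkgs.config.allowUnfree = true;` on the new side permits every unfree package on this host, although the lines around it only need the NVIDIA driver. A predicate keeps the exception as narrow as the need: `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "nvidia-x11" "nvidia-settings" ];`. The package names in that list are my guess at what the driver pulls in and should be checked against what the build reports, and `lib` has to be among the module arguments, which are outside this hunk. A short comment next to `nixpkgs.config.nvidia.acceptLicense = true;` saying who accepted the licence and for which use would help the next maintainer.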
| @ -1,48 +0,0 @@ | |||||||
| { config, pkgs, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   networking.nat = { |  | ||||||
|     enable = true; |  | ||||||
|     enableIPv6 = false; |  | ||||||
|     externalInterface = "eno0"; |  | ||||||
|     internalInterfaces = [ "wg0" ]; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   networking.firewall = { |  | ||||||
|     allowedUDPPorts = [ 666 ]; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   age.secrets.wgRaccoon.file = ../../secrets/wg-raccoon.age; |  | ||||||
| 
 |  | ||||||
|   # Enable WireGuard |  | ||||||
|   networking.wireguard.enable = true; |  | ||||||
|   networking.wireguard.interfaces = { |  | ||||||
|     wg0 = { |  | ||||||
|       ips = [ "10.106.0.236/24" ]; |  | ||||||
|       listenPort = 666; |  | ||||||
|       privateKeyFile = config.age.secrets.wgRaccoon.path; |  | ||||||
|       # Public key: QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI= |  | ||||||
|       peers = [ |  | ||||||
|         { |  | ||||||
|           name = "fox"; |  | ||||||
|           publicKey = "VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y="; |  | ||||||
|           allowedIPs = [ "10.106.0.1/32" ]; |  | ||||||
|           endpoint = "fox.ac.upc.edu:666"; |  | ||||||
|           persistentKeepalive = 25; |  | ||||||
|         } |  | ||||||
|         { |  | ||||||
|           name = "apex"; |  | ||||||
|           publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA="; |  | ||||||
|           allowedIPs = [ "10.106.0.30/32" "10.0.40.0/24" ]; |  | ||||||
|           endpoint = "ssfhead.bsc.es:666"; |  | ||||||
|           persistentKeepalive = 25; |  | ||||||
|         } |  | ||||||
|       ]; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   networking.hosts = { |  | ||||||
|     "10.106.0.1"  = [ "fox.wg" ]; |  | ||||||
|     "10.106.0.30" = [ "apex.wg" ]; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,14 +0,0 @@ | |||||||
| modules: |  | ||||||
|   http_2xx: |  | ||||||
|     prober: http |  | ||||||
|     timeout: 5s |  | ||||||
|     http: |  | ||||||
|       preferred_ip_protocol: "ip4" |  | ||||||
|       follow_redirects: true |  | ||||||
|       valid_status_codes: []  # Defaults to 2xx |  | ||||||
|       method: GET |  | ||||||
|   icmp: |  | ||||||
|     prober: icmp |  | ||||||
|     timeout: 5s |  | ||||||
|     icmp: |  | ||||||
|       preferred_ip_protocol: "ip4" |  | ||||||
| @ -1,85 +0,0 @@ | |||||||
| { config, pkgs, lib, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   imports = [ |  | ||||||
|     ../common/xeon.nix |  | ||||||
|     ../common/ssf/hosts.nix |  | ||||||
|     ../module/emulation.nix |  | ||||||
|     ../module/debuginfod.nix |  | ||||||
|     ./monitoring.nix |  | ||||||
|     ./nginx.nix |  | ||||||
|     ./nix-serve.nix |  | ||||||
|     ./gitlab-runner.nix |  | ||||||
|     ./gitea.nix |  | ||||||
|     ../hut/public-inbox.nix |  | ||||||
|     ../hut/msmtp.nix |  | ||||||
|     ../module/p.nix |  | ||||||
|     ../module/vpn-dac.nix |  | ||||||
|     ../module/hut-substituter.nix |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   # Select the this using the ID to avoid mismatches |  | ||||||
|   boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d537675"; |  | ||||||
| 
 |  | ||||||
|   networking = { |  | ||||||
|     hostName = "tent"; |  | ||||||
|     interfaces.eno1.ipv4.addresses = [ |  | ||||||
|       { |  | ||||||
|         address = "10.0.44.4"; |  | ||||||
|         prefixLength = 24; |  | ||||||
|       } |  | ||||||
|     ]; |  | ||||||
| 
 |  | ||||||
|     # Only BSC DNSs seem to be reachable from the office VLAN |  | ||||||
|     nameservers = [ "84.88.52.35" "84.88.52.36" ]; |  | ||||||
|     search = [ "bsc.es" "ac.upc.edu" ]; |  | ||||||
|     defaultGateway = "10.0.44.1"; |  | ||||||
|     hosts = { |  | ||||||
|       "84.88.53.236" = [ "apex" ]; |  | ||||||
|       "10.0.44.1" = [ "raccoon" ]; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   services.p.enable = true; |  | ||||||
| 
 |  | ||||||
|   services.prometheus.exporters.node = { |  | ||||||
|     enable = true; |  | ||||||
|     enabledCollectors = [ "systemd" ]; |  | ||||||
|     port = 9002; |  | ||||||
|     listenAddress = "127.0.0.1"; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   boot.swraid = { |  | ||||||
|     enable = true; |  | ||||||
|     mdadmConf = '' |  | ||||||
|       DEVICE partitions |  | ||||||
|       ARRAY /dev/md0 metadata=1.2 UUID=496db1e2:056a92aa:a544543f:40db379d |  | ||||||
|       MAILADDR root |  | ||||||
|     ''; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   fileSystems."/vault" = { |  | ||||||
|     device = "/dev/disk/by-label/vault"; |  | ||||||
|     fsType = "ext4"; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   # Make a /vault/$USER directory for each user. |  | ||||||
|   systemd.services.create-vault-dirs = let |  | ||||||
|     # Take only normal users in tent |  | ||||||
|     users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users; |  | ||||||
|     commands = lib.concatLists (lib.mapAttrsToList |  | ||||||
|       (_: user: [ |  | ||||||
|         "install -d -o ${user.name} -g ${user.group} -m 0711 /vault/home/${user.name}" |  | ||||||
|       ]) users); |  | ||||||
|     script = pkgs.writeShellScript "create-vault-dirs.sh" (lib.concatLines commands); |  | ||||||
|   in { |  | ||||||
|     enable = true; |  | ||||||
|     wants = [ "local-fs.target" ]; |  | ||||||
|     after = [ "local-fs.target" ]; |  | ||||||
|     wantedBy = [ "multi-user.target" ]; |  | ||||||
|     serviceConfig.ExecStart = script; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   # disable automatic garbage collector |  | ||||||
|   nix.gc.automatic = lib.mkForce false; |  | ||||||
| } |  | ||||||
| @ -1,30 +0,0 @@ | |||||||
| { config, lib, ... }: |  | ||||||
| { |  | ||||||
|   services.gitea = { |  | ||||||
|     enable = true; |  | ||||||
|     appName = "Gitea in the jungle"; |  | ||||||
| 
 |  | ||||||
|     settings = { |  | ||||||
|       server = { |  | ||||||
|         ROOT_URL = "https://jungle.bsc.es/git/"; |  | ||||||
|         LOCAL_ROOT_URL = "https://jungle.bsc.es/git/"; |  | ||||||
|         LANDING_PAGE = "explore"; |  | ||||||
|       }; |  | ||||||
|       metrics.ENABLED = true; |  | ||||||
|       service = { |  | ||||||
|         DISABLE_REGISTRATION = true; |  | ||||||
|         REGISTER_MANUAL_CONFIRM = true; |  | ||||||
|         ENABLE_NOTIFY_MAIL = true; |  | ||||||
|       }; |  | ||||||
|       log.LEVEL = "Warn"; |  | ||||||
| 
 |  | ||||||
|       mailer = { |  | ||||||
|         ENABLED       = true; |  | ||||||
|         FROM          = "jungle-robot@bsc.es"; |  | ||||||
|         PROTOCOL      = "sendmail"; |  | ||||||
|         SENDMAIL_PATH = "/run/wrappers/bin/sendmail"; |  | ||||||
|         SENDMAIL_ARGS = "--"; |  | ||||||
|       }; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,93 +0,0 @@ | |||||||
| { pkgs, lib, config, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   age.secrets.tent-gitlab-runner-pm-shell.file = ../../secrets/tent-gitlab-runner-pm-shell-token.age; |  | ||||||
|   age.secrets.tent-gitlab-runner-pm-docker.file = ../../secrets/tent-gitlab-runner-pm-docker-token.age; |  | ||||||
|   age.secrets.tent-gitlab-runner-bsc-docker.file = ../../secrets/tent-gitlab-runner-bsc-docker-token.age; |  | ||||||
| 
 |  | ||||||
|   services.gitlab-runner = let sec = config.age.secrets; in { |  | ||||||
|     enable = true; |  | ||||||
|     settings.concurrent = 5; |  | ||||||
|     services = { |  | ||||||
|       # For gitlab.pm.bsc.es |  | ||||||
|       gitlab-pm-shell = { |  | ||||||
|         executor = "shell"; |  | ||||||
|         environmentVariables = { |  | ||||||
|           SHELL = "${pkgs.bash}/bin/bash"; |  | ||||||
|         }; |  | ||||||
|         authenticationTokenConfigFile = sec.tent-gitlab-runner-pm-shell.path; |  | ||||||
|         preGetSourcesScript = pkgs.writeScript "setup" '' |  | ||||||
|           echo "This is the preGetSources script running, brace for impact" |  | ||||||
|           env |  | ||||||
|         ''; |  | ||||||
|       }; |  | ||||||
|       gitlab-pm-docker = { |  | ||||||
|         authenticationTokenConfigFile = sec.tent-gitlab-runner-pm-docker.path; |  | ||||||
|         executor = "docker"; |  | ||||||
|         dockerImage = "debian:stable"; |  | ||||||
|       }; |  | ||||||
| 
 |  | ||||||
|       # For gitlab.bsc.es |  | ||||||
|       gitlab-bsc-docker = { |  | ||||||
|         # gitlab.bsc.es still uses the old token mechanism |  | ||||||
|         registrationConfigFile = sec.tent-gitlab-runner-bsc-docker.path; |  | ||||||
|         tagList = [ "docker" "tent" "nix" ]; |  | ||||||
|         executor = "docker"; |  | ||||||
|         dockerImage = "alpine"; |  | ||||||
|         dockerVolumes = [ |  | ||||||
|           "/nix/store:/nix/store:ro" |  | ||||||
|           "/nix/var/nix/db:/nix/var/nix/db:ro" |  | ||||||
|           "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" |  | ||||||
|         ]; |  | ||||||
|         dockerDisableCache = true; |  | ||||||
|         registrationFlags = [ |  | ||||||
|           # Increase build log length to 64 MiB |  | ||||||
|           "--output-limit 65536" |  | ||||||
|         ]; |  | ||||||
|         preBuildScript = pkgs.writeScript "setup-container" '' |  | ||||||
|           mkdir -p -m 0755 /nix/var/log/nix/drvs |  | ||||||
|           mkdir -p -m 0755 /nix/var/nix/gcroots |  | ||||||
|           mkdir -p -m 0755 /nix/var/nix/profiles |  | ||||||
|           mkdir -p -m 0755 /nix/var/nix/temproots |  | ||||||
|           mkdir -p -m 0755 /nix/var/nix/userpool |  | ||||||
|           mkdir -p -m 1777 /nix/var/nix/gcroots/per-user |  | ||||||
|           mkdir -p -m 1777 /nix/var/nix/profiles/per-user |  | ||||||
|           mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root |  | ||||||
|           mkdir -p -m 0700 "$HOME/.nix-defexpr" |  | ||||||
|           mkdir -p -m 0700 "$HOME/.ssh" |  | ||||||
|           cat >> "$HOME/.ssh/known_hosts" << EOF |  | ||||||
|           bscpm04.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT |  | ||||||
|           gitlab-internal.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3 |  | ||||||
|           EOF |  | ||||||
|           . ${pkgs.nix}/etc/profile.d/nix-daemon.sh |  | ||||||
|           # Required to load SSL certificate paths |  | ||||||
|           . ${pkgs.cacert}/nix-support/setup-hook |  | ||||||
|         ''; |  | ||||||
|         environmentVariables = { |  | ||||||
|           ENV = "/etc/profile"; |  | ||||||
|           USER = "root"; |  | ||||||
|           NIX_REMOTE = "daemon"; |  | ||||||
|           PATH = "${config.system.path}/bin:/bin:/sbin:/usr/bin:/usr/sbin"; |  | ||||||
|         }; |  | ||||||
|       }; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   systemd.services.gitlab-runner.serviceConfig = { |  | ||||||
|     DynamicUser = lib.mkForce false; |  | ||||||
|     User = "gitlab-runner"; |  | ||||||
|     Group = "gitlab-runner"; |  | ||||||
|     ExecStart = lib.mkForce |  | ||||||
|       ''${pkgs.gitlab-runner}/bin/gitlab-runner run --config ''${HOME}/.gitlab-runner/config.toml --listen-address "127.0.0.1:9252" --working-directory ''${HOME}''; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   users.users.gitlab-runner = { |  | ||||||
|     uid = config.ids.uids.gitlab-runner; |  | ||||||
|     home = "/var/lib/gitlab-runner"; |  | ||||||
|     description = "Gitlab Runner"; |  | ||||||
|     group = "gitlab-runner"; |  | ||||||
|     extraGroups = [ "docker" ]; |  | ||||||
|     createHome = true; |  | ||||||
|   }; |  | ||||||
|   users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner; |  | ||||||
| } |  | ||||||
| @ -1,217 +0,0 @@ | |||||||
| { config, lib, pkgs, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   imports = [ |  | ||||||
|     ../module/meteocat-exporter.nix |  | ||||||
|     ../module/upc-qaire-exporter.nix |  | ||||||
|     ../module/nix-daemon-exporter.nix |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   age.secrets.grafanaJungleRobotPassword = { |  | ||||||
|     file = ../../secrets/jungle-robot-password.age; |  | ||||||
|     owner = "grafana"; |  | ||||||
|     mode = "400"; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   services.grafana = { |  | ||||||
|     enable = true; |  | ||||||
|     settings = { |  | ||||||
|       server = { |  | ||||||
|         domain = "jungle.bsc.es"; |  | ||||||
|         root_url = "%(protocol)s://%(domain)s/grafana"; |  | ||||||
|         serve_from_sub_path = true; |  | ||||||
|         http_port = 2342; |  | ||||||
|         http_addr = "127.0.0.1"; |  | ||||||
|       }; |  | ||||||
|       smtp = { |  | ||||||
|         enabled = true; |  | ||||||
|         from_address = "jungle-robot@bsc.es"; |  | ||||||
|         user = "jungle-robot"; |  | ||||||
|         # Read the password from a file, which is only readable by grafana user |  | ||||||
|         # https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider |  | ||||||
|         password = "$__file{${config.age.secrets.grafanaJungleRobotPassword.path}}"; |  | ||||||
|         host = "mail.bsc.es:465"; |  | ||||||
|         startTLS_policy = "NoStartTLS"; |  | ||||||
|       }; |  | ||||||
|       feature_toggles.publicDashboards = true; |  | ||||||
|       "auth.anonymous".enabled = true; |  | ||||||
|       log.level = "warn"; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   services.prometheus = { |  | ||||||
|     enable = true; |  | ||||||
|     port = 9001; |  | ||||||
|     retentionTime = "5y"; |  | ||||||
|     listenAddress = "127.0.0.1"; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   # We need access to the devices to monitor the disk space |  | ||||||
|   systemd.services.prometheus-node-exporter.serviceConfig.PrivateDevices = lib.mkForce false; |  | ||||||
|   systemd.services.prometheus-node-exporter.serviceConfig.ProtectHome = lib.mkForce "read-only"; |  | ||||||
| 
 |  | ||||||
|   # Credentials for IPMI exporter |  | ||||||
|   age.secrets.ipmiYml = { |  | ||||||
|     file = ../../secrets/ipmi.yml.age; |  | ||||||
|     owner = "ipmi-exporter"; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   # Create an IPMI group and assign the ipmi0 device |  | ||||||
|   users.groups.ipmi = {}; |  | ||||||
|   services.udev.extraRules = '' |  | ||||||
|     SUBSYSTEM=="ipmi", KERNEL=="ipmi0", GROUP="ipmi", MODE="0660" |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
|   # Add a new ipmi-exporter user that can read the ipmi0 device |  | ||||||
|   users.users.ipmi-exporter = { |  | ||||||
|     isSystemUser = true; |  | ||||||
|     group = "ipmi"; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   # Disable dynamic user so we have the ipmi-exporter user available for the credentials |  | ||||||
|   systemd.services.prometheus-ipmi-exporter.serviceConfig = { |  | ||||||
|     DynamicUser = lib.mkForce false; |  | ||||||
|     PrivateDevices = lib.mkForce false; |  | ||||||
|     User = lib.mkForce "ipmi-exporter"; |  | ||||||
|     Group = lib.mkForce "ipmi"; |  | ||||||
|     RestrictNamespaces = lib.mkForce false; |  | ||||||
|     # Fake uid to 0 so it shuts up |  | ||||||
|     ExecStart = let |  | ||||||
|       cfg = config.services.prometheus.exporters.ipmi; |  | ||||||
|     in lib.mkForce (lib.concatStringsSep " " ([ |  | ||||||
|       "${pkgs.util-linux}/bin/unshare --map-user 0" |  | ||||||
|       "${pkgs.prometheus-ipmi-exporter}/bin/ipmi_exporter" |  | ||||||
|       "--web.listen-address ${cfg.listenAddress}:${toString cfg.port}" |  | ||||||
|       "--config.file ${lib.escapeShellArg cfg.configFile}" |  | ||||||
|     ] ++ cfg.extraFlags)); |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   services.prometheus = { |  | ||||||
|     exporters = { |  | ||||||
|       ipmi = { |  | ||||||
|         enable = true; |  | ||||||
|         configFile = config.age.secrets.ipmiYml.path; |  | ||||||
|         #extraFlags = [ "--log.level=debug" ]; |  | ||||||
|         listenAddress = "127.0.0.1"; |  | ||||||
|       }; |  | ||||||
|       node = { |  | ||||||
|         enable = true; |  | ||||||
|         enabledCollectors = [ "logind" ]; |  | ||||||
|         port = 9002; |  | ||||||
|         listenAddress = "127.0.0.1"; |  | ||||||
|       }; |  | ||||||
|       blackbox = { |  | ||||||
|         enable = true; |  | ||||||
|         listenAddress = "127.0.0.1"; |  | ||||||
|         configFile = ./blackbox.yml; |  | ||||||
|       }; |  | ||||||
|     }; |  | ||||||
| 
 |  | ||||||
|     scrapeConfigs = [ |  | ||||||
|       { |  | ||||||
|         job_name = "local"; |  | ||||||
|         static_configs = [{ |  | ||||||
|           targets = [ |  | ||||||
|             "127.0.0.1:9002" # Node exporter |  | ||||||
|             #"127.0.0.1:9115" # Blackbox exporter |  | ||||||
|             "127.0.0.1:9290" # IPMI exporter for local node |  | ||||||
|             "127.0.0.1:9928" # UPC Qaire custom exporter |  | ||||||
|             "127.0.0.1:9929" # Meteocat custom exporter |  | ||||||
|             "127.0.0.1:9999" # Nix-daemon custom exporter |  | ||||||
|           ]; |  | ||||||
|         }]; |  | ||||||
|       } |  | ||||||
|       { |  | ||||||
|         job_name = "blackbox-http"; |  | ||||||
|         metrics_path = "/probe"; |  | ||||||
|         params = { module = [ "http_2xx" ]; }; |  | ||||||
|         static_configs = [{ |  | ||||||
|           targets = [ |  | ||||||
|             "https://www.google.com/robots.txt" |  | ||||||
|             "https://pm.bsc.es/" |  | ||||||
|             "https://pm.bsc.es/gitlab/" |  | ||||||
|             "https://jungle.bsc.es/" |  | ||||||
|             "https://gitlab.bsc.es/" |  | ||||||
|           ]; |  | ||||||
|         }]; |  | ||||||
|         relabel_configs = [ |  | ||||||
|           { |  | ||||||
|             # Takes the address and sets it in the "target=<xyz>" URL parameter |  | ||||||
|             source_labels = [ "__address__" ]; |  | ||||||
|             target_label = "__param_target"; |  | ||||||
|           } |  | ||||||
|           { |  | ||||||
|             # Sets the "instance" label with the remote host we are querying |  | ||||||
|             source_labels = [ "__param_target" ]; |  | ||||||
|             target_label = "instance"; |  | ||||||
|           } |  | ||||||
|           { |  | ||||||
|             # Shows the host target address instead of the blackbox address |  | ||||||
|             target_label = "__address__"; |  | ||||||
|             replacement = "127.0.0.1:9115"; |  | ||||||
|           } |  | ||||||
|         ]; |  | ||||||
|       } |  | ||||||
|       { |  | ||||||
|         job_name = "blackbox-icmp"; |  | ||||||
|         metrics_path = "/probe"; |  | ||||||
|         params = { module = [ "icmp" ]; }; |  | ||||||
|         static_configs = [{ |  | ||||||
|           targets = [ |  | ||||||
|             "1.1.1.1" |  | ||||||
|             "8.8.8.8" |  | ||||||
|             "ssfhead" |  | ||||||
|             "raccoon" |  | ||||||
|             "anella-bsc.cesca.cat" |  | ||||||
|             "upc-anella.cesca.cat" |  | ||||||
|             "fox.ac.upc.edu" |  | ||||||
|             "fox-ipmi.ac.upc.edu" |  | ||||||
|             "arenys5.ac.upc.edu" |  | ||||||
|             "arenys0-2.ac.upc.edu" |  | ||||||
|             "epi01.bsc.es" |  | ||||||
|             "axle.bsc.es" |  | ||||||
|           ]; |  | ||||||
|         }]; |  | ||||||
|         relabel_configs = [ |  | ||||||
|           { |  | ||||||
|             # Takes the address and sets it in the "target=<xyz>" URL parameter |  | ||||||
|             source_labels = [ "__address__" ]; |  | ||||||
|             target_label = "__param_target"; |  | ||||||
|           } |  | ||||||
|           { |  | ||||||
|             # Sets the "instance" label with the remote host we are querying |  | ||||||
|             source_labels = [ "__param_target" ]; |  | ||||||
|             target_label = "instance"; |  | ||||||
|           } |  | ||||||
|           { |  | ||||||
|             # Shows the host target address instead of the blackbox address |  | ||||||
|             target_label = "__address__"; |  | ||||||
|             replacement = "127.0.0.1:9115"; |  | ||||||
|           } |  | ||||||
|         ]; |  | ||||||
|       } |  | ||||||
|       { |  | ||||||
|         job_name = "ipmi-raccoon"; |  | ||||||
|         metrics_path = "/ipmi"; |  | ||||||
|         static_configs = [ |  | ||||||
|           { targets = [ "127.0.0.1:9290" ]; } |  | ||||||
|         ]; |  | ||||||
|         params = { |  | ||||||
|           target = [ "raccoon-ipmi" ]; |  | ||||||
|           module = [ "raccoon" ]; |  | ||||||
|         }; |  | ||||||
|       } |  | ||||||
|       { |  | ||||||
|         job_name = "ipmi-fox"; |  | ||||||
|         metrics_path = "/ipmi"; |  | ||||||
|         static_configs = [ |  | ||||||
|           { targets = [ "127.0.0.1:9290" ]; } |  | ||||||
|         ]; |  | ||||||
|         params = { |  | ||||||
|           target = [ "fox-ipmi.ac.upc.edu" ]; |  | ||||||
|           module = [ "fox" ]; |  | ||||||
|         }; |  | ||||||
|       } |  | ||||||
|     ]; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,79 +0,0 @@ | |||||||
| { theFlake, pkgs, ... }: |  | ||||||
| let |  | ||||||
|   website = pkgs.stdenv.mkDerivation { |  | ||||||
|     name = "jungle-web"; |  | ||||||
|     src = pkgs.fetchgit { |  | ||||||
|       url = "https://jungle.bsc.es/git/rarias/jungle-website.git"; |  | ||||||
|       rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c"; |  | ||||||
|       hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M="; |  | ||||||
|     }; |  | ||||||
|     buildInputs = [ pkgs.hugo ]; |  | ||||||
|     buildPhase = '' |  | ||||||
|       rm -rf public/ |  | ||||||
|       hugo |  | ||||||
|     ''; |  | ||||||
|     installPhase = '' |  | ||||||
|       cp -r public $out |  | ||||||
|     ''; |  | ||||||
|     # Don't mess doc/ |  | ||||||
|     dontFixup = true; |  | ||||||
|   }; |  | ||||||
| in |  | ||||||
| { |  | ||||||
|   networking.firewall.allowedTCPPorts = [ 80 ]; |  | ||||||
|   services.nginx = { |  | ||||||
|     enable = true; |  | ||||||
|     virtualHosts."jungle.bsc.es" = { |  | ||||||
|       root = "${website}"; |  | ||||||
|       listen = [ |  | ||||||
|         { |  | ||||||
|           addr = "0.0.0.0"; |  | ||||||
|           port = 80; |  | ||||||
|         } |  | ||||||
|       ]; |  | ||||||
|       extraConfig = '' |  | ||||||
|         set_real_ip_from 127.0.0.1; |  | ||||||
|         set_real_ip_from 84.88.52.107; |  | ||||||
|         real_ip_recursive on; |  | ||||||
|         real_ip_header X-Forwarded-For; |  | ||||||
| 
 |  | ||||||
|         location /git { |  | ||||||
|           rewrite ^/git$ / break; |  | ||||||
|           rewrite ^/git/(.*) /$1 break; |  | ||||||
|           proxy_pass http://127.0.0.1:3000; |  | ||||||
|           proxy_redirect http:// $scheme://; |  | ||||||
|         } |  | ||||||
|         location /cache { |  | ||||||
|           rewrite ^/cache/(.*) /$1 break; |  | ||||||
|           proxy_pass http://127.0.0.1:5000; |  | ||||||
|           proxy_redirect http:// $scheme://; |  | ||||||
|         } |  | ||||||
|         location /lists { |  | ||||||
|           proxy_pass http://127.0.0.1:8081; |  | ||||||
|           proxy_redirect http:// $scheme://; |  | ||||||
|         } |  | ||||||
|         location /grafana { |  | ||||||
|           proxy_pass http://127.0.0.1:2342; |  | ||||||
|           proxy_redirect http:// $scheme://; |  | ||||||
|           proxy_set_header Host $host; |  | ||||||
|           # Websockets |  | ||||||
|           proxy_http_version 1.1; |  | ||||||
|           proxy_set_header Upgrade $http_upgrade; |  | ||||||
|           proxy_set_header Connection "upgrade"; |  | ||||||
|         } |  | ||||||
|         location ~ ^/~(.+?)(/.*)?$ { |  | ||||||
|           alias /vault/home/$1/public_html$2; |  | ||||||
|           index  index.html index.htm; |  | ||||||
|           autoindex on; |  | ||||||
|           absolute_redirect off; |  | ||||||
|         } |  | ||||||
|         location /p/ { |  | ||||||
|           alias /var/lib/p/; |  | ||||||
|         } |  | ||||||
|         location /pub/ { |  | ||||||
|           alias /vault/pub/; |  | ||||||
|         } |  | ||||||
|       ''; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,16 +0,0 @@ | |||||||
| { config, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   age.secrets.nixServe.file = ../../secrets/nix-serve.age; |  | ||||||
| 
 |  | ||||||
|   services.nix-serve = { |  | ||||||
|     enable = true; |  | ||||||
|     # Only listen locally, as we serve it via ssh |  | ||||||
|     bindAddress = "127.0.0.1"; |  | ||||||
|     port = 5000; |  | ||||||
| 
 |  | ||||||
|     secretKeyFile = config.age.secrets.nixServe.path; |  | ||||||
|     # Public key: |  | ||||||
|     # jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0= |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,33 +0,0 @@ | |||||||
| { lib, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   imports = [ |  | ||||||
|     ../common/ssf.nix |  | ||||||
|     ../module/hut-substituter.nix |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   # Select this using the ID to avoid mismatches |  | ||||||
|   boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d5356ca"; |  | ||||||
| 
 |  | ||||||
|   # No swap, there is plenty of RAM |  | ||||||
|   swapDevices = lib.mkForce []; |  | ||||||
| 
 |  | ||||||
|   # Users with sudo access |  | ||||||
|   users.groups.wheel.members = [ "abonerib" "anavarro" ]; |  | ||||||
| 
 |  | ||||||
|   # Run julia installed with juliaup using julia's own libraries: |  | ||||||
|   # NIX_LD_LIBRARY_PATH=~/.julia/juliaup/${VERS}/lib/julia ~/.juliaup/bin/julia |  | ||||||
|   programs.nix-ld.enable = true; |  | ||||||
| 
 |  | ||||||
|   networking = { |  | ||||||
|     hostName = "weasel"; |  | ||||||
|     interfaces.eno1.ipv4.addresses = [ { |  | ||||||
|       address = "10.0.40.6"; |  | ||||||
|       prefixLength = 24; |  | ||||||
|     } ]; |  | ||||||
|     interfaces.ibp5s0.ipv4.addresses = [ { |  | ||||||
|       address = "10.0.42.6"; |  | ||||||
|       prefixLength = 24; |  | ||||||
|     } ]; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
							
								
								
									
										157
									
								
								overlay.nix
									
									
									
									
									
								
							
							
						
						
									
							| @ -1,157 +0,0 @@ | |||||||
| final: /* Future last stage */ |  | ||||||
| prev:  /* Previous stage */ |  | ||||||
| 
 |  | ||||||
| with final.lib; |  | ||||||
| 
 |  | ||||||
| let |  | ||||||
|   callPackage = final.callPackage; |  | ||||||
| 
 |  | ||||||
|   bscPkgs = { |  | ||||||
|     agenix = prev.callPackage ./pkgs/agenix/default.nix { }; |  | ||||||
|     amd-uprof = prev.callPackage ./pkgs/amd-uprof/default.nix { }; |  | ||||||
|     bench6 = callPackage ./pkgs/bench6/default.nix { }; |  | ||||||
|     bigotes = callPackage ./pkgs/bigotes/default.nix { }; |  | ||||||
|     clangOmpss2 = callPackage ./pkgs/llvm-ompss2/default.nix { }; |  | ||||||
|     clangOmpss2Nanos6 = callPackage ./pkgs/llvm-ompss2/default.nix { ompss2rt = final.nanos6; }; |  | ||||||
|     clangOmpss2Nodes = callPackage ./pkgs/llvm-ompss2/default.nix { ompss2rt = final.nodes; openmp = final.openmp; }; |  | ||||||
|     clangOmpss2NodesOmpv = callPackage ./pkgs/llvm-ompss2/default.nix { ompss2rt = final.nodes; openmp = final.openmpv; }; |  | ||||||
|     clangOmpss2Unwrapped = callPackage ./pkgs/llvm-ompss2/clang.nix { }; |  | ||||||
|     cudainfo = prev.callPackage ./pkgs/cudainfo/default.nix { }; |  | ||||||
|     #extrae = callPackage ./pkgs/extrae/default.nix { }; # Broken and outdated |  | ||||||
|     gpi-2 = callPackage ./pkgs/gpi-2/default.nix { }; |  | ||||||
|     intelPackages_2023 = callPackage ./pkgs/intel-oneapi/2023.nix { }; |  | ||||||
|     jemallocNanos6 = callPackage ./pkgs/nanos6/jemalloc.nix { }; |  | ||||||
|     # FIXME: Extend this to all linuxPackages variants. Open problem, see: |  | ||||||
|     # https://discourse.nixos.org/t/whats-the-right-way-to-make-a-custom-kernel-module-available/4636 |  | ||||||
|     linuxPackages = prev.linuxPackages.extend (_final: _prev: { |  | ||||||
|       amd-uprof-driver = _prev.callPackage ./pkgs/amd-uprof/driver.nix { }; |  | ||||||
|     }); |  | ||||||
|     linuxPackages_latest = prev.linuxPackages_latest.extend(_final: _prev: { |  | ||||||
|       amd-uprof-driver = _prev.callPackage ./pkgs/amd-uprof/driver.nix { }; |  | ||||||
|     }); |  | ||||||
|     lmbench = callPackage ./pkgs/lmbench/default.nix { }; |  | ||||||
|     mcxx = callPackage ./pkgs/mcxx/default.nix { }; |  | ||||||
|     meteocat-exporter = prev.callPackage ./pkgs/meteocat-exporter/default.nix { }; |  | ||||||
|     mpi = final.mpich; # Set MPICH as default |  | ||||||
|     mpich = callPackage ./pkgs/mpich/default.nix { mpich = prev.mpich; }; |  | ||||||
|     nanos6 = callPackage ./pkgs/nanos6/default.nix { }; |  | ||||||
|     nanos6Debug = final.nanos6.override { enableDebug = true; }; |  | ||||||
|     nixtools = callPackage ./pkgs/nixtools/default.nix { }; |  | ||||||
|     # Broken because of pkgsStatic.libcap |  | ||||||
|     # See: https://github.com/NixOS/nixpkgs/pull/268791 |  | ||||||
|     #nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { }; |  | ||||||
|     nodes = callPackage ./pkgs/nodes/default.nix { }; |  | ||||||
|     nosv = callPackage ./pkgs/nosv/default.nix { }; |  | ||||||
|     openmp = callPackage ./pkgs/llvm-ompss2/openmp.nix { monorepoSrc = final.clangOmpss2Unwrapped.src; version = final.clangOmpss2Unwrapped.version; }; |  | ||||||
|     openmpv = final.openmp.override { enableNosv = true; enableOvni = true; }; |  | ||||||
|     osumb = callPackage ./pkgs/osu/default.nix { }; |  | ||||||
|     ovni = callPackage ./pkgs/ovni/default.nix { }; |  | ||||||
|     ovniGit = final.ovni.override { useGit = true; }; |  | ||||||
|     paraverKernel = callPackage ./pkgs/paraver/kernel.nix { }; |  | ||||||
|     prometheus-slurm-exporter = prev.callPackage ./pkgs/slurm-exporter/default.nix { }; |  | ||||||
|     #pscom = callPackage ./pkgs/parastation/pscom.nix { }; # Unmaintaned |  | ||||||
|     #psmpi = callPackage ./pkgs/parastation/psmpi.nix { }; # Unmaintaned |  | ||||||
|     sonar = callPackage ./pkgs/sonar/default.nix { }; |  | ||||||
|     stdenvClangOmpss2 = final.stdenv.override { cc = final.clangOmpss2; allowedRequisites = null; }; |  | ||||||
|     stdenvClangOmpss2Nanos6 = final.stdenv.override { cc = final.clangOmpss2Nanos6; allowedRequisites = null; }; |  | ||||||
|     stdenvClangOmpss2Nodes = final.stdenv.override { cc = final.clangOmpss2Nodes; allowedRequisites = null; }; |  | ||||||
|     stdenvClangOmpss2NodesOmpv = final.stdenv.override { cc = final.clangOmpss2NodesOmpv; allowedRequisites = null; }; |  | ||||||
|     tagaspi = callPackage ./pkgs/tagaspi/default.nix { }; |  | ||||||
|     tampi = callPackage ./pkgs/tampi/default.nix { }; |  | ||||||
|     upc-qaire-exporter = prev.callPackage ./pkgs/upc-qaire-exporter/default.nix { }; |  | ||||||
|     wxparaver = callPackage ./pkgs/paraver/default.nix { }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   tests = rec { |  | ||||||
|     hwloc = callPackage ./test/bugs/hwloc.nix { }; |  | ||||||
|     #sigsegv = callPackage ./test/reproducers/sigsegv.nix { }; |  | ||||||
|     hello-c = callPackage ./test/compilers/hello-c.nix { }; |  | ||||||
|     hello-cpp = callPackage ./test/compilers/hello-cpp.nix { }; |  | ||||||
|     lto = callPackage ./test/compilers/lto.nix { }; |  | ||||||
|     asan = callPackage ./test/compilers/asan.nix { }; |  | ||||||
|     intel2023-icx-c   = hello-c.override   { stdenv = final.intelPackages_2023.stdenv; }; |  | ||||||
|     intel2023-icc-c   = hello-c.override   { stdenv = final.intelPackages_2023.stdenv-icc; }; |  | ||||||
|     intel2023-icx-cpp = hello-cpp.override { stdenv = final.intelPackages_2023.stdenv; }; |  | ||||||
|     intel2023-icc-cpp = hello-cpp.override { stdenv = final.intelPackages_2023.stdenv-icc; }; |  | ||||||
|     intel2023-ifort   = callPackage ./test/compilers/hello-f.nix { |  | ||||||
|       stdenv = final.intelPackages_2023.stdenv-ifort; |  | ||||||
|     }; |  | ||||||
|     clangOmpss2-lto   = lto.override       { stdenv = final.stdenvClangOmpss2Nanos6; }; |  | ||||||
|     clangOmpss2-asan  = asan.override      { stdenv = final.stdenvClangOmpss2Nanos6; }; |  | ||||||
|     clangOmpss2-task  = callPackage ./test/compilers/ompss2.nix { |  | ||||||
|       stdenv = final.stdenvClangOmpss2Nanos6; |  | ||||||
|     }; |  | ||||||
|     clangNodes-task = callPackage ./test/compilers/ompss2.nix { |  | ||||||
|       stdenv = final.stdenvClangOmpss2Nodes; |  | ||||||
|     }; |  | ||||||
|     clangNosvOpenmp-task = callPackage ./test/compilers/clang-openmp.nix { |  | ||||||
|       stdenv = final.stdenvClangOmpss2Nodes; |  | ||||||
|     }; |  | ||||||
|     clangNosvOmpv-nosv = callPackage ./test/compilers/clang-openmp-nosv.nix { |  | ||||||
|       stdenv = final.stdenvClangOmpss2NodesOmpv; |  | ||||||
|     }; |  | ||||||
|     clangNosvOmpv-ld = callPackage ./test/compilers/clang-openmp-ld.nix { |  | ||||||
|       stdenv = final.stdenvClangOmpss2NodesOmpv; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   # For now, only build toplevel packages in CI/Hydra |  | ||||||
|   pkgsTopLevel = filterAttrs (_: isDerivation) bscPkgs; |  | ||||||
| 
 |  | ||||||
|   # Native build in that platform doesn't imply cross build works |  | ||||||
|   canCrossCompile = platform: pkg: |  | ||||||
|     (isDerivation pkg) && |  | ||||||
|     # Must be defined explicitly |  | ||||||
|     (pkg.meta.cross or false) && |  | ||||||
|     (meta.availableOn platform pkg); |  | ||||||
| 
 |  | ||||||
|   # For now only RISC-V |  | ||||||
|   crossSet = { riscv64 = final.pkgsCross.riscv64.bsc.pkgsTopLevel; }; |  | ||||||
| 
 |  | ||||||
|   buildList = name: paths: |  | ||||||
|     final.runCommandLocal name { } '' |  | ||||||
|       printf '%s\n' ${toString paths} | tee $out |  | ||||||
|     ''; |  | ||||||
| 
 |  | ||||||
|   buildList' = name: paths: |  | ||||||
|     final.runCommandLocal name { } '' |  | ||||||
|       deps="${toString paths}" |  | ||||||
|       cat $deps |  | ||||||
|       printf '%s\n' $deps >$out |  | ||||||
|     ''; |  | ||||||
| 
 |  | ||||||
|   pkgsList = buildList "ci-pkgs" (builtins.attrValues pkgsTopLevel); |  | ||||||
|   testsList = buildList "ci-tests" (collect isDerivation tests); |  | ||||||
|   allList = buildList' "ci-all" [ pkgsList testsList ]; |  | ||||||
|   # For now only RISC-V |  | ||||||
|   crossList = buildList "ci-cross" |  | ||||||
|     (filter |  | ||||||
|       (canCrossCompile final.pkgsCross.riscv64.stdenv.hostPlatform) |  | ||||||
|         (builtins.attrValues crossSet.riscv64)); |  | ||||||
| 
 |  | ||||||
| in bscPkgs // { |  | ||||||
| 
 |  | ||||||
|   lib = prev.lib // { |  | ||||||
|     maintainers = prev.lib.maintainers // { |  | ||||||
|       bsc = import ./pkgs/maintainers.nix; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   # Prevent accidental usage of bsc-ci attribute |  | ||||||
|   bsc-ci = throw "the bsc-ci attribute is deprecated, use bsc.ci"; |  | ||||||
| 
 |  | ||||||
|   # Internal for our CI tests |  | ||||||
|   bsc = { |  | ||||||
|     # CI targets for nix build |  | ||||||
|     ci = { pkgs = pkgsList; tests = testsList; all = allList; cross = crossList; }; |  | ||||||
| 
 |  | ||||||
|     # Direct access to package sets |  | ||||||
|     tests = tests; |  | ||||||
|     pkgs = bscPkgs; |  | ||||||
|     pkgsTopLevel = pkgsTopLevel; |  | ||||||
|     cross = crossSet; |  | ||||||
| 
 |  | ||||||
|     # Hydra uses attribute sets of pkgs |  | ||||||
|     hydraJobs = { tests = tests; pkgs = pkgsTopLevel; cross = crossSet; }; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,212 +0,0 @@ | |||||||
| #!/usr/bin/env bash |  | ||||||
| set -Eeuo pipefail |  | ||||||
| 
 |  | ||||||
| PACKAGE="agenix" |  | ||||||
| 
 |  | ||||||
| function show_help () { |  | ||||||
|   echo "$PACKAGE - edit and rekey age secret files" |  | ||||||
|   echo " " |  | ||||||
|   echo "$PACKAGE -e FILE [-i PRIVATE_KEY]" |  | ||||||
|   echo "$PACKAGE -r [-i PRIVATE_KEY]" |  | ||||||
|   echo ' ' |  | ||||||
|   echo 'options:' |  | ||||||
|   echo '-h, --help                show help' |  | ||||||
|   # shellcheck disable=SC2016 |  | ||||||
|   echo '-e, --edit FILE           edits FILE using $EDITOR' |  | ||||||
|   echo '-r, --rekey               re-encrypts all secrets with specified recipients' |  | ||||||
|   echo '-d, --decrypt FILE        decrypts FILE to STDOUT' |  | ||||||
|   echo '-i, --identity            identity to use when decrypting' |  | ||||||
|   echo '-v, --verbose             verbose output' |  | ||||||
|   echo ' ' |  | ||||||
|   echo 'FILE an age-encrypted file' |  | ||||||
|   echo ' ' |  | ||||||
|   echo 'PRIVATE_KEY a path to a private SSH key used to decrypt file' |  | ||||||
|   echo ' ' |  | ||||||
|   echo 'EDITOR environment variable of editor to use when editing FILE' |  | ||||||
|   echo ' ' |  | ||||||
|   echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"' |  | ||||||
|   echo ' ' |  | ||||||
|   echo 'RULES environment variable with path to Nix file specifying recipient public keys.' |  | ||||||
|   echo "Defaults to './secrets.nix'" |  | ||||||
|   echo ' ' |  | ||||||
|   echo "agenix version: @version@" |  | ||||||
|   echo "age binary path: @ageBin@" |  | ||||||
|   echo "age version: $(@ageBin@ --version)" |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| function warn() { |  | ||||||
|   printf '%s\n' "$*" >&2 |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| function err() { |  | ||||||
|   warn "$*" |  | ||||||
|   exit 1 |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| test $# -eq 0 && (show_help && exit 1) |  | ||||||
| 
 |  | ||||||
| REKEY=0 |  | ||||||
| DECRYPT_ONLY=0 |  | ||||||
| DEFAULT_DECRYPT=(--decrypt) |  | ||||||
| 
 |  | ||||||
| while test $# -gt 0; do |  | ||||||
|   case "$1" in |  | ||||||
|     -h|--help) |  | ||||||
|       show_help |  | ||||||
|       exit 0 |  | ||||||
|       ;; |  | ||||||
|     -e|--edit) |  | ||||||
|       shift |  | ||||||
|       if test $# -gt 0; then |  | ||||||
|         export FILE=$1 |  | ||||||
|       else |  | ||||||
|         echo "no FILE specified" |  | ||||||
|         exit 1 |  | ||||||
|       fi |  | ||||||
|       shift |  | ||||||
|       ;; |  | ||||||
|     -i|--identity) |  | ||||||
|       shift |  | ||||||
|       if test $# -gt 0; then |  | ||||||
|         DEFAULT_DECRYPT+=(--identity "$1") |  | ||||||
|       else |  | ||||||
|         echo "no PRIVATE_KEY specified" |  | ||||||
|         exit 1 |  | ||||||
|       fi |  | ||||||
|       shift |  | ||||||
|       ;; |  | ||||||
|     -r|--rekey) |  | ||||||
|       shift |  | ||||||
|       REKEY=1 |  | ||||||
|       ;; |  | ||||||
|     -d|--decrypt) |  | ||||||
|       shift |  | ||||||
|       DECRYPT_ONLY=1 |  | ||||||
|       if test $# -gt 0; then |  | ||||||
|         export FILE=$1 |  | ||||||
|       else |  | ||||||
|         echo "no FILE specified" |  | ||||||
|         exit 1 |  | ||||||
|       fi |  | ||||||
|       shift |  | ||||||
|       ;; |  | ||||||
|     -v|--verbose) |  | ||||||
|       shift |  | ||||||
|       set -x |  | ||||||
|       ;; |  | ||||||
|     *) |  | ||||||
|       show_help |  | ||||||
|       exit 1 |  | ||||||
|       ;; |  | ||||||
|   esac |  | ||||||
| done |  | ||||||
| 
 |  | ||||||
| RULES=${RULES:-./secrets.nix} |  | ||||||
| function cleanup { |  | ||||||
|     if [ -n "${CLEARTEXT_DIR+x}" ] |  | ||||||
|     then |  | ||||||
|         rm -rf -- "$CLEARTEXT_DIR" |  | ||||||
|     fi |  | ||||||
|     if [ -n "${REENCRYPTED_DIR+x}" ] |  | ||||||
|     then |  | ||||||
|         rm -rf -- "$REENCRYPTED_DIR" |  | ||||||
|     fi |  | ||||||
| } |  | ||||||
| trap "cleanup" 0 2 3 15 |  | ||||||
| 
 |  | ||||||
| function keys { |  | ||||||
|     (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$1\".publicKeys)" | @jqBin@ -r .[]) || exit 1 |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| function armor { |  | ||||||
|     (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in (builtins.hasAttr \"armor\" rules.\"$1\" && rules.\"$1\".armor))") || exit 1 |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| function decrypt { |  | ||||||
|     FILE=$1 |  | ||||||
|     KEYS=$2 |  | ||||||
|     if [ -z "$KEYS" ] |  | ||||||
|     then |  | ||||||
|         err "There is no rule for $FILE in $RULES." |  | ||||||
|     fi |  | ||||||
| 
 |  | ||||||
|     if [ -f "$FILE" ] |  | ||||||
|     then |  | ||||||
|         DECRYPT=("${DEFAULT_DECRYPT[@]}") |  | ||||||
|         if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then |  | ||||||
|             if [ -f "$HOME/.ssh/id_rsa" ]; then |  | ||||||
|                 DECRYPT+=(--identity "$HOME/.ssh/id_rsa") |  | ||||||
|             fi |  | ||||||
|             if [ -f "$HOME/.ssh/id_ed25519" ]; then |  | ||||||
|                 DECRYPT+=(--identity "$HOME/.ssh/id_ed25519") |  | ||||||
|             fi |  | ||||||
|         fi |  | ||||||
|         if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then |  | ||||||
|           err "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file." |  | ||||||
|         fi |  | ||||||
| 
 |  | ||||||
|         @ageBin@ "${DECRYPT[@]}" -- "$FILE" || exit 1 |  | ||||||
|     fi |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| function edit { |  | ||||||
|     FILE=$1 |  | ||||||
|     KEYS=$(keys "$FILE") || exit 1 |  | ||||||
|     ARMOR=$(armor "$FILE") || exit 1 |  | ||||||
| 
 |  | ||||||
|     CLEARTEXT_DIR=$(@mktempBin@ -d) |  | ||||||
|     CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename -- "$FILE")" |  | ||||||
|     DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE") |  | ||||||
| 
 |  | ||||||
|     decrypt "$FILE" "$KEYS" || exit 1 |  | ||||||
| 
 |  | ||||||
|     [ ! -f "$CLEARTEXT_FILE" ] || cp -- "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before" |  | ||||||
| 
 |  | ||||||
|     [ -t 0 ] || EDITOR='cp -- /dev/stdin' |  | ||||||
| 
 |  | ||||||
|     $EDITOR "$CLEARTEXT_FILE" |  | ||||||
| 
 |  | ||||||
|     if [ ! -f "$CLEARTEXT_FILE" ] |  | ||||||
|     then |  | ||||||
|       warn "$FILE wasn't created." |  | ||||||
|       return |  | ||||||
|     fi |  | ||||||
|     [ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q -- "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return |  | ||||||
| 
 |  | ||||||
|     ENCRYPT=() |  | ||||||
|     if [[ "$ARMOR" == "true" ]]; then |  | ||||||
|         ENCRYPT+=(--armor) |  | ||||||
|     fi |  | ||||||
|     while IFS= read -r key |  | ||||||
|     do |  | ||||||
|         if [ -n "$key" ]; then |  | ||||||
|             ENCRYPT+=(--recipient "$key") |  | ||||||
|         fi |  | ||||||
|     done <<< "$KEYS" |  | ||||||
| 
 |  | ||||||
|     REENCRYPTED_DIR=$(@mktempBin@ -d) |  | ||||||
|     REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename -- "$FILE")" |  | ||||||
| 
 |  | ||||||
|     ENCRYPT+=(-o "$REENCRYPTED_FILE") |  | ||||||
| 
 |  | ||||||
|     @ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1 |  | ||||||
| 
 |  | ||||||
|     mkdir -p -- "$(dirname -- "$FILE")" |  | ||||||
| 
 |  | ||||||
|     mv -f -- "$REENCRYPTED_FILE" "$FILE" |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| function rekey { |  | ||||||
|     FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)"  | @jqBin@ -r .[]) || exit 1) |  | ||||||
| 
 |  | ||||||
|     for FILE in $FILES |  | ||||||
|     do |  | ||||||
|         warn "rekeying $FILE..." |  | ||||||
|         EDITOR=: edit "$FILE" |  | ||||||
|         cleanup |  | ||||||
|     done |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| [ $REKEY -eq 1 ] && rekey && exit 0 |  | ||||||
| [ $DECRYPT_ONLY -eq 1 ] && DEFAULT_DECRYPT+=("-o" "-") && decrypt "${FILE}" "$(keys "$FILE")" && exit 0 |  | ||||||
| edit "$FILE" && cleanup && exit 0 |  | ||||||
| @ -1,66 +0,0 @@ | |||||||
| { |  | ||||||
|   lib, |  | ||||||
|   stdenv, |  | ||||||
|   age, |  | ||||||
|   jq, |  | ||||||
|   nix, |  | ||||||
|   mktemp, |  | ||||||
|   diffutils, |  | ||||||
|   replaceVars, |  | ||||||
|   ageBin ? "${age}/bin/age", |  | ||||||
|   shellcheck, |  | ||||||
| }: |  | ||||||
| let |  | ||||||
|   bin = "${placeholder "out"}/bin/agenix"; |  | ||||||
| in |  | ||||||
| stdenv.mkDerivation rec { |  | ||||||
|   pname = "agenix"; |  | ||||||
|   version = "0.15.0"; |  | ||||||
|   src = replaceVars ./agenix.sh { |  | ||||||
|     inherit ageBin version; |  | ||||||
|     jqBin = "${jq}/bin/jq"; |  | ||||||
|     nixInstantiate = "${nix}/bin/nix-instantiate"; |  | ||||||
|     mktempBin = "${mktemp}/bin/mktemp"; |  | ||||||
|     diffBin = "${diffutils}/bin/diff"; |  | ||||||
|   }; |  | ||||||
|   dontUnpack = true; |  | ||||||
|   doInstallCheck = true; |  | ||||||
|   installCheckInputs = [ shellcheck ]; |  | ||||||
|   postInstallCheck = '' |  | ||||||
|     shellcheck ${bin} |  | ||||||
|     ${bin} -h | grep ${version} |  | ||||||
| 
 |  | ||||||
|     test_tmp=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir') |  | ||||||
|     export HOME="$test_tmp/home" |  | ||||||
|     export NIX_STORE_DIR="$test_tmp/nix/store" |  | ||||||
|     export NIX_STATE_DIR="$test_tmp/nix/var" |  | ||||||
|     mkdir -p "$HOME" "$NIX_STORE_DIR" "$NIX_STATE_DIR" |  | ||||||
|     function cleanup { |  | ||||||
|       rm -rf "$test_tmp" |  | ||||||
|     } |  | ||||||
|     trap "cleanup" 0 2 3 15 |  | ||||||
| 
 |  | ||||||
|     mkdir -p $HOME/.ssh |  | ||||||
|     cp -r "${./example}" $HOME/secrets |  | ||||||
|     chmod -R u+rw $HOME/secrets |  | ||||||
|     ( |  | ||||||
|     umask u=rw,g=r,o=r |  | ||||||
|     cp ${./example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub |  | ||||||
|     chown $UID $HOME/.ssh/id_ed25519.pub |  | ||||||
|     ) |  | ||||||
|     ( |  | ||||||
|     umask u=rw,g=,o= |  | ||||||
|     cp ${./example_keys/user1} $HOME/.ssh/id_ed25519 |  | ||||||
|     chown $UID $HOME/.ssh/id_ed25519 |  | ||||||
|     ) |  | ||||||
| 
 |  | ||||||
|     cd $HOME/secrets |  | ||||||
|     test $(${bin} -d secret1.age) = "hello" |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
|   installPhase = '' |  | ||||||
|     install -D $src ${bin} |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
|   meta.description = "age-encrypted secrets for NixOS"; |  | ||||||
| } |  | ||||||
| @ -1,7 +0,0 @@ | |||||||
| age-encryption.org/v1 |  | ||||||
| -> ssh-ed25519 V3XmEA zirqdzZZ1E+sedBn7fbEHq4ntLEkokZ4GctarBBOHXY |  | ||||||
| Rvs5YHaAUeCZyNwPedubPcHClWYIuXXWA5zadXPWY6w |  | ||||||
| -> ssh-ed25519 KLPP8w BVp4rDkOYSQyn8oVeHFeinSqW+pdVtxBF9+5VM1yORY |  | ||||||
| bMwppAi8Nhz0328taU4AzUkTVyWtSLvFZG6c5W/Fs78 |  | ||||||
| --- xCbqLhXAcOziO2wmbjTiSQfZvt5Rlsc4SCvF+iEzpQA |  | ||||||
| ôKB£î/²ZÅÈrÙ%¾à4¡´—Mq5×Ô_ÌÂÝ’‹†ã„Ò11ܨqM;& ¢‡LríÂÒføû”]>N |  | ||||||
| @ -1,7 +0,0 @@ | |||||||
| -----BEGIN AGE ENCRYPTED FILE----- |  | ||||||
| YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFYzWG1FQSBpZkZW |  | ||||||
| aFpLNnJxc0VUMHRmZ2dZS0pjMGVENnR3OHd5K0RiT1RjRUhibFZBCnN5UG5vUjA3 |  | ||||||
| SXpsNGtiVUw4T0tIVFo5Wkk5QS9NQlBndzVvektiQ0ozc0kKLS0tIGxyY1Q4dEZ1 |  | ||||||
| VGZEanJyTFNta2JNRmpZb2FnK2JyS1hSVml1UGdMNWZKQXMKYla+wTXcRedyZoEb |  | ||||||
| LVWaSx49WoUTU0KBPJg9RArxaeC23GoCDzR/aM/1DvYU |  | ||||||
| -----END AGE ENCRYPTED FILE----- |  | ||||||
| @ -1,9 +0,0 @@ | |||||||
| age-encryption.org/v1 |  | ||||||
| -> ssh-ed25519 KLPP8w s1DYZRlZuSsyhmZCF1lFB+E9vB8bZ/+ZhBRlx8nprwE |  | ||||||
| nmYVCsVBrX2CFXXPU+D+bbkkIe/foofp+xoUrg9DHZw |  | ||||||
| -> ssh-ed25519 V3XmEA Pwv3oCwcY0DX8rY48UNfsj9RumWsn4dbgorYHCwObgI |  | ||||||
| FKxRYkL3JHtJxUwymWDF0rAtJ33BivDI6IfPsfumM90 |  | ||||||
| -> V'v(/u$-grease em/Vgf 2qDuk |  | ||||||
| 7I3iiQLPGi1COML9u/JeYkr7EqbSLoU |  | ||||||
| --- 57WJRigUGtmcObrssS3s4PvmR8wgh1AOC/ijJn1s3xI |  | ||||||
| <EFBFBD>'K©Æ·Y&‘7GÆOÝòFj±kÆXç«BnuJöê:9Ê(’ÙÏX¬#¼AíÄÞÃÚ§j’,ê_ÈþÝ?ÝZ“¥vœ¹V’96]oks~%£c	Îe^CÅ%JQ5€<H¢z}îCý,°pŒ¿*!W§§ÈA±ºÒ…dC¼K)¿¢-žy |  | ||||||
										
											Binary file not shown.
										
									
								
							| @ -1,5 +0,0 @@ | |||||||
| age-encryption.org/v1 |  | ||||||
| -> ssh-ed25519 V3XmEA OB4+1FbPhQ3r6iGksM7peWX5it8NClpXIq/o5nnP7GA |  | ||||||
| FmHVUj+A5i5+bDFgySQskmlvynnosJiWUTJmBRiNA9I |  | ||||||
| --- tP+3mFVtd7ogVu1Lkboh55zoi5a77Ht08Uc/QuIviv4 |  | ||||||
| ¤¬Xæ{”ïOŠ£èätMXxÔvÓª(¬IÁmyPÇï¸è+3²S3i |  | ||||||
| @ -1,23 +0,0 @@ | |||||||
| let |  | ||||||
|   user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH"; |  | ||||||
|   system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE"; |  | ||||||
| in |  | ||||||
| { |  | ||||||
|   "secret1.age".publicKeys = [ |  | ||||||
|     user1 |  | ||||||
|     system1 |  | ||||||
|   ]; |  | ||||||
|   "secret2.age".publicKeys = [ user1 ]; |  | ||||||
|   "passwordfile-user1.age".publicKeys = [ |  | ||||||
|     user1 |  | ||||||
|     system1 |  | ||||||
|   ]; |  | ||||||
|   "-leading-hyphen-filename.age".publicKeys = [ |  | ||||||
|     user1 |  | ||||||
|     system1 |  | ||||||
|   ]; |  | ||||||
|   "armored-secret.age" = { |  | ||||||
|     publicKeys = [ user1 ]; |  | ||||||
|     armor = true; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,7 +0,0 @@ | |||||||
| -----BEGIN OPENSSH PRIVATE KEY----- |  | ||||||
| b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW |  | ||||||
| QyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxAAAAJA3yvCWN8rw |  | ||||||
| lgAAAAtzc2gtZWQyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxA |  | ||||||
| AAAEA+J2V6AG1NriAIvnNKRauIEh1JE9HSdhvKJ68a5Fm0w/JDyIr/FSz1cJdcoW69R+Nr |  | ||||||
| WzwGK/+3gJpqD1t8L2zEAAAADHJ5YW50bUBob21lMQE= |  | ||||||
| -----END OPENSSH PRIVATE KEY----- |  | ||||||
| @ -1 +0,0 @@ | |||||||
| ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE |  | ||||||
| @ -1,7 +0,0 @@ | |||||||
| -----BEGIN OPENSSH PRIVATE KEY----- |  | ||||||
| b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW |  | ||||||
| QyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRwAAAJC2JJ8htiSf |  | ||||||
| IQAAAAtzc2gtZWQyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRw |  | ||||||
| AAAEDxt5gC/s53IxiKAjfZJVCCcFIsdeERdIgbYhLO719+Kb0idNvgGiucWgup/mP78zyC |  | ||||||
| 23uFjYq0evcWdjGQUaBHAAAADHJ5YW50bUBob21lMQE= |  | ||||||
| -----END OPENSSH PRIVATE KEY----- |  | ||||||
| @ -1 +0,0 @@ | |||||||
| ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH |  | ||||||
| @ -1,23 +0,0 @@ | |||||||
| #!/bin/sh |  | ||||||
| 
 |  | ||||||
| set -e |  | ||||||
| 
 |  | ||||||
| # All operations are done relative to root |  | ||||||
| GITROOT=$(git rev-parse --show-toplevel) |  | ||||||
| cd "$GITROOT" |  | ||||||
| 
 |  | ||||||
| REVISION=${1:-main} |  | ||||||
| 
 |  | ||||||
| TMPCLONE=$(mktemp -d) |  | ||||||
| trap "rm -rf ${TMPCLONE}" EXIT |  | ||||||
| 
 |  | ||||||
| git clone https://github.com/ryantm/agenix.git --revision="$REVISION" "$TMPCLONE" --depth=1 |  | ||||||
| 
 |  | ||||||
| cp "${TMPCLONE}/pkgs/agenix.sh" pkgs/agenix/agenix.sh |  | ||||||
| cp "${TMPCLONE}/pkgs/agenix.nix" pkgs/agenix/default.nix |  | ||||||
| sed -i 's#../example#./example#' pkgs/agenix/default.nix |  | ||||||
| 
 |  | ||||||
| cp "${TMPCLONE}/example/"* pkgs/agenix/example/ |  | ||||||
| cp "${TMPCLONE}/example_keys/"* pkgs/agenix/example_keys/ |  | ||||||
| 
 |  | ||||||
| cp "${TMPCLONE}/modules/age.nix" m/module/agenix.nix |  | ||||||
| @ -1,98 +0,0 @@ | |||||||
| { stdenv |  | ||||||
| , lib |  | ||||||
| , curl |  | ||||||
| , cacert |  | ||||||
| , runCommandLocal |  | ||||||
| , autoPatchelfHook |  | ||||||
| , elfutils |  | ||||||
| , glib |  | ||||||
| , libGL |  | ||||||
| , ncurses5 |  | ||||||
| , xorg |  | ||||||
| , zlib |  | ||||||
| , libxkbcommon |  | ||||||
| , freetype |  | ||||||
| , fontconfig |  | ||||||
| , libGLU |  | ||||||
| , dbus |  | ||||||
| , rocmPackages |  | ||||||
| , libxcrypt-legacy |  | ||||||
| , numactl |  | ||||||
| , radare2 |  | ||||||
| }: |  | ||||||
| 
 |  | ||||||
| let |  | ||||||
|   version = "5.1.701"; |  | ||||||
|   tarball = "AMDuProf_Linux_x64_${version}.tar.bz2"; |  | ||||||
| 
 |  | ||||||
|   # NOTE: Remember to update the radare2 patch below if AMDuProfPcm changes. |  | ||||||
|   uprofSrc = runCommandLocal tarball { |  | ||||||
|     nativeBuildInputs = [ curl ]; |  | ||||||
|     outputHash = "sha256-j9gxcBcIg6Zhc5FglUXf/VV9bKSo+PAKeootbN7ggYk="; |  | ||||||
|     SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"; |  | ||||||
|   } '' |  | ||||||
|     curl \ |  | ||||||
|     -o $out \ |  | ||||||
|     'https://download.amd.com/developer/eula/uprof/uprof-5-1/${tarball}' \ |  | ||||||
|     -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0' \ |  | ||||||
|     -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ |  | ||||||
|     -H 'Accept-Language: en-US,en;q=0.5' \ |  | ||||||
|     -H 'Accept-Encoding: gzip, deflate, br, zstd' \ |  | ||||||
|     -H 'Referer: https://www.amd.com/' 2>&1 | tr '\r' '\n' |  | ||||||
|   ''; |  | ||||||
| 
 |  | ||||||
| in |  | ||||||
|   stdenv.mkDerivation { |  | ||||||
|     pname = "AMD-uProf"; |  | ||||||
|     inherit version; |  | ||||||
|     src = uprofSrc; |  | ||||||
|     dontStrip = true; |  | ||||||
|     phases = [ "installPhase" "fixupPhase" ]; |  | ||||||
|     nativeBuildInputs = [ autoPatchelfHook radare2 ]; |  | ||||||
|     buildInputs = [ |  | ||||||
|       stdenv.cc.cc.lib |  | ||||||
|       ncurses5 |  | ||||||
|       elfutils |  | ||||||
|       glib |  | ||||||
|       libGL |  | ||||||
|       libGLU |  | ||||||
|       libxcrypt-legacy |  | ||||||
|       xorg.libX11 |  | ||||||
|       xorg.libXext |  | ||||||
|       xorg.libXi |  | ||||||
|       xorg.libXmu |  | ||||||
|       xorg.libxcb |  | ||||||
|       xorg.xcbutilwm |  | ||||||
|       xorg.xcbutilrenderutil |  | ||||||
|       xorg.xcbutilkeysyms |  | ||||||
|       xorg.xcbutilimage |  | ||||||
|       fontconfig.lib |  | ||||||
|       libxkbcommon |  | ||||||
|       zlib |  | ||||||
|       freetype |  | ||||||
|       dbus |  | ||||||
|       rocmPackages.rocprofiler |  | ||||||
|       numactl |  | ||||||
|     ]; |  | ||||||
|     installPhase = '' |  | ||||||
|       set -x |  | ||||||
|       mkdir -p $out |  | ||||||
|       tar -x -v -C $out --strip-components=1 -f $src |  | ||||||
|       rm $out/bin/AMDPowerProfilerDriverSource.tar.gz |  | ||||||
|       patchelf --replace-needed libroctracer64.so.1 libroctracer64.so $out/bin/ProfileAgents/x64/libAMDGpuAgent.so |  | ||||||
|       patchelf --add-needed libcrypt.so.1 --add-needed libstdc++.so.6 $out/bin/AMDuProfSys |  | ||||||
|       echo "16334a51fcc48668307ad94e20482ca4  $out/bin/AMDuProfPcm" | md5sum -c - |  | ||||||
|       radare2 -w -q -i ${./libnuma.r2} $out/bin/AMDuProfPcm |  | ||||||
|       patchelf --add-needed libnuma.so $out/bin/AMDuProfPcm |  | ||||||
|       set +x |  | ||||||
|     ''; |  | ||||||
| 
 |  | ||||||
|     meta = { |  | ||||||
|       description = "Performance analysis tool-suite for x86 based applications"; |  | ||||||
|       homepage = "https://www.amd.com/es/developer/uprof.html"; |  | ||||||
|       platforms = lib.platforms.linux; |  | ||||||
|       license = lib.licenses.unfree; |  | ||||||
|       maintainers = with lib.maintainers.bsc; [ rarias varcila ]; |  | ||||||
|     }; |  | ||||||
| 
 |  | ||||||
|   } |  | ||||||
| @ -1,35 +0,0 @@ | |||||||
| { stdenv |  | ||||||
| , lib |  | ||||||
| , amd-uprof |  | ||||||
| , kernel |  | ||||||
| , runCommandLocal |  | ||||||
| }: |  | ||||||
| 
 |  | ||||||
| let |  | ||||||
|   version = amd-uprof.version; |  | ||||||
|   tarball = amd-uprof.src; |  | ||||||
| in stdenv.mkDerivation { |  | ||||||
|   pname = "AMDPowerProfilerDriver"; |  | ||||||
|   inherit version; |  | ||||||
|   src = runCommandLocal "AMDPowerProfilerDriverSource.tar.gz" { } '' |  | ||||||
|     set -x |  | ||||||
|     tar -x -f ${tarball} AMDuProf_Linux_x64_${version}/bin/AMDPowerProfilerDriverSource.tar.gz |  | ||||||
|     mv AMDuProf_Linux_x64_${version}/bin/AMDPowerProfilerDriverSource.tar.gz $out |  | ||||||
|     set +x |  | ||||||
|   ''; |  | ||||||
|   hardeningDisable = [ "pic" "format" ]; |  | ||||||
|   nativeBuildInputs = kernel.moduleBuildDependencies; |  | ||||||
|   patches = [ ./makefile.patch ./hrtimer.patch ]; |  | ||||||
|   makeFlags = [ |  | ||||||
|     "KERNEL_VERSION=${kernel.modDirVersion}" |  | ||||||
|     "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" |  | ||||||
|     "INSTALL_MOD_PATH=$(out)" |  | ||||||
|   ]; |  | ||||||
|   meta = { |  | ||||||
|     description = "AMD Power Profiler Driver"; |  | ||||||
|     homepage = "https://www.amd.com/es/developer/uprof.html"; |  | ||||||
|     platforms = lib.platforms.linux; |  | ||||||
|     license = lib.licenses.unfree; |  | ||||||
|     maintainers = with lib.maintainers.bsc; [ rarias varcila ]; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @ -1,31 +0,0 @@ | |||||||
| --- a/src/PmcTimerConfig.c	2025-09-04 12:17:16.771707049 +0200
 |  | ||||||
| +++ b/src/PmcTimerConfig.c	2025-09-04 12:17:04.878515468 +0200
 |  | ||||||
| @@ -99,7 +99,7 @@ static void PmcInitTimer(void* pInfo)
 |  | ||||||
|   |  | ||||||
|      DRVPRINT("pTimerConfig(%p)", pTimerConfig); |  | ||||||
|   |  | ||||||
| -    hrtimer_init(&pTimerConfig->m_hrTimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL_PINNED);
 |  | ||||||
| +    hrtimer_setup(&pTimerConfig->m_hrTimer, PmcTimerCallback, CLOCK_MONOTONIC, HRTIMER_MODE_REL_PINNED);
 |  | ||||||
|  } |  | ||||||
|   |  | ||||||
|  int PmcSetupTimer(ClientContext* pClientCtx) |  | ||||||
| @@ -157,7 +157,6 @@ int PmcSetupTimer(ClientContext* pClient
 |  | ||||||
|                  { |  | ||||||
|                      /* Interval in ms */ |  | ||||||
|                      pTimerConfig->m_time = ktime_set(interval / 1000, interval * 1000000); |  | ||||||
| -                    pTimerConfig->m_hrTimer.function = PmcTimerCallback;
 |  | ||||||
|   |  | ||||||
|                      DRVPRINT("retVal(%d) m_time(%lld)", retVal, (long long int) pTimerConfig->m_time); |  | ||||||
|                  } |  | ||||||
| --- a/src/PwrProfTimer.c	2025-09-04 12:18:08.750544327 +0200
 |  | ||||||
| +++ b/src/PwrProfTimer.c	2025-09-04 12:18:28.557863382 +0200
 |  | ||||||
| @@ -573,8 +573,7 @@ void InitHrTimer(uint32 cpu)
 |  | ||||||
|      pCoreClientData = &per_cpu(g_coreClientData, cpu); |  | ||||||
|   |  | ||||||
|      // initialize HR timer |  | ||||||
| -    hrtimer_init(&pCoreClientData->m_hrTimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL_PINNED);
 |  | ||||||
| -    pCoreClientData->m_hrTimer.function = &HrTimerCallback;
 |  | ||||||
| +    hrtimer_setup(&pCoreClientData->m_hrTimer, &HrTimerCallback, CLOCK_MONOTONIC, HRTIMER_MODE_REL_PINNED);
 |  | ||||||
|   |  | ||||||
|      return; |  | ||||||
|  } // InitHrTimer |  | ||||||
| @ -1,10 +0,0 @@ | |||||||
| # Patch arguments to call sym std::string::find(char const*, unsigned long, unsigned long) |  | ||||||
| # so it matches NixOS: |  | ||||||
| # |  | ||||||
| # Change OS name to NixOS |  | ||||||
| wz NixOS @ 0x00550a43 |  | ||||||
| # And set the length to 5 characters |  | ||||||
| wa mov ecx, 5 @0x00517930 |  | ||||||
| # |  | ||||||
| # Then change the argument to dlopen() so it only uses libnuma.so |  | ||||||
| wz libnuma.so @ 0x00562940 |  | ||||||
| @ -1,66 +0,0 @@ | |||||||
| --- a/Makefile	2025-06-19 20:36:49.346693267 +0200
 |  | ||||||
| +++ b/Makefile	2025-06-19 20:42:29.778088660 +0200
 |  | ||||||
| @@ -27,7 +27,7 @@ MODULE_VERSION=$(shell cat AMDPowerProfi
 |  | ||||||
|  MODULE_NAME_KO=$(MODULE_NAME).ko |  | ||||||
|   |  | ||||||
|  # check is module inserted |  | ||||||
| -MODPROBE_OUTPUT=$(shell lsmod | grep $(MODULE_NAME))
 |  | ||||||
| +#MODPROBE_OUTPUT=$(shell lsmod | grep $(MODULE_NAME))
 |  | ||||||
|   |  | ||||||
|  # check pcore dkms status |  | ||||||
|  PCORE_DKMS_STATUS=$(shell dkms status | grep $(MODULE_NAME) | grep $(MODULE_VERSION)) |  | ||||||
| @@ -50,7 +50,7 @@ endif
 |  | ||||||
|  # “-Wno-missing-attributes” is added for GCC version >= 9.0 and kernel version <= 5.00 |  | ||||||
|  G_VERSION=9 |  | ||||||
|  K_VERSION=5 |  | ||||||
| -KERNEL_MAJOR_VERSION=$(shell uname -r | cut -f1 -d.)
 |  | ||||||
| +KERNEL_MAJOR_VERSION=$(shell echo "$(KERNEL_VERSION)" | cut -f1 -d.)
 |  | ||||||
|  GCCVERSION = $(shell gcc -dumpversion | cut -f1 -d.) |  | ||||||
|  ifeq ($(G_VERSION),$(firstword $(sort $(GCCVERSION) $(G_VERSION)))) |  | ||||||
|  	ifeq ($(K_VERSION),$(lastword $(sort $(KERNEL_MAJOR_VERSION) $(K_VERSION)))) |  | ||||||
| @@ -66,17 +66,7 @@ ${MODULE_NAME}-objs :=  src/PmcDataBuffe
 |  | ||||||
|   |  | ||||||
|  # make |  | ||||||
|  all: |  | ||||||
| -	@chmod a+x ./AMDPPcert.sh
 |  | ||||||
| -	@./AMDPPcert.sh 0 1; echo $$? > $(PWD)/sign_status;
 |  | ||||||
| -	@SIGSTATUS1=`cat $(PWD)/sign_status | tr -d '\n'`; \
 |  | ||||||
| -                if [ $$SIGSTATUS1 -eq 1 ]; then \
 |  | ||||||
| -			exit 1; \
 |  | ||||||
| -		fi
 |  | ||||||
| -	@make -C /lib/modules/$(KERNEL_VERSION)/build M=$(PWD) $(MAKE_OPTS) EXTRA_CFLAGS="$(EXTRA_CFLAGS)" modules
 |  | ||||||
| -	@SIGSTATUS3=`cat $(PWD)/sign_status | tr -d '\n'`; \
 |  | ||||||
| -                if [ $$SIGSTATUS3 -eq 0 ]; then \
 |  | ||||||
| -			./AMDPPcert.sh 1 $(MODULE_NAME_KO); \
 |  | ||||||
| -		fi
 |  | ||||||
| +	make -C $(KERNEL_DIR) M=$(PWD) $(MAKE_OPTS) CFLAGS_MODULE="$(EXTRA_CFLAGS)" modules
 |  | ||||||
|   |  | ||||||
|  # make clean |  | ||||||
|  clean: |  | ||||||
| @@ -84,23 +74,9 @@ clean:
 |  | ||||||
|   |  | ||||||
|  # make install |  | ||||||
|  install: |  | ||||||
| -	@mkdir -p /lib/modules/`uname -r`/kernel/drivers/extra
 |  | ||||||
| -	@rm  -f /lib/modules/`uname -r`/kernel/drivers/extra/$(MODULE_NAME_KO)
 |  | ||||||
| -	@cp $(MODULE_NAME_KO) /lib/modules/`uname -r`/kernel/drivers/extra/
 |  | ||||||
| -	@depmod -a
 |  | ||||||
| -	@if [ ! -z "$(MODPROBE_OUTPUT)" ]; then \
 |  | ||||||
| -		echo "Uninstalling AMDPowerProfiler Linux kernel module.";\
 |  | ||||||
| -		rmmod $(MODULE_NAME);\
 |  | ||||||
| -	fi
 |  | ||||||
| -	@modprobe $(MODULE_NAME) 2> $(PWD)/sign_status1; \
 |  | ||||||
| -		cat $(PWD)/sign_status1 | grep "Key was rejected by service"; \
 |  | ||||||
| -		echo $$? > $(PWD)/sign_status; SIGSTATUS1=`cat $(PWD)/sign_status | tr -d '\n'`; \
 |  | ||||||
| -                if [ $$SIGSTATUS1 -eq 0 ]; then \
 |  | ||||||
| -			echo "ERROR: Secure Boot enabled, correct key is not yet enrolled in BIOS key table"; \
 |  | ||||||
| -			exit 1; \
 |  | ||||||
| -		else \
 |  | ||||||
| -			cat $(PWD)/sign_status1; \
 |  | ||||||
| -		fi
 |  | ||||||
| +	mkdir -p $(INSTALL_MOD_PATH)/lib/modules/$(KERNEL_VERSION)/kernel/drivers/extra/
 |  | ||||||
| +	cp -a $(MODULE_NAME_KO) $(INSTALL_MOD_PATH)/lib/modules/$(KERNEL_VERSION)/kernel/drivers/extra/
 |  | ||||||
| +
 |  | ||||||
|  # make dkms |  | ||||||
|  dkms: |  | ||||||
|  	@chmod a+x ./AMDPPcert.sh |  | ||||||
| @ -1,25 +0,0 @@ | |||||||
| { stdenv, lib, fetchurl, pkg-config, glib, libuuid, popt, elfutils, swig4, python3 }: |  | ||||||
| 
 |  | ||||||
| stdenv.mkDerivation rec { |  | ||||||
|   name = "babeltrace-1.5.8"; |  | ||||||
| 
 |  | ||||||
|   src = fetchurl { |  | ||||||
|     url = "https://www.efficios.com/files/babeltrace/${name}.tar.bz2"; |  | ||||||
|     sha256 = "1hkg3phnamxfrhwzmiiirbhdgckzfkqwhajl0lmr1wfps7j47wcz"; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   nativeBuildInputs = [ pkg-config ]; |  | ||||||
|   buildInputs = [ glib libuuid popt elfutils swig4 python3 ]; |  | ||||||
| 
 |  | ||||||
|   meta = with lib; { |  | ||||||
|     description = "Command-line tool and library to read and convert LTTng tracefiles"; |  | ||||||
|     homepage = "https://www.efficios.com/babeltrace"; |  | ||||||
|     license = licenses.mit; |  | ||||||
|     platforms = platforms.linux; |  | ||||||
|     maintainers = [ maintainers.bjornfor ]; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   configureFlags = [ |  | ||||||
|     "--enable-python-bindings" |  | ||||||
|   ]; |  | ||||||
| } |  | ||||||
| @ -1,34 +0,0 @@ | |||||||
| { |  | ||||||
|   stdenv |  | ||||||
| , fetchurl |  | ||||||
| , pkg-config |  | ||||||
| , glib |  | ||||||
| , libuuid |  | ||||||
| , popt |  | ||||||
| , elfutils |  | ||||||
| , python3 |  | ||||||
| , swig4 |  | ||||||
| , ncurses |  | ||||||
| , breakpointHook |  | ||||||
| }: |  | ||||||
| 
 |  | ||||||
| stdenv.mkDerivation rec { |  | ||||||
|   pname = "babeltrace2"; |  | ||||||
|   version = "2.0.3"; |  | ||||||
| 
 |  | ||||||
|   src = fetchurl { |  | ||||||
|     url = "https://www.efficios.com/files/babeltrace/${pname}-${version}.tar.bz2"; |  | ||||||
|     sha256 = "1804pyq7fz6rkcz4r1abkkn0pfnss13m6fd8if32s42l4lajadm5"; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   enableParallelBuilding = true; |  | ||||||
|   nativeBuildInputs = [ pkg-config ]; |  | ||||||
|   buildInputs = [ glib libuuid popt elfutils python3 swig4 ncurses breakpointHook ]; |  | ||||||
|   hardeningDisable = [ "all" ]; |  | ||||||
| 
 |  | ||||||
|   configureFlags = [ |  | ||||||
|     "--enable-python-plugins" |  | ||||||
|     "--enable-python-bindings" |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
| } |  | ||||||
Some files were not shown because too many files have changed in this diff Show More