Add AMD uProf package and driver

Load amd_hsmp kernel module in fox
Disable kptr_restrict in fox
2025-06-20 14:55:43 +02:00 · 2025-06-19 19:15:03 +02:00 · 2025-06-18 11:07:19 +02:00 · 2025-06-17 14:05:47 +02:00 · 2025-06-13 13:15:37 +02:00 · 2025-06-13 10:26:59 +02:00
57 changed files with 215 additions and 897 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -18,7 +18,6 @@ in
  {
    nixosConfigurations = {
      hut     = mkConf "hut";
      tent    = mkConf "tent";
      owl1    = mkConf "owl1";
      owl2    = mkConf "owl2";
      eudy    = mkConf "eudy";
--- a/keys.nix
+++ b/keys.nix
@@ -10,7 +10,6 @@ rec {
    bay   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
    lake2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
    fox   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwItIk5uOJcQEVPoy/CVGRzfmE1ojrdDcI06FrU4NFT fox";
    tent  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAtTpHtdYoelbknD/IcfBlThwLKJv/dSmylOgpg3FRM tent";
  };
  hostGroup = with hosts; rec {
@@ -26,8 +25,7 @@ rec {
  };
  admins = {
-    "rarias@hut"  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
+    rarias = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
-    "rarias@tent" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwlWSBTZi74WTz5xn6gBvTmCoVltmtIAeM3RMmkh4QZ rarias@tent";
+    root   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
    root          = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
  };
 }
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@@ -2,7 +2,7 @@
 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    ../module/monitoring.nix
  ];
--- a/m/common/base/env.nix
+++ b/m/common/base/env.nix
@@ -21,8 +21,6 @@
    }
  ];
  environment.enableAllTerminfo = true;
  environment.variables = {
    EDITOR = "vim";
    VISUAL = "vim";
--- a/m/common/base/ssh.nix
+++ b/m/common/base/ssh.nix
@@ -8,6 +8,13 @@ in
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  # Connect to intranet git hosts via proxy
  programs.ssh.extraConfig = ''
    Host bscpm02.bsc.es bscpm03.bsc.es bscpm04.bsc.es gitlab-internal.bsc.es alya.gitlab.bsc.es
      User git
      ProxyCommand nc -X connect -x hut:23080 %h %p
  '';
  programs.ssh.knownHosts = hostsKeys // {
    "gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3";
    "bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS";
--- a/m/common/base/users.nix
+++ b/m/common/base/users.nix
@@ -56,7 +56,7 @@
        home = "/home/Computational/rpenacob";
        description = "Raúl Peñacoba";
        group = "Computational";
-        hosts = [ "owl1" "owl2" "hut" "tent" "fox" ];
+        hosts = [ "owl1" "owl2" "hut" ];
        hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc"
@@ -69,7 +69,7 @@
        home = "/home/Computational/anavarro";
        description = "Antoni Navarro";
        group = "Computational";
-        hosts = [ "hut" "tent" "raccoon" "fox" ];
+        hosts = [ "hut" "raccoon" ];
        hashedPassword = "$6$QdNDsuLehoZTYZlb$CDhCouYDPrhoiB7/seu7RF.Gqg4zMQz0n5sA4U1KDgHaZOxy2as9pbIGeF8tOHJKRoZajk5GiaZv0rZMn7Oq31";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWjRSlKgzBPZQhIeEtk6Lvws2XNcYwHcwPv4osSgst5 anavarro@ssfhead"
@@ -82,7 +82,7 @@
        home = "/home/Computational/abonerib";
        description = "Aleix Boné";
        group = "Computational";
-        hosts = [ "owl1" "owl2" "hut" "tent" "raccoon" "fox" ];
+        hosts = [ "owl1" "owl2" "hut" "raccoon" ];
        hashedPassword = "$6$V1EQWJr474whv7XJ$OfJ0wueM2l.dgiJiiah0Tip9ITcJ7S7qDvtSycsiQ43QBFyP4lU0e0HaXWps85nqB4TypttYR4hNLoz3bz662/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc"
@@ -108,7 +108,7 @@
        home = "/home/Computational/dbautist";
        description = "Dylan Bautista Cases";
        group = "Computational";
-        hosts = [ "hut" "tent" "raccoon" ];
+        hosts = [ "hut" "raccoon" ];
        hashedPassword = "$6$a2lpzMRVkG9nSgIm$12G6.ka0sFX1YimqJkBAjbvhRKZ.Hl090B27pdbnQOW0wzyxVWySWhyDDCILjQELky.HKYl9gqOeVXW49nW7q/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAb+EQBoS98zrCwnGKkHKwMLdYABMTqv7q9E0+T0QmkS dbautist@bsc-848818791"
@@ -121,7 +121,7 @@
        home = "/home/Computational/dalvare1";
        description = "David Álvarez";
        group = "Computational";
-        hosts = [ "hut" "tent" "fox" ];
+        hosts = [ "hut" ];
        hashedPassword = "$6$mpyIsV3mdq.rK8$FvfZdRH5OcEkUt5PnIUijWyUYZvB1SgeqxpJ2p91TTe.3eQIDTcLEQ5rxeg.e5IEXAZHHQ/aMsR5kPEujEghx0";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGEfy6F4rF80r4Cpo2H5xaWqhuUZzUsVsILSKGJzt5jF dalvare1@ssfhead"
@@ -134,26 +134,12 @@
        home = "/home/Computational/varcila";
        description = "Vincent Arcila";
        group = "Computational";
-        hosts = [ "hut" "tent" "fox" ];
+        hosts = [ "hut" "fox" ];
        hashedPassword = "$6$oB0Tcn99DcM4Ch$Vn1A0ulLTn/8B2oFPi9wWl/NOsJzaFAWjqekwcuC9sMC7cgxEVb.Nk5XSzQ2xzYcNe5MLtmzkVYnRS1CqP39Y0";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"
        ];
      };
      pmartin1 = {
        # Arbitrary UID but large so it doesn't collide with other users on ssfhead.
        uid = 9652;
        isNormalUser = true;
        home = "/home/Computational/pmartin1";
        description = "Pedro J. Martinez-Ferrer";
        group = "Computational";
        hosts = [ "fox" ];
        hashedPassword = "$6$nIgDMGnt4YIZl3G.$.JQ2jXLtDPRKsbsJfJAXdSvjDIzRrg7tNNjPkLPq3KJQhMjfDXRUvzagUHUU2TrE2hHM8/6uq8ex0UdxQ0ysl.";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIV5LEAII5rfe1hYqDYIIrhb1gOw7RcS1p2mhOTqG+zc pedro@pedro-ThinkPad-P14s-Gen-2a"
        ];
      };
    };
    groups = {
--- a/m/common/ssf.nix
+++ b/m/common/ssf.nix
@@ -1,9 +0,0 @@
 {
  # Provides the base system for a xeon node in the SSF rack.
  imports = [
    ./xeon.nix
    ./ssf/fs.nix
    ./ssf/net.nix
    ./ssf/ssh.nix
  ];
 }
--- a/m/common/xeon.nix
+++ b/m/common/xeon.nix
@@ -1,7 +1,10 @@
 {
-  # Provides the base system for a xeon node, not necessarily in the SSF rack.
+  # Provides the base system for a xeon node.
  imports = [
    ./base.nix
    ./xeon/console.nix
    ./xeon/fs.nix
    ./xeon/net.nix
    ./xeon/ssh.nix
  ];
 }
--- a/m/common/xeon/fs.nix
+++ b/m/common/xeon/fs.nix
--- a/m/common/xeon/net.nix
+++ b/m/common/xeon/net.nix
--- a/m/common/xeon/ssh.nix
+++ b/m/common/xeon/ssh.nix
--- a/m/eudy/configuration.nix
+++ b/m/eudy/configuration.nix
@@ -2,7 +2,7 @@
 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    #(modulesPath + "/installer/netboot/netboot-minimal.nix")
    ./kernel/kernel.nix
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -14,7 +14,7 @@
  swapDevices = lib.mkForce [];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
-  boot.kernelModules = [ "kvm-amd" "amd_uncore" ];
+  boot.kernelModules = [ "kvm-amd" "amd_uncore" "amd_hsmp" ];
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  hardware.cpu.intel.updateMicrocode = lib.mkForce false;
--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@@ -2,7 +2,7 @@
 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    ../module/ceph.nix
    ../module/debuginfod.nix
--- a/m/hut/gpfs-probe.sh
+++ b/m/hut/gpfs-probe.sh
@@ -2,20 +2,10 @@
 N=500
-t_proj=$(timeout 5 ssh bsc015557@glogin2.bsc.es "timeout 3 command time -f %e touch /gpfs/projects/bsc15/bsc015557/gpfs.{1..$N} 2>&1; rm -f /gpfs/projects/bsc15/bsc015557/gpfs.{1..$N}")
+t=$(timeout 5 ssh bsc015557@glogin2.bsc.es "timeout 3 command time -f %e touch /gpfs/projects/bsc15/bsc015557/gpfs.{1..$N} 2>&1; rm -f /gpfs/projects/bsc15/bsc015557/gpfs.{1..$N}")
 t_scratch=$(timeout 5 ssh bsc015557@glogin2.bsc.es "timeout 3 command time -f %e touch /gpfs/scratch/bsc15/rodrigo/probe/gpfs.{1..$N} 2>&1; rm -f /gpfs/scratch/bsc15/rodrigo/probe/gpfs.{1..$N}")
 t_home=$(timeout 5 ssh bsc015557@glogin2.bsc.es "timeout 3 command time -f %e touch /home/bsc/bsc015557/.gpfs/{1..$N} 2>&1; rm -f /home/bsc/bsc015557/.gpfs/{1..$N}")
-if [ -z "$t_proj" ]; then
+if [ -z "$t" ]; then
-  t_proj="5.00"
+  t="5.00"
 fi
 if [ -z "$t_scratch" ]; then
  t_scratch="5.00"
 fi
 if [ -z "$t_home" ]; then
  t_home="5.00"
 fi
 cat <<EOF
@@ -24,7 +14,5 @@ Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=values
 # HELP gpfs_touch_latency Time to create $N files.
 # TYPE gpfs_touch_latency gauge
-gpfs_touch_latency{partition="projects"} $t_proj
+gpfs_touch_latency $t
 gpfs_touch_latency{partition="home"} $t_home
 gpfs_touch_latency{partition="scratch"} $t_scratch
 EOF
--- a/m/hut/monitoring.nix
+++ b/m/hut/monitoring.nix
@@ -6,7 +6,7 @@
    ../module/meteocat-exporter.nix
    ../module/upc-qaire-exporter.nix
    ./gpfs-probe.nix
-    ../module/nix-daemon-exporter.nix
+    ./nix-daemon-exporter.nix
  ];
  age.secrets.grafanaJungleRobotPassword = {
@@ -267,14 +267,6 @@
          }
        ];
      }
      {
        job_name = "tent";
        static_configs = [
          {
            targets = [ "127.0.0.1:29002" ]; # Node exporter
          }
        ];
      }
    ];
  };
 }
--- a/m/module/nix-daemon-builds.sh
+++ b/m/module/nix-daemon-builds.sh
--- a/m/module/nix-daemon-exporter.nix
+++ b/m/module/nix-daemon-exporter.nix
--- a/m/koro/configuration.nix
+++ b/m/koro/configuration.nix
@@ -2,7 +2,7 @@
 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    #(modulesPath + "/installer/netboot/netboot-minimal.nix")
    ../eudy/cpufreq.nix
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@@ -2,7 +2,7 @@
 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    ../module/monitoring.nix
  ];
--- a/m/map.nix
+++ b/m/map.nix
@@ -17,7 +17,7 @@
    owl1   = { pos=35; size=1; label="SSF-XEON01"; board="S2600WTTR"; sn="BQWL64954172"; contact="rodrigo.arias@bsc.es"; };
    owl2   = { pos=34; size=1; label="SSF-XEON02"; board="S2600WTTR"; sn="BQWL64756560"; contact="rodrigo.arias@bsc.es"; };
    xeon03 = { pos=33; size=1; label="SSF-XEON03"; board="S2600WTTR"; sn="BQWL64750826"; contact="rodrigo.arias@bsc.es"; };
-    # Slot 34 empty
+    xeon04 = { pos=32; size=1; label="SSF-XEON04"; board="S2600WTTR"; sn="BQWL64751229"; contact="rodrigo.arias@bsc.es"; };
    koro   = { pos=31; size=1; label="SSF-XEON05"; board="S2600WTTR"; sn="BQWL64954293"; contact="rodrigo.arias@bsc.es"; };
    xeon06 = { pos=30; size=1; label="SSF-XEON06"; board="S2600WTTR"; sn="BQWL64750846"; contact="antoni.navarro@bsc.es"; };
    hut    = { pos=29; size=1; label="SSF-XEON07"; board="S2600WTTR"; sn="BQWL64751184"; contact="rodrigo.arias@bsc.es"; };
@@ -48,7 +48,6 @@
  bsc2218 = {
    raccoon = { board="W2600CR"; sn="QSIP22500829"; contact="rodrigo.arias@bsc.es"; };
    tent    = { label="SSF-XEON04"; board="S2600WTTR"; sn="BQWL64751229"; contact="rodrigo.arias@bsc.es"; };
  };
  upc = {
--- a/m/module/p.nix
+++ b/m/module/p.nix
@@ -1,68 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.p;
 in
 {
  options = {
    services.p = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Whether to enable the p service.";
      };
      path = lib.mkOption {
        type = lib.types.str;
        default = "/var/lib/p";
        description = "Where to save the pasted files on disk.";
      };
      url = lib.mkOption {
        type = lib.types.str;
        default = "https://jungle.bsc.es/p";
        description = "URL prefix for the printed file.";
      };
    };
  };
  config = lib.mkIf cfg.enable {
    environment.systemPackages = let 
      p = pkgs.writeShellScriptBin "p" ''
        set -e
        pastedir="${cfg.path}/$USER"
        cd "$pastedir"
        ext="txt"
        if [ -n "$1" ]; then
          ext="$1"
        fi
        out=$(mktemp "XXXXXXXX.$ext")
        cat > "$out"
        chmod go+r "$out"
        echo "${cfg.url}/$USER/$out"
      '';
    in [ p ];
    systemd.services.p = let
      # Take only normal users
      users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users;
      # Create a directory for each user
      commands = lib.concatLists (lib.mapAttrsToList (_: user: [
        "install -d -o ${user.name} -g ${user.group} -m 0755 ${cfg.path}/${user.name}"
      ]) users);
    in {
      description = "P service setup";
      requires = [ "network-online.target" ];
      #wants = [ "remote-fs.target" ];
      #after = [ "remote-fs.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = pkgs.writeShellScript "p-init.sh" (''
          install -d -o root -g root -m 0755 ${cfg.path}
        '' + (lib.concatLines commands));
      };
    };
  };
 }
--- a/m/module/ssh-hut-extern.nix
+++ b/m/module/ssh-hut-extern.nix
@@ -1,9 +0,0 @@
 {
  programs.ssh.extraConfig = ''
    Host ssfhead
      HostName ssflogin.bsc.es
    Host hut
      ProxyJump ssfhead
      HostName xeon07
  '';
 }
--- a/m/module/vpn-dac.nix
+++ b/m/module/vpn-dac.nix
@@ -1,35 +0,0 @@
 {config, ...}:
 {
  age.secrets.vpn-dac-login.file = ../../secrets/vpn-dac-login.age;
  age.secrets.vpn-dac-client-key.file = ../../secrets/vpn-dac-client-key.age;
  services.openvpn.servers = {
    # systemctl status openvpn-dac.service
    dac = {
      config = ''
        client
        dev tun
        proto tcp
        remote vpn.ac.upc.edu 1194
        remote vpn.ac.upc.edu 80
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ca ${./vpn-dac/ca.crt}
        cert ${./vpn-dac/client.crt}
        # Only key needs to be secret
        key ${config.age.secrets.vpn-dac-client-key.path}
        remote-cert-tls server
        comp-lzo
        verb 3
        auth-user-pass ${config.age.secrets.vpn-dac-login.path}
        reneg-sec 0
        # Only route fox-ipmi
        pull-filter ignore "route "
        route 147.83.35.27 255.255.255.255
      '';
    };
  };
 }
--- a/m/module/vpn-dac/ca.crt
+++ b/m/module/vpn-dac/ca.crt
@@ -1,31 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIFUjCCBDqgAwIBAgIJAJH118PApk5hMA0GCSqGSIb3DQEBCwUAMIHLMQswCQYD
 VQQGEwJFUzESMBAGA1UECBMJQmFyY2Vsb25hMRIwEAYDVQQHEwlCYXJjZWxvbmEx
 LTArBgNVBAoTJFVuaXZlcnNpdGF0IFBvbGl0ZWNuaWNhIGRlIENhdGFsdW55YTEk
 MCIGA1UECxMbQXJxdWl0ZWN0dXJhIGRlIENvbXB1dGFkb3JzMRAwDgYDVQQDEwdM
 Q0FDIENBMQ0wCwYDVQQpEwRMQ0FDMR4wHAYJKoZIhvcNAQkBFg9sY2FjQGFjLnVw
 Yy5lZHUwHhcNMTYwMTEyMTI0NDIxWhcNNDYwMTEyMTI0NDIxWjCByzELMAkGA1UE
 BhMCRVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMS0w
 KwYDVQQKEyRVbml2ZXJzaXRhdCBQb2xpdGVjbmljYSBkZSBDYXRhbHVueWExJDAi
 BgNVBAsTG0FycXVpdGVjdHVyYSBkZSBDb21wdXRhZG9yczEQMA4GA1UEAxMHTENB
 QyBDQTENMAsGA1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0BhYy51cGMu
 ZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CteSeof7Xwi51kC
 F0nQ4E9iR5Lq7wtfRuVPn6JJcIxJJ6+F9gr4R/HIHTztW4XAzReE36DYfexupx3D
 6UgQIkMLlVyGqRbulNF+RnCx20GosF7Dm4RGBVvOxBP1PGjYq/A+XhaaDAFd0cOF
 LMNkzuYP7PF0bnBEaHnxmN8bPmuyDyas7fK9AAc3scyWT2jSBPbOVFvCJwPg8MH9
 V/h+hKwL/7hRt1MVfVv2qyIuKwTki8mUt0RcVbP7oJoRY5K1+R52phIz/GL/b4Fx
 L6MKXlQxLi8vzP4QZXgCMyV7oFNdU3VqCEXBA11YIRvsOZ4QS19otIk/ZWU5x+HH
 LAIJ7wIDAQABo4IBNTCCATEwHQYDVR0OBBYEFNyezX1cH1N4QR14ebBpljqmtE7q
 MIIBAAYDVR0jBIH4MIH1gBTcns19XB9TeEEdeHmwaZY6prRO6qGB0aSBzjCByzEL
 MAkGA1UEBhMCRVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vs
 b25hMS0wKwYDVQQKEyRVbml2ZXJzaXRhdCBQb2xpdGVjbmljYSBkZSBDYXRhbHVu
 eWExJDAiBgNVBAsTG0FycXVpdGVjdHVyYSBkZSBDb21wdXRhZG9yczEQMA4GA1UE
 AxMHTENBQyBDQTENMAsGA1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0Bh
 Yy51cGMuZWR1ggkAkfXXw8CmTmEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
 AAOCAQEAUAmOvVXIQrR+aZVO0bOTeugKBHB75eTIZSIHIn2oDUvDbAP5GXIJ56A1
 6mZXxemSMY8/9k+pRcwJhfat3IgvAN159XSqf9kRv0NHgc3FWUI1Qv/BsAn0vJO/
 oK0dbmbbRWqt86qNrCN+cUfz5aovvxN73jFfnvfDQFBk/8enj9wXxYfokjjLPR1Q
 +oTkH8dY68qf71oaUB9MndppPEPSz0K1S6h1XxvJoSu9MVSXOQHiq1cdZdxRazI3
 4f7q9sTCL+khwDAuZxAYzlEYxFFa/NN8PWU6xPw6V+t/aDhOiXUPJQB/O/K7mw3Z
 TQQx5NqM7B5jjak5fauR3/oRD8XXsA==
 -----END CERTIFICATE-----
--- a/m/module/vpn-dac/client.crt
+++ b/m/module/vpn-dac/client.crt
@@ -1,100 +0,0 @@
 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=ES, ST=Barcelona, L=Barcelona, O=Universitat Politecnica de Catalunya, OU=Arquitectura de Computadors, CN=LCAC CA/name=LCAC/emailAddress=lcac@ac.upc.edu
        Validity
            Not Before: Jan 12 12:45:41 2016 GMT
            Not After : Jan 12 12:45:41 2046 GMT
        Subject: C=ES, ST=Barcelona, L=Barcelona, O=Universitat Politecnica de Catalunya, OU=Arquitectura de Computadors, CN=client/name=LCAC/emailAddress=lcac@ac.upc.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:97:99:fa:7a:0e:4d:e2:1d:a5:b1:a8:14:18:64:
                    c7:66:bf:de:99:1d:92:3b:86:82:4d:95:39:f7:a6:
                    56:49:97:14:4f:e3:37:00:6c:f4:d0:1d:56:79:e7:
                    19:b5:dd:36:15:8e:1d:57:7b:59:29:d2:11:bf:58:
                    48:e0:f7:41:3d:16:64:8d:a2:0b:4a:ac:fa:c6:83:
                    dc:10:2a:2c:d9:97:48:ee:11:2a:bc:4b:60:dd:b9:
                    2e:8f:45:ca:87:0b:38:65:1c:f8:a2:1d:f9:50:aa:
                    6e:60:f9:48:df:57:12:23:e1:e7:0c:81:5c:9f:c5:
                    b2:e6:99:99:95:30:6d:57:36:06:8c:fd:fb:f9:4f:
                    60:d2:3c:ba:ae:28:56:2f:da:58:5c:e8:c5:7b:ec:
                    76:d9:28:6e:fb:8c:07:f9:d7:23:c3:72:76:3c:fa:
                    dc:20:67:8f:cc:16:e0:91:07:d5:68:f9:20:4d:7d:
                    5c:2d:02:04:16:76:52:f3:53:be:a3:dc:0d:d5:fb:
                    6b:55:29:f3:52:35:c8:7d:99:d1:4a:94:be:b1:8e:
                    fd:85:18:25:eb:41:e9:56:da:af:62:84:20:0a:00:
                    17:94:92:94:91:6a:f8:54:37:17:ee:1e:bb:fb:93:
                    71:91:d9:e4:e9:b8:3b:18:7d:6d:7d:4c:ce:58:55:
                    f9:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                1B:88:06:D5:33:1D:5C:48:46:B5:DE:78:89:36:96:91:3A:74:43:18
            X509v3 Authority Key Identifier: 
                keyid:DC:9E:CD:7D:5C:1F:53:78:41:1D:78:79:B0:69:96:3A:A6:B4:4E:EA
                DirName:/C=ES/ST=Barcelona/L=Barcelona/O=Universitat Politecnica de Catalunya/OU=Arquitectura de Computadors/CN=LCAC CA/name=LCAC/emailAddress=lcac@ac.upc.edu
                serial:91:F5:D7:C3:C0:A6:4E:61
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:client
    Signature Algorithm: sha256WithRSAEncryption
         42:e8:50:b2:e7:88:75:86:0b:bb:29:e3:aa:c6:0e:4c:e8:ea:
         3d:0c:02:31:7f:3b:80:0c:3f:80:af:45:d6:62:27:a0:0e:e7:
         26:09:12:97:95:f8:d9:9b:89:b5:ef:56:64:f1:de:82:74:e0:
         31:0a:cc:90:0a:bd:50:b8:54:95:0a:ae:3b:40:df:76:b6:d1:
         01:2e:f3:96:9f:52:d4:e9:14:6d:b7:14:9d:45:99:33:36:2a:
         01:0b:15:1a:ed:55:dc:64:83:65:1a:06:42:d9:c7:dc:97:d4:
         02:81:c2:58:2b:ea:e4:b7:ae:84:3a:e4:3f:f1:2e:fa:ec:f3:
         40:5d:b8:6a:d5:5e:e1:e8:2f:e2:2f:48:a4:38:a1:4f:22:e3:
         4f:66:94:aa:02:78:9a:2b:7a:5d:aa:aa:51:a5:e3:d0:91:e9:
         1d:f9:08:ed:8b:51:c9:a6:af:46:85:b5:1c:ed:12:a1:28:33:
         75:36:00:d8:5c:14:65:96:c0:28:7d:47:50:a4:89:5f:b0:72:
         1a:4b:13:17:26:0f:f0:b8:65:3c:e9:96:36:f9:bf:90:59:33:
         87:1f:01:03:25:f8:f0:3a:9b:33:02:d0:0a:43:b5:0a:cf:62:
         a1:45:38:37:07:9d:9c:94:0b:31:c6:3c:34:b7:fc:5a:0c:e4:
         bf:23:f6:7d
 -----BEGIN CERTIFICATE-----
 MIIFqjCCBJKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCByzELMAkGA1UEBhMCRVMx
 EjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMS0wKwYDVQQK
 EyRVbml2ZXJzaXRhdCBQb2xpdGVjbmljYSBkZSBDYXRhbHVueWExJDAiBgNVBAsT
 G0FycXVpdGVjdHVyYSBkZSBDb21wdXRhZG9yczEQMA4GA1UEAxMHTENBQyBDQTEN
 MAsGA1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0BhYy51cGMuZWR1MB4X
 DTE2MDExMjEyNDU0MVoXDTQ2MDExMjEyNDU0MVowgcoxCzAJBgNVBAYTAkVTMRIw
 EAYDVQQIEwlCYXJjZWxvbmExEjAQBgNVBAcTCUJhcmNlbG9uYTEtMCsGA1UEChMk
 VW5pdmVyc2l0YXQgUG9saXRlY25pY2EgZGUgQ2F0YWx1bnlhMSQwIgYDVQQLExtB
 cnF1aXRlY3R1cmEgZGUgQ29tcHV0YWRvcnMxDzANBgNVBAMTBmNsaWVudDENMAsG
 A1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0BhYy51cGMuZWR1MIIBIjAN
 BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl5n6eg5N4h2lsagUGGTHZr/emR2S
 O4aCTZU596ZWSZcUT+M3AGz00B1WeecZtd02FY4dV3tZKdIRv1hI4PdBPRZkjaIL
 Sqz6xoPcECos2ZdI7hEqvEtg3bkuj0XKhws4ZRz4oh35UKpuYPlI31cSI+HnDIFc
 n8Wy5pmZlTBtVzYGjP37+U9g0jy6rihWL9pYXOjFe+x22Shu+4wH+dcjw3J2PPrc
 IGePzBbgkQfVaPkgTX1cLQIEFnZS81O+o9wN1ftrVSnzUjXIfZnRSpS+sY79hRgl
 60HpVtqvYoQgCgAXlJKUkWr4VDcX7h67+5Nxkdnk6bg7GH1tfUzOWFX5QQIDAQAB
 o4IBljCCAZIwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2Vu
 ZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQbiAbVMx1cSEa13niJNpaROnRD
 GDCCAQAGA1UdIwSB+DCB9YAU3J7NfVwfU3hBHXh5sGmWOqa0TuqhgdGkgc4wgcsx
 CzAJBgNVBAYTAkVTMRIwEAYDVQQIEwlCYXJjZWxvbmExEjAQBgNVBAcTCUJhcmNl
 bG9uYTEtMCsGA1UEChMkVW5pdmVyc2l0YXQgUG9saXRlY25pY2EgZGUgQ2F0YWx1
 bnlhMSQwIgYDVQQLExtBcnF1aXRlY3R1cmEgZGUgQ29tcHV0YWRvcnMxEDAOBgNV
 BAMTB0xDQUMgQ0ExDTALBgNVBCkTBExDQUMxHjAcBgkqhkiG9w0BCQEWD2xjYWNA
 YWMudXBjLmVkdYIJAJH118PApk5hMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1Ud
 DwQEAwIHgDARBgNVHREECjAIggZjbGllbnQwDQYJKoZIhvcNAQELBQADggEBAELo
 ULLniHWGC7sp46rGDkzo6j0MAjF/O4AMP4CvRdZiJ6AO5yYJEpeV+NmbibXvVmTx
 3oJ04DEKzJAKvVC4VJUKrjtA33a20QEu85afUtTpFG23FJ1FmTM2KgELFRrtVdxk
 g2UaBkLZx9yX1AKBwlgr6uS3roQ65D/xLvrs80BduGrVXuHoL+IvSKQ4oU8i409m
 lKoCeJorel2qqlGl49CR6R35CO2LUcmmr0aFtRztEqEoM3U2ANhcFGWWwCh9R1Ck
 iV+wchpLExcmD/C4ZTzpljb5v5BZM4cfAQMl+PA6mzMC0ApDtQrPYqFFODcHnZyU
 CzHGPDS3/FoM5L8j9n0=
 -----END CERTIFICATE-----
--- a/m/owl1/configuration.nix
+++ b/m/owl1/configuration.nix
@@ -2,7 +2,7 @@
 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    ../module/ceph.nix
    ../module/emulation.nix
    ../module/slurm-client.nix
--- a/m/owl2/configuration.nix
+++ b/m/owl2/configuration.nix
@@ -2,7 +2,7 @@
 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    ../module/ceph.nix
    ../module/emulation.nix
    ../module/slurm-client.nix
--- a/m/raccoon/configuration.nix
+++ b/m/raccoon/configuration.nix
@@ -5,7 +5,6 @@
    ../common/base.nix
    ../module/emulation.nix
    ../module/debuginfod.nix
    ../module/ssh-hut-extern.nix
    ../eudy/kernel/perf.nix
  ];
@@ -27,18 +26,6 @@
      address = "84.88.51.152";
      prefixLength = 25;
    } ];
    interfaces.enp5s0f1.ipv4.addresses = [ {
      address = "10.0.44.1";
      prefixLength = 24;
    } ];
    nat = {
      enable = true;
      internalInterfaces = [ "enp5s0f1" ];
      externalInterface = "eno0";
    };
    hosts = {
      "10.0.44.4" = [ "tent" ];
    };
  };
  nix.settings = {
--- a/m/tent/blackbox.yml
+++ b/m/tent/blackbox.yml
@@ -1,14 +0,0 @@
 modules:
  http_2xx:
    prober: http
    timeout: 5s
    http:
      preferred_ip_protocol: "ip4"
      follow_redirects: true
      valid_status_codes: []  # Defaults to 2xx
      method: GET
  icmp:
    prober: icmp
    timeout: 5s
    icmp:
      preferred_ip_protocol: "ip4"
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -1,80 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
    ../common/xeon.nix
    ../module/emulation.nix
    ../module/debuginfod.nix
    ../module/ssh-hut-extern.nix
    ./monitoring.nix
    ./nginx.nix
    ./nix-serve.nix
    ./gitlab-runner.nix
    ./gitea.nix
    ../hut/public-inbox.nix
    ../hut/msmtp.nix
    ../module/p.nix
    ../module/vpn-dac.nix
  ];
  # Select the this using the ID to avoid mismatches
  boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d537675";
  networking = {
    hostName = "tent";
    interfaces.eno1.ipv4.addresses = [
      {
        address = "10.0.44.4";
        prefixLength = 24;
      }
    ];
    # Only BSC DNSs seem to be reachable from the office VLAN
    nameservers = [ "84.88.52.35" "84.88.52.36" ];
    search = [ "bsc.es" "ac.upc.edu" ];
    defaultGateway = "10.0.44.1";
  };
  services.p.enable = true;
  services.prometheus.exporters.node = {
    enable = true;
    enabledCollectors = [ "systemd" ];
    port = 9002;
    listenAddress = "127.0.0.1";
  };
  boot.swraid = {
    enable = true;
    mdadmConf = ''
      DEVICE partitions
      ARRAY /dev/md0 metadata=1.2 UUID=496db1e2:056a92aa:a544543f:40db379d
      MAILADDR root
    '';
  };
  fileSystems."/vault" = {
    device = "/dev/disk/by-label/vault";
    fsType = "ext4";
  };
  # Make a /vault/$USER directory for each user.
  systemd.services.create-vault-dirs = let
    # Take only normal users in tent
    users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users;
    commands = lib.concatLists (lib.mapAttrsToList
      (_: user: [
        "install -d -o ${user.name} -g ${user.group} -m 0711 /vault/home/${user.name}"
      ]) users);
    script = pkgs.writeShellScript "create-vault-dirs.sh" (lib.concatLines commands);
  in {
    enable = true;
    wants = [ "local-fs.target" ];
    after = [ "local-fs.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig.ExecStart = script;
  };
  # disable automatic garbage collector
  nix.gc.automatic = lib.mkForce false;
 }
--- a/m/tent/gitea.nix
+++ b/m/tent/gitea.nix
@@ -1,30 +0,0 @@
 { config, lib, ... }:
 {
  services.gitea = {
    enable = true;
    appName = "Gitea in the jungle";
    settings = {
      server = {
        ROOT_URL = "https://jungle.bsc.es/git/";
        LOCAL_ROOT_URL = "https://jungle.bsc.es/git/";
        LANDING_PAGE = "explore";
      };
      metrics.ENABLED = true;
      service = {
        DISABLE_REGISTRATION = true;
        REGISTER_MANUAL_CONFIRM = true;
        ENABLE_NOTIFY_MAIL = true;
      };
      log.LEVEL = "Warn";
      mailer = {
        ENABLED       = true;
        FROM          = "jungle-robot@bsc.es";
        PROTOCOL      = "sendmail";
        SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
        SENDMAIL_ARGS = "--";
      };
    };
  };
 }
--- a/m/tent/gitlab-runner.nix
+++ b/m/tent/gitlab-runner.nix
@@ -1,93 +0,0 @@
 { pkgs, lib, config, ... }:
 {
  age.secrets.tent-gitlab-runner-pm-shell.file = ../../secrets/tent-gitlab-runner-pm-shell-token.age;
  age.secrets.tent-gitlab-runner-pm-docker.file = ../../secrets/tent-gitlab-runner-pm-docker-token.age;
  age.secrets.tent-gitlab-runner-bsc-docker.file = ../../secrets/tent-gitlab-runner-bsc-docker-token.age;
  services.gitlab-runner = let sec = config.age.secrets; in {
    enable = true;
    settings.concurrent = 5;
    services = {
      # For gitlab.pm.bsc.es
      gitlab-pm-shell = {
        executor = "shell";
        environmentVariables = {
          SHELL = "${pkgs.bash}/bin/bash";
        };
        authenticationTokenConfigFile = sec.tent-gitlab-runner-pm-shell.path;
        preGetSourcesScript = pkgs.writeScript "setup" ''
          echo "This is the preGetSources script running, brace for impact"
          env
        '';
      };
      gitlab-pm-docker = {
        authenticationTokenConfigFile = sec.tent-gitlab-runner-pm-docker.path;
        executor = "docker";
        dockerImage = "debian:stable";
      };
      # For gitlab.bsc.es
      gitlab-bsc-docker = {
        # gitlab.bsc.es still uses the old token mechanism
        registrationConfigFile = sec.tent-gitlab-runner-bsc-docker.path;
        tagList = [ "docker" "tent" "nix" ];
        executor = "docker";
        dockerImage = "alpine";
        dockerVolumes = [
          "/nix/store:/nix/store:ro"
          "/nix/var/nix/db:/nix/var/nix/db:ro"
          "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
        ];
        dockerDisableCache = true;
        registrationFlags = [
          # Increase build log length to 64 MiB
          "--output-limit 65536"
        ];
        preBuildScript = pkgs.writeScript "setup-container" ''
          mkdir -p -m 0755 /nix/var/log/nix/drvs
          mkdir -p -m 0755 /nix/var/nix/gcroots
          mkdir -p -m 0755 /nix/var/nix/profiles
          mkdir -p -m 0755 /nix/var/nix/temproots
          mkdir -p -m 0755 /nix/var/nix/userpool
          mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
          mkdir -p -m 1777 /nix/var/nix/profiles/per-user
          mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
          mkdir -p -m 0700 "$HOME/.nix-defexpr"
          mkdir -p -m 0700 "$HOME/.ssh"
          cat >> "$HOME/.ssh/known_hosts" << EOF
          bscpm04.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT
          gitlab-internal.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3
          EOF
          . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
          # Required to load SSL certificate paths
          . ${pkgs.cacert}/nix-support/setup-hook
        '';
        environmentVariables = {
          ENV = "/etc/profile";
          USER = "root";
          NIX_REMOTE = "daemon";
          PATH = "${config.system.path}/bin:/bin:/sbin:/usr/bin:/usr/sbin";
        };
      };
    };
  };
  systemd.services.gitlab-runner.serviceConfig = {
    DynamicUser = lib.mkForce false;
    User = "gitlab-runner";
    Group = "gitlab-runner";
    ExecStart = lib.mkForce
      ''${pkgs.gitlab-runner}/bin/gitlab-runner run --config ''${HOME}/.gitlab-runner/config.toml --listen-address "127.0.0.1:9252" --working-directory ''${HOME}'';
  };
  users.users.gitlab-runner = {
    uid = config.ids.uids.gitlab-runner;
    home = "/var/lib/gitlab-runner";
    description = "Gitlab Runner";
    group = "gitlab-runner";
    extraGroups = [ "docker" ];
    createHome = true;
  };
  users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner;
 }
--- a/m/tent/monitoring.nix
+++ b/m/tent/monitoring.nix
@@ -1,217 +0,0 @@
 { config, lib, pkgs, ... }:
 {
  imports = [
    ../module/meteocat-exporter.nix
    ../module/upc-qaire-exporter.nix
    ../module/nix-daemon-exporter.nix
  ];
  age.secrets.grafanaJungleRobotPassword = {
    file = ../../secrets/jungle-robot-password.age;
    owner = "grafana";
    mode = "400";
  };
  services.grafana = {
    enable = true;
    settings = {
      server = {
        domain = "jungle.bsc.es";
        root_url = "%(protocol)s://%(domain)s/grafana";
        serve_from_sub_path = true;
        http_port = 2342;
        http_addr = "127.0.0.1";
      };
      smtp = {
        enabled = true;
        from_address = "jungle-robot@bsc.es";
        user = "jungle-robot";
        # Read the password from a file, which is only readable by grafana user
        # https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
        password = "$__file{${config.age.secrets.grafanaJungleRobotPassword.path}}";
        host = "mail.bsc.es:465";
        startTLS_policy = "NoStartTLS";
      };
      feature_toggles.publicDashboards = true;
      "auth.anonymous".enabled = true;
      log.level = "warn";
    };
  };
  services.prometheus = {
    enable = true;
    port = 9001;
    retentionTime = "5y";
    listenAddress = "127.0.0.1";
  };
  # We need access to the devices to monitor the disk space
  systemd.services.prometheus-node-exporter.serviceConfig.PrivateDevices = lib.mkForce false;
  systemd.services.prometheus-node-exporter.serviceConfig.ProtectHome = lib.mkForce "read-only";
  # Credentials for IPMI exporter
  age.secrets.ipmiYml = {
    file = ../../secrets/ipmi.yml.age;
    owner = "ipmi-exporter";
  };
  # Create an IPMI group and assign the ipmi0 device
  users.groups.ipmi = {};
  services.udev.extraRules = ''
    SUBSYSTEM=="ipmi", KERNEL=="ipmi0", GROUP="ipmi", MODE="0660"
  '';
  # Add a new ipmi-exporter user that can read the ipmi0 device
  users.users.ipmi-exporter = {
    isSystemUser = true;
    group = "ipmi";
  };
  # Disable dynamic user so we have the ipmi-exporter user available for the credentials
  systemd.services.prometheus-ipmi-exporter.serviceConfig = {
    DynamicUser = lib.mkForce false;
    PrivateDevices = lib.mkForce false;
    User = lib.mkForce "ipmi-exporter";
    Group = lib.mkForce "ipmi";
    RestrictNamespaces = lib.mkForce false;
    # Fake uid to 0 so it shuts up
    ExecStart = let
      cfg = config.services.prometheus.exporters.ipmi;
    in lib.mkForce (lib.concatStringsSep " " ([
      "${pkgs.util-linux}/bin/unshare --map-user 0"
      "${pkgs.prometheus-ipmi-exporter}/bin/ipmi_exporter"
      "--web.listen-address ${cfg.listenAddress}:${toString cfg.port}"
      "--config.file ${lib.escapeShellArg cfg.configFile}"
    ] ++ cfg.extraFlags));
  };
  services.prometheus = {
    exporters = {
      ipmi = {
        enable = true;
        configFile = config.age.secrets.ipmiYml.path;
        #extraFlags = [ "--log.level=debug" ];
        listenAddress = "127.0.0.1";
      };
      node = {
        enable = true;
        enabledCollectors = [ "logind" ];
        port = 9002;
        listenAddress = "127.0.0.1";
      };
      blackbox = {
        enable = true;
        listenAddress = "127.0.0.1";
        configFile = ./blackbox.yml;
      };
    };
    scrapeConfigs = [
      {
        job_name = "local";
        static_configs = [{
          targets = [
            "127.0.0.1:9002" # Node exporter
            #"127.0.0.1:9115" # Blackbox exporter
            "127.0.0.1:9290" # IPMI exporter for local node
            "127.0.0.1:9928" # UPC Qaire custom exporter
            "127.0.0.1:9929" # Meteocat custom exporter
            "127.0.0.1:9999" # Nix-daemon custom exporter
          ];
        }];
      }
      {
        job_name = "blackbox-http";
        metrics_path = "/probe";
        params = { module = [ "http_2xx" ]; };
        static_configs = [{
          targets = [
            "https://www.google.com/robots.txt"
            "https://pm.bsc.es/"
            "https://pm.bsc.es/gitlab/"
            "https://jungle.bsc.es/"
            "https://gitlab.bsc.es/"
          ];
        }];
        relabel_configs = [
          {
            # Takes the address and sets it in the "target=<xyz>" URL parameter
            source_labels = [ "__address__" ];
            target_label = "__param_target";
          }
          {
            # Sets the "instance" label with the remote host we are querying
            source_labels = [ "__param_target" ];
            target_label = "instance";
          }
          {
            # Shows the host target address instead of the blackbox address
            target_label = "__address__";
            replacement = "127.0.0.1:9115";
          }
        ];
      }
      {
        job_name = "blackbox-icmp";
        metrics_path = "/probe";
        params = { module = [ "icmp" ]; };
        static_configs = [{
          targets = [
            "1.1.1.1"
            "8.8.8.8"
            "ssfhead"
            "raccoon"
            "anella-bsc.cesca.cat"
            "upc-anella.cesca.cat"
            "fox.ac.upc.edu"
            "fox-ipmi.ac.upc.edu"
            "arenys5.ac.upc.edu"
            "arenys0-2.ac.upc.edu"
            "epi01.bsc.es"
            "axle.bsc.es"
          ];
        }];
        relabel_configs = [
          {
            # Takes the address and sets it in the "target=<xyz>" URL parameter
            source_labels = [ "__address__" ];
            target_label = "__param_target";
          }
          {
            # Sets the "instance" label with the remote host we are querying
            source_labels = [ "__param_target" ];
            target_label = "instance";
          }
          {
            # Shows the host target address instead of the blackbox address
            target_label = "__address__";
            replacement = "127.0.0.1:9115";
          }
        ];
      }
      {
        job_name = "ipmi-raccoon";
        metrics_path = "/ipmi";
        static_configs = [
          { targets = [ "127.0.0.1:9290" ]; }
        ];
        params = {
          target = [ "raccoon-ipmi" ];
          module = [ "raccoon" ];
        };
      }
      {
        job_name = "ipmi-fox";
        metrics_path = "/ipmi";
        static_configs = [
          { targets = [ "127.0.0.1:9290" ]; }
        ];
        params = {
          target = [ "fox-ipmi.ac.upc.edu" ];
          module = [ "fox" ];
        };
      }
    ];
  };
 }
--- a/m/tent/nginx.nix
+++ b/m/tent/nginx.nix
@@ -1,73 +0,0 @@
 { theFlake, pkgs, ... }:
 let
  website = pkgs.stdenv.mkDerivation {
    name = "jungle-web";
    src = theFlake;
    buildInputs = [ pkgs.hugo ];
    buildPhase = ''
      cd web
      rm -rf public/
      hugo
    '';
    installPhase = ''
      cp -r public $out
    '';
    # Don't mess doc/
    dontFixup = true;
  };
 in
 {
  networking.firewall.allowedTCPPorts = [ 80 ];
  services.nginx = {
    enable = true;
    virtualHosts."jungle.bsc.es" = {
      root = "${website}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 80;
        }
      ];
      extraConfig = ''
        set_real_ip_from 127.0.0.1;
        set_real_ip_from 84.88.52.107;
        real_ip_recursive on;
        real_ip_header X-Forwarded-For;
        location /git {
          rewrite ^/git$ / break;
          rewrite ^/git/(.*) /$1 break;
          proxy_pass http://127.0.0.1:3000;
          proxy_redirect http:// $scheme://;
        }
        location /cache {
          rewrite ^/cache/(.*) /$1 break;
          proxy_pass http://127.0.0.1:5000;
          proxy_redirect http:// $scheme://;
        }
        location /lists {
          proxy_pass http://127.0.0.1:8081;
          proxy_redirect http:// $scheme://;
        }
        location /grafana {
          proxy_pass http://127.0.0.1:2342;
          proxy_redirect http:// $scheme://;
          proxy_set_header Host $host;
          # Websockets
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        }
        location ~ ^/~(.+?)(/.*)?$ {
          alias /vault/home/$1/public_html$2;
          index  index.html index.htm;
          autoindex on;
          absolute_redirect off;
        }
        location /p/ {
          alias /var/lib/p/;
        }
      '';
    };
  };
 }
--- a/m/tent/nix-serve.nix
+++ b/m/tent/nix-serve.nix
@@ -1,16 +0,0 @@
 { config, ... }:
 {
  age.secrets.nixServe.file = ../../secrets/nix-serve.age;
  services.nix-serve = {
    enable = true;
    # Only listen locally, as we serve it via ssh
    bindAddress = "127.0.0.1";
    port = 5000;
    secretKeyFile = config.age.secrets.nixServe.path;
    # Public key:
    # jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=
  };
 }
--- a/pkgs/amd-uprof/default.nix
+++ b/pkgs/amd-uprof/default.nix
@@ -0,0 +1,41 @@
 { stdenv
 , lib
 , curl
 , cacert
 , runCommandLocal
 }:
 let
  version = "5.1.701";
  tarball = "AMDuProf_Linux_x64_${version}.tar.bz2";
  uprofSrc = runCommandLocal tarball {
    nativeBuildInputs = [ curl ];
    outputHash = "sha256-j9gxcBcIg6Zhc5FglUXf/VV9bKSo+PAKeootbN7ggYk=";
    SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt";
  } ''
    curl \
    -o $out \
    'https://download.amd.com/developer/eula/uprof/uprof-5-1/${tarball}' \
    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0' \
    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    -H 'Accept-Language: en-US,en;q=0.5' \
    -H 'Accept-Encoding: gzip, deflate, br, zstd' \
    -H 'Referer: https://www.amd.com/' 2>&1 | tr '\r' '\n'
  '';
 in
  stdenv.mkDerivation {
    pname = "AMD-uProf";
    inherit version;
    src = uprofSrc;
    dontStrip = true;
    phases = [ "installPhase" "fixupPhase" ];
    installPhase = ''
      set -x
      mkdir -p $out
      tar -x -v -C $out --strip-components=1 -f $src
      rm $out/bin/AMDPowerProfilerDriverSource.tar.gz
      set +x
    '';
  }
--- a/pkgs/amd-uprof/driver.nix
+++ b/pkgs/amd-uprof/driver.nix
@@ -0,0 +1,35 @@
 { stdenv
 , lib
 , amd-uprof
 , curl
 , cacert
 , kernel
 , runCommandLocal
 }:
 let
  version = amd-uprof.version;
  tarball = amd-uprof.src;
 in stdenv.mkDerivation {
  pname = "AMDPowerProfilerDriver";
  inherit version;
  src = runCommandLocal "AMDPowerProfilerDriverSource.tar.gz" { } ''
    set -x
    tar -x -f ${tarball} AMDuProf_Linux_x64_${version}/bin/AMDPowerProfilerDriverSource.tar.gz
    mv AMDuProf_Linux_x64_${version}/bin/AMDPowerProfilerDriverSource.tar.gz $out
    set +x
  '';
  hardeningDisable = [ "pic" "format" ];
  nativeBuildInputs = kernel.moduleBuildDependencies;
  patches = [ ./makefile.patch ];
  makeFlags = [
    "KERNEL_VERSION=${kernel.modDirVersion}"
    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
    "INSTALL_MOD_PATH=$(out)"
  ];
  meta = {
    description = "AMD Power Profiler Driver";
    homepage = "https://www.amd.com/es/developer/uprof.html";
    platforms = lib.platforms.linux;
  };
 }
--- a/pkgs/amd-uprof/makefile.patch
+++ b/pkgs/amd-uprof/makefile.patch
@@ -0,0 +1,66 @@
 --- a/Makefile	2025-06-19 20:36:49.346693267 +0200
 +++ b/Makefile	2025-06-19 20:42:29.778088660 +0200
@@ -27,7 +27,7 @@ MODULE_VERSION=$(shell cat AMDPowerProfi
 MODULE_NAME_KO=$(MODULE_NAME).ko
 # check is module inserted
 -MODPROBE_OUTPUT=$(shell lsmod | grep $(MODULE_NAME))
 +#MODPROBE_OUTPUT=$(shell lsmod | grep $(MODULE_NAME))
 # check pcore dkms status
 PCORE_DKMS_STATUS=$(shell dkms status | grep $(MODULE_NAME) | grep $(MODULE_VERSION))
@@ -50,7 +50,7 @@ endif
 # “-Wno-missing-attributes” is added for GCC version >= 9.0 and kernel version <= 5.00
 G_VERSION=9
 K_VERSION=5
 -KERNEL_MAJOR_VERSION=$(shell uname -r | cut -f1 -d.)
 +KERNEL_MAJOR_VERSION=$(shell echo "$(KERNEL_VERSION)" | cut -f1 -d.)
 GCCVERSION = $(shell gcc -dumpversion | cut -f1 -d.)
 ifeq ($(G_VERSION),$(firstword $(sort $(GCCVERSION) $(G_VERSION))))
 	ifeq ($(K_VERSION),$(lastword $(sort $(KERNEL_MAJOR_VERSION) $(K_VERSION))))
@@ -66,17 +66,7 @@ ${MODULE_NAME}-objs :=  src/PmcDataBuffe
 # make
 all:
 -	@chmod a+x ./AMDPPcert.sh
 -	@./AMDPPcert.sh 0 1; echo $$? > $(PWD)/sign_status;
 -	@SIGSTATUS1=`cat $(PWD)/sign_status | tr -d '\n'`; \
 -                if [ $$SIGSTATUS1 -eq 1 ]; then \
 -			exit 1; \
 -		fi
 -	@make -C /lib/modules/$(KERNEL_VERSION)/build M=$(PWD) $(MAKE_OPTS) EXTRA_CFLAGS="$(EXTRA_CFLAGS)" modules
 -	@SIGSTATUS3=`cat $(PWD)/sign_status | tr -d '\n'`; \
 -                if [ $$SIGSTATUS3 -eq 0 ]; then \
 -			./AMDPPcert.sh 1 $(MODULE_NAME_KO); \
 -		fi
 +	make -C $(KERNEL_DIR) M=$(PWD) $(MAKE_OPTS) EXTRA_CFLAGS="$(EXTRA_CFLAGS)" modules
 # make clean
 clean:
@@ -84,23 +74,9 @@ clean:
 # make install
 install:
 -	@mkdir -p /lib/modules/`uname -r`/kernel/drivers/extra
 -	@rm  -f /lib/modules/`uname -r`/kernel/drivers/extra/$(MODULE_NAME_KO)
 -	@cp $(MODULE_NAME_KO) /lib/modules/`uname -r`/kernel/drivers/extra/
 -	@depmod -a
 -	@if [ ! -z "$(MODPROBE_OUTPUT)" ]; then \
 -		echo "Uninstalling AMDPowerProfiler Linux kernel module.";\
 -		rmmod $(MODULE_NAME);\
 -	fi
 -	@modprobe $(MODULE_NAME) 2> $(PWD)/sign_status1; \
 -		cat $(PWD)/sign_status1 | grep "Key was rejected by service"; \
 -		echo $$? > $(PWD)/sign_status; SIGSTATUS1=`cat $(PWD)/sign_status | tr -d '\n'`; \
 -                if [ $$SIGSTATUS1 -eq 0 ]; then \
 -			echo "ERROR: Secure Boot enabled, correct key is not yet enrolled in BIOS key table"; \
 -			exit 1; \
 -		else \
 -			cat $(PWD)/sign_status1; \
 -		fi
 +	mkdir -p $(INSTALL_MOD_PATH)/lib/modules/$(KERNEL_VERSION)/kernel/drivers/extra/
 +	cp -a $(MODULE_NAME_KO) $(INSTALL_MOD_PATH)/lib/modules/$(KERNEL_VERSION)/kernel/drivers/extra/
 +
 # make dkms
 dkms:
 	@chmod a+x ./AMDPPcert.sh
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -56,4 +56,15 @@ final: prev:
  prometheus-slurm-exporter = prev.callPackage ./slurm-exporter.nix { };
  meteocat-exporter = prev.callPackage ./meteocat-exporter/default.nix { };
  upc-qaire-exporter = prev.callPackage ./upc-qaire-exporter/default.nix { };
  amd-uprof = prev.callPackage ./amd-uprof/default.nix { };
  # FIXME: Extend this to all linuxPackages variants. Open problem, see:
  # https://discourse.nixos.org/t/whats-the-right-way-to-make-a-custom-kernel-module-available/4636
  linuxPackages = prev.linuxPackages.extend (_final: _prev: {
    amd-uprof-driver = _prev.callPackage ./amd-uprof/driver.nix { };
  });
  linuxPackages_latest = prev.linuxPackages_latest.extend(_final: _prev: {
    amd-uprof-driver = _prev.callPackage ./amd-uprof/driver.nix { };
  });
 }
--- a/secrets/ceph-user.age
+++ b/secrets/ceph-user.age
--- a/secrets/gitea-runner-token.age
+++ b/secrets/gitea-runner-token.age
--- a/secrets/gitlab-bsc-docker-token.age
+++ b/secrets/gitlab-bsc-docker-token.age
--- a/secrets/gitlab-runner-docker-token.age
+++ b/secrets/gitlab-runner-docker-token.age
@@ -1,11 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg 6C5Cv7ILdBrpMkCTT/insUY0kyQWbfgU500Ai8ePOXY
+-> ssh-ed25519 HY2yRg pXNTB/ailRwSEJG1pXvrzzpz5HqkDZdWVWnOH7JGeQ4
-tMw6ehFrsq2dvDEXkLOJwrNZfI28trlr9uy3xW/fzpA
+NzA+2fxfkNRy/u+Zq96A02K1Vxy0ETYZjMkDVTKyCY8
-> ssh-ed25519 CAWG4Q x/j+364IYURgt7fhIPBzabbWMEg08nX8MRrJM/1Q6RU
+-> ssh-ed25519 CAWG4Q 7CLJWn+EAxoWDduXaOSrHaBFHQ4GIpYP/62FFTj3ZTI
-AL5Ut2rDr3UXcQXMZJ53ZMf5wMHmT83whx0ntJfW/WU
+vSYV1pQg2qI2ngCzM0nCZAnqdz1tbT4hM5m+/TyGU2c
-> ssh-ed25519 xA739A QjXftBsoGV1rVeHSKcsjp+HMpRVsaHOeeGdDcF6ZWg4
+-> ssh-ed25519 MSF3dg Akmp4NcZcDuaYHta/Vej6zulNSrAOCd5lmSV+OiBGC4
-ovVoYPaPn3liGPAxHWY37CBIUFjAXurv6jMWs2He3HQ
+qTxqVzTyywur+GjtUQdbaIUdH1fqCqPe6qPf8iHRa4w
-> ssh-ed25519 MSF3dg FG0CQOj9fRlneW5QrWiy5ksRpicUwHqX9QMpZWhDImw
+--- uCKNqD1TmZZThOzlpsecBKx/k+noIWhCVMr/pzNwBr8
-L20n1vZRepsRPT4xM6TO6PcI/MJxw4mBLUF0EPv9Uhs
+r'<27>Ƌs4<15>˺<EFBFBD>Aĥ<41>P<05>L<EFBFBD><4C>7`	<09><02><>)H<><48>-<2D>0<EFBFBD>AH<41>5<16><><1F><>L<EFBFBD>Qe<51><65>H2b<32><1D>B޲<42>CJG<4A>"-S<><1C>\<5C><><0C>H<n<>V
 --- DEi7iuzkniq0JPatJ5f2KhrhxWid7ojHpvNfUCGxFtk
 <EFBFBD><EFBFBD>%	n<><6E>!;^Q<>rqG<71>:<3A>jC.8l<38>|<7C><>o<EFBFBD><1E><>$LYy<59>N<EFBFBD>b<EFBFBD><1E><>:<14>{<7B><><EFBFBD>fާxTS\<5C>t<04>U<EFBFBD><55>\F<>)%<25><><EFBFBD>KL<4B>㙇p<E39987>:><3E><><EFBFBD><EFBFBD>&<1B>)<0B>Q<EFBFBD>1<>H܃V<DC83>Sޑ<53>n<>
--- a/secrets/gitlab-runner-shell-token.age
+++ b/secrets/gitlab-runner-shell-token.age
--- a/secrets/ipmi.yml.age
+++ b/secrets/ipmi.yml.age
--- a/secrets/jungle-robot-password.age
+++ b/secrets/jungle-robot-password.age
--- a/secrets/munge-key.age
+++ b/secrets/munge-key.age
--- a/secrets/nix-serve.age
+++ b/secrets/nix-serve.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,8 +2,6 @@ let
  keys = import ../keys.nix;
  adminsKeys = builtins.attrValues keys.admins;
  hut = [ keys.hosts.hut ] ++ adminsKeys;
  mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys;
  tent = [ keys.hosts.tent ] ++ adminsKeys;
  # Only expose ceph keys to safe nodes and admins
  safe = keys.hostGroup.safe ++ adminsKeys;
 in
@@ -12,15 +10,9 @@ in
  "gitlab-runner-docker-token.age".publicKeys = hut;
  "gitlab-runner-shell-token.age".publicKeys = hut;
  "gitlab-bsc-docker-token.age".publicKeys = hut;
-  "nix-serve.age".publicKeys = mon;
+  "nix-serve.age".publicKeys = hut;
-  "jungle-robot-password.age".publicKeys = mon;
+  "jungle-robot-password.age".publicKeys = hut;
-  "ipmi.yml.age".publicKeys = mon;
+  "ipmi.yml.age".publicKeys = hut;
  "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent;
  "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent;
  "tent-gitlab-runner-bsc-docker-token.age".publicKeys = tent;
  "vpn-dac-login.age".publicKeys = tent;
  "vpn-dac-client-key.age".publicKeys = tent;
  "ceph-user.age".publicKeys = safe;
  "munge-key.age".publicKeys = safe;
--- a/secrets/tent-gitlab-runner-bsc-docker-token.age
+++ b/secrets/tent-gitlab-runner-bsc-docker-token.age
--- a/secrets/tent-gitlab-runner-pm-docker-token.age
+++ b/secrets/tent-gitlab-runner-pm-docker-token.age
--- a/secrets/tent-gitlab-runner-pm-shell-token.age
+++ b/secrets/tent-gitlab-runner-pm-shell-token.age
@@ -1,13 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 G5LX5w V9bHLoGuY4stRwbzVS9Qa0L9yoY+UoCoXc+dJJQW/Ag
 2ut9GfdJ3KBCqZRaloZCQsl8MLfaZAZxqj6JtPJzu2k
 -> ssh-ed25519 CAWG4Q OAqnIfMECpKglZ7aF9tv/PQinG1Ou2+IEZ+nf4dtQjg
 dANdMLe4iI0d6Xd/dIMpZK+mgw2+VmJFQScHaIxD7WI
 -> ssh-ed25519 xA739A nVNF4Y6VSa5PP6FFBJpVmoFYYseoFx5F2wJU+Pwk+Xk
 A5CiuTSNlX9Y76qhYgblBdJl3zPhtjWho2oL5/sIKu0
 -> ssh-ed25519 MSF3dg /WMsGnBGzquIMyw06gHKpSS4OUxheulT59kxi+/pxxU
 ppwcv7RLzUbQUM7j0Tb9rRVT9XyPMhqYr2fr4S0nTJY
 --- zOe0Ko0oxArbmxePMPDVAT0pDju7IeOAih7sNrDcoVs
 i<EFBFBD>k<EFBFBD>A
 hODV<44>w!<21><0C><>E݈<45><DD88>+<2B><>`<60><><EFBFBD><EFBFBD>C<><43>5<EFBFBD>L<EFBFBD>A<EFBFBD>t<1A>M^<01>E<<1B>HI<48>_<EFBFBD>nn<6E><6E><EFBFBD>o<EFBFBD>?<3F>j-<05>
 A<1B>nԔί<1B>>Z<><5A>z<EFBFBD><7A><EFBFBD>dT<64><54>b"<22>(@<40><>{_ځC
--- a/secrets/vpn-dac-client-key.age
+++ b/secrets/vpn-dac-client-key.age
--- a/secrets/vpn-dac-login.age
+++ b/secrets/vpn-dac-login.age
--- a/web/content/access/index.md
+++ b/web/content/access/index.md
@@ -5,12 +5,18 @@ description: "Request access to the machines"
 ![Cave](./cave.jpg)
-To request access to the machines we will need some information:
+Before requesting access to the jungle machines, you must be able to access the
 `ssfhead.bsc.es` node (only available via the intranet or VPN). You can request
 access to the login machine using a resource petition in the BSC intranet.
 Then, to request access to the machines we will need some information about you:
 1. Which machines you want access to ([hut](/hut), [fox](/fox), owl1, owl2, eudy, koro...)
-1. Your user name (make sure it matches the one you use for the BSC intranet)
+1. Your user name and user id (to match the NFS permissions)
 1. Your real name and surname (for identification purposes)
 1. The salted hash of your login password, generated with `mkpasswd -m sha-512`
 1. An SSH public key of type Ed25519 (can be generated with `ssh-keygen -t ed25519`)
-Send an email to <jungle@bsc.es> with the details.
+Send an email to <jungle@bsc.es> with the details, or directly open a
 merge request in the [jungle
 repository](https://pm.bsc.es/gitlab/rarias/jungle/).
--- a/web/content/paste/_index.md
+++ b/web/content/paste/_index.md
@@ -5,13 +5,13 @@ author: "Rodrigo Arias Mallo"
 date: 2024-09-20
 ---
-The tent machine provides a paste service using the program `p` (as in paste).
+The hut machine provides a paste service using the program `p` (as in paste).
-You can use it directly from the tent machine or remotely if you have [SSH
+You can use it directly from the hut machine or remotely if you have [SSH
-access](/access) to tent using the following alias:
+access](/access) to hut using the following alias:
 ```
-alias p="ssh tent p"
+alias p="ssh hut p"
 ```
 You can add it to bashrc or zshrc for persistent installation.
@@ -19,7 +19,7 @@ You can add it to bashrc or zshrc for persistent installation.
 ## Usage
 The `p` command reads from the standard input, uploads the content to a file
-in the local filesystem and prints the URL to access it. It only accepts an
+in the ceph filesystem and prints the URL to access it. It only accepts an
 optional argument, which is the extension of the file that will be stored on
 disk (without the dot). By default it uses the `txt` extension, so plain text
 can be read in the browser directly.
@@ -28,21 +28,21 @@ can be read in the browser directly.
 p [extension]
 ```
-To remove files, go to `/var/lib/p/$USER` and remove them manually.
+To remove files, go to `/ceph/p/$USER` and remove them manually.
 ## Examples
 Share a text file, in this case the source of p itself:
 ```
-tent% p < m/tent/p.nix
+hut% p < m/hut/p.nix
 https://jungle.bsc.es/p/rarias/okbtG130.txt
 ```
 Paste the last dmesg lines directly from a pipe:
 ```
-tent% dmesg | tail -5 | p
+hut% dmesg | tail -5 | p
 https://jungle.bsc.es/p/rarias/luX4STm9.txt
 ```
Author	SHA1	Message	Date
Rodrigo Arias Mallo	3d12842e0d	Add AMD uProf package and driver	2025-06-20 14:55:43 +02:00
Rodrigo Arias Mallo	a51c77a806	Load amd_hsmp kernel module in fox	2025-06-19 19:15:03 +02:00
Rodrigo Arias Mallo	f5b1690e5d	Disable kptr_restrict in fox	2025-06-18 11:07:19 +02:00
Rodrigo Arias Mallo	45e8c2078c	Disable NUMA balancing in fox See: https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#numa-balancing	2025-06-17 14:05:47 +02:00
Rodrigo Arias Mallo	9589070ff7	Load amd_uncore module in fox Needed for L3 events in perf.	2025-06-13 13:15:37 +02:00
Rodrigo Arias Mallo	41113e7f5b	Enable SSH X11 forwaring	2025-06-13 10:26:59 +02:00