Monitor fox and gateway via ICMP

Fox should reply once the machine is connected to the UPC network. Monitoring also the gateway allows us to estimate if the whole network is down or just fox.
Update configuration for UPC network
2025-05-29 13:41:10 +02:00 · 2025-05-29 13:24:20 +02:00 · 2025-05-29 13:10:53 +02:00 · 2025-05-29 13:10:53 +02:00 · 2025-05-29 13:10:53 +02:00 · 2025-05-29 13:10:53 +02:00
55 changed files with 110 additions and 1028 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -18,7 +18,6 @@ in
  {
    nixosConfigurations = {
      hut     = mkConf "hut";
-      tent    = mkConf "tent";
      owl1    = mkConf "owl1";
      owl2    = mkConf "owl2";
      eudy    = mkConf "eudy";
--- a/keys.nix
+++ b/keys.nix
@@ -10,7 +10,6 @@ rec {
    bay   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
    lake2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
    fox   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwItIk5uOJcQEVPoy/CVGRzfmE1ojrdDcI06FrU4NFT fox";
-    tent  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAtTpHtdYoelbknD/IcfBlThwLKJv/dSmylOgpg3FRM tent";
  };

  hostGroup = with hosts; rec {
@@ -26,8 +25,7 @@ rec {
  };

  admins = {
-    "rarias@hut"  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
-    "rarias@tent" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwlWSBTZi74WTz5xn6gBvTmCoVltmtIAeM3RMmkh4QZ rarias@tent";
-    root          = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
+    rarias = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
+    root   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
  };
 }
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@@ -2,7 +2,7 @@

 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    ../module/monitoring.nix
  ];

--- a/m/common/base/env.nix
+++ b/m/common/base/env.nix
@@ -21,8 +21,6 @@
    }
  ];

-  environment.enableAllTerminfo = true;
-
  environment.variables = {
    EDITOR = "vim";
    VISUAL = "vim";
--- a/m/common/base/ssh.nix
+++ b/m/common/base/ssh.nix
@@ -8,6 +8,17 @@ in
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

+  # Connect to intranet git hosts via proxy
+  programs.ssh.extraConfig = ''
+    Host bscpm02.bsc.es bscpm03.bsc.es bscpm04.bsc.es gitlab-internal.bsc.es alya.gitlab.bsc.es
+      User git
+      ProxyCommand nc -X connect -x hut:23080 %h %p
+
+    # Connect to BSC machines via hut proxy too
+    Host amdlogin1.bsc.es armlogin1.bsc.es hualogin1.bsc.es glogin1.bsc.es glogin2.bsc.es fpgalogin1.bsc.es
+      ProxyCommand nc -X connect -x hut:23080 %h %p
+  '';
+
  programs.ssh.knownHosts = hostsKeys // {
    "gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3";
    "bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS";
--- a/m/common/base/users.nix
+++ b/m/common/base/users.nix
@@ -20,7 +20,6 @@
      rarias = {
        uid = 1880;
        isNormalUser = true;
-        linger = true;
        home = "/home/Computational/rarias";
        description = "Rodrigo Arias";
        group = "Computational";
@@ -40,7 +39,7 @@
        home = "/home/Computational/arocanon";
        description = "Aleix Roca";
        group = "Computational";
-        extraGroups = [ "wheel" "tracing" ];
+        extraGroups = [ "wheel" ];
        hashedPassword = "$6$hliZiW4tULC/tH7p$pqZarwJkNZ7vS0G5llWQKx08UFG9DxDYgad7jplMD8WkZh5k58i4dfPoWtnEShfjTO6JHiIin05ny5lmSXzGM/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3zeB5KSimMBAjvzsp1GCkepVaquVZGPYwRIzyzaCba aleix@bsc"
@@ -56,7 +55,7 @@
        home = "/home/Computational/rpenacob";
        description = "Raúl Peñacoba";
        group = "Computational";
-        hosts = [ "owl1" "owl2" "hut" "tent" "fox" ];
+        hosts = [ "owl1" "owl2" "hut" ];
        hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc"
@@ -69,7 +68,7 @@
        home = "/home/Computational/anavarro";
        description = "Antoni Navarro";
        group = "Computational";
-        hosts = [ "hut" "tent" "raccoon" "fox" ];
+        hosts = [ "hut" "raccoon" "fox" ];
        hashedPassword = "$6$QdNDsuLehoZTYZlb$CDhCouYDPrhoiB7/seu7RF.Gqg4zMQz0n5sA4U1KDgHaZOxy2as9pbIGeF8tOHJKRoZajk5GiaZv0rZMn7Oq31";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWjRSlKgzBPZQhIeEtk6Lvws2XNcYwHcwPv4osSgst5 anavarro@ssfhead"
@@ -82,7 +81,7 @@
        home = "/home/Computational/abonerib";
        description = "Aleix Boné";
        group = "Computational";
-        hosts = [ "owl1" "owl2" "hut" "tent" "raccoon" "fox" ];
+        hosts = [ "owl1" "owl2" "hut" "raccoon" "fox" ];
        hashedPassword = "$6$V1EQWJr474whv7XJ$OfJ0wueM2l.dgiJiiah0Tip9ITcJ7S7qDvtSycsiQ43QBFyP4lU0e0HaXWps85nqB4TypttYR4hNLoz3bz662/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc"
@@ -108,7 +107,7 @@
        home = "/home/Computational/dbautist";
        description = "Dylan Bautista Cases";
        group = "Computational";
-        hosts = [ "hut" "tent" "raccoon" ];
+        hosts = [ "hut" ];
        hashedPassword = "$6$a2lpzMRVkG9nSgIm$12G6.ka0sFX1YimqJkBAjbvhRKZ.Hl090B27pdbnQOW0wzyxVWySWhyDDCILjQELky.HKYl9gqOeVXW49nW7q/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAb+EQBoS98zrCwnGKkHKwMLdYABMTqv7q9E0+T0QmkS dbautist@bsc-848818791"
@@ -121,7 +120,7 @@
        home = "/home/Computational/dalvare1";
        description = "David Álvarez";
        group = "Computational";
-        hosts = [ "hut" "tent" "fox" ];
+        hosts = [ "hut" "fox" ];
        hashedPassword = "$6$mpyIsV3mdq.rK8$FvfZdRH5OcEkUt5PnIUijWyUYZvB1SgeqxpJ2p91TTe.3eQIDTcLEQ5rxeg.e5IEXAZHHQ/aMsR5kPEujEghx0";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGEfy6F4rF80r4Cpo2H5xaWqhuUZzUsVsILSKGJzt5jF dalvare1@ssfhead"
@@ -134,31 +133,16 @@
        home = "/home/Computational/varcila";
        description = "Vincent Arcila";
        group = "Computational";
-        hosts = [ "hut" "tent" "fox" ];
+        hosts = [ "hut" "fox" ];
        hashedPassword = "$6$oB0Tcn99DcM4Ch$Vn1A0ulLTn/8B2oFPi9wWl/NOsJzaFAWjqekwcuC9sMC7cgxEVb.Nk5XSzQ2xzYcNe5MLtmzkVYnRS1CqP39Y0";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"
        ];
      };
-
-      pmartin1 = {
-        # Arbitrary UID but large so it doesn't collide with other users on ssfhead.
-        uid = 9652;
-        isNormalUser = true;
-        home = "/home/Computational/pmartin1";
-        description = "Pedro J. Martinez-Ferrer";
-        group = "Computational";
-        hosts = [ "fox" ];
-        hashedPassword = "$6$nIgDMGnt4YIZl3G.$.JQ2jXLtDPRKsbsJfJAXdSvjDIzRrg7tNNjPkLPq3KJQhMjfDXRUvzagUHUU2TrE2hHM8/6uq8ex0UdxQ0ysl.";
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIV5LEAII5rfe1hYqDYIIrhb1gOw7RcS1p2mhOTqG+zc pedro@pedro-ThinkPad-P14s-Gen-2a"
-        ];
-      };
    };

    groups = {
      Computational = { gid = 564; };
-      tracing = { };
    };
  };
 }
--- a/m/common/ssf.nix
+++ b/m/common/ssf.nix
@@ -1,9 +0,0 @@
-{
-  # Provides the base system for a xeon node in the SSF rack.
-  imports = [
-    ./xeon.nix
-    ./ssf/fs.nix
-    ./ssf/net.nix
-    ./ssf/ssh.nix
-  ];
-}
--- a/m/common/ssf/ssh.nix
+++ b/m/common/ssf/ssh.nix
@@ -1,8 +0,0 @@
-{
-  # Connect to intranet git hosts via proxy
-  programs.ssh.extraConfig = ''
-    # Connect to BSC machines via hut proxy too
-    Host amdlogin1.bsc.es armlogin1.bsc.es hualogin1.bsc.es glogin1.bsc.es glogin2.bsc.es fpgalogin1.bsc.es
-      ProxyCommand nc -X connect -x hut:23080 %h %p
-  '';
-}
--- a/m/common/xeon.nix
+++ b/m/common/xeon.nix
@@ -1,7 +1,9 @@
 {
-  # Provides the base system for a xeon node, not necessarily in the SSF rack.
+  # Provides the base system for a xeon node.
  imports = [
    ./base.nix
+    ./xeon/fs.nix
    ./xeon/console.nix
+    ./xeon/net.nix
  ];
 }
--- a/m/common/xeon/fs.nix
+++ b/m/common/xeon/fs.nix
--- a/m/common/xeon/net.nix
+++ b/m/common/xeon/net.nix
@@ -85,6 +85,10 @@
      10.0.40.8               eudy xeon08 xeon08-eth0
      10.0.42.8               eudy-ib xeon08-ib0
      10.0.40.108             eudy-ipmi xeon08-ipmi0 xeon08-ipmi
+
+      # fox
+      10.0.40.26              fox
+      10.0.40.126             fox-ipmi
    '';
  };
 }
--- a/m/eudy/configuration.nix
+++ b/m/eudy/configuration.nix
@@ -2,7 +2,7 @@

 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    #(modulesPath + "/installer/netboot/netboot-minimal.nix")

    ./kernel/kernel.nix
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -14,43 +14,40 @@
  swapDevices = lib.mkForce [];

  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
-  boot.kernelModules = [ "kvm-amd" "amd_uncore" ];
+  boot.kernelModules = [ "kvm-amd" ];

  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  hardware.cpu.intel.updateMicrocode = lib.mkForce false;

-  # Use performance for benchmarks
-  powerManagement.cpuFreqGovernor = "performance";
-
-  # Disable NUMA balancing
-  boot.kernel.sysctl."kernel.numa_balancing" = 0;
-
-  # Expose kernel addresses
-  boot.kernel.sysctl."kernel.kptr_restrict" = 0;
-
-  services.openssh.settings.X11Forwarding = true;
-
  networking = {
-    timeServers = [ "ntp1.upc.edu" "ntp2.upc.edu" ];
+    defaultGateway = "147.83.30.130";
+    nameservers = [ "8.8.8.8" ];
    hostName = "fox";
-    # UPC network (may change over time, use DHCP)
-    # Public IP configuration:
-    # - Hostname: fox.ac.upc.edu
-    # - IP: 147.83.30.141
-    # - Gateway: 147.83.30.130
-    # - NetMask: 255.255.255.192
-    # Private IP configuration for BMC:
-    # - Hostname: fox-ipmi.ac.upc.edu
-    # - IP: 147.83.35.27
-    # - Gateway: 147.83.35.2
-    # - NetMask: 255.255.255.0
-    interfaces.enp1s0f0np0.useDHCP = true;
-  };
-
-  # Use hut for cache
-  nix.settings = {
-    extra-substituters = [ "https://jungle.bsc.es/cache" ];
-    extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+    interfaces.enp1s0f0np0.ipv4.addresses = [
+      {
+        # UPC network
+        # Public IP configuration:
+        # - Hostname: fox.ac.upc.edu
+        # - IP: 147.83.30.141
+        # - Gateway: 147.83.30.130
+        # - NetMask: 255.255.255.192
+        # Private IP configuration for BMC:
+        # - Hostname: fox-ipmi.ac.upc.edu
+        # - IP: 147.83.35.27
+        # - Gateway: 147.83.35.2
+        # - NetMask: 255.255.255.0
+        address = "147.83.30.141";
+        prefixLength = 26; # 255.255.255.192
+      }
+    ];
+    extraHosts = ''
+      # Fox UPC
+      147.83.30.141   fox.ac.upc.edu
+      147.83.35.27    fox-ipmi.ac.upc.edu
+      # Fox BSC
+      10.0.40.26      fox
+      10.0.40.126     fox-ipmi
+    '';
  };

  # Configure Nvidia driver to use with CUDA
--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@@ -2,7 +2,7 @@

 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix

    ../module/ceph.nix
    ../module/debuginfod.nix
--- a/m/hut/gpfs-probe.sh
+++ b/m/hut/gpfs-probe.sh
@@ -2,20 +2,10 @@

 N=500

-t_proj=$(timeout 5 ssh bsc015557@glogin2.bsc.es "timeout 3 command time -f %e touch /gpfs/projects/bsc15/bsc015557/gpfs.{1..$N} 2>&1; rm -f /gpfs/projects/bsc15/bsc015557/gpfs.{1..$N}")
-t_scratch=$(timeout 5 ssh bsc015557@glogin2.bsc.es "timeout 3 command time -f %e touch /gpfs/scratch/bsc15/rodrigo/probe/gpfs.{1..$N} 2>&1; rm -f /gpfs/scratch/bsc15/rodrigo/probe/gpfs.{1..$N}")
-t_home=$(timeout 5 ssh bsc015557@glogin2.bsc.es "timeout 3 command time -f %e touch /home/bsc/bsc015557/.gpfs/{1..$N} 2>&1; rm -f /home/bsc/bsc015557/.gpfs/{1..$N}")
+t=$(timeout 5 ssh bsc015557@glogin2.bsc.es "timeout 3 command time -f %e touch /gpfs/projects/bsc15/bsc015557/gpfs.{1..$N} 2>&1; rm -f /gpfs/projects/bsc15/bsc015557/gpfs.{1..$N}")

-if [ -z "$t_proj" ]; then
-  t_proj="5.00"
-fi
-
-if [ -z "$t_scratch" ]; then
-  t_scratch="5.00"
-fi
-
-if [ -z "$t_home" ]; then
-  t_home="5.00"
+if [ -z "$t" ]; then
+  t="5.00"
 fi

 cat <<EOF
@@ -24,7 +14,5 @@ Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=values

 # HELP gpfs_touch_latency Time to create $N files.
 # TYPE gpfs_touch_latency gauge
-gpfs_touch_latency{partition="projects"} $t_proj
-gpfs_touch_latency{partition="home"} $t_home
-gpfs_touch_latency{partition="scratch"} $t_scratch
+gpfs_touch_latency $t
 EOF
--- a/m/hut/monitoring.nix
+++ b/m/hut/monitoring.nix
@@ -6,7 +6,7 @@
    ../module/meteocat-exporter.nix
    ../module/upc-qaire-exporter.nix
    ./gpfs-probe.nix
-    ../module/nix-daemon-exporter.nix
+    ./nix-daemon-exporter.nix
  ];

  age.secrets.grafanaJungleRobotPassword = {
@@ -169,7 +169,6 @@
            "8.8.8.8"
            "ssfhead"
            "anella-bsc.cesca.cat"
-            "upc-anella.cesca.cat"
            "fox.ac.upc.edu"
            "arenys5.ac.upc.edu"
          ];
@@ -268,12 +267,15 @@
        ];
      }
      {
-        job_name = "tent";
+        job_name = "ipmi-fox";
+        metrics_path = "/ipmi";
        static_configs = [
-          {
-            targets = [ "127.0.0.1:29002" ]; # Node exporter
-          }
+          { targets = [ "127.0.0.1:9290" ]; }
        ];
+        params = {
+          target = [ "fox-ipmi" ];
+          module = [ "fox" ];
+        };
      }
    ];
  };
--- a/m/module/nix-daemon-builds.sh
+++ b/m/module/nix-daemon-builds.sh
--- a/m/module/nix-daemon-exporter.nix
+++ b/m/module/nix-daemon-exporter.nix
--- a/m/koro/configuration.nix
+++ b/m/koro/configuration.nix
@@ -2,7 +2,7 @@

 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    #(modulesPath + "/installer/netboot/netboot-minimal.nix")

    ../eudy/cpufreq.nix
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@@ -2,7 +2,7 @@

 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    ../module/monitoring.nix
  ];

--- a/m/map.nix
+++ b/m/map.nix
@@ -1,70 +0,0 @@
-{
-  # In physical order from top to bottom (see note below)
-  ssf = {
-    # Switches for Ethernet and OmniPath
-    switch-C6-S1A-05 = { pos=42; size=1; model="Dell S3048-ON"; };
-    switch-opa = { pos=41; size=1; };
-
-    # SSF login
-    ssfhead = { pos=39; size=2; label="SSFHEAD"; board="R2208WTTYSR"; contact="operations@bsc.es"; };
-
-    # Storage
-    bay   = { pos=38; size=1; label="MDS01"; board="S2600WT2R"; sn="BQWL64850303"; contact="rodrigo.arias@bsc.es"; };
-    lake1 = { pos=37; size=1; label="OSS01"; board="S2600WT2R"; sn="BQWL64850234"; contact="rodrigo.arias@bsc.es"; };
-    lake2 = { pos=36; size=1; label="OSS02"; board="S2600WT2R"; sn="BQWL64850266"; contact="rodrigo.arias@bsc.es"; };
-
-    # Compute xeon
-    owl1   = { pos=35; size=1; label="SSF-XEON01"; board="S2600WTTR"; sn="BQWL64954172"; contact="rodrigo.arias@bsc.es"; };
-    owl2   = { pos=34; size=1; label="SSF-XEON02"; board="S2600WTTR"; sn="BQWL64756560"; contact="rodrigo.arias@bsc.es"; };
-    xeon03 = { pos=33; size=1; label="SSF-XEON03"; board="S2600WTTR"; sn="BQWL64750826"; contact="rodrigo.arias@bsc.es"; };
-    # Slot 34 empty
-    koro   = { pos=31; size=1; label="SSF-XEON05"; board="S2600WTTR"; sn="BQWL64954293"; contact="rodrigo.arias@bsc.es"; };
-    xeon06 = { pos=30; size=1; label="SSF-XEON06"; board="S2600WTTR"; sn="BQWL64750846"; contact="antoni.navarro@bsc.es"; };
-    hut    = { pos=29; size=1; label="SSF-XEON07"; board="S2600WTTR"; sn="BQWL64751184"; contact="rodrigo.arias@bsc.es"; };
-    eudy   = { pos=28; size=1; label="SSF-XEON08"; board="S2600WTTR"; sn="BQWL64756586"; contact="aleix.rocanonell@bsc.es"; };
-
-    # 16 KNL nodes, 4 per chassis
-    knl01_04 = { pos=26; size=2; label="KNL01..KNL04"; board="HNS7200APX"; };
-    knl05_08 = { pos=24; size=2; label="KNL05..KNL18"; board="HNS7200APX"; };
-    knl09_12 = { pos=22; size=2; label="KNL09..KNL12"; board="HNS7200APX"; };
-    knl13_16 = { pos=20; size=2; label="KNL13..KNL16"; board="HNS7200APX"; };
-
-    # Slot 19 empty
-
-    # EPI (hw team, guessed order)
-    epi01 = { pos=18; size=1; contact="joan.cabre@bsc.es"; };
-    epi02 = { pos=17; size=1; contact="joan.cabre@bsc.es"; };
-    epi03 = { pos=16; size=1; contact="joan.cabre@bsc.es"; };
-    anon  = { pos=14; size=2; }; # Unlabeled machine. Operative
-
-    # These are old and decommissioned (off)
-    power8    = { pos=12; size=2; label="BSCPOWER8N3";   decommissioned=true; };
-    powern1   = { pos=8;  size=4; label="BSCPOWERN1";    decommissioned=true; };
-    gustafson = { pos=7;  size=1; label="gustafson";     decommissioned=true; };
-    odap01    = { pos=3;  size=4; label="ODAP01";        decommissioned=true; };
-    amhdal    = { pos=2;  size=1; label="AMHDAL";        decommissioned=true; }; # sic
-    moore     = { pos=1;  size=1; label="moore (earth)"; decommissioned=true; };
-  };
-
-  bsc2218 = {
-    raccoon = { board="W2600CR"; sn="QSIP22500829"; contact="rodrigo.arias@bsc.es"; };
-    tent    = { label="SSF-XEON04"; board="S2600WTTR"; sn="BQWL64751229"; contact="rodrigo.arias@bsc.es"; };
-  };
-
-  upc = {
-    fox = { board="H13DSG-O-CPU"; sn="UM24CS600392"; prod="AS-4125GS-TNRT"; prod_sn="E508839X5103339"; contact="rodrigo.arias@bsc.es"; };
-  };
-
-  # NOTE: Position is specified in "U" units (44.45 mm) and starts at 1 from the
-  # bottom. Example:
-  #
-  #  |   ...  | - [pos+size] <--- Label in chassis
-  #  +--------+
-  #  |  node  | - [pos+1]
-  #  |   2U   | - [pos]
-  #  +------- +
-  #  |   ...  | - [pos-1]
-  #
-  # NOTE: The board and sn refers to the FRU information (Board Product and
-  # Board Serial) via `ipmitool fru print 0`.
-}
--- a/m/module/hut-substituter.nix
+++ b/m/module/hut-substituter.nix
@@ -4,7 +4,7 @@
    # Don't add hut as a cache to itself
    assert config.networking.hostName != "hut";
    {
-      extra-substituters = [ "http://hut/cache" ];
-      extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+      substituters = [ "http://hut/cache" ];
+      trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
    };
 }
--- a/m/module/p.nix
+++ b/m/module/p.nix
@@ -1,68 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.services.p;
-in
-{
-  options = {
-    services.p = {
-      enable = lib.mkOption {
-        type = lib.types.bool;
-        default = false;
-        description = "Whether to enable the p service.";
-      };
-      path = lib.mkOption {
-        type = lib.types.str;
-        default = "/var/lib/p";
-        description = "Where to save the pasted files on disk.";
-      };
-      url = lib.mkOption {
-        type = lib.types.str;
-        default = "https://jungle.bsc.es/p";
-        description = "URL prefix for the printed file.";
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    environment.systemPackages = let 
-      p = pkgs.writeShellScriptBin "p" ''
-        set -e
-        pastedir="${cfg.path}/$USER"
-        cd "$pastedir"
-
-        ext="txt"
-        if [ -n "$1" ]; then
-          ext="$1"
-        fi
-
-        out=$(mktemp "XXXXXXXX.$ext")
-        cat > "$out"
-        chmod go+r "$out"
-        echo "${cfg.url}/$USER/$out"
-      '';
-    in [ p ];
-
-    systemd.services.p = let
-      # Take only normal users
-      users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users;
-      # Create a directory for each user
-      commands = lib.concatLists (lib.mapAttrsToList (_: user: [
-        "install -d -o ${user.name} -g ${user.group} -m 0755 ${cfg.path}/${user.name}"
-      ]) users);
-    in {
-      description = "P service setup";
-      requires = [ "network-online.target" ];
-      #wants = [ "remote-fs.target" ];
-      #after = [ "remote-fs.target" ];
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        ExecStart = pkgs.writeShellScript "p-init.sh" (''
-
-          install -d -o root -g root -m 0755 ${cfg.path}
-
-        '' + (lib.concatLines commands));
-      };
-    };
-  };
-}
--- a/m/module/ssh-hut-extern.nix
+++ b/m/module/ssh-hut-extern.nix
@@ -1,9 +0,0 @@
-{
-  programs.ssh.extraConfig = ''
-    Host ssfhead
-      HostName ssflogin.bsc.es
-    Host hut
-      ProxyJump ssfhead
-      HostName xeon07
-  '';
-}
--- a/m/module/vpn-dac.nix
+++ b/m/module/vpn-dac.nix
@@ -1,35 +0,0 @@
-{config, ...}:
-{
-  age.secrets.vpn-dac-login.file = ../../secrets/vpn-dac-login.age;
-  age.secrets.vpn-dac-client-key.file = ../../secrets/vpn-dac-client-key.age;
-
-  services.openvpn.servers = {
-    # systemctl status openvpn-dac.service
-    dac = {
-      config = ''
-        client
-        dev tun
-        proto tcp
-        remote vpn.ac.upc.edu 1194
-        remote vpn.ac.upc.edu 80
-        resolv-retry infinite
-        nobind
-        persist-key
-        persist-tun
-        ca ${./vpn-dac/ca.crt}
-        cert ${./vpn-dac/client.crt}
-        # Only key needs to be secret
-        key ${config.age.secrets.vpn-dac-client-key.path}
-        remote-cert-tls server
-        comp-lzo
-        verb 3
-        auth-user-pass ${config.age.secrets.vpn-dac-login.path}
-        reneg-sec 0
-
-        # Only route fox-ipmi
-        pull-filter ignore "route "
-        route 147.83.35.27 255.255.255.255
-      '';
-    };
-  };
-}
--- a/m/module/vpn-dac/ca.crt
+++ b/m/module/vpn-dac/ca.crt
@@ -1,31 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIFUjCCBDqgAwIBAgIJAJH118PApk5hMA0GCSqGSIb3DQEBCwUAMIHLMQswCQYD
-VQQGEwJFUzESMBAGA1UECBMJQmFyY2Vsb25hMRIwEAYDVQQHEwlCYXJjZWxvbmEx
-LTArBgNVBAoTJFVuaXZlcnNpdGF0IFBvbGl0ZWNuaWNhIGRlIENhdGFsdW55YTEk
-MCIGA1UECxMbQXJxdWl0ZWN0dXJhIGRlIENvbXB1dGFkb3JzMRAwDgYDVQQDEwdM
-Q0FDIENBMQ0wCwYDVQQpEwRMQ0FDMR4wHAYJKoZIhvcNAQkBFg9sY2FjQGFjLnVw
-Yy5lZHUwHhcNMTYwMTEyMTI0NDIxWhcNNDYwMTEyMTI0NDIxWjCByzELMAkGA1UE
-BhMCRVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMS0w
-KwYDVQQKEyRVbml2ZXJzaXRhdCBQb2xpdGVjbmljYSBkZSBDYXRhbHVueWExJDAi
-BgNVBAsTG0FycXVpdGVjdHVyYSBkZSBDb21wdXRhZG9yczEQMA4GA1UEAxMHTENB
-QyBDQTENMAsGA1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0BhYy51cGMu
-ZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CteSeof7Xwi51kC
-F0nQ4E9iR5Lq7wtfRuVPn6JJcIxJJ6+F9gr4R/HIHTztW4XAzReE36DYfexupx3D
-6UgQIkMLlVyGqRbulNF+RnCx20GosF7Dm4RGBVvOxBP1PGjYq/A+XhaaDAFd0cOF
-LMNkzuYP7PF0bnBEaHnxmN8bPmuyDyas7fK9AAc3scyWT2jSBPbOVFvCJwPg8MH9
-V/h+hKwL/7hRt1MVfVv2qyIuKwTki8mUt0RcVbP7oJoRY5K1+R52phIz/GL/b4Fx
-L6MKXlQxLi8vzP4QZXgCMyV7oFNdU3VqCEXBA11YIRvsOZ4QS19otIk/ZWU5x+HH
-LAIJ7wIDAQABo4IBNTCCATEwHQYDVR0OBBYEFNyezX1cH1N4QR14ebBpljqmtE7q
-MIIBAAYDVR0jBIH4MIH1gBTcns19XB9TeEEdeHmwaZY6prRO6qGB0aSBzjCByzEL
-MAkGA1UEBhMCRVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vs
-b25hMS0wKwYDVQQKEyRVbml2ZXJzaXRhdCBQb2xpdGVjbmljYSBkZSBDYXRhbHVu
-eWExJDAiBgNVBAsTG0FycXVpdGVjdHVyYSBkZSBDb21wdXRhZG9yczEQMA4GA1UE
-AxMHTENBQyBDQTENMAsGA1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0Bh
-Yy51cGMuZWR1ggkAkfXXw8CmTmEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
-AAOCAQEAUAmOvVXIQrR+aZVO0bOTeugKBHB75eTIZSIHIn2oDUvDbAP5GXIJ56A1
-6mZXxemSMY8/9k+pRcwJhfat3IgvAN159XSqf9kRv0NHgc3FWUI1Qv/BsAn0vJO/
-oK0dbmbbRWqt86qNrCN+cUfz5aovvxN73jFfnvfDQFBk/8enj9wXxYfokjjLPR1Q
-+oTkH8dY68qf71oaUB9MndppPEPSz0K1S6h1XxvJoSu9MVSXOQHiq1cdZdxRazI3
-4f7q9sTCL+khwDAuZxAYzlEYxFFa/NN8PWU6xPw6V+t/aDhOiXUPJQB/O/K7mw3Z
-TQQx5NqM7B5jjak5fauR3/oRD8XXsA==
-----END CERTIFICATE-----
--- a/m/module/vpn-dac/client.crt
+++ b/m/module/vpn-dac/client.crt
@@ -1,100 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 2 (0x2)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=ES, ST=Barcelona, L=Barcelona, O=Universitat Politecnica de Catalunya, OU=Arquitectura de Computadors, CN=LCAC CA/name=LCAC/emailAddress=lcac@ac.upc.edu
-        Validity
-            Not Before: Jan 12 12:45:41 2016 GMT
-            Not After : Jan 12 12:45:41 2046 GMT
-        Subject: C=ES, ST=Barcelona, L=Barcelona, O=Universitat Politecnica de Catalunya, OU=Arquitectura de Computadors, CN=client/name=LCAC/emailAddress=lcac@ac.upc.edu
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:97:99:fa:7a:0e:4d:e2:1d:a5:b1:a8:14:18:64:
-                    c7:66:bf:de:99:1d:92:3b:86:82:4d:95:39:f7:a6:
-                    56:49:97:14:4f:e3:37:00:6c:f4:d0:1d:56:79:e7:
-                    19:b5:dd:36:15:8e:1d:57:7b:59:29:d2:11:bf:58:
-                    48:e0:f7:41:3d:16:64:8d:a2:0b:4a:ac:fa:c6:83:
-                    dc:10:2a:2c:d9:97:48:ee:11:2a:bc:4b:60:dd:b9:
-                    2e:8f:45:ca:87:0b:38:65:1c:f8:a2:1d:f9:50:aa:
-                    6e:60:f9:48:df:57:12:23:e1:e7:0c:81:5c:9f:c5:
-                    b2:e6:99:99:95:30:6d:57:36:06:8c:fd:fb:f9:4f:
-                    60:d2:3c:ba:ae:28:56:2f:da:58:5c:e8:c5:7b:ec:
-                    76:d9:28:6e:fb:8c:07:f9:d7:23:c3:72:76:3c:fa:
-                    dc:20:67:8f:cc:16:e0:91:07:d5:68:f9:20:4d:7d:
-                    5c:2d:02:04:16:76:52:f3:53:be:a3:dc:0d:d5:fb:
-                    6b:55:29:f3:52:35:c8:7d:99:d1:4a:94:be:b1:8e:
-                    fd:85:18:25:eb:41:e9:56:da:af:62:84:20:0a:00:
-                    17:94:92:94:91:6a:f8:54:37:17:ee:1e:bb:fb:93:
-                    71:91:d9:e4:e9:b8:3b:18:7d:6d:7d:4c:ce:58:55:
-                    f9:41
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            Netscape Comment: 
-                Easy-RSA Generated Certificate
-            X509v3 Subject Key Identifier: 
-                1B:88:06:D5:33:1D:5C:48:46:B5:DE:78:89:36:96:91:3A:74:43:18
-            X509v3 Authority Key Identifier: 
-                keyid:DC:9E:CD:7D:5C:1F:53:78:41:1D:78:79:B0:69:96:3A:A6:B4:4E:EA
-                DirName:/C=ES/ST=Barcelona/L=Barcelona/O=Universitat Politecnica de Catalunya/OU=Arquitectura de Computadors/CN=LCAC CA/name=LCAC/emailAddress=lcac@ac.upc.edu
-                serial:91:F5:D7:C3:C0:A6:4E:61
-
-            X509v3 Extended Key Usage: 
-                TLS Web Client Authentication
-            X509v3 Key Usage: 
-                Digital Signature
-            X509v3 Subject Alternative Name: 
-                DNS:client
-    Signature Algorithm: sha256WithRSAEncryption
-         42:e8:50:b2:e7:88:75:86:0b:bb:29:e3:aa:c6:0e:4c:e8:ea:
-         3d:0c:02:31:7f:3b:80:0c:3f:80:af:45:d6:62:27:a0:0e:e7:
-         26:09:12:97:95:f8:d9:9b:89:b5:ef:56:64:f1:de:82:74:e0:
-         31:0a:cc:90:0a:bd:50:b8:54:95:0a:ae:3b:40:df:76:b6:d1:
-         01:2e:f3:96:9f:52:d4:e9:14:6d:b7:14:9d:45:99:33:36:2a:
-         01:0b:15:1a:ed:55:dc:64:83:65:1a:06:42:d9:c7:dc:97:d4:
-         02:81:c2:58:2b:ea:e4:b7:ae:84:3a:e4:3f:f1:2e:fa:ec:f3:
-         40:5d:b8:6a:d5:5e:e1:e8:2f:e2:2f:48:a4:38:a1:4f:22:e3:
-         4f:66:94:aa:02:78:9a:2b:7a:5d:aa:aa:51:a5:e3:d0:91:e9:
-         1d:f9:08:ed:8b:51:c9:a6:af:46:85:b5:1c:ed:12:a1:28:33:
-         75:36:00:d8:5c:14:65:96:c0:28:7d:47:50:a4:89:5f:b0:72:
-         1a:4b:13:17:26:0f:f0:b8:65:3c:e9:96:36:f9:bf:90:59:33:
-         87:1f:01:03:25:f8:f0:3a:9b:33:02:d0:0a:43:b5:0a:cf:62:
-         a1:45:38:37:07:9d:9c:94:0b:31:c6:3c:34:b7:fc:5a:0c:e4:
-         bf:23:f6:7d
-----BEGIN CERTIFICATE-----
-MIIFqjCCBJKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCByzELMAkGA1UEBhMCRVMx
-EjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMS0wKwYDVQQK
-EyRVbml2ZXJzaXRhdCBQb2xpdGVjbmljYSBkZSBDYXRhbHVueWExJDAiBgNVBAsT
-G0FycXVpdGVjdHVyYSBkZSBDb21wdXRhZG9yczEQMA4GA1UEAxMHTENBQyBDQTEN
-MAsGA1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0BhYy51cGMuZWR1MB4X
-DTE2MDExMjEyNDU0MVoXDTQ2MDExMjEyNDU0MVowgcoxCzAJBgNVBAYTAkVTMRIw
-EAYDVQQIEwlCYXJjZWxvbmExEjAQBgNVBAcTCUJhcmNlbG9uYTEtMCsGA1UEChMk
-VW5pdmVyc2l0YXQgUG9saXRlY25pY2EgZGUgQ2F0YWx1bnlhMSQwIgYDVQQLExtB
-cnF1aXRlY3R1cmEgZGUgQ29tcHV0YWRvcnMxDzANBgNVBAMTBmNsaWVudDENMAsG
-A1UEKRMETENBQzEeMBwGCSqGSIb3DQEJARYPbGNhY0BhYy51cGMuZWR1MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl5n6eg5N4h2lsagUGGTHZr/emR2S
-O4aCTZU596ZWSZcUT+M3AGz00B1WeecZtd02FY4dV3tZKdIRv1hI4PdBPRZkjaIL
-Sqz6xoPcECos2ZdI7hEqvEtg3bkuj0XKhws4ZRz4oh35UKpuYPlI31cSI+HnDIFc
-n8Wy5pmZlTBtVzYGjP37+U9g0jy6rihWL9pYXOjFe+x22Shu+4wH+dcjw3J2PPrc
-IGePzBbgkQfVaPkgTX1cLQIEFnZS81O+o9wN1ftrVSnzUjXIfZnRSpS+sY79hRgl
-60HpVtqvYoQgCgAXlJKUkWr4VDcX7h67+5Nxkdnk6bg7GH1tfUzOWFX5QQIDAQAB
-o4IBljCCAZIwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2Vu
-ZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQbiAbVMx1cSEa13niJNpaROnRD
-GDCCAQAGA1UdIwSB+DCB9YAU3J7NfVwfU3hBHXh5sGmWOqa0TuqhgdGkgc4wgcsx
-CzAJBgNVBAYTAkVTMRIwEAYDVQQIEwlCYXJjZWxvbmExEjAQBgNVBAcTCUJhcmNl
-bG9uYTEtMCsGA1UEChMkVW5pdmVyc2l0YXQgUG9saXRlY25pY2EgZGUgQ2F0YWx1
-bnlhMSQwIgYDVQQLExtBcnF1aXRlY3R1cmEgZGUgQ29tcHV0YWRvcnMxEDAOBgNV
-BAMTB0xDQUMgQ0ExDTALBgNVBCkTBExDQUMxHjAcBgkqhkiG9w0BCQEWD2xjYWNA
-YWMudXBjLmVkdYIJAJH118PApk5hMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1Ud
-DwQEAwIHgDARBgNVHREECjAIggZjbGllbnQwDQYJKoZIhvcNAQELBQADggEBAELo
-ULLniHWGC7sp46rGDkzo6j0MAjF/O4AMP4CvRdZiJ6AO5yYJEpeV+NmbibXvVmTx
-3oJ04DEKzJAKvVC4VJUKrjtA33a20QEu85afUtTpFG23FJ1FmTM2KgELFRrtVdxk
-g2UaBkLZx9yX1AKBwlgr6uS3roQ65D/xLvrs80BduGrVXuHoL+IvSKQ4oU8i409m
-lKoCeJorel2qqlGl49CR6R35CO2LUcmmr0aFtRztEqEoM3U2ANhcFGWWwCh9R1Ck
-iV+wchpLExcmD/C4ZTzpljb5v5BZM4cfAQMl+PA6mzMC0ApDtQrPYqFFODcHnZyU
-CzHGPDS3/FoM5L8j9n0=
-----END CERTIFICATE-----
--- a/m/owl1/configuration.nix
+++ b/m/owl1/configuration.nix
@@ -2,7 +2,7 @@

 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    ../module/ceph.nix
    ../module/emulation.nix
    ../module/slurm-client.nix
--- a/m/owl2/configuration.nix
+++ b/m/owl2/configuration.nix
@@ -2,7 +2,7 @@

 {
  imports = [
-    ../common/ssf.nix
+    ../common/xeon.nix
    ../module/ceph.nix
    ../module/emulation.nix
    ../module/slurm-client.nix
--- a/m/raccoon/configuration.nix
+++ b/m/raccoon/configuration.nix
@@ -3,10 +3,6 @@
 {
  imports = [
    ../common/base.nix
-    ../module/emulation.nix
-    ../module/debuginfod.nix
-    ../module/ssh-hut-extern.nix
-    ../eudy/kernel/perf.nix
  ];

  # Don't install Grub on the disk yet
@@ -27,28 +23,13 @@
      address = "84.88.51.152";
      prefixLength = 25;
    } ];
-    interfaces.enp5s0f1.ipv4.addresses = [ {
-      address = "10.0.44.1";
-      prefixLength = 24;
-    } ];
-    nat = {
-      enable = true;
-      internalInterfaces = [ "enp5s0f1" ];
-      externalInterface = "eno0";
-    };
-    hosts = {
-      "10.0.44.4" = [ "tent" ];
-    };
  };

  nix.settings = {
-    extra-substituters = [ "https://jungle.bsc.es/cache" ];
-    extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+    substituters = [ "https://jungle.bsc.es/cache" ];
+    trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
  };

-  # Enable performance governor
-  powerManagement.cpuFreqGovernor = "performance";
-
  # Configure Nvidia driver to use with CUDA
  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production;
  hardware.graphics.enable = true;
@@ -56,18 +37,6 @@
  nixpkgs.config.nvidia.acceptLicense = true;
  services.xserver.videoDrivers = [ "nvidia" ];

-  # Disable garbage collection for now
-  nix.gc.automatic = lib.mkForce false;
-
-  services.openssh.settings.X11Forwarding = true;
-
-  services.prometheus.exporters.node = {
-    enable = true;
-    enabledCollectors = [ "systemd" ];
-    port = 9002;
-    listenAddress = "127.0.0.1";
-  };
-
  users.motd = ''
    ⠀⠀⠀⠀⠀⠀⠀⣀⣀⣄⣠⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
    ⠀⠀⠀⠀⠀⠀⢰⠇⡀⠀⠙⠻⡿⣦⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⠀⠀⠀
--- a/m/tent/blackbox.yml
+++ b/m/tent/blackbox.yml
@@ -1,14 +0,0 @@
-modules:
-  http_2xx:
-    prober: http
-    timeout: 5s
-    http:
-      preferred_ip_protocol: "ip4"
-      follow_redirects: true
-      valid_status_codes: []  # Defaults to 2xx
-      method: GET
-  icmp:
-    prober: icmp
-    timeout: 5s
-    icmp:
-      preferred_ip_protocol: "ip4"
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -1,80 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-  imports = [
-    ../common/xeon.nix
-    ../module/emulation.nix
-    ../module/debuginfod.nix
-    ../module/ssh-hut-extern.nix
-    ./monitoring.nix
-    ./nginx.nix
-    ./nix-serve.nix
-    ./gitlab-runner.nix
-    ./gitea.nix
-    ../hut/public-inbox.nix
-    ../hut/msmtp.nix
-    ../module/p.nix
-    ../module/vpn-dac.nix
-  ];
-
-  # Select the this using the ID to avoid mismatches
-  boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d537675";
-
-  networking = {
-    hostName = "tent";
-    interfaces.eno1.ipv4.addresses = [
-      {
-        address = "10.0.44.4";
-        prefixLength = 24;
-      }
-    ];
-
-    # Only BSC DNSs seem to be reachable from the office VLAN
-    nameservers = [ "84.88.52.35" "84.88.52.36" ];
-    search = [ "bsc.es" "ac.upc.edu" ];
-    defaultGateway = "10.0.44.1";
-  };
-
-  services.p.enable = true;
-
-  services.prometheus.exporters.node = {
-    enable = true;
-    enabledCollectors = [ "systemd" ];
-    port = 9002;
-    listenAddress = "127.0.0.1";
-  };
-
-  boot.swraid = {
-    enable = true;
-    mdadmConf = ''
-      DEVICE partitions
-      ARRAY /dev/md0 metadata=1.2 UUID=496db1e2:056a92aa:a544543f:40db379d
-      MAILADDR root
-    '';
-  };
-
-  fileSystems."/vault" = {
-    device = "/dev/disk/by-label/vault";
-    fsType = "ext4";
-  };
-
-  # Make a /vault/$USER directory for each user.
-  systemd.services.create-vault-dirs = let
-    # Take only normal users in tent
-    users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users;
-    commands = lib.concatLists (lib.mapAttrsToList
-      (_: user: [
-        "install -d -o ${user.name} -g ${user.group} -m 0711 /vault/home/${user.name}"
-      ]) users);
-    script = pkgs.writeShellScript "create-vault-dirs.sh" (lib.concatLines commands);
-  in {
-    enable = true;
-    wants = [ "local-fs.target" ];
-    after = [ "local-fs.target" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig.ExecStart = script;
-  };
-
-  # disable automatic garbage collector
-  nix.gc.automatic = lib.mkForce false;
-}
--- a/m/tent/gitea.nix
+++ b/m/tent/gitea.nix
@@ -1,30 +0,0 @@
-{ config, lib, ... }:
-{
-  services.gitea = {
-    enable = true;
-    appName = "Gitea in the jungle";
-
-    settings = {
-      server = {
-        ROOT_URL = "https://jungle.bsc.es/git/";
-        LOCAL_ROOT_URL = "https://jungle.bsc.es/git/";
-        LANDING_PAGE = "explore";
-      };
-      metrics.ENABLED = true;
-      service = {
-        DISABLE_REGISTRATION = true;
-        REGISTER_MANUAL_CONFIRM = true;
-        ENABLE_NOTIFY_MAIL = true;
-      };
-      log.LEVEL = "Warn";
-
-      mailer = {
-        ENABLED       = true;
-        FROM          = "jungle-robot@bsc.es";
-        PROTOCOL      = "sendmail";
-        SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
-        SENDMAIL_ARGS = "--";
-      };
-    };
-  };
-}
--- a/m/tent/gitlab-runner.nix
+++ b/m/tent/gitlab-runner.nix
@@ -1,93 +0,0 @@
-{ pkgs, lib, config, ... }:
-
-{
-  age.secrets.tent-gitlab-runner-pm-shell.file = ../../secrets/tent-gitlab-runner-pm-shell-token.age;
-  age.secrets.tent-gitlab-runner-pm-docker.file = ../../secrets/tent-gitlab-runner-pm-docker-token.age;
-  age.secrets.tent-gitlab-runner-bsc-docker.file = ../../secrets/tent-gitlab-runner-bsc-docker-token.age;
-
-  services.gitlab-runner = let sec = config.age.secrets; in {
-    enable = true;
-    settings.concurrent = 5;
-    services = {
-      # For gitlab.pm.bsc.es
-      gitlab-pm-shell = {
-        executor = "shell";
-        environmentVariables = {
-          SHELL = "${pkgs.bash}/bin/bash";
-        };
-        authenticationTokenConfigFile = sec.tent-gitlab-runner-pm-shell.path;
-        preGetSourcesScript = pkgs.writeScript "setup" ''
-          echo "This is the preGetSources script running, brace for impact"
-          env
-        '';
-      };
-      gitlab-pm-docker = {
-        authenticationTokenConfigFile = sec.tent-gitlab-runner-pm-docker.path;
-        executor = "docker";
-        dockerImage = "debian:stable";
-      };
-
-      # For gitlab.bsc.es
-      gitlab-bsc-docker = {
-        # gitlab.bsc.es still uses the old token mechanism
-        registrationConfigFile = sec.tent-gitlab-runner-bsc-docker.path;
-        tagList = [ "docker" "tent" "nix" ];
-        executor = "docker";
-        dockerImage = "alpine";
-        dockerVolumes = [
-          "/nix/store:/nix/store:ro"
-          "/nix/var/nix/db:/nix/var/nix/db:ro"
-          "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
-        ];
-        dockerDisableCache = true;
-        registrationFlags = [
-          # Increase build log length to 64 MiB
-          "--output-limit 65536"
-        ];
-        preBuildScript = pkgs.writeScript "setup-container" ''
-          mkdir -p -m 0755 /nix/var/log/nix/drvs
-          mkdir -p -m 0755 /nix/var/nix/gcroots
-          mkdir -p -m 0755 /nix/var/nix/profiles
-          mkdir -p -m 0755 /nix/var/nix/temproots
-          mkdir -p -m 0755 /nix/var/nix/userpool
-          mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
-          mkdir -p -m 1777 /nix/var/nix/profiles/per-user
-          mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
-          mkdir -p -m 0700 "$HOME/.nix-defexpr"
-          mkdir -p -m 0700 "$HOME/.ssh"
-          cat >> "$HOME/.ssh/known_hosts" << EOF
-          bscpm04.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT
-          gitlab-internal.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3
-          EOF
-          . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
-          # Required to load SSL certificate paths
-          . ${pkgs.cacert}/nix-support/setup-hook
-        '';
-        environmentVariables = {
-          ENV = "/etc/profile";
-          USER = "root";
-          NIX_REMOTE = "daemon";
-          PATH = "${config.system.path}/bin:/bin:/sbin:/usr/bin:/usr/sbin";
-        };
-      };
-    };
-  };
-
-  systemd.services.gitlab-runner.serviceConfig = {
-    DynamicUser = lib.mkForce false;
-    User = "gitlab-runner";
-    Group = "gitlab-runner";
-    ExecStart = lib.mkForce
-      ''${pkgs.gitlab-runner}/bin/gitlab-runner run --config ''${HOME}/.gitlab-runner/config.toml --listen-address "127.0.0.1:9252" --working-directory ''${HOME}'';
-  };
-
-  users.users.gitlab-runner = {
-    uid = config.ids.uids.gitlab-runner;
-    home = "/var/lib/gitlab-runner";
-    description = "Gitlab Runner";
-    group = "gitlab-runner";
-    extraGroups = [ "docker" ];
-    createHome = true;
-  };
-  users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner;
-}
--- a/m/tent/monitoring.nix
+++ b/m/tent/monitoring.nix
@@ -1,217 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ../module/meteocat-exporter.nix
-    ../module/upc-qaire-exporter.nix
-    ../module/nix-daemon-exporter.nix
-  ];
-
-  age.secrets.grafanaJungleRobotPassword = {
-    file = ../../secrets/jungle-robot-password.age;
-    owner = "grafana";
-    mode = "400";
-  };
-
-  services.grafana = {
-    enable = true;
-    settings = {
-      server = {
-        domain = "jungle.bsc.es";
-        root_url = "%(protocol)s://%(domain)s/grafana";
-        serve_from_sub_path = true;
-        http_port = 2342;
-        http_addr = "127.0.0.1";
-      };
-      smtp = {
-        enabled = true;
-        from_address = "jungle-robot@bsc.es";
-        user = "jungle-robot";
-        # Read the password from a file, which is only readable by grafana user
-        # https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
-        password = "$__file{${config.age.secrets.grafanaJungleRobotPassword.path}}";
-        host = "mail.bsc.es:465";
-        startTLS_policy = "NoStartTLS";
-      };
-      feature_toggles.publicDashboards = true;
-      "auth.anonymous".enabled = true;
-      log.level = "warn";
-    };
-  };
-
-  services.prometheus = {
-    enable = true;
-    port = 9001;
-    retentionTime = "5y";
-    listenAddress = "127.0.0.1";
-  };
-
-  # We need access to the devices to monitor the disk space
-  systemd.services.prometheus-node-exporter.serviceConfig.PrivateDevices = lib.mkForce false;
-  systemd.services.prometheus-node-exporter.serviceConfig.ProtectHome = lib.mkForce "read-only";
-
-  # Credentials for IPMI exporter
-  age.secrets.ipmiYml = {
-    file = ../../secrets/ipmi.yml.age;
-    owner = "ipmi-exporter";
-  };
-
-  # Create an IPMI group and assign the ipmi0 device
-  users.groups.ipmi = {};
-  services.udev.extraRules = ''
-    SUBSYSTEM=="ipmi", KERNEL=="ipmi0", GROUP="ipmi", MODE="0660"
-  '';
-
-  # Add a new ipmi-exporter user that can read the ipmi0 device
-  users.users.ipmi-exporter = {
-    isSystemUser = true;
-    group = "ipmi";
-  };
-
-  # Disable dynamic user so we have the ipmi-exporter user available for the credentials
-  systemd.services.prometheus-ipmi-exporter.serviceConfig = {
-    DynamicUser = lib.mkForce false;
-    PrivateDevices = lib.mkForce false;
-    User = lib.mkForce "ipmi-exporter";
-    Group = lib.mkForce "ipmi";
-    RestrictNamespaces = lib.mkForce false;
-    # Fake uid to 0 so it shuts up
-    ExecStart = let
-      cfg = config.services.prometheus.exporters.ipmi;
-    in lib.mkForce (lib.concatStringsSep " " ([
-      "${pkgs.util-linux}/bin/unshare --map-user 0"
-      "${pkgs.prometheus-ipmi-exporter}/bin/ipmi_exporter"
-      "--web.listen-address ${cfg.listenAddress}:${toString cfg.port}"
-      "--config.file ${lib.escapeShellArg cfg.configFile}"
-    ] ++ cfg.extraFlags));
-  };
-
-  services.prometheus = {
-    exporters = {
-      ipmi = {
-        enable = true;
-        configFile = config.age.secrets.ipmiYml.path;
-        #extraFlags = [ "--log.level=debug" ];
-        listenAddress = "127.0.0.1";
-      };
-      node = {
-        enable = true;
-        enabledCollectors = [ "logind" ];
-        port = 9002;
-        listenAddress = "127.0.0.1";
-      };
-      blackbox = {
-        enable = true;
-        listenAddress = "127.0.0.1";
-        configFile = ./blackbox.yml;
-      };
-    };
-
-    scrapeConfigs = [
-      {
-        job_name = "local";
-        static_configs = [{
-          targets = [
-            "127.0.0.1:9002" # Node exporter
-            #"127.0.0.1:9115" # Blackbox exporter
-            "127.0.0.1:9290" # IPMI exporter for local node
-            "127.0.0.1:9928" # UPC Qaire custom exporter
-            "127.0.0.1:9929" # Meteocat custom exporter
-            "127.0.0.1:9999" # Nix-daemon custom exporter
-          ];
-        }];
-      }
-      {
-        job_name = "blackbox-http";
-        metrics_path = "/probe";
-        params = { module = [ "http_2xx" ]; };
-        static_configs = [{
-          targets = [
-            "https://www.google.com/robots.txt"
-            "https://pm.bsc.es/"
-            "https://pm.bsc.es/gitlab/"
-            "https://jungle.bsc.es/"
-            "https://gitlab.bsc.es/"
-          ];
-        }];
-        relabel_configs = [
-          {
-            # Takes the address and sets it in the "target=<xyz>" URL parameter
-            source_labels = [ "__address__" ];
-            target_label = "__param_target";
-          }
-          {
-            # Sets the "instance" label with the remote host we are querying
-            source_labels = [ "__param_target" ];
-            target_label = "instance";
-          }
-          {
-            # Shows the host target address instead of the blackbox address
-            target_label = "__address__";
-            replacement = "127.0.0.1:9115";
-          }
-        ];
-      }
-      {
-        job_name = "blackbox-icmp";
-        metrics_path = "/probe";
-        params = { module = [ "icmp" ]; };
-        static_configs = [{
-          targets = [
-            "1.1.1.1"
-            "8.8.8.8"
-            "ssfhead"
-            "raccoon"
-            "anella-bsc.cesca.cat"
-            "upc-anella.cesca.cat"
-            "fox.ac.upc.edu"
-            "fox-ipmi.ac.upc.edu"
-            "arenys5.ac.upc.edu"
-            "arenys0-2.ac.upc.edu"
-            "epi01.bsc.es"
-            "axle.bsc.es"
-          ];
-        }];
-        relabel_configs = [
-          {
-            # Takes the address and sets it in the "target=<xyz>" URL parameter
-            source_labels = [ "__address__" ];
-            target_label = "__param_target";
-          }
-          {
-            # Sets the "instance" label with the remote host we are querying
-            source_labels = [ "__param_target" ];
-            target_label = "instance";
-          }
-          {
-            # Shows the host target address instead of the blackbox address
-            target_label = "__address__";
-            replacement = "127.0.0.1:9115";
-          }
-        ];
-      }
-      {
-        job_name = "ipmi-raccoon";
-        metrics_path = "/ipmi";
-        static_configs = [
-          { targets = [ "127.0.0.1:9290" ]; }
-        ];
-        params = {
-          target = [ "raccoon-ipmi" ];
-          module = [ "raccoon" ];
-        };
-      }
-      {
-        job_name = "ipmi-fox";
-        metrics_path = "/ipmi";
-        static_configs = [
-          { targets = [ "127.0.0.1:9290" ]; }
-        ];
-        params = {
-          target = [ "fox-ipmi.ac.upc.edu" ];
-          module = [ "fox" ];
-        };
-      }
-    ];
-  };
-}
--- a/m/tent/nginx.nix
+++ b/m/tent/nginx.nix
@@ -1,73 +0,0 @@
-{ theFlake, pkgs, ... }:
-let
-  website = pkgs.stdenv.mkDerivation {
-    name = "jungle-web";
-    src = theFlake;
-    buildInputs = [ pkgs.hugo ];
-    buildPhase = ''
-      cd web
-      rm -rf public/
-      hugo
-    '';
-    installPhase = ''
-      cp -r public $out
-    '';
-    # Don't mess doc/
-    dontFixup = true;
-  };
-in
-{
-  networking.firewall.allowedTCPPorts = [ 80 ];
-  services.nginx = {
-    enable = true;
-    virtualHosts."jungle.bsc.es" = {
-      root = "${website}";
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = 80;
-        }
-      ];
-      extraConfig = ''
-        set_real_ip_from 127.0.0.1;
-        set_real_ip_from 84.88.52.107;
-        real_ip_recursive on;
-        real_ip_header X-Forwarded-For;
-
-        location /git {
-          rewrite ^/git$ / break;
-          rewrite ^/git/(.*) /$1 break;
-          proxy_pass http://127.0.0.1:3000;
-          proxy_redirect http:// $scheme://;
-        }
-        location /cache {
-          rewrite ^/cache/(.*) /$1 break;
-          proxy_pass http://127.0.0.1:5000;
-          proxy_redirect http:// $scheme://;
-        }
-        location /lists {
-          proxy_pass http://127.0.0.1:8081;
-          proxy_redirect http:// $scheme://;
-        }
-        location /grafana {
-          proxy_pass http://127.0.0.1:2342;
-          proxy_redirect http:// $scheme://;
-          proxy_set_header Host $host;
-          # Websockets
-          proxy_http_version 1.1;
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection "upgrade";
-        }
-        location ~ ^/~(.+?)(/.*)?$ {
-          alias /vault/home/$1/public_html$2;
-          index  index.html index.htm;
-          autoindex on;
-          absolute_redirect off;
-        }
-        location /p/ {
-          alias /var/lib/p/;
-        }
-      '';
-    };
-  };
-}
--- a/m/tent/nix-serve.nix
+++ b/m/tent/nix-serve.nix
@@ -1,16 +0,0 @@
-{ config, ... }:
-
-{
-  age.secrets.nixServe.file = ../../secrets/nix-serve.age;
-
-  services.nix-serve = {
-    enable = true;
-    # Only listen locally, as we serve it via ssh
-    bindAddress = "127.0.0.1";
-    port = 5000;
-
-    secretKeyFile = config.age.secrets.nixServe.path;
-    # Public key:
-    # jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=
-  };
-}
--- a/secrets/ceph-user.age
+++ b/secrets/ceph-user.age
--- a/secrets/gitea-runner-token.age
+++ b/secrets/gitea-runner-token.age
--- a/secrets/gitlab-bsc-docker-token.age
+++ b/secrets/gitlab-bsc-docker-token.age
--- a/secrets/gitlab-runner-docker-token.age
+++ b/secrets/gitlab-runner-docker-token.age
@@ -1,11 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg 6C5Cv7ILdBrpMkCTT/insUY0kyQWbfgU500Ai8ePOXY
-tMw6ehFrsq2dvDEXkLOJwrNZfI28trlr9uy3xW/fzpA
-> ssh-ed25519 CAWG4Q x/j+364IYURgt7fhIPBzabbWMEg08nX8MRrJM/1Q6RU
-AL5Ut2rDr3UXcQXMZJ53ZMf5wMHmT83whx0ntJfW/WU
-> ssh-ed25519 xA739A QjXftBsoGV1rVeHSKcsjp+HMpRVsaHOeeGdDcF6ZWg4
-ovVoYPaPn3liGPAxHWY37CBIUFjAXurv6jMWs2He3HQ
-> ssh-ed25519 MSF3dg FG0CQOj9fRlneW5QrWiy5ksRpicUwHqX9QMpZWhDImw
-L20n1vZRepsRPT4xM6TO6PcI/MJxw4mBLUF0EPv9Uhs
--- DEi7iuzkniq0JPatJ5f2KhrhxWid7ojHpvNfUCGxFtk
-<EFBFBD><EFBFBD>%	n<><6E>!;^Q<>rqG<71>:<3A>jC.8l<38>|<7C><>o<EFBFBD><1E><>$LYy<59>N<EFBFBD>b<EFBFBD><1E><>:<14>{<7B><><EFBFBD>fާxTS\<5C>t<04>U<EFBFBD><55>\F<>)%<25><><EFBFBD>KL<4B>㙇p<E39987>:><3E><><EFBFBD><EFBFBD>&<1B>)<0B>Q<EFBFBD>1<>H܃V<DC83>Sޑ<53>n<>
+-> ssh-ed25519 HY2yRg pXNTB/ailRwSEJG1pXvrzzpz5HqkDZdWVWnOH7JGeQ4
+NzA+2fxfkNRy/u+Zq96A02K1Vxy0ETYZjMkDVTKyCY8
+-> ssh-ed25519 CAWG4Q 7CLJWn+EAxoWDduXaOSrHaBFHQ4GIpYP/62FFTj3ZTI
+vSYV1pQg2qI2ngCzM0nCZAnqdz1tbT4hM5m+/TyGU2c
+-> ssh-ed25519 MSF3dg Akmp4NcZcDuaYHta/Vej6zulNSrAOCd5lmSV+OiBGC4
+qTxqVzTyywur+GjtUQdbaIUdH1fqCqPe6qPf8iHRa4w
+--- uCKNqD1TmZZThOzlpsecBKx/k+noIWhCVMr/pzNwBr8
+r'<27>Ƌs4<15>˺<EFBFBD>Aĥ<41>P<05>L<EFBFBD><4C>7`	<09><02><>)H<><48>-<2D>0<EFBFBD>AH<41>5<16><><1F><>L<EFBFBD>Qe<51><65>H2b<32><1D>B޲<42>CJG<4A>"-S<><1C>\<5C><><0C>H<n<>V
--- a/secrets/gitlab-runner-shell-token.age
+++ b/secrets/gitlab-runner-shell-token.age
--- a/secrets/ipmi.yml.age
+++ b/secrets/ipmi.yml.age
--- a/secrets/jungle-robot-password.age
+++ b/secrets/jungle-robot-password.age
--- a/secrets/munge-key.age
+++ b/secrets/munge-key.age
--- a/secrets/nix-serve.age
+++ b/secrets/nix-serve.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,8 +2,6 @@ let
  keys = import ../keys.nix;
  adminsKeys = builtins.attrValues keys.admins;
  hut = [ keys.hosts.hut ] ++ adminsKeys;
-  mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys;
-  tent = [ keys.hosts.tent ] ++ adminsKeys;
  # Only expose ceph keys to safe nodes and admins
  safe = keys.hostGroup.safe ++ adminsKeys;
 in
@@ -12,15 +10,9 @@ in
  "gitlab-runner-docker-token.age".publicKeys = hut;
  "gitlab-runner-shell-token.age".publicKeys = hut;
  "gitlab-bsc-docker-token.age".publicKeys = hut;
-  "nix-serve.age".publicKeys = mon;
-  "jungle-robot-password.age".publicKeys = mon;
-  "ipmi.yml.age".publicKeys = mon;
-
-  "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent;
-  "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent;
-  "tent-gitlab-runner-bsc-docker-token.age".publicKeys = tent;
-  "vpn-dac-login.age".publicKeys = tent;
-  "vpn-dac-client-key.age".publicKeys = tent;
+  "nix-serve.age".publicKeys = hut;
+  "jungle-robot-password.age".publicKeys = hut;
+  "ipmi.yml.age".publicKeys = hut;

  "ceph-user.age".publicKeys = safe;
  "munge-key.age".publicKeys = safe;
--- a/secrets/tent-gitlab-runner-bsc-docker-token.age
+++ b/secrets/tent-gitlab-runner-bsc-docker-token.age
--- a/secrets/tent-gitlab-runner-pm-docker-token.age
+++ b/secrets/tent-gitlab-runner-pm-docker-token.age
--- a/secrets/tent-gitlab-runner-pm-shell-token.age
+++ b/secrets/tent-gitlab-runner-pm-shell-token.age
@@ -1,13 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 G5LX5w V9bHLoGuY4stRwbzVS9Qa0L9yoY+UoCoXc+dJJQW/Ag
-2ut9GfdJ3KBCqZRaloZCQsl8MLfaZAZxqj6JtPJzu2k
-> ssh-ed25519 CAWG4Q OAqnIfMECpKglZ7aF9tv/PQinG1Ou2+IEZ+nf4dtQjg
-dANdMLe4iI0d6Xd/dIMpZK+mgw2+VmJFQScHaIxD7WI
-> ssh-ed25519 xA739A nVNF4Y6VSa5PP6FFBJpVmoFYYseoFx5F2wJU+Pwk+Xk
-A5CiuTSNlX9Y76qhYgblBdJl3zPhtjWho2oL5/sIKu0
-> ssh-ed25519 MSF3dg /WMsGnBGzquIMyw06gHKpSS4OUxheulT59kxi+/pxxU
-ppwcv7RLzUbQUM7j0Tb9rRVT9XyPMhqYr2fr4S0nTJY
--- zOe0Ko0oxArbmxePMPDVAT0pDju7IeOAih7sNrDcoVs
-i<EFBFBD>k<EFBFBD>A
-hODV<44>w!<21><0C><>E݈<45><DD88>+<2B><>`<60><><EFBFBD><EFBFBD>C<><43>5<EFBFBD>L<EFBFBD>A<EFBFBD>t<1A>M^<01>E<<1B>HI<48>_<EFBFBD>nn<6E><6E><EFBFBD>o<EFBFBD>?<3F>j-<05>
-A<1B>nԔί<1B>>Z<><5A>z<EFBFBD><7A><EFBFBD>dT<64><54>b"<22>(@<40><>{_ځC
--- a/secrets/vpn-dac-client-key.age
+++ b/secrets/vpn-dac-client-key.age
--- a/secrets/vpn-dac-login.age
+++ b/secrets/vpn-dac-login.age
--- a/web/content/access/index.md
+++ b/web/content/access/index.md
@@ -5,12 +5,18 @@ description: "Request access to the machines"

 ![Cave](./cave.jpg)

-To request access to the machines we will need some information:
+Before requesting access to the jungle machines, you must be able to access the
+`ssfhead.bsc.es` node (only available via the intranet or VPN). You can request
+access to the login machine using a resource petition in the BSC intranet.
+
+Then, to request access to the machines we will need some information about you:

 1. Which machines you want access to ([hut](/hut), [fox](/fox), owl1, owl2, eudy, koro...)
-1. Your user name (make sure it matches the one you use for the BSC intranet)
+1. Your user name and user id (to match the NFS permissions)
 1. Your real name and surname (for identification purposes)
 1. The salted hash of your login password, generated with `mkpasswd -m sha-512`
 1. An SSH public key of type Ed25519 (can be generated with `ssh-keygen -t ed25519`)

-Send an email to <jungle@bsc.es> with the details.
+Send an email to <jungle@bsc.es> with the details, or directly open a
+merge request in the [jungle
+repository](https://pm.bsc.es/gitlab/rarias/jungle/).
--- a/web/content/hut/_index.md
+++ b/web/content/hut/_index.md
@@ -38,8 +38,8 @@ enable it for all builds in the system.
 ```nix
 { ... }: {
  nix.settings = {
-    extra-substituters = [ "https://jungle.bsc.es/cache" ];
-    extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+    substituters = [ "https://jungle.bsc.es/cache" ];
+    trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
  };
 }
 ```
@@ -60,8 +60,8 @@ Note: you'll have to be a trusted user.
 If using nix outside of NixOS, you'll have to update `/etc/nix/nix.conf`

 ```
-# echo "extra-substituters = https://jungle.bsc.es/cache" >> /etc/nix/nix.conf
-# echo "extra-trusted-public-keys = jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" >> /etc/nix/nix.conf
+# echo "substituters = https://jungle.bsc.es/cache" >> /etc/nix/nix.conf
+# echo "trusted-public-keys = jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" >> /etc/nix/nix.conf
 ```

 ### Hint in flakes
--- a/web/content/paste/_index.md
+++ b/web/content/paste/_index.md
@@ -5,13 +5,13 @@ author: "Rodrigo Arias Mallo"
 date: 2024-09-20
 ---

-The tent machine provides a paste service using the program `p` (as in paste).
+The hut machine provides a paste service using the program `p` (as in paste).

-You can use it directly from the tent machine or remotely if you have [SSH
-access](/access) to tent using the following alias:
+You can use it directly from the hut machine or remotely if you have [SSH
+access](/access) to hut using the following alias:

 ```
-alias p="ssh tent p"
+alias p="ssh hut p"
 ```

 You can add it to bashrc or zshrc for persistent installation.
@@ -19,7 +19,7 @@ You can add it to bashrc or zshrc for persistent installation.
 ## Usage

 The `p` command reads from the standard input, uploads the content to a file
-in the local filesystem and prints the URL to access it. It only accepts an
+in the ceph filesystem and prints the URL to access it. It only accepts an
 optional argument, which is the extension of the file that will be stored on
 disk (without the dot). By default it uses the `txt` extension, so plain text
 can be read in the browser directly.
@@ -28,21 +28,21 @@ can be read in the browser directly.
 p [extension]
 ```

-To remove files, go to `/var/lib/p/$USER` and remove them manually.
+To remove files, go to `/ceph/p/$USER` and remove them manually.

 ## Examples

 Share a text file, in this case the source of p itself:

 ```
-tent% p < m/tent/p.nix
+hut% p < m/hut/p.nix
 https://jungle.bsc.es/p/rarias/okbtG130.txt
 ```

 Paste the last dmesg lines directly from a pipe:

 ```
-tent% dmesg | tail -5 | p
+hut% dmesg | tail -5 | p
 https://jungle.bsc.es/p/rarias/luX4STm9.txt
 ```
Author	SHA1	Message	Date
Rodrigo Arias Mallo	677dc27c47	Monitor fox and gateway via ICMP Fox should reply once the machine is connected to the UPC network. Monitoring also the gateway allows us to estimate if the whole network is down or just fox.	2025-05-29 13:41:10 +02:00
Rodrigo Arias Mallo	c265b37572	Update configuration for UPC network The fox machine will be placed in the UPC network, so we update the configuration with the new IP and gateway. We won't be able to reach hut directly so we also remove the host entry and proxy.	2025-05-29 13:24:20 +02:00
Rodrigo Arias Mallo	b0783b8117	Disable home via NFS in fox It won't be accesible anymore as we won't be in the same LAN.	2025-05-29 13:10:53 +02:00
Rodrigo Arias Mallo	40cb289b50	Rekey all secrets Fox is no longer able to use munge or ceph, so we remove the key and rekey them.	2025-05-29 13:10:53 +02:00
Rodrigo Arias Mallo	1cbf0cd0b1	Rotate fox SSH host key Prevent decrypting old secrets by reading the git history.	2025-05-29 13:10:53 +02:00
Rodrigo Arias Mallo	73ae589303	Distrust fox SSH key We no longer will share secrets with fox until we can regain our trust.	2025-05-29 13:10:53 +02:00
Rodrigo Arias Mallo	1e3c2c02f3	Remove Ceph module from fox It will no longer be accesible from the UPC.	2025-05-29 13:10:53 +02:00
Rodrigo Arias Mallo	ec0daef96c	Remove fox from SLURM	2025-05-29 13:10:53 +02:00
Rodrigo Arias Mallo	5486d3d6f3	Remove pam_slurm_adopt from fox We no longer will be able to use SLURM from jungle.	2025-05-29 13:10:53 +02:00