Monitor fox and gateway via ICMP

Fox should reply once the machine is connected to the UPC network. Monitoring also the gateway allows us to estimate if the whole network is down or just fox.
Update configuration for UPC network
2025-05-29 13:41:10 +02:00 · 2025-05-29 13:24:20 +02:00 · 2025-05-29 13:10:53 +02:00 · 2025-05-29 13:10:53 +02:00 · 2025-05-29 13:10:53 +02:00 · 2025-05-29 13:10:53 +02:00
13 changed files with 60 additions and 56 deletions
--- a/keys.nix
+++ b/keys.nix
@@ -9,11 +9,12 @@ rec {
    koro  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67 koro";
    bay   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
    lake2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
-    fox   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDa9lId4rB/EKGkkCCVOy0cuId2SYLs+8W8kx0kmpO1y fox";
+    fox   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwItIk5uOJcQEVPoy/CVGRzfmE1ojrdDcI06FrU4NFT fox";
  };

  hostGroup = with hosts; rec {
-    compute    = [ owl1 owl2 fox ];
+    untrusted  = [ fox ];
+    compute    = [ owl1 owl2 ];
    playground = [ eudy koro ];
    storage    = [ bay lake2 ];
    monitor    = [ hut ];
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -2,11 +2,9 @@

 {
  imports = [
-    ../common/xeon.nix
-    ../module/ceph.nix
+    ../common/base.nix
+    ../common/xeon/console.nix
    ../module/emulation.nix
-    ../module/slurm-client.nix
-    ../module/slurm-firewall.nix
  ];

  # Select the this using the ID to avoid mismatches
@@ -22,11 +20,34 @@
  hardware.cpu.intel.updateMicrocode = lib.mkForce false;

  networking = {
+    defaultGateway = "147.83.30.130";
+    nameservers = [ "8.8.8.8" ];
    hostName = "fox";
-    interfaces.enp1s0f0np0.ipv4.addresses = [ {
-      address = "10.0.40.26";
-      prefixLength = 24;
-    } ];
+    interfaces.enp1s0f0np0.ipv4.addresses = [
+      {
+        # UPC network
+        # Public IP configuration:
+        # - Hostname: fox.ac.upc.edu
+        # - IP: 147.83.30.141
+        # - Gateway: 147.83.30.130
+        # - NetMask: 255.255.255.192
+        # Private IP configuration for BMC:
+        # - Hostname: fox-ipmi.ac.upc.edu
+        # - IP: 147.83.35.27
+        # - Gateway: 147.83.35.2
+        # - NetMask: 255.255.255.0
+        address = "147.83.30.141";
+        prefixLength = 26; # 255.255.255.192
+      }
+    ];
+    extraHosts = ''
+      # Fox UPC
+      147.83.30.141   fox.ac.upc.edu
+      147.83.35.27    fox-ipmi.ac.upc.edu
+      # Fox BSC
+      10.0.40.26      fox
+      10.0.40.126     fox-ipmi
+    '';
  };

  # Configure Nvidia driver to use with CUDA
@@ -56,20 +77,4 @@
    wantedBy = [ "multi-user.target" ];
    serviceConfig.ExecStart = script;
  };
-
-  # Only allow SSH connections from users who have a SLURM allocation
-  # See: https://slurm.schedmd.com/pam_slurm_adopt.html
-  security.pam.services.sshd.rules.account.slurm = {
-    control = "required";
-    enable = true;
-    modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
-    args = [ "log_level=debug5" ];
-    order = 999999; # Make it last one
-  };
-
-  # Disable systemd session (pam_systemd.so) as it will conflict with the
-  # pam_slurm_adopt.so module. What happens is that the shell is first adopted
-  # into the slurmstepd task and then into the systemd session, which is not
-  # what we want, otherwise it will linger even if all jobs are gone.
-  security.pam.services.sshd.startSession = lib.mkForce false;
 }
--- a/m/hut/monitoring.nix
+++ b/m/hut/monitoring.nix
@@ -169,6 +169,8 @@
            "8.8.8.8"
            "ssfhead"
            "anella-bsc.cesca.cat"
+            "fox.ac.upc.edu"
+            "arenys5.ac.upc.edu"
          ];
        }];
        relabel_configs = [
--- a/m/module/slurm-client.nix
+++ b/m/module/slurm-client.nix
@@ -43,13 +43,11 @@ in {
    clusterName = "jungle";
    nodeName = [
      "owl[1,2]  Sockets=2 CoresPerSocket=14 ThreadsPerCore=2 Feature=owl"
-      "fox       Sockets=2 CoresPerSocket=96 ThreadsPerCore=1 Feature=fox"
      "hut       Sockets=2 CoresPerSocket=14 ThreadsPerCore=2"
    ];

    partitionName = [
      "owl Nodes=owl[1-2]     Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
-      "fox Nodes=fox          Default=NO  DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
    ];

    # See slurm.conf(5) for more details about these options.
@@ -77,7 +75,7 @@ in {
      SuspendTimeout=60
      ResumeProgram=${resumeProgram}
      ResumeTimeout=300
-      SuspendExcNodes=hut,fox
+      SuspendExcNodes=hut

      # Turn the nodes off after 1 hour of inactivity
      SuspendTime=3600
--- a/secrets/ceph-user.age
+++ b/secrets/ceph-user.age
--- a/secrets/gitea-runner-token.age
+++ b/secrets/gitea-runner-token.age
--- a/secrets/gitlab-bsc-docker-token.age
+++ b/secrets/gitlab-bsc-docker-token.age
@@ -1,11 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg WSdjyQPzBJ4JbzQpGeq1AAYpWKoXmLI1ZtmNmM5QOzs
-qGDlDT31DQF1DdHen0+5+52DdsQlabJdA2pOB5O1I6g
-> ssh-ed25519 CAWG4Q wioWMDxQjN+d4JdIbCwZg0DLQu1OH2mV6gukRprjuAs
-670fE61hidOEh20hHiQAhP0+CjDF0WMBNzgwkGT8Yqg
-> ssh-ed25519 MSF3dg DN19uvAEtqq4708P6HpuX9i/o/qAvHX6dj69dCF2H1o
-4Lu9GnjiFLMeXJ2C7aVPJsCHCQVlhylNWJi896Av92s
--- 7cKBwOYNOUZ2h3/kAY09aSMASZSxX7hZIT4kvlIiT6w
-<EFBFBD>6<EFBFBD><02><><EFBFBD><06>fQF5=<3D>bX+<2B>v e`<60>7/<2F><05>A~P<><50>Ѧ7<15><>
-<EFBFBD><EFBFBD>A<EFBFBD>)<29>h<05><>=oZ<6F>$<24>^<5E>V0<56>/܅<>r
-k<EFBFBD>u<EFBFBD>bĶ:R<><52>>^g<><67><06>ik_*%<0B>a7<61>KG<4B><47><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&<26>PI<50><49>n
+-> ssh-ed25519 HY2yRg XPOFoZqY+AnKC77jrgNqAm1ADphurfuhO4NRrfiuUDc
+iCfMMpGHyaYHGy6ci8sqjUtcPeteLlyvLGEF79VPOEc
+-> ssh-ed25519 CAWG4Q 6OsGrnM+/c5lTN81Rvp166K+ygmSIFeSYzXxYg25KGE
+Av1zTw2zK4Gufzti9kQaye7C362GCiDRRHzCqBLR33g
+-> ssh-ed25519 MSF3dg 8CHqJ7mEDvjvqbmF+eE6Em1Wi6eHAzEUpiExC1gm7S0
+bdwzYHw3RAbdHq+RsiFUP++sQ586VUlSnAzAOhiQUjI
+--- gA5XSUfjUBol938sC5DbUf8PvQUIr2pNkS2nL95OF9c
+<EFBFBD><EFBFBD><EFBFBD>Ea1G7<47><37>ݩ[R<><52>\{~$Go<47>cQ<63>wKP&<26><><EFBFBD>w<EFBFBD><77><EFBFBD>6]
+<EFBFBD><EFBFBD>ѣ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>^z<7A>̄ 1k<31><6B><03><><EFBFBD><EFBFBD><EFBFBD>Y<EFBFBD><59>2<15>p<>2<EFBFBD><32>K<EFBFBD><4B><EFBFBD><EFBFBD>nok<>/X<><58>pt''<27><>$0co=<3D><EFBFBD>
--- a/secrets/gitlab-runner-docker-token.age
+++ b/secrets/gitlab-runner-docker-token.age
@@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg GdmdkW+BqqwBgu30b846jv3J7jtCM+a3rgOERuA050A
-FeGqM75jG9egesR+yyVKHm0/M+uBBp5Hclg4+qN0BR8
-> ssh-ed25519 CAWG4Q a0wTWHgulQUYDAMZmXf3dOf6PdYgCqNtSylzWVVRNVM
-Bx+WSYaiY4ZwlSZJo2a1XPMQmbKOU7F0tKAqVRLBOPo
-> ssh-ed25519 MSF3dg KccUvZZUbxbCrRWUWrX8KcHF6vQ5FV/BqUqI59G7dj4
-CFr7GXpZ9rPgy7HBfOyiYF9FnZUw6KcZwq9f7/0KaU8
--- E0Rp6RR/8+o0jvB1lRdhnlabxvI6uu/IgL2ZpPXzTc8
-<EFBFBD><13>#<23><>H<EFBFBD>$<24>F;<3B><EFBFBD><7F>%<25><>6<><02>2<EFBFBD><32>rfX<66>\Dn <20>ш<EFBFBD>ȉ<EFBFBD>x<EFBFBD><EFBFBD>><EFBFBD><EFBFBD>&;<3B>c<EFBFBD>U<EFBFBD>I=<3D><>M<EFBFBD><4D><EFBFBD>?T<><54>Ǹ<EFBFBD><16>"px<70>ӭ\s<><73><EFBFBD>bF<62><46><EFBFBD><EFBFBD>WD<>{<7B>
-AW>?U<><55><EFBFBD><17><>HԳ
+-> ssh-ed25519 HY2yRg pXNTB/ailRwSEJG1pXvrzzpz5HqkDZdWVWnOH7JGeQ4
+NzA+2fxfkNRy/u+Zq96A02K1Vxy0ETYZjMkDVTKyCY8
+-> ssh-ed25519 CAWG4Q 7CLJWn+EAxoWDduXaOSrHaBFHQ4GIpYP/62FFTj3ZTI
+vSYV1pQg2qI2ngCzM0nCZAnqdz1tbT4hM5m+/TyGU2c
+-> ssh-ed25519 MSF3dg Akmp4NcZcDuaYHta/Vej6zulNSrAOCd5lmSV+OiBGC4
+qTxqVzTyywur+GjtUQdbaIUdH1fqCqPe6qPf8iHRa4w
+--- uCKNqD1TmZZThOzlpsecBKx/k+noIWhCVMr/pzNwBr8
+r'<27>Ƌs4<15>˺<EFBFBD>Aĥ<41>P<05>L<EFBFBD><4C>7`	<09><02><>)H<><48>-<2D>0<EFBFBD>AH<41>5<EFBFBD><EFBFBD><EFBFBD><EFBFBD>L<EFBFBD>Qe<EFBFBD><EFBFBD>H2b<EFBFBD><1D>B޲<42>CJG<4A>"-S<><1C>\<5C><><0C>H<n<>V
--- a/secrets/gitlab-runner-shell-token.age
+++ b/secrets/gitlab-runner-shell-token.age
@@ -1,9 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg xWRxJGWSzA5aplRYCYLB6aBwrUrQQJ2MtDYaD75V5nI
-J07XF3NQiaYKKKNRcNWi9MloJD2wXHd+2K7bo6lF+QU
-> ssh-ed25519 CAWG4Q jNWymbyCczcm8RcaIEbFQBlOMALsuxTl4+pLUi0aR20
-z5NixlrRD+Y7Z/aFPs6hiDW4/lp8CBQCeJYpbuG9yYM
-> ssh-ed25519 MSF3dg QsUQloEKN3k1G49FQnNR/Do6ILgGpjFcw3zu5kk1Ako
-IHwyFWUEWqCStNcFprnpBa8L5J6zKIsn+7HcgGRv3sM
--- oUia0fsL6opeYWACyXtHAu/Ld+bUIt/7S1VszYTvwgU
-<EFBFBD><EFBFBD>V<EFBFBD><16>*<2A>t<1B>2-<2D>7<><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>h<EFBFBD>&<26><>͢_!տ+<2B><><EFBFBD><EFBFBD>(<28><0F><11>n<EFBFBD><6E>	<09><>(<28><19><>/}<7D><><EFBFBD><EFBFBD>C<EFBFBD>Nͷ|<04>N<>u<EFBFBD>5<EFBFBD>ù勚K<E58B9A><EFBFBD>l<EFBFBD>"<EFBFBD><EFBFBD>klOX<EFBFBD>y<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>A<EFBFBD><EFBFBD>e<><65>$
+-> ssh-ed25519 HY2yRg s6iI9f25xulF4KXt+XY07kXXPKxXo7f2Ql/OTHN55Hk
+WO4Fd2H9c+HL3+XhUF3BmEZVILlcchGxSrSmL2OEdGw
+-> ssh-ed25519 CAWG4Q TBkdpx8k8K1NvW3wcvaF7omKFwEJ2DxWJp3tIOTjwCA
+LcYgWRix23AQnw0OQ7f8+8S3J84CHUElX1vKZSETiLE
+-> ssh-ed25519 MSF3dg WzrF8kjTP7BXXDjmUp7kPCKguthAW12RPo6Vy2RMmh4
+8C3mT9ktudCTANDxhyNszUkbeDG6X4wOJdx825++dYM
+--- /w3YQ2UeTi67H1JR0GsdPz2KoLN2Y7BIZfFY+//AWjY
+<EFBFBD>ӣ-`P<>@<40><>ބ<><DE84><EFBFBD>)9<>9l<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Zf<EFBFBD><EFBFBD>V?I>΍<>w鉐<77>z40 <20>2{i@<40>Z<EFBFBD><5A>x<EFBFBD><78>AHn<48>%<25><><0C>ʤ<>/W<><57>Ĕ<EFBFBD>l<EFBFBD><EFBFBD><EFBFBD><EFBFBD>}<7D>&<08>얶<EFBFBD>(<EFBFBD><EFBFBD><EFBFBD>K<EFBFBD><EFBFBD><EFBFBD>S<EFBFBD><EFBFBD>o<EFBFBD>z<EFBFBD>=<1F>d
--- a/secrets/ipmi.yml.age
+++ b/secrets/ipmi.yml.age
--- a/secrets/jungle-robot-password.age
+++ b/secrets/jungle-robot-password.age
--- a/secrets/munge-key.age
+++ b/secrets/munge-key.age
--- a/secrets/nix-serve.age
+++ b/secrets/nix-serve.age
Author	SHA1	Message	Date
Rodrigo Arias Mallo	677dc27c47	Monitor fox and gateway via ICMP Fox should reply once the machine is connected to the UPC network. Monitoring also the gateway allows us to estimate if the whole network is down or just fox.	2025-05-29 13:41:10 +02:00
Rodrigo Arias Mallo	c265b37572	Update configuration for UPC network The fox machine will be placed in the UPC network, so we update the configuration with the new IP and gateway. We won't be able to reach hut directly so we also remove the host entry and proxy.	2025-05-29 13:24:20 +02:00
Rodrigo Arias Mallo	b0783b8117	Disable home via NFS in fox It won't be accesible anymore as we won't be in the same LAN.	2025-05-29 13:10:53 +02:00
Rodrigo Arias Mallo	40cb289b50	Rekey all secrets Fox is no longer able to use munge or ceph, so we remove the key and rekey them.	2025-05-29 13:10:53 +02:00
Rodrigo Arias Mallo	1cbf0cd0b1	Rotate fox SSH host key Prevent decrypting old secrets by reading the git history.	2025-05-29 13:10:53 +02:00
Rodrigo Arias Mallo	73ae589303	Distrust fox SSH key We no longer will share secrets with fox until we can regain our trust.	2025-05-29 13:10:53 +02:00
Rodrigo Arias Mallo	1e3c2c02f3	Remove Ceph module from fox It will no longer be accesible from the UPC.	2025-05-29 13:10:53 +02:00
Rodrigo Arias Mallo	ec0daef96c	Remove fox from SLURM	2025-05-29 13:10:53 +02:00
Rodrigo Arias Mallo	5486d3d6f3	Remove pam_slurm_adopt from fox We no longer will be able to use SLURM from jungle.	2025-05-29 13:10:53 +02:00