flake.lock: Update

Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/1381a759b205dff7a6818733118d02253340fd5e' (2024-04-02) → 'github:ryantm/agenix/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6' (2024-07-09) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/6143fc5eeb9c4f00163267708e26191d1e918932' (2024-04-21) → 'github:NixOS/nixpkgs/693bc46d169f5af9c992095736e82c3488bf7dbb' (2024-07-14)
Allow ptrace to any process of the same user
2024-07-17 14:50:01 +02:00 · 2024-07-17 13:23:45 +02:00 · 2024-07-17 13:23:45 +02:00 · 2024-07-17 13:23:45 +02:00 · 2024-07-17 13:23:45 +02:00 · 2024-07-17 13:23:29 +02:00
6 changed files with 36 additions and 9 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1712079060,
+        "lastModified": 1720546205,
-        "narHash": "sha256-/JdiT9t+zzjChc5qQiF+jhrVhRt8figYH29rZO7pFe4=",
+        "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "1381a759b205dff7a6818733118d02253340fd5e",
+        "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
        "type": "github"
      },
      "original": {
@@ -88,11 +88,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1713714899,
+        "lastModified": 1720957393,
-        "narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=",
+        "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "6143fc5eeb9c4f00163267708e26191d1e918932",
+        "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb",
        "type": "github"
      },
      "original": {
--- a/m/common/base/boot.nix
+++ b/m/common/base/boot.nix
@@ -19,6 +19,10 @@
  boot.kernel.sysctl = {
    "kernel.perf_event_paranoid" = lib.mkDefault "-1";
    # Allow ptracing (i.e. attach with GDB) any process of the same user, see:
    # https://www.kernel.org/doc/Documentation/security/Yama.txt
    "kernel.yama.ptrace_scope" = "0";
  };
  boot.kernelPackages = pkgs.linuxPackages_latest;
--- a/m/common/base/ssh.nix
+++ b/m/common/base/ssh.nix
@@ -12,7 +12,7 @@ in
  programs.ssh.extraConfig = ''
    Host bscpm02.bsc.es bscpm03.bsc.es gitlab-internal.bsc.es alya.gitlab.bsc.es
      User git
-      ProxyCommand nc -X connect -x localhost:23080 %h %p
+      ProxyCommand nc -X connect -x hut:23080 %h %p
  '';
  programs.ssh.knownHosts = hostsKeys // {
--- a/m/common/base/users.nix
+++ b/m/common/base/users.nix
@@ -55,7 +55,7 @@
        home = "/home/Computational/rpenacob";
        description = "Raúl Peñacoba";
        group = "Computational";
-        hosts = [ "hut" ];
+        hosts = [ "owl1" "owl2" "hut" ];
        hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc"
@@ -75,6 +75,19 @@
        ];
      };
      abonerib = {
        uid = 4541;
        isNormalUser = true;
        home = "/home/Computational/abonerib";
        description = "Aleix Boné";
        group = "Computational";
        hosts = [ "owl1" "owl2" "hut" "raccoon" ];
        hashedPassword = "$6$V1EQWJr474whv7XJ$OfJ0wueM2l.dgiJiiah0Tip9ITcJ7S7qDvtSycsiQ43QBFyP4lU0e0HaXWps85nqB4TypttYR4hNLoz3bz662/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc"
        ];
      };
      vlopez = {
        uid = 4334;
        isNormalUser = true;
--- a/m/common/xeon/net.nix
+++ b/m/common/xeon/net.nix
@@ -10,7 +10,7 @@
    nameservers = ["8.8.8.8"];
    proxy = {
-      default = "http://localhost:23080/";
+      default = "http://hut:23080/";
      noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40";
      # Don't set all_proxy as go complains and breaks the gitlab runner, see:
      # https://github.com/golang/go/issues/16715
--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@@ -34,5 +34,15 @@
      address = "10.0.42.7";
      prefixLength = 24;
    } ];
    firewall = {
      extraCommands = ''
        # Accept all proxy traffic from compute nodes but not the login
        iptables -A nixos-fw -p tcp -s 10.0.40.30 --dport 23080 -j nixos-fw-log-refuse
        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 23080 -j nixos-fw-accept
      '';
    };
  };
  # Allow proxy to bind to the ethernet interface
  services.openssh.settings.GatewayPorts = "clientspecified";
 }
Author	SHA1	Message	Date
Rodrigo Arias Mallo	dba11ea88a	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/1381a759b205dff7a6818733118d02253340fd5e' (2024-04-02) → 'github:ryantm/agenix/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6' (2024-07-09) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/6143fc5eeb9c4f00163267708e26191d1e918932' (2024-04-21) → 'github:NixOS/nixpkgs/693bc46d169f5af9c992095736e82c3488bf7dbb' (2024-07-14)	2024-07-17 14:50:01 +02:00
Rodrigo Arias Mallo	e3985b28a0	Allow ptrace to any process of the same user Allows users to attach GDB to their own processes, without requiring running the program with GDB from the start.	2024-07-17 13:23:45 +02:00
Rodrigo Arias Mallo	9fe29b864a	Add abonerib user to hut, raccon, owl1 and owl2	2024-07-17 13:23:45 +02:00
Rodrigo Arias Mallo	3ea7edf950	Grant rpenacob access to owl1 and owl2 nodes	2024-07-17 13:23:45 +02:00
Rodrigo Arias Mallo	53c200fbc5	Access private repositories via hut SSH proxy	2024-07-17 13:23:45 +02:00
Rodrigo Arias Mallo	f5ebf43019	Set the default proxy to point to hut	2024-07-17 13:23:29 +02:00
Rodrigo Arias Mallo	43e61a8da3	Allow incoming traffic to hut proxy	2024-07-17 12:56:59 +02:00