Add nixgen to all machines

Reviewed-by: Aleix Boné <abonerib@bsc.es>
Add nixgen package
2025-10-29 16:28:05 +01:00 · 2025-10-29 16:27:56 +01:00 · 2025-10-29 16:22:57 +01:00 · 2025-10-29 16:21:46 +01:00 · 2025-10-29 16:21:43 +01:00 · 2025-10-29 16:21:32 +01:00
68 changed files with 1350 additions and 165 deletions
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@ -12,4 +12,9 @@ jobs:
    runs-on: native
    steps:
      - uses: https://gitea.com/ScMi1/checkout@v1.4
-      - run: nix build -L --no-link --print-out-paths .#bsc-ci.all
+      - run: nix build -L --no-link --print-out-paths .#bsc.ci.all
+  build:cross:
+    runs-on: native
+    steps:
+      - uses: https://gitea.com/ScMi1/checkout@v1.4
+      - run: nix build -L --no-link --print-out-paths .#bsc.ci.cross
--- a/doc/maintainers.md
+++ b/doc/maintainers.md
@ -0,0 +1,30 @@
+# Maintainers
+
+## Role of a maintainer
+The responsibilities of maintainers are quite lax, and similar in spirit to
+[nixpkgs' maintainers][1]:
+
+    The main responsibility of a maintainer is to keep the packages they
+    maintain in a functioning state, and keep up with updates. In order to do
+    that, they are empowered to make decisions over the packages they maintain.
+
+    That being said, the maintainer is not alone in proposing changes to the
+    packages. Anybody (both bots and humans) can send PRs to bump or tweak the
+    package.
+
+In practice, this means that when updating or proposing changes to a package,
+we will notify maintainers by mentioning them in Gitea so they can test changes
+and give feedback.
+
+Since we do bi-yearly release cycles, there is no expectation from maintainers
+to update packages at each upstream release. Nevertheless, on each release cycle
+we may request help from maintainers when updating or testing their packages.
+
+## Becoming a maintainer
+
+
+You'll have to add yourself in the `maintainers.nix` list; your username should
+match your `bsc.es` email. Then you can add yourself to the `meta.maintainers`
+of any package you are interested in maintaining.
+
+[1]: [https://github.com/NixOS/nixpkgs/tree/nixos-25.05/maintainers]
--- a/flake.lock
+++ b/flake.lock
@ -1,71 +1,5 @@
 {
  "nodes": {
-    "agenix": {
-      "inputs": {
-        "darwin": "darwin",
-        "home-manager": "home-manager",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1750173260,
-        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
-        "owner": "ryantm",
-        "repo": "agenix",
-        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ryantm",
-        "repo": "agenix",
-        "type": "github"
-      }
-    },
-    "darwin": {
-      "inputs": {
-        "nixpkgs": [
-          "agenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1744478979,
-        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lnl7",
-        "ref": "master",
-        "repo": "nix-darwin",
-        "type": "github"
-      }
-    },
-    "home-manager": {
-      "inputs": {
-        "nixpkgs": [
-          "agenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1745494811,
-        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1752436162,
@ -84,24 +18,8 @@
    },
    "root": {
      "inputs": {
-        "agenix": "agenix",
        "nixpkgs": "nixpkgs"
      }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -1,15 +1,13 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
-    agenix.url = "github:ryantm/agenix";
-    agenix.inputs.nixpkgs.follows = "nixpkgs";
  };

-  outputs = { self, nixpkgs, agenix, ... }:
+  outputs = { self, nixpkgs, ... }:
 let
  mkConf = name: nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
-    specialArgs = { inherit nixpkgs agenix; theFlake = self; };
+    specialArgs = { inherit nixpkgs; theFlake = self; };
    modules = [ "${self.outPath}/m/${name}/configuration.nix" ];
  };
  # For now we only support x86
@ -42,11 +40,13 @@ in
    # full nixpkgs with our overlay applied
    legacyPackages.${system} = pkgs;

-    hydraJobs = {
-      inherit (self.legacyPackages.${system}.bsc-ci) tests pkgs cross;
-    };
+    hydraJobs = self.legacyPackages.${system}.bsc.hydraJobs;

    # propagate nixpkgs lib, so we can do bscpkgs.lib
-    inherit (nixpkgs) lib;
+    lib = nixpkgs.lib // {
+      maintainers = nixpkgs.lib.maintainers // {
+        bsc = import ./pkgs/maintainers.nix;
+      };
+    };
  };
 }
--- a/m/common/base.nix
+++ b/m/common/base.nix
@ -11,6 +11,7 @@
    ./base/hw.nix
    ./base/net.nix
    ./base/nix.nix
+    ./base/sys-devices.nix
    ./base/ntp.nix
    ./base/rev.nix
    ./base/ssh.nix
--- a/m/common/base/agenix.nix
+++ b/m/common/base/agenix.nix
@ -1,9 +1,8 @@
-{ agenix, ... }:
+{ pkgs, ... }:

 {
-  imports = [ agenix.nixosModules.default ];
+  imports = [ ../../module/agenix.nix ];

-  environment.systemPackages = [
-    agenix.packages.x86_64-linux.default
-  ];
+  # Add agenix to system packages
+  environment.systemPackages = [ pkgs.agenix ];
 }
--- a/m/common/base/env.nix
+++ b/m/common/base/env.nix
@ -5,8 +5,8 @@
    vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
    nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
    ncdu config.boot.kernelPackages.perf ldns pv
-    # From bsckgs overlay
-    osumb
+    # From jungle overlay
+    osumb nixgen
  ];

  programs.direnv.enable = true;
--- a/m/common/base/sys-devices.nix
+++ b/m/common/base/sys-devices.nix
@ -0,0 +1,9 @@
+{
+  nix.settings.system-features = [ "sys-devices" ];
+
+  programs.nix-required-mounts.enable = true;
+  programs.nix-required-mounts.allowedPatterns.sys-devices.paths = [
+    "/sys/devices/system/cpu"
+    "/sys/devices/system/node"
+  ];
+}
--- a/m/common/base/users.nix
+++ b/m/common/base/users.nix
@ -180,6 +180,19 @@
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFmMqKqPg4uocNOr3O41kLbZMOMJn3m2ZdN1JvTR96z3 bsccns@arnau-bsc"
        ];
      };
+
+      aaguirre = {
+        uid = 9655;
+        isNormalUser = true;
+        home = "/home/Computational/aaguirre";
+        description = "Alejandro Aguirre";
+        group = "Computational";
+        hosts = [ "apex" "hut" ];
+        hashedPassword = "$6$TXRXQT6jjBvxkxU6$E.sh5KspAm1qeG5Ct7OPHpo8REmbGDwjFGvqeGgTVz3GASGOAnPL7UMZsMAsAKBoahOw.v8LNno6XGrTEPzZH1";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlRX7ZCnqtUJYCxKgWmgSrFCYuA2LHY96rVwqxXPl86 aaguirre@BSC-8488184117"
+        ];
+      };
    };

    groups = {
--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@ -17,6 +17,7 @@
    ./postgresql.nix
    ./nginx.nix
    ./p.nix
+    ./ompss2-timer.nix
    #./pxe.nix
  ];

--- a/m/hut/gitea.nix
+++ b/m/hut/gitea.nix
@ -29,6 +29,9 @@
    };
  };

+  # Allow gitea user to send mail
+  users.users.gitea.extraGroups = [ "mail-robot" ];
+
  services.gitea-actions-runner.instances = {
    runrun = {
      enable = true;
--- a/m/hut/msmtp.nix
+++ b/m/hut/msmtp.nix
@ -1,8 +1,11 @@
 { config, lib, ... }:
 {
+  # Robot user that can see the password to send mail from jungle-robot
+  users.groups.mail-robot = {};
+
  age.secrets.jungleRobotPassword = {
    file = ../../secrets/jungle-robot-password.age;
-    group = "gitea";
+    group = "mail-robot";
    mode = "440";
  };

--- a/m/hut/nginx.nix
+++ b/m/hut/nginx.nix
@ -4,8 +4,8 @@ let
    name = "jungle-web";
    src = pkgs.fetchgit {
      url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "739bf0175a7f05380fe7ad7023ff1d60db1710e1";
-      hash = "sha256-ea5DzhYTzZ9TmqD+x95rdNdLbxPnBluqlYH2NmBYmc4=";
+      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
+      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
    };
    buildInputs = [ pkgs.hugo ];
    buildPhase = ''
--- a/m/hut/ompss2-timer.nix
+++ b/m/hut/ompss2-timer.nix
@ -0,0 +1,85 @@
+{ config, pkgs, ... }:
+{
+  systemd.timers = {
+    "ompss2-closing" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Unit = "ompss2-closing.service";
+        OnCalendar = [ "*-03-15 07:00:00" "*-09-15 07:00:00"];
+      };
+    };
+    "ompss2-freeze" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Unit = "ompss2-freeze.service";
+        OnCalendar = [ "*-04-15 07:00:00" "*-10-15 07:00:00" ];
+      };
+    };
+    "ompss2-release" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Unit = "ompss2-release.service";
+        OnCalendar = [ "*-05-15 07:00:00" "*-11-15 07:00:00" ];
+      };
+    };
+  };
+
+  systemd.services =
+  let
+    closing = pkgs.writeText "closing.txt"
+    ''
+      Subject: OmpSs-2 release enters closing period
+
+      Hi,
+
+      You have one month to merge the remaining features for the next OmpSs-2
+      release. Please, identify what needs to be merged and discuss it in the next
+      OmpSs-2 meeting.
+
+      Thanks!,
+      Jungle robot
+    '';
+    freeze = pkgs.writeText "freeze.txt"
+    ''
+      Subject: OmpSs-2 release enters freeze period
+
+      Hi,
+
+      The period to introduce new features or breaking changes is over, only bug
+      fixes are allowed now. During this time, please prepare the release notes
+      to be included in the next OmpSs-2 release.
+
+      Thanks!,
+      Jungle robot
+    '';
+    release = pkgs.writeText "release.txt"
+    ''
+      Subject: OmpSs-2 release now
+
+      Hi,
+
+      The period to introduce bug fixes is now over. Please, proceed to do the
+      OmpSs-2 release.
+
+      Thanks!,
+      Jungle robot
+    '';
+    mkServ = name: mail: {
+      "ompss2-${name}" = {
+        script = ''
+          set -eu
+          set -o pipefail
+          cat ${mail} | ${config.security.wrapperDir}/sendmail star@bsc.es
+        '';
+        serviceConfig = {
+          Type = "oneshot";
+          DynamicUser = true;
+          Group = "mail-robot";
+        };
+      };
+    };
+  in
+    (mkServ "closing" closing) //
+    (mkServ "freeze" freeze) //
+    (mkServ "release" release);
+}
--- a/m/module/agenix.nix
+++ b/m/module/agenix.nix
@ -0,0 +1,357 @@
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  cfg = config.age;
+
+  isDarwin = lib.attrsets.hasAttrByPath [ "environment" "darwinConfig" ] options;
+
+  ageBin = config.age.ageBin;
+
+  users = config.users.users;
+
+  sysusersEnabled =
+    if isDarwin then
+      false
+    else
+      options.systemd ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable);
+
+  mountCommand =
+    if isDarwin then
+      ''
+        if ! diskutil info "${cfg.secretsMountPoint}" &> /dev/null; then
+            num_sectors=1048576
+            dev=$(hdiutil attach -nomount ram://"$num_sectors" | sed 's/[[:space:]]*$//')
+            newfs_hfs -v agenix "$dev"
+            mount -t hfs -o nobrowse,nodev,nosuid,-m=0751 "$dev" "${cfg.secretsMountPoint}"
+        fi
+      ''
+    else
+      ''
+        grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts ||
+          mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
+      '';
+  newGeneration = ''
+    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+    (( ++_agenix_generation ))
+    echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
+    mkdir -p "${cfg.secretsMountPoint}"
+    chmod 0751 "${cfg.secretsMountPoint}"
+    ${mountCommand}
+    mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
+    chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
+  '';
+
+  chownGroup = if isDarwin then "admin" else "keys";
+  # chown the secrets mountpoint and the current generation to the keys group
+  # instead of leaving it root:root.
+  chownMountPoint = ''
+    chown :${chownGroup} "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"
+  '';
+
+  setTruePath = secretType: ''
+    ${
+      if secretType.symlink then
+        ''
+          _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
+        ''
+      else
+        ''
+          _truePath="${secretType.path}"
+        ''
+    }
+  '';
+
+  installSecret = secretType: ''
+    ${setTruePath secretType}
+    echo "decrypting '${secretType.file}' to '$_truePath'..."
+    TMP_FILE="$_truePath.tmp"
+
+    IDENTITIES=()
+    for identity in ${toString cfg.identityPaths}; do
+      test -r "$identity" || continue
+      test -s "$identity" || continue
+      IDENTITIES+=(-i)
+      IDENTITIES+=("$identity")
+    done
+
+    test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
+
+    mkdir -p "$(dirname "$_truePath")"
+    [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
+    (
+      umask u=r,g=,o=
+      test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!'
+      test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
+      LANG=${
+        config.i18n.defaultLocale or "C"
+      } ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}"
+    )
+    chmod ${secretType.mode} "$TMP_FILE"
+    mv -f "$TMP_FILE" "$_truePath"
+
+    ${optionalString secretType.symlink ''
+      [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
+    ''}
+  '';
+
+  testIdentities = map (path: ''
+    test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
+  '') cfg.identityPaths;
+
+  cleanupAndLink = ''
+    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+    (( ++_agenix_generation ))
+    echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
+    ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
+
+    (( _agenix_generation > 1 )) && {
+    echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
+    rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
+    }
+  '';
+
+  installSecrets = builtins.concatStringsSep "\n" (
+    [ "echo '[agenix] decrypting secrets...'" ]
+    ++ testIdentities
+    ++ (map installSecret (builtins.attrValues cfg.secrets))
+    ++ [ cleanupAndLink ]
+  );
+
+  chownSecret = secretType: ''
+    ${setTruePath secretType}
+    chown ${secretType.owner}:${secretType.group} "$_truePath"
+  '';
+
+  chownSecrets = builtins.concatStringsSep "\n" (
+    [ "echo '[agenix] chowning...'" ]
+    ++ [ chownMountPoint ]
+    ++ (map chownSecret (builtins.attrValues cfg.secrets))
+  );
+
+  secretType = types.submodule (
+    { config, ... }:
+    {
+      options = {
+        name = mkOption {
+          type = types.str;
+          default = config._module.args.name;
+          defaultText = literalExpression "config._module.args.name";
+          description = ''
+            Name of the file used in {option}`age.secretsDir`
+          '';
+        };
+        file = mkOption {
+          type = types.path;
+          description = ''
+            Age file the secret is loaded from.
+          '';
+        };
+        path = mkOption {
+          type = types.str;
+          default = "${cfg.secretsDir}/${config.name}";
+          defaultText = literalExpression ''
+            "''${cfg.secretsDir}/''${config.name}"
+          '';
+          description = ''
+            Path where the decrypted secret is installed.
+          '';
+        };
+        mode = mkOption {
+          type = types.str;
+          default = "0400";
+          description = ''
+            Permissions mode of the decrypted secret in a format understood by chmod.
+          '';
+        };
+        owner = mkOption {
+          type = types.str;
+          default = "0";
+          description = ''
+            User of the decrypted secret.
+          '';
+        };
+        group = mkOption {
+          type = types.str;
+          default = users.${config.owner}.group or "0";
+          defaultText = literalExpression ''
+            users.''${config.owner}.group or "0"
+          '';
+          description = ''
+            Group of the decrypted secret.
+          '';
+        };
+        symlink = mkEnableOption "symlinking secrets to their destination" // {
+          default = true;
+        };
+      };
+    }
+  );
+in
+{
+  imports = [
+    (mkRenamedOptionModule [ "age" "sshKeyPaths" ] [ "age" "identityPaths" ])
+  ];
+
+  options.age = {
+    ageBin = mkOption {
+      type = types.str;
+      default = "${pkgs.age}/bin/age";
+      defaultText = literalExpression ''
+        "''${pkgs.age}/bin/age"
+      '';
+      description = ''
+        The age executable to use.
+      '';
+    };
+    secrets = mkOption {
+      type = types.attrsOf secretType;
+      default = { };
+      description = ''
+        Attrset of secrets.
+      '';
+    };
+    secretsDir = mkOption {
+      type = types.path;
+      default = "/run/agenix";
+      description = ''
+        Folder where secrets are symlinked to
+      '';
+    };
+    secretsMountPoint = mkOption {
+      type =
+        types.addCheck types.str (
+          s:
+          (builtins.match "[ \t\n]*" s) == null # non-empty
+          && (builtins.match ".+/" s) == null
+        ) # without trailing slash
+        // {
+          description = "${types.str.description} (with check: non-empty without trailing slash)";
+        };
+      default = "/run/agenix.d";
+      description = ''
+        Where secrets are created before they are symlinked to {option}`age.secretsDir`
+      '';
+    };
+    identityPaths = mkOption {
+      type = types.listOf types.path;
+      default =
+        if isDarwin then
+          [
+            "/etc/ssh/ssh_host_ed25519_key"
+            "/etc/ssh/ssh_host_rsa_key"
+          ]
+        else if (config.services.openssh.enable or false) then
+          map (e: e.path) (
+            lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys
+          )
+        else
+          [ ];
+      defaultText = literalExpression ''
+        if isDarwin
+        then [
+          "/etc/ssh/ssh_host_ed25519_key"
+          "/etc/ssh/ssh_host_rsa_key"
+        ]
+        else if (config.services.openssh.enable or false)
+        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
+        else [];
+      '';
+      description = ''
+        Path to SSH keys to be used as identities in age decryption.
+      '';
+    };
+  };
+
+  config = mkIf (cfg.secrets != { }) (mkMerge [
+    {
+      assertions = [
+        {
+          assertion = cfg.identityPaths != [ ];
+          message = "age.identityPaths must be set, for example by enabling openssh.";
+        }
+      ];
+    }
+    (optionalAttrs (!isDarwin) {
+      # When using sysusers we no longer be started as an activation script
+      # because those are started in initrd while sysusers is started later.
+      systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
+        wantedBy = [ "sysinit.target" ];
+        after = [ "systemd-sysusers.service" ];
+        unitConfig.DefaultDependencies = "no";
+
+        path = [ pkgs.mount ];
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = pkgs.writeShellScript "agenix-install" (concatLines [
+            newGeneration
+            installSecrets
+            chownSecrets
+          ]);
+          RemainAfterExit = true;
+        };
+      };
+
+      # Create a new directory full of secrets for symlinking (this helps
+      # ensure removed secrets are actually removed, or at least become
+      # invalid symlinks).
+      system.activationScripts = mkIf (!sysusersEnabled) {
+        agenixNewGeneration = {
+          text = newGeneration;
+          deps = [
+            "specialfs"
+          ];
+        };
+
+        agenixInstall = {
+          text = installSecrets;
+          deps = [
+            "agenixNewGeneration"
+            "specialfs"
+          ];
+        };
+
+        # So user passwords can be encrypted.
+        users.deps = [ "agenixInstall" ];
+
+        # Change ownership and group after users and groups are made.
+        agenixChown = {
+          text = chownSecrets;
+          deps = [
+            "users"
+            "groups"
+          ];
+        };
+
+        # So other activation scripts can depend on agenix being done.
+        agenix = {
+          text = "";
+          deps = [ "agenixChown" ];
+        };
+      };
+    })
+
+    (optionalAttrs isDarwin {
+      launchd.daemons.activate-agenix = {
+        script = ''
+          set -e
+          set -o pipefail
+          export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
+          ${newGeneration}
+          ${installSecrets}
+          ${chownSecrets}
+          exit 0
+        '';
+        serviceConfig = {
+          RunAtLoad = true;
+          KeepAlive.SuccessfulExit = false;
+        };
+      };
+    })
+  ]);
+}
--- a/m/module/slurm-common.nix
+++ b/m/module/slurm-common.nix
@ -86,9 +86,7 @@ in {
      # when a task runs (srun) so we can ssh early.
      PrologFlags=Alloc,Contain,X11

-      # LaunchParameters=ulimit_pam_adopt will set RLIMIT_RSS in processes
-      # adopted by the external step, similar to tasks running in regular steps
-      # LaunchParameters=ulimit_pam_adopt
+      LaunchParameters=use_interactive_step
      SlurmdDebug=debug5
      #DebugFlags=Protocol,Cgroup
    '';
--- a/m/tent/nginx.nix
+++ b/m/tent/nginx.nix
@ -4,8 +4,8 @@ let
    name = "jungle-web";
    src = pkgs.fetchgit {
      url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "739bf0175a7f05380fe7ad7023ff1d60db1710e1";
-      hash = "sha256-ea5DzhYTzZ9TmqD+x95rdNdLbxPnBluqlYH2NmBYmc4=";
+      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
+      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
    };
    buildInputs = [ pkgs.hugo ];
    buildPhase = ''
--- a/overlay.nix
+++ b/overlay.nix
@ -7,6 +7,7 @@ let
  callPackage = final.callPackage;

  bscPkgs = {
+    agenix = prev.callPackage ./pkgs/agenix/default.nix { };
    amd-uprof = prev.callPackage ./pkgs/amd-uprof/default.nix { };
    bench6 = callPackage ./pkgs/bench6/default.nix { };
    bigotes = callPackage ./pkgs/bigotes/default.nix { };
@ -36,6 +37,7 @@ let
    nanos6 = callPackage ./pkgs/nanos6/default.nix { };
    nanos6Debug = final.nanos6.override { enableDebug = true; };
    nixtools = callPackage ./pkgs/nixtools/default.nix { };
+    nixgen = callPackage ./pkgs/nixgen/default.nix { };
    # Broken because of pkgsStatic.libcap
    # See: https://github.com/NixOS/nixpkgs/pull/268791
    #nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
@ -50,6 +52,7 @@ let
    prometheus-slurm-exporter = prev.callPackage ./pkgs/slurm-exporter/default.nix { };
    #pscom = callPackage ./pkgs/parastation/pscom.nix { }; # Unmaintaned
    #psmpi = callPackage ./pkgs/parastation/psmpi.nix { }; # Unmaintaned
+    slurm = import ./pkgs/slurm/default.nix { slurm = prev.slurm; };
    sonar = callPackage ./pkgs/sonar/default.nix { };
    stdenvClangOmpss2 = final.stdenv.override { cc = final.clangOmpss2; allowedRequisites = null; };
    stdenvClangOmpss2Nanos6 = final.stdenv.override { cc = final.clangOmpss2Nanos6; allowedRequisites = null; };
@ -62,7 +65,7 @@ let
  };

  tests = rec {
-    #hwloc = callPackage ./test/bugs/hwloc.nix { }; # Broken, no /sys
+    hwloc = callPackage ./test/bugs/hwloc.nix { };
    #sigsegv = callPackage ./test/reproducers/sigsegv.nix { };
    hello-c = callPackage ./test/compilers/hello-c.nix { };
    hello-cpp = callPackage ./test/compilers/hello-cpp.nix { };
@ -94,12 +97,18 @@ let
    };
  };

-  pkgs = filterAttrs (_: isDerivation) bscPkgs;
+  # For now, only build toplevel packages in CI/Hydra
+  pkgsTopLevel = filterAttrs (_: isDerivation) bscPkgs;

-  crossTargets = [ "riscv64" ];
-  cross = prev.lib.genAttrs crossTargets (target:
-    final.pkgsCross.${target}.bsc-ci.pkgs
-  );
+  # Native build in that platform doesn't imply cross build works
+  canCrossCompile = platform: pkg:
+    (isDerivation pkg) &&
+    # Must be defined explicitly
+    (pkg.meta.cross or false) &&
+    (meta.availableOn platform pkg);
+
+  # For now only RISC-V
+  crossSet = { riscv64 = final.pkgsCross.riscv64.bsc.pkgsTopLevel; };

  buildList = name: paths:
    final.runCommandLocal name { } ''
@ -113,22 +122,38 @@ let
      printf '%s\n' $deps >$out
    '';

-  crossList = builtins.mapAttrs (t: v: buildList t (builtins.attrValues v)) cross;
-
-  pkgsList = buildList "ci-pkgs" (builtins.attrValues pkgs);
-  testList = buildList "ci-tests" (collect isDerivation tests);
-
-  all = buildList' "ci-all" [ pkgsList testList ];
+  pkgsList = buildList "ci-pkgs" (builtins.attrValues pkgsTopLevel);
+  testsList = buildList "ci-tests" (collect isDerivation tests);
+  allList = buildList' "ci-all" [ pkgsList testsList ];
+  # For now only RISC-V
+  crossList = buildList "ci-cross"
+    (filter
+      (canCrossCompile final.pkgsCross.riscv64.stdenv.hostPlatform)
+        (builtins.attrValues crossSet.riscv64));

 in bscPkgs // {
-  # Prevent accidental usage of bsc attribute
-  bsc = throw "the bsc attribute is deprecated, packages are now in the root";
+
+  lib = prev.lib // {
+    maintainers = prev.lib.maintainers // {
+      bsc = import ./pkgs/maintainers.nix;
+    };
+  };
+
+  # Prevent accidental usage of bsc-ci attribute
+  bsc-ci = throw "the bsc-ci attribute is deprecated, use bsc.ci";

  # Internal for our CI tests
-  bsc-ci = {
-    inherit pkgs pkgsList;
-    inherit tests testList;
-    inherit cross crossList;
-    inherit all;
+  bsc = {
+    # CI targets for nix build
+    ci = { pkgs = pkgsList; tests = testsList; all = allList; cross = crossList; };
+
+    # Direct access to package sets
+    tests = tests;
+    pkgs = bscPkgs;
+    pkgsTopLevel = pkgsTopLevel;
+    cross = crossSet;
+
+    # Hydra uses attribute sets of pkgs
+    hydraJobs = { tests = tests; pkgs = pkgsTopLevel; cross = crossSet; };
  };
 }
--- a/pkgs/agenix/agenix.sh
+++ b/pkgs/agenix/agenix.sh
@ -0,0 +1,212 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+PACKAGE="agenix"
+
+function show_help () {
+  echo "$PACKAGE - edit and rekey age secret files"
+  echo " "
+  echo "$PACKAGE -e FILE [-i PRIVATE_KEY]"
+  echo "$PACKAGE -r [-i PRIVATE_KEY]"
+  echo ' '
+  echo 'options:'
+  echo '-h, --help                show help'
+  # shellcheck disable=SC2016
+  echo '-e, --edit FILE           edits FILE using $EDITOR'
+  echo '-r, --rekey               re-encrypts all secrets with specified recipients'
+  echo '-d, --decrypt FILE        decrypts FILE to STDOUT'
+  echo '-i, --identity            identity to use when decrypting'
+  echo '-v, --verbose             verbose output'
+  echo ' '
+  echo 'FILE an age-encrypted file'
+  echo ' '
+  echo 'PRIVATE_KEY a path to a private SSH key used to decrypt file'
+  echo ' '
+  echo 'EDITOR environment variable of editor to use when editing FILE'
+  echo ' '
+  echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
+  echo ' '
+  echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
+  echo "Defaults to './secrets.nix'"
+  echo ' '
+  echo "agenix version: @version@"
+  echo "age binary path: @ageBin@"
+  echo "age version: $(@ageBin@ --version)"
+}
+
+function warn() {
+  printf '%s\n' "$*" >&2
+}
+
+function err() {
+  warn "$*"
+  exit 1
+}
+
+test $# -eq 0 && (show_help && exit 1)
+
+REKEY=0
+DECRYPT_ONLY=0
+DEFAULT_DECRYPT=(--decrypt)
+
+while test $# -gt 0; do
+  case "$1" in
+    -h|--help)
+      show_help
+      exit 0
+      ;;
+    -e|--edit)
+      shift
+      if test $# -gt 0; then
+        export FILE=$1
+      else
+        echo "no FILE specified"
+        exit 1
+      fi
+      shift
+      ;;
+    -i|--identity)
+      shift
+      if test $# -gt 0; then
+        DEFAULT_DECRYPT+=(--identity "$1")
+      else
+        echo "no PRIVATE_KEY specified"
+        exit 1
+      fi
+      shift
+      ;;
+    -r|--rekey)
+      shift
+      REKEY=1
+      ;;
+    -d|--decrypt)
+      shift
+      DECRYPT_ONLY=1
+      if test $# -gt 0; then
+        export FILE=$1
+      else
+        echo "no FILE specified"
+        exit 1
+      fi
+      shift
+      ;;
+    -v|--verbose)
+      shift
+      set -x
+      ;;
+    *)
+      show_help
+      exit 1
+      ;;
+  esac
+done
+
+RULES=${RULES:-./secrets.nix}
+function cleanup {
+    if [ -n "${CLEARTEXT_DIR+x}" ]
+    then
+        rm -rf -- "$CLEARTEXT_DIR"
+    fi
+    if [ -n "${REENCRYPTED_DIR+x}" ]
+    then
+        rm -rf -- "$REENCRYPTED_DIR"
+    fi
+}
+trap "cleanup" 0 2 3 15
+
+function keys {
+    (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$1\".publicKeys)" | @jqBin@ -r .[]) || exit 1
+}
+
+function armor {
+    (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in (builtins.hasAttr \"armor\" rules.\"$1\" && rules.\"$1\".armor))") || exit 1
+}
+
+function decrypt {
+    FILE=$1
+    KEYS=$2
+    if [ -z "$KEYS" ]
+    then
+        err "There is no rule for $FILE in $RULES."
+    fi
+
+    if [ -f "$FILE" ]
+    then
+        DECRYPT=("${DEFAULT_DECRYPT[@]}")
+        if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
+            if [ -f "$HOME/.ssh/id_rsa" ]; then
+                DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
+            fi
+            if [ -f "$HOME/.ssh/id_ed25519" ]; then
+                DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
+            fi
+        fi
+        if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
+          err "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
+        fi
+
+        @ageBin@ "${DECRYPT[@]}" -- "$FILE" || exit 1
+    fi
+}
+
+function edit {
+    FILE=$1
+    KEYS=$(keys "$FILE") || exit 1
+    ARMOR=$(armor "$FILE") || exit 1
+
+    CLEARTEXT_DIR=$(@mktempBin@ -d)
+    CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename -- "$FILE")"
+    DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
+
+    decrypt "$FILE" "$KEYS" || exit 1
+
+    [ ! -f "$CLEARTEXT_FILE" ] || cp -- "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
+
+    [ -t 0 ] || EDITOR='cp -- /dev/stdin'
+
+    $EDITOR "$CLEARTEXT_FILE"
+
+    if [ ! -f "$CLEARTEXT_FILE" ]
+    then
+      warn "$FILE wasn't created."
+      return
+    fi
+    [ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q -- "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
+
+    ENCRYPT=()
+    if [[ "$ARMOR" == "true" ]]; then
+        ENCRYPT+=(--armor)
+    fi
+    while IFS= read -r key
+    do
+        if [ -n "$key" ]; then
+            ENCRYPT+=(--recipient "$key")
+        fi
+    done <<< "$KEYS"
+
+    REENCRYPTED_DIR=$(@mktempBin@ -d)
+    REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename -- "$FILE")"
+
+    ENCRYPT+=(-o "$REENCRYPTED_FILE")
+
+    @ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
+
+    mkdir -p -- "$(dirname -- "$FILE")"
+
+    mv -f -- "$REENCRYPTED_FILE" "$FILE"
+}
+
+function rekey {
+    FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)"  | @jqBin@ -r .[]) || exit 1)
+
+    for FILE in $FILES
+    do
+        warn "rekeying $FILE..."
+        EDITOR=: edit "$FILE"
+        cleanup
+    done
+}
+
+[ $REKEY -eq 1 ] && rekey && exit 0
+[ $DECRYPT_ONLY -eq 1 ] && DEFAULT_DECRYPT+=("-o" "-") && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
+edit "$FILE" && cleanup && exit 0
--- a/pkgs/agenix/default.nix
+++ b/pkgs/agenix/default.nix
@ -0,0 +1,66 @@
+{
+  lib,
+  stdenv,
+  age,
+  jq,
+  nix,
+  mktemp,
+  diffutils,
+  replaceVars,
+  ageBin ? "${age}/bin/age",
+  shellcheck,
+}:
+let
+  bin = "${placeholder "out"}/bin/agenix";
+in
+stdenv.mkDerivation rec {
+  pname = "agenix";
+  version = "0.15.0";
+  src = replaceVars ./agenix.sh {
+    inherit ageBin version;
+    jqBin = "${jq}/bin/jq";
+    nixInstantiate = "${nix}/bin/nix-instantiate";
+    mktempBin = "${mktemp}/bin/mktemp";
+    diffBin = "${diffutils}/bin/diff";
+  };
+  dontUnpack = true;
+  doInstallCheck = true;
+  installCheckInputs = [ shellcheck ];
+  postInstallCheck = ''
+    shellcheck ${bin}
+    ${bin} -h | grep ${version}
+
+    test_tmp=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
+    export HOME="$test_tmp/home"
+    export NIX_STORE_DIR="$test_tmp/nix/store"
+    export NIX_STATE_DIR="$test_tmp/nix/var"
+    mkdir -p "$HOME" "$NIX_STORE_DIR" "$NIX_STATE_DIR"
+    function cleanup {
+      rm -rf "$test_tmp"
+    }
+    trap "cleanup" 0 2 3 15
+
+    mkdir -p $HOME/.ssh
+    cp -r "${./example}" $HOME/secrets
+    chmod -R u+rw $HOME/secrets
+    (
+    umask u=rw,g=r,o=r
+    cp ${./example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub
+    chown $UID $HOME/.ssh/id_ed25519.pub
+    )
+    (
+    umask u=rw,g=,o=
+    cp ${./example_keys/user1} $HOME/.ssh/id_ed25519
+    chown $UID $HOME/.ssh/id_ed25519
+    )
+
+    cd $HOME/secrets
+    test $(${bin} -d secret1.age) = "hello"
+  '';
+
+  installPhase = ''
+    install -D $src ${bin}
+  '';
+
+  meta.description = "age-encrypted secrets for NixOS";
+}
--- a/pkgs/agenix/example/-leading-hyphen-filename.age
+++ b/pkgs/agenix/example/-leading-hyphen-filename.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 V3XmEA zirqdzZZ1E+sedBn7fbEHq4ntLEkokZ4GctarBBOHXY
+Rvs5YHaAUeCZyNwPedubPcHClWYIuXXWA5zadXPWY6w
+-> ssh-ed25519 KLPP8w BVp4rDkOYSQyn8oVeHFeinSqW+pdVtxBF9+5VM1yORY
+bMwppAi8Nhz0328taU4AzUkTVyWtSLvFZG6c5W/Fs78
+--- xCbqLhXAcOziO2wmbjTiSQfZvt5Rlsc4SCvF+iEzpQA
+ôKB£î/²ZÅÈrÙ%¾à4¡´—Mq5×Ô_ÌÂÝ’‹†ã„Ò11Ü¨qM;& ¢‡LríÂÒføû”]>N
--- a/pkgs/agenix/example/armored-secret.age
+++ b/pkgs/agenix/example/armored-secret.age
@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFYzWG1FQSBpZkZW
+aFpLNnJxc0VUMHRmZ2dZS0pjMGVENnR3OHd5K0RiT1RjRUhibFZBCnN5UG5vUjA3
+SXpsNGtiVUw4T0tIVFo5Wkk5QS9NQlBndzVvektiQ0ozc0kKLS0tIGxyY1Q4dEZ1
+VGZEanJyTFNta2JNRmpZb2FnK2JyS1hSVml1UGdMNWZKQXMKYla+wTXcRedyZoEb
+LVWaSx49WoUTU0KBPJg9RArxaeC23GoCDzR/aM/1DvYU
+-----END AGE ENCRYPTED FILE-----
--- a/pkgs/agenix/example/passwordfile-user1.age
+++ b/pkgs/agenix/example/passwordfile-user1.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 KLPP8w s1DYZRlZuSsyhmZCF1lFB+E9vB8bZ/+ZhBRlx8nprwE
+nmYVCsVBrX2CFXXPU+D+bbkkIe/foofp+xoUrg9DHZw
+-> ssh-ed25519 V3XmEA Pwv3oCwcY0DX8rY48UNfsj9RumWsn4dbgorYHCwObgI
+FKxRYkL3JHtJxUwymWDF0rAtJ33BivDI6IfPsfumM90
+-> V'v(/u$-grease em/Vgf 2qDuk
+7I3iiQLPGi1COML9u/JeYkr7EqbSLoU
+--- 57WJRigUGtmcObrssS3s4PvmR8wgh1AOC/ijJn1s3xI
+<EFBFBD>'K©Æ·Y&‘7GÆOÝòFj±kÆXç«BnuJöê:9Ê(’ÙÏX¬#¼AíÄÞÃÚ§j’,ê_ÈþÝ?ÝZ“¥vœ¹V’96]oks~%£c	Îe^CÅ%JQ5€<H¢z}îCý,°pŒ¿*!W§§ÈA±ºÒ…dC¼K)¿¢-žy
--- a/pkgs/agenix/example/secret1.age
+++ b/pkgs/agenix/example/secret1.age
--- a/pkgs/agenix/example/secret2.age
+++ b/pkgs/agenix/example/secret2.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 V3XmEA OB4+1FbPhQ3r6iGksM7peWX5it8NClpXIq/o5nnP7GA
+FmHVUj+A5i5+bDFgySQskmlvynnosJiWUTJmBRiNA9I
+--- tP+3mFVtd7ogVu1Lkboh55zoi5a77Ht08Uc/QuIviv4
+¤¬Xæ{”ïOŠ£èätMXxÔvÓª(¬IÁmyPÇï¸è+3²S3i
--- a/pkgs/agenix/example/secrets.nix
+++ b/pkgs/agenix/example/secrets.nix
@ -0,0 +1,23 @@
+let
+  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
+  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
+in
+{
+  "secret1.age".publicKeys = [
+    user1
+    system1
+  ];
+  "secret2.age".publicKeys = [ user1 ];
+  "passwordfile-user1.age".publicKeys = [
+    user1
+    system1
+  ];
+  "-leading-hyphen-filename.age".publicKeys = [
+    user1
+    system1
+  ];
+  "armored-secret.age" = {
+    publicKeys = [ user1 ];
+    armor = true;
+  };
+}
--- a/pkgs/agenix/example_keys/system1
+++ b/pkgs/agenix/example_keys/system1
@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxAAAAJA3yvCWN8rw
+lgAAAAtzc2gtZWQyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxA
+AAAEA+J2V6AG1NriAIvnNKRauIEh1JE9HSdhvKJ68a5Fm0w/JDyIr/FSz1cJdcoW69R+Nr
+WzwGK/+3gJpqD1t8L2zEAAAADHJ5YW50bUBob21lMQE=
+-----END OPENSSH PRIVATE KEY-----
--- a/pkgs/agenix/example_keys/system1.pub
+++ b/pkgs/agenix/example_keys/system1.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE
--- a/pkgs/agenix/example_keys/user1
+++ b/pkgs/agenix/example_keys/user1
@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRwAAAJC2JJ8htiSf
+IQAAAAtzc2gtZWQyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRw
+AAAEDxt5gC/s53IxiKAjfZJVCCcFIsdeERdIgbYhLO719+Kb0idNvgGiucWgup/mP78zyC
+23uFjYq0evcWdjGQUaBHAAAADHJ5YW50bUBob21lMQE=
+-----END OPENSSH PRIVATE KEY-----
--- a/pkgs/agenix/example_keys/user1.pub
+++ b/pkgs/agenix/example_keys/user1.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH
--- a/pkgs/agenix/update.sh
+++ b/pkgs/agenix/update.sh
@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+
+# All operations are done relative to root
+GITROOT=$(git rev-parse --show-toplevel)
+cd "$GITROOT"
+
+REVISION=${1:-main}
+
+TMPCLONE=$(mktemp -d)
+trap "rm -rf ${TMPCLONE}" EXIT
+
+git clone https://github.com/ryantm/agenix.git --revision="$REVISION" "$TMPCLONE" --depth=1
+
+cp "${TMPCLONE}/pkgs/agenix.sh" pkgs/agenix/agenix.sh
+cp "${TMPCLONE}/pkgs/agenix.nix" pkgs/agenix/default.nix
+sed -i 's#../example#./example#' pkgs/agenix/default.nix
+
+cp "${TMPCLONE}/example/"* pkgs/agenix/example/
+cp "${TMPCLONE}/example_keys/"* pkgs/agenix/example_keys/
+
+cp "${TMPCLONE}/modules/age.nix" m/module/agenix.nix
--- a/pkgs/amd-uprof/default.nix
+++ b/pkgs/amd-uprof/default.nix
@ -86,4 +86,13 @@ in
      patchelf --add-needed libnuma.so $out/bin/AMDuProfPcm
      set +x
    '';
+
+    meta = {
+      description = "Performance analysis tool-suite for x86 based applications";
+      homepage = "https://www.amd.com/es/developer/uprof.html";
+      platforms = lib.platforms.linux;
+      license = lib.licenses.unfree;
+      maintainers = with lib.maintainers.bsc; [ rarias varcila ];
+    };
+
  }
--- a/pkgs/amd-uprof/driver.nix
+++ b/pkgs/amd-uprof/driver.nix
@ -29,5 +29,7 @@ in stdenv.mkDerivation {
    description = "AMD Power Profiler Driver";
    homepage = "https://www.amd.com/es/developer/uprof.html";
    platforms = lib.platforms.linux;
+    license = lib.licenses.unfree;
+    maintainers = with lib.maintainers.bsc; [ rarias varcila ];
  };
 }
--- a/pkgs/bench6/default.nix
+++ b/pkgs/bench6/default.nix
@ -1,5 +1,6 @@
 {
  stdenv
+, lib
 , bigotes
 , cmake
 , clangOmpss2
@ -58,4 +59,12 @@ stdenv.mkDerivation rec {
  ];
  hardeningDisable = [ "all" ];
  dontStrip = true;
+
+  meta = {
+    homepage = "https://gitlab.pm.bsc.es/rarias/bench6";
+    description = "Set of micro-benchmarks for OmpSs-2 and several mini-apps";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }
--- a/pkgs/bigotes/default.nix
+++ b/pkgs/bigotes/default.nix
@ -1,5 +1,6 @@
 {
  stdenv
+, lib
 , fetchFromGitHub
 , cmake
 }:
@ -14,4 +15,12 @@ stdenv.mkDerivation {
    sha256 = "sha256-ktxM3pXiL8YXSK+/IKWYadijhYXqGoLY6adLk36iigE=";
  };
  nativeBuildInputs = [ cmake ];
+
+  meta = {
+    homepage = "https://github.com/rodarima/bigotes";
+    description = "Versatile benchmark tool";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }
--- a/pkgs/extrae/default.nix
+++ b/pkgs/extrae/default.nix
@ -20,6 +20,7 @@
 #, python3Packages
 , installShellFiles
 , symlinkJoin
+, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
 }:

 let
@ -87,7 +88,7 @@ stdenv.mkDerivation rec {
      --enable-sampling
      --with-unwind=${libunwind.dev}
      --with-xml-prefix=${libxml2.dev}
-      --with-papi=${papi}
+      ${lib.optionalString enablePapi "--with-papi=${papi}"}
      ${if (mpi != null) then ''--with-mpi=${mpi}''
        else ''--without-mpi''}
      --without-dyninst)
@ -110,4 +111,13 @@ stdenv.mkDerivation rec {
 #    then [ "--enable-openmp" ]
 #    else []
 #  );
+
+  meta = {
+    homepage = "https://github.com/bsc-performance-tools/extrae";
+    description = "Instrumentation framework to generate execution traces of the most used parallel runtimes";
+    maintainers = [ ];
+    broken = true;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.lgpl21Plus;
+  };
 }
--- a/pkgs/gpi-2/default.nix
+++ b/pkgs/gpi-2/default.nix
@ -1,5 +1,6 @@
 {
  stdenv
+, lib
 , fetchurl
 , symlinkJoin
 , slurm
@ -52,4 +53,12 @@ stdenv.mkDerivation rec {
  buildInputs = [ slurm mpiAll rdma-core-all autoconf automake libtool rsync gfortran ];

  hardeningDisable = [ "all" ];
+
+  meta = {
+    homepage = "https://pm.bsc.es/gitlab/interoperability/extern/GPI-2";
+    description = "GPI-2 extended for supporting Task-Aware GASPI (TAGASPI) library";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }
--- a/pkgs/intel-compiler/icc2020.nix
+++ b/pkgs/intel-compiler/icc2020.nix
@ -1,4 +1,5 @@
 { stdenv
+, lib
 , fetchurl
 , rpmextract
 , autoPatchelfHook
@ -59,4 +60,12 @@ stdenv.mkDerivation rec {
      rm $out/lib/*.dbg
    popd
  '';
+
+  meta = {
+    homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
+    description = "Intel compiler";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.unfree;
+  };
 }
--- a/pkgs/intel-compiler/icc2021.nix
+++ b/pkgs/intel-compiler/icc2021.nix
@ -145,4 +145,12 @@ in
      popd
    '';

+    meta = {
+      homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
+      description = "Intel compiler";
+      maintainers = with lib.maintainers.bsc; [ rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.unfree;
+    };
+
  }
--- a/pkgs/intel-mpi/default.nix
+++ b/pkgs/intel-mpi/default.nix
@ -1,4 +1,5 @@
 { stdenv
+, lib
 , rpmextract
 , gcc
 , zlib
@ -101,4 +102,12 @@ stdenv.mkDerivation rec {
    patchelf --set-rpath "$out/lib:${rdma-core}/lib:${libpsm2}/lib" $out/lib/libfabric.so
    echo "Patched RPATH in libfabric.so to: $(patchelf --print-rpath $out/lib/libfabric.so)"
  '';
+
+  meta = {
+    homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
+    description = "Intel MPI";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.unfree;
+  };
 }
--- a/pkgs/intel-oneapi/2023.nix
+++ b/pkgs/intel-oneapi/2023.nix
@ -26,6 +26,13 @@

 let

+  meta = {
+    description = "Intel oneapi hpckit package component";
+    homepage = "https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html";
+    license = lib.licenses.unfree;
+    maintainers = with lib.maintainers.bsc; [ abonerib ];
+  };
+
  gcc = gcc13;

  v = {
@ -87,6 +94,8 @@ let
        dpkg -x $src $out
      done
    '';
+
+    inherit meta;
  };

  joinDebs = name: names:
@ -145,6 +154,8 @@ let
        sed -i "s:I_MPI_SUBSTITUTE_INSTALLDIR:$out:g" "$i"
      done
    '';
+
+    inherit meta;
  };

  intel-tbb = stdenv.mkDerivation rec {
@ -183,6 +194,8 @@ let
        rsync -a lib/intel64/gcc4.8/ $out/lib/
      popd
    '';
+
+    inherit meta;
  };

  intel-compiler-shared = stdenv.mkDerivation rec {
@ -240,6 +253,8 @@ let
        popd
      popd
    '';
+
+    inherit meta;
  };


@ -305,6 +320,8 @@ let
        ln -s $out/lib $out/lib_lin
      popd
    '';
+
+    inherit meta;
  };

  intel-compiler = stdenv.mkDerivation rec {
@ -392,6 +409,8 @@ let
        rsync -a documentation/en/man/common/ $out/share/man/
      popd
    '';
+
+    inherit meta;
  };

  wrapIntel = { cc, mygcc, extraBuild ? "", extraInstall ? "" }:
--- a/pkgs/llvm-ompss2/clang.nix
+++ b/pkgs/llvm-ompss2/clang.nix
@ -16,19 +16,19 @@
 , useGit ? false
 , gitUrl ? "ssh://git@bscpm04.bsc.es/llvm-ompss/llvm-mono.git"
 , gitBranch ? "master"
-, gitCommit ? "880e2341c56bad1dc14e8c369fb3356bec19018e"
+, gitCommit ? "872ba63f86edaefc9787984ef3fae9f2f94e0124" # github-release-2025.11
 }:

 let
  stdenv = llvmPackages_latest.stdenv;

  release = rec {
-    version = "2025.06";
+    version = "2025.11";
    src = fetchFromGitHub {
      owner = "bsc-pm";
      repo = "llvm";
      rev = "refs/tags/github-release-${version}";
-      hash = "sha256-ww9PpRmtz/M9IyLiZ8rAehx2UW4VpQt+svf4XfKBzKo=";
+      hash = "sha256-UgwMTUkM9Z87dDH205swZFBeFhrcbLAxginViG40pBM=";
    };
  };

@ -126,4 +126,12 @@ in stdenv.mkDerivation {
 # nanos6 installation, but this is would require a recompilation of clang each
 # time nanos6 is changed. Better to use the environment variable NANOS6_HOME,
 # and specify nanos6 at run time.
+
+  meta = {
+    homepage = "https://gitlab.pm.bsc.es/llvm-ompss/llvm-mono";
+    description = "C language family frontend for LLVM (for OmpSs-2)";
+    maintainers = with lib.maintainers.bsc; [ rpenacob ];
+    platforms = lib.platforms.linux;
+    license = [ lib.licenses.asl20 lib.licenses.llvm-exception ];
+  };
 }
--- a/pkgs/llvm-ompss2/openmp.nix
+++ b/pkgs/llvm-ompss2/openmp.nix
@ -74,5 +74,13 @@ stdenv.mkDerivation rec {
  passthru = {
    inherit nosv;
  };
+
+  meta = {
+    homepage = "https://gitlab.pm.bsc.es/llvm-ompss/llvm-mono";
+    description = "Support for the OpenMP language (with nOS-V)";
+    maintainers = with lib.maintainers.bsc; [ rpenacob ];
+    platforms = lib.platforms.linux;
+    license = [ lib.licenses.asl20 lib.licenses.llvm-exception ];
+  };
 }

--- a/pkgs/lmbench/default.nix
+++ b/pkgs/lmbench/default.nix
@ -35,13 +35,16 @@ stdenv.mkDerivation rec {
      CFLAGS=-Wno-implicit-int
      CPPFLAGS=-I${libtirpc.dev}/include/tirpc
      LDFLAGS=-ltirpc
+      CC=$CC
+      AR=$AR
    )
  '';

  meta = {
    description = "lmbench";
-    homepage = "http://www.bitmover.com/lmbench/";
-    maintainers = [ ];
+    homepage = "https://github.com/intel/lmbench";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
    platforms = lib.platforms.all;
+    license = lib.licenses.gpl2Plus;
  };
 }
--- a/pkgs/maintainers.nix
+++ b/pkgs/maintainers.nix
@ -0,0 +1,7 @@
+builtins.mapAttrs (name: value: { email = name + "@bsc.es"; } // value) {
+  abonerib.name = "Aleix Boné";
+  arocanon.name = "Aleix Roca";
+  rarias.name = "Rodrigo Arias";
+  rpenacob.name = "Raúl Peñacoba";
+  varcila.name = "Vincent Arcila";
+}
--- a/pkgs/mcxx/default.nix
+++ b/pkgs/mcxx/default.nix
@ -1,5 +1,6 @@
 {
  stdenv
+, lib
 , fetchFromGitHub
 , autoreconfHook
 , nanos6
@ -62,4 +63,12 @@ stdenv.mkDerivation rec {
 # Fails with "memory exhausted" with bison 3.7.1
 #    "--enable-bison-regeneration"
  ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/mcxx";
+    description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
+    maintainers = with lib.maintainers.bsc; [ rpenacob ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }
--- a/pkgs/mcxx/git.nix
+++ b/pkgs/mcxx/git.nix
@ -1,5 +1,6 @@
 {
  stdenv
+, lib
 , fetchFromGitHub
 , autoreconfHook
 , nanos6
@ -57,4 +58,12 @@ stdenv.mkDerivation rec {
 # Fails with "memory exhausted" with bison 3.7.1
 #    "--enable-bison-regeneration"
  ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/mcxx";
+    description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
+    maintainers = with lib.maintainers.bsc; [ rpenacob ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }
--- a/pkgs/mcxx/rarias.nix
+++ b/pkgs/mcxx/rarias.nix
@ -1,4 +1,5 @@
 { stdenv
+, lib
 , fetchgit
 , autoreconfHook
 , nanos6
@ -56,4 +57,12 @@ stdenv.mkDerivation rec {
  #preBuild = ''
  #  make generate_builtins_ia32 GXX_X86_BUILTINS=${gcc}/bin/g++
  #'';
+  #
+  meta = {
+    homepage = "https://github.com/bsc-pm/mcxx";
+    description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }
--- a/pkgs/mpich/default.nix
+++ b/pkgs/mpich/default.nix
@ -33,4 +33,8 @@ in mpich.overrideAttrs (old: {
    "FCFLAGS=-fallow-argument-mismatch"
  ];
  hardeningDisable = [ "all" ];
+
+  meta = old.meta // {
+    maintainers = old.meta.maintainers ++ (with lib.maintainers.bsc; [ rarias ]);
+  };
 })
--- a/pkgs/nanos6/default.nix
+++ b/pkgs/nanos6/default.nix
@ -16,6 +16,7 @@
 , jemallocNanos6 ? null
 , cachelineBytes ? 64
 , enableGlibcxxDebug ? false
+, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
 , useGit ? false
 , gitUrl ? "ssh://git@bscpm04.bsc.es/nanos6/nanos6"
 , gitBranch ? "master"
@ -47,6 +48,8 @@ let
  };

  source = if (useGit) then git else release;
+
+  isCross = stdenv.hostPlatform != stdenv.buildPlatform;
 in
  stdenv.mkDerivation (source // {
    pname = "nanos6";
@ -71,9 +74,13 @@ in
      "--disable-all-instrumentations"
      "--enable-ovni-instrumentation"
      "--with-ovni=${ovni}"
+      "--with-boost=${boost.dev}"
    ] ++
      (optional enableJemalloc "--with-jemalloc=${jemallocNanos6}") ++
-      (optional enableGlibcxxDebug "CXXFLAGS=-D_GLIBCXX_DEBUG");
+      (optional enableGlibcxxDebug "CXXFLAGS=-D_GLIBCXX_DEBUG") ++
+      # Most nanos6 api symbols are resolved at runtime, so prefer
+      # ifunc by default
+      (optional isCross "--with-symbol-resolution=ifunc");

    postConfigure = lib.optionalString (!enableDebug) ''
      # Disable debug
@ -97,16 +104,14 @@ in
      # TODO: papi_version is needed for configure:
      # ./configure: line 27378: papi_version: command not found
      # This probably breaks cross-compilation
-      papi
-    ];
+    ] ++ lib.optionals enablePapi [ papi ];

    buildInputs = [
      boost
      numactl
      hwloc
-      papi
      ovni
-    ];
+    ] ++ lib.optionals enablePapi [ papi ];

    # Create a script that sets NANOS6_HOME
    postInstall = ''
@ -114,11 +119,12 @@ in
      echo "export NANOS6_HOME=$out" >> $out/nix-support/setup-hook
    '';

-    meta = with lib; {
+    meta = {
      homepage = "https://github.com/bsc-pm/nanos6";
      description = "Nanos6 runtime for OmpSs-2" +
        optionalString (enableDebug) " (with debug symbols)";
-      platforms = platforms.linux;
-      license = licenses.gpl3;
+      maintainers = with lib.maintainers.bsc; [ rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.gpl3Plus;
    };
  })
--- a/pkgs/nanos6/jemalloc.nix
+++ b/pkgs/nanos6/jemalloc.nix
@ -1,4 +1,4 @@
-{ jemalloc }:
+{ jemalloc, lib }:

 jemalloc.overrideAttrs (old: {
  configureFlags = old.configureFlags ++ [
@ -8,5 +8,6 @@ jemalloc.overrideAttrs (old: {
  hardeningDisable = [ "all" ];
  meta = old.meta // {
    description = old.meta.description + " (for Nanos6)";
+    maintainers = (old.meta.maintainers or []) ++ (with lib.maintainers.bsc; [ rarias ]);
  };
 })
--- a/pkgs/nix-wrap/default.nix
+++ b/pkgs/nix-wrap/default.nix
@ -1,5 +1,6 @@
 {
  stdenv
+, lib
 , bashInteractive
 , busybox
 , nix
@ -86,5 +87,14 @@ stdenv.mkDerivation rec {
    mkdir -p $out/share
    cp ${nix_conf} $out/share/nix.conf
  '';
+
+  meta = {
+    homepage = null;
+    description = "nix bubblewrap wrapper";
+    maintainers = [ ];
+    broken = true;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.mit;
+  };
 }

--- a/pkgs/nixgen/default.nix
+++ b/pkgs/nixgen/default.nix
@ -0,0 +1,22 @@
+{
+  stdenv
+, lib
+}:
+
+stdenv.mkDerivation {
+  pname = "nixgen";
+  version = "0.0.1";
+  src = ./nixgen;
+  dontUnpack = true;
+  phases = [ "installPhase" ];
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -a $src $out/bin/nixgen
+  '';
+  meta = {
+    description = "Quickly generate flake.nix from command line";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
+}
--- a/pkgs/nixgen/nixgen
+++ b/pkgs/nixgen/nixgen
@ -0,0 +1,97 @@
+#!/bin/sh
+#
+# Copyright (c) 2025, Barcelona Supercomputing Center (BSC)
+# SPDX-License-Identifier: GPL-3.0+
+# Author: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
+
+function usage() {
+  echo "USAGE: nixgen [-f] [package [...]] [-b package [...]]" >&2
+  echo "  Generates a flake.nix file with the given packages." >&2
+  echo "  After flake.nix is created, use 'nix develop' to enter the shell." >&2
+  echo "OPTIONS" >&2
+  echo "  -f               Overwrite existing flake.nix (default: no)." >&2
+  echo "  packages...      Add these packages to the shell." >&2
+  echo "  -b packages...   Add the dependencies needed to build these packages." >&2
+  echo "EXAMPLE" >&2
+  echo "  $ nixgen ovni bigotes -b nosv tampi" >&2
+  echo "  Adds the packages ovni and bigotes as well as all required dependencies" >&2
+  echo "  to build nosv and tampi." >&2
+  echo "AUTHOR" >&2
+  echo "  Rodrigo Arias Mallo <rodrigo.arias@bsc.es>" >&2
+  exit 1
+}
+
+mode=package
+packages=
+inputsFrom=
+force=
+
+if [[ $# -eq 0 ]]; then
+  usage
+fi
+
+while [[ $# -gt 0 ]]; do
+    case $1 in -b)
+      mode=build
+      shift
+      ;;
+    -f)
+      force=1
+      shift
+      ;;
+    -h)
+      usage
+      ;;
+    -*|--*)
+      echo "error: unknown option $1" >&2
+      exit 1
+      ;;
+    *)
+      if [ "$mode" == "package" ]; then
+        packages+="${packages:+ }$1"
+      else
+        inputsFrom+="${inputsFrom:+ }$1"
+      fi
+      shift
+      ;;
+  esac
+done
+
+if [ ! "$force" -a -e flake.nix ]; then
+  echo "error: flake.nix exists, force overwrite with -f" >&2
+  exit 1
+fi
+
+cat > flake.nix <<EOF
+{
+  inputs.jungle.url = "git+https://jungle.bsc.es/git/rarias/jungle";
+  outputs = { self, jungle }:
+  let
+    nixpkgs = jungle.inputs.nixpkgs;
+    customOverlay = (final: prev: {
+      # Example overlay, for now empty
+    });
+    pkgs = import nixpkgs {
+      system = "x86_64-linux";
+      overlays = [
+        # Apply jungle overlay to get our BSC custom packages
+        jungle.outputs.bscOverlay
+        # And on top apply our local changes to customize for cluster
+        customOverlay
+      ];
+    };
+  in {
+    devShells.x86_64-linux.default = pkgs.mkShell {
+      pname = "devshell";
+      # Include these packages in the shell
+      packages = with pkgs; [
+        $packages
+      ];
+      # The dependencies needed to build these packages will be also included
+      inputsFrom = with pkgs; [
+        $inputsFrom
+      ];
+    };
+  };
+}
+EOF
--- a/pkgs/nixtools/default.nix
+++ b/pkgs/nixtools/default.nix
@ -1,5 +1,6 @@
 {
  stdenv
+, lib
 , glibc
 }:

@ -15,4 +16,11 @@ stdenv.mkDerivation rec {
  makeFlags = [ "DESTDIR=$(out)" ];
  preBuild = "env";
  dontPatchShebangs = true;
+
+  meta = {
+    homepage = "https://gitlab.pm.bsc.es/rarias/nixtools";
+    description = "nix bubblewrap wrapper";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+  };
 }
--- a/pkgs/nodes/default.nix
+++ b/pkgs/nodes/default.nix
@ -3,7 +3,6 @@
 , lib
 , fetchFromGitHub
 , pkg-config
-, perl
 , numactl
 , hwloc
 , boost
@ -11,22 +10,23 @@
 , ovni
 , nosv
 , clangOmpss2
+, which
 , useGit ? false
 , gitUrl ? "ssh://git@gitlab-internal.bsc.es/nos-v/nodes.git"
 , gitBranch ? "master"
-, gitCommit ? "6002ec9ae6eb876d962cc34366952a3b26599ba6"
+, gitCommit ? "511489e71504a44381e0930562e7ac80ac69a848" # version-1.4
 }:

 with lib;

 let
  release = rec {
-    version = "1.3";
+    version = "1.4";
    src = fetchFromGitHub {
      owner = "bsc-pm";
      repo = "nodes";
      rev = "version-${version}";
-      hash = "sha256-cFb9pxcjtkMmH0CsGgUO9LTdXDNh7MCqicgGWawLrsU=";
+      hash = "sha256-+lR/R0l3fGZO3XG7whMorFW2y2YZ0ZFnLeOHyQYrAsQ=";
    };
  };

@ -59,6 +59,7 @@ in
    doCheck = false;
    nativeCheckInputs = [
      clangOmpss2
+      which
    ];

    # The "bindnow" flags are incompatible with ifunc resolution mechanism. We
@ -81,4 +82,12 @@ in
    passthru = {
      inherit nosv;
    };
+
+    meta = {
+      homepage = "https://gitlab.bsc.es/nos-v/nodes";
+      description = "Runtime library designed to work on top of the nOS-V runtime";
+      maintainers = with lib.maintainers.bsc; [ abonerib rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.gpl3Plus;
+    };
  }
--- a/pkgs/nosv/default.nix
+++ b/pkgs/nosv/default.nix
@ -7,25 +7,25 @@
 , numactl
 , hwloc
 , papi
-, enablePapi ? true
+, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
 , cacheline ? 64 # bits
 , ovni ? null
 , useGit ? false
 , gitUrl ? "git@gitlab-internal.bsc.es:nos-v/nos-v.git"
 , gitBranch ? "master"
-, gitCommit ? "9f47063873c3aa9d6a47482a82c5000a8c813dd8"
+, gitCommit ? "1108e4786b58e0feb9a16fa093010b763eb2f8e8" # version 4.0.0
 }:

 with lib;

 let
  release = rec {
-    version = "3.2.0";
+    version = "4.0.0";
    src = fetchFromGitHub {
      owner = "bsc-pm";
      repo = "nos-v";
      rev = "${version}";
-      hash = "sha256-yaz92426EM8trdkBJlISmAoG9KJCDTvoAW/HKrasvOw=";
+      hash = "sha256-llaq73bd/YxLVKNlMebnUHKa4z3sdcsuDUoVwUxNuw8=";
    };
  };

@ -59,4 +59,12 @@ in
      hwloc
      ovni
    ] ++ lib.optionals enablePapi [ papi ];
+
+    meta = {
+      homepage = "https://gitlab.bsc.es/nos-v/nos-v";
+      description = "Tasking library enables the co-execution of multiple applications with system-wide scheduling and a centralized management of resources";
+      maintainers = with lib.maintainers.bsc; [ abonerib rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.gpl3Plus;
+    };
  }
--- a/pkgs/ovni/default.nix
+++ b/pkgs/ovni/default.nix
@ -7,7 +7,7 @@
 , useGit ? false
 , gitBranch ? "master"
 , gitUrl ? "ssh://git@bscpm04.bsc.es/rarias/ovni.git"
-, gitCommit ? "e4f62382076f0cf0b1d08175cf57cc0bc51abc61"
+, gitCommit ? "06432668f346c8bdc1006fabc23e94ccb81b0d8b" # version 1.13.0
 , enableDebug ? false
 # Only enable MPI if the build is native (fails on cross-compilation)
 , useMpi ? (stdenv.buildPlatform.canExecute stdenv.hostPlatform)
@ -15,13 +15,13 @@

 let
  release = rec {
-    version = "1.12.0";
+    version = "1.13.0";
    src = fetchFromGitHub {
      owner = "bsc-pm";
      repo = "ovni";
      rev = "${version}";
-      hash = "sha256-H04JvsVKrdqr3ON7JhU0g17jjlg/jzQ7eTfx9vUNd3E=";
-    } // { shortRev = "a73afcf"; };
+      hash = "sha256-0l2ryIyWNiZqeYdVlnj/WnQGS3xFCY4ICG8JedX424w=";
+    } // { shortRev = "0643266"; };
  };

  git = rec {
@ -55,4 +55,13 @@ in
    doCheck = true;
    checkTarget = "test";
    hardeningDisable = [ "all" ];
+
+    meta = {
+      homepage = "https://ovni.readthedocs.io";
+      description = "Obtuse but Versatile Nanoscale Instrumentation";
+      maintainers = with lib.maintainers.bsc; [ rarias ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.gpl3Plus;
+      cross = true;
+    };
  }
--- a/pkgs/paraver/default.nix
+++ b/pkgs/paraver/default.nix
@ -1,5 +1,6 @@
 {
  stdenv
+, lib
 , fetchFromGitHub
 , autoreconfHook
 , boost
@ -88,4 +89,18 @@ stdenv.mkDerivation rec {
    mkdir -p $out/share/man
    mv $out/share/doc/wxparaver_help_contents/man $out/share/man/man1
  '';
+
+  meta = {
+    homepage = "https://tools.bsc.es/paraver";
+    downloadPage = "https://github.com/bsc-performance-tools/wxparaver";
+    description = "Performance analyzer based on event traces";
+    longDescription = ''
+      Trace-based visualization and analysis tool designed to study quantitative
+      detailed metrics and obtain qualitative knowledge of the performance of
+      applications, libraries, processors and whole architectures
+    '';
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.lgpl21Plus;
+  };
 }
--- a/pkgs/paraver/kernel.nix
+++ b/pkgs/paraver/kernel.nix
@ -1,5 +1,6 @@
 {
  stdenv
+, lib
 , fetchFromGitHub
 , autoreconfHook
 , boost
@ -57,4 +58,13 @@ stdenv.mkDerivation rec {
    xml2
    zlib
  ];
+
+  meta = {
+    homepage = "https://tools.bsc.es/paraver";
+    downloadPage = "https://github.com/bsc-performance-tools/paraver-kernel";
+    description = "Kernel library used by wxparaver";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.lgpl21Plus;
+  };
 }
--- a/pkgs/sonar/default.nix
+++ b/pkgs/sonar/default.nix
@ -1,5 +1,6 @@
 {
  stdenv
+, lib
 , autoreconfHook
 , fetchFromGitHub
 , ovni
@ -27,4 +28,12 @@ stdenv.mkDerivation rec {
    ovni
    mpi
  ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/sonar";
+    description = "Set of runtime libraries which instrument parallel programming models through the ovni instrumentation library";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.mit;
+  };
 }
--- a/pkgs/tagaspi/default.nix
+++ b/pkgs/tagaspi/default.nix
@ -1,5 +1,6 @@
 {
  stdenv
+, lib
 , fetchFromGitHub
 , automake
 , autoconf
@ -55,4 +56,12 @@ stdenv.mkDerivation rec {
  ];

  hardeningDisable = [ "all" ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/tagaspi";
+    description = "Task-Aware GASPI";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }
--- a/pkgs/tampi/default.nix
+++ b/pkgs/tampi/default.nix
@ -61,4 +61,12 @@ in stdenv.mkDerivation {
  configureFlags = optional (enableOvni) "--with-ovni=${ovni}";
  dontDisableStatic = true;
  hardeningDisable = [ "all" ];
+
+  meta = {
+    homepage = "https://github.com/bsc-pm/tampi";
+    description = "Task-Aware MPI";
+    maintainers = with lib.maintainers.bsc; [ rarias ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl3Plus;
+  };
 }
--- a/test/bugs/hwloc.nix
+++ b/test/bugs/hwloc.nix
@ -6,6 +6,7 @@

 stdenv.mkDerivation {
  name = "hwloc-test";
+  requiredSystemFeatures = [ "sys-devices" ];

  src = ./.;

@ -14,7 +15,7 @@ stdenv.mkDerivation {
  buildPhase = ''
    ls -l /sys
    gcc -lhwloc hwloc.c -o hwloc
-    strace ./hwloc
+    strace ./hwloc > $out
  '';

 }
--- a/test/compilers/clang-openmp-ld.nix
+++ b/test/compilers/clang-openmp-ld.nix
@ -23,9 +23,8 @@ in stdenv.mkDerivation {
  dontUnpack = true;
  dontConfigure = true;

-  # nOS-V requires access to /sys/devices to request NUMA information. It will
-  # fail to run otherwise, so we disable the sandbox for this test.
-  __noChroot = true;
+  # nOS-V requires access to /sys/devices to request NUMA information
+  requiredSystemFeatures = [ "sys-devices" ];

  buildInputs = [ openmp ];

--- a/test/compilers/clang-openmp-nosv.nix
+++ b/test/compilers/clang-openmp-nosv.nix
@ -36,9 +36,8 @@ in stdenv.mkDerivation {
  dontUnpack = true;
  dontConfigure = true;

-  # nOS-V requires access to /sys/devices to request NUMA information. It will
-  # fail to run otherwise, so we disable the sandbox for this test.
-  __noChroot = true;
+  # nOS-V requires access to /sys/devices to request NUMA information
+  requiredSystemFeatures = [ "sys-devices" ];

  buildInputs = [ nosv ];

--- a/test/compilers/clang-openmp.nix
+++ b/test/compilers/clang-openmp.nix
@ -24,9 +24,8 @@ in stdenv.mkDerivation {
  dontUnpack = true;
  dontConfigure = true;

-  # nOS-V requires access to /sys/devices to request NUMA information. It will
-  # fail to run otherwise, so we disable the sandbox for this test.
-  __noChroot = true;
+  # nOS-V requires access to /sys/devices to request NUMA information
+  requiredSystemFeatures = [ "sys-devices" ];

  buildPhase = ''
    set -x
--- a/test/compilers/ompss2.nix
+++ b/test/compilers/ompss2.nix
@ -25,9 +25,10 @@ stdenv.mkDerivation rec {
  hardeningDisable = [ "all" ];
  #NIX_DEBUG = 1;
  buildInputs = [ ]; #strace gdb;
-  # NODES requires access to /sys/devices to request NUMA information. It will
-  # fail to run otherwise, so we disable the sandbox for this test.
-  __noChroot = true;
+
+  # NODES requires access to /sys/devices to request NUMA information
+  requiredSystemFeatures = [ "sys-devices" ];
+
  buildPhase = ''
    set -x
    #$CC -v
Author	SHA1	Message	Date
Rodrigo Arias Mallo	5ff1b1343b	Add nixgen to all machines All checks were successful CI / build:cross (pull_request) Successful in 5s Details CI / build:all (pull_request) Successful in 16s Details CI / build:all (push) Successful in 3s Details CI / build:cross (push) Successful in 5s Details Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-29 16:28:05 +01:00
Rodrigo Arias Mallo	c5cc13fad8	Add nixgen package Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-29 16:27:56 +01:00
Rodrigo Arias Mallo	2e09314a7e	Update OmpSs-2 LLVM to 2025.11 All checks were successful CI / build:cross (pull_request) Successful in 9s Details CI / build:all (pull_request) Successful in 3m34s Details CI / build:all (push) Successful in 3s Details CI / build:cross (push) Successful in 5s Details Reviewed-by: Aleix Boné <abonerib@bsc.es> Tested-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2025-10-29 16:22:57 +01:00
Rodrigo Arias Mallo	217d9c1fc0	Update NODES to 1.4 Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-29 16:21:46 +01:00
Rodrigo Arias Mallo	f47ab7757e	Update nOS-V to 4.0.0 Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-29 16:21:43 +01:00
Rodrigo Arias Mallo	4b265c071e	Update ovni to 1.13.0 Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-29 16:21:32 +01:00
Rodrigo Arias Mallo	019826d09e	Add OmpSs-2 release timers and services All checks were successful CI / build:cross (pull_request) Successful in 6s Details CI / build:all (pull_request) Successful in 15s Details CI / build:all (push) Successful in 4s Details CI / build:cross (push) Successful in 6s Details Send a reminder email to the STAR group to mark the release cycle dates. Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-28 12:38:37 +01:00
Rodrigo Arias Mallo	a294daf7e3	Use specific mail-robot group to send mail Allows any user to be able to send mail from the robot account as long as it is added to the mail-robot group. Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-28 12:38:17 +01:00
Rodrigo Arias Mallo	a7018250ca	Add missing slurm package to overlay All checks were successful CI / build:cross (pull_request) Successful in 6s Details CI / build:all (pull_request) Successful in 15s Details CI / build:all (push) Successful in 4s Details CI / build:cross (push) Successful in 6s Details Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-28 11:44:40 +01:00
Rodrigo Arias Mallo	e3d1785285	Run a shell in the allocated node with salloc By default, salloc will open a new shell in the current node instead of in the allocated node. This often causes users to leave the extra shell running once the allocation ends. Repeating this process several times causes chains of shells. By running the shell in the remote node, once the allocation ends the shell finishes as well. Fixes: #174 See: https://slurm.schedmd.com/faq.html#prompt Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-28 11:44:14 +01:00
Aleix Boné	ab86243a07	Add missing which in nodes checkPhase All checks were successful CI / build:cross (pull_request) Successful in 6s Details CI / build:all (pull_request) Successful in 16s Details CI / build:all (push) Successful in 4s Details CI / build:cross (push) Successful in 6s Details When enabling checks, the build log is polluted with errors. Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es> Tested-by: Aleix Boné <abonerib@bsc.es>	2025-10-23 15:59:21 +02:00
Rodrigo Arias Mallo	14f2393d30	Update website All checks were successful CI / build:cross (pull_request) Successful in 6s Details CI / build:all (pull_request) Successful in 15s Details CI / build:all (push) Successful in 4s Details CI / build:cross (push) Successful in 6s Details Add apex page and replace bscpkgs references for jungle after the merge. See: rarias/jungle-website#1 Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-22 15:48:13 +02:00
Rodrigo Arias Mallo	f115d611e7	Add aaguirre user All checks were successful CI / build:cross (pull_request) Successful in 6s Details CI / build:all (pull_request) Successful in 15s Details CI / build:all (push) Successful in 3s Details CI / build:cross (push) Successful in 6s Details Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-22 15:28:29 +02:00
Rodrigo Arias Mallo	4261d327c6	Include agenix module and package directly All checks were successful CI / build:cross (pull_request) Successful in 6s Details CI / build:all (pull_request) Successful in 15s Details CI / build:all (push) Successful in 4s Details CI / build:cross (push) Successful in 6s Details Avoids adding an extra flake input only to fetch a single module and package. Reviewed-by: Aleix Boné <abonerib@bsc.es> Tested-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2025-10-14 09:37:47 +02:00
Aleix Boné	4685c36e2f	Add brief documentation on maintainer roles All checks were successful CI / build:cross (pull_request) Successful in 6s Details CI / build:all (pull_request) Successful in 15s Details CI / build:all (push) Successful in 3s Details CI / build:cross (push) Successful in 6s Details Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es> Tested-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2025-10-10 16:37:00 +02:00
Aleix Boné	c6c788f1e2	Add meta to packages Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2025-10-10 16:36:56 +02:00
Aleix Boné	606386d006	Add maintainers Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2025-10-10 16:36:38 +02:00
Rodrigo Arias Mallo	1fba0a14a8	Enable ovni for cross compilation All checks were successful CI / build:cross (pull_request) Successful in 5s Details CI / build:all (pull_request) Successful in 15s Details CI / build:all (push) Successful in 3s Details CI / build:cross (push) Successful in 6s Details Reviewed-by: Aleix Boné <abonerib@bsc.es> Tested-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2025-10-10 12:08:28 +02:00
Rodrigo Arias Mallo	d6621e939a	Add RISC-V cross-compilation target for CI Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-10 12:08:24 +02:00
Aleix Boné	67726c1d44	Fix nanos6 cross-compilation for riscv All checks were successful CI / build:all (pull_request) Successful in 15s Details CI / build:all (push) Successful in 4s Details Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es> Tested-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2025-10-09 15:49:01 +02:00
Aleix Boné	a971ed6a54	Fix cross compilation for lmbench Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2025-10-09 15:49:01 +02:00
Aleix Boné	06581e455c	Disable papi when cross compiling Even if we do an override to papi get the proper configure flags for cross-compiling, the memory fences are not defined for risc-v: mb.h:67:2: error: #error Need to define rmb for this architecture! See: #184 Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2025-10-09 15:48:45 +02:00
Aleix Boné	dd7f24f455	Replace __noChroot with requiredSystemFeatures All checks were successful CI / build:all (pull_request) Successful in 15s Details CI / build:all (push) Successful in 4s Details Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es> Tested-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2025-10-09 11:41:18 +02:00
Rodrigo Arias Mallo	64e2c39582	Add hwloc test with sys-devices feature Reviewed-by: Aleix Boné <abonerib@bsc.es>	2025-10-09 11:41:06 +02:00
Aleix Boné	98d17b19d3	Enable custom sys-devices system feature Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2025-10-09 11:40:44 +02:00
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE`
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH`