flake.lock: Update

Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/1381a759b205dff7a6818733118d02253340fd5e' (2024-04-02)
  → 'github:ryantm/agenix/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6' (2024-07-09)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/6143fc5eeb9c4f00163267708e26191d1e918932' (2024-04-21)
  → 'github:NixOS/nixpkgs/693bc46d169f5af9c992095736e82c3488bf7dbb' (2024-07-14)

doc/install.md

@@ -151,26 +151,12 @@ And update grub.
 # nix build .#nixosConfigurations.xeon02.config.system.build.kexecTree -v
 ```
 
-## Chain NixOS in same disk with other systems
-
-To install NixOS on a partition along another system which controls the GRUB,
-first disable the grub device, so the GRUB is not installed in the disk by
-NixOS (only the /boot files will be generated):
-
-```
-boot.loader.grub.device = "nodev";
-```
-
-Then add the following entry to the old GRUB configuration:
+## Chain NixOS in same disk
 
 ```
 menuentry 'NixOS' {
         insmod chain
-        search --no-floppy --label nixos --set root
+        set root=(hd3,1)
         configfile /boot/grub/grub.cfg
 }
 ```
-
-The partition with NixOS must have the label "nixos" for it to be found. New
-system configuration entries will be stored in the GRUB configuration managed
-by NixOS, so there is no need to change the old GRUB settings.

m/bay/configuration.nix

@@ -9,10 +9,6 @@
   # Select the this using the ID to avoid mismatches
   boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53562d";
 
-  boot.kernel.sysctl = {
-    "kernel.yama.ptrace_scope" = lib.mkForce "1";
-  };
-
   environment.systemPackages = with pkgs; [
     ceph
   ];

m/common/base.nix

@@ -3,7 +3,6 @@
   # Includes the basic configuration for an Intel server.
   imports = [
     ./base/agenix.nix
-    ./base/august-shutdown.nix
     ./base/boot.nix
     ./base/env.nix
     ./base/fs.nix

m/common/base/august-shutdown.nix

@@ -1,14 +0,0 @@
-{
-  # Shutdown all machines on August 2nd at 11:00 AM, so we can protect the
-  # hardware from spurious electrical peaks on the yearly electrical cut for
-  # manteinance that starts on August 4th.
-  systemd.timers.august-shutdown = {
-    description = "Shutdown on August 2nd for maintenance";
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      OnCalendar = "*-08-02 11:00:00";
-      RandomizedDelaySec = "10min";
-      Unit = "systemd-poweroff.service";
-    };
-  };
-}

m/common/base/boot.nix

@@ -11,6 +11,12 @@
     terminal_output --append serial
   '';
 
+  # Enable serial console
+  boot.kernelParams = [
+    "console=tty1"
+    "console=ttyS0,115200"
+  ];
+
   boot.kernel.sysctl = {
     "kernel.perf_event_paranoid" = lib.mkDefault "-1";
 

m/common/xeon.nix

@@ -3,7 +3,7 @@
   imports = [
     ./base.nix
     ./xeon/fs.nix
-    ./xeon/console.nix
+    ./xeon/getty.nix
     ./xeon/net.nix
   ];
 }

m/common/xeon/getty.nix

@@ -5,10 +5,4 @@
     wantedBy = [ "getty.target" ];
     serviceConfig.Restart = "always";
   };
-
-  # Enable serial console
-  boot.kernelParams = [
-    "console=tty1"
-    "console=ttyS0,115200"
-  ];
 }

m/hut/configuration.nix

@@ -6,7 +6,6 @@
 
     ../module/ceph.nix
     ../module/debuginfod.nix
-    ../module/emulation.nix
     ../module/slurm-client.nix
     ./gitlab-runner.nix
     ./monitoring.nix
@@ -17,19 +16,14 @@
     ./gitea.nix
     ./msmtp.nix
     ./postgresql.nix
-    ./nginx.nix
-    ./p.nix
     #./pxe.nix
   ];
 
+  boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" "powerpc64le-linux" "riscv64-linux" ];
+
   # Select the this using the ID to avoid mismatches
   boot.loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2BB240G7_PHDV6462004Y240AGN";
 
-  fileSystems."/nvme" = {
-    fsType = "ext4";
-    device = "/dev/disk/by-label/nvme";
-  };
-
   networking = {
     hostName = "hut";
     interfaces.eno1.ipv4.addresses = [ {

m/hut/gitea.nix

@@ -17,7 +17,6 @@
         REGISTER_MANUAL_CONFIRM = true;
         ENABLE_NOTIFY_MAIL = true;
       };
-      log.LEVEL = "Warn";
 
       mailer = {
         ENABLED       = true;

m/hut/gitlab-runner.nix

@@ -1,8 +1,9 @@
 { pkgs, lib, config, ... }:
 
 {
-  age.secrets.gitlabRunnerShellToken.file = ../../secrets/gitlab-runner-shell-token.age;
-  age.secrets.gitlabRunnerDockerToken.file = ../../secrets/gitlab-runner-docker-token.age;
+  age.secrets.ovniToken.file = ../../secrets/ovni-token.age;
+  age.secrets.gitlabToken.file = ../../secrets/gitlab-bsc-es-token.age;
+  age.secrets.nosvToken.file = ../../secrets/nosv-token.age;
 
   services.gitlab-runner = {
     enable = true;
@@ -10,14 +11,20 @@
     services = let
       common-shell = {
         executor = "shell";
+        tagList = [ "nix" "xeon" ];
+        registrationFlags = [
+          # Using space doesn't work, and causes it to misread the next flag
+          "--locked='false'"
+        ];
         environmentVariables = {
           SHELL = "${pkgs.bash}/bin/bash";
         };
       };
       common-docker = {
-        executor = "docker";
         dockerImage = "debian:stable";
+        tagList = [ "docker" "xeon" ];
         registrationFlags = [
+          "--locked='false'"
           "--docker-network-mode host"
         ];
         environmentVariables = {
@@ -26,12 +33,19 @@
         };
       };
     in {
+      # For gitlab.bsc.es
+      gitlab-bsc-es-shell = common-shell // {
+        registrationConfigFile = config.age.secrets.gitlabToken.path;
+      };
+      gitlab-bsc-es-docker = common-docker // {
+        registrationConfigFile = config.age.secrets.gitlabToken.path;
+      };
       # For pm.bsc.es/gitlab
       gitlab-pm-shell = common-shell // {
-        authenticationTokenConfigFile = config.age.secrets.gitlabRunnerShellToken.path;
+        registrationConfigFile = config.age.secrets.ovniToken.path;
       };
       gitlab-pm-docker = common-docker // {
-        authenticationTokenConfigFile = config.age.secrets.gitlabRunnerDockerToken.path;
+        registrationConfigFile = config.age.secrets.ovniToken.path;
       };
     };
   };

m/hut/monitoring.nix

@@ -31,7 +31,6 @@
       };
       feature_toggles.publicDashboards = true;
       "auth.anonymous".enabled = true;
-      log.level = "warn";
     };
   };
 

m/hut/nginx.nix

@@ -1,14 +0,0 @@
-{
-  services.nginx = {
-    enable = true;
-    virtualHosts."jungle.bsc.es" = {
-      listen = [
-        {
-          addr = "127.0.0.1";
-          port = 8123;
-        }
-      ];
-      locations."/p/".alias = "/ceph/p/";
-    };
-  };
-}

m/hut/p.nix

@@ -1,22 +0,0 @@
-{ pkgs, ... }:
-let
-  p = pkgs.writeShellScriptBin "p" ''
-    set -e
-    cd /ceph
-    pastedir="p/$USER"
-    mkdir -p "$pastedir"
-
-    if [ -n "$1" ]; then
-            out="$pastedir/$1"
-    else
-            out=$(mktemp "$pastedir/XXXXXXXX.txt")
-    fi
-
-    cat > "$out"
-    chmod go+r "$out"
-    echo "https://jungle.bsc.es/$out"
-  '';
-in
-{
-  environment.systemPackages = with pkgs; [ p ];
-}

m/lake2/configuration.nix

@@ -8,10 +8,6 @@
 
   boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53563a";
 
-  boot.kernel.sysctl = {
-    "kernel.yama.ptrace_scope" = lib.mkForce "1";
-  };
-
   environment.systemPackages = with pkgs; [
     ceph
   ];

m/module/ceph.nix

@@ -13,22 +13,10 @@
 
   age.secrets.cephUser.file = ../../secrets/ceph-user.age;
 
-  fileSystems."/ceph-slow" = {
-    fsType = "ceph";
-    device = "user@9c8d06e0-485f-4aaf-b16b-06d6daf1232b.cephfs=/";
-    options = [
-      "mon_addr=10.0.40.40"
-      "secretfile=${config.age.secrets.cephUser.path}"
-    ];
-  };
-
-  services.cachefilesd.enable = true;
-
   fileSystems."/ceph" = {
     fsType = "ceph";
     device = "user@9c8d06e0-485f-4aaf-b16b-06d6daf1232b.cephfs=/";
     options = [
-      "fsc"
       "mon_addr=10.0.40.40"
       "secretfile=${config.age.secrets.cephUser.path}"
     ];

m/module/emulation.nix

@@ -1,3 +0,0 @@
-{
-  boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" "powerpc64le-linux" "riscv64-linux" ];
-}

m/module/slurm-client.nix

@@ -47,8 +47,8 @@ in {
     ];
 
     partitionName = [
-      "owl Nodes=owl[1-2] Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
-      "all Nodes=owl[1-2],hut Default=NO DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
+      "owl Nodes=owl[1-2] Default=YES MaxTime=INFINITE State=UP"
+      "all Nodes=owl[1-2],hut Default=NO MaxTime=INFINITE State=UP"
     ];
 
     # See slurm.conf(5) for more details about these options.
@@ -83,14 +83,6 @@ in {
 
       # Reduce port range so we can allow only this range in the firewall
       SrunPortRange=60000-61000
-
-      # Use cores as consumable resources. In SLURM terms, a core may have
-      # multiple hardware threads (or CPUs).
-      SelectType=select/cons_tres
-
-      # Ignore memory constraints and only use unused cores to share a node with
-      # other jobs.
-      SelectTypeParameters=CR_Core
     '';
   };
 

m/owl1/configuration.nix

@@ -4,10 +4,9 @@
   imports = [
     ../common/xeon.nix
     ../module/ceph.nix
-    ../module/emulation.nix
     ../module/slurm-client.nix
     ../module/slurm-firewall.nix
-    ../module/debuginfod.nix
+    ../module/slurm-hut-nix-store.nix
   ];
 
   # Select the this using the ID to avoid mismatches

m/owl2/configuration.nix

@@ -4,10 +4,9 @@
   imports = [
     ../common/xeon.nix
     ../module/ceph.nix
-    ../module/emulation.nix
     ../module/slurm-client.nix
     ../module/slurm-firewall.nix
-    ../module/debuginfod.nix
+    ../module/slurm-hut-nix-store.nix
   ];
 
   # Select the this using the ID to avoid mismatches

m/raccoon/configuration.nix

@@ -8,12 +8,6 @@
   # Don't install Grub on the disk yet
   boot.loader.grub.device = "nodev";
 
-  # Enable serial console
-  boot.kernelParams = [
-    "console=tty1"
-    "console=ttyS1,115200"
-  ];
-
   networking = {
     hostName = "raccoon";
     # Only BSC DNSs seem to be reachable from the office VLAN
@@ -27,7 +21,11 @@
 
   # Configure Nvidia driver to use with CUDA
   hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production;
-  hardware.graphics.enable = true;
+  hardware.opengl = {
+    enable = true;
+    driSupport = true;
+    setLdLibraryPath = true;
+  };
   nixpkgs.config.allowUnfree = true;
   nixpkgs.config.nvidia.acceptLicense = true;
   services.xserver.videoDrivers = [ "nvidia" ];

secrets/gitlab-bsc-es-token.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 HY2yRg caTbx0NBmsTSmZH4HtBaxhsauWqWUDTesJqT08UsoEQ
+8ND31xuco+H8d5SKg8xsCFRPVDhU4d8UKwV1BnmKVjQ
+-> ssh-ed25519 CAWG4Q 4ETYuhCwHHECkut4DWDknMMgpAvFqtzLWVC2Wi2L8FM
+BGMvRnAfd8qZG5hzLefmk32FkGvwzE9pqBUyx4JY0co
+-> ssh-ed25519 MSF3dg hj5QL4ZfylN8/W/MXQHvVqtI7mRvlQOYr8HsaQEmPB0
+kvB7sljmmkswSGZDQnrwdTbTsN78EAwH3pz1pPe0Hu0
+-> )Q-grease vHF} [8p1> @7z;C"/
+tgSUKFyyrf2jLXZp+pakigwB2fRO/WFj2Qnt1aPjtVPEK92JbJ4
+--- xzM0AhV4gTQE0Q7inJNo9vFj+crJQxWeI7u9pl7bqAI
+<05>6nGJ<47>0B<03><>7F<37><46><EFBFBD>b<EFBFBD>ٽ2<D9BD>L<EFBFBD><4C><EFBFBD>]<18>2zl<7A><6C>&e<>K<EFBFBD>x<EFBFBD><78><EFBFBD>9SWN<19>V"Mf<4D><66><EFBFBD><EFBFBD>KHUC:1b;9St<53><74><EFBFBD><EFBFBD>Duѧ<75><D1A7>Ϣ<EFBFBD>̟<04><02><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>f<EFBFBD>7<1D><>1<>I(<28>d<><64><EFBFBD><EFBFBD><EFBFBD><0C>

secrets/gitlab-runner-docker-token.age

@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 HY2yRg WvKK6U1wQtx2pbUDfuaUIXTQiCulDkz7hgUCSwMfMzQ
-jLktUMqKuVxukqzz++pHOKvmucUQqeKYy5IwBma7KxY
--> ssh-ed25519 CAWG4Q XKGuNNoYFl9bdZzsqYYTY7GsEt5sypLW4R+1uk78NmU
-8dIA2GzRAwTGM5CDHSM2BUBsbXzEAUssWUz2PY2PaTg
--> ssh-ed25519 MSF3dg T630RsKuZIF/bp+KITnIIWWHsg6M/VQGqbWQZxqT+AA
-SraZcgZJVtmUzHF/XR9J7aK5t5EDNpkC/av/WJUT/G8
---- /12G8pj9sbs591OM/ryhoLnSWWmzYcoqprk9uN/3g18
-<EFBFBD><EFBFBD><EFBFBD>
<01>‡%<25>]yi"<22><><EFBFBD>L<EFBFBD><0B><>H`<60>a$<24><>)<29>9ve<76>.0<EFBFBD>m<EFBFBD>K<EFBFBD>v<EFBFBD><EFBFBD><0B>u"|1c<31>-%<25><>"<22>WF<12><><EFBFBD>A<EFBFBD><41>h<EFBFBD>$<05><>j<e<><65>x<EFBFBD>Lx<4C><78>.?<3F><><EFBFBD>:L<><4C><EFBFBD><EFBFBD>,<2C>u<EFBFBD>|<7C><>F|<7C>i<EFBFBD><69><EFBFBD>

secrets/nosv-token.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 HY2yRg hrdS7Dl/j+u3XVfM79ZJpZSlre9TcD7DTQ+EEAT6kEE
+avUO96P1h7w2BYWgrQ7GpUgdaCV9AZL7eOTTcF9gfro
+-> ssh-ed25519 CAWG4Q A5raRY1CAgFYZgoQ92GMyNejYNdHx/7Y6uTS+EjLPWA
+FRFqT2Jz7qRcybaxkQTKHGl797LVXoHpYG4RZSrX/70
+-> ssh-ed25519 MSF3dg D+R80Bg7W9AuiOMAqtGFZQl994dRBIegYRLmmTaeZ3o
+BHvZsugRiuZ91b4jk91h30o3eF3hadSnVCwxXge95T8
+-> BT/El`a-grease W{nq|Vm )bld 2Nl}4 N$#JGB4t
+oLG+0S1aGfO/ohCfgGmhDhwwLi4H
+--- 2I5C+FvBG/K1ZHh7C5QD39feTSLoFGwcTeZAmeILNsI
+<EFBFBD><EFBFBD>W<EFBFBD>o<> <14><>d;<3B><>C<EFBFBD>.<2E><>_(<28>u

secrets/secrets.nix

@@ -6,9 +6,10 @@ let
   safe = keys.hostGroup.safe ++ adminsKeys;
 in
 {
+  "gitlab-bsc-es-token.age".publicKeys = hut;
   "gitea-runner-token.age".publicKeys = hut;
-  "gitlab-runner-docker-token.age".publicKeys = hut;
-  "gitlab-runner-shell-token.age".publicKeys = hut;
+  "ovni-token.age".publicKeys = hut;
+  "nosv-token.age".publicKeys = hut;
   "nix-serve.age".publicKeys = hut;
   "jungle-robot-password.age".publicKeys = hut;