Add access to fox for rpenacob user

Revert "Only allow Vincent to access fox for now"
This reverts commit efac36b186.
2025-07-02 15:20:51 +02:00 · 2025-07-02 15:20:05 +02:00 · 2025-07-02 15:08:42 +02:00 · 2025-07-02 15:08:02 +02:00 · 2025-07-02 15:07:58 +02:00 · 2025-07-02 15:07:54 +02:00
76 changed files with 2121 additions and 174 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 *.swp
 /result
+/misc
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1720546205,
-        "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
+        "lastModified": 1723293904,
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
        "type": "github"
      },
      "original": {
@@ -30,11 +30,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1713974364,
-        "narHash": "sha256-ilZTVWSaNP1ibhQIIRXE+q9Lj2XOH+F9W3Co4QyY1eU=",
+        "lastModified": 1732868163,
+        "narHash": "sha256-qck4h298AgcNI6BnGhEwl26MTLXjumuJVr+9kak7uPo=",
        "ref": "refs/heads/master",
-        "rev": "de89197a4a7b162db7df9d41c9d07759d87c5709",
-        "revCount": 937,
+        "rev": "6782fc6c5b5a29e84a7f2c2d1064f4bcb1288c0f",
+        "revCount": 952,
        "type": "git",
        "url": "https://git.sr.ht/~rodarima/bscpkgs"
      },
@@ -88,16 +88,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1720957393,
-        "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=",
+        "lastModified": 1736867362,
+        "narHash": "sha256-i/UJ5I7HoqmFMwZEH6vAvBxOrjjOJNU739lnZnhUln8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb",
+        "rev": "9c6b49aeac36e2ed73a8c472f1546f6d9cf1addc",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
    bscpkgs.url = "git+https://git.sr.ht/~rodarima/bscpkgs";
@@ -18,6 +18,7 @@ in
  {
    nixosConfigurations = {
      hut     = mkConf "hut";
+      tent    = mkConf "tent";
      owl1    = mkConf "owl1";
      owl2    = mkConf "owl2";
      eudy    = mkConf "eudy";
@@ -25,6 +26,7 @@ in
      bay     = mkConf "bay";
      lake2   = mkConf "lake2";
      raccoon = mkConf "raccoon";
+      fox     = mkConf "fox";
    };

    packages.x86_64-linux = self.nixosConfigurations.hut.pkgs // {
--- a/keys.nix
+++ b/keys.nix
@@ -9,9 +9,12 @@ rec {
    koro  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67 koro";
    bay   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
    lake2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
+    fox   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwItIk5uOJcQEVPoy/CVGRzfmE1ojrdDcI06FrU4NFT fox";
+    tent  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAtTpHtdYoelbknD/IcfBlThwLKJv/dSmylOgpg3FRM tent";
  };

  hostGroup = with hosts; rec {
+    untrusted  = [ fox ];
    compute    = [ owl1 owl2 ];
    playground = [ eudy koro ];
    storage    = [ bay lake2 ];
@@ -23,7 +26,8 @@ rec {
  };

  admins = {
-    rarias = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
-    root   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
+    "rarias@hut"  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
+    "rarias@tent" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwlWSBTZi74WTz5xn6gBvTmCoVltmtIAeM3RMmkh4QZ rarias@tent";
+    root          = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
  };
 }
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@@ -2,7 +2,7 @@

 {
  imports = [
-    ../common/xeon.nix
+    ../common/ssf.nix
    ../module/monitoring.nix
  ];

--- a/m/common/base/nix.nix
+++ b/m/common/base/nix.nix
@@ -23,6 +23,7 @@
      trusted-users = [ "@wheel" ];
      flake-registry = pkgs.writeText "global-registry.json"
        ''{"flakes":[],"version":2}'';
+      keep-outputs = true;
    };

    gc = {
@@ -32,6 +33,21 @@
    };
  };

+  # The nix-gc.service can begin its execution *before* /home is mounted,
+  # causing it to remove all gcroots considering them as stale, as it cannot
+  # access the symlink. To prevent this problem, we force the service to wait
+  # until /home is mounted as well as other remote FS like /ceph.
+  systemd.services.nix-gc = {
+    # Start remote-fs.target if not already being started and fail if it fails
+    # to start. It will also be stopped if the remote-fs.target fails after
+    # starting successfully.
+    bindsTo = [ "remote-fs.target" ];
+    # Wait until remote-fs.target fully starts before starting this one.
+    after = [ "remote-fs.target"];
+    # Ensure we can access a remote path inside /home
+    unitConfig.ConditionPathExists = "/home/Computational";
+  };
+
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/m/common/base/ssh.nix
+++ b/m/common/base/ssh.nix
@@ -8,15 +8,11 @@ in
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

-  # Connect to intranet git hosts via proxy
-  programs.ssh.extraConfig = ''
-    Host bscpm02.bsc.es bscpm03.bsc.es gitlab-internal.bsc.es alya.gitlab.bsc.es
-      User git
-      ProxyCommand nc -X connect -x hut:23080 %h %p
-  '';
-
  programs.ssh.knownHosts = hostsKeys // {
    "gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3";
    "bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS";
+    "bscpm04.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT";
+    "glogin1.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsHsZGCrzpd4QDVn5xoDOtrNBkb0ylxKGlyBt6l9qCz";
+    "glogin2.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsHsZGCrzpd4QDVn5xoDOtrNBkb0ylxKGlyBt6l9qCz";
  };
 }
--- a/m/common/base/users.nix
+++ b/m/common/base/users.nix
@@ -20,6 +20,7 @@
      rarias = {
        uid = 1880;
        isNormalUser = true;
+        linger = true;
        home = "/home/Computational/rarias";
        description = "Rodrigo Arias";
        group = "Computational";
@@ -39,7 +40,7 @@
        home = "/home/Computational/arocanon";
        description = "Aleix Roca";
        group = "Computational";
-        extraGroups = [ "wheel" ];
+        extraGroups = [ "wheel" "tracing" ];
        hashedPassword = "$6$hliZiW4tULC/tH7p$pqZarwJkNZ7vS0G5llWQKx08UFG9DxDYgad7jplMD8WkZh5k58i4dfPoWtnEShfjTO6JHiIin05ny5lmSXzGM/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3zeB5KSimMBAjvzsp1GCkepVaquVZGPYwRIzyzaCba aleix@bsc"
@@ -55,7 +56,7 @@
        home = "/home/Computational/rpenacob";
        description = "Raúl Peñacoba";
        group = "Computational";
-        hosts = [ "owl1" "owl2" "hut" ];
+        hosts = [ "owl1" "owl2" "hut" "tent" "fox" ];
        hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc"
@@ -68,7 +69,7 @@
        home = "/home/Computational/anavarro";
        description = "Antoni Navarro";
        group = "Computational";
-        hosts = [ "hut" "raccoon" ];
+        hosts = [ "hut" "tent" "raccoon" "fox" ];
        hashedPassword = "$6$QdNDsuLehoZTYZlb$CDhCouYDPrhoiB7/seu7RF.Gqg4zMQz0n5sA4U1KDgHaZOxy2as9pbIGeF8tOHJKRoZajk5GiaZv0rZMn7Oq31";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWjRSlKgzBPZQhIeEtk6Lvws2XNcYwHcwPv4osSgst5 anavarro@ssfhead"
@@ -81,7 +82,7 @@
        home = "/home/Computational/abonerib";
        description = "Aleix Boné";
        group = "Computational";
-        hosts = [ "owl1" "owl2" "hut" "raccoon" ];
+        hosts = [ "owl1" "owl2" "hut" "tent" "raccoon" "fox" ];
        hashedPassword = "$6$V1EQWJr474whv7XJ$OfJ0wueM2l.dgiJiiah0Tip9ITcJ7S7qDvtSycsiQ43QBFyP4lU0e0HaXWps85nqB4TypttYR4hNLoz3bz662/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc"
@@ -100,10 +101,50 @@
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMwlUZRf9jfG666Qa5Sb+KtEhXqkiMlBV2su3x/dXHq victor@arch"
        ];
      };
+
+      dbautist = {
+        uid = 5649;
+        isNormalUser = true;
+        home = "/home/Computational/dbautist";
+        description = "Dylan Bautista Cases";
+        group = "Computational";
+        hosts = [ "hut" "tent" "raccoon" ];
+        hashedPassword = "$6$a2lpzMRVkG9nSgIm$12G6.ka0sFX1YimqJkBAjbvhRKZ.Hl090B27pdbnQOW0wzyxVWySWhyDDCILjQELky.HKYl9gqOeVXW49nW7q/";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAb+EQBoS98zrCwnGKkHKwMLdYABMTqv7q9E0+T0QmkS dbautist@bsc-848818791"
+        ];
+      };
+
+      dalvare1 = {
+        uid = 2758;
+        isNormalUser = true;
+        home = "/home/Computational/dalvare1";
+        description = "David Álvarez";
+        group = "Computational";
+        hosts = [ "hut" "tent" "fox" ];
+        hashedPassword = "$6$mpyIsV3mdq.rK8$FvfZdRH5OcEkUt5PnIUijWyUYZvB1SgeqxpJ2p91TTe.3eQIDTcLEQ5rxeg.e5IEXAZHHQ/aMsR5kPEujEghx0";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGEfy6F4rF80r4Cpo2H5xaWqhuUZzUsVsILSKGJzt5jF dalvare1@ssfhead"
+        ];
+      };
+
+      varcila = {
+        uid = 5650;
+        isNormalUser = true;
+        home = "/home/Computational/varcila";
+        description = "Vincent Arcila";
+        group = "Computational";
+        hosts = [ "hut" "tent" "fox" ];
+        hashedPassword = "$6$oB0Tcn99DcM4Ch$Vn1A0ulLTn/8B2oFPi9wWl/NOsJzaFAWjqekwcuC9sMC7cgxEVb.Nk5XSzQ2xzYcNe5MLtmzkVYnRS1CqP39Y0";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"
+        ];
+      };
    };

    groups = {
      Computational = { gid = 564; };
+      tracing = { };
    };
  };
 }
--- a/m/common/ssf.nix
+++ b/m/common/ssf.nix
@@ -0,0 +1,9 @@
+{
+  # Provides the base system for a xeon node in the SSF rack.
+  imports = [
+    ./xeon.nix
+    ./ssf/fs.nix
+    ./ssf/net.nix
+    ./ssf/ssh.nix
+  ];
+}
--- a/m/common/xeon/fs.nix
+++ b/m/common/xeon/fs.nix
--- a/m/common/xeon/net.nix
+++ b/m/common/xeon/net.nix
@@ -11,7 +11,7 @@

    proxy = {
      default = "http://hut:23080/";
-      noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40";
+      noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40,hut";
      # Don't set all_proxy as go complains and breaks the gitlab runner, see:
      # https://github.com/golang/go/issues/16715
      allProxy = null;
@@ -34,37 +34,37 @@
      # Node Entry for node: mds01 (ID=72)
      10.0.40.40              bay mds01 mds01-eth0
      10.0.42.40              bay-ib mds01-ib0
-      10.0.40.141             bay-ipmi mds01-ipmi0
+      10.0.40.141             bay-ipmi mds01-ipmi0 mds01-ipmi
      
      # Node Entry for node: oss01 (ID=73)
      10.0.40.41              oss01 oss01-eth0
      10.0.42.41              oss01-ib0
-      10.0.40.142             oss01-ipmi0
+      10.0.40.142             oss01-ipmi0 oss01-ipmi
      
      # Node Entry for node: oss02 (ID=74)
      10.0.40.42              lake2 oss02 oss02-eth0
      10.0.42.42              lake2-ib oss02-ib0
-      10.0.40.143             lake2-ipmi oss02-ipmi0
+      10.0.40.143             lake2-ipmi oss02-ipmi0 oss02-ipmi
      
      # Node Entry for node: xeon01 (ID=15)
      10.0.40.1               owl1 xeon01 xeon01-eth0
      10.0.42.1               owl1-ib xeon01-ib0
-      10.0.40.101             owl1-ipmi xeon01-ipmi0
+      10.0.40.101             owl1-ipmi xeon01-ipmi0 xeon01-ipmi
      
      # Node Entry for node: xeon02 (ID=16)
      10.0.40.2               owl2 xeon02 xeon02-eth0
      10.0.42.2               owl2-ib xeon02-ib0
-      10.0.40.102             owl2-ipmi xeon02-ipmi0
+      10.0.40.102             owl2-ipmi xeon02-ipmi0 xeon02-ipmi
      
      # Node Entry for node: xeon03 (ID=17)
      10.0.40.3               xeon03 xeon03-eth0
      10.0.42.3               xeon03-ib0
-      10.0.40.103             xeon03-ipmi0
+      10.0.40.103             xeon03-ipmi0 xeon03-ipmi
      
      # Node Entry for node: xeon04 (ID=18)
      10.0.40.4               xeon04 xeon04-eth0
      10.0.42.4               xeon04-ib0
-      10.0.40.104             xeon04-ipmi0
+      10.0.40.104             xeon04-ipmi0 xeon04-ipmi
      
      # Node Entry for node: xeon05 (ID=19)
      10.0.40.5               koro xeon05 xeon05-eth0
@@ -74,17 +74,17 @@
      # Node Entry for node: xeon06 (ID=20)
      10.0.40.6               xeon06 xeon06-eth0
      10.0.42.6               xeon06-ib0
-      10.0.40.106             xeon06-ipmi0
+      10.0.40.106             xeon06-ipmi0 xeon06-ipmi
      
      # Node Entry for node: xeon07 (ID=21)
      10.0.40.7               hut xeon07 xeon07-eth0
      10.0.42.7               hut-ib xeon07-ib0
-      10.0.40.107             hut-ipmi xeon07-ipmi0
+      10.0.40.107             hut-ipmi xeon07-ipmi0 xeon07-ipmi
      
      # Node Entry for node: xeon08 (ID=22)
      10.0.40.8               eudy xeon08 xeon08-eth0
      10.0.42.8               eudy-ib xeon08-ib0
-      10.0.40.108             eudy-ipmi xeon08-ipmi0
+      10.0.40.108             eudy-ipmi xeon08-ipmi0 xeon08-ipmi
    '';
  };
 }
--- a/m/common/ssf/ssh.nix
+++ b/m/common/ssf/ssh.nix
@@ -0,0 +1,8 @@
+{
+  # Connect to intranet git hosts via proxy
+  programs.ssh.extraConfig = ''
+    # Connect to BSC machines via hut proxy too
+    Host amdlogin1.bsc.es armlogin1.bsc.es hualogin1.bsc.es glogin1.bsc.es glogin2.bsc.es fpgalogin1.bsc.es
+      ProxyCommand nc -X connect -x hut:23080 %h %p
+  '';
+}
--- a/m/common/xeon.nix
+++ b/m/common/xeon.nix
@@ -1,9 +1,7 @@
 {
-  # Provides the base system for a xeon node.
+  # Provides the base system for a xeon node, not necessarily in the SSF rack.
  imports = [
    ./base.nix
-    ./xeon/fs.nix
    ./xeon/console.nix
-    ./xeon/net.nix
  ];
 }
--- a/m/eudy/configuration.nix
+++ b/m/eudy/configuration.nix
@@ -2,7 +2,7 @@

 {
  imports = [
-    ../common/xeon.nix
+    ../common/ssf.nix
    #(modulesPath + "/installer/netboot/netboot-minimal.nix")

    ./kernel/kernel.nix
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -0,0 +1,83 @@
+{ lib, config, pkgs, ... }:
+
+{
+  imports = [
+    ../common/base.nix
+    ../common/xeon/console.nix
+    ../module/emulation.nix
+  ];
+
+  # Select the this using the ID to avoid mismatches
+  boot.loader.grub.device = "/dev/disk/by-id/wwn-0x500a07514b0c1103";
+
+  # No swap, there is plenty of RAM
+  swapDevices = lib.mkForce [];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.kernelModules = [ "kvm-amd" "amd_uncore" ];
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode = lib.mkForce false;
+
+  # Use performance for benchmarks
+  powerManagement.cpuFreqGovernor = "performance";
+
+  # Disable NUMA balancing
+  boot.kernel.sysctl."kernel.numa_balancing" = 0;
+
+  # Expose kernel addresses
+  boot.kernel.sysctl."kernel.kptr_restrict" = 0;
+
+  services.openssh.settings.X11Forwarding = true;
+
+  networking = {
+    timeServers = [ "ntp1.upc.edu" "ntp2.upc.edu" ];
+    hostName = "fox";
+    # UPC network (may change over time, use DHCP)
+    # Public IP configuration:
+    # - Hostname: fox.ac.upc.edu
+    # - IP: 147.83.30.141
+    # - Gateway: 147.83.30.130
+    # - NetMask: 255.255.255.192
+    # Private IP configuration for BMC:
+    # - Hostname: fox-ipmi.ac.upc.edu
+    # - IP: 147.83.35.27
+    # - Gateway: 147.83.35.2
+    # - NetMask: 255.255.255.0
+    interfaces.enp1s0f0np0.useDHCP = true;
+  };
+
+  # Use hut for cache
+  nix.settings = {
+    extra-substituters = [ "https://jungle.bsc.es/cache" ];
+    extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+  };
+
+  # Configure Nvidia driver to use with CUDA
+  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production;
+  hardware.graphics.enable = true;
+  nixpkgs.config.allowUnfree = true;
+  nixpkgs.config.nvidia.acceptLicense = true;
+  services.xserver.videoDrivers = [ "nvidia" ];
+
+  # Mount NVME disks
+  fileSystems."/nvme0" = { device = "/dev/disk/by-label/nvme0"; fsType = "ext4"; };
+  fileSystems."/nvme1" = { device = "/dev/disk/by-label/nvme1"; fsType = "ext4"; };
+
+  # Make a /nvme{0,1}/$USER directory for each user.
+  systemd.services.create-nvme-dirs = let
+    # Take only normal users in fox
+    users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users;
+    commands = lib.concatLists (lib.mapAttrsToList
+      (_: user: [
+        "install -d -o ${user.name} -g ${user.group} -m 0755 /nvme{0,1}/${user.name}"
+      ]) users);
+    script = pkgs.writeShellScript "create-nvme-dirs.sh" (lib.concatLines commands);
+  in {
+    enable = true;
+    wants = [ "local-fs.target" ];
+    after = [ "local-fs.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig.ExecStart = script;
+  };
+}
--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@@ -1,8 +1,8 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:

 {
  imports = [
-    ../common/xeon.nix
+    ../common/ssf.nix

    ../module/ceph.nix
    ../module/debuginfod.nix
@@ -23,11 +23,21 @@
  ];

  # Select the this using the ID to avoid mismatches
-  boot.loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2BB240G7_PHDV6462004Y240AGN";
+  boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53567f";

-  fileSystems."/nvme" = {
-    fsType = "ext4";
-    device = "/dev/disk/by-label/nvme";
+  fileSystems = {
+    "/" = lib.mkForce {
+      device = "/dev/disk/by-label/nvme";
+      fsType = "ext4";
+      neededForBoot = true;
+      options = [ "noatime" ];
+    };
+
+    "/boot" = lib.mkForce {
+      device = "/dev/disk/by-label/nixos-boot";
+      fsType = "ext4";
+      neededForBoot = true;
+    };
  };

  networking = {
@@ -46,6 +56,11 @@
        iptables -A nixos-fw -p tcp -s 10.0.40.30 --dport 23080 -j nixos-fw-log-refuse
        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 23080 -j nixos-fw-accept
      '';
+      # Flush all rules and chains on stop so it won't break on start
+      extraStopCommands = ''
+        iptables -F
+        iptables -X
+      '';
    };
  };

--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -1,8 +1,9 @@
 { pkgs, lib, config, ... }:

 {
-  age.secrets.gitlabRunnerShellToken.file = ../../secrets/gitlab-runner-shell-token.age;
-  age.secrets.gitlabRunnerDockerToken.file = ../../secrets/gitlab-runner-docker-token.age;
+  age.secrets.gitlab-pm-shell.file = ../../secrets/gitlab-runner-shell-token.age;
+  age.secrets.gitlab-pm-docker.file = ../../secrets/gitlab-runner-docker-token.age;
+  age.secrets.gitlab-bsc-docker.file = ../../secrets/gitlab-bsc-docker-token.age;

  services.gitlab-runner = {
    enable = true;
@@ -21,21 +22,90 @@
          "--docker-network-mode host"
        ];
        environmentVariables = {
-          https_proxy = "http://localhost:23080";
-          http_proxy = "http://localhost:23080";
+          https_proxy = "http://hut:23080";
+          http_proxy = "http://hut:23080";
        };
      };
    in {
      # For pm.bsc.es/gitlab
      gitlab-pm-shell = common-shell // {
-        authenticationTokenConfigFile = config.age.secrets.gitlabRunnerShellToken.path;
+        authenticationTokenConfigFile = config.age.secrets.gitlab-pm-shell.path;
      };
      gitlab-pm-docker = common-docker // {
-        authenticationTokenConfigFile = config.age.secrets.gitlabRunnerDockerToken.path;
+        authenticationTokenConfigFile = config.age.secrets.gitlab-pm-docker.path;
+      };
+
+      gitlab-bsc-docker = {
+        # gitlab.bsc.es still uses the old token mechanism
+        registrationConfigFile = config.age.secrets.gitlab-bsc-docker.path;
+        tagList = [ "docker" "hut" ];
+        environmentVariables = {
+          # We cannot access the hut local interface from docker, so we connect
+          # to hut directly via the ethernet one.
+          https_proxy = "http://hut:23080";
+          http_proxy = "http://hut:23080";
+        };
+        executor = "docker";
+        dockerImage = "alpine";
+        dockerVolumes = [
+          "/nix/store:/nix/store:ro"
+          "/nix/var/nix/db:/nix/var/nix/db:ro"
+          "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+        ];
+        dockerExtraHosts = [
+          # Required to pass the proxy via hut
+          "hut:10.0.40.7"
+        ];
+        dockerDisableCache = true;
+        registrationFlags = [
+          # Increase build log length to 64 MiB
+          "--output-limit 65536"
+        ];
+        preBuildScript = pkgs.writeScript "setup-container" ''
+          mkdir -p -m 0755 /nix/var/log/nix/drvs
+          mkdir -p -m 0755 /nix/var/nix/gcroots
+          mkdir -p -m 0755 /nix/var/nix/profiles
+          mkdir -p -m 0755 /nix/var/nix/temproots
+          mkdir -p -m 0755 /nix/var/nix/userpool
+          mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+          mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+          mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+          mkdir -p -m 0700 "$HOME/.nix-defexpr"
+          mkdir -p -m 0700 "$HOME/.ssh"
+          cat > "$HOME/.ssh/config" << EOF
+          Host bscpm04.bsc.es gitlab-internal.bsc.es
+            User git
+            ProxyCommand nc -X connect -x hut:23080 %h %p
+          Host amdlogin1.bsc.es armlogin1.bsc.es hualogin1.bsc.es glogin1.bsc.es glogin2.bsc.es fpgalogin1.bsc.es
+            ProxyCommand nc -X connect -x hut:23080 %h %p
+          EOF
+          cat >> "$HOME/.ssh/known_hosts" << EOF
+          bscpm04.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT
+          gitlab-internal.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3
+          EOF
+          . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
+          # Required to load SSL certificate paths
+          . ${pkgs.cacert}/nix-support/setup-hook
+        '';
+        environmentVariables = {
+          ENV = "/etc/profile";
+          USER = "root";
+          NIX_REMOTE = "daemon";
+          PATH = "${config.system.path}/bin:/bin:/sbin:/usr/bin:/usr/sbin";
+        };
      };
    };
  };

+  # DOCKER* chains are useless, override at FORWARD and nixos-fw
+  networking.firewall.extraCommands = ''
+    # Don't forward any traffic from docker
+    iptables -I FORWARD 1 -p all -i docker0 -j nixos-fw-log-refuse
+
+    # Allow incoming traffic from docker to 23080
+    iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j ACCEPT
+  '';
+
  #systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash";
  systemd.services.gitlab-runner.serviceConfig.DynamicUser = lib.mkForce false;
  systemd.services.gitlab-runner.serviceConfig.User = "gitlab-runner";
--- a/m/hut/gpfs-probe.nix
+++ b/m/hut/gpfs-probe.nix
@@ -0,0 +1,31 @@
+{ pkgs, config, lib, ... }:
+let
+  gpfs-probe-script = pkgs.runCommand "gpfs-probe.sh" { }
+    ''
+      cp ${./gpfs-probe.sh} $out;
+      chmod +x $out
+    ''
+  ;
+in
+{
+  # Use a new user to handle the SSH keys
+  users.groups.ssh-robot = { };
+  users.users.ssh-robot = {
+    description = "SSH Robot";
+    isNormalUser = true;
+    home = "/var/lib/ssh-robot";
+  };
+
+  systemd.services.gpfs-probe = {
+    description = "Daemon to report GPFS latency via SSH";
+    path = [ pkgs.openssh pkgs.netcat ];
+    after = [ "network.target" ];
+    wantedBy = [ "default.target" ];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${pkgs.socat}/bin/socat TCP4-LISTEN:9966,fork EXEC:${gpfs-probe-script}";
+      User = "ssh-robot";
+      Group = "ssh-robot";
+    };
+  };
+}
--- a/m/hut/gpfs-probe.sh
+++ b/m/hut/gpfs-probe.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+N=500
+
+t=$(timeout 5 ssh bsc015557@glogin2.bsc.es "timeout 3 command time -f %e touch /gpfs/projects/bsc15/bsc015557/gpfs.{1..$N} 2>&1; rm -f /gpfs/projects/bsc15/bsc015557/gpfs.{1..$N}")
+
+if [ -z "$t" ]; then
+  t="5.00"
+fi
+
+cat <<EOF
+HTTP/1.1 200 OK
+Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=values
+
+# HELP gpfs_touch_latency Time to create $N files.
+# TYPE gpfs_touch_latency gauge
+gpfs_touch_latency $t
+EOF
--- a/m/hut/ipmi.yml
+++ b/m/hut/ipmi.yml
@@ -1,13 +0,0 @@
-modules:
-        default:
-                collectors:
-                - bmc
-                - ipmi
-                - chassis
-
-        lan:
-                collectors:
-                - ipmi
-                - chassis
-                user: ""
-                pass: ""
--- a/m/hut/monitoring.nix
+++ b/m/hut/monitoring.nix
@@ -1,7 +1,13 @@
 { config, lib, ... }:

 {
-  imports = [ ../module/slurm-exporter.nix ];
+  imports = [
+    ../module/slurm-exporter.nix
+    ../module/meteocat-exporter.nix
+    ../module/upc-qaire-exporter.nix
+    ./gpfs-probe.nix
+    ../module/nix-daemon-exporter.nix
+  ];

  age.secrets.grafanaJungleRobotPassword = {
    file = ../../secrets/jungle-robot-password.age;
@@ -9,6 +15,8 @@
    mode = "400";
  };

+  age.secrets.ipmiYml.file = ../../secrets/ipmi.yml.age;
+
  services.grafana = {
    enable = true;
    settings = {
@@ -41,7 +49,7 @@
  services.prometheus = {
    enable = true;
    port = 9001;
-    retentionTime = "1y";
+    retentionTime = "5y";
    listenAddress = "127.0.0.1";
  };

@@ -70,13 +78,13 @@
        enable = true;
        group = "root";
        user = "root";
-        configFile = ./ipmi.yml;
-        #extraFlags = [ "--log.level=debug" ];
+        configFile = config.age.secrets.ipmiYml.path;
+        # extraFlags = [ "--log.level=debug" ];
        listenAddress = "127.0.0.1";
      };
      node = {
        enable = true;
-        enabledCollectors = [ "systemd" ];
+        enabledCollectors = [ "systemd" "logind" ];
        port = 9002;
        listenAddress = "127.0.0.1";
      };
@@ -102,6 +110,10 @@
            "127.0.0.1:9252"
            "127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}"
            "127.0.0.1:9341" # Slurm exporter
+            "127.0.0.1:9966" # GPFS custom exporter
+            "127.0.0.1:9999" # Nix-daemon custom exporter
+            "127.0.0.1:9929" # Meteocat custom exporter
+            "127.0.0.1:9928" # UPC Qaire custom exporter
            "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}"
          ];
        }];
@@ -157,6 +169,9 @@
            "8.8.8.8"
            "ssfhead"
            "anella-bsc.cesca.cat"
+            "upc-anella.cesca.cat"
+            "fox.ac.upc.edu"
+            "arenys5.ac.upc.edu"
          ];
        }];
        relabel_configs = [
@@ -202,7 +217,7 @@
            # Sets the "instance" label with the remote host we are querying
            source_labels = [ "__param_target" ];
            separator = ";";
-            regex = "(.*)";
+            regex = "(.*)-ipmi"; # Remove "-ipm̀i" at the end
            target_label = "instance";
            replacement = "\${1}";
            action = "replace";
@@ -244,6 +259,14 @@
          module = [ "raccoon" ];
        };
      }
+      {
+        job_name = "raccoon";
+        static_configs = [
+          {
+            targets = [ "127.0.0.1:19002" ]; # Node exporter
+          }
+        ];
+      }
    ];
  };
 }
--- a/m/hut/nginx.nix
+++ b/m/hut/nginx.nix
@@ -1,14 +1,73 @@
+{ theFlake, pkgs, ... }:
+let
+  website = pkgs.stdenv.mkDerivation {
+    name = "jungle-web";
+    src = theFlake;
+    buildInputs = [ pkgs.hugo ];
+    buildPhase = ''
+      cd web
+      rm -rf public/
+      hugo
+    '';
+    installPhase = ''
+      cp -r public $out
+    '';
+    # Don't mess doc/
+    dontFixup = true;
+  };
+in
 {
+  networking.firewall.allowedTCPPorts = [ 80 ];
  services.nginx = {
    enable = true;
    virtualHosts."jungle.bsc.es" = {
+      root = "${website}";
      listen = [
        {
-          addr = "127.0.0.1";
-          port = 8123;
+          addr = "0.0.0.0";
+          port = 80;
        }
      ];
-      locations."/p/".alias = "/ceph/p/";
+      extraConfig = ''
+        set_real_ip_from 127.0.0.1;
+        set_real_ip_from 84.88.52.107;
+        real_ip_recursive on;
+        real_ip_header X-Forwarded-For;
+
+        location /git {
+          rewrite ^/git$ / break;
+          rewrite ^/git/(.*) /$1 break;
+          proxy_pass http://127.0.0.1:3000;
+          proxy_redirect http:// $scheme://;
+        }
+        location /cache {
+          rewrite ^/cache/(.*) /$1 break;
+          proxy_pass http://127.0.0.1:5000;
+          proxy_redirect http:// $scheme://;
+        }
+        location /lists {
+          proxy_pass http://127.0.0.1:8081;
+          proxy_redirect http:// $scheme://;
+        }
+        location /grafana {
+          proxy_pass http://127.0.0.1:2342;
+          proxy_redirect http:// $scheme://;
+          proxy_set_header Host $host;
+          # Websockets
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+        }
+        location ~ ^/~(.+?)(/.*)?$ {
+          alias /ceph/home/$1/public_html$2;
+          index  index.html index.htm;
+          autoindex on;
+          absolute_redirect off;
+        }
+        location /p/ {
+          alias /ceph/p/;
+        }
+      '';
    };
  };
 }
--- a/m/hut/p.nix
+++ b/m/hut/p.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, config, ... }:
 let
  p = pkgs.writeShellScriptBin "p" ''
    set -e
@@ -6,12 +6,14 @@ let
    pastedir="p/$USER"
    mkdir -p "$pastedir"

+    ext="txt"
+
    if [ -n "$1" ]; then
-            out="$pastedir/$1"
-    else
-            out=$(mktemp "$pastedir/XXXXXXXX.txt")
+      ext="$1"
    fi

+    out=$(mktemp "$pastedir/XXXXXXXX.$ext")
+
    cat > "$out"
    chmod go+r "$out"
    echo "https://jungle.bsc.es/$out"
@@ -19,4 +21,23 @@ let
 in
 {
  environment.systemPackages = with pkgs; [ p ];
+
+  # Make sure we have a directory per user. We cannot use the nice
+  # systemd-tmpfiles-setup.service service because this is a remote FS, and it
+  # may not be mounted when it runs.
+  systemd.services.create-paste-dirs = let
+    # Take only normal users in hut
+    users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users;
+    commands = lib.concatLists (lib.mapAttrsToList
+      (_: user: [
+        "install -d -o ${user.name} -g ${user.group} -m 0755 /ceph/p/${user.name}"
+      ]) users);
+    script = pkgs.writeShellScript "create-paste-dirs.sh" (lib.concatLines commands);
+  in {
+    enable = true;
+    wants = [ "remote-fs.target" ];
+    after = [ "remote-fs.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig.ExecStart = script;
+  };
 }
--- a/m/hut/targets.yml
+++ b/m/hut/targets.yml
@@ -1,15 +1,15 @@
 - targets:
-  - 10.0.40.101
-  - 10.0.40.102
-  - 10.0.40.103
-  - 10.0.40.104
-  - 10.0.40.105
-  - 10.0.40.106
-  - 10.0.40.107
-  - 10.0.40.108
+  - owl1-ipmi
+  - owl2-ipmi
+  - xeon03-ipmi
+  - xeon04-ipmi
+  - koro-ipmi
+  - xeon06-ipmi
+  - hut-ipmi
+  - eudy-ipmi
  # Storage
-  - 10.0.40.141
-  - 10.0.40.142
-  - 10.0.40.143
+  - bay-ipmi
+  - oss01-ipmi
+  - lake2-ipmi
  labels:
    job: ipmi-lan
--- a/m/koro/configuration.nix
+++ b/m/koro/configuration.nix
@@ -2,7 +2,7 @@

 {
  imports = [
-    ../common/xeon.nix
+    ../common/ssf.nix
    #(modulesPath + "/installer/netboot/netboot-minimal.nix")

    ../eudy/cpufreq.nix
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@@ -2,7 +2,7 @@

 {
  imports = [
-    ../common/xeon.nix
+    ../common/ssf.nix
    ../module/monitoring.nix
  ];

--- a/m/map.nix
+++ b/m/map.nix
@@ -0,0 +1,70 @@
+{
+  # In physical order from top to bottom (see note below)
+  ssf = {
+    # Switches for Ethernet and OmniPath
+    switch-C6-S1A-05 = { pos=42; size=1; model="Dell S3048-ON"; };
+    switch-opa = { pos=41; size=1; };
+
+    # SSF login
+    ssfhead = { pos=39; size=2; label="SSFHEAD"; board="R2208WTTYSR"; contact="operations@bsc.es"; };
+
+    # Storage
+    bay   = { pos=38; size=1; label="MDS01"; board="S2600WT2R"; sn="BQWL64850303"; contact="rodrigo.arias@bsc.es"; };
+    lake1 = { pos=37; size=1; label="OSS01"; board="S2600WT2R"; sn="BQWL64850234"; contact="rodrigo.arias@bsc.es"; };
+    lake2 = { pos=36; size=1; label="OSS02"; board="S2600WT2R"; sn="BQWL64850266"; contact="rodrigo.arias@bsc.es"; };
+
+    # Compute xeon
+    owl1   = { pos=35; size=1; label="SSF-XEON01"; board="S2600WTTR"; sn="BQWL64954172"; contact="rodrigo.arias@bsc.es"; };
+    owl2   = { pos=34; size=1; label="SSF-XEON02"; board="S2600WTTR"; sn="BQWL64756560"; contact="rodrigo.arias@bsc.es"; };
+    xeon03 = { pos=33; size=1; label="SSF-XEON03"; board="S2600WTTR"; sn="BQWL64750826"; contact="rodrigo.arias@bsc.es"; };
+    # Slot 34 empty
+    koro   = { pos=31; size=1; label="SSF-XEON05"; board="S2600WTTR"; sn="BQWL64954293"; contact="rodrigo.arias@bsc.es"; };
+    xeon06 = { pos=30; size=1; label="SSF-XEON06"; board="S2600WTTR"; sn="BQWL64750846"; contact="antoni.navarro@bsc.es"; };
+    hut    = { pos=29; size=1; label="SSF-XEON07"; board="S2600WTTR"; sn="BQWL64751184"; contact="rodrigo.arias@bsc.es"; };
+    eudy   = { pos=28; size=1; label="SSF-XEON08"; board="S2600WTTR"; sn="BQWL64756586"; contact="aleix.rocanonell@bsc.es"; };
+
+    # 16 KNL nodes, 4 per chassis
+    knl01_04 = { pos=26; size=2; label="KNL01..KNL04"; board="HNS7200APX"; };
+    knl05_08 = { pos=24; size=2; label="KNL05..KNL18"; board="HNS7200APX"; };
+    knl09_12 = { pos=22; size=2; label="KNL09..KNL12"; board="HNS7200APX"; };
+    knl13_16 = { pos=20; size=2; label="KNL13..KNL16"; board="HNS7200APX"; };
+
+    # Slot 19 empty
+
+    # EPI (hw team, guessed order)
+    epi01 = { pos=18; size=1; contact="joan.cabre@bsc.es"; };
+    epi02 = { pos=17; size=1; contact="joan.cabre@bsc.es"; };
+    epi03 = { pos=16; size=1; contact="joan.cabre@bsc.es"; };
+    anon  = { pos=14; size=2; }; # Unlabeled machine. Operative
+
+    # These are old and decommissioned (off)
+    power8    = { pos=12; size=2; label="BSCPOWER8N3";   decommissioned=true; };
+    powern1   = { pos=8;  size=4; label="BSCPOWERN1";    decommissioned=true; };
+    gustafson = { pos=7;  size=1; label="gustafson";     decommissioned=true; };
+    odap01    = { pos=3;  size=4; label="ODAP01";        decommissioned=true; };
+    amhdal    = { pos=2;  size=1; label="AMHDAL";        decommissioned=true; }; # sic
+    moore     = { pos=1;  size=1; label="moore (earth)"; decommissioned=true; };
+  };
+
+  bsc2218 = {
+    raccoon = { board="W2600CR"; sn="QSIP22500829"; contact="rodrigo.arias@bsc.es"; };
+    tent    = { label="SSF-XEON04"; board="S2600WTTR"; sn="BQWL64751229"; contact="rodrigo.arias@bsc.es"; };
+  };
+
+  upc = {
+    fox = { board="H13DSG-O-CPU"; sn="UM24CS600392"; prod="AS-4125GS-TNRT"; prod_sn="E508839X5103339"; contact="rodrigo.arias@bsc.es"; };
+  };
+
+  # NOTE: Position is specified in "U" units (44.45 mm) and starts at 1 from the
+  # bottom. Example:
+  #
+  #  |   ...  | - [pos+size] <--- Label in chassis
+  #  +--------+
+  #  |  node  | - [pos+1]
+  #  |   2U   | - [pos]
+  #  +------- +
+  #  |   ...  | - [pos-1]
+  #
+  # NOTE: The board and sn refers to the FRU information (Board Product and
+  # Board Serial) via `ipmitool fru print 0`.
+}
--- a/m/module/ceph.nix
+++ b/m/module/ceph.nix
@@ -13,22 +13,10 @@

  age.secrets.cephUser.file = ../../secrets/ceph-user.age;

-  fileSystems."/ceph-slow" = {
-    fsType = "ceph";
-    device = "user@9c8d06e0-485f-4aaf-b16b-06d6daf1232b.cephfs=/";
-    options = [
-      "mon_addr=10.0.40.40"
-      "secretfile=${config.age.secrets.cephUser.path}"
-    ];
-  };
-
-  services.cachefilesd.enable = true;
-
  fileSystems."/ceph" = {
    fsType = "ceph";
    device = "user@9c8d06e0-485f-4aaf-b16b-06d6daf1232b.cephfs=/";
    options = [
-      "fsc"
      "mon_addr=10.0.40.40"
      "secretfile=${config.age.secrets.cephUser.path}"
    ];
--- a/m/module/hut-substituter.nix
+++ b/m/module/hut-substituter.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+  nix.settings =
+    # Don't add hut as a cache to itself
+    assert config.networking.hostName != "hut";
+    {
+      extra-substituters = [ "http://hut/cache" ];
+      extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+    };
+}
--- a/m/module/meteocat-exporter.nix
+++ b/m/module/meteocat-exporter.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  systemd.services."prometheus-meteocat-exporter" = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      Restart = mkDefault "always";
+      PrivateTmp = mkDefault true;
+      WorkingDirectory = mkDefault "/tmp";
+      DynamicUser = mkDefault true;
+      ExecStart = "${pkgs.meteocat-exporter}/bin/meteocat-exporter";
+    };
+  };
+}
--- a/m/module/nix-daemon-builds.sh
+++ b/m/module/nix-daemon-builds.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Locate nix daemon pid
+nd=$(pgrep -o nix-daemon)
+
+# Locate children of nix-daemon
+pids1=$(tr ' ' '\n' < "/proc/$nd/task/$nd/children")
+
+# For each children, locate 2nd level children
+pids2=$(echo "$pids1" | xargs -I @ /bin/sh -c 'cat /proc/@/task/*/children' | tr ' ' '\n')
+
+cat <<EOF
+HTTP/1.1 200 OK
+Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=values
+
+# HELP nix_daemon_build Nix daemon derivation build state.
+# TYPE nix_daemon_build gauge
+EOF
+
+for pid in $pids2; do
+  name=$(cat /proc/$pid/environ 2>/dev/null | tr '\0' '\n' | rg "^name=(.+)" - --replace '$1' | tr -dc ' [:alnum:]_\-\.')
+  user=$(ps -o uname= -p "$pid")
+  if [ -n "$name" -a -n "$user" ]; then
+    printf 'nix_daemon_build{user="%s",name="%s"} 1\n' "$user" "$name"
+  fi
+done
--- a/m/module/nix-daemon-exporter.nix
+++ b/m/module/nix-daemon-exporter.nix
@@ -0,0 +1,23 @@
+{ pkgs, config, lib, ... }:
+let
+  script = pkgs.runCommand "nix-daemon-exporter.sh" { }
+    ''
+      cp ${./nix-daemon-builds.sh} $out;
+      chmod +x $out
+    ''
+  ;
+in
+{
+  systemd.services.nix-daemon-exporter = {
+    description = "Daemon to export nix-daemon metrics";
+    path = [ pkgs.procps pkgs.ripgrep ];
+    wantedBy = [ "default.target" ];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${pkgs.socat}/bin/socat TCP4-LISTEN:9999,fork EXEC:${script}";
+      # Needed root to read the environment, potentially unsafe
+      User = "root";
+      Group = "root";
+    };
+  };
+}
--- a/m/module/p.nix
+++ b/m/module/p.nix
@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.p;
+in
+{
+  options = {
+    services.p = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Whether to enable the p service.";
+      };
+      path = lib.mkOption {
+        type = lib.types.str;
+        default = "/var/lib/p";
+        description = "Where to save the pasted files on disk.";
+      };
+      url = lib.mkOption {
+        type = lib.types.str;
+        default = "https://jungle.bsc.es/p";
+        description = "URL prefix for the printed file.";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = let 
+      p = pkgs.writeShellScriptBin "p" ''
+        set -e
+        pastedir="${cfg.path}/$USER"
+        cd "$pastedir"
+
+        ext="txt"
+        if [ -n "$1" ]; then
+          ext="$1"
+        fi
+
+        out=$(mktemp "XXXXXXXX.$ext")
+        cat > "$out"
+        chmod go+r "$out"
+        echo "${cfg.url}/$USER/$out"
+      '';
+    in [ p ];
+
+    systemd.services.p = let
+      # Take only normal users
+      users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users;
+      # Create a directory for each user
+      commands = lib.concatLists (lib.mapAttrsToList (_: user: [
+        "install -d -o ${user.name} -g ${user.group} -m 0755 ${cfg.path}/${user.name}"
+      ]) users);
+    in {
+      description = "P service setup";
+      requires = [ "network-online.target" ];
+      #wants = [ "remote-fs.target" ];
+      #after = [ "remote-fs.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = pkgs.writeShellScript "p-init.sh" (''
+
+          install -d -o root -g root -m 0755 ${cfg.path}
+
+        '' + (lib.concatLines commands));
+      };
+    };
+  };
+}
--- a/m/module/slurm-client.nix
+++ b/m/module/slurm-client.nix
@@ -47,8 +47,7 @@ in {
    ];

    partitionName = [
-      "owl Nodes=owl[1-2] Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
-      "all Nodes=owl[1-2],hut Default=NO DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
+      "owl Nodes=owl[1-2]     Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
    ];

    # See slurm.conf(5) for more details about these options.
@@ -91,9 +90,29 @@ in {
      # Ignore memory constraints and only use unused cores to share a node with
      # other jobs.
      SelectTypeParameters=CR_Core
+
+      # Required for pam_slurm_adopt, see https://slurm.schedmd.com/pam_slurm_adopt.html
+      # This sets up the "extern" step into which ssh-launched processes will be
+      # adopted. Alloc runs the prolog at job allocation (salloc) rather than
+      # when a task runs (srun) so we can ssh early.
+      PrologFlags=Alloc,Contain,X11
+
+      # LaunchParameters=ulimit_pam_adopt will set RLIMIT_RSS in processes
+      # adopted by the external step, similar to tasks running in regular steps
+      # LaunchParameters=ulimit_pam_adopt
+      SlurmdDebug=debug5
+      #DebugFlags=Protocol,Cgroup
+    '';
+
+    extraCgroupConfig = ''
+      CgroupPlugin=cgroup/v2
+      #ConstrainCores=yes
    '';
  };

+  # Place the slurm config in /etc as this will be required by PAM
+  environment.etc.slurm.source = config.services.slurm.etcSlurm;
+
  age.secrets.mungeKey = {
    file = ../../secrets/munge-key.age;
    owner = "munge";
--- a/m/module/ssh-hut-extern.nix
+++ b/m/module/ssh-hut-extern.nix
@@ -0,0 +1,9 @@
+{
+  programs.ssh.extraConfig = ''
+    Host ssfhead
+      HostName ssflogin.bsc.es
+    Host hut
+      ProxyJump ssfhead
+      HostName xeon07
+  '';
+}
--- a/m/module/upc-qaire-exporter.nix
+++ b/m/module/upc-qaire-exporter.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  systemd.services."prometheus-upc-qaire-exporter" = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      Restart = mkDefault "always";
+      PrivateTmp = mkDefault true;
+      WorkingDirectory = mkDefault "/tmp";
+      DynamicUser = mkDefault true;
+      ExecStart = "${pkgs.upc-qaire-exporter}/bin/upc-qaire-exporter";
+    };
+  };
+}
--- a/m/owl1/configuration.nix
+++ b/m/owl1/configuration.nix
@@ -2,12 +2,13 @@

 {
  imports = [
-    ../common/xeon.nix
+    ../common/ssf.nix
    ../module/ceph.nix
    ../module/emulation.nix
    ../module/slurm-client.nix
    ../module/slurm-firewall.nix
    ../module/debuginfod.nix
+    ../module/hut-substituter.nix
  ];

  # Select the this using the ID to avoid mismatches
--- a/m/owl2/configuration.nix
+++ b/m/owl2/configuration.nix
@@ -2,12 +2,13 @@

 {
  imports = [
-    ../common/xeon.nix
+    ../common/ssf.nix
    ../module/ceph.nix
    ../module/emulation.nix
    ../module/slurm-client.nix
    ../module/slurm-firewall.nix
    ../module/debuginfod.nix
+    ../module/hut-substituter.nix
  ];

  # Select the this using the ID to avoid mismatches
--- a/m/raccoon/configuration.nix
+++ b/m/raccoon/configuration.nix
@@ -3,6 +3,10 @@
 {
  imports = [
    ../common/base.nix
+    ../module/emulation.nix
+    ../module/debuginfod.nix
+    ../module/ssh-hut-extern.nix
+    ../eudy/kernel/perf.nix
  ];

  # Don't install Grub on the disk yet
@@ -23,8 +27,28 @@
      address = "84.88.51.152";
      prefixLength = 25;
    } ];
+    interfaces.enp5s0f1.ipv4.addresses = [ {
+      address = "10.0.44.1";
+      prefixLength = 24;
+    } ];
+    nat = {
+      enable = true;
+      internalInterfaces = [ "enp5s0f1" ];
+      externalInterface = "eno0";
+    };
+    hosts = {
+      "10.0.44.4" = [ "tent" ];
+    };
  };

+  nix.settings = {
+    extra-substituters = [ "https://jungle.bsc.es/cache" ];
+    extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+  };
+
+  # Enable performance governor
+  powerManagement.cpuFreqGovernor = "performance";
+
  # Configure Nvidia driver to use with CUDA
  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production;
  hardware.graphics.enable = true;
@@ -32,6 +56,18 @@
  nixpkgs.config.nvidia.acceptLicense = true;
  services.xserver.videoDrivers = [ "nvidia" ];

+  # Disable garbage collection for now
+  nix.gc.automatic = lib.mkForce false;
+
+  services.openssh.settings.X11Forwarding = true;
+
+  services.prometheus.exporters.node = {
+    enable = true;
+    enabledCollectors = [ "systemd" ];
+    port = 9002;
+    listenAddress = "127.0.0.1";
+  };
+
  users.motd = ''
    ⠀⠀⠀⠀⠀⠀⠀⣀⣀⣄⣠⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
    ⠀⠀⠀⠀⠀⠀⢰⠇⡀⠀⠙⠻⡿⣦⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⠀⠀⠀
--- a/m/tent/blackbox.yml
+++ b/m/tent/blackbox.yml
@@ -0,0 +1,14 @@
+modules:
+  http_2xx:
+    prober: http
+    timeout: 5s
+    http:
+      preferred_ip_protocol: "ip4"
+      follow_redirects: true
+      valid_status_codes: []  # Defaults to 2xx
+      method: GET
+  icmp:
+    prober: icmp
+    timeout: 5s
+    icmp:
+      preferred_ip_protocol: "ip4"
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -0,0 +1,79 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ../common/xeon.nix
+    ../module/emulation.nix
+    ../module/debuginfod.nix
+    ../module/ssh-hut-extern.nix
+    ./monitoring.nix
+    ./nginx.nix
+    ./nix-serve.nix
+    ./gitlab-runner.nix
+    ./gitea.nix
+    ../hut/public-inbox.nix
+    ../hut/msmtp.nix
+    ../module/p.nix
+  ];
+
+  # Select the this using the ID to avoid mismatches
+  boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d537675";
+
+  networking = {
+    hostName = "tent";
+    interfaces.eno1.ipv4.addresses = [
+      {
+        address = "10.0.44.4";
+        prefixLength = 24;
+      }
+    ];
+
+    # Only BSC DNSs seem to be reachable from the office VLAN
+    nameservers = [ "84.88.52.35" "84.88.52.36" ];
+    search = [ "bsc.es" ];
+    defaultGateway = "10.0.44.1";
+  };
+
+  services.p.enable = true;
+
+  services.prometheus.exporters.node = {
+    enable = true;
+    enabledCollectors = [ "systemd" ];
+    port = 9002;
+    listenAddress = "127.0.0.1";
+  };
+
+  boot.swraid = {
+    enable = true;
+    mdadmConf = ''
+      DEVICE partitions
+      ARRAY /dev/md0 metadata=1.2 UUID=496db1e2:056a92aa:a544543f:40db379d
+      MAILADDR root
+    '';
+  };
+
+  fileSystems."/vault" = {
+    device = "/dev/disk/by-label/vault";
+    fsType = "ext4";
+  };
+
+  # Make a /vault/$USER directory for each user.
+  systemd.services.create-vault-dirs = let
+    # Take only normal users in tent
+    users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users;
+    commands = lib.concatLists (lib.mapAttrsToList
+      (_: user: [
+        "install -d -o ${user.name} -g ${user.group} -m 0711 /vault/home/${user.name}"
+      ]) users);
+    script = pkgs.writeShellScript "create-vault-dirs.sh" (lib.concatLines commands);
+  in {
+    enable = true;
+    wants = [ "local-fs.target" ];
+    after = [ "local-fs.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig.ExecStart = script;
+  };
+
+  # disable automatic garbage collector
+  nix.gc.automatic = lib.mkForce false;
+}
--- a/m/tent/gitea.nix
+++ b/m/tent/gitea.nix
@@ -0,0 +1,30 @@
+{ config, lib, ... }:
+{
+  services.gitea = {
+    enable = true;
+    appName = "Gitea in the jungle";
+
+    settings = {
+      server = {
+        ROOT_URL = "https://jungle.bsc.es/git/";
+        LOCAL_ROOT_URL = "https://jungle.bsc.es/git/";
+        LANDING_PAGE = "explore";
+      };
+      metrics.ENABLED = true;
+      service = {
+        DISABLE_REGISTRATION = true;
+        REGISTER_MANUAL_CONFIRM = true;
+        ENABLE_NOTIFY_MAIL = true;
+      };
+      log.LEVEL = "Warn";
+
+      mailer = {
+        ENABLED       = true;
+        FROM          = "jungle-robot@bsc.es";
+        PROTOCOL      = "sendmail";
+        SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
+        SENDMAIL_ARGS = "--";
+      };
+    };
+  };
+}
--- a/m/tent/gitlab-runner.nix
+++ b/m/tent/gitlab-runner.nix
@@ -0,0 +1,93 @@
+{ pkgs, lib, config, ... }:
+
+{
+  age.secrets.tent-gitlab-runner-pm-shell.file = ../../secrets/tent-gitlab-runner-pm-shell-token.age;
+  age.secrets.tent-gitlab-runner-pm-docker.file = ../../secrets/tent-gitlab-runner-pm-docker-token.age;
+  age.secrets.tent-gitlab-runner-bsc-docker.file = ../../secrets/tent-gitlab-runner-bsc-docker-token.age;
+
+  services.gitlab-runner = let sec = config.age.secrets; in {
+    enable = true;
+    settings.concurrent = 5;
+    services = {
+      # For gitlab.pm.bsc.es
+      gitlab-pm-shell = {
+        executor = "shell";
+        environmentVariables = {
+          SHELL = "${pkgs.bash}/bin/bash";
+        };
+        authenticationTokenConfigFile = sec.tent-gitlab-runner-pm-shell.path;
+        preGetSourcesScript = pkgs.writeScript "setup" ''
+          echo "This is the preGetSources script running, brace for impact"
+          env
+        '';
+      };
+      gitlab-pm-docker = {
+        authenticationTokenConfigFile = sec.tent-gitlab-runner-pm-docker.path;
+        executor = "docker";
+        dockerImage = "debian:stable";
+      };
+
+      # For gitlab.bsc.es
+      gitlab-bsc-docker = {
+        # gitlab.bsc.es still uses the old token mechanism
+        registrationConfigFile = sec.tent-gitlab-runner-bsc-docker.path;
+        tagList = [ "docker" "tent" "nix" ];
+        executor = "docker";
+        dockerImage = "alpine";
+        dockerVolumes = [
+          "/nix/store:/nix/store:ro"
+          "/nix/var/nix/db:/nix/var/nix/db:ro"
+          "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+        ];
+        dockerDisableCache = true;
+        registrationFlags = [
+          # Increase build log length to 64 MiB
+          "--output-limit 65536"
+        ];
+        preBuildScript = pkgs.writeScript "setup-container" ''
+          mkdir -p -m 0755 /nix/var/log/nix/drvs
+          mkdir -p -m 0755 /nix/var/nix/gcroots
+          mkdir -p -m 0755 /nix/var/nix/profiles
+          mkdir -p -m 0755 /nix/var/nix/temproots
+          mkdir -p -m 0755 /nix/var/nix/userpool
+          mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+          mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+          mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+          mkdir -p -m 0700 "$HOME/.nix-defexpr"
+          mkdir -p -m 0700 "$HOME/.ssh"
+          cat >> "$HOME/.ssh/known_hosts" << EOF
+          bscpm04.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT
+          gitlab-internal.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3
+          EOF
+          . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
+          # Required to load SSL certificate paths
+          . ${pkgs.cacert}/nix-support/setup-hook
+        '';
+        environmentVariables = {
+          ENV = "/etc/profile";
+          USER = "root";
+          NIX_REMOTE = "daemon";
+          PATH = "${config.system.path}/bin:/bin:/sbin:/usr/bin:/usr/sbin";
+        };
+      };
+    };
+  };
+
+  systemd.services.gitlab-runner.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "gitlab-runner";
+    Group = "gitlab-runner";
+    ExecStart = lib.mkForce
+      ''${pkgs.gitlab-runner}/bin/gitlab-runner run --config ''${HOME}/.gitlab-runner/config.toml --listen-address "127.0.0.1:9252" --working-directory ''${HOME}'';
+  };
+
+  users.users.gitlab-runner = {
+    uid = config.ids.uids.gitlab-runner;
+    home = "/var/lib/gitlab-runner";
+    description = "Gitlab Runner";
+    group = "gitlab-runner";
+    extraGroups = [ "docker" ];
+    createHome = true;
+  };
+  users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner;
+}
--- a/m/tent/monitoring.nix
+++ b/m/tent/monitoring.nix
@@ -0,0 +1,205 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ../module/meteocat-exporter.nix
+    ../module/upc-qaire-exporter.nix
+    ../module/nix-daemon-exporter.nix
+  ];
+
+  age.secrets.grafanaJungleRobotPassword = {
+    file = ../../secrets/jungle-robot-password.age;
+    owner = "grafana";
+    mode = "400";
+  };
+
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        domain = "jungle.bsc.es";
+        root_url = "%(protocol)s://%(domain)s/grafana";
+        serve_from_sub_path = true;
+        http_port = 2342;
+        http_addr = "127.0.0.1";
+      };
+      smtp = {
+        enabled = true;
+        from_address = "jungle-robot@bsc.es";
+        user = "jungle-robot";
+        # Read the password from a file, which is only readable by grafana user
+        # https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
+        password = "$__file{${config.age.secrets.grafanaJungleRobotPassword.path}}";
+        host = "mail.bsc.es:465";
+        startTLS_policy = "NoStartTLS";
+      };
+      feature_toggles.publicDashboards = true;
+      "auth.anonymous".enabled = true;
+      log.level = "warn";
+    };
+  };
+
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+    retentionTime = "5y";
+    listenAddress = "127.0.0.1";
+  };
+
+  # We need access to the devices to monitor the disk space
+  systemd.services.prometheus-node-exporter.serviceConfig.PrivateDevices = lib.mkForce false;
+  systemd.services.prometheus-node-exporter.serviceConfig.ProtectHome = lib.mkForce "read-only";
+
+  # Credentials for IPMI exporter
+  age.secrets.ipmiYml = {
+    file = ../../secrets/ipmi.yml.age;
+    owner = "ipmi-exporter";
+  };
+
+  # Create an IPMI group and assign the ipmi0 device
+  users.groups.ipmi = {};
+  services.udev.extraRules = ''
+    SUBSYSTEM=="ipmi", KERNEL=="ipmi0", GROUP="ipmi", MODE="0660"
+  '';
+
+  # Add a new ipmi-exporter user that can read the ipmi0 device
+  users.users.ipmi-exporter = {
+    isSystemUser = true;
+    group = "ipmi";
+  };
+
+  # Disable dynamic user so we have the ipmi-exporter user available for the credentials
+  systemd.services.prometheus-ipmi-exporter.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    PrivateDevices = lib.mkForce false;
+    User = lib.mkForce "ipmi-exporter";
+    Group = lib.mkForce "ipmi";
+    RestrictNamespaces = lib.mkForce false;
+    # Fake uid to 0 so it shuts up
+    ExecStart = let
+      cfg = config.services.prometheus.exporters.ipmi;
+    in lib.mkForce (lib.concatStringsSep " " ([
+      "${pkgs.util-linux}/bin/unshare --map-user 0"
+      "${pkgs.prometheus-ipmi-exporter}/bin/ipmi_exporter"
+      "--web.listen-address ${cfg.listenAddress}:${toString cfg.port}"
+      "--config.file ${lib.escapeShellArg cfg.configFile}"
+    ] ++ cfg.extraFlags));
+  };
+
+  services.prometheus = {
+    exporters = {
+      ipmi = {
+        enable = true;
+        configFile = config.age.secrets.ipmiYml.path;
+        #extraFlags = [ "--log.level=debug" ];
+        listenAddress = "127.0.0.1";
+      };
+      node = {
+        enable = true;
+        enabledCollectors = [ "logind" ];
+        port = 9002;
+        listenAddress = "127.0.0.1";
+      };
+      blackbox = {
+        enable = true;
+        listenAddress = "127.0.0.1";
+        configFile = ./blackbox.yml;
+      };
+    };
+
+    scrapeConfigs = [
+      {
+        job_name = "local";
+        static_configs = [{
+          targets = [
+            "127.0.0.1:9002" # Node exporter
+            #"127.0.0.1:9115" # Blackbox exporter
+            "127.0.0.1:9290" # IPMI exporter for local node
+            "127.0.0.1:9928" # UPC Qaire custom exporter
+            "127.0.0.1:9929" # Meteocat custom exporter
+            "127.0.0.1:9999" # Nix-daemon custom exporter
+          ];
+        }];
+      }
+      {
+        job_name = "blackbox-http";
+        metrics_path = "/probe";
+        params = { module = [ "http_2xx" ]; };
+        static_configs = [{
+          targets = [
+            "https://www.google.com/robots.txt"
+            "https://pm.bsc.es/"
+            "https://pm.bsc.es/gitlab/"
+            "https://jungle.bsc.es/"
+            "https://gitlab.bsc.es/"
+          ];
+        }];
+        relabel_configs = [
+          {
+            # Takes the address and sets it in the "target=<xyz>" URL parameter
+            source_labels = [ "__address__" ];
+            target_label = "__param_target";
+          }
+          {
+            # Sets the "instance" label with the remote host we are querying
+            source_labels = [ "__param_target" ];
+            target_label = "instance";
+          }
+          {
+            # Shows the host target address instead of the blackbox address
+            target_label = "__address__";
+            replacement = "127.0.0.1:9115";
+          }
+        ];
+      }
+      {
+        job_name = "blackbox-icmp";
+        metrics_path = "/probe";
+        params = { module = [ "icmp" ]; };
+        static_configs = [{
+          targets = [
+            "1.1.1.1"
+            "8.8.8.8"
+            "ssfhead"
+            "raccoon"
+            "anella-bsc.cesca.cat"
+            "upc-anella.cesca.cat"
+            "fox.ac.upc.edu"
+            "arenys5.ac.upc.edu"
+            "arenys0-2.ac.upc.edu"
+            "epi01.bsc.es"
+            "axle.bsc.es"
+          ];
+        }];
+        relabel_configs = [
+          {
+            # Takes the address and sets it in the "target=<xyz>" URL parameter
+            source_labels = [ "__address__" ];
+            target_label = "__param_target";
+          }
+          {
+            # Sets the "instance" label with the remote host we are querying
+            source_labels = [ "__param_target" ];
+            target_label = "instance";
+          }
+          {
+            # Shows the host target address instead of the blackbox address
+            target_label = "__address__";
+            replacement = "127.0.0.1:9115";
+          }
+        ];
+      }
+      {
+        job_name = "ipmi-raccoon";
+        metrics_path = "/ipmi";
+        static_configs = [
+          { targets = [ "127.0.0.1:9290" ]; }
+        ];
+        params = {
+          target = [ "raccoon-ipmi" ];
+          module = [ "raccoon" ];
+        };
+      }
+    ];
+  };
+}
--- a/m/tent/nginx.nix
+++ b/m/tent/nginx.nix
@@ -0,0 +1,73 @@
+{ theFlake, pkgs, ... }:
+let
+  website = pkgs.stdenv.mkDerivation {
+    name = "jungle-web";
+    src = theFlake;
+    buildInputs = [ pkgs.hugo ];
+    buildPhase = ''
+      cd web
+      rm -rf public/
+      hugo
+    '';
+    installPhase = ''
+      cp -r public $out
+    '';
+    # Don't mess doc/
+    dontFixup = true;
+  };
+in
+{
+  networking.firewall.allowedTCPPorts = [ 80 ];
+  services.nginx = {
+    enable = true;
+    virtualHosts."jungle.bsc.es" = {
+      root = "${website}";
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+      ];
+      extraConfig = ''
+        set_real_ip_from 127.0.0.1;
+        set_real_ip_from 84.88.52.107;
+        real_ip_recursive on;
+        real_ip_header X-Forwarded-For;
+
+        location /git {
+          rewrite ^/git$ / break;
+          rewrite ^/git/(.*) /$1 break;
+          proxy_pass http://127.0.0.1:3000;
+          proxy_redirect http:// $scheme://;
+        }
+        location /cache {
+          rewrite ^/cache/(.*) /$1 break;
+          proxy_pass http://127.0.0.1:5000;
+          proxy_redirect http:// $scheme://;
+        }
+        location /lists {
+          proxy_pass http://127.0.0.1:8081;
+          proxy_redirect http:// $scheme://;
+        }
+        location /grafana {
+          proxy_pass http://127.0.0.1:2342;
+          proxy_redirect http:// $scheme://;
+          proxy_set_header Host $host;
+          # Websockets
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+        }
+        location ~ ^/~(.+?)(/.*)?$ {
+          alias /vault/home/$1/public_html$2;
+          index  index.html index.htm;
+          autoindex on;
+          absolute_redirect off;
+        }
+        location /p/ {
+          alias /var/lib/p/;
+        }
+      '';
+    };
+  };
+}
--- a/m/tent/nix-serve.nix
+++ b/m/tent/nix-serve.nix
@@ -0,0 +1,16 @@
+{ config, ... }:
+
+{
+  age.secrets.nixServe.file = ../../secrets/nix-serve.age;
+
+  services.nix-serve = {
+    enable = true;
+    # Only listen locally, as we serve it via ssh
+    bindAddress = "127.0.0.1";
+    port = 5000;
+
+    secretKeyFile = config.age.secrets.nixServe.path;
+    # Public key:
+    # jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=
+  };
+}
--- a/pkgs/meteocat-exporter/default.nix
+++ b/pkgs/meteocat-exporter/default.nix
@@ -0,0 +1,25 @@
+{ python3Packages, lib }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "meteocat-exporter";
+  version = "1.0";
+
+  src = ./.;
+
+  doCheck = false;
+
+  build-system = with python3Packages; [
+    setuptools
+  ];
+
+  dependencies = with python3Packages; [
+    beautifulsoup4
+    lxml
+    prometheus-client
+  ];
+
+  meta = with lib; {
+    description = "MeteoCat Prometheus Exporter";
+    platforms = platforms.linux;
+  };
+}
--- a/pkgs/meteocat-exporter/meteocat-exporter
+++ b/pkgs/meteocat-exporter/meteocat-exporter
@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+
+import time
+from prometheus_client import start_http_server, Gauge
+from bs4 import BeautifulSoup
+from urllib import request
+
+# Configuration -------------------------------------------
+meteo_station = "X8" # Barcelona - Zona Universitària
+listening_port = 9929
+update_period = 60 * 5 # Each 5 min
+# ---------------------------------------------------------
+
+metric_tmin = Gauge('meteocat_temp_min', 'Min temperature')
+metric_tmax = Gauge('meteocat_temp_max', 'Max temperature')
+metric_tavg = Gauge('meteocat_temp_avg', 'Average temperature')
+metric_srad = Gauge('meteocat_solar_radiation', 'Solar radiation')
+
+def update(st):
+    url = 'https://www.meteo.cat/observacions/xema/dades?codi=' + st
+    response = request.urlopen(url)
+    data = response.read()
+    soup = BeautifulSoup(data, 'lxml')
+    table = soup.find("table", {"class" : "tblperiode"})
+    rows = table.find_all('tr')
+    row = rows[-1] # Take the last row
+    row_data = []
+    header = row.find('th')
+    header_text = header.text.strip()
+    row_data.append(header_text)
+    for col in row.find_all('td'):
+        row_data.append(col.text)
+    try:
+        # Sometimes it will return '(s/d)' and fail to parse
+        metric_tavg.set(float(row_data[1]))
+        metric_tmax.set(float(row_data[2]))
+        metric_tmin.set(float(row_data[3]))
+        metric_srad.set(float(row_data[10]))
+        #print("ok: temp_avg={}".format(float(row_data[1])))
+    except:
+        print("cannot parse row: {}".format(row))
+        metric_tavg.set(float("nan"))
+        metric_tmax.set(float("nan"))
+        metric_tmin.set(float("nan"))
+        metric_srad.set(float("nan"))
+
+if __name__ == '__main__':
+    start_http_server(port=listening_port, addr="localhost")
+    while True:
+        try:
+            update(meteo_station)
+        except:
+            print("update failed")
+        time.sleep(update_period)
--- a/pkgs/meteocat-exporter/setup.py
+++ b/pkgs/meteocat-exporter/setup.py
@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+
+from setuptools import setup, find_packages
+
+setup(name='meteocat-exporter',
+      version='1.0',
+      # Modules to import from other scripts:
+      packages=find_packages(),
+      # Executables
+      scripts=["meteocat-exporter"],
+     )
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -11,7 +11,7 @@ final: prev:
      paths = [ pmix.dev pmix.out ];
    };
  in prev.mpich.overrideAttrs (old: {
-    patches = [
+    patches = (old.patches or []) ++ [
      # See https://github.com/pmodels/mpich/issues/6946
      ./mpich-fix-hwtopo.patch
    ];
@@ -39,7 +39,21 @@ final: prev:
      # See https://bugs.schedmd.com/show_bug.cgi?id=19324
      ./slurm-rank-expansion.patch
    ];
+    # Install also the pam_slurm_adopt library to restrict users from accessing
+    # nodes with no job allocated.
+    postBuild = (old.postBuild or "") + ''
+      pushd contribs/pam_slurm_adopt
+        make "PAM_DIR=$out/lib/security"
+      popd
+    '';
+    postInstall = (old.postInstall or "") + ''
+      pushd contribs/pam_slurm_adopt
+        make "PAM_DIR=$out/lib/security" install
+      popd
+    '';
  });

  prometheus-slurm-exporter = prev.callPackage ./slurm-exporter.nix { };
+  meteocat-exporter = prev.callPackage ./meteocat-exporter/default.nix { };
+  upc-qaire-exporter = prev.callPackage ./upc-qaire-exporter/default.nix { };
 }
--- a/pkgs/upc-qaire-exporter/default.nix
+++ b/pkgs/upc-qaire-exporter/default.nix
@@ -0,0 +1,24 @@
+{ python3Packages, lib }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "upc-qaire-exporter";
+  version = "1.0";
+
+  src = ./.;
+
+  doCheck = false;
+
+  build-system = with python3Packages; [
+    setuptools
+  ];
+
+  dependencies = with python3Packages; [
+    prometheus-client
+    requests
+  ];
+
+  meta = with lib; {
+    description = "UPC Qaire Prometheus Exporter";
+    platforms = platforms.linux;
+  };
+}
--- a/pkgs/upc-qaire-exporter/setup.py
+++ b/pkgs/upc-qaire-exporter/setup.py
@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+
+from setuptools import setup, find_packages
+
+setup(name='upc-qaire-exporter',
+      version='1.0',
+      # Modules to import from other scripts:
+      packages=find_packages(),
+      # Executables
+      scripts=["upc-qaire-exporter"],
+     )
--- a/pkgs/upc-qaire-exporter/upc-qaire-exporter
+++ b/pkgs/upc-qaire-exporter/upc-qaire-exporter
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+
+import time
+from prometheus_client import start_http_server, Gauge
+import requests, json
+from datetime import datetime, timedelta
+
+# Configuration -------------------------------------------
+listening_port = 9928
+update_period = 60 * 5 # Each 5 min
+# ---------------------------------------------------------
+
+metric_temp = Gauge('upc_c6_s302_temp', 'UPC C6 S302 temperature sensor')
+
+def genparams():
+    d = {}
+    d['topic'] = 'TEMPERATURE'
+    d['shift_dates_to'] = ''
+    d['datapoints'] = 301
+    d['devicesAndColors'] = '1148418@@@#40ACB6'
+
+    now = datetime.now()
+
+    d['fromDate'] = now.strftime('%d/%m/%Y')
+    d['toDate'] = now.strftime('%d/%m/%Y')
+    d['serviceFrequency'] = 'NONE'
+
+    # WTF!
+    for i in range(7):
+        for j in range(48):
+            key = 'week.days[{}].hours[{}].value'.format(i, j)
+            d[key] = 'OPEN'
+
+    return d
+
+def measure():
+    # First we need to load session
+    s = requests.Session()
+    r = s.get("https://upc.edu/sirena")
+    if r.status_code != 200:
+        print("bad HTTP status code on new session: {}".format(r.status_code))
+        return
+
+    if s.cookies.get("JSESSIONID") is None:
+        print("cannot get JSESSIONID")
+        return
+
+    # Now we can pull the data
+    url = "https://upcsirena.app.dexma.com/l_12535/analysis/by_datapoints/data.json"
+    r = s.post(url, data=genparams())
+
+    if r.status_code != 200:
+        print("bad HTTP status code on data: {}".format(r.status_code))
+        return
+
+    #print(r.text)
+    j = json.loads(r.content)
+
+    # Just take the last one
+    last = j['data']['chartElementList'][-1]
+    temp = last['values']['1148418-Temperatura']
+
+    return temp
+
+if __name__ == '__main__':
+    start_http_server(port=listening_port, addr="localhost")
+    while True:
+        try:
+            metric_temp.set(measure())
+        except:
+            print("measure failed")
+            metric_temp.set(float("nan"))
+
+        time.sleep(update_period)
--- a/secrets/ceph-user.age
+++ b/secrets/ceph-user.age
@@ -1,21 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 AY8zKw J00a6ZOhkupkhLU5WQ0kD05HEF4KKsSs2hwjHKbnnHU
-J14VoNOCqLpScVO7OLXbqTcLI4tcVUHt5cqY/XQmbGs
-> ssh-ed25519 sgAamA k8R/bSUdvVmlBI6yHPi5NBQPBGM36lPJwsir8DFGgxE
-4ZKC3gYvic6AVrNGgNjwztbUzhxP8ViX5O3wFo9wlrk
-> ssh-ed25519 HY2yRg 966xf2fTnA6Wq0uYXbXZQOManqITJcCbQS9LZCGEOh4
-Qg5echQSrzqeDqvaMx+5fqi8XyTjAeCsY/UFJX6YnDs
-> ssh-ed25519 tcumPQ e0U2okrGIoUpLfPYjIRx1V92rE3hZW13nJef+l3kBQg
-LejAUKBl+tPhwocCF00ZHTzFISnwX8og8GvemiMIcyo
-> ssh-ed25519 JJ1LWg QkzTsPq9Gdh+FNz/a4bDb9LQOreFyxeTC51UNd1fsj0
-ayrlKenETfQzH1Z9drVEWqszQebicGVJve0/pCnxAE8
-> ssh-ed25519 CAWG4Q lJLW9+dxvyoD4hYzeXeE/4rzJ6HIeEQOB1+fbhV3xw0
-T2RrVCtTuQvya9HiJB7txk3QGrntpsMX9Tt1cyXoW5E
-> ssh-ed25519 MSF3dg JOZkFb2CfqWKvZIz7lYxXWgv8iEVDkQF8hInDMZvknc
-MHDWxjUw4dNiC1h4MrU9uKKcI3rwkxABm0+5FYMZkok
-> ~8m;7f-grease
-lDIullfC98RhpTZ4Mk87Td+VtPmwPdgz+iIilpKugUkmV5r4Uqd7yE+5ArA6ekr/
-G/X4EA
--- Cz4sv9ZunBcVdZCozdTh1zlg1zIASjk2MjYeYfcN9eA
-<EFBFBD>N	<09>$[H<><48>Q<EFBFBD><51><EFBFBD>
-d<EFBFBD><EFBFBD><EFBFBD>'<27><><EFBFBD>7<EFBFBD><1F>Ͳ)<29><><EFBFBD><17>x9y<39><79><EFBFBD>E<04><><EFBFBD>M7^<5E>[<5B>M<EFBFBD>+<2B>&<26><><EFBFBD><0E>$8tM<74>в
+-> ssh-ed25519 AY8zKw xeyzSqfio6SMS9SqywR+7II80D12Oha9T5zOgAIABSQ
+ST26VaF2G1xv9l7d3jWKG32ssOivfwx+p9jLLV7ZFnU
+-> ssh-ed25519 sgAamA HrRx+x7NjXKVDaealWFo+Q8zMAdzoj6nTBxw0KMi3jE
+nlcEVTDTe1mPeS16/t9GYRnSSkm5EjpeiBZPIC/2f8U
+-> ssh-ed25519 HY2yRg NDp5vUeX35rDV78DFQi9fsc71pQNVE8YQ1StCp+YjTg
+MdUAWHd1k6Jed2pp7Wct/DgF6ShqXFwNxPaXeBOLAcs
+-> ssh-ed25519 tcumPQ d0zVVB8t7W9KUapOsnsrvpAj7LgM9zS0yCv8SQnF0g8
+aAPaWRTEBEQgmCkRG69NuWZ/lEva7vH+L8ifQSE0Z1I
+-> ssh-ed25519 JJ1LWg 4l8GZNdGOSbqKvmKq1q1aPvjeQIwpgbJj4DBYBse7x4
+rNhTiZlwzyOiCLzYRSzJ5AHebbv94dOgl1UyNmDJD8A
+-> ssh-ed25519 CAWG4Q vGhwJDLJIAU8BpV6GP8Dnz2pvTAMufY4v4nvrr2O9yw
+hNZZFDYUMPQNM5+qcc5arIgqQw0PXuqq1WWDTpE+EHo
+-> ssh-ed25519 xA739A 8eEi9S5dMWPVR4fKVZdV5eHBOJVf2Ap+3qHSYtYHYgc
+GcgzvJiqsNyZTVk12Z0FEnqB4LgfQ1xjKQwXdto1Hjs
+-> ssh-ed25519 MSF3dg oUY9IjDR6hi1qbrCV5z5IcYj85cMppxO94iqkD60Eww
+cBzFGrhh+kWjIi0llw2RqACU1pa7XT9kqWkSeAY8VGI
+--- q7AaMOj7ZaS+Mf6trWK56o/1q/c2urrQBPAqk4PtATA
+~<7E><>k-/<2F>Xw<58><77><1D>V<EFBFBD>(<18><>Z<EFBFBD>d\<5C><>t<EFBFBD>'q<><71><EFBFBD>3<EFBFBD><33>R<EFBFBD>a\yFW<46>
--- a/secrets/gitea-runner-token.age
+++ b/secrets/gitea-runner-token.age
@@ -1,9 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg DQdgCk16Yu524BsrWVf0krnwWzDM6SeaJCgQipOfwCA
-Ab9ocqra/UWJZI+QGMlxUhBu5AzqfjPgXl+ENIiHYGs
-> ssh-ed25519 CAWG4Q KF9rGCenb3nf+wyz2hyVs/EUEbsmUs5R+1fBxlCibC8
-7++Kxbr3FHVdVfnFdHYdAuR0Tgfd+sRcO6WRss6LhEw
-> ssh-ed25519 MSF3dg aUe4DhRsu4X8CFOEAnD/XM/o/0qHYSB522woCaAVh0I
-GRcs5cm2YqA/lGhUtbpboBaz7mfgiLaCr+agaB7vACU
--- 9Q7Ou+Pxq+3RZilCb2dKC/pCFjZEt4rp5KnTUUU7WJ8
-1<12>Mw4<77><34>	<09>:H<>@<40>/<2F>gLtM<74>,<2C>ƥ<>*<2A><>z<EFBFBD>NV5<56>m<EFBFBD><6D>N<EFBFBD>o<EFBFBD><6F>j1$<24>T<EFBFBD>G_<47>E{<7B>%<25><>1ǯ<17><>H<EFBFBD><EFBFBD>A<EFBFBD>p<EFBFBD>
+-> ssh-ed25519 HY2yRg WUMWvyagPalsy7u1RaEFAwJvFowso1/quNBo+nAkxhQ
+OHcebB7koPKhy58A6qngEVNWckkWChyEK3dwgy8EL5o
+-> ssh-ed25519 CAWG4Q Yx/HLIryUNE2BaqTl84FrNRy4XLCY2TRkRgbA9k3qU4
+LZljfuLS5yMVVK6N57iC6cKEaFP6Hh2OkvWJjuFg8q0
+-> ssh-ed25519 xA739A DOXjPRttSWz51Sr7KfjgKfAtaIYMo3foB1Ywqw9HYDY
+CA5puXK/1HDOitA2XHBI3OdKmZ7BzHst4DyuWGMC6hE
+-> ssh-ed25519 MSF3dg +2LetdIiIZUk7wtHNS1tYsLo4ypwqZ9gpg77RQrnzHU
+yIUu8BVbF3dhUx3531RR50/cJQd9gd8VfKUQzEeT/iQ
+--- oY/wQ+RjZO2CmKZtbQ0yOVZ5fv2+AlvvkRu1UDfCNAA
+_8`G<>=C7@x&<26><>\Ft<46>)<29><><EFBFBD><EFBFBD><EFBFBD>cPe<50><65>%<25>ֽ[zX-0<>[<11><><EFBFBD>ɲ<><C9B2>tz<74><7A>;%<25><><EFBFBD><EFBFBD><EFBFBD>~<7E>H0<48>؃*XD<58>;<3B><>
--- a/secrets/gitlab-bsc-docker-token.age
+++ b/secrets/gitlab-bsc-docker-token.age
--- a/secrets/gitlab-runner-docker-token.age
+++ b/secrets/gitlab-runner-docker-token.age
@@ -1,9 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg WvKK6U1wQtx2pbUDfuaUIXTQiCulDkz7hgUCSwMfMzQ
-jLktUMqKuVxukqzz++pHOKvmucUQqeKYy5IwBma7KxY
-> ssh-ed25519 CAWG4Q XKGuNNoYFl9bdZzsqYYTY7GsEt5sypLW4R+1uk78NmU
-8dIA2GzRAwTGM5CDHSM2BUBsbXzEAUssWUz2PY2PaTg
-> ssh-ed25519 MSF3dg T630RsKuZIF/bp+KITnIIWWHsg6M/VQGqbWQZxqT+AA
-SraZcgZJVtmUzHF/XR9J7aK5t5EDNpkC/av/WJUT/G8
--- /12G8pj9sbs591OM/ryhoLnSWWmzYcoqprk9uN/3g18
-<EFBFBD><EFBFBD><EFBFBD><01>%<25>]yi"<22><><EFBFBD>L<EFBFBD><0B><>H`<60>a$<24><>)<29>9ve<76>.0<EFBFBD>m<EFBFBD>K<EFBFBD>v<EFBFBD><EFBFBD><0B>u"|1c<31>-%<25><>"<22>WF<12><><EFBFBD>A<EFBFBD><41>h<EFBFBD>$<05><>j<e<><65>x<EFBFBD>Lx<4C><78>.?<3F><><EFBFBD>:L<><4C><EFBFBD><EFBFBD>,<2C>u<EFBFBD>|<7C><>F|<7C>i<EFBFBD><69><EFBFBD>
+-> ssh-ed25519 HY2yRg 6C5Cv7ILdBrpMkCTT/insUY0kyQWbfgU500Ai8ePOXY
+tMw6ehFrsq2dvDEXkLOJwrNZfI28trlr9uy3xW/fzpA
+-> ssh-ed25519 CAWG4Q x/j+364IYURgt7fhIPBzabbWMEg08nX8MRrJM/1Q6RU
+AL5Ut2rDr3UXcQXMZJ53ZMf5wMHmT83whx0ntJfW/WU
+-> ssh-ed25519 xA739A QjXftBsoGV1rVeHSKcsjp+HMpRVsaHOeeGdDcF6ZWg4
+ovVoYPaPn3liGPAxHWY37CBIUFjAXurv6jMWs2He3HQ
+-> ssh-ed25519 MSF3dg FG0CQOj9fRlneW5QrWiy5ksRpicUwHqX9QMpZWhDImw
+L20n1vZRepsRPT4xM6TO6PcI/MJxw4mBLUF0EPv9Uhs
+--- DEi7iuzkniq0JPatJ5f2KhrhxWid7ojHpvNfUCGxFtk
+<EFBFBD><EFBFBD>%	n<><6E>!;^Q<>rqG<71>:<3A>jC.8l<38>|<7C><>o<EFBFBD><1E><>$LYy<59>N<EFBFBD>b<EFBFBD><1E><>:<14>{<7B><><EFBFBD>fާxTS\<5C>t<04>U<EFBFBD><55>\F<>)%<25><><EFBFBD>KL<4B>㙇p<E39987>:><3E><><EFBFBD><EFBFBD>&<1B>)<0B>Q<EFBFBD>1<>H܃V<DC83>Sޑ<53>n<>
--- a/secrets/gitlab-runner-shell-token.age
+++ b/secrets/gitlab-runner-shell-token.age
--- a/secrets/ipmi.yml.age
+++ b/secrets/ipmi.yml.age
--- a/secrets/jungle-robot-password.age
+++ b/secrets/jungle-robot-password.age
@@ -1,10 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg 3L1Y5upc5qN6fgiFAox5rD/W8n0eQUv5mT39QAdO5Ac
-XkWsmPmzRgHjsvJgsDKJRgHZ7/sBZFmd1Doppj/y390
-> ssh-ed25519 CAWG4Q v03Qr+fckdIpsxvQG/viKxlF8WNpO4XUe//QcPzH4k0
-afUwi3ccDCRfUxPDdF7ZkoL+0UX1XwqVtiyabDWjVQk
-> ssh-ed25519 MSF3dg c2hEUk4LslJpiL7v/4UpT8fK7ZiBJ8+uRhZ/vBoRUDE
-YX9EpnJpHo1eDsZtapTVY6jD+81kb588Oik4NoY9jro
--- LhUkopNtCsyHCLzEYzBFs+vekOkAR4B3VBaiMF/ZF8w
-o˝<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>C<EFBFBD><EFBFBD>H<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>y<EFBFBD>LؔItM<74><4D><EFBFBD><EFBFBD>IױsM<12>\<5C>1-<2D>K<EFBFBD><4B><10><>G:<><7F><02><>
-<EFBFBD>g<16><><EFBFBD>bpF<70>Ӷ<EFBFBD>%Y<>
+-> ssh-ed25519 HY2yRg 0tpCZ5yI339pgPKGh3HJ8cnkhKlMoyYiKR1mo1cvkm0
+EVVpJ8nyw/W9B65Tw59IjJC5Pb4uQX5LGnzPcf/hUs0
+-> ssh-ed25519 G5LX5w YaDAKeAAunommW6q6+hTjrjaadmB17OG89t1Dx/T5z4
+tJXdciiBTz9V+0nf1sGAk4vSlOgfeEgrKr+oDJ/4ays
+-> ssh-ed25519 CAWG4Q i/cpMcOaZpH7aqwsR/fZiVL9CreL9dkk5F5S9dXrQBY
+uU8G51pMH00ywaIVY+AzjpiqzanUYpn9ANRabugSXbE
+-> ssh-ed25519 xA739A DTiXqnCz1zNgyLt8VvnOkVLDwfa0qJpUBQw9Ms/qHHA
+wKjSYYOUEJkPisxT6MNW1eoYk++ECrs1ib9uEYXsAQY
+-> ssh-ed25519 MSF3dg JmvJsExWPW4b6RT62mz4Wscx7EsyDPVf91A9ps9+shM
+67jZYnxJpQAhnRWnTOXs+Cu445dRCpDzIGGp1xYuF3s
+--- QmdvzR7QqRPxS1fHc8rR/PDZxN8u+BVKAVvE8cMLhqc
+<EFBFBD><EFBFBD><02><>EG<45><0B>Q<<3C><><EFBFBD><EFBFBD><EFBFBD>Kl<4B>U,<11><><EFBFBD><EFBFBD>[-<2D><>º<1A><Uc<55>e<EFBFBD><65><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>)<06><><05><>"f<>˖<EFBFBD><CB96><19>Z<EFBFBD>'C
--- a/secrets/munge-key.age
+++ b/secrets/munge-key.age
--- a/secrets/nix-serve.age
+++ b/secrets/nix-serve.age
@@ -1,12 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg d144D+VvxhYgKtH//uD2qNuVnYX6bh74YqkyM3ZjBwU
-0IeVmFAf4U8Sm0d01O6ZwJ1V2jl/mSMl4wF0MP5LrIg
-> ssh-ed25519 CAWG4Q H4nKxue/Cj/3KUF5A+/ygHMjjArwgx3SIWwXcqFtyUo
-4k5NJkLUrueLYiPkr2LAwQLWmuaOIsDmV/86ravpleU
-> ssh-ed25519 MSF3dg HpgUAFHLPs4w0cdJHqTwf8lySkTeV9O9NnBf49ClDHs
-foPIUUgAYe1YSDy6+aMfjN7xv9xud9fDmhRlIztHoEo
-> vLkF\<-grease
-3GRT+W8gYSpjl/a6Ix9+g9UJnTpl1ZH/oucfR801vfE8y77DV2Jxz/XJwzxYxKG5
-YEhiTGMNbXw/V7E5aVSz6Bdc
--- GtiHKCZdHByq9j0BSLd544PhbEwTN138E8TFdxipeiA
-<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>G$S<><53><EFBFBD>RA<52><41><EFBFBD>Th]n<>8<EFBFBD>,<2C>H<EFBFBD>s<EFBFBD><73><EFBFBD>=p<><70><EFBFBD>'<27><><EFBFBD>+<2B>j<><6A><EFBFBD><EFBFBD>9<EFBFBD>)<29>:<3A>)<15><><EFBFBD>Y<EFBFBD><59><EFBFBD>8<EFBFBD>I<EFBFBD><49>8:ol<6F><6C><EFBFBD><1F><><EFBFBD>Z<EFBFBD><5A>3<>PM<50>F;<3B>rY<72><59><EFBFBD><EFBFBD><1F>$<24><>y<EFBFBD>L<>ٜ<EFBFBD>Μ<1B><>U<EFBFBD>s16Ǿ<>L<EFBFBD>b<EFBFBD><62><EFBFBD>
+-> ssh-ed25519 HY2yRg T/Qom1qxE0M+FuvsXD/KZ6Usfp6v3Xwx043kDgxbCz4
+6GRg0QjuHd2+d6lJfZqqPMPMjS91HEcJ/W0KRV6Et50
+-> ssh-ed25519 G5LX5w pzg0wK+Q6KZP67CkyZNYbNcahlq9SIuFN18H85ARykU
+aDSrO49tg/a3GOAJR96lh803bXoZqp/G6VMiSvf91vw
+-> ssh-ed25519 CAWG4Q X+F/6LF8VUUoV72iCLzKKpYGRDoUHuBy1E+yr29RKEo
+c779vpt/fiN7n0kGAc5jA9fWkzCPrthlNZdN4p6csrk
+-> ssh-ed25519 xA739A sbg087VKj/gcycV9JrBNCoCfB4kRMDSVo3EtfpRVDyg
+Lv5ges1KmxGwvz4UPZCD0v4YN2ms2Q3wmrJ14XCKYsQ
+-> ssh-ed25519 MSF3dg pCLeyeWYbnNWQwwlGcsKz0KZ4BaaYKCGjo0XOPpo+no
+IsNxFoB2nTxyThJxtAxSA6gauXHGQJnVefs/K2MZ+DM
+--- tgB3F+k1/PQt+r5Cz+FqH31hCZFvr0Y8uZVKkdA80yo
+60.<2E><><19><0F><><EFBFBD><EFBFBD>(<28>s<EFBFBD>?68<36><38>Q<EFBFBD>I<><49><EFBFBD>d<EFBFBD><64><EFBFBD>gb<67><62><EFBFBD><EFBFBD><EFBFBD><04>`<60><><13><>A<EFBFBD><EFBFBD>z<L}<7D>2&w<0B>!<21><>6<EFBFBD> ;F<><46>r<EFBFBD>BR\<5C><><1B>ً<02>h"<22>"<22><>~q<>×<EFBFBD><C397><EFBFBD>1ƾ<31><C6BE>!({0<>^<5E><>Q<05>1e<31><0F><><EFBFBD><EFBFBD>୏<><E0AD8F>+<2B>
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,6 +2,8 @@ let
  keys = import ../keys.nix;
  adminsKeys = builtins.attrValues keys.admins;
  hut = [ keys.hosts.hut ] ++ adminsKeys;
+  mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys;
+  tent = [ keys.hosts.tent ] ++ adminsKeys;
  # Only expose ceph keys to safe nodes and admins
  safe = keys.hostGroup.safe ++ adminsKeys;
 in
@@ -9,8 +11,14 @@ in
  "gitea-runner-token.age".publicKeys = hut;
  "gitlab-runner-docker-token.age".publicKeys = hut;
  "gitlab-runner-shell-token.age".publicKeys = hut;
-  "nix-serve.age".publicKeys = hut;
-  "jungle-robot-password.age".publicKeys = hut;
+  "gitlab-bsc-docker-token.age".publicKeys = hut;
+  "nix-serve.age".publicKeys = mon;
+  "jungle-robot-password.age".publicKeys = mon;
+  "ipmi.yml.age".publicKeys = mon;
+
+  "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent;
+  "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent;
+  "tent-gitlab-runner-bsc-docker-token.age".publicKeys = tent;

  "ceph-user.age".publicKeys = safe;
  "munge-key.age".publicKeys = safe;
--- a/secrets/tent-gitlab-runner-bsc-docker-token.age
+++ b/secrets/tent-gitlab-runner-bsc-docker-token.age
--- a/secrets/tent-gitlab-runner-pm-docker-token.age
+++ b/secrets/tent-gitlab-runner-pm-docker-token.age
--- a/secrets/tent-gitlab-runner-pm-shell-token.age
+++ b/secrets/tent-gitlab-runner-pm-shell-token.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5LX5w V9bHLoGuY4stRwbzVS9Qa0L9yoY+UoCoXc+dJJQW/Ag
+2ut9GfdJ3KBCqZRaloZCQsl8MLfaZAZxqj6JtPJzu2k
+-> ssh-ed25519 CAWG4Q OAqnIfMECpKglZ7aF9tv/PQinG1Ou2+IEZ+nf4dtQjg
+dANdMLe4iI0d6Xd/dIMpZK+mgw2+VmJFQScHaIxD7WI
+-> ssh-ed25519 xA739A nVNF4Y6VSa5PP6FFBJpVmoFYYseoFx5F2wJU+Pwk+Xk
+A5CiuTSNlX9Y76qhYgblBdJl3zPhtjWho2oL5/sIKu0
+-> ssh-ed25519 MSF3dg /WMsGnBGzquIMyw06gHKpSS4OUxheulT59kxi+/pxxU
+ppwcv7RLzUbQUM7j0Tb9rRVT9XyPMhqYr2fr4S0nTJY
+--- zOe0Ko0oxArbmxePMPDVAT0pDju7IeOAih7sNrDcoVs
+i<EFBFBD>k<EFBFBD>A
+hODV<44>w!<21><0C><>E݈<45><DD88>+<2B><>`<60><><EFBFBD><EFBFBD>C<><43>5<EFBFBD>L<EFBFBD>A<EFBFBD>t<1A>M^<01>E<<1B>HI<48>_<EFBFBD>nn<6E><6E><EFBFBD>o<EFBFBD>?<3F>j-<05>
+A<1B>nԔί<1B>>Z<><5A>z<EFBFBD><7A><EFBFBD>dT<64><54>b"<22>(@<40><>{_ځC
--- a/web/content/access/index.md
+++ b/web/content/access/index.md
@@ -11,7 +11,7 @@ access to the login machine using a resource petition in the BSC intranet.

 Then, to request access to the machines we will need some information about you:

-1. Which machines you want access to (hut, owl1, owl2, eudy, koro...)
+1. Which machines you want access to ([hut](/hut), [fox](/fox), owl1, owl2, eudy, koro...)
 1. Your user name and user id (to match the NFS permissions)
 1. Your real name and surname (for identification purposes)
 1. The salted hash of your login password, generated with `mkpasswd -m sha-512`
--- a/web/content/doc/_index.md
+++ b/web/content/doc/_index.md
@@ -0,0 +1,10 @@
+---
+title: "Docs"
+description: "Documentation for users of jungle machines"
+date: 2023-09-15
+---
+
+If this is the first time you use any of the jungle machines with NixOS, follow
+the [quick start guide](quickstart).
+
+
--- a/web/content/doc/quickstart.md
+++ b/web/content/doc/quickstart.md
@@ -0,0 +1,234 @@
+---
+title: "Quick start"
+date: 2023-09-15
+---
+
+This documentation will guide you on how to build custom packages of software
+and use them in the jungle machines. It has been designed to reduce the friction
+from users coming from module systems.
+
+You should be able to access the jungle machines, otherwise [request
+access](/access).
+
+## Changes from other HPC machines
+
+Users of other machines have been using the Lmod tool (module load ...) to add
+or remove programs from their environment, as well as manually building their
+own software for too many years.
+
+While we cannot prevent users from continuing to use this tedious mechanism, we
+have designed the jungle machines to be much easier to operate by using the nix
+package manager.
+
+### Freedom to install packages
+
+When a user wanted to install a package, it was forced to either do it on its
+own directory, or request a system administrator to install it in a shared
+directory, so other users can also use that package.
+
+This situation is gone, each user can install any package of software by
+themselves, without requiring any other authorization. When two users request
+the same package, the same copy will be provided.
+
+A new package will be downloaded if it is available (someone already built it)
+or will be built from source on demand.
+
+### No changes over time
+
+All users retain the same versions of the packages they request until they
+decide to update them.
+
+## Using nix to manage packages
+
+In this chapter we show how to install packages and enter a development shell to
+build new programs from source. The examples are done from the hut machine,
+read [this page](/access) to request access.
+
+### Installing binaries
+
+To temporarily install new packages, use:
+
+```text
+hut% nix shell jungle#gcc jungle#cowsay jungle#ovni
+```
+
+Notice that the packages are described as two parts divided by the `#` symbol.
+The first part defines where to take the package from and the second part is
+the name of the package. For now we will use `jungle#<package>`. You can find
+many more packages here:
+
+<https://search.nixos.org/packages>
+
+You will now enter a new shell, where those requested package **binaries are
+available in $PATH**:
+
+```text
+hut% cowsay hello world
+ _____________
+< hello world >
+ -------------
+        \   ^__^
+         \  (oo)\_______
+            (__)\       )\/\
+                ||----w |
+                ||     ||
+
+hut% ovniver
+LD_LIBRARY_PATH not set
+libovni: build v1.11.0 (a7103f8), dynamic v1.11.0 (a7103f8)
+
+hut% gcc --version
+gcc (GCC) 13.3.0
+Copyright (C) 2023 Free Software Foundation, Inc.
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+```
+
+### Building programs
+
+The above method only loads new binaries in the `$PATH`. If we try to build a
+program that includes headers or links with a library, it will fail to find
+them:
+
+```text
+hut$ cat test.c
+#include <ovni.h>
+
+int main()
+{
+        ovni_version_check();
+        return 0;
+}
+hut% gcc test.c -lovni -o test
+test.c:1:10: fatal error: ovni.h: No such file or directory
+    1 | #include <ovni.h>
+      |          ^~~~~~~~
+compilation terminated.
+```
+
+We could manually add the full path to the ovni include directory with `-I` and
+the libraries with `-L`, but there is a tool that already perform these steps
+automatically for us, `nix develop`.
+
+Let's go back to our original shell first, where those packages are not
+available anymore:
+
+```
+hut% ps
+    PID TTY          TIME CMD
+2356260 pts/1    00:00:01 zsh
+2457268 pts/1    00:00:00 zsh
+2457297 pts/1    00:00:00 ps
+hut% exit
+hut% ovniver
+ovniver: command not found
+```
+
+### Creating a flake.nix
+
+To define which packages we want, we will write a small file that list them, a
+flake.nix file.
+
+First, we will create a new directory where we are going to be working:
+
+```
+hut% mkdir example
+hut% cd exmple
+```
+
+Then place this flake.nix file:
+
+```nix
+{
+  inputs.jungle.url = "jungle";
+  outputs = { self, jungle }:  
+  let
+    pkgs = jungle.outputs.packages.x86_64-linux;
+  in {
+    devShells.x86_64-linux.default = pkgs.mkShell {
+      pname = "devshell";
+      buildInputs = with pkgs; [
+        ovni gcc cowsay # more packages here...
+      ];
+    };
+  };
+}
+```
+
+
+Now enter the shell with:
+
+```
+hut% nix develop
+warning: creating lock file '/home/Computational/rarias/example/flake.lock':
+• Added input 'jungle':
+    'path:/nix/store/27srv8haj6vv4ywrbmw0a8vds561m8rq-source?lastModified=1739479441&narHash=sha256-Kgjs8SO1w9NbPBu8ghwzCxYJ9kvWpoQOT%2BXwPvA9DcU%3D&rev=76396c0d67ef0cf32377d5c1894bb695293bca9d' (2025-02-13)
+• Added input 'jungle/agenix':
+    'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41?narHash=sha256-b%2Buqzj%2BWa6xgMS9aNbX4I%2BsXeb5biPDi39VgvSFqFvU%3D' (2024-08-10)
+• Added input 'jungle/agenix/darwin':
+    'github:lnl7/nix-darwin/4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d?narHash=sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0%3D' (2023-11-24)
+• Added input 'jungle/agenix/darwin/nixpkgs':
+    follows 'jungle/agenix/nixpkgs'
+• Added input 'jungle/agenix/home-manager':
+    'github:nix-community/home-manager/3bfaacf46133c037bb356193bd2f1765d9dc82c1?narHash=sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE%3D' (2023-12-20)
+• Added input 'jungle/agenix/home-manager/nixpkgs':
+    follows 'jungle/agenix/nixpkgs'
+• Added input 'jungle/agenix/nixpkgs':
+    follows 'jungle/nixpkgs'
+• Added input 'jungle/agenix/systems':
+    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e?narHash=sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768%3D' (2023-04-09)
+• Added input 'jungle/bscpkgs':
+    'git+https://git.sr.ht/~rodarima/bscpkgs?ref=refs/heads/master&rev=6782fc6c5b5a29e84a7f2c2d1064f4bcb1288c0f' (2024-11-29)
+• Added input 'jungle/bscpkgs/nixpkgs':
+    follows 'jungle/nixpkgs'
+• Added input 'jungle/nixpkgs':
+    'github:NixOS/nixpkgs/9c6b49aeac36e2ed73a8c472f1546f6d9cf1addc?narHash=sha256-i/UJ5I7HoqmFMwZEH6vAvBxOrjjOJNU739lnZnhUln8%3D' (2025-01-14)
+
+hut$ 
+```
+
+Notice that long list of messages is Nix creating a new flake.lock file with the
+current state of the packages. Next invocations will use the same packages as
+described by the lock file.
+
+### Building a program from nix develop
+
+Now let's try again building our test program:
+
+```text
+hut$ cat test.c
+#include <ovni.h>
+
+int main()
+{
+        ovni_version_check();
+        return 0;
+}
+hut$ gcc test.c -o test -lovni
+hut$ ldd test
+        linux-vdso.so.1 (0x00007ffff7fc4000)
+        libovni.so.1 => /nix/store/sqk972akjv0q8dchn8ccjln2llzyyfd0-ovni-1.11.0/lib/libovni.so.1 (0x00007ffff7fab000)
+        libc.so.6 => /nix/store/nqb2ns2d1lahnd5ncwmn6k84qfd7vx2k-glibc-2.40-36/lib/libc.so.6 (0x00007ffff7db2000)
+        /nix/store/nqb2ns2d1lahnd5ncwmn6k84qfd7vx2k-glibc-2.40-36/lib/ld-linux-x86-64.so.2 => /nix/store/nqb2ns2d1lahnd5ncwmn6k84qfd7vx2k-glibc-2.40-36/lib64/ld-linux-x86-64.so.2 (0x00007ffff7fc6000)
+hut$ ./test
+```
+
+Now the ovni.h header and the libovni library are found and the program is
+successfully built, linked and executed.
+
+You can add more packages as needed in your flake.nix:
+
+```nix
+  buildInputs = with pkgs; [
+    ovni gcc cowsay # more packages here...
+  ];
+```
+
+Make sure you exit the develop shell first, and then enter again with `nix
+develop`.
+
+## Remember
+
+- `nix shell` places binaries in the `$PATH`.
+- `nix develop` enters a development shell where both binaries and the libraries
+  and includes are available so you can build new programs.
--- a/web/content/fox/_index.md
+++ b/web/content/fox/_index.md
@@ -0,0 +1,97 @@
+---
+title: "Fox"
+description: "AMD Genoa 9684X with 2 NVIDIA RTX4000 GPUs"
+date: 2025-02-12
+---
+
+![Fox](fox.jpg)
+
+Picture by [Joanne Redwood](https://web.archive.org/web/20191109175146/https://www.inaturalist.org/photos/6568074),
+[CC0](http://creativecommons.org/publicdomain/zero/1.0/deed.en).
+
+The *fox* machine is a big GPU server that is configured to run heavy workloads.
+It has two fast AMD CPUs with large cache and 2 reasonable NVIDIA GPUs. Here are
+the detailed specifications:
+
+- 2x AMD GENOA X 9684X DP/UP 96C/192T 2.55G 1,150M 400W SP5 3D V-cach
+- 24x 32GB DDR5-4800 ECC RDIMM (total 768 GiB of RAM)
+- 1x 2.5" SSD SATA3 MICRON 5400 MAX 480GB
+- 2x 2.5" KIOXIA CM7-R 1.92TB NVMe GEN5 PCIe 5x4
+- 2x NVIDIA RTX4000 ADA Gen 20GB GDDR6 PCIe 4.0
+
+## Access
+
+To access the machine, request a SLURM session from [hut](/hut) using the `fox`
+partition:
+
+    hut% salloc -p fox
+
+Then connect via ssh:
+
+    hut% ssh fox
+    fox%
+
+Follow [these steps](/access) if you don't have access to hut or fox.
+
+## CUDA
+
+To use CUDA, you can use the following `flake.nix` placed in a new directory to
+load all the required dependencies:
+
+```nix
+{
+  inputs.jungle.url = "jungle";
+
+  outputs = { jungle, ... }: {
+    devShell.x86_64-linux = let
+      pkgs = jungle.nixosConfigurations.fox.pkgs;
+    in pkgs.mkShell {
+      name = "cuda-env-shell";
+      buildInputs = with pkgs; [
+        git gitRepo gnupg autoconf curl
+        procps gnumake util-linux m4 gperf unzip
+
+        # Cuda packages (more at https://search.nixos.org/packages)
+        cudatoolkit linuxPackages.nvidia_x11
+        cudaPackages.cuda_cudart.static
+        cudaPackages.libcusparse
+
+        libGLU libGL
+        xorg.libXi xorg.libXmu freeglut
+        xorg.libXext xorg.libX11 xorg.libXv xorg.libXrandr zlib
+        ncurses5 stdenv.cc binutils
+      ];
+      shellHook = ''
+        export CUDA_PATH=${pkgs.cudatoolkit}
+        export LD_LIBRARY_PATH=/var/run/opengl-driver/lib
+        export SMS=50
+      '';
+    };
+  };
+}
+```
+
+Then just run `nix develop` from the same directory:
+
+    % mkdir cuda
+    % cd cuda
+    % vim flake.nix
+    [...]
+    % nix develop
+    $ nvcc -V
+    nvcc: NVIDIA (R) Cuda compiler driver
+    Copyright (c) 2005-2024 NVIDIA Corporation
+    Built on Tue_Feb_27_16:19:38_PST_2024
+    Cuda compilation tools, release 12.4, V12.4.99
+    Build cuda_12.4.r12.4/compiler.33961263_0
+
+## Filesystems
+
+The machine has several file systems available.
+
+- `$HOME`: Mounted via NFS across all nodes. It is slow and has low capacity.
+  Don't abuse.
+- `/ceph/home/$USER`: Shared Ceph file system across jungle nodes. Slow but high
+  capacity. Stores three redundant copies of every file.
+- `/nvme{0,1}/$USER`: The two local NVME disks, very fast and large capacity.
+- `/tmp`: tmpfs, fast but not backed by a disk. Will be erased on reboot.
--- a/web/content/fox/fox.jpg
+++ b/web/content/fox/fox.jpg
--- a/web/content/hut/_index.md
+++ b/web/content/hut/_index.md
@@ -13,6 +13,115 @@ which is available at `hut` or `xeon07`. It runs the following services:
 - Grafana: to plot the data in the web browser.
 - Slurmctld: to manage the SLURM nodes.
 - Gitlab runner: to run CI jobs from Gitlab.
+- Nix binary cache: to serve cached nix builds

 This node is prone to interruptions from all the services it runs, so it is not
 a good candidate for low noise executions.
+
+# Binary cache
+
+We provide a binary cache in `hut`, with the aim of avoiding unnecessary
+recompilation of packages.
+
+The cache should contain common packages from bscpkgs, but we don't provide
+any guarantee that of what will be available in the cache, or for how long.
+We recommend following the latest version of the `jungle` flake to avoid cache
+misses.
+
+## Usage
+
+### From NixOS
+
+In NixOS, we can add the cache through the `nix.settings` option, which will
+enable it for all builds in the system.
+
+```nix
+{ ... }: {
+  nix.settings = {
+    extra-substituters = [ "https://jungle.bsc.es/cache" ];
+    extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
+  };
+}
+```
+
+### Interactively
+
+The cache can also be specified in a per-command basis through the flags
+`--substituters` and `--trusted-public-keys`:
+
+```sh
+nix build --substituters "https://jungle.bsc.es/cache" --trusted-public-keys "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" <...>
+```
+
+Note: you'll have to be a trusted user.
+
+### Nix configuration file (non-nixos)
+
+If using nix outside of NixOS, you'll have to update `/etc/nix/nix.conf`
+
+```
+# echo "extra-substituters = https://jungle.bsc.es/cache" >> /etc/nix/nix.conf
+# echo "extra-trusted-public-keys = jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" >> /etc/nix/nix.conf
+```
+
+### Hint in flakes
+
+By adding the configuration below to a `flake.nix`, when someone uses the flake,
+`nix` will interactively ask to trust and use the provided binary cache:
+
+```nix
+{
+  nixConfig = {
+    extra-substituters = [
+      "https://jungle.bsc.es/cache"
+    ];
+    extra-trusted-public-keys = [
+      "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0="
+    ];
+  };
+  outputs = { ... }: {
+    ...
+  };
+}
+```
+
+### Querying the cache
+
+Check if the cache is available:
+```sh
+$ curl https://jungle.bsc.es/cache/nix-cache-info
+StoreDir: /nix/store
+WantMassQuery: 1
+Priority: 30
+```
+
+Prevent nix from building locally:
+```bash
+nix build --max-jobs 0 <...>
+```
+
+Check if a package is in cache:
+```bash
+# Do a raw eval on the <package>.outPath (this should not build the package)
+$ nix eval --raw jungle#openmp.outPath
+/nix/store/dwnn4dgm1m4184l4xbi0qfrprji9wjmi-openmp-2024.11
+# Take the hash (everything from / to - in the basename) and curl <hash>.narinfo
+# if it exists in the cache, it will return HTTP 200 and some information
+# if not, it will return 404
+$ curl https://jungle.bsc.es/cache/dwnn4dgm1m4184l4xbi0qfrprji9wjmi.narinfo
+StorePath: /nix/store/dwnn4dgm1m4184l4xbi0qfrprji9wjmi-openmp-2024.11
+URL: nar/dwnn4dgm1m4184l4xbi0qfrprji9wjmi-17imkdfqzmnb013d14dx234bx17bnvws8baf3ii1xra5qi2y1wiz.nar
+Compression: none
+NarHash: sha256:17imkdfqzmnb013d14dx234bx17bnvws8baf3ii1xra5qi2y1wiz
+NarSize: 1519328
+References: 4gk773fqcsv4fh2rfkhs9bgfih86fdq8-gcc-13.3.0-lib nqb2ns2d1lahnd5ncwmn6k84qfd7vx2k-glibc-2.40-36
+Deriver: vcn0x8hikc4mvxdkvrdxp61bwa5r7lr6-openmp-2024.11.drv
+Sig: jungle.bsc.es:GDTOUEs1jl91wpLbb+gcKsAZjpKdARO9j5IQqb3micBeqzX2M/NDtKvgCS1YyiudOUdcjwa3j+hyzV2njokcCA==
+# In oneline:
+$ curl "https://jungle.bsc.es/cache/$(nix eval --raw jungle#<package>.outPath | cut -d '/' -f4 | cut -d '-' -f1).narinfo"
+```
+
+#### References
+
+- https://nix.dev/guides/recipes/add-binary-cache.html
+- https://nixos.wiki/wiki/Binary_Cache
--- a/web/content/paste/_index.md
+++ b/web/content/paste/_index.md
@@ -0,0 +1,68 @@
+---
+title: "Paste"
+description: "Paste service"
+author: "Rodrigo Arias Mallo"
+date: 2024-09-20
+---
+
+The tent machine provides a paste service using the program `p` (as in paste).
+
+You can use it directly from the tent machine or remotely if you have [SSH
+access](/access) to tent using the following alias:
+
+```
+alias p="ssh tent p"
+```
+
+You can add it to bashrc or zshrc for persistent installation.
+
+## Usage
+
+The `p` command reads from the standard input, uploads the content to a file
+in the local filesystem and prints the URL to access it. It only accepts an
+optional argument, which is the extension of the file that will be stored on
+disk (without the dot). By default it uses the `txt` extension, so plain text
+can be read in the browser directly.
+
+```
+p [extension]
+```
+
+To remove files, go to `/var/lib/p/$USER` and remove them manually.
+
+## Examples
+
+Share a text file, in this case the source of p itself:
+
+```
+tent% p < m/tent/p.nix
+https://jungle.bsc.es/p/rarias/okbtG130.txt
+```
+
+Paste the last dmesg lines directly from a pipe:
+
+```
+tent% dmesg | tail -5 | p
+https://jungle.bsc.es/p/rarias/luX4STm9.txt
+```
+
+Upload a PNG picture from a file:
+
+```
+hop% p png < mark-api-cpu.png
+https://jungle.bsc.es/p/rarias/oSRAMVsE.png
+```
+
+Take an screenshot and upload it as a PNG file:
+
+```
+hop% scrot -s - | p png
+https://jungle.bsc.es/p/rarias/SOgK5EV0.png
+```
+
+Upload a directory by creating a tar.gz file on the fly:
+
+```
+hop% tar c ovni | gzip | p tar.gz
+https://jungle.bsc.es/p/rarias/tkwROcTR.tar.gz
+```
--- a/web/hugo.toml
+++ b/web/hugo.toml
@@ -3,26 +3,38 @@ languageCode = 'en-us'
 title = 'The jungle'
 theme = 'PaperMod'

+[[menu.main]]
+identifier = "doc"
+name = "Docs"
+url = "/doc/"
+weight = 10
+
 [[menu.main]]
 identifier = "grafana"
 name = "Grafana"
 url = "/grafana/"
-weight = 10
+weight = 20

 [[menu.main]]
 identifier = "Git"
 name = "Git"
 url = "/git/"
-weight = 20
+weight = 30

 [[menu.main]]
 identifier = "Lists"
 name = "Lists"
 url = "/lists/"
-weight = 30
+weight = 40
+
+[[menu.main]]
+identifier = "Paste"
+name = "Paste"
+url = "/paste/"
+weight = 50

 [[menu.main]]
 identifier = "Posts"
 name = "Posts"
 url = "/posts/"
-weight = 40
+weight = 60
--- a/web/themes/PaperMod/layouts/partials/templates/opengraph.html
+++ b/web/themes/PaperMod/layouts/partials/templates/opengraph.html
@@ -49,4 +49,4 @@
 {{ end }}{{ end }}

 {{- /* Facebook Page Admin ID for Domain Insights */}}
-{{- with site.Social.facebook_admin }}<meta property="fb:admins" content="{{ . }}" />{{ end }}
+{{- with site.Params.Social.facebook_admin }}<meta property="fb:admins" content="{{ . }}" />{{ end }}
--- a/web/themes/PaperMod/layouts/partials/templates/twitter_cards.html
+++ b/web/themes/PaperMod/layouts/partials/templates/twitter_cards.html
@@ -28,6 +28,6 @@
 {{- end }}
 <meta name="twitter:title" content="{{ .Title }}"/>
 <meta name="twitter:description" content="{{ with .Description }}{{ . }}{{ else }}{{if .IsPage}}{{ .Summary }}{{ else }}{{ with site.Params.description }}{{ . }}{{ end }}{{ end }}{{ end -}}"/>
-{{ with site.Social.twitter -}}
+{{ with site.Params.Social.twitter -}}
 <meta name="twitter:site" content="@{{ . }}"/>
 {{ end -}}