rarias/jungle
2
0
Fork 3
Code Issues 61 Pull Requests 10 Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: rarias:slurm-groups
Branches Tags
rarias:master rarias:use-pam rarias:slurm-groups rarias:add-nextcloud rarias:project-management rarias:fox-regression rarias:pkgs/tacuda rarias:robust-fetchGit rarias:old-master rarias:gitea-lfs rarias:only-restart-logins rarias:monitor-gpfs-home rarias:add-tent-machine rarias:m/raccoon rarias:add-fpga-u280 rarias:maintenance-purchase rarias:add-fox-machine rarias:share-files rarias:shared-nix-store rarias:intro-nix rarias:lake2-ipoib varcila:master varcila:robust-fetchGit varcila:pkgs/gromacs varcila:pkgs/tasycl varcila:pkgs/tacuda varcila:enableStrictDeps varcila:fix/paraver varcila:pkgs/clsparse varcila:pkgs/aocc varcila:pkgs/taopencl varcila:old-master varcila:gitea-lfs varcila:only-restart-logins varcila:monitor-gpfs-home varcila:add-tent-machine varcila:m/raccoon varcila:add-fpga-u280 varcila:maintenance-purchase varcila:add-fox-machine varcila:share-files varcila:shared-nix-store varcila:intro-nix varcila:lake2-ipoib
..
compare: varcila:pkgs/tasycl
Branches Tags
varcila:master varcila:robust-fetchGit varcila:pkgs/gromacs varcila:pkgs/tasycl varcila:pkgs/tacuda varcila:enableStrictDeps varcila:fix/paraver varcila:pkgs/clsparse varcila:pkgs/aocc varcila:pkgs/taopencl varcila:old-master varcila:gitea-lfs varcila:only-restart-logins varcila:monitor-gpfs-home varcila:add-tent-machine varcila:m/raccoon varcila:add-fpga-u280 varcila:maintenance-purchase varcila:add-fox-machine varcila:share-files varcila:shared-nix-store varcila:intro-nix varcila:lake2-ipoib rarias:master rarias:use-pam rarias:slurm-groups rarias:add-nextcloud rarias:project-management rarias:fox-regression rarias:pkgs/tacuda rarias:robust-fetchGit rarias:old-master rarias:gitea-lfs rarias:only-restart-logins rarias:monitor-gpfs-home rarias:add-tent-machine rarias:m/raccoon rarias:add-fpga-u280 rarias:maintenance-purchase rarias:add-fox-machine rarias:share-files rarias:shared-nix-store rarias:intro-nix rarias:lake2-ipoib

13 Commits
slurm-grou ... pkgs/tasyc

Author SHA1 Message Date
Aleix Boné
15a1014280 Update versions to 2025.2
All checks were successful
CI / build:all (pull_request) Successful in 1m27s
Details
2025-10-08 14:19:44 +02:00
Aleix Boné
0a27ae0926 Minify packages.json 2025-10-08 14:19:44 +02:00
Aleix Boné
3ed5463c25 Use packages.json for intel packages instead of awk script 2025-10-08 14:19:44 +02:00
Aleix Boné
1430ae7ceb Use gcc13 for llvm-ompss2 for intel 2025-10-08 14:19:31 +02:00
Aleix Boné
96bb46cfbf Use gcc13 for intel compiler 2025-10-08 14:18:18 +02:00
Aleix Boné
3a60d4a77e Add passthru in ompss2 wrapper for icpx compat 2025-10-08 14:18:17 +02:00
Aleix Boné
ed573138e4 Remove wrapper flags when clang called from intel 2025-10-08 14:18:17 +02:00
Aleix Boné
4c1791c95d Add oneMath 2025-10-08 14:18:17 +02:00
Aleix Boné
f8f3811b67 Fix parsing of new apt package list for oneapi 2023 
New apt list does not have Package: as the first entry for all packages
 2025-10-08 14:18:17 +02:00
Aleix Boné
684e290a38 Add TASYCL 2.1.0 2025-10-08 14:18:17 +02:00
Aleix Boné
25543ac0a1 Add test for icpx with ompss-2 as host compiler 2025-10-08 14:18:17 +02:00
Aleix Boné
f15055ccdb Add SYCL test compilation 2025-10-08 11:41:25 +02:00
Aleix Boné
f836ffe7dc Add intelPackages_202{4,5} and make 2025 the default 2025-10-08 11:41:25 +02:00
127 changed files with 1207 additions and 45331 deletions
Expand all files Collapse all files

7
.gitea/workflows/ci.yaml
View File

@@ -12,9 +12,4 @@ jobs:
runs-on: native
steps:
- uses: https://gitea.com/ScMi1/checkout@v1.4
- run: nix build -L --no-link --print-out-paths .#bsc.ci.all
build:cross:
runs-on: native
steps:
- uses: https://gitea.com/ScMi1/checkout@v1.4
- run: nix build -L --no-link --print-out-paths .#bsc.ci.cross
- run: nix build -L --no-link --print-out-paths .#bsc-ci.all

30
doc/maintainers.md
View File

@@ -1,30 +0,0 @@
# Maintainers
## Role of a maintainer
The responsibilities of maintainers are quite lax, and similar in spirit to
[nixpkgs' maintainers][1]:
The main responsibility of a maintainer is to keep the packages they
maintain in a functioning state, and keep up with updates. In order to do
that, they are empowered to make decisions over the packages they maintain.
That being said, the maintainer is not alone in proposing changes to the
packages. Anybody (both bots and humans) can send PRs to bump or tweak the
package.
In practice, this means that when updating or proposing changes to a package,
we will notify maintainers by mentioning them in Gitea so they can test changes
and give feedback.
Since we do bi-yearly release cycles, there is no expectation from maintainers
to update packages at each upstream release. Nevertheless, on each release cycle
we may request help from maintainers when updating or testing their packages.
## Becoming a maintainer
You'll have to add yourself in the `maintainers.nix` list; your username should
match your `bsc.es` email. Then you can add yourself to the `meta.maintainers`
of any package you are interested in maintaining.
[1]: [https://github.com/NixOS/nixpkgs/tree/nixos-25.05/maintainers]

90
flake.lock generated
View File

@@ -1,25 +1,107 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1750173260,
"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1767634882,
"narHash": "sha256-2GffSfQxe3sedHzK+sTKlYo/NTIAGzbFCIsNMUPAAnk=",
"lastModified": 1752436162,
"narHash": "sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c9db02515ef1d9b6b709fc60ba9a540957f661c",
"rev": "dfcd5b901dbab46c9c6e80b265648481aafb01f8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"nixpkgs": "nixpkgs"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

18
flake.nix
View File

@@ -1,13 +1,15 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, nixpkgs, ... }:
outputs = { self, nixpkgs, agenix, ... }:
let
mkConf = name: nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit nixpkgs; theFlake = self; };
specialArgs = { inherit nixpkgs agenix; theFlake = self; };
modules = [ "${self.outPath}/m/${name}/configuration.nix" ];
};
# For now we only support x86
@@ -40,13 +42,11 @@ in
# full nixpkgs with our overlay applied
legacyPackages.${system} = pkgs;
hydraJobs = self.legacyPackages.${system}.bsc.hydraJobs;
hydraJobs = {
inherit (self.legacyPackages.${system}.bsc-ci) tests pkgs cross;
};
# propagate nixpkgs lib, so we can do bscpkgs.lib
lib = nixpkgs.lib // {
maintainers = nixpkgs.lib.maintainers // {
bsc = import ./pkgs/maintainers.nix;
};
};
inherit (nixpkgs) lib;
};
}

3
keys.nix
View File

@@ -22,9 +22,8 @@ rec {
storage = [ bay lake2 ];
monitor = [ hut ];
login = [ apex ];
services = [ tent ];
system = storage ++ monitor ++ login ++ services;
system = storage ++ monitor ++ login;
safe = system ++ compute;
all = safe ++ playground;
};

12
m/apex/configuration.nix
View File

@@ -57,18 +57,6 @@
};
};
services.fail2ban = {
enable = true;
maxretry = 5;
bantime-increment = {
enable = true; # Double ban time on each attack
maxtime = "7d"; # Ban up to a week
};
};
# Disable SSH login with password, allow only keypair
services.openssh.settings.PasswordAuthentication = false;
networking.firewall = {
extraCommands = ''
# Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our

26
m/apex/nfs.nix
View File

@@ -7,7 +7,7 @@
mountdPort = 4002;
statdPort = 4000;
exports = ''
/home 10.0.40.0/21(rw,async,no_subtree_check,no_root_squash)
/home 10.0.40.0/24(rw,async,no_subtree_check,no_root_squash)
/home 10.106.0.0/24(rw,async,no_subtree_check,no_root_squash)
'';
};
@@ -15,19 +15,19 @@
# Check with `rpcinfo -p`
extraCommands = ''
# Accept NFS traffic from compute nodes but not from the outside
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 111 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 2049 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 4000 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 4001 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 4002 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 20048 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 111 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 2049 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4000 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4001 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
# Same but UDP
iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 111 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 2049 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 4000 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 4001 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 4002 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 20048 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 111 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 2049 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4000 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4001 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
# Accept NFS traffic from wg0
iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 111 -j nixos-fw-accept

4
m/bay/configuration.nix
View File

@@ -24,7 +24,7 @@
address = "10.0.40.40";
prefixLength = 24;
} ];
interfaces.ibs785.ipv4.addresses = [ {
interfaces.ibp5s0.ipv4.addresses = [ {
address = "10.0.42.40";
prefixLength = 24;
} ];
@@ -35,7 +35,7 @@
# Accept monitoring requests from hut
iptables -A nixos-fw -p tcp -s hut -m multiport --dport 9283,9002 -j nixos-fw-accept
# Accept all Ceph traffic from the local network
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
'';
};
};

1
m/common/base.nix
View File

@@ -11,7 +11,6 @@
./base/hw.nix
./base/net.nix
./base/nix.nix
./base/sys-devices.nix
./base/ntp.nix
./base/rev.nix
./base/ssh.nix

9
m/common/base/agenix.nix
View File

@@ -1,8 +1,9 @@
{ pkgs, ... }:
{ agenix, ... }:
{
imports = [ ../../module/agenix.nix ];
imports = [ agenix.nixosModules.default ];
# Add agenix to system packages
environment.systemPackages = [ pkgs.agenix ];
environment.systemPackages = [
agenix.packages.x86_64-linux.default
];
}

35
m/common/base/env.nix
View File

@@ -1,36 +1,11 @@
{ pkgs, ... }:
{ pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
cmake
ethtool
file
freeipmi
git
gnumake
home-manager
htop
ipmitool
ldns
lm_sensors
ncdu
nix-diff
nix-index
nix-output-monitor
nixfmt-tree
nixos-option
pciutils
perf
pv
ripgrep
tcpdump
tmux
tree
vim
wget
# From jungle overlay
nixgen
vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
ncdu config.boot.kernelPackages.perf ldns pv
# From bsckgs overlay
osumb
];

9
m/common/base/sys-devices.nix
View File

@@ -1,9 +0,0 @@
{
nix.settings.system-features = [ "sys-devices" ];
programs.nix-required-mounts.enable = true;
programs.nix-required-mounts.allowedPatterns.sys-devices.paths = [
"/sys/devices/system/cpu"
"/sys/devices/system/node"
];
}

42
m/common/base/users.nix
View File

@@ -139,7 +139,6 @@
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"
];
shell = pkgs.zsh;
};
pmartin1 = {
@@ -181,51 +180,10 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFmMqKqPg4uocNOr3O41kLbZMOMJn3m2ZdN1JvTR96z3 bsccns@arnau-bsc"
];
};
aaguirre = {
uid = 9655;
isNormalUser = true;
home = "/home/Computational/aaguirre";
description = "Alejandro Aguirre";
group = "Computational";
hosts = [ "apex" "hut" ];
hashedPassword = "$6$TXRXQT6jjBvxkxU6$E.sh5KspAm1qeG5Ct7OPHpo8REmbGDwjFGvqeGgTVz3GASGOAnPL7UMZsMAsAKBoahOw.v8LNno6XGrTEPzZH1";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlRX7ZCnqtUJYCxKgWmgSrFCYuA2LHY96rVwqxXPl86 aaguirre@BSC-8488184117"
];
};
emonteir = {
uid = 9656;
isNormalUser = true;
home = "/home/Computational/emonteir";
description = "Erwin Royson Monteiro";
group = "Computational";
hosts = [ "apex" "fox" ];
hashedPassword = "$6$0mU88zd3ZuK5NiJQ$DFWL5RMLH6esQM5UyhBCiiNryw4lDDmvJp7Usz3tmevnsiSJr6u0RsUKAnR/K8GRBFrV1.GocrgNjKjik5GY//";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKZKot/Y3F5Wq9pQIXlCbyvQuVVeWMCsAC96Nd+LTcG erwin@Oreo"
];
};
ssanzmar = {
uid = 9657;
isNormalUser = true;
home = "/home/Computational/ssanzmar";
description = "Sergio Sanz Martínez";
group = "Computational";
hosts = [ "apex" "fox" ];
hashedPassword = "$6$HUjNDJeJMmNQ6M64$laXSOZcXg6o4v2r8Jm8Xj9kmqw7veCY32po3TVDPRR4WlyxvOeqwoKr4NjlUlPPpKN55Oot3ZYHi.9iNXsH5E1";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIELrsRRHXryrdA2ZBx5XmdGxL4DC5bmJydhBeTWQ0SQ sergio.sanz.martinez@estudiantat.upc.edu"
];
};
};
groups = {
Computational = { gid = 564; };
fox = { gid = 565; };
owl = { gid = 566; };
tracing = { };
};
};

2
m/common/base/watchdog.nix
View File

@@ -5,5 +5,5 @@
boot.kernelModules = [ "ipmi_watchdog" ];
# Enable systemd watchdog with 30 s interval
systemd.settings.Manager.RuntimeWatchdogSec = 30;
systemd.watchdog.runtimeTime = "30s";
}

7
m/eudy/kernel/perf.nix
View File

@@ -1,6 +1,11 @@
{ pkgs, lib, ... }:
{ config, pkgs, lib, ... }:
{
# add the perf tool
environment.systemPackages = with pkgs; [
config.boot.kernelPackages.perf
];
# allow non-root users to read tracing data from the kernel
boot.kernel.sysctl."kernel.perf_event_paranoid" = -2;
boot.kernel.sysctl."kernel.kptr_restrict" = 0;

16
m/fox/configuration.nix
View File

@@ -93,4 +93,20 @@
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = script;
};
# Only allow SSH connections from users who have a SLURM allocation
# See: https://slurm.schedmd.com/pam_slurm_adopt.html
security.pam.services.sshd.rules.account.slurm = {
control = "required";
enable = true;
modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
args = [ "log_level=debug5" ];
order = 999999; # Make it last one
};
# Disable systemd session (pam_systemd.so) as it will conflict with the
# pam_slurm_adopt.so module. What happens is that the shell is first adopted
# into the slurmstepd task and then into the systemd session, which is not
# what we want, otherwise it will linger even if all jobs are gone.
security.pam.services.sshd.startSession = lib.mkForce false;
}

3
m/hut/configuration.nix
View File

@@ -17,7 +17,6 @@
./postgresql.nix
./nginx.nix
./p.nix
./ompss2-timer.nix
#./pxe.nix
];
@@ -45,7 +44,7 @@
address = "10.0.40.7";
prefixLength = 24;
} ];
interfaces.ibs785.ipv4.addresses = [ {
interfaces.ibp5s0.ipv4.addresses = [ {
address = "10.0.42.7";
prefixLength = 24;
} ];

3
m/hut/gitea.nix
View File

@@ -29,9 +29,6 @@
};
};
# Allow gitea user to send mail
users.users.gitea.extraGroups = [ "mail-robot" ];
services.gitea-actions-runner.instances = {
runrun = {
enable = true;

1
m/hut/gitlab-runner.nix
View File

@@ -51,7 +51,6 @@
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
"/var/run/postgresql/:/var/run/postgresql/"
];
dockerExtraHosts = [
# Required to pass the proxy via hut

19
m/hut/ssh-robot-probes.nix → m/hut/gpfs-probe.nix
View File

@@ -6,12 +6,6 @@ let
chmod +x $out
''
;
sblame-probe-script = pkgs.runCommand "sblame-probe.sh" { }
''
cp ${./sblame-probe.sh} $out;
chmod +x $out
''
;
in
{
# Use a new user to handle the SSH keys
@@ -34,17 +28,4 @@ in
Group = "ssh-robot";
};
};
systemd.services.sblame-probe = {
description = "Daemon to report SLURM statistics via SSH";
path = [ pkgs.openssh pkgs.netcat ];
after = [ "network.target" ];
wantedBy = [ "default.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.socat}/bin/socat TCP4-LISTEN:9967,fork EXEC:${sblame-probe-script}";
User = "ssh-robot";
Group = "ssh-robot";
};
};
}

3
m/hut/monitoring.nix
View File

@@ -5,7 +5,7 @@
../module/slurm-exporter.nix
../module/meteocat-exporter.nix
../module/upc-qaire-exporter.nix
./ssh-robot-probes.nix
./gpfs-probe.nix
../module/nix-daemon-exporter.nix
];
@@ -111,7 +111,6 @@
"127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}"
"127.0.0.1:9341" # Slurm exporter
"127.0.0.1:9966" # GPFS custom exporter
"127.0.0.1:9967" # SLURM custom exporter
"127.0.0.1:9999" # Nix-daemon custom exporter
"127.0.0.1:9929" # Meteocat custom exporter
"127.0.0.1:9928" # UPC Qaire custom exporter

5
m/hut/msmtp.nix
View File

@@ -1,11 +1,8 @@
{ config, lib, ... }:
{
# Robot user that can see the password to send mail from jungle-robot
users.groups.mail-robot = {};
age.secrets.jungleRobotPassword = {
file = ../../secrets/jungle-robot-password.age;
group = "mail-robot";
group = "gitea";
mode = "440";
};

4
m/hut/nginx.nix
View File

@@ -4,8 +4,8 @@ let
name = "jungle-web";
src = pkgs.fetchgit {
url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
rev = "5f18335d14126d2fef134c0cd441771436f7dfa1";
hash = "sha256-s9VBF91sQ7hg9+lrwNFPYgoXTTyXaQcAulCiGJgWERo=";
rev = "739bf0175a7f05380fe7ad7023ff1d60db1710e1";
hash = "sha256-ea5DzhYTzZ9TmqD+x95rdNdLbxPnBluqlYH2NmBYmc4=";
};
buildInputs = [ pkgs.hugo ];
buildPhase = ''

85
m/hut/ompss2-timer.nix
View File

@@ -1,85 +0,0 @@
{ config, pkgs, ... }:
{
systemd.timers = {
"ompss2-closing" = {
wantedBy = [ "timers.target" ];
timerConfig = {
Unit = "ompss2-closing.service";
OnCalendar = [ "*-03-15 07:00:00" "*-09-15 07:00:00"];
};
};
"ompss2-freeze" = {
wantedBy = [ "timers.target" ];
timerConfig = {
Unit = "ompss2-freeze.service";
OnCalendar = [ "*-04-15 07:00:00" "*-10-15 07:00:00" ];
};
};
"ompss2-release" = {
wantedBy = [ "timers.target" ];
timerConfig = {
Unit = "ompss2-release.service";
OnCalendar = [ "*-05-15 07:00:00" "*-11-15 07:00:00" ];
};
};
};
systemd.services =
let
closing = pkgs.writeText "closing.txt"
''
Subject: OmpSs-2 release enters closing period
Hi,
You have one month to merge the remaining features for the next OmpSs-2
release. Please, identify what needs to be merged and discuss it in the next
OmpSs-2 meeting.
Thanks!,
Jungle robot
'';
freeze = pkgs.writeText "freeze.txt"
''
Subject: OmpSs-2 release enters freeze period
Hi,
The period to introduce new features or breaking changes is over, only bug
fixes are allowed now. During this time, please prepare the release notes
to be included in the next OmpSs-2 release.
Thanks!,
Jungle robot
'';
release = pkgs.writeText "release.txt"
''
Subject: OmpSs-2 release now
Hi,
The period to introduce bug fixes is now over. Please, proceed to do the
OmpSs-2 release.
Thanks!,
Jungle robot
'';
mkServ = name: mail: {
"ompss2-${name}" = {
script = ''
set -eu
set -o pipefail
cat ${mail} | ${config.security.wrapperDir}/sendmail star@bsc.es
'';
serviceConfig = {
Type = "oneshot";
DynamicUser = true;
Group = "mail-robot";
};
};
};
in
(mkServ "closing" closing) //
(mkServ "freeze" freeze) //
(mkServ "release" release);
}

10
m/hut/postgresql.nix
View File

@@ -8,14 +8,12 @@
{ name = "anavarro"; ensureClauses.superuser = true; }
{ name = "rarias"; ensureClauses.superuser = true; }
{ name = "grafana"; }
{ name = "gitlab-runner"; }
];
authentication = ''
#type database DBuser auth-method
local perftestsdb rarias trust
local perftestsdb anavarro trust
local perftestsdb grafana trust
local perftestsdb gitlab-runner trust
#type database DBuser auth-method
local perftestsdb rarias trust
local perftestsdb anavarro trust
local perftestsdb grafana trust
'';
};
}

8
m/hut/sblame-probe.sh
View File

@@ -1,8 +0,0 @@
#!/bin/sh
cat <<EOF
HTTP/1.1 200 OK
Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=values
EOF
ssh bsc015557@glogin2.bsc.es "timeout 3 command sblame -E"

4
m/lake2/configuration.nix
View File

@@ -46,7 +46,7 @@
address = "10.0.40.42";
prefixLength = 24;
} ];
interfaces.ibs785.ipv4.addresses = [ {
interfaces.ibp5s0.ipv4.addresses = [ {
address = "10.0.42.42";
prefixLength = 24;
} ];
@@ -57,7 +57,7 @@
# Accept monitoring requests from hut
iptables -A nixos-fw -p tcp -s hut --dport 9002 -j nixos-fw-accept
# Accept all Ceph traffic from the local network
iptables -A nixos-fw -p tcp -s 10.0.40.0/21 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
'';
};
};

357
m/module/agenix.nix
View File

@@ -1,357 +0,0 @@
{
config,
options,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.age;
isDarwin = lib.attrsets.hasAttrByPath [ "environment" "darwinConfig" ] options;
ageBin = config.age.ageBin;
users = config.users.users;
sysusersEnabled =
if isDarwin then
false
else
options.systemd ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable);
mountCommand =
if isDarwin then
''
if ! diskutil info "${cfg.secretsMountPoint}" &> /dev/null; then
num_sectors=1048576
dev=$(hdiutil attach -nomount ram://"$num_sectors" | sed 's/[[:space:]]*$//')
newfs_hfs -v agenix "$dev"
mount -t hfs -o nobrowse,nodev,nosuid,-m=0751 "$dev" "${cfg.secretsMountPoint}"
fi
''
else
''
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts ||
mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
'';
newGeneration = ''
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation ))
echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
mkdir -p "${cfg.secretsMountPoint}"
chmod 0751 "${cfg.secretsMountPoint}"
${mountCommand}
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
'';
chownGroup = if isDarwin then "admin" else "keys";
# chown the secrets mountpoint and the current generation to the keys group
# instead of leaving it root:root.
chownMountPoint = ''
chown :${chownGroup} "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"
'';
setTruePath = secretType: ''
${
if secretType.symlink then
''
_truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
''
else
''
_truePath="${secretType.path}"
''
}
'';
installSecret = secretType: ''
${setTruePath secretType}
echo "decrypting '${secretType.file}' to '$_truePath'..."
TMP_FILE="$_truePath.tmp"
IDENTITIES=()
for identity in ${toString cfg.identityPaths}; do
test -r "$identity" || continue
test -s "$identity" || continue
IDENTITIES+=(-i)
IDENTITIES+=("$identity")
done
test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
mkdir -p "$(dirname "$_truePath")"
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
(
umask u=r,g=,o=
test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!'
test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
LANG=${
config.i18n.defaultLocale or "C"
} ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}"
)
chmod ${secretType.mode} "$TMP_FILE"
mv -f "$TMP_FILE" "$_truePath"
${optionalString secretType.symlink ''
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
''}
'';
testIdentities = map (path: ''
test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
'') cfg.identityPaths;
cleanupAndLink = ''
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
(( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
}
'';
installSecrets = builtins.concatStringsSep "\n" (
[ "echo '[agenix] decrypting secrets...'" ]
++ testIdentities
++ (map installSecret (builtins.attrValues cfg.secrets))
++ [ cleanupAndLink ]
);
chownSecret = secretType: ''
${setTruePath secretType}
chown ${secretType.owner}:${secretType.group} "$_truePath"
'';
chownSecrets = builtins.concatStringsSep "\n" (
[ "echo '[agenix] chowning...'" ]
++ [ chownMountPoint ]
++ (map chownSecret (builtins.attrValues cfg.secrets))
);
secretType = types.submodule (
{ config, ... }:
{
options = {
name = mkOption {
type = types.str;
default = config._module.args.name;
defaultText = literalExpression "config._module.args.name";
description = ''
Name of the file used in {option}`age.secretsDir`
'';
};
file = mkOption {
type = types.path;
description = ''
Age file the secret is loaded from.
'';
};
path = mkOption {
type = types.str;
default = "${cfg.secretsDir}/${config.name}";
defaultText = literalExpression ''
"''${cfg.secretsDir}/''${config.name}"
'';
description = ''
Path where the decrypted secret is installed.
'';
};
mode = mkOption {
type = types.str;
default = "0400";
description = ''
Permissions mode of the decrypted secret in a format understood by chmod.
'';
};
owner = mkOption {
type = types.str;
default = "0";
description = ''
User of the decrypted secret.
'';
};
group = mkOption {
type = types.str;
default = users.${config.owner}.group or "0";
defaultText = literalExpression ''
users.''${config.owner}.group or "0"
'';
description = ''
Group of the decrypted secret.
'';
};
symlink = mkEnableOption "symlinking secrets to their destination" // {
default = true;
};
};
}
);
in
{
imports = [
(mkRenamedOptionModule [ "age" "sshKeyPaths" ] [ "age" "identityPaths" ])
];
options.age = {
ageBin = mkOption {
type = types.str;
default = "${pkgs.age}/bin/age";
defaultText = literalExpression ''
"''${pkgs.age}/bin/age"
'';
description = ''
The age executable to use.
'';
};
secrets = mkOption {
type = types.attrsOf secretType;
default = { };
description = ''
Attrset of secrets.
'';
};
secretsDir = mkOption {
type = types.path;
default = "/run/agenix";
description = ''
Folder where secrets are symlinked to
'';
};
secretsMountPoint = mkOption {
type =
types.addCheck types.str (
s:
(builtins.match "[ \t\n]*" s) == null # non-empty
&& (builtins.match ".+/" s) == null
) # without trailing slash
// {
description = "${types.str.description} (with check: non-empty without trailing slash)";
};
default = "/run/agenix.d";
description = ''
Where secrets are created before they are symlinked to {option}`age.secretsDir`
'';
};
identityPaths = mkOption {
type = types.listOf types.path;
default =
if isDarwin then
[
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_rsa_key"
]
else if (config.services.openssh.enable or false) then
map (e: e.path) (
lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys
)
else
[ ];
defaultText = literalExpression ''
if isDarwin
then [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_rsa_key"
]
else if (config.services.openssh.enable or false)
then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
else [];
'';
description = ''
Path to SSH keys to be used as identities in age decryption.
'';
};
};
config = mkIf (cfg.secrets != { }) (mkMerge [
{
assertions = [
{
assertion = cfg.identityPaths != [ ];
message = "age.identityPaths must be set, for example by enabling openssh.";
}
];
}
(optionalAttrs (!isDarwin) {
# When using sysusers we no longer be started as an activation script
# because those are started in initrd while sysusers is started later.
systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
wantedBy = [ "sysinit.target" ];
after = [ "systemd-sysusers.service" ];
unitConfig.DefaultDependencies = "no";
path = [ pkgs.mount ];
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "agenix-install" (concatLines [
newGeneration
installSecrets
chownSecrets
]);
RemainAfterExit = true;
};
};
# Create a new directory full of secrets for symlinking (this helps
# ensure removed secrets are actually removed, or at least become
# invalid symlinks).
system.activationScripts = mkIf (!sysusersEnabled) {
agenixNewGeneration = {
text = newGeneration;
deps = [
"specialfs"
];
};
agenixInstall = {
text = installSecrets;
deps = [
"agenixNewGeneration"
"specialfs"
];
};
# So user passwords can be encrypted.
users.deps = [ "agenixInstall" ];
# Change ownership and group after users and groups are made.
agenixChown = {
text = chownSecrets;
deps = [
"users"
"groups"
];
};
# So other activation scripts can depend on agenix being done.
agenix = {
text = "";
deps = [ "agenixChown" ];
};
};
})
(optionalAttrs isDarwin {
launchd.daemons.activate-agenix = {
script = ''
set -e
set -o pipefail
export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
${newGeneration}
${installSecrets}
${chownSecrets}
exit 0
'';
serviceConfig = {
RunAtLoad = true;
KeepAlive.SuccessfulExit = false;
};
};
})
]);
}

9
m/module/debuginfod.nix
View File

@@ -1,10 +1,3 @@
{
services.nixseparatedebuginfod2 = {
enable = true;
substituters = [
"local:"
"https://cache.nixos.org"
"http://hut/cache"
];
};
services.nixseparatedebuginfod.enable = true;
}

7
m/module/jungle-users.nix
View File

@@ -17,13 +17,8 @@ with lib;
allowedUser = host: userConf: builtins.elem host userConf.hosts;
filterUsers = host: users: filterAttrs (n: v: allowedUser host v) users;
removeHosts = users: mapAttrs (n: v: builtins.removeAttrs v [ "hosts" ]) users;
addExtraGroups = mapAttrs (_: user: user // {
extraGroups = (user.extraGroups or [ ])
++ (lib.optionals (allowedUser "fox" user) [ "fox" ])
++ (lib.optionals (allowedUser "owl1" user || allowedUser "owl2" user) [ "owl" ]);
});
currentHost = config.networking.hostName;
in {
users.users = removeHosts (addExtraGroups (filterUsers currentHost config.users.jungleUsers));
users.users = removeHosts (filterUsers currentHost config.users.jungleUsers);
};
}

18
m/module/slurm-client.nix
View File

@@ -1,4 +1,4 @@
{ lib, pkgs, ... }:
{ lib, ... }:
{
imports = [
@@ -21,20 +21,4 @@
};
services.slurm.client.enable = true;
# Only allow SSH connections from users who have a SLURM allocation
# See: https://slurm.schedmd.com/pam_slurm_adopt.html
security.pam.services.sshd.rules.account.slurm = {
control = "required";
enable = true;
modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
args = [ "log_level=debug5" ];
order = 999999; # Make it last one
};
# Disable systemd session (pam_systemd.so) as it will conflict with the
# pam_slurm_adopt.so module. What happens is that the shell is first adopted
# into the slurmstepd task and then into the systemd session, which is not
# what we want, otherwise it will linger even if all jobs are gone.
security.pam.services.sshd.startSession = lib.mkForce false;
}

45
m/module/slurm-common.nix
View File

@@ -1,6 +1,31 @@
{ config, pkgs, ... }:
{
let
suspendProgram = pkgs.writeShellScript "suspend.sh" ''
exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log
set -x
export "PATH=/run/current-system/sw/bin:$PATH"
echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log
hosts=$(scontrol show hostnames $1)
for host in $hosts; do
echo Shutting down host: $host
ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power off
done
'';
resumeProgram = pkgs.writeShellScript "resume.sh" ''
exec 1>>/var/log/power_save.log 2>>/var/log/power_save.log
set -x
export "PATH=/run/current-system/sw/bin:$PATH"
echo "$(date) Suspend invoked $0 $*" >> /var/log/power_save.log
hosts=$(scontrol show hostnames $1)
for host in $hosts; do
echo Starting host: $host
ipmitool -I lanplus -H ''${host}-ipmi -P "" -U "" chassis power on
done
'';
in {
services.slurm = {
controlMachine = "apex";
clusterName = "jungle";
@@ -10,8 +35,8 @@
];
partitionName = [
"owl Nodes=owl[1-2] Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP AllowGroups=wheel,owl"
"fox Nodes=fox Default=NO DefaultTime=01:00:00 MaxTime=INFINITE State=UP AllowGroups=wheel,fox"
"owl Nodes=owl[1-2] Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
"fox Nodes=fox Default=NO DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
];
# See slurm.conf(5) for more details about these options.
@@ -34,6 +59,16 @@
# the resources. Use the task/cgroup plugin to enable process containment.
TaskPlugin=task/affinity,task/cgroup
# Power off unused nodes until they are requested
SuspendProgram=${suspendProgram}
SuspendTimeout=60
ResumeProgram=${resumeProgram}
ResumeTimeout=300
SuspendExcNodes=fox
# Turn the nodes off after 1 hour of inactivity
SuspendTime=3600
# Reduce port range so we can allow only this range in the firewall
SrunPortRange=60000-61000
@@ -51,7 +86,9 @@
# when a task runs (srun) so we can ssh early.
PrologFlags=Alloc,Contain,X11
LaunchParameters=use_interactive_step
# LaunchParameters=ulimit_pam_adopt will set RLIMIT_RSS in processes
# adopted by the external step, similar to tasks running in regular steps
# LaunchParameters=ulimit_pam_adopt
SlurmdDebug=debug5
#DebugFlags=Protocol,Cgroup
'';

27
m/module/tc1-board.nix
View File

@@ -1,27 +0,0 @@
{ lib, pkgs, ... }:
{
# Allow user access to FTDI USB device
services.udev.packages = lib.singleton (pkgs.writeTextFile {
# Needs to be < 73
name = "60-ftdi-tc1.rules";
text = ''
# Bus 003 Device 003: ID 0403:6011 Future Technology Devices International, Ltd FT4232H Quad HS USB-UART/FIFO IC
# Use := to make sure it doesn't get changed later
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6011", MODE:="0666"
'';
destination = "/etc/udev/rules.d/60-ftdi-tc1.rules";
});
# Allow access to USB for docker in GitLab runner
services.gitlab-runner = {
services.gitlab-bsc-docker = {
registrationFlags = [
# We need raw access to the USB port to reboot the board
"--docker-devices /dev/bus/usb/003/003"
# And TTY access for the serial port
"--docker-devices /dev/ttyUSB2"
];
};
};
}

2
m/owl1/configuration.nix
View File

@@ -20,7 +20,7 @@
address = "10.0.40.1";
prefixLength = 24;
} ];
interfaces.ibs785.ipv4.addresses = [ {
interfaces.ibp5s0.ipv4.addresses = [ {
address = "10.0.42.1";
prefixLength = 24;
} ];

2
m/owl2/configuration.nix
View File

@@ -21,7 +21,7 @@
prefixLength = 24;
} ];
# Watch out! The OmniPath device is not in the same place here:
interfaces.ibs801.ipv4.addresses = [ {
interfaces.ibp129s0.ipv4.addresses = [ {
address = "10.0.42.2";
prefixLength = 24;
} ];

9
m/tent/configuration.nix
View File

@@ -16,8 +16,6 @@
../module/p.nix
../module/vpn-dac.nix
../module/hut-substituter.nix
../module/tc1-board.nix
../module/ceph.nix
];
# Select the this using the ID to avoid mismatches
@@ -65,13 +63,6 @@
fsType = "ext4";
};
# Mount the NFS home
fileSystems."/nfs/home" = {
device = "10.106.0.30:/home";
fsType = "nfs";
options = [ "nfsvers=3" "rsize=1024" "wsize=1024" "cto" "nofail" ];
};
# Make a /vault/$USER directory for each user.
systemd.services.create-vault-dirs = let
# Take only normal users in tent

52
m/tent/gitea.nix
View File

@@ -1,7 +1,4 @@
{ config, lib, ... }:
let
cfg = config.services.gitea;
in
{
services.gitea = {
enable = true;
@@ -29,54 +26,5 @@ in
SENDMAIL_ARGS = "--";
};
};
dump = {
enable = false; # Do not enable NixOS module, use our custom systemd script below
backupDir = "/vault/backup/gitea";
};
};
systemd.services.gitea-backup = let
exe = lib.getExe cfg.package;
in {
description = "Gitea daily backup";
after = [ "gitea.service" ];
path = [ cfg.package ];
environment = {
USER = cfg.user;
HOME = cfg.stateDir;
GITEA_WORK_DIR = cfg.stateDir;
GITEA_CUSTOM = cfg.customDir;
};
serviceConfig = {
Type = "oneshot";
User = cfg.user;
WorkingDirectory = cfg.dump.backupDir;
};
script = ''
name="gitea-dump-$(date +%a).${cfg.dump.type}"
${exe} dump --type ${cfg.dump.type} --file - >"$name.tmp"
mv "$name.tmp" "$name"
cp "$name" "/ceph/backup/gitea/$name"
'';
};
# Create also the /ceph directories if needed
systemd.tmpfiles.rules = [
"d /ceph/backup/gitea/ 0750 ${cfg.user} ${cfg.group} - -"
"z /ceph/backup/gitea/ 0750 ${cfg.user} ${cfg.group} - -"
];
systemd.timers.gitea-backup = {
description = "Update timer for gitea-backup";
partOf = [ "gitea-backup.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = cfg.dump.interval;
};
# Allow gitea user to send mail
users.users.gitea.extraGroups = [ "mail-robot" ];
}

1
m/tent/gitlab-runner.nix
View File

@@ -43,7 +43,6 @@
registrationFlags = [
# Increase build log length to 64 MiB
"--output-limit 65536"
"--docker-network-mode host"
];
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs

4
m/tent/nginx.nix
View File

@@ -4,8 +4,8 @@ let
name = "jungle-web";
src = pkgs.fetchgit {
url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
rev = "5f18335d14126d2fef134c0cd441771436f7dfa1";
hash = "sha256-s9VBF91sQ7hg9+lrwNFPYgoXTTyXaQcAulCiGJgWERo=";
rev = "739bf0175a7f05380fe7ad7023ff1d60db1710e1";
hash = "sha256-ea5DzhYTzZ9TmqD+x95rdNdLbxPnBluqlYH2NmBYmc4=";
};
buildInputs = [ pkgs.hugo ];
buildPhase = ''

2
m/weasel/configuration.nix
View File

@@ -25,7 +25,7 @@
address = "10.0.40.6";
prefixLength = 24;
} ];
interfaces.ibs785.ipv4.addresses = [ {
interfaces.ibp5s0.ipv4.addresses = [ {
address = "10.0.42.6";
prefixLength = 24;
} ];

89
overlay.nix
View File

@@ -7,7 +7,6 @@ let
callPackage = final.callPackage;
bscPkgs = {
agenix = prev.callPackage ./pkgs/agenix/default.nix { };
amd-uprof = prev.callPackage ./pkgs/amd-uprof/default.nix { };
bench6 = callPackage ./pkgs/bench6/default.nix { };
bigotes = callPackage ./pkgs/bigotes/default.nix { };
@@ -19,7 +18,11 @@ let
cudainfo = prev.callPackage ./pkgs/cudainfo/default.nix { };
#extrae = callPackage ./pkgs/extrae/default.nix { }; # Broken and outdated
gpi-2 = callPackage ./pkgs/gpi-2/default.nix { };
intel-apt = callPackage ./pkgs/intel-oneapi/packages.nix { };
intelPackages_2023 = callPackage ./pkgs/intel-oneapi/2023.nix { };
intelPackages_2024 = final.intel-apt.hpckit_2024;
intelPackages_2025 = final.intel-apt.hpckit_2025;
intelPackages = final.intelPackages_2025;
jemallocNanos6 = callPackage ./pkgs/nanos6/jemalloc.nix { };
# FIXME: Extend this to all linuxPackages variants. Open problem, see:
# https://discourse.nixos.org/t/whats-the-right-way-to-make-a-custom-kernel-module-available/4636
@@ -30,19 +33,19 @@ let
amd-uprof-driver = _prev.callPackage ./pkgs/amd-uprof/driver.nix { };
});
lmbench = callPackage ./pkgs/lmbench/default.nix { };
# Broken and unmantained
# mcxx = callPackage ./pkgs/mcxx/default.nix { };
mcxx = callPackage ./pkgs/mcxx/default.nix { };
meteocat-exporter = prev.callPackage ./pkgs/meteocat-exporter/default.nix { };
mpi = final.mpich; # Set MPICH as default
mpich = callPackage ./pkgs/mpich/default.nix { mpich = prev.mpich; };
nanos6 = callPackage ./pkgs/nanos6/default.nix { };
nanos6Debug = final.nanos6.override { enableDebug = true; };
nixtools = callPackage ./pkgs/nixtools/default.nix { };
nixgen = callPackage ./pkgs/nixgen/default.nix { };
nix-portable = callPackage ./pkgs/nix-portable/default.nix { };
nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
# Broken because of pkgsStatic.libcap
# See: https://github.com/NixOS/nixpkgs/pull/268791
#nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
nodes = callPackage ./pkgs/nodes/default.nix { };
nosv = callPackage ./pkgs/nosv/default.nix { };
oneMath = callPackage ./pkgs/onemath/default.nix { };
openmp = callPackage ./pkgs/llvm-ompss2/openmp.nix { monorepoSrc = final.clangOmpss2Unwrapped.src; version = final.clangOmpss2Unwrapped.version; };
openmpv = final.openmp.override { enableNosv = true; enableOvni = true; };
osumb = callPackage ./pkgs/osu/default.nix { };
@@ -52,7 +55,6 @@ let
prometheus-slurm-exporter = prev.callPackage ./pkgs/slurm-exporter/default.nix { };
#pscom = callPackage ./pkgs/parastation/pscom.nix { }; # Unmaintaned
#psmpi = callPackage ./pkgs/parastation/psmpi.nix { }; # Unmaintaned
slurm = import ./pkgs/slurm/default.nix { slurm = prev.slurm; };
sonar = callPackage ./pkgs/sonar/default.nix { };
stdenvClangOmpss2 = final.stdenv.override { cc = final.clangOmpss2; allowedRequisites = null; };
stdenvClangOmpss2Nanos6 = final.stdenv.override { cc = final.clangOmpss2Nanos6; allowedRequisites = null; };
@@ -60,15 +62,19 @@ let
stdenvClangOmpss2NodesOmpv = final.stdenv.override { cc = final.clangOmpss2NodesOmpv; allowedRequisites = null; };
tagaspi = callPackage ./pkgs/tagaspi/default.nix { };
tampi = callPackage ./pkgs/tampi/default.nix { };
tasycl = callPackage ./pkgs/tasycl/default.nix { };
tasycl-acpp = callPackage ./pkgs/tasycl/default.nix { useIntel = false; };
upc-qaire-exporter = prev.callPackage ./pkgs/upc-qaire-exporter/default.nix { };
wxparaver = callPackage ./pkgs/paraver/default.nix { };
};
tests = rec {
hwloc = callPackage ./test/bugs/hwloc.nix { };
#hwloc = callPackage ./test/bugs/hwloc.nix { }; # Broken, no /sys
#sigsegv = callPackage ./test/reproducers/sigsegv.nix { };
hello-c = callPackage ./test/compilers/hello-c.nix { };
hello-cpp = callPackage ./test/compilers/hello-cpp.nix { };
hello-sycl = callPackage ./test/compilers/hello-sycl.nix { };
hello-syclompss = callPackage ./test/compilers/icpx-ompss2.nix { };
lto = callPackage ./test/compilers/lto.nix { };
asan = callPackage ./test/compilers/asan.nix { };
intel2023-icx-c = hello-c.override { stdenv = final.intelPackages_2023.stdenv; };
@@ -78,6 +84,13 @@ let
intel2023-ifort = callPackage ./test/compilers/hello-f.nix {
stdenv = final.intelPackages_2023.stdenv-ifort;
};
intel2024-icx-c = hello-c.override { stdenv = final.intelPackages_2024.stdenv; };
intel2025-icx-c = hello-c.override { stdenv = final.intelPackages_2025.stdenv; };
intel2024-icx-cpp = hello-cpp.override { stdenv = final.intelPackages_2024.stdenv; };
intel2025-icx-cpp = hello-cpp.override { stdenv = final.intelPackages_2025.stdenv; };
# intel2023-sycl = hello-sycl.override { intelPackages = final.intelPackages_2023; }; # broken
intel2024-sycl = hello-sycl.override { intelPackages = final.intelPackages_2024; };
intel2025-sycl = hello-sycl.override { intelPackages = final.intelPackages_2025; };
clangOmpss2-lto = lto.override { stdenv = final.stdenvClangOmpss2Nanos6; };
clangOmpss2-asan = asan.override { stdenv = final.stdenvClangOmpss2Nanos6; };
clangOmpss2-task = callPackage ./test/compilers/ompss2.nix {
@@ -97,20 +110,12 @@ let
};
};
# For now, only build toplevel packages in CI/Hydra
pkgsTopLevel = filterAttrs (_: isDerivation) bscPkgs;
pkgs = filterAttrs (_: isDerivation) bscPkgs;
# Native build in that platform doesn't imply cross build works
canCrossCompile = platform: default: pkg:
(isDerivation pkg) &&
# If meta.cross is undefined, use default
(pkg.meta.cross or default) &&
(meta.availableOn final.pkgsCross.${platform}.stdenv.hostPlatform pkg);
# For now only RISC-V
crossSet = genAttrs [ "riscv64" ] (platform:
filterAttrs (_: canCrossCompile platform true)
final.pkgsCross.${platform}.bsc.pkgsTopLevel);
crossTargets = [ "riscv64" ];
cross = prev.lib.genAttrs crossTargets (target:
final.pkgsCross.${target}.bsc-ci.pkgs
);
buildList = name: paths:
final.runCommandLocal name { } ''
@@ -124,38 +129,22 @@ let
printf '%s\n' $deps >$out
'';
pkgsList = buildList "ci-pkgs" (builtins.attrValues pkgsTopLevel);
testsList = buildList "ci-tests" (collect isDerivation tests);
allList = buildList' "ci-all" [ pkgsList testsList ];
# For now only RISC-V
crossList = buildList "ci-cross"
(filter
(canCrossCompile "riscv64" false) # opt-in (pkgs with: meta.cross = true)
(builtins.attrValues crossSet.riscv64));
crossList = builtins.mapAttrs (t: v: buildList t (builtins.attrValues v)) cross;
pkgsList = buildList "ci-pkgs" (builtins.attrValues pkgs);
testList = buildList "ci-tests" (collect isDerivation tests);
all = buildList' "ci-all" [ pkgsList testList ];
in bscPkgs // {
lib = prev.lib // {
maintainers = prev.lib.maintainers // {
bsc = import ./pkgs/maintainers.nix;
};
};
# Prevent accidental usage of bsc-ci attribute
bsc-ci = throw "the bsc-ci attribute is deprecated, use bsc.ci";
# Prevent accidental usage of bsc attribute
bsc = throw "the bsc attribute is deprecated, packages are now in the root";
# Internal for our CI tests
bsc = {
# CI targets for nix build
ci = { pkgs = pkgsList; tests = testsList; all = allList; cross = crossList; };
# Direct access to package sets
tests = tests;
pkgs = bscPkgs;
pkgsTopLevel = pkgsTopLevel;
cross = crossSet;
# Hydra uses attribute sets of pkgs
hydraJobs = { tests = tests; pkgs = pkgsTopLevel; cross = crossSet; };
bsc-ci = {
inherit pkgs pkgsList;
inherit tests testList;
inherit cross crossList;
inherit all;
};
}

212
pkgs/agenix/agenix.sh
View File

@@ -1,212 +0,0 @@
#!/usr/bin/env bash
set -Eeuo pipefail
PACKAGE="agenix"
function show_help () {
echo "$PACKAGE - edit and rekey age secret files"
echo " "
echo "$PACKAGE -e FILE [-i PRIVATE_KEY]"
echo "$PACKAGE -r [-i PRIVATE_KEY]"
echo ' '
echo 'options:'
echo '-h, --help show help'
# shellcheck disable=SC2016
echo '-e, --edit FILE edits FILE using $EDITOR'
echo '-r, --rekey re-encrypts all secrets with specified recipients'
echo '-d, --decrypt FILE decrypts FILE to STDOUT'
echo '-i, --identity identity to use when decrypting'
echo '-v, --verbose verbose output'
echo ' '
echo 'FILE an age-encrypted file'
echo ' '
echo 'PRIVATE_KEY a path to a private SSH key used to decrypt file'
echo ' '
echo 'EDITOR environment variable of editor to use when editing FILE'
echo ' '
echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
echo ' '
echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
echo "Defaults to './secrets.nix'"
echo ' '
echo "agenix version: @version@"
echo "age binary path: @ageBin@"
echo "age version: $(@ageBin@ --version)"
}
function warn() {
printf '%s\n' "$*" >&2
}
function err() {
warn "$*"
exit 1
}
test $# -eq 0 && (show_help && exit 1)
REKEY=0
DECRYPT_ONLY=0
DEFAULT_DECRYPT=(--decrypt)
while test $# -gt 0; do
case "$1" in
-h|--help)
show_help
exit 0
;;
-e|--edit)
shift
if test $# -gt 0; then
export FILE=$1
else
echo "no FILE specified"
exit 1
fi
shift
;;
-i|--identity)
shift
if test $# -gt 0; then
DEFAULT_DECRYPT+=(--identity "$1")
else
echo "no PRIVATE_KEY specified"
exit 1
fi
shift
;;
-r|--rekey)
shift
REKEY=1
;;
-d|--decrypt)
shift
DECRYPT_ONLY=1
if test $# -gt 0; then
export FILE=$1
else
echo "no FILE specified"
exit 1
fi
shift
;;
-v|--verbose)
shift
set -x
;;
*)
show_help
exit 1
;;
esac
done
RULES=${RULES:-./secrets.nix}
function cleanup {
if [ -n "${CLEARTEXT_DIR+x}" ]
then
rm -rf -- "$CLEARTEXT_DIR"
fi
if [ -n "${REENCRYPTED_DIR+x}" ]
then
rm -rf -- "$REENCRYPTED_DIR"
fi
}
trap "cleanup" 0 2 3 15
function keys {
(@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$1\".publicKeys)" | @jqBin@ -r .[]) || exit 1
}
function armor {
(@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in (builtins.hasAttr \"armor\" rules.\"$1\" && rules.\"$1\".armor))") || exit 1
}
function decrypt {
FILE=$1
KEYS=$2
if [ -z "$KEYS" ]
then
err "There is no rule for $FILE in $RULES."
fi
if [ -f "$FILE" ]
then
DECRYPT=("${DEFAULT_DECRYPT[@]}")
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
if [ -f "$HOME/.ssh/id_rsa" ]; then
DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
fi
if [ -f "$HOME/.ssh/id_ed25519" ]; then
DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
fi
fi
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
err "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
fi
@ageBin@ "${DECRYPT[@]}" -- "$FILE" || exit 1
fi
}
function edit {
FILE=$1
KEYS=$(keys "$FILE") || exit 1
ARMOR=$(armor "$FILE") || exit 1
CLEARTEXT_DIR=$(@mktempBin@ -d)
CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename -- "$FILE")"
DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
decrypt "$FILE" "$KEYS" || exit 1
[ ! -f "$CLEARTEXT_FILE" ] || cp -- "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
[ -t 0 ] || EDITOR='cp -- /dev/stdin'
$EDITOR "$CLEARTEXT_FILE"
if [ ! -f "$CLEARTEXT_FILE" ]
then
warn "$FILE wasn't created."
return
fi
[ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q -- "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
ENCRYPT=()
if [[ "$ARMOR" == "true" ]]; then
ENCRYPT+=(--armor)
fi
while IFS= read -r key
do
if [ -n "$key" ]; then
ENCRYPT+=(--recipient "$key")
fi
done <<< "$KEYS"
REENCRYPTED_DIR=$(@mktempBin@ -d)
REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename -- "$FILE")"
ENCRYPT+=(-o "$REENCRYPTED_FILE")
@ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
mkdir -p -- "$(dirname -- "$FILE")"
mv -f -- "$REENCRYPTED_FILE" "$FILE"
}
function rekey {
FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)" | @jqBin@ -r .[]) || exit 1)
for FILE in $FILES
do
warn "rekeying $FILE..."
EDITOR=: edit "$FILE"
cleanup
done
}
[ $REKEY -eq 1 ] && rekey && exit 0
[ $DECRYPT_ONLY -eq 1 ] && DEFAULT_DECRYPT+=("-o" "-") && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
edit "$FILE" && cleanup && exit 0

66
pkgs/agenix/default.nix
View File

@@ -1,66 +0,0 @@
{
lib,
stdenv,
age,
jq,
nix,
mktemp,
diffutils,
replaceVars,
ageBin ? "${age}/bin/age",
shellcheck,
}:
let
bin = "${placeholder "out"}/bin/agenix";
in
stdenv.mkDerivation rec {
pname = "agenix";
version = "0.15.0";
src = replaceVars ./agenix.sh {
inherit ageBin version;
jqBin = "${jq}/bin/jq";
nixInstantiate = "${nix}/bin/nix-instantiate";
mktempBin = "${mktemp}/bin/mktemp";
diffBin = "${diffutils}/bin/diff";
};
dontUnpack = true;
doInstallCheck = true;
installCheckInputs = [ shellcheck ];
postInstallCheck = ''
shellcheck ${bin}
${bin} -h | grep ${version}
test_tmp=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
export HOME="$test_tmp/home"
export NIX_STORE_DIR="$test_tmp/nix/store"
export NIX_STATE_DIR="$test_tmp/nix/var"
mkdir -p "$HOME" "$NIX_STORE_DIR" "$NIX_STATE_DIR"
function cleanup {
rm -rf "$test_tmp"
}
trap "cleanup" 0 2 3 15
mkdir -p $HOME/.ssh
cp -r "${./example}" $HOME/secrets
chmod -R u+rw $HOME/secrets
(
umask u=rw,g=r,o=r
cp ${./example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub
chown $UID $HOME/.ssh/id_ed25519.pub
)
(
umask u=rw,g=,o=
cp ${./example_keys/user1} $HOME/.ssh/id_ed25519
chown $UID $HOME/.ssh/id_ed25519
)
cd $HOME/secrets
test $(${bin} -d secret1.age) = "hello"
'';
installPhase = ''
install -D $src ${bin}
'';
meta.description = "age-encrypted secrets for NixOS";
}

7
pkgs/agenix/example/-leading-hyphen-filename.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 V3XmEA zirqdzZZ1E+sedBn7fbEHq4ntLEkokZ4GctarBBOHXY
Rvs5YHaAUeCZyNwPedubPcHClWYIuXXWA5zadXPWY6w
-> ssh-ed25519 KLPP8w BVp4rDkOYSQyn8oVeHFeinSqW+pdVtxBF9+5VM1yORY
bMwppAi8Nhz0328taU4AzUkTVyWtSLvFZG6c5W/Fs78
--- xCbqLhXAcOziO2wmbjTiSQfZvt5Rlsc4SCvF+iEzpQA
<EFBFBD>KB<EFBFBD><EFBFBD>/<2F>Z<><5A>r<EFBFBD>%<01><>4<EFBFBD><34><EFBFBD>Mq5<71><35>_<EFBFBD><5F>ݒ<><DD92><EFBFBD><EFBFBD><EFBFBD>11 ܨqM;& <20><>Lr<4C><72><EFBFBD>f<EFBFBD><66><EFBFBD>]>N

7
pkgs/agenix/example/armored-secret.age
View File

@@ -1,7 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFYzWG1FQSBpZkZW
aFpLNnJxc0VUMHRmZ2dZS0pjMGVENnR3OHd5K0RiT1RjRUhibFZBCnN5UG5vUjA3
SXpsNGtiVUw4T0tIVFo5Wkk5QS9NQlBndzVvektiQ0ozc0kKLS0tIGxyY1Q4dEZ1
VGZEanJyTFNta2JNRmpZb2FnK2JyS1hSVml1UGdMNWZKQXMKYla+wTXcRedyZoEb
LVWaSx49WoUTU0KBPJg9RArxaeC23GoCDzR/aM/1DvYU
-----END AGE ENCRYPTED FILE-----

9
pkgs/agenix/example/passwordfile-user1.age
View File

@@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 KLPP8w s1DYZRlZuSsyhmZCF1lFB+E9vB8bZ/+ZhBRlx8nprwE
nmYVCsVBrX2CFXXPU+D+bbkkIe/foofp+xoUrg9DHZw
-> ssh-ed25519 V3XmEA Pwv3oCwcY0DX8rY48UNfsj9RumWsn4dbgorYHCwObgI
FKxRYkL3JHtJxUwymWDF0rAtJ33BivDI6IfPsfumM90
-> V'v(/u$-grease em/Vgf 2qDuk
7I3iiQLPGi1COML9u/JeYkr7EqbSLoU
--- 57WJRigUGtmcObrssS3s4PvmR8wgh1AOC/ijJn1s3xI
<EFBFBD>'K<>ƷY&<26>7G<37>O<EFBFBD><4F>Fj<13>k<EFBFBD>X<EFBFBD><58>BnuJ<75><4A>:9<>(<><7F><EFBFBD>X<EFBFBD>#<23>A<EFBFBD><41><EFBFBD><EFBFBD>ڧj<DAA7>,<02>_<17><><EFBFBD>?<3F>Z<EFBFBD><17>v<EFBFBD><76>V<EFBFBD>96]oks~%<25>c <04>e^C<>%JQ5<51><H<>z}<7D>C<EFBFBD>,<2C>p<EFBFBD><70>*!W<><57><EFBFBD>A<EFBFBD><41><EFBFBD>҅dC<15>K)<10><>-<2D>y

BIN
pkgs/agenix/example/secret1.age
View File

Binary file not shown.

5
pkgs/agenix/example/secret2.age
View File

@@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 V3XmEA OB4+1FbPhQ3r6iGksM7peWX5it8NClpXIq/o5nnP7GA
FmHVUj+A5i5+bDFgySQskmlvynnosJiWUTJmBRiNA9I
--- tP+3mFVtd7ogVu1Lkboh55zoi5a77Ht08Uc/QuIviv4
<EFBFBD><EFBFBD>X<EFBFBD>{<7B><>O<EFBFBD><4F><1F><04>tMXx<58>vӪ(<28>I<EFBFBD>myP<79><50><EFBFBD><EFBFBD>+3<>S3i

23
pkgs/agenix/example/secrets.nix
View File

@@ -1,23 +0,0 @@
let
user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
in
{
"secret1.age".publicKeys = [
user1
system1
];
"secret2.age".publicKeys = [ user1 ];
"passwordfile-user1.age".publicKeys = [
user1
system1
];
"-leading-hyphen-filename.age".publicKeys = [
user1
system1
];
"armored-secret.age" = {
publicKeys = [ user1 ];
armor = true;
};
}

7
pkgs/agenix/example_keys/system1
View File

@@ -1,7 +0,0 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxAAAAJA3yvCWN8rw
lgAAAAtzc2gtZWQyNTUxOQAAACDyQ8iK/xUs9XCXXKFuvUfja1s8Biv/t4Caag9bfC9sxA
AAAEA+J2V6AG1NriAIvnNKRauIEh1JE9HSdhvKJ68a5Fm0w/JDyIr/FSz1cJdcoW69R+Nr
WzwGK/+3gJpqD1t8L2zEAAAADHJ5YW50bUBob21lMQE=
-----END OPENSSH PRIVATE KEY-----

1
pkgs/agenix/example_keys/system1.pub
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE

7
pkgs/agenix/example_keys/user1
View File

@@ -1,7 +0,0 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRwAAAJC2JJ8htiSf
IQAAAAtzc2gtZWQyNTUxOQAAACC9InTb4BornFoLqf5j+/M8gtt7hY2KtHr3FnYxkFGgRw
AAAEDxt5gC/s53IxiKAjfZJVCCcFIsdeERdIgbYhLO719+Kb0idNvgGiucWgup/mP78zyC
23uFjYq0evcWdjGQUaBHAAAADHJ5YW50bUBob21lMQE=
-----END OPENSSH PRIVATE KEY-----

1
pkgs/agenix/example_keys/user1.pub
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH

23
pkgs/agenix/update.sh
View File

@@ -1,23 +0,0 @@
#!/bin/sh
set -e
# All operations are done relative to root
GITROOT=$(git rev-parse --show-toplevel)
cd "$GITROOT"
REVISION=${1:-main}
TMPCLONE=$(mktemp -d)
trap "rm -rf ${TMPCLONE}" EXIT
git clone https://github.com/ryantm/agenix.git --revision="$REVISION" "$TMPCLONE" --depth=1
cp "${TMPCLONE}/pkgs/agenix.sh" pkgs/agenix/agenix.sh
cp "${TMPCLONE}/pkgs/agenix.nix" pkgs/agenix/default.nix
sed -i 's#../example#./example#' pkgs/agenix/default.nix
cp "${TMPCLONE}/example/"* pkgs/agenix/example/
cp "${TMPCLONE}/example_keys/"* pkgs/agenix/example_keys/
cp "${TMPCLONE}/modules/age.nix" m/module/agenix.nix

41
pkgs/amd-uprof/default.nix
View File

@@ -1,6 +1,8 @@
{ stdenv
, lib
, fetchurl
, curl
, cacert
, runCommandLocal
, autoPatchelfHook
, elfutils
, glib
@@ -24,22 +26,26 @@ let
tarball = "AMDuProf_Linux_x64_${version}.tar.bz2";
# NOTE: Remember to update the radare2 patch below if AMDuProfPcm changes.
src = fetchurl {
url = "https://download.amd.com/developer/eula/uprof/uprof-5-1/${tarball}";
sha256 = "sha256-j9gxcBcIg6Zhc5FglUXf/VV9bKSo+PAKeootbN7ggYk=";
curlOptsList = [
"-H" "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0"
"-H" "'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'"
"-H" "Accept-Language: en-US,en;q=0.5"
"-H" "Accept-Encoding: gzip, deflate, br, zstd"
"-H" "Referer: https://www.amd.com/"
];
};
uprofSrc = runCommandLocal tarball {
nativeBuildInputs = [ curl ];
outputHash = "sha256-j9gxcBcIg6Zhc5FglUXf/VV9bKSo+PAKeootbN7ggYk=";
SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt";
} ''
curl \
-o $out \
'https://download.amd.com/developer/eula/uprof/uprof-5-1/${tarball}' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Accept-Encoding: gzip, deflate, br, zstd' \
-H 'Referer: https://www.amd.com/' 2>&1 | tr '\r' '\n'
'';
in
stdenv.mkDerivation {
pname = "AMD-uProf";
inherit src version;
inherit version;
src = uprofSrc;
dontStrip = true;
phases = [ "installPhase" "fixupPhase" ];
nativeBuildInputs = [ autoPatchelfHook radare2 ];
@@ -80,13 +86,4 @@ in
patchelf --add-needed libnuma.so $out/bin/AMDuProfPcm
set +x
'';
meta = {
description = "Performance analysis tool-suite for x86 based applications";
homepage = "https://www.amd.com/es/developer/uprof.html";
platforms = [ "x86_64-linux" ];
license = lib.licenses.unfree;
maintainers = with lib.maintainers.bsc; [ rarias varcila ];
};
}

4
pkgs/amd-uprof/driver.nix
View File

@@ -19,7 +19,7 @@ in stdenv.mkDerivation {
'';
hardeningDisable = [ "pic" "format" ];
nativeBuildInputs = kernel.moduleBuildDependencies;
patches = [ ./makefile.patch ./hrtimer.patch ./remove-wr-rdmsrq.patch ];
patches = [ ./makefile.patch ./hrtimer.patch ];
makeFlags = [
"KERNEL_VERSION=${kernel.modDirVersion}"
"KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
@@ -29,7 +29,5 @@ in stdenv.mkDerivation {
description = "AMD Power Profiler Driver";
homepage = "https://www.amd.com/es/developer/uprof.html";
platforms = lib.platforms.linux;
license = lib.licenses.unfree;
maintainers = with lib.maintainers.bsc; [ rarias varcila ];
};
}

20
pkgs/amd-uprof/remove-wr-rdmsrq.patch
View File

@@ -1,20 +0,0 @@
diff --git a/inc/PwrProfAsm.h b/inc/PwrProfAsm.h
index d77770a..c93a0e9 100644
--- a/inc/PwrProfAsm.h
+++ b/inc/PwrProfAsm.h
@@ -347,6 +347,7 @@
#endif
+/*
#define rdmsrq(msr,val1,val2,val3,val4) ({ \
__asm__ __volatile__( \
"rdmsr\n" \
@@ -362,6 +363,7 @@
:"c"(msr), "a"(val1), "d"(val2), "S"(val3), "D"(val4) \
); \
})
+*/
#define rdmsrpw(msr,val1,val2,val3,val4) ({ \
__asm__ __volatile__( \

9
pkgs/bench6/default.nix
View File

@@ -1,6 +1,5 @@
{
stdenv
, lib
, bigotes
, cmake
, clangOmpss2
@@ -59,12 +58,4 @@ stdenv.mkDerivation rec {
];
hardeningDisable = [ "all" ];
dontStrip = true;
meta = {
homepage = "https://gitlab.pm.bsc.es/rarias/bench6";
description = "Set of micro-benchmarks for OmpSs-2 and several mini-apps";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
};
}

9
pkgs/bigotes/default.nix
View File

@@ -1,6 +1,5 @@
{
stdenv
, lib
, fetchFromGitHub
, cmake
}:
@@ -15,12 +14,4 @@ stdenv.mkDerivation {
sha256 = "sha256-ktxM3pXiL8YXSK+/IKWYadijhYXqGoLY6adLk36iigE=";
};
nativeBuildInputs = [ cmake ];
meta = {
homepage = "https://github.com/rodarima/bigotes";
description = "Versatile benchmark tool";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
};
}

8
pkgs/cudainfo/default.nix
View File

@@ -1,6 +1,5 @@
{
stdenv
, lib
, cudatoolkit
, cudaPackages
, autoAddDriverRunpath
@@ -12,7 +11,7 @@ stdenv.mkDerivation (finalAttrs: {
src = ./.;
buildInputs = [
cudatoolkit # Required for nvcc
(lib.getOutput "static" cudaPackages.cuda_cudart) # Required for -lcudart_static
cudaPackages.cuda_cudart.static # Required for -lcudart_static
autoAddDriverRunpath
];
installPhase = ''
@@ -41,9 +40,4 @@ stdenv.mkDerivation (finalAttrs: {
'';
installPhase = "touch $out";
};
meta = {
platforms = [ "x86_64-linux" ];
maintainers = with lib.maintainers.bsc; [ rarias ];
};
})

12
pkgs/extrae/default.nix
View File

@@ -20,7 +20,6 @@
#, python3Packages
, installShellFiles
, symlinkJoin
, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
}:
let
@@ -88,7 +87,7 @@ stdenv.mkDerivation rec {
--enable-sampling
--with-unwind=${libunwind.dev}
--with-xml-prefix=${libxml2.dev}
${lib.optionalString enablePapi "--with-papi=${papi}"}
--with-papi=${papi}
${if (mpi != null) then ''--with-mpi=${mpi}''
else ''--without-mpi''}
--without-dyninst)
@@ -111,13 +110,4 @@ stdenv.mkDerivation rec {
# then [ "--enable-openmp" ]
# else []
# );
meta = {
homepage = "https://github.com/bsc-performance-tools/extrae";
description = "Instrumentation framework to generate execution traces of the most used parallel runtimes";
maintainers = [ ];
broken = true;
platforms = lib.platforms.linux;
license = lib.licenses.lgpl21Plus;
};
}

26
pkgs/gpi-2/default.nix
View File

@@ -1,6 +1,5 @@
{
stdenv
, lib
, fetchurl
, symlinkJoin
, slurm
@@ -9,6 +8,7 @@
, automake
, libtool
, mpi
, rsync
, gfortran
}:
@@ -43,33 +43,13 @@ stdenv.mkDerivation rec {
configureFlags = [
"--with-infiniband=${rdma-core-all}"
"--with-mpi=yes" # fixes mpi detection when cross-compiling
"--with-mpi=${mpiAll}"
"--with-slurm"
"CFLAGS=-fPIC"
"CXXFLAGS=-fPIC"
];
nativeBuildInputs = [
autoconf
automake
gfortran
libtool
];
buildInputs = [
slurm
mpiAll
rdma-core-all
];
buildInputs = [ slurm mpiAll rdma-core-all autoconf automake libtool rsync gfortran ];
hardeningDisable = [ "all" ];
meta = {
homepage = "https://pm.bsc.es/gitlab/interoperability/extern/GPI-2";
description = "GPI-2 extended for supporting Task-Aware GASPI (TAGASPI) library";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
cross = false; # infiniband detection does not work
};
}

9
pkgs/intel-compiler/icc2020.nix
View File

@@ -1,5 +1,4 @@
{ stdenv
, lib
, fetchurl
, rpmextract
, autoPatchelfHook
@@ -60,12 +59,4 @@ stdenv.mkDerivation rec {
rm $out/lib/*.dbg
popd
'';
meta = {
homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
description = "Intel compiler";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.unfree;
};
}

8
pkgs/intel-compiler/icc2021.nix
View File

@@ -145,12 +145,4 @@ in
popd
'';
meta = {
homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
description = "Intel compiler";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.unfree;
};
}

9
pkgs/intel-mpi/default.nix
View File

@@ -1,5 +1,4 @@
{ stdenv
, lib
, rpmextract
, gcc
, zlib
@@ -102,12 +101,4 @@ stdenv.mkDerivation rec {
patchelf --set-rpath "$out/lib:${rdma-core}/lib:${libpsm2}/lib" $out/lib/libfabric.so
echo "Patched RPATH in libfabric.so to: $(patchelf --print-rpath $out/lib/libfabric.so)"
'';
meta = {
homepage = "https://www.intel.com/content/www/us/en/developer/tools/overview.html";
description = "Intel MPI";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.unfree;
};
}

74
pkgs/intel-oneapi/2023.nix
View File

@@ -10,7 +10,7 @@
, zlib
, autoPatchelfHook
, libfabric
, gcc
, gcc13
, wrapCCWith
}:
@@ -26,12 +26,7 @@
let
meta = {
description = "Intel oneapi hpckit package component";
homepage = "https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html";
license = lib.licenses.unfree;
maintainers = with lib.maintainers.bsc; [ abonerib ];
};
gcc = gcc13;
v = {
hpckit = "2023.1.0";
@@ -40,45 +35,19 @@ let
mpi = "2021.9.0";
};
aptPackageIndex = stdenv.mkDerivation {
name = "intel-oneapi-packages";
srcs = [
# Run update.sh to update the package lists
./amd64-packages ./all-packages
];
phases = [ "installPhase" ];
installPhase = ''
awk -F': ' '\
BEGIN { print "[ {" } \
NR>1 && /^Package: / { print "} {"; } \
/: / { printf "%s = \"%s\";\n", $1, $2 } \
END { print "} ]" }' $srcs > $out
'';
};
aptPackages = import aptPackageIndex;
apthost = "https://apt.repos.intel.com/oneapi/";
getSum = pkgList: name:
findMatch = name:
let
matches = lib.filter (x: name == x.Package) pkgList;
#n = lib.length matches;
#match = builtins.trace (name + " -- ${builtins.toString n}") (lib.elemAt matches 0);
match = lib.elemAt matches 0;
in
match.SHA256;
getUrl = pkgList: name:
let
matches = lib.filter (x: name == x.Package) pkgList;
#match = assert lib.length matches == 1; lib.elemAt matches 0;
aptPackages = builtins.fromJSON (builtins.readFile ./packages.json);
matches = lib.filter (x: name == x.pname) aptPackages;
n = lib.length matches;
match =
#builtins.trace (name + " -- n=${builtins.toString n}")
(lib.elemAt matches 0);
match = builtins.traceVerbose (name + " -- ${builtins.toString n}") (builtins.head matches);
apthost = "https://apt.repos.intel.com/oneapi/";
in
apthost + match.Filename;
{
url = apthost + match.filename;
sha256 = match.sha256;
};
uncompressDebs = debs: name: stdenv.mkDerivation {
name = name;
@@ -92,16 +61,11 @@ let
dpkg -x $src $out
done
'';
inherit meta;
};
joinDebs = name: names:
let
urls = builtins.map (x: getUrl aptPackages x) names;
sums = builtins.map (x: getSum aptPackages x) names;
getsrc = url: sha256: builtins.fetchurl { inherit url sha256; };
debs = lib.zipListsWith getsrc urls sums;
debs = builtins.map (x: builtins.fetchurl (findMatch x)) names;
in
uncompressDebs debs "${name}-source";
@@ -152,8 +116,6 @@ let
sed -i "s:I_MPI_SUBSTITUTE_INSTALLDIR:$out:g" "$i"
done
'';
inherit meta;
};
intel-tbb = stdenv.mkDerivation rec {
@@ -192,8 +154,6 @@ let
rsync -a lib/intel64/gcc4.8/ $out/lib/
popd
'';
inherit meta;
};
intel-compiler-shared = stdenv.mkDerivation rec {
@@ -251,8 +211,6 @@ let
popd
popd
'';
inherit meta;
};
@@ -318,8 +276,6 @@ let
ln -s $out/lib $out/lib_lin
popd
'';
inherit meta;
};
intel-compiler = stdenv.mkDerivation rec {
@@ -407,8 +363,6 @@ let
rsync -a documentation/en/man/common/ $out/share/man/
popd
'';
inherit meta;
};
wrapIntel = { cc, mygcc, extraBuild ? "", extraInstall ? "" }:
@@ -470,7 +424,7 @@ let
'';
};
ifort-wrapper = wrapIntel rec {
ifort-wrapper = wrapIntel {
cc = intel-compiler-fortran;
mygcc = gcc;
extraBuild = ''

8769
pkgs/intel-oneapi/all-packages
View File

File diff suppressed because it is too large Load Diff

34075
pkgs/intel-oneapi/amd64-packages
View File

File diff suppressed because it is too large Load Diff

1
pkgs/intel-oneapi/packages.json Normal file
View File

File diff suppressed because one or more lines are too long

205
pkgs/intel-oneapi/packages.nix Normal file
View File

@@ -0,0 +1,205 @@
{ lib
, stdenv
, callPackage
, dpkg
, fetchurl
, recurseIntoAttrs
, sqlite
, elfutils
}:
let
inherit (builtins)
elem attrNames attrValues concatMap filter fromJSON getAttr groupBy head isNull listToAttrs map mapAttrs readFile replaceStrings splitVersion ;
inherit (lib)
converge findFirst groupBy' hasPrefix optional pipe take toInt toList versionAtLeast versionOlder ;
aptData = fromJSON (readFile ./packages.json);
# Compare versions in debian control file syntax
# See: https://www.debian.org/doc/debian-policy/ch-relationships.html#syntax-of-relationship-fields
#
# NOTE: this is not a proper version comparison
#
# A proper version solver, should aggregate dependencies with the same name
# and compute the constraint (e.g. a (>= 2) a (<< 5) -> 2 <= a << 5)
#
# But in the intel repo, there are no such "duplicated" dependencies to specify
# upper limits, which leads to issues when intel-hpckit-2021 depends on things
# like intel-basekit >= 2021.1.0-2403 and we end up installing the newest
# basekit instead of the one from 2021.
#
# To mitigate this, >= is set to take the latest version with matching major
# and minor (only revision and patch are allowed to change)
compareVersions = got: kind: want:
let
g0 = take 2 (splitVersion got);
w0 = take 2 (splitVersion want);
in if isNull want then true
else if kind == "=" then got == want
else if kind == "<<" then versionOlder got want
else if kind == "<=" then versionAtLeast want got
else if kind == ">>" then versionOlder want got
else if kind == ">=" then (g0 == w0) && versionAtLeast got want # always match major version
else throw "unknown operation: ${kind}";
findMatching = { pname, kind, version }:
findFirst (x: pname == x.pname && compareVersions x.version kind version) null aptData;
isIntel = pkg: (hasPrefix "intel-" pkg.pname);
expandDeps = pkg: (map findMatching (filter isIntel pkg.dependencies)) ++ (optional (pkg.size != 0) pkg);
# get the oldest by major version. If they have the same major version, take
# the newest. This prevents most issues with resolutions
# versionOlder b a -> true if b is older than a (b `older` a)
getNewerInMajor = a: b: let
va = a.version;
vb = b.version;
va0 = head (splitVersion va);
vb0 = head (splitVersion vb);
in
if isNull a then b
else if va0 != vb0 then
if va0 > vb0 then b else a
else if versionOlder vb va then a else b;
removeDups = l: attrValues (groupBy' getNewerInMajor null (getAttr "provides") l);
_resolveDeps = converge (l: removeDups (concatMap expandDeps l));
resolveDeps = pkg: let deps = _resolveDeps (toList pkg);
namedDeps = (map (x: "${x.pname}-${x.version}") deps);
in builtins.traceVerbose (builtins.deepSeq namedDeps namedDeps) deps;
blacklist = [
"intel-basekit-env"
"intel-basekit-getting-started"
"intel-hpckit-env"
"intel-hpckit-getting-started"
"intel-oneapi-advisor"
"intel-oneapi-common-licensing"
"intel-oneapi-common-oneapi-vars"
"intel-oneapi-common-vars"
"intel-oneapi-compiler-cpp-eclipse-cfg"
"intel-oneapi-compiler-dpcpp-eclipse-cfg"
"intel-oneapi-condaindex"
"intel-oneapi-dev-utilities-eclipse-cfg"
"intel-oneapi-dpcpp-ct-eclipse-cfg"
"intel-oneapi-eclipse-ide"
"intel-oneapi-hpc-toolkit-getting-started"
"intel-oneapi-icc-eclipse-plugin-cpp"
"intel-oneapi-vtune"
"intel-oneapi-vtune-eclipse-plugin-vtune"
];
isInBlacklist = pkg: elem pkg.provides blacklist;
removeBlacklist = filter (e: !(isInBlacklist e));
dpkgExtractAll = pname: version: {srcs, deps}: stdenv.mkDerivation {
inherit pname version srcs;
nativeBuildInputs = [ dpkg ];
phases = [ "installPhase" ];
passthru = { inherit deps; };
installPhase = ''
mkdir -p $out
for src in $srcs; do
echo "Unpacking $src"
dpkg -x $src $out
done
'';
};
apthost = "https://apt.repos.intel.com/oneapi/";
fetchDeb = p: fetchurl { url = apthost + p.filename; inherit (p) sha256; };
buildIntel = pkg: pipe pkg [
resolveDeps
removeBlacklist
(l: {srcs = map fetchDeb l; deps = l; })
(dpkgExtractAll "${pkg.provides}-extracted" pkg.version)
];
findHpcKit = year: findMatching { pname = "intel-hpckit"; kind = "<<"; version = toString (year+1); };
years = map toInt (attrNames components);
patchIntel = callPackage ./patch_intel.nix { };
# Version information for each hpckit. This is used to normalize the paths
# so that files are in $out/{bin,lib,include...} instead of all over the place
# in $out/opt/intel/oneapi/*/*/{...}.
#
# The most important is the compiler component, which is used to build the
# stdenv for the hpckit.
#
# NOTE: this have to be manually specified, so we can avoid IFD. To add a
# new version, add a new field with an empty attrset, (e.g. "2026" = {}; ),
# build hpckit_2026.unpatched and use the values from
# result/opt/intel/oneapi/* to populate the attrset.
#
# WARN: if there are more than one version in the folders of the unpatched
# components, our dependency resolution hacks have probably failed and the
# package set may be broken.
components = {
"2025" = {
ishmem = "1.4";
pti = "0.13";
tcm = "1.4";
umf = "0.11";
ccl = "2021.16";
compiler = "2025.2";
dal = "2025.8";
debugger = "2025.2";
dev-utilities = "2025.2";
dnnl = "2025.2";
dpcpp-ct = "2025.2";
dpl = "2022.9";
ipp = "2022.2";
ippcp = "2025.2";
mkl = "2025.2";
mpi = "2021.16";
tbb = "2022.2";
};
"2024" = {
tcm = "1.1";
ccl = "2021.13";
compiler = "2024.2";
dal = "2024.6";
debugger = "2024.2";
dev-utilities = "2024.2";
diagnostics = "2024.2";
dnnl = "2024.2";
dpcpp-ct = "2024.2";
dpl = "2022.6";
ipp = "2021.12";
ippcp = "2021.12";
mkl = "2024.2";
mpi = "2021.13";
tbb = "2021.13";
extraPackages = [
sqlite
elfutils
];
};
};
replaceDots = replaceStrings ["."] ["_"];
in recurseIntoAttrs (listToAttrs (map (year: let
year_str = toString year;
in {
name = "hpckit_${year_str}";
value = patchIntel {unpatched = buildIntel (findHpcKit year); components = components.${year_str}; };
}) years)) // {
apt = pipe aptData [
(groupBy (p: replaceDots p.provides))
(mapAttrs (_: l: listToAttrs (map (pkg: { name = replaceDots ("v" + pkg.version); value = pkg; }) l)))
] ;
inherit resolveDeps patchIntel buildIntel;
}

179
pkgs/intel-oneapi/patch_intel.nix Normal file
View File

@@ -0,0 +1,179 @@
{ stdenvNoCC
, lib
, symlinkJoin
, autoPatchelfHook
, wrapCCWith
, overrideCC
, gcc13
, gcc13Stdenv
, hwloc
, libelf
, libffi_3_3
, libpsm2
, libuuid
, libxml2
, numactl
, ocl-icd
, openssl
, python3
, rdma-core
, ucx
, zlib
, makeOverridable
, recurseIntoAttrs
}:
makeOverridable (
{
unpatched,
components ? { },
extraPackages ? components.extraPackages or []
}:
let
inherit (builtins) attrValues filter mapAttrs removeAttrs;
gcc = gcc13;
stdenv = gcc13Stdenv;
__components = removeAttrs components ["extraPackages"];
_components = __components;
# _components = lib.traceSeqN 2 {
# inherit unpatched __components;
# deps = builtins.map (x: "${x.pname}-${x.version}") unpatched.deps;
# } __components;
wrapIntel = { cc, extraBuildCommands ? "", extraInstall ? "", ... }@args:
let
targetConfig = stdenv.targetPlatform.config;
in (wrapCCWith {
inherit cc;
extraBuildCommands = ''
echo "-L${gcc.cc}/lib/gcc/${targetConfig}/${gcc.version}" >> $out/nix-support/cc-ldflags
echo "-L${gcc.cc.lib}/lib" >> $out/nix-support/cc-ldflags
echo "-L${cc}/lib" >> $out/nix-support/cc-ldflags
# echo "--gcc-toolchain=${gcc.cc}" >> $out/nix-support/libcxx-cxxflags
echo "--gcc-toolchain=${gcc.cc}" >> $out/nix-support/cc-cflags
# For some reason, If we don't resolve the realpath things go wrong
for stddef in ${cc}/lib/clang/*/include/stddef.h ; do
dir=$(dirname $(realpath "$stddef"))
echo "-isystem $dir" >> $out/nix-support/cc-cflags
done
echo "-isystem ${cc}/include" >> $out/nix-support/cc-cflags
echo "-isystem ${cc}/include/intel64" >> $out/nix-support/cc-cflags
for dir in ${gcc.cc}/lib/gcc/${targetConfig}/*/include; do
echo "-isystem $dir" >> $out/nix-support/cc-cflags
done
for dir in ${gcc.cc}/include/c++/*; do
echo "-isystem $dir" >> $out/nix-support/libcxx-cxxflags
done
for dir in ${gcc.cc}/include/c++/*/${targetConfig}; do
echo "-isystem $dir" >> $out/nix-support/libcxx-cxxflags
done
# FIXME: We should find a better way to modify the PATH instead of using
# this ugly hack. See https://jungle.bsc.es/git/rarias/bscpkgs/issues/9
echo 'path_backup="${gcc.cc}/bin:$path_backup"' >> $out/nix-support/cc-wrapper-hook
# Disable hardening by default
echo "" > $out/nix-support/add-hardening.sh
'' + extraBuildCommands;
} // (removeAttrs args ["cc" "extraBuildCommands" "extraInstall"])
).overrideAttrs (old: {
installPhase = old.installPhase + extraInstall;
});
in
stdenvNoCC.mkDerivation (finalAttrs: {
pname = lib.removeSuffix "-extracted" unpatched.pname;
inherit (unpatched) version;
src = unpatched;
phases = [ "installPhase" "fixupPhase" ];
buildInputs = [
libffi_3_3
libelf
libxml2
hwloc
numactl
libuuid
libpsm2
zlib
ocl-icd
rdma-core
ucx
openssl
python3
stdenv.cc.cc.lib
] ++ extraPackages;
autoPatchelfIgnoreMissingDeps = [ "libhwloc.so.5" "libcuda.so.1" "libze_loader.so.1" ];
# There are broken symlinks that go outside packages, ignore them
dontCheckForBrokenSymlinks = true;
nativeBuildInputs = [ autoPatchelfHook ];
installPhase = ''
cp -r $src/opt/intel/oneapi/ $out
'';
passthru = let
pkgs = mapAttrs
(folder: version: symlinkJoin {
pname = "intel-${folder}";
inherit version;
paths = ["${finalAttrs.finalPackage}/${folder}/${version}"];
})
_components;
in pkgs // {
inherit unpatched;
pkgs = recurseIntoAttrs pkgs;
components = _components;
# This contains all packages properly symlinked into toplevel directories
# in $out.
#
# NOTE: there are clashes with packages that have symlinks outside their
# scope (libtcm and env/vars.sh)
all = symlinkJoin {
pname = finalAttrs.finalPackage + "-symlinked";
inherit (finalAttrs.finalPackage) version;
paths = filter lib.isDerivation (attrValues finalAttrs.finalPackage.pkgs);
};
stdenv = overrideCC stdenv finalAttrs.finalPackage.cc;
cc = wrapIntel {
cc = finalAttrs.finalPackage.pkgs.compiler;
extraBuildCommands = ''
wrap icx $wrapper $ccPath/icx
wrap icpx $wrapper $ccPath/icpx
wrap ifx $wrapper $ccPath/ifx
ln -s $out/bin/icpx $out/bin/c++
ln -s $out/bin/icx $out/bin/cc
# Use this to detect when a compiler subprocess is called
# from icpx (--fsycl-host-compiler)
echo 'export "NIX_CC_WRAPPER_INTEL=1"' >> $out/nix-support/cc-wrapper-hook
sed -i 's/.*isCxx=0/isCxx=1/' $out/bin/icpx
# oneMath looks for sycl libraries in bin/../lib
ln -s ${finalAttrs.finalPackage.pkgs.compiler}/lib $out/lib
ln -s ${finalAttrs.finalPackage.pkgs.compiler}/include $out/include
'';
extraInstall = ''
export named_cc="icx"
export named_cxx="icpx"
export named_fc="ifx"
'';
};
};
}))

29
pkgs/intel-oneapi/process.jq Executable file
View File

@@ -0,0 +1,29 @@
#!/usr/bin/env -S jq -f
def extract_fields: {
pname : .Package,
version : .Version,
provides : .Package | sub("[0-9.-]*$"; ""),
filename : .Filename,
size : ."Installed-Size" | tonumber,
sha256 : .SHA256,
dependencies : .Depends,
} ;
# parses dependencies into a list of [{.pname, .kind, .version}]
# some dependencies do not have a version specified, in which case, kind = version = null
#
# example dependencies:
# intel-oneapi-common-vars (>= 2023.0.0-25325), intel-oneapi-common-licensing-2023.0.0
def split_dependencies : map(try(.dependencies |= split(",\\s?"; "")) // .dependencies |= []) ;
def match_version : capture("(?<pname>[a-zA-Z0-9_\\-.]*) *(\\((?<kind>[<>=]*) *(?<version>.*)\\))?"; "") ;
def parse_dependencies : map_values(.dependencies.[] |= match_version) ;
def sort_version_decreasing : sort_by(.version | split("[-.]"; "") | map(tonumber)) | reverse ;
map(extract_fields) | split_dependencies | parse_dependencies | sort_version_decreasing
# [.[] | select(.pname == "intel-hpckit") | .version]

29
pkgs/intel-oneapi/toJson.awk Executable file
View File

@@ -0,0 +1,29 @@
#!/usr/bin/env -S awk -f
BEGIN {
FS=": "
prev_empty=1
t=" "
print "[ {"
}
!NF { # empty line, update separator so next non empty line closes the dict
prev_empty=1
t="},\n{ "
next # skip line (we won't match anything else)
}
{
printf t "\"%s\" : \"%s\"\n", $1, $2
if (prev_empty) {
# we were the first after a group of empty lines, following ones have to
# have a comma
prev_empty=0
t=", "
}
}
END { print "} ]" }

11
pkgs/intel-oneapi/update.sh
View File

@@ -1,4 +1,11 @@
#!/bin/sh
curl https://apt.repos.intel.com/oneapi/dists/all/main/binary-amd64/Packages -o amd64-packages
curl https://apt.repos.intel.com/oneapi/dists/all/main/binary-all/Packages -o all-packages
out_64=$(mktemp intel-api.64.XXXXXX)
out_all=$(mktemp intel-api.all.XXXXXX)
trap 'rm -f "$out_64" "$out_all"' EXIT INT HUP
curl https://apt.repos.intel.com/oneapi/dists/all/main/binary-amd64/Packages -o "$out_64"
curl https://apt.repos.intel.com/oneapi/dists/all/main/binary-all/Packages -o "$out_all"
# NOTE: we use `jq -r tostring` to minify the json (3.2Mb -> 2.3Mb)
cat "$out_64" "$out_all" | ./toJson.awk | ./process.jq | jq -r tostring >packages.json

14
pkgs/llvm-ompss2/clang.nix
View File

@@ -16,19 +16,19 @@
, useGit ? false
, gitUrl ? "ssh://git@bscpm04.bsc.es/llvm-ompss/llvm-mono.git"
, gitBranch ? "master"
, gitCommit ? "872ba63f86edaefc9787984ef3fae9f2f94e0124" # github-release-2025.11
, gitCommit ? "880e2341c56bad1dc14e8c369fb3356bec19018e"
}:
let
stdenv = llvmPackages_latest.stdenv;
release = rec {
version = "2025.11";
version = "2025.06";
src = fetchFromGitHub {
owner = "bsc-pm";
repo = "llvm";
rev = "refs/tags/github-release-${version}";
hash = "sha256-UgwMTUkM9Z87dDH205swZFBeFhrcbLAxginViG40pBM=";
hash = "sha256-ww9PpRmtz/M9IyLiZ8rAehx2UW4VpQt+svf4XfKBzKo=";
};
};
@@ -126,12 +126,4 @@ in stdenv.mkDerivation {
# nanos6 installation, but this is would require a recompilation of clang each
# time nanos6 is changed. Better to use the environment variable NANOS6_HOME,
# and specify nanos6 at run time.
meta = {
homepage = "https://gitlab.pm.bsc.es/llvm-ompss/llvm-mono";
description = "C language family frontend for LLVM (for OmpSs-2)";
maintainers = with lib.maintainers.bsc; [ rpenacob ];
platforms = lib.platforms.linux;
license = [ lib.licenses.asl20 lib.licenses.llvm-exception ];
};
}

67
pkgs/llvm-ompss2/default.nix
View File

@@ -2,7 +2,9 @@
stdenv
, lib
, gcc
, gcc13
, clangOmpss2Unwrapped
, writeShellScript
, openmp ? null
, wrapCCWith
, llvmPackages_latest
@@ -27,20 +29,17 @@ let
# We need to replace the lld linker from bintools with our linker just built,
# otherwise we run into incompatibility issues when mixing compiler and linker
# versions.
bintools-unwrapped = llvmPackages_latest.bintools-unwrapped.override {
bintools-unwrapped = llvmPackages_latest.tools.bintools-unwrapped.override {
lld = clangOmpss2Unwrapped;
};
bintools = llvmPackages_latest.bintools.override {
bintools = llvmPackages_latest.tools.bintools.override {
bintools = bintools-unwrapped;
};
targetConfig = stdenv.targetPlatform.config;
inherit gcc;
cc = clangOmpss2Unwrapped;
gccVersion = with versions; let v = gcc.version; in concatStringsSep "." [(major v) (minor v) (patch v)];
in wrapCCWith {
inherit cc bintools;
# extraPackages adds packages to depsTargetTargetPropagated
extraPackages = optional (openmp != null) openmp;
extraBuildCommands = ''
echo "-target ${targetConfig}" >> $out/nix-support/cc-cflags
echo "-B${gcc.cc}/lib/gcc/${targetConfig}/${gccVersion}" >> $out/nix-support/cc-cflags
@@ -57,14 +56,52 @@ in wrapCCWith {
echo "--gcc-toolchain=${gcc}" >> $out/nix-support/cc-cflags
wrap clang++ $wrapper $ccPath/clang++
'' + optionalString (openmp != null) ''
echo "export OPENMP_RUNTIME=${ompname}" >> $out/nix-support/cc-wrapper-hook
'' + optionalString (ompss2rt != null) ''
echo "export OMPSS2_RUNTIME=${rtname}" >> $out/nix-support/cc-wrapper-hook
echo "export ${homevar}=${ompss2rt}" >> $out/nix-support/cc-wrapper-hook
'' + optionalString (ompss2rt != null && ompss2rt.pname == "nodes") ''
echo "export NOSV_HOME=${ompss2rt.nosv}" >> $out/nix-support/cc-wrapper-hook
'';
}
envExports = lib.optionalString (openmp != null) ''
echo "export OPENMP_RUNTIME=${ompname}" >> $out/nix-support/cc-wrapper-hook
'' + optionalString (ompss2rt != null) ''
echo "export OMPSS2_RUNTIME=${rtname}" >> $out/nix-support/cc-wrapper-hook
echo "export ${homevar}=${ompss2rt}" >> $out/nix-support/cc-wrapper-hook
'' + optionalString (ompss2rt != null && ompss2rt.pname == "nodes") ''
echo "export NOSV_HOME=${ompss2rt.nosv}" >> $out/nix-support/cc-wrapper-hook
'';
extraPackages = optional (openmp != null) openmp;
wrappedCC = wrapCCWith {
# extraPackages adds packages to depsTargetTargetPropagated
inherit cc bintools extraPackages;
extraBuildCommands = extraBuildCommands + envExports;
};
resetIntelCCFlags = let tconf = builtins.replaceStrings ["-"] ["_"] targetConfig;
in writeShellScript "remove-intel.sh" ''
if [ "''${NIX_CC_WRAPPER_INTEL:-0}" = 1 ]; then
unset NIX_CFLAGS_COMPILE_${tconf}
unset NIX_CC_WRAPPER_FLAGS_SET_${tconf}
if (( "''${NIX_DEBUG:-0}" >= 1 )); then
echo "ompss2: cleaned NIX_CFLAGS_COMPILE_${tconf} (invokation from intel compiler detected)"
fi
fi
'';
intelExtraBuildCommands = ''
sed -i 's|# Flirting.*|source ${resetIntelCCFlags}\n\n&|' $out/bin/clang
sed -i 's|# Flirting.*|source ${resetIntelCCFlags}\n\n&|' $out/bin/clang++
'';
wrappedCCIntel = wrapCCWith {
inherit bintools extraPackages;
cc = cc.override { gcc = gcc13; }; # Intel uses gcc13, so we have to match it
gccForLibs = gcc13;
# extraPackages adds packages to depsTargetTargetPropagated
extraBuildCommands = intelExtraBuildCommands + envExports;
};
in wrappedCC.overrideAttrs (oldAttrs: {
passthru = oldAttrs.passthru // {
forIcpx = wrappedCCIntel;
};
})

8
pkgs/llvm-ompss2/openmp.nix
View File

@@ -74,13 +74,5 @@ stdenv.mkDerivation rec {
passthru = {
inherit nosv;
};
meta = {
homepage = "https://gitlab.pm.bsc.es/llvm-ompss/llvm-mono";
description = "Support for the OpenMP language (with nOS-V)";
maintainers = with lib.maintainers.bsc; [ rpenacob ];
platforms = lib.platforms.linux;
license = [ lib.licenses.asl20 lib.licenses.llvm-exception ];
};
}

7
pkgs/lmbench/default.nix
View File

@@ -35,16 +35,13 @@ stdenv.mkDerivation rec {
CFLAGS=-Wno-implicit-int
CPPFLAGS=-I${libtirpc.dev}/include/tirpc
LDFLAGS=-ltirpc
CC=$CC
AR=$AR
)
'';
meta = {
description = "lmbench";
homepage = "https://github.com/intel/lmbench";
maintainers = with lib.maintainers.bsc; [ rarias ];
homepage = "http://www.bitmover.com/lmbench/";
maintainers = [ ];
platforms = lib.platforms.all;
license = lib.licenses.gpl2Plus;
};
}

7
pkgs/maintainers.nix
View File

@@ -1,7 +0,0 @@
builtins.mapAttrs (name: value: { email = name + "@bsc.es"; } // value) {
abonerib.name = "Aleix Boné";
arocanon.name = "Aleix Roca";
rarias.name = "Rodrigo Arias";
rpenacob.name = "Raúl Peñacoba";
varcila.name = "Vincent Arcila";
}

10
pkgs/mcxx/default.nix
View File

@@ -1,6 +1,5 @@
{
stdenv
, lib
, fetchFromGitHub
, autoreconfHook
, nanos6
@@ -63,13 +62,4 @@ stdenv.mkDerivation rec {
# Fails with "memory exhausted" with bison 3.7.1
# "--enable-bison-regeneration"
];
meta = {
broken = true;
homepage = "https://github.com/bsc-pm/mcxx";
description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
maintainers = with lib.maintainers.bsc; [ rpenacob ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
};
}

9
pkgs/mcxx/git.nix
View File

@@ -1,6 +1,5 @@
{
stdenv
, lib
, fetchFromGitHub
, autoreconfHook
, nanos6
@@ -58,12 +57,4 @@ stdenv.mkDerivation rec {
# Fails with "memory exhausted" with bison 3.7.1
# "--enable-bison-regeneration"
];
meta = {
homepage = "https://github.com/bsc-pm/mcxx";
description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
maintainers = with lib.maintainers.bsc; [ rpenacob ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
};
}

9
pkgs/mcxx/rarias.nix
View File

@@ -1,5 +1,4 @@
{ stdenv
, lib
, fetchgit
, autoreconfHook
, nanos6
@@ -57,12 +56,4 @@ stdenv.mkDerivation rec {
#preBuild = ''
# make generate_builtins_ia32 GXX_X86_BUILTINS=${gcc}/bin/g++
#'';
#
meta = {
homepage = "https://github.com/bsc-pm/mcxx";
description = "C/C++/Fortran source-to-source compilation infrastructure aimed at fast prototyping";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
};
}

4
pkgs/meteocat-exporter/default.nix
View File

@@ -1,11 +1,9 @@
{ python3Packages, lib }:
python3Packages.buildPythonApplication {
python3Packages.buildPythonApplication rec {
pname = "meteocat-exporter";
version = "1.0";
pyproject = true;
src = ./.;
doCheck = false;

27
pkgs/mpich/default.nix
View File

@@ -6,13 +6,6 @@
, pmix
, gfortran
, symlinkJoin
# Disabled when cross-compiling
# To fix cross compilation, we should fill the values in:
# https://github.com/pmodels/mpich/blob/main/maint/fcrosscompile/cross_values.txt.in
# For each arch
, enableFortran ? stdenv.hostPlatform == stdenv.buildPlatform
, perl
, targetPackages
}:
let
@@ -22,13 +15,10 @@ let
paths = [ pmix.dev pmix.out ];
};
in mpich.overrideAttrs (old: {
buildInputs = old.buildInputs ++ [
buildInput = old.buildInputs ++ [
libfabric
pmixAll
];
nativeBuildInputs = old.nativeBuildInputs ++ [
perl
];
configureFlags = [
"--enable-shared"
"--enable-sharedlib"
@@ -41,21 +31,6 @@ in mpich.overrideAttrs (old: {
] ++ lib.optionals (lib.versionAtLeast gfortran.version "10") [
"FFLAGS=-fallow-argument-mismatch" # https://github.com/pmodels/mpich/issues/4300
"FCFLAGS=-fallow-argument-mismatch"
] ++ lib.optionals (!enableFortran) [
"--disable-fortran"
];
preFixup = ''
sed -i 's:^CC=.*:CC=${targetPackages.stdenv.cc}/bin/${targetPackages.stdenv.cc.targetPrefix}cc:' $out/bin/mpicc
sed -i 's:^CXX=.*:CXX=${targetPackages.stdenv.cc}/bin/${targetPackages.stdenv.cc.targetPrefix}c++:' $out/bin/mpicxx
'' + lib.optionalString enableFortran ''
sed -i 's:^FC=.*:FC=${targetPackages.gfortran or gfortran}/bin/${targetPackages.gfortran.targetPrefix or gfortran.targetPrefix}gfortran:' $out/bin/mpifort
'';
hardeningDisable = [ "all" ];
meta = old.meta // {
maintainers = old.meta.maintainers ++ (with lib.maintainers.bsc; [ rarias ]);
cross = true;
};
})

22
pkgs/nanos6/default.nix
View File

@@ -16,7 +16,6 @@
, jemallocNanos6 ? null
, cachelineBytes ? 64
, enableGlibcxxDebug ? false
, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
, useGit ? false
, gitUrl ? "ssh://git@bscpm04.bsc.es/nanos6/nanos6"
, gitBranch ? "master"
@@ -48,8 +47,6 @@ let
};
source = if (useGit) then git else release;
isCross = stdenv.hostPlatform != stdenv.buildPlatform;
in
stdenv.mkDerivation (source // {
pname = "nanos6";
@@ -74,13 +71,9 @@ in
"--disable-all-instrumentations"
"--enable-ovni-instrumentation"
"--with-ovni=${ovni}"
"--with-boost=${boost.dev}"
] ++
(optional enableJemalloc "--with-jemalloc=${jemallocNanos6}") ++
(optional enableGlibcxxDebug "CXXFLAGS=-D_GLIBCXX_DEBUG") ++
# Most nanos6 api symbols are resolved at runtime, so prefer
# ifunc by default
(optional isCross "--with-symbol-resolution=ifunc");
(optional enableGlibcxxDebug "CXXFLAGS=-D_GLIBCXX_DEBUG");
postConfigure = lib.optionalString (!enableDebug) ''
# Disable debug
@@ -104,14 +97,16 @@ in
# TODO: papi_version is needed for configure:
# ./configure: line 27378: papi_version: command not found
# This probably breaks cross-compilation
] ++ lib.optionals enablePapi [ papi ];
papi
];
buildInputs = [
boost
numactl
hwloc
papi
ovni
] ++ lib.optionals enablePapi [ papi ];
];
# Create a script that sets NANOS6_HOME
postInstall = ''
@@ -119,12 +114,11 @@ in
echo "export NANOS6_HOME=$out" >> $out/nix-support/setup-hook
'';
meta = {
meta = with lib; {
homepage = "https://github.com/bsc-pm/nanos6";
description = "Nanos6 runtime for OmpSs-2" +
optionalString (enableDebug) " (with debug symbols)";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
platforms = platforms.linux;
license = licenses.gpl3;
};
})

4
pkgs/nanos6/jemalloc.nix
View File

@@ -1,14 +1,12 @@
{ jemalloc, lib }:
{ jemalloc }:
jemalloc.overrideAttrs (old: {
configureFlags = old.configureFlags ++ [
"--with-jemalloc-prefix=nanos6_je_"
"--enable-stats"
];
enableParallelBuilding = true;
hardeningDisable = [ "all" ];
meta = old.meta // {
description = old.meta.description + " (for Nanos6)";
maintainers = (old.meta.maintainers or []) ++ (with lib.maintainers.bsc; [ rarias ]);
};
})

650
pkgs/nix-portable/default.nix
View File

@@ -1,650 +0,0 @@
with builtins;
{
nix,
unzip,
zip,
unixtools,
stdenv,
buildPackages,
upx,
bootstrapPrograms ? [
"gitMinimal"
"netcat-openbsd"
"openssh"
"bashInteractive"
],
cacert ? pkgs.cacert,
compression ? "zstd -19 -T0",
lib ? pkgs.lib,
pkgs ? import <nixpkgs> {},
# hardcode executable to run. Useful when creating a bundle.
bundledPackage ? null,
nixStatic,
busyboxStatic ? pkgs.pkgsStatic.busybox,
bwrapStatic ? pkgs.pkgsStatic.bubblewrap,
zstdStatic ? pkgs.pkgsStatic.zstd,
perlBuildBuild ? pkgs.pkgsBuildBuild.perl,
}@inp:
with lib;
let
perl = perlBuildBuild;
pname =
if bundledPackage == null
then "nix-portable"
else lib.getName bundledPackage;
bundledExe = lib.getExe bundledPackage;
nixpkgsSrc = pkgs.path;
maketar = targets:
let
closureInfo = buildPackages.closureInfo { rootPaths = targets; };
in
stdenv.mkDerivation {
name = "nix-portable-store-tarball";
nativeBuildInputs = [ perl zstd ];
exportReferencesGraph = map (x: [("closure-" + baseNameOf x) x]) targets;
buildCommand = ''
storePaths=$(cat ${closureInfo}/store-paths)
mkdir $out
echo $storePaths > $out/index
cp -r ${closureInfo} $out/closureInfo
tar -cf - \
--owner=0 --group=0 --mode=u+rw,uga+r \
--hard-dereference \
$storePaths | ${compression} > $out/tar
'';
};
packStaticBin = binPath: let
binName = (last (splitString "/" binPath)); in
pkgs.runCommand
binName
{ nativeBuildInputs = [ upx ]; }
''
mkdir -p $out/bin
theBinPath=${binPath}
if [[ -L "$theBinPath" ]]; then
theBinPath=$(readlink -f "$theBinPath")
fi
upx -9 -o $out/bin/${binName} $theBinPath
'';
installBin = pkg: bin: ''
unzip -qqoj "\$self" ${ lib.removePrefix "/" "${pkg}/bin/${bin}"} -d \$dir/bin
chmod +wx \$dir/bin/${bin};
'';
installDynamic = pkgname: let
out = pkgs.${pkgname}.out;
in ''
if [ ! -e \$store${lib.removePrefix "/nix/store" pkgs.${pkgname}.out} ] ; then
debug "Installing ${pkgname}"
\$run \$store${lib.removePrefix "/nix/store" nix}/bin/nix build --impure --no-link --expr "
(import ${nixpkgsSrc} {}).${pkgname}.out
"
else
debug "${pkgname} already installed"
fi
export PATH="${out}/bin:\$PATH"
'';
caBundleZstd = pkgs.runCommand "cacerts" {} "cat ${cacert}/etc/ssl/certs/ca-bundle.crt | ${zstd}/bin/zstd -19 > $out";
bwrap = packStaticBin "${bwrapStatic}/bin/bwrap";
nixStatic = packStaticBin "${inp.nixStatic}/bin/nix";
zstd = packStaticBin "${zstdStatic}/bin/zstd";
# the default nix store contents to extract when first used
storeTar = maketar ([ cacert nix nixpkgsSrc ] ++ lib.optional (bundledPackage != null) bundledPackage);
# The runtime script which unpacks the necessary files to $HOME/.nix-portable
# and then executes nix via bwrap
# Some shell expressions will be evaluated at build time and some at run time.
# Variables/expressions escaped via `\$` will be evaluated at run time
runtimeScript = ''
#!/usr/bin/env bash
set -eo pipefail
start=\$(date +%s%N) # start time in nanoseconds
# dump environment on exit if debug is enabled
if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 1 ]; then
trap "declare -p > \''${TMPDIR:-/tmp}/np_env" EXIT
fi
set -e
if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 2 ]; then
set -x
fi
# &3 is our error out which we either forward to &2 or to /dev/null
# depending on the setting
if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 1 ]; then
debug(){
echo \$@ || true
}
exec 3>&2
else
debug(){
true
}
exec 3>/dev/null
fi
# to reference this script's file
self="\$(realpath \''${BASH_SOURCE[0]})"
# fingerprint will be inserted by builder
fingerprint="_FINGERPRINT_PLACEHOLDER_"
# user specified location for program files and nix store
[ -z "\$NP_LOCATION" ] && NP_LOCATION="\$HOME"
NP_LOCATION="\$(readlink -f "\$NP_LOCATION")"
dir="\$NP_LOCATION/.nix-portable"
# Create NP_LOCATION and remove sgid bit
mkdir -p \$dir
if [ ! -z "\$BSC_MACHINE" ]; then
# Attempt to avoid issues with sgid folders
chmod g-s \$dir
chgrp bsc \$dir
fi
store="\$dir/nix/store"
# create /nix/var/nix to prevent nix from falling back to chroot store.
mkdir -p \$dir/{bin,nix/var/nix,nix/store}
# create minimal drv file for nix to spawn a nix shell
echo 'builtins.derivation {name="foo"; builder="/bin/sh"; args = ["-c" "echo hello \> \\\$out"]; system=builtins.currentSystem;}' > "\$dir/mini-drv.nix"
# the fingerprint being present inside a file indicates that
# this version of nix-portable has already been initialized
if test -e \$dir/conf/fingerprint && [ "\$(cat \$dir/conf/fingerprint)" == "\$fingerprint" ]; then
newNPVersion=false
else
newNPVersion=true
fi
# Nix portable ships its own nix.conf
export NIX_CONF_DIR=\$dir/conf/
NP_CONF_SANDBOX=\''${NP_CONF_SANDBOX:-false}
NP_CONF_STORE=\''${NP_CONF_STORE:-auto}
recreate_nix_conf(){
mkdir -p "\$NIX_CONF_DIR"
rm -f "\$NIX_CONF_DIR/nix.conf"
# static config
echo "build-users-group = " >> \$dir/conf/nix.conf
echo "experimental-features = nix-command flakes" >> \$dir/conf/nix.conf
echo "ignored-acls = security.selinux system.nfs4_acl" >> \$dir/conf/nix.conf
echo "sandbox-paths = /bin/sh=\$dir/busybox/bin/busybox" >> \$dir/conf/nix.conf
echo "extra-substituters = https://jungle.bsc.es/cache">> \$dir/conf/nix.conf
echo "extra-trusted-public-keys = jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" >> \$dir/conf/nix.conf
echo "extra-system-features = sys-devices" >> \$dir/conf/nix.conf
echo "extra-sandbox-paths = /sys/devices/system/cpu=/sys/devices/system/cpu /sys/devices/system/node=/sys/devices/system/node" >> \$dir/conf/nix.conf
echo "extra-trusted-users = @bsc" >> \$dir/conf/nix.conf
# configurable config
echo "sandbox = \$NP_CONF_SANDBOX" >> \$dir/conf/nix.conf
echo "store = \$NP_CONF_STORE" >> \$dir/conf/nix.conf
}
### install files
PATH_OLD="\$PATH"
# as soon as busybox is unpacked, restrict PATH to busybox to ensure reproducibility of this script
# only unpack binaries if necessary
if [ "\$newNPVersion" == "false" ]; then
debug "binaries already installed"
# our busybox does not run on termux, therefore we suffix the PATH only on termux
export PATH="\''${TERMUX_VERSION:+\$PATH:}\$dir/busybox/bin"
else
debug "installing files"
mkdir -p \$dir/emptyroot
# install busybox
mkdir -p \$dir/busybox/bin
(base64 -d> "\$dir/busybox/bin/busybox" && chmod +x "\$dir/busybox/bin/busybox") << END
$(cat ${busyboxStatic}/bin/busybox | base64)
END
busyBins="${toString (attrNames (filterAttrs (d: type: type == "symlink") (readDir "${busyboxStatic}/bin")))}"
for bin in \$busyBins; do
[ ! -e "\$dir/busybox/bin/\$bin" ] && ln -s busybox "\$dir/busybox/bin/\$bin"
done
# our busybox does not run on termux, therefore we suffix the PATH only on termux
export PATH="\''${TERMUX_VERSION:+\$PATH:}\$dir/busybox/bin"
# install other binaries
${installBin zstd "zstd"}
${installBin bwrap "bwrap"}
${installBin nixStatic "nix"}
# install ssl cert bundle
unzip -poj "\$self" ${ lib.removePrefix "/" "${caBundleZstd}"} | \$dir/bin/zstd -d > \$dir/ca-bundle.crt
recreate_nix_conf
fi
# Override $SHELL with nix bashInteractive
export SHELL="${pkgs.bashInteractive.out}/bin/bash"
export PS1="\n\[\033[1;32m\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\$\[\033[0m\] "
# unset bash function aliases
unset -f which ml module
### setup SSL
# find ssl certs or use from nixpkgs
debug "figuring out ssl certs"
if [ -z "\$SSL_CERT_FILE" ]; then
debug "SSL_CERT_FILE not defined. trying to find certs automatically"
if [ -e /etc/ssl/certs/ca-bundle.crt ]; then
export SSL_CERT_FILE=\$(realpath /etc/ssl/certs/ca-bundle.crt)
debug "found /etc/ssl/certs/ca-bundle.crt with real path \$SSL_CERT_FILE"
elif [ -e /etc/ssl/certs/ca-certificates.crt ]; then
export SSL_CERT_FILE=\$(realpath /etc/ssl/certs/ca-certificates.crt)
debug "found /etc/ssl/certs/ca-certificates.crt with real path \$SSL_CERT_FILE"
elif [ ! -e /etc/ssl/certs ]; then
debug "/etc/ssl/certs does not exist. Will use certs from nixpkgs."
export SSL_CERT_FILE=\$dir/ca-bundle.crt
else
debug "certs seem to reside in /etc/ssl/certs. No need to set up anything"
fi
fi
if [ -n "\$SSL_CERT_FILE" ]; then
sslBind="\$(realpath \$SSL_CERT_FILE) \$dir/ca-bundle.crt"
export SSL_CERT_FILE="\$dir/ca-bundle.crt"
else
sslBind="/etc/ssl /etc/ssl"
fi
if [ -n "\$NP_GIT" ]; then
echo "WARN: NP_GIT is not supported, using nix version instead"
fi
storePathOfFile(){
file=\$(realpath \$1)
sPath="\$(echo \$file | awk -F "/" 'BEGIN{OFS="/";}{print \$2,\$3,\$4}')"
echo "/\$sPath"
}
collectBinds(){
pathsTopLevel="/boot /run /sys \$PWD /gpfs /tmp /scratch"
toBind=""
for p in \$pathsTopLevel; do
if [ -e "\$p" ]; then
real=\$(realpath \$p)
if [ -e "\$real" ]; then
if [[ "\$real" == /nix/store/* ]]; then
storePath=\$(storePathOfFile \$real)
toBind="\$toBind \$storePath \$storePath"
else
toBind="\$toBind \$real \$p"
fi
fi
fi
done
# TODO: add /var/run/dbus/system_bus_socket
paths="/etc/host.conf /etc/hosts /etc/hosts.equiv /etc/mtab /etc/netgroup /etc/networks /etc/passwd /etc/group /etc/nsswitch.conf /etc/resolv.conf /etc/localtime \$HOME"
for p in \$paths; do
if [ -e "\$p" ]; then
real=\$(realpath \$p)
if [ -e "\$real" ]; then
if [[ "\$real" == /nix/store/* ]]; then
storePath=\$(storePathOfFile \$real)
toBind="\$toBind \$storePath \$storePath"
else
toBind="\$toBind \$real \$real"
fi
fi
fi
done
# provide /bin/sh via the shipped busybox
toBind="\$toBind \$dir/busybox/bin/busybox /bin/sh"
toBind="\$toBind \$dir/busybox/bin/busybox /usr/bin/env"
# on termux, make sure termux packages still work inside the nix-portable environment
if [ -n "\$TERMUX_VERSION" ]; then
# binds required so termux native packages still run inside the nix-portable sandbox
# TODO: this doesn't quite work yet. debug and fix
toBind="\$toBind /system/lib64/libc.so /system/lib64/libc.so"
toBind="\$toBind /system/lib64/ld-android.so /system/lib64/ld-android.so"
toBind="\$toBind /system/lib64/libdl.so /system/lib64/libdl.so"
toBind="\$toBind /system/bin /system/bin"
toBind="\$toBind /system/lib64 /system/lib64"
toBind="\$toBind /apex/com.android.runtime/bin /apex/com.android.runtime/bin"
toBind="\$toBind /linkerconfig/ld.config.txt /linkerconfig/ld.config.txt"
toBind="\$toBind \$dir/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt"
toBind="\$toBind \$(realpath \$HOME/../usr/etc/resolv.conf) /etc/resolv.conf"
fi
}
makeBindArgs(){
arg=\$1; shift
sep=\$1; shift
binds=""
while :; do
if [ -n "\$1" ]; then
from="\$1"; shift
to="\$1"; shift || { echo "no bind destination provided for \$from!"; exit 3; }
binds="\$binds \$arg \$from\$sep\$to";
else
break
fi
done
}
### select container runtime
debug "figuring out which runtime to use"
[ -z "\$NP_BWRAP" ] && NP_BWRAP=\$dir/bin/bwrap
debug "bwrap executable: \$NP_BWRAP"
[ -z "\$NP_NIX" ] && NP_NIX=\$dir/bin/nix
debug "nix executable: \$NP_NIX"
debug "testing all available runtimes..."
if [ -z "\$NP_RUNTIME" ]; then
# read last automatic selected runtime from disk
if [ "\$newNPVersion" == "true" ]; then
debug "removing cached auto selected runtime"
rm -f "\$dir/conf/last_auto_runtime"
fi
if [ -f "\$dir/conf/last_auto_runtime" ]; then
last_auto_runtime="\$(cat "\$dir/conf/last_auto_runtime")"
else
last_auto_runtime=
fi
debug "last auto selected runtime: \$last_auto_runtime"
if [ "\$last_auto_runtime" != "" ]; then
NP_RUNTIME="\$last_auto_runtime"
# check if nix --store works
elif \\
debug "testing nix --store" \\
&& mkdir -p \$dir/tmp/ \\
&& touch \$dir/tmp/testfile \\
&& "\$NP_NIX" --store "\$dir/tmp/__store" shell -f "\$dir/mini-drv.nix" -c "\$dir/bin/nix" store add-file --store "\$dir/tmp/__store" "\$dir/tmp/testfile" >/dev/null 2>&3; then
chmod -R +w \$dir/tmp/__store
rm -r \$dir/tmp/__store
debug "nix --store works on this system -> will use nix as runtime"
NP_RUNTIME=nix
# check if bwrap works properly
elif \\
debug "nix --store failed -> testing bwrap" \\
&& \$NP_BWRAP --bind \$dir/emptyroot / --bind \$dir/ /nix --bind \$dir/busybox/bin/busybox "\$dir/true" "\$dir/true" 2>&3 ; then
debug "bwrap seems to work on this system -> will use bwrap"
NP_RUNTIME=bwrap
else
debug "bwrap doesn't work on this system -> will use proot"
NP_RUNTIME=proot
fi
echo -n "\$NP_RUNTIME" > "\$dir/conf/last_auto_runtime"
else
debug "runtime selected via NP_RUNTIME: \$NP_RUNTIME"
fi
debug "NP_RUNTIME: \$NP_RUNTIME"
if [ "\$NP_RUNTIME" == "nix" ]; then
run="\$NP_NIX shell -f \$dir/mini-drv.nix -c"
export PATH="\$PATH:\$store${lib.removePrefix "/nix/store" nix}/bin"
NP_CONF_STORE="\$dir"
recreate_nix_conf
elif [ "\$NP_RUNTIME" == "bwrap" ]; then
collectBinds
makeBindArgs --bind " " \$toBind \$sslBind
run="\$NP_BWRAP \$BWRAP_ARGS \\
--bind \$dir/emptyroot /\\
--dev-bind /dev /dev\\
--proc /proc\\
--bind \$dir/nix /nix\\
\$binds"
# --bind \$dir/busybox/bin/busybox /bin/sh\\
else
# proot
echo Unsupported runtime: $NP_RUNTIME
exit 1
fi
debug "base command will be: \$run"
### setup environment
export NIX_PATH="\$dir/channels:nixpkgs=\$dir/channels/nixpkgs"
mkdir -p \$dir/channels
[ -h \$dir/channels/nixpkgs ] || ln -s ${nixpkgsSrc} \$dir/channels/nixpkgs
### install nix store
# Install all the nix store paths necessary for the current nix-portable version
# We only unpack missing store paths from the tar archive.
index="$(cat ${storeTar}/index)"
export missing=\$(
for path in \$index; do
basepath=\$(basename \$path)
if [ ! -e \$store/\$basepath ]; then
echo "nix/store/\$basepath"
fi
done
)
if [ -n "\$missing" ]; then
debug "extracting missing store paths"
(
mkdir -p \$dir/tmp \$store/
rm -rf \$dir/tmp/*
cd \$dir/tmp
unzip -qqp "\$self" ${ lib.removePrefix "/" "${storeTar}/tar"} \
| \$dir/bin/zstd -d \
| tar -x \$missing --strip-components 2
mv \$dir/tmp/* \$store/
)
rm -rf \$dir/tmp
fi
if [ -n "\$missing" ]; then
debug "registering new store paths to DB"
reg="$(cat ${storeTar}/closureInfo/registration)"
cmd="\$run \$store${lib.removePrefix "/nix/store" nix}/bin/nix-store --load-db"
debug "running command: \$cmd"
echo "\$reg" | \$cmd
fi
### select executable
# the executable can either be selected by
# - executing './nix-portable BIN_NAME',
# - symlinking to nix-portable, in which case the name of the symlink selects the nix executable
# Alternatively the executable can be hardcoded by specifying the argument 'executable' of nix-portable's default.nix file.
executable="${if bundledPackage == null then "" else bundledExe}"
if [ "\$executable" != "" ]; then
bin="\$executable"
debug "executable is hardcoded to: \$bin"
elif [[ "\$(basename \$0)" == nix-portable* ]]; then\
if [ -z "\$1" ]; then
echo "Error: please specify the nix binary to execute"
echo "Alternatively symlink against \$0"
exit 1
elif [ "\$1" == "debug" ]; then
bin="\$(which \$2)"
shift; shift
else
bin="\$store${lib.removePrefix "/nix/store" nix}/bin/\$1"
shift
fi
# for binary selection via symlink
else
bin="\$store${lib.removePrefix "/nix/store" nix}/bin/\$(basename \$0)"
fi
### check which runtime has been used previously
if [ -f "\$dir/conf/last_runtime" ]; then
lastRuntime=\$(cat "\$dir/conf/last_runtime")
else
lastRuntime=
fi
### check if nix is functional with or without sandbox
# sandbox-fallback is not reliable: https://github.com/NixOS/nix/issues/4719
if [ "\$newNPVersion" == "true" ] || [ "\$lastRuntime" != "\$NP_RUNTIME" ]; then
nixBin="\$(dirname \$bin)/nix"
debug "Testing if nix can build stuff without sandbox"
if ! \$run "\$nixBin" build --no-link -f "\$dir/mini-drv.nix" --option sandbox false >&3 2>&3; then
echo "Fatal error: nix is unable to build packages"
exit 1
fi
debug "Testing if nix sandbox is functional"
if ! \$run "\$nixBin" build --no-link -f "\$dir/mini-drv.nix" --option sandbox true >&3 2>&3; then
debug "Sandbox doesn't work -> disabling sandbox"
NP_CONF_SANDBOX=false
recreate_nix_conf
else
debug "Sandboxed builds work -> enabling sandbox"
NP_CONF_SANDBOX=true
recreate_nix_conf
fi
fi
### save fingerprint and lastRuntime
if [ "\$newNPVersion" == "true" ]; then
echo -n "\$fingerprint" > "\$dir/conf/fingerprint"
fi
if [ "\$lastRuntime" != \$NP_RUNTIME ]; then
echo -n \$NP_RUNTIME > "\$dir/conf/last_runtime"
fi
### set PATH
export PATH="\$dir/busybox/bin"
export PATH="\$PATH:\$store${lib.removePrefix "/nix/store" nix}/bin"
### install programs via nix
${concatMapStringsSep "\n" installDynamic bootstrapPrograms}
### print elapsed time
end=\$(date +%s%N) # end time in nanoseconds
# time elapsed in millis with two decimal places
# print stats about initialization time of nix-portable
# skipt for termux, as it doesn't have bc installed
if [ -z "\$TERMUX_VERSION" ]; then
elapsed=\$(echo "scale=2; (\$end - \$start)/1000000" | bc)
debug "Time to initialize nix-portable: \$elapsed millis"
fi
### run commands
[ -z "\$NP_RUN" ] && NP_RUN="\$run"
if [ "\$NP_RUNTIME" == "proot" ]; then
debug "running command: \$NP_RUN \$bin \$@"
exec \$NP_RUN \$bin "\$@"
else
cmd="\$NP_RUN \$bin \$@"
debug "running command: \$cmd"
exec \$NP_RUN \$bin "\$@"
fi
exit
'';
runtimeScriptEscaped = replaceStrings ["\""] ["\\\""] runtimeScript;
nixPortable = pkgs.runCommand pname {
nativeBuildInputs = [unixtools.xxd unzip];
meta = {
homepage = "https://github.com/DavHau/nix-portable";
description = "Nix - Static, Permissionless, Installation-free, Pre-configured for mn5";
maintainers = with lib.maintainers.bsc; [ abonerib ];
platforms = lib.platforms.linux;
license = lib.licenses.mit;
};
} ''
mkdir -p $out/bin
echo "${runtimeScriptEscaped}" > $out/bin/nix-portable.zip
xxd $out/bin/nix-portable.zip | tail
sizeA=$(printf "%08x" `stat -c "%s" $out/bin/nix-portable.zip` | tac -rs ..)
echo 504b 0304 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
echo 0000 0000 0000 0000 0000 0200 0000 4242 | xxd -r -p >> $out/bin/nix-portable.zip
sizeB=$(printf "%08x" `stat -c "%s" $out/bin/nix-portable.zip` | tac -rs ..)
echo 504b 0102 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
echo 0000 0000 0000 0000 0000 0000 0200 0000 | xxd -r -p >> $out/bin/nix-portable.zip
echo 0000 0000 0000 0000 0000 $sizeA 4242 | xxd -r -p >> $out/bin/nix-portable.zip
echo 504b 0506 0000 0000 0000 0100 3000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
echo $sizeB 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
unzip -vl $out/bin/nix-portable.zip
zip="${zip}/bin/zip -0"
$zip $out/bin/nix-portable.zip ${bwrap}/bin/bwrap
$zip $out/bin/nix-portable.zip ${nixStatic}/bin/nix
$zip $out/bin/nix-portable.zip ${zstd}/bin/zstd
$zip $out/bin/nix-portable.zip ${storeTar}/tar
$zip $out/bin/nix-portable.zip ${caBundleZstd}
# create fingerprint
fp=$(sha256sum $out/bin/nix-portable.zip | cut -d " " -f 1)
sed -i "s/_FINGERPRINT_PLACEHOLDER_/$fp/g" $out/bin/nix-portable.zip
# fix broken zip header due to manual modification
${zip}/bin/zip -F $out/bin/nix-portable.zip --out $out/bin/nix-portable-fixed.zip
rm $out/bin/nix-portable.zip
executable=${if bundledPackage == null then "" else bundledExe}
if [ "$executable" == "" ]; then
target="$out/bin/nix-portable"
else
target="$out/bin/$(basename "$executable")"
fi
mv $out/bin/nix-portable-fixed.zip "$target"
chmod +x "$target"
'';
in
nixPortable.overrideAttrs (prev: {
passthru = (prev.passthru or {}) // {
inherit bwrap;
};
})

12
pkgs/nix-wrap/default.nix
View File

@@ -1,6 +1,5 @@
{
stdenv
, lib
, bashInteractive
, busybox
, nix
@@ -14,7 +13,7 @@ let
nixConfDir = "share";
nix_wrap_sh = writeText "nix-wrap.sh" ''
#!/usr/bin/env bash
#
busybox_bin="${nixPrefix}${busybox}/bin"
bubblewrap_bin="${nixPrefix}/${bubblewrap}/bin"
@@ -69,6 +68,7 @@ stdenv.mkDerivation rec {
name = "nix-wrap";
buildInputs = [
bashInteractive
busybox
nix
];
src = null;
@@ -86,13 +86,5 @@ stdenv.mkDerivation rec {
mkdir -p $out/share
cp ${nix_conf} $out/share/nix.conf
'';
meta = {
homepage = null;
description = "nix bubblewrap wrapper";
maintainers = [ ];
platforms = lib.platforms.linux;
license = lib.licenses.mit;
};
}

22
pkgs/nixgen/default.nix
View File

@@ -1,22 +0,0 @@
{
stdenv
, lib
}:
stdenv.mkDerivation {
pname = "nixgen";
version = "0.0.1";
src = ./nixgen;
dontUnpack = true;
phases = [ "installPhase" ];
installPhase = ''
mkdir -p $out/bin
cp -a $src $out/bin/nixgen
'';
meta = {
description = "Quickly generate flake.nix from command line";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
};
}

97
pkgs/nixgen/nixgen
View File

@@ -1,97 +0,0 @@
#!/bin/sh
#
# Copyright (c) 2025, Barcelona Supercomputing Center (BSC)
# SPDX-License-Identifier: GPL-3.0+
# Author: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
function usage() {
echo "USAGE: nixgen [-f] [package [...]] [-b package [...]]" >&2
echo " Generates a flake.nix file with the given packages." >&2
echo " After flake.nix is created, use 'nix develop' to enter the shell." >&2
echo "OPTIONS" >&2
echo " -f Overwrite existing flake.nix (default: no)." >&2
echo " packages... Add these packages to the shell." >&2
echo " -b packages... Add the dependencies needed to build these packages." >&2
echo "EXAMPLE" >&2
echo " $ nixgen ovni bigotes -b nosv tampi" >&2
echo " Adds the packages ovni and bigotes as well as all required dependencies" >&2
echo " to build nosv and tampi." >&2
echo "AUTHOR" >&2
echo " Rodrigo Arias Mallo <rodrigo.arias@bsc.es>" >&2
exit 1
}
mode=package
packages=
inputsFrom=
force=
if [[ $# -eq 0 ]]; then
usage
fi
while [[ $# -gt 0 ]]; do
case $1 in -b)
mode=build
shift
;;
-f)
force=1
shift
;;
-h)
usage
;;
-*|--*)
echo "error: unknown option $1" >&2
exit 1
;;
*)
if [ "$mode" == "package" ]; then
packages+="${packages:+ }$1"
else
inputsFrom+="${inputsFrom:+ }$1"
fi
shift
;;
esac
done
if [ ! "$force" -a -e flake.nix ]; then
echo "error: flake.nix exists, force overwrite with -f" >&2
exit 1
fi
cat > flake.nix <<EOF
{
inputs.jungle.url = "git+https://jungle.bsc.es/git/rarias/jungle";
outputs = { self, jungle }:
let
nixpkgs = jungle.inputs.nixpkgs;
customOverlay = (final: prev: {
# Example overlay, for now empty
});
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [
# Apply jungle overlay to get our BSC custom packages
jungle.outputs.bscOverlay
# And on top apply our local changes to customize for cluster
customOverlay
];
};
in {
devShells.x86_64-linux.default = pkgs.mkShell {
pname = "devshell";
# Include these packages in the shell
packages = with pkgs; [
$packages
];
# The dependencies needed to build these packages will be also included
inputsFrom = with pkgs; [
$inputsFrom
];
};
};
}
EOF

8
pkgs/nixtools/default.nix
View File

@@ -1,6 +1,5 @@
{
stdenv
, lib
, glibc
}:
@@ -16,11 +15,4 @@ stdenv.mkDerivation rec {
makeFlags = [ "DESTDIR=$(out)" ];
preBuild = "env";
dontPatchShebangs = true;
meta = {
homepage = "https://gitlab.pm.bsc.es/rarias/nixtools";
description = "nix bubblewrap wrapper";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
};
}

17
pkgs/nodes/default.nix
View File

@@ -3,6 +3,7 @@
, lib
, fetchFromGitHub
, pkg-config
, perl
, numactl
, hwloc
, boost
@@ -10,23 +11,22 @@
, ovni
, nosv
, clangOmpss2
, which
, useGit ? false
, gitUrl ? "ssh://git@gitlab-internal.bsc.es/nos-v/nodes.git"
, gitBranch ? "master"
, gitCommit ? "511489e71504a44381e0930562e7ac80ac69a848" # version-1.4
, gitCommit ? "6002ec9ae6eb876d962cc34366952a3b26599ba6"
}:
with lib;
let
release = rec {
version = "1.4";
version = "1.3";
src = fetchFromGitHub {
owner = "bsc-pm";
repo = "nodes";
rev = "version-${version}";
hash = "sha256-+lR/R0l3fGZO3XG7whMorFW2y2YZ0ZFnLeOHyQYrAsQ=";
hash = "sha256-cFb9pxcjtkMmH0CsGgUO9LTdXDNh7MCqicgGWawLrsU=";
};
};
@@ -59,7 +59,6 @@ in
doCheck = false;
nativeCheckInputs = [
clangOmpss2
which
];
# The "bindnow" flags are incompatible with ifunc resolution mechanism. We
@@ -82,12 +81,4 @@ in
passthru = {
inherit nosv;
};
meta = {
homepage = "https://gitlab.bsc.es/nos-v/nodes";
description = "Runtime library designed to work on top of the nOS-V runtime";
maintainers = with lib.maintainers.bsc; [ abonerib rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
};
}

16
pkgs/nosv/default.nix
View File

@@ -7,25 +7,25 @@
, numactl
, hwloc
, papi
, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
, enablePapi ? true
, cacheline ? 64 # bits
, ovni ? null
, useGit ? false
, gitUrl ? "git@gitlab-internal.bsc.es:nos-v/nos-v.git"
, gitBranch ? "master"
, gitCommit ? "1108e4786b58e0feb9a16fa093010b763eb2f8e8" # version 4.0.0
, gitCommit ? "9f47063873c3aa9d6a47482a82c5000a8c813dd8"
}:
with lib;
let
release = rec {
version = "4.0.0";
version = "3.2.0";
src = fetchFromGitHub {
owner = "bsc-pm";
repo = "nos-v";
rev = "${version}";
hash = "sha256-llaq73bd/YxLVKNlMebnUHKa4z3sdcsuDUoVwUxNuw8=";
hash = "sha256-yaz92426EM8trdkBJlISmAoG9KJCDTvoAW/HKrasvOw=";
};
};
@@ -59,12 +59,4 @@ in
hwloc
ovni
] ++ lib.optionals enablePapi [ papi ];
meta = {
homepage = "https://gitlab.bsc.es/nos-v/nos-v";
description = "Tasking library enables the co-execution of multiple applications with system-wide scheduling and a centralized management of resources";
maintainers = with lib.maintainers.bsc; [ abonerib rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
};
}

84
pkgs/onemath/default.nix Normal file
View File

@@ -0,0 +1,84 @@
{ lib
, fetchFromGitHub
, cmake
, withCFlags
, intelPackages
, mklSupport ? true
, config
, cudaSupport ? config.cudaSupport
, cudaPackages ? { }
, rocmSupport ? config.rocmSupport
, hipTargets ? null # only one target at a time supported
, rocmPackages ? { }
}:
let
# rocmSupport is not enough, we need a specific target
enableHip = rocmSupport && hipTargets != null;
stdenv = withCFlags (lib.optionals cudaSupport [ "--cuda-path=${cudaPackages.cudatoolkit}" ]) intelPackages.stdenv;
in
# at least one backend has to be enabled
assert mklSupport || cudaSupport || enableHip;
stdenv.mkDerivation rec {
pname = "oneMath";
version = "0.8";
src = fetchFromGitHub {
owner = "uxlfoundation";
repo = "oneMath";
rev = "v${version}";
sha256 = "sha256-xK8lKI3oqKlx3xtvdScpMq+HXAuoYCP0BZdkEqnJP5o=";
};
cmakeFlags = [
(lib.cmakeBool "ENABLE_MKLCPU_BACKEND" mklSupport)
(lib.cmakeBool "ENABLE_MKLGPU_BACKEND" mklSupport)
(lib.cmakeBool "ENABLE_CUBLAS_BACKEND" cudaSupport)
(lib.cmakeBool "ENABLE_CUFFT_BACKEND" cudaSupport)
(lib.cmakeBool "ENABLE_CURAND_BACKEND" cudaSupport)
(lib.cmakeBool "ENABLE_CUSOLVER_BACKEND" cudaSupport)
(lib.cmakeBool "ENABLE_CUSPARSE_BACKEND" cudaSupport)
(lib.cmakeBool "ENABLE_ROCBLAS_BACKEND" enableHip)
(lib.cmakeBool "ENABLE_ROCFFT_BACKEND" enableHip)
(lib.cmakeBool "ENABLE_ROCSOLVER_BACKEND" enableHip)
(lib.cmakeBool "ENABLE_ROCRAND_BACKEND" enableHip)
(lib.cmakeBool "ENABLE_ROCSPARSE_BACKEND" enableHip)
(lib.cmakeBool "BUILD_FUNCTIONAL_TESTS" false)
(lib.cmakeBool "BUILD_EXAMPLES" false)
] ++ lib.optionals enableHip [
(lib.cmakeFeature "HIP_TARGETS" hipTargets)
];
nativeBuildInputs = [ cmake ];
buildInputs = lib.optionals (mklSupport) [
intelPackages.mkl
intelPackages.tbb
] ++ lib.optionals (enableHip) [
rocmPackages.rocmPath
rocmPackages.rocblas
rocmPackages.rocfft
rocmPackages.rocsolver
rocmPackages.rocrand
rocmPackages.rocsparse
] ++ lib.optionals (cudaSupport) [
(lib.getDev cudaPackages.cuda_cudart)
cudaPackages.cudatoolkit
cudaPackages.libcublas
cudaPackages.libcurand
cudaPackages.libcufft
cudaPackages.libcusparse
cudaPackages.libcusolver
];
}

6
pkgs/osu/default.nix
View File

@@ -32,11 +32,6 @@ stdenv.mkDerivation rec {
"CXX=mpicxx"
];
env = {
MPICH_CC="${stdenv.cc}/bin/${stdenv.cc.targetPrefix}cc";
MPICH_CXX="${stdenv.cc}/bin/${stdenv.cc.targetPrefix}c++";
};
postInstall = ''
mkdir -p $out/bin
for f in $(find $out -executable -type f); do
@@ -49,6 +44,5 @@ stdenv.mkDerivation rec {
homepage = "http://mvapich.cse.ohio-state.edu/benchmarks/";
maintainers = [ ];
platforms = lib.platforms.all;
cross = true;
};
}

17
pkgs/ovni/default.nix
View File

@@ -7,7 +7,7 @@
, useGit ? false
, gitBranch ? "master"
, gitUrl ? "ssh://git@bscpm04.bsc.es/rarias/ovni.git"
, gitCommit ? "06432668f346c8bdc1006fabc23e94ccb81b0d8b" # version 1.13.0
, gitCommit ? "e4f62382076f0cf0b1d08175cf57cc0bc51abc61"
, enableDebug ? false
# Only enable MPI if the build is native (fails on cross-compilation)
, useMpi ? (stdenv.buildPlatform.canExecute stdenv.hostPlatform)
@@ -15,13 +15,13 @@
let
release = rec {
version = "1.13.0";
version = "1.12.0";
src = fetchFromGitHub {
owner = "bsc-pm";
repo = "ovni";
rev = "${version}";
hash = "sha256-0l2ryIyWNiZqeYdVlnj/WnQGS3xFCY4ICG8JedX424w=";
} // { shortRev = "0643266"; };
hash = "sha256-H04JvsVKrdqr3ON7JhU0g17jjlg/jzQ7eTfx9vUNd3E=";
} // { shortRev = "a73afcf"; };
};
git = rec {
@@ -55,13 +55,4 @@ in
doCheck = true;
checkTarget = "test";
hardeningDisable = [ "all" ];
meta = {
homepage = "https://ovni.readthedocs.io";
description = "Obtuse but Versatile Nanoscale Instrumentation";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
cross = true;
};
}

19
pkgs/paraver/default.nix
View File

@@ -1,6 +1,5 @@
{
stdenv
, lib
, fetchFromGitHub
, autoreconfHook
, boost
@@ -12,7 +11,7 @@
, paraverKernel
, openssl
, glibcLocales
, wrapGAppsHook3
, wrapGAppsHook
}:
let
@@ -64,7 +63,7 @@ stdenv.mkDerivation rec {
autoconf
automake
autoreconfHook
wrapGAppsHook3
wrapGAppsHook
];
buildInputs = [
@@ -89,18 +88,4 @@ stdenv.mkDerivation rec {
mkdir -p $out/share/man
mv $out/share/doc/wxparaver_help_contents/man $out/share/man/man1
'';
meta = {
homepage = "https://tools.bsc.es/paraver";
downloadPage = "https://github.com/bsc-performance-tools/wxparaver";
description = "Performance analyzer based on event traces";
longDescription = ''
Trace-based visualization and analysis tool designed to study quantitative
detailed metrics and obtain qualitative knowledge of the performance of
applications, libraries, processors and whole architectures
'';
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.lgpl21Plus;
};
}

10
pkgs/paraver/kernel.nix
View File

@@ -1,6 +1,5 @@
{
stdenv
, lib
, fetchFromGitHub
, autoreconfHook
, boost
@@ -58,13 +57,4 @@ stdenv.mkDerivation rec {
xml2
zlib
];
meta = {
homepage = "https://tools.bsc.es/paraver";
downloadPage = "https://github.com/bsc-performance-tools/paraver-kernel";
description = "Kernel library used by wxparaver";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.lgpl21Plus;
};
}

10
pkgs/sonar/default.nix
View File

@@ -1,6 +1,5 @@
{
stdenv
, lib
, autoreconfHook
, fetchFromGitHub
, ovni
@@ -28,13 +27,4 @@ stdenv.mkDerivation rec {
ovni
mpi
];
meta = {
homepage = "https://github.com/bsc-pm/sonar";
description = "Set of runtime libraries which instrument parallel programming models through the ovni instrumentation library";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.mit;
cross = true;
};
}

27
pkgs/tagaspi/default.nix
View File

@@ -1,18 +1,26 @@
{
stdenv
, lib
, fetchFromGitHub
, automake
, autoconf
, libtool
, mpi
, autoreconfHook
, gpi-2
, boost
, numactl
, rdma-core
, gfortran
, symlinkJoin
}:
let
mpiAll = symlinkJoin {
name = "mpi-all";
paths = [ mpi.all ];
};
in
stdenv.mkDerivation rec {
pname = "tagaspi";
enableParallelBuilding = true;
@@ -26,18 +34,16 @@ stdenv.mkDerivation rec {
hash = "sha256-RGG/Re2uM293HduZfGzKUWioDtwnSYYdfeG9pVrX9EM=";
};
nativeBuildInputs = [
buildInputs = [
autoreconfHook
automake
autoconf
libtool
gfortran
];
buildInputs = [
boost
numactl
rdma-core
gfortran
mpiAll
];
dontDisableStatic = true;
@@ -49,13 +55,4 @@ stdenv.mkDerivation rec {
];
hardeningDisable = [ "all" ];
meta = {
homepage = "https://github.com/bsc-pm/tagaspi";
description = "Task-Aware GASPI";
maintainers = with lib.maintainers.bsc; [ rarias ];
platforms = lib.platforms.linux;
license = lib.licenses.gpl3Plus;
cross = false; # gpi-2 cannot cross
};
}

Some files were not shown because too many files have changed in this diff Show More