From 64a52801ed8d5c4a57650c2c434254a9986c1901 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Mon, 26 May 2025 11:40:07 +0200
Subject: [PATCH 01/10] Remove pam_slurm_adopt from fox
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We no longer will be able to use SLURM from jungle.
Reviewed-by: Aleix Boné
---
 m/fox/configuration.nix | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/m/fox/configuration.nix b/m/fox/configuration.nix
index 97ac6863..60ab5b0f 100644
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -56,20 +56,4 @@
 wantedBy = [ "multi-user.target" ];
 serviceConfig.ExecStart = script;
 };
-
- # Only allow SSH connections from users who have a SLURM allocation
- # See: https://slurm.schedmd.com/pam_slurm_adopt.html
- security.pam.services.sshd.rules.account.slurm = {
- control = "required";
- enable = true;
- modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
- args = [ "log_level=debug5" ];
- order = 999999; # Make it last one
- };
-
- # Disable systemd session (pam_systemd.so) as it will conflict with the
- # pam_slurm_adopt.so module. What happens is that the shell is first adopted
- # into the slurmstepd task and then into the systemd session, which is not
- # what we want, otherwise it will linger even if all jobs are gone.
- security.pam.services.sshd.startSession = lib.mkForce false;
 }
-- 
2.49.0
From b4846b0f6cef6a4a7e95420a38f3c8f4ccbeff3c Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Mon, 26 May 2025 11:43:16 +0200
Subject: [PATCH 02/10] Remove fox from SLURM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Aleix Boné
---
 m/fox/configuration.nix | 2 --
 m/module/slurm-client.nix | 4 +---
 2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/m/fox/configuration.nix b/m/fox/configuration.nix
index 60ab5b0f..3a188a63 100644
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -5,8 +5,6 @@
 ../common/xeon.nix
 ../module/ceph.nix
 ../module/emulation.nix
- ../module/slurm-client.nix
- ../module/slurm-firewall.nix
 ];
 # Select the this using the ID to avoid mismatches
diff --git a/m/module/slurm-client.nix b/m/module/slurm-client.nix
index 46478a81..21ae9458 100644
--- a/m/module/slurm-client.nix
+++ b/m/module/slurm-client.nix
@@ -43,13 +43,11 @@ in {
 clusterName = "jungle";
 nodeName = [
 "owl[1,2] Sockets=2 CoresPerSocket=14 ThreadsPerCore=2 Feature=owl"
- "fox Sockets=2 CoresPerSocket=96 ThreadsPerCore=1 Feature=fox"
 "hut Sockets=2 CoresPerSocket=14 ThreadsPerCore=2"
 ];
 partitionName = [
 "owl Nodes=owl[1-2] Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
- "fox Nodes=fox Default=NO DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
 ];
 # See slurm.conf(5) for more details about these options.
@@ -77,7 +75,7 @@ in {
 SuspendTimeout=60
 ResumeProgram=${resumeProgram}
 ResumeTimeout=300
- SuspendExcNodes=hut,fox
+ SuspendExcNodes=hut
 # Turn the nodes off after 1 hour of inactivity
 SuspendTime=3600
-- 
2.49.0
From db663913d83ccfe3b366a896bb22ade120d6dfc1 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Mon, 26 May 2025 11:50:57 +0200
Subject: [PATCH 03/10] Remove Ceph module from fox
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It will no longer be accesible from the UPC.
Reviewed-by: Aleix Boné
---
 m/fox/configuration.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/m/fox/configuration.nix b/m/fox/configuration.nix
index 3a188a63..e33afab6 100644
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -3,7 +3,6 @@
 {
 imports = [
 ../common/xeon.nix
- ../module/ceph.nix
 ../module/emulation.nix
 ];
-- 
2.49.0
From 6316a12a67f0453cd631c308a22e7ed0857f8f68 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Mon, 26 May 2025 12:00:21 +0200
Subject: [PATCH 04/10] Distrust fox SSH key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We no longer will share secrets with fox until we can regain our trust.
Reviewed-by: Aleix Boné
---
 keys.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/keys.nix b/keys.nix
index a2b8c2c1..f3a6bcf3 100644
--- a/keys.nix
+++ b/keys.nix
@@ -13,7 +13,8 @@ rec {
 };
 hostGroup = with hosts; rec {
- compute = [ owl1 owl2 fox ];
+ untrusted = [ fox ];
+ compute = [ owl1 owl2 ];
 playground = [ eudy koro ];
 storage = [ bay lake2 ];
 monitor = [ hut ];
-- 
2.49.0
From be77f6a5f5334a6c8fe3839597e9d1d4dd7f192c Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Mon, 26 May 2025 12:27:57 +0200
Subject: [PATCH 05/10] Rotate fox SSH host key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Prevent decrypting old secrets by reading the git history.
Reviewed-by: Aleix Boné
---
 keys.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/keys.nix b/keys.nix
index f3a6bcf3..83b8ff4a 100644
--- a/keys.nix
+++ b/keys.nix
@@ -9,7 +9,7 @@ rec {
 koro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67 koro";
 bay = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
 lake2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
- fox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDa9lId4rB/EKGkkCCVOy0cuId2SYLs+8W8kx0kmpO1y fox";
+ fox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwItIk5uOJcQEVPoy/CVGRzfmE1ojrdDcI06FrU4NFT fox";
 };
 hostGroup = with hosts; rec {
-- 
2.49.0
From 2ae9e9b635a25339be76b3948a00b33e8db3aa9d Mon Sep 17 00:00:00 2001
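Review bot: In the `hostGroup` hunk of keys.nix (PATCH 04/10), the new `untrusted = [ fox ];` group carries no comment saying that it must stay out of every secret's recipient list, so a later edit could fold it back into an aggregate group by accident. I would add `# untrusted: hosts we do not share secrets with; never reference this group from a recipient list` above it. `hostGroup` is a `rec` set whose closing brace is outside the hunk, so any groups defined after `monitor = [ hut ];`, and the file that maps secrets to recipients, should be checked to confirm that none of them still reaches `fox`.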
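Review bot: Replacing the `fox` entry in the `hosts` set (PATCH 05/10) keeps the old ciphertexts in the git history unreadable only if the previous private host key no longer exists on fox or in any backup, and nothing on this page records that step. A comment next to the key would document it, for example `# fox: host key rotated on 2025-05-26; the previous private key must not be restored`. Rekeying to fewer recipients also leaves the plaintext unchanged, and the message of PATCH 06/10 says fox used munge and ceph, so those two values were presumably readable on fox and should be regenerated rather than only re-encrypted; the binary diffs cannot show whether that was done. The `hosts` set begins above the hunk.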
From: Rodrigo Arias Mallo
Date: Mon, 26 May 2025 12:30:03 +0200
Subject: [PATCH 06/10] Rekey all secrets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fox is no longer able to use munge or ceph, so we remove the key and rekey them.
Reviewed-by: Aleix Boné
---
 secrets/ceph-user.age | Bin 1023 -> 913 bytes
 secrets/gitea-runner-token.age | Bin 479 -> 479 bytes
 secrets/gitlab-bsc-docker-token.age | 19 +++++++++----------
 secrets/gitlab-runner-docker-token.age | 17 ++++++++---------
 secrets/gitlab-runner-shell-token.age | 16 ++++++++--------
 secrets/ipmi.yml.age | Bin 1184 -> 1184 bytes
 secrets/jungle-robot-password.age | Bin 477 -> 477 bytes
 secrets/munge-key.age | Bin 2006 -> 1896 bytes
 secrets/nix-serve.age | Bin 534 -> 534 bytes
 9 files changed, 25 insertions(+), 27 deletions(-)
diff --git a/secrets/ceph-user.age b/secrets/ceph-user.age index 880fbbf33f23b68b298d1efcfde58e2581d46ba7..c37e0f4727564e981f6c1b8c6e404d092f3034ac 100644 GIT binary patch delta 825 zcmey*K9PNbPJM($Nou%PpkKaWaE5_Pu2-c;zKcg*a!Hw!X{c9mXl99%k84=DbCpY0 zF_%$Da;aN-RZf^sSb$Shx>s;sa709rWvWYQv1dk_pR2o9MU-Pjq@j~vK9{bYLUD11 zZfc5=si~o*LUFodVy>ftuXC|qSfQzpS87s@v!SP{ghD$_Nptpr-- zbdJzYw8$+hPAd(}3o^(|&UJMvNDs^B3d+a`sVH&xjr8<)c1lh!$j+(q&N1?I%yY~! zchAoC3Qsl4FVFQTEHleSj{#@LaCehHg-WmVqNG3aGw%05ACeX9J8XZVlKz<0MGQSvZ~-v7Z=CKPz%?BU{B95Q%kdgvPvg!|0;`O zpQuXLka9ndVsz_#gWZf%(iI}z%gYU%i=9f{4E-JRJY3AOJfcEe4UIh9qg+!;9nBpB z>XY5PoLq~|G9tMud^|FY@{JSyGV(*S{QNvTi?d6e3v#@Rw2kt!{0x)A+@gFEoif5A zER(r(b#)a=qRPEI!opolDng9B+ynhm{0x$dva`e7{Sy5P3~~~KQ!~e?v1dqVgs)F|VN|(kc5-%ZiCboIcwu6yexQGdOQBh5UZQJQ zR<@C0M81GgPPv(3hGmY)WxiqF1(}suK~X8jzPTQTQIWpcp5eaQCh3k`z8U(Z zNigsU?x#p1#IaF6GX7E~UO6KIXaZzFFSIIT>ad>E(`-;~B-n(=APk%zdLg zolJuY%Ca+yvoey+^}U@evh&K*1N?%`9P>>olM2gx%$z*A5{tu~qTCIVLj!U`%*u<3 z^MVrn%FA7iQ#`WW4J#|7vdmIV-9mzV3rk!lpJf!U_tbVa$qe^)^A9d?t*k69H#Vt^ zDk!P&^365#Ov`uA4K>%V@U}1rPsw!T3a#>p@-7Ups3=T~a5lCGH1RLbsPym+GWB;a zjLHnj^h)>eOAE;jHgonwj{)rv*Rb$F1;Yr}Aop_1ob>$Md`II-FR%Iv^YlEAFwZt7XA9T^qwrSItC6KKGttE;Qv zT3MLx6Vd<=2 z3z%OqtTA?F_9{bKJN8}z?4&*N%&W;B_t@xrnad0S4qsI$6~7ab=Y+BD@^ W)3(hrFZtAL!abK?l>NcIj28ePPC9=8 
diff --git a/secrets/gitea-runner-token.age b/secrets/gitea-runner-token.age index 31d52cf5ca7ae9694122700299a1796a6beecd3e..2b59fef1ec69d035923a75f20fa27a3545397ef5 100644 GIT binary patch delta 424 zcmcc5e4lxOPJM}cm|uyXOO#v<- z4-)kz$t8Z_ZsCDmc|L)GL3vJ!sWxn*YMUS5TnCgGv3zM<}>M)_QU6)BF9 zKKcHMo@thqJ|TXl202N7=J|$hxgq9G!Oqzhc{%w(j{2rPX1-jyy1EJ>Y0lckVTSqo zWnNC1fmxp3`boJ?m672tMajlyo<#xv#X%9lCfc4+l`gJa4|m>Tjoff(TE3x39z&wt zDj$bh*BQ6d=6=0r%IWdl_tEo-v!)*nHMN@jp-tRhsqF{ntio{Vkcun4>hE7}J(|`q U^GRI0#+BI*&k67SDA~LU0MFBx+W-In delta 424 zcmcc5e4lxOPJL=nScGY1UP`!&Pr7ABxp{GgTN z4-)kru2pFTK^BQQ?q=ZuRT+t{S&q56S^jSMZppsEfuT7m6((jWPQ?*LnI>HRjxMGi z`c+Zx8EL6ykwtD^RbE9&e%=B3x!zGO{=t@k6{aP*AqD0ZUin||9_c1FUa_O?pXCjyLE1S z9IQ1*GY^+>KYHd`Tm7b}^xUIk+q>^dZKywewl;2er`^Y7Ga0s}Od?w(v%YiwOn>1X T-gww*x|gx!&zc`KZBZ8iFqoPy diff --git a/secrets/gitlab-bsc-docker-token.age b/secrets/gitlab-bsc-docker-token.age index 74b83e04..f3798053 100644 --- a/secrets/gitlab-bsc-docker-token.age +++ b/secrets/gitlab-bsc-docker-token.age @@ -1,11 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 HY2yRg WSdjyQPzBJ4JbzQpGeq1AAYpWKoXmLI1ZtmNmM5QOzs -qGDlDT31DQF1DdHen0+5+52DdsQlabJdA2pOB5O1I6g --> ssh-ed25519 CAWG4Q wioWMDxQjN+d4JdIbCwZg0DLQu1OH2mV6gukRprjuAs -670fE61hidOEh20hHiQAhP0+CjDF0WMBNzgwkGT8Yqg --> ssh-ed25519 MSF3dg DN19uvAEtqq4708P6HpuX9i/o/qAvHX6dj69dCF2H1o -4Lu9GnjiFLMeXJ2C7aVPJsCHCQVlhylNWJi896Av92s ---- 7cKBwOYNOUZ2h3/kAY09aSMASZSxX7hZIT4kvlIiT6w -6fQF5=bX+v e`7/A~PѦ7 -A)h=oZ$ ^V0/܅r -kubĶ:R>^gik_*% a7KG&PIn \ No newline at end of file +-> ssh-ed25519 HY2yRg XPOFoZqY+AnKC77jrgNqAm1ADphurfuhO4NRrfiuUDc +iCfMMpGHyaYHGy6ci8sqjUtcPeteLlyvLGEF79VPOEc +-> ssh-ed25519 CAWG4Q 6OsGrnM+/c5lTN81Rvp166K+ygmSIFeSYzXxYg25KGE +Av1zTw2zK4Gufzti9kQaye7C362GCiDRRHzCqBLR33g +-> ssh-ed25519 MSF3dg 8CHqJ7mEDvjvqbmF+eE6Em1Wi6eHAzEUpiExC1gm7S0 +bdwzYHw3RAbdHq+RsiFUP++sQ586VUlSnAzAOhiQUjI +--- gA5XSUfjUBol938sC5DbUf8PvQUIr2pNkS2nL95OF9c +Ea1G7ݩ[R\{~$GocQwKP&w6] +ѣ^z̄ 1kY2p2Knok/Xpt''$0co= \ No newline at end of file 
diff --git a/secrets/gitlab-runner-docker-token.age b/secrets/gitlab-runner-docker-token.age index cd1432e3..3efea559 100644 --- a/secrets/gitlab-runner-docker-token.age +++ b/secrets/gitlab-runner-docker-token.age 
@@ -1,10 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 HY2yRg GdmdkW+BqqwBgu30b846jv3J7jtCM+a3rgOERuA050A -FeGqM75jG9egesR+yyVKHm0/M+uBBp5Hclg4+qN0BR8 --> ssh-ed25519 CAWG4Q a0wTWHgulQUYDAMZmXf3dOf6PdYgCqNtSylzWVVRNVM -Bx+WSYaiY4ZwlSZJo2a1XPMQmbKOU7F0tKAqVRLBOPo --> ssh-ed25519 MSF3dg KccUvZZUbxbCrRWUWrX8KcHF6vQ5FV/BqUqI59G7dj4 -CFr7GXpZ9rPgy7HBfOyiYF9FnZUw6KcZwq9f7/0KaU8 ---- E0Rp6RR/8+o0jvB1lRdhnlabxvI6uu/IgL2ZpPXzTc8 -#H$F;%62rfX\Dn шȉx>&;cUI=M?TǸ"pxӭ\sbFWD{ -AW>?UHԳ \ No newline at end of file +-> ssh-ed25519 HY2yRg pXNTB/ailRwSEJG1pXvrzzpz5HqkDZdWVWnOH7JGeQ4 +NzA+2fxfkNRy/u+Zq96A02K1Vxy0ETYZjMkDVTKyCY8 +-> ssh-ed25519 CAWG4Q 7CLJWn+EAxoWDduXaOSrHaBFHQ4GIpYP/62FFTj3ZTI +vSYV1pQg2qI2ngCzM0nCZAnqdz1tbT4hM5m+/TyGU2c +-> ssh-ed25519 MSF3dg Akmp4NcZcDuaYHta/Vej6zulNSrAOCd5lmSV+OiBGC4 +qTxqVzTyywur+GjtUQdbaIUdH1fqCqPe6qPf8iHRa4w +--- uCKNqD1TmZZThOzlpsecBKx/k+noIWhCVMr/pzNwBr8 +r'Ƌs4˺AĥPL7` ) H-0AH5LQeH2bB޲CJG"-S\ H ssh-ed25519 HY2yRg xWRxJGWSzA5aplRYCYLB6aBwrUrQQJ2MtDYaD75V5nI -J07XF3NQiaYKKKNRcNWi9MloJD2wXHd+2K7bo6lF+QU --> ssh-ed25519 CAWG4Q jNWymbyCczcm8RcaIEbFQBlOMALsuxTl4+pLUi0aR20 -z5NixlrRD+Y7Z/aFPs6hiDW4/lp8CBQCeJYpbuG9yYM --> ssh-ed25519 MSF3dg QsUQloEKN3k1G49FQnNR/Do6ILgGpjFcw3zu5kk1Ako -IHwyFWUEWqCStNcFprnpBa8L5J6zKIsn+7HcgGRv3sM ---- oUia0fsL6opeYWACyXtHAu/Ld+bUIt/7S1VszYTvwgU -V*t2-7h&͢_!տ+(n (/}CNͷ|Nu5ù勚Kl"klOXyAe$ \ No newline at end of file +-> ssh-ed25519 HY2yRg s6iI9f25xulF4KXt+XY07kXXPKxXo7f2Ql/OTHN55Hk +WO4Fd2H9c+HL3+XhUF3BmEZVILlcchGxSrSmL2OEdGw +-> ssh-ed25519 CAWG4Q TBkdpx8k8K1NvW3wcvaF7omKFwEJ2DxWJp3tIOTjwCA +LcYgWRix23AQnw0OQ7f8+8S3J84CHUElX1vKZSETiLE +-> ssh-ed25519 MSF3dg WzrF8kjTP7BXXDjmUp7kPCKguthAW12RPo6Vy2RMmh4 +8C3mT9ktudCTANDxhyNszUkbeDG6X4wOJdx825++dYM +--- /w3YQ2UeTi67H1JR0GsdPz2KoLN2Y7BIZfFY+//AWjY +ӣ-`P@ބ)99l ZfV?I>΍w鉐 z40 2{i@ZxAHn% ʤ/WĔl}&얶(KSoz=d \ No newline at end of file 
diff --git a/secrets/ipmi.yml.age b/secrets/ipmi.yml.age index ec99e58f0e378b4bc7c7cdf61e3e3f668d1aa412..0240478155d4e35f1b1d58c328dff89f63e38fc2 100644 GIT binary patch delta 1136 zcmZ3$xqx$mPJLO4X`)k+VQzjwT0vE$PgbC-fxCIQc9prlSGtjE%p-YreK!s~?np>D@wu@UHVc zAr*cZrYT|Ok(quGX{otcUV*9M{=rTera=bv;l@#+9x0CbTs@ZxJsAYu&R95r0N11!i(; z+F4$P=?}CTOl9LXU*wNB_mm6VH*X?;TSi{FYfID1Cn|CNu6-U#OeSj{Y%h6q+qpWi zY<+{l%0m;sn{U2(tG;26{-%dcs~czBvGjJzY|7B7a27Q5KCvbyDb(gt#a;$2e$ ztrq@CQet8)xg-PVDWzaIQYo(JKC&an19|*L2q&U@>2Heo{!S$ZiU&;MGzoDJGOMPjUs<`jbXqQw)|HkFznva|J9hS?T5|vv$P0yutiG#wIiM9a$)ap|J delta 1136 zcmZ3$xqx$mPJMcYae!w|S$UbcetLPKr(?KRMW~TekiKb!VR(vDfR}!$ab!SdL}r#@ zF_(pNK&pYIafq*5idj;6SYWcFbBR-sWu8YyS)g}*Xn|!$sGo_UvqwQ#I+w1ULUD11 zZfc5=si~o*g0o||yGfuzZb)K@vxkwlWv)*|X>N&Spj%R;VMLW-QiWf>g`=slQFf%4 zNm{94x}kA7m$P$9kaJRUjz?I8n^}N~mw7;lZ(y2%x0il?wo#g8grk$Eaal-dVTxJ# z#E;_jPNBuA7E!JSQ30+QrWP(P#`-}SK0fXh;g(sxrcv(ZnNiLbk!9(I6)uiku1PLs zjzQWHLAe$F5jn0dW#;Z-7I|UjF5W&Rk;WNG2HHhQ?twvJ0bUkdy1KdwfvII-+Eo=r z<(`FRK^5L*29B17kr82)NvWO&rQv}o232A8r5@o`dHR{jTy9QlpDWyvKa|7W#{Ny` z@WJiYCej)IKKgv?ES9Lx``hJ|KNcGWpQ9m>GK8 zBFoRl_6eNGR^Z88?x$xZt*Q{CE!2B;^Q2=hgcp@%*&eytWEb&c^ESgMkqO@>%J(en zn09#Pz5xF(t&a;$6WSY|NU(flSE+mTdYv1u=Z1zyU)J5os6Q1fzV=p)ueVdO?~-r3 z>dt2IIutB8Y+#eV*7M)$s{R`qjIY>}Dr?W$KWh5kC-sHVWrtO@@WLO9*YYoa=%{3* zrd++X_`;Nys#YDW zF7IoTolE6!q+i{wxxBMpe$Vf0$N9%%=Y2gTe>0S|U)W;(;ac|xpC_LB-*3Dj&oe@M zW$2yk=GAd-+p?z@O#Q2VQ{;AK(NpvH&-drQ5agP3?f%K?^6R%gO{f)FX7g#Qs9BGE zamC96Yxy4S&@Jmr6uUQ(^R&u4fyh?dR+f~dL$#c8?>rU0PdS_Uq zB(u)D+{+s1a`JXv{JxdRO7;cs*5^+S`hKj^Z|Cl8)z(*X6WPpd`=c0Nh1zpmx;cld z+CQVe_9$<>P=^=q^x*qElAJG&BugL5D$U4{E1S&lSL%}8r?1)}OVbYTw|3Q2Ki)I- z>FN--lOpo>*d-H^7+gvwt?uqvs;Bs@KD2haRuKc^2M=@pYfsZ>yk8Vuk-X~tlNCWH zj+{BS^@HZm>do`t@jk9U#O}X$?i(4&FSiAhbN+Un)O(`lKD*T7#4(ncT|XaOaLs94 zF=y+wXz2-p&vu9YzxI3C>&H(2>n@AT@L}Bc@PP9Y(fp(DmwPOkczMT9_SfB;|Hb86 qoi{G=l<#Q#W)jQ#Nq&{%m&b>f^*97yo_Oei0n1x)af8Vf<(&Y7vib-B 
diff --git a/secrets/jungle-robot-password.age b/secrets/jungle-robot-password.age index 7b8cd84284e84acf2ffa496148466fc590495dc0..3e7053e43ff829c030a2e63a36e7b764bf5a5324 100644 GIT binary patch delta 422 zcmcc1e3yBGZoOksu~S}{MZS-7xO0GWa9U}UrLjv@N_e@mskUKYNU>*FesD!bh=q|S zS8_^ngmY?Oa;1BeyQf7}aE4))k8h<@W_D^$rgn0fe!69mg{f&tX;pSIm#&>cadC!j zYKoDmsiCEUvtzisNuWZxewkUeo4!k8P+3Y=u%%m&n`@YplV5IthkJg7bGTQ5U#Lf_ zp=DHQu5mG!iLpsop}Dz{hjEyXTb74Gc~HJrq+yw_dzgz;q>)L9o4;jFzJI7`ZbtUR zkK*;7X*r=0d1hhGIbOcGd8s++IYuS9A;#v35$*xu0qG@aAxQ=9i8<+hZjM~VPQHEy zF7772sX38`m97>3`GKZc!IoheNs(q*&VFu&E)`i>W)n6 zz9ojvvNX{j`4$O!I=mxGwKF+_H1Qi&Dqn2!=Yp6&0)64_tS>bVZY~ S(eF%4;o5^u*W&*C`wRfPW|@}& delta 422 zcmcc1e3yBGZheJ;v1z5NU$Bd(w!W8hs8_0SrnX;JM7d)`NQhZxUY@&Uif^igf1a@g zmw%;)r;(pQh=H4NYKmh>Wx9K0xlgWls;jSmW=dJGc3NsiQD#wTky)54m#&>cadC!j zYKoDmsiCEUvtzisNuWZAi+{48bC$k^c}AsoRj9s2m8-K+RBmyipGQTMe_~LOcBxN5 zPK8T=c1SXpVSZF#QD#t*b9RMehDBaxWtOpVhDC&LP`G|#c$%e|xk<9SMWl&~xs&U} zkK*-4u921A1?9=5{z0K3q3Iq48384QVZj-O{`w^mRVI$+E@>WtzLBL#Ar@Q~rIG0Y z!REnc+Fp4Ek(L?Sk*)z|`KG=GnQjFJX<;ErNg3H5z8Oj7$)Q}jy1EJxMm~iWW$s2^ z9$xM#Imsbe8LpMN`6d;9o)yN9;hD~kRhD6;WqFoP&dHHnZ2$Qt`FU#Ft(?rTR@3V6 zJoa^eoeW);tTQbBaBX(L!UfX}{B&J}=PzK}r+Hs$!M)ut+3RJeoNL|L<^Iy6OJTba SM@tLiiQ7jeelbtnBn1EqW0Eoe 
diff --git a/secrets/munge-key.age b/secrets/munge-key.age index ce50c123cb06c52273d098937b9cb0072650ee4f..372d152b06ca8631f5451961dcf19d14fba0aa44 100644 GIT binary patch delta 1816 zcmcb{|AKFVPJK~nSh!_mm`_AzaAjDauUDu~P-<>^RhVy3P=QlOSekQws&{x$X;QX9 zK9^s)c|b;pOKPx5QC^6#p=VTfRzPUEet4osxvOu6uX%_`iiK}@j-h{YGMBEMLUD11 zZfc5=si~o*LUFodVy>ftk#nSBNM*50slTCtbErvLqFY5~VwHJTc%gS%NOD1nS&o;F zOK@h9mtl4~SFoe2WvY*Np?Ru%T0~K@e|V{OQbBQLaj3SVsY{h>X<<-6RY_!?bEHS{ z#E;_PC6+}lp_V2E!9gAtzUd{-A!gaB5h+zAE)l`zrY7EHQO2c(c}~gZA(h!&p)N+r zVJ5~Ix!!q!!DafnX2JfBm7#%|j>$n~DcZSd<>6sYnV|;RMJ}F`;~B-nE&R$#Jwo!e z^ZY}MovT7p9Yc$qD?D>tyd%>*9mBj`O3ZWf5}hJl%t8XWvckV1vk%jIw0Eur#OASTgWZf%(iKv@yvieU{enu}Ju4#I)0`dM^}W;5vqH?0wF}C$i>tIN z>%B|U%stF1!d$sLlifq30{l~|yhB5ay?sm5jY7?H^aHEROr7(*(_Jz>i?nkRQ!>J{ zjf=T-b#)b-48j95+%qim0s?}=%nZ^zObT)>68$|Qqx>u@3=DIsDtszZ{Bp8f3W~X& z{<-t1Gvw=0<9?$xZx+4_I`RC6){mSDw&?mVsmDDx^5joCdUi^IibTu?N3Pj3)i{d- zmCxtZZ)M+*Gof;o#H5fjHfxf)E7C1?h!l8<?ht~Ffcd1p%ct0Nyig--kw7xZ*lW3I=mgV$v`RyURQ8?NN` z6;)+^THm`hjp3iWl(KX3wv(RW<&GOw^0%v8OAvn{75jf(eYUKTsp{63vH92gIjxqS z@{VzkQr8#ns7PiL3yhN&{JgsDo%NrS6*oWleqU#z6x6YH!;w1{zBzkW&AG%_ZDwQq z(tC1PSjr~#JI3z%i~c{BHg_&XQ1T!hoi`&yN-ojc)Pxz+8xd+8?;Lz-X>FD;#~czExR^lY>J3|Y~Fk$aL%^tfdxD#qjnu; z)hYgGxa(J0^mI?pNAJ71 zjQ%fKas19txvy3SAC*4QGgslCDl=)zx4GRDPfajC)%kDMzLzZ1H{QFy_Q?FgpLxfx znA8UeNmv~VWeS`BO5$(JKJg!oXP1fI_CE2&?Vjer>8z7J<^6igvFYfKpnAy}c6(MA zKELnlWfb_h>rEt=?`_>Dr_F3`zp(swYpSHSnfG3^i&L!TD&G%xSZZ_q%0ur78q^S^iHOIhySL((m3EArl>=^>5 zxaoyX-t|5+F#AaCDn+l#&iO{?_hu;7uYDAnZhhuO+Oe65i>C2L#RuQLVg7Q}($j^3 z88Q844Fy?ICDRXoO}A;g9Jh0S-2QFfQg*Wl9)5l^{Rsc+NzGkPc)qni`>DYen?Pd z{$F|9aFgJ>GzN32Bsu+$&y9rj6@*r1J71R-Kj~2!;TJY<`wORt&2~e1Xh^3N2GU5s4&^${3GQb%l{r1%N>t)PPuy4cx}fco#r^>2WKaFUih`@b)Jo( zFzY+pwBsv8{Z&}RryA$4`?hY~juidhDz9f8(S7>(#r|ps(S&|RBc0<@miVt;FIubh ieO-@$%!6Niua5?;s^Hh(@%6@w8g2F5!;AQmmAe4~EDP}f delta 1926 zcmaFCca497PQ9x~M4nSwM1)U-S*d=mg>Q0DMNnQe?UTS(-l)h_XVxV(+Ub?Aextp7jZ&9ZmS=Iemy<_kMOt27il3vSkBfh1MPOq7 
z#E;_P!LHe9o}RgxktW^+X~u~@hEW;Lj^UNs+Kwd_PF4N}W)&vsu7*x-l{wj5=E;#> zDG}i%RhebsL74%*720LSKH(X@-hs}p{$2%XMH%kluI^z@QTdUR;~B-n104%oe0)>W z&D?WJ9i3cCaxIFzJS+TClMTErLxMt#jWb=0U46p6^D{lUObc>zi~R!)JqwG%%ZiEv ziZcwe{1Zb>ydy#j0>WGk%9Dc3JuAHn@>~rjpJf!UcQW%2D$4W;42(*O2r7=$4@)*o zD|B)8G)~E|Fpf$~ad-1{FGM zvJl6N%&bDcsM74HfN=9*PcGlG^ziJm0E1lP6yu7hic*UzQ?Jb6s-n#N;Ph1g%z`A} z2=9;x%gRU>S9I%~9mCyC0u@qS49YXJD?Cio3tT+2!$VB6wDa^+48678Bhr1%GK!r- z>%+sGN(-}#!d4t4R%E%5em4f81S zugK>LHO$B}2=J^gj!bna!WQS%P?}R3^(%R($&>f zNXqpnG;lMpH1^X^_DxT7O^zt43et8=&Cd@s3Qlq?u}DnucP|Yri^xyrGUMOdYu8;W zcJ6;&n!$o4v#-d`)9zhsaCGUJ%a$jZ9fJNw&zdqjq4rnAwfcqXFHEd{8^uqWD9u;I z`oemaU>bmEaC&s_$aOzEcE7ONj@_z() zg#QL+%yBvGn6+<@W1mUCRjuQOg~v7Juf6*ED6G?P&lKAphl?9@nLfnst>pRWa*=V~ z;-joT-G8i7Ex361w5-Tifg|E&bvp~f9-h#dclyIiA?q#s#6OB3-SBhK@d*m`yH2tl z5J;@rk~HQ2-B+h?YxBpyc(;b{Re(Xmvpuss=Er_GH!D1N(aJQ%=$2!DqQBqWJ*Ab4 zMKj$jWXiS6QBvnhz8&g45+qR&)Mpg5^j7NQO0}v~f$raPdP^C&tG4og$emN^dUeJD z9>sNM`KG!lUNCRvXXQQacU@;A%MU}oH7xZ~>8DGZE$<1)UjG}vA*!V*2)o59ew(sTE)oTiJIxWsgPARo!Y%tRMbS|X9=oAyDtxR#yLQSKw5(^%S*xjB8?7zaxmoF=i_GGGO9H+zsXY!#`IKJInT5uiN*)qkhdDe>~kq#`PR$Bv41w<~Ie%)z<-j-G^1;bTbavH3QCj8}o zbNFS0_GRDYLN$}3IpY1F-71{DVMEHjbla_O{3S2ew$aHA?*J3QvJ$l=bzo{Ph5LOa_X!t(X&6ViWNBEyn5EunVV;BWKAypdtmv# z4`*&&D=AD)T$yu2n1#n>&vJ_szn49_aBD?Cf^!Pr>7R#f<5r#d@UT(msH<#J$@#mC zd4Wkh?rL9~CqInV3Vig|2m=VmF}GbSC6jHkruEv{ae^n+I3DeK*slW($=%< aFHSkdqO?m-h;!#8|L${N_m`~YHwFMy!YFG1 
diff --git a/secrets/nix-serve.age b/secrets/nix-serve.age index ecd0593eb5b92071f8dedb20f3aa0d1ba2646b05..a498056fcc84bf41240facabae6993a82932b2a8 100644 GIT binary patch delta 481 zcmbQnGL2<|PJLuph<1Kfnz^w@Sz2+Dmwv8(iJ3=uXogRoWks1^N=BriYe-08ieZ6K zAeWnenrTY0lVw;+ns!AN0FafenDAOxoK#*e}s0JK|rvDi?e6( z#E;_j!NJ8Y79~|hSy?7Ip?+?Dxm8&fkx53G5rv_~=BCL>DVeDrZvMso&K@RQ`W41* z`MyC#B_?L3e%|gOxvAlvrRJtCrCDLw$=*hm>B$EACP@(?X`Yc>y1Kdw`sMn0l_^D` z;St7Zexa^~Wfn%|o|Z07PKilDkTu*p=7F>B?e3VsxgJok) zLeT^}?#{VOjdXL=V!ql(?BD3Mruc;>_r3SAOskF7dhC@td3pw4$#SvK%$p3-a+3tI zzQ0adG4JTiwTX+unRCDXJhrL++Hy}F-kDKh_BxL*&yA?$UsA>2zhL6#iM)&cs44r2 bG(@@f=?ECJ#62-qoh!zgEc>bF-xdP^YoD%o delta 481 zcmbQnGL2<|PJK#xh(WSZvYVf)cW_0hpOIOTNqAX=pND0BiAPpWR9Ts?en6o`evxxf zK37(Xqo=wpn&oNQr-_vvWm& zVPdIsQGlTC{%J{G&Z*|X=6Q}09-;1u*_LH4If2DoW~IJq zkw(RtX+DvTDM^t*QEmZ=gR0NhOY4y1KdwP9Y&x`Ie>5 z;il;+c}7{jMa2;Y8NQj3$&MwZWmP#jQTiVB1={HbPDR;~T*vO8oO3?3wDL|6vzp*7 z0masdm$y8c>@2(O%*isb%h4gi`4_qC6V%GZ_{^^zf4cPZhU*1oz5*AHUfF!~uhNZa zF~Y4suDP~m95|5I@vih|>Hpe4uPtV?%ddWIdxN1PJ#mwti0qvlzMpfwCQn~@-v7># d3ku6#Jkt`$Eua1O?<@AFd)bd|^m@H$5&$o9x?}(V -- 2.49.0 From e51fc9ffa5a88c244565d3c290d9cd6cd2b72398 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Mon, 26 May 2025 13:41:36 +0200 Subject: [PATCH 07/10] Disable home via NFS in fox MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It won't be accesible anymore as we won't be in the same LAN. Reviewed-by: Aleix Boné --- m/fox/configuration.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/m/fox/configuration.nix b/m/fox/configuration.nix index e33afab6..24a3d2c9 100644 --- a/m/fox/configuration.nix +++ b/m/fox/configuration.nix @@ -2,7 +2,9 @@ { imports = [ - ../common/xeon.nix + ../common/base.nix + ../common/xeon/console.nix + ../common/xeon/net.nix ../module/emulation.nix ]; -- 2.49.0 From 4419f689480b1432a8b6b880a1b15eace4b0e646 Mon Sep 17 00:00:00 2001 
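Review bot: The `imports` list in m/fox/configuration.nix (PATCH 07/10) swaps `../common/xeon.nix` for three explicit modules without a comment saying what was left out on purpose. The commit message names only the NFS home mount; if `xeon.nix` pulls in anything else (its contents are not on this page), fox loses that silently too, which matters for a host about to leave the trusted LAN. I would add `# Not importing ../common/xeon.nix: its NFS home mount is unreachable from the UPC network` above the list and confirm that the rest of the difference is intended. The file continues below the hunk.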
From: Rodrigo Arias Mallo
Date: Mon, 26 May 2025 14:17:06 +0200
Subject: [PATCH 08/10] Update configuration for UPC network
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The fox machine will be placed in the UPC network, so we update the configuration with the new IP and gateway. We won't be able to reach hut directly so we also remove the host entry and proxy.
Reviewed-by: Aleix Boné
---
 m/common/xeon/net.nix | 4 ----
 m/fox/configuration.nix | 28 +++++++++++++++++++++++-----
 2 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/m/common/xeon/net.nix b/m/common/xeon/net.nix
index 09e83edf..dfd85f88 100644
--- a/m/common/xeon/net.nix
+++ b/m/common/xeon/net.nix
@@ -85,10 +85,6 @@
 10.0.40.8 eudy xeon08 xeon08-eth0
 10.0.42.8 eudy-ib xeon08-ib0
 10.0.40.108 eudy-ipmi xeon08-ipmi0 xeon08-ipmi
-
- # fox
- 10.0.40.26 fox
- 10.0.40.126 fox-ipmi
 '';
 };
 }
diff --git a/m/fox/configuration.nix b/m/fox/configuration.nix
index 24a3d2c9..29d8fe95 100644
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -4,7 +4,6 @@
 imports = [
 ../common/base.nix
 ../common/xeon/console.nix
- ../common/xeon/net.nix
 ../module/emulation.nix
 ];
@@ -21,11 +20,30 @@
 hardware.cpu.intel.updateMicrocode = lib.mkForce false;
 networking = {
+ defaultGateway = "147.83.30.130";
+ nameservers = [ "8.8.8.8" ];
 hostName = "fox";
- interfaces.enp1s0f0np0.ipv4.addresses = [ {
- address = "10.0.40.26";
- prefixLength = 24;
- } ];
+ interfaces.enp1s0f0np0.ipv4.addresses = [
+ {
+ # UPC network
+ # Public IP configuration:
+ # - Hostname: fox.ac.upc.edu
+ # - IP: 147.83.30.141
+ # - Gateway: 147.83.30.130
+ # - NetMask: 255.255.255.192
+ # Private IP configuration for BMC:
+ # - Hostname: fox-ipmi.ac.upc.edu
+ # - IP: 147.83.35.27
+ # - Gateway: 147.83.35.2
+ # - NetMask: 255.255.255.0
+ address = "147.83.30.141";
+ prefixLength = 26; # 255.255.255.192
+ }
+ ];
+ extraHosts = ''
+ 147.83.30.141 fox.ac.upc.edu
+ 147.83.35.27 fox-ipmi.ac.upc.edu
+ '';
 };
 # Configure Nvidia driver to use with CUDA
-- 
2.49.0
From 3a3c3050ef38192b569a62477e066ede3efd2ca1 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Wed, 28 May 2025 13:03:01 +0200
Subject: [PATCH 09/10] Monitor fox, gateway and UPC anella via ICMP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fox should reply once the machine is connected to the UPC network. Monitoring also the gateway and UPC anella allows us to estimate if the whole network is down or just fox.
Reviewed-by: Aleix Boné
---
 m/hut/monitoring.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/m/hut/monitoring.nix b/m/hut/monitoring.nix
index 7042c913..dd3893a6 100644
--- a/m/hut/monitoring.nix
+++ b/m/hut/monitoring.nix
@@ -169,6 +169,9 @@
 "8.8.8.8"
 "ssfhead"
 "anella-bsc.cesca.cat"
+ "upc-anella.cesca.cat"
+ "fox.ac.upc.edu"
+ "arenys5.ac.upc.edu"
 ];
 }];
 relabel_configs = [
-- 
2.49.0
From 9f43a0e13bad3528f0b15ef2a23546803b5bfdf2 Mon Sep 17 00:00:00 2001
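Review bot: The `networking` block in m/fox/configuration.nix (PATCH 08/10) moves fox from the private 10.0.40.26/24 address to a public one, but no line in the hunk states the firewall or SSH policy for that new exposure. PATCH 01/10 removed the `pam_slurm_adopt` account rule on sshd and PATCH 02/10 dropped `../module/slurm-firewall.nix`, so whatever still restricts inbound access presumably lives in `../common/base.nix`, which is not on this page; I would make it explicit here with `networking.firewall.enable = true;` and a comment naming the ports meant to be reachable. The comment block also records the BMC address, so it is worth confirming that the IPMI interface is reachable only from a management network. A smaller point is that `nameservers` lists a single resolver, and a second entry would keep name resolution working when `8.8.8.8` is unreachable.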
From: Rodrigo Arias Mallo
Date: Mon, 2 Jun 2025 07:55:11 +0200
Subject: [PATCH 10/10] Remove fox monitoring via IPMI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We will need to setup an VPN to be able to access fox in its new location, so for now we simply remove the IPMI monitoring.
Reviewed-by: Aleix Boné
---
 m/hut/monitoring.nix | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/m/hut/monitoring.nix b/m/hut/monitoring.nix
index dd3893a6..db5f49fb 100644
--- a/m/hut/monitoring.nix
+++ b/m/hut/monitoring.nix
@@ -267,17 +267,6 @@
 }
 ];
 }
- {
- job_name = "ipmi-fox";
- metrics_path = "/ipmi";
- static_configs = [
- { targets = [ "127.0.0.1:9290" ]; }
- ];
- params = {
- target = [ "fox-ipmi" ];
- module = [ "fox" ];
- };
- }
 ];
 };
 }
-- 
2.49.0