2025-06-02 11:28:55 +02:00
14 changed files with 57 additions and 71 deletions
--- a/keys.nix
+++ b/keys.nix
@ -9,11 +9,12 @@ rec {
    koro  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67 koro";
    bay   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
    lake2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
-    fox   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDa9lId4rB/EKGkkCCVOy0cuId2SYLs+8W8kx0kmpO1y fox";
+    fox   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwItIk5uOJcQEVPoy/CVGRzfmE1ojrdDcI06FrU4NFT fox";
  };
  hostGroup = with hosts; rec {
-    compute    = [ owl1 owl2 fox ];
+    untrusted  = [ fox ];
    compute    = [ owl1 owl2 ];
    playground = [ eudy koro ];
    storage    = [ bay lake2 ];
    monitor    = [ hut ];
--- a/m/common/xeon/net.nix
+++ b/m/common/xeon/net.nix
@ -85,10 +85,6 @@
      10.0.40.8               eudy xeon08 xeon08-eth0
      10.0.42.8               eudy-ib xeon08-ib0
      10.0.40.108             eudy-ipmi xeon08-ipmi0 xeon08-ipmi
      # fox
      10.0.40.26              fox
      10.0.40.126             fox-ipmi
    '';
  };
 }
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@ -2,11 +2,9 @@
 {
  imports = [
-    ../common/xeon.nix
+    ../common/base.nix
-    ../module/ceph.nix
+    ../common/xeon/console.nix
    ../module/emulation.nix
    ../module/slurm-client.nix
    ../module/slurm-firewall.nix
  ];
  # Select the this using the ID to avoid mismatches
@ -22,11 +20,30 @@
  hardware.cpu.intel.updateMicrocode = lib.mkForce false;
  networking = {
    defaultGateway = "147.83.30.130";
    nameservers = [ "8.8.8.8" ];
    hostName = "fox";
-    interfaces.enp1s0f0np0.ipv4.addresses = [ {
+    interfaces.enp1s0f0np0.ipv4.addresses = [
-      address = "10.0.40.26";
+      {
-      prefixLength = 24;
+        # UPC network
-    } ];
+        # Public IP configuration:
        # - Hostname: fox.ac.upc.edu
        # - IP: 147.83.30.141
        # - Gateway: 147.83.30.130
        # - NetMask: 255.255.255.192
        # Private IP configuration for BMC:
        # - Hostname: fox-ipmi.ac.upc.edu
        # - IP: 147.83.35.27
        # - Gateway: 147.83.35.2
        # - NetMask: 255.255.255.0
        address = "147.83.30.141";
        prefixLength = 26; # 255.255.255.192
      }
    ];
    extraHosts = ''
      147.83.30.141   fox.ac.upc.edu
      147.83.35.27    fox-ipmi.ac.upc.edu
    '';
  };
  # Configure Nvidia driver to use with CUDA
@ -56,20 +73,4 @@
    wantedBy = [ "multi-user.target" ];
    serviceConfig.ExecStart = script;
  };
  # Only allow SSH connections from users who have a SLURM allocation
  # See: https://slurm.schedmd.com/pam_slurm_adopt.html
  security.pam.services.sshd.rules.account.slurm = {
    control = "required";
    enable = true;
    modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
    args = [ "log_level=debug5" ];
    order = 999999; # Make it last one
  };
  # Disable systemd session (pam_systemd.so) as it will conflict with the
  # pam_slurm_adopt.so module. What happens is that the shell is first adopted
  # into the slurmstepd task and then into the systemd session, which is not
  # what we want, otherwise it will linger even if all jobs are gone.
  security.pam.services.sshd.startSession = lib.mkForce false;
 }
--- a/m/hut/monitoring.nix
+++ b/m/hut/monitoring.nix
@ -169,6 +169,9 @@
            "8.8.8.8"
            "ssfhead"
            "anella-bsc.cesca.cat"
            "upc-anella.cesca.cat"
            "fox.ac.upc.edu"
            "arenys5.ac.upc.edu"
          ];
        }];
        relabel_configs = [
@ -264,17 +267,6 @@
          }
        ];
      }
      {
        job_name = "ipmi-fox";
        metrics_path = "/ipmi";
        static_configs = [
          { targets = [ "127.0.0.1:9290" ]; }
        ];
        params = {
          target = [ "fox-ipmi" ];
          module = [ "fox" ];
        };
      }
    ];
  };
 }
--- a/m/module/slurm-client.nix
+++ b/m/module/slurm-client.nix
@ -43,13 +43,11 @@ in {
    clusterName = "jungle";
    nodeName = [
      "owl[1,2]  Sockets=2 CoresPerSocket=14 ThreadsPerCore=2 Feature=owl"
      "fox       Sockets=2 CoresPerSocket=96 ThreadsPerCore=1 Feature=fox"
      "hut       Sockets=2 CoresPerSocket=14 ThreadsPerCore=2"
    ];
    partitionName = [
      "owl Nodes=owl[1-2]     Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
      "fox Nodes=fox          Default=NO  DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
    ];
    # See slurm.conf(5) for more details about these options.
@ -77,7 +75,7 @@ in {
      SuspendTimeout=60
      ResumeProgram=${resumeProgram}
      ResumeTimeout=300
-      SuspendExcNodes=hut,fox
+      SuspendExcNodes=hut
      # Turn the nodes off after 1 hour of inactivity
      SuspendTime=3600
--- a/secrets/ceph-user.age
+++ b/secrets/ceph-user.age
--- a/secrets/gitea-runner-token.age
+++ b/secrets/gitea-runner-token.age
--- a/secrets/gitlab-bsc-docker-token.age
+++ b/secrets/gitlab-bsc-docker-token.age
@ -1,11 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg WSdjyQPzBJ4JbzQpGeq1AAYpWKoXmLI1ZtmNmM5QOzs
+-> ssh-ed25519 HY2yRg XPOFoZqY+AnKC77jrgNqAm1ADphurfuhO4NRrfiuUDc
-qGDlDT31DQF1DdHen0+5+52DdsQlabJdA2pOB5O1I6g
+iCfMMpGHyaYHGy6ci8sqjUtcPeteLlyvLGEF79VPOEc
-> ssh-ed25519 CAWG4Q wioWMDxQjN+d4JdIbCwZg0DLQu1OH2mV6gukRprjuAs
+-> ssh-ed25519 CAWG4Q 6OsGrnM+/c5lTN81Rvp166K+ygmSIFeSYzXxYg25KGE
-670fE61hidOEh20hHiQAhP0+CjDF0WMBNzgwkGT8Yqg
+Av1zTw2zK4Gufzti9kQaye7C362GCiDRRHzCqBLR33g
-> ssh-ed25519 MSF3dg DN19uvAEtqq4708P6HpuX9i/o/qAvHX6dj69dCF2H1o
+-> ssh-ed25519 MSF3dg 8CHqJ7mEDvjvqbmF+eE6Em1Wi6eHAzEUpiExC1gm7S0
-4Lu9GnjiFLMeXJ2C7aVPJsCHCQVlhylNWJi896Av92s
+bdwzYHw3RAbdHq+RsiFUP++sQ586VUlSnAzAOhiQUjI
--- 7cKBwOYNOUZ2h3/kAY09aSMASZSxX7hZIT4kvlIiT6w
+--- gA5XSUfjUBol938sC5DbUf8PvQUIr2pNkS2nL95OF9c
-³6—çà•äfQF5=¦bX+‡v e`Ï7/øªA~PÎÖÑ¦7<15>Ì
+ý‘îEa1G7·ŠÝ©[R¥€\{~$GoðcQœwKP&²»Üw«›Ç6]
-´ÖA÷)·h³ù=oZ¸$é^´V0ñ/Ü…µr
+¤ÙÑ£ó”€À÷ç^zôÌ„ 1k·í‘Üìì<C3AC>Y»<59>2Íp§2¼ÜKîÒäŒnokî°ž¹/X¾Âpt''±Ú$0co=“Ø
 k¸uœbÄ¶:R‘<52>>^gŒõ¼ik_*%<0B>a7ùKGæ<47>ÐÖçâ&PI¶£n
--- a/secrets/gitlab-runner-docker-token.age
+++ b/secrets/gitlab-runner-docker-token.age
@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg GdmdkW+BqqwBgu30b846jv3J7jtCM+a3rgOERuA050A
+-> ssh-ed25519 HY2yRg pXNTB/ailRwSEJG1pXvrzzpz5HqkDZdWVWnOH7JGeQ4
-FeGqM75jG9egesR+yyVKHm0/M+uBBp5Hclg4+qN0BR8
+NzA+2fxfkNRy/u+Zq96A02K1Vxy0ETYZjMkDVTKyCY8
-> ssh-ed25519 CAWG4Q a0wTWHgulQUYDAMZmXf3dOf6PdYgCqNtSylzWVVRNVM
+-> ssh-ed25519 CAWG4Q 7CLJWn+EAxoWDduXaOSrHaBFHQ4GIpYP/62FFTj3ZTI
-Bx+WSYaiY4ZwlSZJo2a1XPMQmbKOU7F0tKAqVRLBOPo
+vSYV1pQg2qI2ngCzM0nCZAnqdz1tbT4hM5m+/TyGU2c
-> ssh-ed25519 MSF3dg KccUvZZUbxbCrRWUWrX8KcHF6vQ5FV/BqUqI59G7dj4
+-> ssh-ed25519 MSF3dg Akmp4NcZcDuaYHta/Vej6zulNSrAOCd5lmSV+OiBGC4
-CFr7GXpZ9rPgy7HBfOyiYF9FnZUw6KcZwq9f7/0KaU8
+qTxqVzTyywur+GjtUQdbaIUdH1fqCqPe6qPf8iHRa4w
--- E0Rp6RR/8+o0jvB1lRdhnlabxvI6uu/IgL2ZpPXzTc8
+--- uCKNqD1TmZZThOzlpsecBKx/k+noIWhCVMr/pzNwBr8
-Ã»#ã¶H÷$°F;Ñéù%›È6êË2†¢rfXŸ\Dn ÖÑˆºÈ‰©x™Î>¥Ù&;÷c‘UŠI=›ÑMöÀª?Tœ¡Ç¸ÂÂ"px†Ó\s‚ÙãbFý<46>ù¹WD¼{Ë
+r'ÖÆ‹s4íËºÐAÄ¥„PíLù‘7`	â—š)HŽ“-ú0ÓAHŽ5ÇÁ€ñL®QeÍÌH2bÒƒBÞ²óCJG¯"-SÝÊ\åÎþH<nðV
P³á~øtÃ=vçqÂ\šNA0£Ñ:
 AW>?U©ÙÊçÐHÔ³
--- a/secrets/gitlab-runner-shell-token.age
+++ b/secrets/gitlab-runner-shell-token.age
@ -1,9 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 HY2yRg xWRxJGWSzA5aplRYCYLB6aBwrUrQQJ2MtDYaD75V5nI
+-> ssh-ed25519 HY2yRg s6iI9f25xulF4KXt+XY07kXXPKxXo7f2Ql/OTHN55Hk
-J07XF3NQiaYKKKNRcNWi9MloJD2wXHd+2K7bo6lF+QU
+WO4Fd2H9c+HL3+XhUF3BmEZVILlcchGxSrSmL2OEdGw
-> ssh-ed25519 CAWG4Q jNWymbyCczcm8RcaIEbFQBlOMALsuxTl4+pLUi0aR20
+-> ssh-ed25519 CAWG4Q TBkdpx8k8K1NvW3wcvaF7omKFwEJ2DxWJp3tIOTjwCA
-z5NixlrRD+Y7Z/aFPs6hiDW4/lp8CBQCeJYpbuG9yYM
+LcYgWRix23AQnw0OQ7f8+8S3J84CHUElX1vKZSETiLE
-> ssh-ed25519 MSF3dg QsUQloEKN3k1G49FQnNR/Do6ILgGpjFcw3zu5kk1Ako
+-> ssh-ed25519 MSF3dg WzrF8kjTP7BXXDjmUp7kPCKguthAW12RPo6Vy2RMmh4
-IHwyFWUEWqCStNcFprnpBa8L5J6zKIsn+7HcgGRv3sM
+8C3mT9ktudCTANDxhyNszUkbeDG6X4wOJdx825++dYM
--- oUia0fsL6opeYWACyXtHAu/Ld+bUIt/7S1VszYTvwgU
+--- /w3YQ2UeTi67H1JR0GsdPz2KoLN2Y7BIZfFY+//AWjY
-™êVäœ*øtë2-Ÿ7·œ–Ž“§hÜ&‰éÍ¢_!Õ¿+”·±¯(‚ã¡nù¿	¬í(Ëê÷/}òœäáCúNÍ·|ÇNèuÎ5‰Ã¹å‹šKÀìlÆ"ÃØklOX¨yº÷æØàù¤¹ø²Aíõe„È$
+ŽÓ£-`PÝ@þ€Þ„‹Œ³)9®9l™ð‹ØZfƒÍV?I>Î<>Ÿwé‰<C3A9>¡z40 ³2{i@…ZÁîx¦±AHná%Ü×ÏÊ¤ÿ/W¶®Ä”¢løç–å}Æ&–ì–¶Ä(–ÂÐKªóÙS±Åo·z¨=Ÿd
--- a/secrets/ipmi.yml.age
+++ b/secrets/ipmi.yml.age
--- a/secrets/jungle-robot-password.age
+++ b/secrets/jungle-robot-password.age
--- a/secrets/munge-key.age
+++ b/secrets/munge-key.age
--- a/secrets/nix-serve.age
+++ b/secrets/nix-serve.age