From a7775f9a8d5532aaf0c9796dd71b7ab87f81aacb Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Thu, 12 Jun 2025 10:32:31 +0200 Subject: [PATCH 01/21] Add monitoring in tent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/blackbox.yml | 13 +++ m/tent/configuration.nix | 1 + m/tent/monitoring.nix | 187 +++++++++++++++++++++++++++++++++++++++ secrets/ipmi.yml.age | Bin 1294 -> 1563 bytes secrets/secrets.nix | 3 +- 5 files changed, 203 insertions(+), 1 deletion(-) create mode 100644 m/tent/blackbox.yml create mode 100644 m/tent/monitoring.nix diff --git a/m/tent/blackbox.yml b/m/tent/blackbox.yml new file mode 100644 index 00000000..d716359d --- /dev/null +++ b/m/tent/blackbox.yml @@ -0,0 +1,13 @@ +modules: + http_2xx: + prober: http + timeout: 5s + http: + follow_redirects: true + valid_status_codes: [] # Defaults to 2xx + method: GET + icmp: + prober: icmp + timeout: 5s + icmp: + preferred_ip_protocol: "ip4" diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix index 07b92449..14957553 100644 --- a/m/tent/configuration.nix +++ b/m/tent/configuration.nix @@ -6,6 +6,7 @@ ../module/emulation.nix ../module/debuginfod.nix ../module/ssh-hut-extern.nix + ./monitoring.nix ]; # Select the this using the ID to avoid mismatches diff --git a/m/tent/monitoring.nix b/m/tent/monitoring.nix new file mode 100644 index 00000000..e8b38dc8 --- /dev/null +++ b/m/tent/monitoring.nix 
@@ -0,0 +1,187 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + ../module/meteocat-exporter.nix + ../module/upc-qaire-exporter.nix + ]; + + services.grafana = { + enable = true; + settings = { + server = { + domain = "localhost"; + #domain = "jungle.bsc.es"; + #root_url = "%(protocol)s://%(domain)s/grafana"; + #serve_from_sub_path = true; + http_port = 2342; + http_addr = "127.0.0.1"; + }; + feature_toggles.publicDashboards = true; + "auth.anonymous".enabled = true; + log.level = "warn"; + }; + }; + + services.prometheus = { + enable = true; + port = 9001; + retentionTime = "5y"; + listenAddress = "127.0.0.1"; + }; + + # We need access to the devices to monitor the disk space + systemd.services.prometheus-node-exporter.serviceConfig.PrivateDevices = lib.mkForce false; + systemd.services.prometheus-node-exporter.serviceConfig.ProtectHome = lib.mkForce "read-only"; + + # Credentials for IPMI exporter + age.secrets.ipmiYml = { + file = ../../secrets/ipmi.yml.age; + owner = "ipmi-exporter"; + }; + + # Create an IPMI group and assign the ipmi0 device + users.groups.ipmi = {}; + services.udev.extraRules = '' + SUBSYSTEM=="ipmi", KERNEL=="ipmi0", GROUP="ipmi", MODE="0660" + ''; + + # Add a new ipmi-exporter user that can read the ipmi0 device + users.users.ipmi-exporter = { + isSystemUser = true; + group = "ipmi"; + }; + + # Disable dynamic user so we have the ipmi-exporter user available for the credentials + systemd.services.prometheus-ipmi-exporter.serviceConfig = { + DynamicUser = lib.mkForce false; + PrivateDevices = lib.mkForce false; + User = lib.mkForce "ipmi-exporter"; + Group = lib.mkForce "ipmi"; + RestrictNamespaces = lib.mkForce false; + # Fake uid to 0 so it shuts up + ExecStart = let + cfg = config.services.prometheus.exporters.ipmi; + in lib.mkForce (lib.concatStringsSep " " ([ + "${pkgs.util-linux}/bin/unshare --map-user 0" + "${pkgs.prometheus-ipmi-exporter}/bin/ipmi_exporter" + "--web.listen-address ${cfg.listenAddress}:${toString cfg.port}" + 
"--config.file ${lib.escapeShellArg cfg.configFile}" + ] ++ cfg.extraFlags)); + }; + + services.prometheus = { + exporters = { + ipmi = { + enable = true; + configFile = config.age.secrets.ipmiYml.path; + #extraFlags = [ "--log.level=debug" ]; + listenAddress = "127.0.0.1"; + }; + node = { + enable = true; + enabledCollectors = [ "logind" ]; + port = 9002; + listenAddress = "127.0.0.1"; + }; + blackbox = { + enable = true; + listenAddress = "127.0.0.1"; + configFile = ./blackbox.yml; + }; + }; + + scrapeConfigs = [ + { + job_name = "local"; + static_configs = [{ + targets = [ + "127.0.0.1:9002" # Node exporter + #"127.0.0.1:9115" # Blackbox exporter + "127.0.0.1:9290" # IPMI exporter for local node + "127.0.0.1:9928" # UPC Qaire custom exporter + "127.0.0.1:9929" # Meteocat custom exporter + ]; + }]; + } + { + job_name = "blackbox-http"; + metrics_path = "/probe"; + params = { module = [ "http_2xx" ]; }; + static_configs = [{ + targets = [ + "https://www.google.com/robots.txt" + "https://pm.bsc.es/" + "https://pm.bsc.es/gitlab/" + "https://jungle.bsc.es/" + "https://gitlab.bsc.es/" + ]; + }]; + relabel_configs = [ + { + # Takes the address and sets it in the "target=" URL parameter + source_labels = [ "__address__" ]; + target_label = "__param_target"; + } + { + # Sets the "instance" label with the remote host we are querying + source_labels = [ "__param_target" ]; + target_label = "instance"; + } + { + # Shows the host target address instead of the blackbox address + target_label = "__address__"; + replacement = "127.0.0.1:9115"; + } + ]; + } + { + job_name = "blackbox-icmp"; + metrics_path = "/probe"; + params = { module = [ "icmp" ]; }; + static_configs = [{ + targets = [ + "1.1.1.1" + "8.8.8.8" + "ssfhead" + "raccoon" + "anella-bsc.cesca.cat" + "upc-anella.cesca.cat" + "fox.ac.upc.edu" + "arenys5.ac.upc.edu" + "arenys0-2.ac.upc.edu" + "epi01.bsc.es" + ]; + }]; + relabel_configs = [ + { + # Takes the address and sets it in the "target=" URL parameter + 
source_labels = [ "__address__" ]; + target_label = "__param_target"; + } + { + # Sets the "instance" label with the remote host we are querying + source_labels = [ "__param_target" ]; + target_label = "instance"; + } + { + # Shows the host target address instead of the blackbox address + target_label = "__address__"; + replacement = "127.0.0.1:9115"; + } + ]; + } + { + job_name = "ipmi-raccoon"; + metrics_path = "/ipmi"; + static_configs = [ + { targets = [ "127.0.0.1:9290" ]; } + ]; + params = { + target = [ "raccoon-ipmi" ]; + module = [ "raccoon" ]; + }; + } + ]; + }; +} 
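Review bot: The IPMI exporter override wraps ipmi_exporter in `unshare --map-user 0` and, to make that work, forces `PrivateDevices` and `RestrictNamespaces` off wholesale, so the unit regains all of /dev plus namespace creation just to reach one device node. A narrower grant is `DevicePolicy = "closed"; DeviceAllow = [ "/dev/ipmi0 rw" ];` in place of `PrivateDevices = lib.mkForce false`, which keeps the rest of /dev hidden while the udev rule already gives group `ipmi` access. The comment `# Fake uid to 0 so it shuts up` should say what actually happens, e.g. `# ipmi_exporter apparently insists on running as root; map our uid to 0 inside a user namespace (hence RestrictNamespaces=false) — this grants no real privilege`. Grafana is also enabled here with `"auth.anonymous".enabled = true` and is proxied to the public in the next commit, so pin the anonymous role explicitly with `"auth.anonymous".org_role = "Viewer";` rather than relying on the default.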
diff --git a/secrets/ipmi.yml.age b/secrets/ipmi.yml.age index e445aaed3f2865c4dac62c68d45c607eb37fea4b..02d1218774bb6ebfcbdcf14b93c3f410e9efa2b4 100644 GIT binary patch delta 1499 zcmeC(9$d~&9$s5!XPLpGtV<6*VEKBE!Wi0 zm&-86FFUEkEy}>W$}~LK*;C)UGRQJhJ1{w=JlD&`sGuOjIX$(qs>&lTluOr6p}06h zH#Nn`)YQ;Y!QIp+!n9n$&m*tG#k;7~-(0`Q%{eA314=^kC&x32*N2olC0qLC=vRa%=B1`O zdloDx`avrx}}g1Sk5ql^P^ETbOxN6}hAohU9oT z7ACox_?3i))u&b%=jD54MRJ`!lkc^A&VO#6KWC5a={y;y^!!AzqoCr84%bZu`&<5h zs_whJd+TwTZ~PsXd_G>2?3}&!96L+j4y}k-m;Nd+EZ|h=bi{|foxaDliG1sp8_gSljUc8!O)bYNB z&)rV+M{SGlwvCc4Tu0P+&7_6fCf||q>EOThWyRa?crO{q4!VvmdP9m%gpZY(@j zB{%DdN|Nu>+JkeQ5{@+7aIb$L^iA<$`StTF4om#pc!T%mq@aCw548V1b@TIudq;$B zWp+0G%E@?g*Y~S>%hwwILgxG1`07l~ITrhCU!MBKUv!r4RxZy#HPNWwiDC;+#UEro z|N9K{56x}q%B`$N4O5=K+0WOpI!mk3XMK8AL|cu@y}Ld4zL@>8n*X`*GBdBMa($g^ zgP{`LA~pb(zORrMs4&WYoU*=Xz1OJjlKoBMVeUr_ zY||GwXU5ix$=<&{%VY+3R^v?mE8lGI`EGn=QZ^~K^4Z~QmbSOpl(LyGX>PrLRM2Xc z`}9PwdCrDEPv^L7eC^_sCeZmavxYs{PeI_^lvIl)905|x6*u>+Fx3UW!tDbr4Zsoeq;fu3R9{9$g>b}LOZ0UD*Cu5hwQ2t)IleumwE3LKP z-nkj0pyZG$AEEu!weGj`jBmS}*TkCEPAxrj?^bA-Ucod~*A;f}ADuj-A$Q~XQq(ygS(Jk30`)XU8{#VuIdapFhu@DfYc zbjz^F07vZ&p>w*15d-0 z;K%|~XCLQeQ)lPGRP#jRoG?o_pU5&7=lm$`s<4RU$?=Th;cg`!1#YS4X@TJeZk4V9 zF2Ui386k=JA*DXruKJZp9*+6><&NPlmARqGT%|t6nVv=I#zu*55zc0L*&%6eKBeh~ zc}Bt7i3JAcDan@Z1y1g%8A%4&lg~1W*K4O4XH|MSxw&Neq@_lBdiezvyBT-z=d7HLZdyvxEkl?dKZ=iWt3HAxcg~4hox7gcyoaOvvmD(LH5IA$8;6#E%wM^=~zg_Rf=hB+Jgn??DhXXKlkdb?yK*M}4v zr}|Wcg>tE_kDbhEr1iY*%cE_-*4}-nd*gqCNL|#j%Yi9RR!!-idTaM-d+(+D8t>=* zYHNKri;HW;w@rp^8)bY&4@6o1lITCg{r3Aqw|A$t zwC29+zh``=KWBgDciB|4lQq#NTvvQ=$+4SSFB9hMH)AD-(wF&u^Wu4?tX#(}A$vb* zQ}x7(+f(zsTZ(=4*B+bLa<5O~!)Aw8h52(f?4Bfls46-5cFe3D(N8n>NVeK-YGTlm zdwxsNVng3P?R$JSi%RPaiiM|qVCP6^E#lsM>c@XyXWzo(TCw}0gSOpX{Arr2@dyR>3My1aai1^>Dv^-DdrUm608qU*wEF?|iF zs9t*AF#p~1M>7MNo-3DZ*cLMzpH57#Kfy- zCHcgF<(euBiOQ zJ4?d*e{pX!``1<-<&)d%C;iGx%-QQ8FM315^6j>If9v-FPFpIf*LsTgn7>ccOq`Rh zHOJMs)9~fvO>+E_9Xk&1IU4nMjY8@CN1=*3S@iq#NSo(tVuQ2o zb92j<70tL%rT5vM+m_7#^!0vG)~>gbY>9zPhvm;Y8rk3cy8FMf?vFgl#*-{s 
zFAs&Ohj`8FzCUqV-nZZbcJJow7f5ei`(w(#QtgNJKd&yhR;{vdYOBus4(F@c9705-xGK>z>% diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 58ec2d6d..30fe1dd7 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -2,6 +2,7 @@ let keys = import ../keys.nix; adminsKeys = builtins.attrValues keys.admins; hut = [ keys.hosts.hut ] ++ adminsKeys; + mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys; # Only expose ceph keys to safe nodes and admins safe = keys.hostGroup.safe ++ adminsKeys; in @@ -12,7 +13,7 @@ in "gitlab-bsc-docker-token.age".publicKeys = hut; "nix-serve.age".publicKeys = hut; "jungle-robot-password.age".publicKeys = hut; - "ipmi.yml.age".publicKeys = hut; + "ipmi.yml.age".publicKeys = mon; "ceph-user.age".publicKeys = safe; "munge-key.age".publicKeys = safe; -- 2.49.0 From a0d1b31bb6e71df2808813dffb5a16cbd7c076bf Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Thu, 12 Jun 2025 12:47:43 +0200 Subject: [PATCH 02/21] Add nginx server in tent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/configuration.nix | 1 + m/tent/nginx.nix | 54 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 m/tent/nginx.nix diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix index 14957553..c041683e 100644 --- a/m/tent/configuration.nix +++ b/m/tent/configuration.nix @@ -7,6 +7,7 @@ ../module/debuginfod.nix ../module/ssh-hut-extern.nix ./monitoring.nix + ./nginx.nix ]; # Select the this using the ID to avoid mismatches diff --git a/m/tent/nginx.nix b/m/tent/nginx.nix new file mode 100644 index 00000000..f67a5255 --- /dev/null +++ b/m/tent/nginx.nix 
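Review bot: Moving `ipmi.yml.age` from `hut` to the new `mon` group decrypts BMC credentials on tent, which later commits in this series turn into a public HTTP front and a CI runner host, so the blast radius of that file grows with each of them. That is a defensible trade for the `ipmi-raccoon` scrape job, but the group should say why it exists, e.g. `mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys; # hosts that scrape BMCs and need ipmi.yml`. If the file holds an administrator-level IPMI account (not visible here), a dedicated read-only user for the exporter would limit what a compromise of tent can do.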
@@ -0,0 +1,54 @@ +{ theFlake, pkgs, ... }: +let + website = pkgs.stdenv.mkDerivation { + name = "jungle-web"; + src = theFlake; + buildInputs = [ pkgs.hugo ]; + buildPhase = '' + cd web + rm -rf public/ + hugo + ''; + installPhase = '' + cp -r public $out + ''; + # Don't mess doc/ + dontFixup = true; + }; +in +{ + networking.firewall.allowedTCPPorts = [ 80 ]; + services.nginx = { + enable = true; + virtualHosts."jungle.bsc.es" = { + root = "${website}"; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + ]; + extraConfig = '' + set_real_ip_from 127.0.0.1; + set_real_ip_from 84.88.52.107; + real_ip_recursive on; + real_ip_header X-Forwarded-For; + + location /cache { + rewrite ^/cache/(.*) /$1 break; + proxy_pass http://127.0.0.1:5000; + proxy_redirect http:// $scheme://; + } + location /grafana { + proxy_pass http://127.0.0.1:2342; + proxy_redirect http:// $scheme://; + proxy_set_header Host $host; + # Websockets + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + ''; + }; + }; +} -- 2.49.0 From 7aeb78426e53fbb8d2edadf7840c9b93f30b2c66 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Thu, 12 Jun 2025 12:57:34 +0200 Subject: [PATCH 03/21] Serve Grafana from subpath MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/monitoring.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/m/tent/monitoring.nix b/m/tent/monitoring.nix index e8b38dc8..1bc0208f 100644 --- a/m/tent/monitoring.nix +++ b/m/tent/monitoring.nix @@ -10,10 +10,9 @@ enable = true; settings = { server = { - domain = "localhost"; - #domain = "jungle.bsc.es"; - #root_url = "%(protocol)s://%(domain)s/grafana"; - #serve_from_sub_path = true; + domain = "jungle.bsc.es"; + root_url = "%(protocol)s://%(domain)s/grafana"; + serve_from_sub_path = true; http_port = 2342; http_addr = "127.0.0.1"; }; -- 2.49.0 
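Review bot: The `/grafana` and `/cache` proxies pass nothing about the client upstream — no `X-Forwarded-For`, `X-Real-IP` or `X-Forwarded-Proto` — so Grafana's logs and any per-IP controls see every request as 127.0.0.1, even though `real_ip_header` just recovered the real address. Add `proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` to the `/grafana` location; the last one matters because this server only listens on plain port 80, so `$scheme` in `proxy_redirect http:// $scheme://` is always `http` here. `set_real_ip_from 84.88.52.107;` also deserves a comment naming that host — presumably the BSC front proxy terminating TLS — since it is the single address whose `X-Forwarded-For` is trusted.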
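Review bot: `root_url = "%(protocol)s://%(domain)s/grafana"` expands `%(protocol)s` from Grafana's own `server.protocol`, which stays at its default `http` here (Grafana listens plain on 127.0.0.1:2342), so links in alert e-mails and post-login redirects will point at `http://jungle.bsc.es/grafana` even when the site is reached over HTTPS through the front proxy; the later Gitea commit hard-codes `https://jungle.bsc.es/git/`, which suggests that is the case. If so, write `root_url = "https://%(domain)s/grafana";` explicitly. A one-line comment on `serve_from_sub_path = true` saying that nginx proxies `/grafana` without stripping the prefix would spare the next reader a trip to the nginx file.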
From ad9a5bc90637f78c408587f28899545c3d3d19a3 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Thu, 12 Jun 2025 13:17:26 +0200 Subject: [PATCH 04/21] Enable nix cache MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/configuration.nix | 1 + m/tent/nix-serve.nix | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 m/tent/nix-serve.nix diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix index c041683e..63f1f66f 100644 --- a/m/tent/configuration.nix +++ b/m/tent/configuration.nix @@ -8,6 +8,7 @@ ../module/ssh-hut-extern.nix ./monitoring.nix ./nginx.nix + ./nix-serve.nix ]; # Select the this using the ID to avoid mismatches diff --git a/m/tent/nix-serve.nix b/m/tent/nix-serve.nix new file mode 100644 index 00000000..35ccd728 --- /dev/null +++ b/m/tent/nix-serve.nix @@ -0,0 +1,16 @@ +{ config, ... }: + +{ + age.secrets.nixServe.file = ../../secrets/nix-serve.age; + + services.nix-serve = { + enable = true; + # Only listen locally, as we serve it via ssh + bindAddress = "127.0.0.1"; + port = 5000; + + secretKeyFile = config.age.secrets.nixServe.path; + # Public key: + # jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0= + }; +} -- 2.49.0 From 978087e53a7c423792523bb155616e606d759982 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Thu, 12 Jun 2025 13:18:01 +0200 Subject: [PATCH 05/21] Remove jungle nix cache from tent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/configuration.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix index 63f1f66f..8449b37f 100644 --- a/m/tent/configuration.nix +++ b/m/tent/configuration.nix 
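Review bot: The comment `# Only listen locally, as we serve it via ssh` no longer matches the deployment: the nginx commit immediately before this one publishes this socket as `jungle.bsc.es/cache`, so the cache is reachable by anyone who can reach port 80, not only over ssh. Replace it with `# Bind to loopback only; nginx exposes it under /cache`. Since nix-serve signs on demand whatever is in the local store with the key from `nix-serve.age`, anything that can write tent's /nix/store — local builds and the CI runners added later in this series — is implicitly trusted by every client that pins the `jungle.bsc.es:` public key; that is worth a sentence next to the public-key comment.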
@@ -28,11 +28,6 @@ defaultGateway = "10.0.44.1"; }; - nix.settings = { - extra-substituters = [ "https://jungle.bsc.es/cache" ]; - extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ]; - }; - services.prometheus.exporters.node = { enable = true; enabledCollectors = [ "systemd" ]; -- 2.49.0 From 27d4f4f272295c4f0a7208fd8639db65ab98fdf1 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Thu, 12 Jun 2025 13:20:29 +0200 Subject: [PATCH 06/21] Add tent key for nix-serve MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- secrets/nix-serve.age | 22 ++++++++++++---------- secrets/secrets.nix | 2 +- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/secrets/nix-serve.age b/secrets/nix-serve.age index 9ba631a9..2d142fbd 100644 --- a/secrets/nix-serve.age +++ b/secrets/nix-serve.age 
@@ -1,11 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 HY2yRg PJVi+uAtVYX0QDMUG5/Ip9OrvpUacDhmqWc/n3gLW30 -EkAFsA6KxxO6bAavRSyJ/faFTQnXqcI/+R1ZAujvmGQ --> ssh-ed25519 CAWG4Q 0JqMbIWUuT0kc/5hdUd4i4Qp41W1LpaiLS5Qz3qlVU8 -uTw5Xjr24vZ1uWeMjy/OVF5SR2EsTgREBF0L1sFEjR8 --> ssh-ed25519 xA739A Ssbmf6ra+Ov4YC9L0ygizkmwOg1GLztxfDQtNY/Y4G8 -rbGwoyinV9phgBqaOgMJeqFKyAFB1fb0hLWhf4mviGE --> ssh-ed25519 MSF3dg KcJlZUVuZaIAnnWxuXZmxZZ9v0whgVe9D3lqpR2GmEI -JND6nt2RWGT53gQp/rot2bXOpm3c4n/WPP4l5KJ/wFo ---- /C3CrTiYseZVwp0N4tMSOiAu49Mp/J6yUn3RUpfmqoc -ݙ0c^bX .7bǜ]CfYB;d∭3%?߭r2-՞'z]$[Sf%̜ŏ 0NM_d|bR~puԝ Aji{6ÊW+o \ No newline at end of file +-> ssh-ed25519 HY2yRg T/Qom1qxE0M+FuvsXD/KZ6Usfp6v3Xwx043kDgxbCz4 +6GRg0QjuHd2+d6lJfZqqPMPMjS91HEcJ/W0KRV6Et50 +-> ssh-ed25519 G5LX5w pzg0wK+Q6KZP67CkyZNYbNcahlq9SIuFN18H85ARykU +aDSrO49tg/a3GOAJR96lh803bXoZqp/G6VMiSvf91vw +-> ssh-ed25519 CAWG4Q X+F/6LF8VUUoV72iCLzKKpYGRDoUHuBy1E+yr29RKEo +c779vpt/fiN7n0kGAc5jA9fWkzCPrthlNZdN4p6csrk +-> ssh-ed25519 xA739A sbg087VKj/gcycV9JrBNCoCfB4kRMDSVo3EtfpRVDyg +Lv5ges1KmxGwvz4UPZCD0v4YN2ms2Q3wmrJ14XCKYsQ +-> ssh-ed25519 MSF3dg pCLeyeWYbnNWQwwlGcsKz0KZ4BaaYKCGjo0XOPpo+no +IsNxFoB2nTxyThJxtAxSA6gauXHGQJnVefs/K2MZ+DM +--- tgB3F+k1/PQt+r5Cz+FqH31hCZFvr0Y8uZVKkdA80yo +60.(s?68QIdgb`Az Date: Thu, 12 Jun 2025 13:25:43 +0200 Subject: [PATCH 07/21] Enable jungle robot emails for Grafana in tent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/monitoring.nix | 16 ++++++++++++++++ secrets/jungle-robot-password.age | Bin 587 -> 697 bytes secrets/secrets.nix | 2 +- 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/m/tent/monitoring.nix b/m/tent/monitoring.nix index 1bc0208f..e2ffd025 100644 --- a/m/tent/monitoring.nix +++ b/m/tent/monitoring.nix 
@@ -6,6 +6,12 @@ ../module/upc-qaire-exporter.nix ]; + age.secrets.grafanaJungleRobotPassword = { + file = ../../secrets/jungle-robot-password.age; + owner = "grafana"; + mode = "400"; + }; + services.grafana = { enable = true; settings = { @@ -16,6 +22,16 @@ http_port = 2342; http_addr = "127.0.0.1"; }; + smtp = { + enabled = true; + from_address = "jungle-robot@bsc.es"; + user = "jungle-robot"; + # Read the password from a file, which is only readable by grafana user + # https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider + password = "$__file{${config.age.secrets.grafanaJungleRobotPassword.path}}"; + host = "mail.bsc.es:465"; + startTLS_policy = "NoStartTLS"; + }; feature_toggles.publicDashboards = true; "auth.anonymous".enabled = true; log.level = "warn"; 
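Review bot: `startTLS_policy = "NoStartTLS"` right after `host = "mail.bsc.es:465"` reads as if mail were sent in the clear, when port 465 is the implicit-TLS (SMTPS) port and the setting only suppresses the STARTTLS upgrade; the pairing looks intentional but nothing says so. Add `# 465 is implicit TLS (SMTPS); NoStartTLS only disables the STARTTLS upgrade, it is not plaintext — confirm Grafana dials TLS on 465` above `startTLS_policy`, so a future move to port 587 does not drop encryption silently. The `owner = "grafana"; mode = "400";` on the secret is what the `$__file{}` provider needs; the explanatory comment sits on `password` six lines away, and would be easier to find on the `age.secrets` block itself.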
diff --git a/secrets/jungle-robot-password.age b/secrets/jungle-robot-password.age index af68a1b2dbc1f8ac9bb13b277a4174375cfdf0ea..a25102e933510c475bfb6ad9eef0c05adad3e44c 100644 GIT binary patch delta 626 zcmX@jvXga!PQ5`%fpe5;rKhp6WkGs?w|j=MhnGciUUr6ej&FWtWTtnJVQ#)*a#?n+ z0heo7Sb>*CUS+v{xTTYsX-K)LrDv9xvuQw*Noin&sgHYJRX}o@enx1q0hg|wLUD11 zZfc5=si~o*g1f0tglV}#WTK0scdDafXV$k#~`HzKfT>Nn&L& zx^>Qu;qE4Z3Yq%J1-{AtiBSa}=81*n#X2z29@QBo?(&Nj#XI&nT1t}d7+U7d6tfTL5WGF>A?|6t`k3shr5Ji zMik~bR~c6MrC0itScH}3`DcguxRj?Q8WegJggOP5TlyC37kYR&a+P~$1xH5uhq`)Y z2V@pkgqZpIg&U^kM`mklyE+#Y8)hb1mbykp6gvh+PL5|3ulLF=^D1_&2oDH1Niqux zF*C}oG6^qEt}u5ku5<|qOS3d|v@9sL)Gp5OI0!nFIptNW~adG0@fHa}nd>R#%dvqh3ER7Y^_lb@fW zb@%Q$v`cCQyG>~FtknLd&41qZyqI_5^X4{9wuXzWPurBz)}Nks>xJaDs6*<`09cFL Ad;kCd delta 496 zcmdnVdYWZ|PPkWKrg3FvRbFC-yP=0+WwC{6P>MlbdcM1HK~+&jiBooYd8T%xv$lJ1 zI#-xSdSXUJMW%mNZkl0bx_(NQNn}Y>fqSt@dO(Otv7w23hGB?)WT~%rhki%a#h%|dd`%p6Su-AzpmCZA;#uQy8!D2vST3GoSc4=cAc%gZqd3^z?QHuOlW zN(`{@%rDDMO-ZZB3-PZ^<}x>qtnkS7^f2(PD$x$kFe}LkD|0qC%y!Oq3-R>NPAb<_5ita9-&$SHOV^bIL6%y4lkFif+EOw7&q4fA#` z$}BO9%;%c$rsdB^^emnabr5U}QPG2_k(Nsw`-#+nk n%mx!{UBg4(9X)#=D6i9$X`H6Iu2ypLFVPYu5tr)tQ^qd Date: Thu, 5 Jun 2025 11:11:13 +0200 Subject: [PATCH 08/21] Add GitLab shell runner in tent for PM MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/configuration.nix | 1 + m/tent/gitlab-runner.nix | 41 +++++++++++++++++++ secrets/secrets.nix | 4 ++ secrets/tent-gitlab-runner-pm-shell-token.age | 13 ++++++ 4 files changed, 59 insertions(+) create mode 100644 m/tent/gitlab-runner.nix create mode 100644 secrets/tent-gitlab-runner-pm-shell-token.age diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix index 8449b37f..9a242ac4 100644 --- a/m/tent/configuration.nix +++ b/m/tent/configuration.nix 
@@ -9,6 +9,7 @@ ./monitoring.nix ./nginx.nix ./nix-serve.nix + ./gitlab-runner.nix ]; # Select the this using the ID to avoid mismatches diff --git a/m/tent/gitlab-runner.nix b/m/tent/gitlab-runner.nix new file mode 100644 index 00000000..aa1dbd55 --- /dev/null +++ b/m/tent/gitlab-runner.nix @@ -0,0 +1,41 @@ +{ pkgs, lib, config, ... }: + +{ + age.secrets.tent-gitlab-runner-pm-shell.file = ../../secrets/tent-gitlab-runner-pm-shell-token.age; + + services.gitlab-runner = let sec = config.age.secrets; in { + enable = true; + settings.concurrent = 5; + services = { + # For gitlab.pm.bsc.es + gitlab-pm-shell = { + executor = "shell"; + environmentVariables = { + SHELL = "${pkgs.bash}/bin/bash"; + }; + authenticationTokenConfigFile = sec.tent-gitlab-runner-pm-shell.path; + preGetSourcesScript = pkgs.writeScript "setup" '' + echo "This is the preGetSources script running, brace for impact" + env + ''; + }; + }; + }; + + systemd.services.gitlab-runner.serviceConfig = { + DynamicUser = lib.mkForce false; + User = "gitlab-runner"; + Group = "gitlab-runner"; + ExecStart = lib.mkForce + ''${pkgs.gitlab-runner}/bin/gitlab-runner run --config ''${HOME}/.gitlab-runner/config.toml --listen-address "127.0.0.1:9252" --working-directory ''${HOME}''; + }; + + users.users.gitlab-runner = { + uid = config.ids.uids.gitlab-runner; + home = "/var/lib/gitlab-runner"; + description = "Gitlab Runner"; + group = "gitlab-runner"; + createHome = true; + }; + users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 450c8282..ad1a4d0f 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -3,6 +3,7 @@ let adminsKeys = builtins.attrValues keys.admins; hut = [ keys.hosts.hut ] ++ adminsKeys; mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys; + tent = [ keys.hosts.tent ] ++ adminsKeys; # Only expose ceph keys to safe nodes and admins safe = keys.hostGroup.safe ++ adminsKeys; in 
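Review bot: `preGetSourcesScript` runs `env`, which writes the entire job environment — `CI_JOB_TOKEN`, registry credentials and every project CI variable not flagged as masked — into the job log, where anyone who can view the pipeline can copy it. Drop the `env` line, or guard it with `[ -n "$RUNNER_DEBUG" ] && env`, before this runner serves real projects. Separately, this is a `shell` executor with `DynamicUser` forced off, so every job from gitlab.pm.bsc.es executes directly as `gitlab-runner` on tent with a persistent `$HOME`; the block should carry a comment stating which projects are allowed to use it and that jobs share state between runs, since this host also holds the nix-serve signing key and IPMI credentials from earlier commits in the series.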
@@ -15,6 +16,9 @@ in "jungle-robot-password.age".publicKeys = mon; "ipmi.yml.age".publicKeys = mon; + "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent; + "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent; + "ceph-user.age".publicKeys = safe; "munge-key.age".publicKeys = safe; } diff --git a/secrets/tent-gitlab-runner-pm-shell-token.age b/secrets/tent-gitlab-runner-pm-shell-token.age new file mode 100644 index 00000000..19407895 --- /dev/null +++ b/secrets/tent-gitlab-runner-pm-shell-token.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 G5LX5w V9bHLoGuY4stRwbzVS9Qa0L9yoY+UoCoXc+dJJQW/Ag +2ut9GfdJ3KBCqZRaloZCQsl8MLfaZAZxqj6JtPJzu2k +-> ssh-ed25519 CAWG4Q OAqnIfMECpKglZ7aF9tv/PQinG1Ou2+IEZ+nf4dtQjg +dANdMLe4iI0d6Xd/dIMpZK+mgw2+VmJFQScHaIxD7WI +-> ssh-ed25519 xA739A nVNF4Y6VSa5PP6FFBJpVmoFYYseoFx5F2wJU+Pwk+Xk +A5CiuTSNlX9Y76qhYgblBdJl3zPhtjWho2oL5/sIKu0 +-> ssh-ed25519 MSF3dg /WMsGnBGzquIMyw06gHKpSS4OUxheulT59kxi+/pxxU +ppwcv7RLzUbQUM7j0Tb9rRVT9XyPMhqYr2fr4S0nTJY +--- zOe0Ko0oxArbmxePMPDVAT0pDju7IeOAih7sNrDcoVs +ikA +hODVw! E݈+`C5LAtM^ E<HI_nno?j- +AnԔί>ZzdTb"(@{_ځC \ No newline at end of file -- 2.49.0 From 7b108431dcf88565c9b6a0725786a3fa947f1f70 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Thu, 12 Jun 2025 13:49:51 +0200 Subject: [PATCH 09/21] Add docker GitLab runner for BSC GitLab MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/gitlab-runner.nix | 44 ++++++++++++++++++ secrets/secrets.nix | 1 + .../tent-gitlab-runner-bsc-docker-token.age | Bin 0 -> 628 bytes 3 files changed, 45 insertions(+) create mode 100644 secrets/tent-gitlab-runner-bsc-docker-token.age diff --git a/m/tent/gitlab-runner.nix b/m/tent/gitlab-runner.nix index aa1dbd55..447c5837 100644 --- a/m/tent/gitlab-runner.nix +++ b/m/tent/gitlab-runner.nix 
@@ -2,6 +2,7 @@ { age.secrets.tent-gitlab-runner-pm-shell.file = ../../secrets/tent-gitlab-runner-pm-shell-token.age; + age.secrets.tent-gitlab-runner-bsc-docker.file = ../../secrets/tent-gitlab-runner-bsc-docker-token.age; services.gitlab-runner = let sec = config.age.secrets; in { enable = true; @@ -19,6 +20,48 @@ env ''; }; + gitlab-bsc-docker = { + # gitlab.bsc.es still uses the old token mechanism + registrationConfigFile = sec.tent-gitlab-runner-bsc-docker.path; + tagList = [ "docker" "tent" "nix" ]; + executor = "docker"; + dockerImage = "alpine"; + dockerVolumes = [ + "/nix/store:/nix/store:ro" + "/nix/var/nix/db:/nix/var/nix/db:ro" + "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" + ]; + dockerDisableCache = true; + registrationFlags = [ + # Increase build log length to 64 MiB + "--output-limit 65536" + ]; + preBuildScript = pkgs.writeScript "setup-container" '' + mkdir -p -m 0755 /nix/var/log/nix/drvs + mkdir -p -m 0755 /nix/var/nix/gcroots + mkdir -p -m 0755 /nix/var/nix/profiles + mkdir -p -m 0755 /nix/var/nix/temproots + mkdir -p -m 0755 /nix/var/nix/userpool + mkdir -p -m 1777 /nix/var/nix/gcroots/per-user + mkdir -p -m 1777 /nix/var/nix/profiles/per-user + mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root + mkdir -p -m 0700 "$HOME/.nix-defexpr" + mkdir -p -m 0700 "$HOME/.ssh" + cat >> "$HOME/.ssh/known_hosts" << EOF + bscpm04.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT + gitlab-internal.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3 + EOF + . ${pkgs.nix}/etc/profile.d/nix-daemon.sh + # Required to load SSL certificate paths + . ${pkgs.cacert}/nix-support/setup-hook + ''; + environmentVariables = { + ENV = "/etc/profile"; + USER = "root"; + NIX_REMOTE = "daemon"; + PATH = "${config.system.path}/bin:/bin:/sbin:/usr/bin:/usr/sbin"; + }; + }; }; }; 
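Review bot: The docker executor bind-mounts `/nix/var/nix/daemon-socket` into every job and the container runs as root (`USER = "root"`, stock `alpine`), so unless Docker user-namespace remapping is on, tent's nix daemon sees peer uid 0, which is in `trusted-users` by default; a trusted client can add substituters and `trusted-public-keys` or turn off the sandbox, meaning any job carrying the `docker nix tent` tags can place arbitrary paths in tent's store, which nix-serve then signs and publishes under `jungle.bsc.es/cache`. The `:ro` on that mount does not help: a read-only bind mount restricts file writes, not `connect()` on a unix socket. Either run jobs as an unprivileged uid inside the container and confirm that uid is absent from `nix.settings.trusted-users`, or state at the top of this block that every project granted this runner is trusted at the level of the binary-cache signing key. Pinning the two host keys in `known_hosts` is good; a comment with the date they were verified out-of-band would make rotation easier.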
@@ -35,6 +78,7 @@ home = "/var/lib/gitlab-runner"; description = "Gitlab Runner"; group = "gitlab-runner"; + extraGroups = [ "docker" ]; createHome = true; }; users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index ad1a4d0f..791a3aca 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -18,6 +18,7 @@ in "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent; "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent; + "tent-gitlab-runner-bsc-docker-token.age".publicKeys = tent; "ceph-user.age".publicKeys = safe; "munge-key.age".publicKeys = safe; diff --git a/secrets/tent-gitlab-runner-bsc-docker-token.age b/secrets/tent-gitlab-runner-bsc-docker-token.age new file mode 100644 index 0000000000000000000000000000000000000000..8c69121a61468287707e6ec89d75db7b18a628c2 GIT binary patch literal 628 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT4H}#1yEmugd%y5qg zDR(sXFVpr;F35~X%5e2@^-C_abk;Y~cTUsKaxTp-k2ET)@a0PN^v`lJ%P&v%3Np_O zH#V*EFbp?JweWFDaY=IuNDK2VH!~_NGLEV$EJwG^*)iPRBv2tcGOO65tlZ4VGAA;^ zB+4()J1eEqJkvSdB+c2!KR49GpfWwPEZEW9&6UeI#JMmr!bdy9Gt@uC(J?A2$IH0b z-6`L>+$Z1JB+9YO(=gdD%fmR-uo&I83P*EeOGky&#JsA+D0j2MWOwsQpTh8vqVOEA zl)ONbGK-?(EN%bt0@vig%F;p?Cs(e33LlRWPtR1#(x9-!yx=IusERV9{FKCU6SpWg zk1P|jaL1%Xau%{+1pDt*lZtK9wEEu71p43eS>D+<%ntAdRZ zEA!H_@(g^=!^^pJb#)ageGDCoirmYSGAq2RLQN{eB7?k)JQ7{Q&C)yrs*=s~Jq^r5wGGmP zK(4!|aX~7rd#{7@y_}lZGe2tV89w;x%W0_JHaKoORe!ol#JUXal)_k%t%X^i7GGx# zTUy`DC6M@Rg3+gCQrt|1oRz7Qn?G;b%k8ACxa Date: Thu, 12 Jun 2025 15:24:31 +0200 Subject: [PATCH 10/21] Add public html files to tent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/nginx.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/m/tent/nginx.nix b/m/tent/nginx.nix index f67a5255..bf739959 100644 --- a/m/tent/nginx.nix +++ b/m/tent/nginx.nix 
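Review bot: `extraGroups = [ "docker" ]` makes `gitlab-runner` root-equivalent on tent — the docker socket can start a container with `/` bind-mounted — and the same account runs the `shell` executor for gitlab.pm.bsc.es defined earlier in this file, outside this hunk. Any job on that shell runner can therefore `docker run -v /:/host ... chroot /host` and own the machine, including the age-decrypted secrets and the nix-serve signing key. If both executors must live on one host, run the shell executor under a separate user that is not in `docker`, and add `# docker group membership is equivalent to root on this host` beside this line so the next reader sees the trade-off.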
@@ -48,6 +48,12 @@ in proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } + location ~ ^/~(.+?)(/.*)?$ { + alias /vault/home/$1/public_html$2; + index index.html index.htm; + autoindex on; + absolute_redirect off; + } ''; }; }; -- 2.49.0 From e386a320ff92193262824cbe6670b2dbfe15ddf1 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Thu, 12 Jun 2025 16:38:40 +0200 Subject: [PATCH 11/21] Use IPv4 for blackbox exporter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/blackbox.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/m/tent/blackbox.yml b/m/tent/blackbox.yml index d716359d..ccd701e8 100644 --- a/m/tent/blackbox.yml +++ b/m/tent/blackbox.yml @@ -3,6 +3,7 @@ modules: prober: http timeout: 5s http: + preferred_ip_protocol: "ip4" follow_redirects: true valid_status_codes: [] # Defaults to 2xx method: GET -- 2.49.0 From 38fd0eefa3ae8462a787f56620bd31d82ab67097 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Thu, 12 Jun 2025 16:47:40 +0200 Subject: [PATCH 12/21] Monitor AXLE machine too MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/monitoring.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/m/tent/monitoring.nix b/m/tent/monitoring.nix index e2ffd025..504cab19 100644 --- a/m/tent/monitoring.nix +++ b/m/tent/monitoring.nix @@ -166,6 +166,7 @@ "arenys5.ac.upc.edu" "arenys0-2.ac.upc.edu" "epi01.bsc.es" + "axle.bsc.es" ]; }]; relabel_configs = [ -- 2.49.0 From c49dd153036263f2a7e7aaed39c69fc413d944e8 Mon Sep 17 00:00:00 2001 
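Review bot: The regex `^/~(.+?)(/.*)?$` drops `$1` straight into `alias /vault/home/$1/public_html$2` without constraining it to a user name, so `/~..` resolves to `/vault/home/../public_html`, i.e. `/vault/public_html/...` — nginx only collapses `..` as a whole path segment, and here the segment is `~..`. Nothing of interest is likely to live there, but the fix is free: `location ~ ^/~([a-z_][a-z0-9_-]*)(/.*)?$ {`. `autoindex on` also publishes listings of every user's `public_html`, and nginx will follow any symlink a user plants there to a world-readable file such as `/etc/passwd`; if that is not intended, add `disable_symlinks if_not_owner from=/vault/home;` and a comment saying users are responsible for what they expose.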
From: Rodrigo Arias Mallo Date: Fri, 13 Jun 2025 09:40:17 +0200 Subject: [PATCH 13/21] Add bsc.es to resolve domain names MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix index 9a242ac4..e680a412 100644 --- a/m/tent/configuration.nix +++ b/m/tent/configuration.nix @@ -26,6 +26,7 @@ # Only BSC DNSs seem to be reachable from the office VLAN nameservers = [ "84.88.52.35" "84.88.52.36" ]; + search = [ "bsc.es" ]; defaultGateway = "10.0.44.1"; }; -- 2.49.0 From 09a5bdfbe4d8feb038918176f514ac19d0842daf Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 13 Jun 2025 11:10:39 +0200 Subject: [PATCH 14/21] Enable gitea in tent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/configuration.nix | 1 + m/tent/gitea.nix | 29 +++++++++++++++++++++++++++++ m/tent/nginx.nix | 6 ++++++ 3 files changed, 36 insertions(+) create mode 100644 m/tent/gitea.nix diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix index e680a412..043554f0 100644 --- a/m/tent/configuration.nix +++ b/m/tent/configuration.nix @@ -10,6 +10,7 @@ ./nginx.nix ./nix-serve.nix ./gitlab-runner.nix + ./gitea.nix ]; # Select the this using the ID to avoid mismatches diff --git a/m/tent/gitea.nix b/m/tent/gitea.nix new file mode 100644 index 00000000..031fd718 --- /dev/null +++ b/m/tent/gitea.nix 
@@ -0,0 +1,29 @@ +{ config, lib, ... }: +{ + services.gitea = { + enable = true; + appName = "Gitea in the jungle"; + + settings = { + server = { + ROOT_URL = "https://jungle.bsc.es/git/"; + LOCAL_ROOT_URL = "https://jungle.bsc.es/git/"; + LANDING_PAGE = "explore"; + }; + metrics.ENABLED = true; + service = { + REGISTER_MANUAL_CONFIRM = true; + ENABLE_NOTIFY_MAIL = true; + }; + log.LEVEL = "Warn"; + + mailer = { + ENABLED = true; + FROM = "jungle-robot@bsc.es"; + PROTOCOL = "sendmail"; + SENDMAIL_PATH = "/run/wrappers/bin/sendmail"; + SENDMAIL_ARGS = "--"; + }; + }; + }; +} diff --git a/m/tent/nginx.nix b/m/tent/nginx.nix index bf739959..72a28adf 100644 --- a/m/tent/nginx.nix +++ b/m/tent/nginx.nix @@ -34,6 +34,12 @@ in real_ip_recursive on; real_ip_header X-Forwarded-For; + location /git { + rewrite ^/git$ / break; + rewrite ^/git/(.*) /$1 break; + proxy_pass http://127.0.0.1:3000; + proxy_redirect http:// $scheme://; + } location /cache { rewrite ^/cache/(.*) /$1 break; proxy_pass http://127.0.0.1:5000; -- 2.49.0 From ec2eb8c3ed021ceb3b029d3292aba17ac73ef1a8 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 13 Jun 2025 11:52:10 +0200 Subject: [PATCH 15/21] Enable public-inbox service in tent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/configuration.nix | 1 + m/tent/nginx.nix | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix index 043554f0..bf18f911 100644 --- a/m/tent/configuration.nix +++ b/m/tent/configuration.nix @@ -11,6 +11,7 @@ ./nix-serve.nix ./gitlab-runner.nix ./gitea.nix + ../hut/public-inbox.nix ]; # Select the this using the ID to avoid mismatches diff --git a/m/tent/nginx.nix b/m/tent/nginx.nix index 72a28adf..0e6811af 100644 --- a/m/tent/nginx.nix +++ b/m/tent/nginx.nix 
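Review bot: `metrics.ENABLED = true` without `metrics.TOKEN` makes Gitea's `/metrics` endpoint answer to anyone, and the `/git` proxy added in this same commit publishes it as `jungle.bsc.es/git/metrics`; the scrape config in monitoring.nix is not extended here, so nothing consumes it yet. Either set `metrics.TOKEN` from an age secret and scrape with `bearer_token_file`, or block `/git/metrics` in nginx. `REGISTER_MANUAL_CONFIRM = true` still leaves self-registration open (new accounts merely wait for an admin), which is fine but should be stated: `# Anyone can register; accounts stay inactive until an admin confirms them`.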
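Review bot: `location /git` is a prefix match, so `/gitlab` or `/gitfoo` are also sent to Gitea (neither rewrite fires and Gitea receives `/gitlab` verbatim); use `location /git/ { ... }` plus `location = /git { return 301 /git/; }`, or anchor the rewrite with `^/git(/|$)`. As with `/cache`, no `Host`, `X-Forwarded-For` or `X-Forwarded-Proto` is passed, so Gitea will log every failed login as coming from 127.0.0.1 and cannot apply per-IP limits; add `proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` — Gitea trusts these headers from loopback by default, but confirm `REVERSE_PROXY_TRUSTED_PROXIES`.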
@@ -45,6 +45,10 @@ in proxy_pass http://127.0.0.1:5000; proxy_redirect http:// $scheme://; } + location /lists { + proxy_pass http://127.0.0.1:8081; + proxy_redirect http:// $scheme://; + } location /grafana { proxy_pass http://127.0.0.1:2342; proxy_redirect http:// $scheme://; -- 2.49.0 From 956b99f02a0e45b03e6d66729fa435cc8ef78840 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 13 Jun 2025 12:53:58 +0200 Subject: [PATCH 16/21] Add p service for pastes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/module/p.nix | 68 +++++++++++++++++++++++++++++++++++++ m/tent/configuration.nix | 3 ++ m/tent/nginx.nix | 3 ++ web/content/paste/_index.md | 16 ++++----- 4 files changed, 82 insertions(+), 8 deletions(-) create mode 100644 m/module/p.nix diff --git a/m/module/p.nix b/m/module/p.nix new file mode 100644 index 00000000..2005eb87 --- /dev/null +++ b/m/module/p.nix 
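Review bot: Unlike `/git` and `/cache`, the new `/lists` location does not strip its prefix before `proxy_pass http://127.0.0.1:8081;`, so public-inbox-httpd must itself be configured to serve under `/lists`; that configuration lives in `../hut/public-inbox.nix`, outside this patch, and the asymmetry deserves a comment such as `# public-inbox serves under /lists itself; do not rewrite the prefix`. That module was written for hut, so confirm it binds 8081 to loopback on tent as well, since nothing here restricts it.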
@@ -0,0 +1,68 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.p; +in +{ + options = { + services.p = { + enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Whether to enable the p service."; + }; + path = lib.mkOption { + type = lib.types.str; + default = "/var/lib/p"; + description = "Where to save the pasted files on disk."; + }; + url = lib.mkOption { + type = lib.types.str; + default = "https://jungle.bsc.es/p"; + description = "URL prefix for the printed file."; + }; + }; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = let + p = pkgs.writeShellScriptBin "p" '' + set -e + pastedir="${cfg.path}/$USER" + cd "$pastedir" + + ext="txt" + if [ -n "$1" ]; then + ext="$1" + fi + + out=$(mktemp "XXXXXXXX.$ext") + cat > "$out" + chmod go+r "$out" + echo "${cfg.url}/$USER/$out" + ''; + in [ p ]; + + systemd.services.p = let + # Take only normal users + users = lib.filterAttrs (_: v: v.isNormalUser) config.users.users; + # Create a directory for each user + commands = lib.concatLists (lib.mapAttrsToList (_: user: [ + "install -d -o ${user.name} -g ${user.group} -m 0755 ${cfg.path}/${user.name}" + ]) users); + in { + description = "P service setup"; + requires = [ "network-online.target" ]; + #wants = [ "remote-fs.target" ]; + #after = [ "remote-fs.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = pkgs.writeShellScript "p-init.sh" ('' + + install -d -o root -g root -m 0755 ${cfg.path} + + '' + (lib.concatLines commands)); + }; + }; + }; +} diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix index bf18f911..327d4d46 100644 --- a/m/tent/configuration.nix +++ b/m/tent/configuration.nix @@ -12,6 +12,7 @@ ./gitlab-runner.nix ./gitea.nix ../hut/public-inbox.nix + ../module/p.nix ]; # Select the this using the ID to avoid mismatches 
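Review bot: The `p` script trusts two caller-controlled values: `$USER`, which selects the directory under `cfg.path` and is echoed in the URL, and `$1`, which is used unvalidated as the file extension in both the `mktemp` template and the URL. Deriving the name from `id -un` removes the first dependency (an unset or overridden `USER` currently makes `cd` fail or aims at another user's directory), and restricting the extension to alphanumerics avoids odd templates and URLs; users can still pick `html`, so whatever serves `cfg.path` must treat pastes as inert data. Separately, the `p` systemd unit has `requires = [ "network-online.target" ]` with no `after`, which orders nothing, and as a `Type=simple` setup script it is never reported as finished — `Type = "oneshot"` with `RemainAfterExit = true` matches what it does.
```nix
      p = pkgs.writeShellScriptBin "p" ''
        set -e
        # Use the real uid, not the caller-controlled $USER variable
        user=$(id -un)
        pastedir="${cfg.path}/$user"
        cd "$pastedir"

        ext="txt"
        if [ -n "$1" ]; then
          case "$1" in
            *[!A-Za-z0-9]*) echo "p: extension must be alphanumeric" >&2; exit 1 ;;
          esac
          ext="$1"
        fi

        out=$(mktemp "XXXXXXXX.$ext")
        # … unchanged: cat, chmod …
        echo "${cfg.url}/$user/$out"
      '';
```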
@@ -32,6 +33,8 @@ defaultGateway = "10.0.44.1"; }; + services.p.enable = true; + services.prometheus.exporters.node = { enable = true; enabledCollectors = [ "systemd" ]; diff --git a/m/tent/nginx.nix b/m/tent/nginx.nix index 0e6811af..de9214e7 100644 --- a/m/tent/nginx.nix +++ b/m/tent/nginx.nix @@ -64,6 +64,9 @@ in autoindex on; absolute_redirect off; } + location /p/ { + alias /var/lib/p/; + } ''; }; }; diff --git a/web/content/paste/_index.md b/web/content/paste/_index.md index e4ebd61d..1022a31d 100644 --- a/web/content/paste/_index.md +++ b/web/content/paste/_index.md @@ -5,13 +5,13 @@ author: "Rodrigo Arias Mallo" date: 2024-09-20 --- -The hut machine provides a paste service using the program `p` (as in paste). +The tent machine provides a paste service using the program `p` (as in paste). -You can use it directly from the hut machine or remotely if you have [SSH -access](/access) to hut using the following alias: +You can use it directly from the tent machine or remotely if you have [SSH +access](/access) to tent using the following alias: ``` -alias p="ssh hut p" +alias p="ssh tent p" ``` You can add it to bashrc or zshrc for persistent installation. @@ -19,7 +19,7 @@ You can add it to bashrc or zshrc for persistent installation. ## Usage The `p` command reads from the standard input, uploads the content to a file -in the ceph filesystem and prints the URL to access it. It only accepts an +in the local filesystem and prints the URL to access it. It only accepts an optional argument, which is the extension of the file that will be stored on disk (without the dot). By default it uses the `txt` extension, so plain text can be read in the browser directly. 
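Review bot: `location /p/ { alias /var/lib/p/; }` serves user-uploaded files from the same origin as `/git` and `/grafana`, and `p` lets the uploader choose any extension, so an `.html` paste runs script with the jungle.bsc.es origin and can drive the Gitea session of anyone who opens the link. Serve pastes as inert content by adding `add_header Content-Security-Policy "sandbox";` and `add_header X-Content-Type-Options nosniff;` inside the location; the sandbox directive gives the document an opaque origin without changing the extension-based content types the paste docs rely on. The path is also hard-coded while the module exposes it as `services.p.path`; `alias ${config.services.p.path}/;` keeps the two in sync, assuming `config` is in scope in this file.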
@@ -28,21 +28,21 @@ can be read in the browser directly. p [extension] ``` -To remove files, go to `/ceph/p/$USER` and remove them manually. +To remove files, go to `/var/lib/p/$USER` and remove them manually. ## Examples Share a text file, in this case the source of p itself: ``` -hut% p < m/hut/p.nix +tent% p < m/tent/p.nix https://jungle.bsc.es/p/rarias/okbtG130.txt ``` Paste the last dmesg lines directly from a pipe: ``` -hut% dmesg | tail -5 | p +tent% dmesg | tail -5 | p https://jungle.bsc.es/p/rarias/luX4STm9.txt ``` -- 2.49.0 From 448d85ef9d0e9485f8409027e346725720658e18 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 13 Jun 2025 15:09:54 +0200 Subject: [PATCH 17/21] Move nix-daemon exporter to modules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/hut/monitoring.nix | 2 +- m/{hut => module}/nix-daemon-builds.sh | 0 m/{hut => module}/nix-daemon-exporter.nix | 0 3 files changed, 1 insertion(+), 1 deletion(-) rename m/{hut => module}/nix-daemon-builds.sh (100%) rename m/{hut => module}/nix-daemon-exporter.nix (100%) diff --git a/m/hut/monitoring.nix b/m/hut/monitoring.nix index db5f49fb..0c1cb78a 100644 --- a/m/hut/monitoring.nix +++ b/m/hut/monitoring.nix @@ -6,7 +6,7 @@ ../module/meteocat-exporter.nix ../module/upc-qaire-exporter.nix ./gpfs-probe.nix - ./nix-daemon-exporter.nix + ../module/nix-daemon-exporter.nix ]; age.secrets.grafanaJungleRobotPassword = { diff --git a/m/hut/nix-daemon-builds.sh b/m/module/nix-daemon-builds.sh similarity index 100% rename from m/hut/nix-daemon-builds.sh rename to m/module/nix-daemon-builds.sh diff --git a/m/hut/nix-daemon-exporter.nix b/m/module/nix-daemon-exporter.nix similarity index 100% rename from m/hut/nix-daemon-exporter.nix rename to m/module/nix-daemon-exporter.nix -- 2.49.0 From 4618a149b37d26756fa8a3c24bf9da4335ec927b Mon Sep 17 00:00:00 2001 
From: Rodrigo Arias Mallo Date: Fri, 13 Jun 2025 15:11:24 +0200 Subject: [PATCH 18/21] Monitor nix-daemon in tent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/monitoring.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/m/tent/monitoring.nix b/m/tent/monitoring.nix index 504cab19..2d1bdc58 100644 --- a/m/tent/monitoring.nix +++ b/m/tent/monitoring.nix @@ -4,6 +4,7 @@ imports = [ ../module/meteocat-exporter.nix ../module/upc-qaire-exporter.nix + ../module/nix-daemon-exporter.nix ]; age.secrets.grafanaJungleRobotPassword = { @@ -116,6 +117,7 @@ "127.0.0.1:9290" # IPMI exporter for local node "127.0.0.1:9928" # UPC Qaire custom exporter "127.0.0.1:9929" # Meteocat custom exporter + "127.0.0.1:9999" # Nix-daemon custom exporter ]; }]; } -- 2.49.0 From 6b53ab4413ea5453cf5e4c74e78638007a0c499e Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 13 Jun 2025 15:52:31 +0200 Subject: [PATCH 19/21] Add GitLab runner with debian docker for PM MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/gitlab-runner.nix | 8 ++++++++ secrets/tent-gitlab-runner-pm-docker-token.age | Bin 0 -> 623 bytes 2 files changed, 8 insertions(+) create mode 100644 secrets/tent-gitlab-runner-pm-docker-token.age diff --git a/m/tent/gitlab-runner.nix b/m/tent/gitlab-runner.nix index 447c5837..166b8ca5 100644 --- a/m/tent/gitlab-runner.nix +++ b/m/tent/gitlab-runner.nix @@ -2,6 +2,7 @@ { age.secrets.tent-gitlab-runner-pm-shell.file = ../../secrets/tent-gitlab-runner-pm-shell-token.age; + age.secrets.tent-gitlab-runner-pm-docker.file = ../../secrets/tent-gitlab-runner-pm-docker-token.age; age.secrets.tent-gitlab-runner-bsc-docker.file = ../../secrets/tent-gitlab-runner-bsc-docker-token.age; services.gitlab-runner = let sec = config.age.secrets; in { 
@@ -20,6 +21,13 @@ env ''; }; + gitlab-pm-docker = { + authenticationTokenConfigFile = sec.tent-gitlab-runner-pm-docker.path; + executor = "docker"; + dockerImage = "debian:stable"; + }; + + # For gitlab.bsc.es gitlab-bsc-docker = { # gitlab.bsc.es still uses the old token mechanism registrationConfigFile = sec.tent-gitlab-runner-bsc-docker.path; diff --git a/secrets/tent-gitlab-runner-pm-docker-token.age b/secrets/tent-gitlab-runner-pm-docker-token.age new file mode 100644 index 0000000000000000000000000000000000000000..6ce71b4d295043882819fa1c40a28fbfa3e75665 GIT binary patch literal 623 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT4H}#1yEmsINGfhr2 z%FOaFta2%=Fepj%&`-}y$xHQ3)OHRFv@{7!bM{D#3Q8&rcja=fFf7bTH4RJ5POD5Q z^~$$&j`a5RNiRw?sVI!{EDQ-MH!^X}s&ol(_eHnO*)iPRBv7H$q$J6tG@>}fG)g}w z!^}IS+)zI#z`!}htt`u}A~&ldz^}k8BD1pGF`3IT&m_RdGc(YyG^nc3Gt{KYEi)*m z%)BJsL_aSjJ3p)Y&0}cJleacgk@?E_$%gb}Ui$a`?EJAYAiW42H zii4d>ebV#uT?(t5f?T=MLbI~+Jaf_t^j(btUA3Juj4LdS%JUo(v&+nljYCttOPtCA z9Ss8wqLR6Eb#)cW4Ff{`f?Z9E4SjAh+xqgV5$DHktZxpcsw<|ip1Qk?k4Io%iArv-AOFe=tvM~r-3k)T Wl{yvf*+;%ry(4#d{v+uI_4xo7``Ii2 literal 0 HcmV?d00001 -- 2.49.0 From 09bc9d9c259bb521662c46583fac7cc96ea83bc3 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Mon, 16 Jun 2025 15:40:06 +0200 Subject: [PATCH 20/21] Enable msmtp configuration in tent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Allows gitea to send notifications via email. Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix index 327d4d46..956a191c 100644 --- a/m/tent/configuration.nix +++ b/m/tent/configuration.nix @@ -12,6 +12,7 @@ ./gitlab-runner.nix ./gitea.nix ../hut/public-inbox.nix + ../hut/msmtp.nix ../module/p.nix ]; -- 2.49.0 From 0bc69789d9b95f2a444e653fcd30d6eb218b8da6 Mon Sep 17 00:00:00 2001 
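Review bot: `gitlab-pm-docker` gives CI jobs from the PM GitLab a docker executor on tent, the host that now also serves Gitea, the binary cache and pastes, but the hunk only sets `dockerImage = "debian:stable"` — jobs can still request any `image:` unless the runner restricts it, and `debian:stable` is a moving tag. If the nixpkgs module in use provides them, add `dockerAllowedImages = [ "debian:stable" ];` (or a digest-pinned image) and keep `dockerPrivileged` unset as it is here. Whether the runner is registered as project-scoped rather than shared cannot be seen from this config and is worth confirming on the GitLab side; no `dockerVolumes` appear in the hunk, so nothing like the docker socket seems to be mounted into jobs.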
From: Rodrigo Arias Mallo Date: Mon, 16 Jun 2025 15:55:53 +0200 Subject: [PATCH 21/21] Disable registration in Gitea MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Get rid of all the spam accounts they are trying to register. Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/gitea.nix | 1 + 1 file changed, 1 insertion(+)
diff --git a/m/tent/gitea.nix b/m/tent/gitea.nix
index 031fd718..546ac5f3 100644
--- a/m/tent/gitea.nix
+++ b/m/tent/gitea.nix
@@ -12,6 +12,7 @@
 };
 metrics.ENABLED = true;
 service = {
+ DISABLE_REGISTRATION = true;
 REGISTER_MANUAL_CONFIRM = true;
 ENABLE_NOTIFY_MAIL = true;
 };
-- 2.49.0
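Review bot: With `DISABLE_REGISTRATION = true` the `REGISTER_MANUAL_CONFIRM = true` line directly below is dead configuration, since it only governs self-registration, and a comment explaining how accounts are created from now on would help the next admin, e.g. `# Self-registration disabled because of spam; admins create accounts (gitea admin user create)`. Note that this only stops new sign-ups: spam accounts already created, including any still pending mail confirmation, remain and need to be purged from the admin panel.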