From 1b731a756aed6b39c606e916c7c841d492ac7632 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Wed, 9 Jul 2025 11:02:11 +0200 Subject: [PATCH 01/13] Add new configuration for apex MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné --- flake.nix | 1 + keys.nix | 4 +- m/apex/configuration.nix | 58 +++++++++++++++++ m/apex/nfs.nix | 37 +++++++++++ m/common/base/env.nix | 2 +- m/common/base/net.nix | 2 +- m/common/ssf.nix | 1 + m/common/ssf/hosts.nix | 23 +++++++ m/common/ssf/net.nix | 59 ------------------ m/map.nix | 2 +- secrets/ceph-user.age | Bin 1023 -> 1133 bytes secrets/gitea-runner-token.age | 20 +++--- secrets/gitlab-bsc-docker-token.age | Bin 629 -> 629 bytes secrets/gitlab-runner-docker-token.age | Bin 626 -> 626 bytes secrets/gitlab-runner-shell-token.age | Bin 626 -> 626 bytes secrets/ipmi.yml.age | Bin 1563 -> 1563 bytes secrets/jungle-robot-password.age | 24 +++---- secrets/munge-key.age | Bin 2006 -> 2116 bytes secrets/nix-serve.age | 25 ++++---- .../tent-gitlab-runner-bsc-docker-token.age | Bin 628 -> 628 bytes .../tent-gitlab-runner-pm-docker-token.age | Bin 623 -> 623 bytes secrets/tent-gitlab-runner-pm-shell-token.age | 23 ++++--- secrets/vpn-dac-client-key.age | Bin 2246 -> 2246 bytes secrets/vpn-dac-login.age | Bin 568 -> 568 bytes 24 files changed, 172 insertions(+), 109 deletions(-) create mode 100644 m/apex/configuration.nix create mode 100644 m/apex/nfs.nix create mode 100644 m/common/ssf/hosts.nix diff --git a/flake.nix b/flake.nix index 67ae0875..b8352a93 100644 --- a/flake.nix +++ b/flake.nix @@ -27,6 +27,7 @@ in lake2 = mkConf "lake2"; raccoon = mkConf "raccoon"; fox = mkConf "fox"; + apex = mkConf "apex"; }; packages.x86_64-linux = self.nixosConfigurations.hut.pkgs // { diff --git a/keys.nix b/keys.nix index ad8e304c..69712670 100644 --- a/keys.nix +++ b/keys.nix 
@@ -11,6 +11,7 @@ rec { lake2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2"; fox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwItIk5uOJcQEVPoy/CVGRzfmE1ojrdDcI06FrU4NFT fox"; tent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAtTpHtdYoelbknD/IcfBlThwLKJv/dSmylOgpg3FRM tent"; + apex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBvUFjSfoxXnKwXhEFXx5ckRKJ0oewJ82mRitSMNMKjh apex"; }; hostGroup = with hosts; rec { @@ -19,8 +20,9 @@ rec { playground = [ eudy koro ]; storage = [ bay lake2 ]; monitor = [ hut ]; + login = [ apex ]; - system = storage ++ monitor; + system = storage ++ monitor ++ login; safe = system ++ compute; all = safe ++ playground; }; diff --git a/m/apex/configuration.nix b/m/apex/configuration.nix new file mode 100644 index 00000000..2facf6cc --- /dev/null +++ b/m/apex/configuration.nix 
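Review bot: Folding `login` into `system` (`system = storage ++ monitor ++ login;`) extends to the new public-facing login host every secret that is keyed to the `system` and `safe` groups; presumably that is why the 14 `secrets/*.age` files in this patch's diffstat are re-encrypted, among them `munge-key.age`, `ceph-user.age`, `ipmi.yml.age` and the gitlab/gitea runner tokens. A host that sits on 84.88.53.236 and accepts user logins is a weaker place to hold runner tokens and VPN keys than the storage and monitor nodes. Consider keeping `system = storage ++ monitor;` and naming `login` only in the rules of the secrets apex actually consumes; the secrets rules file is not part of this patch, so the mapping from groups to recipients is inferred from the diffstat.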
@@ -0,0 +1,58 @@ +{ lib, config, pkgs, ... }: + +{ + imports = [ + ../common/xeon.nix + ../common/ssf/hosts.nix + ../module/ceph.nix + ./nfs.nix + ]; + + # Don't install grub MBR for now + boot.loader.grub.device = "nodev"; + + boot.initrd.kernelModules = [ + "megaraid_sas" # For HW RAID + ]; + + fileSystems."/home" = { + device = "/dev/disk/by-label/home"; + fsType = "ext4"; + }; + + # No swap, there is plenty of RAM + swapDevices = lib.mkForce []; + + networking = { + hostName = "apex"; + defaultGateway = "84.88.53.233"; + nameservers = [ "8.8.8.8" ]; + + # Public facing interface + interfaces.eno1.ipv4.addresses = [ { + address = "84.88.53.236"; + prefixLength = 29; + } ]; + + # Internal LAN to our Ethernet switch + interfaces.eno2.ipv4.addresses = [ { + address = "10.0.40.30"; + prefixLength = 24; + } ]; + + # Infiniband over Omnipath switch (disconnected for now) + # interfaces.ibp5s0 = {}; + + nat = { + enable = true; + internalInterfaces = [ "eno2" ]; + externalInterface = "eno1"; + }; + }; + + # Use tent for cache + nix.settings = { + extra-substituters = [ "https://jungle.bsc.es/cache" ]; + extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ]; + }; +} diff --git a/m/apex/nfs.nix b/m/apex/nfs.nix new file mode 100644 index 00000000..e245549f --- /dev/null +++ b/m/apex/nfs.nix 
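Review bot: The `nat` block deserves a comment stating that apex is the default gateway of the internal LAN: ssf/net.nix sets `defaultGateway = "10.0.40.30";` (visible in the patch 03 hunk further down), which is the `eno2` address configured here, so enabling NAT with `externalInterface = "eno1"` makes this login node the egress for every host on 10.0.40.0/24. Suggest `# apex (10.0.40.30) is the rack's default gateway: masquerade 10.0.40.0/24 out of eno1` above `nat = {`. The module also takes `config` and `pkgs` as arguments without using them in this file; `{ lib, ... }:` would state the real dependencies (patch 02 later adds a use of `pkgs`).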
@@ -0,0 +1,37 @@ +{ ... }: + +{ + services.nfs.server = { + enable = true; + lockdPort = 4001; + mountdPort = 4002; + statdPort = 4000; + exports = '' + /home 10.0.40.0/24(rw,sync,no_subtree_check,root_squash) + ''; + }; + networking.firewall = { + # Check with `rpcinfo -p` + extraCommands = '' + # Accept NFS traffic from compute nodes but not from the outside + iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 111 -j nixos-fw-accept + iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 2049 -j nixos-fw-accept + iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4000 -j nixos-fw-accept + iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4001 -j nixos-fw-accept + iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept + iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept + # Same but UDP + iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 111 -j nixos-fw-accept + iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 2049 -j nixos-fw-accept + iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4000 -j nixos-fw-accept + iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4001 -j nixos-fw-accept + iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept + iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept + ''; + # Flush all rules and chains on stop so it won't break on start + extraStopCommands = '' + iptables -F + iptables -X + ''; + }; +} diff --git a/m/common/base/env.nix b/m/common/base/env.nix index d8e417ba..e974a6c6 100644 --- a/m/common/base/env.nix +++ b/m/common/base/env.nix @@ -4,7 +4,7 @@ environment.systemPackages = with pkgs; [ vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option nix-diff ipmitool freeipmi ethtool lm_sensors ix cmake gnumake file tree - ncdu config.boot.kernelPackages.perf ldns + ncdu config.boot.kernelPackages.perf ldns pv # From bsckgs overlay osumb ]; 
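Review bot: `extraStopCommands` runs `iptables -F` and `iptables -X` with no chain argument, which flushes and deletes every chain of the IPv4 filter table, not only the `nixos-fw` chain the rules above were appended to, so any filter rules other units installed go with it. As far as I recall the stock NixOS firewall start script already flushes and recreates its own chains, which would make the block unnecessary; if a cleanup is wanted, scope it to the added rules, e.g. `iptables -D nixos-fw -p tcp -s 10.0.40.0/24 --dport 2049 -j nixos-fw-accept 2>/dev/null || true` per rule. Separately, `mountdPort` is pinned to 4002 yet the rules also open 20048 (mountd's default), which looks redundant. Restricting every rule to 10.0.40.0/24 and exporting with `root_squash` are the right calls for a host whose eno1 faces the public network.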
diff --git a/m/common/base/net.nix b/m/common/base/net.nix index e49d2043..9fb15990 100644 --- a/m/common/base/net.nix +++ b/m/common/base/net.nix @@ -11,7 +11,7 @@ }; hosts = { - "84.88.53.236" = [ "ssfhead.bsc.es" "ssfhead" ]; + "84.88.53.236" = [ "apex" "ssfhead.bsc.es" "ssfhead" ]; "84.88.51.152" = [ "raccoon" ]; "84.88.51.142" = [ "raccoon-ipmi" ]; }; diff --git a/m/common/ssf.nix b/m/common/ssf.nix index a01839b3..4638c544 100644 --- a/m/common/ssf.nix +++ b/m/common/ssf.nix @@ -4,6 +4,7 @@ ./xeon.nix ./ssf/fs.nix ./ssf/net.nix + ./ssf/hosts.nix ./ssf/ssh.nix ]; } diff --git a/m/common/ssf/hosts.nix b/m/common/ssf/hosts.nix new file mode 100644 index 00000000..039b039e --- /dev/null +++ b/m/common/ssf/hosts.nix @@ -0,0 +1,23 @@ +{ pkgs, ... }: + +{ + networking.hosts = { + # Login + "10.0.40.30" = [ "apex" ]; + + # Storage + "10.0.40.40" = [ "bay" ]; "10.0.42.40" = [ "bay-ib" ]; "10.0.40.141" = [ "bay-ipmi" ]; + "10.0.40.41" = [ "oss01" ]; "10.0.42.41" = [ "oss01-ib0" ]; "10.0.40.142" = [ "oss01-ipmi" ]; + "10.0.40.42" = [ "lake2" ]; "10.0.42.42" = [ "lake2-ib" ]; "10.0.40.143" = [ "lake2-ipmi" ]; + + # Xeon compute + "10.0.40.1" = [ "owl1" ]; "10.0.42.1" = [ "owl1-ib" ]; "10.0.40.101" = [ "owl1-ipmi" ]; + "10.0.40.2" = [ "owl2" ]; "10.0.42.2" = [ "owl2-ib" ]; "10.0.40.102" = [ "owl2-ipmi" ]; + "10.0.40.3" = [ "xeon03" ]; "10.0.42.3" = [ "xeon03-ib" ]; "10.0.40.103" = [ "xeon03-ipmi" ]; + #"10.0.40.4" = [ "tent" ]; "10.0.42.4" = [ "tent-ib" ]; "10.0.40.104" = [ "tent-ipmi" ]; + "10.0.40.5" = [ "koro" ]; "10.0.42.5" = [ "koro-ib" ]; "10.0.40.105" = [ "koro-ipmi" ]; + "10.0.40.6" = [ "xeon06" ]; "10.0.42.6" = [ "xeon06-ib" ]; "10.0.40.106" = [ "xeon06-ipmi" ]; + "10.0.40.7" = [ "hut" ]; "10.0.42.7" = [ "hut-ib" ]; "10.0.40.107" = [ "hut-ipmi" ]; + "10.0.40.8" = [ "eudy" ]; "10.0.42.8" = [ "eudy-ib" ]; "10.0.40.108" = [ "eudy-ipmi" ]; + }; +} diff --git a/m/common/ssf/net.nix b/m/common/ssf/net.nix index dfd85f88..e09ba758 100644 --- a/m/common/ssf/net.nix 
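Review bot: Moving the host table from `extraHosts` in ssf/net.nix to `networking.hosts` in the new hosts.nix drops several aliases the removed block carried: `ssfhead` for 10.0.40.30 (the new entry is `"10.0.40.30" = [ "apex" ];`), plus the `mds01`, `oss01`/`oss02`, `xeon01`..`xeon08` and `*-eth0`/`*-ipmi0` names. Anything in the rack that still addresses the head node as `ssfhead` will now resolve it to the public address from base/net.nix or not at all, and the firewall comment in ssf/net.nix still refers to it by that name. If the old names are still in use, keep them: `"10.0.40.30" = [ "apex" "ssfhead" ];`. Also `{ pkgs, ... }:` declares an argument the module never uses; `{ ... }:` as in nfs.nix from this same patch would do.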
+++ b/m/common/ssf/net.nix @@ -27,64 +27,5 @@ iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 60000:61000 -j nixos-fw-accept ''; }; - - extraHosts = '' - 10.0.40.30 ssfhead - - # Node Entry for node: mds01 (ID=72) - 10.0.40.40 bay mds01 mds01-eth0 - 10.0.42.40 bay-ib mds01-ib0 - 10.0.40.141 bay-ipmi mds01-ipmi0 mds01-ipmi - - # Node Entry for node: oss01 (ID=73) - 10.0.40.41 oss01 oss01-eth0 - 10.0.42.41 oss01-ib0 - 10.0.40.142 oss01-ipmi0 oss01-ipmi - - # Node Entry for node: oss02 (ID=74) - 10.0.40.42 lake2 oss02 oss02-eth0 - 10.0.42.42 lake2-ib oss02-ib0 - 10.0.40.143 lake2-ipmi oss02-ipmi0 oss02-ipmi - - # Node Entry for node: xeon01 (ID=15) - 10.0.40.1 owl1 xeon01 xeon01-eth0 - 10.0.42.1 owl1-ib xeon01-ib0 - 10.0.40.101 owl1-ipmi xeon01-ipmi0 xeon01-ipmi - - # Node Entry for node: xeon02 (ID=16) - 10.0.40.2 owl2 xeon02 xeon02-eth0 - 10.0.42.2 owl2-ib xeon02-ib0 - 10.0.40.102 owl2-ipmi xeon02-ipmi0 xeon02-ipmi - - # Node Entry for node: xeon03 (ID=17) - 10.0.40.3 xeon03 xeon03-eth0 - 10.0.42.3 xeon03-ib0 - 10.0.40.103 xeon03-ipmi0 xeon03-ipmi - - # Node Entry for node: xeon04 (ID=18) - 10.0.40.4 xeon04 xeon04-eth0 - 10.0.42.4 xeon04-ib0 - 10.0.40.104 xeon04-ipmi0 xeon04-ipmi - - # Node Entry for node: xeon05 (ID=19) - 10.0.40.5 koro xeon05 xeon05-eth0 - 10.0.42.5 koro-ib xeon05-ib0 - 10.0.40.105 koro-ipmi xeon05-ipmi0 - - # Node Entry for node: xeon06 (ID=20) - 10.0.40.6 xeon06 xeon06-eth0 - 10.0.42.6 xeon06-ib0 - 10.0.40.106 xeon06-ipmi0 xeon06-ipmi - - # Node Entry for node: xeon07 (ID=21) - 10.0.40.7 hut xeon07 xeon07-eth0 - 10.0.42.7 hut-ib xeon07-ib0 - 10.0.40.107 hut-ipmi xeon07-ipmi0 xeon07-ipmi - - # Node Entry for node: xeon08 (ID=22) - 10.0.40.8 eudy xeon08 xeon08-eth0 - 10.0.42.8 eudy-ib xeon08-ib0 - 10.0.40.108 eudy-ipmi xeon08-ipmi0 xeon08-ipmi - ''; }; } diff --git a/m/map.nix b/m/map.nix index 606d4171..fc6125ce 100644 --- a/m/map.nix +++ b/m/map.nix 
@@ -6,7 +6,7 @@ switch-opa = { pos=41; size=1; }; # SSF login - ssfhead = { pos=39; size=2; label="SSFHEAD"; board="R2208WTTYSR"; contact="operations@bsc.es"; }; + apex = { pos=39; size=2; label="SSFHEAD"; board="R2208WTTYSR"; contact="rodrigo.arias@bsc.es"; }; # Storage bay = { pos=38; size=1; label="MDS01"; board="S2600WT2R"; sn="BQWL64850303"; contact="rodrigo.arias@bsc.es"; }; 
diff --git a/secrets/ceph-user.age b/secrets/ceph-user.age index 1ca264b08b349dc20b50b7b679d1818d1eebaf59..951722d4439da7d74124c3d7b57c5e9d18960aab 100644 GIT binary patch literal 1133 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT4jI^loE?00VOEU2B zH?|DUu=EP73MjD%DF|~aj?DMg4+;v242f{5@T&+)FDo;2EatNCF)__`PI9VpbPm%u z%r!NPN-s-G%T6}(_6QHFEHFt*%rHzeFfS?eibS`qINdQZ*HNJ;B*jzPARxaqD9t>_ z#MP)IDa@~^%t+fjD9OmuB-z9xCBPyoGSbbs(u6C&*wN1<$1JSS-P9%7FfY?QxS+(t zyV4~*(J{xv)Wjpy+$6cYw9MNn*#O-(k4U4+pmYU;ESEg@!a~`>} z9KYmjr@X)nmqb_ZH2-W@3;(p7pg=Ac@5EfwihRrTDEIUL1MgB#e;<>=ta76i%lsn! zRI?(V9Mi%I_uz^wvru%~(#nk@GSU@NBfN@BqQVT5{E|W|%_9nf(n^g(gOV$?E7Er#!T@ASMj5B?6Bf_#>++ETmihYfY1C1TsQ}n&E(<~zO^D`nn4SanI zO)Jv$EiKS(D@iWR4G2`Ihzd5%*RJ&ScJ*=$EHN_5c1!hgH%{003e9zL%+1L&sLF|Q z^vTRga}DKkbYfF)oeBH8=9}O%BTUtTL@Mb1p5(F!e>Z z&CAQsCp=vt!`V6CEGRI?)TunG+#@Q>DK96rFwChm%RSJ;ETG)PysFAP-P|KLGdrKF zNIx(v*(k}e(mTnd*xS#gFgYS5FE7K(z&oVatvIkat-#IL-8iS%y*wS=HfP6hcauPc zaBa8n;&iXz!s29ONB3-FSHIFEw-P4{vj{`ClrR^k{HUrjpVUahV#jo@T#pLF;9ye^ z?*jciN5^6>v%*s2(9rS__hfyO#C+d;=g=t6Bu5v=%nDC*+bSH*jV&D&j9dcrwKK{B z%u~#RT)dOYvt2#P)5F4pJd2XO%nc*;vyEK*OSAIbq9RPVOp9H!42lz7eGR>WJbXff zj66(=O0^3EjItw~ECLGr@=7vY%*!L4vMVvtq;IgBaZ0*EnSM#3yK6*ZnYO9BS%pPp zL13tJKvk%pV?ddEsZ+YSQF)?epoeK$sF4Ymc37&BVRmY%t82bzSw@&?iBnaoe^9Pj zh`w`PvO!LnN1%UXYKF0Ps&6`%uCA_vPf>D}XJlDmK~cC@prK2taYcHdvzvE#wq-Gtl0>d_sNTbT2bOk?`0@Je4)CgnKB9}083m3P*Ov|+5 zWOKuUK)*0oi^xF3;1cHo?Z~W!>VsyWiB$ws}1S+H$RE32(S(KQETY85k7WfzE6&IBiIA)pqr2AS{ z1sha4mstb{=D8W9TW}>h1|)_Dg}6Go2BzmaX9u~PS^AZRN9pIdmL-~(d1(7sWTpiM zyBb6pdZOFr7VKBQxzE$T;*lz=#iR~RAy*D2N;fQXV zvtzisNuWZRdq%mJi;tJ5W2l8wL716)fQ3t5l~F-ih@)?5TBJ#tNnTk|k&(Y;WjR-d zUsRNvOJt~TK%k$msdiyB(H~$>~*PUYUi( zew9%nVcCX8Q3h_Vd4*0UKIv(Jh80=ff#ne?CHaOPSs3x=8|-GBlCF>+8fod7!)Z?rmz8 zuWwkWpKMfGR21kG;8>V#5>Vn8;>g8Z_j5zGuKxar@|#a(PlsL8kT`KGYH~`dR znAHn^e0^y=XG_qg#F$FA@Q1vd2c}B~Zr7Gz-^e&WDC=qKbP?~({E2=tvXZF)O5#jk diff --git a/secrets/gitea-runner-token.age b/secrets/gitea-runner-token.age index b3a1294c..a074de3b 100644 
--- a/secrets/gitea-runner-token.age +++ b/secrets/gitea-runner-token.age @@ -1,11 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 HY2yRg WUMWvyagPalsy7u1RaEFAwJvFowso1/quNBo+nAkxhQ -OHcebB7koPKhy58A6qngEVNWckkWChyEK3dwgy8EL5o --> ssh-ed25519 CAWG4Q Yx/HLIryUNE2BaqTl84FrNRy4XLCY2TRkRgbA9k3qU4 -LZljfuLS5yMVVK6N57iC6cKEaFP6Hh2OkvWJjuFg8q0 --> ssh-ed25519 xA739A DOXjPRttSWz51Sr7KfjgKfAtaIYMo3foB1Ywqw9HYDY -CA5puXK/1HDOitA2XHBI3OdKmZ7BzHst4DyuWGMC6hE --> ssh-ed25519 MSF3dg +2LetdIiIZUk7wtHNS1tYsLo4ypwqZ9gpg77RQrnzHU -yIUu8BVbF3dhUx3531RR50/cJQd9gd8VfKUQzEeT/iQ ---- oY/wQ+RjZO2CmKZtbQ0yOVZ5fv2+AlvvkRu1UDfCNAA -_8`G=C7@x &\Ft)cPe%ֽ[zX-0[ɲtz;%~H0؃*XD; \ No newline at end of file +-> ssh-ed25519 HY2yRg d7+nvfAcdC3GjJxipXFrsfGGyP5jAY+gRWRV+4FVYAM +CG7r0bRGgnUWcdfDnpe7HwZ3L/y7b5iuJuqvf15b3/Y +-> ssh-ed25519 CAWG4Q X0vITOErz4wkR3VQYOcVlnrkHtwe+ytdZz1Hcrs4vVs +6IWYOhXLQ+BnML9YfLLHJYEO2CZ/uEc9IBqhoWvjDHI +-> ssh-ed25519 xA739A p5e/0AJtZ0+zbRvkB/usLuxusY8xXRx9Ksi/LQlcIHw +M4S/qlzT9POyJx4gY9lmycstUcdwG2cinN4OlV22zzo +-> ssh-ed25519 MSF3dg Ydl7uBWzBx6sAaxbzC3x8qiaU3ysGqV4rUFLpHCEV30 +/1AUHBhCNOs9i7LJbmzwQDHsu+ybzYf6+coztKk5E3U +--- kYt15WxClpT7PXD1oFe9GqJU+OswjH7y9wIc8/GzZ7M +hߓ`V4F_k)^m$uj:ѳ}Z]$U]u 0v8?XPg%d#d9{rAi \ No newline at end of file 
diff --git a/secrets/gitlab-bsc-docker-token.age b/secrets/gitlab-bsc-docker-token.age index 4650f21d7a6f53ae51f58f9e79794e70519a631a..985097b038e77c9122ea636bcbdafaa1ac7dad1d 100644 GIT binary patch delta 558 zcmey$@|9(RPQ6ie`m4#)IX2~Vx`e{XxZr*`aK{=L2+PNVSQRTi|nPrYn zZk|b1r6vV|MODU?1xB8kl_3#sZn;VNiQ)d*zKKrdRTfUgiAl+m;~B;4Jv_?uB8*b1 zl1u`^Qp&wUgZ%R?QUimHGAqN9O#_`nJtGqH{F5@w4c$VyQhW^xgB%SlTvGgu1KnJU zOjAo7vr3%(@{B@_QgX8klR~pAvt0{JQhn07baizVDzq~zGE>4+v&!6k!~Lqv3ae6c z+ybh!EsMPjO+(D{^V2HojomH%4Wpu5xhC^{2y@HOwRJlA*m5SL=7;=$t~Tq}7it9D zl3OHlUqk;`Bu`;+=&ofEi&CFF>71a+TY2wty;Y~N-7jC6xevQ9pW54ce6y(K|EpQ~ zZ@-x`@vq)cr~i!q;@&2u%Jlc8!aHU5fACW_Pq^)T?Ch^P#s9sJtZg*@nvnPq|giT?R{J{G0{1^UJ2hC#_5so{}aMV@AP zVV>bBmfD#~WxfGs0lC@UxfNmMzNLvy`q_qt?#Zc+IiUfeZULT?;~B;4EiI~COx*$t zD%?G*inTrcjdLws6AL2!&60~slGDR0^Gw5YqavJ&lbr*(e9B#2JaP^5B1}tz{Vfc0 zqAEiJ&HT+XBJzx!Ov?*Q!jm%m)0{(mL$fTnbaizVf^*#>Epnm)!%D-8i_87YO-qb@ zbJE?7QXI`P4I=!qy-l<0EhEDGN<)kDxmLx$RC(xn`%UW;^Yr74GWy$2^h7P&t&noQ zgyob*`EuJ+Y~RAG9FIR`=wz-kU$ASwk3sw7SO*@(8SgG`+qx=iS=hlXhmzlaxZ`zo zOWVAM1(OVP9e+zDaNPUwXussEiNYS=JsCWfpHS8@6Wr5S;ai~_{6p!&<6_2-0C!5u Aod5s; 
diff --git a/secrets/gitlab-runner-docker-token.age b/secrets/gitlab-runner-docker-token.age index 3a33b335d80e157c2268ccc9c667ef2d40c8c47f..c481b59b138c092201c280c42e93d28a25bf46de 100644 GIT binary patch delta 554 zcmeyw@`+`FPQ7uymw%G6qf@F+N{DH?pI=0wuc1YeZ?KzFWI%dhYL!7&qDOvNQI)o< z1y^!$Vs2ilqhm^@V~%OLc92PCuA5OxpsE( z#E;_PLB1g=ewD_7W%`9ihDnua22~lZ$;n=c1vzOY9_juS=0;{lWhwq9Mitpy1ttMm z5k*GD0ludBe(sgp1yNq1RmP{jD}9Q&baizVa?@R+97{9Pa^1X>3(UeyqD-p% zQ=L3=GR#BFTmws-%`Kg3i_$_|3(Aesxn35^ojY3jTd}>q=v`oF;H?u@a%VXj69eC| zto11m`{CYuT_Ng~9{>IN>D`CYe*V9f?5KB(-{soou(jGPS8UE6t=scZW}H*7s>6Kc5rLD^;@flt{0W|dkhxno)K&U0EG+5oB#j- delta 554 zcmeyw@`+`FPQ974sdJgRr%#GgQGsu^b4ZAOW?pezgKyYUsRf>kwr;SPLXA4rEx{Lep*$5BbTn7LUD11 zZfc5=si~o*g0o||yGfuzg?^T{v6+cyWN1)&iFsOvr(1wiRbo<7xUXxvfkj?~g>O)i zm#@BIpjl8Tm!pqqXo*pgOObJCL~>w+ZA1@5v4_CW?8=B#YP^f#vXx_;~B;4-P{eF1O2ls z(}HsHQo~IHi^4N2O|y%G3Nn*J%RLGsECYQDqQWy=Jafyre2fh849lW|QVWWM0zynG ze9c1q%>t4=^?ki6%1v^ed_vs}Tm#B1Lo(N?5LjuKN_@wn|fV v=FG|7K5HJ&Y%kbjWw&l$_iHs4>3N#mYXh%}8}@kIX%5>Td~f1nvAhoe+A7AB diff --git a/secrets/gitlab-runner-shell-token.age b/secrets/gitlab-runner-shell-token.age index d35f5340cb0496bce82e3e40ba7d155c6f04c52c..8ecc7e23301a3be68696fcb1dfd8212123fed120 100644 GIT binary patch delta 554 zcmeyw@`+`FPQA9Hlc`UIbD5#Og}G5qMPRN$ez=>rcY3&Au4i$&f1+uXU#YXRe_mpG zF;|IcVwzF0N2p6sp?;)`r)OS%o=ItlsYP<4X;ffXs#jUAS)^rL95v16fSRYXQ|Mo>^$fLpkMdzgt|qJe4P z#E;_PQK=Q_Nfzl&6#=P6CYc#ohRLOd;g$x8e#z-YjuAeNf!;xu0Zxw279pNonZ90L zWkC`7q1xu9;pM&_$*Gnh#V(m?MN#_UIms@;{wW!e&e;_fxuwaI;~B;4vy67baizVJSyBWB2ALha)U}e!%ag|J$y_u zLekSSvYa9;%e=CZ(#n%+GlI;@eL@{0xpq8Y_}I~WxsB~ztE&119u0=Hsf$>TrLmfS zTKC%{d-dOHNj7yPJU`o ziJ5+gzp-I9SDs~Bc^Wg~6d^Wp4RgrA~=O zJ`pKSmPJ0Ep2^x3>8Sy3k?zH=MaeJ=@;~B;4t0Hs!{Iz{@ z^UCuwi_JsbEj@G0A}vfk{QO;f3XMYY(z87BOe#YROtTHR!kwyIjMGcpvb8Oe3?scw zGYy@BA`JC&{8F=%T{1F^N+WYad>t(clF}WybaizVD#I#ri~`CG^v(3molVn%T-{Rw zL(6lEB8q*>B0}7JLjqlEy)3+4!;C!3xxT$xs&Zaxf;RulN0pb}A2=TuYF}x5t|vB0 z=(&-pi~TMEp9e2z^*8g%2s)jVHQA@e5#l!GvB13)o&4El)|I^1w5 
diff --git a/secrets/ipmi.yml.age b/secrets/ipmi.yml.age index 02d1218774bb6ebfcbdcf14b93c3f410e9efa2b4..f98c6e47e87972e1cfb66537ae953e105843c3e1 100644 GIT binary patch delta 1480 zcmbQuGn;3EPJM2nV?ji!Pk2(Mt9gK5gn^S!QB<~3P*I7SUx`bYqnBl=YerzIfmeQZ zB$s1ekwIZrWo~eOuy;Ual}nM6wqc&9mseS_v6FLVs!?QAepq5!qGhS2Czr0BLUD11 zZfc5=si~o*g1f0tglV}#c!i^TkW*P&K~ku`k8^wCKhH{zEvfW89~{l-s$>9`ks#AW|h8~`hH%yzHXkA;~B-nGtxctDnlZ| z!%f}X&GU`2s+>by^dl0rLo!Q(wDnyB(@er#L$X~wDk93cv@3kQGu%y_U2@&>-9syV zatcG7A}d|oOS20D{Y!Hz!jg(hBaJcwv&?)apJf!UuguPJ^p8qT4)@RxO?F94G7R=| zE~<3%bPd(_@HH?ku#C)1F-t8BGIe$23QjdQNJ)1p^ezuHO|1;k&M&UW$V>^!DD=sz zG)XS^t8@>nFvu_tc5)Bp($&>f2&@PUC`|SVa5P9UP07hg%kjv|OZ0U2Pjt(6Ep{`E z@bomVkIGJ}^iItx=L&!ISf}h%!rz9{>2E@xpK+`7_`S!;D1}97-@*$Yv>Y4niSGSx zE#!E#GOc48Z}L*n?W^l{=&0V?naV3!=hZR)^qtTyA}uUx;LA{u`0{5NV!x0&gqG*TDd{Y_sw)IUQDUuXMD!u^^fav z$@0DCzLq<;$9>J3uI81ffAsAB@2&6m*N8>hR>=e^_8Fh{Ed?Fi|F)w?Qn31yz#Yd+|LW2#HOq@=U}kSGTw2m zW&Xdf)mldsmQ8GP3s2XGxj&V`&^vG?-#TuFm@cM=>{+)G-)~sQ|5mi(XuV~e)Vm$O z&2)A?W#`%Am74n303&RCR?)GJVzB6_jy|&J*|M4y8 z+Qq_xYiv)#THl9$+A`y$nvJJp)n`xp`VHKt9yq<~JoMvL1LwXYbEN`qY3;oFr`lZH zkL9lJy9M+DQsi zyh3hkoQm?~&X05zn0zT#}KMlT~m@6^m?dLmBF3e5e+>~DW zor7aqef;V2iH`r}oFk`n-aq&E&8iE&J04zUcVPW@zEXlSYH1#KY*~kpcSj}D&(|08 z66fBn5$>54F;}Mg`K`J3+v@!GXU1OH!Ib)NTWqs7ugucV@e-X(k@sc9j$HrtTs`6D zdy}aBQ?(@*na$OGw?g-ErBmcVNqGT9d##=gH*4aUi!17Vh2ws%NhmqlBzX3;gjEf{bOjZnUot5$FXQtythjRzwRgccS zFke18bhX3u9pT*DCM=kgwXFEp>aG23rtP;F<#{x|e5)@yvuyLzJ659nLdrWWxc?|k z=wMiUt3_kJ*7@3i3HFC?PhY2d%`IHp!CPyJhDwmuik25#PX)`5yw3Ucp+D|dzu?_< gn*8Of7PWfFNE$9|YTe`|(wOZfu#tII^if|&0OQ9(h5b9!oJRh36xD3`9CLUD11 zZfc5=si~o*g1f0tglV~gpGRJWi+53}zqx*qn{#${rkg=VN=l@wL7;_cXsB~&cz$G| zcad9_pLwP)mup&Krh#QhxL;J2WvOdHVtS5+g-bz^W1>lcVZKpFhPQ!7T3B{edWuW( z#E;_PLBXl{zD5CN!Jhgl!3X2yn*h2Gjl!A2&9A!crs0l}_Z$-#x5 zuC93zrmp!RzJWPWN!cz*u9?L?+CfP!2KlC$g~@3Z=4qvwety1_;~B-n9g_>p%`CFg zwNvuEt5PCD0-Ph0N^?>R(n=lO@-2K*^euccQY}mM3!Hqpio^X4%uGU~viuW63XM~J z0=*(5Og$YV&5R1u13V29gCh&WBC2u&N<#A|pJf!U4=Hy_w)D%a(aGONgP4J$KFPcF{NDKIPY$_gy-^mOy_%n0@j 
zNlLVEi!=?-DvGkmb#@Bn($&>fNcS>NGdA%EPV{jrHAr-}F!QJ?a!Dx+$?xBUN9-FJKU z*5fkY_&YB7e7q*vIeYCnc9y;!S`o1>{cGZm_h#%`ACzYoDEuZP-!p1{LD!sB=c4o` z@McGEOHW!j=T4(a%`|7T*rS-miW2x2Jg*DLHq6=X#aca=I0CdjtJe#>}>j# zlkw!P?^pGfuQmLI%=fqP)tQ`gEcVyFJoSse=q%l>T%LhyqEWvS#TK55KgfLk_Zj9N zn%mNqTUn19raXVMpRZ$emR6(B`t+)Zwi=atcYE%AG5cjT|8wDGW?on2`a0JJK}{b0 zh`_I(XUnEt3}1ir^@n@L%AI$n96FQTuyv*$hnn}x%ceemN*eVlYK6SFNpClad)%G2 zg|`Wr+Du8+W6(W9i!3mU+*O9GLMN$cP&53sD1Cx^`dggV{EG)^xe3im{fM< zgQe~-R=1V6Ty|!Ahp8vMZ+UUiW}a1F>`{)}`&V68h~l<8zh_P)`aXArY~^L zjI9@wy?=d{$qeqS#+m$AzS-XM-T2C+Y*KFJv%}XcZEvwDWiwyW+4{$R zoDF}T&T-lJ+QlbLpz~*D4STYmg21^csTNB(0;HBJZtS@u=owcqOSny=nCq0w`8li(tpBs!aAkJ znfq>TWfweFJ@eGv%5|T^7iXV5@Qp*&eTz}q((mq0#x8}S{JnA~bKO!_T5G?(b2COk z$stufLi?#}-EZd^-*z{zi8ZaAT6*Z-t zF)B5`WTk5UxX3=A@f#20Jngvs>c7_))OqCX&&sx1_n*=GOm3^dWB(Wr*`w1Wr^>Of d-DTRXyI%JBd>`*6yL=U_xA;B2`zUydKLAbiffE1# diff --git a/secrets/jungle-robot-password.age b/secrets/jungle-robot-password.age index a25102e9..1ebca6bc 100644 --- a/secrets/jungle-robot-password.age +++ b/secrets/jungle-robot-password.age 
@@ -1,13 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 HY2yRg 0tpCZ5yI339pgPKGh3HJ8cnkhKlMoyYiKR1mo1cvkm0 -EVVpJ8nyw/W9B65Tw59IjJC5Pb4uQX5LGnzPcf/hUs0 --> ssh-ed25519 G5LX5w YaDAKeAAunommW6q6+hTjrjaadmB17OG89t1Dx/T5z4 -tJXdciiBTz9V+0nf1sGAk4vSlOgfeEgrKr+oDJ/4ays --> ssh-ed25519 CAWG4Q i/cpMcOaZpH7aqwsR/fZiVL9CreL9dkk5F5S9dXrQBY -uU8G51pMH00ywaIVY+AzjpiqzanUYpn9ANRabugSXbE --> ssh-ed25519 xA739A DTiXqnCz1zNgyLt8VvnOkVLDwfa0qJpUBQw9Ms/qHHA -wKjSYYOUEJkPisxT6MNW1eoYk++ECrs1ib9uEYXsAQY --> ssh-ed25519 MSF3dg JmvJsExWPW4b6RT62mz4Wscx7EsyDPVf91A9ps9+shM -67jZYnxJpQAhnRWnTOXs+Cu445dRCpDzIGGp1xYuF3s ---- QmdvzR7QqRPxS1fHc8rR/PDZxN8u+BVKAVvE8cMLhqc -EG Q ssh-ed25519 HY2yRg rsbyYULV9S/kz4OzBLQIVfyotgKrzPzvjPNVw69coTo +i9fgGAYTPxJ4Ulft3xzwNPF8v85Ae9ePMNWp593vSfA +-> ssh-ed25519 G5LX5w mhB3iiqV2e+tT31FCREX2Bqq2F2g+vTYvjCuyGSeJxs +Ep9zZykCGFW841S2mnllEi0oPnRiRuYIGtv6ckp+IBg +-> ssh-ed25519 CAWG4Q M0AJEZuiC6FnRy8rAJQ9T9dCXfIfLXGk0uBGhYOxRSg +5jSRNTi0c6we/oLBdUy1am5saH/5Nh1fmVqYajXFbGc +-> ssh-ed25519 xA739A Zf9tUKg4S4UuWMGEtAWVg0pa6vTzKIl2Ty39IjEG2mE +RCSkVFyO2ZuDlAHung9bTeM91aTXxNRJ779kE0C6pK4 +-> ssh-ed25519 MSF3dg QLiG9s3mgfO6HnQ8/ReizkGllsjYebIL5ZthSVcD7Ao +YdzcodBarrdg6R96Ys01aEPoeYygbT56yz90BMFfr0U +--- fS/rGOP3IGG8b3bCDy26nBL0P1rtqC70CmKOGDsg8Tw +;YM_Zꙺ:]Ez89ze DX9{x^ Ll 㦑9RVhWs \ No newline at end of file 
diff --git a/secrets/munge-key.age b/secrets/munge-key.age index fe9f9773f091c2f664d751c57f4929e9310864cb..9da37fa5e597fb193f38336cb893e66f1b2c13cc 100644 GIT binary patch delta 2037 zcmcb{e?(w{PJKjqqJgJVdT@DYjzONMt7~P2hiS1}L1d&;np;YiuaQ$xj(dhlKt{Q{ z1(%b4vUjGoOGHpfnp<&}kC}y`r>A>?YpH2svY&gfie?W<)_%zN@}pnu|qtnUS+)iCa#RdA3KHX@IkZQL(#mhO2*w zhmWC)xo4mwS4feCen_ZAdTF+qYe`r{WrabxMTovnWu-@vOGII1a9X&jOO{uXx3R11 z#E;_j7M77^PDRPazM+LVPC1U+Q5gZL#i`*XZk}FcW{#CEo`p$XhDE_Cp?SVsRr+QY zE|n(PenyE-IVR4Drr}w}Mj>8F=A|j_mJudJ2Ek>yh8{+qfl(&tK1nM#ipWS;$PLT# zO?FIj&nQjF(Kqo+c6AHzu_&}Ca8Gj0(RcMs_YDg6Gjk6!F1M&M;0iDea!>UrPAxJn z$q6d-3wQK$kMt@sEhzWSN%hW4EOyk+OtC1d3iLBJnHNwTaZPzvx|{yieYGS zd09bthG)2|znNEQWROL!BUfdlt3_FAnSW?@Vw$$QYe0FfnX5~QipP<(}^2pOWvDT$*c?6qyyO9h93?q-|jwo}N_Z?q^YyWae2M?3-U1;*}JMZk=zi zn{i6ILZM|&MxIwyh<;$PXGKm_NlH$RafFLsSX7XCgt=#ySF%}tfVY`JNv=~Mmq(y} ziib-^y;oYQM`1>RK|!*9ptirUueM`;vZH@xL9m}?k#|~3ia}XLIhU@ku0mm9X1{QO1?fo>`x)1Evuvj3l#d-`+n z*$X0)f%AG_r_}Sm{n|Y(-tAcL#chVa3-_L}j^s`_ebW5n3OzSDjgwQu71^0y&gU?g zX%QB8s_^*JbIP%AZu)a}Z}W+BZfMrqu;t~>es?vAW~TWc5^ZgZr(Xa4R3qba0duec z<6>>54GvOIc~*vs7ZkBea(yV7@Sv;D z@b9AK?^XNPFAAOe?_aG`uE2tqt+P#?u0J#@+Op8>@g|=$Le<|F{V46-fBu!FeV&q8 zZkCzX+V(4kZ?4Nd+MSWknV52QRqwjJpS)GWHOgP59(d`LvQ*!-5 z$Imvmx6N|7#kkt=R7cXAdt47|cuytGw_a3OY2!TY^KNDi>$O`d`=6tvmD?d3A#YfEGQIkSB5)Dr&FxhJ{Sfa~*eMZYNrzgK1>i5q-*l3vbEx2{z-hFTWIVQx!86@8;pB5qfI_0F4p zr)8k1$-G8flCP?+iPp`C|`5K7a43`%*eW0uulJ-MU_A Vw!iM=%ULs?7FdRV_|esR0RWlCSQP*O delta 1945 zcmX>iaE*V0PJLjcNq&eyhIY7imSs^!x@(rViCdvzK~QpJQdF>cNs3QIph2!rR#r}E zI+sa6s#|EePg-PlR&ZvZWtN-2K}C9*U%GE%URGeSTV$kJiFTn`q=}<;AeXM4LUD11 zZfc5=si~o*LUFodVy>ftPnJt)s!O74goOHzopzj3ltSZ--hU~YI>YGy%JS(sOmPgF`#R%voTM!spKUxr`) z#E;_P$q{*BVO1WEK|vOQkrl3$=|$$1rg_B$Q3cM%6_w_NK6%DL6{S)Bl|i9gNj}*{ zk>*u7rjaHFnL*jUrsbv;zRsSx&iWPJ7EwuQ9zmWFc_Dd$!A1s?&oYYFhZq#+ScVi= zdWEL>I+a8iaY}n1|+MdzE^-`4(3Mn0XtgmSm)J<%DY&=adBdR+?rwxtgXK z=IA@QdZ!hY7^USp2bol6x+Pawx+aDOc~?cEhmx0ae-rwQK(t2SA|!oCs&bWN_MenUS&qMM@68cX>gK%pl4c1 
zXm&tKp`S}+goR;MrKP#KyGdrHE4p>gj^XYmfeNKTq5hu1ks(ImiJ_4xzPZUEiJ2a5 zrtX$zrXkKIsg}+W^@XNxNf`znM)_QxIgw^zmClX@ropDJseX>R+P>~4j#(agZkGDq zzJ*zViTWw#MXv5%MZW0PRXCa(TRJKj6k3Lr8m5_;<~tV^8&*08SteonMzrujM> zCzm-UmTUW0l?JC)y1H`dhvb_V<$2c|6?+AE7dpFy7`T{*8T#kDc)M7H2Do~-nB_;g z7#O7#m}g@oIp1J6Bup@UkRrZEaH{-*O|foTSJw{XC~~uA6x` zUrg}Z*zW(`M#AaQ6~pYV7YA(k(i!fD_7qew{8%GtQR%sQvu5aY{oJ(q6{3y33Kv9E zE=_KntS3>ww)N~{-iAlntVgmsC&sUeJk0;^<6EJf%emG>id^0KIXpjxb>AM_2~XGO z9zH94!kg*V-MFv`T~|!b%U)Z|y>Uuco#}IyfN8Fp;b&sZ-@N&_ck5Ocvl;s?nj~`H z2u!z9E9xp-eZS~klGdgR>@R1Ei}&gF(TF8;GOzx0v! zO%lBSRq7g#{ezjS=N@4Z+PO@3-~C9vUjlifRk*z0)oWk) zR~C`iYSz*8R`bd2)0}&Q8w|I&h`op@I8Z+0L3^yWL6_hZ=~O;#!DU&Bj+YOY&kMVL zpD(fVtk|+M0*<%tX}GSIsb`&UDxh4m_4e|dp0LBeRxs{3`Kd!L`EK|e#|70DrM?Te zwyv)5v#R>RY{Gxwi0S%*?;m+NLUy0+x@A%S?yjiZKfBQ8fA&9Y-$ie6g3Y zvEk2kvC};ZPQJgh)p!3|nVWBHW7bZ;z5WZ=qqS2fUCDiXcD>>em9Tc1=c1RA5*5?u za2R}c`~0w;Vfq>ddxh|ikM_U($EeiGyM)!hMr-zt*5r=R_w_7gulhr6`i71YwoYHN#dA0K zoDTT4Q1mVTRnwklt5sb@OEosD->+L@AoXa<-#nkkRpIHat0GjV>Q_zBi7cwz@_mtI zR^u%V_Pl+`8_k(Z!wx-6$|*k4#krt!u8>Xq>K$J=Ty&0C8@tG+?cf)5NmEy5x*aVm zw_=9$p?MQmwm*JZ%x9lduuX8c*Q?&(+pgi>e^P7Z&n#wrVlk~mbne!IClS8Q+;6{n zukrfoXOg;3b7#OVF;i(*VFuogxA9RSHG=;P-w7^EcAxFCT-K?2e!s(me{rkS_cuB$ dv_InV=EM2e0vq2sJek@7$F6R4u#0W01puXN9|r&c diff --git a/secrets/nix-serve.age b/secrets/nix-serve.age index 2d142fbd..f3668972 100644 --- a/secrets/nix-serve.age +++ b/secrets/nix-serve.age 
@@ -1,13 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 HY2yRg T/Qom1qxE0M+FuvsXD/KZ6Usfp6v3Xwx043kDgxbCz4 -6GRg0QjuHd2+d6lJfZqqPMPMjS91HEcJ/W0KRV6Et50 --> ssh-ed25519 G5LX5w pzg0wK+Q6KZP67CkyZNYbNcahlq9SIuFN18H85ARykU -aDSrO49tg/a3GOAJR96lh803bXoZqp/G6VMiSvf91vw --> ssh-ed25519 CAWG4Q X+F/6LF8VUUoV72iCLzKKpYGRDoUHuBy1E+yr29RKEo -c779vpt/fiN7n0kGAc5jA9fWkzCPrthlNZdN4p6csrk --> ssh-ed25519 xA739A sbg087VKj/gcycV9JrBNCoCfB4kRMDSVo3EtfpRVDyg -Lv5ges1KmxGwvz4UPZCD0v4YN2ms2Q3wmrJ14XCKYsQ --> ssh-ed25519 MSF3dg pCLeyeWYbnNWQwwlGcsKz0KZ4BaaYKCGjo0XOPpo+no -IsNxFoB2nTxyThJxtAxSA6gauXHGQJnVefs/K2MZ+DM ---- tgB3F+k1/PQt+r5Cz+FqH31hCZFvr0Y8uZVKkdA80yo -60.(s?68QIdgb`Az ssh-ed25519 HY2yRg tdVrzL3EryCEDJSiAjHfr3AC6rhyKLLe9ZaKKa/fyEk +kIbJjp/odUkQ9E2fXpk4zratLieyMNdNLHYGQt8+860 +-> ssh-ed25519 G5LX5w A0wBDwowrQyByfinVVrypH5VyvyKk3O3O8+2JnVgcCI +kLiXfQkC+8QycLyyM/6dAKEE6SGxSZJS7PuOTQr10XE +-> ssh-ed25519 CAWG4Q HkbFgDtrbuv+KCwULZppiy88ZHl3kHcdlTVTOfMKTzM +KMGdQl8Gl51gUp1bxEa41a0VBBiHWD81/9C75NX/pzA +-> ssh-ed25519 xA739A XfYFE5jPFvcoTMXtwJgs3+HPLQxRmvz1W7yqE7jSYGE +497iDMqiIx1u+cBu8KZDNF2SPpGCrVqjGdUPD8kEjE4 +-> ssh-ed25519 MSF3dg Vbxxsmfoywpi4W9WUMzgay3Nd1UBigliYHD7Wew9AHM +aLt5GN8jJWbbrHfs1321tQz44lBaATe0BipT/EGc80I +--- JHESkz0eGNPo3ZEGALVH4xsQ4p1O/6ShlfOw58fjH1k + +AwNgCԢְ7 ǟ4#0ss-*$Z[*ia{?=v-E70]q0)q"K{BZs*l9-E+8<(a*$dNxd \ No newline at end of file 
diff --git a/secrets/tent-gitlab-runner-bsc-docker-token.age b/secrets/tent-gitlab-runner-bsc-docker-token.age index 8c69121a61468287707e6ec89d75db7b18a628c2..c105a3a34a03b7aab0c76055b28bae063478e772 100644 GIT binary patch delta 556 zcmeyu@`YuBPQ6D?ph=iTj#G+pX0Bc zVMtnTcy^T|mvfMbW1v}DVWL-9q+xDKsAq&>dR1anc~G%oaj1oxMTSRJNnW;}MVX($ z#E;_P6_tsmj;1AM#{T6M+F?cR>7i+1`Z=Bf7D@UQVTQ@6MZN{4QBFRIE@8f0<=O>~ zrWVGPp?PkFMvi6fPVQCVNr9g3fv%C3;f3J_&cQx`mSx((?gq(|;~B;46C<*HDx51L zQ~b-r@(VmXatk6{Jd~O+5V#yj@c=f{ly0!o4H1LyD`S{LIX>1EW%c zUA#COWH delta 556 zcmeyu@`YuBPJMc1hI>RvxudavnYMRwL1si!hO3XOUvi5mo0Tn(T zC7zzCmZd>qiFv_Mj!_k5M)@g;kvQ7#sf;~B;4{mndb3@Uxi z1FPKq+%25ToeYwq3M&fJ(yM}v5-ao4vhoak%{+|5Qk;^x0!=Lgjf|2)3tgRDJ1FDkE^F0mf%|o>f(t}(qxODGnT#!oZ-s|9eFQ+E<%#Rv-h7Z2_avJKl z4UXGR)t{~su`WY9r7%`xYhl)>#n)NGmex0O2_!z7VDxF36gN{LXJzW-=FgkudeN>!$>kDI%GrL%j0Pk3;4W~HmPWlmwG zb6Bd0rD0w=S7NePzJ6YYccF1Xa6rDBYe1r#kDp;$m4`=?YgKWHU%pRCenz;Xhj*s$ z#E%kTsqS9+KB>W;f#p7-Mv>{-?wLkOnb{s*#vaAVK53QthPlOsKE__<9_3smA?1k` zK~CNwIr_o*m67^Bc@;tWS^B2oWzK#PreUd3KHixIh8B^&MUj)^8O7_vD|5|5E7J@k z$~+7`%yRu)T!XUxE%FPpeKY+Gs;VM#jRLYF(n?(Y!;85>%PpeH%e_6FOhXIP!%Fjm zeO!$K6SMqWyrQx_%=IIU{faBK!`*VsBZ|3nb#)aiO)}iWk|Hym-J?=`UAyuTW|n_pl}llTK}n*AetKp~UaD`RwsTmZrAc6#vqxf7P*P#I zE0=SHVPQ_HX;@-*T4hS9SH7ilq_?k6dQqZDMPZa@VMtK9k%?P)?b7NxF%CUP^X;SVdGwnNMLwaG_86 z#E%kT?v_Srj)`75VU8Xd76IO&k>;l1d7kjyc-d29=(nW}%bg8O7^e0}cJleacgk z@?E_$%gb}Ui$a`?EJAYAiW42Hii4d>ebV#uT?(t5f?T=MLbI~+Jaf_t^j(btUA3Ju zj4LdS%JUo(v&+nljYCttOPtCA9Ss8wqLR6Eb#)cW4Ff{`f?Z9E4SjT-SffXV&v@ zZa%Nyb7aCr-_xnmdZB+$w{L2jm>fQ{Md`q$iI0E2UEBKdsuAbMZLDt&rm8EZub#TQ rjE_fPUx`X?uOI))3#~aV%iRhR&6PS8?%7AaRlOs3dHy5m2KD&>*Qv&O diff --git a/secrets/tent-gitlab-runner-pm-shell-token.age b/secrets/tent-gitlab-runner-pm-shell-token.age index 19407895..2d957a7a 100644 --- a/secrets/tent-gitlab-runner-pm-shell-token.age +++ b/secrets/tent-gitlab-runner-pm-shell-token.age 
@@ -1,13 +1,12 @@ age-encryption.org/v1 --> ssh-ed25519 G5LX5w V9bHLoGuY4stRwbzVS9Qa0L9yoY+UoCoXc+dJJQW/Ag -2ut9GfdJ3KBCqZRaloZCQsl8MLfaZAZxqj6JtPJzu2k --> ssh-ed25519 CAWG4Q OAqnIfMECpKglZ7aF9tv/PQinG1Ou2+IEZ+nf4dtQjg -dANdMLe4iI0d6Xd/dIMpZK+mgw2+VmJFQScHaIxD7WI --> ssh-ed25519 xA739A nVNF4Y6VSa5PP6FFBJpVmoFYYseoFx5F2wJU+Pwk+Xk -A5CiuTSNlX9Y76qhYgblBdJl3zPhtjWho2oL5/sIKu0 --> ssh-ed25519 MSF3dg /WMsGnBGzquIMyw06gHKpSS4OUxheulT59kxi+/pxxU -ppwcv7RLzUbQUM7j0Tb9rRVT9XyPMhqYr2fr4S0nTJY ---- zOe0Ko0oxArbmxePMPDVAT0pDju7IeOAih7sNrDcoVs -ikA -hODVw! E݈+`C5LAtM^ E<HI_nno?j- -AnԔί>ZzdTb"(@{_ځC \ No newline at end of file +-> ssh-ed25519 G5LX5w 5K0mzfJGvAB2LGmoQ9ZLbWooVEX6F4+fQdo1JUoB3FM +AKGa507bUrYjXFaMQ1MXTDBFYsdS6zbs+flmxYN0UNo +-> ssh-ed25519 CAWG4Q 8KzLc949on8iN1pK8q11OpCIeO71t6b0zxCLHhcQ6ns +uy7z6RdIuoUes+Uap3k5eoFFuu/DcSrEBwq4V4C/ygc +-> ssh-ed25519 xA739A SLx5cKo0fdAHj+cLpJ4FYTWTUTyDsCqKQOufDu3xnGo +VnS/WsiSaf6RpXuhgfij4pYu4p9hlJl1oXrfYY9rKlQ +-> ssh-ed25519 MSF3dg c5ZXvdNxNfZU3HeWsttuhy+UC5JxWN/IFuCuCGbksn4 +vcKlIirf+VvERX71YpmwW6zp6ClhlG2PR4R8LIN7cQo +--- pJKICDaYAlxqNnvHIuzB3Yk7tv0ZNYflGTQD+Zk/8+4 +h/\JJ +0? p@܉73za',kaIXXOZI\ BP/cUɿ~BS' Qfer^8lVE \ No newline at end of file 
diff --git a/secrets/vpn-dac-client-key.age b/secrets/vpn-dac-client-key.age index 3e92d23553e801a07a342dd94960dc46a4799298..4ed52512f11a537b76b59a154feac1887cbd7c04 100644 GIT binary patch delta 2187 zcmX>mcua7DPJL01QDJh1WpYMom_cBrc3zsXo2P5Op<}VPk7-13Re^p+q-mzUhoMJ= zBUeOmP*8AUc5abNdZvZBc3yZ`zI$Y1NuIfhL3nOOSYlN{Qb=*Rqic|RD3`9CLUD11 zZfc5=si~o*g0o||yGfuzc2%&Wain`hwnb88s&kleqMM0hR#;H5c4%peiMMg4n{SSv zX-0Obe`ug5S5i<(Vp2*-U}<5lX>eMZZ-`@2agnLFcdCDSaY3iX$?7 zvK;d(ax6+SlFR*aEK&+9-P|e+!@QF#yi9!jN>j_soDD3va!X6nJga=elCrZ4qe=|J zJuSimJk$I`!jhv5or--6(?ZNWe4{+fOhc2obaizVf(tAwJ^T&Q_0z)Ae0-CtjMBnO z14=7%6a77NN{fm!3nMG*^L#_{-Lfq`xfJVfoa$H9@2Gs_CvwSUhM#!O`u%L%LoY@ab8fpG@YJ`j_`6mz zSNc!Q>7$O;r#FA%NU4oDdSxfKN7SwQ%X1IxG2=bpTVZ^0{XNn9^LyUzbXmH^%<^Z`p zerMa-FgdfU{}*q(bkVYo^>eKBifXK|l+m-pb$d9+ z`85X$kFtF}9GtDMrOr{KQz{i+{M+rUQ4ULD;)+l&pO&iqE>;zj3WM4#M5D}>O})#| z)|eDx>B;$dN%3ksWwSNm#yLr%zgWdm7V1R&%diMnx_^}SV_n%#Tm8-a-#zTFx4$*6 zHJg-~l0!T0#KMxu zS2LK_E;MNRygHqGO4vJbEB_J)6HQK8$AhcaX#H4z{dd}u^DS~xy!G2{Yp<%f#rjOV zbolFn&nX8|vz9G5EM_W|R}els(a_$*ZY`gP>Y>THeFpjyTuLiX&YfhVK37^+#^y0^ zQ-s>Kn|`;fELX{F3${`9tSeprZ~l(Gyu4z`d!%aF#hcdl_)8i-5Rq)R-*r>LPpI^) z*mBd`>u!ow2g_cNjA3pLs=rqM&8PgVzqFf)LoG}C{w2YmQ$ur4@PAo3A?8uky#~Jn zA0NA(NYF5ST)(<_$F|9tHXlEIUwN`CL;h*OhwZob)Spwh(C@WrU-}lViNAfBr*C}p zg_p1T*rCYt9({U=y|%LtE0_Ii%*o^ql-2$el3*CU!gxmYImaG@jeq{Iy#2PD_fq}V z)$_NA@-O-PBy7HC>Ersvu(ko zkN4$5?b`K965SOOf-M%VnV>hztBSwI{#R;VeKA+v`ENSG*E>t8-pn(f$^Sp^kCPR$uN+_5#rbU&D_bwXz&ZZ9-f z7u%(@^c$N`#MZmBcP!lAQDqZXm$*WZJ-{|Vbnl}s&wz`uGebA%6zn>0{Gs6yD@S&+YWua7BB>5fml$1j_p$hu!1}PpPjwD;}*lb?=h1kia5= z85t99KH%E*k7@1!w+mr`Q~muu%dS?Qs8wY%;@deqm10%rE;QZ0>0{S-S(VH; zv4IIX7oL9L-oGS!p2NBJLodod|CzDmG2f{GpA$=txp~A)*=CuNUNuG4>6YuNJGLHy z7v+6-@^qM+@e0p9GIi&SOK&$fG+bC>x~;u+R`!huu7W@OtjG8x-*#;Xm?{$|Q(q=2 zmcua7DPQ8hDig`*@xTSWvKqiK#_sUZtODU{!i%QLwjhu&cg#D3`9CLUD11 zZfc5=si~o*g0o||yGfveiK%NvMTB!`h<=!5Zn#s1sautQl~1ZcPI#87vwNgjV6a7Q zMY@TRab!q2mr00cnweu!N@Q?KWx94&USwHFd2ysisZl_pmxWdqEcM*&5I%{jU5YJoq}Ba)AYT=y@O1+g7d2aw3Etmi&BH!3@S@9 
z{ZrjTv(vM@6VoEHO0omp6Lazn%8SyA3X&qZbaizV^1VF+Dl9CME4`Bn{hUJ6^Md>{ z%Di*k!g9m>svbf>MJ+x&F>wws!NIywtWlCoP>XNy4k{M{vfiTvGO) z`MGz$@t%f*H%*&veb-gxcHYBv^^EA`-}(v%C+_hOjlNeu)4x1b$#So-xYW|~pQ9MF zoAy}8yEExTM7g*mygL2qN5swu@x@QI6Al!FM#a_Z+?&)Rd1b$})z5-g9QDQOAJ5L; z$EX_jfuZiXm4t)*!HlIgA+F9RU2o{_to=1pQ_6R3qW1j9&jj_{7TuBCa{8a#I?mP$ zUWo!H)wb1z=e{X4@~E|P$@(>UW{c*Vy}v9p*DP3@cmFEqH5=<)>#MGNJzf5ZUrkE& znnCXD&r6$+&tsTB)!Hvjw=KEXTqA68y-L56hS5g7^*&6F7vE{W`R4w?bZ=v~#iuoI z`F>d}@Tyqs%KCBr%iX%Qk}Kb}=H-a87YF+Oo;&H$hV;EnYTOP9rM9VIY>r35Di=#E zIy|3;)5}`=`i`9o|Lr{gW_tUTw!-o?>(uY)1sBft&S)vhd-b*`bHPOACyH)o9X-o+ z`o7k`dSLj`W~Iueryol!T=#0uJo;qA&1W1Q%cFwo%bgS zOFIN|FhsPl8J$|yF(>xJ?C@@b{oCgD&-pj+;UDh2=^tLq5S_hpom6?%a&hKs^5Lsu z*1pIn5`51Tx%#HJu33us2WO{4k1h+%z9GQBr7E#FZxx4Ke)~-B8-Eynlvu~O8S0k) z$hYFJ|0VXq=+i!-dP|eJDHpQePZBWQaLYhjZ^`BbT#o;~{r+{p!}sr|us`-Qf~Mr} z>9P47*`I45uDjygk^S-}Yh0UBq=UNmr~k6QQRLLoJ|2ij4pD8uXbI$jUuT?B1ky{ykgfFaIE`9fM-I2VRotiW1Rb_%oZXTZB z(ciGmkMC;Kzdx_8A3k_l_^)CF&-{)^-u;Z4@~@V!Ra0!3!xj1_XfuZ*tNgz!x@x^4 z3MYEjSei=o2+x|HBj%@d=!8m8cZY}NXRFVf_Q%ayTRU_5^k8@1hX*$QzW3)zgQMDJ zqds@#p1oq#chqwVa!#Qorx~`=*^PUpZt`9Yj`|&iZ*e zWC!!JbJe2h<%JuXGy8>E%_J%W~R z>6yj?Se^-^`7qACq|_6J*dgvV)G?nO{%`)p3k5C_q>=icS5QA z+796ubM(uj%!2)#WdrJv_4}^|ycMHm-T$4dHF~YaPyg;VsoNm&^Sb+M+M_ zSdz(6F0vHaNye1{Sp_B;VHSzziJ5**KB37ad49%8?yiws#%Z2r z!IfcIVHp`lz80m)`VnEqNjU{6fxZF0k(ow?Rf!&c5oHwyNoBs1;~B;44V;Sg6T=Pi z{5*q$wJnW3OUzC4%`&{B!V}GdwSC-7liW-l3yQsr(gH2GD$Vl^ydzyaTvPK5jq_4G zE7J9IBQtZ1Q++Ecs>&kWj0(aFGklY@i=0BabaizVJPY&9P2Ekj4U8f!^O6ny{j-x@ zE3`8MbG-B1Bb`&T9V^V8%}RniOpVJOxdiTUJ&t(sS2c}ie}mB1j0o;&55qtg?mwmpND&HshMAyS&o~ZXJ(#xvbUeMrBiB{yLX_Ic5a%Xt7)<8 z#E;_Pj_!%c5rzICX)gL1xtaOd#@P``&c#Xk#zux-iCIBm+Wu8u7KuqAVMf_p`ue`f zhLwg!+9pnwW}bdt`H2-CK`E};mQj(uCSGYNDM3!g+9j24`WAtc;~B;4tGx5ma&i-^ zd~=+fOp`pkEqy9{lZ*V!EQ3Rmyd2$%LsLQvlYJu7D~+?c@=Uxl^0JCbEcAU#EW*4( z+yX-rgWUW*TtZ9A3NrM~vI29>N~_9^1Kk3-baizV^aIQc$_#?b-1Cwgt3m@E!y`=! 
z!c+3iqmuojLb4*W6DxzA3ro|yeT>sRx#~ Date: Wed, 9 Jul 2025 11:11:22 +0200 Subject: [PATCH 02/13] Add storcli utility to apex MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné --- m/apex/configuration.nix | 4 ++++ m/common/base/nix.nix | 2 ++ 2 files changed, 6 insertions(+) diff --git a/m/apex/configuration.nix b/m/apex/configuration.nix index 2facf6cc..a36a9657 100644 --- a/m/apex/configuration.nix +++ b/m/apex/configuration.nix @@ -15,6 +15,10 @@ "megaraid_sas" # For HW RAID ]; + environment.systemPackages = with pkgs; [ + storcli # To manage HW RAID + ]; + fileSystems."/home" = { device = "/dev/disk/by-label/home"; fsType = "ext4"; diff --git a/m/common/base/nix.nix b/m/common/base/nix.nix index 5eee5b7b..0e41b27d 100644 --- a/m/common/base/nix.nix +++ b/m/common/base/nix.nix @@ -6,6 +6,8 @@ (import ../../../pkgs/overlay.nix) ]; + nixpkgs.config.allowUnfree = true; + nix = { nixPath = [ "nixpkgs=${nixpkgs}" -- 2.51.2 From 4a25056897d6abb77852c6a9220dc3aa96462496 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Wed, 9 Jul 2025 11:24:22 +0200 Subject: [PATCH 03/13] Remove proxy configuration from environment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit All machines have now direct connection with the outside world. Reviewed-by: Aleix Boné --- m/common/ssf/net.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/m/common/ssf/net.nix b/m/common/ssf/net.nix index e09ba758..911e180d 100644 --- a/m/common/ssf/net.nix +++ b/m/common/ssf/net.nix 
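Review bot: `nixpkgs.config.allowUnfree = true;` in m/common/base/nix.nix lifts the unfree restriction for every host that imports the base, while the only unfree package this series pulls in is `storcli` for apex. A predicate keeps the policy tight and documents why it exists: `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "storcli" ];` (assuming `lib` is among the module arguments of nix.nix, which the hunk does not show). Alternatively place the setting in m/apex/configuration.nix next to the `storcli` entry so the other machines keep the default.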
@@ -9,14 +9,6 @@ defaultGateway = "10.0.40.30"; nameservers = ["8.8.8.8"]; - proxy = { - default = "http://hut:23080/"; - noProxy = "127.0.0.1,localhost,internal.domain,10.0.40.40,hut"; - # Don't set all_proxy as go complains and breaks the gitlab runner, see: - # https://github.com/golang/go/issues/16715 - allProxy = null; - }; - firewall = { extraCommands = '' # Prevent ssfhead from contacting our slurmd daemon -- 2.51.2 From e8f5ce735e1401a54be7a03240713ae4b0bf0844 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Wed, 9 Jul 2025 11:26:22 +0200 Subject: [PATCH 04/13] Remove proxy from hut HTTP probes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné --- m/hut/blackbox.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/m/hut/blackbox.yml b/m/hut/blackbox.yml index e69acd31..96d72ae5 100644 --- a/m/hut/blackbox.yml +++ b/m/hut/blackbox.yml @@ -3,8 +3,6 @@ modules: prober: http timeout: 5s http: - proxy_url: "http://127.0.0.1:23080" - skip_resolve_phase_with_proxy: true follow_redirects: true valid_status_codes: [] # Defaults to 2xx method: GET -- 2.51.2 From c40871bbfe563c8e4138a044963d4b43b363f7b0 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Wed, 9 Jul 2025 11:59:36 +0200 Subject: [PATCH 05/13] Add users to apex machine MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit They need to be able to login to apex to access any other machine from the SSF rack. Reviewed-by: Aleix Boné --- m/common/base/users.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/m/common/base/users.nix b/m/common/base/users.nix index 92e7b133..3017aaf7 100644 --- a/m/common/base/users.nix +++ b/m/common/base/users.nix 
@@ -56,7 +56,7 @@ home = "/home/Computational/rpenacob"; description = "Raúl Peñacoba"; group = "Computational"; - hosts = [ "owl1" "owl2" "hut" "tent" "fox" ]; + hosts = [ "apex" "owl1" "owl2" "hut" "tent" "fox" ]; hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc" @@ -69,7 +69,7 @@ home = "/home/Computational/anavarro"; description = "Antoni Navarro"; group = "Computational"; - hosts = [ "hut" "tent" "raccoon" "fox" ]; + hosts = [ "apex" "hut" "tent" "raccoon" "fox" ]; hashedPassword = "$6$QdNDsuLehoZTYZlb$CDhCouYDPrhoiB7/seu7RF.Gqg4zMQz0n5sA4U1KDgHaZOxy2as9pbIGeF8tOHJKRoZajk5GiaZv0rZMn7Oq31"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWjRSlKgzBPZQhIeEtk6Lvws2XNcYwHcwPv4osSgst5 anavarro@ssfhead" @@ -82,7 +82,7 @@ home = "/home/Computational/abonerib"; description = "Aleix Boné"; group = "Computational"; - hosts = [ "owl1" "owl2" "hut" "tent" "raccoon" "fox" ]; + hosts = [ "apex" "owl1" "owl2" "hut" "tent" "raccoon" "fox" ]; hashedPassword = "$6$V1EQWJr474whv7XJ$OfJ0wueM2l.dgiJiiah0Tip9ITcJ7S7qDvtSycsiQ43QBFyP4lU0e0HaXWps85nqB4TypttYR4hNLoz3bz662/"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc" @@ -95,7 +95,7 @@ home = "/home/Computational/vlopez"; description = "Victor López"; group = "Computational"; - hosts = [ "koro" ]; + hosts = [ "apex" "koro" ]; hashedPassword = "$6$0ZBkgIYE/renVqtt$1uWlJsb0FEezRVNoETTzZMx4X2SvWiOsKvi0ppWCRqI66S6TqMBXBdP4fcQyvRRBt0e4Z7opZIvvITBsEtO0f0"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMwlUZRf9jfG666Qa5Sb+KtEhXqkiMlBV2su3x/dXHq victor@arch" 
@@ -108,7 +108,7 @@ home = "/home/Computational/dbautist"; description = "Dylan Bautista Cases"; group = "Computational"; - hosts = [ "hut" "tent" "raccoon" ]; + hosts = [ "apex" "hut" "tent" "raccoon" ]; hashedPassword = "$6$a2lpzMRVkG9nSgIm$12G6.ka0sFX1YimqJkBAjbvhRKZ.Hl090B27pdbnQOW0wzyxVWySWhyDDCILjQELky.HKYl9gqOeVXW49nW7q/"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAb+EQBoS98zrCwnGKkHKwMLdYABMTqv7q9E0+T0QmkS dbautist@bsc-848818791" @@ -121,7 +121,7 @@ home = "/home/Computational/dalvare1"; description = "David Álvarez"; group = "Computational"; - hosts = [ "hut" "tent" "fox" ]; + hosts = [ "apex" "hut" "tent" "fox" ]; hashedPassword = "$6$mpyIsV3mdq.rK8$FvfZdRH5OcEkUt5PnIUijWyUYZvB1SgeqxpJ2p91TTe.3eQIDTcLEQ5rxeg.e5IEXAZHHQ/aMsR5kPEujEghx0"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGEfy6F4rF80r4Cpo2H5xaWqhuUZzUsVsILSKGJzt5jF dalvare1@ssfhead" @@ -134,7 +134,7 @@ home = "/home/Computational/varcila"; description = "Vincent Arcila"; group = "Computational"; - hosts = [ "hut" "tent" "fox" ]; + hosts = [ "apex" "hut" "tent" "fox" ]; hashedPassword = "$6$oB0Tcn99DcM4Ch$Vn1A0ulLTn/8B2oFPi9wWl/NOsJzaFAWjqekwcuC9sMC7cgxEVb.Nk5XSzQ2xzYcNe5MLtmzkVYnRS1CqP39Y0"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch" -- 2.51.2 From fdd21d0dd06cd4aba7186b46f1084d6683d406c4 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 11 Jul 2025 10:22:04 +0200 Subject: [PATCH 06/13] Remove SSH proxy to access BSC clusters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We now have direct connection to them. Reviewed-by: Aleix Boné --- m/common/ssf.nix | 1 - m/common/ssf/ssh.nix | 8 -------- 2 files changed, 9 deletions(-) delete mode 100644 m/common/ssf/ssh.nix diff --git a/m/common/ssf.nix b/m/common/ssf.nix index 4638c544..60fbb044 100644 --- a/m/common/ssf.nix +++ b/m/common/ssf.nix 
@@ -5,6 +5,5 @@ ./ssf/fs.nix ./ssf/net.nix ./ssf/hosts.nix - ./ssf/ssh.nix ]; } diff --git a/m/common/ssf/ssh.nix b/m/common/ssf/ssh.nix deleted file mode 100644 index 86978f97..00000000 --- a/m/common/ssf/ssh.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - # Connect to intranet git hosts via proxy - programs.ssh.extraConfig = '' - # Connect to BSC machines via hut proxy too - Host amdlogin1.bsc.es armlogin1.bsc.es hualogin1.bsc.es glogin1.bsc.es glogin2.bsc.es fpgalogin1.bsc.es - ProxyCommand nc -X connect -x hut:23080 %h %p - ''; -} -- 2.51.2 From 3ad9452637e5dd8e7652ad8375ccbbaf3701d568 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 11 Jul 2025 10:35:38 +0200 Subject: [PATCH 07/13] Disable root_squash from NFS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Allows root to read files in the NFS export, so we can directly run `nixos-rebuild switch` from /home. Reviewed-by: Aleix Boné --- m/apex/nfs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/m/apex/nfs.nix b/m/apex/nfs.nix index e245549f..84d9555e 100644 --- a/m/apex/nfs.nix +++ b/m/apex/nfs.nix @@ -7,7 +7,7 @@ mountdPort = 4002; statdPort = 4000; exports = '' - /home 10.0.40.0/24(rw,sync,no_subtree_check,root_squash) + /home 10.0.40.0/24(rw,sync,no_subtree_check,no_root_squash) ''; }; networking.firewall = { -- 2.51.2 From e505a952af11b94373a09ddb47ab2af6c5f301d9 Mon Sep 17 00:00:00 2001 
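Review bot: `no_root_squash` on `/home 10.0.40.0/24(rw,...)` gives root on every client in the /24 unrestricted write access to all home directories, including files such as `~/.ssh/authorized_keys`, so a root compromise of any single node in the subnet becomes a compromise of every account on the share. The commit message says the need is for root to read files when running `nixos-rebuild switch` from /home; if only a few hosts do that, exports(5) accepts per-client options on one line and a single-host entry takes precedence over a network entry, e.g. `/home <rebuild-host>(rw,sync,no_subtree_check,no_root_squash) 10.0.40.0/24(rw,sync,no_subtree_check,root_squash)`. If the whole subnet is trusted as one unit, a comment next to the export stating that assumption would keep the trade-off visible in the config rather than only in the commit message.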
From: Rodrigo Arias Mallo Date: Fri, 11 Jul 2025 11:10:07 +0200 Subject: [PATCH 08/13] Make NFS mount async to improve latency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Don't wait to flush writes, as we don't care about consistency on a crash: > This option allows the NFS server to violate the NFS protocol and > reply to requests before any changes made by that request have been > committed to stable storage (e.g. disc drive). > > Using this option usually improves performance, but at the cost that > an unclean server restart (i.e. a crash) can cause data to be lost or > corrupted. Reviewed-by: Aleix Boné --- m/apex/nfs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/m/apex/nfs.nix b/m/apex/nfs.nix index 84d9555e..353a9363 100644 --- a/m/apex/nfs.nix +++ b/m/apex/nfs.nix @@ -7,7 +7,7 @@ mountdPort = 4002; statdPort = 4000; exports = '' - /home 10.0.40.0/24(rw,sync,no_subtree_check,no_root_squash) + /home 10.0.40.0/24(rw,async,no_subtree_check,no_root_squash) ''; }; networking.firewall = { -- 2.51.2 From 3ca55acfdf9aa66d890667192130bc960fc7530e Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 11 Jul 2025 11:33:04 +0200 Subject: [PATCH 09/13] Use IPv4 in blackbox probes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise they simply fail as IPv6 doesn't work. Reviewed-by: Aleix Boné --- m/hut/blackbox.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/m/hut/blackbox.yml b/m/hut/blackbox.yml index 96d72ae5..38d1ac07 100644 --- a/m/hut/blackbox.yml +++ b/m/hut/blackbox.yml @@ -4,6 +4,7 @@ modules: timeout: 5s http: follow_redirects: true + preferred_ip_protocol: "ip4" valid_status_codes: [] # Defaults to 2xx method: GET http_with_proxy: -- 2.51.2 From b7603053fa7cff64ea2a81f5120d57a12c86d4b8 Mon Sep 17 00:00:00 2001 
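Review bot: The justification for `async` (accepting lost or corrupted writes on an unclean server restart in exchange for latency) lives only in the commit message, while the export line in m/apex/nfs.nix carries no hint that the safer default was deliberately weakened. An operator reading the file later may either "fix" it back to `sync` or not realise /home is exposed to this loss, so a Nix comment above `exports = ''` would help, e.g. `# async: the server acknowledges writes before they reach disk; a crash can lose or corrupt data (exports(5)). Chosen for latency.`. The enclosing NFS server attribute set starts outside the hunk.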
From: Rodrigo Arias Mallo Date: Fri, 11 Jul 2025 11:34:08 +0200 Subject: [PATCH 10/13] Remove unused blackbox configuration modules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné --- m/hut/blackbox.yml | 147 --------------------------------------------- 1 file changed, 147 deletions(-) diff --git a/m/hut/blackbox.yml b/m/hut/blackbox.yml index 38d1ac07..a4c12d20 100644 --- a/m/hut/blackbox.yml +++ b/m/hut/blackbox.yml 
@@ -7,155 +7,8 @@ modules: preferred_ip_protocol: "ip4" valid_status_codes: [] # Defaults to 2xx method: GET - http_with_proxy: - prober: http - http: - proxy_url: "http://127.0.0.1:3128" - skip_resolve_phase_with_proxy: true - http_with_proxy_and_headers: - prober: http - http: - proxy_url: "http://127.0.0.1:3128" - proxy_connect_header: - Proxy-Authorization: - - Bearer token - http_post_2xx: - prober: http - timeout: 5s - http: - method: POST - headers: - Content-Type: application/json - body: '{}' - http_post_body_file: - prober: http - timeout: 5s - http: - method: POST - body_file: "/files/body.txt" - http_basic_auth_example: - prober: http - timeout: 5s - http: - method: POST - headers: - Host: "login.example.com" - basic_auth: - username: "username" - password: "mysecret" - http_2xx_oauth_client_credentials: - prober: http - timeout: 5s - http: - valid_http_versions: ["HTTP/1.1", "HTTP/2"] - follow_redirects: true - preferred_ip_protocol: "ip4" - valid_status_codes: - - 200 - - 201 - oauth2: - client_id: "client_id" - client_secret: "client_secret" - token_url: "https://api.example.com/token" - endpoint_params: - grant_type: "client_credentials" - http_custom_ca_example: - prober: http - http: - method: GET - tls_config: - ca_file: "/certs/my_cert.crt" - http_gzip: - prober: http - http: - method: GET - compression: gzip - http_gzip_with_accept_encoding: - prober: http - http: - method: GET - compression: gzip - headers: - Accept-Encoding: gzip - tls_connect: - prober: tcp - timeout: 5s - tcp: - tls: true - tcp_connect_example: - prober: tcp - timeout: 5s - imap_starttls: - prober: tcp - timeout: 5s - tcp: - query_response: - - expect: "OK.*STARTTLS" - - send: ". STARTTLS" - - expect: "OK" - - starttls: true - - send: ". 
capability" - - expect: "CAPABILITY IMAP4rev1" - smtp_starttls: - prober: tcp - timeout: 5s - tcp: - query_response: - - expect: "^220 ([^ ]+) ESMTP (.+)$" - - send: "EHLO prober\r" - - expect: "^250-STARTTLS" - - send: "STARTTLS\r" - - expect: "^220" - - starttls: true - - send: "EHLO prober\r" - - expect: "^250-AUTH" - - send: "QUIT\r" - irc_banner_example: - prober: tcp - timeout: 5s - tcp: - query_response: - - send: "NICK prober" - - send: "USER prober prober prober :prober" - - expect: "PING :([^ ]+)" - send: "PONG ${1}" - - expect: "^:[^ ]+ 001" icmp: prober: icmp timeout: 5s icmp: preferred_ip_protocol: "ip4" - dns_udp_example: - prober: dns - timeout: 5s - dns: - query_name: "www.prometheus.io" - query_type: "A" - valid_rcodes: - - NOERROR - validate_answer_rrs: - fail_if_matches_regexp: - - ".*127.0.0.1" - fail_if_all_match_regexp: - - ".*127.0.0.1" - fail_if_not_matches_regexp: - - "www.prometheus.io.\t300\tIN\tA\t127.0.0.1" - fail_if_none_matches_regexp: - - "127.0.0.1" - validate_authority_rrs: - fail_if_matches_regexp: - - ".*127.0.0.1" - validate_additional_rrs: - fail_if_matches_regexp: - - ".*127.0.0.1" - dns_soa: - prober: dns - dns: - query_name: "prometheus.io" - query_type: "SOA" - dns_tcp_example: - prober: dns - dns: - transport_protocol: "tcp" # defaults to "udp" - preferred_ip_protocol: "ip4" # defaults to "ip6" - query_name: "www.prometheus.io" -- 2.51.2 From e6aef2cbd0b6948ca16b5b5e28b572d8648278b1 Mon Sep 17 00:00:00 2001 
From: Rodrigo Arias Mallo Date: Fri, 11 Jul 2025 12:29:52 +0200 Subject: [PATCH 11/13] Add proxy configuration for internal hosts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Access internal hosts via apex proxy. From the compute nodes we first open an SSH connection to apex, and then tunnel it through the HTTP proxy with netcat. This way we allow reaching internal GitLab repositories without requiring the user to have credentials in the remote host, while we can use multiple remotes to provide redundancy. Reviewed-by: Aleix Boné --- m/apex/configuration.nix | 11 +++++++++++ m/common/ssf.nix | 3 ++- m/common/ssf/ssh.nix | 16 ++++++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 m/common/ssf/ssh.nix diff --git a/m/apex/configuration.nix b/m/apex/configuration.nix index a36a9657..0f59f8fb 100644 --- a/m/apex/configuration.nix +++ b/m/apex/configuration.nix @@ -54,6 +54,17 @@ }; }; + # Use SSH tunnel to reach internal hosts + programs.ssh.extraConfig = '' + Host bscpm04.bsc.es gitlab-internal.bsc.es knights3.bsc.es + ProxyCommand nc -X connect -x localhost:23080 %h %p + Host raccoon + HostName knights3.bsc.es + ProxyCommand nc -X connect -x localhost:23080 %h %p + Host tent + ProxyJump raccoon + ''; + # Use tent for cache nix.settings = { extra-substituters = [ "https://jungle.bsc.es/cache" ]; diff --git a/m/common/ssf.nix b/m/common/ssf.nix index 60fbb044..8e8dc6b4 100644 --- a/m/common/ssf.nix +++ b/m/common/ssf.nix @@ -3,7 +3,8 @@ imports = [ ./xeon.nix ./ssf/fs.nix - ./ssf/net.nix ./ssf/hosts.nix + ./ssf/net.nix + ./ssf/ssh.nix ]; } diff --git a/m/common/ssf/ssh.nix b/m/common/ssf/ssh.nix new file mode 100644 index 00000000..b73abd79 --- /dev/null +++ b/m/common/ssf/ssh.nix 
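Review bot: The comment `# Use SSH tunnel to reach internal hosts` in m/apex/configuration.nix does not match the lines under it: on apex the hosts are reached through an HTTP CONNECT proxy on `localhost:23080` via `nc -X connect`, and the SSH tunnel (`ssh apex '...'`) is only what the other SSF nodes use in m/common/ssf/ssh.nix. Suggest `# Reach internal hosts through the local HTTP CONNECT proxy on port 23080; other SSF nodes tunnel to it over ssh (see m/common/ssf/ssh.nix)`. Nothing in the visible hunks starts a listener on 23080; presumably it belongs to the apex configuration added earlier in the series, but it is worth confirming it binds to loopback only, since this `ProxyCommand` pattern already lets every apex user relay to the internal hosts and a wider bind would extend that to anything that can reach apex.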
@@ -0,0 +1,16 @@ +{ + # Use SSH tunnel to apex to reach internal hosts + programs.ssh.extraConfig = '' + Host tent + ProxyJump raccoon + + # Access raccoon via the HTTP proxy + Host raccoon knights3.bsc.es + HostName knights3.bsc.es + ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p' + + # Make sure we can reach gitlab even if we don't have SSH access to raccoon + Host bscpm04.bsc.es gitlab-internal.bsc.es + ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p' + ''; +} -- 2.51.2 From ce2cda1c41de71f27f6566c049496dfa3f9d4c3f Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 11 Jul 2025 16:12:44 +0200 Subject: [PATCH 12/13] Prevent accidental use of nftables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné --- m/common/base/net.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/m/common/base/net.nix b/m/common/base/net.nix index 9fb15990..3a64c786 100644 --- a/m/common/base/net.nix +++ b/m/common/base/net.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: { networking = { @@ -10,6 +10,9 @@ allowedTCPPorts = [ 22 ]; }; + # Make sure we use iptables + nftables.enable = lib.mkForce false; + hosts = { "84.88.53.236" = [ "apex" "ssfhead.bsc.es" "ssfhead" ]; "84.88.51.152" = [ "raccoon" ]; -- 2.51.2 From 9e83565977bda949c6fcd9445d24a80556be00bf Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 11 Jul 2025 16:13:35 +0200 Subject: [PATCH 13/13] Remove extra flush commands on firewall stop MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit They are not needed as they are already flushed when the firewall starts or stops. Reviewed-by: Aleix Boné --- m/apex/nfs.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/m/apex/nfs.nix b/m/apex/nfs.nix index 353a9363..b1668c15 100644 --- a/m/apex/nfs.nix +++ b/m/apex/nfs.nix 
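Review bot: `ProxyCommand=ssh apex '...'` uses the `keyword=value` form while the neighbouring `ProxyJump raccoon` and the apex-side `ProxyCommand nc ...` in m/apex/configuration.nix use `keyword value`; ssh_config accepts both, but mixing them within one file reads like a typo. Suggest `ProxyCommand ssh apex 'nc -X connect -x localhost:23080 %h %p'` on both lines. A short comment would also help, since the quoting is correct but non-obvious: the `%h`/`%p` tokens are substituted by the local ssh before the command line is handed to apex, e.g. `# %h/%p are expanded locally before the command runs on apex`.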
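Review bot: The comment `# Make sure we use iptables` above `nftables.enable = lib.mkForce false;` in m/common/base/net.nix states the what but not the why, and the why is what protects the next maintainer: the firewall rules in this repository are raw `iptables` invocations in `extraCommands` (the `iptables -A nixos-fw ...` lines in m/apex/nfs.nix and the `extraCommands` block in m/common/ssf/net.nix), which the nftables backend of the NixOS firewall does not apply. Suggest `# Firewall rules use raw iptables in extraCommands; the nftables backend would not apply them, so pin the iptables backend`. The `mkForce` also deserves a word, since it overrides any module that enables nftables rather than erroring on the conflict.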
@@ -28,10 +28,5 @@ iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept ''; - # Flush all rules and chains on stop so it won't break on start - extraStopCommands = '' - iptables -F - iptables -X - ''; }; } -- 2.51.2