From 71ae7fb585660cd1a096abc4f7307227627fe428 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Fri, 11 Apr 2025 12:15:33 +0200
Subject: [PATCH 1/3] Add bscpm04.bsc.es SSH host and public key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Allows fetching repositories from hut and other machines in jungle without the need to do any extra configuration.

Reviewed-by: Aleix Boné
---
 m/common/base/ssh.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/m/common/base/ssh.nix b/m/common/base/ssh.nix
index 7d7b939d..b5310762 100644
--- a/m/common/base/ssh.nix
+++ b/m/common/base/ssh.nix
@@ -10,7 +10,7 @@ in
 # Connect to intranet git hosts via proxy
 programs.ssh.extraConfig = ''
- Host bscpm02.bsc.es bscpm03.bsc.es gitlab-internal.bsc.es alya.gitlab.bsc.es
+ Host bscpm02.bsc.es bscpm03.bsc.es bscpm04.bsc.es gitlab-internal.bsc.es alya.gitlab.bsc.es
 User git
 ProxyCommand nc -X connect -x hut:23080 %h %p
@@ -22,6 +22,7 @@ in
 programs.ssh.knownHosts = hostsKeys // {
 "gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3";
 "bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS";
+ "bscpm04.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT";
 "glogin1.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsHsZGCrzpd4QDVn5xoDOtrNBkb0ylxKGlyBt6l9qCz";
 "glogin2.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsHsZGCrzpd4QDVn5xoDOtrNBkb0ylxKGlyBt6l9qCz";
 };
-- 
2.51.2

From e8c309f5845aabe0b67440c15a1e60ef7d7880c3 Mon Sep 17 00:00:00 2001
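Review bot: The pinned `"bscpm04.bsc.es".publicKey` entry in the knownHosts hunk records no trace of how that key was verified, so a later maintainer cannot tell a correctly pinned key from one copied off the wire on first contact. A one-line comment beside the entry would fix that, e.g. `# bscpm04.bsc.es key verified via <out-of-band channel> on <date>` (placeholder, fill in from the actual verification). The Host line in the first hunk routes bscpm04 through the same `hut:23080` CONNECT proxy as the other intranet git hosts, so this pinned key is what authenticates that proxied hop; the `programs.ssh.extraConfig` string in that hunk is cut off before its closing quotes.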
From: Rodrigo Arias Mallo
Date: Tue, 15 Apr 2025 12:17:00 +0200
Subject: [PATCH 2/3] Allow traffic from docker to enter port 23080
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Before:

hut% sudo docker run -it --rm alpine /bin/ash -xc 'true | nc -w 3 -v 10.0.40.7 23080'
+ true
+ nc -w 3 -v 10.0.40.7 23080
nc: 10.0.40.7 (10.0.40.7:23080): Operation timed out

After:

hut% sudo docker run -it --rm alpine /bin/ash -xc 'true | nc -w 3 -v 10.0.40.7 23080'
+ true
+ nc -w 3 -v 10.0.40.7 23080
10.0.40.7 (10.0.40.7:23080) open

Fixes: https://jungle.bsc.es/git/rarias/jungle/issues/94
Reviewed-by: Aleix Boné
---
 m/hut/gitlab-runner.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/m/hut/gitlab-runner.nix b/m/hut/gitlab-runner.nix
index 9241e5de..a68d8d17 100644
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -97,12 +97,14 @@
 };
 };
- # DOCKER* chains are useless, override at FORWARD
+ # DOCKER* chains are useless, override at FORWARD and nixos-fw
 networking.firewall.extraCommands = ''
 # Allow docker to use our proxy
 iptables -I FORWARD 1 -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept
 # Block anything else coming from docker
 iptables -I FORWARD 2 -p all -i docker0 -j nixos-fw-log-refuse
+ # Allow incoming traffic from docker to 23080
+ iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j ACCEPT
 '';
 #systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash";
-- 
2.51.2

From 44bd061823860d79eb9e194199b45f1e197f3772 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Tue, 15 Apr 2025 12:46:08 +0200
Subject: [PATCH 3/3] Don't forward any docker traffic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Access to the 23080 local port will be done by applying the INPUT rules, which pass through nixos-fw.

Reviewed-by: Aleix Boné
---
 m/hut/gitlab-runner.nix | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

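Review bot: The added `iptables -A nixos-fw ... --dport 23080 -j ACCEPT` opens the CONNECT proxy on hut:23080 (the one `m/common/base/ssh.nix` uses as ProxyCommand) to every container on docker0, so what a CI job can reach through it is bounded only by the proxy's own destination policy, and the comment should say so, e.g. `# Allow incoming traffic from docker to 23080 (CONNECT proxy; which destinations a container may reach is enforced by the proxy, not here)`. Using `-A` is correct only because `networking.firewall.extraCommands` runs before the chain's trailing refuse rule; a few words on that ordering in the same comment spare the next reader a trip to the NixOS firewall module. `-d hut` is resolved by name when the rules are loaded, as the existing FORWARD rule already does, so a resolver change silently changes what the rule matches — worth a note if hut is not guaranteed to resolve to a single fixed address.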
diff --git a/m/hut/gitlab-runner.nix b/m/hut/gitlab-runner.nix
index a68d8d17..2fe7c1cb 100644
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -99,10 +99,9 @@
 # DOCKER* chains are useless, override at FORWARD and nixos-fw
 networking.firewall.extraCommands = ''
- # Allow docker to use our proxy
- iptables -I FORWARD 1 -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept
- # Block anything else coming from docker
- iptables -I FORWARD 2 -p all -i docker0 -j nixos-fw-log-refuse
+ # Don't forward any traffic from docker
+ iptables -I FORWARD 1 -p all -i docker0 -j nixos-fw-log-refuse
+
 # Allow incoming traffic from docker to 23080
 iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j ACCEPT
 '';
-- 
2.51.2
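Review bot: The new `iptables -I FORWARD 1 -p all -i docker0 -j nixos-fw-log-refuse` is inserted unconditionally every time the firewall starts, and as far as the NixOS iptables firewall script goes FORWARD is not among the chains it flushes, so repeated reloads are likely to stack duplicate copies of the rule; a guard such as `iptables -C FORWARD -p all -i docker0 -j nixos-fw-log-refuse 2>/dev/null || iptables -I FORWARD 1 -p all -i docker0 -j nixos-fw-log-refuse`, or a matching `iptables -D` in `networking.firewall.extraStopCommands`, avoids that (inferred from the module's documented behaviour, please confirm on hut). The refuse rule matches only `-i docker0`, so containers attached to a user-defined docker network, which gets its own `br-*` bridge, would not be covered; if the runner ever uses per-job networks the interface match needs widening. The hunk text is collapsed on this page; with a 3-insertion/4-deletion diffstat and the `# Allow incoming traffic from docker to 23080` line already present after patch 2, that line reads as unchanged context preceded by an added blank line.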