Access internal hosts via apex proxy. From the compute nodes we first open an SSH connection to apex, and then tunnel it through the HTTP proxy with netcat. This way we allow reaching internal GitLab repositories without requiring the user to have credentials in the remote host, while we can use multiple remotes to provide redundancy. Reviewed-by: Aleix Boné <abonerib@bsc.es>
		
			
				
	
	
		
			74 lines
		
	
	
		
			1.6 KiB
		
	
	
	
		
			Nix
		
	
	
	
	
	
			
		
		
	
	
			74 lines
		
	
	
		
			1.6 KiB
		
	
	
	
		
			Nix
		
	
	
	
	
	
| { lib, config, pkgs, ... }:
 | |
| 
 | |
| {
 | |
|   imports = [
 | |
|     ../common/xeon.nix
 | |
|     ../common/ssf/hosts.nix
 | |
|     ../module/ceph.nix
 | |
|     ./nfs.nix
 | |
|   ];
 | |
| 
 | |
|   # Don't install grub MBR for now
 | |
|   boot.loader.grub.device = "nodev";
 | |
| 
 | |
|   boot.initrd.kernelModules = [
 | |
|     "megaraid_sas" # For HW RAID
 | |
|   ];
 | |
| 
 | |
|   environment.systemPackages = with pkgs; [
 | |
|     storcli # To manage HW RAID
 | |
|   ];
 | |
| 
 | |
|   fileSystems."/home" = {
 | |
|     device = "/dev/disk/by-label/home";
 | |
|     fsType = "ext4";
 | |
|   };
 | |
| 
 | |
|   # No swap, there is plenty of RAM
 | |
|   swapDevices = lib.mkForce [];
 | |
| 
 | |
|   networking = {
 | |
|     hostName = "apex";
 | |
|     defaultGateway = "84.88.53.233";
 | |
|     nameservers = [ "8.8.8.8" ];
 | |
| 
 | |
|     # Public facing interface
 | |
|     interfaces.eno1.ipv4.addresses = [ {
 | |
|       address = "84.88.53.236";
 | |
|       prefixLength = 29;
 | |
|     } ];
 | |
| 
 | |
|     # Internal LAN to our Ethernet switch
 | |
|     interfaces.eno2.ipv4.addresses = [ {
 | |
|       address = "10.0.40.30";
 | |
|       prefixLength = 24;
 | |
|     } ];
 | |
| 
 | |
|     # Infiniband over Omnipath switch (disconnected for now)
 | |
|     # interfaces.ibp5s0 = {};
 | |
| 
 | |
|     nat = {
 | |
|       enable = true;
 | |
|       internalInterfaces = [ "eno2" ];
 | |
|       externalInterface = "eno1";
 | |
|     };
 | |
|   };
 | |
| 
 | |
|   # Use SSH tunnel to reach internal hosts
 | |
|   programs.ssh.extraConfig = ''
 | |
|     Host bscpm04.bsc.es gitlab-internal.bsc.es knights3.bsc.es
 | |
|       ProxyCommand nc -X connect -x localhost:23080 %h %p
 | |
|     Host raccoon
 | |
|       HostName knights3.bsc.es
 | |
|       ProxyCommand nc -X connect -x localhost:23080 %h %p
 | |
|     Host tent
 | |
|       ProxyJump raccoon
 | |
|   '';
 | |
| 
 | |
|   # Use tent for cache
 | |
|   nix.settings = {
 | |
|     extra-substituters = [ "https://jungle.bsc.es/cache" ];
 | |
|     extra-trusted-public-keys = [ "jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" ];
 | |
|   };
 | |
| }
 |