feat: enable slurm jwt and remove slocket proxy

2025-09-25 12:15:24 +02:00
parent d2e27a7e87
commit 9b798444d1
2 changed files with 35 additions and 28 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 *.pem
 *.csr
+*.key
 result
 result-*
 gcroots/
--- a/modules/hpc/slurm.nix
+++ b/modules/hpc/slurm.nix
@@ -11,6 +11,12 @@ let
        uid = cfg.mungeUid;
        gid = 0;
    };
+    environment.etc."slurmctld/jwt_hs256.key" = {
+        source = cfg.jwtKey;
+        mode = "0400";
+        uid = cfg.slurmUid;
+        gid = 0;
+    };

    services.slurm = {
      controlMachine = cfg.controlMachine;
@@ -24,8 +30,8 @@ let
        MailProg=/run/wrappers/bin/sendmail
        SelectType=select/cons_tres
        SelectTypeParameters=CR_Core
-        # AuthAltTypes=auth/jwt
-        # AuthAltParameters=jwt_key=/var/spool/slurm/statesave/jwt_hs256.key
+        AuthAltTypes=auth/jwt
+        AuthAltParameters=jwt_key=/etc/slurmctld/jwt_hs256.key
      '';
    };

@@ -34,7 +40,6 @@ let
    nixpkgs.overlays = [ slurm-ucx ];
  };

-
  slurmServer = {
    services.mysql = {
      enable = true;
@@ -60,7 +65,7 @@ let
      # '';
      dbdserver = {
        enable = true;
-        # dbdHost = cfg.controlMachine;
+        dbdHost = cfg.dbdHost;
        # storagePass  = cfg.storagePass;
      };
    };
@@ -113,8 +118,14 @@ let
    };
  };

+
  slurmrestd = {
-    systemd.tmpfiles.rules = [ "d /run/slurmrestd 0750 hipster hipster -" ];
+    services.dnsmasq.enable = true;
+    services.dnsmasq.settings = {
+      domain = [ "cluster.local"  ];
+      address = [ "/slurmctld.cluster.local/127.0.0.1" ];
+      srv-host= "_slurmctld._tcp.cluster.local,slurmctld.cluster.local,6817,0,5";
+    };

    systemd.services.slurmrestd = {
        description = "Slurm REST API service";
@@ -126,42 +137,26 @@ let
            Group = "hipster";
        };
        environment = {
-            # SLURM_JWT = "daemon";
+            SLURM_JWT = "daemon";
        };
        script = ''
-            rm -f /run/slurmrestd/hipster.socket
-            /run/current-system/sw/bin/slurmrestd -v -a rest_auth/local unix:/run/slurmrestd/hipster.socket
+             /run/current-system/sw/bin/slurmrestd -v -a rest_auth/jwt :6822
        '';
        serviceConfig = {
          RuntimeDirectory = "slurmrestd";
        };
    };
-
-    systemd.sockets.slurm-http-proxy  = {
-        enable = true;
-        description = "Proxy slurmrestd unix socket to port 6822";
-        listenStreams = [ "0.0.0.0:6822" ];
-        wantedBy = [ "sockets.target" ];
-        # If 'true', allow multiple instances of corresponding service (fails)
-        socketConfig.Accept = false;
-    };
-
-    systemd.services."slurm-http-proxy@"  = {
-        enable = true;
-        description = "Proxy slurmrestd unix socket to port 6822";
-        serviceConfig = {
-            ExecStart = "-${pkgs.socat}/bin/socat STDIO UNIX-CONNECT:/run/slurmrestd/hipster.socket";
-            StandardInput="socket";
-            User = "hipster";
-            Group = "hipster";
-        };
-    };
  };
 in
 {
  options.features.hpc.slurm = {
    enable = mkEnableOption "Enable SLURM batch system";

+    jwtKey = mkOption {
+      type = types.path;
+      default = null;
+    };
+
    mungeKey = mkOption {
      type = types.path;
      default = null;
@@ -172,6 +167,11 @@ in
      default = 997;
    };

+    slurmUid = mkOption {
+      type = types.int;
+      default = 307;
+    };
+
    pkey = mkOption {
      type = types.str;
      default = "0x7fff";
@@ -181,6 +181,12 @@ in
      type = types.str;
      default = null;
    };
+
+    dbdHost = mkOption {
+      type = types.str;
+      default = null;
+    };
+
    server = mkOption {
      type = types.bool;
      default = false;