You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
|
|
|
{ config, pkgs, ... }:
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
# Sécurité & Acces distant
|
|
|
|
|
|
|
|
|
|
## Augmentation de l'entropie du système par un générateur de nombres aléatoires
|
|
|
|
|
## cat /proc/sys/kernel/random/entropy_avail
|
|
|
|
|
services.haveged = {
|
|
|
|
|
enable = true;
|
|
|
|
|
refill_threshold = 2048;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
## OpenSSH daemon
|
|
|
|
|
services.openssh = {
|
|
|
|
|
enable = true;
|
|
|
|
|
# https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
|
|
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
|
|
|
|
|
|
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
|
|
|
|
|
LogLevel VERBOSE
|
|
|
|
|
|
|
|
|
|
# Use kernel sandbox mechanisms where possible in unprivilegied processes
|
|
|
|
|
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
|
|
|
|
|
UsePrivilegeSeparation sandbox
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# Monitoring
|
|
|
|
|
|
|
|
|
|
## Noeud de supervision munin = pas de stockage des données locales
|
|
|
|
|
|
|
|
|
|
services.munin-node = {
|
|
|
|
|
enable = true;
|
|
|
|
|
};
|
|
|
|
|
}
|
