déplacement de nix-serve et fail2ban dans private

base/activation-manuelle/nix-serve-client.nix

@@ -1,30 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  inherit (lib) mkIf mkMerge mkThenElse;
-  cfg = config.r6d.config-generator;
-  computers = config.r6d.computers;
-  profiles = config.r6d.profiles;
-in
-
-mkIf cfg.nix-serve-client {
-
-  nix = {
-    # Cache http pour le store
-    requireSignedBinaryCaches = false;
-    binaryCaches =  [
-      (mkIf (profiles.isDubronetwork && (! computers.isPedro) && (! computers.isRollo)) "http://nix-cache.dubronetwork.fr:5001")
-      #(mkIf (profiles.isDubronetwork && computers.isPhenom) "http://latitude.grudu.net:5000")
-      (mkIf (profiles.isDubronetwork && computers.isPhenom) "http://monstre.grudu.net:5000")
-      (mkIf (profiles.isDubronetwork && computers.isPhenom) "http://radx.grudu.net:5000")
-
-      (mkIf profiles.isPrunetwork "https://cache.nixos.org/")
-      (mkIf (profiles.isPrunetwork && !profiles.isServer)   "http://nix-cache.dubronetwork.fr:5001")
-      (mkIf (profiles.isPrunetwork && computers.isRadx)     "http://monstre.grudu.net:5000")
-      (mkIf (profiles.isPrunetwork && computers.isRadx)     "http://phenom.grudu.net:5000")
-    ];
-    extraOptions = ''
-    connect-timeout = 5
-    '';
-  };
-}

base/activation-manuelle/nix-serve-server.nix

@@ -1,31 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  inherit (lib) mkIf mkMerge mkThenElse;
-  cfg = config.r6d.config-generator;
-  computers = config.r6d.computers;
-  profiles = config.r6d.profiles;
-in
-
-mkIf cfg.nix-serve-server {
-
-  # Cache http pour le store
-
-  # Services
-  services.nix-serve = {
-    enable = true;
-  };
-
-  # Réseau
-  networking.firewall = {
-    allowedTCPPorts = [
-      #5000 # ouvert sur tinc
-    ];
-    allowedUDPPorts = [
-    ];
-    extraCommands = ''
-      iptables  -A INPUT -i tinc.grudunet -p tcp --dport 5000 -j ACCEPT
-      ip6tables -A INPUT -i tinc.grudunet -p tcp --dport 5000 -j ACCEPT
-    '';
-  };
-}

base/activation-manuelle/service-fail2ban.nix

@@ -1,64 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  inherit (lib) mkIf mkMerge mkThenElse;
-  cfg = config.r6d.config-generator;
-  computers = config.r6d.computers;
-  profiles = config.r6d.profiles;
-
-  ignoreip = "pedro.dubronetwork.fr cube.dubronetwork.fr voyage.prunetwork.fr xray.prunetwork.fr 192.168.0.0/16 172.16.0.0/16";
-  destemail = "admins@dubronetwork.fr";
-in
-
-mkIf cfg.fail2ban {
-
-  # Gestion de fail2ban
-
-  # Paquets
-  environment.systemPackages = with pkgs; [
-    mailutils
-    whois
-  ];
-
-
-  # Services
-  services = {
-    fail2ban = {
-      enable = true;
-      jails = {
-        DEFAULT = ''
-          # "ignoreip" can be an IP address, a CIDR mask or a DNS host
-          ignoreip = 127.0.0.1/8 ${ignoreip}
-
-          # 1 jour
-          # bantime  = 86400
-          # 5 jours 
-          bantime  = 432000
-
-          maxretry = 3
-
-          destemail = ${destemail}
-
-          # https://github.com/Baughn/nixpkgs/blob/master/nixos/modules/services/security/fail2ban.nix
-          findtime = 600
-          maxretry = 3
-          backend  = systemd
-          enabled  = true
-        '';
-        ssh-route = ''
-          filter   = sshd
-          action   = route[blocktype=blackhole]
-        '';
-        # désactivation car souci de PATH avec les commandes mail ou sendmail. Nécessite un path motifiable
-        # ticket à ouvrir
-        #ssh-mail = ''
-        #  filter   = sshd
-        #  action   = sendmail[sendername=Fail2ban @${config.networking.hostName}]
-        #'';
-      };
-    };
-  };
-
-  # https://github.com/NixOS/nixpkgs/issues/8437
-  services.fail2ban.jails.ssh-iptables = "enabled = true";
-}

base/base.nix

@@ -10,10 +10,5 @@ in
 {
   imports = [
     ./network-dns.nix
-
-    # inclusion conditionnelle
-    ./activation-manuelle/service-fail2ban.nix
-    ./activation-manuelle/nix-serve-client.nix
-    ./activation-manuelle/nix-serve-server.nix
   ];
 }