extraction de services & configuration générique

2016-08-08 23:32:19 +02:00
parent 3c7274848d
commit 453ad77953
6 changed files with 31 additions and 23 deletions
--- a/base/base.nix
+++ b/base/base.nix
@@ -2,8 +2,7 @@

 {
  imports = [
-    ./networking.nix
-    ./services.nix
+    ./network-dns.nix

    # inclusion conditionnelle
    ./activation-manuelle/fail2ban.nix
--- a/base/network-dns.nix
+++ b/base/network-dns.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+
+{
+  # Définition des domaines utilisés lorsque un identifiant non-FQDN est donné (ping, nslookup)
+  networking = {
+    search = [
+      "dubronetwork.fr"
+      "prunetwork.fr"
+      "teleragno.fr"
+      "teleragno.net"
+    ];
+    dnsExtensionMechanism = true;
+  };
+}
--- a/base/networking.nix
+++ b/base/networking.nix
@@ -1,29 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  # Définition des domaines utilisés lorsque un identifiant non-FQDN est donné (ping, nslookup)
-  networking = {
-    search = [
-      "dubronetwork.fr"
-      "prunetwork.fr"
-      "teleragno.fr"
-      "teleragno.net"
-    ];
-    dnsExtensionMechanism = true;
-  };
-
-  # Utilisation d'adresse IPv6 temporaire
-  
-  ## https://blog.linitx.com/control-privacy-addressing-ipv6-linux/
-  ## http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/x1092.html
-
-  boot.kernel.sysctl = {
-    "net.ipv6.conf.all.temp_prefered_lft" = 1800; # 30 min
-    "net.ipv6.conf.all.temp_valid_lft" = 43200; # 12 heures
-    "net.ipv6.conf.all.use_tempaddr" = 2; # activé
-
-    "net.ipv6.conf.default.temp_prefered_lft" = 3600; # 1 heure
-    "net.ipv6.conf.default.temp_valid_lft" = 3600; # 1 heure
-    "net.ipv6.conf.default.use_tempaddr" = 2; # activé
-    };
-}
--- a/base/services.nix
+++ b/base/services.nix
@@ -1,30 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  # Sécurité & Acces distant
-
-  ## Augmentation de l'entropie du système par un générateur de nombres aléatoires
-  ## cat /proc/sys/kernel/random/entropy_avail
-  services.haveged = {
-    enable = true;
-    refill_threshold = 2048;
-  };
-
-  ## OpenSSH daemon
-  services.openssh = {
-    enable = true;
-    # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
-    extraConfig = ''
-      KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
-      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
-
-      # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
-      LogLevel VERBOSE
-
-      # Use kernel sandbox mechanisms where possible in unprivilegied processes
-      # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
-      UsePrivilegeSeparation sandbox
-    '';
-  };
-}