diff --git a/README b/README
new file mode 100644
index 0000000..34ee0a2
--- /dev/null
+++ b/README
@@ -0,0 +1,5 @@
+
+# Lien pour install sur machine distante
+
+* https://nixos.org/wiki/How_to_install_NixOS_from_Linux#Installing_through_a_chroot
+* https://github.com/NixOS/nixpkgs/issues/13305
diff --git a/base/Makefile b/base/Makefile
new file mode 100644
index 0000000..ea084b8
--- /dev/null
+++ b/base/Makefile
@@ -0,0 +1,48 @@
+all: rebuild-switch
+ date
+
+clean:
+ nix-collect-garbage -d --delete-older-than 15d
+
+clean-aggressive:
+ nix-collect-garbage -d --delete-older-than 1d
+
+clean-total:
+ nix-collect-garbage -d
+
+clean-log:
+ journalctl --vacuum-size=1G
+
+full-auto: submodules-update upgrade clean optimise
+
+optimise:
+ nix-store --optimise
+
+push: submodules-push
+ git push --all
+ git push --tags
+
+rebuild-switch:
+ nixos-rebuild switch --fallback --show-trace
+
+store-repair:
+ nix-store --verify --check-contents --repair
+
+submodules-update:
+ #git submodule update --remote
+ git submodule foreach git co master
+ git submodule foreach git ff
+
+submodules-push:
+ git submodule foreach git push --all
+ git submodule foreach git push --tags
+
+submodules-tag:
+ git submodule foreach git tag -f "$$(date +%F)-$$(hostname -s)"
+
+tag: submodules-tag
+ git tag -f "$$(date +%F)-$$(hostname -s)"
+
+upgrade:
+ nixos-rebuild switch --upgrade --fallback --show-trace
+
diff --git a/base/activation-manuelle/auto-upgrade.nix b/base/activation-manuelle/auto-upgrade.nix
new file mode 100644
index 0000000..4c2637a
--- /dev/null
+++ b/base/activation-manuelle/auto-upgrade.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+ cfg = config.r6d.config-generator;
+in {
+ # Automatic update & automatic clean
+
+ system.autoUpgrade.enable = cfg.auto-upgrade;
+ nix.gc.automatic = cfg.auto-upgrade;
+}
diff --git a/base/activation-manuelle/fail2ban.nix b/base/activation-manuelle/fail2ban.nix
new file mode 100644
index 0000000..9f28547
--- /dev/null
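Review bot: `git submodule foreach git co master` and `git submodule foreach git ff` in `submodules-update` depend on the `co` and `ff` aliases that base/gitconfig installs into /etc/gitconfig through environment.nix, so on a machine that has not yet activated this configuration (the bootstrap-from-chroot case the README links to) the target fails with `git: 'co' is not a git command`. Spelling the commands out, `git submodule foreach git checkout master` and `git submodule foreach git pull --ff-only`, removes the hidden dependency on the installed alias file.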
+++ b/base/activation-manuelle/fail2ban.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+ cfg = config.r6d.config-generator;
+in {
+ # Gestion de fail2ban
+
+ services = mkIf cfg.fail2ban {
+ fail2ban = {
+ enable = true;
+ jails = {
+ DEFAULT = ''
+ # "ignoreip" can be an IP address, a CIDR mask or a DNS host
+ ignoreip = 127.0.0.1/8 pedro.dubronetwork.fr cube.dubronetwork.fr voyage.prunetwork.fr xray.prunetwork.fr 192.168.0.0/16 172.16.0.0/16
+
+ # 1 jour
+ # bantime = 86400
+ # 5 jours
+ bantime = 432000
+ maxretry = 3
+
+ #
+ # Destination email address used solely for the interpolations in
+ # jail.{conf,local} configuration files.
+ destemail = admins@dubronetwork.fr
+ '';
+ ssh-route = ''
+ filter = sshd
+ action = route[blocktype=blackhole]
+ maxretry = 3
+ '';
+ };
+ };
+ };
+}
diff --git a/base/activation-manuelle/laptop.nix b/base/activation-manuelle/laptop.nix
new file mode 100644
index 0000000..fdbd5db
--- /dev/null
+++ b/base/activation-manuelle/laptop.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+ cfg = config.r6d.config-generator;
+in {
+ # Gestion spécifique pour PC portable
+ powerManagement.cpuFreqGovernor = mkIf cfg.laptop "powersave";
+}
diff --git a/base/activation-manuelle/locate.nix b/base/activation-manuelle/locate.nix
new file mode 100644
index 0000000..a27e977
--- /dev/null
+++ b/base/activation-manuelle/locate.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+ cfg = config.r6d.config-generator;
+in {
+ imports = [
+ ];
+
+ services.locate = {
+ enable = cfg.locate;
+ interval = "hourly";
+ };
+}
diff --git a/base/activation-manuelle/nix-serve-client.nix b/base/activation-manuelle/nix-serve-client.nix
new file mode 100644
index 0000000..fa83547
--- /dev/null
+++ b/base/activation-manuelle/nix-serve-client.nix
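Review bot: `ignoreip` in the DEFAULT jail lists four DNS names (pedro.dubronetwork.fr, cube.dubronetwork.fr, voyage.prunetwork.fr, xray.prunetwork.fr); fail2ban resolves them when the jail starts, so the exemption follows whatever the resolver answers at that moment, and a stale or wrong record silently widens or drops the allow-list without any log entry. Literal addresses, or at least a comment such as `# names below are resolved once at jail start, not per ban`, would make the intent auditable. The `ssh-route` jail carries no `enabled = true` and no `logpath`/`backend`; unless the NixOS module adds those itself (not visible from this hunk), the jail is either never started or has no log source, which `fail2ban-client status ssh-route` will show after activation. Separately, `172.16.0.0/16` covers only 172.16.x.x — if the whole RFC 1918 block was intended, that is `172.16.0.0/12`.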
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkIf mkMerge;
+ profiles = config.r6d.profiles;
+ cfg = config.r6d.config-generator;
+ computers = config.r6d.computers;
+in {
+ nix = mkIf config.r6d.config-generator.nix-serve-client {
+ # Cache http pour le store
+ requireSignedBinaryCaches = false;
+ binaryCaches = [
+ ("https://cache.nixos.org/")
+ (mkIf (profiles.isDubronetwork && (! computers.isMonstre)) "http://192.168.10.169:5000")
+ (mkIf profiles.isDubronetwork "http://192.168.10.252:5000")
+
+ (mkIf (profiles.isPrunetwork && !profiles.isServer) "http://192.168.1.20:5000")
+ ];
+ extraOptions = ''
+ connect-timeout = 5
+ '';
+ };
+
+ }
diff --git a/base/activation-manuelle/nix-serve-server.nix b/base/activation-manuelle/nix-serve-server.nix
new file mode 100644
index 0000000..86dfea6
--- /dev/null
+++ b/base/activation-manuelle/nix-serve-server.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+ cfg = config.r6d.config-generator;
+in {
+ # Cache http pour le store
+
+ services.nix-serve.enable = cfg.nix-serve-server;
+ networking.firewall.allowedTCPPorts = mkIf cfg.nix-serve-server [ 5000 ];
+}
diff --git a/base/activation-manuelle/print.nix b/base/activation-manuelle/print.nix
new file mode 100644
index 0000000..5c0735b
--- /dev/null
+++ b/base/activation-manuelle/print.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+ cfg = config.r6d.config-generator;
+in {
+ # Enable CUPS to print documents.
+ services.printing = mkIf cfg.print {
+ enable = true;
+ drivers = [
+ pkgs.samsung-unified-linux-driver
+ ];
+ };
+}
diff --git a/base/activation-manuelle/swap.nix b/base/activation-manuelle/swap.nix
new file mode 100644
index 0000000..1318e2d
--- /dev/null
+++ b/base/activation-manuelle/swap.nix
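Review bot: `requireSignedBinaryCaches = false;` together with three plain-`http://` caches means any host able to answer on 192.168.10.169:5000, 192.168.10.252:5000 or 192.168.1.20:5000 — or sitting on the path to them — can hand this client arbitrary store paths that `nixos-rebuild switch` then activates as root, with no integrity check at all; the `cache.nixos.org` entry loses its signature protection in the same stroke. Keep signing required and pin the LAN servers' keys instead: `requireSignedBinaryCaches = true;` plus `binaryCachePublicKeys = [ "<cache-name>:<public-key>" ];` (placeholder values), with each nix-serve instance given a signing key (the nix-serve module's `secretKeyFile` option, where this release provides it). The `cfg` binding and the inherited `mkMerge` are unused in this file and can go.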
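Review bot: `networking.firewall.allowedTCPPorts = mkIf cfg.nix-serve-server [ 5000 ]` opens nix-serve on every interface, and nix-serve performs no authentication, so anyone who can reach the host can enumerate and download the whole store — including the evaluated system configuration with the fail2ban allow-list, authorized keys and anything else copied into /nix/store. The commented-out `nix-serve-server` in config-generator.nix already names this as the reason servers should not enable it. At minimum scope the rule to the LAN (an interface- or source-restricted rule via `networking.firewall.extraCommands`, or nix-serve's `bindAddress` where the module offers it — placeholder interface name), and sign what it serves so clients do not have to disable signature checks.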
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+ cfg = config.r6d.config-generator;
+in {
+ # Gestion du swap
+
+ # https://en.wikipedia.org/wiki/Swappiness
+ boot.kernel.sysctl = mkIf cfg.swap {
+ # le swap est activé (!= 0)
+ # le swap est utilisé lorsque (100 - x) % de la mémoire est déja allouée
+ "vm.swappiness" = 10;
+ };
+}
diff --git a/base/activation-manuelle/users.nix b/base/activation-manuelle/users.nix
new file mode 100644
index 0000000..33a215c
--- /dev/null
+++ b/base/activation-manuelle/users.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+ cfg = config.r6d.config-generator;
+ profiles = config.r6d.profiles;
+in {
+
+ security.sudo.wheelNeedsPassword = !(profiles.isPrunetwork && profiles.isServer);
+
+ users.extraUsers.jpierre03 = mkIf profiles.isPrunetwork
+ { isNormalUser = true;
+ createHome = true;
+ home = "/home/jpierre03";
+ description = "jpierre03";
+ extraGroups = [
+ "docker"
+ "plugdev"
+ "vbox"
+ "wheel"
+ ];
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 jpierre03@radx.prunetwork.fr"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDS9RFWbeHgLIZNBA1gMZygftVElQwyph7t4NiKtoH9Yejj0okoxMfwxveUZMyqRN8bIMm3OTuZ6TXsyGvjcAV1fSaIUEX57/e+QeFRxJ7i08Yv+9rXkS7Xb4bc+gF7ev0/QnhCu/rqqSX2mJWe19IA7anuSfXKvcrDaMd+jYP7w+kdlNQej4TQtiTGV2Dq/exaMGqttCZU4yHoqVB5EHiMGAHN5SS+JgSWHdZctpG7r6ONyhaXeU4HNm1WOKwV2G/lu8N4kNLnLwA74iduqJmEQYySEhG0EmM6MAAsrD1pcvIphTrD2e6BsVTsA3aT7Zu62F7mcJVm7+aVQy0mn589 jpierre03@mbp.home"
+ ];
+ };
+}
diff --git a/base/base.nix b/base/base.nix
new file mode 100644
index 0000000..f0397a7
--- /dev/null
+++ b/base/base.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./environment.nix
+ ./localisation.nix
+ ./monitoring.nix
+ ./networking.nix
+ ./services.nix
+
+ # inclusion conditionnelle
+ ./config-generator.nix
+ ];
+}
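Review bot: `security.sudo.wheelNeedsPassword = !(profiles.isPrunetwork && profiles.isServer);` removes the sudo password for every wheel member exactly on the prunetwork servers — the hosts this commit puts behind fail2ban — so a hijacked session or a forwarded SSH agent for `jpierre03` is root with no further check and no second factor of any kind. If an unattended task needs it, grant that one command with a NOPASSWD line in `security.sudo.extraConfig` and leave `wheelNeedsPassword` at its default; a comment stating which task motivated the exception would help the next reader. Note also that `docker` group membership is already root-equivalent on the host, so `wheel` is not where the real privilege boundary sits for this account.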
diff --git a/base/bash-interactive-init.sh b/base/bash-interactive-init.sh
new file mode 100644
index 0000000..3b9f2e6
--- /dev/null
+++ b/base/bash-interactive-init.sh
@@ -0,0 +1,18 @@
+# don't put duplicate lines in the history. See bash(1) for more options
+# don't overwrite GNU Midnight Commander's setting of `ignorespace'.
+export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoredups
+# ... or force ignoredups and ignorespace
+export HISTCONTROL=ignoreboth
+
+# append to the history file, don't overwrite it
+shopt -s histappend
+
+# check the window size after each command and, if necessary,
+# update the values of LINES and COLUMNS.
+shopt -s checkwinsize
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+ xterm) TERM=xterm-256color;;
+ screen) TERM=screen-256color;;
+esac
diff --git a/base/bash-prompt.sh b/base/bash-prompt.sh
new file mode 100644
index 0000000..90affa8
--- /dev/null
+++ b/base/bash-prompt.sh
@@ -0,0 +1,27 @@
+# Définition des couleurs du prompt
+if [[ $(tput colors) -ge 256 ]] 2>/dev/null; then
+ PS1_USER='\[$(tput setaf 27)\]'
+ PS1_HOST='\[$(tput setaf 37)\]'
+ PS1_ROOT='\[$(tput setaf 160)\]'
+ PS1_PATH='\[$(tput setaf 64)\]'
+ PS1_GIT='\[$(tput setaf 136)\]'
+ PS1_MISC='\[$(tput setaf 230)\]'
+
+else
+ PS1_USER='\[$(tput setaf 4)\]'
+ PS1_HOST='\[$(tput setaf 6)\]'
+ PS1_ROOT='\[$(tput setaf 1)\]'
+ PS1_PATH='\[$(tput setaf 2)\]'
+ PS1_GIT='\[$(tput setaf 3)\]'
+ PS1_MISC='\[$(tput setaf 7)\]'
+fi
+BOLD='\[$(tput bold)\]'
+RESET='\[$(tput sgr0)\]'
+
+# Définition du prompt
+if [ $UID = 0 ]; then
+ PS1_ID=$PS1_ROOT
+else
+ PS1_ID=$PS1_USER'\u'$PS1_MISC@$PS1_HOST
+fi
+PS1=$RESET$BOLD$PS1_ID'\h '$PS1_PATH'\w'$PS1_GIT'$(__git_ps1)'"\n"$PS1_MISC'\$ '$RESET
diff --git a/base/config-generator.nix b/base/config-generator.nix
new file mode 100644
index 0000000..2b18b2f
--- /dev/null
+++ b/base/config-generator.nix
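Review bot: The first `export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoredups` is dead code — the statement two lines below unconditionally sets `HISTCONTROL=ignoreboth` and discards whatever the first one built, so the comment about not overwriting Midnight Commander's `ignorespace` describes behaviour the file does not have. Keep one of the two: if the intent is to respect an inherited value, drop the `ignoreboth` line; otherwise drop the first export together with its two comment lines.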
@@ -0,0 +1,250 @@
+{ config, lib, pkgs, ... }:
+
+# exemple utilisé pour commencer bird.nix
+let
+ inherit (lib) mkEnableOption mkIf mkMerge mkOption singleton types;
+ cfg = config.r6d.config-generator;
+ pfl = config.r6d.profiles;
+ comp = config.r6d.computers;
+ host = config.networking.hostName;
+in
+
+ {
+ imports = [
+ ./activation-manuelle/auto-upgrade.nix
+ ./activation-manuelle/laptop.nix
+ ./activation-manuelle/locate.nix
+ ./activation-manuelle/fail2ban.nix
+ ./activation-manuelle/nix-serve-client.nix
+ ./activation-manuelle/nix-serve-server.nix
+ ./activation-manuelle/print.nix
+ ./activation-manuelle/swap.nix
+ ./activation-manuelle/users.nix
+ ];
+
+ ###### interface
+
+ options = {
+
+ #* Utilisé pour afecter des capacités aux machines
+ r6d.profiles = {
+ # Domaine
+ isDubronetwork = mkEnableOption "Pour distinguer les machines dubronetwork.";
+ isPrunetwork = mkEnableOption "Pour distinguer les machines prunetwork.";
+ # Utilisation machine
+ isDesktop = mkEnableOption "Pour indiquer une machine avec interface graphique.";
+ isHome = mkEnableOption "Pour indiquer que la machine sert à la maison (divertissement & autre).";
+ isServer = mkEnableOption "Pour indiquer qu'il s'agit d'un serveur.";
+ isWorkstation = mkEnableOption "Pour indiquer que la machine sert à travailler.";
+ };
+
+ #* Utilisé dans les fichiers .nix
+ r6d.config-generator = {
+ enable = mkEnableOption "Génération de la configuration d'une machine.";
+ awesome = mkEnableOption "Profil pour activer le gestionnaire de fenêtre awesome.";
+ auto-upgrade = mkEnableOption "Profil pour activer les mises à jour automatiques.";
+ database_postgres=mkEnableOption "Profil pour activer le SGBD PostgreSQL.";
+ docker = mkEnableOption "Profil pour l'utilisation de Docker.";
+ dns_autorite = mkEnableOption "Profil pour servir les fichiers de zone DNS.";
+ dns_resolveur = mkEnableOption "Profil pour activer un résolveur DNS local.";
+ fail2ban = mkEnableOption "Profil pour activer Fail2ban.";
+ jeux = mkEnableOption "Profil pour les jeux vidéos.";
+ laptop = mkEnableOption "Profil pour les outils spécifiques aux ordinateurs portables..";
+ locate = mkEnableOption "Profil pour activer la fonction locate.";
+ murmur = mkEnableOption "Profil pour activer un serveur Mumble (murmur)";
+ nix-serve-client= mkEnableOption "Profil pour que la machine soit un client de cache nix.";
+ nix-serve-server= mkEnableOption "Profil pour que la machine soit un serveur de cache nix.";
+ print = mkEnableOption "Profil pour activer cups & pouvoir imprimer.";
+ rabbitmq = mkEnableOption "Profil pour activer le service de messagerie AMQP.";
+ swap = mkEnableOption "Profil pour que le swap soit activé.";
+ virtualbox = mkEnableOption "Profil pour l'utilisation de VirtualBox.";
+ xmonad = mkEnableOption "Profil pour activer le gestionnaire de fenêtres xmonad.";
+ };
+ #* Utilisé pour avoir des raccourcis de machine
+ r6d.computers = {
+ isLatitude = mkEnableOption "Identification du nom de machine.";
+ isMonstre = mkEnableOption "Identification du nom de machine.";
+ isNeoNomade = mkEnableOption "Identification du nom de machine.";
+ isNomade = mkEnableOption "Identification du nom de machine.";
+ isOcean = mkEnableOption "Identification du nom de machine.";
+ isPhenom = mkEnableOption "Identification du nom de machine.";
+ isRadx = mkEnableOption "Identification du nom de machine.";
+ isRollo = mkEnableOption "Identification du nom de machine.";
+ isXray = mkEnableOption "Identification du nom de machine.";
+ };
+ };
+
+ ###### implementation
+ # https://nixos.org/releases/nixos/14.12-small/nixos-14.12.374.61adf9e/manual/sec-writing-modules.html
+ # https://nixos.org/wiki/NixOS:extend_NixOS
+ config = mkMerge
+ [ # Unconditional stuff.
+ {
+ r6d.config-generator.enable = true;
+ r6d.computers = {
+ isLatitude = host == "latitude.dubronetwork.fr";
+ isMonstre = host == "monstre.dubronetwork.fr";
+ isNeoNomade = host == "neo-nomade.dubronetwork.fr";
+ isNomade = host == "nomade.dubronetwork.fr";
+ isOcean = host == "ocean.prunetwork.fr";
+ isPhenom = host == "phenom.dubronetwork.fr";
+ isRadx = host == "radx.prunetwork.fr";
+ isRollo = host == "rollo.dubronetwork.fr";
+ isXray = host == "xray.prunetwork.fr";
+ };
+ }
+
+ # Conditional stuff
+
+ ## Définition des profils génériques
+ (mkIf pfl.isDesktop {
+ r6d.config-generator = {
+ awesome = true;
+ nix-serve-client = true;
+ };
+ })
+ (mkIf pfl.isHome {
+ r6d.profiles.isDesktop = true;
+ })
+ (mkIf pfl.isServer {
+ r6d.config-generator = {
+ #database_postgres = true;
+ dns_autorite = true;
+ #dns_resolveur = true;
+ # inutile d'exposer la conf complète du serveur par le store tant qu'il n'y a pas de protection complémentaire - utilisation SSH ?
+ #nix-serve-server = true;
+
+ #rabbitmq = true;
+ };
+ })
+ # /!\ PAS un serveur
+ (mkIf (!pfl.isServer) {
+ r6d.config-generator = {
+ dns_resolveur = true;
+ };
+ })
+ (mkIf pfl.isWorkstation {
+ r6d.profiles.isDesktop = true;
+
+ r6d.config-generator = {
+ docker = true;
+ };
+ })
+
+ ## Profils liés à Dubronetwork
+ (mkIf pfl.isDubronetwork {
+ r6d.config-generator = {
+ auto-upgrade = true;
+ print = true;
+ };
+ })
+ (mkIf (pfl.isDubronetwork && pfl.isHome) {
+ r6d.config-generator.jeux = true;
+ })
+ (mkIf (pfl.isDubronetwork && pfl.isServer) {
+ r6d.config-generator.nix-serve-server = true;
+ })
+ (mkIf (pfl.isDubronetwork && pfl.isWorkstation) {
+ r6d.config-generator = {
+ virtualbox = true;
+ xmonad = true;
+ };
+ })
+
+ ## Profils liés à Prunetwork
+ (mkIf pfl.isPrunetwork {
+ r6d.config-generator = {
+ auto-upgrade = true;
+ fail2ban = true;
+ swap = true;
+ };
+ })
+
+
+ ## Affectation des profils aux machines
+ (mkIf comp.isOcean {
+ r6d.profiles = {
+ isPrunetwork = true;
+ isServer = true;
+ };
+ })
+ (mkIf comp.isRadx {
+ r6d.profiles = {
+ isHome = true;
+ isPrunetwork = true;
+ isServer = true;
+ isWorkstation = true;
+ };
+
+ r6d.config-generator = {
+ nix-serve-server = true;
+ virtualbox = true;
+ };
+ })
+ (mkIf comp.isXray {
+ r6d.profiles = {
+ isPrunetwork = true;
+ isServer = true;
+ };
+ })
+
+ (mkIf comp.isLatitude {
+ r6d.profiles = {
+ isDubronetwork = true;
+ isHome = true;
+ isWorkstation = true;
+ };
+
+ r6d.config-generator = {
+ laptop = true;
+ };
+ })
+ (mkIf comp.isMonstre {
+ r6d.profiles = {
+ isDubronetwork = true;
+ isServer = true;
+ };
+
+ r6d.config-generator.fail2ban = true;
+ })
+ (mkIf comp.isNeoNomade{
+ r6d.profiles = {
+ isDubronetwork = true;
+ isHome = true;
+ };
+
+ r6d.config-generator = {
+ laptop = true;
+ };
+ })
+ (mkIf comp.isNomade{
+ r6d.profiles.isDubronetwork = true;
+
+ r6d.config-generator = {
+ laptop = true;
+ };
+ })
+ (mkIf comp.isPhenom {
+ r6d.profiles = {
+ isDubronetwork = true;
+ isHome = true;
+ isWorkstation = true;
+ };
+
+ r6d.config-generator = {
+ nix-serve-server = true;
+ };
+ })
+ (mkIf comp.isRollo {
+ r6d.profiles = {
+ isDubronetwork = true;
+ isServer = true;
+ };
+
+ r6d.config-generator = {
+ fail2ban = true;
+ murmur = true;
+ };
+ })
+ ];
+}
diff --git a/base/environment.nix b/base/environment.nix
new file mode 100644
index 0000000..8bac7f1
--- /dev/null
+++ b/base/environment.nix
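Review bot: The `mkIf pfl.isServer` block leaves `nix-serve-server` commented out with the rationale that exposing the complete server configuration through the store needs extra protection, yet `mkIf (pfl.isDubronetwork && pfl.isServer)` turns it back on for every dubronetwork server and the `comp.isRadx` block enables it on a host that is also `isServer = true`, so the stated policy is not what gets evaluated. Either remove the rationale or make those two later entries honour it. The `comp.isX` shortcuts compare `host` with full names such as `"latitude.dubronetwork.fr"`, so `networking.hostName` must be the FQDN on every machine; a short hostname matches nothing and the host silently receives only the unconditional profile, which a comment on the `host` binding (`# must be the FQDN: the comp.* tests below compare against it verbatim`) would make explicit. `cfg`, `mkOption`, `singleton` and `types` are bound at the top but never used here.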
@@ -0,0 +1,72 @@
+{ config, pkgs, ... }:
+
+{
+ # Nombre de process d'installation en parrallèle effectués par Nix
+ nix.buildCores = 0;
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+ system.stateVersion = "16.03";
+
+ # On autorise les paquets non-libres
+ nixpkgs.config.allowUnfree = true;
+
+ # List packages installed in system profile. To search by name, run:
+ # $ nix-env -qaP | grep wget
+ environment = {
+ systemPackages = with pkgs; [
+ bind # utilisé pour les utilitaires comme dig
+ byobu # permet de se déconnecter d'un terminal sans l'aréter
+ exfat # Pour monter les FAT avec Fuse
+ git gitAndTools.gitSVN gitAndTools.tig gti # outil de gestion de version
+ gnumake # pour décrire les recettes de compilation
+ gnupg # GPG
+ gpm # prise en charge de la souris en console
+ htop # monitoring
+ #libressl # librairie pour faire du TLS et les algorithmes de crypto par OpenBSD
+ ncdu # outil pour voir l'espace utilisé
+ nmap # outil de scan de port réseau
+ mtr # outil de diagnostic réseau
+ par2cmdline # outil de récupération de fichiers corrompus - .par2
+ p7zip # compression de fichier
+ parted # partitionnement de disque
+ pciutils
+ python # python -- python -m SimpleHTTPServer 8000
+ python34Packages.glances # monitoring
+ pwgen # générateur de mot de passe
+ rtorrent # outil de téléchargement de torrent & magnet
+ tmux # nécessaire pour byobu
+ tree # affiche une arborescence de fichiers et dossiers
+ usbutils
+ (import ./vim.nix)
+ wget # client HTTP console
+ which # pour connaitre le chemin d'un exécutable
+ ];
+ shellAliases = {
+ byobu = "byobu-tmux";
+ tree = "tree -C";
+ tree1 = "tree -d -L 1";
+ tree2 = "tree -d -L 2";
+ tree3 = "tree -d -L 3";
+ grep = "grep --color=auto";
+ vi = "vim";
+ };
+ etc.gitconfig.text = builtins.readFile ./gitconfig;
+ };
+ programs.bash = {
+ enableCompletion = true;
+ promptInit = builtins.readFile ./bash-prompt.sh;
+ interactiveShellInit = builtins.readFile ./bash-interactive-init.sh;
+ };
+
+ # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern
+ programs.ssh.extraConfig = ''
+ # Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
+ HashKnownHosts yes
+ # Host keys the client accepts - order here is honored by OpenSSH
+ HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
+
+ KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha256
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ '';
+}
diff --git a/base/gitconfig b/base/gitconfig
new file mode 100644
index 0000000..1a83ecb
--- /dev/null
+++ b/base/gitconfig
@@ -0,0 +1,25 @@
+# http://www.git-attitude.fr/2014/09/15/30-options-git-qui-gagnent-a-etre-connues/
+[color]
+ diff = auto
+ branch = auto
+ interactive = auto
+ pager = true
+ showbranch = auto
+ status = auto
+[alias]
+ a = add -p
+ ci = commit
+ co = checkout
+ ff = pull --ff-only
+ oops = commit --amend --no-edit
+ # Show files ignored by git
+ ignored = ls-files -o -i --exclude-standard
+ ls = ls-files
+ st = status
+ # Logs
+ lol = log --graph --decorate --pretty=oneline --abbrev-commit
+ lola = log --graph --decorate --pretty=oneline --abbrev-commit --all
+[push]
+ default = simple
+[core]
+ editor = /usr/bin/env vim
diff --git a/base/localisation.nix b/base/localisation.nix
new file mode 100644
index 0000000..37bafcf
--- /dev/null
+++ b/base/localisation.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+ # Select internationalisation properties.
+ i18n = {
+ consoleFont = "Lat2-Terminus16";
+ consoleKeyMap = "fr";
+ defaultLocale = "fr_FR.UTF-8";
+ };
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
+}
diff --git a/base/monitoring.nix b/base/monitoring.nix
new file mode 100644
index 0000000..1198826
--- /dev/null
+++ b/base/monitoring.nix
@@ -0,0 +1,27 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ ## Munin server -- generate /var/www/munin
+ services.munin-cron = {
+ enable = true;
+ hosts = ''
+ [${config.networking.hostName}]
+ address localhost
+ '';
+ extraGlobalConfig = ''
+ contact.email.command mail -s "Munin notification for ''${var:host}" hostmaster@prunetwork.fr
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ # TODO configurer les bon ports lors de l'ouverture du service
+ ];
+
+ ## Documentation
+ # * https://nixos.org/wiki/Create_and_debug_nix_packages
+ # * http://chriswarbo.net/essays/nixos/developing_on_nixos.html
+}
diff --git a/base/networking.nix b/base/networking.nix
new file mode 100644
index 0000000..5763240
--- /dev/null
+++ b/base/networking.nix
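Review bot: `contact.email.command mail -s ... hostmaster@prunetwork.fr` in `extraGlobalConfig` depends on a working `mail` binary and a local mail transport, and nothing in this commit configures either, so munin alerts will most likely be dropped silently at the first cron run — a monitoring setup whose notifications fail quietly is worse than none, because it is trusted. Either add the transport in the same change or state in a comment where it is expected to come from. The `''${var:host}` spelling is correct Nix for a literal `${var:host}` inside an indented string; a comment `# ''$ is Nix's escape: munin receives a literal ''${var:host}` would stop the next reader from "fixing" it.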
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+
+{
+ # Définition des domaines utilisés lorsque un identifiant non-FQDN est donné (ping, nslookup)
+ networking = {
+ search = [
+ "dubronetwork.fr"
+ "prunetwork.fr"
+ "teleragno.fr"
+ "teleragno.net"
+ ];
+ dnsExtensionMechanism = true;
+ };
+
+ # Utilisation d'adresse IPv6 temporaire
+
+ ## https://blog.linitx.com/control-privacy-addressing-ipv6-linux/
+ ## http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/x1092.html
+
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.all.temp_prefered_lft" = 1800; # 30 min
+ "net.ipv6.conf.all.temp_valid_lft" = 43200; # 12 heures
+ "net.ipv6.conf.all.use_tempaddr" = 2; # activé
+
+ "net.ipv6.conf.default.temp_prefered_lft" = 3600; # 1 heure
+ "net.ipv6.conf.default.temp_valid_lft" = 3600; # 1 heure
+ "net.ipv6.conf.default.use_tempaddr" = 2; # activé
+ };
+}
diff --git a/base/services.nix b/base/services.nix
new file mode 100644
index 0000000..667c707
--- /dev/null
+++ b/base/services.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, ... }:
+
+{
+ # Sécurité & Acces distant
+
+ ## Augmentation de l'entropie du système par un générateur de nombres aléatoires
+ ## cat /proc/sys/kernel/random/entropy_avail
+ services.haveged = {
+ enable = true;
+ refill_threshold = 2048;
+ };
+
+ ## OpenSSH daemon
+ services.openssh = {
+ enable = true;
+ # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
+ extraConfig = ''
+ KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+ # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+ LogLevel VERBOSE
+
+ # Use kernel sandbox mechanisms where possible in unprivilegied processes
+ # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
+ UsePrivilegeSeparation sandbox
+ '';
+ };
+
+ # Monitoring
+
+ ## Noeud de supervision munin = pas de stockage des données locales
+
+ services.munin-node = {
+ enable = true;
+ };
+}
diff --git a/base/vim.nix b/base/vim.nix
new file mode 100644
index 0000000..d48ae33
--- /dev/null
+++ b/base/vim.nix
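Review bot: The sshd `extraConfig` takes the cipher, KEX and MAC lists from the Mozilla guideline but leaves `services.openssh.passwordAuthentication` and `services.openssh.permitRootLogin` at their defaults, which for the NixOS generation this repository targets (`stateVersion = "16.03"`) still permit password logins and root login as far as I recall; with public keys already deployed by users.nix, `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "no";` close the brute-force path that fail2ban is otherwise left to police, and they belong next to `enable = true` rather than in the free-form block so the module can validate them. The comment above `LogLevel VERBOSE` should read `which key was used to log in`. The `services.openssh` block ends inside the hunk, so this is the whole of the sshd configuration.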
@@ -0,0 +1,19 @@
+with import {};
+
+vim_configurable.customize {
+ # Specifies the vim binary name.
+ # E.g. set this to "my-vim" and you need to type "my-vim" to open this vim
+ # This allows to have multiple vim packages installed (e.g. with a different set of plugins)
+ name = "vim";
+ vimrcConfig.customRC = builtins.readFile ./vimrc;
+ vimrcConfig.vam.knownPlugins = pkgs.vimPlugins;
+ vimrcConfig.vam.pluginDictionaries = [
+ { names = [
+ # Here you can place all your vim plugins
+ # They are installed managed by `vam` (a vim plugin manager)
+ #"vim-addon-nix"
+ "vim-nix"
+ "wombat256-vim"
+ ]; }
+ ];
+}
diff --git a/base/vimrc b/base/vimrc
new file mode 100644
index 0000000..257846c
--- /dev/null
+++ b/base/vimrc
@@ -0,0 +1,34 @@
+" Use Vim settings, rather than Vi settings (much better!).
+" This must be first, because it changes other options as a side effect.
+set nocompatible
+
+" allow backspacing over everything in insert mode
+set backspace=indent,eol,start
+
+if has("vms")
+ set nobackup " do not keep a backup file, use versions instead
+else
+ set backup " keep a backup file
+endif
+set history=50 " keep 50 lines of command line history
+set ruler " show the cursor position all the time
+set showcmd " display incomplete commands
+set incsearch " do incremental searching
+
+" Tab specific option
+set tabstop=4 "A tab is 8 spaces
+set expandtab "Always uses spaces instead of tabs
+set softtabstop=4 "Insert 4 spaces when tab is pressed
+set shiftwidth=4 "An indent is 4 spaces
+set shiftround "Round indent to nearest shiftwidth multiple
+
+"""""" Réglages cosmétiques
+set background=dark
+set number
+highlight ColorColumn ctermbg=8
+"Détection de la profondeur des couleurs (8bits)
+if &t_Co > 8
+ colorscheme wombat256mod
+ let &colorcolumn="80,".join(range(120,999),",")
+ highlight ColorColumn ctermbg=235 guibg=#2c2d27
+endif
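Review bot: `with import {};` on the first line is not valid Nix as printed — the idiom this file clearly intends is `with import <nixpkgs> {};`, and the angle-bracket search path looks to have been lost in rendering rather than in the checked-in file; worth confirming against the repository content, since as shown the expression does not evaluate. Note also that the file then imports its own nixpkgs (via the `NIX_PATH` search path) instead of using the `pkgs` passed to environment.nix, so the vim built here can come from a different nixpkgs revision than the rest of the system; passing `pkgs` in from the caller (`(import ./vim.nix { inherit pkgs; })`) would keep the two in step.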
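Review bot: `set backup` (the non-VMS branch, i.e. every host here) leaves a `file~` copy next to each edited file, and this vimrc is installed system-wide, so when root edits authorized_keys, a private key, or a configuration holding credentials on these servers, a copy stays behind after the edit and survives the original's later removal or permission tightening. Point backups at a private directory with `set backupdir=~/.vim/backup//` (create it mode 0700) or use `set nobackup` in the server profile. Also `set tabstop=4 "A tab is 8 spaces` contradicts itself; the comment should read `"A tab is 4 spaces`.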