{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mkMerge mkThenElse;
  annuaire = config.r6d.machines;
  currentMachine = annuaire."${config.networking.fqdn}";
  flags = currentMachine.configurationFlags;
in

mkIf true {

  # Services
  ## OpenSSH daemon
  services.openssh = {
    enable = true;
    # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
    # http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
    extraConfig = ''
      KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

      # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
      LogLevel VERBOSE

      # Use kernel sandbox mechanisms where possible in unprivilegied processes
      # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
      UsePrivilegeSeparation sandbox

      # Permet de gérer le nombre de connexions multiplexées en simultané
      MaxSessions 200
    '';
  };
}