{ config, pkgs, ... }:

{
  # Sécurité & Acces distant

  ## Augmentation de l'entropie du système par un générateur de nombres aléatoires
  ## cat /proc/sys/kernel/random/entropy_avail
  services.haveged = {
    enable = true;
    refill_threshold = 2048;
  };

  ## OpenSSH daemon
  services.openssh = {
    enable = true;
    # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
    extraConfig = ''
      KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

      # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
      LogLevel VERBOSE

      # Use kernel sandbox mechanisms where possible in unprivilegied processes
      # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
      UsePrivilegeSeparation sandbox
    '';
  };

  # Monitoring

  ## Noeud de supervision munin = pas de stockage des données locales

  services.munin-node = {
    enable = true;
  };
}