author | Guilhem Moulin <guilhem@fripost.org> | 2014-06-25 02:43:06 +0200 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:48 +0200 |
commit | d6b03b72e8081c983822502e436ec548aa36901e (patch) | |
tree | 6548fd4649f32a2ad37346c318c3b32060fae162 | |
parent | 2a2333cdfb016bb884887f46fbcbfdce6e064d74 (diff) |
wibble
-rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 1 | ||||
-rw-r--r-- | roles/common-web/files/etc/nginx/ssl/config | 12 | ||||
-rw-r--r-- | roles/common/tasks/ipsec.yml | 2 | ||||
-rw-r--r-- | roles/common/tasks/samhain.yml | 7 | ||||
-rw-r--r-- | roles/lists/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/webmail/tasks/roundcube.yml | 2 |
6 files changed, 16 insertions, 11 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index b15b907..e234d73 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -55,41 +55,40 @@ local_header_rewrite_clients =
 smtp_destination_recipient_limit = 1000
 # Tolerate occasional high latency
 smtp_data_done_timeout = 1200s
 # Anonymize the (authenticated) sender; pass the mail to the antivirus
 header_checks = pcre:$config_directory/anonymize_sender.pcre
 #content_filter = amavisfeed:unix:public/amavisfeed-antivirus
 # Tunnel everything through IPSec
 smtp_tls_security_level = none
 {% if 'MTA-out' in group_names %}
 smtp_bind_address = 127.0.0.1
 {% else %}
 smtp_bind_address = 172.16.0.1
 {% endif %}
 # TLS
 smtpd_tls_security_level = encrypt
 smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_tls_CApath = /etc/ssl/certs/
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header = yes
 smtpd_tls_ask_ccert = yes
 smtpd_tls_fingerprint_digest = sha1
 smtpd_tls_eecdh_grade = strong
 tls_random_source = dev:/dev/urandom
 # SASL
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_authenticated_header = no
 smtpd_sasl_local_domain =
 smtpd_sasl_exceptions_networks = $mynetworks
 smtpd_sasl_security_options = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 broken_sasl_auth_clients = no
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = unix:private/dovecot-auth
 strict_rfc821_envelopes = yes
diff --git a/roles/common-web/files/etc/nginx/ssl/config b/roles/common-web/files/etc/nginx/ssl/config
index 6f0546b..7deef29 100644
--- a/roles/common-web/files/etc/nginx/ssl/config
+++ b/roles/common-web/files/etc/nginx/ssl/config
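Review bot: Removing `smtpd_tls_CApath = /etc/ssl/certs/` (the only change in this hunk) takes away the trust store smtpd used to verify client certificates while `smtpd_tls_ask_ccert = yes` stays in place, so every presented client certificate is now untrusted; only fingerprint-based matching (`check_ccert_access`, keyed by `smtpd_tls_fingerprint_digest`) can still succeed, and a `permit_tls_clientcerts` in the restriction lists elsewhere in the template, if one is used, would stop granting access without any error. If fingerprint-only client-cert trust is the intent, a comment would stop the next reader from restoring the path by reflex, e.g. `# Client certs are matched by fingerprint only (check_ccert_access); no CA trust store on purpose`. The commit message `wibble` records no rationale, so the template comment is the only place the intent can live. Since the fingerprint is now the sole basis of client-cert trust, the unchanged `smtpd_tls_fingerprint_digest = sha1` is worth a follow-up change to `sha256`, which Postfix accepts for this parameter.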
@@ -1,19 +1,19 @@
 ssl on;
 # See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
-keepalive_timeout 75 75;
-ssl_session_timeout 5m;
-ssl_session_cache shared:SSL:5m;
+keepalive_timeout 75 75;
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:5m;
 # XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
 # attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
 # The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
 # in favor of RC4, but that's not satisfactory either since RC4 has
 # other weaknesses.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
-ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
+ssl_prefer_server_ciphers on;
 # Strict Transport Security header for enhanced security. See
 # http://www.chromium.org/sts.
 add_header Strict-Transport-Security "max-age=15552000";
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 56c8300..7870626 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -38,23 +38,23 @@
 mode=0644
 register: r2
 notify:
 - Restart IPSec
 - name: Start IPSec
 service: name=ipsec state=started
 when: not (r1.changed or r2.changed)
 - name: Auto-create a dedicated interface for IPSec
 copy: src=etc/network/if-up.d/ipsec dest=/etc/network/if-up.d/ipsec owner=root group=root mode=0755
 notify:
 - Reload networking
 - name: Auto-deactivate the dedicated interface for IPSec
 file: src=../if-up.d/ipsec dest=/etc/network/if-down.d/ipsec
-owner=root group=root state=link
+owner=root group=root state=link force=yes
 - meta: flush_handlers
diff --git a/roles/common/tasks/samhain.yml b/roles/common/tasks/samhain.yml
index 0d911a5..10b1f46 100644
--- a/roles/common/tasks/samhain.yml
+++ b/roles/common/tasks/samhain.yml
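Review bot: `force=yes` on the `state=link` task makes the run replace whatever already sits at `/etc/network/if-down.d/ipsec`, a regular file or a locally edited hook included, with nothing more than a `changed` status to show for it; the same addition appears in the `roundcube.yml` hunk of this commit for `/etc/nginx/sites-enabled/roundcube`. That is the right fix if earlier runs left a stale file or link there, but the reason is recorded nowhere (the commit message is `wibble`), so a short comment on each task would help, e.g. `# force=yes: replace a stale file or link left by earlier runs (this path is owned by the role)`. If a local override at that path is ever legitimate, a `stat` check guarding the `file` task would be safer than unconditional replacement. The task list continues outside the hunk on both sides.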
@@ -1,26 +1,29 @@
 - name: Install samhain
 apt: pkg={{ item }}
 with_items:
 - samhain
 - auditd # XXX: Doesn't work out of the box, see #660197.
 # Every once in a while, or after a major upgrade, you may want to
-# update Samhain's database (to avoid being flooded at the next
-# reboot):
+# update Samhain's database:
+#
+# sudo samhain -t update --foreground
+#
+# To update the database without sending mails:
 #
 # sudo samhain -t update --foreground -m none
 - name: Configure samhain
 copy: src=etc/samhain/samhainrc dest=/etc/samhain/samhainrc owner=root group=root mode=0644
 notify:
 - Reload samhain
 - name: Start samhain
 # This task is inconditional because samhain is reloaded not
 # restarted.
 service: name=samhain state=started
 - meta: flush_handlers
diff --git a/roles/lists/handlers/main.yml b/roles/lists/handlers/main.yml
index c27834e..308f708 100644
--- a/roles/lists/handlers/main.yml
+++ b/roles/lists/handlers/main.yml
@@ -1,6 +1,9 @@
 ---
 - name: Restart Postfix
 service: name=postfix state=restarted
 - name: Reload Postfix
 service: name=postfix state=reloaded
+
+- name: Restart Nginx
+service: name=nginx state=restarted
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 8e48208..477943f 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -62,25 +62,25 @@
 with_items:
 - additional_message_headers
 - managesieve
 - password
 - name: Start php5-fpm
 service: name=php5-fpm state=started
 - name: Copy /etc/nginx/sites-available/roundcube
 copy: src=etc/nginx/sites-available/roundcube dest=/etc/nginx/sites-available/roundcube owner=root group=root mode=0644
 notify:
 - Restart Nginx
 - name: Create /etc/nginx/sites-enabled/roundcube
 file: src=../sites-available/roundcube dest=/etc/nginx/sites-enabled/roundcube owner=root group=root
-state=link
+state=link force=yes
 notify:
 - Restart Nginx
 - meta: flush_handlers |
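Review bot: The rewritten comment in the samhain hunk now presents `samhain -t update --foreground` as a routine step but says nothing about when it is safe to run: as I read it, the update rewrites the baseline database from the current filesystem state, so running it after an upgrade or reboot without first reading the pending report would also baseline any change that was never explained. One added comment line before the command would keep that caveat with the instructions, e.g. `# Review the pending report first: update accepts every current change as the new baseline.`. The task list and its surrounding comments continue outside the hunk.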
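Review bot: The new `Restart Nginx` handler in `roles/lists/handlers/main.yml` uses `state=restarted`, while the two Postfix handlers directly above it distinguish a restart from a reload; the `roundcube.yml` hunk in this commit notifies it for a site-config copy and a `sites-enabled` link, which nginx can pick up with a reload, so a sibling `Reload Nginx` handler with `service: name=nginx state=reloaded` would avoid dropping in-flight connections on every config touch. The handler is also defined under `roles/lists` whereas the notifying tasks live under `roles/webmail`; it will only be found if the `lists` role is part of the same play or `webmail` carries its own copy, neither of which is visible here, so that is worth confirming before relying on it.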