authorGuilhem Moulin <guilhem@fripost.org>2014-06-25 02:43:06 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:48 +0200
commitd6b03b72e8081c983822502e436ec548aa36901e (patch)
tree6548fd4649f32a2ad37346c318c3b32060fae162 /roles
parent2a2333cdfb016bb884887f46fbcbfdce6e064d74 (diff)
wibble
Diffstat (limited to 'roles')
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j21
-rw-r--r--roles/common-web/files/etc/nginx/ssl/config12
-rw-r--r--roles/common/tasks/ipsec.yml2
-rw-r--r--roles/common/tasks/samhain.yml7
-rw-r--r--roles/lists/handlers/main.yml3
-rw-r--r--roles/webmail/tasks/roundcube.yml2
6 files changed, 16 insertions, 11 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index b15b907..e234d73 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -72,7 +72,6 @@ smtp_bind_address = 172.16.0.1
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
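Review bot: Removing `smtpd_tls_CApath` while `smtpd_tls_ask_ccert = yes` stays leaves Postfix with no trust anchors for the client certificates it keeps requesting, so every presented cert is treated as untrusted; as I read the Postfix docs, restrictions that require a verified client cert (e.g. `permit_tls_all_clientcerts`) then stop matching, while fingerprint-based `check_ccert_access` / `relay_clientcerts` lookups still work. If matching by fingerprint only is the intent, a template comment would save the next reader the investigation: `# No CApath on purpose: client certs are matched by fingerprint, never chain-verified`. The same template also still serves the `ssl-cert-snakeoil` pair under `security_level = encrypt`, which submitting clients cannot verify — presumably a placeholder, but worth confirming. The `smtpd_tls_*` stanza continues outside the hunk.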
diff --git a/roles/common-web/files/etc/nginx/ssl/config b/roles/common-web/files/etc/nginx/ssl/config
index 6f0546b..7deef29 100644
--- a/roles/common-web/files/etc/nginx/ssl/config
+++ b/roles/common-web/files/etc/nginx/ssl/config
@@ -1,18 +1,18 @@
ssl on;
# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
-keepalive_timeout 75 75;
-ssl_session_timeout 5m;
-ssl_session_cache shared:SSL:5m;
+keepalive_timeout 75 75;
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:5m;
# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
# in favor of RC4, but that's not satisfactory either since RC4 has
# other weaknesses.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
-ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
+ssl_prefer_server_ciphers on;
# Strict Transport Security header for enhanced security. See
# http://www.chromium.org/sts.
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 56c8300..7870626 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -55,6 +55,6 @@
- name: Auto-deactivate the dedicated interface for IPSec
file: src=../if-up.d/ipsec
dest=/etc/network/if-down.d/ipsec
- owner=root group=root state=link
+ owner=root group=root state=link force=yes
- meta: flush_handlers
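Review bot: `force=yes` on a `state=link` task also disables Ansible's check that `src` exists, so the relative target `../if-up.d/ipsec` (resolved against `/etc/network/if-down.d/`) is no longer sanity-checked and a typo would silently leave a dangling link that `ifdown` never runs. If the flag is only there to replace a pre-existing regular file or stale link at `dest`, say so in a comment above the task, e.g. `# force: replace whatever already sits at dest; note this also skips the src-exists check`. Stylistically, block-style module arguments with `force: true` would also avoid the `yes`-as-boolean ambiguity that generic YAML tooling trips on.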
diff --git a/roles/common/tasks/samhain.yml b/roles/common/tasks/samhain.yml
index 0d911a5..10b1f46 100644
--- a/roles/common/tasks/samhain.yml
+++ b/roles/common/tasks/samhain.yml
@@ -5,8 +5,11 @@
- auditd
# XXX: Doesn't work out of the box, see #660197.
# Every once in a while, or after a major upgrade, you may want to
- # update Samhain's database (to avoid being flooded at the next
- # reboot):
+ # update Samhain's database:
+ #
+ # sudo samhain -t update --foreground
+ #
+ # To update the database without sending mails:
#
# sudo samhain -t update --foreground -m none
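Review bot: The rewritten comment tells the operator to re-baseline Samhain after an upgrade but never to inspect the reported changes first; `samhain -t update` accepts the current file state as the new baseline, so running it blindly also whitelists any modification an intruder made before the upgrade, which defeats the integrity checker. I would add one line ahead of the first command: `# Run 'samhain -t check --foreground' first and review every reported change; 'update' accepts the current state as the new baseline, unexpected modifications included.` The hunk also drops the old "(to avoid being flooded at the next reboot)" rationale, which was the only hint of why the database drifts; consider keeping it.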
diff --git a/roles/lists/handlers/main.yml b/roles/lists/handlers/main.yml
index c27834e..308f708 100644
--- a/roles/lists/handlers/main.yml
+++ b/roles/lists/handlers/main.yml
@@ -4,3 +4,6 @@
- name: Reload Postfix
service: name=postfix state=reloaded
+
+- name: Restart Nginx
+ service: name=nginx state=restarted
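Review bot: The new handler restarts nginx rather than reloading it, so every vhost change that notifies it drops all in-flight HTTPS connections on the host, whereas a reload picks up a changed `sites-enabled` symlink without interruption and mirrors the `Reload Postfix` handler just above. Unless a restart is required for something a reload cannot apply (a changed listen socket, for instance), `service: name=nginx state=reloaded` is the safer default. Given the `common-web` role also ships the TLS config, it may be worth a one-line comment stating which changes genuinely need a restart.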
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 8e48208..477943f 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -79,7 +79,7 @@
file: src=../sites-available/roundcube
dest=/etc/nginx/sites-enabled/roundcube
owner=root group=root
- state=link
+ state=link force=yes
notify:
- Restart Nginx
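Review bot: With `force=yes` the `file` module no longer verifies that `../sites-available/roundcube` exists before creating the link, so this task must run after the one that installs the vhost file or it will quietly enable a dangling symlink that nginx then fails on at the next restart; the ordering cannot be confirmed from this hunk. A short comment on the task would make the dependency explicit, e.g. `# force: overwrite any stale entry in sites-enabled; relies on sites-available/roundcube being installed above`. The enclosing task starts outside the hunk.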