diff options
Diffstat (limited to 'roles/common/templates/etc')
13 files changed, 171 insertions, 119 deletions
diff --git a/roles/common/templates/etc/apt/sources.list.j2 b/roles/common/templates/etc/apt/sources.list.j2 index 4ae1cb5..c8f5dfc 100644 --- a/roles/common/templates/etc/apt/sources.list.j2 +++ b/roles/common/templates/etc/apt/sources.list.j2 @@ -2,12 +2,12 @@ # Do NOT edit this file directly! # vim: set filetype=debsources : -deb http://deb.debian.org/debian {{ ansible_lsb.codename }} main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %} +deb https://deb.debian.org/debian {{ ansible_lsb.codename }} main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %} -deb http://deb.debian.org/debian-security {{ ansible_lsb.codename }}/updates main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %} +deb https://deb.debian.org/debian-security {{ ansible_lsb.codename }}{% if ansible_lsb.major_release | int < 11 %}/updates{% else %}-security{% endif %} main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %} -deb http://deb.debian.org/debian {{ ansible_lsb.codename }}-updates main +deb https://deb.debian.org/debian {{ ansible_lsb.codename }}-updates main {% if 'backports' in group_names -%} -deb http://deb.debian.org/debian {{ ansible_lsb.codename }}-backports main +deb https://deb.debian.org/debian {{ ansible_lsb.codename }}-backports main {% endif %} diff --git a/roles/common/templates/etc/bacula/bacula-fd.conf.j2 b/roles/common/templates/etc/bacula/bacula-fd.conf.j2 index e06911f..d0af395 100644 --- a/roles/common/templates/etc/bacula/bacula-fd.conf.j2 +++ b/roles/common/templates/etc/bacula/bacula-fd.conf.j2 @@ -1,7 +1,15 @@ # # Default Bacula File Daemon Configuration file # -# For Bacula release 5.2.6 (21 February 2012) -- debian jessie/sid +# For Bacula release 9.6.7 (10 December 2020) -- debian bullseye/sid +# +# There is not much to change here except perhaps the +# File daemon Name to +# +# +# Copyright (C) 2000-2020 Kern Sibbald +# License: BSD 2-Clause; see file LICENSE-FOSS +# # # List Directors who are permitted to contact this File daemon @@ -25,7 +33,7 @@ Messages { FileDaemon { # define myself Name = {{ inventory_hostname_short }}-fd Working Directory = /var/lib/bacula - Pid Directory = /var/run/bacula + Pid Directory = /run/bacula Maximum Concurrent Jobs = 20 FDAddress = {{ ipsec[inventory_hostname_short] }} FDPort = 9102 diff --git a/roles/common/templates/etc/clamav/freshclam.conf.j2 b/roles/common/templates/etc/clamav/freshclam.conf.j2 index 06cebd1..650a2b3 100644 --- a/roles/common/templates/etc/clamav/freshclam.conf.j2 +++ b/roles/common/templates/etc/clamav/freshclam.conf.j2 @@ -19,7 +19,6 @@ ReceiveTimeout 30 TestDatabases yes ScriptedUpdates yes CompressLocalDatabase no -SafeBrowsing false Bytecode true NotifyClamd /etc/clamav/clamd.conf # Check for new database 24 times a day diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2 index 29b004c..3cd19cc 100644 --- a/roles/common/templates/etc/fail2ban/jail.local.j2 +++ b/roles/common/templates/etc/fail2ban/jail.local.j2 @@ -13,7 +13,9 @@ destemail = admin@fripost.org ignoreip = 127.0.0.0/8, ::1, {{ ipsec_subnet }} banaction = nftables-allports -logpath = /var/log/fail2ban/fail2ban.log + +# must match nftables.conf's blackholes timeouts +bantime = 10m # # JAILS @@ -33,7 +35,7 @@ enabled = {{ 'MSA' in group_names }} [roundcube-auth] enabled = {{ 'webmail' in group_names }} -# XXX Bullseye: logpath = /var/log/roundcube/errors.log +logpath = /var/log/roundcube/errors.log [nextcloud] enabled = {{ 'nextcloud' in group_names }} diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2 index 6b3840f..e7505b4 100644 --- a/roles/common/templates/etc/ipsec.conf.j2 +++ b/roles/common/templates/etc/ipsec.conf.j2 @@ -17,7 +17,7 @@ conn %default {% endif %} leftauth = pubkey left = %defaultroute - leftsubnet = {{ ipsec[inventory_hostname_short] | ipv4 }}/32 + leftsubnet = {{ ipsec[inventory_hostname_short] | ansible.utils.ipv4 }}/32 leftid = {{ inventory_hostname }} leftsigkey = {{ inventory_hostname_short }}.pem leftfirewall = no @@ -36,7 +36,7 @@ conn {{ hostvars[host].inventory_hostname_short }} rightallowany = yes {% endif %} rightsigkey = {{ hostvars[host].inventory_hostname_short }}.pem - rightsubnet = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 }}/32 + rightsubnet = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ansible.utils.ipv4 }}/32 {% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %} mobike = yes {% endif %} diff --git a/roles/common/templates/etc/munin/munin-node.conf.j2 b/roles/common/templates/etc/munin/munin-node.conf.j2 index 1563526..1aba053 100644 --- a/roles/common/templates/etc/munin/munin-node.conf.j2 +++ b/roles/common/templates/etc/munin/munin-node.conf.j2 @@ -4,7 +4,7 @@ log_level 4 log_file /var/log/munin/munin-node.log -pid_file /var/run/munin/munin-node.pid +pid_file /run/munin/munin-node.pid background 1 setsid 1 @@ -42,7 +42,7 @@ host_name {{ inventory_hostname_short }} # may repeat the allow line as many times as you'd like {% for host in groups['munin_master'] %} -allow ^{{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 | replace(".","\.") }}$ +allow ^{{ ipsec[ hostvars[host].inventory_hostname_short ] | ansible.utils.ipv4 | replace(".","\.") }}$ {% endfor %} # Which address to bind to; diff --git a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 index 2d434bc..ec471eb 100644 --- a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 +++ b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 @@ -73,7 +73,7 @@ user root [mysql*] user root env.mysqlopts --defaults-file=/etc/mysql/debian.cnf -env.mysqluser debian-sys-maint +env.mysqluser root env.mysqlconnection DBI:mysql:mysql;mysql_read_default_file=/etc/mysql/debian.cnf [postfix_mailqueue_*] diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2 index 1e1fde2..805d1a8 100755 --- a/roles/common/templates/etc/nftables.conf.j2 +++ b/roles/common/templates/etc/nftables.conf.j2 @@ -5,7 +5,7 @@ define in-tcp-ports = { {% if 'MX' in group_names %} , 25 # SMTP {% endif %} -{% if 'LDAP-provider' in group_names %} +{% if 'LDAP_provider' in group_names %} , 636 # ldaps {% endif %} {% if 'IMAP' in group_names %} @@ -29,7 +29,7 @@ define out-tcp-ports = { {% if 'out' in group_names or 'MSA' in group_names %} , 25 # SMTP {% endif %} -{% if 'LDAP-provider' in group_names %} +{% if 'LDAP_provider' in group_names %} , 11371 # OpenPGP HTTP Keyserver , 43 # whois {% elif 'MX' in group_names or 'lists' in group_names or 'nextcloud' in group_names %} @@ -45,8 +45,107 @@ define out-tcp-ports = { flush ruleset +table netdev filter { +{% for if in ansible_interfaces %} +{% if if != "lo" and ansible_facts[if].active %} +{% set addr = (ansible_facts[if].ipv4 | default({'address': '0.0.0.0'})).address %} + chain INGRESS-{{ if }} { + type filter hook ingress device {{ if }} priority -499 + policy accept + + # IPsec traffic (refined later in the filter rule) + ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept + + # rate-limiting is done directly by the kernel (net.ipv4.icmp_{ratelimit,ratemask} runtime options) + icmp type { echo-reply, echo-request, destination-unreachable, time-exceeded } counter accept + icmpv6 type { echo-reply, echo-request, destination-unreachable, + packet-too-big, time-exceeded, parameter-problem } counter accept + + # accept neighbour discovery for autoconfiguration, RFC 4890 sec. 4.4.1 + ip6 hoplimit 255 icmpv6 type { 133,134,135,136,141,142 } counter accept + + # accept link-local multicast receiver notification messages + ip6 saddr fe80::/10 ip6 daddr ff02::/16 ip6 hoplimit 1 icmpv6 type { 130,131,132,143 } counter accept + + # drop all remaining ICMP/ICMPv6 traffic + meta l4proto { icmp, icmpv6 } counter drop + + # bogon filter (cf. RFC 6890 for non-global ip addresses) + define bogon = { + 0.0.0.0/8 # this host, on this network (RFC 1122 sec. 3.2.1.3) +{% if not addr | ansible.utils.ipaddr('10.0.0.0/8') %} + , 10.0.0.0/8 # private-use (RFC 1918) +{% endif %} + , 100.64.0.0/10 # shared address space (RFC 6598) + , 127.0.0.0/8 # loopback (RFC 1122, sec. 3.2.1.3) + , 169.254.0.0/16 # link local (RFC 3927) + , 172.16.0.0/12 # private-use (RFC 1918) + , 192.0.0.0/24 # IETF protocol assignments (RFC 6890 sec. 2.1) + , 192.0.2.0/24 # documentation (RFC 5737) +{% if not addr | ansible.utils.ipaddr('192.168.0.0/16') %} + , 192.168.0.0/16 # private-use (RFC 1918) +{% endif %} + , 198.18.0.0/15 # benchmarking (RFC 2544) + , 198.51.100.0/24 # documentation (RFC 5737) + , 203.0.113.0/24 # documentation (RFC 5737) + , 224.0.0.0/3 # multicast - class D 224.0.0.0/4 + class E 240.0.0.0/4 (RFC 1112 sec. 4) + , 255.255.255.255/32 # limited broadcast (RFC 0919 sec. 7) + } + + ip saddr $bogon counter drop + ip daddr $bogon counter drop + + # See also https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt + define bogon6 = { + ::1/128 # loopback address (RFC 4291) + , ::/128 # unspecified (RFC 4291) + , ::ffff:0:0/96 # IPv4-mapped address (RFC 4291) + , 100::/64 # discard-only address block (RFC 6666) + , 2001::/23 # IETF protocol assignments (RFC 2928) + , 2001::/32 # TEREDO (RFC 4380) + , 2001:2::/48 # benchmarking (RFC 5180) + , 2001:db8::/32 # documentation (RFC 3849) + , 2001:10::/28 # ORCHID (RFC 4843) + , 2002::/16 # 6to4 (RFC 3056) + , fc00::/7 # unique-local (RFC 4193) + , fe80::/10 # linked-scoped unicast (RFC 4291) + } + + ip6 saddr $bogon6 counter drop + ip6 saddr $bogon6 counter drop + } +{% endif %} +{% endfor %} +} + +table inet raw { + chain PREROUTING-stateless { + # XXX can't add that to the ingress hook as that happens before IP defragmentation + # so we don't have the TCP header in later fragments (we don't want to drop IP + # fragments, see https://blog.cloudflare.com/ip-fragmentation-is-broken/ ) + type filter hook prerouting priority -399 # > NF_IP_PRI_CONNTRACK_DEFRAG (-400) + policy accept + + # stateless filter for bogus TCP packets + tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop # null packet + tcp flags & (fin|psh|urg) == fin|psh|urg counter drop # XMAS packet + tcp flags & (syn|rst) == syn|rst counter drop + tcp flags & (fin|rst) == fin|rst counter drop + tcp flags & (fin|syn) == fin|syn counter drop + tcp flags & (fin|psh|ack) == fin|psh counter drop + } + + chain PREROUTING { + type filter hook prerouting priority -199 # > NF_IP_PRI_CONNTRACK (-200) + policy accept + + # stateful filter + ct state invalid counter drop + } +} + table inet filter { - # blackholes + # blackholes (timeout must match /etc/fail2ban/jail.local) set fail2ban { type ipv4_addr; timeout 10m; } set fail2ban6 { type ipv6_addr; timeout 10m; } @@ -56,26 +155,23 @@ table inet filter { iif lo accept - # XXX Bullseye: this is a hack for the lack of reqid matches in - # nftables: we mark the esp packet and accept after decapsulation + # XXX Bullseye: this is a rather crude match as nftables 0.9.0 lacks support for ipsec expressions + # to match match inbound resp. outbound policies and source resp. destination tunnel addresses. # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html - define IPsec.mark = 0x220 - meta l4proto esp mark set mark | $IPsec.mark accept - ip saddr 172.16.0.0/24 ip daddr 172.16.0.7 mark & $IPsec.mark == $IPsec.mark accept + # (We can't use marks to match post-ESP decapsulation here because that doesn't work well with UDP + # encapsulation.) We'll also pin the reqid to the lowest address byte in ipsec.conf(5); that way + # peers can't impersonate each other. + meta l4proto esp accept + # ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept + ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept - # rate-limiting is done directly by the kernel (net.ipv4.icmp_{ratelimit,ratemask} runtime options) - icmp type { echo-reply, echo-request, destination-unreachable } counter accept - icmpv6 type { echo-reply, echo-request, destination-unreachable, - packet-too-big, time-exceeded, parameter-problem } counter accept + # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already + meta l4proto { icmp, icmpv6 } counter accept - # accept neighbour discovery for autoconfiguration, RFC 4890 sec. 4.4.1 - icmpv6 type { 133,134,135,136,141,142 } ip6 hoplimit 255 counter accept + # NTP (ntpd uses sport 123 but systemd-timesyncd does not) + udp sport 123 ct state related,established accept - jump martian - jump invalid - - udp sport 123 udp dport 123 ct state related,established accept {% if groups.all | length > 1 %} udp sport 500 udp dport 500 ct state new,related,established accept {% if groups.NATed | length > 0 %} @@ -86,11 +182,12 @@ table inet filter { udp sport 53 ct state related,established accept tcp sport 53 ct state related,established accept {% if 'dhclient' in group_names %} - udp sport 67 ct state related,established accept + ip version 4 udp sport 67 udp dport 68 ct state related,established accept + ip6 version 6 udp sport 547 udp dport 546 ct state related,established accept {% endif %} - meta l4proto tcp ip saddr @fail2ban counter drop - meta l4proto tcp ip6 saddr @fail2ban6 counter drop + ip saddr @fail2ban counter drop + ip6 saddr @fail2ban6 counter drop tcp dport $in-tcp-ports ct state related,established accept tcp dport $in-tcp-ports ct state new counter accept @@ -103,25 +200,30 @@ table inet filter { oif lo accept - # XXX Bullseye: unlike for input we can't use marks here, - # because by the time we see a packet to 172.16.0.0/24 we don't - # know if it'll be encapsulated + # XXX Bullseye: unlike for input we can't use marks or test for + # secpath existence here, because by the time we see a packet to + # 172.16.0.0/24 we don't know if it'll be encapsulated meta l4proto esp accept - ip saddr 172.16.0.7 ip daddr 172.16.0.0/24 accept + # ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} ipsec out reqid $i accept + ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept - meta l4proto { icmp, icmpv6 } accept + meta l4proto { icmp, icmpv6 } counter accept - jump martian - jump invalid + # NTP (ntpd uses sport 123 but systemd-timesyncd does not) + udp dport 123 ct state new,related,established accept - udp sport 123 udp dport 123 ct state new,related,established accept +{% if groups.all | length > 1 %} udp sport 500 udp dport 500 ct state new,related,established accept +{% if groups.NATed | length > 0 %} udp sport 4500 udp dport 4500 ct state new,related,established accept +{% endif %} +{% endif %} udp dport 53 ct state new,related,established accept tcp dport 53 ct state new,related,established accept {% if 'dhclient' in group_names %} - udp dport 67 ct state new,related,established accept + ip version 4 udp sport 68 udp dport 67 ct state new,related,established accept + ip6 version 6 udp sport 546 udp dport 547 ct state new,related,established accept {% endif %} tcp sport $in-tcp-ports ct state related,established accept @@ -132,62 +234,4 @@ table inet filter { meta l4proto udp counter reject counter reject } - - chain martian { - # bogon filter (cf. RFC 6890 for non-global ip addresses) - define invalid-ip = { - 0.0.0.0/8 # this host, on this network (RFC 1122 sec. 3.2.1.3) -{% if not ansible_default_ipv4.address | ipaddr('10.0.0.0/8') %} - , 10.0.0.0/8 # private-use (RFC 1918) -{% endif %} - , 100.64.0.0/10 # shared address space (RFC 6598) - , 127.0.0.0/8 # loopback (RFC 1122, sec. 3.2.1.3) - , 169.254.0.0/16 # link local (RFC 3927) -{% if not ansible_default_ipv4.address | ipaddr('172.16.0.0/12') %} - , 172.16.0.0/12 # private-use (RFC 1918) -{% endif %} - , 192.0.0.0/24 # IETF protocol assignments (RFC 6890 sec. 2.1) - , 192.0.2.0/24 # documentation (RFC 5737) -{% if not ansible_default_ipv4.address | ipaddr('192.168.0.0/16') %} - , 192.168.0.0/16 # private-use (RFC 1918) -{% endif %} - , 198.18.0.0/15 # benchmarking (RFC 2544) - , 198.51.100.0/24 # documentation (RFC 5737) - , 203.0.113.0/24 # documentation (RFC 5737) - , 240.0.0.0/4 # reserved (RFC 1112, sec. 4) - , 255.255.255.255/32 # limited broadcast (RFC 0919, section 7) - } - - define invalid-ip6 = { - ::1/128 # loopback address (RFC 4291) - , ::/128 # unspecified (RFC 4291) - , ::ffff:0:0/96 # IPv4-mapped address (RFC 4291) - , 100::/64 # discard-only address block (RFC 6666) - , 2001::/23 # IETF protocol assignments (RFC 2928) - , 2001::/32 # TEREDO (RFC 4380) - , 2001:2::/48 # benchmarking (RFC 5180) - , 2001:db8::/32 # documentation (RFC 3849) - , 2001:10::/28 # ORCHID (RFC 4843) - , 2002::/16 # 6to4 (RFC 3056) - , fc00::/7 # unique-local (RFC 4193) - , fe80::/10 # linked-scoped unicast (RFC 4291) - } - - ip saddr $invalid-ip counter drop - ip daddr $invalid-ip counter drop - - ip6 saddr $invalid-ip6 counter drop - ip6 daddr $invalid-ip6 counter drop - } - - chain invalid { - ct state invalid counter reject - - # drop bogus TCP packets - tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop # null packets - tcp flags != syn ct state new counter drop # SYN-flood attacks - tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop # XMAS packets - tcp flags & (fin|syn) == fin|syn counter drop # bogus - tcp flags & (syn|rst) == syn|rst counter drop # bogus - } } diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2 index 18c03cf..b76f0dd 100644 --- a/roles/common/templates/etc/ntp.conf.j2 +++ b/roles/common/templates/etc/ntp.conf.j2 @@ -2,6 +2,8 @@ driftfile /var/lib/ntp/ntp.drift +# Leap seconds definition provided by tzdata +leapfile /usr/share/zoneinfo/leap-seconds.list # Enable this if you want statistics to be logged. #statsdir /var/log/ntpstats/ @@ -13,7 +15,6 @@ filegen clockstats file clockstats type day enable # You do need to talk to an NTP server or two (or three). -{% if 'NTP_master' in group_names %} # Use Stratum One Time Servers: # http://support.ntp.org/bin/view/Servers/StratumOneTimeServers server sth1.ntp.se iburst @@ -22,17 +23,6 @@ server gbg1.ntp.se iburst server gbg2.ntp.se iburst server ntp1.sp.se iburst server ntp2.sp.se iburst -{% else %} -# Sychronize to our (stratum 2) NTP server, to ensure our network has a -# consistent time. -{% for host in groups['NTP_master'] | sort %} -server {{ ipsec[ hostvars[host].inventory_hostname_short ] }} prefer iburst -{% endfor %} -pool 0.{{ geoip | default('debian') }}.pool.ntp.org iburst -pool 1.{{ geoip | default('debian') }}.pool.ntp.org iburst -pool 2.{{ geoip | default('debian') }}.pool.ntp.org iburst -pool 3.{{ geoip | default('debian') }}.pool.ntp.org iburst -{% endif %} # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2 index b369d43..5ac7920 100644 --- a/roles/common/templates/etc/postfix/main.cf.j2 +++ b/roles/common/templates/etc/postfix/main.cf.j2 @@ -31,7 +31,7 @@ virtual_alias_maps = lmdb:/etc/aliases alias_database = $virtual_alias_maps # Forward everything to our internal outgoing proxy -relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }} +relayhost = [{{ postfix_instance.out.addr | ansible.utils.ipaddr }}]:{{ postfix_instance.out.port }} relay_domains = smtp_tls_security_level = none diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2 index a9c73f7..3954085 100644 --- a/roles/common/templates/etc/postfix/master.cf.j2 +++ b/roles/common/templates/etc/postfix/master.cf.j2 @@ -19,10 +19,8 @@ tlsproxy unix - - y - 0 tlsproxy dnsblog unix - - y - 0 dnsblog {% elif inst == 'MSA' %} submission inet n - y - - smtpd - -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL submissions inet n - y - - smtpd -o smtpd_tls_wrappermode=yes - -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL {% if groups.webmail | difference([inventory_hostname]) | length > 0 %} [{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd -o broken_sasl_auth_clients=no @@ -59,6 +57,8 @@ smtp_verify unix - - y - - smtp -o smtp_tls_protocols=!SSLv2,!SSLv3 -o smtp_tls_note_starttls_offer=yes -o smtp_tls_session_cache_database=lmdb:$data_directory/smtp_tls_session_cache + -o smtp_tls_fingerprint_digest=sha256 + -o smtp_tls_policy_maps=lmdb:$config_directory/smtp_tls_policy {% endif %} relay unix - - y - - smtp showq unix n - y - - showq @@ -85,7 +85,7 @@ sympa unix - n n - - pipe {% if inst is defined and inst == 'out' %} # Client part (lmtp) - amavis -amavisfeed unix - - n - 5 lmtp +amavisfeed unix - - y - 5 lmtp -o lmtp_destination_recipient_limit=1000 -o lmtp_send_xforward_command=yes -o lmtp_data_done_timeout=1200s diff --git a/roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 b/roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 new file mode 100644 index 0000000..f578cd9 --- /dev/null +++ b/roles/common/templates/etc/systemd/timesyncd.conf.d/fripost.conf.j2 @@ -0,0 +1,9 @@ +[Time] +# Sychronize to our (stratum 2) NTP server, to ensure our network has a +# consistent time. +{%- set ntp = [] -%} +{%- for host in groups['NTP_master'] -%} +{%- set _ = ntp.append(ipsec[ hostvars[host].inventory_hostname_short ]) -%} +{%- endfor %} + +NTP={{ ntp | join(' ') }} diff --git a/roles/common/templates/etc/unbound/unbound.conf.j2 b/roles/common/templates/etc/unbound/unbound.conf.j2 index 64f32bf..e75e66f 100644 --- a/roles/common/templates/etc/unbound/unbound.conf.j2 +++ b/roles/common/templates/etc/unbound/unbound.conf.j2 @@ -29,4 +29,4 @@ server: # # The following line includes additional configuration files from the # /etc/unbound/unbound.conf.d directory. -include: "/etc/unbound/unbound.conf.d/*.conf" +include-toplevel: "/etc/unbound/unbound.conf.d/*.conf" |