summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFiles
...
* nginx: Update trusted certificate used for OCSP stapling.Guilhem Moulin2020-12-051
| | | | See https://bugs.debian.org/975862 .
* Firewall: Always include 172.16.0.0/12 to the bogon list.Guilhem Moulin2020-11-151
| | | | | Our IPsec subnet is in that subnet but the setup won't deal well with subnet overlap so it's best to explicitely not support NATed machines with an IP in 172.16.0.0/12.
* Firewall: Add counter to dropped ICMP packets.Guilhem Moulin2020-11-151
|
* rkhunter: workaround for mix usrmerge/non-usrmerge environments.Guilhem Moulin2020-11-151
| | | | See https://bugs.debian.org/932594#15 .
* Firewall: ICMPv6: accept link-local multicast receiver notification messages.Guilhem Moulin2020-11-151
|
* typofixGuilhem Moulin2020-11-151
| | | | Regression from ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3.
* Change NTP client to systemd-timesyncd.Guilhem Moulin2020-11-155
| | | | | | | | | (Excluding our NTP master.) It's simpler, arguably more secure, and provides enough functionality when only simple client use-cases are desired. We allow outgoing connections to 123/udp also on NTP slaves so systemd-timesyncd can connect to the fallbacks NTP servers.
* Bacula: tweak fileset and retention policy.Guilhem Moulin2020-11-151
| | | | | | In particular, trigger weekly differential backups for mailboxes, and exclude Dovecot's transaction/index/etc log and cache files which are constantly updated but not useful assets to backup.
* logcheck-database update.Guilhem Moulin2020-11-154
|
* Firewall: allow ICMP type 11 (time time-exceeded).Guilhem Moulin2020-11-031
| | | | This is in particular needed for traceroutes and routing loop detection.
* Revert "Bacula Director: Properly quote shell command."Guilhem Moulin2020-11-031
| | | | This reverts commit 26bae877102752a41a903cab2ee0891f8f261d38.
* Move bacula and munin master to new host levante from benjamin.Guilhem Moulin2020-11-035
|
* Bacula: refactor systemd service files.Guilhem Moulin2020-11-036
| | | | | | Use unit overrides on top of upstream's service files instead of overriding entire service files. In particular, upstream uses flag `-P` so we don't need to use RuntimeDirectory= anymore.
* Firewall: Move IPsec/ICMP/ICMPv6 rules to ingress chain.Guilhem Moulin2020-11-031
| | | | | | | | This is required to receive incoming traffic to our IPsec IP in 172.16.0.0/24, as well as linked-scoped ICMPv6 traffic from/to fe80::/10 (for neighbour discovery). Regression from a6b8c0b3a4758f8d84a7ad07bb9e068075d098d3.
* Firewall: Move martian and bogus TCP filters early in the packet flow.Guilhem Moulin2020-11-021
| | | | | This is more efficient: the earlier we filter the crap out the less resources they consume.
* kernel parameters: Disable SYN cookies and improve SYN backlog handling.Guilhem Moulin2020-11-021
| | | | See tcp(7) and https://levelup.gitconnected.com/linux-kernel-tuning-for-high-performance-networking-high-volume-incoming-connections-196e863d458a .
* Refactor SQL custom configuration.Guilhem Moulin2020-11-023
| | | | As of MariaDB 10.3 this should be more future proof.
* Bacula Director: Properly quote shell command.Guilhem Moulin2020-11-021
|
* typofixGuilhem Moulin2020-11-021
|
* Munin master: Bug fix for the HTML rendering.Guilhem Moulin2020-11-022
|
* Wiki: Install dependencies for static web content.Guilhem Moulin2020-11-021
| | | | See https://git.fripost.org/fripost-wiki/commit/?id=72983121e68289a7497927417e52a8ec5f16aa7b .
* typofixGuilhem Moulin2020-10-021
|
* Roundcube: Add minimal config confile for thunderbird_labels plugin.Guilhem Moulin2020-10-022
|
* Roundcube: Don't allow overriding authres_status's ↵Guilhem Moulin2020-10-022
| | | | use_fallback_verifier/trusted_mtas.
* Use dedicated DKIM key for tevs.net.Guilhem Moulin2020-10-012
|
* Add PHP modules required for Nextcloud 19.Guilhem Moulin2020-08-191
|
* slapcat-all.sh: Use ldapsearch(1) to generate the LDIF.Guilhem Moulin2020-05-262
| | | | | Unlike slapcat(1) it doesn't require write access to ~openldap, so we don't have to weaken bacula-fd.service.
* munin: `sed s,/var/run/,/run,`Guilhem Moulin2020-05-262
|
* bacula-dir: Add jobs for nextcloud-data.Guilhem Moulin2020-05-261
|
* bacula-{dir,sd}: Upgrade role to Debian Buster.Guilhem Moulin2020-05-264
|
* Wiki: Content-Security-Policy: Add data: to img-src.Guilhem Moulin2020-05-222
| | | | | This is needed for BS4's navbar-toggler-icon which uses an SVG background-image.
* Use dedicated DKIM key for hemdal.se.Guilhem Moulin2020-05-222
|
* cgit: Tighten Content-Security-Policy.Guilhem Moulin2020-05-211
| | | | Add frame-ancestors and form-action.
* LDAP: Add ACLs for group ‘styrelse’.Guilhem Moulin2020-05-211
|
* Postfix: Install -lmdb in all roles using db=lmdb.Guilhem Moulin2020-05-214
| | | | | | And drop -ldap from all roles other than MX. -lmdb is included in roles/common but it can be helpful to have it individual roles as well as they can be run individually.
* postfix-sender-login: Better hardening.Guilhem Moulin2020-05-214
| | | | Run as a dedicated user, not ‘postfix’.
* dovecot-auth-proxy: replace directory traversal with LDAP lookups.Guilhem Moulin2020-05-216
| | | | | | | | | | | | | This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer lists users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
* dovecot-auth-proxy: Bump protocol version to 2.2.Guilhem Moulin2020-05-201
| | | | | | | | This a regression rom 829f4d830aefedd95a75e61cfc9aa3e03f039c6f. There are no relevant interface changes between 2.2.27 (stretch) and 2.3.4 (buster) cf. `git diff 2.2.27..2.3.4 src/lib-dict/dict-client.h` and https://github.com/dovecot/core/commits/2.3.4/src/lib-dict/dict-client.h .
* IMAP: Update role to Debian Buster.Guilhem Moulin2020-05-1912
| | | | | | | | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
* MSA: Update role to Debian Buster.Guilhem Moulin2020-05-193
| | | | | | | | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
* LDAP: Update role to Debian Buster.Guilhem Moulin2020-05-192
|
* s/LDAP-provider/LDAP_provider/Guilhem Moulin2020-05-198
| | | | This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
* wibbleGuilhem Moulin2020-05-181
|
* stunnel4: Harden and socket-activate.Guilhem Moulin2020-05-187
|
* Firewall: note on reqid matching.Guilhem Moulin2020-05-181
| | | | To be done when we upgrade to Bullseye for more fine-grained control.
* AEAD ciphers: Add EECDH+CHACHA20 macro.Guilhem Moulin2020-05-184
| | | | | | | This adds the following two ciphers: ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
* cgit and HTTP backend: Remove unused files.Guilhem Moulin2020-05-182
| | | | We replace uwsgi in 70f16ac939497e3e424bad05c5f82ce36d1bceda.
* Firewall: Use `meta secpath exists` to match xfrm associations.Guilhem Moulin2020-05-181
| | | | | Marking incoming ESP packets and matching decapsulated packets doesn't work with NAT traverslate (UDP encapsulation aka MOBIKE).
* nginx: Add Expires: HTTP headers.Guilhem Moulin2020-05-176
|
* webmail: Add .webp to the list of static resources.Guilhem Moulin2020-05-171
|