Commit message | Author | Age | Files

"username=postfix,cn=peercred,cn=external,cn=auth" is replaced by
"gidNumber=106+uidNumber=102,cn=peercred,cn=external,cn=auth" where 102
is postfix's UID and 106 its primary GID (looked up from /etc/passwd).

I.e., put 'sudo=True' in ansible.cfg.

For non-indexed attributes, do not ask the LDAP server to modify values
in the symmetric difference of A (the entry found in the directory) and
B (the target). That is, we replace A by B only when they are disjoint;
otherwise we remove values in A-B and add those in B-A.

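The rule in the commit message above, written out as an added Python example (not the project's own code): entries are assumed to be dicts mapping attribute names to lists of values, and the MOD_ADD / MOD_DELETE / MOD_REPLACE constants are assumed to follow python-ldap's numbering so that the result can be handed to a modify call. The sample entries are constructed.

```python
# Modification operations; numeric values chosen to match python-ldap's
# ldap.MOD_ADD / ldap.MOD_DELETE / ldap.MOD_REPLACE (assumption) so the
# output can be passed to LDAPObject.modify_s().
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def modlist(found, target, indexed=frozenset()):
    """Modifications turning entry `found` (A) into `target` (B).

    Both are dicts mapping attribute name -> list of values.  Attributes
    absent from `target` are left alone; an empty list in `target` deletes
    the attribute.  `indexed` names attributes the server indexes: those
    are always replaced wholesale.  For the others we never touch values
    common to A and B: replace only when A and B are disjoint, otherwise
    delete A-B and add B-A.
    """
    mods = []
    for attr in sorted(target):
        a = list(found.get(attr, []))
        b = list(target[attr])
        sa, sb = set(a), set(b)
        if sa == sb:
            continue                      # same values (order is irrelevant)
        if not b:
            mods.append((MOD_DELETE, attr, None))
        elif attr in indexed or not (sa & sb):
            mods.append((MOD_REPLACE, attr, b))
        else:
            removed = [v for v in a if v not in sb]   # A - B
            added = [v for v in b if v not in sa]     # B - A
            if removed:
                mods.append((MOD_DELETE, attr, removed))
            if added:
                mods.append((MOD_ADD, attr, added))
    return mods


# Constructed sample entries (not taken from any real directory).
FOUND = {
    "cn": ["old"],
    "mail": ["a@example.org", "b@example.org"],
    "uidNumber": ["102"],
}
TARGET = {
    "cn": ["new"],
    "mail": ["b@example.org", "c@example.org"],
    "uidNumber": ["102"],
    "description": ["postfix"],
}

if __name__ == "__main__":
    names = {MOD_ADD: "add", MOD_DELETE: "delete", MOD_REPLACE: "replace"}
    for op, attr, values in modlist(FOUND, TARGET):
        print(names[op], attr, values)
```

With the sample above, `cn` and `description` are disjoint from what the directory holds and are replaced outright, `uidNumber` is untouched, and `mail` gets one delete and one add rather than a replace, so the shared value `b@example.org` is never rewritten.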
Since indices are specified in the database LDIF.

It's not happy with non-ASCII characters in comments, unless the
encoding is made explicit…
        http://www.python.org/dev/peps/pep-0263/

To be clearer, and to follow the recommendation of the FSF, we include
a full header rather than a single sentence.

In order to allow strings of the form:
    priv="db.table1:SELECT,       UPDATE,DELETE
         /db.table2:SELECT,INSERT,       DELETE"

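A parser for that privilege string format, as an added Python example (not the project's own code): it tolerates whitespace and newlines around the comma-separated privilege names, which is the point of the commit above. The allow-list of privilege names is a hypothetical subset of MySQL's, used so that a typo in a playbook fails early instead of being forwarded to GRANT; the sample string is the one from the commit message.

```python
import re

# Sample from the commit message: whitespace and a newline inside the list.
SAMPLE_PRIV = """db.table1:SELECT,       UPDATE,DELETE
         /db.table2:SELECT,INSERT,       DELETE"""

# Hypothetical allow-list (a subset of MySQL privilege names).
KNOWN_PRIVS = {
    "ALL", "ALTER", "CREATE", "DELETE", "DROP", "EXECUTE", "GRANT",
    "INDEX", "INSERT", "LOCK TABLES", "SELECT", "SHOW VIEW", "UPDATE", "USAGE",
}

_OBJECT = re.compile(r"[^\s.]+\.[^\s.]+")      # db.table, db.*, *.*
_NAME = re.compile(r"[A-Za-z0-9_]+")          # user / host we are willing to quote


def parse_priv(spec):
    """Parse 'db.table:P1,P2/db2.table:P3' into {'db.table': ['P1', 'P2'], ...}."""
    grants = {}
    for chunk in spec.split("/"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if ":" not in chunk:
            raise ValueError("missing ':' in %r" % chunk)
        obj, privs = chunk.split(":", 1)
        obj = obj.strip()
        if not _OBJECT.fullmatch(obj):
            raise ValueError("bad object %r (want db.table)" % obj)
        if obj in grants:
            raise ValueError("duplicate object %r" % obj)
        names = []
        for name in privs.split(","):
            # collapse inner whitespace too, so "LOCK   TABLES" is accepted
            name = " ".join(name.split()).upper()
            if not name:
                raise ValueError("empty privilege in %r" % chunk)
            if name not in KNOWN_PRIVS:
                raise ValueError("unknown privilege %r" % name)
            if name not in names:
                names.append(name)
        grants[obj] = names
    return grants


def grant_statements(grants, user, host="localhost"):
    """Render one GRANT statement per object; user/host are restricted to
    [A-Za-z0-9_] so the single-quoted literals cannot be broken out of."""
    for value in (user, host):
        if not _NAME.fullmatch(value):
            raise ValueError("refusing to quote %r" % value)
    return ["GRANT %s ON %s TO '%s'@'%s';" % (", ".join(privs), obj, user, host)
            for obj, privs in grants.items()]


if __name__ == "__main__":
    for stmt in grant_statements(parse_priv(SAMPLE_PRIV), "postfix"):
        print(stmt)
```

Rejecting unknown names and unquotable user/host values keeps the module from passing arbitrary text into a GRANT statement; relax `KNOWN_PRIVS` to the full MySQL list when using this for real.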
A.k.a "IDENTIFIED WITH ...". The plugin is automatically loaded on first
use.
References:
 - https://dev.mysql.com/doc/refman/5.5/en/pluggable-authentication.html
 - https://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html
Sadly as of MySQL 5.5, the "ALTER USER" command does not allow changing
the Authentication Plugin, so we have to manually manipulate
`mysql.user` (and FLUSH PRIVILEGES) instead. See also
http://bugs.mysql.com/bug.php?id=67449

From ref origin/release1.4.0, commit
  2a58c2bbe33236ccfdde9fe7466d8a65956f21a5

We use a dedicated instance for each role: MDA, MTA out, MX, etc.

${distro_codename} doesn't work properly there, so we put stable and/or
oldstable instead.

Replaced [ -n "$string" ] with [ "$string" ], and [ -z "$string" ] with
[ ! "$string" ].

'syslog' is meant for the messages generated internally by syslogd,
whereas 'user' is for user-level messages.

We use ESP only, so other protocols shouldn't be ACCEPTed.

This is pointless since the service will be restarted anyway.

In particular, run 'apt-get update' right after configuring APT, and
restart daemons right after configuring them.
The advantage being that if ansible crashes in some "task", the earlier
ones would already be restarted if needed. (This may not happen in the next
run since the configuration should already be up to date.)

Packets originating from our (non-routable) $ipsec are marked; if there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to
    ip rule  add fwmark "$secmark" table 666 priority 666
    ip route add blackhole default table 666

Also, use ESP tunnel mode instead of transport mode.

I.e., as packets are treated along the way: mangle -> nat -> filter.

At each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd
from our dedicated IP after ESP decapsulation. Also, some IP tables
ensure that alien traffic (not coming from / going to the tunnel end-point)
is dropped.

Also, added some options:
    -f force:   no confirmation asked
    -c check:   check (dry-run) mode
    -v verbose: see the difference between old and new ruleset
    -4 IPv4 only
    -6 IPv6 only

These rules are automatically included by third-party servers such as
strongSwan or fail2ban.

So it doesn't mess with the high-priority rules regarding IPSec.

update-firewall.sh -c does not update the firewall, but returns a
non-zero value iff running it without the switch would modify it.

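The comparison behind such a check mode, as an added Python example (not the project's update-firewall.sh, which is a shell script): two iptables-save dumps are normalised before comparison, because the "# Generated by" / "# Completed on" timestamps and the [packets:bytes] counters on chain lines change on every dump without the policy changing. Comparing raw dumps would make -c report a change on every run. The dumps below are constructed samples, and the unified diff is what a -v style option would show.

```python
import difflib
import re

# Constructed iptables-save dump (not a real ruleset from the project).
CURRENT_RULESET = """\
# Generated by iptables-save v1.4.21 on Mon Jan  1 10:00:00 2018
*filter
:INPUT DROP [12:3456]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [99:8765]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p esp -j ACCEPT
COMMIT
# Completed on Mon Jan  1 10:00:00 2018
"""

# Same policy dumped later: only counters and timestamps differ.
SAME_POLICY_LATER = (CURRENT_RULESET
                     .replace("[12:3456]", "[40:9000]")
                     .replace("10:00:00", "10:05:00"))

# A genuinely different policy: one extra ACCEPT rule.
NEW_RULESET = CURRENT_RULESET.replace(
    "-A INPUT -p esp -j ACCEPT\n",
    "-A INPUT -p esp -j ACCEPT\n-A INPUT -p udp --dport 500 -j ACCEPT\n")

_COUNTER = re.compile(r"\s*\[\d+:\d+\]$")   # trailing [packets:bytes]


def normalize(ruleset):
    """Policy-relevant lines of an iptables-save dump: comments dropped,
    counters stripped, whitespace collapsed."""
    lines = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = _COUNTER.sub("", line)
        lines.append(" ".join(line.split()))
    return lines


def ruleset_diff(current, new):
    """Unified diff of the two policies; empty when nothing would change."""
    return list(difflib.unified_diff(normalize(current), normalize(new),
                                     fromfile="current", tofile="new",
                                     lineterm=""))


def check_exit_status(current, new):
    """Exit status for a -c run: 0 if applying `new` changes nothing, 1 otherwise."""
    return 0 if normalize(current) == normalize(new) else 1


if __name__ == "__main__":
    print("\n".join(ruleset_diff(CURRENT_RULESET, NEW_RULESET)))
    print("exit status:", check_exit_status(CURRENT_RULESET, NEW_RULESET))
```

In a real script the `current` text would come from `iptables-save` and `new` from the generated ruleset file; anything that legitimately differs between dumps (counters, timestamps) must be stripped first, or the check mode never reports a clean state.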
To run the playbook:
  cd ./ansible
  ansible-playbook -i vms site.yml