summaryrefslogtreecommitdiffstats
path: root/common.yml
Commit message (Collapse)AuthorAgeFiles
* Configure munin nodes & master.Guilhem Moulin2015-06-101
| | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* Configure Bacula File Daemon / Storage Daemon / Director.Guilhem Moulin2015-06-071
| | | | | Using client-side data signing/encryption and wrapping inter-host communication into stunnel.
* Configure ikiwiki (website + wiki).Guilhem Moulin2015-06-071
|
* Git (gitolite + git-http-backend + gitweb) configurationGuilhem Moulin2015-06-071
| | | | | | | | | | | By default repos are be readable by gitweb and the web server ('gitweb' and 'www-data' are both in the 'gitolite' group). Private repo owners will have 'chmod -R og-rwx' manually. To automatically add new repos to gitweb's 'project.list' file, make it readable to the special 'gitweb' user. See /usr/share/doc/gitolite3/README.txt.gz for details.
* Upgrade Dovecot config to Jessie.Guilhem Moulin2015-06-071
|
* Configure the list manager (Sympa).Guilhem Moulin2015-06-071
|
* Configure SyncRepl (OpenLDAP replication) and related ACLs.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | | | | The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-071
| | | | For DKIM signing and virus checking.
* Mailing lists (using mlmmj).Guilhem Moulin2015-06-071
| | | | | | | | | Right now the list server cannot be hosted with a MX, due to bug 51: http://mlmmj.org/bugs/bug.php?id=51 Web archive can be compiled with MHonArc, but the web server configuration is not there yet.
* Common web configuration.Guilhem Moulin2015-06-071
|
* Configure the LDAP provider.Guilhem Moulin2015-06-071
| | | | (Hence the SyncProv overlay.)
* LDAP Sync Replication.Guilhem Moulin2015-06-071
|
* Reorganization.Guilhem Moulin2015-06-071
|
* Tell ansible we generally want to use sudo(8).Guilhem Moulin2015-06-071
| | | | I.e., put 'sudo=True' in ansible.cfg.
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-071
We use a dedicated instance for each role: MDA, MTA out, MX, etc.