| Commit message (Collapse) | Author | Age | Files |
|
Interhost communications are protected by stunnel4. The graphs are only
visible on the master itself, and content is generated by Fast CGI.
|
Using client-side data signing/encryption and wrapping inter-host
communication into stunnel.
|
By default repos are readable by gitweb and the web server ('gitweb' and
'www-data' are both in the 'gitolite' group). Private repo owners will have
to 'chmod -R og-rwx' manually.
To automatically add new repos to gitweb's 'project.list' file, make it
readable to the special 'gitweb' user.
See /usr/share/doc/gitolite3/README.txt.gz for details.
|
The clients are identified using their certificate, and connect securely
to the SyncProv.
There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
- Authentication (XXX: strong authentication) is required prior to any DIT
  operation (see 'olcRequires').
- We force a Security Strength Factor of 128 or above for all operations (see
  'olcSecurity'), meaning one must use either a local connection (e.g.,
  ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
  least 128 bits of security.
- XXX: Services may not simple bind other than locally on a ldapi:// socket.
  If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
  socket whenever possible (if the service itself supports SASL binds).
  If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
  socket, and their identity should be derived from the CN of the client
  certificate only (hence services may not simple bind).
- Admins have restrictions similar to those of the services.
- User access is only restricted by our global 'olcSecurity' attribute.
|
For DKIM signing and virus checking.
|
Right now the list server cannot be hosted with an MX, due to bug 51:
http://mlmmj.org/bugs/bug.php?id=51
Web archive can be compiled with MHonArc, but the web server
configuration is not there yet.
|
(Hence the SyncProv overlay.)
|
I.e., put 'sudo=True' in ansible.cfg.
|
We use a dedicated instance for each role: MDA, MTA out, MX, etc.
|