path: root/production
Commit message | Author | Age | Files
* Convert firewall to nftables. | Guilhem Moulin | 2020-01-23 | 1
    Debian Buster uses the nftables framework by default.
* tr/-/_/ in group names. | Guilhem Moulin | 2020-01-22 | 1
    This avoids
    [DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set to allow bad characters in group names by default, this will change, but still be user configurable on deprecation. This feature will be removed in version 2.10. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
    [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
* Define new host "calima" serving Nextcloud. | Guilhem Moulin | 2018-12-03 | 1
* Upgrade webmail baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 1
* Also install non-free firmwares on civett. | Guilhem Moulin | 2017-05-30 | 1
* Change civett's CNAME from civett.friprogramvarusyndikatet.se to civett.fripost.org | Guilhem Moulin | 2017-05-14 | 1
* ClamAV (FreshClam): use a localized Database Mirror. | Guilhem Moulin | 2016-07-09 | 1
    As db.local.clamav.net is not always properly localized. Furthermore, our previous Ansible script did not ensure ordering of the DatabaseMirror lines.
* Tunnel internal NTP traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 1
    More precisely, between our NTP-master (stratum 1) host and the other machines (all stratum 2). Providing authentication and integrity for internal NTP traffic ensures a consistent time within our internal infrastructure.
* Set up IPSec tunnels between each pair of hosts. | Guilhem Moulin | 2016-05-22 | 1
    We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
* ‘benjamin.marxist.se’ → ‘benjamin.skangas.se’ | Guilhem Moulin | 2015-11-09 | 1
* Configure munin nodes & master. | Guilhem Moulin | 2015-06-10 | 1
    Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* Add ansible inventory file. | Guilhem Moulin | 2015-06-07 | 1