| Commit message (Collapse) | Author | Age | Files |
|
We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1)
for the elastic theme.
|
Debian Buster uses the nftables framework by default.
|
This avoids
[DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set
to allow bad characters in group names by default, this will change, but
still be user configurable on deprecation. This feature will be removed
in version 2.10. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
[WARNING]: Invalid characters were found in group names but not
replaced, use -vvvv to see details
|
civett.fripost.org
|
As db.local.clamav.net is not always properly localized. Furthermore,
our previous Ansible script did not ensure ordering of the
DatabaseMirror lines.
|
More precisely, between our NTP-master (stratum 1) host and the other
machines (all stratum 2). Providing authentication and integrity for
internal NTP traffic ensures a consistent time within our internal
infrastructure.
|
We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore,
the subnet is nullrouted in the absence of xfrm lookup (i.e., when there
is no matching IPSec Security Association) to avoid data leaks.
Each host is associated with an IP in that subnet (thus only reachable
within that subnet, either by the host itself or by its IPSec peers).
The peers authenticate each other using RSA public key authentication.
Kernel traps are used to ensure that connections are only established
when traffic is detected between the peers; after 30m of inactivity
(this value needs to be less than the rekeying period) the connection is
brought down and a kernel trap is installed.
|
Interhost communications are protected by stunnel4. The graphs are only
visible on the master itself, and content is generated by Fast CGI.