summaryrefslogtreecommitdiffstats
path: root/roles/common/files/etc
Commit message (Collapse)AuthorAgeFiles
* logcheck-database update.Guilhem Moulin2021-02-131
| | | | ansible 2.10.7 uses "ansible-ansible.legacy.stat: Invoked with […]".
* rkhunter: workaround for mix usrmerge/non-usrmerge environments.Guilhem Moulin2020-11-151
| | | | See https://bugs.debian.org/932594#15 .
* logcheck-database update.Guilhem Moulin2020-11-154
|
* Bacula: refactor systemd service files.Guilhem Moulin2020-11-031
| | | | | | Use unit overrides on top of upstream's service files instead of overriding entire service files. In particular, upstream uses flag `-P` so we don't need to use RuntimeDirectory= anymore.
* IMAP: Update role to Debian Buster.Guilhem Moulin2020-05-191
| | | | | | | | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
* stunnel4: Harden and socket-activate.Guilhem Moulin2020-05-181
|
* Upgrade baseline to Debian 10.Guilhem Moulin2020-05-1610
|
* Improve/harden fail2ban configuration.Guilhem Moulin2020-01-255
| | | | | | | | | * Use nftables sets with a timeout * Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires to change the log path to /var/log/fail2ban/*.) * Skip database as we don't care about persistence. * Refactor jail.local
* Convert firewall to nftables.Guilhem Moulin2020-01-232
| | | | Debian Buster uses the nftables framework by default.
* MSA: Open 465/TCP for Email Submission over TLS.Guilhem Moulin2019-03-191
| | | | See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete".
* Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch.Guilhem Moulin2018-12-093
|
* Disable resume device.Guilhem Moulin2018-12-091
| | | | We don't need suspend-on-disk (hibernation).
* systemd.service: Tighten hardening options.Guilhem Moulin2018-12-092
|
* bacula-*.service: Don't fork in the background.Guilhem Moulin2018-12-091
| | | | Inspired from /lib/systemd/system/bacula-fd.service.
* Upgrade 'lists' role to Debian Stretch.Guilhem Moulin2018-12-091
|
* systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’.Guilhem Moulin2018-12-092
| | | | And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
* Postfix: replace cdb & btree tables with lmdb ones.Guilhem Moulin2018-12-031
| | | | Cf. lmdb_table(5).
* IPsec: allow ISAKMP over IPv6.Guilhem Moulin2018-12-031
|
* Upgrade baseline to Debian Stretch.Guilhem Moulin2018-12-038
|
* Skip samhain installation.Guilhem Moulin2018-12-031
| | | | It's become too verbose (too many false-positive)…
* Harden anti spam on the MX:es.Guilhem Moulin2018-06-091
|
* More logcheck-database tweaks.Guilhem Moulin2018-04-043
|
* sympa: wibbleGuilhem Moulin2018-04-041
|
* Perform recipient address verification on the MSA itself.Guilhem Moulin2018-04-041
|
* More logcheck-database tweaks.Guilhem Moulin2017-09-143
|
* rkhunter: Disable remote updates to fix CVE-2017-7480.Guilhem Moulin2017-07-291
|
* Use MariaDB as default MySQL flavor.Guilhem Moulin2017-07-291
|
* More logcheck-database tweaks.Guilhem Moulin2017-06-071
|
* postfix-sender-login: wibbleGuilhem Moulin2017-06-051
|
* dovecot: enable user iteration and add a cronjob for `doveadm purge -A`Guilhem Moulin2017-06-051
|
* postfix: don't rate-limit our IPsec subnet.Guilhem Moulin2017-06-021
|
* /lib/systemd/system → /etc/systemd/systemGuilhem Moulin2017-05-313
|
* MSA: reject null sender address.Guilhem Moulin2017-05-141
|
* More logcheck-database tweaks.Guilhem Moulin2016-12-081
|
* More logcheck-database tweaks.Guilhem Moulin2016-08-222
|
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-101
|
* More logcheck-database tweaks.Guilhem Moulin2016-07-092
|
* More logcheck-database tweaks.Guilhem Moulin2016-06-293
|
* Set up IPSec tunnels between each pair of hosts.Guilhem Moulin2016-05-223
| | | | | | | | | | | | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
* postfix: master.cf wibbleGuilhem Moulin2016-05-181
|
* postfix: Update to recommended TLS settings.Guilhem Moulin2016-05-181
| | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
* Use systemd unit files for stunnel4.Guilhem Moulin2016-05-121
|
* More logcheck-database tweaks.Guilhem Moulin2016-03-131
|
* More logcheck-database tweaks.Guilhem Moulin2016-02-171
|
* More logcheck-database tweaks.Guilhem Moulin2015-12-152
|
* More logcheck-database tweaks.Guilhem Moulin2015-12-011
|
* More logcheck-database tweaks.Guilhem Moulin2015-11-121
|
* More logcheck-database tweaks.Guilhem Moulin2015-10-142
|
* More logcheck-database tweaks.Guilhem Moulin2015-09-241
|
* More logcheck-database tweaks.Guilhem Moulin2015-09-212
|