summaryrefslogtreecommitdiffstats
path: root/roles/common/files
Commit message (Collapse)AuthorAgeFiles
* More logcheck-database tweaks.Guilhem Moulin2018-04-043
|
* sympa: wibbleGuilhem Moulin2018-04-041
|
* Perform recipient address verification on the MSA itself.Guilhem Moulin2018-04-041
|
* More logcheck-database tweaks.Guilhem Moulin2017-09-143
|
* rkhunter: Disable remote updates to fix CVE-2017-7480.Guilhem Moulin2017-07-291
|
* Use MariaDB as default MySQL flavor.Guilhem Moulin2017-07-291
|
* More logcheck-database tweaks.Guilhem Moulin2017-06-071
|
* postfix-sender-login: wibbleGuilhem Moulin2017-06-051
|
* dovecot: enable user iteration and add a cronjob for `doveadm purge -A`Guilhem Moulin2017-06-051
|
* postfix: don't rate-limit our IPsec subnet.Guilhem Moulin2017-06-021
|
* /lib/systemd/system → /etc/systemd/systemGuilhem Moulin2017-05-313
|
* MSA: reject null sender address.Guilhem Moulin2017-05-141
|
* More logcheck-database tweaks.Guilhem Moulin2016-12-081
|
* Firewall: allow duplicates rules.Guilhem Moulin2016-09-181
|
* More logcheck-database tweaks.Guilhem Moulin2016-08-222
|
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-101
|
* More logcheck-database tweaks.Guilhem Moulin2016-07-092
|
* IPSec → IPsecGuilhem Moulin2016-06-291
|
* More logcheck-database tweaks.Guilhem Moulin2016-06-293
|
* update-firewall.sh: COMMIT empty iptables rule files.Guilhem Moulin2016-06-291
|
* typoGuilhem Moulin2016-05-241
|
* IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication.Guilhem Moulin2016-05-241
| | | | There is no need to bother with X.509 cruft here.
* genkeypair, gendhparam: use -rand /dev/urandom when generating keys or DH ↵Guilhem Moulin2016-05-222
| | | | parameters.
* Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec.Guilhem Moulin2016-05-221
|
* Set up IPSec tunnels between each pair of hosts.Guilhem Moulin2016-05-224
| | | | | | | | | | | | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
* postfix: master.cf wibbleGuilhem Moulin2016-05-181
|
* postfix: Update to recommended TLS settings.Guilhem Moulin2016-05-181
| | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
* Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.Guilhem Moulin2016-05-181
| | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out.
* Add hardening options to our systemd unit files.Guilhem Moulin2016-05-121
|
* Use systemd unit files for stunnel4.Guilhem Moulin2016-05-123
|
* More logcheck-database tweaks.Guilhem Moulin2016-03-131
|
* More logcheck-database tweaks.Guilhem Moulin2016-02-171
|
* More logcheck-database tweaks.Guilhem Moulin2015-12-152
|
* typoGuilhem Moulin2015-12-041
|
* More logcheck-database tweaks.Guilhem Moulin2015-12-011
|
* More logcheck-database tweaks.Guilhem Moulin2015-11-121
|
* genkeypair: use install(1) for atomic file creation with permission mode.Guilhem Moulin2015-10-282
|
* More logcheck-database tweaks.Guilhem Moulin2015-10-142
|
* More logcheck-database tweaks.Guilhem Moulin2015-09-241
|
* More logcheck-database tweaks.Guilhem Moulin2015-09-212
|
* More logcheck-database tweaks.Guilhem Moulin2015-09-151
|
* More logcheck-database tweaks.Guilhem Moulin2015-08-213
|
* Update unattended-upgrades configuration.Guilhem Moulin2015-07-191
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-221
|
* logcheck: Match only hexdigits in postfix queue ID.Guilhem Moulin2015-06-191
|
* Match IPv6 addresses in logcheck rules.Guilhem Moulin2015-06-191
|
* Use a single LDAP connection per Munin round to collect slapd statistics.Guilhem Moulin2015-06-112
| | | | Using multigraphs instead.
* More logcheck-database tweaks.Guilhem Moulin2015-06-103
|
* slapd monitoring.Guilhem Moulin2015-06-101
| | | | | We don't use the provided 'slapd_' Munin plugin because it doesn't support SASL binds.
* Configure munin nodes & master.Guilhem Moulin2015-06-108
| | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.