summaryrefslogtreecommitdiffstats
path: root/roles/common/handlers
Commit message (Collapse)AuthorAgeFiles
* Disable resume device.Guilhem Moulin2018-12-091
| | | | We don't need suspend-on-disk (hibernation).
* Install unbound on metal hosts.Guilhem Moulin2018-12-031
| | | | (A validating, recursive, caching DNS resolver.)
* Skip samhain installation.Guilhem Moulin2018-12-031
| | | | It's become too verbose (too many false-positive)…
* IPSec → IPsecGuilhem Moulin2016-06-291
|
* Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec.Guilhem Moulin2016-05-221
|
* Tunnel munin-update traffic through IPSec.Guilhem Moulin2016-05-221
|
* Set up IPSec tunnels between each pair of hosts.Guilhem Moulin2016-05-221
| | | | | | | | | | | | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
* Use systemd unit files for stunnel4.Guilhem Moulin2016-05-121
|
* Only install letsencrypt-tiny to the relevant hosts.Guilhem Moulin2015-12-281
|
* Copy and install Let's Encrypt ACME client.Guilhem Moulin2015-12-201
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-201
|
* Configure FreshClam.Guilhem Moulin2015-09-151
|
* Configure munin nodes & master.Guilhem Moulin2015-06-101
| | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* Configure Bacula File Daemon / Storage Daemon / Director.Guilhem Moulin2015-06-071
| | | | | Using client-side data signing/encryption and wrapping inter-host communication into stunnel.
* typoGuilhem Moulin2015-06-071
|
* Reload Postfix upon configuration change, but don't restart it.Guilhem Moulin2015-06-071
| | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill.
* Remove IPSec related files.Guilhem Moulin2015-06-071
|
* Log SASL usernames for longer, but don't include mail.log into syslog.Guilhem Moulin2015-06-071
|
* Don't require a PKI for IPSec.Guilhem Moulin2015-06-071
| | | | | | | | | | | Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines.
* Configure NTP.Guilhem Moulin2015-06-071
| | | | | | We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec.
* Reorganization.Guilhem Moulin2015-06-071
|
* Common LDAP (slapd) configuration.Guilhem Moulin2015-06-071
|
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-071
| | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc.
* Don't start daemons when there is a triggered handler.Guilhem Moulin2015-06-071
| | | | This is pointless since the service will be restarted anyway.
* Use a dedicated, non-routable, IPv4 for IPSec.Guilhem Moulin2015-06-071
| | | | | | | At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien (not coming from / going to the tunnel end-point) is dropped.
* Don't save dynamic rules.Guilhem Moulin2015-06-071
| | | | | These rules are automatically included by third-party servers such as strongSwan or fail2ban.
* Configure IPSec.Guilhem Moulin2015-06-071
|
* Configure fail2ban.Guilhem Moulin2015-06-071
|
* Configure rkhunter.Guilhem Moulin2015-06-071
|
* Configure samhain.Guilhem Moulin2015-06-071
|
* Configure v4 and v6 iptable rulesets.Guilhem Moulin2015-06-071
|
* Configure APT.Guilhem Moulin2015-06-071
|
* Configure /etc/{hosts,hostname,mailname}.Guilhem Moulin2015-06-071