| Commit message | Author | Age | Files |
|---|---|---|---|
| Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 1 |
| Only install letsencrypt-tiny to the relevant hosts. | Guilhem Moulin | 2015-12-28 | 1 |
| Copy and install Let's Encrypt ACME client. | Guilhem Moulin | 2015-12-20 | 1 |
| Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 1 |
| Configure FreshClam. | Guilhem Moulin | 2015-09-15 | 1 |
| Configure munin nodes & master. | Guilhem Moulin | 2015-06-10 | 1 |
| Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | | | |
| Configure Bacula File Daemon / Storage Daemon / Director. | Guilhem Moulin | 2015-06-07 | 1 |
| Using client-side data signing/encryption and wrapping inter-host communication into stunnel. | | | |
| typo | Guilhem Moulin | 2015-06-07 | 1 |
| Reload Postfix upon configuration change, but don't restart it. | Guilhem Moulin | 2015-06-07 | 1 |
| (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, requires a full restart, but most of the time it's overkill. | | | |
| Remove IPSec related files. | Guilhem Moulin | 2015-06-07 | 1 |
| Log SASL usernames for longer, but don't include mail.log into syslog. | Guilhem Moulin | 2015-06-07 | 1 |
| Don't require a PKI for IPSec. | Guilhem Moulin | 2015-06-07 | 1 |
| Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machine (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines. | | | |
| Configure NTP. | Guilhem Moulin | 2015-06-07 | 1 |
| We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec. | | | |
| Reorganization. | Guilhem Moulin | 2015-06-07 | 1 |
| Common LDAP (slapd) configuration. | Guilhem Moulin | 2015-06-07 | 1 |
| Postfix master (nullmailer) configuration | Guilhem Moulin | 2015-06-07 | 1 |
| We use a dedicated instance for each role: MDA, MTA out, MX, etc. | | | |
| Don't start daemons when there is a triggered handler. | Guilhem Moulin | 2015-06-07 | 1 |
| This is pointless since the service will be restarted anyway. | | | |
| Use a dedicated, non-routable, IPv4 for IPSec. | Guilhem Moulin | 2015-06-07 | 1 |
| At each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien traffic (not coming from / going to the tunnel end-point) is dropped. | | | |
| Don't save dynamic rules. | Guilhem Moulin | 2015-06-07 | 1 |
| These rules are automatically included by third-party servers such as strongSwan or fail2ban. | | | |
| Configure IPSec. | Guilhem Moulin | 2015-06-07 | 1 |
| Configure fail2ban. | Guilhem Moulin | 2015-06-07 | 1 |
| Configure rkhunter. | Guilhem Moulin | 2015-06-07 | 1 |
| Configure samhain. | Guilhem Moulin | 2015-06-07 | 1 |
| Configure v4 and v6 iptable rulesets. | Guilhem Moulin | 2015-06-07 | 1 |
| Configure APT. | Guilhem Moulin | 2015-06-07 | 1 |
| Configure /etc/{hosts,hostname,mailname}. | Guilhem Moulin | 2015-06-07 | 1 |