Commit message | Author | Age | Files | |
---|---|---|---|---|
* | Port baseline to Debian 11 (codename Bullseye). | Guilhem Moulin | 2022-10-13 | 1 |
* | Upgrade syntax to Ansible 2.7 (apt module). | Guilhem Moulin | 2018-12-03 | 1 |
* | Set up IPSec tunnels between each pair of hosts. | Guilhem Moulin | 2016-05-22 | 1 |
| | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | |||
* | wibble | Guilhem Moulin | 2015-06-07 | 1 |
* | Tell logcheck which logs to monitor. | Guilhem Moulin | 2015-06-07 | 1 |
* | Log SASL usernames for longer, but don't include mail.log into syslog. | Guilhem Moulin | 2015-06-07 | 1 |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 |
* | logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 |
* | Make use of Ansible 1.5 new features. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | Most notably pipelining=True and sysctl_set=yes. | |||
* | wibble | Guilhem Moulin | 2015-06-07 | 1 |
* | Autostart daemons. | Guilhem Moulin | 2015-06-07 | 1 |
* | Configure the (basic) logging policy. | Guilhem Moulin | 2015-06-07 | 1 |