summaryrefslogtreecommitdiffstats
path: root/roles/common/tasks/main.yml
Commit message (Collapse)AuthorAgeFiles
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-121
|
* Only install letsencrypt-tiny to the relevant hosts.Guilhem Moulin2015-12-281
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-201
|
* Change match to "^(Genuine)?Intel.*" for Intel processors.Guilhem Moulin2015-07-121
|
* Configure munin nodes & master.Guilhem Moulin2015-06-101
| | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* Configure Bacula File Daemon / Storage Daemon / Director.Guilhem Moulin2015-06-071
| | | | | Using client-side data signing/encryption and wrapping inter-host communication into stunnel.
* Install CAcert.org root certificates.Guilhem Moulin2015-06-071
| | | | | XXX: this is a workaround the CAcert root CAs not being present in Jessie. In stretch, we would merely install the 'ca-cacert' package.
* logjam mitigation.Guilhem Moulin2015-06-071
|
* Don't instal smartd on KVM guests.Guilhem Moulin2015-06-071
|
* Upgrade the common package list.Guilhem Moulin2015-06-071
|
* Don't install intel-microcode on Xen guests.Guilhem Moulin2015-06-071
| | | | It should be installed on the dom0 instead.
* Don't install smartd on Xen guests.Guilhem Moulin2015-06-071
| | | | S.M.A.R.T makes little sense for virtual HDDs.
* Install auditd.Guilhem Moulin2015-06-071
|
* Don't install daemontools.Guilhem Moulin2015-06-071
|
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-071
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Make genkeypair.sh able to display TXT record for DKIM signatures.Guilhem Moulin2015-06-071
|
* Don't require a PKI for IPSec.Guilhem Moulin2015-06-071
| | | | | | | | | | | Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines.
* Install haveged.Guilhem Moulin2015-06-071
| | | | | | To avoid low-entropy conditions, see http://www.issihosts.com/haveged/
* Install ClamAV.Guilhem Moulin2015-06-071
|
* Install common packages.Guilhem Moulin2015-06-071
|
* Configure S.M.A.R.T.Guilhem Moulin2015-06-071
|
* Configure NTP.Guilhem Moulin2015-06-071
| | | | | | We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec.
* Reorganization.Guilhem Moulin2015-06-071
|
* Common LDAP (slapd) configuration.Guilhem Moulin2015-06-071
|
* Common MySQL configuration.Guilhem Moulin2015-06-071
|
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-071
| | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc.
* Configure the (basic) logging policy.Guilhem Moulin2015-06-071
|
* Configure IPSec.Guilhem Moulin2015-06-071
|
* Configure fail2ban.Guilhem Moulin2015-06-071
|
* Configure rkhunter.Guilhem Moulin2015-06-071
|
* Configure samhain.Guilhem Moulin2015-06-071
|
* Configure v4 and v6 iptable rulesets.Guilhem Moulin2015-06-071
|
* Configure APT.Guilhem Moulin2015-06-071
|
* Configure /etc/{hosts,hostname,mailname}.Guilhem Moulin2015-06-071
|
* Basic ansible setup.Guilhem Moulin2015-06-071
To run the playbook: cd ./ansible ansible-playbook -i vms site.yml