Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | Upgrade baseline to Debian 10. | Guilhem Moulin | 2020-05-16 | 1 |
| | ||||
* | Convert firewall to nftables. | Guilhem Moulin | 2020-01-23 | 1 |
| | | | | Debian Buster uses the nftables framework by default. | |||
* | Disable resume device. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | We don't need suspend-on-disk (hibernation). | |||
* | Don't install the haveged entropy daemon. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | | It's not really needed on our metal hosts, and our KVM guests use virtio-rng. | |||
* | Install unbound on metal hosts. | Guilhem Moulin | 2018-12-03 | 1 |
| | | | | (A validating, recursive, caching DNS resolver.) | |||
* | Upgrade syntax to Ansible 2.7 (apt module). | Guilhem Moulin | 2018-12-03 | 1 |
| | ||||
* | Skip samhain installation. | Guilhem Moulin | 2018-12-03 | 1 |
| | | | | It's become too verbose (too many false-positive)… | |||
* | Upgrade syntax to Ansible 2.5. | Guilhem Moulin | 2018-04-04 | 1 |
| | ||||
* | Upgrade syntax to Ansible 2.4. | Guilhem Moulin | 2017-11-23 | 1 |
| | ||||
* | Fix detection of KVM guests. | Guilhem Moulin | 2017-07-29 | 1 |
| | ||||
* | Change group of executables in /usr/local/{bin,sbin} from root to staff. | Guilhem Moulin | 2017-05-14 | 1 |
| | ||||
* | Route SMTP traffic from the webmail through IPsec. | Guilhem Moulin | 2016-07-10 | 1 |
| | ||||
* | Use stunnel to secure the connection from the webmail to ldap.fripost.org. | Guilhem Moulin | 2016-06-05 | 1 |
| | | | | | We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting. | |||
* | Tunnel munin-update traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 1 |
| | ||||
* | Set up IPSec tunnels between each pair of hosts. | Guilhem Moulin | 2016-05-22 | 1 |
| | | | | | | | | | | | | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | |||
* | Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out. | |||
* | Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 1 |
| | ||||
* | Upgrade playbooks to Ansible 2.0. | Guilhem Moulin | 2016-02-12 | 1 |
| | ||||
* | Only install letsencrypt-tiny to the relevant hosts. | Guilhem Moulin | 2015-12-28 | 1 |
| | ||||
* | Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 1 |
| | ||||
* | Change match to "^(Genuine)?Intel.*" for Intel processors. | Guilhem Moulin | 2015-07-12 | 1 |
| | ||||
* | Configure munin nodes & master. | Guilhem Moulin | 2015-06-10 | 1 |
| | | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | |||
* | Configure Bacula File Daemon / Storage Daemon / Director. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | Using client-side data signing/encryption and wrapping inter-host communication into stunnel. | |||
* | Install CAcert.org root certificates. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | XXX: this is a workaround the CAcert root CAs not being present in Jessie. In stretch, we would merely install the 'ca-cacert' package. | |||
* | logjam mitigation. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't instal smartd on KVM guests. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Upgrade the common package list. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't install intel-microcode on Xen guests. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | It should be installed on the dom0 instead. | |||
* | Don't install smartd on Xen guests. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | S.M.A.R.T makes little sense for virtual HDDs. | |||
* | Install auditd. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't install daemontools. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Replace IPSec tunnels by app-level ephemeral TLS sessions. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well. | |||
* | Make genkeypair.sh able to display TXT record for DKIM signatures. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't require a PKI for IPSec. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | | | | | | Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines. | |||
* | Install haveged. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | To avoid low-entropy conditions, see http://www.issihosts.com/haveged/ | |||
* | Install ClamAV. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Install common packages. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure S.M.A.R.T. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure NTP. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec. | |||
* | Reorganization. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Common LDAP (slapd) configuration. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Common MySQL configuration. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Postfix master (nullmailer) configuration | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc. | |||
* | Configure the (basic) logging policy. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure IPSec. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure fail2ban. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure rkhunter. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure samhain. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure v4 and v6 iptable rulesets. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure APT. | Guilhem Moulin | 2015-06-07 | 1 |
| |