Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | Don't install intel-microcode on Xen guests. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | It should be installed on the dom0 instead. | |||
* | Don't install smartd on Xen guests. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | S.M.A.R.T makes little sense for virtual HDDs. | |||
* | Install auditd. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't install daemontools. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Replace IPSec tunnels by app-level ephemeral TLS sessions. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well. | |||
* | Make genkeypair.sh able to display TXT record for DKIM signatures. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't require a PKI for IPSec. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | | | | | | Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines. | |||
* | Install haveged. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | To avoid low-entropy conditions, see http://www.issihosts.com/haveged/ | |||
* | Install ClamAV. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Install common packages. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure S.M.A.R.T. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure NTP. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec. | |||
* | Reorganization. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Common LDAP (slapd) configuration. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Common MySQL configuration. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Postfix master (nullmailer) configuration | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc. | |||
* | Configure the (basic) logging policy. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure IPSec. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure fail2ban. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure rkhunter. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure samhain. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure v4 and v6 iptable rulesets. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure APT. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure /etc/{hosts,hostname,mailname}. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Basic ansible setup. | Guilhem Moulin | 2015-06-07 | 1 |
To run the playbook: cd ./ansible ansible-playbook -i vms site.yml |