Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | kernel parameters: Disable SYN cookies and improve SYN backlog handling. | Guilhem Moulin | 2020-11-02 | 1 |
| | | | | See tcp(7) and https://levelup.gitconnected.com/linux-kernel-tuning-for-high-performance-networking-high-volume-incoming-connections-196e863d458a . | |||
* | s/LDAP-provider/LDAP_provider/ | Guilhem Moulin | 2020-05-19 | 1 |
| | | | | This was forgotten after a092bfd947773281a23419ee0ab62358371b7166. | |||
* | stunnel4: Harden and socket-activate. | Guilhem Moulin | 2020-05-18 | 1 |
| | ||||
* | Remove 'meta: flush_handlers' directives under conditionals. | Guilhem Moulin | 2020-05-17 | 1 |
| | | | | They don't appear to be supported anymore. | |||
* | Upgrade baseline to Debian 10. | Guilhem Moulin | 2020-05-16 | 5 |
| | ||||
* | Improve/harden fail2ban configuration. | Guilhem Moulin | 2020-01-25 | 1 |
| | | | | | | | | | * Use nftables sets with a timeout * Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires to change the log path to /var/log/fail2ban/*.) * Skip database as we don't care about persistence. * Refactor jail.local | |||
* | Convert firewall to nftables. | Guilhem Moulin | 2020-01-23 | 3 |
| | | | | Debian Buster uses the nftables framework by default. | |||
* | fail2ban: Only install the roundcube/dovecot filters if needed. | Guilhem Moulin | 2018-12-15 | 1 |
| | | | | | | It doesn't hurt to install them on all machines, but we're overriding the provided /etc/fail2ban/filter.d/dovecot.conf and would rather keep our delta minimal. | |||
* | Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch. | Guilhem Moulin | 2018-12-09 | 1 |
| | ||||
* | Disable resume device. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | We don't need suspend-on-disk (hibernation). | |||
* | Don't install the haveged entropy daemon. | Guilhem Moulin | 2018-12-09 | 2 |
| | | | | | It's not really needed on our metal hosts, and our KVM guests use virtio-rng. | |||
* | Install unbound on metal hosts. | Guilhem Moulin | 2018-12-03 | 2 |
| | | | | (A validating, recursive, caching DNS resolver.) | |||
* | Upgrade syntax to Ansible 2.7 (apt module). | Guilhem Moulin | 2018-12-03 | 9 |
| | ||||
* | Postfix: replace cdb & btree tables with lmdb ones. | Guilhem Moulin | 2018-12-03 | 2 |
| | | | | Cf. lmdb_table(5). | |||
* | Upgrade baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 1 |
| | ||||
* | Skip samhain installation. | Guilhem Moulin | 2018-12-03 | 2 |
| | | | | It's become too verbose (too many false-positive)… | |||
* | Upgrade syntax to Ansible 2.5. | Guilhem Moulin | 2018-04-04 | 1 |
| | ||||
* | Upgrade syntax to Ansible 2.4. | Guilhem Moulin | 2017-11-23 | 1 |
| | ||||
* | Fix detection of KVM guests. | Guilhem Moulin | 2017-07-29 | 1 |
| | ||||
* | Don't install debsecan anymore by default. | Guilhem Moulin | 2017-06-26 | 1 |
| | | | | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789196 | |||
* | /lib/systemd/system → /etc/systemd/system | Guilhem Moulin | 2017-05-31 | 2 |
| | ||||
* | Change group of executables in /usr/local/{bin,sbin} from root to staff. | Guilhem Moulin | 2017-05-14 | 2 |
| | ||||
* | Postfix: ensure common aliases are present. | Guilhem Moulin | 2016-09-18 | 2 |
| | ||||
* | FreshClam: change ownership of /etc/clamav/freshclam.conf. | Guilhem Moulin | 2016-09-18 | 1 |
| | | | | | | | | To match the stock version shipped by clamav-freshclam 0.99.2+dfsg-0+deb8u2 ~$ stat -c '%U:%G %a' /etc/clamav/freshclam.conf clamav:adm 444 | |||
* | Route all internal SMTP traffic through IPsec. | Guilhem Moulin | 2016-07-10 | 1 |
| | ||||
* | Postfix: don't share the master.cf between the instances. | Guilhem Moulin | 2016-07-10 | 1 |
| | ||||
* | Route SMTP traffic from the webmail through IPsec. | Guilhem Moulin | 2016-07-10 | 1 |
| | ||||
* | ClamAV (FreshClam): use a localized Database Mirror. | Guilhem Moulin | 2016-07-09 | 1 |
| | | | | | | As db.local.clamav.net is not always properly localized. Furthermore, our previous Ansiblee script did not ensure ordering of the DatabaseMirror lines. | |||
* | IPSec → IPsec | Guilhem Moulin | 2016-06-29 | 1 |
| | ||||
* | Use stunnel to secure the connection from the webmail to ldap.fripost.org. | Guilhem Moulin | 2016-06-05 | 1 |
| | | | | | We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting. | |||
* | IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. | Guilhem Moulin | 2016-05-24 | 1 |
| | | | | There is no need to bother with X.509 cruft here. | |||
* | Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 1 |
| | ||||
* | Tunnel munin-update traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 3 |
| | ||||
* | Set up IPSec tunnels between each pair of hosts. | Guilhem Moulin | 2016-05-22 | 3 |
| | | | | | | | | | | | | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | |||
* | Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out. | |||
* | Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵ | Guilhem Moulin | 2016-05-18 | 3 |
| | | | | | | locally. And use this to fetch all X.509 leaf certificates. | |||
* | Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 5 |
| | ||||
* | sysctl: don't set IPv6 privacy extensions globaly. | Guilhem Moulin | 2016-04-01 | 1 |
| | ||||
* | sysctl: set net.ipv6.conf.all.accept_ra = 0. | Guilhem Moulin | 2016-03-30 | 1 |
| | ||||
* | Ansible: Using bare variables is deprecated, and will be removed in a future ↵ | Guilhem Moulin | 2016-03-02 | 2 |
| | | | | release. | |||
* | Upgrade playbooks to Ansible 2.0. | Guilhem Moulin | 2016-02-12 | 5 |
| | ||||
* | Only install letsencrypt-tiny to the relevant hosts. | Guilhem Moulin | 2015-12-28 | 1 |
| | ||||
* | Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 1 |
| | ||||
* | Internal Postfix config: Generate RSA 4096 keys by default. | Guilhem Moulin | 2015-10-28 | 1 |
| | ||||
* | Configure FreshClam. | Guilhem Moulin | 2015-09-15 | 1 |
| | ||||
* | Change match to "^(Genuine)?Intel.*" for Intel processors. | Guilhem Moulin | 2015-07-12 | 1 |
| | ||||
* | Configure munin nodes & master. | Guilhem Moulin | 2015-06-10 | 2 |
| | | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | |||
* | Configure Bacula File Daemon / Storage Daemon / Director. | Guilhem Moulin | 2015-06-07 | 2 |
| | | | | | Using client-side data signing/encryption and wrapping inter-host communication into stunnel. | |||
* | Install CAcert.org root certificates. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | XXX: this is a workaround the CAcert root CAs not being present in Jessie. In stretch, we would merely install the 'ca-cacert' package. | |||
* | logjam mitigation. | Guilhem Moulin | 2015-06-07 | 1 |
| |