Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | Set up IPSec tunnels between each pair of hosts. | Guilhem Moulin | 2016-05-22 | 3 |
| | | | | | | | | | | | | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | |||
* | Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out. | |||
* | Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵ | Guilhem Moulin | 2016-05-18 | 3 |
| | | | | | | locally. And use this to fetch all X.509 leaf certificates. | |||
* | Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 5 |
| | ||||
* | sysctl: don't set IPv6 privacy extensions globaly. | Guilhem Moulin | 2016-04-01 | 1 |
| | ||||
* | sysctl: set net.ipv6.conf.all.accept_ra = 0. | Guilhem Moulin | 2016-03-30 | 1 |
| | ||||
* | Ansible: Using bare variables is deprecated, and will be removed in a future ↵ | Guilhem Moulin | 2016-03-02 | 2 |
| | | | | release. | |||
* | Upgrade playbooks to Ansible 2.0. | Guilhem Moulin | 2016-02-12 | 5 |
| | ||||
* | Only install letsencrypt-tiny to the relevant hosts. | Guilhem Moulin | 2015-12-28 | 1 |
| | ||||
* | Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 1 |
| | ||||
* | Internal Postfix config: Generate RSA 4096 keys by default. | Guilhem Moulin | 2015-10-28 | 1 |
| | ||||
* | Configure FreshClam. | Guilhem Moulin | 2015-09-15 | 1 |
| | ||||
* | Change match to "^(Genuine)?Intel.*" for Intel processors. | Guilhem Moulin | 2015-07-12 | 1 |
| | ||||
* | Configure munin nodes & master. | Guilhem Moulin | 2015-06-10 | 2 |
| | | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | |||
* | Configure Bacula File Daemon / Storage Daemon / Director. | Guilhem Moulin | 2015-06-07 | 2 |
| | | | | | Using client-side data signing/encryption and wrapping inter-host communication into stunnel. | |||
* | Install CAcert.org root certificates. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | XXX: this is a workaround the CAcert root CAs not being present in Jessie. In stretch, we would merely install the 'ca-cacert' package. | |||
* | logjam mitigation. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | wibble | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't instal smartd on KVM guests. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Upgrade the common package list. | Guilhem Moulin | 2015-06-07 | 2 |
| | ||||
* | Add a 'root' alias to root@fripost.org. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Upgrade rkhunter config to Jessie. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't install intel-microcode on Xen guests. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | It should be installed on the dom0 instead. | |||
* | Don't install smartd on Xen guests. | Guilhem Moulin | 2015-06-07 | 2 |
| | | | | S.M.A.R.T makes little sense for virtual HDDs. | |||
* | Install auditd. | Guilhem Moulin | 2015-06-07 | 3 |
| | ||||
* | wibble | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Fix NTP configuration. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | We've yet to get authenticated time, though. | |||
* | Ensure have a TLS policy for each of our host we want to relay to. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Postfix needs to be restarted after rekeying. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | (It opens the key as root, but then drops the permissions.) | |||
* | Add a tag 'tls_policy' to facilitate rekeying. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | First generate all certs (-t genkey), then build the TLS policy maps ( -t tls_policy). | |||
* | Add ability to add custom OrganizationalUnits in genkeypair. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | Also, it's now possible to reuse an existing private key (with -f). | |||
* | Don't install daemontools. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Reload Postfix upon configuration change, but don't restart it. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill. | |||
* | Don't restart/reload Postifx upon change of a file based database. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect . | |||
* | wibble | Guilhem Moulin | 2015-06-07 | 2 |
| | ||||
* | Remove IPSec related files. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Tel logcheck which logs to monitor. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Replace IPSec tunnels by app-level ephemeral TLS sessions. | Guilhem Moulin | 2015-06-07 | 3 |
| | | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well. | |||
* | Log SASL usernames for longer, but don't include mail.log into syslog. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Fix syntax error. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't install 'unhide.rb'. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't use generic maps. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | | | | | | | | | | | | In fact we want to only rewrite the envelope sender: :/etc/postfix/main.cf # Overwrite local FQDN envelope sender addresses sender_canonical_classes = envelope_sender propagate_unmatched_extensions = sender_canonical_maps = cdb:$config_directory/sender_canonical :/etc/postfix/sender_canonical @elefant.fripost.org admin@fripost.org However, when canonical(5) processes a mail sent vias sendmail(1), it rewrites the envelope sender which seems to *later* be use as From: header. | |||
* | Generate certs for Dovecot and Nginx if they are not there. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Make genkeypair.sh able to display TXT record for DKIM signatures. | Guilhem Moulin | 2015-06-07 | 2 |
| | ||||
* | Add support for CSR and subjectAltName in genkeypair.sh. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't require a PKI for IPSec. | Guilhem Moulin | 2015-06-07 | 2 |
| | | | | | | | | | | | Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines. | |||
* | Don't try to start smart on VMs. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | wibble | Guilhem Moulin | 2015-06-07 | 2 |
| |