summaryrefslogtreecommitdiffstats
path: root/roles/common/tasks
Commit message (Collapse)AuthorAgeFiles
...
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-073
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Log SASL usernames for longer, but don't include mail.log into syslog.Guilhem Moulin2015-06-071
|
* Fix syntax error.Guilhem Moulin2015-06-071
|
* Don't install 'unhide.rb'.Guilhem Moulin2015-06-071
|
* Don't use generic maps.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | In fact we want to only rewrite the envelope sender: :/etc/postfix/main.cf # Overwrite local FQDN envelope sender addresses sender_canonical_classes = envelope_sender propagate_unmatched_extensions = sender_canonical_maps = cdb:$config_directory/sender_canonical :/etc/postfix/sender_canonical @elefant.fripost.org admin@fripost.org However, when canonical(5) processes a mail sent vias sendmail(1), it rewrites the envelope sender which seems to *later* be use as From: header.
* Generate certs for Dovecot and Nginx if they are not there.Guilhem Moulin2015-06-071
|
* Make genkeypair.sh able to display TXT record for DKIM signatures.Guilhem Moulin2015-06-072
|
* Add support for CSR and subjectAltName in genkeypair.sh.Guilhem Moulin2015-06-071
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-071
|
* logcheck-database tweaks.Guilhem Moulin2015-06-071
|
* Don't require a PKI for IPSec.Guilhem Moulin2015-06-072
| | | | | | | | | | | Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines.
* Don't try to start smart on VMs.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-072
|
* Make use of Ansible 1.5 new features.Guilhem Moulin2015-06-073
| | | | Most notably pipelining=True and sysctl_set=yes.
* Install haveged.Guilhem Moulin2015-06-072
| | | | | | To avoid low-entropy conditions, see http://www.issihosts.com/haveged/
* Install ClamAV.Guilhem Moulin2015-06-072
|
* wibbleGuilhem Moulin2015-06-071
|
* Configure the webmail.Guilhem Moulin2015-06-071
|
* Force expansion of escape sequences.Guilhem Moulin2015-06-071
| | | | | By using double quoted scalars, cf. https://groups.google.com/forum/#!topic/ansible-project/ZaB6o-eqDzw
* wibbleGuilhem Moulin2015-06-071
|
* Install common packages.Guilhem Moulin2015-06-071
|
* Configure S.M.A.R.T.Guilhem Moulin2015-06-072
|
* Configure NTP.Guilhem Moulin2015-06-072
| | | | | | We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec.
* wibbleGuilhem Moulin2015-06-071
|
* Share master.cf accross all Postfix instances.Guilhem Moulin2015-06-071
| | | | | | And use main.cf's 'master_service_disable' setting to deactivate each service that's useless for a given instance. (Hence solve conflict when trying to listen twice on the same port, for instance.)
* Use a dedicated SMTP port for samhain.Guilhem Moulin2015-06-071
| | | | | | | It's unfortunate that samhain cannot use the sendmail binary, and wants to use a inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on. See also: /usr/share/doc/samhain/TODO.Debian
* Reorganization.Guilhem Moulin2015-06-073
|
* Optimize LDAP modifications.Guilhem Moulin2015-06-071
| | | | | | | For non-indexed attributes, do not ask the LDAP server to modify values in the symmetric difference of A (the entry found in the directory) and B (the target). That is, we replace A by B only when they are disjoint; otherwise we remove values in A-B and add those in B-A.
* Load our schema *before* the database.Guilhem Moulin2015-06-071
| | | | Since indices are specified in the database LDIF.
* Configure debsecan.Guilhem Moulin2015-06-071
|
* Common LDAP (slapd) configuration.Guilhem Moulin2015-06-072
|
* Common MySQL configuration.Guilhem Moulin2015-06-072
|
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-073
| | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc.
* Be more specific regarding the protocol in use for IPSec policies.Guilhem Moulin2015-06-071
| | | | We use ESP only, so other protocols shouldn't be ACCEPTed.
* Don't start daemons when there is a triggered handler.Guilhem Moulin2015-06-073
| | | | This is pointless since the service will be restarted anyway.
* Flush pending handlers between each include.Guilhem Moulin2015-06-076
| | | | | | | | | In particular, run 'apt-get update' right after configured APT, and restart daemon right after configured them. The advantage being that if ansible crashes in some "task", the earlier would already be restarted if neeeded. (This may not happen in the next run since the configuration should already be up to date.)
* We are not using nf_conntrack.Guilhem Moulin2015-06-071
|
* Autostart daemons.Guilhem Moulin2015-06-075
|
* Prohibit binding against the IP reserved for IPSec.Guilhem Moulin2015-06-071
| | | | | | | | | Packets originating from our (non-routable) $ipsec are marked; there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to ip rule add fwmark "$secmark" table 666 priority 666 ip route add blackhole default table 666
* Use a dedicated, non-routable, IPv4 for IPSec.Guilhem Moulin2015-06-072
| | | | | | | At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien (not coming from / going to the tunnel end-point) is dropped.
* Don't save dynamic rules.Guilhem Moulin2015-06-071
| | | | | These rules are automatically included by third-party servers such as strongSwan or fail2ban.
* Add a 'check' switch to the firewall.Guilhem Moulin2015-06-071
| | | | | update-firewall.sh -c does not update the firewall, but returns a non-zero value iff. running it without the switch would modify it.
* Configure the (basic) logging policy.Guilhem Moulin2015-06-072
|
* Configure IPSec.Guilhem Moulin2015-06-072
|
* Configure fail2ban.Guilhem Moulin2015-06-072
|
* Configure rkhunter.Guilhem Moulin2015-06-072
|
* Configure samhain.Guilhem Moulin2015-06-072
|
* Configure v4 and v6 iptable rulesets.Guilhem Moulin2015-06-072
|
* Configure APT.Guilhem Moulin2015-06-072
|
* Configure /etc/{hosts,hostname,mailname}.Guilhem Moulin2015-06-072
|