| Commit message (Collapse) | Author | Age | Files | ||
|---|---|---|---|---|---|
| ... | |||||
| * | Load our schema *before* the database. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | Since indices are specified in the database LDIF. | ||||
| * | Configure debsecan. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Common LDAP (slapd) configuration. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Common MySQL configuration. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Postfix master (nullmailer) configuration | Guilhem Moulin | 2015-06-07 | 3 | |
| | | | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc. | ||||
| * | Be more specific regarding the protocol in use for IPSec policies. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | We use ESP only, so other protocols shouldn't be ACCEPTed. | ||||
| * | Don't start daemons when there is a triggered handler. | Guilhem Moulin | 2015-06-07 | 3 | |
| | | | | | This is pointless since the service will be restarted anyway. | ||||
| * | Flush pending handlers between each include. | Guilhem Moulin | 2015-06-07 | 6 | |
| | | | | | | | | | | In particular, run 'apt-get update' right after configured APT, and restart daemon right after configured them. The advantage being that if ansible crashes in some "task", the earlier would already be restarted if neeeded. (This may not happen in the next run since the configuration should already be up to date.) | ||||
| * | We are not using nf_conntrack. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Autostart daemons. | Guilhem Moulin | 2015-06-07 | 5 | |
| | | |||||
| * | Prohibit binding against the IP reserved for IPSec. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | | | | | | Packets originating from our (non-routable) $ipsec are marked; there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to ip rule add fwmark "$secmark" table 666 priority 666 ip route add blackhole default table 666 | ||||
| * | Use a dedicated, non-routable, IPv4 for IPSec. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | | | | | | | At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien (not coming from / going to the tunnel end-point) is dropped. | ||||
| * | Don't save dynamic rules. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | | These rules are automatically included by third-party servers such as strongSwan or fail2ban. | ||||
| * | Add a 'check' switch to the firewall. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | | update-firewall.sh -c does not update the firewall, but returns a non-zero value iff. running it without the switch would modify it. | ||||
| * | Configure the (basic) logging policy. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Configure IPSec. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Configure fail2ban. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Configure rkhunter. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Configure samhain. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Configure v4 and v6 iptable rulesets. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Configure APT. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Configure /etc/{hosts,hostname,mailname}. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Basic ansible setup. | Guilhem Moulin | 2015-06-07 | 2 | |
| To run the playbook: cd ./ansible ansible-playbook -i vms site.yml | |||||
 |
index : fripost-ansible | |
| Fripost ansible scripts |
| summaryrefslogtreecommitdiffstats |