summaryrefslogtreecommitdiffstats
path: root/roles/common/tasks
Commit message (Collapse)AuthorAgeFiles
* Load our schema *before* the database.Guilhem Moulin2015-06-071
| | | | Since indices are specified in the database LDIF.
* Configure debsecan.Guilhem Moulin2015-06-071
|
* Common LDAP (slapd) configuration.Guilhem Moulin2015-06-072
|
* Common MySQL configuration.Guilhem Moulin2015-06-072
|
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-073
| | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc.
* Be more specific regarding the protocol in use for IPSec policies.Guilhem Moulin2015-06-071
| | | | We use ESP only, so other protocols shouldn't be ACCEPTed.
* Don't start daemons when there is a triggered handler.Guilhem Moulin2015-06-073
| | | | This is pointless since the service will be restarted anyway.
* Flush pending handlers between each include.Guilhem Moulin2015-06-076
| | | | | | | | | In particular, run 'apt-get update' right after configured APT, and restart daemon right after configured them. The advantage being that if ansible crashes in some "task", the earlier would already be restarted if neeeded. (This may not happen in the next run since the configuration should already be up to date.)
* We are not using nf_conntrack.Guilhem Moulin2015-06-071
|
* Autostart daemons.Guilhem Moulin2015-06-075
|
* Prohibit binding against the IP reserved for IPSec.Guilhem Moulin2015-06-071
| | | | | | | | | Packets originating from our (non-routable) $ipsec are marked; there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to ip rule add fwmark "$secmark" table 666 priority 666 ip route add blackhole default table 666
* Use a dedicated, non-routable, IPv4 for IPSec.Guilhem Moulin2015-06-072
| | | | | | | At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien (not coming from / going to the tunnel end-point) is dropped.
* Don't save dynamic rules.Guilhem Moulin2015-06-071
| | | | | These rules are automatically included by third-party servers such as strongSwan or fail2ban.
* Add a 'check' switch to the firewall.Guilhem Moulin2015-06-071
| | | | | update-firewall.sh -c does not update the firewall, but returns a non-zero value iff. running it without the switch would modify it.
* Configure the (basic) logging policy.Guilhem Moulin2015-06-072
|
* Configure IPSec.Guilhem Moulin2015-06-072
|
* Configure fail2ban.Guilhem Moulin2015-06-072
|
* Configure rkhunter.Guilhem Moulin2015-06-072
|
* Configure samhain.Guilhem Moulin2015-06-072
|
* Configure v4 and v6 iptable rulesets.Guilhem Moulin2015-06-072
|
* Configure APT.Guilhem Moulin2015-06-072
|
* Configure /etc/{hosts,hostname,mailname}.Guilhem Moulin2015-06-072
|
* Basic ansible setup.Guilhem Moulin2015-06-072
To run the playbook: cd ./ansible ansible-playbook -i vms site.yml