summaryrefslogtreecommitdiffstats
path: root/roles/common/templates
Commit message (Collapse)AuthorAgeFiles
* Tunnel internal NTP traffic through IPSec.Guilhem Moulin2016-05-222
| | | | | | | More precisely, between our NTP-master (stratum 1) host and the other machines (all stratum 2). Providing authentification and integrity for internal NTP traffic ensures a consistent time within our internal infrastructure.
* Set up IPSec tunnels between each pair of hosts.Guilhem Moulin2016-05-225
| | | | | | | | | | | | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
* postfix: Update to recommended TLS settings.Guilhem Moulin2016-05-181
| | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
* postfix: disable weak ciphers for the 'encrypt' TLS security level.Guilhem Moulin2016-05-181
| | | | That is, on the MSA and in our local infrastructure.
* bacula: Set heartbeat options.Guilhem Moulin2016-05-122
| | | | and also TCP keepalive options in the stunnel config.
* Use systemd unit files for stunnel4.Guilhem Moulin2016-05-122
|
* s/ansible_ssh_/ansible_/Guilhem Moulin2016-02-122
|
* Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the ↵Guilhem Moulin2015-12-031
| | | | cert itself.
* Internal Postfix config: Disable TLS protocols <1.2 rather than enable 1.2 only.Guilhem Moulin2015-10-271
|
* stunnel: disable compression.Guilhem Moulin2015-10-272
|
* stunnel: use GCM ciphers only; use SSL options rather than ciphers to ↵Guilhem Moulin2015-10-272
| | | | disable protocols.
* Change match to "^(Genuine)?Intel.*" for Intel processors.Guilhem Moulin2015-07-122
|
* Use a single LDAP connection per Munin round to collect slapd statistics.Guilhem Moulin2015-06-111
| | | | Using multigraphs instead.
* slapd monitoring.Guilhem Moulin2015-06-101
| | | | | We don't use the provided 'slapd_' Munin plugin because it doesn't support SASL binds.
* Configure munin nodes & master.Guilhem Moulin2015-06-104
| | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* Configure Bacula File Daemon / Storage Daemon / Director.Guilhem Moulin2015-06-073
| | | | | Using client-side data signing/encryption and wrapping inter-host communication into stunnel.
* wibbleGuilhem Moulin2015-06-071
|
* Configure ikiwiki (website + wiki).Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* Allow outgoing HKP and WHOIS traffic on the LDAP provider.Guilhem Moulin2015-06-071
|
* Allow outgoing SSH traffic.Guilhem Moulin2015-06-071
|
* Add wildcard Pin version in apt preferences.Guilhem Moulin2015-06-071
|
* Configure the list manager (Sympa).Guilhem Moulin2015-06-072
|
* Enable the use of git:// clients.Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-071
|
* Don't install intel-microcode on Xen guests.Guilhem Moulin2015-06-072
| | | | It should be installed on the dom0 instead.
* wibbleGuilhem Moulin2015-06-071
|
* Fix NTP configuration.Guilhem Moulin2015-06-072
| | | | We've yet to get authenticated time, though.
* Ensure have a TLS policy for each of our host we want to relay to.Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* Fix Dovecot's mail location.Guilhem Moulin2015-06-071
|
* Perform the alias resolution and address validation solely on the MX:es.Guilhem Moulin2015-06-071
| | | | | We can therefore spare some lookups on the MDA, and use static:all instead.
* Configure SyncRepl (OpenLDAP replication) and related ACLs.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | | | | The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
* Tell vim the underlying filetype of templates for syntax highlighting.Guilhem Moulin2015-06-073
|
* Remove IPSec related files.Guilhem Moulin2015-06-072
|
* typoGuilhem Moulin2015-06-071
|
* Whitelist our IPs against fail2ban.Guilhem Moulin2015-06-071
| | | | | | | This is important as we don't want the IMAP server baning the webmail, for instance. (The fail2ban instance running next to the webmail should ban the attacker, but that running next to the IMAP server shouldn't ban legit users.)
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-073
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Outgoing SMTP proxy.Guilhem Moulin2015-06-072
|
* Log SASL usernames for longer, but don't include mail.log into syslog.Guilhem Moulin2015-06-071
|
* Don't use generic maps.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | In fact we want to only rewrite the envelope sender: :/etc/postfix/main.cf # Overwrite local FQDN envelope sender addresses sender_canonical_classes = envelope_sender propagate_unmatched_extensions = sender_canonical_maps = cdb:$config_directory/sender_canonical :/etc/postfix/sender_canonical @elefant.fripost.org admin@fripost.org However, when canonical(5) processes a mail sent vias sendmail(1), it rewrites the envelope sender which seems to *later* be use as From: header.
* wibbleGuilhem Moulin2015-06-071
|
* Don't require a PKI for IPSec.Guilhem Moulin2015-06-071
| | | | | | | | | | | Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines.
* Support non-free firmwares. (Can be required :-()Guilhem Moulin2015-06-072
| | | | Also, always install contrib's intel-microcode on Intel CPUs.
* Assume a DNS entry for each role.Guilhem Moulin2015-06-072
| | | | | | E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though.
* Don't use IPSec to relay messages to localhost.Guilhem Moulin2015-06-071
|
* Excplicitely make local services run on localhost.Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|