| Commit message | Author | Date | Files |
|---|---|---|---|
| Set up IPSec tunnels between each pair of hosts. | Guilhem Moulin | 2016-05-22 | 13 |
| We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | | | |
| postfix: master.cf wibble | Guilhem Moulin | 2016-05-18 | 1 |
| postfix: Update to recommended TLS settings. | Guilhem Moulin | 2016-05-18 | 2 |
| Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | | | |
| Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. | Guilhem Moulin | 2016-05-18 | 2 |
| Ideally we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per the ENISA 2014 report: https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older clients won't be left out. | | | |
| postfix: disable weak ciphers for the 'encrypt' TLS security level. | Guilhem Moulin | 2016-05-18 | 1 |
| That is, on the MSA and in our local infrastructure. | | | |
| Add an ansible module 'fetch_cmd' to fetch the output of a remote command locally. | Guilhem Moulin | 2016-05-18 | 3 |
| And use this to fetch all X.509 leaf certificates. | | | |
| bacula: Set heartbeat options. | Guilhem Moulin | 2016-05-12 | 2 |
| And also TCP keepalive options in the stunnel config. | | | |
| Add hardening options to our systemd unit files. | Guilhem Moulin | 2016-05-12 | 1 |
| Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 11 |
| sysctl: don't set IPv6 privacy extensions globally. | Guilhem Moulin | 2016-04-01 | 1 |
| sysctl: set net.ipv6.conf.all.accept_ra = 0. | Guilhem Moulin | 2016-03-30 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-03-13 | 1 |
| Ansible: Using bare variables is deprecated, and will be removed in a future release. | Guilhem Moulin | 2016-03-02 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-02-17 | 1 |
| s/ansible_ssh_/ansible_/ | Guilhem Moulin | 2016-02-12 | 2 |
| Upgrade playbooks to Ansible 2.0. | Guilhem Moulin | 2016-02-12 | 5 |
| Only install letsencrypt-tiny to the relevant hosts. | Guilhem Moulin | 2015-12-28 | 2 |
| Copy and install Let's Encrypt ACME client. | Guilhem Moulin | 2015-12-20 | 1 |
| Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-12-15 | 2 |
| typo | Guilhem Moulin | 2015-12-04 | 1 |
| Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the cert itself. | Guilhem Moulin | 2015-12-03 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-12-01 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-11-12 | 1 |
| Internal Postfix config: Generate RSA 4096 keys by default. | Guilhem Moulin | 2015-10-28 | 1 |
| genkeypair: use install(1) for atomic file creation with permission mode. | Guilhem Moulin | 2015-10-28 | 2 |
| Internal Postfix config: Disable TLS protocols <1.2 rather than enable 1.2 only. | Guilhem Moulin | 2015-10-27 | 1 |
| stunnel: disable compression. | Guilhem Moulin | 2015-10-27 | 2 |
| stunnel: use GCM ciphers only; use SSL options rather than ciphers to disable protocols. | Guilhem Moulin | 2015-10-27 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-10-14 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-09-24 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-09-21 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-09-15 | 1 |
| Configure FreshClam. | Guilhem Moulin | 2015-09-15 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-08-21 | 3 |
| Update unattended-upgrades configuration. | Guilhem Moulin | 2015-07-19 | 1 |
| Change match to "^(Genuine)?Intel.*" for Intel processors. | Guilhem Moulin | 2015-07-12 | 3 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-22 | 1 |
| logcheck: Match only hexdigits in postfix queue ID. | Guilhem Moulin | 2015-06-19 | 1 |
| Match IPv6 addresses in logcheck rules. | Guilhem Moulin | 2015-06-19 | 1 |
| Use a single LDAP connection per Munin round to collect slapd statistics. | Guilhem Moulin | 2015-06-11 | 3 |
| Using multigraphs instead. | | | |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-10 | 3 |
| slapd monitoring. | Guilhem Moulin | 2015-06-10 | 2 |
| We don't use the provided 'slapd_' Munin plugin because it doesn't support SASL binds. | | | |
| Configure munin nodes & master. | Guilhem Moulin | 2015-06-10 | 15 |
| Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | | | |
| Don't assume that Postfix queue IDs are always 10 digits long. | Guilhem Moulin | 2015-06-10 | 1 |
| Add a reserved domain 'discard.fripost.org' to discard messages. | Guilhem Moulin | 2015-06-07 | 1 |
| ‘noreply@’ aliases can be added by routing them to ‘@discard.fripost.org’. | | | |
| Make the webmail connect directly to the outgoing SMTP proxy. | Guilhem Moulin | 2015-06-07 | 2 |
| (Hence delete the 'webmail' Postfix instance.) This shortens the delay caused by the recipient verification probes. | | | |
| Use recipient address verification probes. | Guilhem Moulin | 2015-06-07 | 1 |
| This is especially useful for mailing lists and the webmail, since it prevents our outgoing gateway from accepting mails known to be bouncing. However the downside is that it adds a delay of up to 6s after the RCPT TO command. | | | |
| Configure Bacula File Daemon / Storage Daemon / Director. | Guilhem Moulin | 2015-06-07 | 7 |
| Using client-side data signing/encryption and wrapping inter-host communication into stunnel. | | | |
| wibble | Guilhem Moulin | 2015-06-07 | 1 |