path: root/roles/common
Commit message (Author, Age, Files)
...
* Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. (Guilhem Moulin, 2016-05-18, 2 files)
  Ideally we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per the ENISA 2014 report: https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older clients won't be left out.
* postfix: disable weak ciphers for the 'encrypt' TLS security level. (Guilhem Moulin, 2016-05-18, 1 file)
  That is, on the MSA and in our local infrastructure.
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command locally. (Guilhem Moulin, 2016-05-18, 3 files)
  And use this to fetch all X.509 leaf certificates.
* bacula: Set heartbeat options. (Guilhem Moulin, 2016-05-12, 2 files)
  And also TCP keepalive options in the stunnel config.
* Add hardening options to our systemd unit files. (Guilhem Moulin, 2016-05-12, 1 file)
* Use systemd unit files for stunnel4. (Guilhem Moulin, 2016-05-12, 11 files)
* sysctl: don't set IPv6 privacy extensions globally. (Guilhem Moulin, 2016-04-01, 1 file)
* sysctl: set net.ipv6.conf.all.accept_ra = 0. (Guilhem Moulin, 2016-03-30, 1 file)
* More logcheck-database tweaks. (Guilhem Moulin, 2016-03-13, 1 file)
* Ansible: Using bare variables is deprecated, and will be removed in a future release. (Guilhem Moulin, 2016-03-02, 2 files)
* More logcheck-database tweaks. (Guilhem Moulin, 2016-02-17, 1 file)
* s/ansible_ssh_/ansible_/ (Guilhem Moulin, 2016-02-12, 2 files)
* Upgrade playbooks to Ansible 2.0. (Guilhem Moulin, 2016-02-12, 5 files)
* Only install letsencrypt-tiny to the relevant hosts. (Guilhem Moulin, 2015-12-28, 2 files)
* Copy and install Let's Encrypt ACME client. (Guilhem Moulin, 2015-12-20, 1 file)
* Use the Let's Encrypt CA for our public certs. (Guilhem Moulin, 2015-12-20, 2 files)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-12-15, 2 files)
* typo (Guilhem Moulin, 2015-12-04, 1 file)
* Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the cert itself. (Guilhem Moulin, 2015-12-03, 1 file)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-12-01, 1 file)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-11-12, 1 file)
* Internal Postfix config: Generate RSA 4096 keys by default. (Guilhem Moulin, 2015-10-28, 1 file)
* genkeypair: use install(1) for atomic file creation with permission mode. (Guilhem Moulin, 2015-10-28, 2 files)
* Internal Postfix config: Disable TLS protocols <1.2 rather than enable 1.2 only. (Guilhem Moulin, 2015-10-27, 1 file)
* stunnel: disable compression. (Guilhem Moulin, 2015-10-27, 2 files)
* stunnel: use GCM ciphers only; use SSL options rather than ciphers to disable protocols. (Guilhem Moulin, 2015-10-27, 2 files)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-10-14, 2 files)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-09-24, 1 file)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-09-21, 2 files)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-09-15, 1 file)
* Configure FreshClam. (Guilhem Moulin, 2015-09-15, 2 files)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-08-21, 3 files)
* Update unattended-upgrades configuration. (Guilhem Moulin, 2015-07-19, 1 file)
* Change match to "^(Genuine)?Intel.*" for Intel processors. (Guilhem Moulin, 2015-07-12, 3 files)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-06-22, 1 file)
* logcheck: Match only hexdigits in postfix queue ID. (Guilhem Moulin, 2015-06-19, 1 file)
* Match IPv6 addresses in logcheck rules. (Guilhem Moulin, 2015-06-19, 1 file)
* Use a single LDAP connection per Munin round to collect slapd statistics. (Guilhem Moulin, 2015-06-11, 3 files)
  Using multigraphs instead.
* More logcheck-database tweaks. (Guilhem Moulin, 2015-06-10, 3 files)
* slapd monitoring. (Guilhem Moulin, 2015-06-10, 2 files)
  We don't use the provided 'slapd_' Munin plugin because it doesn't support SASL binds.
* Configure munin nodes & master. (Guilhem Moulin, 2015-06-10, 15 files)
  Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* Don't assume that Postfix queue IDs are always 10 digits long. (Guilhem Moulin, 2015-06-10, 1 file)
* Add a reserved domain 'discard.fripost.org' to discard messages. (Guilhem Moulin, 2015-06-07, 1 file)
  ‘noreply@’ aliases can be added by routing them to ‘@discard.fripost.org’.
* Make the webmail connect directly to the outgoing SMTP proxy. (Guilhem Moulin, 2015-06-07, 2 files)
  (Hence delete the 'webmail' Postfix instance.) This shortens the delay caused by the recipient verification probes.
* Use recipient address verification probes. (Guilhem Moulin, 2015-06-07, 1 file)
  This is especially useful for mailing lists and the webmail, since it prevents our outgoing gateway from accepting mails known to be bouncing. However, the downside is that it adds a delay of up to 6s after the RCPT TO command.
* Configure Bacula File Daemon / Storage Daemon / Director. (Guilhem Moulin, 2015-06-07, 7 files)
  Using client-side data signing/encryption and wrapping inter-host communication into stunnel.
* wibble (Guilhem Moulin, 2015-06-07, 1 file)
* firewall: allow 127.0.0.1/8 on lo. (Guilhem Moulin, 2015-06-07, 1 file)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-06-07, 1 file)
* genkeypair.sh: Merge privkey and pubkey for identical filekeys. (Guilhem Moulin, 2015-06-07, 1 file)
  Also, set ‘subjectKeyIdentifier = hash’ in the CSR.