summaryrefslogtreecommitdiffstats
path: root/roles/common
Commit message (Collapse)AuthorAgeFiles
* FreshClam: change ownership of /etc/clamav/freshclam.conf.Guilhem Moulin2016-09-181
| | | | | | | | To match the stock version shipped by clamav-freshclam 0.99.2+dfsg-0+deb8u2 ~$ stat -c '%U:%G %a' /etc/clamav/freshclam.conf clamav:adm 444
* Firewall: allow duplicates rules.Guilhem Moulin2016-09-181
|
* More logcheck-database tweaks.Guilhem Moulin2016-08-222
|
* postfix: Remove obsolete templates tls_policy/relay_clientcerts.Guilhem Moulin2016-07-121
|
* Route all internal SMTP traffic through IPsec.Guilhem Moulin2016-07-104
|
* Postfix: avoid hardcoding the instance names.Guilhem Moulin2016-07-101
|
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-102
|
* Route SMTP traffic from the webmail through IPsec.Guilhem Moulin2016-07-101
|
* More logcheck-database tweaks.Guilhem Moulin2016-07-092
|
* Localize the NTP pool hostnames.Guilhem Moulin2016-07-091
|
* Localize the debian archive hostnames.Guilhem Moulin2016-07-091
|
* ClamAV (FreshClam): use a localized Database Mirror.Guilhem Moulin2016-07-092
| | | | | | As db.local.clamav.net is not always properly localized. Furthermore, our previous Ansiblee script did not ensure ordering of the DatabaseMirror lines.
* IPSec → IPsecGuilhem Moulin2016-06-295
|
* More logcheck-database tweaks.Guilhem Moulin2016-06-293
|
* update-firewall.sh: COMMIT empty iptables rule files.Guilhem Moulin2016-06-291
|
* Use stunnel to secure the connection from the webmail to ldap.fripost.org.Guilhem Moulin2016-06-051
| | | | | We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting.
* typoGuilhem Moulin2016-05-241
|
* IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication.Guilhem Moulin2016-05-243
| | | | There is no need to bother with X.509 cruft here.
* genkeypair, gendhparam: use -rand /dev/urandom when generating keys or DH ↵Guilhem Moulin2016-05-222
| | | | parameters.
* Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec.Guilhem Moulin2016-05-226
|
* Tunnel munin-update traffic through IPSec.Guilhem Moulin2016-05-227
|
* Tunnel internal NTP traffic through IPSec.Guilhem Moulin2016-05-222
| | | | | | | More precisely, between our NTP-master (stratum 1) host and the other machines (all stratum 2). Providing authentification and integrity for internal NTP traffic ensures a consistent time within our internal infrastructure.
* Set up IPSec tunnels between each pair of hosts.Guilhem Moulin2016-05-2213
| | | | | | | | | | | | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
* postfix: master.cf wibbleGuilhem Moulin2016-05-181
|
* postfix: Update to recommended TLS settings.Guilhem Moulin2016-05-182
| | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
* Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.Guilhem Moulin2016-05-182
| | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out.
* postfix: disable weak ciphers for the 'encrypt' TLS security level.Guilhem Moulin2016-05-181
| | | | That is, on the MSA and in our local infrastructure.
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-183
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* bacula: Set heartbeat options.Guilhem Moulin2016-05-122
| | | | and also TCP keepalive options in the stunnel config.
* Add hardening options to our systemd unit files.Guilhem Moulin2016-05-121
|
* Use systemd unit files for stunnel4.Guilhem Moulin2016-05-1211
|
* sysctl: don't set IPv6 privacy extensions globaly.Guilhem Moulin2016-04-011
|
* sysctl: set net.ipv6.conf.all.accept_ra = 0.Guilhem Moulin2016-03-301
|
* More logcheck-database tweaks.Guilhem Moulin2016-03-131
|
* Ansible: Using bare variables is deprecated, and will be removed in a future ↵Guilhem Moulin2016-03-022
| | | | release.
* More logcheck-database tweaks.Guilhem Moulin2016-02-171
|
* s/ansible_ssh_/ansible_/Guilhem Moulin2016-02-122
|
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-125
|
* Only install letsencrypt-tiny to the relevant hosts.Guilhem Moulin2015-12-282
|
* Copy and install Let's Encrypt ACME client.Guilhem Moulin2015-12-201
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-202
|
* More logcheck-database tweaks.Guilhem Moulin2015-12-152
|
* typoGuilhem Moulin2015-12-041
|
* Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the ↵Guilhem Moulin2015-12-031
| | | | cert itself.
* More logcheck-database tweaks.Guilhem Moulin2015-12-011
|
* More logcheck-database tweaks.Guilhem Moulin2015-11-121
|
* Internal Postfix config: Generate RSA 4096 keys by default.Guilhem Moulin2015-10-281
|
* genkeypair: use install(1) for atomic file creation with permission mode.Guilhem Moulin2015-10-282
|
* Internal Postfix config: Disable TLS protocols <1.2 rather than enable 1.2 only.Guilhem Moulin2015-10-271
|
* stunnel: disable compression.Guilhem Moulin2015-10-272
|