summaryrefslogtreecommitdiffstats
path: root/roles/common
Commit message (Collapse)AuthorAgeFiles
...
* wibbleGuilhem Moulin2015-06-071
|
* Don't require a PKI for IPSec.Guilhem Moulin2015-06-075
| | | | | | | | | | | Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines.
* Don't try to start smart on VMs.Guilhem Moulin2015-06-071
|
* Support non-free firmwares. (Can be required :-()Guilhem Moulin2015-06-072
| | | | Also, always install contrib's intel-microcode on Intel CPUs.
* wibbleGuilhem Moulin2015-06-072
|
* Assume a DNS entry for each role.Guilhem Moulin2015-06-072
| | | | | | E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though.
* Replace mktemp's deprecated -t option by --tmpdir.Guilhem Moulin2015-06-071
| | | | | But not in the installer, as busybox's implementation of mktemp didn't deprecate -t/-p.
* Make use of Ansible 1.5 new features.Guilhem Moulin2015-06-075
| | | | Most notably pipelining=True and sysctl_set=yes.
* wibbleGuilhem Moulin2015-06-071
|
* Fix the catch-all resolution again.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | We introduce a limitation on the domain-aliases: they can't have children (e.g., lists or users) any longer. The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps. We're still using transport_maps for lists. If it turns out to be a bottleneck due to the high-latency coming from LDAP maps, (and the fact that there is a single qmgr(8) daemon), we could rewrite lists to a dummy subdomain and use a static transport_maps instead: virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain transport_maps: mlmmj.localhost.localdomain mlmmj:
* Mailing lists (using mlmmj).Guilhem Moulin2015-06-071
| | | | | | | | | Right now the list server cannot be hosted with a MX, due to bug 51: http://mlmmj.org/bugs/bug.php?id=51 Web archive can be compiled with MHonArc, but the web server configuration is not there yet.
* Don't use IPSec to relay messages to localhost.Guilhem Moulin2015-06-071
|
* Excplicitely make local services run on localhost.Guilhem Moulin2015-06-072
|
* typoGuilhem Moulin2015-06-071
|
* Fix catchall resolution.Guilhem Moulin2015-06-071
| | | | | | | | It has to be performed last, to give a chance to be accepted as a regular mailbox. We introduce a new, dedicated, smtpd daemon whose only purpose is to resolve catch-alls.
* Install haveged.Guilhem Moulin2015-06-072
| | | | | | To avoid low-entropy conditions, see http://www.issihosts.com/haveged/
* Install ClamAV.Guilhem Moulin2015-06-072
|
* Configure Sieve and ManageSieve.Guilhem Moulin2015-06-071
| | | | | Also, add the 'managesieve' RoundCube plugin to communicate with our server.
* wibbleGuilhem Moulin2015-06-071
|
* Configure the webmail.Guilhem Moulin2015-06-075
|
* Force expansion of escape sequences.Guilhem Moulin2015-06-073
| | | | | By using double quoted scalars, cf. https://groups.google.com/forum/#!topic/ansible-project/ZaB6o-eqDzw
* wibbleGuilhem Moulin2015-06-071
|
* Install common packages.Guilhem Moulin2015-06-071
|
* Configure S.M.A.R.T.Guilhem Moulin2015-06-072
|
* Configure NTP.Guilhem Moulin2015-06-075
| | | | | | We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec.
* Configure the Mail Submission Agent.Guilhem Moulin2015-06-073
|
* Configure the Mail Delivery Agent.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-072
|
* Configure the IMAP server.Guilhem Moulin2015-06-072
| | | | (For now, only LMTP and IMAP processes, without replication.)
* Configure the MX:es.Guilhem Moulin2015-06-074
|
* Share master.cf accross all Postfix instances.Guilhem Moulin2015-06-073
| | | | | | And use main.cf's 'master_service_disable' setting to deactivate each service that's useless for a given instance. (Hence solve conflict when trying to listen twice on the same port, for instance.)
* Use a dedicated SMTP port for samhain.Guilhem Moulin2015-06-074
| | | | | | | It's unfortunate that samhain cannot use the sendmail binary, and wants to use a inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on. See also: /usr/share/doc/samhain/TODO.Debian
* Reorganization.Guilhem Moulin2015-06-077
|
* Optimize LDAP modifications.Guilhem Moulin2015-06-071
| | | | | | | For non-indexed attributes, do not ask the LDAP server to modify values in the symmetric difference of A (the entry found in the directory) and B (the target). That is, we replace A by B only when they are disjoint; otherwise we remove values in A-B and add those in B-A.
* Load our schema *before* the database.Guilhem Moulin2015-06-071
| | | | Since indices are specified in the database LDIF.
* Reformulate the headers showing the license.Guilhem Moulin2015-06-076
| | | | | To be clearer, and to follow the recommendation of the FSF, we include a full header rather than a single sentence.
* Configure debsecan.Guilhem Moulin2015-06-072
|
* Common LDAP (slapd) configuration.Guilhem Moulin2015-06-076
|
* Common MySQL configuration.Guilhem Moulin2015-06-072
|
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-077
| | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc.
* Fix unattended-upgrades's configuration.Guilhem Moulin2015-06-071
| | | | | ${distro_codename} doesn't work properly there, so we put stable and/or oldstable instead.
* wibbleGuilhem Moulin2015-06-071
| | | | | Replaced [ -n "$string" ] with [ "$string" ], and [ -z "$string" ] with [ ! "$string" ].
* Replace the 'syslog' facility (5) by 'user' (1).Guilhem Moulin2015-06-072
| | | | | 'syslog' is meant for the messages generated internally by syslogd, whereas 'user' is for user-level messages.
* wibbleGuilhem Moulin2015-06-073
|
* Be more specific regarding the protocol in use for IPSec policies.Guilhem Moulin2015-06-073
| | | | We use ESP only, so other protocols shouldn't be ACCEPTed.
* Don't start daemons when there is a triggered handler.Guilhem Moulin2015-06-074
| | | | This is pointless since the service will be restarted anyway.
* Flush pending handlers between each include.Guilhem Moulin2015-06-076
| | | | | | | | | In particular, run 'apt-get update' right after configured APT, and restart daemon right after configured them. The advantage being that if ansible crashes in some "task", the earlier would already be restarted if neeeded. (This may not happen in the next run since the configuration should already be up to date.)
* We are not using nf_conntrack.Guilhem Moulin2015-06-071
|
* Autostart daemons.Guilhem Moulin2015-06-075
|
* Prohibit binding against the IP reserved for IPSec.Guilhem Moulin2015-06-073
| | | | | | | | | Packets originating from our (non-routable) $ipsec are marked; there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to ip rule add fwmark "$secmark" table 666 priority 666 ip route add blackhole default table 666