summaryrefslogtreecommitdiffstats
path: root/roles/lists
Commit message (Collapse)AuthorAgeFiles
* Sympa: Update Content-Security-Policy.Guilhem Moulin2024-09-081
|
* Sympa: Enable French support.Guilhem Moulin2024-06-121
| | | | Cf. msgid=<c368f04c-b8d1-4623-98f0-b6a3b724f90d@dubre.me>.
* Sympa: Update robot.conf to fix HTTP 421 on virtual hosts.Guilhem Moulin2023-01-133
| | | | | | See https://github.com/sympa-community/sympa/issues/879 , https://www.sympa.community/manual/upgrade/notes.html#from-version-prior-to-6256 and https://www.sympa.community/gpldoc/man/sympa_config.5.html#wwsympa_url_local .
* Remove module ‘mysql_user2’.Guilhem Moulin2022-10-111
| | | | These days upstream's ‘mysql_user’ is good enough.
* Prefix ‘ipaddr’ and ‘ipv4’ with ‘ansible.utils.’.Guilhem Moulin2022-10-111
| | | | | | | This silences the following deprecation warning: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
* Postfix: Install -lmdb in all roles using db=lmdb.Guilhem Moulin2020-05-211
| | | | | | And drop -ldap from all roles other than MX. -lmdb is included in roles/common but it can be helpful to have it individual roles as well as they can be run individually.
* nginx: Add Expires: HTTP headers.Guilhem Moulin2020-05-171
|
* lists.fripost.org: Improve gzip support.Guilhem Moulin2020-05-171
|
* wwsympa.service: Use existing directory /run/sympa.Guilhem Moulin2020-05-161
| | | | | We shouldn't use RuntimeDirectory to create it anew because is belongs to the Sympa daemon and WWSympa looks up for PID files in there.
* sympa.conf: remove deprecated options.Guilhem Moulin2020-05-161
|
* antilop: Upgrade baseline to Debian 10.Guilhem Moulin2020-05-163
|
* systemd.service: Tighten hardening options.Guilhem Moulin2018-12-091
|
* Upgrade 'lists' role to Debian Stretch.Guilhem Moulin2018-12-097
|
* systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’.Guilhem Moulin2018-12-091
| | | | And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
* postfix: remove explicit default 'mail_owner = postfix'.Guilhem Moulin2018-12-061
|
* Upgrade syntax to Ansible 2.7 (apt module).Guilhem Moulin2018-12-033
|
* Postfix: replace cdb & btree tables with lmdb ones.Guilhem Moulin2018-12-032
| | | | Cf. lmdb_table(5).
* sympa: wibbleGuilhem Moulin2018-04-041
|
* Upgrade syntax to Ansible 2.4.Guilhem Moulin2017-11-231
|
* Use MariaDB as default MySQL flavor.Guilhem Moulin2017-07-291
|
* /lib/systemd/system → /etc/systemd/systemGuilhem Moulin2017-05-313
|
* Install more sympa dependencies.Guilhem Moulin2017-05-291
|
* Change group of executables in /usr/local/{bin,sbin} from root to staff.Guilhem Moulin2017-05-142
|
* sympa: don't tweak /etc/logrotate.d/sympa.Guilhem Moulin2017-05-141
|
* wwsympa: allow write access to /var/spool/sympa.Guilhem Moulin2017-05-141
| | | | Request to post and moderate messages using the web interface.
* nginx: add support for HTTP/2.Guilhem Moulin2016-12-131
|
* systemd: Ensure sympa service is enabled.Guilhem Moulin2016-09-181
|
* postfix: Remove obsolete templates tls_policy/relay_clientcerts.Guilhem Moulin2016-07-121
|
* postfix: commit the master.cf symlinks.Guilhem Moulin2016-07-121
|
* nginx: Don't hard-code the HPKP headers.Guilhem Moulin2016-07-123
| | | | | Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
* Postfix lists/MDA instances: only include the MX:es' IPs in $mynetworks.Guilhem Moulin2016-07-101
|
* Route all internal SMTP traffic through IPsec.Guilhem Moulin2016-07-102
|
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-102
|
* postfix: Don't explicitly set inet_interfaces=all as it's the default.Guilhem Moulin2016-07-101
|
* Change the pubkey extension from .pem to .pub.Guilhem Moulin2016-07-101
|
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself.Guilhem Moulin2016-06-151
| | | | To avoid new commits upon cert renewal.
* wwsympa systemd service file: Set PrivateTmp=yes.Guilhem Moulin2016-06-071
| | | | The CGI wants to create a temp file during bulk subcription.
* postfix: Update to recommended TLS settings.Guilhem Moulin2016-05-181
| | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
* postfix: unset 'smtpd_tls_session_cache_database'.Guilhem Moulin2016-05-181
| | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935
* Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.Guilhem Moulin2016-05-181
| | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out.
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-181
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* Add hardening options to our systemd unit files.Guilhem Moulin2016-05-121
|
* Set a HPKP on the webmail, website/wiki/git and list manager.Guilhem Moulin2016-04-011
|
* Set a CSP on the webmail, website/wiki and list manager.Guilhem Moulin2016-04-011
|
* Set HTTP security headers.Guilhem Moulin2016-03-301
| | | | See https://securityheaders.io .
* Remove SMTP message size limit on non public MTAs.Guilhem Moulin2016-03-211
|
* Let's EncryptGuilhem Moulin2016-03-021
|
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-122
|
* Update all Fripost links from http:// to https://.Guilhem Moulin2015-12-281
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-202
|