summaryrefslogtreecommitdiffstats
path: root/roles
Commit message (Collapse)AuthorAgeFiles
* wwsympa.service: Use existing directory /run/sympa.Guilhem Moulin2020-05-161
| | | | | We shouldn't use RuntimeDirectory to create it anew because is belongs to the Sympa daemon and WWSympa looks up for PID files in there.
* sympa.conf: remove deprecated options.Guilhem Moulin2020-05-161
|
* antilop: Upgrade baseline to Debian 10.Guilhem Moulin2020-05-163
|
* nextcloud: Set php values in pool configuration.Guilhem Moulin2020-05-162
|
* typofixGuilhem Moulin2020-05-161
|
* Upgrade baseline to Debian 10.Guilhem Moulin2020-05-1623
|
* wibbleGuilhem Moulin2020-05-161
|
* Nextcloud: Minor redis-server config tweak.Guilhem Moulin2020-05-161
|
* Nextcloud: use dedicated user and PHP FPM pool.Guilhem Moulin2020-05-165
| | | | | | There is a real security gain in not using the 'www-data' user: nginx workers can't read Nextcloud config files and data directory, so should our nginx configuration be insecure a leak is much less likely.
* Add nextcloud's logrotate file.Guilhem Moulin2020-05-161
| | | | This was forgotten in 0bfbe0e49f7fc77abfe7bb5d92c72dbdf6742204.
* role/common-web: Upgrade baseline to Debian 10.Guilhem Moulin2020-05-164
|
* Nextcloud: Better separation between code/data/logs/cache.Guilhem Moulin2020-05-124
| | | | | | Also, update baseline to Debian 10 (codename Buster) and deploy a local Redis instance for Transactional File Locking https://docs.nextcloud.com/server/18/admin_manual/configuration_server/caching_configuration.html#id2
* Add own DKIM key for debian.org address.Guilhem Moulin2020-04-131
| | | | | | | | | | | | Cf. https://lists.debian.org/debian-devel-announce/2020/04/msg00004.html . \o/ It's also fairly easy to deploy onto the Debian infrastucture: $ USERNAME="guilhem" $ SELECTOR="5d30c523ff3622ed454230a16a11ddf6.$USERNAME.user" $ printf "dkimPubKey: %s %s\n" "$SELECTOR" \ "$(openssl pkey -pubin -in "./certs/dkim/$SELECTOR:debian.org.pub" -outform DER | base64 -w0)" \ | gpg --clearsign | s-nail -r "USERNAME@debian.org" -s dkimPubKey changes@db.debian.org
* /etc/apt/sources.list: Use https:// URIs.Guilhem Moulin2020-01-251
| | | | | | | | Since 1.5 (Buster) APT supports https:// natively. There is no need to install ‘apt-transport-https’ (now a dummy transitional package) anymore. Plain-text connection don't undermine security as APT checks package OpenPGP signatures locally, but there is no reason not to use TLS here.
* Improve/harden fail2ban configuration.Guilhem Moulin2020-01-257
| | | | | | | | | * Use nftables sets with a timeout * Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires to change the log path to /var/log/fail2ban/*.) * Skip database as we don't care about persistence. * Refactor jail.local
* Convert firewall to nftables.Guilhem Moulin2020-01-2311
| | | | Debian Buster uses the nftables framework by default.
* Postfix: disable DNS lookups on the internal SMTPds.Guilhem Moulin2020-01-231
| | | | | | Our internal IPs don't have a reverse PTR record, and skipping the resolution speeds up mail delivery. http://www.postfix.org/postconf.5.html#smtpd_peername_lookup
* tr/-/_/ in group names.Guilhem Moulin2020-01-225
| | | | | | | | | | | | This avoids [DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set to allow bad characters in group names by default, this will change, but still be user configurable on deprecation. This feature will be removed in version 2.10. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
* dovecot: raise default_vsz_limit from 256MB to 512MB.Guilhem Moulin2019-05-231
| | | | | | | | | This avoids lmtp errors like Error: mmap(size=0) failed with file […] dbox-Mails/dovecot.index.cache: Cannot allocate memory See https://www.dovecot.org/list/dovecot/2012-August/137569.html and https://www.dovecot.org/list/dovecot/2011-December/132455.html .
* MSA: Open 465/TCP for Email Submission over TLS.Guilhem Moulin2019-03-195
| | | | See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete".
* firewall: gracefully close invalid connections.Guilhem Moulin2018-12-221
| | | | | | | This is useful when an ESTABLISHED connection is seen as NEW because the client was offline for some time. For instance, clients now gracefully close existing SSH connections immediately after resuming from a suspend state, rather that waiting for the TCP timeout.
* fail2ban: Only install the roundcube/dovecot filters if needed.Guilhem Moulin2018-12-151
| | | | | | It doesn't hurt to install them on all machines, but we're overriding the provided /etc/fail2ban/filter.d/dovecot.conf and would rather keep our delta minimal.
* submission: Prospective SPF checking.Guilhem Moulin2018-12-125
| | | | Cf. http://www.openspf.org/Best_Practices/Outbound .
* Outgoing SMTP: masquerade internal hostnames.Guilhem Moulin2018-12-123
| | | | | | Use admin@fripost.org instead. We were sending out (to the admin team) system messages with non-existing or invalid envelope sender addresses, such as <logcheck@antilop.fripost.org> or <root@mistral.fripost.org>.
* IMAP: raise per user maximum number of inotify instances from 128 to 512.Guilhem Moulin2018-12-121
|
* IPsec: use Suite-B-GCM-256 algorithms for IKEv2 & ESP.Guilhem Moulin2018-12-091
| | | | | | | (That is, remove algorithms from Suite-B-GCM-128.) Cf. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites and https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations .
* MSA verification probes: enable opportunistic encryption.Guilhem Moulin2018-12-092
| | | | | | And use ‘noreply.fripost.org’ as HELO name rather than $myhostname (i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo and envelope sender identities.
* Use mariadb.service not mysql.service.Guilhem Moulin2018-12-092
| | | | | Since d8d07afe49e69114f8deb807031bec71a327d3ae our MySQL flavor is MariaDB.
* Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch.Guilhem Moulin2018-12-0924
|
* Disable resume device.Guilhem Moulin2018-12-093
| | | | We don't need suspend-on-disk (hibernation).
* IMAP: Ensure /home/mail is mounted before creating sub-directories.Guilhem Moulin2018-12-091
|
* bacula-sd: Ensure /mnt/backup is mounted before creating sub-directories.Guilhem Moulin2018-12-091
|
* bacula: Backup MySQL database for the nextcloud host.Guilhem Moulin2018-12-092
|
* systemd.service: Tighten hardening options.Guilhem Moulin2018-12-099
|
* bacula-*.service: Don't fork in the background.Guilhem Moulin2018-12-093
| | | | Inspired from /lib/systemd/system/bacula-fd.service.
* Upgrade 'lists' role to Debian Stretch.Guilhem Moulin2018-12-098
|
* Firewall: disable outgoing access to git:// remote servers.Guilhem Moulin2018-12-091
| | | | We don't need it anymore as we use https:// these days.
* systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’.Guilhem Moulin2018-12-099
| | | | And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
* Firewall: REJECT outgoing connections instead of DROPing them.Guilhem Moulin2018-12-091
|
* Upgrade 'out' role to Debian Stretch.Guilhem Moulin2018-12-091
|
* Don't install the haveged entropy daemon.Guilhem Moulin2018-12-092
| | | | | It's not really needed on our metal hosts, and our KVM guests use virtio-rng.
* ntp.conf: reduce delta with the packaged version.Guilhem Moulin2018-12-091
|
* MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons.Guilhem Moulin2018-12-098
| | | | | | Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f) the postscreen(8) server can run chrooted, meaning we can also chroot the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.
* MX: don't override 5XY reject codes to 554.Guilhem Moulin2018-12-091
|
* postfix: remove explicit default 'mail_owner = postfix'.Guilhem Moulin2018-12-066
|
* postfix ≥3.0: don't advertise SMTPUTF8 support.Guilhem Moulin2018-12-061
| | | | | | | | | | | | | | | | | We're relaying messages to our LMTP daemons (Dovecot, Amavisd) and some downstream SMTP servers, not all of which are under our control. Forwarding messages with UTF-8 envelope addresses or RFC 5322 headers yields undeliverable messages, and the bounces make us a potential backscatter source. So it's better to disable SMTPUTF8 at this point. Cf. also http://www.postfix.org/SMTPUTF8_README.html and https://unix.stackexchange.com/questions/320091/configure-postfix-and-dovecot-lmtp-to-receive-mail-via-smtputf8 . See also upstream's comment at https://marc.info/?l=postfix-users&m=149183235529042&w=2 : “Perhaps SMTPUTF8 autodetection could be more granular: UTF8 in the envelope is definitely problematic for a receiver that does not support SMTPUTF8, while UTF8 in a message header is less so.”
* Upgrade 'ikiwiki-pandoc' to v0.5.1.Guilhem Moulin2018-12-061
| | | | | https://raw.githubusercontent.com/sciunto-org/ikiwiki-pandoc/v0.5.1/pandoc.pm Currently at commit 9292e45cea1be120adb3babd5b835b547f4c825a .
* Roundcube: improve serving of static resources.Guilhem Moulin2018-12-061
| | | | | | | | | | | | | | | We only serve whitelisted extensions (css, js, png, etc.), and only for some selected sub-directories. Access to everything else (incl. log files and config files) is denied with a 404. This is unlike upstream's .htaccess file, which blacklists restricted locations and happily serves the rest: https://github.com/roundcube/roundcubemail/blob/master/.htaccess#L8 To find out which extensions exist on the file system, run find -L /var/lib/roundcube/{plugins,program/js,program/resources,skins} -type f \ | sed -n 's/.*\.//p' | sort | uniq -c
* DKIM: also include the "d=" tag in key filenames, not only the "s=" tag.Guilhem Moulin2018-12-053
| | | | | While the combination of "s=" tag (selector) & "d=" tag signing domain maps to a unique key, the selector alone doesn't necessarily.
* Upgrade DKIM keys to rsa2048, and allow for multiple keys.Guilhem Moulin2018-12-043
|