summaryrefslogtreecommitdiffstats
path: root/roles
Commit message (Collapse)AuthorAgeFiles
...
* postfix-sender-login: Better hardening.Guilhem Moulin2020-05-214
| | | | Run as a dedicated user, not ‘postfix’.
* dovecot-auth-proxy: replace directory traversal with LDAP lookups.Guilhem Moulin2020-05-215
| | | | | | | | | | | | | This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer lists users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
* dovecot-auth-proxy: Bump protocol version to 2.2.Guilhem Moulin2020-05-201
| | | | | | | | This a regression rom 829f4d830aefedd95a75e61cfc9aa3e03f039c6f. There are no relevant interface changes between 2.2.27 (stretch) and 2.3.4 (buster) cf. `git diff 2.2.27..2.3.4 src/lib-dict/dict-client.h` and https://github.com/dovecot/core/commits/2.3.4/src/lib-dict/dict-client.h .
* IMAP: Update role to Debian Buster.Guilhem Moulin2020-05-1912
| | | | | | | | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
* MSA: Update role to Debian Buster.Guilhem Moulin2020-05-193
| | | | | | | | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
* LDAP: Update role to Debian Buster.Guilhem Moulin2020-05-192
|
* s/LDAP-provider/LDAP_provider/Guilhem Moulin2020-05-198
| | | | This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
* wibbleGuilhem Moulin2020-05-181
|
* stunnel4: Harden and socket-activate.Guilhem Moulin2020-05-187
|
* Firewall: note on reqid matching.Guilhem Moulin2020-05-181
| | | | To be done when we upgrade to Bullseye for more fine-grained control.
* AEAD ciphers: Add EECDH+CHACHA20 macro.Guilhem Moulin2020-05-184
| | | | | | | This adds the following two ciphers: ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
* cgit and HTTP backend: Remove unused files.Guilhem Moulin2020-05-182
| | | | We replace uwsgi in 70f16ac939497e3e424bad05c5f82ce36d1bceda.
* Firewall: Use `meta secpath exists` to match xfrm associations.Guilhem Moulin2020-05-181
| | | | | Marking incoming ESP packets and matching decapsulated packets doesn't work with NAT traverslate (UDP encapsulation aka MOBIKE).
* nginx: Add Expires: HTTP headers.Guilhem Moulin2020-05-176
|
* webmail: Add .webp to the list of static resources.Guilhem Moulin2020-05-171
|
* Nextcloud: Fix location{} directives.Guilhem Moulin2020-05-171
| | | | For use with Nextcloud 18, cf. https://docs.nextcloud.com/server/18/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx .
* lacme: Port to Debian 10.Guilhem Moulin2020-05-172
| | | | | We also rename the ‘lacme’ system user to ‘_lacme’ per Debian Policy §9.2.1: https://www.debian.org/doc/debian-policy/ch-opersys.html#introduction .
* lists.fripost.org: Improve gzip support.Guilhem Moulin2020-05-171
|
* git, wiki, website: Improve gzip support.Guilhem Moulin2020-05-173
|
* Webmail: Compress static resources.Guilhem Moulin2020-05-171
| | | | | | | | | | | We leave dynamic pages (those passed to PHP-FPM) alone for now: compressing them would make us vulnerable to BREACH attacks. This will be revisited once Roundcube 1.5 is released: 1.5 adds support for the same-site cookie attribute which once set to 'Strict' makes it immune to BREACH attacks: https://github.com/roundcube/roundcubemail/pull/6772 https://www.sjoerdlangkemper.nl/2016/11/07/current-state-of-breach-attack/#same-site-cookies
* Webmail: Fix allowed extensions for static resources.Guilhem Moulin2020-05-171
| | | | | $ find -L /usr/share/roundcube/{plugins,program/js,program/resources,skins} -xtype f -printf "%f\\n" \ | sed -r "s/^([^.]+)(.*)/\1\2\t\2/" | sort -k2 | uniq -c -f1
* Webmail: Improve Content-Security-Policy.Guilhem Moulin2020-05-171
|
* nginx: Add MIME type declaration for .woff2 files.Guilhem Moulin2020-05-171
|
* Remove 'meta: flush_handlers' directives under conditionals.Guilhem Moulin2020-05-172
| | | | They don't appear to be supported anymore.
* Roundcube: skip 'keyboard_shortcuts' plugin.Guilhem Moulin2020-05-171
| | | | | It doesn't integrate too well with the new elastic theme at the moment. https://github.com/corbosman/keyboard_shortcuts
* roles/amavis: Drop packages that no longer exist.Guilhem Moulin2020-05-171
|
* Roundcube: Port to Debian 10.Guilhem Moulin2020-05-1712
| | | | | We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1) for the elastic theme.
* common-web: Remove snippets/acme-challenge.conf.Guilhem Moulin2020-05-162
| | | | lacme now ships that file as /etc/lacme/nginx.conf.
* MX: Port to Debian 10.Guilhem Moulin2020-05-162
| | | | | | | | For postfix, don't defer if "abused legit". (I.e., DBL return code in the 127.0.1.100+ range.) This used to work for Postfix 3.1.14 (Stretch) but for 3.4.8 (Buster) the 'defer_if_reject' also applies to $smtpd_relay_restrictions, to reject_unauth_destination & reject_unlisted_recipient in particular.
* wiki/website: harden config and port to Debian 10.Guilhem Moulin2020-05-168
|
* git browser and HTTP backend: harden config and port to Debian 10.Guilhem Moulin2020-05-168
|
* MX: Install OpenDMARC to add Authentication-Results headers.Guilhem Moulin2020-05-166
| | | | | | | | On the infrastructure boundary. We don't reject/quarantine as it would affect members who forward their mail sent to <user@example.com> to <user@fripost.org>. Members can install Sieve rules to send any messages with failed Authentication-Results headers directly in their spambox.
* wwsympa.service: Use existing directory /run/sympa.Guilhem Moulin2020-05-161
| | | | | We shouldn't use RuntimeDirectory to create it anew because is belongs to the Sympa daemon and WWSympa looks up for PID files in there.
* sympa.conf: remove deprecated options.Guilhem Moulin2020-05-161
|
* antilop: Upgrade baseline to Debian 10.Guilhem Moulin2020-05-163
|
* nextcloud: Set php values in pool configuration.Guilhem Moulin2020-05-162
|
* typofixGuilhem Moulin2020-05-161
|
* Upgrade baseline to Debian 10.Guilhem Moulin2020-05-1623
|
* wibbleGuilhem Moulin2020-05-161
|
* Nextcloud: Minor redis-server config tweak.Guilhem Moulin2020-05-161
|
* Nextcloud: use dedicated user and PHP FPM pool.Guilhem Moulin2020-05-165
| | | | | | There is a real security gain in not using the 'www-data' user: nginx workers can't read Nextcloud config files and data directory, so should our nginx configuration be insecure a leak is much less likely.
* Add nextcloud's logrotate file.Guilhem Moulin2020-05-161
| | | | This was forgotten in 0bfbe0e49f7fc77abfe7bb5d92c72dbdf6742204.
* role/common-web: Upgrade baseline to Debian 10.Guilhem Moulin2020-05-164
|
* Nextcloud: Better separation between code/data/logs/cache.Guilhem Moulin2020-05-124
| | | | | | Also, update baseline to Debian 10 (codename Buster) and deploy a local Redis instance for Transactional File Locking https://docs.nextcloud.com/server/18/admin_manual/configuration_server/caching_configuration.html#id2
* Add own DKIM key for debian.org address.Guilhem Moulin2020-04-131
| | | | | | | | | | | | Cf. https://lists.debian.org/debian-devel-announce/2020/04/msg00004.html . \o/ It's also fairly easy to deploy onto the Debian infrastucture: $ USERNAME="guilhem" $ SELECTOR="5d30c523ff3622ed454230a16a11ddf6.$USERNAME.user" $ printf "dkimPubKey: %s %s\n" "$SELECTOR" \ "$(openssl pkey -pubin -in "./certs/dkim/$SELECTOR:debian.org.pub" -outform DER | base64 -w0)" \ | gpg --clearsign | s-nail -r "USERNAME@debian.org" -s dkimPubKey changes@db.debian.org
* /etc/apt/sources.list: Use https:// URIs.Guilhem Moulin2020-01-251
| | | | | | | | Since 1.5 (Buster) APT supports https:// natively. There is no need to install ‘apt-transport-https’ (now a dummy transitional package) anymore. Plain-text connection don't undermine security as APT checks package OpenPGP signatures locally, but there is no reason not to use TLS here.
* Improve/harden fail2ban configuration.Guilhem Moulin2020-01-257
| | | | | | | | | * Use nftables sets with a timeout * Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires to change the log path to /var/log/fail2ban/*.) * Skip database as we don't care about persistence. * Refactor jail.local
* Convert firewall to nftables.Guilhem Moulin2020-01-2311
| | | | Debian Buster uses the nftables framework by default.
* Postfix: disable DNS lookups on the internal SMTPds.Guilhem Moulin2020-01-231
| | | | | | Our internal IPs don't have a reverse PTR record, and skipping the resolution speeds up mail delivery. http://www.postfix.org/postconf.5.html#smtpd_peername_lookup
* tr/-/_/ in group names.Guilhem Moulin2020-01-225
| | | | | | | | | | | | This avoids [DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set to allow bad characters in group names by default, this will change, but still be user configurable on deprecation. This feature will be removed in version 2.10. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details