path: root/roles

Commit log (commit message, author, date, number of files changed):

* postfix: Update to recommended TLS settings. (Guilhem Moulin, 2016-05-18, 7 files)
  Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
* postfix: unset 'smtpd_tls_session_cache_database'. (Guilhem Moulin, 2016-05-18, 5 files)
  Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935
* Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. (Guilhem Moulin, 2016-05-18, 8 files)
  Ideally we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per the ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older clients won't be left out.
* postfix: disable weak ciphers for the 'encrypt' TLS security level. (Guilhem Moulin, 2016-05-18, 3 files)
  That is, on the MSA and in our local infrastructure.
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command locally. And use this to fetch all X.509 leaf certificates. (Guilhem Moulin, 2016-05-18, 13 files)
* dovecot imapc: wibble (Guilhem Moulin, 2016-05-17, 2 files)
* roundcube: Pin X.509 certificate for sieve.fripost.org:4190. (Guilhem Moulin, 2016-05-17, 2 files)
* bacula: Set heartbeat options. (Guilhem Moulin, 2016-05-12, 6 files)
  and also TCP keepalive options in the stunnel config.
* bacula-sd: wibble (Guilhem Moulin, 2016-05-12, 1 file)
* bacula-dir: Fix Reschedule Interval from 17 months to 17 mins. (Guilhem Moulin, 2016-05-12, 1 file)
* MySQL: set InnoDB flush method to 'O_DIRECT' (Guilhem Moulin, 2016-05-12, 1 file)
* Add hardening options to our systemd unit files. (Guilhem Moulin, 2016-05-12, 6 files)
* Use systemd unit files for stunnel4. (Guilhem Moulin, 2016-05-12, 26 files)
* Roundcube's CSP: remove 'upgrade-insecure-requests' and 'block-all-mixed-content'. (Guilhem Moulin, 2016-04-08, 1 file)
* Roundcube's CSP: allow loading images from data: URIs and arbitrary URLs. (Guilhem Moulin, 2016-04-07, 1 file)
  Per user request: https://wiki.fripost.org/tracker/CSP_too_strict/
* nginx: update ssl_ciphers to follow Mozilla's TLS server recommendation. (Guilhem Moulin, 2016-04-02, 1 file)
  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
* Set frame-ancestors from 'none' to 'self' in roundcube's CSP. (Guilhem Moulin, 2016-04-02, 1 file)
* wibble (Guilhem Moulin, 2016-04-02, 3 files)
* Set an HPKP on the webmail, website/wiki/git and list manager. (Guilhem Moulin, 2016-04-01, 5 files)
* Set a CSP on the webmail, website/wiki and list manager. (Guilhem Moulin, 2016-04-01, 5 files)
* sysctl: don't set IPv6 privacy extensions globally. (Guilhem Moulin, 2016-04-01, 1 file)
* sysctl: set net.ipv6.conf.all.accept_ra = 0. (Guilhem Moulin, 2016-03-30, 1 file)
* Set HTTP security headers. (Guilhem Moulin, 2016-03-30, 9 files)
  See https://securityheaders.io .
* Replace LE's X1 intermediate CA with X3 since the latter has better support for XP. (Guilhem Moulin, 2016-03-28, 1 file)
* munin-master CGI: add application-level ACLs to keep non-local users at bay. (Guilhem Moulin, 2016-03-21, 1 file)
* Remove SMTP message size limit on non public MTAs. (Guilhem Moulin, 2016-03-21, 3 files)
* More logcheck-database tweaks. (Guilhem Moulin, 2016-03-13, 1 file)
* Let's Encrypt: Only reload (as opposed to restart) postfix/nginx after renewing the cert (Guilhem Moulin, 2016-03-05, 1 file)
* Amavis: use the LMTP protocol in the policy banks. (Guilhem Moulin, 2016-03-03, 1 file)
* Let's Encrypt (Guilhem Moulin, 2016-03-02, 12 files)
* cgit: Create cache directory /var/cache/cgit (Guilhem Moulin, 2016-03-02, 1 file)
* Ansible: Using bare variables is deprecated, and will be removed in a future release. (Guilhem Moulin, 2016-03-02, 4 files)
* More logcheck-database tweaks. (Guilhem Moulin, 2016-02-17, 1 file)
* s/ansible_ssh_/ansible_/ (Guilhem Moulin, 2016-02-12, 2 files)
* Upgrade playbooks to Ansible 2.0. (Guilhem Moulin, 2016-02-12, 23 files)
* Update all Fripost links from http:// to https://. (Guilhem Moulin, 2015-12-28, 3 files)
* Only install letsencrypt-tiny to the relevant hosts. (Guilhem Moulin, 2015-12-28, 2 files)
* Fix Let's Encrypt CAfile. (Guilhem Moulin, 2015-12-28, 1 file)
* Copy and install Let's Encrypt ACME client. (Guilhem Moulin, 2015-12-20, 1 file)
* Use the Let's Encrypt CA for our public certs. (Guilhem Moulin, 2015-12-20, 19 files)
* nginx: Move include.d/* to snippets/. (Guilhem Moulin, 2015-12-20, 12 files)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-12-15, 2 files)
* dovecot: remove !SSLv2 from ssl_cipher_list. (Guilhem Moulin, 2015-12-15, 1 file)
* nginx: s/conf.d/include.d/ (Guilhem Moulin, 2015-12-15, 7 files)
* wibble (Guilhem Moulin, 2015-12-09, 2 files)
* nginx: mv ssl/config conf.d/ssl (Guilhem Moulin, 2015-12-09, 7 files)
* typo (Guilhem Moulin, 2015-12-04, 1 file)
* Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the cert itself. (Guilhem Moulin, 2015-12-03, 4 files)
* Use a dedicated subdomain for ManageSieve. (Guilhem Moulin, 2015-12-03, 1 file)
* Automatically fetch X.509 certificates, and add them to git. (Guilhem Moulin, 2015-12-03, 7 files)