Commit message (Collapse) | Author | Age | Files | ||
---|---|---|---|---|---|
... | |||||
* | genkeypair, gendhparam: use -rand /dev/urandom when generating keys or DH ↵ | Guilhem Moulin | 2016-05-22 | 2 | |
| | | | | parameters. | ||||
* | Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 15 | |
| | |||||
* | Fix munin-cgi-graph systemd service file. | Guilhem Moulin | 2016-05-22 | 2 | |
| | | | | By allowing to place graphs into /var/lib/munin/cgi-tmp/munin-cgi-graph. | ||||
* | Tunnel munin-update traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 11 | |
| | |||||
* | Tunnel internal NTP traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 2 | |
| | | | | | | | More precisely, between our NTP-master (stratum 1) host and the other machines (all stratum 2). Providing authentification and integrity for internal NTP traffic ensures a consistent time within our internal infrastructure. | ||||
* | Set up IPSec tunnels between each pair of hosts. | Guilhem Moulin | 2016-05-22 | 13 | |
| | | | | | | | | | | | | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | ||||
* | postfix: master.cf wibble | Guilhem Moulin | 2016-05-18 | 1 | |
| | |||||
* | postfix: Update to recommended TLS settings. | Guilhem Moulin | 2016-05-18 | 7 | |
| | | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | ||||
* | postfix: unset 'smtpd_tls_session_cache_database'. | Guilhem Moulin | 2016-05-18 | 5 | |
| | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935 | ||||
* | Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. | Guilhem Moulin | 2016-05-18 | 8 | |
| | | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out. | ||||
* | postfix: disable weak ciphers for the 'encrypt' TLS security level. | Guilhem Moulin | 2016-05-18 | 3 | |
| | | | | That is, on the MSA and in our local infrastructure. | ||||
* | Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵ | Guilhem Moulin | 2016-05-18 | 13 | |
| | | | | | | locally. And use this to fetch all X.509 leaf certificates. | ||||
* | dovecot imapc: wibble | Guilhem Moulin | 2016-05-17 | 2 | |
| | |||||
* | roundube: Pin X.509 certificate for sieve.fripost.org:4190. | Guilhem Moulin | 2016-05-17 | 2 | |
| | |||||
* | bacula: Set heartbeat options. | Guilhem Moulin | 2016-05-12 | 6 | |
| | | | | and also TCP keepalive options in the stunnel config. | ||||
* | bacula-sd: wibble | Guilhem Moulin | 2016-05-12 | 1 | |
| | |||||
* | bacula-dir: Fix Reschedule Interval from 17 months to 17 mins. | Guilhem Moulin | 2016-05-12 | 1 | |
| | |||||
* | MySQL: set flush InnoDB flush method to 'O_DIRECT' | Guilhem Moulin | 2016-05-12 | 1 | |
| | |||||
* | Add hardening options to our systemd unit files. | Guilhem Moulin | 2016-05-12 | 6 | |
| | |||||
* | Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 26 | |
| | |||||
* | Roundcube's CSP: remove 'upgrade-insecure-requests' and ↵ | Guilhem Moulin | 2016-04-08 | 1 | |
| | | | | 'block-all-mixed-content'. | ||||
* | Roundcube's CSP: allow loading images from data: URIs and arbitrary URLs. | Guilhem Moulin | 2016-04-07 | 1 | |
| | | | | Per user request: https://wiki.fripost.org/tracker/CSP_too_strict/ | ||||
* | nginx: update ssl_ciphers to follow Mozilla's TLS server recommendation. | Guilhem Moulin | 2016-04-02 | 1 | |
| | | | | https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate | ||||
* | Set frame-ancestors from 'none' to 'self' in roundcube's CSP. | Guilhem Moulin | 2016-04-02 | 1 | |
| | |||||
* | wibble | Guilhem Moulin | 2016-04-02 | 3 | |
| | |||||
* | Set a HPKP on the webmail, website/wiki/git and list manager. | Guilhem Moulin | 2016-04-01 | 5 | |
| | |||||
* | Set a CSP on the webmail, website/wiki and list manager. | Guilhem Moulin | 2016-04-01 | 5 | |
| | |||||
* | sysctl: don't set IPv6 privacy extensions globaly. | Guilhem Moulin | 2016-04-01 | 1 | |
| | |||||
* | sysctl: set net.ipv6.conf.all.accept_ra = 0. | Guilhem Moulin | 2016-03-30 | 1 | |
| | |||||
* | Set HTTP security headers. | Guilhem Moulin | 2016-03-30 | 9 | |
| | | | | See https://securityheaders.io . | ||||
* | Replace LE's X1 intermediate CA with X3 since the latter has better support ↵ | Guilhem Moulin | 2016-03-28 | 1 | |
| | | | | for XP. | ||||
* | munin-master CGI: add application-level ACLs to keep non-local users at bay. | Guilhem Moulin | 2016-03-21 | 1 | |
| | |||||
* | Remove SMTP message size limit on non public MTAs. | Guilhem Moulin | 2016-03-21 | 3 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-03-13 | 1 | |
| | |||||
* | Let's Encrypt: Only reload (as opposed to restart) postfix/nginx after ↵ | Guilhem Moulin | 2016-03-05 | 1 | |
| | | | | renewing the cert | ||||
* | Amavis: use the LMTP protocol in the policy banks. | Guilhem Moulin | 2016-03-03 | 1 | |
| | |||||
* | Let's Encrypt | Guilhem Moulin | 2016-03-02 | 12 | |
| | |||||
* | cgit: Create cache directory /var/cache/cgit | Guilhem Moulin | 2016-03-02 | 1 | |
| | |||||
* | Ansible: Using bare variables is deprecated, and will be removed in a future ↵ | Guilhem Moulin | 2016-03-02 | 4 | |
| | | | | release. | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-02-17 | 1 | |
| | |||||
* | s/ansible_ssh_/ansible_/ | Guilhem Moulin | 2016-02-12 | 2 | |
| | |||||
* | Upgrade playbooks to Ansible 2.0. | Guilhem Moulin | 2016-02-12 | 23 | |
| | |||||
* | Update all Fripost links from http:// to https://. | Guilhem Moulin | 2015-12-28 | 3 | |
| | |||||
* | Only install letsencrypt-tiny to the relevant hosts. | Guilhem Moulin | 2015-12-28 | 2 | |
| | |||||
* | Fix Let's Encrypt CAfile. | Guilhem Moulin | 2015-12-28 | 1 | |
| | |||||
* | Copy and install Let's Encrypt ACME client. | Guilhem Moulin | 2015-12-20 | 1 | |
| | |||||
* | Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 19 | |
| | |||||
* | nginx: Move include.d/* to snippets/. | Guilhem Moulin | 2015-12-20 | 12 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-12-15 | 2 | |
| | |||||
* | dovecot: remove !SSLv2 from ssl_cipher_list. | Guilhem Moulin | 2015-12-15 | 1 | |
| |