summaryrefslogtreecommitdiffstats
path: root/roles
Commit message (Collapse)AuthorAgeFiles
* Fix logcheck.logfiles permissions.HEADmasterGuilhem Moulin3 days1
| | | | Regression from 0c5664f27d84c6d616b2c2fb0812aad94c4185af.
* Adjust nextcloud nginx and PHP-FPM config for bookworm.Guilhem Moulin3 days4
|
* Update charon.conf for bookworm.Guilhem Moulin3 days1
|
* Update logcheck database.Guilhem Moulin3 days4
|
* Resolver: Use systemd-resolved.Guilhem Moulin3 days5
|
* Set dmarc_protection_mode=all from dmarc_any.Guilhem Moulin2024-10-181
| | | | | Cf. https://www.sympa.community/gpldoc/man/sympa_config.5.html#dmarc_protection and https://sympa-community.github.io/manual/customize/dmarc-protection.html .
* LDAP: Rotate soon-to-be expired key material.Guilhem Moulin2024-09-083
| | | | | Also, switch from rsa4096 to ed25519 and use a separate key for each syncrepl.
* Fail2ban: Remove obsolete filter dovecot.conf.Guilhem Moulin2024-09-081
|
* Nextcloud: Tweak opcache settings.Guilhem Moulin2024-09-081
|
* Nextcloud: Upgrade backend to PHP7.4.Guilhem Moulin2024-09-084
|
* wibbleGuilhem Moulin2024-09-081
|
* Firewall: Harden IPsec configuration by pining the reqids.Guilhem Moulin2024-09-082
|
* OpenDMARC: Adjust configuration to bullseye.Guilhem Moulin2024-09-081
|
* Sympa: Default to dmarc_protection_mode=dmarc_reject.Guilhem Moulin2024-09-081
|
* Sympa: Update Content-Security-Policy.Guilhem Moulin2024-09-081
|
* APT: Prepare config bump to Debian 12.Guilhem Moulin2024-09-082
|
* logcheck-database update.Guilhem Moulin2024-09-082
|
* typofixGuilhem Moulin2024-09-081
|
* DKIM key generation: Adjust ownership.Guilhem Moulin2024-09-081
| | | | | As of bullseye amavis needs the private key material to be reabled by the 'amavis' user.
* MSA: Set smtpd_forbid_bare_newline to defeat SMTP smuggling attacks.Guilhem Moulin2024-09-081
|
* IMAP: Adjust dovecot configuration to bullseye.Guilhem Moulin2024-09-0812
| | | | | | | Provisioning /etc/dovecot/conf.d/*.conf is a pain on upgrade so we consolidate that by reverting these files to the distro-provided ones and shipping a single /etc/dovecot/conf.d/99-local.conf override instead.
* Roundcube: Set $config['max_recipients'] = 15 to avoid timeout.Guilhem Moulin2024-09-081
| | | | Cf. msgid=<ZFe5tjHTGbVemNTD@fripost.org>
* Don't take roundcube from backports.Guilhem Moulin2024-09-081
|
* Webmail: Upgrade backend to PHP7.4.Guilhem Moulin2024-09-084
|
* Sympa: Enable French support.Guilhem Moulin2024-06-121
| | | | Cf. msgid=<c368f04c-b8d1-4623-98f0-b6a3b724f90d@dubre.me>.
* Nextcloud: Set ‘X-Robots-Tag: noindex, nofollow’.Guilhem Moulin2023-03-261
| | | | Per upstream recommendation at https://cloud.fripost.org/settings/admin/overview .
* Sympa: Update robot.conf to fix HTTP 421 on virtual hosts.Guilhem Moulin2023-01-133
| | | | | | See https://github.com/sympa-community/sympa/issues/879 , https://www.sympa.community/manual/upgrade/notes.html#from-version-prior-to-6256 and https://www.sympa.community/gpldoc/man/sympa_config.5.html#wwsympa_url_local .
* Improve Debian 11's fail2ban rules.Guilhem Moulin2022-12-187
|
* Port baseline to Debian 11 (codename Bullseye).Guilhem Moulin2022-10-1323
|
* openldap module: Fix python3's bytes vs str mismatch.Guilhem Moulin2022-10-111
|
* Remove module ‘mysql_user2’.Guilhem Moulin2022-10-114
| | | | These days upstream's ‘mysql_user’ is good enough.
* Roundcube: managesieve: Disable ‘reject’ and ‘ereject’ extensions.Guilhem Moulin2022-10-111
|
* clamav-freshclam: Remove ‘SafeBrowsing’ option.Guilhem Moulin2022-10-111
|
* logcheck-database update.Guilhem Moulin2022-10-113
|
* postfix: Adjust anonymize_sender.pcre.Guilhem Moulin2022-10-111
|
* dovecot: Bump VSZ to 1G.Guilhem Moulin2022-10-111
|
* Prefix ‘ipaddr’ and ‘ipv4’ with ‘ansible.utils.’.Guilhem Moulin2022-10-1111
| | | | | | | This silences the following deprecation warning: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
* Nextcloud: Adapt configuration to v21.Guilhem Moulin2021-05-232
|
* Rename '_lacme' user to '_lacme-client'.Guilhem Moulin2021-02-242
| | | | For a smooth upgrade to Bullseye's lacme 0.8-1.
* logcheck-database update.Guilhem Moulin2021-02-131
| | | | ansible 2.10.7 uses "ansible-ansible.legacy.stat: Invoked with […]".
* Don't restart amavis on DKIM key generation.Guilhem Moulin2021-02-131
| | | | | We want to give people the time add the key to DNS before we update the signing policy.
* munin: Skip ntp_* plugins when ntpq(1) is missing.Guilhem Moulin2021-02-061
|
* Roundcube: Fix favicon path.Guilhem Moulin2021-01-271
|
* Roundcube: Serve assets pre-compressed when possible.Guilhem Moulin2021-01-271
| | | | See https://salsa.debian.org/roundcube-team/roundcube/-/commit/f1e89494e8b777d69564e67f2d8b47ac84eb02f4 .
* Roundcube: Change document root to /var/lib/roundcube/public_html.Guilhem Moulin2021-01-271
| | | | Per https://salsa.debian.org/roundcube-team/roundcube/commit/7df02624eec4857053432d8ebe9b4e2b36f22bc5 .
* Postfix: pin key material to our MX:es for fripost.org and its subdomains.Guilhem Moulin2021-01-266
| | | | | | | | | | | | | | | | | | | | | | | | | | This solves an issue where an attacker would strip the STARTTLS keyword from the EHLO response, thereby preventing connection upgrade; or spoof DNS responses to route outgoing messages to an attacker-controlled SMTPd, thereby allowing message MiTM'ing. With key material pinning in place, smtp(8postfix) immediately aborts the connection (before the MAIL command) and places the message into the deferred queue instead: postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified) This applies to the smarthost as well as for verification probes on the Mail Submission Agent. Placing message into the deferred queue might yield denial of service, but we argue that it's better than a privacy leak. This only covers *internal messages* (from Fripost to Fripost) though: only messages with ‘fripost.org’ (or a subdomain of such) as recipient domain. Other domains, even those using mx[12].fripost.org as MX, are not covered. A scalable solution for arbitrary domains would involve either DANE and TLSA records, or MTA-STS [RFC8461]. Regardless, there is some merit in hardcoding our internal policy (when the client and server are both under our control) in the configuration. It for instance enables us to harden TLS ciphers and protocols, and makes the verification logic independent of DNS.
* nginx: Update trusted certificate used for OCSP stapling.Guilhem Moulin2020-12-051
| | | | See https://bugs.debian.org/975862 .
* Firewall: Always include 172.16.0.0/12 to the bogon list.Guilhem Moulin2020-11-151
| | | | | Our IPsec subnet is in that subnet but the setup won't deal well with subnet overlap so it's best to explicitely not support NATed machines with an IP in 172.16.0.0/12.
* Firewall: Add counter to dropped ICMP packets.Guilhem Moulin2020-11-151
|
* rkhunter: workaround for mix usrmerge/non-usrmerge environments.Guilhem Moulin2020-11-151
| | | | See https://bugs.debian.org/932594#15 .
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-31 03:01:03 +0000