Mike Ashley
1746afcc3a
Arrange automated tests to not use Let's Encrypt
9 years ago
Mike Ashley
8f1b6a9ed8
Arrange for services to restart on cert renewal
9 years ago
Mike Ashley
65729d12f8
Update xmpp role for LE certificate
9 years ago
Mike Ashley
7bb523950e
Draft design description for Let's Encrypt support
9 years ago
Mike Ashley
8e1d473027
Use Let's Encrypt for generating site certificates
This method uses Subjective Alternative Names (SANs) to get one
certificate for all the subdomains that Sovereign employs, whether or
not the user configured their site with the roles.
9 years ago
Mike Ashley
7f46129a4c
Remove use of wildcard certificate
9 years ago
Mike Ashley
195d8811fc
Remove references to Trusty and Wheezy
Make a clean distinction between Debian 7 and Debian 8. Anticipate the
next Ubuntu LTS release (Xenial) that is planned for support.
8 years ago
Mike Ashley
d3abc02f84
Clean up Apache SSL configuration
Avoid using the Include directive. Move most of the SSL configuration
to the global configuration and leave enabling the SSL engine to each
virtual host that wants to use it.
8 years ago
fengor
e63661f982
Added "UseRoaming no" to ssh.config to fix OpenSSH: client bugs CVE-2016-0777 and CVE-2016-0778
see: http://undeadly.org/cgi?action=article&sid= 2016011414
8 years ago
Sebastian Kriems
fe536873b7
ufw tasks shall have the ufw tag
resolves #453
Conflicts:
roles/common/tasks/ufw.yml
9 years ago
Dan Milon
829c8491c7
restart apache on SSL changes
9 years ago
Dan Milon
a5c6f663ce
properly install changed SSL certificate
9 years ago
Sven Neuhaus
d59c5eff05
Generate 2048 DH group and add it to Postfix
9 years ago
Dan Milon
2fb7cfa7c9
Add SSL stapling cache for apache
Fixes #406
9 years ago
Laurent Arnoud
1419c4e26e
Use common_timezone and fix idempotence
Thanks-to: 8e693b3db3
Conflicts:
roles/common/tasks/main.yml
9 years ago
Alex Payne
0579cf1ba9
Use same Apache server name configuration across distros
9 years ago
Alex Payne
290a3b4312
Remove wheezy-specific Apache SSL config omission
9 years ago
Alex Payne
474c1d5f92
No longer need `fuse` group in Jessie.
9 years ago
Alex Payne
6906412f63
Remove wheezy-specific ufw task.
9 years ago
Alex Payne
6d1eebb9d2
Use Ansible task names, not comments.
9 years ago
Alex Payne
c9b32cd2e2
Same Google auth install should work for both Jessie and Trusty.
Move Apache task to their own file.
9 years ago
Alex Payne
006f8e9b82
Just plain Ruby
9 years ago
Laurent Arnoud
a09e2e71c1
tar used in place of unarchive module
9 years ago
Laurent Arnoud
311fae7e11
Trailing whitespace
9 years ago
Laurent Arnoud
3b8f15b745
Added whois for fail2ban report
Report will print: "missing whois program"
9 years ago
Will McCutchen
1be1afe1ff
Disable SSL stapling on wheezy
9 years ago
Will McCutchen
16b66cc849
Define apache SSL config in one place
9 years ago
Manfred Touron
16c93ea486
Using more verbose 'dependencies' tag (#393 )
9 years ago
Manfred Touron
b49f3a6586
Tagged 'deps' aptitude tasks
9 years ago
Laurent Arnoud
353e69d299
Remove duplication with items unattended upgrades
9 years ago
Laurent Arnoud
89d47731ff
Add molly-guard and unattended-upgrades as common pkgs
9 years ago
Alex Payne
b11fb68559
Automatically set up passwordless sudo for deploy user.
Closes #343 .
9 years ago
Aleksandr Bogdanov
a849948e8d
Choosing the closest ubuntu mirror before anything else
10 years ago
Sven Neuhaus
ae58053653
Create /decrypted directory even if encfs is not used.
Helps with issue #120 .
9 years ago
Sven Neuhaus
d5217ea1cd
Create main user without "fuse" group, instead add it later as part
of the "encfs" tag. This allows the user to make encfs optional.
Helps with issue #120 .
9 years ago
Marius Voila
b13ab39f11
cleaning security.yml
10 years ago
fengor
7ed46f590c
renamed templates to be consistent with coding standard.
removed comment line in ssh_config
10 years ago
Marius Voila
ec69fef60c
removed old template
10 years ago
Marius Voila
2ae2c3683c
removed template and implemented logic
10 years ago
fengor
2fd1e1b722
readded google authenticator lines
10 years ago
fengor
224e8cb339
Setting timezone to UTC
10 years ago
fengor
39566abb6c
More secure defaults for ssh.
Ciphers, Kex and MAC can be set via defaults.var
10 years ago
Marius Voila
67e1bf0fc3
fail2ban support for Trusty
10 years ago
Marius Voila
e62bd7c71a
fail2ban support for Trusty
10 years ago
Anthony Perez-sanz
cdf9ed07bb
Enable UFW after setting firewall rules
On fresh installs of Debian 7.6, the current order of steps will lock you
out of SSH. This will enable UFW after creating rules for http, https, ssh,
and DNS. Fix comes from @Debugreality in issue #303 :
https://github.com/al3x/sovereign/issues/303
10 years ago
Lorenzo Villani
5d1090d488
Make sure fail2ban is started
10 years ago
Lorenzo Villani
d5ecf673d3
Calm OCD by sorting almost every with_items block in alphabetical order
10 years ago
Lorenzo Villani
e7703d0d9c
Add support for Apache 2.4 on Ubuntu 14.04
10 years ago
Lorenzo Villani
e2e61a2f76
Install 'fuse' instead of 'fuse-utils'
The 'fuse-utils' package doesn't exist on Ubuntu 14.04 and is marked as a
transitional package on both Debian 7 and Ubuntu 12.04 that installs the
'fuse' package.
Since Debian 7 is the officially supported distribution we can safely
switch to install 'fuse' instead of 'fuse-utils' and we also gain
compatibility with Ubuntu 14.04.
10 years ago
Sven Neuhaus
63ba754eb7
libpam-google-authenticator uses distribution package on Ubuntu 14.04
10 years ago