Sven Neuhaus
63ba754eb7
libpam-google-authenticator uses distribution package on Ubuntu 14.04
10 years ago
Gelnior
7995bac36c
put back enc.fs (removed by mistake)
10 years ago
Gelnior
bd57edd5a5
newebe config: fix Newebe config file task
10 years ago
Justin Plock
1d7986fd96
Enable UFW and deny everything by default
Removed unused status checks on UFW
10 years ago
Justin Plock
ea0b288818
Moved ufw firewall rules into individual roles
10 years ago
Justin Plock
ed75c9469b
libpam-dev didn't exist for some people so switching to libpam0g-dev instead
10 years ago
Justin Plock
e88fb57cba
Skip the google authenticator generation if we're running as vagrant. Vagrant can't sudo to the sovereign test user so this won't work.
10 years ago
Justin Plock
2d751ab680
The .google_authenticator file has to be generated by the user that is going to attempt to use it. Also, -W doesn't seem to work (results an in INVALID_WINDOW error in /var/log/auth.log), so use -w 1 to allow for a single concurrent token
10 years ago
Justin Plock
c037dce07a
Clarified parameters are bit in a comment
10 years ago
Justin Plock
22a8717f6d
Automatically generate the Google authenticator file for the default user
10 years ago
Justin Plock
84c9febec7
Added Google Authenticator 2FA logins
10 years ago
Justin Plock
89f018bd23
In preparation for using any 2FA solution, it will most likely need to modify sshd_config, so let's change the file in place instead of overwriting it completely.
10 years ago
Justin Plock
9f918363b9
Set a ServerName for apache (fixes #187 )
10 years ago
Benjamin Reitzammer
d957760697
Making main user's shell configurable
10 years ago
Justin Plock
3b0308d69e
Allow both TCP and UDP port 53 for DNS lookups through OpenVPN
10 years ago
Joost Baaij
ae2e74bb79
make NTP pool configurable
use the world-wide pool by default, but specify north-america in
user.yml. Also, documentation. This way Sovereign will still behave the
same, but the NTP servers can be changed when desired.
11 years ago
Joost Baaij
4837d2e87a
extract NTP logic
11 years ago
Joost Baaij
715399a2f1
added pop3s and imaps ports to fail2ban.
Otherwise only pop and imap (un-secured) are blocked.
Which we don't use.
11 years ago
Joost Baaij
2033c37982
Enabled unattended-upgrades
This works on Debian/Ubuntu only.
There are similar packages for other distributions, but they still
need manual configuration. It seemed better to go for the common
denominator. unattended-upgrades is usually installed by default
anyway, so we are just reinforcing best practices.
11 years ago
Joost Baaij
335cef5c9f
Enabled POP3S for old-timeys who dig that
added dovecot-pop3d
allowed in the firewall
monitored with monit
added relevant tests
11 years ago
Joshua Lund
4ed07a1e0a
* Made the OpenVPN port and protocol (tcp/udp) configurable
* Added 'cipher' and 'auth' lines to the generated client configs
11 years ago
Mark Paschal
10aff54015
Only ban in response to fail2ban results
Don't mail them individually to the destemail. The destemail setting is thus no
longer used, but let's set it anyway to be clear where it will mail if you
change the action back.
11 years ago
Luke Cyca
4bc4cebf41
Explicit permissions for all cert files
11 years ago
Luke Cyca
76d52b63f3
XMPP cert handling improvements, ufw rules, and tests
11 years ago
Alex Payne
f7f7157cec
more updated variable formatting and accommodation of the YAML parser being a fussbudget
11 years ago
Alex Payne
34d7595c0b
ensure we can install from third-party repos across playbooks
11 years ago
Alex Payne
d28f0f82b9
move to non-deprecated template variable formatting
11 years ago
Luke Cyca
e46ad018ba
Improved test suite, rewritten in python
Added friendly_networks variable to denote whitelisted networks
11 years ago
Luke Cyca
2f145ce543
Two small apache-related fixes
11 years ago
Luke Cyca
08d6827755
New vagrant-based development environment
11 years ago
Luke Cyca
b1a3b8b67d
Use discovered IPv4 address
11 years ago
Luke Cyca
37a0400c22
Standardize apache’s 301 redirect to https, and enable HSTS
11 years ago
Luke Cyca
bdab1cd6b1
Reworked ufw logic to not use change_when keyword
because it's not available in a stable ansible release yet
11 years ago
Allen Riddell
5b8ba840a4
workaround ufw bug, call ufw enable twice
11 years ago
Allen Riddell
ae0d1ca8f4
Ignore ufw error resulting from known bug on Debian 7
In order to check the version of the linux distribution we need to
set `gather_facts` to True.
Closes #73 .
11 years ago
Luke Cyca
7043143f90
Improved idempotency and removed ip detection for checkrbl
11 years ago
Allen Riddell
88705bb7fa
Replace ferm with ufw
11 years ago
Bertrand Cachet
f43c57e132
fix(apticron): apticron emails are sent to root
Instead of sending email to {{ admin_email }} we send them to root user.
These emails will be redirected to the appropriate user via
mail_virtual_aliases variables
11 years ago
Bertrand Cachet
373cb4584b
add(apticron): configure email
Apticron is configured to send email to {{ admin_email }}
11 years ago
Bertrand Cachet
df802919f7
add(fail2ban): Add server IP address to ignore IP
ignoreip field inside /etc/fail2ban/jail.local is populated with
server_ip_address variable
11 years ago
Alex Payne
a9cabad947
Update etc_ferm_ferm.conf
11 years ago
Allen Riddell
580e3ef5c1
Don't open unused ports
Sovereign does not currently use jabber/xmpp or insecure smtp.
11 years ago
Greg Karékinian
58dddc55d1
Remove variables from roles
Refs #39
11 years ago
Luke Cyca
c697e135e9
Move NameVirtualHost directives to ports.conf
11 years ago
Alex Payne
f27442b678
move tarsnap to its own role
11 years ago
Luke Cyca
5beacea2d2
Absolute path for tarsnap
11 years ago
Luke Cyca
ca8a371320
Use combined cert for postfix, dovecot, and znc
Fix CAcert usage in postfix and dovecot
11 years ago
Alex Payne
65103923ec
Fix typo in firm task name
11 years ago
Luke Cyca
7e2ce80a25
Update apt repo and upgrade safe packages
11 years ago
Luke Cyca
cf9d8350dd
Fix ssh handler typo
11 years ago