46 Commits (1d7986fd961e49a54d614c5888ce471d6091101c)

Author SHA1 Message Date
  Justin Plock 1d7986fd96 Enable UFW and deny everything by default 10 years ago
  Justin Plock ea0b288818 Moved ufw firewall rules into individual roles 10 years ago
  Justin Plock ed75c9469b libpam-dev didn't exist for some people so switching to libpam0g-dev instead 10 years ago
  Justin Plock e88fb57cba Skip the google authenticator generation if we're running as vagrant. Vagrant can't sudo to the sovereign test user so this won't work. 10 years ago
  Justin Plock 2d751ab680 The .google_authenticator file has to be generated by the user that is going to attempt to use it. Also, -W doesn't seem to work (results in an INVALID_WINDOW error in /var/log/auth.log), so use -w 1 to allow for a single concurrent token 10 years ago
  Justin Plock c037dce07a Clarified parameters are bit in a comment 10 years ago
  Justin Plock 22a8717f6d Automatically generate the Google authenticator file for the default user 10 years ago
  Justin Plock 84c9febec7 Added Google Authenticator 2FA logins 10 years ago
  Justin Plock 89f018bd23 In preparation for using any 2FA solution, it will most likely need to modify sshd_config, so let's change the file in place instead of overwriting it completely. 10 years ago
  Justin Plock 9f918363b9 Set a ServerName for apache (fixes #187) 10 years ago
  Benjamin Reitzammer d957760697 Making main user's shell configurable 10 years ago
  Justin Plock 3b0308d69e Allow both TCP and UDP port 53 for DNS lookups through OpenVPN 10 years ago
  Joost Baaij 4837d2e87a extract NTP logic 11 years ago
  Joost Baaij 2033c37982 Enabled unattended-upgrades 11 years ago
  Joost Baaij 335cef5c9f Enabled POP3S for old-timeys who dig that 11 years ago
  Joshua Lund 4ed07a1e0a * Made the OpenVPN port and protocol (tcp/udp) configurable 11 years ago
  Luke Cyca 4bc4cebf41 Explicit permissions for all cert files 11 years ago
  Luke Cyca 76d52b63f3 XMPP cert handling improvements, ufw rules, and tests 11 years ago
  Alex Payne f7f7157cec more updated variable formatting and accommodation of the YAML parser being a fussbudget 11 years ago
  Alex Payne 34d7595c0b ensure we can install from third-party repos across playbooks 11 years ago
  Alex Payne d28f0f82b9 move to non-deprecated template variable formatting 11 years ago
  Luke Cyca 2f145ce543 Two small apache-related fixes 11 years ago
  Luke Cyca 37a0400c22 Standardize apache’s 301 redirect to https, and enable HSTS 11 years ago
  Luke Cyca bdab1cd6b1 Reworked ufw logic to not use change_when keyword 11 years ago
  Allen Riddell 5b8ba840a4 workaround ufw bug, call ufw enable twice 11 years ago
  Allen Riddell ae0d1ca8f4 Ignore ufw error resulting from known bug on Debian 7 11 years ago
  Luke Cyca 7043143f90 Improved idempotency and removed ip detection for checkrbl 11 years ago
  Allen Riddell 88705bb7fa Replace ferm with ufw 11 years ago
  Bertrand Cachet 373cb4584b add(apticron): configure email 11 years ago
  Luke Cyca c697e135e9 Move NameVirtualHost directives to ports.conf 11 years ago
  Alex Payne f27442b678 move tarsnap to its own role 11 years ago
  Luke Cyca 5beacea2d2 Absolute path for tarsnap 11 years ago
  Luke Cyca ca8a371320 Use combined cert for postfix, dovecot, and znc 11 years ago
  Alex Payne 65103923ec Fix typo in firm task name 11 years ago
  Luke Cyca 7e2ce80a25 Update apt repo and upgrade safe packages 11 years ago
  Luke Cyca 09c8fcb295 Named all tasks and made them idempotent where possible 11 years ago
  Luke Cyca 6168cd68d0 Automate encfs setup and name mount point more appropriately 11 years ago
  Luke Cyca 12d42ad38a Configure sshd_config to disable PermitRootLogin and PasswordAuthentication 11 years ago
  Luke Cyca 921cebb41d Fix invalid service state 11 years ago
  Luke Cyca 5920b17609 Remove usergroup because debian adds it by default as the primary group 11 years ago
  Henrik Hodne a844401d7c tarsnap: Only run cron job once per day. 11 years ago
  Alex Payne 080d38986c first commit 11 years ago