* Update OpenVPN role to generate self-contained "unified" .ovpn
profiles
* The role now generates .ovpn profiles with embedded CA, certificate,
key, and HMAC firewall key information. These .ovpn profiles are
compatible with OpenVPN for iOS and Android, and only a single file
needs to be transferred to your mobile device.
* Added explicit route information to the .ovpn profile
The .google_authenticator file has to be generated by the user that is going to attempt to use it. Also, -W doesn't seem to work (results an in INVALID_WINDOW error in /var/log/auth.log), so use -w 1 to allow for a single concurrent token
In preparation for using any 2FA solution, it will most likely need to modify sshd_config, so let's change the file in place instead of overwriting it completely.
Data loss will occur if backing up postgresql while it runs. A simple
fix is to stop it during the backup. I've moved the backup to early
morning to reduce possible downtime.
A better approach would be to use pg_dump.
The previous behaviour relied on managesieve copying over the
.dovecot.sieve file into the user's directory. I found this to be
particularly fragile. For instance, re-deploying roundcube without
dovecot could overwrite the .dovecot.sieve symlink and break
managesieve.
A better approach is to use the global sieve configuration that
roundcube provides and not mess with dovecot's files directly.
I had a # in my mail_db_password and spent the last 2 hours trying to figure out why I couldn't connect by IMAP. A # is only allowed if the connect string is wrapped in quotes.
Fixes issue #8. Adds new variable mail_header_privacy, on by default.
Installs postfix-pcre unconditionally, and then copies the pcre file
over and adds the header check to main.cf based on the variable value.
“this header replacement works great, but it logs that the replacement
has been done, which means that you are storing this information,
unless you are anonymizing your logs”
use the world-wide pool by default, but specify north-america in
user.yml. Also, documentation. This way Sovereign will still behave the
same, but the NTP servers can be changed when desired.
This works on Debian/Ubuntu only.
There are similar packages for other distributions, but they still
need manual configuration. It seemed better to go for the common
denominator. unattended-upgrades is usually installed by default
anyway, so we are just reinforcing best practices.