Changed tarsnap.sh to not shut down postgresql, instead use the pg_dumpall command to create a .sql backup file in /decrypted/. Much better than shutting down the entire db server.
This change set builds collectd from source and configures it in one of
the following ways:
- If Librato credentials are present, collectd will be configured to
send data points to Librato using the collectd-librato plugin.
- If no Librato credentials are present, collectd will be configured to
write RRD files locally (/opt/collectd/var/lib/collectd/rrd by default).
Added rules for dealing with old virtualhost files in
/etc/apache2/sites-available and old (dangling) symlinks in
/etc/apaches/sites-enabled.
Also, remove unnecessary apache2 restart after creating a new
virtualhost but not yet enabling it.
* Postfix: Trusty comes with postgresql 9.3, not 9.1
* owncloud 6.0.1 is part of the distribution, doesn't require opensuse repository
* owncloud requires libapache2-mod-php5
* uses prosody repository that matches the ansible_distribution_release (trusty, wheezy, etc)
The virtual site files must be owned by root (serious security issue)
and they must have the .conf filename suffix for a2ensite on
Ubuntu 14.04LTS (apache 2.4.7).
On Ubuntu 14.04 LTS, a2ensite automatically appends ".conf" to the filename it looks for in /etc/apache2/sites-available/
Therefore, the file "/etc/apache2/sites-available/roundcube" must be renamed to
"/etc/apache2/sites-available/roundcube.conf".
Security issue:
This file must be owned by root, otherwise it is a huge security issue (User www-data could modify the file and get root at next restart of apache).
* Update OpenVPN role to generate self-contained "unified" .ovpn
profiles
* The role now generates .ovpn profiles with embedded CA, certificate,
key, and HMAC firewall key information. These .ovpn profiles are
compatible with OpenVPN for iOS and Android, and only a single file
needs to be transferred to your mobile device.
* Added explicit route information to the .ovpn profile
The .google_authenticator file has to be generated by the user that is going to attempt to use it. Also, -W doesn't seem to work (results an in INVALID_WINDOW error in /var/log/auth.log), so use -w 1 to allow for a single concurrent token
In preparation for using any 2FA solution, it will most likely need to modify sshd_config, so let's change the file in place instead of overwriting it completely.