Lorenzo Villani
e7703d0d9c
Add support for Apache 2.4 on Ubuntu 14.04
vor 10 Jahren
Lorenzo Villani
e2e61a2f76
Install 'fuse' instead of 'fuse-utils'
The 'fuse-utils' package doesn't exist on Ubuntu 14.04 and is marked as a
transitional package on both Debian 7 and Ubuntu 12.04 that installs the
'fuse' package.
Since Debian 7 is the officially supported distribution we can safely
switch to install 'fuse' instead of 'fuse-utils' and we also gain
compatibility with Ubuntu 14.04.
vor 10 Jahren
Sven Neuhaus
63ba754eb7
libpam-google-authenticator uses distribution package on Ubuntu 14.04
vor 10 Jahren
Gelnior
7995bac36c
put back enc.fs (removed by mistake)
vor 10 Jahren
Gelnior
bd57edd5a5
newebe config: fix Newebe config file task
vor 10 Jahren
Justin Plock
1d7986fd96
Enable UFW and deny everything by default
Removed unused status checks on UFW
vor 10 Jahren
Justin Plock
ea0b288818
Moved ufw firewall rules into individual roles
vor 10 Jahren
Justin Plock
ed75c9469b
libpam-dev didn't exist for some people so switching to libpam0g-dev instead
vor 10 Jahren
Justin Plock
e88fb57cba
Skip the google authenticator generation if we're running as vagrant. Vagrant can't sudo to the sovereign test user so this won't work.
vor 10 Jahren
Justin Plock
2d751ab680
The .google_authenticator file has to be generated by the user that is going to attempt to use it. Also, -W doesn't seem to work (results an in INVALID_WINDOW error in /var/log/auth.log), so use -w 1 to allow for a single concurrent token
vor 10 Jahren
Justin Plock
c037dce07a
Clarified parameters are bit in a comment
vor 10 Jahren
Justin Plock
22a8717f6d
Automatically generate the Google authenticator file for the default user
vor 10 Jahren
Justin Plock
84c9febec7
Added Google Authenticator 2FA logins
vor 10 Jahren
Justin Plock
89f018bd23
In preparation for using any 2FA solution, it will most likely need to modify sshd_config, so let's change the file in place instead of overwriting it completely.
vor 10 Jahren
Justin Plock
9f918363b9
Set a ServerName for apache (fixes #187 )
vor 10 Jahren
Benjamin Reitzammer
d957760697
Making main user's shell configurable
vor 10 Jahren
Justin Plock
3b0308d69e
Allow both TCP and UDP port 53 for DNS lookups through OpenVPN
vor 10 Jahren
Joost Baaij
ae2e74bb79
make NTP pool configurable
use the world-wide pool by default, but specify north-america in
user.yml. Also, documentation. This way Sovereign will still behave the
same, but the NTP servers can be changed when desired.
vor 11 Jahren
Joost Baaij
4837d2e87a
extract NTP logic
vor 11 Jahren
Joost Baaij
715399a2f1
added pop3s and imaps ports to fail2ban.
Otherwise only pop and imap (un-secured) are blocked.
Which we don't use.
vor 11 Jahren
Joost Baaij
2033c37982
Enabled unattended-upgrades
This works on Debian/Ubuntu only.
There are similar packages for other distributions, but they still
need manual configuration. It seemed better to go for the common
denominator. unattended-upgrades is usually installed by default
anyway, so we are just reinforcing best practices.
vor 11 Jahren
Joost Baaij
335cef5c9f
Enabled POP3S for old-timeys who dig that
added dovecot-pop3d
allowed in the firewall
monitored with monit
added relevant tests
vor 11 Jahren
Joshua Lund
4ed07a1e0a
* Made the OpenVPN port and protocol (tcp/udp) configurable
* Added 'cipher' and 'auth' lines to the generated client configs
vor 11 Jahren
Mark Paschal
10aff54015
Only ban in response to fail2ban results
Don't mail them individually to the destemail. The destemail setting is thus no
longer used, but let's set it anyway to be clear where it will mail if you
change the action back.
vor 11 Jahren
Luke Cyca
4bc4cebf41
Explicit permissions for all cert files
vor 11 Jahren
Luke Cyca
76d52b63f3
XMPP cert handling improvements, ufw rules, and tests
vor 11 Jahren
Alex Payne
f7f7157cec
more updated variable formatting and accommodation of the YAML parser being a fussbudget
vor 11 Jahren
Alex Payne
34d7595c0b
ensure we can install from third-party repos across playbooks
vor 11 Jahren
Alex Payne
d28f0f82b9
move to non-deprecated template variable formatting
vor 11 Jahren
Luke Cyca
e46ad018ba
Improved test suite, rewritten in python
Added friendly_networks variable to denote whitelisted networks
vor 11 Jahren
Luke Cyca
2f145ce543
Two small apache-related fixes
vor 11 Jahren
Luke Cyca
08d6827755
New vagrant-based development environment
vor 11 Jahren
Luke Cyca
b1a3b8b67d
Use discovered IPv4 address
vor 11 Jahren
Luke Cyca
37a0400c22
Standardize apache’s 301 redirect to https, and enable HSTS
vor 11 Jahren
Luke Cyca
bdab1cd6b1
Reworked ufw logic to not use change_when keyword
because it's not available in a stable ansible release yet
vor 11 Jahren
Allen Riddell
5b8ba840a4
workaround ufw bug, call ufw enable twice
vor 11 Jahren
Allen Riddell
ae0d1ca8f4
Ignore ufw error resulting from known bug on Debian 7
In order to check the version of the linux distribution we need to
set `gather_facts` to True.
Closes #73 .
vor 11 Jahren
Luke Cyca
7043143f90
Improved idempotency and removed ip detection for checkrbl
vor 11 Jahren
Allen Riddell
88705bb7fa
Replace ferm with ufw
vor 11 Jahren
Bertrand Cachet
f43c57e132
fix(apticron): apticron emails are sent to root
Instead of sending email to {{ admin_email }} we send them to root user.
These emails will be redirected to the appropriate user via
mail_virtual_aliases variables
vor 11 Jahren
Bertrand Cachet
373cb4584b
add(apticron): configure email
Apticron is configured to send email to {{ admin_email }}
vor 11 Jahren
Bertrand Cachet
df802919f7
add(fail2ban): Add server IP address to ignore IP
ignoreip field inside /etc/fail2ban/jail.local is populated with
server_ip_address variable
vor 11 Jahren
Alex Payne
a9cabad947
Update etc_ferm_ferm.conf
vor 11 Jahren
Allen Riddell
580e3ef5c1
Don't open unused ports
Sovereign does not currently use jabber/xmpp or insecure smtp.
vor 11 Jahren
Greg Karékinian
58dddc55d1
Remove variables from roles
Refs #39
vor 11 Jahren
Luke Cyca
c697e135e9
Move NameVirtualHost directives to ports.conf
vor 11 Jahren
Alex Payne
f27442b678
move tarsnap to its own role
vor 11 Jahren
Luke Cyca
5beacea2d2
Absolute path for tarsnap
vor 11 Jahren
Luke Cyca
ca8a371320
Use combined cert for postfix, dovecot, and znc
Fix CAcert usage in postfix and dovecot
vor 11 Jahren
Alex Payne
65103923ec
Fix typo in firm task name
vor 11 Jahren