Branch: master
Commits on Sep 6, 2019
  1. [debops.dhcpd] Secure dhcpd configuration

    imrejonk committed Sep 6, 2019
    The dhcpd.conf file used to be world-readable, which is a security
    issue when nsupdate keys are stored in this file (see dhcpd_keys
    variable). This change sets the file mode of the dhcpd configuration
    files (/etc/default/isc-dhcp-server and /etc/dhcp/dhcpd.conf under
    Debian) to 0640.
Commits on Sep 4, 2019
  1. [debops-init] PEP-8

    imrejonk committed Sep 4, 2019
  2. Update CHANGELOG.rst

    imrejonk committed Sep 4, 2019
  3. [debops-init] Automatically create .gitattributes

    imrejonk committed Sep 4, 2019
    This file is used with git-crypt. It's commented out by default.
  4. [docs] Add git-crypt to additional software list

    imrejonk committed Sep 4, 2019
Commits on Aug 16, 2019
  1. [debops.roundcube] Add role to Mail Services index

    imrejonk committed Aug 16, 2019
  2. [debops.roundcube] Add role to role index

    imrejonk committed Aug 16, 2019
Commits on Aug 14, 2019
  1. [debops.dnsmasq] do not open bootps TCP port

    imrejonk committed Aug 14, 2019
    Default /etc/services in Debian 10 no longer contains 'bootps 67/udp',
    causing ferm restarts to fail. BOOTP RFCs don't mention the word TCP so
    this is probably a safe change.
Commits on Aug 8, 2019
  1. [docs] Add pyOpenSSL to required Python packages

    imrejonk committed Aug 8, 2019
    pyOpenSSL is required for debops.opendkim
Commits on Jul 29, 2019
  1. [debops.docker_server] Change TCP listen variable

    imrejonk committed Jul 29, 2019
    This change turns listening on a TCP port off by default, even if
    `debops.pki` is enabled. This is a security measure; it should prevent
    administrators from unknowingly leaving the Docker TCP port open.
    
    Closes #871
Commits on Jul 27, 2019
  1. [debops.nginx] No longer limit HTTP methods

    imrejonk committed Jul 27, 2019
    HTTP request methods used to be limited to GET, HEAD and POST by
    default on PHP-enabled websites. This caused REST API calls to break.
    This commit changes that behaviour so that there are no limits applied
    by default. The user can set their own request method whitelist in the
    ``item.php_limit_except`` parameter.
    
    Closes #935
Commits on Jul 19, 2019
  1. [debops.ldap] Consider DNS NODATA response

    imrejonk committed Jul 19, 2019
    This change makes sure that the `debops.ldap` role falls back to using
    '[ "ldap." + ldap__domain ]' as ldap__servers when the Ansible dig
    lookup returns an empty (NODATA) response.
    
    Closes: #905
Commits on Jun 11, 2019
  1. [debops.docker_server] apply feedback from drybjed

    imrejonk committed Jun 11, 2019
    - documentation fixes
    - indentation
    - rename fact file to docker_server.fact
    - add debops.docker_server to GitLab CI pipeline
  2. [debops.docker_server] finish role rename

    imrejonk committed Jun 11, 2019
    The debops.docker role has been renamed to debops.docker_server in
    preparation for adding a role that will provide client functionality like
    network and container management.
Commits on May 21, 2019
  1. [debops.docker_gen] update changelog and watchfile

    imrejonk committed May 21, 2019
  2. [multiple roles] add NCSC-NL cipher suite

    imrejonk committed May 21, 2019
    The Dutch National Cyber Security Centre published updated TLS
    guidelines last month. This version was created in collaboration with
    the national communication security agency, with contributions from
    numerous organizations and individuals.
    
    One of the changes in this version is the cipher suite selection. This
    commit adds the 'good' cipher suite from the document to debops.apache,
    debops.dovecot and debops.nginx.
  3. [debops.docker_gen] Update docker_gen to 0.7.4

    imrejonk committed May 21, 2019
    0.7.4 is the latest docker-gen release, supporting IPv6 and docker networks. These changes also update the nginx template in order to support docker networks.
Commits on Apr 20, 2019
  1. [debops.opendkim] Install PyOpenSSL module with debops.python

    imrejonk committed Apr 20, 2019
  2. Revert "[debops.opendkim] Add pyOpenSSL"

    imrejonk committed Apr 20, 2019
    This reverts commit 5f83b4a.
Commits on Apr 18, 2019
  1. [debops.opendkim] Add pyOpenSSL

    imrejonk committed Apr 18, 2019
    I was greeted with an error when I tried out the debops.opendkim role on a Debian 9 box (with Ansible 2.7.5) this morning:
    
    ```
    failed: [myhostname -> localhost] (item={u'name': u'mail'}) => {"changed": false, "item": {"name": "mail"}, "msg": "the python pyOpenSSL module is required"}
    ```
    
    Turns out the 'python-openssl' package was missing. This package contains the pyOpenSSL module needed to generate the DKIM keys. These changes add this package to the `opendkim__base_packages` variable.
Commits on Apr 12, 2019
  1. [debops.logrotate] keep newlines in config

    imrejonk committed Apr 12, 2019
    These changes remove the Jinja 'strip' operations from the logrotate templates. Logrotate does not like missing newlines and presented us with errors like these:
    
    ```
    /etc/cron.daily/logrotate:
    error: php7.0-fpm:prerotate, postrotate or preremove without endscript
    error: found error in file php7.0-fpm, skipping
    error: rsyslog:prerotate, postrotate or preremove without endscript
    error: found error in file rsyslog, skipping
    error: rsyslog-remote:prerotate, postrotate or preremove without endscript
    error: found error in file rsyslog-remote, skipping
    error: /etc/logrotate.conf:14 bad rotation count '1}'
    error: found error in /var/log/wtmp , skipping
    ```
    
    These errors were all caused by missing newlines. For example, 'endscript' and the curly bracket after the '1' must be on new lines.
    I'm not sure why the 'strip' operation was in the templates in the first place. Maybe I'm overlooking something, but this seems to work for us.
Commits on Mar 28, 2019
  1. Fix RST syntax in pki docs

    imrejonk committed Mar 28, 2019
  2. Implement more nameConstraints controllability

    imrejonk committed Mar 28, 2019
    The default critical mark of the X.509 nameConstraints extension can now
    be disabled in debops.pki.
Commits on Mar 27, 2019
  1. Update default nameConstraints to allow subdomains

    imrejonk committed Mar 27, 2019
    'permitted;DNS:${config_domain}' only allows names which exactly match
    ${config_domain}. 'permitted;DNS:.${config_domain}' (notice the extra ".") only
    allows expanded labels, but not ${config_domain} itself. Let's have the best of
    both worlds by combining the two name constraints together, which allows both
    ${config_domain} and expanded labels.
    
    OpenSSL throws `error 47 at 0 depth lookup: permitted subtree violation; error
    hcert.pem: verification failed` when using this role with critical
    nameConstraints. That's why I removed the 'critical' property. This might be
    better for backwards compatibility as well. Modern software will still refuse
    to accept the certificate when the name is outside the nameConstraints space.
    For example, Mozilla Firefox 60.6.1esr-1~deb9u1 will fail to connect with
    'SEC_ERROR_CERT_NOT_IN_NAME_SPACE', and curl 7.52.1-5+deb9u9 fails with '(60)
    SSL certificate problem: permitted subtree violation'.