LQDN Adminsys issues
https://git.laquadrature.net/groups/lqdn-interne/-/issues
Updated: 2021-10-07T17:34:35+02:00

Add the SSO configuration
https://git.laquadrature.net/lqdn-interne/piops-roles/monitoring-lqdn/-/issues/1
Updated: 2021-10-07T17:34:35+02:00
Author: nono

See: https://grafana.com/docs/grafana/latest/enterprise/saml/

SSL certificate configuration for the logs
https://git.laquadrature.net/lqdn-interne/piops-roles/logging-lqdn/-/issues/1
Updated: 2021-10-15T15:30:01+02:00
Author: nono

See the file `rsyslog-collector.conf.j2`

Error in the handlers
https://git.laquadrature.net/lqdn-interne/piops-roles/security-lqdn/-/issues/2
Updated: 2021-10-17T12:24:09+02:00
Author: nono

The handlers at https://git.laquadrature.net/lqdn-interne/piops-roles/security-lqdn/-/blob/master/handlers/main.yml#L4 are not the right ones.
Problem spotted by @daftaupe, thanks to him!

Further hardening of Nextcloud
https://git.laquadrature.net/lqdn-interne/piops-roles/security-lqdn/-/issues/3
Updated: 2021-11-09T11:23:23+01:00
Author: nono

https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html?highlight=push%20notification

SSL certificate management
https://git.laquadrature.net/lqdn-interne/piops/-/issues/5
Updated: 2021-11-22T10:25:13+01:00
Author: nono

At present, SSL certificate management is not clear. The certificates seem to be managed by Let's Encrypt. However, according to the archives:
> It's a mess, there are references to "/.wel-known/acme-challenge" all over the place :/ and all that. Benjamin Sonntag: I suggest we forbid ourselves from making MULTI-DOMAIN certificates, that way it's less of a mess for humans.

Manage SSH keys through Ansible
https://git.laquadrature.net/lqdn-interne/piops/-/issues/1
Updated: 2022-01-14T10:52:23+01:00
Author: Porkepix

SSH authorized keys should be managed through Ansible.
I plan on adding it.
Current state is to use `authorized_keys2` because `authorized_keys` is managed by Octopuce's Puppet, therefore any modification would be erased. Everything is on the `root` account, we don't have personal accounts.
For now we'll keep working with it.
As for the question:
I'll do a `common` role in the repository. As it's not the kind of role you keep generic, I don't think having it in a separate repository is the way to go.
Now two questions:
- Current files seem to have been modified, people in the files are not the same as those in the pad. Do I refer to the server file as the truth and use this?
- Do you prefer to keep it as simple as possible and just do a bare copy of the file, or a template and configure every user and parameter in a config file instead?

Replace all the IPs in the hosts file with a URL
https://git.laquadrature.net/lqdn-interne/piops/-/issues/4
Updated: 2022-01-14T10:54:40+01:00
Author: nono
Label: Nouvelle infra (new infrastructure)

For now, some servers are described by their URL in the hosts file, because an address is already taken, or because no URL of the form *.lqdn.fr exists yet.

Update the README
https://git.laquadrature.net/lqdn-interne/piops/-/issues/8
Updated: 2022-01-14T10:54:58+01:00
Author: nono
Label: Nouvelle infra (new infrastructure)

The procedure for adding a role and configuring groups is not exactly the one described in the README. In particular, we use two playbooks (production and test) instead of a single one, and we use groups to define the hosts the roles apply to instead of applying everything to every host.

Software to add
https://git.laquadrature.net/lqdn-interne/piops-roles/security-lqdn/-/issues/4
Updated: 2022-01-18T17:59:55+01:00
Author: nono

- https://www.snort.org/#get-started
- https://www.sshguard.net/
- https://cisofy.com/lynis/
- https://aide.github.io/
See also: https://www.debian.org/doc/user-manuals#securing

Old Octopuce SSH keys still around
https://git.laquadrature.net/lqdn-interne/piops/-/issues/2
Updated: 2022-01-20T20:00:14+01:00
Author: axel

I just realised `/root/.ssh/authorized_keys` on Pi still has keys of people who appear to have left Octopuce, such as Skhaen:
```
environment="SSHCLIENTUSER=Guillaume Lecoquierre",environment="EDITOR=/usr/bin/vim" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKlModVGvtRDjgMJes165L8RsOhOrHkzh2kkE8x9VIGZkFplRK8ZSO46xHpJgLnbAd9WSakCld+tZd6U0j2PCYUbTx0Eeo5GeKg6wMhdaJZ1S9Ci66YJidXGbYW5wvPK2kbjOIFxZWzpLl36i34FXNcJ0Z8K2YIfova5OhMR0xke/Y/MfjnoAe8653dxqlDK0BZwuu16MTerj2QxC7vkRdMkux2R7dldd+LeD31OMUFJzPz+8spzzr9s1nIarshhoRo19s/jmModyq5694QHcq6Ex+O6AB43jEBiKpOMfaD9bM6sloLYbMPZKiTXXg+nAx0A3m+pn1BBf82Qc0i83d guillaume@octopuce.fr root
```
There is also a key for François Dupont, who doesn't appear to be part of Octopuce, if [this page](https://www.octopuce.fr/Equipe/) is up to date.
They should be removed on the Octopuce side, given that file is managed by their Puppet.

Add a flag to enforce home dir ownership and permissions only in prod, and disable in testing
https://git.laquadrature.net/lqdn-interne/piops-roles/don-lqdn/-/issues/1
Updated: 2022-09-13T13:04:27+02:00
Author: nono

Write the README in English
https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/1
Updated: 2023-01-20T11:29:39+01:00
Author: nono
Milestone: Version 0.1.0

Create first release
https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/7
Updated: 2023-01-20T11:30:35+01:00
Author: nono
Milestone: Version 0.1.0

Create a release when the issues in https://git.laquadrature.net/lqdn-interne/piops-roles/hedgedocs-pad-lqdn/-/milestones/1 are closed.

Rename role to ansible-role-hedgedocs
https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/6
Updated: 2023-01-24T15:27:58+01:00
Author: nono
Milestone: Version 0.1.0

In line with common naming of roles.

Clean up the role and remove unused parts
https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/10
Updated: 2023-03-24T12:18:19+01:00
Author: nono
Milestone: Version 0.1.0

The role was originally written to install all of its dependencies, including nginx for example.
This is not the way it's supposed to be installed currently, but there are leftover files we should remove.

Add continuous integration testing via GitLab CI
https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/8
Updated: 2023-03-30T13:51:47+02:00
Author: nono
Milestone: Version 0.1.0

Related to #5; once that is done we can add a CI pipeline to validate merge requests.
We can get help from the tutorials here: https://docs.gitlab.com/ee/ci/quick_start/
- [ ] Verify that this repo has access to a runner
- [ ] Add the GitLab CI YAML file
- [ ] Write the stages of the pipeline

Add testing via molecule
https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/5
Updated: 2023-03-30T17:06:20+02:00
Author: nono
Milestone: Version 0.1.0

- [x] Add molecule folder
- [x] Add create role
- [x] Update the Vagrant VM for testing
- [ ] Check omnipotence
- [x] Check installation
- [x] Check that the service is running correctly after role completion

Rename role to ansible-role-keycloak
https://git.laquadrature.net/lqdn-interne/piops-roles/sso-lqdn/-/issues/1
Updated: 2023-04-04T10:54:31+02:00
Author: nono
Milestone: Version 0.1.0

Update README and translate role to English
https://git.laquadrature.net/lqdn-interne/piops-roles/sso-lqdn/-/issues/2
Updated: 2023-04-04T10:55:07+02:00
Author: nono
Milestone: Version 0.1.0

Add Keycloak role as dependency to test the SAML option
https://git.laquadrature.net/lqdn-interne/piops-roles/ansible-role-hedgedocs/-/issues/13
Updated: 2023-04-04T10:57:01+02:00
Author: nono
Milestone: Version 0.1.1

Add this role https://git.laquadrature.net/lqdn-interne/piops-roles/sso-lqdn/ to the dependencies to be able to fully test the SAML configuration of this role.