dustin
/
configpolicy
1
1
Fork 0
Code Issues Releases Activity
836 Commits
14 Branches
0 Tags
7.3 MiB
Commit Graph

6 Commits (06b399994e17ff3ed875dfa01ed2107284ed9fd3)

Author SHA1 Message Date
Dustin c51589adff gw1: Scrape BIND DNS server logs 
The BIND server on the firewall is configured to write query logs and
RPZ rewrite logs to files under `/var/log/named`.  We can scrape these
logs with Promtail and use the messages for analytics on the DNS-based
firewall, etc.
 2024-02-28 19:06:23 -06:00
Dustin b96164ce11 gw1: Allow rpm.grafana.com via proxy 
In order to install Promtail on machines (e.g. *unifi1*) that do not
have direct access to the Internet.
 2024-02-22 20:40:51 -06:00
Dustin 1bff9b2649 gw1: Enable pam_ssh_agent_auth for sudo 
This machine is _not_ a member of the _pyrocufflink.blue_ AD domain, so
it does not inherit the settings from that group.  Also, Jenkins does
not manage it, so only my personal keys are authorized.
 2024-01-28 12:16:35 -06:00
Dustin be63424fd8 hosts: Deploy Squid on gw1 
Running Squid on the firewall makes sense; it's a sort of layer-7
firewall, after all.  There's not much storage on that machine, though
so we don't really want to cache anything.  In fact, it's only purpose
is to allow very limited web access for certain applications.  All
outbound traffic is blocked, with two exceptions:

* Fedora package repositories (for the UniFi controller server)
* Google Fonts (for Invoice Ninja)
 2024-01-27 20:09:34 -06:00
Dustin 423951bac1 {burp1, gw1}: Configure upsmon 2024-01-19 21:55:36 -06:00
Dustin d0b0f2ff38 hosts: gw1: Deploy BURP, collectd 
Although *gw1* is not really managed by Ansible, it is much easier to
deploy collectd and BURP with the existing playbooks.
 2024-01-19 20:52:48 -06:00