On Wed, Feb 21, 2024 at 5:47 PM Andre Rodier <an...@rodier.me> wrote:
> [...]
>
> A few years ago, I created a set of Ansible scripts to code what I was
> already doing manually, so I could rebuild my server from scratch.
>
> The solution is on GitHub, and while there was already a plethora of
> existing solutions, none of them implemented everything I wanted and
> needed. It was apparently challenging:
>
> 1. A DNS server included, with DNSSEC implemented, and SSHFP.
> 2. Everything from Debian packages, so upgrades can be automatic.
> 3. No git clone and no zip download for any service.
> 4. The usual LetsEncrypt, but also the extras like CAA, DANE, etc.
> 5. All services should be running under AppArmor.
> 6. No PHP, no RoundCube, NextCloud, OwnCloud, etc., please.
> 7. Jabber server, with c2s and s2s.
> 8. CardDAV and CalDAV server.
> 9. WebDAV server.
> 10. LDAP for authentication, not a MySQL database.
> 11. IPv6 support.
>
> Points #2 and #3 are particularly interesting. I seriously cannot
> understand why or how people could trust a server exposed on the internet
> without automatic updates from a serious community like Debian. Are they
> supposed to receive alerts from GitHub releases and manually download them
> as they happen? How can this be done while they are on vacation?
> Excuse my naive question, if it is, please.
>
> To be precise, I am using unattended upgrades and automatic reboot, and
> have never had any issue, thanks to Debian package quality. I just sometimes
> receive a nice email saying the server rebooted.
>
> This wouldn't have been possible with the Debian community, so, again,
> thank you for that.
>
> We have been happy with this solution, for myself and a few friends and
> family members, but I would like the opinion of the security experts
> on this list.
>
> - What is the best approach to check if there is any vulnerability in
> the packages' configuration?
> - Is there any service that could audit the deployment code or the
> configuration files?
You will probably need to stitch together several different solutions,
based on the context. For example, use an Ansible linter for your Ansible
scripts: <https://www.google.com/search?q=Ansible+linter>.

Jeff
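As an added example of the "stitch several solutions together" approach (this is not part of Jeff's reply, nor code from Andre's GitHub project): a small POSIX sh wrapper that runs ansible-lint when it is installed and, either way, applies a few grep-based checks for patterns that a "Debian packages only, no git clone, no zip download" deployment should never contain. The rule labels, the regexes and the sample playbook (with its example.invalid URLs) are constructed for illustration; ansible-lint is invoked with its plain `ansible-lint <playbook>` form only.

```sh
#!/bin/sh
# Added example: audit an Ansible playbook with ansible-lint (if present)
# plus a handful of grep-based rules. Rules, labels and the sample playbook
# below are constructed for illustration, not taken from any project.

# One rule per line: <label>|<POSIX extended regex>. The regex may itself
# contain '|' because "read" hands the whole remainder to the last variable.
AUDIT_RULES='tls-verify-disabled|validate_certs: *(false|no)
world-writable-mode|mode: *.?0?777
curl-pipe-shell|(curl|wget) .*\| *(ba)?sh
sudo-without-password|NOPASSWD'

# Apply every rule to $1, print each hit as "<label>: <file>:<line>:<text>"
# on stderr and print the total number of findings on stdout so callers
# (and the demo below) can act on the count.
grep_checks() {
    file=$1
    rules_file=$(mktemp)
    hits_file=$(mktemp)
    printf '%s\n' "$AUDIT_RULES" > "$rules_file"
    total=0
    # "while ... done < file" keeps $total in the current shell; a
    # "printf | while" pipeline would run the loop in a subshell in POSIX sh.
    while IFS='|' read -r label regex; do
        [ -n "$label" ] || continue
        if grep -nE "$regex" "$file" > "$hits_file"; then
            while IFS= read -r hit; do
                printf '%s: %s:%s\n' "$label" "$file" "$hit" >&2
            done < "$hits_file"
            total=$((total + $(wc -l < "$hits_file")))
        fi
    done < "$rules_file"
    rm -f "$rules_file" "$hits_file"
    echo "$total"
}

# Run ansible-lint first when it is on PATH (its output goes to stderr),
# then the grep rules. Returns the grep finding count on stdout.
audit_playbook() {
    file=$1
    if command -v ansible-lint >/dev/null 2>&1; then
        ansible-lint "$file" >&2 || echo "ansible-lint reported problems" >&2
    fi
    grep_checks "$file"
}

# Constructed sample playbook: one clean apt task and three deliberately
# bad tasks (TLS verification off, curl | sh, world-writable mode).
# Prints the path of the temporary file it wrote.
write_sample_playbook() {
    out=$(mktemp)
    cat > "$out" <<'EOF'
- hosts: mail
  become: true
  tasks:
    - name: Install dovecot from Debian packages (clean)
      apt:
        name: dovecot-imapd
        state: present

    - name: Fetch a release tarball with TLS verification off (bad)
      get_url:
        url: https://example.invalid/app.tar.gz
        dest: /opt/app.tar.gz
        validate_certs: no

    - name: Install from an upstream script (bad)
      shell: curl -fsSL https://example.invalid/install.sh | sh

    - name: Make the spool world-writable (bad)
      file:
        path: /var/spool/app
        mode: "0777"
EOF
    echo "$out"
}

# Audit the playbook given on the command line, or the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_playbook "$1"
else
    sample=$(write_sample_playbook)
    audit_playbook "$sample"
    rm -f "$sample"
fi
```

The grep rules are deliberately crude; they exist to catch the specific things the thread objects to (downloads with verification off, piping an upstream script into a shell, sloppy permissions) and to show how a team-specific check sits next to a general-purpose linter rather than replacing it. ansible-lint's own rule set, and a config-management-aware scanner, would cover the rest.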