
Re: Thank you Debian



On 21/02/2024 22:58, Jeffrey Walton wrote:
On Wed, Feb 21, 2024 at 5:47 PM Andre Rodier <andre@rodier.me> wrote:
[...]

A few years ago, I created a set of Ansible scripts to code what I was
already doing manually, so I could rebuild my server from scratch.

The solution is on GitHub, and while there was already a plethora of
existing solutions, none of them implemented everything I wanted and
needed. It was apparently challenging:

1. A DNS server included, with DNSSEC implemented, and SSHFP.
2. Everything from Debian packages, so upgrades can be automatic.
3. No git clone and no zip download for any service.
4. The usual Let's Encrypt, but also extras like CAA, DANE, etc.
5. All services should be running under AppArmor.
6. No PHP, no RoundCube, NextCloud, OwnCloud, etc., please.
7. Jabber server, with c2s and s2s.
8. CardDAV and CalDAV server.
9. WebDAV server.
10. LDAP for authentication, not a MySQL database.
11. IPv6 support.

Points #2 and #3 are particularly interesting. I seriously cannot
understand why or how people could trust a server exposed on the internet
without automatic updates from a serious community like Debian. Are they
supposed to receive alerts from GitHub releases and manually download them
as they happen? How can this be done while they are on vacation?
Excuse my naive question, if it is one, please.

To be clear, I am using unattended upgrades and automatic reboot, and I
have never had any issue, thanks to the quality of Debian packages. I just
sometimes receive a nice email saying the server rebooted.

This wouldn't have been possible without the Debian community, so, again,
thank you for that.

We have been happy with this solution, for myself and a few friends and
family members, but I would like the opinion of the security experts
on this list.

- What is the best approach to check if there is any vulnerability in
the packages' configuration?
- Is there any service that could audit the deployment code or the
configuration files?

You will probably need to stitch together several different solutions,
based on the context. For example, use an Ansible Linter for your
Ansible scripts, <https://www.google.com/search?q=Ansible+linter>.

Jeff


Thanks, Jeff.

Yes, Ansible lint is configured as a git hook in the distribution.

Kind regards,
André
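The kind of git hook André describes, written out as an added example (not the project's own hook): a pre-commit hook that lints only the staged Ansible YAML files with ansible-lint and refuses the commit if the linter reports findings or is not installed. It assumes the playbooks and roles live in the same repository and that the hook is installed as `.git/hooks/pre-commit`.

```shell
#!/bin/sh
# Hypothetical .git/hooks/pre-commit (added example; assumes ansible-lint on PATH).
# Keeps unlinted playbook changes out of the history, where unattended
# deployments would otherwise pick them up.

# Filter a newline-separated list of paths (stdin) down to YAML files.
select_ansible_yaml() {
    grep -E '\.ya?ml$' || true
}

# List staged (added/copied/modified/renamed) YAML files, i.e. the ones
# that will actually be committed, not the whole working tree.
staged_ansible_files() {
    git diff --cached --name-only --diff-filter=ACMR | select_ansible_yaml
}

run_hook() {
    files=$(staged_ansible_files)
    if [ -z "$files" ]; then
        echo "pre-commit: no Ansible YAML staged, skipping ansible-lint"
        return 0
    fi
    if ! command -v ansible-lint >/dev/null 2>&1; then
        echo "pre-commit: ansible-lint not installed; refusing to commit unlinted playbooks" >&2
        return 1
    fi
    # Word-splitting on $files is intended: one path per line, no spaces expected.
    # shellcheck disable=SC2086
    ansible-lint $files
}

# Only act when git runs this file as the pre-commit hook.
case "${0##*/}" in
    pre-commit) run_hook ;;
esac
```

Install it with `cp pre-commit .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit`; a failing lint makes git abort the commit.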

