mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2025-08-02 11:36:13 -04:00
migrate to new tlsserver Let's Encrypt profile
We can no longer use OCSP stapling and Must-Staple. These will soon be obsolete once the `shortlived` profile is available for public use since it will provide certificates with a similar lifetime as OCSP responses. In the meantime, we've moved to the `tlsserver` profile stripping legacy features to prepare for the `shortlived` profile which will be identical to `tlsserver` but with a validity period of 6 days. The certificate for SUPL is still temporarily using the classic profile to work around the older generations of end-of-life Snapdragon Pixels not having support for SNI. We can eventually drop support for these devices from the SUPL service to allow us to disable TLSv1.1, DHE and move to the `tlsserver` or `shortlived` profile. The certificate for SMTP is still temporarily using the classic profile to avoid potential compatibility issues with servers supporting TLSv1.2 but still not yet supporting SNI.
This commit is contained in:
Daniel Micay
parent
a6d1e00d07
commit
90a7780b5e
19 changed files with 28 additions and 775 deletions
|
|
@ -1,57 +0,0 @@
|
|||
[Unit]
|
||||
Description=Fetch OCSP responses for all certificates issued with Certbot
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
||||
Restart=on-failure
|
||||
|
||||
CacheDirectory=%N
|
||||
|
||||
User=root
|
||||
Group=root
|
||||
ExecStart=%N --no-reload-webserver
|
||||
ExecStartPost=systemctl reload nginx.service
|
||||
|
||||
RestartSec=5
|
||||
PrivateDevices=true
|
||||
PrivateTmp=yes
|
||||
PrivateUsers=yes
|
||||
PrivateIPC=true
|
||||
|
||||
NoNewPrivileges=true
|
||||
LockPersonality=true
|
||||
|
||||
CapabilityBoundingSet=
|
||||
ProtectHome=yes
|
||||
ProtectControlGroups=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectClock=true
|
||||
ProtectProc=invisible
|
||||
ProcSubset=pid
|
||||
ProtectHostname=true
|
||||
RemoveIPC=true
|
||||
|
||||
RestrictAddressFamilies=AF_INET6 AF_INET AF_UNIX
|
||||
MemoryDenyWriteExecute=true
|
||||
RestrictRealtime=true
|
||||
RestrictNamespaces=true
|
||||
RestrictSUIDSGID=true
|
||||
|
||||
DevicePolicy=strict
|
||||
DeviceAllow=/dev/random r
|
||||
DeviceAllow=/dev/urandom r
|
||||
DeviceAllow=/dev/stdin r
|
||||
DeviceAllow=/dev/stdout r
|
||||
DeviceAllow=/dev/null w
|
||||
|
||||
ProtectSystem=strict
|
||||
InaccessiblePaths=/root/
|
||||
ReadOnlyPaths=/etc/letsencrypt
|
||||
UMask=0077
|
||||
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallFilter=~@clock @debug @module @mount @reboot @swap @resources @cpu-emulation @raw-io @obsolete @keyring @privileged
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
[Unit]
|
||||
Description=Nightly run %N
|
||||
|
||||
[Timer]
|
||||
OnCalendar=*-*-* 01:00:00
|
||||
RandomizedDelaySec=21600
|
||||
Persistent=true
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
||||
|
|
@ -19,7 +19,7 @@ ProtectKernelModules=true
|
|||
ProtectKernelTunables=true
|
||||
ProtectProc=invisible
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=/etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt -/srv/certbot -/var/cache/certbot-ocsp-fetcher
|
||||
ReadWritePaths=/etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt -/srv/certbot
|
||||
RestrictAddressFamilies=AF_INET AF_INET6
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue