merge website and network servers

This provides more redundancy for both services through having 2
instances in each region. The network services have much higher
bandwidth usage and load, so this will also delay the need to obtain
new servers by making better use of the ones we have.
Daniel Micay 2025-11-02 02:25:08 -05:00
parent 2caa67529a
commit 944b4679c1
13 changed files with 24 additions and 20 deletions


@ -9,12 +9,12 @@ table inet filter {
define ip-allowlist-ssh = {
{{ssh_ipv4}},
51.222.159.116, # 0.grapheneos.network
51.222.156.101, # 0.grapheneos.org
}
define ip6-allowlist-ssh = {
{{ssh_ipv6}},
2607:5300:205:200::2584, # 0.grapheneos.network
2607:5300:205:200::29c6, # 0.grapheneos.org
}
define priority-besteffort = 0
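Review bot: The primary hosts in the SSH allowlist are written as literal addresses (51.222.159.116, 51.222.156.101 and the two IPv6 entries) in this firewall template and again in the two hunks that follow (`@ -9,12 +9,12` and `@ -8,12 +8,10`), while the operator address in the same sets already comes from a template variable (`{{ssh_ipv4}}`, `{{ssh_ipv6}}`). Any future re-addressing of 0.grapheneos.org or 0.grapheneos.network has to be repeated in every template, and a missed copy silently keeps SSH open to a stale address. Sourcing these from variables the same way, e.g. `{{primary_ipv4}}, # 0.grapheneos.org` (variable name constructed), would give the allowlist a single source of truth. From the rendered page it is not certain which primary lines this hunk adds and which it keeps; the counts (12 old, 12 new) admit a one-for-one replacement, so this is raised as a structural point rather than against a specific line.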


@ -9,12 +9,12 @@ table inet filter {
define ip-allowlist-ssh = {
{{ssh_ipv4}},
51.222.159.116, # 0.grapheneos.network
51.222.156.101, # 0.grapheneos.org
}
define ip6-allowlist-ssh = {
{{ssh_ipv6}},
2607:5300:205:200::2584, # 0.grapheneos.network
2607:5300:205:200::29c6, # 0.grapheneos.org
}
set ip-connlimit-ssh {


@ -8,12 +8,10 @@ table inet filter {
define ip-allowlist-ssh = {
{{ssh_ipv4}},
51.222.156.101, # 0.grapheneos.org
}
define ip6-allowlist-ssh = {
{{ssh_ipv6}},
2607:5300:205:200::29c6, # 0.grapheneos.org
}
set ip-connlimit-ssh {


@ -58,9 +58,10 @@ declare -Ar hosts_authorized_keys=(
[1.grapheneos.org]=authorized_keys-replica-grapheneos
[2.grapheneos.org]=authorized_keys-replica-grapheneos
[3.grapheneos.org]=authorized_keys-replica-grapheneos
[1.grapheneos.network]=authorized_keys-replica-network
[2.grapheneos.network]=authorized_keys-replica-network
[3.grapheneos.network]=authorized_keys-replica-network
[0.grapheneos.network]=authorized_keys-replica-grapheneos
[1.grapheneos.network]=authorized_keys-replica-grapheneos
[2.grapheneos.network]=authorized_keys-replica-grapheneos
[3.grapheneos.network]=authorized_keys-replica-grapheneos
[1.releases.grapheneos.org]=authorized_keys-replica-releases
[2.releases.grapheneos.org]=authorized_keys-replica-releases
[3.releases.grapheneos.org]=authorized_keys-replica-releases
@ -77,8 +78,11 @@ declare -Ar hosts_firewall=(
[1.ns2.grapheneos.org]=ns2
[2.ns2.grapheneos.org]=ns2
[mail.grapheneos.org]=mail
[staging.grapheneos.org]=web-fq
[1.grapheneos.org]=web-fq
[staging.grapheneos.org]=network-fq
[0.grapheneos.org]=network
[1.grapheneos.org]=network-fq
[2.grapheneos.org]=network
[3.grapheneos.org]=network
[0.grapheneos.network]=network
[1.grapheneos.network]=network-fq
[2.grapheneos.network]=network
@ -325,7 +329,6 @@ readonly hosts_certbot=(
mail.grapheneos.org
staging.grapheneos.org
0.grapheneos.org
0.grapheneos.network
0.releases.grapheneos.org
staging.attestation.app
attestation.app
@ -338,7 +341,6 @@ readonly hosts_primary=(
0.ns1.grapheneos.org
0.ns2.grapheneos.org
0.grapheneos.org
0.grapheneos.network
0.releases.grapheneos.org
)
@ -346,7 +348,7 @@ readonly hosts_secondary=(
{1..3}.ns1.grapheneos.org
{1..2}.ns2.grapheneos.org
{1..3}.grapheneos.org
{1..3}.grapheneos.network
{0..3}.grapheneos.network
{1..3}.releases.grapheneos.org
)
@ -361,6 +363,7 @@ readonly hosts_backup=(
readonly hosts_grapheneos=(
{0..3}.grapheneos.org
{0..3}.grapheneos.network
)
readonly hosts_grapheneos_all=(
@ -372,10 +375,6 @@ readonly hosts_releases=(
{0..3}.releases.grapheneos.org
)
readonly hosts_network=(
{0..3}.grapheneos.network
)
readonly hosts_attestation=(
staging.attestation.app
attestation.app
@ -385,7 +384,6 @@ readonly hosts_web=(
"${hosts_dns[@]}"
mail.grapheneos.org
"${hosts_grapheneos_all[@]}"
"${hosts_network[@]}"
"${hosts_releases[@]}"
"${hosts_attestation[@]}"
matrix.grapheneos.org
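Review bot: After this change no entry in `hosts_authorized_keys` maps to `authorized_keys-replica-network` — the four `{0..3}.grapheneos.network` hosts now use `authorized_keys-replica-grapheneos` — so that key file appears orphaned and should either be deleted in the same commit or its remaining use documented, otherwise a stale replica key set stays in the repository and can be redeployed by mistake. Removing the `hosts_network` array is also a silent interface change: `hosts_web` is updated here, but any other script that expands `"${hosts_network[@]}"` outside this hunk would now fail under `set -u` or expand to nothing without it, so a grep across the repository for that name is worth doing. Dropping 0.grapheneos.network from `hosts_certbot` and `hosts_primary` while adding it to `hosts_secondary` implies it now receives certificates from 0.grapheneos.org rather than requesting its own; a short comment on `hosts_secondary`, e.g. `# secondaries do not run certbot; certificates come from their primary`, would make that dependency explicit for the next reader. The `readonly hosts_grapheneos_all=(` definition starts at the end of one hunk and its body lies outside the diff.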


@ -1,5 +1,4 @@
base
certbot
chrony
cloud-guest-utils
conntrack-tools
@ -17,6 +16,7 @@ mtr
neovim
nftables
nginx
nginx-mod-brotli
nginx-mod-stream
nmap
openssh
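Review bot: `nginx-mod-stream` is added to this package list and, by the same one-line change, to the eight package-list hunks that follow, but a module package only takes effect once the nginx configuration carries the matching `load_module` directive and a `stream` block, neither of which is part of this commit; if that configuration lands separately, deploy order matters, since a config referencing an absent module fails to load while a package without config is inert. The first hunk's counts (`-1,5 +1,4`) show one line removed from the top of this list that the rendered page does not mark; if that line is `certbot`, it matches 0.grapheneos.network leaving `hosts_certbot` in the hosts file, and stating that in the commit description would make the move to replicated certificates traceable.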


@ -18,6 +18,7 @@ neovim
nftables
nginx
nginx-mod-brotli
nginx-mod-stream
nmap
openssh
pacman-contrib


@ -16,6 +16,7 @@ mtr
neovim
nftables
nginx
nginx-mod-brotli
nginx-mod-stream
nmap
openssh


@ -17,6 +17,7 @@ neovim
nftables
nginx
nginx-mod-brotli
nginx-mod-stream
nmap
openssh
pacman-contrib


@ -16,6 +16,7 @@ mtr
neovim
nftables
nginx
nginx-mod-brotli
nginx-mod-stream
nmap
openssh


@ -17,6 +17,7 @@ neovim
nftables
nginx
nginx-mod-brotli
nginx-mod-stream
nmap
openssh
pacman-contrib


@ -16,6 +16,7 @@ mtr
neovim
nftables
nginx
nginx-mod-brotli
nginx-mod-stream
nmap
openssh


@ -17,6 +17,7 @@ neovim
nftables
nginx
nginx-mod-brotli
nginx-mod-stream
nmap
openssh
pacman-contrib


@ -18,6 +18,7 @@ neovim
nftables
nginx
nginx-mod-brotli
nginx-mod-stream
nmap
openssh
pacman-contrib