From 944b4679c1280abcac01c5b6b05c82cb8733d0a1 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sun, 2 Nov 2025 02:25:08 -0500
Subject: [PATCH] merge website and network servers
This provides more redundancy for both services through having 2 instances in each region. The network services have much higher bandwidth usage and load so this will also delay us needing to obtain new servers by making better use of the ones we have.
---
 etc/nftables/nftables-network-fq.conf | 4 ++--
 etc/nftables/nftables-network.conf | 4 ++--
 etc/nftables/nftables-web.conf | 2 --
 hosts.sh | 24 +++++++++++-------------
 packages/0.grapheneos.network | 2 +-
 packages/0.grapheneos.org | 1 +
 packages/1.grapheneos.network | 1 +
 packages/1.grapheneos.org | 1 +
 packages/2.grapheneos.network | 1 +
 packages/2.grapheneos.org | 1 +
 packages/3.grapheneos.network | 1 +
 packages/3.grapheneos.org | 1 +
 packages/staging.grapheneos.org | 1 +
 13 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/etc/nftables/nftables-network-fq.conf b/etc/nftables/nftables-network-fq.conf
index cb79c97..5f1f7a6 100644
--- a/etc/nftables/nftables-network-fq.conf
+++ b/etc/nftables/nftables-network-fq.conf
@@ -9,12 +9,12 @@ table inet filter {
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
- 51.222.159.116, # 0.grapheneos.network
+ 51.222.156.101, # 0.grapheneos.org
 }
 define ip6-allowlist-ssh = {
 {{ssh_ipv6}},
- 2607:5300:205:200::2584, # 0.grapheneos.network
+ 2607:5300:205:200::29c6, # 0.grapheneos.org
 }
 define priority-besteffort = 0
diff --git a/etc/nftables/nftables-network.conf b/etc/nftables/nftables-network.conf
index 389fb20..e6265aa 100644
--- a/etc/nftables/nftables-network.conf
+++ b/etc/nftables/nftables-network.conf
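Review bot: The primary's SSH source addresses are hard-coded as literal IPs in this allowlist and, identically, in the nftables-network.conf hunk that follows, so both profiles must be edited in lockstep whenever the primary moves, which is exactly what this commit has to do by hand. The surrounding entries already come from template variables (`{{ssh_ipv4}}`, `{{ssh_ipv6}}`), so the 0.grapheneos.org addresses could plausibly be supplied the same way, leaving a single place to update and no chance that one profile keeps allowing a host that is no longer the primary. If templating is not wanted, the trailing `# 0.grapheneos.org` comment is the only link between address and hostname and should be kept verbatim in both files so a mismatch is visible in review. The enclosing `table inet filter` block starts and ends outside the hunk.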
@@ -9,12 +9,12 @@ table inet filter {
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
- 51.222.159.116, # 0.grapheneos.network
+ 51.222.156.101, # 0.grapheneos.org
 }
 define ip6-allowlist-ssh = {
 {{ssh_ipv6}},
- 2607:5300:205:200::2584, # 0.grapheneos.network
+ 2607:5300:205:200::29c6, # 0.grapheneos.org
 }
 set ip-connlimit-ssh {
diff --git a/etc/nftables/nftables-web.conf b/etc/nftables/nftables-web.conf
index 2b56f9b..13752ba 100644
--- a/etc/nftables/nftables-web.conf
+++ b/etc/nftables/nftables-web.conf
@@ -8,12 +8,10 @@ table inet filter {
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
- 51.222.156.101, # 0.grapheneos.org
 }
 define ip6-allowlist-ssh = {
 {{ssh_ipv6}},
- 2607:5300:205:200::29c6, # 0.grapheneos.org
 }
 set ip-connlimit-ssh {
diff --git a/hosts.sh b/hosts.sh
index 5366a94..748e9d4 100644
--- a/hosts.sh
+++ b/hosts.sh
@@ -58,9 +58,10 @@ declare -Ar hosts_authorized_keys=(
 [1.grapheneos.org]=authorized_keys-replica-grapheneos
 [2.grapheneos.org]=authorized_keys-replica-grapheneos
 [3.grapheneos.org]=authorized_keys-replica-grapheneos
- [1.grapheneos.network]=authorized_keys-replica-network
- [2.grapheneos.network]=authorized_keys-replica-network
- [3.grapheneos.network]=authorized_keys-replica-network
+ [0.grapheneos.network]=authorized_keys-replica-grapheneos
+ [1.grapheneos.network]=authorized_keys-replica-grapheneos
+ [2.grapheneos.network]=authorized_keys-replica-grapheneos
+ [3.grapheneos.network]=authorized_keys-replica-grapheneos
 [1.releases.grapheneos.org]=authorized_keys-replica-releases
 [2.releases.grapheneos.org]=authorized_keys-replica-releases
 [3.releases.grapheneos.org]=authorized_keys-replica-releases
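Review bot: After this removal the web profile's SSH allowlist consists only of the `{{ssh_ipv4}}`/`{{ssh_ipv6}}` template entries, while the hosts_firewall hunk in hosts.sh moves every grapheneos.org host it touches (staging and 0–3) onto the `network`/`network-fq` profiles. If no remaining host maps to `web` or `web-fq` (the rest of the hosts_firewall map is outside this diff, so this is inferred), nftables-web.conf and its fq variant become configuration that is still maintained but never deployed, which is how stale rulesets end up being copied back into service later. Either drop the web profiles in this commit or say in the message which hosts still use them.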
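Review bot: `authorized_keys-replica-network` is no longer referenced by any entry in this map once the three network replicas switch to `authorized_keys-replica-grapheneos`, yet the diffstat shows the key file itself is not removed. A key set that nothing deploys tends to linger and be re-attached by mistake; if no other file references it, delete it in the same commit. The change also means 0.grapheneos.network, previously the network primary, now authorizes the same key set as the grapheneos.org replicas, which is consistent with its move into hosts_secondary but is worth stating in the commit message since it widens which key can log in to that host.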
@@ -77,8 +78,11 @@ declare -Ar hosts_firewall=(
 [1.ns2.grapheneos.org]=ns2
 [2.ns2.grapheneos.org]=ns2
 [mail.grapheneos.org]=mail
- [staging.grapheneos.org]=web-fq
- [1.grapheneos.org]=web-fq
+ [staging.grapheneos.org]=network-fq
+ [0.grapheneos.org]=network
+ [1.grapheneos.org]=network-fq
+ [2.grapheneos.org]=network
+ [3.grapheneos.org]=network
 [0.grapheneos.network]=network
 [1.grapheneos.network]=network-fq
 [2.grapheneos.network]=network
@@ -325,7 +329,6 @@ readonly hosts_certbot=(
 mail.grapheneos.org
 staging.grapheneos.org
 0.grapheneos.org
- 0.grapheneos.network
 0.releases.grapheneos.org
 staging.attestation.app
 attestation.app
@@ -338,7 +341,6 @@ readonly hosts_primary=(
 0.ns1.grapheneos.org
 0.ns2.grapheneos.org
 0.grapheneos.org
- 0.grapheneos.network
 0.releases.grapheneos.org
 )
@@ -346,7 +348,7 @@ readonly hosts_secondary=(
 {1..3}.ns1.grapheneos.org
 {1..2}.ns2.grapheneos.org
 {1..3}.grapheneos.org
- {1..3}.grapheneos.network
+ {0..3}.grapheneos.network
 {1..3}.releases.grapheneos.org
 )
@@ -361,6 +363,7 @@ readonly hosts_backup=(
 readonly hosts_grapheneos=(
 {0..3}.grapheneos.org
+ {0..3}.grapheneos.network
 )
 readonly hosts_grapheneos_all=(
@@ -372,10 +375,6 @@ readonly hosts_releases=(
 {0..3}.releases.grapheneos.org
 )
-readonly hosts_network=(
- {0..3}.grapheneos.network
-)
-
 readonly hosts_attestation=(
 staging.attestation.app
 attestation.app
@@ -385,7 +384,6 @@ readonly hosts_web=(
 "${hosts_dns[@]}"
 mail.grapheneos.org
 "${hosts_grapheneos_all[@]}"
- "${hosts_network[@]}"
 "${hosts_releases[@]}"
 "${hosts_attestation[@]}"
 matrix.grapheneos.org
diff --git a/packages/0.grapheneos.network b/packages/0.grapheneos.network
index 118629e..b3b7bbf 100644
--- a/packages/0.grapheneos.network
+++ b/packages/0.grapheneos.network
@@ -1,5 +1,4 @@
 base
-certbot
 chrony
 cloud-guest-utils
 conntrack-tools
@@ -17,6 +16,7 @@ mtr
 neovim
 nftables
 nginx
+nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
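Review bot: Each of `[0.grapheneos.org]=network`, `[2.grapheneos.org]=network` and `[3.grapheneos.org]=network` is added here without a matching removal, so either those hosts previously had no hosts_firewall entry or their old entries sit outside this hunk. With `declare -A` a duplicated key is not an error: the later assignment silently wins, so if an older `[0.grapheneos.org]=web`-style entry still exists further down the array, the profile added here is dead and the host stays on the web ruleset. A grep for a second assignment of each of these keys before merging would settle it; the array's closing `)` is outside the hunk.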
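Review bot: Dropping 0.grapheneos.network from hosts_certbot (together with `certbot` from packages/0.grapheneos.network) implies the certificates for the grapheneos.network names are now obtained by 0.grapheneos.org and pushed to the network hosts through the enlarged hosts_grapheneos list, but nothing in this diff shows the certbot domain set on 0.grapheneos.org being extended to cover them. If that configuration lives elsewhere it has to change in the same deployment; otherwise the network hosts keep serving the last certificate 0.grapheneos.network obtained until it expires. The hosts_primary hunk that follows makes the same assumption.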
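Review bot: Removing the `hosts_network` array leaves any remaining `"${hosts_network[@]}"` expansion in this file, or in scripts that source it, as an empty list (or an unbound-variable error under `set -u`); only the hosts_web reference is removed in this diff. A grep for `hosts_network` across the repository would confirm nothing else still expands it, since a silently empty host list in a deploy loop is easy to miss.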
diff --git a/packages/0.grapheneos.org b/packages/0.grapheneos.org
index 9dfb786..1e0174a 100644
--- a/packages/0.grapheneos.org
+++ b/packages/0.grapheneos.org
@@ -18,6 +18,7 @@ neovim
 nftables
 nginx
 nginx-mod-brotli
+nginx-mod-stream
 nmap
 openssh
 pacman-contrib
diff --git a/packages/1.grapheneos.network b/packages/1.grapheneos.network
index 8f0b780..b3b7bbf 100644
--- a/packages/1.grapheneos.network
+++ b/packages/1.grapheneos.network
@@ -16,6 +16,7 @@ mtr
 neovim
 nftables
 nginx
+nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
diff --git a/packages/1.grapheneos.org b/packages/1.grapheneos.org
index 7e3ab42..b3b7bbf 100644
--- a/packages/1.grapheneos.org
+++ b/packages/1.grapheneos.org
@@ -17,6 +17,7 @@ neovim
 nftables
 nginx
 nginx-mod-brotli
+nginx-mod-stream
 nmap
 openssh
 pacman-contrib
diff --git a/packages/2.grapheneos.network b/packages/2.grapheneos.network
index 8f0b780..b3b7bbf 100644
--- a/packages/2.grapheneos.network
+++ b/packages/2.grapheneos.network
@@ -16,6 +16,7 @@ mtr
 neovim
 nftables
 nginx
+nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
diff --git a/packages/2.grapheneos.org b/packages/2.grapheneos.org
index 7e3ab42..b3b7bbf 100644
--- a/packages/2.grapheneos.org
+++ b/packages/2.grapheneos.org
@@ -17,6 +17,7 @@ neovim
 nftables
 nginx
 nginx-mod-brotli
+nginx-mod-stream
 nmap
 openssh
 pacman-contrib
diff --git a/packages/3.grapheneos.network b/packages/3.grapheneos.network
index 8f0b780..b3b7bbf 100644
--- a/packages/3.grapheneos.network
+++ b/packages/3.grapheneos.network
@@ -16,6 +16,7 @@ mtr
 neovim
 nftables
 nginx
+nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
diff --git a/packages/3.grapheneos.org b/packages/3.grapheneos.org
index 7e3ab42..b3b7bbf 100644
--- a/packages/3.grapheneos.org
+++ b/packages/3.grapheneos.org
@@ -17,6 +17,7 @@ neovim
 nftables
 nginx
 nginx-mod-brotli
+nginx-mod-stream
 nmap
 openssh
 pacman-contrib
diff --git a/packages/staging.grapheneos.org b/packages/staging.grapheneos.org
index 9dfb786..1e0174a 100644
--- a/packages/staging.grapheneos.org
+++ b/packages/staging.grapheneos.org
@@ -18,6 +18,7 @@ neovim
 nftables
 nginx
 nginx-mod-brotli
+nginx-mod-stream
 nmap
 openssh
 pacman-contrib