merge website and network servers

This provides more redundancy for both services through having 2 instances in each region. The network services have much higher bandwidth usage and load so this will also delay us needing to obtain new servers by making better use of the ones we have.
2025-11-23 00:10:25 -05:00 · 2025-11-02 02:25:08 -05:00 · 2025-11-02 02:25:08 -05:00 · 944b4679c1
commit 944b4679c1
parent 2caa67529a
13 changed files with 24 additions and 20 deletions
--- a/etc/nftables/nftables-network-fq.conf
+++ b/etc/nftables/nftables-network-fq.conf
@ -9,12 +9,12 @@ table inet filter {
    define ip-allowlist-ssh = {
        {{ssh_ipv4}},
-        51.222.159.116, # 0.grapheneos.network
+        51.222.156.101, # 0.grapheneos.org
    }
    define ip6-allowlist-ssh = {
        {{ssh_ipv6}},
-        2607:5300:205:200::2584, # 0.grapheneos.network
+        2607:5300:205:200::29c6, # 0.grapheneos.org
    }
    define priority-besteffort = 0
--- a/etc/nftables/nftables-network.conf
+++ b/etc/nftables/nftables-network.conf
@ -9,12 +9,12 @@ table inet filter {
    define ip-allowlist-ssh = {
        {{ssh_ipv4}},
-        51.222.159.116, # 0.grapheneos.network
+        51.222.156.101, # 0.grapheneos.org
    }
    define ip6-allowlist-ssh = {
        {{ssh_ipv6}},
-        2607:5300:205:200::2584, # 0.grapheneos.network
+        2607:5300:205:200::29c6, # 0.grapheneos.org
    }
    set ip-connlimit-ssh {
--- a/etc/nftables/nftables-web.conf
+++ b/etc/nftables/nftables-web.conf
@ -8,12 +8,10 @@ table inet filter {
    define ip-allowlist-ssh = {
        {{ssh_ipv4}},
        51.222.156.101, # 0.grapheneos.org
    }
    define ip6-allowlist-ssh = {
        {{ssh_ipv6}},
        2607:5300:205:200::29c6, # 0.grapheneos.org
    }
    set ip-connlimit-ssh {
--- a/hosts.sh
+++ b/hosts.sh
@ -58,9 +58,10 @@ declare -Ar hosts_authorized_keys=(
    [1.grapheneos.org]=authorized_keys-replica-grapheneos
    [2.grapheneos.org]=authorized_keys-replica-grapheneos
    [3.grapheneos.org]=authorized_keys-replica-grapheneos
-    [1.grapheneos.network]=authorized_keys-replica-network
+    [0.grapheneos.network]=authorized_keys-replica-grapheneos
-    [2.grapheneos.network]=authorized_keys-replica-network
+    [1.grapheneos.network]=authorized_keys-replica-grapheneos
-    [3.grapheneos.network]=authorized_keys-replica-network
+    [2.grapheneos.network]=authorized_keys-replica-grapheneos
    [3.grapheneos.network]=authorized_keys-replica-grapheneos
    [1.releases.grapheneos.org]=authorized_keys-replica-releases
    [2.releases.grapheneos.org]=authorized_keys-replica-releases
    [3.releases.grapheneos.org]=authorized_keys-replica-releases
@ -77,8 +78,11 @@ declare -Ar hosts_firewall=(
    [1.ns2.grapheneos.org]=ns2
    [2.ns2.grapheneos.org]=ns2
    [mail.grapheneos.org]=mail
-    [staging.grapheneos.org]=web-fq
+    [staging.grapheneos.org]=network-fq
-    [1.grapheneos.org]=web-fq
+    [0.grapheneos.org]=network
    [1.grapheneos.org]=network-fq
    [2.grapheneos.org]=network
    [3.grapheneos.org]=network
    [0.grapheneos.network]=network
    [1.grapheneos.network]=network-fq
    [2.grapheneos.network]=network
@ -325,7 +329,6 @@ readonly hosts_certbot=(
    mail.grapheneos.org
    staging.grapheneos.org
    0.grapheneos.org
    0.grapheneos.network
    0.releases.grapheneos.org
    staging.attestation.app
    attestation.app
@ -338,7 +341,6 @@ readonly hosts_primary=(
    0.ns1.grapheneos.org
    0.ns2.grapheneos.org
    0.grapheneos.org
    0.grapheneos.network
    0.releases.grapheneos.org
 )
@ -346,7 +348,7 @@ readonly hosts_secondary=(
    {1..3}.ns1.grapheneos.org
    {1..2}.ns2.grapheneos.org
    {1..3}.grapheneos.org
-    {1..3}.grapheneos.network
+    {0..3}.grapheneos.network
    {1..3}.releases.grapheneos.org
 )
@ -361,6 +363,7 @@ readonly hosts_backup=(
 readonly hosts_grapheneos=(
    {0..3}.grapheneos.org
    {0..3}.grapheneos.network
 )
 readonly hosts_grapheneos_all=(
@ -372,10 +375,6 @@ readonly hosts_releases=(
    {0..3}.releases.grapheneos.org
 )
 readonly hosts_network=(
    {0..3}.grapheneos.network
 )
 readonly hosts_attestation=(
    staging.attestation.app
    attestation.app
@ -385,7 +384,6 @@ readonly hosts_web=(
    "${hosts_dns[@]}"
    mail.grapheneos.org
    "${hosts_grapheneos_all[@]}"
    "${hosts_network[@]}"
    "${hosts_releases[@]}"
    "${hosts_attestation[@]}"
    matrix.grapheneos.org
--- a/packages/0.grapheneos.network
+++ b/packages/0.grapheneos.network
@ -1,5 +1,4 @@
 base
 certbot
 chrony
 cloud-guest-utils
 conntrack-tools
@ -17,6 +16,7 @@ mtr
 neovim
 nftables
 nginx
 nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
--- a/packages/0.grapheneos.org
+++ b/packages/0.grapheneos.org
@ -18,6 +18,7 @@ neovim
 nftables
 nginx
 nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
 pacman-contrib
--- a/packages/1.grapheneos.network
+++ b/packages/1.grapheneos.network
@ -16,6 +16,7 @@ mtr
 neovim
 nftables
 nginx
 nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
--- a/packages/1.grapheneos.org
+++ b/packages/1.grapheneos.org
@ -17,6 +17,7 @@ neovim
 nftables
 nginx
 nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
 pacman-contrib
--- a/packages/2.grapheneos.network
+++ b/packages/2.grapheneos.network
@ -16,6 +16,7 @@ mtr
 neovim
 nftables
 nginx
 nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
--- a/packages/2.grapheneos.org
+++ b/packages/2.grapheneos.org
@ -17,6 +17,7 @@ neovim
 nftables
 nginx
 nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
 pacman-contrib
--- a/packages/3.grapheneos.network
+++ b/packages/3.grapheneos.network
@ -16,6 +16,7 @@ mtr
 neovim
 nftables
 nginx
 nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
--- a/packages/3.grapheneos.org
+++ b/packages/3.grapheneos.org
@ -17,6 +17,7 @@ neovim
 nftables
 nginx
 nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
 pacman-contrib
--- a/packages/staging.grapheneos.org
+++ b/packages/staging.grapheneos.org
@ -18,6 +18,7 @@ neovim
 nftables
 nginx
 nginx-mod-brotli
 nginx-mod-stream
 nmap
 openssh
 pacman-contrib