Commit Graph

471 Commits

Author SHA1 Message Date
Daniel Micay
01201c0ece disable io_uring without CAP_SYS_ADMIN or io_uring group 2024-07-01 23:15:38 -04:00
Tommy
6e6957876e Update certbot-ocsp-fetcher to match upstream 2024-07-01 21:37:10 -04:00
Daniel Micay
84b2193808 switch to noswap tmpfs from ramfs for session ticket keys 2024-06-28 12:44:31 -04:00
Daniel Micay
ba2540c3fe add directory for home directory files 2024-06-27 10:13:15 -04:00
Tommy
6fc45525d9 Add NoNewPrivileges=true for certbot 2024-06-24 11:55:59 -04:00
Tommy
55221c8e44 Sort NGINX override alphabetically
Everything is already sorted alphabetically, but for some reason NoNewPrivileges is above MemoryDenyWriteExecute
2024-06-24 11:36:36 -04:00
Tommy
0e4d94e550 Remove redundant PrivateTmp=true 2024-06-24 11:18:11 -04:00
Daniel Micay
4382120e37 set umask for encrypted swapfile creation 2024-06-21 22:36:27 -04:00
Daniel Micay
597f534d63 increase journal file size for 3.grapheneos.network 2024-06-21 16:51:36 -04:00
Daniel Micay
f7643fa8b7 reorder initial deployment 2024-06-19 11:54:08 -04:00
Daniel Micay
4c52595bfd drop unmodified hosts file 2024-06-19 11:49:13 -04:00
Daniel Micay
54181d3031 increase journal size for update servers 2024-06-19 11:42:42 -04:00
Daniel Micay
65e2b8b109 increase journal size for network servers 2024-06-19 11:38:22 -04:00
Daniel Micay
1dc26ba006 add VerifyHostKeyDNS ask to ssh_config 2024-06-18 14:25:16 -04:00
Daniel Micay
4475df98a4 deploy nftables rules in deploy-initial 2024-06-18 14:15:19 -04:00
Daniel Micay
f40a017ec3 add nftables configuration mapping to hosts.sh 2024-06-18 13:55:18 -04:00
Daniel Micay
662a2d3522 update configuration for systemd 256 2024-06-18 13:16:03 -04:00
Daniel Micay
54490cf662 update python dependencies 2024-06-17 23:52:00 -04:00
Daniel Micay
d103f6cdf3 simplify deployment script usage 2024-06-17 18:29:28 -04:00
Daniel Micay
750cd5e985 replace urandom with random
These both use the same CSPRNG on modern kernels, but random waits for
CSPRNG initialization instead of only attempting to initialize it.
2024-06-17 15:04:13 -04:00
Daniel Micay
ce1fef8c0e use per-server package list for deploy-initial 2024-06-17 15:00:36 -04:00
Daniel Micay
73a88e36ad replace 3.grapheneos.org and 3.grapheneos.network 2024-06-15 14:02:29 -04:00
Daniel Micay
55e7cadc02 update deploy-initial image version 2024-06-15 13:36:29 -04:00
Daniel Micay
7a78e3bd07 count: add akita 2024-06-11 22:56:05 -04:00
Daniel Micay
aefa91830e update python dependencies 2024-06-08 14:34:08 -04:00
Daniel Micay
8e9fe48605 update python dependencies 2024-06-06 00:26:45 -04:00
Daniel Micay
1ed92eb04c short ISRG Root X1 chain is now the default 2024-06-04 13:26:50 -04:00
Daniel Micay
aacde289bf add postfix-pcre package to mail.grapheneos.org 2024-05-30 12:12:05 -04:00
Daniel Micay
59e15db025 update python dependencies 2024-05-30 10:32:19 -04:00
Daniel Micay
f837b81bbd replace obsolete python-postfix-policyd-spf with python-spf-engine 2024-05-29 22:32:33 -04:00
Daniel Micay
d77a7b2cff drop python-pydantic workaround
This was added as a dependency for matrix-synapse.
2024-05-24 15:43:08 -04:00
Daniel Micay
e1f968617b replace sshpass with swiftclient for backups 2024-05-24 15:35:04 -04:00
Daniel Micay
f1d388e5c9 add list of hosts using automated backups 2024-05-24 15:34:16 -04:00
Daniel Micay
a2758fe665 update python dependencies 2024-05-24 15:33:27 -04:00
Daniel Micay
39a48e6585 update python dependencies 2024-05-21 13:38:50 -04:00
Daniel Micay
38dc2fb4d2 add samsung.psds.grapheneos.org subdomain 2024-05-15 14:36:26 -04:00
Daniel Micay
3b1c43d29f update requirements.txt 2024-04-30 12:32:40 -04:00
Daniel Micay
f9425e3ebd reduce conntrack UDP timeouts
This only applies to outbound NTP requests since we use notrack for our
UDP services and DNS-over-TLS for our local resolver. We'd have no need
for longer timeouts even if that wasn't the case.
2024-04-30 12:13:02 -04:00
Daniel Micay
6dbc014f4b set conntrack expectation table to minimum size 2024-04-27 12:48:21 -04:00
Daniel Micay
a067120a49 downgrade to supported nodejs LTS branch for mjolnir 2024-04-27 09:48:20 -04:00
Daniel Micay
ba79d80b52 raise burst value for synproxy threshold 2024-04-26 16:30:49 -04:00
Daniel Micay
c99b8d0b47 nftables: use default drop in prerouting-raw table 2024-04-26 10:42:45 -04:00
Daniel Micay
bab3f0c14a disable IPv4-mapped IPv6 addresses by default 2024-04-25 10:38:54 -04:00
Daniel Micay
2c2943cc3e override default conntrack table size 2024-04-25 01:59:35 -04:00
Daniel Micay
fb40773157 reduce conntrack TCP TIME-WAIT timeout to match TCP stack 2024-04-24 21:12:12 -04:00
Daniel Micay
82cc1beccb remove unused SYN backlog configuration
This isn't used anymore despite inaccurate kernel configuration
documentation. The SYN_RECV queue is set based on the backlog value
just like the separate accept queue for established connections.
2024-04-24 18:58:41 -04:00
Daniel Micay
f3ae109eac reduce conntrack SYN timeouts to match TCP/IP stack 2024-04-24 10:45:02 -04:00
Daniel Micay
ee62868a7b nftables: use standard order for verdict map 2024-04-23 03:30:15 -04:00
Daniel Micay
965bc4f951 nftables: add invalid case to ct state vmap
This might as well be dropped by the verdict map instead of falling
through to the default drop policy.
2024-04-23 02:38:40 -04:00
Daniel Micay
5ba6cbd3d1 nftables: simplify rules via untracked state 2024-04-23 02:34:17 -04:00