Daniel Micay
5e07ae005b
use idle scheduling for fstrim.service
2023-07-26 13:21:24 -04:00
Daniel Micay
6595a2b05f
rename eth0 to public
...
This resolves a warning from systemd-networkd about using one of the
names reserved by the kernel.
2023-07-15 00:33:35 -04:00
Daniel Micay
b245498612
disable unused DHCP IPv4 address for mail server
2023-07-13 21:39:12 -04:00
Daniel Micay
6736cdc36f
use highest accuracy for sysstat-collect.timer
2023-07-13 18:51:39 -04:00
Daniel Micay
6567335b31
run sysstat-collect.service every minute
2023-07-13 18:51:28 -04:00
Daniel Micay
5f339efb2d
update certbot-ocsp-fetcher
2023-07-09 18:16:59 -04:00
Daniel Micay
462bdc8599
add session ticket key management scripts
2023-07-09 18:04:17 -04:00
Daniel Micay
8ac489c9aa
allow nginx master process to use CAP_CHOWN
...
This is required for it to create the /var directories it uses when the
master process is running as root. It would be possible to run the nginx
master process as non-root but it doesn't drop ambient capabilities when
it spawns the workers so running the master process as non-root will end
up giving the workers higher privileges due to them ending up getting
the CAP_NET_BIND_SERVICE capability passed through.
2023-07-06 05:30:35 -04:00
Daniel Micay
2cf694017b
silence systemd-networkd address prefix warning
...
It does the right thing by default now but it still produces a warning,
so silence it.
2023-07-06 04:39:16 -04:00
Daniel Micay
5777fa38ae
add network configuration for 1.grapheneos.network
2023-07-06 04:30:23 -04:00
Daniel Micay
2f4e9f67c4
set log retention time per server
2023-07-06 00:17:05 -04:00
Daniel Micay
5ea36399d1
rename 1.grapheneos.network to 2.grapheneos.network
2023-07-05 17:31:48 -04:00
Daniel Micay
a97e039314
rename 2.grapheneos.network to 3.grapheneos.network
2023-07-05 17:31:30 -04:00
Daniel Micay
37bf4935f1
drop mail server specific certbot configuration
...
The mail server is now using the webroot authentication method via nginx
due to moving the MTA-STS web service to the mail server.
2023-06-30 15:47:33 -04:00
Daniel Micay
8114047b9b
add new website server instance
2023-06-30 15:45:09 -04:00
Daniel Micay
2641d41169
move staging.attestation.app to BuyVM
2023-06-29 13:14:50 -04:00
Daniel Micay
f9bee29ab8
move staging.grapheneos.org to BuyVM
2023-06-23 14:41:01 -04:00
Daniel Micay
2f4218fc77
move ns1.staging.grapheneos.org to BuyVM
2023-06-22 12:41:26 -04:00
Daniel Micay
254e628a79
move staging.ns1.grapheneos.org to ns1.staging.grapheneos.org
2023-06-22 00:27:08 -04:00
Daniel Micay
f1d9c0693e
disable link-local addressing
2023-06-21 23:10:09 -04:00
Daniel Micay
384c29bd5e
simplify route metric configuration
2023-06-21 22:56:50 -04:00
Daniel Micay
d0d72994e2
replace ns2.grapheneos.org network configuration
2023-06-16 20:30:29 -04:00
Daniel Micay
27aca7474c
drop no-op RemoveIPC
2023-06-10 20:42:37 -04:00
Daniel Micay
ac23681718
update systemd/system.conf
2023-03-30 03:17:00 -04:00
Daniel Micay
7ffac9ab5a
raise max journald files
2023-03-29 00:15:04 -04:00
Daniel Micay
c573091af4
use per-host journald SystemMaxUse
2023-03-25 07:04:46 -04:00
Daniel Micay
d550ccbc73
update sleep.conf
2023-02-17 17:51:41 -05:00
Daniel Micay
68a73e798a
update system.conf
2023-02-17 17:51:24 -05:00
Daniel Micay
7fc42a25c4
remove Arch Linux nginx error_log configuration
...
error_log works the same way as add_header where defining it again on
the same level is additive and logs to both places, meaning that there
are duplicated logs when defining a proper syslog error_log output at
the top level.
2023-02-17 17:31:00 -05:00
Daniel Micay
3ea5a14b2f
drop floating IPs for DNS servers
2022-11-30 19:23:18 -05:00
Daniel Micay
91e36044ca
drop floating IPs for release servers
2022-11-29 02:26:51 -05:00
Daniel Micay
9f1ba5f2a5
drop floating IPs for website servers
2022-11-29 02:07:56 -05:00
Daniel Micay
3354bcb34d
drop floating IPs for network servers
2022-11-29 02:07:05 -05:00
Daniel Micay
ace45c7d5c
drop floating IP for attestation server
2022-11-29 01:39:15 -05:00
Daniel Micay
9929542f43
drop floating IP for forum server
2022-11-29 01:27:01 -05:00
Daniel Micay
38414a8313
drop floating IP for Matrix server
2022-11-29 01:26:31 -05:00
Daniel Micay
0aff07f884
add grapheneos.social network configuration
2022-11-27 01:41:42 -05:00
Daniel Micay
08da28f7b5
drop floating IPs for staging servers
2022-11-27 00:08:29 -05:00
Daniel Micay
b996f5586f
update systemd/system.conf
2022-11-10 17:09:19 -05:00
Daniel Micay
36423fb2bc
auto-restart nginx if master process is killed
...
nginx handles restarting workers automatically but the master process
is typically killed by the OOM killer too.
2022-09-26 16:45:15 -04:00
Daniel Micay
320ad2e3a8
replace tmpfiles.d with RuntimeDirectory for nginx
...
This is much more robust because nginx will fail to start after being
killed or crashing due to only removing old Unix domain sockets when it
stops cleanly. It ends up owned by root:root instead of root:http which
is fine because only the master process opens it.
2022-09-26 16:43:17 -04:00
Daniel Micay
88d8e37233
rename nginx service hardening.conf to local.conf
2022-09-26 14:04:45 -04:00
Daniel Micay
dfd3fc861b
avoid disallowing chown syscall for certbot-renew
2022-09-14 18:29:12 -04:00
Daniel Micay
9a69263f6b
switch to floating IPv4 addresses for staging
2022-09-10 04:36:49 -04:00
Daniel Micay
ef1a26b68c
certbot-renew: make nginx ocsp-cache dir optional
2022-08-28 15:46:33 -04:00
Daniel Micay
fd397326ec
add chown to certbot syscall allowlist
2022-08-28 14:58:21 -04:00
Daniel Micay
8482ac5144
give certbot access to /etc/nginx/ocsp-cache
2022-08-27 17:22:23 -04:00
Daniel Micay
2cf0966847
properly override ExecStart
2022-08-27 17:19:42 -04:00
Daniel Micay
f829e05134
raise discuss.grapheneos.org to 500M bandwidth cap
2022-08-11 11:44:22 -04:00
Daniel Micay
2a33c3b962
initial certbot-renew service hardening
...
This doesn't switch to using a dedicated certbot user yet since the
hooks used across the services will all still need to work.
2022-08-10 11:32:48 -04:00
Daniel Micay
5bbaecfce9
disable redundant random sleep for certbot renewal
2022-08-10 11:28:18 -04:00
Daniel Micay
afce4f2a51
limit nginx service capabilities
...
Running nginx as non-root would be possible via CAP_NET_BIND_SERVICE as
an ambient capability but it would be inherited by workers. It's better
to leave the supervisor process as root for the time being unless nginx
was taught to use socket activation or drop capabilities for workers.
2022-08-10 11:12:20 -04:00
Daniel Micay
ca7c036e8c
sort nginx hardening.conf options
2022-08-10 11:12:20 -04:00
Daniel Micay
7332d93575
update base systemd/sleep.conf
2022-08-10 05:31:31 -04:00
Daniel Micay
316561389c
extend nginx service hardening
2022-08-09 04:55:10 -04:00
Daniel Micay
01791fdcd3
configure CAKE via systemd-networkd
2022-07-27 20:56:14 -04:00
Daniel Micay
2ff883f37f
add systemd-network configurations
2022-07-27 15:40:10 -04:00
Daniel Micay
953420e7a3
disable systemd sleep support
2022-07-27 14:47:48 -04:00
Daniel Micay
e73dab2375
update systemd/system.conf
2022-05-22 15:57:02 -04:00
Daniel Micay
962270c183
update system.conf
2022-03-14 15:08:14 -04:00
Daniel Micay
72937c922f
add new file limit configuration for sshd
2022-02-25 19:31:35 -05:00
Daniel Micay
9f82fe54bd
use double brace for templates
2021-11-27 20:25:47 -05:00
Daniel Micay
35f539f237
only permit native system call architecture
2021-09-16 03:57:53 -04:00
Daniel Micay
e4872fb5bb
enable IP and IO accounting by default
2021-09-09 08:44:11 -04:00
Daniel Micay
64b3a1031d
move units to systemd directory
2021-09-08 17:57:50 -04:00
Daniel Micay
fe9d4e0f5f
add systemd directory
2021-09-08 17:53:20 -04:00