Commit graph

687 commits

Author SHA1 Message Date
Daniel Micay
01bb6a5504 set CAKE flow isolation mode to dual-dsthost
We have no use case for fairness based on source address.
2025-07-30 18:45:03 -04:00
Daniel Micay
b669c4ce61 relax PrivateUsers for certbot-renew.service
This was preventing using the dnsdist group for the nameservers.
2025-07-27 13:08:48 -04:00
Daniel Micay
9b49a1966d unbound: update DMARC policy override for hotmail.com 2025-07-24 20:31:33 -04:00
Daniel Micay
227d5910fb add ethtool package on bare metal servers 2025-07-24 14:19:56 -04:00
Daniel Micay
86e765944f use more complete rsync command for dnsdist certificates 2025-07-23 00:26:41 -04:00
Daniel Micay
6b42334598 update python dependencies 2025-07-23 00:26:41 -04:00
Daniel Micay
2967eb02d7 remove obsolete nvim tmpfiles.d configuration 2025-07-23 00:26:41 -04:00
Daniel Micay
ec35c062d1 extend rsync alias for deployment 2025-07-23 00:26:41 -04:00
Daniel Micay
86de34d069 remove temporary file 2025-07-23 00:26:41 -04:00
Daniel Micay
7debc5a0b5 add linux-firmware-intel to 4.releases.grapheneos.org
This is needed for full network card functionality. It worked without it
and wasn't logging an error message previously so we didn't notice until
network bandwidth was being bottlenecked as part of rolling out our port
to Android 16 to our Stable channel.
2025-07-23 00:26:41 -04:00
Daniel Micay
a1336fba2f switch from CAKE to mq fq_codel for update servers
CAKE was causing a bottleneck due to being single threaded.
2025-07-23 00:26:41 -04:00
Daniel Micay
dc464772c2 drop sudo as an explicit package for grapheneos.social 2025-07-23 00:26:41 -04:00
Daniel Micay
e0af0efce6 preserve permissions for dnsdist certificate rsync 2025-07-23 00:26:41 -04:00
Daniel Micay
6a28dda6cd unbound: enable infra-keep-probing 2025-07-23 00:26:41 -04:00
Daniel Micay
54d41f25fa switch congestion control back to BBRv1 from CUBIC
BBRv1 provides much better throughput in many cases and is particularly
useful for our update servers. The fairness issues based on round trip
time are not a major issue for us. The fairness issues for competing
with traditional loss-based congestion control are relevant to us but it
seems to benefit it more than it hurts us. BBRv3 will fix most of this
while preserving nearly all the benefits and will likely be shipped as a
replacement for BBRv1 in the Linux kernel rather than another option.

The reason we rolled it back last time was seeing cases of the initial
bandwidth estimate being overly low combined with a very bad interaction
with synproxy causing low bandwidth initially. We've partially addressed
the synproxy issue by raising the synproxy threshold based on conntrack
table size which we're now fully scaling based on available memory. If
we decide this is still a significant issue, we can limit using BBRv1 to
our update servers where it has massive benefits and the least downside
due to initial bandwidth not being as important. BBRv3 will help with
this by probing Round Trip Time every 5 seconds instead of 10 seconds
but still has similar issues.
2025-07-23 00:26:41 -04:00
Daniel Micay
58e107dd97 move zerotier-one to port 999 2025-07-23 00:26:41 -04:00
Daniel Micay
a948b7c244 move dnsdist control socket to port 55
This avoids unnecessary overlap with our ephemeral port range.
2025-07-23 00:26:41 -04:00
Daniel Micay
76b5b554ca nftables: simplify nameserver control socket rules 2025-07-23 00:26:41 -04:00
Daniel Micay
e73d56241c gitignore: ignore /tmp 2025-07-23 00:26:41 -04:00
Daniel Micay
bc79ecb3a0 remove unused firmware packages 2025-07-23 00:26:41 -04:00
Daniel Micay
7153fcbc8a scale synproxy threshold based on conntrack max 2025-07-23 00:26:41 -04:00
Daniel Micay
53ca057a9a adjust conntrack max based on available memory 2025-07-23 00:26:41 -04:00
Daniel Micay
d14c4cccc6 use default conntrack UDP stream timeout
This is relevant to zerotier and will be relevant to QUIC once we begin
using it.
2025-07-23 00:26:41 -04:00
Daniel Micay
3ee28a720f update python dependencies 2025-07-23 00:26:41 -04:00
Daniel Micay
b1452518fc certbot: switch to --required-profile 2025-07-23 00:26:41 -04:00
Daniel Micay
224bdfe93f count: add Pixel 9a 2025-07-23 00:26:41 -04:00
Daniel Micay
b911d1c484 update python dependencies 2025-07-23 00:26:41 -04:00
Daniel Micay
23de1ec38b update python dependencies 2025-07-23 00:26:41 -04:00
Daniel Micay
808177956c sshd: reduce LoginGraceTime to 5s 2025-07-23 00:26:41 -04:00
Daniel Micay
0dcd593d7f plocate-updatedb.timer is enabled by default now 2025-07-23 00:26:41 -04:00
Daniel Micay
7836022d46 use rsync --preallocate for deployment 2025-07-23 00:26:39 -04:00
Daniel Micay
05bc9199b3 use default log size for 2.ns2.grapheneos.org 2025-05-28 11:35:46 -04:00
Daniel Micay
3f2e33e8df raise journal size for several servers 2025-05-28 11:01:12 -04:00
Daniel Micay
5ce289433b rotate-session-ticket-keys: split up code with newlines 2025-05-27 15:40:54 -04:00
Daniel Micay
57a5209d8b integrate dnsdist in session ticket keys management 2025-05-27 15:40:54 -04:00
Daniel Micay
6555042a88 add unified session ticket keys file for dnsdist 2025-05-27 15:40:54 -04:00
Daniel Micay
94a2567b15 add tls group for session ticket keys 2025-05-27 15:40:52 -04:00
Daniel Micay
72ffc14258 add dnsdist deploy-hook setup for ns1.staging.grapheneos.org 2025-05-27 14:23:28 -04:00
Daniel Micay
c140d98366 clean up old files for dnsdist 2025-05-27 14:23:28 -04:00
Daniel Micay
44f6e6021a make session ticket management more generic 2025-05-27 14:23:23 -04:00
Daniel Micay
3e407eac80 certbot: add dnsdist support 2025-05-24 15:47:55 -04:00
Daniel Micay
ee7270f7c4 disable timeout for systemd-boot by default
It's possible to access the menu without a timeout anyway and it also
tends to not be useful for any real-world recovery situation anyway.
2025-05-21 21:48:54 -04:00
Daniel Micay
7cb75131dc drop executable bit for regular files in FAT32 ESP 2025-05-21 20:00:08 -04:00
Daniel Micay
5c41418606 nftables: add support for dnsdist control socket 2025-05-16 13:19:38 -04:00
Daniel Micay
e75172d57c replace nginx with dnsdist for DNS-over-TLS 2025-05-13 21:42:53 -04:00
Daniel Micay
27fe524af6 update python dependencies 2025-05-13 10:44:01 -04:00
Daniel Micay
32f5653e80 gitignore: add /authorized_keys-replica-ns1 2025-05-13 00:18:20 -04:00
Daniel Micay
a3ca986940 merge mail.grapheneos.org certbot command files 2025-05-08 22:30:33 -04:00
Daniel Micay
c9d7aa52a6 remove duplicate domain 2025-05-08 22:26:56 -04:00
Daniel Micay
e9cbaebe22 split supl.grapheneos.org certificate for non-SNI 2025-05-08 22:26:56 -04:00