Daniel Micay
e1af23a478
add attestation service config for email
2023-08-18 23:57:44 -04:00
Daniel Micay
894f150a62
use CAKE no-split-gso for release servers
2023-08-06 23:18:53 -04:00
Daniel Micay
2f56bae4a5
use consistent naming for system drop-in configs
2023-08-04 14:45:15 -04:00
Daniel Micay
e56add4330
run fstrim daily instead of weekly
2023-08-04 14:38:41 -04:00
Daniel Micay
b67d037a5e
add xfs_fsr service run before fstrim service
2023-08-03 16:35:53 -04:00
Daniel Micay
124897ccba
update systemd/system.conf
2023-08-01 18:06:28 -04:00
Daniel Micay
7a95f6bfb4
update systemd/networkd.conf
2023-08-01 18:05:17 -04:00
Daniel Micay
53b46f6166
set correct subnet mask for BuyVM main IP
2023-07-28 00:12:05 -04:00
Daniel Micay
5e07ae005b
use idle scheduling for fstrim.service
2023-07-26 13:21:24 -04:00
Daniel Micay
6595a2b05f
rename eth0 to public
This resolves a warning from systemd-networkd about using one of the
names reserved by the kernel.
2023-07-15 00:33:35 -04:00
Daniel Micay
b245498612
disable unused DHCP IPv4 address for mail server
2023-07-13 21:39:12 -04:00
Daniel Micay
6736cdc36f
use highest accuracy for sysstat-collect.timer
2023-07-13 18:51:39 -04:00
Daniel Micay
6567335b31
run sysstat-collect.service every minute
2023-07-13 18:51:28 -04:00
Daniel Micay
5f339efb2d
update certbot-ocsp-fetcher
2023-07-09 18:16:59 -04:00
Daniel Micay
462bdc8599
add session ticket key management scripts
2023-07-09 18:04:17 -04:00
Daniel Micay
8ac489c9aa
allow nginx master process to use CAP_CHOWN
This is required for it to create the /var directories it uses when the
master process is running as root. It would be possible to run the nginx
master process as non-root but it doesn't drop ambient capabilities when
it spawns the workers so running the master process as non-root will end
up giving the workers higher privileges due to them ending up getting
the CAP_NET_BIND_SERVICE capability passed through.
2023-07-06 05:30:35 -04:00
Daniel Micay
2cf694017b
silence systemd-networkd address prefix warning
It does the right thing by default now but it still produces a warning,
so silence it.
2023-07-06 04:39:16 -04:00
Daniel Micay
5777fa38ae
add network configuration for 1.grapheneos.network
2023-07-06 04:30:23 -04:00
Daniel Micay
2f4e9f67c4
set log retention time per server
2023-07-06 00:17:05 -04:00
Daniel Micay
5ea36399d1
rename 1.grapheneos.network to 2.grapheneos.network
2023-07-05 17:31:48 -04:00
Daniel Micay
a97e039314
rename 2.grapheneos.network to 3.grapheneos.network
2023-07-05 17:31:30 -04:00
Daniel Micay
37bf4935f1
drop mail server specific certbot configuration
The mail server is now using the webroot authentication method via nginx
due to moving the MTA-STS web service to the mail server.
2023-06-30 15:47:33 -04:00
Daniel Micay
8114047b9b
add new website server instance
2023-06-30 15:45:09 -04:00
Daniel Micay
2641d41169
move staging.attestation.app to BuyVM
2023-06-29 13:14:50 -04:00
Daniel Micay
f9bee29ab8
move staging.grapheneos.org to BuyVM
2023-06-23 14:41:01 -04:00
Daniel Micay
2f4218fc77
move ns1.staging.grapheneos.org to BuyVM
2023-06-22 12:41:26 -04:00
Daniel Micay
254e628a79
move staging.ns1.grapheneos.org to ns1.staging.grapheneos.org
2023-06-22 00:27:08 -04:00
Daniel Micay
f1d9c0693e
disable link-local addressing
2023-06-21 23:10:09 -04:00
Daniel Micay
384c29bd5e
simplify route metric configuration
2023-06-21 22:56:50 -04:00
Daniel Micay
d0d72994e2
replace ns2.grapheneos.org network configuration
2023-06-16 20:30:29 -04:00
Daniel Micay
27aca7474c
drop no-op RemoveIPC
2023-06-10 20:42:37 -04:00
Daniel Micay
ac23681718
update systemd/system.conf
2023-03-30 03:17:00 -04:00
Daniel Micay
7ffac9ab5a
raise max journald files
2023-03-29 00:15:04 -04:00
Daniel Micay
c573091af4
use per-host journald SystemMaxUse
2023-03-25 07:04:46 -04:00
Daniel Micay
d550ccbc73
update sleep.conf
2023-02-17 17:51:41 -05:00
Daniel Micay
68a73e798a
update system.conf
2023-02-17 17:51:24 -05:00
Daniel Micay
7fc42a25c4
remove Arch Linux nginx error_log configuration
error_log works the same way as add_header where defining it again on
the same level is additive and logs to both places, meaning that there
are duplicated logs when defining a proper syslog error_log output at
the top level.
2023-02-17 17:31:00 -05:00
Daniel Micay
3ea5a14b2f
drop floating IPs for DNS servers
2022-11-30 19:23:18 -05:00
Daniel Micay
91e36044ca
drop floating IPs for release servers
2022-11-29 02:26:51 -05:00
Daniel Micay
9f1ba5f2a5
drop floating IPs for website servers
2022-11-29 02:07:56 -05:00
Daniel Micay
3354bcb34d
drop floating IPs for network servers
2022-11-29 02:07:05 -05:00
Daniel Micay
ace45c7d5c
drop floating IP for attestation server
2022-11-29 01:39:15 -05:00
Daniel Micay
9929542f43
drop floating IP for forum server
2022-11-29 01:27:01 -05:00
Daniel Micay
38414a8313
drop floating IP for Matrix server
2022-11-29 01:26:31 -05:00
Daniel Micay
0aff07f884
add grapheneos.social network configuration
2022-11-27 01:41:42 -05:00
Daniel Micay
08da28f7b5
drop floating IPs for staging servers
2022-11-27 00:08:29 -05:00
Daniel Micay
b996f5586f
update systemd/system.conf
2022-11-10 17:09:19 -05:00
Daniel Micay
36423fb2bc
auto-restart nginx if master process is killed
nginx handles restarting workers automatically but the master process
is typically killed by the OOM killer too.
2022-09-26 16:45:15 -04:00
Daniel Micay
320ad2e3a8
replace tmpfiles.d with RuntimeDirectory for nginx
This is much more robust because nginx will fail to start after being
killed or crashing due to only removing old Unix domain sockets when it
stops cleanly. It ends up owned by root:root instead of root:http which
is fine because only the master process opens it.
2022-09-26 16:43:17 -04:00
Daniel Micay
88d8e37233
rename nginx service hardening.conf to local.conf
2022-09-26 14:04:45 -04:00