Daniel Micay
3d5f437ec7
allow unbound to use more outbound ports
2022-09-22 13:41:47 -04:00
Daniel Micay
f3fb90859a
simplify mirrorlist
2022-09-15 23:13:28 -04:00
Daniel Micay
dfd3fc861b
avoid disallowing chown syscall for certbot-renew
2022-09-14 18:29:12 -04:00
Daniel Micay
6c58739dc8
remove PowerDNS for unbound nftables allowlist
...
The unnecessary security polling has been disabled so it doesn't need
this anymore.
2022-09-10 18:11:58 -04:00
Daniel Micay
9a69263f6b
switch to floating IPv4 addresses for staging
2022-09-10 04:36:49 -04:00
Daniel Micay
bcd14b805b
blacklist legacy ip_tables module
2022-08-31 05:19:40 -04:00
Daniel Micay
337647c5a9
add cfg80211 to module blacklist to silence error
2022-08-31 04:34:35 -04:00
Daniel Micay
9939dbc67b
use production time.nl hostname
2022-08-30 14:51:44 -04:00
Daniel Micay
9708449087
use anycast hostname for netnod.se
2022-08-30 14:48:55 -04:00
Daniel Micay
5461b3f05b
raise tcp_max_syn_backlog to 65536
2022-08-28 15:54:11 -04:00
Daniel Micay
ef1a26b68c
certbot-renew: make nginx ocsp-cache dir optional
2022-08-28 15:46:33 -04:00
Daniel Micay
89064482ed
update pacman mirrorlist
2022-08-28 15:03:00 -04:00
Daniel Micay
fd397326ec
add chown to certbot syscall allowlist
2022-08-28 14:58:21 -04:00
Daniel Micay
8482ac5144
give certbot access to /etc/nginx/ocsp-cache
2022-08-27 17:22:23 -04:00
Daniel Micay
2cf0966847
properly override ExecStart
2022-08-27 17:19:42 -04:00
Daniel Micay
256c3652cc
disable unused binfmt_misc
2022-08-14 13:46:00 -04:00
Daniel Micay
f829e05134
raise discuss.grapheneos.org to 500M bandwidth cap
2022-08-11 11:44:22 -04:00
Daniel Micay
2a33c3b962
initial certbot-renew service hardening
...
This doesn't switch to using a dedicated certbot user yet since the
hooks used across the services will all still need to work.
2022-08-10 11:32:48 -04:00
Daniel Micay
5bbaecfce9
disable redundant random sleep for certbot renewal
2022-08-10 11:28:18 -04:00
Daniel Micay
07dca7919d
reorder network allowlists for consistency
2022-08-10 11:13:31 -04:00
Daniel Micay
afce4f2a51
limit nginx service capabilities
...
Running nginx as non-root would be possible via CAP_NET_BIND_SERVICE as
an ambient capability but it would be inherited by workers. It's better
to leave the supervisor process as root for the time being unless nginx
was taught to use socket activation or drop capabilities for workers.
2022-08-10 11:12:20 -04:00
Daniel Micay
ca7c036e8c
sort nginx hardening.conf options
2022-08-10 11:12:20 -04:00
Daniel Micay
7332d93575
update base systemd/sleep.conf
2022-08-10 05:31:31 -04:00
Daniel Micay
316561389c
extend nginx service hardening
2022-08-09 04:55:10 -04:00
Daniel Micay
74933df9cc
set preempt=none for PREEMPT_DYNAMIC kernels
2022-08-07 19:26:29 -04:00
Daniel Micay
d7323bacba
set lockdown to confidentiality mode
2022-08-01 01:47:22 -04:00
Daniel Micay
01791fdcd3
configure CAKE via systemd-networkd
2022-07-27 20:56:14 -04:00
Daniel Micay
2ff883f37f
add systemd-network configurations
2022-07-27 15:40:10 -04:00
Daniel Micay
953420e7a3
disable systemd sleep support
2022-07-27 14:47:48 -04:00
Daniel Micay
45f6f63cc0
Revert "hard-wire ext4 as the only initramfs filesystem"
...
This reverts commit 73a78746f1
.
2022-07-27 02:47:20 -04:00
Daniel Micay
97ad3e7810
unbound: disable unnecessary id/version queries
2022-07-27 02:38:34 -04:00
Daniel Micay
16b58ea6e4
enable strict QNAME minimisation
2022-07-27 02:30:53 -04:00
Daniel Micay
91de1aea2f
add packages, modules and logs to gitignore
2022-07-27 02:16:04 -04:00
Daniel Micay
e90ae84627
ignore all tmp files in gitignore
2022-07-27 02:15:14 -04:00
Daniel Micay
54b52a3655
use dedicated geoipupdate user
2022-07-26 23:09:06 -04:00
Daniel Micay
6081f9fa73
allow synapse to connect to nginx via loopback
...
For an unknown reason, synapse occasionally tries to connect to
matrix.grapheneos.org which ends up being routed via the loopback
interface. For now, allow this to avoid rejected packets.
2022-07-26 19:30:33 -04:00
Daniel Micay
984d0f200f
nftables: implement loopback access control
2022-07-25 20:47:29 -04:00
Daniel Micay
a68a456778
update mirrorlist
2022-07-25 04:09:58 -04:00
Daniel Micay
f38929f9b4
add pacreport.conf
2022-07-24 20:55:47 -04:00
Daniel Micay
c0266f6a16
rename modprobe.d configuration file
2022-07-24 20:07:57 -04:00
Daniel Micay
e5f576c062
sshd: reduce MaxAuthTries to 1
2022-07-22 20:00:52 -04:00
Daniel Micay
84ca6bfa27
sshd: sntrup761x25519-sha512@openssh.com kex only
2022-07-22 19:55:59 -04:00
Daniel Micay
d7c23eac02
disable unused AES-GCM cipher suites
2022-07-22 19:11:28 -04:00
Daniel Micay
ad6e998ec2
nftables: filter input service traffic by dst addr
2022-07-21 19:32:43 -04:00
Daniel Micay
fdf21af1ae
nftables: use notrack accept instead of notrack
2022-07-21 17:31:16 -04:00
Daniel Micay
f7da683012
nftables: simplify ICMP handling
2022-07-18 22:14:35 -04:00
Daniel Micay
494247747c
add flarum-admin user
2022-07-12 17:36:13 -04:00
Daniel Micay
1a195570c8
sshd: disable unused agent forwarding feature
...
This is a misguided feature and while this doesn't meaningfully reduce
attack surface, it makes sense not to enable it.
2022-07-11 19:57:42 -04:00
Daniel Micay
1d9d5df54c
unbound: only listen on IPv6
2022-07-10 15:41:10 -04:00
Daniel Micay
710d487e78
qname-minimisation is enabled by default now
2022-07-03 09:30:44 -04:00