Daniel Micay
39b7e1f479
add counter to connection limit reject rules
2024-03-30 02:12:18 -04:00
Daniel Micay
b40988122c
switch to Java 21 LTS package since Java 22 is out
2024-03-30 02:12:00 -04:00
Daniel Micay
280eb51c8d
rename loopback chains for clarity
2024-03-30 02:12:00 -04:00
Daniel Micay
9b40bb90b8
split out input chain for loopback
2024-03-30 02:12:00 -04:00
Daniel Micay
811fcf593e
enforce IPv6 DNS connection limit for /64 blocks
2024-03-30 02:12:00 -04:00
Daniel Micay
d95752bea6
move IP-based DNS connection limits to nftables
This reuses the approach in cd59960e7b for SSH connection limits with the same rationale.
PowerDNS also lacks a way to allowlist an address and was limiting our
ADoT reverse proxy to only being able to make 16 connections to the
backend. We could have worked around that by proxying every TCP DNS
connection but it makes more sense to switch to doing this via nftables
where new TCP connections can be completely avoided.
TCP DNS will be perfectly fine without window scaling and Selective
Acknowledgements for clients without TCP timestamps enabled.
2024-03-30 02:11:21 -04:00
Daniel Micay
6b573fe227
dns-stats: show total TCP and UDP queries
2024-03-28 11:38:06 -04:00
Daniel Micay
8c929f02ac
enforce IPv6 SSH connection limit for /48 blocks
Since our primary servers using SSH to mirror their TLS certificates to
replicas are now allowlisted, we can use a stricter block size than we
could with the PerSourceMaxStartups approach in sshd.
2024-03-28 11:38:06 -04:00
Daniel Micay
cd59960e7b
move IP-based SSH connection limits to nftables
We use synproxy for establishing all new connections to the SSH port and
enforce a connection limit between synproxy and the standard network
stack. Once the connection limit is reached, it's also enforced for new
connections at the synproxy layer. This avoids creating conntrack and
connection limit set entries until connections are already established
to avoid packets with spoofed source addresses exhausting these limited
size tables. Primary servers using SSH to mirror TLS certificates to
their replicas are allowlisted.
2024-03-28 11:38:03 -04:00
Daniel Micay
16ef317460
nftables: rename output-reject to graceful-reject
2024-03-27 12:31:09 -04:00
Daniel Micay
66562272ac
set preferred source for static IPv6 configuration
2024-03-26 21:50:12 -04:00
Daniel Micay
3de32072da
consistently use short form IPv6 addresses
2024-03-26 21:24:50 -04:00
Daniel Micay
571644526d
consistently list IPv4 routes before IPv6 routes
2024-03-26 21:24:50 -04:00
Daniel Micay
64e2e836d3
set preferred source for static IPv4 configuration
2024-03-26 21:24:48 -04:00
Daniel Micay
14e9cd5b76
use standard style for nftables sets
2024-03-24 16:23:54 -04:00
Daniel Micay
0ac67c38c3
allow IPv6 SSH for discuss.grapheneos.org
This could be useful and disabling it isn't necessary for blocking IPv6
connections to the forum.
2024-03-24 15:41:13 -04:00
Daniel Micay
7b64ffd4cd
simplify nftables based on strong host model
2024-03-24 15:22:00 -04:00
Daniel Micay
59984a477c
enforce strong host model via nftables
2024-03-24 14:36:24 -04:00
Daniel Micay
eb55afa3a8
reorganize sysctl configuration
2024-03-24 11:03:31 -04:00
Daniel Micay
51a4f8ca7a
extend disabling ICMP redirects
2024-03-24 10:43:37 -04:00
Daniel Micay
ec2cbbdb4e
enforce strict reverse path filtering via nftables
2024-03-23 13:35:49 -04:00
Daniel Micay
81fa5f8ebd
use standard log rotation approach for wtmp/btmp
2024-03-20 23:43:48 -04:00
Daniel Micay
455ef92c18
disable chrony client log
This is only needed to support clients using the interleaved mode. We
only use chrony as a server on our network servers and the clients are
only using SNTP via xtra-daemon so we don't need this. This frees up a
little bit of memory and avoids having a list of recent clients stored
in memory.
2024-03-20 23:24:57 -04:00
Daniel Micay
e1df22a68f
clean up session ticket rotation scripts
2024-03-20 22:55:40 -04:00
Daniel Micay
f35dc08868
split grapheneos.org hosts array
2024-03-18 21:10:47 -04:00
Daniel Micay
f6d6b0584b
use larger journal for matrix.grapheneos.org too
2024-03-17 19:47:36 -04:00
Daniel Micay
bcfa2aef63
add basic inputrc
2024-03-14 15:48:53 -04:00
Daniel Micay
d5653b25f2
increase 0.grapheneos.network journal size
2024-03-12 11:40:26 -04:00
Daniel Micay
d57ca21e06
add sqlite-analyzer to attestation servers
2024-03-08 11:54:02 -05:00
Daniel Micay
e9d90bf88b
lsof replaced with lsfd
2024-03-06 16:53:42 -05:00
Daniel Micay
c8d359af57
disable mkinitcpio fallback image
2024-03-04 13:13:58 -05:00
Daniel Micay
8591cb9354
raise 2.grapheneos.network journal size to 2G
2024-03-03 15:47:19 -05:00
Daniel Micay
14174e90f4
nginx-rotate-session-ticket-keys: drop unnecessary time sync
2024-03-03 09:57:30 -05:00
Daniel Micay
fb8775bb85
use checksum-based rsync
2024-03-03 09:55:02 -05:00
Daniel Micay
d8b70fce4f
raise journal size for high log volume servers
2024-03-01 10:05:39 -05:00
Daniel Micay
16e3df0c39
raise max log size for OVH network instances
2024-02-29 13:58:38 -05:00
Daniel Micay
67a71a5cd3
count: drop 3rd gen Pixels
2024-02-24 19:19:59 -05:00
Daniel Micay
23207e99bf
replace 4.releases.grapheneos.org server
2024-02-24 10:34:52 -05:00
Daniel Micay
c9cceb3bc0
explicitly set XFS allocation group count
2024-02-24 10:28:10 -05:00
Daniel Micay
e0d5ff2fb2
enable deploy-initial script
2024-02-24 10:22:19 -05:00
Daniel Micay
b185e04a2c
update install image to 2024.02.01
2024-02-24 10:21:24 -05:00
Daniel Micay
0899b7e984
update python dependencies
2024-02-23 13:04:36 -05:00
Daniel Micay
827324d15d
stop generating unused en_US.UTF-8 locale
We only use the C.UTF-8 locale now.
2024-02-15 13:56:29 -05:00
Daniel Micay
5b25870f96
enable reboot on systemd crash caught systemd
2024-02-13 13:07:51 -05:00
Daniel Micay
2e7058e9c4
replace certbot log rotation with logrotate
2024-02-13 12:38:14 -05:00
Daniel Micay
e81e9feef3
replace MaxRetentionSec to stop excessive rotation
2024-02-13 11:30:56 -05:00
Daniel Micay
d39937fc6c
disable currently unused energy aware scheduling
2024-02-12 16:13:45 -05:00
Daniel Micay
bd9a3d97d7
update python dependencies
2024-02-08 15:08:27 -05:00
Daniel Micay
81307b3bb9
add authorized_keys to gitignore
2024-02-03 17:48:56 -05:00
Daniel Micay
86d582ba2b
add stripped down initial deployment script
2024-02-03 17:47:41 -05:00