Daniel Micay
662a2d3522
update configuration for systemd 256
2024-06-18 13:16:03 -04:00
Daniel Micay
73a88e36ad
replace 3.grapheneos.org and 3.grapheneos.network
2024-06-15 14:02:29 -04:00
Daniel Micay
66562272ac
set preferred source for static IPv6 configuration
2024-03-26 21:50:12 -04:00
Daniel Micay
3de32072da
consistently use short form IPv6 addresses
2024-03-26 21:24:50 -04:00
Daniel Micay
571644526d
consistently list IPv4 routes before IPv6 routes
2024-03-26 21:24:50 -04:00
Daniel Micay
64e2e836d3
set preferred source for static IPv4 configuration
2024-03-26 21:24:48 -04:00
Daniel Micay
d8b70fce4f
raise journal size for high log volume servers
2024-03-01 10:05:39 -05:00
Daniel Micay
23207e99bf
replace 4.releases.grapheneos.org server
2024-02-24 10:34:52 -05:00
Daniel Micay
5b25870f96
enable reboot on systemd crash caught systemd
2024-02-13 13:07:51 -05:00
Daniel Micay
2e7058e9c4
replace certbot log rotation with logrotate
2024-02-13 12:38:14 -05:00
Daniel Micay
e81e9feef3
replace MaxRetentionSec to stop excessive rotation
2024-02-13 11:30:56 -05:00
Daniel Micay
0e3521564c
replace mail.grapheneos.org server
2024-01-24 22:53:09 -05:00
Daniel Micay
da98484270
replace attestation.app server
2024-01-23 19:15:19 -05:00
Daniel Micay
7213c1745a
replace 2.grapheneos.org and 2.grapheneos.network
2024-01-22 01:39:38 -05:00
Daniel Micay
4714b0bdb9
replace discuss.grapheneos.org server
2024-01-20 23:36:30 -05:00
Daniel Micay
6a0481714f
replace 0.grapheneos.org and 0.grapheneos.network
2024-01-20 00:59:00 -05:00
Daniel Micay
a954a4a024
use clean syntax for IPv6 address
2024-01-18 08:44:19 -05:00
Daniel Micay
d22b380520
replace ns1.grapheneos.org server
2024-01-18 08:19:33 -05:00
Daniel Micay
e581aeafb5
use idle CPU scheduling mode for updatedb
2024-01-03 10:10:04 -05:00
Daniel Micay
dc4101f3de
update systemd configuration files
2023-12-07 12:33:59 -05:00
Daniel Micay
15f1cbcd02
nginx: drop ExecStart override
2023-09-18 02:41:59 -04:00
Daniel Micay
90411f367c
update OCSP cache path for certbot-renew.service
2023-09-02 15:07:28 -04:00
Daniel Micay
e1af23a478
add attestation service config for email
2023-08-18 23:57:44 -04:00
Daniel Micay
894f150a62
use CAKE no-split-gso for release servers
2023-08-06 23:18:53 -04:00
Daniel Micay
2f56bae4a5
use consistent naming for system drop-in configs
2023-08-04 14:45:15 -04:00
Daniel Micay
e56add4330
run fstrim daily instead of weekly
2023-08-04 14:38:41 -04:00
Daniel Micay
b67d037a5e
add xfs_fsr service run before fstrim service
2023-08-03 16:35:53 -04:00
Daniel Micay
124897ccba
update systemd/system.conf
2023-08-01 18:06:28 -04:00
Daniel Micay
7a95f6bfb4
update systemd/networkd.conf
2023-08-01 18:05:17 -04:00
Daniel Micay
53b46f6166
set correct subnet mask for BuyVM main IP
2023-07-28 00:12:05 -04:00
Daniel Micay
5e07ae005b
use idle scheduling for fstrim.service
2023-07-26 13:21:24 -04:00
Daniel Micay
6595a2b05f
rename eth0 to public
This resolves a warning from systemd-networkd about using one of the
names reserved by the kernel.
2023-07-15 00:33:35 -04:00
Daniel Micay
b245498612
disable unused DHCP IPv4 address for mail server
2023-07-13 21:39:12 -04:00
Daniel Micay
6736cdc36f
use highest accuracy for sysstat-collect.timer
2023-07-13 18:51:39 -04:00
Daniel Micay
6567335b31
run sysstat-collect.service every minute
2023-07-13 18:51:28 -04:00
Daniel Micay
5f339efb2d
update certbot-ocsp-fetcher
2023-07-09 18:16:59 -04:00
Daniel Micay
462bdc8599
add session ticket key management scripts
2023-07-09 18:04:17 -04:00
Daniel Micay
8ac489c9aa
allow nginx master process to use CAP_CHOWN
This is required for it to create the /var directories it uses when the
master process is running as root. It would be possible to run the nginx
master process as non-root but it doesn't drop ambient capabilities when
it spawns the workers so running the master process as non-root will end
up giving the workers higher privileges due to them ending up getting
the CAP_NET_BIND_SERVICE capability passed through.
2023-07-06 05:30:35 -04:00
Daniel Micay
2cf694017b
silence systemd-networkd address prefix warning
It does the right thing by default now but it still produces a warning,
so silence it.
2023-07-06 04:39:16 -04:00
Daniel Micay
5777fa38ae
add network configuration for 1.grapheneos.network
2023-07-06 04:30:23 -04:00
Daniel Micay
2f4e9f67c4
set log retention time per server
2023-07-06 00:17:05 -04:00
Daniel Micay
5ea36399d1
rename 1.grapheneos.network to 2.grapheneos.network
2023-07-05 17:31:48 -04:00
Daniel Micay
a97e039314
rename 2.grapheneos.network to 3.grapheneos.network
2023-07-05 17:31:30 -04:00
Daniel Micay
37bf4935f1
drop mail server specific certbot configuration
The mail server is now using the webroot authentication method via nginx
due to moving the MTA-STS web service to the mail server.
2023-06-30 15:47:33 -04:00
Daniel Micay
8114047b9b
add new website server instance
2023-06-30 15:45:09 -04:00
Daniel Micay
2641d41169
move staging.attestation.app to BuyVM
2023-06-29 13:14:50 -04:00
Daniel Micay
f9bee29ab8
move staging.grapheneos.org to BuyVM
2023-06-23 14:41:01 -04:00
Daniel Micay
2f4218fc77
move ns1.staging.grapheneos.org to BuyVM
2023-06-22 12:41:26 -04:00
Daniel Micay
254e628a79
move staging.ns1.grapheneos.org to ns1.staging.grapheneos.org
2023-06-22 00:27:08 -04:00
Daniel Micay
f1d9c0693e
disable link-local addressing
2023-06-21 23:10:09 -04:00