Commit graph

846 commits

Author SHA1 Message Date
Daniel Micay
4c9be33036 networkd: remove unnecessary [Address] sections 2025-11-14 05:35:58 -05:00
Daniel Micay
21b9f52b4a add mia.ns2.grapheneos.org server 2025-11-14 05:35:58 -05:00
Daniel Micay
d682b05846 replace remaining OVH ns1 servers with Vultr 2025-11-14 05:35:58 -05:00
Daniel Micay
6819359c45 add IPv6 address from our /48 announced from BuyVM 2025-11-11 03:39:21 -05:00
Daniel Micay
80c8b239d5 add bird to ns2.grapheneos.org to use our IP space 2025-11-11 03:39:21 -05:00
Daniel Micay
f1859e38cc hosts: add list of Vultr instances 2025-11-11 03:39:21 -05:00
Daniel Micay
70cccd1e21 add IPv6 address from our /48 announced from Vultr 2025-11-11 03:39:21 -05:00
Daniel Micay
c4b5da59d5 nftables: ns1: add fq priority configuration 2025-11-11 03:39:21 -05:00
Daniel Micay
77795f92f6 replace 1.ns1.grapheneos.org server with sea.ns1.grapheneos.org 2025-11-11 03:39:21 -05:00
Daniel Micay
396086759b add lax.ns1.grapheneos.org server 2025-11-10 04:04:21 -05:00
Daniel Micay
72e3a980aa replace 0.ns1.grapheneos.org server with nyc.ns1.grapheneos.org 2025-11-09 23:20:09 -05:00
Daniel Micay
fa9e6de004 add mia.ns1.grapheneos.org server 2025-11-09 18:57:21 -05:00
Daniel Micay
8c57177aef deploy-initial-vps: handle mkinitcpio.conf split 2025-11-09 17:55:16 -05:00
Daniel Micay
cae80e26ab deploy-initial-vps: update Arch ISO image version 2025-11-09 17:55:12 -05:00
Daniel Micay
a76f259c23 certbot: add nominatim.staging.grapheneos.org 2025-11-08 23:28:40 -05:00
Daniel Micay
3b5589f117 certbot: rename 0.grapheneos.org to bhs0.grapheneos.org 2025-11-08 23:19:37 -05:00
Daniel Micay
c808621659 syslog-ng: add receive timestamps to nginx logs
Since nginx only uses 1 second precision for the error logs and syslog
timestamps, we can use receive time on the syslog-ng side. We can switch
to source time once nginx adds RFC 5424 support which is currently in an
open pull request but will likely require changes to add a configuration
option for it. Our approach to working around this within nginx doesn't
work perfectly since $msec generates the time on-demand separately from
the timestamp used by $time_iso8601.
2025-11-08 14:56:27 -05:00
Daniel Micay
c9fae6c345 syslog-ng: split nginx configuration into conf.d 2025-11-08 13:44:52 -05:00
Daniel Micay
3682298d01 syslog-ng: raise frac-digits to 3 2025-11-08 02:41:34 -05:00
Daniel Micay
a05232d2f6 add syslog-ng include directory 2025-11-08 01:41:56 -05:00
Daniel Micay
fa03067604 add script for checking reverse DNS 2025-11-07 23:51:33 -05:00
Daniel Micay
c15a09758b update lax.releases.grapheneos.org IPv6 address 2025-11-07 23:51:17 -05:00
Daniel Micay
459455286d use journald reload support added in systemd 258 2025-11-07 23:23:09 -05:00
Daniel Micay
4a5e91de42 count: handle nginx logs being done with syslog-ng 2025-11-07 21:56:47 -05:00
Daniel Micay
c3d7324536 certbot: merge 0.grapheneos.network into 0.grapheneos.org 2025-11-06 22:44:58 -05:00
Daniel Micay
7551794b6c grapheneos.org: switch to location-based server names 2025-11-06 22:44:33 -05:00
Daniel Micay
0195d84f25 add missing reserved ports entries for unbound 2025-11-06 22:06:47 -05:00
Daniel Micay
3c248a9bd0 add deploy-hostname script 2025-11-06 19:54:19 -05:00
Daniel Micay
ddc56da224 new naming convention for staging server hostnames 2025-11-06 19:54:09 -05:00
Daniel Micay
9e6b18e3b2 ns2.grapheneos.org: switch to location-based server names 2025-11-06 19:27:39 -05:00
Daniel Micay
2cf774ca19 releases.grapheneos.org: switch to location-based server names 2025-11-06 19:01:50 -05:00
Daniel Micay
99b32fe4a9 grapheneos.social: switch to Node.js 24 LTS 2025-11-06 11:59:13 -05:00
Daniel Micay
cb8701e6d7 nftables: style fix 2025-11-06 11:59:13 -05:00
Daniel Micay
bafb23d0ec deploy-bootloader: deploy systemd-boot-update.service.d 2025-11-06 11:59:13 -05:00
Daniel Micay
63b6247438 drop unnecessary inclusion of / in fstab 2025-11-06 11:59:13 -05:00
Daniel Micay
40351149bb add mkinitcpio.conf for servers with mdraid 2025-11-06 11:59:13 -05:00
Daniel Micay
a999a00c88 split metal and mdraid server types 2025-11-06 11:59:13 -05:00
Daniel Micay
76b88bbffa update mkinitcpio.conf 2025-11-06 11:59:13 -05:00
Daniel Micay
c9b84fdb79 logrotate: use better size+time rotation approach 2025-11-06 11:58:40 -05:00
Daniel Micay
5f2e4a45c3 logrotate: preserve existing file owner/group/mode
wtmp and btmp are reliably created by systemd at boot with the proper
permissions which also means missingok can be dropped.
2025-11-05 23:45:10 -05:00
Daniel Micay
eeb00c5bda logrotate: default to delayed compression with opt-in to no delay 2025-11-05 23:32:48 -05:00
Daniel Micay
04722cdd95 Revert "remove obsolete nvim tmpfiles.d configuration"
This reverts commit 2967eb02d7.
2025-11-05 20:24:57 -05:00
Daniel Micay
a0563b249b ssh: use AcceptEnv for COLORTERM 2025-11-05 20:23:39 -05:00
Daniel Micay
2b90bbc50a journald: reconfigure based on nginx logging split 2025-11-04 14:15:44 -05:00
Daniel Micay
9a864106d7 deploy-bootloader: no need to source ssh.sh 2025-11-04 14:03:21 -05:00
Daniel Micay
8af52e3498 journald: revert back to default SystemMaxFiles
This was raised to 10000 to work around 2 separate journald bugs causing
premature rotation which have been resolved for a long time.
2025-11-04 13:45:16 -05:00
Daniel Micay
7f0982f9d7 journald: disable ForwardToWall 2025-11-04 11:51:00 -05:00
Daniel Micay
2b9a6f4c59 disable TCP Fast Open for 3.releases.grapheneos.org
It currently causes issues with the TCP synproxy filter we may want to
use to mitigate DDoS attacks.
2025-11-04 11:27:25 -05:00
Daniel Micay
f1ff8ac931 phase out 2.releases.grapheneos.org 2025-11-04 11:19:13 -05:00
Daniel Micay
8697cf2a2d switch back to unified journald rotation/retention
Since we're no longer storing nginx logs in journald, we no longer need
to use journald configuration to control nginx log rotation/retention.

We switched from nginx to dnsdist for the authoritative DNS servers and
are therefore no longer logging any of the queries persistently since we
can rely on the PowerDNS and dnsdist in-memory buffers and stats.

We can use nginx-specific logrotate configuration on a per-server basis
based on balancing the usefulness of access logs with storage space and
getting rid of slightly sensitive data faster (mainly IP addresses).
2025-11-03 20:03:59 -05:00