Daniel Micay
5b82f11b25
nftables: ns1: add fq priority configuration
2025-11-21 11:31:48 -05:00
Daniel Micay
5256f2e4a4
replace 1.ns1.grapheneos.org server with sea.ns1.grapheneos.org
2025-11-21 11:31:48 -05:00
Daniel Micay
f95fa51821
add lax.ns1.grapheneos.org server
2025-11-21 11:31:48 -05:00
Daniel Micay
951662aeca
replace 0.ns1.grapheneos.org server with nyc.ns1.grapheneos.org
2025-11-21 11:31:48 -05:00
Daniel Micay
4aba8d355a
add mia.ns1.grapheneos.org server
2025-11-21 11:31:48 -05:00
Daniel Micay
f0682a9aa2
deploy-initial-vps: handle mkinitcpio.conf split
2025-11-21 11:31:48 -05:00
Daniel Micay
cc83000202
deploy-initial-vps: update Arch ISO image version
2025-11-21 11:31:48 -05:00
Daniel Micay
e78433dbf8
certbot: add nominatim.staging.grapheneos.org
2025-11-21 11:31:48 -05:00
Daniel Micay
d0751e07c6
certbot: rename 0.grapheneos.org to bhs0.grapheneos.org
2025-11-21 11:31:48 -05:00
Daniel Micay
b80f10f396
syslog-ng: add receive timestamps to nginx logs
Since nginx only uses 1 second precision for the error logs and syslog
timestamps, we can use receive time on the syslog-ng side. We can switch
to source time once nginx adds RFC 5424 support which is currently in an
open pull request but will likely require changes to add a configuration
option for it. Our approach to working around this within nginx doesn't
work perfectly since $msec generates the time on-demand separately from
the timestamp used by $time_iso8601.
2025-11-21 11:31:48 -05:00
Daniel Micay
a45b8ada72
syslog-ng: split nginx configuration into conf.d
2025-11-21 11:31:48 -05:00
Daniel Micay
7a5535973b
syslog-ng: raise frac-digits to 3
2025-11-21 11:31:48 -05:00
Daniel Micay
a511902b90
add syslog-ng include directory
2025-11-21 11:31:48 -05:00
Daniel Micay
ce4fe06d6a
add script for checking reverse DNS
2025-11-21 11:31:48 -05:00
Daniel Micay
f36aa981cd
update lax.releases.grapheneos.org IPv6 address
2025-11-21 11:31:48 -05:00
Daniel Micay
6e728a885c
use journald reload support added in systemd 258
2025-11-21 11:31:48 -05:00
Daniel Micay
51d23a1736
count: handle nginx logs being done with syslog-ng
2025-11-21 11:31:48 -05:00
Daniel Micay
5fe719250b
certbot: merge 0.grapheneos.network into 0.grapheneos.org
2025-11-21 11:31:48 -05:00
Daniel Micay
ebd44c9253
grapheneos.org: switch to location-based server names
2025-11-21 11:31:48 -05:00
Daniel Micay
3a720695c6
add missing reserved ports entries for unbound
2025-11-21 11:31:48 -05:00
Daniel Micay
5f5c590bbc
add deploy-hostname script
2025-11-21 11:31:48 -05:00
Daniel Micay
37809b12ad
new naming convention for staging server hostnames
2025-11-21 11:31:48 -05:00
Daniel Micay
e3bcb9e87f
ns2.grapheneos.org: switch to location-based server names
2025-11-21 11:31:48 -05:00
Daniel Micay
93e1d3866b
releases.grapheneos.org: switch to location-based server names
2025-11-21 11:31:48 -05:00
Daniel Micay
c354823e2e
grapheneos.social: switch to Node.js 24 LTS
2025-11-21 03:46:12 -05:00
Daniel Micay
89686dc1a0
nftables: style fix
2025-11-21 03:46:12 -05:00
Daniel Micay
f24f557736
deploy-bootloader: deploy systemd-boot-update.service.d
2025-11-21 03:46:12 -05:00
Daniel Micay
6c8ddbe012
drop unnecessary inclusion of / in fstab
2025-11-21 03:46:12 -05:00
Daniel Micay
1427e0c7c4
add mkinitcpio.conf for servers with mdraid
2025-11-21 03:46:12 -05:00
Daniel Micay
50729cadb9
split metal and mdraid server types
2025-11-21 03:46:07 -05:00
Daniel Micay
76b88bbffa
update mkinitcpio.conf
2025-11-06 11:59:13 -05:00
Daniel Micay
c9b84fdb79
logrotate: use better size+time rotation approach
2025-11-06 11:58:40 -05:00
Daniel Micay
5f2e4a45c3
logrotate: preserve existing file owner/group/mode
wtmp and btmp are reliably created by systemd at boot with the proper
permissions which also means missingok can be dropped.
2025-11-05 23:45:10 -05:00
Daniel Micay
eeb00c5bda
logrotate: default to delayed compression with opt-in to no delay
2025-11-05 23:32:48 -05:00
Daniel Micay
04722cdd95
Revert "remove obsolete nvim tmpfiles.d configuration"
This reverts commit 2967eb02d7.
2025-11-05 20:24:57 -05:00
Daniel Micay
a0563b249b
ssh: use AcceptEnv for COLORTERM
2025-11-05 20:23:39 -05:00
Daniel Micay
2b90bbc50a
journald: reconfigure based on nginx logging split
2025-11-04 14:15:44 -05:00
Daniel Micay
9a864106d7
deploy-bootloader: no need to source ssh.sh
2025-11-04 14:03:21 -05:00
Daniel Micay
8af52e3498
journald: revert back to default SystemMaxFiles
This was raised to 10000 to work around 2 separate journald bugs causing
premature rotation which have been resolved for a long time.
2025-11-04 13:45:16 -05:00
Daniel Micay
7f0982f9d7
journald: disable ForwardToWall
2025-11-04 11:51:00 -05:00
Daniel Micay
2b9a6f4c59
disable TCP Fast Open for 3.releases.grapheneos.org
It currently causes issues with the TCP synproxy filter we may want to
use to mitigate DDoS attacks.
2025-11-04 11:27:25 -05:00
Daniel Micay
f1ff8ac931
phase out 2.releases.grapheneos.org
2025-11-04 11:19:13 -05:00
Daniel Micay
8697cf2a2d
switch back to unified journald rotation/retention
Since we're no longer storing nginx logs in journald, we no longer need
to use journald configuration to control nginx log rotation/retention.
We switched from nginx to dnsdist for the authoritative DNS servers and
are therefore no longer logging any of the queries persistently since we
can rely on the PowerDNS and dnsdist in-memory buffers and stats.
We can use nginx-specific logrotate configuration on a per-server basis
based on balancing the usefulness of access logs with storage space and
getting rid of slightly sensitive data faster (mainly IP addresses).
2025-11-03 20:03:59 -05:00
Daniel Micay
9d68a079db
logrotate: use specific log file paths
This avoids ending up with the glob path in the logrotate state file
when nothing matches the glob pattern.
2025-11-03 12:54:18 -05:00
Daniel Micay
39b6de58dd
syslog-ng: add socket for nginx error logs
The error log is fairly quiet during regular use but can end up logging
one or more lines per request during DDoS attacks. Errors are logged for
worker_connections depletion and limit_conn rejections. There's also
currently an nginx bug with modern TLS and OpenSSL causing some client
side TLS errors to be logged as crit instead of info.
2025-11-03 12:53:24 -05:00
Daniel Micay
386d332aaf
remove unused logrotate configurations
2025-11-03 00:33:30 -05:00
Daniel Micay
ca20c421a5
deploy-certbot: avoid syncing replicate.conf
2025-11-03 00:33:30 -05:00
Daniel Micay
934c5dbd53
logrotate: remove notifempty for nginx
2025-11-03 00:33:30 -05:00
Daniel Micay
b61c76c324
logrotate: remove nocreate for letsencrypt
2025-11-03 00:33:30 -05:00
Daniel Micay
cee00863e3
update servers haven't been on OVH for a while
2025-11-03 00:33:30 -05:00