Daniel Micay
73a88e36ad
replace 3.grapheneos.org and 3.grapheneos.network
2024-06-15 14:02:29 -04:00
Daniel Micay
55e7cadc02
update deploy-initial image version
2024-06-15 13:36:29 -04:00
Daniel Micay
7a78e3bd07
count: add akita
2024-06-11 22:56:05 -04:00
Daniel Micay
aefa91830e
update python dependencies
2024-06-08 14:34:08 -04:00
Daniel Micay
8e9fe48605
update python dependencies
2024-06-06 00:26:45 -04:00
Daniel Micay
1ed92eb04c
short ISRG Root X1 chain is now the default
2024-06-04 13:26:50 -04:00
Daniel Micay
aacde289bf
add postfix-pcre package to mail.grapheneos.org
2024-05-30 12:12:05 -04:00
Daniel Micay
59e15db025
update python dependencies
2024-05-30 10:32:19 -04:00
Daniel Micay
f837b81bbd
replace obsolete python-postfix-policyd-spf with python-spf-engine
2024-05-29 22:32:33 -04:00
Daniel Micay
d77a7b2cff
drop python-pydantic workaround
This was added as a dependency for matrix-synapse.
2024-05-24 15:43:08 -04:00
Daniel Micay
e1f968617b
replace sshpass with swiftclient for backups
2024-05-24 15:35:04 -04:00
Daniel Micay
f1d388e5c9
add list of hosts using automated backups
2024-05-24 15:34:16 -04:00
Daniel Micay
a2758fe665
update python dependencies
2024-05-24 15:33:27 -04:00
Daniel Micay
39a48e6585
update python dependencies
2024-05-21 13:38:50 -04:00
Daniel Micay
38dc2fb4d2
add samsung.psds.grapheneos.org subdomain
2024-05-15 14:36:26 -04:00
Daniel Micay
3b1c43d29f
update requirements.txt
2024-04-30 12:32:40 -04:00
Daniel Micay
f9425e3ebd
reduce conntrack UDP timeouts
This only applies to outbound NTP requests since we use notrack for our
UDP services and DNS-over-TLS for our local resolver. We'd have no need
for longer timeouts even if that wasn't the case.
2024-04-30 12:13:02 -04:00
Daniel Micay
6dbc014f4b
set conntrack expectation table to minimum size
2024-04-27 12:48:21 -04:00
Daniel Micay
a067120a49
downgrade to supported nodejs LTS branch for mjolnir
2024-04-27 09:48:20 -04:00
Daniel Micay
ba79d80b52
raise burst value for synproxy threshold
2024-04-26 16:30:49 -04:00
Daniel Micay
c99b8d0b47
nftables: use default drop in prerouting-raw table
2024-04-26 10:42:45 -04:00
Daniel Micay
bab3f0c14a
disable IPv4-mapped IPv6 addresses by default
2024-04-25 10:38:54 -04:00
Daniel Micay
2c2943cc3e
override default conntrack table size
2024-04-25 01:59:35 -04:00
Daniel Micay
fb40773157
reduce conntrack TCP TIME-WAIT timeout to match TCP stack
2024-04-24 21:12:12 -04:00
Daniel Micay
82cc1beccb
remove unused SYN backlog configuration
This isn't used anymore despite inaccurate kernel configuration
documentation. The SYN_RECV queue is set based on the backlog value
just like the separate accept queue for established connections.
2024-04-24 18:58:41 -04:00
Daniel Micay
f3ae109eac
reduce conntrack SYN timeouts to match TCP/IP stack
2024-04-24 10:45:02 -04:00
Daniel Micay
ee62868a7b
nftables: use standard order for verdict map
2024-04-23 03:30:15 -04:00
Daniel Micay
965bc4f951
nftables: add invalid case to ct state vmap
This might as well be dropped by the verdict map instead of falling
through to the default drop policy.
2024-04-23 02:38:40 -04:00
Daniel Micay
5ba6cbd3d1
nftables: simplify rules via untracked state
2024-04-23 02:34:17 -04:00
Daniel Micay
d369f159a9
add nmap package across servers mainly for nping
It's extremely useful to have this around for debugging network issues,
testing firewall rules and other purposes. It's not particularly useful
having nmap itself, but nping and to a lesser extent ncat are great to
have available.
2024-04-22 10:43:11 -04:00
Daniel Micay
9f99e9c3a5
drop whois package from discuss.grapheneos.org
There's no particular reason to have this on the servers since it can be
done locally.
2024-04-22 10:38:28 -04:00
Daniel Micay
398acc6fe8
nftables: drop instead of reject for unused ports
This provides consistency with DDoS protection services placed in front
of the services rather than the behavior changing based on whether DDoS
protection is active. This doesn't help with protecting against attacks
since they'll almost always be targeting ports with services active or
exhausting inbound bandwidth via UDP reflection attacks. This appears to
be the standard approach used by most large tech companies.
2024-04-19 13:54:12 -04:00
Daniel Micay
b17b2f3fd3
nftables: add define for ns2.grapheneos.org anycast IP
2024-04-18 10:45:53 -04:00
Daniel Micay
741ea728ea
nftables: move output skuid checks to raw phase
This is a minor simplification and also a minor optimization.
2024-04-17 15:28:16 -04:00
Daniel Micay
7782c861cb
nftables: reorder rule for rejecting SSH via anycast
2024-04-15 23:54:17 -04:00
Daniel Micay
8caa777e11
add connection limit allowlist for mail server
2024-04-15 23:21:26 -04:00
Daniel Micay
dade50c832
nftables: drop unnecessary ssh localhost allowlist
2024-04-15 22:38:36 -04:00
Daniel Micay
9f84c50869
force DMARC enforcement for gmail.com
2024-04-15 11:42:03 -04:00
Daniel Micay
8278883a84
add grapheneos.foundation domain
2024-04-13 19:18:03 -04:00
Daniel Micay
8a4e4f334f
reorder configuration
2024-04-13 18:20:14 -04:00
Daniel Micay
56f169cbba
increase max TCP send buffer size for matrix server
2024-04-13 18:20:12 -04:00
Daniel Micay
35e776f867
increase max TCP send buffer size for update servers
2024-04-13 14:27:31 -04:00
Daniel Micay
711e432a67
remove unnecessary local-reserved-ports.conf template
2024-04-13 14:17:23 -04:00
Daniel Micay
f9bce64060
enable TCP window shrinking
The default is a potential denial of service issue via TCP memory
exhaustion.
2024-04-13 13:52:08 -04:00
Daniel Micay
6a325f8798
update python dependencies
2024-04-12 21:33:35 -04:00
Daniel Micay
bd6f127acf
move nftables configuration to a directory
2024-04-12 21:33:35 -04:00
Daniel Micay
c412fec336
simplify rate limited synproxy bypass
2024-04-12 21:33:33 -04:00
Daniel Micay
ca35fcc648
add python-pydantic package for matrix.grapheneos.org
2024-04-11 22:45:55 -04:00
Daniel Micay
b928b197b0
nftables: add comments explaining adding to connlimit sets
2024-04-11 15:59:07 -04:00
Daniel Micay
edbf50a3da
nftables: rename tcp service chains
2024-04-11 11:59:27 -04:00