Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2024-12-22 13:45:02 -05:00
Code Issues Packages Projects Releases Wiki Activity
469 Commits 1 Branch 0 Tags 1.9 MiB
84b2193808
Commit Graph

469 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Daniel Micay
84b2193808 switch to noswap tmpfs from ramfs for session ticket keys 2024-06-28 12:44:31 -04:00
Daniel Micay
ba2540c3fe add directory for home directory files 2024-06-27 10:13:15 -04:00
Tommy
6fc45525d9 Add NoNewPrivileges=true for certbot 2024-06-24 11:55:59 -04:00
Tommy
55221c8e44 Sort NGINX override alphabetically 
Everything is already sorted alphabetically, but for some reason NoNewPrivileges is above MemoryDenyWriteExecute
 2024-06-24 11:36:36 -04:00
Tommy
0e4d94e550 Remove redundant PrivateTmp=true 2024-06-24 11:18:11 -04:00
Daniel Micay
4382120e37 set umask for encrypted swapfile creation 2024-06-21 22:36:27 -04:00
Daniel Micay
597f534d63 increase journal file size for 3.grapheneos.network 2024-06-21 16:51:36 -04:00
Daniel Micay
f7643fa8b7 reorder initial deployment 2024-06-19 11:54:08 -04:00
Daniel Micay
4c52595bfd drop unmodified hosts file 2024-06-19 11:49:13 -04:00
Daniel Micay
54181d3031 increase journal size for update servers 2024-06-19 11:42:42 -04:00
Daniel Micay
65e2b8b109 increase journal size for network servers 2024-06-19 11:38:22 -04:00
Daniel Micay
1dc26ba006 add VerifyHostKeyDNS ask to ssh_config 2024-06-18 14:25:16 -04:00
Daniel Micay
4475df98a4 deploy nftables rules in deploy-initial 2024-06-18 14:15:19 -04:00
Daniel Micay
f40a017ec3 add nftables configuration mapping to hosts.sh 2024-06-18 13:55:18 -04:00
Daniel Micay
662a2d3522 update configuration for systemd 256 2024-06-18 13:16:03 -04:00
Daniel Micay
54490cf662 update python dependencies 2024-06-17 23:52:00 -04:00
Daniel Micay
d103f6cdf3 simplify deployment script usage 2024-06-17 18:29:28 -04:00
Daniel Micay
750cd5e985 replace urandom with random 
These both use the same CSPRNG on modern kernels, but random waits for
CSPRNG initialization instead of only attempting to initialize it.
 2024-06-17 15:04:13 -04:00
Daniel Micay
ce1fef8c0e use per-server package list for deploy-initial 2024-06-17 15:00:36 -04:00
Daniel Micay
73a88e36ad replace 3.grapheneos.org and 3.grapheneos.network 2024-06-15 14:02:29 -04:00
Daniel Micay
55e7cadc02 update deploy-initial image version 2024-06-15 13:36:29 -04:00
Daniel Micay
7a78e3bd07 count: add akita 2024-06-11 22:56:05 -04:00
Daniel Micay
aefa91830e update python dependencies 2024-06-08 14:34:08 -04:00
Daniel Micay
8e9fe48605 update python dependencies 2024-06-06 00:26:45 -04:00
Daniel Micay
1ed92eb04c short ISRG Root X1 chain is now the default 2024-06-04 13:26:50 -04:00
Daniel Micay
aacde289bf add postfix-pcre package to mail.grapheneos.org 2024-05-30 12:12:05 -04:00
Daniel Micay
59e15db025 update python dependencies 2024-05-30 10:32:19 -04:00
Daniel Micay
f837b81bbd replace obsolete python-postfix-policyd-spf with python-spf-engine 2024-05-29 22:32:33 -04:00
Daniel Micay
d77a7b2cff drop python-pydantic workaround 
This was added as a dependency for matrix-synapse.
 2024-05-24 15:43:08 -04:00
Daniel Micay
e1f968617b replace sshpass with swiftclient for backups 2024-05-24 15:35:04 -04:00
Daniel Micay
f1d388e5c9 add list of hosts using automated backups 2024-05-24 15:34:16 -04:00
Daniel Micay
a2758fe665 update python dependencies 2024-05-24 15:33:27 -04:00
Daniel Micay
39a48e6585 update python dependencies 2024-05-21 13:38:50 -04:00
Daniel Micay
38dc2fb4d2 add samsung.psds.grapheneos.org subdomain 2024-05-15 14:36:26 -04:00
Daniel Micay
3b1c43d29f update requirements.txt 2024-04-30 12:32:40 -04:00
Daniel Micay
f9425e3ebd reduce conntrack UDP timeouts 
This only applies to outbound NTP requests since we use notrack for our
UDP services and DNS-over-TLS for our local resolver. We'd have no need
for longer timeouts even if that wasn't the case.
 2024-04-30 12:13:02 -04:00
Daniel Micay
6dbc014f4b set conntrack expectation table to minimum size 2024-04-27 12:48:21 -04:00
Daniel Micay
a067120a49 downgrade to supported nodejs LTS branch for mjolnir 2024-04-27 09:48:20 -04:00
Daniel Micay
ba79d80b52 raise burst value for synproxy threshold 2024-04-26 16:30:49 -04:00
Daniel Micay
c99b8d0b47 nftables: use default drop in prerouting-raw table 2024-04-26 10:42:45 -04:00
Daniel Micay
bab3f0c14a disable IPv4-mapped IPv6 addresses by default 2024-04-25 10:38:54 -04:00
Daniel Micay
2c2943cc3e override default conntrack table size 2024-04-25 01:59:35 -04:00
Daniel Micay
fb40773157 reduce conntrack TCP TIME-WAIT timeout to match TCP stack 2024-04-24 21:12:12 -04:00
Daniel Micay
82cc1beccb remove unused SYN backlog configuration 
This isn't used anymore despite inaccurate kernel configuration
documentation. The SYN_RECV queue is set based on the backlog value
just like the separate accept queue for established connections.
 2024-04-24 18:58:41 -04:00
Daniel Micay
f3ae109eac reduce conntrack SYN timeouts to match TCP/IP stack 2024-04-24 10:45:02 -04:00
Daniel Micay
ee62868a7b nftables: use standard order for verdict map 2024-04-23 03:30:15 -04:00
Daniel Micay
965bc4f951 nftables: add invalid case to ct state vmap 
This might as well be dropped by the verdict map instead of falling
through to the default drop policy.
 2024-04-23 02:38:40 -04:00
Daniel Micay
5ba6cbd3d1 nftables: simplify rules via untracked state 2024-04-23 02:34:17 -04:00
Daniel Micay
d369f159a9 add nmap package across servers mainly for nping 
It's extremely useful to have this around for debugging network issues,
testing firewall rules and other purposes. It's not particularly useful
having nmap itself, but nping and to a lesser extent ncat are great to
have available.
 2024-04-22 10:43:11 -04:00
Daniel Micay
9f99e9c3a5 drop whois package from discuss.grapheneos.org 
There's no particular reason to have this on the servers since it can be
done locally.
 2024-04-22 10:38:28 -04:00