Daniel Micay
88692df381
dd nftables rules for grapheneos.social
2022-12-25 18:54:08 -05:00
Daniel Micay
34627b993a
switch to default mkinitcpio.conf
...
We no longer make any changes to this configuration and are unlikely to
need any.
2022-12-14 05:10:51 -05:00
Daniel Micay
01f0b498cf
add additional gitignore entries
2022-12-13 13:12:23 -05:00
Daniel Micay
3ea5a14b2f
drop floating IPs for DNS servers
2022-11-30 19:23:18 -05:00
Daniel Micay
91e36044ca
drop floating IPs for release servers
2022-11-29 02:26:51 -05:00
Daniel Micay
9f1ba5f2a5
drop floating IPs for website servers
2022-11-29 02:07:56 -05:00
Daniel Micay
3354bcb34d
drop floating IPs for network servers
2022-11-29 02:07:05 -05:00
Daniel Micay
ace45c7d5c
drop floating IP for attestation server
2022-11-29 01:39:15 -05:00
Daniel Micay
9929542f43
drop floating IP for forum server
2022-11-29 01:27:01 -05:00
Daniel Micay
38414a8313
drop floating IP for Matrix server
2022-11-29 01:26:31 -05:00
Daniel Micay
0aff07f884
add grapheneos.social network configuration
2022-11-27 01:41:42 -05:00
Daniel Micay
08da28f7b5
drop floating IPs for staging servers
2022-11-27 00:08:29 -05:00
Daniel Micay
7b3111deb6
update grub configuration
2022-11-16 22:49:10 -05:00
Daniel Micay
b996f5586f
update systemd/system.conf
2022-11-10 17:09:19 -05:00
Daniel Micay
7a4ace53f7
disable less history by default for login sessions
2022-10-26 04:35:23 -04:00
Daniel Micay
224b1ae5d3
pam configuration now matches the package defaults
2022-10-21 21:48:35 -04:00
Daniel Micay
b93695ecc4
add encrypted swapfile configuration
2022-09-26 23:01:44 -04:00
Daniel Micay
36423fb2bc
auto-restart nginx if master process is killed
...
nginx handles restarting workers automatically but the master process
is typically killed by the OOM killer too.
2022-09-26 16:45:15 -04:00
Daniel Micay
320ad2e3a8
replace tmpfiles.d with RuntimeDirectory for nginx
...
This is much more robust because nginx will fail to start after being
killed or crashing due to only removing old Unix domain sockets when it
stops cleanly. It ends up owned by root:root instead of root:http which
is fine because only the master process opens it.
2022-09-26 16:43:17 -04:00
Daniel Micay
88d8e37233
rename nginx service hardening.conf to local.conf
2022-09-26 14:04:45 -04:00
Daniel Micay
62a71c7600
drop obsolete nginx logrotate configuration
2022-09-25 14:23:01 -04:00
Daniel Micay
966100eb9f
vm.max_map_count to 1048576
2022-09-25 07:48:50 -04:00
Daniel Micay
3d5f437ec7
allow unbound to use more outbound ports
2022-09-22 13:41:47 -04:00
Daniel Micay
f3fb90859a
simplify mirrorlist
2022-09-15 23:13:28 -04:00
Daniel Micay
dfd3fc861b
avoid disallowing chown syscall for certbot-renew
2022-09-14 18:29:12 -04:00
Daniel Micay
6c58739dc8
remove PowerDNS for unbound nftables allowlist
...
The unnecessary security polling has been disabled so it doesn't need
this anymore.
2022-09-10 18:11:58 -04:00
Daniel Micay
9a69263f6b
switch to floating IPv4 addresses for staging
2022-09-10 04:36:49 -04:00
Daniel Micay
bcd14b805b
blacklist legacy ip_tables module
2022-08-31 05:19:40 -04:00
Daniel Micay
337647c5a9
add cfg80211 to module blacklist to silence error
2022-08-31 04:34:35 -04:00
Daniel Micay
9939dbc67b
use production time.nl hostname
2022-08-30 14:51:44 -04:00
Daniel Micay
9708449087
use anycast hostname for netnod.se
2022-08-30 14:48:55 -04:00
Daniel Micay
5461b3f05b
raise tcp_max_syn_backlog to 65536
2022-08-28 15:54:11 -04:00
Daniel Micay
ef1a26b68c
certbot-renew: make nginx ocsp-cache dir optional
2022-08-28 15:46:33 -04:00
Daniel Micay
89064482ed
update pacman mirrorlist
2022-08-28 15:03:00 -04:00
Daniel Micay
fd397326ec
add chown to certbot syscall allowlist
2022-08-28 14:58:21 -04:00
Daniel Micay
8482ac5144
give certbot access to /etc/nginx/ocsp-cache
2022-08-27 17:22:23 -04:00
Daniel Micay
2cf0966847
properly override ExecStart
2022-08-27 17:19:42 -04:00
Daniel Micay
256c3652cc
disable unused binfmt_misc
2022-08-14 13:46:00 -04:00
Daniel Micay
f829e05134
raise discuss.grapheneos.org to 500M bandwidth cap
2022-08-11 11:44:22 -04:00
Daniel Micay
2a33c3b962
initial certbot-renew service hardening
...
This doesn't switch to using a dedicated certbot user yet since the
hooks used across the services will all still need to work.
2022-08-10 11:32:48 -04:00
Daniel Micay
5bbaecfce9
disable redundant random sleep for certbot renewal
2022-08-10 11:28:18 -04:00
Daniel Micay
07dca7919d
reorder network allowlists for consistency
2022-08-10 11:13:31 -04:00
Daniel Micay
afce4f2a51
limit nginx service capabilities
...
Running nginx as non-root would be possible via CAP_NET_BIND_SERVICE as
an ambient capability but it would be inherited by workers. It's better
to leave the supervisor process as root for the time being unless nginx
was taught to use socket activation or drop capabilities for workers.
2022-08-10 11:12:20 -04:00
Daniel Micay
ca7c036e8c
sort nginx hardening.conf options
2022-08-10 11:12:20 -04:00
Daniel Micay
7332d93575
update base systemd/sleep.conf
2022-08-10 05:31:31 -04:00
Daniel Micay
316561389c
extend nginx service hardening
2022-08-09 04:55:10 -04:00
Daniel Micay
74933df9cc
set preempt=none for PREEMPT_DYNAMIC kernels
2022-08-07 19:26:29 -04:00
Daniel Micay
d7323bacba
set lockdown to confidentiality mode
2022-08-01 01:47:22 -04:00
Daniel Micay
01791fdcd3
configure CAKE via systemd-networkd
2022-07-27 20:56:14 -04:00
Daniel Micay
2ff883f37f
add systemd-network configurations
2022-07-27 15:40:10 -04:00