Commit Graph

108 Commits

Author  SHA1  Message  Date
Daniel Micay  9a69263f6b  switch to floating IPv4 addresses for staging  2022-09-10 04:36:49 -04:00
Daniel Micay  bcd14b805b  blacklist legacy ip_tables module  2022-08-31 05:19:40 -04:00
Daniel Micay  337647c5a9  add cfg80211 to module blacklist to silence error  2022-08-31 04:34:35 -04:00
Daniel Micay  9939dbc67b  use production time.nl hostname  2022-08-30 14:51:44 -04:00
Daniel Micay  9708449087  use anycast hostname for netnod.se  2022-08-30 14:48:55 -04:00
Daniel Micay  5461b3f05b  raise tcp_max_syn_backlog to 65536  2022-08-28 15:54:11 -04:00
Daniel Micay  ef1a26b68c  certbot-renew: make nginx ocsp-cache dir optional  2022-08-28 15:46:33 -04:00
Daniel Micay  89064482ed  update pacman mirrorlist  2022-08-28 15:03:00 -04:00
Daniel Micay  fd397326ec  add chown to certbot syscall allowlist  2022-08-28 14:58:21 -04:00
Daniel Micay  8482ac5144  give certbot access to /etc/nginx/ocsp-cache  2022-08-27 17:22:23 -04:00
Daniel Micay  2cf0966847  properly override ExecStart  2022-08-27 17:19:42 -04:00
Daniel Micay  256c3652cc  disable unused binfmt_misc  2022-08-14 13:46:00 -04:00
Daniel Micay  f829e05134  raise discuss.grapheneos.org to 500M bandwidth cap  2022-08-11 11:44:22 -04:00
Daniel Micay  2a33c3b962  initial certbot-renew service hardening  2022-08-10 11:32:48 -04:00
    This doesn't switch to using a dedicated certbot user yet since the
    hooks used across the services will all still need to work.
Daniel Micay  5bbaecfce9  disable redundant random sleep for certbot renewal  2022-08-10 11:28:18 -04:00
Daniel Micay  07dca7919d  reorder network allowlists for consistency  2022-08-10 11:13:31 -04:00
Daniel Micay  afce4f2a51  limit nginx service capabilities  2022-08-10 11:12:20 -04:00
    Running nginx as non-root would be possible via CAP_NET_BIND_SERVICE as
    an ambient capability but it would be inherited by workers. It's better
    to leave the supervisor process as root for the time being unless nginx
    was taught to use socket activation or drop capabilities for workers.
Daniel Micay  ca7c036e8c  sort nginx hardening.conf options  2022-08-10 11:12:20 -04:00
Daniel Micay  7332d93575  update base systemd/sleep.conf  2022-08-10 05:31:31 -04:00
Daniel Micay  316561389c  extend nginx service hardening  2022-08-09 04:55:10 -04:00
Daniel Micay  74933df9cc  set preempt=none for PREEMPT_DYNAMIC kernels  2022-08-07 19:26:29 -04:00
Daniel Micay  d7323bacba  set lockdown to confidentiality mode  2022-08-01 01:47:22 -04:00
Daniel Micay  01791fdcd3  configure CAKE via systemd-networkd  2022-07-27 20:56:14 -04:00
Daniel Micay  2ff883f37f  add systemd-network configurations  2022-07-27 15:40:10 -04:00
Daniel Micay  953420e7a3  disable systemd sleep support  2022-07-27 14:47:48 -04:00
Daniel Micay  45f6f63cc0  Revert "hard-wire ext4 as the only initramfs filesystem"  2022-07-27 02:47:20 -04:00
    This reverts commit 73a78746f1.
Daniel Micay  97ad3e7810  unbound: disable unnecessary id/version queries  2022-07-27 02:38:34 -04:00
Daniel Micay  16b58ea6e4  enable strict QNAME minimisation  2022-07-27 02:30:53 -04:00
Daniel Micay  91de1aea2f  add packages, modules and logs to gitignore  2022-07-27 02:16:04 -04:00
Daniel Micay  e90ae84627  ignore all tmp files in gitignore  2022-07-27 02:15:14 -04:00
Daniel Micay  54b52a3655  use dedicated geoipupdate user  2022-07-26 23:09:06 -04:00
Daniel Micay  6081f9fa73  allow synapse to connect to nginx via loopback  2022-07-26 19:30:33 -04:00
    For an unknown reason, synapse occasionally tries to connect to
    matrix.grapheneos.org which ends up being routed via the loopback
    interface. For now, allow this to avoid rejected packets.
Daniel Micay  984d0f200f  nftables: implement loopback access control  2022-07-25 20:47:29 -04:00
Daniel Micay  a68a456778  update mirrorlist  2022-07-25 04:09:58 -04:00
Daniel Micay  f38929f9b4  add pacreport.conf  2022-07-24 20:55:47 -04:00
Daniel Micay  c0266f6a16  rename modprobe.d configuration file  2022-07-24 20:07:57 -04:00
Daniel Micay  e5f576c062  sshd: reduce MaxAuthTries to 1  2022-07-22 20:00:52 -04:00
Daniel Micay  84ca6bfa27  sshd: sntrup761x25519-sha512@openssh.com kex only  2022-07-22 19:55:59 -04:00
Daniel Micay  d7c23eac02  disable unused AES-GCM cipher suites  2022-07-22 19:11:28 -04:00
Daniel Micay  ad6e998ec2  nftables: filter input service traffic by dst addr  2022-07-21 19:32:43 -04:00
Daniel Micay  fdf21af1ae  nftables: use notrack accept instead of notrack  2022-07-21 17:31:16 -04:00
Daniel Micay  f7da683012  nftables: simplify ICMP handling  2022-07-18 22:14:35 -04:00
Daniel Micay  494247747c  add flarum-admin user  2022-07-12 17:36:13 -04:00
Daniel Micay  1a195570c8  sshd: disable unused agent forwarding feature  2022-07-11 19:57:42 -04:00
    This is a misguided feature and while this doesn't meaningfully reduce
    attack surface, it makes sense not to enable it.
Daniel Micay  1d9d5df54c  unbound: only listen on IPv6  2022-07-10 15:41:10 -04:00
Daniel Micay  710d487e78  qname-minimisation is enabled by default now  2022-07-03 09:30:44 -04:00
Daniel Micay  f957d83855  add resolv.conf  2022-07-03 09:05:41 -04:00
Daniel Micay  829ea23e8d  lower conntrack established tcp connection timeout  2022-07-03 05:28:54 -04:00
Daniel Micay  1c47cd88ab  disable loose TCP connection tracking  2022-07-03 03:50:53 -04:00
Daniel Micay  9dbc7347b5  directory for nginx unix domain sockets in /run  2022-07-02 13:10:42 -04:00