Commit Graph

44 Commits

Author SHA1 Message Date
Daniel Micay
cbed8c0b42 use standard override.conf name for unit overrides 2024-10-13 21:27:51 -04:00
Daniel Micay
26bedef1a1 enable ManagedOOMSwap=kill for root slice 2024-10-13 05:26:08 -04:00
Daniel Micay
ea3d577ac6 use incrementing auto-restart delay 2024-09-15 00:20:45 -04:00
Daniel Micay
76c1ae3aaf enable auto-restart for unbound and chronyd 2024-09-14 22:27:40 -04:00
Daniel Micay
a787d6c446 use default RestartSec for nginx 2024-09-14 20:16:10 -04:00
Daniel Micay
9638832f82 switch back to MaxRetentionSec now that it's fixed
The fix for this causing excessive log rotation was backported to systemd 256.5.
2024-08-18 19:41:04 -04:00
Tommy
6fc45525d9 Add NoNewPrivileges=true for certbot 2024-06-24 11:55:59 -04:00
Tommy
55221c8e44 Sort NGINX override alphabetically
Everything is already sorted alphabetically, but for some reason NoNewPrivileges is above MemoryDenyWriteExecute
2024-06-24 11:36:36 -04:00
Tommy
0e4d94e550 Remove redundant PrivateTmp=true 2024-06-24 11:18:11 -04:00
Daniel Micay
2e7058e9c4 replace certbot log rotation with logrotate 2024-02-13 12:38:14 -05:00
Daniel Micay
e81e9feef3 replace MaxRetentionSec to stop excessive rotation 2024-02-13 11:30:56 -05:00
Daniel Micay
e581aeafb5 use idle CPU scheduling mode for updatedb 2024-01-03 10:10:04 -05:00
Daniel Micay
15f1cbcd02 nginx: drop ExecStart override 2023-09-18 02:41:59 -04:00
Daniel Micay
90411f367c update OCSP cache path for certbot-renew.service 2023-09-02 15:07:28 -04:00
Daniel Micay
e1af23a478 add attestation service config for email 2023-08-18 23:57:44 -04:00
Daniel Micay
2f56bae4a5 use consistent naming for system drop-in configs 2023-08-04 14:45:15 -04:00
Daniel Micay
e56add4330 run fstrim daily instead of weekly 2023-08-04 14:38:41 -04:00
Daniel Micay
b67d037a5e add xfs_fsr service run before fstrim service 2023-08-03 16:35:53 -04:00
Daniel Micay
5e07ae005b use idle scheduling for fstrim.service 2023-07-26 13:21:24 -04:00
Daniel Micay
6736cdc36f use highest accuracy for sysstat-collect.timer 2023-07-13 18:51:39 -04:00
Daniel Micay
6567335b31 run sysstat-collect.service every minute 2023-07-13 18:51:28 -04:00
Daniel Micay
5f339efb2d update certbot-ocsp-fetcher 2023-07-09 18:16:59 -04:00
Daniel Micay
462bdc8599 add session ticket key management scripts 2023-07-09 18:04:17 -04:00
Daniel Micay
8ac489c9aa allow nginx master process to use CAP_CHOWN
This is required for it to create the /var directories it uses when the
master process is running as root. It would be possible to run the nginx
master process as non-root but it doesn't drop ambient capabilities when
it spawns the workers so running the master process as non-root will end
up giving the workers higher privileges due to them ending up getting
the CAP_NET_BIND_SERVICE capability passed through.
2023-07-06 05:30:35 -04:00
Daniel Micay
37bf4935f1 drop mail server specific certbot configuration
The mail server is now using the webroot authentication method via nginx
due to moving the MTA-STS web service to the mail server.
2023-06-30 15:47:33 -04:00
Daniel Micay
27aca7474c drop no-op RemoveIPC 2023-06-10 20:42:37 -04:00
Daniel Micay
7fc42a25c4 remove Arch Linux nginx error_log configuration
error_log works the same way as add_header where defining it again on
the same level is additive and logs to both places, meaning that there
are duplicated logs when defining a proper syslog error_log output at
the top level.
2023-02-17 17:31:00 -05:00
Daniel Micay
36423fb2bc auto-restart nginx if master process is killed
nginx handles restarting workers automatically but the master process
is typically killed by the OOM killer too.
2022-09-26 16:45:15 -04:00
Daniel Micay
320ad2e3a8 replace tmpfiles.d with RuntimeDirectory for nginx
This is much more robust because nginx will fail to start after being
killed or crashing due to only removing old Unix domain sockets when it
stops cleanly. It ends up owned by root:root instead of root:http which
is fine because only the master process opens it.
2022-09-26 16:43:17 -04:00
Daniel Micay
88d8e37233 rename nginx service hardening.conf to local.conf 2022-09-26 14:04:45 -04:00
Daniel Micay
dfd3fc861b avoid disallowing chown syscall for certbot-renew 2022-09-14 18:29:12 -04:00
Daniel Micay
ef1a26b68c certbot-renew: make nginx ocsp-cache dir optional 2022-08-28 15:46:33 -04:00
Daniel Micay
fd397326ec add chown to certbot syscall allowlist 2022-08-28 14:58:21 -04:00
Daniel Micay
8482ac5144 give certbot access to /etc/nginx/ocsp-cache 2022-08-27 17:22:23 -04:00
Daniel Micay
2cf0966847 properly override ExecStart 2022-08-27 17:19:42 -04:00
Daniel Micay
2a33c3b962 initial certbot-renew service hardening
This doesn't switch to using a dedicated certbot user yet since the
hooks used across the services will all still need to work.
2022-08-10 11:32:48 -04:00
Daniel Micay
5bbaecfce9 disable redundant random sleep for certbot renewal 2022-08-10 11:28:18 -04:00
Daniel Micay
afce4f2a51 limit nginx service capabilities
Running nginx as non-root would be possible via CAP_NET_BIND_SERVICE as
an ambient capability but it would be inherited by workers. It's better
to leave the supervisor process as root for the time being unless nginx
was taught to use socket activation or drop capabilities for workers.
2022-08-10 11:12:20 -04:00
Daniel Micay
ca7c036e8c sort nginx hardening.conf options 2022-08-10 11:12:20 -04:00
Daniel Micay
316561389c extend nginx service hardening 2022-08-09 04:55:10 -04:00
Daniel Micay
01791fdcd3 configure CAKE via systemd-networkd 2022-07-27 20:56:14 -04:00
Daniel Micay
72937c922f add new file limit configuration for sshd 2022-02-25 19:31:35 -05:00
Daniel Micay
9f82fe54bd use double brace for templates 2021-11-27 20:25:47 -05:00
Daniel Micay
64b3a1031d move units to systemd directory 2021-09-08 17:57:50 -04:00