Daniel Micay
ac0dc27596
move dnsdist control socket to port 55
This avoids unnecessary overlap with our ephemeral port range.
2025-06-27 13:39:43 -04:00
Daniel Micay
3b2f6d546c
nftables: simplify nameserver control socket rules
2025-06-27 13:10:16 -04:00
Daniel Micay
719e1fcd35
gitignore: ignore /tmp
2025-06-26 16:49:08 -04:00
Daniel Micay
e2b35814f7
remove unused firmware packages
2025-06-26 15:24:03 -04:00
Daniel Micay
8b87654075
scale synproxy threshold based on conntrack max
2025-06-22 22:27:48 -04:00
Daniel Micay
bb797f412b
adjust conntrack max based on available memory
2025-06-22 22:08:34 -04:00
Daniel Micay
5b9e9fe712
use default conntrack UDP stream timeout
This is relevant to zerotier and will be relevant to QUIC once we begin
using it.
2025-06-22 22:08:34 -04:00
Daniel Micay
bf63af97d7
update python dependencies
2025-06-22 14:19:57 -04:00
Daniel Micay
01ef6a5187
certbot: switch to --required-profile
2025-06-21 18:16:58 -04:00
Daniel Micay
57ed4ac360
count: add Pixel 9a
2025-06-17 13:06:58 -04:00
Daniel Micay
805d7984be
update python dependencies
2025-06-16 18:20:11 -04:00
Daniel Micay
f98559218b
update python dependencies
2025-06-10 11:53:11 -04:00
Daniel Micay
6b2e72e935
sshd: reduce LoginGraceTime to 5s
2025-06-06 11:01:01 -04:00
Daniel Micay
95ed9b1bef
plocate-updatedb.timer is enabled by default now
2025-06-04 14:24:52 -04:00
Daniel Micay
e56b061eb3
use rsync --preallocate for deployment
2025-06-01 10:01:50 -04:00
Daniel Micay
05bc9199b3
use default log size for 2.ns2.grapheneos.org
2025-05-28 11:35:46 -04:00
Daniel Micay
3f2e33e8df
raise journal size for several servers
2025-05-28 11:01:12 -04:00
Daniel Micay
5ce289433b
rotate-session-ticket-keys: split up code with newlines
2025-05-27 15:40:54 -04:00
Daniel Micay
57a5209d8b
integrate dnsdist in session ticket keys management
2025-05-27 15:40:54 -04:00
Daniel Micay
6555042a88
add unified session ticket keys file for dnsdist
2025-05-27 15:40:54 -04:00
Daniel Micay
94a2567b15
add tls group for session ticket keys
2025-05-27 15:40:52 -04:00
Daniel Micay
72ffc14258
add dnsdist deploy-hook setup for ns1.staging.grapheneos.org
2025-05-27 14:23:28 -04:00
Daniel Micay
c140d98366
clean up old files for dnsdist
2025-05-27 14:23:28 -04:00
Daniel Micay
44f6e6021a
make session ticket management more generic
2025-05-27 14:23:23 -04:00
Daniel Micay
3e407eac80
certbot: add dnsdist support
2025-05-24 15:47:55 -04:00
Daniel Micay
ee7270f7c4
disable timeout for systemd-boot by default
It's possible to access the menu without a timeout anyway and it also
tends to not be useful for any real world recovery situation anyway.
2025-05-21 21:48:54 -04:00
Daniel Micay
7cb75131dc
drop executable bit for regular files in FAT32 ESP
2025-05-21 20:00:08 -04:00
Daniel Micay
5c41418606
nftables: add support for dnsdist control socket
2025-05-16 13:19:38 -04:00
Daniel Micay
e75172d57c
replace nginx with dnsdist for DNS-over-TLS
2025-05-13 21:42:53 -04:00
Daniel Micay
27fe524af6
update python dependencies
2025-05-13 10:44:01 -04:00
Daniel Micay
32f5653e80
gitignore: add /authorized_keys-replica-ns1
2025-05-13 00:18:20 -04:00
Daniel Micay
a3ca986940
merge mail.grapheneos.org certbot command files
2025-05-08 22:30:33 -04:00
Daniel Micay
c9d7aa52a6
remove duplicate domain
2025-05-08 22:26:56 -04:00
Daniel Micay
e9cbaebe22
split supl.grapheneos.org certificate for non-SNI
2025-05-08 22:26:56 -04:00
Daniel Micay
f9f3cdab05
add 1.ns1.grapheneos.org server
2025-05-08 22:26:56 -04:00
Daniel Micay
7095105832
add 3.ns1.grapheneos.org server
2025-05-08 22:26:56 -04:00
Daniel Micay
30128d2654
update releases.grapheneos.org authorized_keys configuration
2025-05-08 22:26:56 -04:00
Daniel Micay
e29998ff7d
deploy-initial: use server-specific authorized_keys
2025-05-08 22:26:56 -04:00
Daniel Micay
90a7780b5e
migrate to new tlsserver Let's Encrypt profile
We can no longer use OCSP stapling and Must-Staple. These will soon be
obsolete once the `shortlived` profile is available for public use since
it will provide certificates with a similar lifetime as OCSP responses.
In the meantime, we've moved to the `tlsserver` profile stripping legacy
features to prepare for the `shortlived` profile which will be identical
to `tlsserver` but with a validity period of 6 days.
The certificate for SUPL is still temporarily using the classic profile
to work around the older generations of end-of-life Snapdragon Pixels
not having support for SNI. We can eventually drop support for these
devices from the SUPL service to allow us to disable TLSv1.1, DHE and
move to the `tlsserver` or `shortlived` profile.
The certificate for SMTP is still temporarily using the classic profile
to avoid potential compatibility issues with servers supporting TLSv1.2
but still not yet supporting SNI.
2025-05-08 22:26:43 -04:00
Daniel Micay
a6d1e00d07
drop SSH connections to new anycast IPs
2025-05-05 17:29:56 -04:00
Daniel Micay
029882f051
set up certificate replication for ns1 replicas
2025-05-05 17:29:54 -04:00
Daniel Micay
4a9deb48ab
add bird and zerotier-one packages to ns1 servers
2025-05-04 16:01:06 -04:00
Daniel Micay
c64bddb5c6
update Arch ISO for VPS deployment to 2025.05.01
2025-05-04 16:01:06 -04:00
Daniel Micay
c7cb5d025e
add 2.ns1.grapheneos.org server
2025-05-04 16:01:04 -04:00
Daniel Micay
2784008a65
nftables: add support for rage4 anycast for ns1
2025-05-03 18:13:20 -04:00
Daniel Micay
566f1a10d2
rename ns1.grapheneos.org to 0.ns1.grapheneos.org
2025-05-03 18:13:18 -04:00
Daniel Micay
c41f579a51
raise journal file size for 2.grapheneos.org
2025-05-03 09:21:37 -04:00
Daniel Micay
476d7f4794
raise journal file size for 1.grapheneos.network
2025-05-03 09:21:34 -04:00
Daniel Micay
7cd1fcb8a3
temporarily rename releases certbot configuration
2025-04-30 23:30:49 -04:00
Daniel Micay
7861ef2c30
remove legacy OVH update servers
2025-04-30 23:27:40 -04:00