Commit Graph

102 Commits

Author SHA1 Message Date
Daniel Micay
b6d8ef1500 add intended CrashAction configuration 2024-08-18 19:49:51 -04:00
Daniel Micay
9638832f82 switch back to MaxRetentionSec now that it's fixed
The fix for this causing excessive log rotation was backported to systemd 256.5.
2024-08-18 19:41:04 -04:00
Daniel Micay
4dc70b8df7 update journald.conf 2024-08-18 19:28:57 -04:00
Tommy
6fc45525d9 Add NoNewPrivileges=true for certbot 2024-06-24 11:55:59 -04:00
Tommy
55221c8e44 Sort NGINX override alphabetically
Everything is already sorted alphabetically, but for some reason NoNewPrivileges is above MemoryDenyWriteExecute
2024-06-24 11:36:36 -04:00
Tommy
0e4d94e550 Remove redundant PrivateTmp=true 2024-06-24 11:18:11 -04:00
Daniel Micay
662a2d3522 update configuration for systemd 256 2024-06-18 13:16:03 -04:00
Daniel Micay
73a88e36ad replace 3.grapheneos.org and 3.grapheneos.network 2024-06-15 14:02:29 -04:00
Daniel Micay
66562272ac set preferred source for static IPv6 configuration 2024-03-26 21:50:12 -04:00
Daniel Micay
3de32072da consistently use short form IPv6 addresses 2024-03-26 21:24:50 -04:00
Daniel Micay
571644526d consistently list IPv4 routes before IPv6 routes 2024-03-26 21:24:50 -04:00
Daniel Micay
64e2e836d3 set preferred source for static IPv4 configuration 2024-03-26 21:24:48 -04:00
Daniel Micay
d8b70fce4f raise journal size for high log volume servers 2024-03-01 10:05:39 -05:00
Daniel Micay
23207e99bf replace 4.releases.grapheneos.org server 2024-02-24 10:34:52 -05:00
Daniel Micay
5b25870f96 enable reboot on systemd crash caught systemd 2024-02-13 13:07:51 -05:00
Daniel Micay
2e7058e9c4 replace certbot log rotation with logrotate 2024-02-13 12:38:14 -05:00
Daniel Micay
e81e9feef3 replace MaxRetentionSec to stop excessive rotation 2024-02-13 11:30:56 -05:00
Daniel Micay
0e3521564c replace mail.grapheneos.org server 2024-01-24 22:53:09 -05:00
Daniel Micay
da98484270 replace attestation.app server 2024-01-23 19:15:19 -05:00
Daniel Micay
7213c1745a replace 2.grapheneos.org and 2.grapheneos.network 2024-01-22 01:39:38 -05:00
Daniel Micay
4714b0bdb9 replace discuss.grapheneos.org server 2024-01-20 23:36:30 -05:00
Daniel Micay
6a0481714f replace 0.grapheneos.org and 0.grapheneos.network 2024-01-20 00:59:00 -05:00
Daniel Micay
a954a4a024 use clean syntax for IPv6 address 2024-01-18 08:44:19 -05:00
Daniel Micay
d22b380520 replace ns1.grapheneos.org server 2024-01-18 08:19:33 -05:00
Daniel Micay
e581aeafb5 use idle CPU scheduling mode for updatedb 2024-01-03 10:10:04 -05:00
Daniel Micay
dc4101f3de update systemd configuration files 2023-12-07 12:33:59 -05:00
Daniel Micay
15f1cbcd02 nginx: drop ExecStart override 2023-09-18 02:41:59 -04:00
Daniel Micay
90411f367c update OCSP cache path for certbot-renew.service 2023-09-02 15:07:28 -04:00
Daniel Micay
e1af23a478 add attestation service config for email 2023-08-18 23:57:44 -04:00
Daniel Micay
894f150a62 use CAKE no-split-gso for release servers 2023-08-06 23:18:53 -04:00
Daniel Micay
2f56bae4a5 use consistent naming for system drop-in configs 2023-08-04 14:45:15 -04:00
Daniel Micay
e56add4330 run fstrim daily instead of weekly 2023-08-04 14:38:41 -04:00
Daniel Micay
b67d037a5e add xfs_fsr service run before fstrim service 2023-08-03 16:35:53 -04:00
Daniel Micay
124897ccba update systemd/system.conf 2023-08-01 18:06:28 -04:00
Daniel Micay
7a95f6bfb4 update systemd/networkd.conf 2023-08-01 18:05:17 -04:00
Daniel Micay
53b46f6166 set correct subnet mask for BuyVM main IP 2023-07-28 00:12:05 -04:00
Daniel Micay
5e07ae005b use idle scheduling for fstrim.service 2023-07-26 13:21:24 -04:00
Daniel Micay
6595a2b05f rename eth0 to public
This resolves a warning from systemd-networkd about using one of the
names reserved by the kernel.
2023-07-15 00:33:35 -04:00
Daniel Micay
b245498612 disable unused DHCP IPv4 address for mail server 2023-07-13 21:39:12 -04:00
Daniel Micay
6736cdc36f use highest accuracy for sysstat-collect.timer 2023-07-13 18:51:39 -04:00
Daniel Micay
6567335b31 run sysstat-collect.service every minute 2023-07-13 18:51:28 -04:00
Daniel Micay
5f339efb2d update certbot-ocsp-fetcher 2023-07-09 18:16:59 -04:00
Daniel Micay
462bdc8599 add session ticket key management scripts 2023-07-09 18:04:17 -04:00
Daniel Micay
8ac489c9aa allow nginx master process to use CAP_CHOWN
This is required for it to create the /var directories it uses when the
master process is running as root. It would be possible to run the nginx
master process as non-root but it doesn't drop ambient capabilities when
it spawns the workers so running the master process as non-root will end
up giving the workers higher privileges due to them ending up getting
the CAP_NET_BIND_SERVICE capability passed through.
2023-07-06 05:30:35 -04:00
Daniel Micay
2cf694017b silence systemd-networkd address prefix warning
It does the right thing by default now but it still produces a warning,
so silence it.
2023-07-06 04:39:16 -04:00
Daniel Micay
5777fa38ae add network configuration for 1.grapheneos.network 2023-07-06 04:30:23 -04:00
Daniel Micay
2f4e9f67c4 set log retention time per server 2023-07-06 00:17:05 -04:00
Daniel Micay
5ea36399d1 rename 1.grapheneos.network to 2.grapheneos.network 2023-07-05 17:31:48 -04:00
Daniel Micay
a97e039314 rename 2.grapheneos.network to 3.grapheneos.network 2023-07-05 17:31:30 -04:00
Daniel Micay
37bf4935f1 drop mail server specific certbot configuration
The mail server is now using the webroot authentication method via nginx
due to moving the MTA-STS web service to the mail server.
2023-06-30 15:47:33 -04:00