Commit Graph

430 Commits

Author SHA1 Message Date
Daniel Micay
fdf3839571 prepare to move MTA-STS web server to mail server 2023-06-21 13:12:04 -04:00
Daniel Micay
3d869bcac7 split out anycast DNS nftables configuration 2023-06-19 03:28:59 -04:00
Daniel Micay
d0d72994e2 replace ns2.grapheneos.org network configuration 2023-06-16 20:30:29 -04:00
Daniel Micay
341861f886 add xfsprogs package 2023-06-16 13:54:06 -04:00
Daniel Micay
f9bd265028 nftables: drop unnecessary semicolons 2023-06-10 22:14:54 -04:00
Daniel Micay
27aca7474c drop no-op RemoveIPC 2023-06-10 20:42:37 -04:00
Daniel Micay
6223daec3f document DANE TLSA commands 2023-06-09 01:09:47 -04:00
Daniel Micay
dcb50a9085 add /etc/sysctl.d/local-reserved-ports.conf 2023-06-06 21:55:11 -04:00
Daniel Micay
48f855cf83 exclude /etc/sysconfig in pacreport.conf 2023-06-06 17:05:58 -04:00
Daniel Micay
39ec27f421 move ssh configuration to subdirectory 2023-06-06 15:18:19 -04:00
Daniel Micay
4e12323e27 regenerate requirements.txt 2023-05-31 19:04:12 -04:00
Daniel Micay
36876296cd update pacman.conf to match standard one 2023-05-22 19:26:21 -04:00
Daniel Micay
593701cd63 add certbot commands 2023-05-22 18:44:50 -04:00
Daniel Micay
6f6b8ceb54 enable chronyd seccomp filter 2023-05-07 00:02:51 -04:00
Daniel Micay
a74812ca6e allow NTP requests to network servers 2023-05-05 10:44:43 -04:00
Daniel Micay
04e7114468 more precise gitignore rules 2023-04-16 16:09:20 -04:00
Daniel Micay
6c0201a9f7 add venv to gitignore 2023-04-16 16:08:58 -04:00
Daniel Micay
9b4d547dc1 mark php explicitly installed for forum 2023-04-10 02:22:20 -04:00
Daniel Micay
06d672d7f8 add credstore to pacreport configuration 2023-04-05 22:44:35 -04:00
Daniel Micay
19a7b5b9c9 add explicitly installed packages to repository 2023-04-04 14:43:57 -04:00
Daniel Micay
ac23681718 update systemd/system.conf 2023-03-30 03:17:00 -04:00
Daniel Micay
7ffac9ab5a raise max journald files 2023-03-29 00:15:04 -04:00
Daniel Micay
c573091af4 use per-host journald SystemMaxUse 2023-03-25 07:04:46 -04:00
Daniel Micay
581b590be0 update python dependencies 2023-03-24 18:47:48 -04:00
Daniel Micay
83877cb983 add OVH mitigation control script 2023-02-22 16:22:47 -05:00
Daniel Micay
d550ccbc73 update sleep.conf 2023-02-17 17:51:41 -05:00
Daniel Micay
68a73e798a update system.conf 2023-02-17 17:51:24 -05:00
Daniel Micay
7fc42a25c4 remove Arch Linux nginx error_log configuration
error_log works the same way as add_header where defining it again on
the same level is additive and logs to both places, meaning that there
are duplicated logs when defining a proper syslog error_log output at
the top level.
2023-02-17 17:31:00 -05:00
Daniel Micay
312b1a027b switch to unix domain sockets for mastodon 2023-02-17 16:24:35 -05:00
Daniel Micay
53b2431f6b switch to unix socket for redis 2023-02-15 02:45:52 -05:00
Daniel Micay
f8d62478cf drop old nginx tmpfiles.d conf from pacreport.conf 2023-02-14 01:43:03 -05:00
Daniel Micay
c9dcf479fc allow PowerDNS webserver on loopback for root 2023-02-14 01:19:19 -05:00
Daniel Micay
7871fa2d51 add comments for unbound avoid port configuration 2023-02-11 20:29:33 -05:00
Daniel Micay
edbb9158a4 avoid port 7275 (supl) for unbound 2023-02-11 20:23:22 -05:00
Daniel Micay
34d0f7fc3b baseline web server config doesn't use DNS 2023-02-11 03:26:25 -05:00
Daniel Micay
8b96ee620c split out network nftables rules for SUPL proxy 2023-02-11 03:11:47 -05:00
Daniel Micay
f0f6b9d993 sshd: switch to SSH protocol keep alive 2023-02-10 11:20:54 -05:00
Daniel Micay
d47d1569e5 update sshd_config 2023-02-02 13:48:35 -05:00
Daniel Micay
1ba011b865 update pacreport.conf 2023-01-31 20:22:36 -05:00
Daniel Micay
3dfbd4e777 add init_on_free=1 for non-hardened kernels 2023-01-23 21:34:33 -05:00
Daniel Micay
67de376313 add slab_nomerge for non-hardened kernels 2023-01-15 14:34:44 -05:00
Daniel Micay
3c6aeeab3d add Mastodon ports to unbound avoid list 2023-01-10 14:09:10 -05:00
Daniel Micay
4fd4aa40ee switch to C.UTF-8 locale
en_US.UTF-8 still needs to be generated for now since the PostgreSQL
databases and potentially other applications will still be using it.
2023-01-10 14:09:06 -05:00
Daniel Micay
6530e1a583 reboot immediately on kernel panic
We can adjust this if we ever need to debug a kernel panic issue which
is not expected.
2023-01-09 14:18:30 -05:00
Daniel Micay
13a3a4ece0 use optimized dm-crypt configuration for swap 2023-01-03 02:27:23 -05:00
Daniel Micay
cea56c8acd fix matrix.grapheneos.org loopback nftables rules 2022-12-25 19:03:41 -05:00
Daniel Micay
88692df381 add nftables rules for grapheneos.social 2022-12-25 18:54:08 -05:00
Daniel Micay
34627b993a switch to default mkinitcpio.conf
We no longer make any changes to this configuration and are unlikely to
need any.
2022-12-14 05:10:51 -05:00
Daniel Micay
01f0b498cf add additional gitignore entries 2022-12-13 13:12:23 -05:00
Daniel Micay
3ea5a14b2f drop floating IPs for DNS servers 2022-11-30 19:23:18 -05:00