Daniel Micay
fdf3839571
prepare to move MTA-STS web server to mail server
2023-06-21 13:12:04 -04:00
Daniel Micay
3d869bcac7
split out anycast DNS nftables configuration
2023-06-19 03:28:59 -04:00
Daniel Micay
d0d72994e2
replace ns2.grapheneos.org network configuration
2023-06-16 20:30:29 -04:00
Daniel Micay
341861f886
add xfsprogs package
2023-06-16 13:54:06 -04:00
Daniel Micay
f9bd265028
nftables: drop unnecessary semicolons
2023-06-10 22:14:54 -04:00
Daniel Micay
27aca7474c
drop no-op RemoveIPC
2023-06-10 20:42:37 -04:00
Daniel Micay
6223daec3f
document DANE TLSA commands
2023-06-09 01:09:47 -04:00
Daniel Micay
dcb50a9085
add /etc/sysctl.d/local-reserved-ports.conf
2023-06-06 21:55:11 -04:00
Daniel Micay
48f855cf83
exclude /etc/sysconfig in pacreport.conf
2023-06-06 17:05:58 -04:00
Daniel Micay
39ec27f421
move ssh configuration to subdirectory
2023-06-06 15:18:19 -04:00
Daniel Micay
4e12323e27
regenerate requirements.txt
2023-05-31 19:04:12 -04:00
Daniel Micay
36876296cd
update pacman.conf to match standard one
2023-05-22 19:26:21 -04:00
Daniel Micay
593701cd63
add certbot commands
2023-05-22 18:44:50 -04:00
Daniel Micay
6f6b8ceb54
enable chronyd seccomp filter
2023-05-07 00:02:51 -04:00
Daniel Micay
a74812ca6e
allow NTP requests to network servers
2023-05-05 10:44:43 -04:00
Daniel Micay
04e7114468
more precise gitignore rules
2023-04-16 16:09:20 -04:00
Daniel Micay
6c0201a9f7
add venv to gitignore
2023-04-16 16:08:58 -04:00
Daniel Micay
9b4d547dc1
mark php explicitly installed for forum
2023-04-10 02:22:20 -04:00
Daniel Micay
06d672d7f8
add credstore to pacreport configuration
2023-04-05 22:44:35 -04:00
Daniel Micay
19a7b5b9c9
add explicitly installed packages to repository
2023-04-04 14:43:57 -04:00
Daniel Micay
ac23681718
update systemd/system.conf
2023-03-30 03:17:00 -04:00
Daniel Micay
7ffac9ab5a
raise max journald files
2023-03-29 00:15:04 -04:00
Daniel Micay
c573091af4
use per-host journald SystemMaxUse
2023-03-25 07:04:46 -04:00
Daniel Micay
581b590be0
update python dependencies
2023-03-24 18:47:48 -04:00
Daniel Micay
83877cb983
add OVH mitigation control script
2023-02-22 16:22:47 -05:00
Daniel Micay
d550ccbc73
update sleep.conf
2023-02-17 17:51:41 -05:00
Daniel Micay
68a73e798a
update system.conf
2023-02-17 17:51:24 -05:00
Daniel Micay
7fc42a25c4
remove Arch Linux nginx error_log configuration
...
error_log works the same way as add_header where defining it again on
the same level is additive and logs to both places, meaning that there
are duplicated logs when defining a proper syslog error_log output at
the top level.
2023-02-17 17:31:00 -05:00
Daniel Micay
312b1a027b
switch to unix domain sockets for mastodon
2023-02-17 16:24:35 -05:00
Daniel Micay
53b2431f6b
switch to unix socket socket for redis
2023-02-15 02:45:52 -05:00
Daniel Micay
f8d62478cf
drop old nginx tmpfiles.d conf from pacreport.conf
2023-02-14 01:43:03 -05:00
Daniel Micay
c9dcf479fc
allow PowerDNS webserver on loopback for root
2023-02-14 01:19:19 -05:00
Daniel Micay
7871fa2d51
add comments for unbound avoid port configuration
2023-02-11 20:29:33 -05:00
Daniel Micay
edbb9158a4
avoid port 7275 (supl) for unbound
2023-02-11 20:23:22 -05:00
Daniel Micay
34d0f7fc3b
baseline web server config doesn't use DNS
2023-02-11 03:26:25 -05:00
Daniel Micay
8b96ee620c
split out network nftables rules for SUPL proxy
2023-02-11 03:11:47 -05:00
Daniel Micay
f0f6b9d993
sshd: switch to SSH protocol keep alive
2023-02-10 11:20:54 -05:00
Daniel Micay
d47d1569e5
update sshd_config
2023-02-02 13:48:35 -05:00
Daniel Micay
1ba011b865
update pacreport.conf
2023-01-31 20:22:36 -05:00
Daniel Micay
3dfbd4e777
add init_on_free=1 for non-hardened kernels
2023-01-23 21:34:33 -05:00
Daniel Micay
67de376313
add slab_nomerge for non-hardened kernels
2023-01-15 14:34:44 -05:00
Daniel Micay
3c6aeeab3d
add Mastodon ports to unbound avoid list
2023-01-10 14:09:10 -05:00
Daniel Micay
4fd4aa40ee
switch to C.UTF-8 locale
...
en_US.UTF-8 still needs to be generated for now since the PostgreSQL
databases and potentially other applications will still be using it.
2023-01-10 14:09:06 -05:00
Daniel Micay
6530e1a583
reboot immediately on kernel panic
...
We can adjust this if we ever need to debug a kernel panic issue which
is not expected.
2023-01-09 14:18:30 -05:00
Daniel Micay
13a3a4ece0
use optimized dm-crypt configuration for swap
2023-01-03 02:27:23 -05:00
Daniel Micay
cea56c8acd
fix matrix.grapheneos.org loopback nftables rules
2022-12-25 19:03:41 -05:00
Daniel Micay
88692df381
dd nftables rules for grapheneos.social
2022-12-25 18:54:08 -05:00
Daniel Micay
34627b993a
switch to default mkinitcpio.conf
...
We no longer make any changes to this configuration and are unlikely to
need any.
2022-12-14 05:10:51 -05:00
Daniel Micay
01f0b498cf
add additional gitignore entries
2022-12-13 13:12:23 -05:00
Daniel Micay
3ea5a14b2f
drop floating IPs for DNS servers
2022-11-30 19:23:18 -05:00