Daniel Micay
d44a316624
disable 32-bit support via kernel line
This is now supported in mainline and will be available in Linux 6.7. It
will be a while before we have it in production due to using the latest
LTS branch, but it might as well be set up in advance.
We currently have SystemCallArchitectures=native in the systemd
configuration to disallow 32-bit system calls via seccomp-bpf.
2024-01-03 11:10:07 -05:00
Daniel Micay
dd9d6ff2a5
disable unused multipath TCP
2024-01-03 10:52:27 -05:00
Daniel Micay
d0e6159220
filter irrelevant module output
2024-01-03 10:18:15 -05:00
Daniel Micay
e581aeafb5
use idle CPU scheduling mode for updatedb
2024-01-03 10:10:04 -05:00
Daniel Micay
ae0373cc38
simplify log fetching
2023-12-24 20:21:06 -05:00
Daniel Micay
15a2fa132f
disable services on IPv6 for discussion forum
2023-12-22 17:47:49 -05:00
Daniel Micay
8bfec062dc
switch to nodejs 20 LTS branch
2023-12-21 20:12:55 -05:00
Daniel Micay
99973b1ca2
add mmdblookup to servers using geoip2
2023-12-21 09:49:36 -05:00
Daniel Micay
5a7110bee4
add geoip2 packages for discuss.grapheneos.org
2023-12-21 09:46:53 -05:00
Daniel Micay
5cef4a2aa6
allow geoipupdate internet access for discuss
2023-12-21 09:44:05 -05:00
Daniel Micay
dc4101f3de
update systemd configuration files
2023-12-07 12:33:59 -05:00
Daniel Micay
8708b133e5
update python dependencies
2023-12-03 23:52:09 -05:00
Daniel Micay
c1a826278e
add widevineprovisioning.grapheneos.org
2023-12-02 02:16:42 -05:00
Daniel Micay
d99ca0a43f
switch to development release of matterbridge
2023-12-02 02:16:24 -05:00
Daniel Micay
bed640859d
update python dependencies
2023-11-20 22:43:56 -05:00
Daniel Micay
f9bd8e2476
switch domain order for nameserver certbot setup
2023-11-05 01:33:56 -05:00
Daniel Micay
ebd0c7d8d0
add staging nameserver certbot setup
2023-11-05 01:32:44 -05:00
Daniel Micay
38bb002a01
add authenticated DNS-over-TLS to nameservers
2023-11-05 00:51:33 -04:00
Daniel Micay
3a92693611
move PowerDNS webserver to localhost port 81
2023-11-05 00:31:54 -04:00
Daniel Micay
c959f8bc5b
drop jdk-openjdk from attestation servers
2023-11-04 16:31:03 -04:00
Daniel Micay
a10afab253
update Python dependencies
2023-10-24 14:16:54 -04:00
Orazio
9aba6192e7
unbound: block dns rebinding
Blocking RFC 1918 addresses too is unlikely to be useful on your setup, but may be in case you add something like a VPC in the future.
2023-10-04 10:26:16 -04:00
Daniel Micay
cb0007f816
update python dependencies
2023-10-03 11:39:02 -04:00
Daniel Micay
a4af9e2faf
add ephemeral-trees directory to pacreport
2023-10-01 09:04:41 -04:00
Daniel Micay
c29206dff6
update python dependencies
2023-10-01 08:41:06 -04:00
Daniel Micay
ffff417df9
mastodon package now declares proper dependencies
2023-09-24 22:21:09 -04:00
Daniel Micay
1f7ea042fe
expand host variable declarations
2023-09-18 03:29:23 -04:00
Daniel Micay
15f1cbcd02
nginx: drop ExecStart override
2023-09-18 02:41:59 -04:00
Daniel Micay
90411f367c
update OCSP cache path for certbot-renew.service
2023-09-02 15:07:28 -04:00
Daniel Micay
067b42213f
update ocsp cache path for certbot deploy hook
2023-08-21 03:20:50 -04:00
Daniel Micay
adec4b9bda
certbot: drop absolute path for deploy hook
2023-08-21 03:19:47 -04:00
Daniel Micay
a92156528a
add nftables dscp counter config to guide
2023-08-19 00:46:21 -04:00
Daniel Micay
104c1857d9
add vconsole.conf to pacreport.conf
2023-08-19 00:37:54 -04:00
Daniel Micay
14da5949f2
add fstrim/xfs_fsr configuration to pacreport.conf
2023-08-19 00:37:00 -04:00
Daniel Micay
5a86b91909
update pip-compile command
2023-08-19 00:27:56 -04:00
Daniel Micay
9419af1bd6
use af21 for unbound DoT traffic
2023-08-19 00:20:21 -04:00
Daniel Micay
e1af23a478
add attestation service config for email
2023-08-18 23:57:44 -04:00
Daniel Micay
343d1fdb2f
add mtr package
2023-08-16 22:55:53 -04:00
Daniel Micay
b88d0d5c96
raise ssh background traffic priority to af11
The default cs1 is resulting in traffic being completely dropped for some
routes with congestion.
2023-08-14 23:32:00 -04:00
Daniel Micay
ae2fc9244b
support drop-in configurations for ssh configs
2023-08-11 11:36:08 -04:00
Daniel Micay
894f150a62
use CAKE no-split-gso for release servers
2023-08-06 23:18:53 -04:00
Daniel Micay
4160e5a6b7
chrony: mark traffic as EF
2023-08-04 17:20:25 -04:00
Daniel Micay
2f56bae4a5
use consistent naming for system drop-in configs
2023-08-04 14:45:15 -04:00
Daniel Micay
e56add4330
run fstrim daily instead of weekly
2023-08-04 14:38:41 -04:00
Daniel Micay
b67d037a5e
add xfs_fsr service run before fstrim service
2023-08-03 16:35:53 -04:00
Daniel Micay
124897ccba
update systemd/system.conf
2023-08-01 18:06:28 -04:00
Daniel Micay
7a95f6bfb4
update systemd/networkd.conf
2023-08-01 18:05:17 -04:00
Daniel Micay
2703b7a378
add pv package
2023-07-28 23:24:40 -04:00
Daniel Micay
53b46f6166
set correct subnet mask for BuyVM main IP
2023-07-28 00:12:05 -04:00
Daniel Micay
5e07ae005b
use idle scheduling for fstrim.service
2023-07-26 13:21:24 -04:00