Commit Graph

22 Commits

Author        SHA1        Message                                             Date
Daniel Micay  ef1a26b68c  certbot-renew: make nginx ocsp-cache dir optional   2022-08-28 15:46:33 -04:00
Daniel Micay  fd397326ec  add chown to certbot syscall allowlist              2022-08-28 14:58:21 -04:00
Daniel Micay  8482ac5144  give certbot access to /etc/nginx/ocsp-cache        2022-08-27 17:22:23 -04:00
Daniel Micay  2cf0966847  properly override ExecStart                         2022-08-27 17:19:42 -04:00
Daniel Micay  f829e05134  raise discuss.grapheneos.org to 500M bandwidth cap  2022-08-11 11:44:22 -04:00
Daniel Micay  2a33c3b962  initial certbot-renew service hardening             2022-08-10 11:32:48 -04:00
                          This doesn't switch to using a dedicated certbot user yet since the
                          hooks used across the services will all still need to work.
Daniel Micay  5bbaecfce9  disable redundant random sleep for certbot renewal  2022-08-10 11:28:18 -04:00
Daniel Micay  afce4f2a51  limit nginx service capabilities                    2022-08-10 11:12:20 -04:00
                          Running nginx as non-root would be possible via CAP_NET_BIND_SERVICE as
                          an ambient capability but it would be inherited by workers. It's better
                          to leave the supervisor process as root for the time being unless nginx
                          was taught to use socket activation or drop capabilities for workers.
Daniel Micay  ca7c036e8c  sort nginx hardening.conf options                   2022-08-10 11:12:20 -04:00
Daniel Micay  7332d93575  update base systemd/sleep.conf                      2022-08-10 05:31:31 -04:00
Daniel Micay  316561389c  extend nginx service hardening                      2022-08-09 04:55:10 -04:00
Daniel Micay  01791fdcd3  configure CAKE via systemd-networkd                 2022-07-27 20:56:14 -04:00
Daniel Micay  2ff883f37f  add systemd-network configurations                  2022-07-27 15:40:10 -04:00
Daniel Micay  953420e7a3  disable systemd sleep support                       2022-07-27 14:47:48 -04:00
Daniel Micay  e73dab2375  update systemd/system.conf                          2022-05-22 15:57:02 -04:00
Daniel Micay  962270c183  update system.conf                                  2022-03-14 15:08:14 -04:00
Daniel Micay  72937c922f  add new file limit configuration for sshd           2022-02-25 19:31:35 -05:00
Daniel Micay  9f82fe54bd  use double brace for templates                      2021-11-27 20:25:47 -05:00
Daniel Micay  35f539f237  only permit native system call architecture         2021-09-16 03:57:53 -04:00
Daniel Micay  e4872fb5bb  enable IP and IO accounting by default              2021-09-09 08:44:11 -04:00
Daniel Micay  64b3a1031d  move units to systemd directory                     2021-09-08 17:57:50 -04:00
Daniel Micay  fe9d4e0f5f  add systemd directory                               2021-09-08 17:53:20 -04:00