Commit Graph

191 Commits

Author SHA1 Message Date
Daniel Micay
3dfbd4e777 add init_on_free=1 for non-hardened kernels 2023-01-23 21:34:33 -05:00
Daniel Micay
67de376313 add slab_nomerge for non-hardened kernels 2023-01-15 14:34:44 -05:00
Daniel Micay
3c6aeeab3d add Mastodon ports to unbound avoid list 2023-01-10 14:09:10 -05:00
Daniel Micay
4fd4aa40ee switch to C.UTF-8 locale
en_US.UTF-8 still needs to be generated for now since the PostgreSQL
databases and potentially other applications will still be using it.
2023-01-10 14:09:06 -05:00
Daniel Micay
6530e1a583 reboot immediately on kernel panic
We can adjust this if we ever need to debug a kernel panic issue which
is not expected.
2023-01-09 14:18:30 -05:00
Daniel Micay
13a3a4ece0 use optimized dm-crypt configuration for swap 2023-01-03 02:27:23 -05:00
Daniel Micay
cea56c8acd fix matrix.grapheneos.org loopback nftables rules 2022-12-25 19:03:41 -05:00
Daniel Micay
88692df381 add nftables rules for grapheneos.social 2022-12-25 18:54:08 -05:00
Daniel Micay
34627b993a switch to default mkinitcpio.conf
We no longer make any changes to this configuration and are unlikely to
need any.
2022-12-14 05:10:51 -05:00
Daniel Micay
01f0b498cf add additional gitignore entries 2022-12-13 13:12:23 -05:00
Daniel Micay
3ea5a14b2f drop floating IPs for DNS servers 2022-11-30 19:23:18 -05:00
Daniel Micay
91e36044ca drop floating IPs for release servers 2022-11-29 02:26:51 -05:00
Daniel Micay
9f1ba5f2a5 drop floating IPs for website servers 2022-11-29 02:07:56 -05:00
Daniel Micay
3354bcb34d drop floating IPs for network servers 2022-11-29 02:07:05 -05:00
Daniel Micay
ace45c7d5c drop floating IP for attestation server 2022-11-29 01:39:15 -05:00
Daniel Micay
9929542f43 drop floating IP for forum server 2022-11-29 01:27:01 -05:00
Daniel Micay
38414a8313 drop floating IP for Matrix server 2022-11-29 01:26:31 -05:00
Daniel Micay
0aff07f884 add grapheneos.social network configuration 2022-11-27 01:41:42 -05:00
Daniel Micay
08da28f7b5 drop floating IPs for staging servers 2022-11-27 00:08:29 -05:00
Daniel Micay
7b3111deb6 update grub configuration 2022-11-16 22:49:10 -05:00
Daniel Micay
b996f5586f update systemd/system.conf 2022-11-10 17:09:19 -05:00
Daniel Micay
7a4ace53f7 disable less history by default for login sessions 2022-10-26 04:35:23 -04:00
Daniel Micay
224b1ae5d3 pam configuration now matches the package defaults 2022-10-21 21:48:35 -04:00
Daniel Micay
b93695ecc4 add encrypted swapfile configuration 2022-09-26 23:01:44 -04:00
Daniel Micay
36423fb2bc auto-restart nginx if master process is killed
nginx handles restarting workers automatically but the master process
is typically killed by the OOM killer too.
2022-09-26 16:45:15 -04:00
Daniel Micay
320ad2e3a8 replace tmpfiles.d with RuntimeDirectory for nginx
This is much more robust because nginx will fail to start after being
killed or crashing due to only removing old Unix domain sockets when it
stops cleanly. It ends up owned by root:root instead of root:http which
is fine because only the master process opens it.
2022-09-26 16:43:17 -04:00
Daniel Micay
88d8e37233 rename nginx service hardening.conf to local.conf 2022-09-26 14:04:45 -04:00
Daniel Micay
62a71c7600 drop obsolete nginx logrotate configuration 2022-09-25 14:23:01 -04:00
Daniel Micay
966100eb9f vm.max_map_count to 1048576 2022-09-25 07:48:50 -04:00
Daniel Micay
3d5f437ec7 allow unbound to use more outbound ports 2022-09-22 13:41:47 -04:00
Daniel Micay
f3fb90859a simplify mirrorlist 2022-09-15 23:13:28 -04:00
Daniel Micay
dfd3fc861b avoid disallowing chown syscall for certbot-renew 2022-09-14 18:29:12 -04:00
Daniel Micay
6c58739dc8 remove PowerDNS for unbound nftables allowlist
The unnecessary security polling has been disabled so it doesn't need
this anymore.
2022-09-10 18:11:58 -04:00
Daniel Micay
9a69263f6b switch to floating IPv4 addresses for staging 2022-09-10 04:36:49 -04:00
Daniel Micay
bcd14b805b blacklist legacy ip_tables module 2022-08-31 05:19:40 -04:00
Daniel Micay
337647c5a9 add cfg80211 to module blacklist to silence error 2022-08-31 04:34:35 -04:00
Daniel Micay
9939dbc67b use production time.nl hostname 2022-08-30 14:51:44 -04:00
Daniel Micay
9708449087 use anycast hostname for netnod.se 2022-08-30 14:48:55 -04:00
Daniel Micay
5461b3f05b raise tcp_max_syn_backlog to 65536 2022-08-28 15:54:11 -04:00
Daniel Micay
ef1a26b68c certbot-renew: make nginx ocsp-cache dir optional 2022-08-28 15:46:33 -04:00
Daniel Micay
89064482ed update pacman mirrorlist 2022-08-28 15:03:00 -04:00
Daniel Micay
fd397326ec add chown to certbot syscall allowlist 2022-08-28 14:58:21 -04:00
Daniel Micay
8482ac5144 give certbot access to /etc/nginx/ocsp-cache 2022-08-27 17:22:23 -04:00
Daniel Micay
2cf0966847 properly override ExecStart 2022-08-27 17:19:42 -04:00
Daniel Micay
256c3652cc disable unused binfmt_misc 2022-08-14 13:46:00 -04:00
Daniel Micay
f829e05134 raise discuss.grapheneos.org to 500M bandwidth cap 2022-08-11 11:44:22 -04:00
Daniel Micay
2a33c3b962 initial certbot-renew service hardening
This doesn't switch to using a dedicated certbot user yet since the
hooks used across the services will all still need to work.
2022-08-10 11:32:48 -04:00
Daniel Micay
5bbaecfce9 disable redundant random sleep for certbot renewal 2022-08-10 11:28:18 -04:00
Daniel Micay
07dca7919d reorder network allowlists for consistency 2022-08-10 11:13:31 -04:00
Daniel Micay
afce4f2a51 limit nginx service capabilities
Running nginx as non-root would be possible via CAP_NET_BIND_SERVICE as
an ambient capability but it would be inherited by workers. It's better
to leave the supervisor process as root for the time being unless nginx
was taught to use socket activation or drop capabilities for workers.
2022-08-10 11:12:20 -04:00