Compare commits
9 Commits
471a0d6ccc
...
cd3849d355
Author | SHA1 | Date |
---|---|---|
Tommy | cd3849d355 | |
Daniel Micay | ee62868a7b | |
Daniel Micay | 965bc4f951 | |
Daniel Micay | 5ba6cbd3d1 | |
Daniel Micay | d369f159a9 | |
Daniel Micay | 9f99e9c3a5 | |
Tommy | eeaaf12886 | |
Tommy | 4a985cbe29 | |
Tommy | 1bc32489f1 |
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name grapheneos.network \
|
||||
-d grapheneos.network \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name grapheneos.org \
|
||||
-d grapheneos.org \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name releases.grapheneos.org \
|
||||
-d releases.grapheneos.org \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name attestation.app \
|
||||
-d attestation.app \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name discuss.grapheneos.org \
|
||||
-d discuss.grapheneos.org
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name grapheneos.social \
|
||||
-d grapheneos.social \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name matrix.grapheneos.org \
|
||||
-d matrix.grapheneos.org \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name mta-sts.mail.grapheneos.org \
|
||||
-d mail.grapheneos.org \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name staging.attestation.app \
|
||||
-d staging.attestation.app
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
|
||||
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name staging.grapheneos.org \
|
||||
-d staging.grapheneos.org
|
||||
|
|
|
@ -47,16 +47,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -47,16 +47,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -59,16 +59,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -47,16 +47,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -56,17 +56,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
|
||||
iif lo accept
|
||||
udp dport 123 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -49,17 +49,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
||||
iif lo accept
|
||||
udp dport 53 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -61,17 +61,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
||||
iif lo accept
|
||||
udp dport 53 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -47,16 +47,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -57,16 +57,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -14,6 +14,7 @@ moreutils
|
|||
mtr
|
||||
nftables
|
||||
nginx
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -15,6 +15,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -18,6 +18,7 @@ moreutils
|
|||
mtr
|
||||
nftables
|
||||
nginx
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -15,6 +15,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -13,6 +13,7 @@ moreutils
|
|||
mtr
|
||||
nftables
|
||||
nginx
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -17,6 +17,7 @@ moreutils
|
|||
mtr
|
||||
nftables
|
||||
nginx
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -13,6 +13,7 @@ moreutils
|
|||
mtr
|
||||
nftables
|
||||
nginx
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -17,6 +17,7 @@ moreutils
|
|||
mtr
|
||||
nftables
|
||||
nginx
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -13,6 +13,7 @@ moreutils
|
|||
mtr
|
||||
nftables
|
||||
nginx
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -14,6 +14,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -17,6 +17,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -41,6 +41,5 @@ sysstat
|
|||
tree
|
||||
unbound
|
||||
vim
|
||||
whois
|
||||
xfsprogs
|
||||
zopfli
|
||||
|
|
|
@ -17,6 +17,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
nodejs-lts-iron
|
||||
openssh
|
||||
pacman-contrib
|
||||
|
|
|
@ -16,6 +16,7 @@ moreutils
|
|||
mtr
|
||||
nftables
|
||||
nginx
|
||||
nmap
|
||||
opendkim
|
||||
opendmarc
|
||||
openssh
|
||||
|
|
|
@ -21,6 +21,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
nodejs-lts-iron
|
||||
openssh
|
||||
pacman-contrib
|
||||
|
|
|
@ -18,6 +18,7 @@ moreutils
|
|||
mtr
|
||||
nftables
|
||||
nginx
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -18,6 +18,7 @@ moreutils
|
|||
mtr
|
||||
nftables
|
||||
nginx
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -17,6 +17,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
|
@ -15,6 +15,7 @@ mtr
|
|||
nftables
|
||||
nginx
|
||||
nginx-mod-brotli
|
||||
nmap
|
||||
openssh
|
||||
pacman-contrib
|
||||
pacutils
|
||||
|
|
Loading…
Reference in New Issue