

9 Commits

Author SHA1 Message Date
Tommy cd3849d355
Merge eeaaf12886 into ee62868a7b 2024-04-23 10:53:17 +02:00
Daniel Micay ee62868a7b nftables: use standard order for verdict map 2024-04-23 03:30:15 -04:00
Daniel Micay 965bc4f951 nftables: add invalid case to ct state vmap
This might as well be dropped by the verdict map instead of falling
through to the default drop policy.
2024-04-23 02:38:40 -04:00
Daniel Micay 5ba6cbd3d1 nftables: simplify rules via untracked state 2024-04-23 02:34:17 -04:00
Daniel Micay d369f159a9 add nmap package across servers mainly for nping
It's extremely useful to have this around for debugging network issues,
testing firewall rules and other purposes. It's not particularly useful
having nmap itself, but nping and to a lesser extent ncat are great to
have available.
2024-04-22 10:43:11 -04:00
Daniel Micay 9f99e9c3a5 drop whois package from discuss.grapheneos.org
There's no particular reason to have this on the servers since it can be
done locally.
2024-04-22 10:38:28 -04:00
Tommy eeaaf12886
Typo fix 2023-09-07 19:57:24 -07:00
Tommy 4a985cbe29
Typo fix 2023-09-07 19:56:43 -07:00
Tommy 1bc32489f1
Use curve secp384r1 2023-09-07 19:51:41 -07:00
47 changed files with 55 additions and 50 deletions


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name grapheneos.network \
-d grapheneos.network \
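Review bot: The `--elliptic-curve secp384r1` added on the new line (L39) only takes effect when certbot generates a new private key, and the same command still passes `--reuse-key`, so on renewal the existing key (most likely P-256, certbot's default curve) is carried forward and the certificate stays on the old curve. If the curve change is meant to apply to certificates that already exist, the key has to be rotated once, e.g. a single run with `--new-key` on a certbot version that supports it, after which `--reuse-key` keeps the P-384 key. The nine other certbot sections below (grapheneos.org through staging.grapheneos.org) have the same issue. The certbot command continues past the hunk, as the trailing `\` on the last shown line indicates.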


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name grapheneos.org \
-d grapheneos.org \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name releases.grapheneos.org \
-d releases.grapheneos.org \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name attestation.app \
-d attestation.app \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name discuss.grapheneos.org \
-d discuss.grapheneos.org


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name grapheneos.social \
-d grapheneos.social \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name matrix.grapheneos.org \
-d matrix.grapheneos.org \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name mta-sts.mail.grapheneos.org \
-d mail.grapheneos.org \


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name staging.attestation.app \
-d staging.attestation.app


@ -1,5 +1,5 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" --elliptic-curve secp384r1 \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name staging.grapheneos.org \
-d staging.grapheneos.org


@ -47,16 +47,14 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
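Review bot: The new `input` vmap (L142) accepts `untracked` unconditionally in a chain whose policy is drop, while the only documented source of untracked packets, the synproxy comment at L146, concerns TCP on the service ports, which L138 already diverts to `input-tcp-service` before this vmap is evaluated. Any other packet marked notrack elsewhere in the ruleset (not visible in this hunk) is therefore accepted here regardless of protocol or port; if that is intended, a short comment above L142 stating which rule marks traffic notrack and why accepting all of it is safe would record the assumption for the next reader. Style: `untracked: accept` omits the space before the colon that every other entry in the map uses. The hunk header announces 16/14 lines but fewer are shown, so the rest of the hunk, including whatever "simplify rules via untracked state" removed, is outside this view. The same vmap line appears in the nine other nftables sections below.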


@ -47,16 +47,14 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset


@ -59,16 +59,14 @@ table inet filter {
policy drop
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset


@ -47,16 +47,14 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset


@ -56,17 +56,14 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
iif lo accept
udp dport 123 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset


@ -49,17 +49,14 @@ table inet filter {
policy drop
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
iif lo accept
udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset


@ -61,17 +61,14 @@ table inet filter {
policy drop
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
iif lo accept
udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset


@ -47,16 +47,14 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset


@ -57,16 +57,14 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
iif lo accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : drop, established : accept, related : accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset


@ -14,6 +14,7 @@ moreutils
mtr
nftables
nginx
nmap
openssh
pacman-contrib
pacutils
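Review bot: The reason for adding `nmap` (wanting nping and ncat rather than nmap itself, per the commit message) lives only in the commit, and these package lists carry no comment syntax, so consider recording it in a README or a separate debugging-tools list so that a later audit of installed packages on production hosts sees it as deliberate. Since the package brings ncat along as well, confirm that a general-purpose listen/connect utility is wanted on every host rather than only where network debugging is done. The same one-line addition appears in each of the other package-list sections below.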


@ -15,6 +15,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -18,6 +18,7 @@ moreutils
mtr
nftables
nginx
nmap
openssh
pacman-contrib
pacutils


@ -15,6 +15,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -13,6 +13,7 @@ moreutils
mtr
nftables
nginx
nmap
openssh
pacman-contrib
pacutils


@ -14,6 +14,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -17,6 +17,7 @@ moreutils
mtr
nftables
nginx
nmap
openssh
pacman-contrib
pacutils


@ -14,6 +14,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -13,6 +13,7 @@ moreutils
mtr
nftables
nginx
nmap
openssh
pacman-contrib
pacutils


@ -14,6 +14,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -17,6 +17,7 @@ moreutils
mtr
nftables
nginx
nmap
openssh
pacman-contrib
pacutils


@ -14,6 +14,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -13,6 +13,7 @@ moreutils
mtr
nftables
nginx
nmap
openssh
pacman-contrib
pacutils


@ -14,6 +14,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -14,6 +14,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -14,6 +14,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -14,6 +14,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -14,6 +14,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -14,6 +14,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -17,6 +17,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -41,6 +41,5 @@ sysstat
tree
unbound
vim
whois
xfsprogs
zopfli


@ -17,6 +17,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
nodejs-lts-iron
openssh
pacman-contrib


@ -16,6 +16,7 @@ moreutils
mtr
nftables
nginx
nmap
opendkim
opendmarc
openssh


@ -21,6 +21,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
nodejs-lts-iron
openssh
pacman-contrib


@ -18,6 +18,7 @@ moreutils
mtr
nftables
nginx
nmap
openssh
pacman-contrib
pacutils


@ -18,6 +18,7 @@ moreutils
mtr
nftables
nginx
nmap
openssh
pacman-contrib
pacutils


@ -17,6 +17,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils


@ -15,6 +15,7 @@ mtr
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils