add grapheneos.foundation domain

reorder configuration
increase max TCP send buffer size for matrix server
2024-04-13 19:18:03 -04:00 · 2024-04-13 18:20:14 -04:00 · 2024-04-13 18:20:12 -04:00 · 2024-04-13 14:27:31 -04:00 · 2024-04-13 14:17:23 -04:00 · 2024-04-13 13:52:08 -04:00
7 changed files with 29 additions and 12 deletions
--- a/certbot/0.grapheneos.org
+++ b/certbot/0.grapheneos.org
@ -12,6 +12,8 @@ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
    -d www.grapheneos.com \
    -d grapheneos.dev \
    -d www.grapheneos.dev \
+    -d grapheneos.foundation \
+    -d www.grapheneos.foundation \
    -d grapheneos.info \
    -d www.grapheneos.info \
    -d grapheneos.net \
--- a/certbot/0.ns2.grapheneos.org
+++ b/certbot/0.ns2.grapheneos.org
@ -8,6 +8,7 @@ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
    -d ns2.grapheneos.ca \
    -d ns2.grapheneos.com \
    -d ns2.grapheneos.dev \
+    -d ns2.grapheneos.foundation \
    -d ns2.grapheneos.info \
    -d ns2.grapheneos.net \
    -d ns2.grapheneos.network \
--- a/certbot/mta-sts.mail.grapheneos.org
+++ b/certbot/mta-sts.mail.grapheneos.org
@ -10,6 +10,7 @@ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
    -d mta-sts.grapheneos.ca \
    -d mta-sts.grapheneos.com \
    -d mta-sts.grapheneos.dev \
+    -d mta-sts.grapheneos.foundation \
    -d mta-sts.grapheneos.info \
    -d mta-sts.grapheneos.net \
    -d mta-sts.grapheneos.network \
--- a/certbot/ns1.grapheneos.org
+++ b/certbot/ns1.grapheneos.org
@ -8,6 +8,7 @@ certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
    -d ns1.grapheneos.ca \
    -d ns1.grapheneos.com \
    -d ns1.grapheneos.dev \
+    -d ns1.grapheneos.foundation \
    -d ns1.grapheneos.info \
    -d ns1.grapheneos.net \
    -d ns1.grapheneos.network \
--- a/hosts.sh
+++ b/hosts.sh
@ -1,11 +1,23 @@
 declare -Ar hosts_reserved_ports=(
-    [staging.attestation.app]=8080
-    [attestation.app]=8080
-    [matrix.grapheneos.org]=8008
    [0.grapheneos.network]=7275
    [1.grapheneos.network]=7275
    [2.grapheneos.network]=7275
    [3.grapheneos.network]=7275
+    [staging.attestation.app]=8080
+    [attestation.app]=8080
+    [matrix.grapheneos.org]=8008
+)
+
+declare -Ar hosts_tcp_wmem_max=(
+    [0.releases.grapheneos.org]=16777216
+    [1.releases.grapheneos.org]=16777216
+    [2.releases.grapheneos.org]=16777216
+    [3.releases.grapheneos.org]=16777216
+    [4.releases.grapheneos.org]=16777216
+    [5.releases.grapheneos.org]=16777216
+    [6.releases.grapheneos.org]=16777216
+    [7.releases.grapheneos.org]=16777216
+    [matrix.grapheneos.org]=16777216
 )

 declare -Ar hosts_ssh_users=(
@ -85,11 +97,11 @@ declare -Ar hosts_ipv4_address=(
    [5.releases.grapheneos.org]=141.94.71.72
    [6.releases.grapheneos.org]=135.125.183.155
    [7.releases.grapheneos.org]=141.95.0.242
+    [staging.attestation.app]=198.98.57.157
+    [attestation.app]=51.79.66.27
    [matrix.grapheneos.org]=51.79.51.42
    [discuss.grapheneos.org]=51.79.52.38
    [grapheneos.social]=51.222.30.159
-    [staging.attestation.app]=198.98.57.157
-    [attestation.app]=51.79.66.27
 )

 declare -Ar hosts_ipv6_address=(
@ -116,11 +128,11 @@ declare -Ar hosts_ipv6_address=(
    [5.releases.grapheneos.org]=2001:41d0:304:200::a687
    [6.releases.grapheneos.org]=2001:41d0:701:1100::2ec9
    [7.releases.grapheneos.org]=2001:41d0:701:1100::3e56
+    [staging.attestation.app]=2605:6400:10:aa9:1c0f:44d3:da15:c0ec
+    [attestation.app]=2607:5300:205:200::7e9
    [matrix.grapheneos.org]=2607:5300:205:200::26e1
    [discuss.grapheneos.org]=2607:5300:205:200::3c4
    [grapheneos.social]=2607:5300:205:200::2706
-    [staging.attestation.app]=2605:6400:10:aa9:1c0f:44d3:da15:c0ec
-    [attestation.app]=2607:5300:205:200::7e9
 )

 readonly hosts_dns=(
@ -144,11 +156,11 @@ readonly hosts_certbot=(
    0.grapheneos.org
    0.grapheneos.network
    0.releases.grapheneos.org
+    staging.attestation.app
+    attestation.app
    matrix.grapheneos.org
    discuss.grapheneos.org
    grapheneos.social
-    staging.attestation.app
-    attestation.app
 )

 readonly hosts_grapheneos=(
@ -179,10 +191,10 @@ readonly hosts_web=(
    "${hosts_grapheneos_all[@]}"
    "${hosts_network[@]}"
    "${hosts_releases[@]}"
+    "${hosts_attestation[@]}"
    matrix.grapheneos.org
    discuss.grapheneos.org
    grapheneos.social
-    "${hosts_attestation[@]}"
 )

 readonly hosts_all=(
@ -204,8 +216,8 @@ readonly hosts_ovh=(
    {0,2,3}.grapheneos.org
    {0,2,3}.grapheneos.network
    {0..7}.releases.grapheneos.org
+    attestation.app
    matrix.grapheneos.org
    discuss.grapheneos.org
    grapheneos.social
-    attestation.app
 )
--- a/sysctl.d/local-reserved-ports.conf
+++ b/sysctl.d/local-reserved-ports.conf
@ -1 +0,0 @@
-net.ipv4.ip_local_reserved_ports = {{local_reserved_ports}}
--- a/sysctl.d/local.conf
+++ b/sysctl.d/local.conf
@ -10,6 +10,7 @@ net.ipv4.conf.*.rp_filter = 0

 net.ipv4.tcp_ecn = 1
 net.ipv4.tcp_slow_start_after_idle = 0
+net.ipv4.tcp_shrink_window = 1
 net.ipv4.tcp_notsent_lowat = 131072
 net.ipv4.tcp_fin_timeout = 30
 net.ipv4.tcp_rfc1337 = 1
Author	SHA1	Message	Date
Daniel Micay	8278883a84	add grapheneos.foundation domain	2024-04-13 19:18:03 -04:00
Daniel Micay	8a4e4f334f	reorder configuration	2024-04-13 18:20:14 -04:00
Daniel Micay	56f169cbba	increase max TCP send buffer size for matrix server	2024-04-13 18:20:12 -04:00
Daniel Micay	35e776f867	increase max TCP send buffer size for update servers	2024-04-13 14:27:31 -04:00
Daniel Micay	711e432a67	remove unnecessary local-reserved-ports.conf template	2024-04-13 14:17:23 -04:00
Daniel Micay	f9bce64060	enable TCP window shrinking The default is a potential denial of service issue via TCP memory exhaustion.	2024-04-13 13:52:08 -04:00
				`@ -1 +0,0 @@`
				`net.ipv4.ip_local_reserved_ports = {{local_reserved_ports}}`