Daniel Micay 35ca9a2a19 allow server TCP Fast Open and rotate the keys
This needs to be configured by specific services to have any effect. For
now, we're only enabling it for the PowerDNS Authoritative Server and
dnsdist since it's recommended by RFC 9210 and actively used by various
recursive resolver servers when falling back to TCP. TCP Fast Open is
rarely used from end user devices due to it enabling tracking and having
issues with middleboxes. We aren't going to start using it anywhere in
GrapheneOS but may have more server-side uses for it. This functionality
is built into QUIC without the same downsides but QUIC support in the
software we use is not ready for us to enable it, especially the very
primitive support in nginx.

For most servers, a new random TCP Fast Open key is created on a daily
basis and the previous key continues to be accepted. For DNS servers,
the new key is generated via a keyed hash of the current date in order
to keep it consistent across servers providing an anycast IP without it
needing regular synchronization.
2025-09-15 21:10:39 -04:00
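The keyed-hash derivation and daily rotation described in the commit message above, as an added Python example that is not the repository's own tcp-fastopen-rotate-keys script. It assumes a shared secret (a constructed placeholder here), HMAC-SHA256 over the ISO date truncated to 128 bits as the keyed hash (the commit does not say which hash the script uses), and the four-word hex format with an optional comma-separated backup key that Linux's net.ipv4.tcp_fastopen_key sysctl accepts.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Constructed example secret. A real deployment would load a long random
# value that only the anycast servers share (hypothetical: read from a file).
SHARED_SECRET = b"constructed-example-secret-not-for-real-use"

# net.ipv4.tcp_fastopen_key takes a 128-bit key as four dash-separated
# 32-bit hex words; newer kernels also accept ",<backup key>" after it.
KEY_WORD_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{8}){3}$")


def derive_tfo_key(secret: bytes, day_iso: str) -> bytes:
    """Deterministic 16-byte key for one calendar day.

    Assumed keyed hash: HMAC-SHA256 over the ISO date, truncated to 128
    bits. Every server holding `secret` derives the same key for the same
    day, so an anycast group needs no key synchronisation.
    """
    day = date.fromisoformat(day_iso)  # rejects malformed dates early
    mac = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()
    return mac[:16]


def random_tfo_key() -> bytes:
    """Fresh random key for servers that are not part of an anycast group."""
    return os.urandom(16)


def format_sysctl_key(key: bytes) -> str:
    """Render 16 key bytes as the dash-separated hex words sysctl expects."""
    if len(key) != 16:
        raise ValueError("TCP Fast Open keys are exactly 16 bytes")
    return "-".join(key[i:i + 4].hex() for i in range(0, 16, 4))


def tfo_sysctl_value(secret: bytes, day_iso: str) -> str:
    """Primary key for `day_iso` plus yesterday's key as the backup.

    Keeping the previous key valid means cookies issued just before the
    daily rotation are still accepted rather than forcing a full handshake.
    """
    today = date.fromisoformat(day_iso)
    yesterday = (today - timedelta(days=1)).isoformat()
    primary = format_sysctl_key(derive_tfo_key(secret, day_iso))
    backup = format_sysctl_key(derive_tfo_key(secret, yesterday))
    return f"{primary},{backup}"


def validate_sysctl_value(value: str) -> bool:
    """Check that a value has one or two well-formed keys before applying it."""
    parts = value.split(",")
    return 1 <= len(parts) <= 2 and all(KEY_WORD_RE.match(p) for p in parts)


def apply_sysctl_value(value: str, path: str = "/proc/sys/net/ipv4/tcp_fastopen_key") -> None:
    """Write the key to the kernel; needs root, so the demo below does not call it."""
    if not validate_sysctl_value(value):
        raise ValueError("refusing to apply malformed key")
    with open(path, "w") as f:
        f.write(value + "\n")


if __name__ == "__main__":
    # Dry run: print what a DNS server in the anycast group would apply today.
    print(tfo_sysctl_value(SHARED_SECRET, date.today().isoformat()))
```

Run daily from a timer, the script only needs the clock and the shared secret to agree across the anycast group; a server that is a day out of sync still accepts the neighbours' cookies through the backup key, and the validation step keeps a malformed value from ever reaching the kernel.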
.github add GitHub funding metadata 2021-07-19 23:02:29 -04:00
boot/loader disable timeout for systemd-boot by default 2025-05-21 21:48:54 -04:00
certbot add --copy-links to certbot dnsdist deployment 2025-08-17 03:03:33 -04:00
etc allow server TCP Fast Open and rotate the keys 2025-09-15 21:10:39 -04:00
guide DSCP debugging replaced with counter on map 2025-09-04 00:53:20 -04:00
home/.config remove obsolete nvim tmpfiles.d configuration 2025-07-23 00:26:41 -04:00
packages allow server TCP Fast Open and rotate the keys 2025-09-15 21:10:39 -04:00
.gitignore sort gitignore 2025-08-29 10:38:33 -04:00
connection-stats clean up stats scripts 2023-07-16 01:25:27 -04:00
count count: add Pixel 9a 2025-07-23 00:26:41 -04:00
create-session-ticket-keys add unified session ticket keys file for dnsdist 2025-05-27 15:40:54 -04:00
deploy-initial expand SSH connection limit allowlist 2025-08-29 10:38:31 -04:00
disconnect add disconnect script 2024-09-25 17:44:13 -04:00
dns-stats dns-stats: show total TCP and UDP queries 2024-03-28 11:38:06 -04:00
fetch-info extend info fetching to sysctl values 2024-07-24 16:58:11 -04:00
for add batch command script 2024-11-17 10:38:51 -05:00
hosts.sh raise journal file size for relevant servers 2025-09-04 23:19:40 -04:00
LICENSE migrate to new tlsserver Let's Encrypt profile 2025-05-08 22:26:43 -04:00
nginx-stats clean up stats scripts 2023-07-16 01:25:27 -04:00
ovh-mitigation rename OVH mitigation script 2023-07-03 18:35:43 -04:00
ovh-mitigation.py drop code for toggling OVH permanent mitigation 2025-08-09 17:41:33 -04:00
README.md Fix readme 2021-12-16 12:43:34 -05:00
reboot improve reboot script confirmation message 2024-12-12 15:27:57 -05:00
requirements.in add OVH mitigation control script 2023-02-22 16:22:47 -05:00
requirements.txt update python dependencies 2025-08-24 09:34:50 -04:00
rotate-session-ticket-keys rotate-session-ticket-keys: improve error handling 2025-08-11 00:00:57 -04:00
setup specify python3 in setup script 2023-07-06 22:12:26 -04:00
tcp-fastopen-rotate-keys allow server TCP Fast Open and rotate the keys 2025-09-15 21:10:39 -04:00

Information about GrapheneOS servers is available in the GrapheneOS servers article on grapheneos.org.