mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2025-11-19 22:42:24 -05:00
8697cf2a2d
Since we're no longer storing nginx logs in journald, we no longer need to use journald configuration to control nginx log rotation/retention. We switched from nginx to dnsdist for the authoritative DNS servers and are therefore no longer logging any of the queries persistently since we can rely on the PowerDNS and dnsdist in-memory buffers and stats. We can use nginx-specific logrotate configuration on a per-server basis based on balancing the usefulness of access logs with storage space and getting rid of slightly sensitive data faster (mainly IP addresses).
386 lines
11 KiB
Bash
386 lines
11 KiB
Bash
declare -Ar hosts_hostname=(
|
|
[ns1.staging.grapheneos.org]=ns1-staging
|
|
[0.ns1.grapheneos.org]=0-ns1
|
|
[1.ns1.grapheneos.org]=1-ns1
|
|
[2.ns1.grapheneos.org]=2-ns1
|
|
[3.ns1.grapheneos.org]=3-ns1
|
|
[0.ns2.grapheneos.org]=0-ns2
|
|
[1.ns2.grapheneos.org]=1-ns2
|
|
[2.ns2.grapheneos.org]=2-ns2
|
|
[mail.grapheneos.org]=mail
|
|
[staging.grapheneos.org]=staging
|
|
[0.grapheneos.org]=0-grapheneos
|
|
[1.grapheneos.org]=1-grapheneos
|
|
[2.grapheneos.org]=2-grapheneos
|
|
[3.grapheneos.org]=3-grapheneos
|
|
[0.grapheneos.network]=0-network
|
|
[1.grapheneos.network]=1-network
|
|
[2.grapheneos.network]=2-network
|
|
[3.grapheneos.network]=3-network
|
|
[0.releases.grapheneos.org]=0-releases
|
|
[1.releases.grapheneos.org]=1-releases
|
|
[2.releases.grapheneos.org]=2-releases
|
|
[3.releases.grapheneos.org]=3-releases
|
|
[staging.attestation.app]=staging-attestation
|
|
[attestation.app]=attestation
|
|
[matrix.grapheneos.org]=matrix
|
|
[discuss.grapheneos.org]=discuss
|
|
[grapheneos.social]=social
|
|
)
|
|
|
|
declare -Ar hosts_uefi=(
|
|
[0.releases.grapheneos.org]=true
|
|
[1.releases.grapheneos.org]=true
|
|
[2.releases.grapheneos.org]=true
|
|
[3.releases.grapheneos.org]=true
|
|
)
|
|
|
|
declare -Ar hosts_metal=(
|
|
[0.releases.grapheneos.org]=true
|
|
[1.releases.grapheneos.org]=true
|
|
[2.releases.grapheneos.org]=true
|
|
[3.releases.grapheneos.org]=true
|
|
)
|
|
|
|
declare -Ar hosts_hardware_watchdog=(
|
|
[0.releases.grapheneos.org]=true
|
|
[1.releases.grapheneos.org]=true
|
|
[2.releases.grapheneos.org]=true
|
|
[3.releases.grapheneos.org]=true
|
|
)
|
|
|
|
declare -Ar hosts_authorized_keys=(
|
|
[1.ns1.grapheneos.org]=authorized_keys-replica-ns1
|
|
[2.ns1.grapheneos.org]=authorized_keys-replica-ns1
|
|
[3.ns1.grapheneos.org]=authorized_keys-replica-ns1
|
|
[1.ns2.grapheneos.org]=authorized_keys-replica-ns2
|
|
[2.ns2.grapheneos.org]=authorized_keys-replica-ns2
|
|
[1.grapheneos.org]=authorized_keys-replica-grapheneos
|
|
[2.grapheneos.org]=authorized_keys-replica-grapheneos
|
|
[3.grapheneos.org]=authorized_keys-replica-grapheneos
|
|
[0.grapheneos.network]=authorized_keys-replica-grapheneos
|
|
[1.grapheneos.network]=authorized_keys-replica-grapheneos
|
|
[2.grapheneos.network]=authorized_keys-replica-grapheneos
|
|
[3.grapheneos.network]=authorized_keys-replica-grapheneos
|
|
[1.releases.grapheneos.org]=authorized_keys-replica-releases
|
|
[2.releases.grapheneos.org]=authorized_keys-replica-releases
|
|
[3.releases.grapheneos.org]=authorized_keys-replica-releases
|
|
[staging.attestation.app]=authorized_keys-staging-attestation
|
|
)
|
|
|
|
declare -Ar hosts_firewall=(
|
|
[ns1.staging.grapheneos.org]=ns1
|
|
[0.ns1.grapheneos.org]=ns1
|
|
[1.ns1.grapheneos.org]=ns1
|
|
[2.ns1.grapheneos.org]=ns1
|
|
[3.ns1.grapheneos.org]=ns1
|
|
[0.ns2.grapheneos.org]=ns2
|
|
[1.ns2.grapheneos.org]=ns2
|
|
[2.ns2.grapheneos.org]=ns2
|
|
[mail.grapheneos.org]=mail
|
|
[staging.grapheneos.org]=network-fq
|
|
[0.grapheneos.org]=network
|
|
[1.grapheneos.org]=network-fq
|
|
[2.grapheneos.org]=network
|
|
[3.grapheneos.org]=network
|
|
[0.grapheneos.network]=network
|
|
[1.grapheneos.network]=network-fq
|
|
[2.grapheneos.network]=network
|
|
[3.grapheneos.network]=network
|
|
[0.releases.grapheneos.org]=web-fq
|
|
[1.releases.grapheneos.org]=web-fq
|
|
[2.releases.grapheneos.org]=web-fq
|
|
[3.releases.grapheneos.org]=web-fq
|
|
[staging.attestation.app]=attestation-fq
|
|
[attestation.app]=attestation
|
|
[matrix.grapheneos.org]=matrix
|
|
[discuss.grapheneos.org]=discuss
|
|
[grapheneos.social]=social
|
|
)
|
|
|
|
declare -Ar hosts_swap=(
|
|
[0.releases.grapheneos.org]=32768
|
|
[1.releases.grapheneos.org]=32768
|
|
[2.releases.grapheneos.org]=32768
|
|
[3.releases.grapheneos.org]=32768
|
|
[attestation.app]=4096
|
|
[matrix.grapheneos.org]=8192
|
|
[discuss.grapheneos.org]=4096
|
|
[grapheneos.social]=4096
|
|
)
|
|
|
|
declare -Ar hosts_agcount=(
|
|
[0.releases.grapheneos.org]=24
|
|
[1.releases.grapheneos.org]=24
|
|
[2.releases.grapheneos.org]=32
|
|
[3.releases.grapheneos.org]=32
|
|
)
|
|
|
|
declare -Ar hosts_reserved_ports=(
|
|
[0.grapheneos.network]=7275
|
|
[1.grapheneos.network]=7275
|
|
[2.grapheneos.network]=7275
|
|
[3.grapheneos.network]=7275
|
|
[staging.attestation.app]=8080
|
|
[attestation.app]=8080
|
|
)
|
|
|
|
declare -Ar hosts_tcp_wmem_max=(
|
|
[0.releases.grapheneos.org]=33554432
|
|
[1.releases.grapheneos.org]=33554432
|
|
[2.releases.grapheneos.org]=33554432
|
|
[3.releases.grapheneos.org]=33554432
|
|
[matrix.grapheneos.org]=16777216
|
|
)
|
|
|
|
declare -Ar hosts_tcp_fastopen=(
|
|
[ns1.staging.grapheneos.org]=false
|
|
[0.ns2.grapheneos.org]=false
|
|
[1.ns2.grapheneos.org]=false
|
|
[2.ns2.grapheneos.org]=false
|
|
[staging.grapheneos.org]=false
|
|
[1.grapheneos.org]=false
|
|
[1.grapheneos.network]=false
|
|
[staging.attestation.app]=false
|
|
)
|
|
|
|
declare -Ar hosts_conntrack_size=(
|
|
[ns1.staging.grapheneos.org]=65536
|
|
[0.ns1.grapheneos.org]=131072
|
|
[1.ns1.grapheneos.org]=131072
|
|
[2.ns1.grapheneos.org]=131072
|
|
[3.ns1.grapheneos.org]=131072
|
|
[0.ns2.grapheneos.org]=65536
|
|
[1.ns2.grapheneos.org]=65536
|
|
[2.ns2.grapheneos.org]=65536
|
|
[mail.grapheneos.org]=131072
|
|
[staging.grapheneos.org]=65536
|
|
[0.grapheneos.org]=131072
|
|
[1.grapheneos.org]=65536
|
|
[2.grapheneos.org]=131072
|
|
[3.grapheneos.org]=131072
|
|
[0.grapheneos.network]=131072
|
|
[1.grapheneos.network]=65536
|
|
[2.grapheneos.network]=131072
|
|
[3.grapheneos.network]=131072
|
|
[0.releases.grapheneos.org]=12582912
|
|
[1.releases.grapheneos.org]=12582912
|
|
[2.releases.grapheneos.org]=8388608
|
|
[3.releases.grapheneos.org]=8388608
|
|
[staging.attestation.app]=65536
|
|
[attestation.app]=131072
|
|
[matrix.grapheneos.org]=131072
|
|
[discuss.grapheneos.org]=131072
|
|
[grapheneos.social]=131072
|
|
)
|
|
|
|
declare -Ar hosts_ssh_users=(
|
|
[staging.attestation.app]="root attestation"
|
|
[attestation.app]="root attestation"
|
|
[discuss.grapheneos.org]="root flarum-admin"
|
|
)
|
|
|
|
declare -Ar hosts_journald_system_max_use=(
|
|
[0.grapheneos.org]=16G
|
|
[1.grapheneos.org]=16G
|
|
[2.grapheneos.org]=16G
|
|
[3.grapheneos.org]=16G
|
|
[0.grapheneos.network]=24G
|
|
[1.grapheneos.network]=16G
|
|
[2.grapheneos.network]=24G
|
|
[3.grapheneos.network]=24G
|
|
[0.releases.grapheneos.org]=64G
|
|
[1.releases.grapheneos.org]=64G
|
|
[2.releases.grapheneos.org]=64G
|
|
[3.releases.grapheneos.org]=64G
|
|
)
|
|
|
|
declare -Ar hosts_journald_system_max_file_size=(
|
|
[0.grapheneos.org]=512M
|
|
[1.grapheneos.org]=512M
|
|
[2.grapheneos.org]=1G
|
|
[3.grapheneos.org]=512M
|
|
[0.grapheneos.network]=4G
|
|
[1.grapheneos.network]=4G
|
|
[2.grapheneos.network]=4G
|
|
[3.grapheneos.network]=2G
|
|
[0.releases.grapheneos.org]=4G
|
|
[1.releases.grapheneos.org]=4G
|
|
[2.releases.grapheneos.org]=4G
|
|
[3.releases.grapheneos.org]=4G
|
|
[matrix.grapheneos.org]=1G
|
|
[discuss.grapheneos.org]=1G
|
|
[grapheneos.social]=1G
|
|
)
|
|
|
|
declare -Ar hosts_ipv4_address=(
|
|
[ns1.staging.grapheneos.org]=198.98.56.238
|
|
[0.ns1.grapheneos.org]=51.161.34.158
|
|
[1.ns1.grapheneos.org]=15.204.8.153
|
|
[2.ns1.grapheneos.org]=57.129.65.223
|
|
[3.ns1.grapheneos.org]=15.235.197.61
|
|
[0.ns2.grapheneos.org]=198.98.53.141
|
|
[1.ns2.grapheneos.org]=205.185.124.155
|
|
[2.ns2.grapheneos.org]=107.189.3.168
|
|
[mail.grapheneos.org]=192.99.98.22
|
|
[staging.grapheneos.org]=199.195.250.78
|
|
[0.grapheneos.org]=51.222.156.101
|
|
[1.grapheneos.org]=209.141.35.164
|
|
[2.grapheneos.org]=54.37.41.188
|
|
[3.grapheneos.org]=51.79.160.50
|
|
[0.grapheneos.network]=51.222.159.116
|
|
[1.grapheneos.network]=209.141.37.35
|
|
[2.grapheneos.network]=54.37.41.189
|
|
[3.grapheneos.network]=51.79.161.36
|
|
[0.releases.grapheneos.org]=172.96.172.37
|
|
[1.releases.grapheneos.org]=104.194.8.203
|
|
[2.releases.grapheneos.org]=185.225.24.20
|
|
[3.releases.grapheneos.org]=45.88.230.12
|
|
[staging.attestation.app]=198.98.57.157
|
|
[attestation.app]=51.79.66.27
|
|
[matrix.grapheneos.org]=51.79.51.42
|
|
[discuss.grapheneos.org]=51.79.52.38
|
|
[grapheneos.social]=51.222.159.14
|
|
)
|
|
|
|
declare -Ar hosts_ipv6_address=(
|
|
[ns1.staging.grapheneos.org]=2605:6400:10:c41:de92:c534:326a:711a
|
|
[0.ns1.grapheneos.org]=2607:5300:205:200::eaa
|
|
[1.ns1.grapheneos.org]=2604:2dc0:202:300::23a6
|
|
[2.ns1.grapheneos.org]=2001:41d0:701:1100::245b
|
|
[3.ns1.grapheneos.org]=2402:1f00:8000:800::3966
|
|
[0.ns2.grapheneos.org]=2605:6400:10:102e:95bc:89ef:2e7f:49bb
|
|
[1.ns2.grapheneos.org]=2605:6400:20:1c8f:a0c9:372d:482e:945b
|
|
[2.ns2.grapheneos.org]=2605:6400:30:ec25:102c:af6d:5be:1eb8
|
|
[mail.grapheneos.org]=2607:5300:205:200::472f
|
|
[staging.grapheneos.org]=2605:6400:10:9d6:6d84:e183:acda:16d7
|
|
[0.grapheneos.org]=2607:5300:205:200::29c6
|
|
[1.grapheneos.org]=2605:6400:20:1131:8088:e08:84e6:632
|
|
[2.grapheneos.org]=2001:41d0:304:200::902f
|
|
[3.grapheneos.org]=2402:1f00:8000:800::16d6
|
|
[0.grapheneos.network]=2607:5300:205:200::2584
|
|
[1.grapheneos.network]=2605:6400:20:387:72d4:dab9:a369:f351
|
|
[2.grapheneos.network]=2001:41d0:304:200::b109
|
|
[3.grapheneos.network]=2402:1f00:8000:800::1949
|
|
[0.releases.grapheneos.org]=2605:9880:400:1100:15:1240:515:6e
|
|
[1.releases.grapheneos.org]=2605:9880:200:20::113
|
|
[2.releases.grapheneos.org]=2a14:3f87:6920:250::100
|
|
[staging.attestation.app]=2605:6400:10:aa9:1c0f:44d3:da15:c0ec
|
|
[attestation.app]=2607:5300:205:200::7e9
|
|
[matrix.grapheneos.org]=2607:5300:205:200::26e1
|
|
[discuss.grapheneos.org]=2607:5300:205:200::3c4
|
|
[grapheneos.social]=2607:5300:205:200::5e3f
|
|
)
|
|
|
|
readonly hosts_ns1=(
|
|
{0..3}.ns1.grapheneos.org
|
|
)
|
|
|
|
readonly hosts_ns2=(
|
|
{0..2}.ns2.grapheneos.org
|
|
)
|
|
|
|
readonly hosts_dns=(
|
|
ns1.staging.grapheneos.org
|
|
"${hosts_ns1[@]}"
|
|
"${hosts_ns2[@]}"
|
|
)
|
|
|
|
readonly hosts_staging=(
|
|
ns1.staging.grapheneos.org
|
|
staging.grapheneos.org
|
|
staging.attestation.app
|
|
)
|
|
|
|
readonly hosts_certbot=(
|
|
ns1.staging.grapheneos.org
|
|
0.ns1.grapheneos.org
|
|
0.ns2.grapheneos.org
|
|
mail.grapheneos.org
|
|
staging.grapheneos.org
|
|
0.grapheneos.org
|
|
0.releases.grapheneos.org
|
|
staging.attestation.app
|
|
attestation.app
|
|
matrix.grapheneos.org
|
|
discuss.grapheneos.org
|
|
grapheneos.social
|
|
)
|
|
|
|
readonly hosts_primary=(
|
|
0.ns1.grapheneos.org
|
|
0.ns2.grapheneos.org
|
|
0.grapheneos.org
|
|
0.releases.grapheneos.org
|
|
)
|
|
|
|
readonly hosts_secondary=(
|
|
{1..3}.ns1.grapheneos.org
|
|
{1..2}.ns2.grapheneos.org
|
|
{1..3}.grapheneos.org
|
|
{0..3}.grapheneos.network
|
|
{1..3}.releases.grapheneos.org
|
|
)
|
|
|
|
readonly hosts_backup=(
|
|
mail.grapheneos.org
|
|
staging.attestation.app
|
|
attestation.app
|
|
matrix.grapheneos.org
|
|
discuss.grapheneos.org
|
|
grapheneos.social
|
|
)
|
|
|
|
readonly hosts_grapheneos=(
|
|
{0..3}.grapheneos.org
|
|
{0..3}.grapheneos.network
|
|
)
|
|
|
|
readonly hosts_grapheneos_all=(
|
|
staging.grapheneos.org
|
|
"${hosts_grapheneos[@]}"
|
|
)
|
|
|
|
readonly hosts_releases=(
|
|
{0..3}.releases.grapheneos.org
|
|
)
|
|
|
|
readonly hosts_attestation=(
|
|
staging.attestation.app
|
|
attestation.app
|
|
)
|
|
|
|
readonly hosts_web=(
|
|
"${hosts_dns[@]}"
|
|
mail.grapheneos.org
|
|
"${hosts_grapheneos_all[@]}"
|
|
"${hosts_releases[@]}"
|
|
"${hosts_attestation[@]}"
|
|
matrix.grapheneos.org
|
|
discuss.grapheneos.org
|
|
grapheneos.social
|
|
)
|
|
|
|
readonly hosts_all=(
|
|
"${hosts_web[@]}"
|
|
)
|
|
|
|
readonly hosts_buyvm=(
|
|
ns1.staging.grapheneos.org
|
|
{0..2}.ns2.grapheneos.org
|
|
staging.grapheneos.org
|
|
1.grapheneos.org
|
|
1.grapheneos.network
|
|
staging.attestation.app
|
|
)
|
|
|
|
readonly hosts_ovh=(
|
|
{0..3}.ns1.grapheneos.org
|
|
mail.grapheneos.org
|
|
{0,2,3}.grapheneos.org
|
|
{0,2,3}.grapheneos.network
|
|
attestation.app
|
|
matrix.grapheneos.org
|
|
discuss.grapheneos.org
|
|
grapheneos.social
|
|
)
|