Daniel Micay 9fcac6b105 use DNS connlimit for HTTP/HTTPS on DNS servers
Our DNS servers only have HTTP(S) for obtaining certificates via ACME
with accounturi pinning along with redirecting people who visit the
domain in a browser to our server documentation. We also only permit 1
request for each HTTP(S) connection for these services so connections
are very short lived.

We'll need to do this in a less aggressive way for our web sites and our
services used to transfer significant amounts of data such as the update
servers since not all clients have TCP timestamps and will lose SACK and
window scaling with the current Linux SYN cookie design despite it being
possible to avoid that as FreeBSD does.
2024-03-31 22:23:10 -04:00
.github add GitHub funding metadata 2021-07-19 23:02:29 -04:00
certbot switch main domain for ECDSA mail server cert 2024-01-25 12:55:57 -05:00
guide add nftables dscp counter config to guide 2023-08-19 00:46:21 -04:00
logrotate.d replace certbot log rotation with logrotate 2024-02-13 12:38:14 -05:00
mkinitcpio.d disable mkinitcpio fallback image 2024-03-04 13:13:58 -05:00
modprobe.d blacklist virtio_console module 2023-07-17 02:21:12 -04:00
modules-load.d disable loose TCP connection tracking 2022-07-03 03:50:53 -04:00
packages switch to Java 21 LTS package since Java 22 is out 2024-03-30 02:12:00 -04:00
pacman.d add directory structure for mirrorlist 2023-07-11 11:38:53 -04:00
ssh move IP-based SSH connection limits to nftables 2024-03-28 11:38:03 -04:00
sysconfig enable chronyd seccomp filter 2023-05-07 00:02:51 -04:00
sysctl.d reorganize sysctl configuration 2024-03-24 11:03:31 -04:00
systemd set preferred source for static IPv6 configuration 2024-03-26 21:50:12 -04:00
.gitignore add authorized_keys to gitignore 2024-02-03 17:48:56 -05:00
certbot-ocsp-fetcher update certbot-ocsp-fetcher 2024-01-25 01:23:49 -05:00
chrony.conf chrony: raise minsources to 3 2024-03-31 14:03:16 -04:00
connection-stats clean up stats scripts 2023-07-16 01:25:27 -04:00
count count: drop 3rd gen Pixels 2024-02-24 19:19:59 -05:00
crypttab enable discard support for swapfile dm-crypt 2023-07-18 16:41:35 -04:00
deploy-initial lsof replaced with lsfd 2024-03-06 16:53:42 -05:00
deploy.sh explicit set XFS allocation group count 2024-02-24 10:28:10 -05:00
dns-stats dns-stats: show total TCP and UDP queries 2024-03-28 11:38:06 -04:00
environment disable less history by default for login sessions 2022-10-26 04:35:23 -04:00
fetch-info filter irrelevant module output 2024-01-03 10:18:15 -05:00
fstab only discard swapfile at mount time 2023-07-18 16:41:39 -04:00
grub disable sending console output to unused ttyS0 2024-02-01 16:39:33 -05:00
hosts add subset of shared configuration files 2021-07-28 08:23:04 -04:00
hosts.sh split grapheneos.org hosts array 2024-03-18 21:10:47 -04:00
inputrc add basic inputrc 2024-03-14 15:48:53 -04:00
LICENSE update copyright notice 2024-01-25 01:57:18 -05:00
locale.conf switch to C.UTF-8 locale 2023-01-10 14:09:06 -05:00
logrotate.conf use standard log rotation approach for wtmp/btmp 2024-03-20 23:43:48 -04:00
nftables-attestation.conf add counter to connection limit reject rules 2024-03-30 02:12:18 -04:00
nftables-discuss.conf add counter to connection limit reject rules 2024-03-30 02:12:18 -04:00
nftables-mail.conf add counter to connection limit reject rules 2024-03-30 02:12:18 -04:00
nftables-matrix.conf add counter to connection limit reject rules 2024-03-30 02:12:18 -04:00
nftables-network.conf enforce IPv6 SUPL connection limit for /64 blocks 2024-03-30 20:40:38 -04:00
nftables-ns1.conf use DNS connlimit for HTTP/HTTPS on DNS servers 2024-03-31 22:23:10 -04:00
nftables-ns2.conf use DNS connlimit for HTTP/HTTPS on DNS servers 2024-03-31 22:23:10 -04:00
nftables-social.conf add counter to connection limit reject rules 2024-03-30 02:12:18 -04:00
nftables-web.conf add counter to connection limit reject rules 2024-03-30 02:12:18 -04:00
nginx-create-session-ticket-keys clean up session ticket rotation scripts 2024-03-20 22:55:40 -04:00
nginx-rotate-session-ticket-keys clean up session ticket rotation scripts 2024-03-20 22:55:40 -04:00
nginx-stats clean up stats scripts 2023-07-16 01:25:27 -04:00
ovh-mitigation rename OVH mitigation script 2023-07-03 18:35:43 -04:00
ovh-mitigation.py rename OVH mitigation script 2023-07-03 18:35:43 -04:00
pacman.conf disable unused multilib repository 2023-07-18 16:58:34 -04:00
pacreport.conf add updatedb drop-in unit to pacreport exclusions 2024-02-01 18:01:06 -05:00
README.md Fix readme 2021-12-16 12:43:34 -05:00
requirements.in add OVH mitigation control script 2023-02-22 16:22:47 -05:00
requirements.txt update python dependencies 2024-02-23 13:04:36 -05:00
resolv.conf add resolv.conf 2022-07-03 09:05:41 -04:00
setup specify python3 in setup script 2023-07-06 22:12:26 -04:00
unbound.conf unbound: block dns rebinding 2023-10-04 10:26:16 -04:00

Information about GrapheneOS servers is available in the GrapheneOS servers article on grapheneos.org.