Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-02-24 08:49:58 -05:00
Code Issues Packages Projects Releases Wiki Activity
393 Commits 1 Branch 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Daniel Micay b38736ca74 enable nftables-based DDoS protection for all TCP services 
Now that the usage of synproxy is gated behind a SYN packet rate limit,
we can expand this to all our TCP services to have always enabled DDoS
protection instead of needing to deploy a stricter set of rules when the
servers are under attack. This is far better because there isn't always
a system administrator available to handle an ongoing attack.

We already used per-IP connection limits in nginx across the board but
those limits are applied far too late after a TLS connection has been
established and headers are sent rather than before. Using IPv6 /64
blocks means this is much more aggressive for IPv6, but many clients
will fall back to IPv4 due to the happy eyeballs approach. The nginx
limits are still useful due to HTTP/2 multiplexing and we'll need to
think over how to address IPv6 there.
2024-04-10 14:48:10 -04:00
.github
add GitHub funding metadata
2021-07-19 23:02:29 -04:00
certbot
certbot: add ns2 variant of staging authoritative DNS
2024-04-08 17:06:43 -04:00
guide
add nftables dscp counter config to guide
2023-08-19 00:46:21 -04:00
logrotate.d
replace certbot log rotation with logrotate
2024-02-13 12:38:14 -05:00
mkinitcpio.d
disable mkinitcpio fallback image
2024-03-04 13:13:58 -05:00
modprobe.d
blacklist virtio_console module
2023-07-17 02:21:12 -04:00
modules-load.d
disable loose TCP connection tracking
2022-07-03 03:50:53 -04:00
packages
switch to Java 21 LTS package since Java 22 is out
2024-03-30 02:12:00 -04:00
pacman.d
add directory structure for mirrorlist
2023-07-11 11:38:53 -04:00
ssh
move IP-based SSH connection limits to nftables
2024-03-28 11:38:03 -04:00
sysconfig
enable chronyd seccomp filter
2023-05-07 00:02:51 -04:00
sysctl.d
remove redundant vm.max_map_count configuration
2024-04-07 15:11:35 -04:00
systemd
set preferred source for static IPv6 configuration
2024-03-26 21:50:12 -04:00
.gitignore
add authorized_keys to gitignore
2024-02-03 17:48:56 -05:00
certbot-ocsp-fetcher
update certbot-ocsp-fetcher
2024-01-25 01:23:49 -05:00
chrony.conf
chrony: raise minsources to 3
2024-03-31 14:03:16 -04:00
connection-stats
clean up stats scripts
2023-07-16 01:25:27 -04:00
count
count: drop 3rd gen Pixels
2024-02-24 19:19:59 -05:00
crypttab
enable discard support for swapfile dm-crypt
2023-07-18 16:41:35 -04:00
deploy-initial
lsof replaced with lsfd
2024-03-06 16:53:42 -05:00
deploy.sh
explicit set XFS allocation group count
2024-02-24 10:28:10 -05:00
dns-stats
dns-stats: show total TCP and UDP queries
2024-03-28 11:38:06 -04:00
environment
disable less history by default for login sessions
2022-10-26 04:35:23 -04:00
fetch-info
filter irrelevant module output
2024-01-03 10:18:15 -05:00
fstab
only discard swapfile at mount time
2023-07-18 16:41:39 -04:00
grub
disable sending console output to unused ttyS0
2024-02-01 16:39:33 -05:00
hosts
add subset of shared configuration files
2021-07-28 08:23:04 -04:00
hosts.sh
split grapheneos.org hosts array
2024-03-18 21:10:47 -04:00
inputrc
add basic inputrc
2024-03-14 15:48:53 -04:00
LICENSE
update copyright notice
2024-01-25 01:57:18 -05:00
locale.conf
switch to C.UTF-8 locale
2023-01-10 14:09:06 -05:00
logrotate.conf
use standard log rotation approach for wtmp/btmp
2024-03-20 23:43:48 -04:00
nftables-attestation.conf
enable nftables-based DDoS protection for all TCP services
2024-04-10 14:48:10 -04:00
nftables-discuss.conf
enable nftables-based DDoS protection for all TCP services
2024-04-10 14:48:10 -04:00
nftables-mail.conf
enable nftables-based DDoS protection for all TCP services
2024-04-10 14:48:10 -04:00
nftables-matrix.conf
enable nftables-based DDoS protection for all TCP services
2024-04-10 14:48:10 -04:00
nftables-network.conf
enable nftables-based DDoS protection for all TCP services
2024-04-10 14:48:10 -04:00
nftables-ns1.conf
add rate limited synproxy bypass
2024-04-10 12:15:19 -04:00
nftables-ns2.conf
add rate limited synproxy bypass
2024-04-10 12:15:19 -04:00
nftables-social.conf
enable nftables-based DDoS protection for all TCP services
2024-04-10 14:48:10 -04:00
nftables-web.conf
enable nftables-based DDoS protection for all TCP services
2024-04-10 14:48:10 -04:00
nginx-create-session-ticket-keys
clean up session ticket rotation scripts
2024-03-20 22:55:40 -04:00
nginx-rotate-session-ticket-keys
clean up session ticket rotation scripts
2024-03-20 22:55:40 -04:00
nginx-stats
clean up stats scripts
2023-07-16 01:25:27 -04:00
ovh-mitigation
rename OVH mitigation script
2023-07-03 18:35:43 -04:00
ovh-mitigation.py
rename OVH mitigation script
2023-07-03 18:35:43 -04:00
pacman.conf
disable unused multilib repository
2023-07-18 16:58:34 -04:00
pacreport.conf
add updatedb drop-in unit to pacreport exclusions
2024-02-01 18:01:06 -05:00
README.md
Fix readme
2021-12-16 12:43:34 -05:00
requirements.in
add OVH mitigation control script
2023-02-22 16:22:47 -05:00
requirements.txt
update python dependencies
2024-02-23 13:04:36 -05:00
resolv.conf
add resolv.conf
2022-07-03 09:05:41 -04:00
setup
specify python3 in setup script
2023-07-06 22:12:26 -04:00
unbound.conf
unbound: block dns rebinding
2023-10-04 10:26:16 -04:00

README.md

Information about GrapheneOS servers is available in the GrapheneOS servers article on grapheneos.org.

Description
Shared server infrastructure - https://grapheneos.org/articles/grapheneos-servers
grapheneos
Readme MIT 2 MiB
Languages
Shell 52.3%
Vim Script 43.9%
Python 2.4%
Erlang 1.4%