Daniel Micay d95752bea6 move IP-based DNS connection limits to nftables
This reuses the approach in cd59960e7b for
SSH connection limits with the same rationale.

PowerDNS also lacks a way to allowlist an address and was limiting our
ADoT reverse proxy to only being able to make 16 connections to the
backend. We could have worked around that by proxying every TCP DNS
connection but it makes more sense to switch to doing this via nftables
where new TCP connections can be completely avoided.

TCP DNS will be perfectly fine without window scaling and Selective
Acknowledgements for clients without TCP timestamps enabled.
2024-03-30 02:11:21 -04:00
.github add GitHub funding metadata 2021-07-19 23:02:29 -04:00
certbot switch main domain for ECDSA mail server cert 2024-01-25 12:55:57 -05:00
guide add nftables dscp counter config to guide 2023-08-19 00:46:21 -04:00
logrotate.d replace certbot log rotation with logrotate 2024-02-13 12:38:14 -05:00
mkinitcpio.d disable mkinitcpio fallback image 2024-03-04 13:13:58 -05:00
modprobe.d blacklist virtio_console module 2023-07-17 02:21:12 -04:00
modules-load.d disable loose TCP connection tracking 2022-07-03 03:50:53 -04:00
packages add sqlite-analyzer to attestation servers 2024-03-08 11:54:02 -05:00
pacman.d add directory structure for mirrorlist 2023-07-11 11:38:53 -04:00
ssh move IP-based SSH connection limits to nftables 2024-03-28 11:38:03 -04:00
sysconfig enable chronyd seccomp filter 2023-05-07 00:02:51 -04:00
sysctl.d reorganize sysctl configuration 2024-03-24 11:03:31 -04:00
systemd set preferred source for static IPv6 configuration 2024-03-26 21:50:12 -04:00
.gitignore add authorized_keys to gitignore 2024-02-03 17:48:56 -05:00
certbot-ocsp-fetcher update certbot-ocsp-fetcher 2024-01-25 01:23:49 -05:00
chrony.conf disable chrony client log 2024-03-20 23:24:57 -04:00
connection-stats clean up stats scripts 2023-07-16 01:25:27 -04:00
count count: drop 3rd gen Pixels 2024-02-24 19:19:59 -05:00
crypttab enable discard support for swapfile dm-crypt 2023-07-18 16:41:35 -04:00
deploy-initial lsof replaced with lsfd 2024-03-06 16:53:42 -05:00
deploy.sh explicit set XFS allocation group count 2024-02-24 10:28:10 -05:00
dns-stats dns-stats: show total TCP and UDP queries 2024-03-28 11:38:06 -04:00
environment disable less history by default for login sessions 2022-10-26 04:35:23 -04:00
fetch-info filter irrelevant module output 2024-01-03 10:18:15 -05:00
fstab only discard swapfile at mount time 2023-07-18 16:41:39 -04:00
grub disable sending console output to unused ttyS0 2024-02-01 16:39:33 -05:00
hosts add subset of shared configuration files 2021-07-28 08:23:04 -04:00
hosts.sh split grapheneos.org hosts array 2024-03-18 21:10:47 -04:00
inputrc add basic inputrc 2024-03-14 15:48:53 -04:00
LICENSE update copyright notice 2024-01-25 01:57:18 -05:00
locale.conf switch to C.UTF-8 locale 2023-01-10 14:09:06 -05:00
logrotate.conf use standard log rotation approach for wtmp/btmp 2024-03-20 23:43:48 -04:00
nftables-attestation.conf enforce IPv6 SSH connection limit for /48 blocks 2024-03-28 11:38:06 -04:00
nftables-discuss.conf enforce IPv6 SSH connection limit for /48 blocks 2024-03-28 11:38:06 -04:00
nftables-mail.conf enforce IPv6 SSH connection limit for /48 blocks 2024-03-28 11:38:06 -04:00
nftables-matrix.conf enforce IPv6 SSH connection limit for /48 blocks 2024-03-28 11:38:06 -04:00
nftables-network.conf enforce IPv6 SSH connection limit for /48 blocks 2024-03-28 11:38:06 -04:00
nftables-ns1.conf move IP-based DNS connection limits to nftables 2024-03-30 02:11:21 -04:00
nftables-ns2.conf move IP-based DNS connection limits to nftables 2024-03-30 02:11:21 -04:00
nftables-social.conf enforce IPv6 SSH connection limit for /48 blocks 2024-03-28 11:38:06 -04:00
nftables-web.conf enforce IPv6 SSH connection limit for /48 blocks 2024-03-28 11:38:06 -04:00
nginx-create-session-ticket-keys clean up session ticket rotation scripts 2024-03-20 22:55:40 -04:00
nginx-rotate-session-ticket-keys clean up session ticket rotation scripts 2024-03-20 22:55:40 -04:00
nginx-stats clean up stats scripts 2023-07-16 01:25:27 -04:00
ovh-mitigation rename OVH mitigation script 2023-07-03 18:35:43 -04:00
ovh-mitigation.py rename OVH mitigation script 2023-07-03 18:35:43 -04:00
pacman.conf disable unused multilib repository 2023-07-18 16:58:34 -04:00
pacreport.conf add updatedb drop-in unit to pacreport exclusions 2024-02-01 18:01:06 -05:00
README.md Fix readme 2021-12-16 12:43:34 -05:00
requirements.in add OVH mitigation control script 2023-02-22 16:22:47 -05:00
requirements.txt update python dependencies 2024-02-23 13:04:36 -05:00
resolv.conf add resolv.conf 2022-07-03 09:05:41 -04:00
setup specify python3 in setup script 2023-07-06 22:12:26 -04:00
unbound.conf unbound: block dns rebinding 2023-10-04 10:26:16 -04:00

Information about GrapheneOS servers is available in the GrapheneOS servers article on grapheneos.org.