Commit Graph

136 Commits

Author SHA1 Message Date
Daniel Micay
0c46ce2027 deploy nginx snippets 2022-06-09 18:50:24 -04:00
dependabot[bot]
cd8acd3b69 Bump actions/setup-python from 3 to 4
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3 to 4.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-09 03:32:41 -04:00
Daniel Micay
3ff1fe54a9 add mjolnir systemd unit 2022-05-14 16:11:11 -04:00
Daniel Micay
c7f189ba29 add nginx mime.types configuration to deployment 2022-05-12 17:16:07 -04:00
Daniel Micay
2120e77103 improve flock error message 2022-05-08 05:45:52 -04:00
Daniel Micay
50570dc8a1 use new rsync fsync parameter 2022-05-05 02:22:36 -04:00
Daniel Micay
04fa0a2224 add file locking to deploy/process scripts 2022-05-05 00:26:23 -04:00
Daniel Micay
316a5c696b enable sendfile support again
There's a remaining issue fixed in mainline that's not fixed in the
current stable branch yet, but it doesn't apply unless HTTP/2 is being
used without encryption. Currently sendfile is only really used for the
backend proxy connections in practice due to TLS, and those are never
HTTP/2.
2022-05-03 19:10:31 -04:00
Daniel Micay
21059f1360 add resolver setup to baseline configuration 2022-05-02 04:10:42 -04:00
Daniel Micay
087c1a6349 disable traditional stateful TLS session cache
This is useless for TLSv1.3 since there's no longer any distinction in
the protocol based on whether the server is using stateless or stateful
session resumption. OpenSSL has a non-standard anti-replay mechanism for
0-RTT based on stateful session resumption but 0-RTT still ends up being
a downgrade for the TLS security properties. nginx disables that feature
since otherwise 0-RTT wouldn't work with the default stateless approach.

Since this cache is only used for TLSv1.2 when stateless resumption
isn't disabled and nearly all TLSv1.2 clients support tickets, it isn't
getting any significant use. It provides worse forward secrecy than
tickets because we implement ticket key rotation based on the expiry
time and sessions aren't actively purged from the stateful cache when
they expire. Cached session state varies in size and nginx ends up
writing errors to the log when clearing out a session fails to make room
for a new one due to it being larger. It's best to finally get rid of
this flawed approach to session resumption.

TLSv1.3 provides the option of forward secrecy for resumed sessions and
it's the only approach that's normally enabled so we don't need to worry
about this anymore once TLSv1.2 is disabled as long as we never enable
0-RTT which weakens forward secrecy and other security properties.
2022-04-30 22:53:43 -04:00
Daniel Micay
a703ab5d8c reduce proxy connect timeout 2022-04-18 10:26:47 -04:00
Daniel Micay
0a6c8e5c1f use IPv6 only for internal nginx status service 2022-04-17 13:15:36 -04:00
Daniel Micay
0873450d3f drop matrix.org servers from presence list
Our Element Web instance can only be used with the grapheneos.org
homeserver.
2022-04-13 20:58:10 -04:00
Daniel Micay
a87ea1b5fa add grapheneos.org to list with disabled presence 2022-04-13 16:19:32 -04:00
Daniel Micay
df3fa938a5 update Element configuration 2022-04-13 16:19:31 -04:00
Daniel Micay
14bb49d1e6 combine ssh commands for deployment 2022-03-24 18:54:07 -04:00
dependabot[bot]
eb2b9dfe5c Bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 02:50:44 -05:00
dependabot[bot]
0ba8425df2 Bump actions/setup-python from 2 to 3
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2 to 3.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 11:16:08 -05:00
Daniel Micay
218927ac6e switch to certbot webroot plugin 2022-02-19 08:17:14 -05:00
Daniel Micay
5571abff90 remove version workaround 2021-12-20 13:14:52 -05:00
Daniel Micay
5041ae9bf5 use Python 3.10 for CI 2021-12-14 18:36:14 -05:00
Daniel Micay
84df782352 improve unset Element version workaround 2021-12-13 11:44:00 -05:00
Daniel Micay
548554be39 set charset in Content-Type header for CSS too 2021-12-10 05:57:45 -05:00
Daniel Micay
525e5f5e9d add workaround for Element version being unset 2021-12-10 05:53:43 -05:00
Daniel Micay
91cb36d7a0 disable legacy X-XSS-Protection feature 2021-12-10 04:31:03 -05:00
Daniel Micay
27934d8d58 set a max connection limit to synapse from nginx 2021-12-03 22:44:24 -05:00
Daniel Micay
cdcd278394 nginx: enable aio_write due to 1.20.2 AIO fix 2021-11-28 19:03:51 -05:00
Daniel Micay
a2bfaef2fc nginx: disable sendfile due to bugs with AIO 2021-11-28 19:01:38 -05:00
Daniel Micay
c008ad5539 add pip to dependabot 2021-11-25 20:39:14 -05:00
Daniel Micay
c4cceaaf24 replace nginx lint workflow 2021-11-25 20:36:23 -05:00
Daniel Micay
8b4e119821 use a temporary directory for nginx configuration 2021-11-25 20:34:35 -05:00
Daniel Micay
43c8ac3c45 add dependabot configuration 2021-11-23 20:27:45 -05:00
Daniel Micay
d44f983d4d set default country code to Canada 2021-11-23 20:17:35 -05:00
Daniel Micay
b172e96897 remove sample feature from configuration 2021-11-23 20:12:27 -05:00
Daniel Micay
7c2425cd50 remove unused webmanifest extension 2021-11-23 20:06:54 -05:00
Daniel Micay
bfcc6b5958 nginx regex: don't capture groups unnecessarily 2021-11-23 20:00:41 -05:00
Daniel Micay
5fcd75f795 rename static_tmp to static-tmp for consistency 2021-11-23 18:45:28 -05:00
Daniel Micay
0ae1a5a9f4 preserve timestamps for zopfli 2021-11-23 18:28:10 -05:00
Daniel Micay
f945befca2 nginx: use syslog for error log 2021-09-07 08:05:23 -04:00
Daniel Micay
19222d2b0a add nginx modules symlink 2021-07-28 00:44:32 -04:00
Daniel Micay
b66981925a update symlink metadata sync call 2021-07-27 22:31:36 -04:00
Daniel Micay
a97dd92eb8 minor improvements to CSP 2021-07-22 00:12:22 -04:00
Daniel Micay
1a6400af4e split brotli and zopfli jobs 2021-07-21 17:46:05 -04:00
Daniel Micay
8a4a3ef0df stop unnecessarily copying mtime for gz output 2021-07-21 16:57:49 -04:00
Daniel Micay
265576f637 compress static files in parallel 2021-07-21 16:43:49 -04:00
Daniel Micay
dc00b338c6 run GitHub workflows on pushes to any branch 2021-07-16 16:08:21 -04:00
Daniel Micay
fa9de7b0e0 disable aio_write temporarily 2021-07-13 23:30:24 -04:00
Daniel Micay
faa1b0a270 permit frames fetching resources for Element CORP 2021-07-13 22:27:38 -04:00
Daniel Micay
e1d5caf206 raise file size limit to 100M 2021-07-13 22:27:12 -04:00
Daniel Micay
25fa8047c8 use matrix.grapheneos.org as the remote 2021-07-11 19:54:32 -04:00