Daniel Micay
36d1b69e6b
move systemd units to subdirectory
2022-08-11 13:05:24 -04:00
Daniel Micay
5a4b71ed29
extend matterbridge service hardening
2022-08-09 07:42:11 -04:00
Daniel Micay
28c063bdc2
add RemoveIPC=true since systemd lints for it
...
This isn't useful due to PrivateIPC=true but there's no harm in
including it to satisfy the security linter.
2022-08-09 05:01:28 -04:00
Daniel Micay
84cfdcfe4d
strip path prefix from backup tarballs
2022-08-07 08:10:45 -04:00
Daniel Micay
be7a6c9187
use modern option style for tar
2022-08-07 08:09:46 -04:00
Daniel Micay
fa61606984
add Origin-Agent-Cluster header
2022-07-30 20:13:28 -04:00
Daniel Micay
53f0d30d1b
add cloud-archive-password.txt to gitignore
2022-07-22 17:05:18 -04:00
Daniel Micay
8a1b9cdb63
use batch CPU scheduling policy for backups
2022-07-22 02:16:36 -04:00
Daniel Micay
7054e7c09f
add backup scripts and systemd units
2022-07-22 00:40:20 -04:00
Daniel Micay
989ed9718c
add backup directory and keys to gitignore
2022-07-21 23:43:17 -04:00
Daniel Micay
7c45014149
drop unused PATH setup
2022-07-18 18:19:25 -04:00
Daniel Micay
bb45adb3f7
freeze python dependency versions
2022-07-18 17:26:47 -04:00
Daniel Micay
0a81e35a23
activate venv automatically
2022-07-18 17:24:00 -04:00
Daniel Micay
d724296a89
add venv to gitignore
2022-07-18 17:00:30 -04:00
Daniel Micay
90d542e2f4
stop setting CORP header for synapse API for now
2022-07-13 13:04:46 -04:00
Daniel Micay
9b19b811ac
only AF_INET6 is required for mjolnir
2022-07-11 19:50:21 -04:00
Daniel Micay
6835a0bffb
set NODE_ENV=production for mjolnir
2022-07-10 17:37:39 -04:00
Daniel Micay
69b0ff7bb3
move nginx status API to socket
2022-07-02 12:38:33 -04:00
Daniel Micay
bac4280478
add gixy to deploy script
2022-06-28 00:03:13 -04:00
Daniel Micay
11579e87ca
reduce proxy send timeout
2022-06-27 23:58:50 -04:00
Daniel Micay
12d81c7885
use standard GrapheneOS mime.types
2022-06-26 17:51:01 -04:00
Daniel Micay
30209020a7
raise expected nginx version
2022-06-10 19:40:32 -04:00
Daniel Micay
9feb6f9d14
enable pinning feature for Element
2022-06-10 19:39:40 -04:00
Daniel Micay
0c46ce2027
deploy nginx snippets
2022-06-09 18:50:24 -04:00
dependabot[bot]
cd8acd3b69
Bump actions/setup-python from 3 to 4
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 3 to 4.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](https://github.com/actions/setup-python/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-06-09 03:32:41 -04:00
Daniel Micay
3ff1fe54a9
add mjolnir systemd unit
2022-05-14 16:11:11 -04:00
Daniel Micay
c7f189ba29
add nginx mime.types configuration to deployment
2022-05-12 17:16:07 -04:00
Daniel Micay
2120e77103
improve flock error message
2022-05-08 05:45:52 -04:00
Daniel Micay
50570dc8a1
use new rsync fsync parameter
2022-05-05 02:22:36 -04:00
Daniel Micay
04fa0a2224
add file locking to deploy/process scripts
2022-05-05 00:26:23 -04:00
Daniel Micay
316a5c696b
enable sendfile support again
...
There's a remaining issue fixed in mainline that's not fixed in the
current stable branch yet, but it doesn't apply unless HTTP/2 is being
used without encryption. Currently sendfile is only really used for the
backend proxy connections in practice due to TLS, and those are never
HTTP/2.
2022-05-03 19:10:31 -04:00
Daniel Micay
21059f1360
add resolver setup to baseline configuration
2022-05-02 04:10:42 -04:00
Daniel Micay
087c1a6349
disable traditional stateful TLS session cache
...
This is useless for TLSv1.3 since there's no longer any distinction in
the protocol based on whether the server is using stateless or stateful
session resumption. OpenSSL has a non-standard anti-replay mechanism for
0-RTT based on stateful session resumption but 0-RTT still ends up being
a downgrade for the TLS security properties. nginx disables that feature
since otherwise 0-RTT wouldn't work with the default stateless approach.
Since this cache is only used for TLSv1.2 when stateless resumption
isn't disabled and nearly all TLSv1.2 clients support tickets, it isn't
getting any significant use. It provides worse forward secrecy than
tickets because we implement ticket key rotation based on the expiry
time and sessions aren't actively purged from the stateful cache when
they expire. Cached session state varies in size and nginx ends up
writing errors to the log when clearing out a session fails to make room
for a new one due to it being larger. It's best to finally get rid of
this flawed approach to session resumption.
TLSv1.3 provides the option of forward secrecy for resumed sessions and
it's the only approach that's normally enabled so we don't need to worry
about this anymore once TLSv1.2 is disabled as long as we never enable
0-RTT which weakens forward secrecy and other security properties.
2022-04-30 22:53:43 -04:00
Daniel Micay
a703ab5d8c
reduce proxy connect timeout
2022-04-18 10:26:47 -04:00
Daniel Micay
0a6c8e5c1f
use IPv6 only for internal nginx status service
2022-04-17 13:15:36 -04:00
Daniel Micay
0873450d3f
drop matrix.org servers from presence list
...
Our Element Web instance can only be used with the grapheneos.org
homeserver.
2022-04-13 20:58:10 -04:00
Daniel Micay
a87ea1b5fa
add grapheneos.org to list with disabled presence
2022-04-13 16:19:32 -04:00
Daniel Micay
df3fa938a5
update Element configuration
2022-04-13 16:19:31 -04:00
Daniel Micay
14bb49d1e6
combine ssh commands for deployment
2022-03-24 18:54:07 -04:00
dependabot[bot]
eb2b9dfe5c
Bump actions/checkout from 2 to 3
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v2...v3 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 02:50:44 -05:00
dependabot[bot]
0ba8425df2
Bump actions/setup-python from 2 to 3
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 2 to 3.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](https://github.com/actions/setup-python/compare/v2...v3 )
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 11:16:08 -05:00
Daniel Micay
218927ac6e
switch to certbot webroot plugin
2022-02-19 08:17:14 -05:00
Daniel Micay
5571abff90
remove version workaround
2021-12-20 13:14:52 -05:00
Daniel Micay
5041ae9bf5
use Python 3.10 for CI
2021-12-14 18:36:14 -05:00
Daniel Micay
84df782352
improve unset Element version workaround
2021-12-13 11:44:00 -05:00
Daniel Micay
548554be39
set charset in Content-Type header for CSS too
2021-12-10 05:57:45 -05:00
Daniel Micay
525e5f5e9d
add workaround for Element version being unset
2021-12-10 05:53:43 -05:00
Daniel Micay
91cb36d7a0
disable legacy X-XSS-Protection feature
2021-12-10 04:31:03 -05:00
Daniel Micay
27934d8d58
set a max connection limit to synapse from nginx
2021-12-03 22:44:24 -05:00
Daniel Micay
cdcd278394
nginx: enable aio_write due to 1.20.2 AIO fix
2021-11-28 19:03:51 -05:00