128 Commits

Author SHA1 Message Date
Daniel Micay
7d9379972f freeze hashes of python dependencies 2023-01-10 13:02:53 -05:00
Daniel Micay
0e574a4ee9 add postgresql.conf 2022-12-04 04:35:35 -05:00
Daniel Micay
5fe0978ef2 brotli keeps source files by default 2022-11-01 00:20:47 -04:00
Daniel Micay
d5ed786d2a add minimal Permissions Policy as a starting point 2022-10-17 22:27:09 -04:00
Daniel Micay
4f1aa5bceb increase resolver timeout 2022-10-12 16:30:25 -04:00
Daniel Micay
a1997d89c4 rename conn limit memory zone 2022-10-01 12:56:03 -04:00
Daniel Micay
9fbcc9587d update Element web app configuration 2022-09-28 12:00:55 -04:00
Daniel Micay
06cd80873f use custom format for access log again 2022-09-27 10:27:36 -04:00
Daniel Micay
0e16b5798b reduce HTTP/2 chunk size to match TLS record size 2022-09-26 13:14:40 -04:00
Daniel Micay
9ed069073c use syslog (journald) for nginx access log 2022-09-25 14:18:13 -04:00
Daniel Micay
7b8a505d17 reduce keepalive requests 2022-09-24 11:53:02 -04:00
Daniel Micay
9cdf30c08c reduce connection limit to 128 2022-09-24 11:27:15 -04:00
Daniel Micay
0bcd3cdca3 reduce HTTP/2 concurrent streams to 16 2022-09-24 11:22:11 -04:00
Daniel Micay
46ca28258f reduce max client header buffer size 2022-09-24 11:11:01 -04:00
Daniel Micay
913cde9ff2 send X-Robots-Tag on errors too 2022-08-18 18:11:08 -04:00
Daniel Micay
e7885e1b87 fix backup timestamps 2022-08-11 18:17:24 -04:00
Daniel Micay
a5c257d8a5 remove legacy Expect-CT header 2022-08-11 17:29:34 -04:00
Daniel Micay
ff010aa945 add initial hardening to remote backup service 2022-08-11 17:29:31 -04:00
Daniel Micay
db209e53b4 move systemd units to subdirectory 2022-08-11 17:29:24 -04:00
Daniel Micay
36d1b69e6b move systemd units to subdirectory 2022-08-11 13:05:24 -04:00
Daniel Micay
5a4b71ed29 extend matterbridge service hardening 2022-08-09 07:42:11 -04:00
Daniel Micay
28c063bdc2 add RemoveIPC=true since systemd lints for it
This isn't useful due to PrivateIPC=true but there's no harm in
including it to satisfy the security linter.
2022-08-09 05:01:28 -04:00
Daniel Micay
84cfdcfe4d strip path prefix from backup tarballs 2022-08-07 08:10:45 -04:00
Daniel Micay
be7a6c9187 use modern option style for tar 2022-08-07 08:09:46 -04:00
Daniel Micay
fa61606984 add Origin-Agent-Cluster header 2022-07-30 20:13:28 -04:00
Daniel Micay
53f0d30d1b add cloud-archive-password.txt to gitignore 2022-07-22 17:05:18 -04:00
Daniel Micay
8a1b9cdb63 use batch CPU scheduling policy for backups 2022-07-22 02:16:36 -04:00
Daniel Micay
7054e7c09f add backup scripts and systemd units 2022-07-22 00:40:20 -04:00
Daniel Micay
989ed9718c add backup directory and keys to gitignore 2022-07-21 23:43:17 -04:00
Daniel Micay
7c45014149 drop unused PATH setup 2022-07-18 18:19:25 -04:00
Daniel Micay
bb45adb3f7 freeze python dependency versions 2022-07-18 17:26:47 -04:00
Daniel Micay
0a81e35a23 activate venv automatically 2022-07-18 17:24:00 -04:00
Daniel Micay
d724296a89 add venv to gitignore 2022-07-18 17:00:30 -04:00
Daniel Micay
90d542e2f4 stop setting CORP header for synapse API for now 2022-07-13 13:04:46 -04:00
Daniel Micay
9b19b811ac only AF_INET6 is required for mjolnir 2022-07-11 19:50:21 -04:00
Daniel Micay
6835a0bffb set NODE_ENV=production for mjolnir 2022-07-10 17:37:39 -04:00
Daniel Micay
69b0ff7bb3 move nginx status API to socket 2022-07-02 12:38:33 -04:00
Daniel Micay
bac4280478 add gixy to deploy script 2022-06-28 00:03:13 -04:00
Daniel Micay
11579e87ca reduce proxy send timeout 2022-06-27 23:58:50 -04:00
Daniel Micay
12d81c7885 use standard GrapheneOS mime.types 2022-06-26 17:51:01 -04:00
Daniel Micay
30209020a7 raise expected nginx version 2022-06-10 19:40:32 -04:00
Daniel Micay
9feb6f9d14 enable pinning feature for Element 2022-06-10 19:39:40 -04:00
Daniel Micay
0c46ce2027 deploy nginx snippets 2022-06-09 18:50:24 -04:00
dependabot[bot]
cd8acd3b69 Bump actions/setup-python from 3 to 4
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3 to 4.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-09 03:32:41 -04:00
Daniel Micay
3ff1fe54a9 add mjolnir systemd unit 2022-05-14 16:11:11 -04:00
Daniel Micay
c7f189ba29 add nginx mime.types configuration to deployment 2022-05-12 17:16:07 -04:00
Daniel Micay
2120e77103 improve flock error message 2022-05-08 05:45:52 -04:00
Daniel Micay
50570dc8a1 use new rsync fsync parameter 2022-05-05 02:22:36 -04:00
Daniel Micay
04fa0a2224 add file locking to deploy/process scripts 2022-05-05 00:26:23 -04:00
Daniel Micay
316a5c696b enable sendfile support again
There's a remaining issue fixed in mainline that's not fixed in the
current stable branch yet, but it doesn't apply unless HTTP/2 is being
used without encryption. Currently sendfile is only really used for the
backend proxy connections in practice due to TLS, and those are never
HTTP/2.
2022-05-03 19:10:31 -04:00