Commit Graph

159 Commits

Author SHA1 Message Date
Daniel Micay
36d1b69e6b move systemd units to subdirectory 2022-08-11 13:05:24 -04:00
Daniel Micay
5a4b71ed29 extend matterbridge service hardening 2022-08-09 07:42:11 -04:00
Daniel Micay
28c063bdc2 add RemoveIPC=true since systemd lints for it
This isn't useful due to PrivateIPC=true but there's no harm in
including it to satisfy the security linter.
2022-08-09 05:01:28 -04:00
Daniel Micay
84cfdcfe4d strip path prefix from backup tarballs 2022-08-07 08:10:45 -04:00
Daniel Micay
be7a6c9187 use modern option style for tar 2022-08-07 08:09:46 -04:00
Daniel Micay
fa61606984 add Origin-Agent-Cluster header 2022-07-30 20:13:28 -04:00
Daniel Micay
53f0d30d1b add cloud-archive-password.txt to gitignore 2022-07-22 17:05:18 -04:00
Daniel Micay
8a1b9cdb63 use batch CPU scheduling policy for backups 2022-07-22 02:16:36 -04:00
Daniel Micay
7054e7c09f add backup scripts and systemd units 2022-07-22 00:40:20 -04:00
Daniel Micay
989ed9718c add backup directory and keys to gitignore 2022-07-21 23:43:17 -04:00
Daniel Micay
7c45014149 drop unused PATH setup 2022-07-18 18:19:25 -04:00
Daniel Micay
bb45adb3f7 freeze python dependency versions 2022-07-18 17:26:47 -04:00
Daniel Micay
0a81e35a23 activate venv automatically 2022-07-18 17:24:00 -04:00
Daniel Micay
d724296a89 add venv to gitignore 2022-07-18 17:00:30 -04:00
Daniel Micay
90d542e2f4 stop setting CORP header for synapse API for now 2022-07-13 13:04:46 -04:00
Daniel Micay
9b19b811ac only AF_INET6 is required for mjolnir 2022-07-11 19:50:21 -04:00
Daniel Micay
6835a0bffb set NODE_ENV=production for mjolnir 2022-07-10 17:37:39 -04:00
Daniel Micay
69b0ff7bb3 move nginx status API to socket 2022-07-02 12:38:33 -04:00
Daniel Micay
bac4280478 add gixy to deploy script 2022-06-28 00:03:13 -04:00
Daniel Micay
11579e87ca reduce proxy send timeout 2022-06-27 23:58:50 -04:00
Daniel Micay
12d81c7885 use standard GrapheneOS mime.types 2022-06-26 17:51:01 -04:00
Daniel Micay
30209020a7 raise expected nginx version 2022-06-10 19:40:32 -04:00
Daniel Micay
9feb6f9d14 enable pinning feature for Element 2022-06-10 19:39:40 -04:00
Daniel Micay
0c46ce2027 deploy nginx snippets 2022-06-09 18:50:24 -04:00
dependabot[bot]
cd8acd3b69 Bump actions/setup-python from 3 to 4
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3 to 4.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-09 03:32:41 -04:00
Daniel Micay
3ff1fe54a9 add mjolnir systemd unit 2022-05-14 16:11:11 -04:00
Daniel Micay
c7f189ba29 add nginx mime.types configuration to deployment 2022-05-12 17:16:07 -04:00
Daniel Micay
2120e77103 improve flock error message 2022-05-08 05:45:52 -04:00
Daniel Micay
50570dc8a1 use new rsync fsync parameter 2022-05-05 02:22:36 -04:00
Daniel Micay
04fa0a2224 add file locking to deploy/process scripts 2022-05-05 00:26:23 -04:00
Daniel Micay
316a5c696b enable sendfile support again
There's a remaining issue fixed in mainline that's not fixed in the
current stable branch yet, but it doesn't apply unless HTTP/2 is being
used without encryption. Currently sendfile is only really used for the
backend proxy connections in practice due to TLS, and those are never
HTTP/2.
2022-05-03 19:10:31 -04:00
Daniel Micay
21059f1360 add resolver setup to baseline configuration 2022-05-02 04:10:42 -04:00
Daniel Micay
087c1a6349 disable traditional stateful TLS session cache
This is useless for TLSv1.3 since there's no longer any distinction in
the protocol based on whether the server is using stateless or stateful
session resumption. OpenSSL has a non-standard anti-replay mechanism for
0-RTT based on stateful session resumption but 0-RTT still ends up being
a downgrade for the TLS security properties. nginx disables that feature
since otherwise 0-RTT wouldn't work with the default stateless approach.

Since this cache is only used for TLSv1.2 when stateless resumption
isn't disabled and nearly all TLSv1.2 clients support tickets, it isn't
getting any significant use. It provides worse forward secrecy than
tickets because we implement ticket key rotation based on the expiry
time and sessions aren't actively purged from the stateful cache when
they expire. Cached session state varies in size and nginx ends up
writing errors to the log when clearing out a session fails to make room
for a new one due to it being larger. It's best to finally get rid of
this flawed approach to session resumption.

TLSv1.3 provides the option of forward secrecy for resumed sessions and
it's the only approach that's normally enabled so we don't need to worry
about this anymore once TLSv1.2 is disabled as long as we never enable
0-RTT which weakens forward secrecy and other security properties.
2022-04-30 22:53:43 -04:00
Daniel Micay
a703ab5d8c reduce proxy connect timeout 2022-04-18 10:26:47 -04:00
Daniel Micay
0a6c8e5c1f use IPv6 only for internal nginx status service 2022-04-17 13:15:36 -04:00
Daniel Micay
0873450d3f drop matrix.org servers from presence list
Our Element Web instance can only be used with the grapheneos.org
homeserver.
2022-04-13 20:58:10 -04:00
Daniel Micay
a87ea1b5fa add grapheneos.org to list with disabled presence 2022-04-13 16:19:32 -04:00
Daniel Micay
df3fa938a5 update Element configuration 2022-04-13 16:19:31 -04:00
Daniel Micay
14bb49d1e6 combine ssh commands for deployment 2022-03-24 18:54:07 -04:00
dependabot[bot]
eb2b9dfe5c Bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 02:50:44 -05:00
dependabot[bot]
0ba8425df2 Bump actions/setup-python from 2 to 3
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2 to 3.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 11:16:08 -05:00
Daniel Micay
218927ac6e switch to certbot webroot plugin 2022-02-19 08:17:14 -05:00
Daniel Micay
5571abff90 remove version workaround 2021-12-20 13:14:52 -05:00
Daniel Micay
5041ae9bf5 use Python 3.10 for CI 2021-12-14 18:36:14 -05:00
Daniel Micay
84df782352 improve unset Element version workaround 2021-12-13 11:44:00 -05:00
Daniel Micay
548554be39 set charset in Content-Type header for CSS too 2021-12-10 05:57:45 -05:00
Daniel Micay
525e5f5e9d add workaround for Element version being unset 2021-12-10 05:53:43 -05:00
Daniel Micay
91cb36d7a0 disable legacy X-XSS-Protection feature 2021-12-10 04:31:03 -05:00
Daniel Micay
27934d8d58 set a max connection limit to synapse from nginx 2021-12-03 22:44:24 -05:00
Daniel Micay
cdcd278394 nginx: enable aio_write due to 1.20.2 AIO fix 2021-11-28 19:03:51 -05:00