Commit Graph

119 Commits

Author SHA1 Message Date
Daniel Micay
9ed069073c use syslog (journald) for nginx access log 2022-09-25 14:18:13 -04:00
Daniel Micay
7b8a505d17 reduce keepalive requests 2022-09-24 11:53:02 -04:00
Daniel Micay
9cdf30c08c reduce connection limit to 128 2022-09-24 11:27:15 -04:00
Daniel Micay
0bcd3cdca3 reduce HTTP/2 concurrent streams to 16 2022-09-24 11:22:11 -04:00
Daniel Micay
46ca28258f reduce max client header buffer size 2022-09-24 11:11:01 -04:00
Daniel Micay
913cde9ff2 send X-Robots-Tag on errors too 2022-08-18 18:11:08 -04:00
Daniel Micay
e7885e1b87 fix backup timestamps 2022-08-11 18:17:24 -04:00
Daniel Micay
a5c257d8a5 remove legacy Expect-CT header 2022-08-11 17:29:34 -04:00
Daniel Micay
ff010aa945 add initial hardening to remote backup service 2022-08-11 17:29:31 -04:00
Daniel Micay
db209e53b4 move systemd units to subdirectory 2022-08-11 17:29:24 -04:00
Daniel Micay
36d1b69e6b move systemd units to subdirectory 2022-08-11 13:05:24 -04:00
Daniel Micay
5a4b71ed29 extend matterbridge service hardening 2022-08-09 07:42:11 -04:00
Daniel Micay
28c063bdc2 add RemoveIPC=true since systemd lints for it
This isn't useful due to PrivateIPC=true but there's no harm in
including it to satisfy the security linter.
2022-08-09 05:01:28 -04:00
Daniel Micay
84cfdcfe4d strip path prefix from backup tarballs 2022-08-07 08:10:45 -04:00
Daniel Micay
be7a6c9187 use modern option style for tar 2022-08-07 08:09:46 -04:00
Daniel Micay
fa61606984 add Origin-Agent-Cluster header 2022-07-30 20:13:28 -04:00
Daniel Micay
53f0d30d1b add cloud-archive-password.txt to gitignore 2022-07-22 17:05:18 -04:00
Daniel Micay
8a1b9cdb63 use batch CPU scheduling policy for backups 2022-07-22 02:16:36 -04:00
Daniel Micay
7054e7c09f add backup scripts and systemd units 2022-07-22 00:40:20 -04:00
Daniel Micay
989ed9718c add backup directory and keys to gitignore 2022-07-21 23:43:17 -04:00
Daniel Micay
7c45014149 drop unused PATH setup 2022-07-18 18:19:25 -04:00
Daniel Micay
bb45adb3f7 freeze python dependency versions 2022-07-18 17:26:47 -04:00
Daniel Micay
0a81e35a23 activate venv automatically 2022-07-18 17:24:00 -04:00
Daniel Micay
d724296a89 add venv to gitignore 2022-07-18 17:00:30 -04:00
Daniel Micay
90d542e2f4 stop setting CORP header for synapse API for now 2022-07-13 13:04:46 -04:00
Daniel Micay
9b19b811ac only AF_INET6 is required for mjolnir 2022-07-11 19:50:21 -04:00
Daniel Micay
6835a0bffb set NODE_ENV=production for mjolnir 2022-07-10 17:37:39 -04:00
Daniel Micay
69b0ff7bb3 move nginx status API to socket 2022-07-02 12:38:33 -04:00
Daniel Micay
bac4280478 add gixy to deploy script 2022-06-28 00:03:13 -04:00
Daniel Micay
11579e87ca reduce proxy send timeout 2022-06-27 23:58:50 -04:00
Daniel Micay
12d81c7885 use standard GrapheneOS mime.types 2022-06-26 17:51:01 -04:00
Daniel Micay
30209020a7 raise expected nginx version 2022-06-10 19:40:32 -04:00
Daniel Micay
9feb6f9d14 enable pinning feature for Element 2022-06-10 19:39:40 -04:00
Daniel Micay
0c46ce2027 deploy nginx snippets 2022-06-09 18:50:24 -04:00
dependabot[bot]
cd8acd3b69 Bump actions/setup-python from 3 to 4
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3 to 4.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-09 03:32:41 -04:00
Daniel Micay
3ff1fe54a9 add mjolnir systemd unit 2022-05-14 16:11:11 -04:00
Daniel Micay
c7f189ba29 add nginx mime.types configuration to deployment 2022-05-12 17:16:07 -04:00
Daniel Micay
2120e77103 improve flock error message 2022-05-08 05:45:52 -04:00
Daniel Micay
50570dc8a1 use new rsync fsync parameter 2022-05-05 02:22:36 -04:00
Daniel Micay
04fa0a2224 add file locking to deploy/process scripts 2022-05-05 00:26:23 -04:00
Daniel Micay
316a5c696b enable sendfile support again
There's a remaining issue fixed in mainline that's not fixed in the
current stable branch yet, but it doesn't apply unless HTTP/2 is being
used without encryption. Currently sendfile is only really used for the
backend proxy connections in practice due to TLS, and those are never
HTTP/2.
2022-05-03 19:10:31 -04:00
Daniel Micay
21059f1360 add resolver setup to baseline configuration 2022-05-02 04:10:42 -04:00
Daniel Micay
087c1a6349 disable traditional stateful TLS session cache
This is useless for TLSv1.3 since there's no longer any distinction in
the protocol based on whether the server is using stateless or stateful
session resumption. OpenSSL has a non-standard anti-replay mechanism for
0-RTT based on stateful session resumption but 0-RTT still ends up being
a downgrade for the TLS security properties. nginx disables that feature
since otherwise 0-RTT wouldn't work with the default stateless approach.

Since this cache is only used for TLSv1.2 when stateless resumption
isn't disabled and nearly all TLSv1.2 clients support tickets, it isn't
getting any significant use. It provides worse forward secrecy than
tickets because we implement ticket key rotation based on the expiry
time and sessions aren't actively purged from the stateful cache when
they expire. Cached session state varies in size and nginx ends up
writing errors to the log when clearing out a session fails to make room
for a new one due to it being larger. It's best to finally get rid of
this flawed approach to session resumption.

TLSv1.3 provides the option of forward secrecy for resumed sessions and
it's the only approach that's normally enabled so we don't need to worry
about this anymore once TLSv1.2 is disabled as long as we never enable
0-RTT which weakens forward secrecy and other security properties.
2022-04-30 22:53:43 -04:00
Daniel Micay
a703ab5d8c reduce proxy connect timeout 2022-04-18 10:26:47 -04:00
Daniel Micay
0a6c8e5c1f use IPv6 only for internal nginx status service 2022-04-17 13:15:36 -04:00
Daniel Micay
0873450d3f drop matrix.org servers from presence list
Our Element Web instance can only be used with the grapheneos.org
homeserver.
2022-04-13 20:58:10 -04:00
Daniel Micay
a87ea1b5fa add grapheneos.org to list with disabled presence 2022-04-13 16:19:32 -04:00
Daniel Micay
df3fa938a5 update Element configuration 2022-04-13 16:19:31 -04:00
Daniel Micay
14bb49d1e6 combine ssh commands for deployment 2022-03-24 18:54:07 -04:00
dependabot[bot]
eb2b9dfe5c Bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 02:50:44 -05:00