Daniel Micay
9ed069073c
use syslog (journald) for nginx access log
2022-09-25 14:18:13 -04:00
Daniel Micay
7b8a505d17
reduce keepalive requests
2022-09-24 11:53:02 -04:00
Daniel Micay
9cdf30c08c
reduce connection limit to 128
2022-09-24 11:27:15 -04:00
Daniel Micay
0bcd3cdca3
reduce HTTP/2 concurrent streams to 16
2022-09-24 11:22:11 -04:00
Daniel Micay
46ca28258f
reduce max client header buffer size
2022-09-24 11:11:01 -04:00
Daniel Micay
913cde9ff2
send X-Robots-Tag on errors too
2022-08-18 18:11:08 -04:00
Daniel Micay
e7885e1b87
fix backup timestamps
2022-08-11 18:17:24 -04:00
Daniel Micay
a5c257d8a5
remove legacy Expect-CT header
2022-08-11 17:29:34 -04:00
Daniel Micay
ff010aa945
add initial hardening to remote backup service
2022-08-11 17:29:31 -04:00
Daniel Micay
db209e53b4
move systemd units to subdirectory
2022-08-11 17:29:24 -04:00
Daniel Micay
36d1b69e6b
move systemd units to subdirectory
2022-08-11 13:05:24 -04:00
Daniel Micay
5a4b71ed29
extend matterbridge service hardening
2022-08-09 07:42:11 -04:00
Daniel Micay
28c063bdc2
add RemoveIPC=true since systemd lints for it
This isn't useful due to PrivateIPC=true but there's no harm in
including it to satisfy the security linter.
2022-08-09 05:01:28 -04:00
Daniel Micay
84cfdcfe4d
strip path prefix from backup tarballs
2022-08-07 08:10:45 -04:00
Daniel Micay
be7a6c9187
use modern option style for tar
2022-08-07 08:09:46 -04:00
Daniel Micay
fa61606984
add Origin-Agent-Cluster header
2022-07-30 20:13:28 -04:00
Daniel Micay
53f0d30d1b
add cloud-archive-password.txt to gitignore
2022-07-22 17:05:18 -04:00
Daniel Micay
8a1b9cdb63
use batch CPU scheduling policy for backups
2022-07-22 02:16:36 -04:00
Daniel Micay
7054e7c09f
add backup scripts and systemd units
2022-07-22 00:40:20 -04:00
Daniel Micay
989ed9718c
add backup directory and keys to gitignore
2022-07-21 23:43:17 -04:00
Daniel Micay
7c45014149
drop unused PATH setup
2022-07-18 18:19:25 -04:00
Daniel Micay
bb45adb3f7
freeze python dependency versions
2022-07-18 17:26:47 -04:00
Daniel Micay
0a81e35a23
activate venv automatically
2022-07-18 17:24:00 -04:00
Daniel Micay
d724296a89
add venv to gitignore
2022-07-18 17:00:30 -04:00
Daniel Micay
90d542e2f4
stop setting CORP header for synapse API for now
2022-07-13 13:04:46 -04:00
Daniel Micay
9b19b811ac
only AF_INET6 is required for mjolnir
2022-07-11 19:50:21 -04:00
Daniel Micay
6835a0bffb
set NODE_ENV=production for mjolnir
2022-07-10 17:37:39 -04:00
Daniel Micay
69b0ff7bb3
move nginx status API to socket
2022-07-02 12:38:33 -04:00
Daniel Micay
bac4280478
add gixy to deploy script
2022-06-28 00:03:13 -04:00
Daniel Micay
11579e87ca
reduce proxy send timeout
2022-06-27 23:58:50 -04:00
Daniel Micay
12d81c7885
use standard GrapheneOS mime.types
2022-06-26 17:51:01 -04:00
Daniel Micay
30209020a7
raise expected nginx version
2022-06-10 19:40:32 -04:00
Daniel Micay
9feb6f9d14
enable pinning feature for Element
2022-06-10 19:39:40 -04:00
Daniel Micay
0c46ce2027
deploy nginx snippets
2022-06-09 18:50:24 -04:00
dependabot[bot]
cd8acd3b69
Bump actions/setup-python from 3 to 4
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3 to 4.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-06-09 03:32:41 -04:00
Daniel Micay
3ff1fe54a9
add mjolnir systemd unit
2022-05-14 16:11:11 -04:00
Daniel Micay
c7f189ba29
add nginx mime.types configuration to deployment
2022-05-12 17:16:07 -04:00
Daniel Micay
2120e77103
improve flock error message
2022-05-08 05:45:52 -04:00
Daniel Micay
50570dc8a1
use new rsync fsync parameter
2022-05-05 02:22:36 -04:00
Daniel Micay
04fa0a2224
add file locking to deploy/process scripts
2022-05-05 00:26:23 -04:00
Daniel Micay
316a5c696b
enable sendfile support again
There's a remaining issue fixed in mainline that's not fixed in the
current stable branch yet, but it doesn't apply unless HTTP/2 is being
used without encryption. Currently sendfile is only really used for the
backend proxy connections in practice due to TLS, and those are never
HTTP/2.
2022-05-03 19:10:31 -04:00
Daniel Micay
21059f1360
add resolver setup to baseline configuration
2022-05-02 04:10:42 -04:00
Daniel Micay
087c1a6349
disable traditional stateful TLS session cache
This is useless for TLSv1.3 since there's no longer any distinction in
the protocol based on whether the server is using stateless or stateful
session resumption. OpenSSL has a non-standard anti-replay mechanism for
0-RTT based on stateful session resumption but 0-RTT still ends up being
a downgrade for the TLS security properties. nginx disables that feature
since otherwise 0-RTT wouldn't work with the default stateless approach.
Since this cache is only used for TLSv1.2 when stateless resumption
isn't disabled and nearly all TLSv1.2 clients support tickets, it isn't
getting any significant use. It provides worse forward secrecy than
tickets because we implement ticket key rotation based on the expiry
time and sessions aren't actively purged from the stateful cache when
they expire. Cached session state varies in size and nginx ends up
writing errors to the log when clearing out a session fails to make room
for a new one due to it being larger. It's best to finally get rid of
this flawed approach to session resumption.
TLSv1.3 provides the option of forward secrecy for resumed sessions and
it's the only approach that's normally enabled so we don't need to worry
about this anymore once TLSv1.2 is disabled as long as we never enable
0-RTT which weakens forward secrecy and other security properties.
2022-04-30 22:53:43 -04:00
Daniel Micay
a703ab5d8c
reduce proxy connect timeout
2022-04-18 10:26:47 -04:00
Daniel Micay
0a6c8e5c1f
use IPv6 only for internal nginx status service
2022-04-17 13:15:36 -04:00
Daniel Micay
0873450d3f
drop matrix.org servers from presence list
Our Element Web instance can only be used with the grapheneos.org
homeserver.
2022-04-13 20:58:10 -04:00
Daniel Micay
a87ea1b5fa
add grapheneos.org to list with disabled presence
2022-04-13 16:19:32 -04:00
Daniel Micay
df3fa938a5
update Element configuration
2022-04-13 16:19:31 -04:00
Daniel Micay
14bb49d1e6
combine ssh commands for deployment
2022-03-24 18:54:07 -04:00
dependabot[bot]
eb2b9dfe5c
Bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 02:50:44 -05:00