├── .github └── FUNDING.yml ├── .gitignore ├── LICENSE ├── README.md ├── boot └── loader │ ├── entries │ ├── arch-lts-fallback.conf │ └── arch-lts.conf │ └── loader.conf ├── certbot ├── 0.grapheneos.network ├── 0.grapheneos.org ├── 0.ns1.grapheneos.org ├── 0.ns2.grapheneos.org ├── 4.releases.grapheneos.org ├── attestation.app ├── discuss.grapheneos.org ├── grapheneos.social ├── mail.grapheneos.org ├── matrix.grapheneos.org ├── ns1.staging.grapheneos.org ├── staging.attestation.app └── staging.grapheneos.org ├── connection-stats ├── count ├── create-session-ticket-keys ├── deploy-initial ├── disconnect ├── dns-stats ├── etc ├── chrony.conf ├── crypttab ├── default │ ├── cpupower.amd │ ├── cpupower.intel │ └── grub ├── fstab.metal ├── fstab.virtual ├── locale.conf ├── logrotate.conf ├── logrotate.d │ └── letsencrypt ├── mkinitcpio.conf ├── mkinitcpio.d │ └── linux-lts.preset ├── modprobe.d │ └── local.conf ├── modules-load.d │ ├── local.conf │ └── softdog.conf ├── nftables │ ├── nftables-attestation.conf │ ├── nftables-discuss.conf │ ├── nftables-mail.conf │ ├── nftables-matrix.conf │ ├── nftables-network.conf │ ├── nftables-ns1.conf │ ├── nftables-ns2.conf │ ├── nftables-social.conf │ └── nftables-web.conf ├── pacman.conf ├── pacman.d │ └── mirrorlist ├── pacreport.conf ├── resolv.conf ├── ssh │ ├── ssh_config │ └── sshd_config ├── sysconfig │ └── chronyd ├── sysctl.d │ ├── local.conf │ └── metal.conf ├── systemd │ ├── journald.conf │ ├── network │ │ ├── 0.grapheneos.network.link │ │ ├── 0.grapheneos.network.network │ │ ├── 0.grapheneos.org.link │ │ ├── 0.grapheneos.org.network │ │ ├── 0.ns1.grapheneos.org.link │ │ ├── 0.ns1.grapheneos.org.network │ │ ├── 0.ns2.grapheneos.org.link │ │ ├── 0.ns2.grapheneos.org.network │ │ ├── 1.grapheneos.network.link │ │ ├── 1.grapheneos.network.network │ │ ├── 1.grapheneos.org.link │ │ ├── 1.grapheneos.org.network │ │ ├── 1.ns1.grapheneos.org.link │ │ ├── 1.ns1.grapheneos.org.network │ │ ├── 1.ns2.grapheneos.org.link │ │ ├── 
1.ns2.grapheneos.org.network │ │ ├── 2.grapheneos.network.link │ │ ├── 2.grapheneos.network.network │ │ ├── 2.grapheneos.org.link │ │ ├── 2.grapheneos.org.network │ │ ├── 2.ns1.grapheneos.org.link │ │ ├── 2.ns1.grapheneos.org.network │ │ ├── 2.ns2.grapheneos.org.link │ │ ├── 2.ns2.grapheneos.org.network │ │ ├── 3.grapheneos.network.link │ │ ├── 3.grapheneos.network.network │ │ ├── 3.grapheneos.org.link │ │ ├── 3.grapheneos.org.network │ │ ├── 3.ns1.grapheneos.org.link │ │ ├── 3.ns1.grapheneos.org.network │ │ ├── 4.releases.grapheneos.org.link │ │ ├── 4.releases.grapheneos.org.network │ │ ├── 5.releases.grapheneos.org.link │ │ ├── 5.releases.grapheneos.org.network │ │ ├── 6.releases.grapheneos.org.link │ │ ├── 6.releases.grapheneos.org.network │ │ ├── attestation.app.link │ │ ├── attestation.app.network │ │ ├── discuss.grapheneos.org.link │ │ ├── discuss.grapheneos.org.network │ │ ├── grapheneos.social.link │ │ ├── grapheneos.social.network │ │ ├── mail.grapheneos.org.link │ │ ├── mail.grapheneos.org.network │ │ ├── matrix.grapheneos.org.link │ │ ├── matrix.grapheneos.org.network │ │ ├── ns1.staging.grapheneos.org.link │ │ ├── ns1.staging.grapheneos.org.network │ │ ├── staging.attestation.app.link │ │ ├── staging.attestation.app.network │ │ ├── staging.grapheneos.org.link │ │ └── staging.grapheneos.org.network │ ├── networkd.conf │ ├── sleep.conf │ ├── system.conf │ └── system │ │ ├── -.slice.d │ │ └── override.conf │ │ ├── attestation.service.d │ │ └── override.conf │ │ ├── certbot-renew.service.d │ │ └── override.conf │ │ ├── chronyd.service.d │ │ └── override.conf │ │ ├── create-session-ticket-keys.service │ │ ├── fstrim.service.d │ │ └── override.conf │ │ ├── fstrim.timer.d │ │ └── override.conf │ │ ├── nginx.service.d │ │ └── override.conf │ │ ├── plocate-updatedb.service.d │ │ └── override.conf │ │ ├── rotate-session-ticket-keys.service │ │ ├── rotate-session-ticket-keys.timer │ │ ├── sshd.service.d │ │ └── override.conf │ │ ├── sysstat-collect.timer.d │ │ └── 
override.conf │ │ ├── system.slice.d │ │ └── override.conf │ │ ├── systemd-boot-update.service.d │ │ └── local.conf │ │ ├── unbound.service.d │ │ └── override.conf │ │ └── xfs_fsr.service ├── tmpfiles.d │ └── chrony.conf └── unbound │ └── unbound.conf ├── fetch-info ├── for ├── guide ├── dane.txt ├── nftables-dscp-counter.txt └── samsung-opal.txt ├── home └── .config │ ├── fish │ ├── config.fish │ └── functions │ │ └── fish_title.fish │ ├── inputrc │ ├── lesskey │ ├── nvim │ ├── autoload │ │ └── gruvbox.vim │ ├── colors │ │ └── gruvbox.vim │ └── init.vim │ └── user-tmpfiles.d │ └── vim.conf ├── hosts.sh ├── nginx-stats ├── ovh-mitigation ├── ovh-mitigation.py ├── packages ├── 0.grapheneos.network ├── 0.grapheneos.org ├── 0.ns1.grapheneos.org ├── 0.ns2.grapheneos.org ├── 1.grapheneos.network ├── 1.grapheneos.org ├── 1.ns1.grapheneos.org ├── 1.ns2.grapheneos.org ├── 2.grapheneos.network ├── 2.grapheneos.org ├── 2.ns1.grapheneos.org ├── 2.ns2.grapheneos.org ├── 3.grapheneos.network ├── 3.grapheneos.org ├── 3.ns1.grapheneos.org ├── 4.releases.grapheneos.org ├── 5.releases.grapheneos.org ├── 6.releases.grapheneos.org ├── attestation.app ├── discuss.grapheneos.org ├── grapheneos.social ├── mail.grapheneos.org ├── matrix.grapheneos.org ├── ns1.staging.grapheneos.org ├── staging.attestation.app └── staging.grapheneos.org ├── reboot ├── requirements.in ├── requirements.txt ├── rotate-session-ticket-keys └── setup /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: thestinger 2 | custom: ["https://grapheneos.org/donate", "https://attestation.app/donate"] 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /authorized_keys 2 | /authorized_keys-replica-grapheneos 3 | /authorized_keys-replica-network 4 | /authorized_keys-replica-ns1 5 | /authorized_keys-replica-ns2 6 | 
/authorized_keys-replica-releases 7 | /authorized_keys-staging-attestation 8 | /passwords/ 9 | /modules/ 10 | /sysctl/ 11 | /units/ 12 | /logs/ 13 | *.tmp 14 | /ovh-mitigation.json 15 | /ovh-mitigation.txt 16 | /venv/ 17 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright © 2014-2025 GrapheneOS 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy 4 | of this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | copies of the Software, and to permit persons to whom the Software is 8 | furnished to do so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in 11 | all copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 19 | THE SOFTWARE. 20 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Information about GrapheneOS servers is available in the [GrapheneOS servers 2 | article](https://grapheneos.org/articles/grapheneos-servers) on grapheneos.org. 
3 | -------------------------------------------------------------------------------- /boot/loader/entries/arch-lts-fallback.conf: -------------------------------------------------------------------------------- 1 | title Arch Linux LTS Fallback 2 | linux /vmlinuz-linux-lts 3 | initrd /amd-ucode.img 4 | initrd /initramfs-linux-lts-fallback.img 5 | options root=/dev/md/root rw slab_nomerge init_on_free=1 lockdown=confidentiality vsyscall=none ia32_emulation=0 preempt=none noautogroup libahci.ignore_sss=1 consoleblank=600 quiet 6 | -------------------------------------------------------------------------------- /boot/loader/entries/arch-lts.conf: -------------------------------------------------------------------------------- 1 | title Arch Linux LTS 2 | linux /vmlinuz-linux-lts 3 | initrd /amd-ucode.img 4 | initrd /initramfs-linux-lts.img 5 | options root=/dev/md/root rw slab_nomerge init_on_free=1 lockdown=confidentiality vsyscall=none ia32_emulation=0 preempt=none noautogroup libahci.ignore_sss=1 consoleblank=600 quiet 6 | -------------------------------------------------------------------------------- /boot/loader/loader.conf: -------------------------------------------------------------------------------- 1 | default arch-lts.conf 2 | -------------------------------------------------------------------------------- /certbot/0.grapheneos.network: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name grapheneos.network \ 5 | -d grapheneos.network \ 6 | -d www.grapheneos.network \ 7 | -d connectivitycheck.grapheneos.network \ 8 | -d grapheneos.online \ 9 | -d www.grapheneos.online \ 10 | -d connectivitycheck.grapheneos.online \ 11 | -d time.grapheneos.org \ 12 | -d remoteprovisioning.grapheneos.org \ 13 | -d widevineprovisioning.grapheneos.org \ 14 
| -d broadcom.psds.grapheneos.org \ 15 | -d samsung.psds.grapheneos.org \ 16 | -d qualcomm.psds.grapheneos.org \ 17 | -d supl.grapheneos.org \ 18 | -d nominatim.grapheneos.org \ 19 | -d gs-loc.apple.grapheneos.org \ 20 | -d update.vanadium.app \ 21 | -d dl.vanadium.app 22 | 23 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 24 | --key-type rsa --rsa-key-size 3072 --reuse-key --preferred-profile tlsserver \ 25 | --deploy-hook "nginx -s reload" \ 26 | --cert-name supl.grapheneos.org \ 27 | -d supl.grapheneos.org 28 | 29 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 30 | --key-type rsa --rsa-key-size 3072 --reuse-key \ 31 | --deploy-hook "nginx -s reload" \ 32 | --cert-name classic.supl.grapheneos.org \ 33 | -d supl.grapheneos.org 34 | -------------------------------------------------------------------------------- /certbot/0.grapheneos.org: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name grapheneos.org \ 5 | -d grapheneos.org \ 6 | -d www.grapheneos.org \ 7 | -d grapheneos.app \ 8 | -d www.grapheneos.app \ 9 | -d grapheneos.ca \ 10 | -d www.grapheneos.ca \ 11 | -d grapheneos.com \ 12 | -d www.grapheneos.com \ 13 | -d grapheneos.dev \ 14 | -d www.grapheneos.dev \ 15 | -d grapheneos.foundation \ 16 | -d www.grapheneos.foundation \ 17 | -d grapheneos.info \ 18 | -d www.grapheneos.info \ 19 | -d grapheneos.net \ 20 | -d www.grapheneos.net \ 21 | -d grapheneos.ovh \ 22 | -d www.grapheneos.ovh \ 23 | -d grapheneos.page \ 24 | -d www.grapheneos.page \ 25 | -d vanadium.app \ 26 | -d www.vanadium.app 27 | -------------------------------------------------------------------------------- /certbot/0.ns1.grapheneos.org: -------------------------------------------------------------------------------- 1 | 
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload; rsync -rLvc --delete --chmod=D750,F640 --chown root:dnsdist /etc/letsencrypt/live/ /etc/letsencrypt/dnsdist/; dnsdist -c -e 'reloadAllCertificates()'" \ 4 | --cert-name ns1.grapheneos.org \ 5 | -d ns1.grapheneos.org \ 6 | -d ns1.attestation.app \ 7 | -d ns1.grapheneos.app \ 8 | -d ns1.grapheneos.ca \ 9 | -d ns1.grapheneos.com \ 10 | -d ns1.grapheneos.dev \ 11 | -d ns1.grapheneos.foundation \ 12 | -d ns1.grapheneos.info \ 13 | -d ns1.grapheneos.net \ 14 | -d ns1.grapheneos.network \ 15 | -d ns1.grapheneos.online \ 16 | -d ns1.grapheneos.ovh \ 17 | -d ns1.grapheneos.page \ 18 | -d ns1.grapheneos.social \ 19 | -d ns1.seamlessupdate.app \ 20 | -d ns1.vanadium.app 21 | -------------------------------------------------------------------------------- /certbot/0.ns2.grapheneos.org: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload; rsync -rLvc --delete --chmod=D750,F640 --chown root:dnsdist /etc/letsencrypt/live/ /etc/letsencrypt/dnsdist/; dnsdist -c -e 'reloadAllCertificates()'" \ 4 | --cert-name ns2.grapheneos.org \ 5 | -d ns2.grapheneos.org \ 6 | -d ns2.attestation.app \ 7 | -d ns2.grapheneos.app \ 8 | -d ns2.grapheneos.ca \ 9 | -d ns2.grapheneos.com \ 10 | -d ns2.grapheneos.dev \ 11 | -d ns2.grapheneos.foundation \ 12 | -d ns2.grapheneos.info \ 13 | -d ns2.grapheneos.net \ 14 | -d ns2.grapheneos.network \ 15 | -d ns2.grapheneos.online \ 16 | -d ns2.grapheneos.ovh \ 17 | -d ns2.grapheneos.page \ 18 | -d ns2.grapheneos.social \ 19 | -d ns2.seamlessupdate.app \ 20 | -d ns2.vanadium.app 21 | -------------------------------------------------------------------------------- 
/certbot/4.releases.grapheneos.org: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name releases.grapheneos.org \ 5 | -d releases.grapheneos.org \ 6 | -d apps.grapheneos.org \ 7 | -d seamlessupdate.app \ 8 | -d www.seamlessupdate.app 9 | -------------------------------------------------------------------------------- /certbot/attestation.app: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name attestation.app \ 5 | -d attestation.app \ 6 | -d www.attestation.app 7 | -------------------------------------------------------------------------------- /certbot/discuss.grapheneos.org: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name discuss.grapheneos.org \ 5 | -d discuss.grapheneos.org 6 | -------------------------------------------------------------------------------- /certbot/grapheneos.social: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name grapheneos.social \ 5 | -d grapheneos.social \ 6 | -d www.grapheneos.social 7 | -------------------------------------------------------------------------------- /certbot/mail.grapheneos.org: 
-------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name mta-sts.mail.grapheneos.org \ 5 | -d mail.grapheneos.org \ 6 | -d mail.grapheneos.net \ 7 | -d mta-sts.attestation.app \ 8 | -d mta-sts.discuss.grapheneos.org \ 9 | -d mta-sts.grapheneos.app \ 10 | -d mta-sts.grapheneos.ca \ 11 | -d mta-sts.grapheneos.com \ 12 | -d mta-sts.grapheneos.dev \ 13 | -d mta-sts.grapheneos.foundation \ 14 | -d mta-sts.grapheneos.info \ 15 | -d mta-sts.grapheneos.net \ 16 | -d mta-sts.grapheneos.network \ 17 | -d mta-sts.grapheneos.online \ 18 | -d mta-sts.grapheneos.org \ 19 | -d mta-sts.grapheneos.ovh \ 20 | -d mta-sts.grapheneos.page \ 21 | -d mta-sts.grapheneos.social \ 22 | -d mta-sts.mail.grapheneos.org \ 23 | -d mta-sts.matrix.grapheneos.org \ 24 | -d mta-sts.seamlessupdate.app \ 25 | -d mta-sts.vanadium.app 26 | 27 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 28 | --key-type rsa --rsa-key-size 3072 --reuse-key \ 29 | --deploy-hook "postfix reload; dovecot reload" \ 30 | --cert-name mail.grapheneos.org \ 31 | -d mail.grapheneos.org \ 32 | -d mail.grapheneos.net 33 | -------------------------------------------------------------------------------- /certbot/matrix.grapheneos.org: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name matrix.grapheneos.org \ 5 | -d matrix.grapheneos.org \ 6 | -d element.grapheneos.org 7 | -------------------------------------------------------------------------------- /certbot/ns1.staging.grapheneos.org: -------------------------------------------------------------------------------- 1 | 
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload; rsync -rLvc --delete --chmod=D750,F640 --chown root:dnsdist /etc/letsencrypt/live/ /etc/letsencrypt/dnsdist/; dnsdist -c -e 'reloadAllCertificates()'" \ 4 | --cert-name ns1.staging.grapheneos.org \ 5 | -d ns1.staging.grapheneos.org \ 6 | -d ns2.staging.grapheneos.org \ 7 | -d ns1.staging.attestation.app \ 8 | -d ns2.staging.attestation.app 9 | -------------------------------------------------------------------------------- /certbot/staging.attestation.app: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name staging.attestation.app \ 5 | -d staging.attestation.app 6 | -------------------------------------------------------------------------------- /certbot/staging.grapheneos.org: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \ 2 | --key-type ecdsa --reuse-key --preferred-profile tlsserver \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name staging.grapheneos.org \ 5 | -d staging.grapheneos.org 6 | -------------------------------------------------------------------------------- /connection-stats: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -o errexit -o nounset -o pipefail 4 | 5 | [[ $# -eq 1 ]] || exit 1 6 | 7 | user=root 8 | 9 | . 
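hosts.sh

declare -n hosts=hosts_$1
for host in ${hosts[@]}; do
    echo $host
    echo

    ssh $user@$host ss -s

    echo
done

--------------------------------------------------------------------------------
/count:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Summarize the nginx access logs of the release servers: counts update checks,
# factory/install image downloads and OTA/incremental downloads for one release,
# broken down by device generation and by device codename.
#
# usage: count <release>   (release is the numeric release identifier)

set -o errexit -o nounset -o pipefail

[[ $# -ge 1 ]] || exit 1

. hosts.sh

DEVICES=(comet komodo caiman tokay akita husky shiba felix tangorpro lynx cheetah panther bluejay raven oriole barbet redfin bramble sunfish coral flame)

# device codenames grouped by Pixel generation, as PCRE alternations; the
# generation list fixes the output order
GENERATIONS=(9 8 7 6 5 4)
declare -A GEN_DEVICES=(
    [9]='comet|komodo|caiman|tokay'
    [8]='akita|husky|shiba'
    [7]='felix|tangorpro|lynx|cheetah|panther'
    [6]='bluejay|raven|oriole'
    [5]='barbet|redfin|bramble'
    [4]='sunfish|coral|flame'
)

release=$1

# $release is interpolated into the PCRE patterns below and those patterns
# already assume a digit-only identifier (incremental-<from>-<to>), so reject
# anything else instead of letting regex metacharacters change what is counted
[[ $release =~ ^[0-9]+$ ]] || exit 1

rm -rf logs
mkdir logs

for host in "${hosts_releases[@]}"; do
    echo obtaining logs from "$host"
    ssh "$host" journalctl -u nginx -o cat -g ' 200 ' >> logs/merged.log
done

# requests made by devices carry a Dalvik user agent
grep Dalvik/ logs/merged.log > logs/merged-device.log

# print "<label> <n>" where n is the number of lines of file $3 matching PCRE $2
report() {
    echo "$1" "$(grep -Pc -- "$2" "$3")"
}

# print one section: heading $1, then the total, per-generation and per-device
# counts of requests whose path matches /<device>-$2 in log file $3
section() {
    echo
    echo "$1"
    report total "/\w+-$2" "$3"
    for gen in "${GENERATIONS[@]}"; do
        report "gen $gen" "/(${GEN_DEVICES[$gen]})-$2" "$3"
    done

    echo

    for device in "${DEVICES[@]}"; do
        report "$device" "/$device-$2" "$3"
    done
}

# the ".zip" suffix is matched literally; the previous patterns used an unescaped
# "." which matched any character
section 'update checks' '(stable|beta|alpha)' logs/merged-device.log
section 'factory images' '(factory|install)-\d+\.zip' logs/merged.log
# gen 9 previously used "(ota_update|incremental)-\d+" without the release filter,
# so it counted OTAs of every release and never matched incrementals; every
# generation now shares the same pattern as the total
section "updates to $release" "(ota_update|incremental-\d+)-$release\.zip" logs/merged-device.log

--------------------------------------------------------------------------------
/create-session-ticket-keys:
--------------------------------------------------------------------------------
#!/bin/bash

set -o errexit -o nounset -o pipefail

cd /etc/session-ticket-keys
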
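for i in {1..4}; do
    # NOTE(review): this line is garbled in the extracted copy (no input source
    # or output redirection is visible); verify it against the repository
    head -c 80 $i.key
done

cat {1..4}.key > keys

--------------------------------------------------------------------------------
/deploy-initial:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Initial provisioning of one server from a booted Arch Linux ISO: partitions
# the drive, installs the packages listed in packages/<host>, installs GRUB,
# copies the per-host configuration from this repository into the new root,
# enables the base services and creates the swap file.
#
# usage: deploy-initial <host>   (host is a key of the maps defined in hosts.sh)

set -o errexit -o nounset -o pipefail

. hosts.sh

[[ $# -eq 1 ]] || exit 1

readonly host=$1
readonly ip=${hosts_ipv4_address[$host]}
readonly hostname=${hosts_hostname[$host]}
readonly agcount=${hosts_agcount[$host]:-4}
readonly swap=${hosts_swap[$host]:-2048}
readonly remote=root@$ip

# assigned separately from readonly so that a failed ssh is not masked by the
# builtin's exit status and errexit stops the script
drive=$(ssh "$remote" '[[ -e /dev/sda ]] && echo sda || echo vda')
readonly drive

# aliases are not expanded in non-interactive shells, so the former
# "alias rsync=..." had no effect; a function adds --preallocate to every
# rsync invocation below
rsync() {
    command rsync --preallocate "$@"
}

# the rendered temporary config files live next to their templates (they are
# gitignored via *.tmp); remove them however the script exits
trap 'rm -f etc/chrony.conf.tmp etc/ssh/sshd_config.tmp' EXIT

# check for Arch ISO
ssh "$remote" '[[ $(grep IMAGE_ID /etc/os-release) = "IMAGE_ID=archlinux" ]]' || exit 5
ssh "$remote" '[[ $(grep IMAGE_VERSION /etc/os-release) = "IMAGE_VERSION=2025.05.01" ]]' || exit 5

# single partition spanning the whole drive, formatted as XFS
ssh "$remote" "sfdisk /dev/$drive -w always <<< ';'"
ssh "$remote" "mkfs.xfs -d agcount=$agcount -f /dev/${drive}1"
rsync -cv etc/pacman.d/mirrorlist "$remote:/etc/pacman.d/mirrorlist"
ssh "$remote" "mount /dev/${drive}1 /mnt"
ssh "$remote" "pacstrap -K /mnt $(tr '\n' ' ' < "packages/$host")"

rsync -cv etc/default/grub "$remote:/mnt/etc/default/grub"
ssh "$remote" "arch-chroot /mnt grub-install /dev/$drive"
ssh "$remote" "arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg"

ssh "$remote" "echo $hostname >/mnt/etc/hostname"

rsync -cpv --chmod=644 "etc/systemd/network/$host.link" "$remote:/mnt/etc/systemd/network/10-public.link"
rsync -cpv --chmod=644 "etc/systemd/network/$host.network" "$remote:/mnt/etc/systemd/network/10-public.network"

rsync -cpv --chmod=644 etc/fstab.virtual "$remote:/mnt/etc/fstab"
rsync -cpv --chmod=644 etc/{crypttab,locale.conf,mkinitcpio.conf,pacman.conf,pacreport.conf,resolv.conf} "$remote:/mnt/etc/"

rsync -cv etc/unbound/unbound.conf "$remote:/mnt/etc/unbound/unbound.conf"

# the grapheneos.network hosts additionally serve NTP, hence the extra "allow"
if [[ $host = @(0.grapheneos.network|1.grapheneos.network|2.grapheneos.network|3.grapheneos.network) ]]; then
    cp etc/chrony.conf etc/chrony.conf.tmp
    echo -e '\nallow' >> etc/chrony.conf.tmp
    rsync -cv etc/chrony.conf.tmp "$remote:/mnt/etc/chrony.conf"
    rm etc/chrony.conf.tmp
else
    rsync -cv etc/chrony.conf "$remote:/mnt/etc/chrony.conf"
fi
ssh "$remote" mkdir -vp /mnt/etc/sysconfig
rsync -cpv --chmod 644 etc/sysconfig/chronyd "$remote:/mnt/etc/sysconfig/chronyd"

rsync -cv "${hosts_authorized_keys[$host]:-authorized_keys}" "$remote:/mnt/root/.ssh/authorized_keys"
# render the {{ssh_users}} placeholder of the sshd_config template for this host
cp etc/ssh/sshd_config etc/ssh/sshd_config.tmp
sed -i "s/{{ssh_users}}/${hosts_ssh_users[$host]:-root}/g" etc/ssh/sshd_config.tmp
rsync -cv etc/ssh/sshd_config.tmp "$remote:/mnt/etc/ssh/sshd_config"
rm etc/ssh/sshd_config.tmp

rsync -cv "etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf" "$remote:/mnt/etc/nftables.conf"

ssh "$remote" "arch-chroot /mnt systemctl enable chronyd.service fstrim.timer logrotate.timer nftables.service plocate-updatedb.timer systemd-networkd.service systemd-oomd.service sshd.service sysstat.service unbound.service"
ssh "$remote" "arch-chroot /mnt systemctl disable remote-fs.target systemd-network-generator.service systemd-userdbd.socket"
ssh "$remote" "arch-chroot /mnt groupadd -g 2000 io_uring"
ssh "$remote" "arch-chroot /mnt groupadd -g 2100 tls"

# swap file is fully written (not sparse) and created with mode 0600 via the umask
ssh "$remote" "umask 077 && dd if=/dev/random of=/mnt/swapfile bs=1M count=$swap status=progress"

ssh "$remote" "arch-chroot /mnt chsh -s /usr/bin/fish"

# NOTE(review): the extracted copy of this script is truncated from here: the
# password line below is garbled, and the rest of the script together with the
# head of /etc/mkinitcpio.conf that follows it is missing from this page
password=$(head -c32 <(tr -dc A-Za-z0-9 ' for 26 | # help on a given hook. 27 | # 'base' is _required_ unless you know precisely what you are doing.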
28 | # 'udev' is _required_ in order to automatically load modules 29 | # 'filesystems' is _required_ unless you specify your fs modules in MODULES 30 | # Examples: 31 | ## This setup specifies all modules in the MODULES setting above. 32 | ## No RAID, lvm2, or encrypted root is needed. 33 | # HOOKS=(base) 34 | # 35 | ## This setup will autodetect all modules for your system and should 36 | ## work as a sane default 37 | # HOOKS=(base udev autodetect modconf block filesystems fsck) 38 | # 39 | ## This setup will generate a 'full' image which supports most systems. 40 | ## No autodetection is done. 41 | # HOOKS=(base udev modconf block filesystems fsck) 42 | # 43 | ## This setup assembles a mdadm array with an encrypted root file system. 44 | ## Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices. 45 | # HOOKS=(base udev modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck) 46 | # 47 | ## This setup loads an lvm2 volume group. 48 | # HOOKS=(base udev modconf block lvm2 filesystems fsck) 49 | # 50 | ## This will create a systemd based initramfs which loads an encrypted root filesystem. 51 | # HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck) 52 | # 53 | ## NOTE: If you have /usr on a separate partition, you MUST include the 54 | # usr and fsck hooks. 55 | HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block filesystems fsck) 56 | 57 | # COMPRESSION 58 | # Use this to compress the initramfs image. By default, zstd compression 59 | # is used for Linux ≥ 5.9 and gzip compression is used for Linux < 5.9. 60 | # Use 'cat' to create an uncompressed image. 
61 | #COMPRESSION="zstd" 62 | #COMPRESSION="gzip" 63 | #COMPRESSION="bzip2" 64 | #COMPRESSION="lzma" 65 | #COMPRESSION="xz" 66 | #COMPRESSION="lzop" 67 | #COMPRESSION="lz4" 68 | 69 | # COMPRESSION_OPTIONS 70 | # Additional options for the compressor 71 | #COMPRESSION_OPTIONS=() 72 | 73 | # MODULES_DECOMPRESS 74 | # Decompress loadable kernel modules and their firmware during initramfs 75 | # creation. Switch (yes/no). 76 | # Enable to allow further decreasing image size when using high compression 77 | # (e.g. xz -9e or zstd --long --ultra -22) at the expense of increased RAM usage 78 | # at early boot. 79 | # Note that any compressed files will be placed in the uncompressed early CPIO 80 | # to avoid double compression. 81 | #MODULES_DECOMPRESS="no" 82 | -------------------------------------------------------------------------------- /etc/mkinitcpio.d/linux-lts.preset: -------------------------------------------------------------------------------- 1 | # mkinitcpio preset file for the 'linux-lts' package 2 | 3 | #ALL_config="/etc/mkinitcpio.conf" 4 | ALL_kver="/boot/vmlinuz-linux-lts" 5 | 6 | PRESETS=('default') 7 | 8 | #default_config="/etc/mkinitcpio.conf" 9 | default_image="/boot/initramfs-linux-lts.img" 10 | #default_uki="/efi/EFI/Linux/arch-linux-lts.efi" 11 | #default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp" 12 | 13 | #fallback_config="/etc/mkinitcpio.conf" 14 | fallback_image="/boot/initramfs-linux-lts-fallback.img" 15 | #fallback_uki="/efi/EFI/Linux/arch-linux-lts-fallback.efi" 16 | fallback_options="-S autodetect" 17 | -------------------------------------------------------------------------------- /etc/modprobe.d/local.conf: -------------------------------------------------------------------------------- 1 | blacklist cfg80211 2 | blacklist floppy 3 | blacklist intel_agp 4 | blacklist ip_tables 5 | blacklist joydev 6 | blacklist mousedev 7 | blacklist pcspkr 8 | blacklist psmouse 9 | blacklist snd_intel8x0 10 | blacklist sr_mod 11 | 
blacklist tls 12 | blacklist virtio_balloon 13 | blacklist virtio_console 14 | -------------------------------------------------------------------------------- /etc/modules-load.d/local.conf: -------------------------------------------------------------------------------- 1 | nf_conntrack 2 | -------------------------------------------------------------------------------- /etc/modules-load.d/softdog.conf: -------------------------------------------------------------------------------- 1 | softdog 2 | -------------------------------------------------------------------------------- /etc/nftables/nftables-attestation.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 | 3 | flush ruleset 4 | 5 | table inet filter { 6 | set ip-connlimit-ssh { 7 | type ipv4_addr 8 | flags dynamic 9 | } 10 | 11 | set ip6-connlimit-ssh { 12 | type ipv6_addr 13 | flags dynamic 14 | } 15 | 16 | set ip-connlimit-main { 17 | type ipv4_addr 18 | flags dynamic 19 | } 20 | 21 | set ip6-connlimit-main { 22 | type ipv6_addr 23 | flags dynamic 24 | } 25 | 26 | chain prerouting-raw { 27 | type filter hook prerouting priority raw 28 | policy drop 29 | 30 | # drop packets without a reverse path (strict reverse path filtering) 31 | fib saddr . iif oif missing counter drop 32 | 33 | iif lo notrack accept 34 | 35 | # drop packets to address not configured on incoming interface (strong host model) 36 | # 37 | # ordered after accepting loopback to permit using external IPs via loopback 38 | fib daddr . 
iif type != { local, broadcast, multicast } counter drop 39 | 40 | # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion 41 | tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept 42 | 43 | meta l4proto { tcp, udp } accept 44 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 45 | meta l4proto ipv6-icmp notrack accept 46 | } 47 | 48 | chain input { 49 | type filter hook input priority filter 50 | policy drop 51 | 52 | tcp dport { 22, 80, 443 } goto input-tcp-service 53 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 54 | } 55 | 56 | chain input-tcp-service { 57 | iif lo goto input-tcp-service-loopback 58 | 59 | # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough 60 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 61 | 62 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 63 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 64 | tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset 65 | tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 66 | synproxy mss 1460 wscale 7 timestamp sack-perm 67 | } 68 | 69 | chain input-tcp-service-new { 70 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 71 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 72 | tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset 73 | tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 74 | accept 75 | } 76 | 77 | # add connections established without synproxy to 
connection limit sets with limits enforced 78 | chain input-tcp-service-established { 79 | ct mark 0x1 accept 80 | tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 81 | tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 82 | tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 83 | tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 84 | ct mark set 0x1 accept 85 | } 86 | 87 | # add connections established with synproxy to connection limit sets with limits enforced 88 | chain input-tcp-service-loopback { 89 | tcp flags != syn accept 90 | tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 91 | tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 92 | tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 93 | tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 94 | ct mark set 0x1 accept 95 | } 96 | 97 | chain forward { 98 | type filter hook forward priority filter 99 | policy drop 100 | } 101 | 102 | chain output-raw { 103 | type filter hook output priority raw 104 | 105 | oif lo goto output-raw-loopback 106 | skuid != { root, systemd-network, unbound, alpm, chrony, http, attestation } counter goto graceful-reject 107 | meta l4proto { icmp, ipv6-icmp } notrack accept 108 | } 109 | 110 | chain output-raw-loopback { 111 | skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8080 notrack accept 112 | skuid { alpm, chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 notrack accept 113 | 114 | skuid 
attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 notrack accept 115 | skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 notrack accept 116 | 117 | skuid != root counter goto graceful-reject 118 | notrack accept 119 | } 120 | 121 | chain graceful-reject { 122 | meta l4proto udp reject 123 | meta l4proto tcp reject with tcp reset 124 | reject 125 | } 126 | } 127 | -------------------------------------------------------------------------------- /etc/nftables/nftables-discuss.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 | 3 | flush ruleset 4 | 5 | table inet filter { 6 | set ip-connlimit-ssh { 7 | type ipv4_addr 8 | flags dynamic 9 | } 10 | 11 | set ip6-connlimit-ssh { 12 | type ipv6_addr 13 | flags dynamic 14 | } 15 | 16 | set ip-connlimit-main { 17 | type ipv4_addr 18 | flags dynamic 19 | } 20 | 21 | set ip6-connlimit-main { 22 | type ipv6_addr 23 | flags dynamic 24 | } 25 | 26 | chain prerouting-raw { 27 | type filter hook prerouting priority raw 28 | policy drop 29 | 30 | # drop packets without a reverse path (strict reverse path filtering) 31 | fib saddr . iif oif missing counter drop 32 | 33 | iif lo notrack accept 34 | 35 | # drop packets to address not configured on incoming interface (strong host model) 36 | # 37 | # ordered after accepting loopback to permit using external IPs via loopback 38 | fib daddr . 
iif type != { local, broadcast, multicast } counter drop 39 | 40 | # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion 41 | tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept 42 | 43 | meta l4proto { tcp, udp } accept 44 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 45 | meta l4proto ipv6-icmp notrack accept 46 | } 47 | 48 | chain input { 49 | type filter hook input priority filter 50 | policy drop 51 | 52 | tcp dport { 22, 80, 443 } goto input-tcp-service 53 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 54 | } 55 | 56 | chain input-tcp-service { 57 | iif lo goto input-tcp-service-loopback 58 | 59 | # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough 60 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 61 | 62 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 63 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 64 | tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset 65 | tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 66 | synproxy mss 1460 wscale 7 timestamp sack-perm 67 | } 68 | 69 | chain input-tcp-service-new { 70 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 71 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 72 | tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset 73 | tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 74 | accept 75 | } 76 | 77 | # add connections established without synproxy to 
connection limit sets with limits enforced 78 | chain input-tcp-service-established { 79 | ct mark 0x1 accept 80 | tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 81 | tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 82 | tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 83 | tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 84 | ct mark set 0x1 accept 85 | } 86 | 87 | # add connections established with synproxy to connection limit sets with limits enforced 88 | chain input-tcp-service-loopback { 89 | tcp flags != syn accept 90 | tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 91 | tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 92 | tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 93 | tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 94 | ct mark set 0x1 accept 95 | } 96 | 97 | chain forward { 98 | type filter hook forward priority filter 99 | policy drop 100 | } 101 | 102 | chain output-raw { 103 | type filter hook output priority raw 104 | 105 | oif lo goto output-raw-loopback 106 | skuid != { root, systemd-network, unbound, alpm, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject 107 | meta l4proto { icmp, ipv6-icmp } notrack accept 108 | } 109 | 110 | chain output-raw-loopback { 111 | skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept 112 | skuid { alpm, chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept 113 | 114 | 
skuid != root counter goto graceful-reject 115 | notrack accept 116 | } 117 | 118 | chain graceful-reject { 119 | meta l4proto udp reject 120 | meta l4proto tcp reject with tcp reset 121 | reject 122 | } 123 | } 124 | -------------------------------------------------------------------------------- /etc/nftables/nftables-mail.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 | 3 | flush ruleset 4 | 5 | table inet filter { 6 | define ip-allowlist-main = { 7 | 51.79.66.27, # attestation.app 8 | 51.79.52.38, # discuss.grapheneos.org 9 | 51.79.51.42, # matrix.grapheneos.org 10 | } 11 | 12 | define ip6-allowlist-main = { 13 | 2607:5300:205:200::7e9, # attestation.app 14 | 2607:5300:205:200::3c4, # discuss.grapheneos.org 15 | 2607:5300:205:200::26e1, # matrix.grapheneos.org 16 | } 17 | 18 | set ip-connlimit-ssh { 19 | type ipv4_addr 20 | flags dynamic 21 | } 22 | 23 | set ip6-connlimit-ssh { 24 | type ipv6_addr 25 | flags dynamic 26 | } 27 | 28 | set ip-connlimit-main { 29 | type ipv4_addr 30 | flags dynamic 31 | } 32 | 33 | set ip6-connlimit-main { 34 | type ipv6_addr 35 | flags dynamic 36 | } 37 | 38 | chain prerouting-raw { 39 | type filter hook prerouting priority raw 40 | policy drop 41 | 42 | # drop packets without a reverse path (strict reverse path filtering) 43 | fib saddr . iif oif missing counter drop 44 | 45 | iif lo notrack accept 46 | 47 | # drop packets to address not configured on incoming interface (strong host model) 48 | # 49 | # ordered after accepting loopback to permit using external IPs via loopback 50 | fib daddr . 
iif type != { local, broadcast, multicast } counter drop 51 | 52 | # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion 53 | tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept 54 | 55 | meta l4proto { tcp, udp } accept 56 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 57 | meta l4proto ipv6-icmp notrack accept 58 | } 59 | 60 | chain input { 61 | type filter hook input priority filter 62 | policy drop 63 | 64 | tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service 65 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 66 | } 67 | 68 | chain input-tcp-service { 69 | iif lo goto input-tcp-service-loopback 70 | 71 | # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough 72 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 73 | 74 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 75 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 76 | tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset 77 | tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 78 | synproxy mss 1460 wscale 7 timestamp sack-perm 79 | } 80 | 81 | chain input-tcp-service-new { 82 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 83 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 84 | tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset 85 | tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp 
reset 86 | accept 87 | } 88 | 89 | # add connections established without synproxy to connection limit sets with limits enforced 90 | chain input-tcp-service-established { 91 | ct mark 0x1 accept 92 | tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 93 | tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 94 | tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 95 | tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 96 | ct mark set 0x1 accept 97 | } 98 | 99 | # add connections established with synproxy to connection limit sets with limits enforced 100 | chain input-tcp-service-loopback { 101 | tcp flags != syn accept 102 | tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 103 | tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 104 | tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 105 | tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 106 | ct mark set 0x1 accept 107 | } 108 | 109 | chain forward { 110 | type filter hook forward priority filter 111 | policy drop 112 | } 113 | 114 | chain output-raw { 115 | type filter hook output priority raw 116 | 117 | oif lo goto output-raw-loopback 118 | skuid != { root, systemd-network, unbound, alpm, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject 119 | meta l4proto { icmp, ipv6-icmp } notrack accept 120 | } 121 | 
122 | chain output-raw-loopback { 123 | skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept 124 | skuid { alpm, chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept 125 | 126 | skuid != root counter goto graceful-reject 127 | notrack accept 128 | } 129 | 130 | chain graceful-reject { 131 | meta l4proto udp reject 132 | meta l4proto tcp reject with tcp reset 133 | reject 134 | } 135 | } 136 | -------------------------------------------------------------------------------- /etc/nftables/nftables-matrix.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 | 3 | flush ruleset 4 | 5 | table inet filter { 6 | set ip-connlimit-ssh { 7 | type ipv4_addr 8 | flags dynamic 9 | } 10 | 11 | set ip6-connlimit-ssh { 12 | type ipv6_addr 13 | flags dynamic 14 | } 15 | 16 | set ip-connlimit-main { 17 | type ipv4_addr 18 | flags dynamic 19 | } 20 | 21 | set ip6-connlimit-main { 22 | type ipv6_addr 23 | flags dynamic 24 | } 25 | 26 | chain prerouting-raw { 27 | type filter hook prerouting priority raw 28 | policy drop 29 | 30 | # drop packets without a reverse path (strict reverse path filtering) 31 | fib saddr . iif oif missing counter drop 32 | 33 | iif lo notrack accept 34 | 35 | # drop packets to address not configured on incoming interface (strong host model) 36 | # 37 | # ordered after accepting loopback to permit using external IPs via loopback 38 | fib daddr . 
iif type != { local, broadcast, multicast } counter drop 39 | 40 | # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion 41 | tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept 42 | 43 | meta l4proto { tcp, udp } accept 44 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 45 | meta l4proto ipv6-icmp notrack accept 46 | } 47 | 48 | chain input { 49 | type filter hook input priority filter 50 | policy drop 51 | 52 | tcp dport { 22, 80, 443 } goto input-tcp-service 53 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 54 | } 55 | 56 | chain input-tcp-service { 57 | iif lo goto input-tcp-service-loopback 58 | 59 | # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough 60 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 61 | 62 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 63 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 64 | tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset 65 | tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 66 | synproxy mss 1460 wscale 7 timestamp sack-perm 67 | } 68 | 69 | chain input-tcp-service-new { 70 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 71 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 72 | tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset 73 | tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 74 | accept 75 | } 76 | 77 | # add connections established without synproxy to 
connection limit sets with limits enforced 78 | chain input-tcp-service-established { 79 | ct mark 0x1 accept 80 | tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 81 | tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 82 | tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 83 | tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 84 | ct mark set 0x1 accept 85 | } 86 | 87 | # add connections established with synproxy to connection limit sets with limits enforced 88 | chain input-tcp-service-loopback { 89 | tcp flags != syn accept 90 | tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 91 | tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 92 | tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 93 | tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 94 | ct mark set 0x1 accept 95 | } 96 | 97 | chain forward { 98 | type filter hook forward priority filter 99 | policy drop 100 | } 101 | 102 | chain output-raw { 103 | type filter hook output priority raw 104 | 105 | oif lo goto output-raw-loopback 106 | skuid != { root, systemd-network, unbound, alpm, chrony, http, synapse, matterbridge } counter goto graceful-reject 107 | meta l4proto { icmp, ipv6-icmp } notrack accept 108 | } 109 | 110 | chain output-raw-loopback { 111 | skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 notrack accept 112 | skuid { alpm, chrony, synapse, matterbridge, mjolnir } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 notrack 
accept 113 | 114 | skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 notrack accept 115 | 116 | skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 notrack accept 117 | skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 notrack accept 118 | skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 notrack accept 119 | 120 | skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 notrack accept 121 | skuid matterbridge tcp sport >= 1024 tcp sport != 8008 tcp dport 443 notrack accept 122 | skuid synapse tcp sport >= 1024 tcp sport != 8008 tcp dport 443 notrack accept 123 | skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 443 notrack accept 124 | 125 | skuid != root counter goto graceful-reject 126 | notrack accept 127 | } 128 | 129 | chain graceful-reject { 130 | meta l4proto udp reject 131 | meta l4proto tcp reject with tcp reset 132 | reject 133 | } 134 | } 135 | -------------------------------------------------------------------------------- /etc/nftables/nftables-network.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 | 3 | flush ruleset 4 | 5 | table inet filter { 6 | define ip-allowlist-ssh = { 7 | 51.222.159.116, # 0.grapheneos.network 8 | } 9 | 10 | define ip6-allowlist-ssh = { 11 | 2607:5300:205:200::2584, # 0.grapheneos.network 12 | } 13 | 14 | set ip-connlimit-ssh { 15 | type ipv4_addr 16 | flags dynamic 17 | } 18 | 19 | set ip6-connlimit-ssh { 20 | type ipv6_addr 21 | flags dynamic 22 | } 23 | 24 | set ip-connlimit-main { 25 | type ipv4_addr 26 | flags dynamic 27 | } 28 | 29 | set ip6-connlimit-main { 30 | type ipv6_addr 31 | flags dynamic 32 | } 33 | 34 | chain prerouting-raw { 35 | type filter hook prerouting priority raw 36 | policy drop 37 | 38 | # drop packets without a reverse path (strict reverse path filtering) 39 | fib saddr . 
iif oif missing counter drop 40 | 41 | iif lo notrack accept 42 | 43 | # drop packets to an address not configured on the incoming interface (strong host model) 44 | # 45 | # ordered after the loopback accept so that external IPs remain usable via loopback 46 | fib daddr . iif type != { local, broadcast, multicast } counter drop 47 | 48 | # handle new TCP connections beyond the rate limit via synproxy to avoid conntrack table exhaustion 49 | tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept 50 | 51 | udp dport 123 notrack accept 52 | 53 | meta l4proto { tcp, udp } accept 54 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 55 | meta l4proto ipv6-icmp notrack accept 56 | } 57 | 58 | chain input { 59 | type filter hook input priority filter 60 | policy drop 61 | 62 | tcp dport { 22, 80, 443, 7275 } goto input-tcp-service 63 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 64 | } 65 | 66 | chain input-tcp-service { 67 | iif lo goto input-tcp-service-loopback 68 | 69 | # for synproxy, the SYN is untracked and the first ACK is invalid; both are handled by falling through 70 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 71 | 72 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 73 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 74 | tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset 75 | tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 76 | synproxy mss 1460 wscale 7 timestamp sack-perm 77 | } 78 | 79 | chain input-tcp-service-new { 80 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 81 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: 
@ip6-connlimit-ssh counter reject with tcp reset 82 | tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset 83 | tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 84 | accept 85 | } 86 | 87 | # add connections established without synproxy to connection limit sets with limits enforced 88 | chain input-tcp-service-established { 89 | ct mark 0x1 accept 90 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 91 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 92 | tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 93 | tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 94 | ct mark set 0x1 accept 95 | } 96 | 97 | # add connections established with synproxy to connection limit sets with limits enforced 98 | chain input-tcp-service-loopback { 99 | tcp flags != syn accept 100 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 101 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 102 | tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 103 | tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 104 | ct mark set 0x1 accept 105 | } 106 | 107 | chain forward { 108 | type filter hook forward priority filter 109 | policy drop 110 | } 111 | 112 | chain output-raw { 113 | type filter hook output priority raw 114 | 115 | oif lo goto 
output-raw-loopback 116 | skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject 117 | udp sport 123 notrack accept 118 | meta l4proto { icmp, ipv6-icmp } notrack accept 119 | } 120 | 121 | chain output-raw-loopback { 122 | skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept 123 | skuid { alpm, chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept 124 | 125 | skuid != root counter goto graceful-reject 126 | notrack accept 127 | } 128 | 129 | chain graceful-reject { 130 | meta l4proto udp reject 131 | meta l4proto tcp reject with tcp reset 132 | reject 133 | } 134 | } 135 | -------------------------------------------------------------------------------- /etc/nftables/nftables-ns1.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 | 3 | flush ruleset 4 | 5 | table inet filter { 6 | define ip-anycast = 185.187.152.9 7 | define ip6-anycast = 2a05:b0c4:1::8 8 | 9 | define ip-allowlist-ssh = { 10 | 51.161.34.158, # 0.ns1.grapheneos.org 11 | } 12 | 13 | define ip6-allowlist-ssh = { 14 | 2607:5300:205:200::eaa, # 0.ns1.grapheneos.org 15 | } 16 | 17 | set ip-connlimit-ssh { 18 | type ipv4_addr 19 | flags dynamic 20 | } 21 | 22 | set ip6-connlimit-ssh { 23 | type ipv6_addr 24 | flags dynamic 25 | } 26 | 27 | set ip-connlimit-main { 28 | type ipv4_addr 29 | flags dynamic 30 | } 31 | 32 | set ip6-connlimit-main { 33 | type ipv6_addr 34 | flags dynamic 35 | } 36 | 37 | chain prerouting-raw { 38 | type filter hook prerouting priority raw 39 | policy drop 40 | 41 | # drop packets without a reverse path (strict reverse path filtering) 42 | fib saddr . iif oif missing counter drop 43 | 44 | iif lo notrack accept 45 | 46 | # drop packets to address not configured on incoming interface (strong host model) 47 | # 48 | # ordered after accepting loopback to permit using external IPs via loopback 49 | fib daddr . 
iif type != { local, broadcast, multicast } counter drop 50 | 51 | udp dport 53 notrack accept 52 | 53 | tcp dport 22 ip daddr $ip-anycast drop 54 | tcp dport 22 ip6 daddr $ip6-anycast drop 55 | 56 | # handle new TCP connections beyond the rate limit via synproxy to avoid conntrack table exhaustion 57 | tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept 58 | 59 | meta l4proto { tcp, udp } accept 60 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 61 | meta l4proto ipv6-icmp notrack accept 62 | } 63 | 64 | chain input { 65 | type filter hook input priority filter 66 | policy drop 67 | 68 | tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service 69 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 70 | } 71 | 72 | chain input-tcp-service { 73 | iif lo goto input-tcp-service-loopback 74 | 75 | # for synproxy, the SYN is untracked and the first ACK is invalid; both are handled by falling through 76 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 77 | 78 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 79 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 80 | tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset 81 | tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 82 | synproxy mss 1460 wscale 7 timestamp sack-perm 83 | } 84 | 85 | chain input-tcp-service-new { 86 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 87 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 88 | tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset 89 | tcp 
dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 90 | accept 91 | } 92 | 93 | # add connections established without synproxy to connection limit sets with limits enforced 94 | chain input-tcp-service-established { 95 | ct mark 0x1 accept 96 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 97 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 98 | tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset 99 | tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset 100 | ct mark set 0x1 accept 101 | } 102 | 103 | # add connections established with synproxy to connection limit sets with limits enforced 104 | chain input-tcp-service-loopback { 105 | tcp flags != syn accept 106 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 107 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 108 | tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset 109 | tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset 110 | ct mark set 0x1 accept 111 | } 112 | 113 | chain forward { 114 | type filter hook forward priority filter 115 | policy drop 116 | } 117 | 118 | chain output-raw { 119 | type filter hook output priority raw 120 | 121 | oif lo goto output-raw-loopback 122 | skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate, 
zerotier-one, bird } counter goto graceful-reject 123 | udp sport 53 notrack accept 124 | meta l4proto { icmp, ipv6-icmp } notrack accept 125 | } 126 | 127 | chain output-raw-loopback { 128 | skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept 129 | skuid { alpm, chrony, geoipupdate, zerotier-one } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept 130 | 131 | skuid powerdns meta l4proto { tcp, udp } th sport 54 th dport >= 1024 notrack accept 132 | skuid dnsdist meta l4proto { tcp, udp } th sport >= 1024 th dport 54 notrack accept 133 | 134 | skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept 135 | 136 | skuid dnsdist meta l4proto tcp th sport 5199 th dport >= 1024 notrack accept 137 | 138 | skuid zerotier-one meta l4proto tcp th sport 9993 th dport >= 1024 notrack accept 139 | 140 | skuid != root counter goto graceful-reject 141 | notrack accept 142 | } 143 | 144 | chain graceful-reject { 145 | meta l4proto udp reject 146 | meta l4proto tcp reject with tcp reset 147 | reject 148 | } 149 | } 150 | -------------------------------------------------------------------------------- /etc/nftables/nftables-ns2.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 | 3 | flush ruleset 4 | 5 | table inet filter { 6 | define ip-anycast = 198.251.90.93 7 | 8 | define ip-allowlist-ssh = { 9 | 198.98.53.141, # 0.ns2.grapheneos.org 10 | } 11 | 12 | define ip6-allowlist-ssh = { 13 | 2605:6400:10:102e:95bc:89ef:2e7f:49bb, # 0.ns2.grapheneos.org 14 | } 15 | 16 | set ip-connlimit-ssh { 17 | type ipv4_addr 18 | flags dynamic 19 | } 20 | 21 | set ip6-connlimit-ssh { 22 | type ipv6_addr 23 | flags dynamic 24 | } 25 | 26 | set ip-connlimit-main { 27 | type ipv4_addr 28 | flags dynamic 29 | } 30 | 31 | set ip6-connlimit-main { 32 | type ipv6_addr 33 | flags dynamic 34 | } 35 | 36 | chain prerouting-raw { 37 | type filter hook prerouting priority raw 38 | 
policy drop 39 | 40 | # drop packets without a reverse path (strict reverse path filtering) 41 | fib saddr . iif oif missing counter drop 42 | 43 | iif lo notrack accept 44 | 45 | # drop packets to address not configured on incoming interface (strong host model) 46 | # 47 | # ordered after accepting loopback to permit using external IPs via loopback 48 | fib daddr . iif type != { local, broadcast, multicast } counter drop 49 | 50 | udp dport 53 notrack accept 51 | 52 | tcp dport 22 ip daddr $ip-anycast drop 53 | 54 | # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion 55 | tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept 56 | 57 | meta l4proto { tcp, udp } accept 58 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 59 | meta l4proto ipv6-icmp notrack accept 60 | } 61 | 62 | chain input { 63 | type filter hook input priority filter 64 | policy drop 65 | 66 | tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service 67 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 68 | } 69 | 70 | chain input-tcp-service { 71 | iif lo goto input-tcp-service-loopback 72 | 73 | # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough 74 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 75 | 76 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 77 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 78 | tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset 79 | tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 80 | synproxy mss 1460 wscale 7 timestamp sack-perm 81 | } 82 | 83 
| chain input-tcp-service-new { 84 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 85 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 86 | tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset 87 | tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 88 | accept 89 | } 90 | 91 | # add connections established without synproxy to connection limit sets with limits enforced 92 | chain input-tcp-service-established { 93 | ct mark 0x1 accept 94 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 95 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 96 | tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset 97 | tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset 98 | ct mark set 0x1 accept 99 | } 100 | 101 | # add connections established with synproxy to connection limit sets with limits enforced 102 | chain input-tcp-service-loopback { 103 | tcp flags != syn accept 104 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 105 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 106 | tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset 107 | tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset 108 | ct mark set 0x1 accept 109 | } 110 | 111 | 
chain forward { 112 | type filter hook forward priority filter 113 | policy drop 114 | } 115 | 116 | chain output-raw { 117 | type filter hook output priority raw 118 | 119 | oif lo goto output-raw-loopback 120 | skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate } counter goto graceful-reject 121 | udp sport 53 notrack accept 122 | meta l4proto { icmp, ipv6-icmp } notrack accept 123 | } 124 | 125 | chain output-raw-loopback { 126 | skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept 127 | skuid { alpm, chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept 128 | 129 | skuid powerdns meta l4proto { tcp, udp } th sport 54 th dport >= 1024 notrack accept 130 | skuid dnsdist meta l4proto { tcp, udp } th sport >= 1024 th dport 54 notrack accept 131 | 132 | skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept 133 | 134 | skuid dnsdist meta l4proto tcp th sport 5199 th dport >= 1024 notrack accept 135 | 136 | skuid != root counter goto graceful-reject 137 | notrack accept 138 | } 139 | 140 | chain graceful-reject { 141 | meta l4proto udp reject 142 | meta l4proto tcp reject with tcp reset 143 | reject 144 | } 145 | } 146 | -------------------------------------------------------------------------------- /etc/nftables/nftables-social.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 | 3 | flush ruleset 4 | 5 | table inet filter { 6 | set ip-connlimit-ssh { 7 | type ipv4_addr 8 | flags dynamic 9 | } 10 | 11 | set ip6-connlimit-ssh { 12 | type ipv6_addr 13 | flags dynamic 14 | } 15 | 16 | set ip-connlimit-main { 17 | type ipv4_addr 18 | flags dynamic 19 | } 20 | 21 | set ip6-connlimit-main { 22 | type ipv6_addr 23 | flags dynamic 24 | } 25 | 26 | chain prerouting-raw { 27 | type filter hook prerouting priority raw 28 | policy drop 29 | 30 | # drop packets without a reverse path 
(strict reverse path filtering) 31 | fib saddr . iif oif missing counter drop 32 | 33 | iif lo notrack accept 34 | 35 | # drop packets to an address not configured on the incoming interface (strong host model) 36 | # 37 | # ordered after accepting loopback to permit using external IPs via loopback 38 | fib daddr . iif type != { local, broadcast, multicast } counter drop 39 | 40 | # handle new TCP connections beyond the rate limit via synproxy to avoid conntrack table exhaustion 41 | tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept 42 | 43 | meta l4proto { tcp, udp } accept 44 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 45 | meta l4proto ipv6-icmp notrack accept 46 | } 47 | 48 | chain input { 49 | type filter hook input priority filter 50 | policy drop 51 | 52 | tcp dport { 22, 80, 443 } goto input-tcp-service 53 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 54 | } 55 | 56 | chain input-tcp-service { 57 | iif lo goto input-tcp-service-loopback 58 | 59 | # with synproxy, the SYN is untracked and the first ACK is invalid; both are handled by falling through to the rules below 60 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 61 | 62 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 63 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 64 | tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset 65 | tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 66 | synproxy mss 1460 wscale 7 timestamp sack-perm 67 | } 68 | 69 | chain input-tcp-service-new { 70 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 71 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: 
@ip6-connlimit-ssh counter reject with tcp reset 72 | tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset 73 | tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 74 | accept 75 | } 76 | 77 | # add connections established without synproxy to connection limit sets with limits enforced 78 | chain input-tcp-service-established { 79 | ct mark 0x1 accept 80 | tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 81 | tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 82 | tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 83 | tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 84 | ct mark set 0x1 accept 85 | } 86 | 87 | # add connections established with synproxy to connection limit sets with limits enforced 88 | chain input-tcp-service-loopback { 89 | tcp flags != syn accept 90 | tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 91 | tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 92 | tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 93 | tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 94 | ct mark set 0x1 accept 95 | } 96 | 97 | chain forward { 98 | type filter hook forward priority filter 99 | policy drop 100 | } 101 | 102 | chain output-raw { 103 | type filter hook output priority raw 104 | 105 | oif lo goto output-raw-loopback 106 | skuid != { root, systemd-network, unbound, alpm, chrony, http, mastodon } counter goto graceful-reject 107 | meta l4proto { icmp, ipv6-icmp } 
notrack accept 108 | } 109 | 110 | chain output-raw-loopback { 111 | skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept 112 | skuid { alpm, chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept 113 | 114 | skuid postgres udp sport >= 1024 udp dport >= 1024 notrack accept 115 | 116 | skuid != root counter goto graceful-reject 117 | notrack accept 118 | } 119 | 120 | chain graceful-reject { 121 | meta l4proto udp reject 122 | meta l4proto tcp reject with tcp reset 123 | reject 124 | } 125 | } 126 | -------------------------------------------------------------------------------- /etc/nftables/nftables-web.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 | 3 | flush ruleset 4 | 5 | table inet filter { 6 | define ip-allowlist-ssh = { 7 | 51.222.156.101, # 0.grapheneos.org 8 | 45.90.185.33, # 4.releases.grapheneos.org 9 | } 10 | 11 | define ip6-allowlist-ssh = { 12 | 2607:5300:205:200::29c6, # 0.grapheneos.org 13 | 2a14:3f87:6920:250::100, # 4.releases.grapheneos.org 14 | } 15 | 16 | set ip-connlimit-ssh { 17 | type ipv4_addr 18 | flags dynamic 19 | } 20 | 21 | set ip6-connlimit-ssh { 22 | type ipv6_addr 23 | flags dynamic 24 | } 25 | 26 | set ip-connlimit-main { 27 | type ipv4_addr 28 | flags dynamic 29 | } 30 | 31 | set ip6-connlimit-main { 32 | type ipv6_addr 33 | flags dynamic 34 | } 35 | 36 | chain prerouting-raw { 37 | type filter hook prerouting priority raw 38 | policy drop 39 | 40 | # drop packets without a reverse path (strict reverse path filtering) 41 | fib saddr . iif oif missing counter drop 42 | 43 | iif lo notrack accept 44 | 45 | # drop packets to address not configured on incoming interface (strong host model) 46 | # 47 | # ordered after accepting loopback to permit using external IPs via loopback 48 | fib daddr . 
iif type != { local, broadcast, multicast } counter drop 49 | 50 | # handle new TCP connections beyond the rate limit via synproxy to avoid conntrack table exhaustion 51 | tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept 52 | 53 | meta l4proto { tcp, udp } accept 54 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 55 | meta l4proto ipv6-icmp notrack accept 56 | } 57 | 58 | chain input { 59 | type filter hook input priority filter 60 | policy drop 61 | 62 | tcp dport { 22, 80, 443 } goto input-tcp-service 63 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 64 | } 65 | 66 | chain input-tcp-service { 67 | iif lo goto input-tcp-service-loopback 68 | 69 | # with synproxy, the SYN is untracked and the first ACK is invalid; both are handled by falling through to the rules below 70 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 71 | 72 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 73 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 74 | tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset 75 | tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 76 | synproxy mss 1460 wscale 7 timestamp sack-perm 77 | } 78 | 79 | chain input-tcp-service-new { 80 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 81 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 82 | tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset 83 | tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 84 | accept 85 | } 86 | 87 | # add connections established without synproxy to 
connection limit sets with limits enforced 88 | chain input-tcp-service-established { 89 | ct mark 0x1 accept 90 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 91 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 92 | tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 93 | tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 94 | ct mark set 0x1 accept 95 | } 96 | 97 | # add connections established with synproxy to connection limit sets with limits enforced 98 | chain input-tcp-service-loopback { 99 | tcp flags != syn accept 100 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 101 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 102 | tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 103 | tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 104 | ct mark set 0x1 accept 105 | } 106 | 107 | chain forward { 108 | type filter hook forward priority filter 109 | policy drop 110 | } 111 | 112 | chain output-raw { 113 | type filter hook output priority raw 114 | 115 | oif lo goto output-raw-loopback 116 | skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject 117 | meta l4proto { icmp, ipv6-icmp } notrack accept 118 | } 119 | 120 | chain output-raw-loopback { 121 | skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept 122 | skuid { alpm, chrony } meta l4proto { tcp, udp 
} th sport >= 1024 th dport 53 notrack accept 123 | 124 | skuid != root counter goto graceful-reject 125 | notrack accept 126 | } 127 | 128 | chain graceful-reject { 129 | meta l4proto udp reject 130 | meta l4proto tcp reject with tcp reset 131 | reject 132 | } 133 | } 134 | -------------------------------------------------------------------------------- /etc/pacman.conf: -------------------------------------------------------------------------------- 1 | # 2 | # /etc/pacman.conf 3 | # 4 | # See the pacman.conf(5) manpage for option and repository directives 5 | 6 | # 7 | # GENERAL OPTIONS 8 | # 9 | [options] 10 | # The following paths are commented out with their default values listed. 11 | # If you wish to use different paths, uncomment and update the paths. 12 | #RootDir = / 13 | #DBPath = /var/lib/pacman/ 14 | #CacheDir = /var/cache/pacman/pkg/ 15 | LogFile = /dev/null 16 | #GPGDir = /etc/pacman.d/gnupg/ 17 | #HookDir = /etc/pacman.d/hooks/ 18 | HoldPkg = pacman glibc 19 | #XferCommand = /usr/bin/curl -L -C - -f -o %o %u 20 | #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u 21 | #CleanMethod = KeepInstalled 22 | Architecture = auto 23 | 24 | # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup 25 | #IgnorePkg = 26 | #IgnoreGroup = 27 | 28 | #NoUpgrade = 29 | #NoExtract = 30 | 31 | # Misc options 32 | UseSyslog 33 | Color 34 | #NoProgressBar 35 | CheckSpace 36 | VerbosePkgLists 37 | #ParallelDownloads = 5 38 | DownloadUser = alpm 39 | #DisableSandbox 40 | ILoveCandy 41 | 42 | # By default, pacman accepts packages signed by keys that its local keyring 43 | # trusts (see pacman-key and its man page), as well as unsigned packages. 
44 | SigLevel = Required DatabaseOptional 45 | LocalFileSigLevel = Optional 46 | #RemoteFileSigLevel = Required 47 | 48 | # NOTE: You must run `pacman-key --init` before first using pacman; the local 49 | # keyring can then be populated with the keys of all official Arch Linux 50 | # packagers with `pacman-key --populate archlinux`. 51 | 52 | # 53 | # REPOSITORIES 54 | # - can be defined here or included from another file 55 | # - pacman will search repositories in the order defined here 56 | # - local/custom mirrors can be added here or in separate files 57 | # - repositories listed first will take precedence when packages 58 | # have identical names, regardless of version number 59 | # - URLs will have $repo replaced by the name of the current repo 60 | # - URLs will have $arch replaced by the name of the architecture 61 | # 62 | # Repository entries are of the format: 63 | # [repo-name] 64 | # Server = ServerName 65 | # Include = IncludePath 66 | # 67 | # The header [repo-name] is crucial - it must be present and 68 | # uncommented to enable the repo. 69 | # 70 | 71 | # The testing repositories are disabled by default. To enable, uncomment the 72 | # repo name header and Include lines. You can add preferred servers immediately 73 | # after the header, and they will be used before the default mirrors. 74 | 75 | #[core-testing] 76 | #Include = /etc/pacman.d/mirrorlist 77 | 78 | [core] 79 | Include = /etc/pacman.d/mirrorlist 80 | 81 | #[extra-testing] 82 | #Include = /etc/pacman.d/mirrorlist 83 | 84 | [extra] 85 | Include = /etc/pacman.d/mirrorlist 86 | 87 | # If you want to run 32 bit applications on your x86_64 system, 88 | # enable the multilib repositories as required here. 89 | 90 | #[multilib-testing] 91 | #Include = /etc/pacman.d/mirrorlist 92 | 93 | #[multilib] 94 | #Include = /etc/pacman.d/mirrorlist 95 | 96 | # An example of a custom package repository. See the pacman manpage for 97 | # tips on creating your own repositories. 
98 | #[custom] 99 | #SigLevel = Optional TrustAll 100 | #Server = file:///home/custompkgs 101 | -------------------------------------------------------------------------------- /etc/pacman.d/mirrorlist: -------------------------------------------------------------------------------- 1 | Server = https://america.mirror.pkgbuild.com/$repo/os/$arch 2 | -------------------------------------------------------------------------------- /etc/pacreport.conf: -------------------------------------------------------------------------------- 1 | [Options] 2 | IgnoreUnowned = etc/letsencrypt 3 | IgnoreUnowned = etc/locale.conf 4 | IgnoreUnowned = etc/modprobe.d/local.conf 5 | IgnoreUnowned = etc/modules-load.d/local.conf 6 | IgnoreUnowned = etc/sysctl.d/local-tcp_wmem.conf 7 | IgnoreUnowned = etc/sysctl.d/local.conf 8 | IgnoreUnowned = lost+found 9 | IgnoreUnowned = swapfile 10 | 11 | [PkgIgnoreUnowned] 12 | ca-certificates = etc/ca-certificates/extracted 13 | certbot = etc/logrotate.d/letsencrypt 14 | certbot = etc/systemd/system/certbot-renew.service.d 15 | certbot = etc/systemd/system/certbot.service 16 | certbot = etc/systemd/system/certbot.service.d 17 | certbot = etc/systemd/system/certbot.timer 18 | certbot = usr/local/bin/certbot-replicate 19 | certbot = var/lib/letsencrypt 20 | chrony = etc/sysconfig 21 | chrony = etc/systemd/system/chronyd.service.d 22 | chrony = var/lib/chrony 23 | dbus = var/lib/dbus 24 | dovecot = etc/dovecot 25 | dovecot = var/lib/dovecot 26 | fontconfig = etc/fonts/conf.d 27 | gdk-pixbuf2 = usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache 28 | geoipupdate = etc/systemd/system/geoipupdate.service.d 29 | geoipupdate = etc/systemd/system/geoipupdate.timer.d 30 | geoipupdate = var/lib/GeoIP/.geoipupdate.lock 31 | geoipupdate = var/lib/GeoIP/GeoLite2-ASN.mmdb 32 | geoipupdate = var/lib/GeoIP/GeoLite2-City.mmdb 33 | geoipupdate = var/lib/GeoIP/GeoLite2-Country.mmdb 34 | glibc = etc/.pwd.lock 35 | glibc = etc/ld.so.cache 36 | glibc = 
usr/lib/gconv/gconv-modules.cache 37 | glibc = usr/lib/locale/locale-archive 38 | grub = boot/grub 39 | linux-lts = boot/initramfs-linux-lts-fallback.img 40 | linux-lts = boot/initramfs-linux-lts.img 41 | linux-lts = boot/vmlinuz-linux-lts 42 | linux-lts = etc/mkinitcpio.d/linux-lts.preset 43 | linux-lts = usr/lib/modules/*-lts/modules.alias 44 | linux-lts = usr/lib/modules/*-lts/modules.alias.bin 45 | linux-lts = usr/lib/modules/*-lts/modules.builtin.alias.bin 46 | linux-lts = usr/lib/modules/*-lts/modules.builtin.bin 47 | linux-lts = usr/lib/modules/*-lts/modules.dep 48 | linux-lts = usr/lib/modules/*-lts/modules.dep.bin 49 | linux-lts = usr/lib/modules/*-lts/modules.devname 50 | linux-lts = usr/lib/modules/*-lts/modules.softdep 51 | linux-lts = usr/lib/modules/*-lts/modules.symbols 52 | linux-lts = usr/lib/modules/*-lts/modules.symbols.bin 53 | linux-lts = usr/lib/modules/*-lts/modules.weakdep 54 | logrotate = var/lib/logrotate.status 55 | mariadb = etc/systemd/system/mariadb.service.d 56 | mariadb = var/lib/mysql 57 | mastodon = etc/systemd/system/mastodon-streaming@.service.d 58 | mastodon = etc/systemd/system/mastodon-web.service.d 59 | mastodon = var/lib/mastodon 60 | matrix-synapse = etc/default/synapse 61 | matrix-synapse = etc/synapse 62 | matrix-synapse = etc/sysctl.d/local-reserved-ports.conf 63 | matrix-synapse = etc/systemd/system/mjolnir.service 64 | matrix-synapse = etc/webapps 65 | matrix-synapse = opt/mjolnir 66 | matrix-synapse = var/lib/mjolnir 67 | matrix-synapse = var/lib/synapse 68 | matterbridge-git = etc/systemd/system/matterbridge.service.d 69 | matterbridge-git = var/lib/matterbridge 70 | nftables = etc/sysctl.d/local-conntrack_size.conf 71 | nginx = etc/nginx 72 | nginx = etc/systemd/system/create-session-ticket-keys.service 73 | nginx = etc/systemd/system/rotate-session-ticket-keys.service 74 | nginx = etc/systemd/system/rotate-session-ticket-keys.timer 75 | nginx = etc/systemd/system/nginx.service.d 76 | nginx = srv 77 | nginx = 
usr/local/bin/create-session-ticket-keys 78 | nginx = usr/local/bin/rotate-session-ticket-keys 79 | nginx = var/lib/nginx 80 | opendkim = etc/opendkim 81 | opendkim = etc/systemd/system/opendkim.service 82 | opendkim = var/lib/opendkim 83 | opendmarc = etc/systemd/system/opendmarc.service.d 84 | opendmarc = etc/tmpfiles.d/opendmarc.conf 85 | openssh = etc/ssh/ssh_host_ed25519_key 86 | openssh = etc/ssh/ssh_host_ed25519_key.pub 87 | openssh = etc/systemd/system/sshd.service.d 88 | openssh = etc/systemd/system/sshdgenkeys.service 89 | pacman = etc/pacman.d/gnupg 90 | pacman = etc/systemd/system/pacman-init.service 91 | pacman = var/lib/pacman 92 | pacutils = etc/pacreport.conf 93 | php-fpm = etc/systemd/system/php-fpm.service.d 94 | php-legacy-fpm = etc/systemd/system/php-fpm-legacy.service.d 95 | plocate = etc/systemd/system/plocate-updatedb.service.d 96 | plocate = var/lib/plocate/plocate.db 97 | postfix = etc/postfix 98 | postfix = var/lib/postfix 99 | postfix = var/spool/postfix 100 | postgresql = etc/systemd/system/postgresql.service.d 101 | postgresql = var/lib/postgres 102 | powerdns = etc/powerdns/keys 103 | powerdns = etc/powerdns/zones.yaml 104 | powerdns = etc/systemd/system/pdns.service.d 105 | shadow = etc/group- 106 | shadow = etc/gshadow- 107 | shadow = etc/hostname 108 | shadow = etc/passwd- 109 | shadow = etc/shadow- 110 | shadow = etc/subgid- 111 | shadow = etc/subuid- 112 | sysstat = etc/systemd/system/sysstat-collect.timer.d 113 | sysstat = etc/systemd/system/sysstat.service.wants 114 | systemd = etc/.updated 115 | systemd = etc/credstore 116 | systemd = etc/credstore.encrypted 117 | systemd = etc/machine-id 118 | systemd = etc/os-release 119 | systemd = etc/systemd/network/10-public.link 120 | systemd = etc/systemd/network/10-public.network 121 | systemd = etc/systemd/system/-.slice.d 122 | systemd = etc/systemd/system/ctrl-alt-del.target 123 | systemd = etc/systemd/system/dbus-org.freedesktop.network1.service 124 | systemd = 
etc/systemd/system/dbus-org.freedesktop.oom1.service 125 | systemd = etc/systemd/system/getty.target.wants 126 | systemd = etc/systemd/system/multi-user.target.wants 127 | systemd = etc/systemd/system/network-online.target.wants 128 | systemd = etc/systemd/system/sockets.target.wants 129 | systemd = etc/systemd/system/sys-fs-fuse-connections.mount 130 | systemd = etc/systemd/system/sysinit.target.wants 131 | systemd = etc/systemd/system/timers.target.wants 132 | systemd = etc/systemd/user/sockets.target.wants 133 | systemd = etc/udev/hwdb.bin 134 | systemd = etc/vconsole.conf 135 | systemd = usr/lib/udev/hwdb.bin 136 | systemd = var/.updated 137 | systemd = var/lib/machines 138 | systemd = var/lib/portables 139 | systemd = var/lib/private 140 | systemd = var/lib/systemd/catalog 141 | systemd = var/lib/systemd/coredump 142 | systemd = var/lib/systemd/ephemeral-trees 143 | systemd = var/lib/systemd/linger 144 | systemd = var/lib/systemd/network 145 | systemd = var/lib/systemd/pstore 146 | systemd = var/lib/systemd/random-seed 147 | systemd = var/lib/systemd/timers 148 | tpm2-tss = var/lib/tpm2-tss 149 | unbound = etc/systemd/system/unbound.service.d 150 | unbound = etc/unbound/dev 151 | unbound = etc/unbound/run 152 | unbound = etc/unbound/trusted-key.key 153 | unbound = var/lib/unbound 154 | util-linux = etc/passwd.OLD 155 | util-linux = etc/systemd/system/fstrim.service.d 156 | util-linux = etc/systemd/system/fstrim.timer.d 157 | util-linux = var/lib/lastlog 158 | util-linux = var/lib/libuuid 159 | valkey = etc/systemd/system/valkey.service.d 160 | valkey = etc/tmpfiles.d/valkey.conf 161 | valkey = var/lib/valkey 162 | xfsprogs = etc/systemd/system/xfs_fsr.service 163 | -------------------------------------------------------------------------------- /etc/resolv.conf: -------------------------------------------------------------------------------- 1 | nameserver ::1 2 | options edns0 trust-ad 3 | 
--------------------------------------------------------------------------------
/etc/ssh/ssh_config:
--------------------------------------------------------------------------------
# Include drop-in configurations
# Placed first on purpose: ssh_config keeps the first value it sees for each
# option, so anything under ssh_config.d/ takes precedence over what follows.
Include /etc/ssh/ssh_config.d/*.conf

# DSCP marks: af21 for interactive sessions, af11 for bulk transfers.
IPQoS af21 af11

# Liveness is checked inside the encrypted channel (two missed probes at 60s,
# i.e. ~2 minutes before a dead peer is dropped) instead of with TCP
# keepalives, which travel unauthenticated and can be spoofed.
ServerAliveInterval 60
ServerAliveCountMax 2
TCPKeepAlive no

# Look up SSHFP records for unknown host keys but still prompt before trusting
# them. A DNS match is only as strong as the resolver's DNSSEC validation, so
# "ask" rather than "yes".
VerifyHostKeyDNS ask
--------------------------------------------------------------------------------
/etc/ssh/sshd_config:
--------------------------------------------------------------------------------
# Include drop-in configurations
# First value wins in sshd_config as well, so drop-ins override the settings
# below rather than the other way round.
Include /etc/ssh/sshd_config.d/*.conf

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

IPQoS af21 af11

# One host key and exactly one algorithm for every negotiated primitive:
#  - ed25519 only, for host keys and for user keys
#  - a single hybrid post-quantum key exchange (ML-KEM-768 + X25519)
#  - a single AEAD cipher; "MACs -*" strips every MAC, which is only sound
#    because AES-GCM authenticates on its own. If a non-AEAD cipher is ever
#    added to Ciphers, a MAC has to be restored here or negotiation fails.
# PubkeyAcceptedKeyTypes is the legacy alias of PubkeyAcceptedAlgorithms.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519
KexAlgorithms mlkem768x25519-sha256
PubkeyAcceptedKeyTypes ssh-ed25519
Ciphers aes256-gcm@openssh.com
MACs -*

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

# Unauthenticated connections are cut after 15s and a single rejected key
# ends the session. Clients with several keys loaded (agent) therefore have
# to offer the right one first, e.g. IdentitiesOnly + IdentityFile.
LoginGraceTime 15s
#PermitRootLogin prohibit-password
#StrictModes yes
MaxAuthTries 1
#MaxSessions 10

# Template placeholder — presumably replaced by the deploy tooling with the
# space-separated list of permitted accounts; the substitution is not visible
# here, confirm against the deploy script.
AllowUsers {{ssh_users}}

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to "no" here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to "no" to disable keyboard-interactive authentication. Depending on
# the system's configuration, this may involve passwords, challenge-response,
# one-time passwords or some combination of these and other methods.
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
# That is the case here: with both set to "no" above, PAM contributes only
# its account and session stages; public keys remain the sole login method.
UsePAM yes

# Agent forwarding is off. TCP forwarding is left at its default ("yes").
# NOTE(review): if port forwarding is not needed on these hosts,
# "AllowTcpForwarding no" would close that path as well — confirm usage first.
AllowAgentForwarding no
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
# Same idea as on the client side: dead sessions are detected with encrypted
# ClientAlive probes (60s x 2), not with spoofable TCP keepalives.
TCPKeepAlive no
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 60
ClientAliveCountMax 2
#UseDNS no
#PidFile /run/sshd.pid
# Hard cap on concurrent unauthenticated connections, with no random early
# drop (single number, not start:rate:full). The practical bound on their
# lifetime comes from LoginGraceTime and MaxAuthTries above.
MaxStartups 4096
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
# External sftp-server binary. "Subsystem sftp internal-sftp" would serve SFTP
# in-process (no extra executable, usable with ChrootDirectory); a preference,
# not a defect.
Subsystem sftp /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
--------------------------------------------------------------------------------
/etc/sysconfig/chronyd:
--------------------------------------------------------------------------------
# Extra chronyd arguments, presumably pulled in by the chronyd service as an
# environment file (not visible here):
#   -F 1  enable chronyd's seccomp system-call filter
#   -r    reload previously saved measurements from the dump files on start
OPTIONS=-F1 -r

--------------------------------------------------------------------------------
/etc/sysctl.d/local.conf:
--------------------------------------------------------------------------------
# AF_INET6 sockets no longer accept IPv4-mapped addresses; a service that wants
# both families must bind an IPv4 socket and an IPv6 socket explicitly.
net.ipv6.bindv6only = 1

# Widened ephemeral port range (kernel default is 32768-60999).
# NOTE(review): a daemon that binds a fixed port above 1023 can now find it
# taken by an outgoing connection unless that port is listed in
# net.ipv4.ip_local_reserved_ports — confirm for the services on these hosts.
net.ipv4.ip_local_port_range = 1024 65535

# Neither emit nor honour ICMP redirects; these hosts are not routers.
net.ipv4.conf.*.send_redirects = 0
net.ipv4.conf.*.accept_redirects = 0
net.ipv6.conf.*.accept_redirects = 0

# enforced with nftables to handle both IPv4 and IPv6 in the same way
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.*.rp_filter = 0

# TCP behaviour: no ECN negotiation, keep cwnd across idle periods, allow the
# advertised receive window to shrink, cap unsent bytes queued per socket at
# 128 KiB, 30s FIN-WAIT-2, ignore RSTs in TIME-WAIT (TIME-WAIT assassination
# protection) and let TIME-WAIT sockets be reused for new outgoing connections.
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_shrink_window = 1
net.ipv4.tcp_notsent_lowat = 131072
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_tw_reuse = 1

# Handshake retry budgets, each paired with the matching conntrack timeout so
# the firewall state expires at the same moment the kernel gives up.
# 31s with initial 1s RTO
net.ipv4.tcp_syn_retries = 4
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 31

# 15s with initial 1s RTO
net.ipv4.tcp_synack_retries = 3
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 15

# 102.2s with minimum 0.2s RTO
net.ipv4.tcp_retries2 = 8

# 25.4s with minimum 0.2s RTO
net.ipv4.tcp_orphan_retries = 6

net.mptcp.enabled = 0

# conntrack: never pick up a TCP flow mid-stream, keep established entries for
# 4h and TIME-WAIT for 60s, short UDP timeouts, and an expectation table of
# size 1 — consistent with no ALG helpers being in use.
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_tcp_timeout_established = 14400
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
net.netfilter.nf_conntrack_udp_timeout = 15
net.netfilter.nf_conntrack_udp_timeout_stream = 15
net.netfilter.nf_conntrack_expect_max = 1

# Only processes with CAP_SYS_PTRACE may ptrace, regardless of ancestry.
kernel.yama.ptrace_scope = 2

# Maximum mmap ASLR entropy for 64-bit and 32-bit-compat mappings on x86_64.
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16

# Hide kernel pointers in /proc and dmesg even from root.
kernel.kptr_restrict = 2

# Not a mainline knob: provided by the Arch kernel patch set. On a kernel
# without it systemd-sysctl logs an error for this line and continues.
kernel.unprivileged_userns_clone = 0

# No unprivileged BPF; JIT hardening (constant blinding) for all users.
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2

# io_uring only for members of gid 2000 (and CAP_SYS_ADMIN).
# NOTE(review): which group 2000 is isn't visible here — confirm it maps to
# the one service that actually needs io_uring.
kernel.io_uring_disabled = 1
kernel.io_uring_group = 2000

# kexec is locked out until the next boot; cannot be re-enabled at runtime.
kernel.kexec_load_disabled = 1

# Restrict O_CREAT on existing regular files / FIFOs inside sticky world- and
# group-writable directories that are owned by someone else.
fs.protected_regular = 2
fs.protected_fifos = 2

# Fail closed: an oops is escalated to a panic, and a panic reboots at once
# (negative value = immediate reboot) instead of leaving a wedged host.
kernel.panic = -1
kernel.panic_on_oops = 1

# TTY line-discipline modules are not auto-loaded on demand.
dev.tty.ldisc_autoload = 0

# Disable binfmt_misc handlers.
fs.binfmt_misc.status = 0
--------------------------------------------------------------------------------
/etc/sysctl.d/metal.conf:
--------------------------------------------------------------------------------
# md RAID resync/rebuild throttle, in KiB/s (100 MB/s .. 1 GB/s). Kept in a
# separate file, presumably deployed only to the bare-metal hosts (file name).
dev.raid.speed_limit_min=100000
dev.raid.speed_limit_max=1000000
--------------------------------------------------------------------------------
/etc/systemd/journald.conf:
--------------------------------------------------------------------------------
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file (or a copy of it placed in
# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
# the /etc/systemd/journald.conf.d/ directory. The latter is generally
# recommended. Defaults can be restored by simply deleting the main
# configuration file and all drop-ins located in /etc/.
#
# Use 'systemd-analyze cat-config systemd/journald.conf' to display the full config.
#
# See journald.conf(5) for details.

[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
# Disk, file-size and retention limits for the persistent journal. The {{...}}
# placeholders are template variables presumably filled per host at deploy
# time; their values are not visible here.
SystemMaxUse={{journald_system_max_use}}
#SystemKeepFree=
SystemMaxFileSize={{journald_system_max_file_size}}
SystemMaxFiles=10000
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
MaxRetentionSec={{journald_max_retention_sec}}
# Retention is enforced per journal file, so files are rotated at least daily
# to let MaxRetentionSec actually expire old entries.
MaxFileSec=1day
#ForwardToSyslog=no
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#MaxLevelSocket=debug
#LineMax=48K
#ReadKMsg=yes
#Audit=yes
--------------------------------------------------------------------------------
/etc/systemd/network/0.grapheneos.network.link:
--------------------------------------------------------------------------------
# Match the NIC by MAC and give it a stable name; the .network file for this
# host selects the interface by that name.
[Match]
MACAddress=fa:16:3e:2d:63:3f

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/0.grapheneos.network.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP (MTU taken from the lease), IPv6 static. The host address is a
# /128 and the gateway sits outside it, so a gateway-less host route is added
# for the gateway first; the default route can then resolve it on-link.
# LinkLocalAddressing=no means no link-local address at all, so RA/SLAAC are
# not available on this interface and IPv6 addressing must stay explicit.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2607:5300:205:200::2584/128

[Route]
Destination=::/0
Gateway=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::2584

[Route]
Destination=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::2584

[DHCP]
UseMTU=true

# CAKE qdisc shaped at 500M; "besteffort" ignores DSCP for tin selection.
[CAKE]
Bandwidth=500M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/0.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:40:35:e3

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/0.grapheneos.org.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP, static IPv6 /128 with an on-link host route for the gateway
# (gateway-less [Route]) so the default route can use it. No link-local
# address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2607:5300:205:200::29c6/128

[Route]
Destination=::/0
Gateway=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::29c6

[Route]
Destination=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::29c6

[DHCP]
UseMTU=true

# CAKE shaped at 500M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=500M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/0.ns1.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:2c:22:df

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/0.ns1.grapheneos.org.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP, static IPv6 /128 with an on-link host route for the gateway
# (gateway-less [Route]) so the default route can use it. No link-local
# address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2607:5300:205:200::eaa/128

[Route]
Destination=::/0
Gateway=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::eaa

[Route]
Destination=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::eaa

[DHCP]
UseMTU=true

# CAKE shaped at 500M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=500M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/0.ns2.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=00:16:54:9a:90:82

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/0.ns2.grapheneos.org.network:
--------------------------------------------------------------------------------
# Fully static dual-stack host (no DHCP). Each address family gets a
# gateway-less host route to its gateway followed by the default route; the
# IPv6 gateway lies outside the /128 so that on-link route is required.
# The extra [Address] 198.251.90.93/32 also appears on 1.ns2 and 2.ns2, so it
# is presumably an anycast service address — verify how it is announced.
# No link-local addresses are configured.
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=198.98.53.141/24
Address=2605:6400:10:102e:95bc:89ef:2e7f:49bb/128

[Address]
Address=198.251.90.93/32

[Route]
Destination=0.0.0.0/0
Gateway=198.98.53.1
PreferredSource=198.98.53.141

[Route]
Destination=198.98.53.1
PreferredSource=198.98.53.141

[Route]
Destination=::/0
Gateway=2605:6400:10::1
PreferredSource=2605:6400:10:102e:95bc:89ef:2e7f:49bb

[Route]
Destination=2605:6400:10::1
PreferredSource=2605:6400:10:102e:95bc:89ef:2e7f:49bb

# CAKE shaped at 1000M; SplitGSO=false keeps GSO super-packets intact instead
# of splitting them into MTU-sized packets.
[CAKE]
Bandwidth=1000M
PriorityQueueingPreset=besteffort
SplitGSO=false
--------------------------------------------------------------------------------
/etc/systemd/network/1.grapheneos.network.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=00:16:ed:7b:89:9b

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/1.grapheneos.network.network:
--------------------------------------------------------------------------------
# Fully static dual-stack host (no DHCP). Per family: an on-link host route to
# the gateway (gateway-less [Route]) and then the default route via it. No
# link-local addresses are configured.
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=209.141.37.35/24
Address=2605:6400:20:387:72d4:dab9:a369:f351/128

[Route]
Destination=0.0.0.0/0
Gateway=209.141.37.1
PreferredSource=209.141.37.35

[Route]
Destination=209.141.37.1
PreferredSource=209.141.37.35

[Route]
Destination=::/0
Gateway=2605:6400:20::1
PreferredSource=2605:6400:20:387:72d4:dab9:a369:f351

[Route]
Destination=2605:6400:20::1
PreferredSource=2605:6400:20:387:72d4:dab9:a369:f351

# CAKE shaped at 1000M, GSO super-packets kept intact.
[CAKE]
Bandwidth=1000M
PriorityQueueingPreset=besteffort
SplitGSO=false
--------------------------------------------------------------------------------
/etc/systemd/network/1.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=00:16:fc:5d:d5:ed

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/1.grapheneos.org.network:
--------------------------------------------------------------------------------
# Fully static dual-stack host (no DHCP). Per family: an on-link host route to
# the gateway (gateway-less [Route]) and then the default route via it. No
# link-local addresses are configured.
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=209.141.35.164/24
Address=2605:6400:20:1131:8088:e08:84e6:632/128

[Route]
Destination=0.0.0.0/0
Gateway=209.141.35.1
PreferredSource=209.141.35.164

[Route]
Destination=209.141.35.1
PreferredSource=209.141.35.164

[Route]
Destination=::/0
Gateway=2605:6400:20::1
PreferredSource=2605:6400:20:1131:8088:e08:84e6:632

[Route]
Destination=2605:6400:20::1
PreferredSource=2605:6400:20:1131:8088:e08:84e6:632

# CAKE shaped at 1000M, GSO super-packets kept intact.
[CAKE]
Bandwidth=1000M
PriorityQueueingPreset=besteffort
SplitGSO=false
--------------------------------------------------------------------------------
/etc/systemd/network/1.ns1.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:13:ae:28

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/1.ns1.grapheneos.org.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP, static IPv6 /128 with an on-link host route for the gateway
# (gateway-less [Route]) so the default route can use it. No link-local
# address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2604:2dc0:202:300::23a6/128

[Route]
Destination=::/0
Gateway=2604:2dc0:202:300::1
PreferredSource=2604:2dc0:202:300::23a6

[Route]
Destination=2604:2dc0:202:300::1
PreferredSource=2604:2dc0:202:300::23a6

[DHCP]
UseMTU=true

# CAKE shaped at 500M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=500M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/1.ns2.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=00:16:bf:aa:e3:77

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/1.ns2.grapheneos.org.network:
--------------------------------------------------------------------------------
# Fully static dual-stack host (no DHCP), same shape as 0.ns2: on-link host
# route to each gateway, then the default route. The [Address]
# 198.251.90.93/32 is shared with 0.ns2 and 2.ns2 — presumably anycast.
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=205.185.124.155/24
Address=2605:6400:20:1c8f:a0c9:372d:482e:945b/128

[Address]
Address=198.251.90.93/32

[Route]
Destination=0.0.0.0/0
Gateway=205.185.124.1
PreferredSource=205.185.124.155

[Route]
Destination=205.185.124.1
PreferredSource=205.185.124.155

[Route]
Destination=::/0
Gateway=2605:6400:20::1
PreferredSource=2605:6400:20:1c8f:a0c9:372d:482e:945b

[Route]
Destination=2605:6400:20::1
PreferredSource=2605:6400:20:1c8f:a0c9:372d:482e:945b

# CAKE shaped at 1000M, GSO super-packets kept intact.
[CAKE]
Bandwidth=1000M
PriorityQueueingPreset=besteffort
SplitGSO=false
--------------------------------------------------------------------------------
/etc/systemd/network/2.grapheneos.network.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:98:41:2c

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/2.grapheneos.network.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP (MTU from the lease), static IPv6 /128 with an on-link host
# route for the gateway (gateway-less [Route]) so the default route can use
# it. No link-local address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2001:41d0:304:200::b109/128

[Route]
Destination=::/0
Gateway=2001:41d0:304:200::1
PreferredSource=2001:41d0:304:200::b109

[Route]
Destination=2001:41d0:304:200::1
PreferredSource=2001:41d0:304:200::b109

[DHCP]
UseMTU=true

# CAKE shaped at 500M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=500M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/2.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:92:1f:72

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/2.grapheneos.org.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP, static IPv6 /128 with an on-link host route for the gateway
# (gateway-less [Route]) so the default route can use it. No link-local
# address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2001:41d0:304:200::902f/128

[Route]
Destination=::/0
Gateway=2001:41d0:304:200::1
PreferredSource=2001:41d0:304:200::902f

[Route]
Destination=2001:41d0:304:200::1
PreferredSource=2001:41d0:304:200::902f

[DHCP]
UseMTU=true

# CAKE shaped at 500M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=500M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/2.ns1.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:96:60:9c

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/2.ns1.grapheneos.org.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP, static IPv6 /128 with an on-link host route for the gateway
# (gateway-less [Route]) so the default route can use it. No link-local
# address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2001:41d0:701:1100::245b/128

[Route]
Destination=::/0
Gateway=2001:41d0:701:1100::1
PreferredSource=2001:41d0:701:1100::245b

[Route]
Destination=2001:41d0:701:1100::1
PreferredSource=2001:41d0:701:1100::245b

[DHCP]
UseMTU=true

# CAKE shaped at 500M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=500M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/2.ns2.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=00:16:0b:de:a3:3b

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/2.ns2.grapheneos.org.network:
--------------------------------------------------------------------------------
# Fully static dual-stack host (no DHCP): on-link host route to each gateway
# (gateway-less [Route]), then the default route via it. The [Address]
# 198.251.90.93/32 is shared with 0.ns2 and 1.ns2 — presumably anycast;
# verify how it is announced. No link-local addresses are configured.
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=107.189.3.168/24
Address=2605:6400:30:ec25:102c:af6d:5be:1eb8/128

[Address]
Address=198.251.90.93/32

[Route]
Destination=0.0.0.0/0
Gateway=107.189.3.1
PreferredSource=107.189.3.168

[Route]
Destination=107.189.3.1
PreferredSource=107.189.3.168

[Route]
Destination=::/0
Gateway=2605:6400:30::1
PreferredSource=2605:6400:30:ec25:102c:af6d:5be:1eb8

[Route]
Destination=2605:6400:30::1
PreferredSource=2605:6400:30:ec25:102c:af6d:5be:1eb8

# CAKE shaped at 1000M; SplitGSO=false keeps GSO super-packets intact.
[CAKE]
Bandwidth=1000M
PriorityQueueingPreset=besteffort
SplitGSO=false
--------------------------------------------------------------------------------
/etc/systemd/network/3.grapheneos.network.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:9a:33:c3

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/3.grapheneos.network.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP, static IPv6 /128 with an on-link host route for the gateway
# (gateway-less [Route]) so the default route can use it. No link-local
# address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2402:1f00:8000:800::1949/128

[Route]
Destination=::/0
Gateway=2402:1f00:8000:800::1
PreferredSource=2402:1f00:8000:800::1949

[Route]
Destination=2402:1f00:8000:800::1
PreferredSource=2402:1f00:8000:800::1949

[DHCP]
UseMTU=true

# CAKE shaped at 500M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=500M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/3.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:ed:88:95

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/3.grapheneos.org.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP, static IPv6 /128 with an on-link host route for the gateway
# (gateway-less [Route]) so the default route can use it. No link-local
# address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2402:1f00:8000:800::16d6/128

[Route]
Destination=::/0
Gateway=2402:1f00:8000:800::1
PreferredSource=2402:1f00:8000:800::16d6

[Route]
Destination=2402:1f00:8000:800::1
PreferredSource=2402:1f00:8000:800::16d6

[DHCP]
UseMTU=true

# CAKE shaped at 500M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=500M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/3.ns1.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:f7:ba:47

[Link]
Name=public

--------------------------------------------------------------------------------
/etc/systemd/network/3.ns1.grapheneos.org.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP, static IPv6 /128 with an on-link host route for the gateway
# (gateway-less [Route]) so the default route can use it. No link-local
# address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2402:1f00:8000:800::3966/128

[Route]
Destination=::/0
Gateway=2402:1f00:8000:800::1
PreferredSource=2402:1f00:8000:800::3966

[Route]
Destination=2402:1f00:8000:800::1
PreferredSource=2402:1f00:8000:800::3966

[DHCP]
UseMTU=true

# CAKE shaped at 500M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=500M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/4.releases.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=50:7c:6f:7d:4c:93

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/4.releases.grapheneos.org.network:
--------------------------------------------------------------------------------
# Fully static dual-stack host (no DHCP). Unlike the other hosts the IPv6
# address carries an on-link /60 rather than a /128, so the gateway ::1 is
# already on-link and the gateway-less host route below is redundant here
# (harmless; kept for uniformity with the other hosts).
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=45.90.185.33/24
Address=2a14:3f87:6920:250::100/60

[Route]
Destination=0.0.0.0/0
Gateway=45.90.185.1
PreferredSource=45.90.185.33

[Route]
Destination=45.90.185.1
PreferredSource=45.90.185.33

[Route]
Destination=::/0
Gateway=2a14:3f87:6920:250::1
PreferredSource=2a14:3f87:6920:250::100

[Route]
Destination=2a14:3f87:6920:250::1
PreferredSource=2a14:3f87:6920:250::100

# CAKE shaped at 25000M (25G link); SplitGSO=false keeps GSO super-packets
# intact, which matters for throughput at this rate.
[CAKE]
Bandwidth=25000M
PriorityQueueingPreset=besteffort
SplitGSO=false
--------------------------------------------------------------------------------
/etc/systemd/network/5.releases.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=9c:6b:00:65:dc:22

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/5.releases.grapheneos.org.network:
--------------------------------------------------------------------------------
# Fully static dual-stack host (no DHCP): on-link host route to each gateway
# (gateway-less [Route]), then the default route via it. The IPv6 gateway is
# outside the /128, so that host route is required. No link-local addresses.
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=172.96.172.37/24
Address=2605:9880:400:1100:15:1240:515:6e/128

[Route]
Destination=0.0.0.0/0
Gateway=172.96.172.1
PreferredSource=172.96.172.37

[Route]
Destination=172.96.172.1
PreferredSource=172.96.172.37

[Route]
Destination=::/0
Gateway=2605:9880:400::1
PreferredSource=2605:9880:400:1100:15:1240:515:6e

[Route]
Destination=2605:9880:400::1
PreferredSource=2605:9880:400:1100:15:1240:515:6e

# CAKE shaped at 10000M (10G link), GSO super-packets kept intact.
[CAKE]
Bandwidth=10000M
PriorityQueueingPreset=besteffort
SplitGSO=false
--------------------------------------------------------------------------------
/etc/systemd/network/6.releases.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=9c:6b:00:68:14:ec

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/6.releases.grapheneos.org.network:
--------------------------------------------------------------------------------
# Fully static dual-stack host (no DHCP): on-link host route to each gateway
# (gateway-less [Route]), then the default route via it. No link-local
# addresses are configured.
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=104.194.8.203/24
Address=2605:9880:200:20::113/128

[Route]
Destination=0.0.0.0/0
Gateway=104.194.8.1
PreferredSource=104.194.8.203

[Route]
Destination=104.194.8.1
PreferredSource=104.194.8.203

[Route]
Destination=::/0
Gateway=2605:9880:200::1
PreferredSource=2605:9880:200:20::113

[Route]
Destination=2605:9880:200::1
PreferredSource=2605:9880:200:20::113

# CAKE shaped at 10000M (10G link), GSO super-packets kept intact.
[CAKE]
Bandwidth=10000M
PriorityQueueingPreset=besteffort
SplitGSO=false
--------------------------------------------------------------------------------
/etc/systemd/network/attestation.app.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:03:e1:1a

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/attestation.app.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP (MTU from the lease), static IPv6 /128 with an on-link host
# route for the gateway (gateway-less [Route]) so the default route can use
# it. No link-local address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2607:5300:205:200::7e9/128

[Route]
Destination=::/0
Gateway=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::7e9

[Route]
Destination=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::7e9

[DHCP]
UseMTU=true

# CAKE shaped at 1000M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=1000M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/discuss.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:19:92:33

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/discuss.grapheneos.org.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP, static IPv6 /128 with an on-link host route for the gateway
# (gateway-less [Route]) so the default route can use it. No link-local
# address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2607:5300:205:200::3c4/128

[Route]
Destination=::/0
Gateway=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::3c4

[Route]
Destination=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::3c4

[DHCP]
UseMTU=true

# CAKE shaped at 1000M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=1000M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/grapheneos.social.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:45:3b:9c

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/grapheneos.social.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP, static IPv6 /128 with an on-link host route for the gateway
# (gateway-less [Route]) so the default route can use it. No link-local
# address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2607:5300:205:200::5e3f/128

[Route]
Destination=::/0
Gateway=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::5e3f

[Route]
Destination=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::5e3f

[DHCP]
UseMTU=true

# CAKE shaped at 1000M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=1000M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/mail.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:ee:8b:bc

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/mail.grapheneos.org.network:
--------------------------------------------------------------------------------
# Fully static dual-stack host (no DHCP). The IPv4 address is a bare /32 and
# the gateway 51.79.64.1 is in a different network, so — exactly like the
# IPv6 side — a gateway-less host route makes the gateway reachable on-link
# before the default route points at it. Presumably a routed/failover IP;
# confirm with the provider setup. No link-local addresses are configured.
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=192.99.98.22/32
Address=2607:5300:205:200::472f/128

[Route]
Destination=0.0.0.0/0
Gateway=51.79.64.1
PreferredSource=192.99.98.22

[Route]
Destination=51.79.64.1
PreferredSource=192.99.98.22

[Route]
Destination=::/0
Gateway=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::472f

[Route]
Destination=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::472f

# CAKE shaped at 500M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=500M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/matrix.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=fa:16:3e:67:24:cc

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/matrix.grapheneos.org.network:
--------------------------------------------------------------------------------
# IPv4 via DHCP, static IPv6 /128 with an on-link host route for the gateway
# (gateway-less [Route]) so the default route can use it. No link-local
# address, hence no RA/SLAAC on this interface.
[Match]
Name=public

[Network]
DHCP=ipv4
LinkLocalAddressing=no
Address=2607:5300:205:200::26e1/128

[Route]
Destination=::/0
Gateway=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::26e1

[Route]
Destination=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::26e1

[DHCP]
UseMTU=true

# CAKE shaped at 1000M, DSCP ignored for tin selection.
[CAKE]
Bandwidth=1000M
PriorityQueueingPreset=besteffort
--------------------------------------------------------------------------------
/etc/systemd/network/ns1.staging.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=00:16:27:1c:de:4c

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/ns1.staging.grapheneos.org.network:
--------------------------------------------------------------------------------
# Fully static dual-stack host (no DHCP): on-link host route to each gateway
# (gateway-less [Route]), then the default route via it. No link-local
# addresses are configured.
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=198.98.56.238/24
Address=2605:6400:10:c41:de92:c534:326a:711a/128

[Route]
Destination=0.0.0.0/0
Gateway=198.98.56.1
PreferredSource=198.98.56.238

[Route]
Destination=198.98.56.1
PreferredSource=198.98.56.238

[Route]
Destination=::/0
Gateway=2605:6400:10::1
PreferredSource=2605:6400:10:c41:de92:c534:326a:711a

[Route]
Destination=2605:6400:10::1
PreferredSource=2605:6400:10:c41:de92:c534:326a:711a

# CAKE shaped at 1000M, GSO super-packets kept intact.
[CAKE]
Bandwidth=1000M
PriorityQueueingPreset=besteffort
SplitGSO=false
--------------------------------------------------------------------------------
/etc/systemd/network/staging.attestation.app.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=00:16:a6:ef:f0:28

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/staging.attestation.app.network:
--------------------------------------------------------------------------------
# Fully static dual-stack host (no DHCP): on-link host route to each gateway
# (gateway-less [Route]), then the default route via it. No link-local
# addresses are configured.
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=198.98.57.157/24
Address=2605:6400:10:aa9:1c0f:44d3:da15:c0ec/128

[Route]
Destination=0.0.0.0/0
Gateway=198.98.57.1
PreferredSource=198.98.57.157

[Route]
Destination=198.98.57.1
PreferredSource=198.98.57.157

[Route]
Destination=::/0
Gateway=2605:6400:10::1
PreferredSource=2605:6400:10:aa9:1c0f:44d3:da15:c0ec

[Route]
Destination=2605:6400:10::1
PreferredSource=2605:6400:10:aa9:1c0f:44d3:da15:c0ec

# CAKE shaped at 1000M, GSO super-packets kept intact.
[CAKE]
Bandwidth=1000M
PriorityQueueingPreset=besteffort
SplitGSO=false
--------------------------------------------------------------------------------
/etc/systemd/network/staging.grapheneos.org.link:
--------------------------------------------------------------------------------
# NIC matched by MAC and renamed to "public" for the .network file.
[Match]
MACAddress=00:16:54:aa:09:82

[Link]
Name=public
--------------------------------------------------------------------------------
/etc/systemd/network/staging.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=199.195.250.78/24 7 | Address=2605:6400:10:9d6:6d84:e183:acda:16d7/128 8 | 9 | [Route] 10 | Destination=0.0.0.0/0 11 | Gateway=199.195.250.1 12 | PreferredSource=199.195.250.78 13 | 14 | [Route] 15 | Destination=199.195.250.1 16 | PreferredSource=199.195.250.78 17 | 18 | [Route] 19 | Destination=::/0 20 | Gateway=2605:6400:10::1 21 | PreferredSource=2605:6400:10:9d6:6d84:e183:acda:16d7 22 | 23 | [Route] 24 | Destination=2605:6400:10::1 25 | PreferredSource=2605:6400:10:9d6:6d84:e183:acda:16d7 26 | 27 | [CAKE] 28 | Bandwidth=1000M 29 | PriorityQueueingPreset=besteffort 30 | SplitGSO=false 31 | -------------------------------------------------------------------------------- /etc/systemd/networkd.conf: -------------------------------------------------------------------------------- 1 | # This file is part of systemd. 2 | # 3 | # systemd is free software; you can redistribute it and/or modify it under the 4 | # terms of the GNU Lesser General Public License as published by the Free 5 | # Software Foundation; either version 2.1 of the License, or (at your option) 6 | # any later version. 7 | # 8 | # Entries in this file show the compile time defaults. Local configuration 9 | # should be created by either modifying this file (or a copy of it placed in 10 | # /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in 11 | # the /etc/systemd/networkd.conf.d/ directory. The latter is generally 12 | # recommended. Defaults can be restored by simply deleting the main 13 | # configuration file and all drop-ins located in /etc/. 14 | # 15 | # Use 'systemd-analyze cat-config systemd/networkd.conf' to display the full config. 16 | # 17 | # See networkd.conf(5) for details. 
18 | 19 | [Network] 20 | SpeedMeter=yes 21 | #SpeedMeterIntervalSec=10sec 22 | #ManageForeignRoutingPolicyRules=yes 23 | #ManageForeignRoutes=yes 24 | #ManageForeignNextHops=yes 25 | #RouteTable= 26 | #IPv6PrivacyExtensions=no 27 | #UseDomains=no 28 | 29 | [IPv6AcceptRA] 30 | #UseDomains= 31 | 32 | [DHCPv4] 33 | #DUIDType=vendor 34 | #DUIDRawData= 35 | #UseDomains= 36 | 37 | [DHCPv6] 38 | #DUIDType=vendor 39 | #DUIDRawData= 40 | #UseDomains= 41 | 42 | [DHCPServer] 43 | #PersistLeases=yes 44 | -------------------------------------------------------------------------------- /etc/systemd/sleep.conf: -------------------------------------------------------------------------------- 1 | # This file is part of systemd. 2 | # 3 | # systemd is free software; you can redistribute it and/or modify it under the 4 | # terms of the GNU Lesser General Public License as published by the Free 5 | # Software Foundation; either version 2.1 of the License, or (at your option) 6 | # any later version. 7 | # 8 | # Entries in this file show the compile time defaults. Local configuration 9 | # should be created by either modifying this file (or a copy of it placed in 10 | # /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in 11 | # the /etc/systemd/sleep.conf.d/ directory. The latter is generally 12 | # recommended. Defaults can be restored by simply deleting the main 13 | # configuration file and all drop-ins located in /etc/. 14 | # 15 | # Use 'systemd-analyze cat-config systemd/sleep.conf' to display the full config. 16 | # 17 | # See systemd-sleep.conf(5) for details. 
18 | 19 | [Sleep] 20 | AllowSuspend=no 21 | AllowHibernation=no 22 | #AllowSuspendThenHibernate=yes 23 | #AllowHybridSleep=yes 24 | #SuspendState=mem standby freeze 25 | #HibernateMode=platform shutdown 26 | #MemorySleepMode= 27 | #HibernateDelaySec= 28 | #HibernateOnACPower=yes 29 | #SuspendEstimationSec=60min 30 | -------------------------------------------------------------------------------- /etc/systemd/system.conf: -------------------------------------------------------------------------------- 1 | # This file is part of systemd. 2 | # 3 | # systemd is free software; you can redistribute it and/or modify it under the 4 | # terms of the GNU Lesser General Public License as published by the Free 5 | # Software Foundation; either version 2.1 of the License, or (at your option) 6 | # any later version. 7 | # 8 | # Entries in this file show the compile time defaults. Local configuration 9 | # should be created by either modifying this file (or a copy of it placed in 10 | # /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in 11 | # /etc/systemd/system.conf.d/ directory. The latter is generally recommended. 12 | # Defaults can be restored by simply deleting the main configuration file and 13 | # all drop-ins located in /etc/. 14 | # 15 | # Use 'systemd-analyze cat-config systemd/system.conf' to display the full config. 16 | # 17 | # See systemd-system.conf(5) for details. 
18 | 19 | [Manager] 20 | #LogLevel=info 21 | #LogTarget=journal-or-kmsg 22 | #LogColor=yes 23 | #LogLocation=no 24 | #LogTime=no 25 | #DumpCore=yes 26 | #ShowStatus=yes 27 | #CrashChangeVT=no 28 | #CrashShell=no 29 | CrashAction=reboot 30 | #CtrlAltDelBurstAction=reboot-force 31 | #CPUAffinity= 32 | #NUMAPolicy=default 33 | #NUMAMask= 34 | RuntimeWatchdogSec=60s 35 | #RuntimeWatchdogPreSec=off 36 | #RuntimeWatchdogPreGovernor= 37 | RebootWatchdogSec=60s 38 | #KExecWatchdogSec=off 39 | #WatchdogDevice= 40 | #CapabilityBoundingSet= 41 | #NoNewPrivileges=no 42 | #ProtectSystem=auto 43 | SystemCallArchitectures=native 44 | #TimerSlackNSec= 45 | #StatusUnitFormat=description 46 | #DefaultTimerAccuracySec=1min 47 | #DefaultStandardOutput=journal 48 | #DefaultStandardError=inherit 49 | #DefaultTimeoutStartSec=90s 50 | #DefaultTimeoutStopSec=90s 51 | #DefaultTimeoutAbortSec= 52 | #DefaultDeviceTimeoutSec=90s 53 | #DefaultRestartSec=100ms 54 | DefaultStartLimitIntervalSec=0 55 | #DefaultStartLimitBurst=5 56 | #DefaultEnvironment= 57 | #DefaultCPUAccounting=yes 58 | DefaultIOAccounting=yes 59 | DefaultIPAccounting=yes 60 | #DefaultMemoryAccounting=yes 61 | #DefaultTasksAccounting=yes 62 | #DefaultTasksMax=15% 63 | #DefaultLimitCPU= 64 | #DefaultLimitFSIZE= 65 | #DefaultLimitDATA= 66 | #DefaultLimitSTACK= 67 | #DefaultLimitCORE= 68 | #DefaultLimitRSS= 69 | #DefaultLimitNOFILE=1024:524288 70 | #DefaultLimitAS= 71 | #DefaultLimitNPROC= 72 | #DefaultLimitMEMLOCK=8M 73 | #DefaultLimitLOCKS= 74 | #DefaultLimitSIGPENDING= 75 | #DefaultLimitMSGQUEUE= 76 | #DefaultLimitNICE= 77 | #DefaultLimitRTPRIO= 78 | #DefaultLimitRTTIME= 79 | #DefaultMemoryPressureThresholdSec=200ms 80 | #DefaultMemoryPressureWatch=auto 81 | #DefaultOOMPolicy=stop 82 | #DefaultSmackProcessLabel= 83 | #ReloadLimitIntervalSec= 84 | #ReloadLimitBurst= 85 | -------------------------------------------------------------------------------- /etc/systemd/system/-.slice.d/override.conf: 
--------------------------------------------------------------------------------
# Root slice: when swap pressure triggers systemd-oomd, kill the offending cgroup
# instead of letting the kernel OOM killer choose. Only has an effect if
# systemd-oomd is enabled on the host (not visible here).
[Slice]
ManagedOOMSwap=kill
--------------------------------------------------------------------------------
/etc/systemd/system/attestation.service.d/override.conf:
--------------------------------------------------------------------------------
# The two placeholders are filled in at deploy time with this host's public addresses.
# NOTE(review): IPAddressAllow= on its own filters nothing -- systemd only consults
# the allow list for packets that a matching IPAddressDeny= would otherwise drop.
# This drop-in is an actual restriction only if the base attestation.service (not
# part of this listing) sets IPAddressDeny= (e.g. "any"); confirm that it does.
[Service]
IPAddressAllow={{ipv4_address}}
IPAddressAllow={{ipv6_address}}
--------------------------------------------------------------------------------
/etc/systemd/system/certbot-renew.service.d/override.conf:
--------------------------------------------------------------------------------
[Service]
# Empty bounding set: the renewal keeps no capabilities at all.
CapabilityBoundingSet=
CPUSchedulingPolicy=batch
# First line clears the packaged ExecStart so the second one replaces rather
# than appends. No random sleep before renewing; no rotated certbot logs
# (presumably left to logrotate.d/letsencrypt from this repo).
ExecStart=
ExecStart=/usr/bin/certbot -q renew --no-random-sleep-on-renew --max-log-backups 0
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateIPC=true
PrivateUsers=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=read-only
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
# With ProtectSystem=strict everything is read-only except these paths; the
# leading '-' makes /srv/certbot optional on hosts that do not have it.
ReadWritePaths=/etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt -/srv/certbot
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources @obsolete
--------------------------------------------------------------------------------
/etc/systemd/system/chronyd.service.d/override.conf:
--------------------------------------------------------------------------------
[Service]
NoNewPrivileges=yes
# Reset the packaged ReadWritePaths list, then allow only chrony's own state
# (/run for its sockets/pid, /var/lib/chrony for drift/keys; /var/log optional).
ReadWritePaths=
ReadWritePaths=/run /var/lib/chrony -/var/log
# Restart unconditionally, backing off from 100ms to at most 10s over 5 steps.
Restart=always
RestartMaxDelaySec=10s
RestartSec=100ms
RestartSteps=5
# Deny-list form: every address family except netlink remains usable.
RestrictAddressFamilies=~AF_NETLINK
--------------------------------------------------------------------------------
/etc/systemd/system/create-session-ticket-keys.service:
--------------------------------------------------------------------------------
[Unit]
Description=Create TLS session ticket keys
# The key files must exist before the TLS servers that load them are started.
Before=dnsdist.service nginx.service

[Service]
ExecStart=/usr/local/bin/create-session-ticket-keys
# No User= so this runs as root, but with group tls and umask 0027: files the
# script creates come out group-readable for the TLS servers and unreadable to
# everyone else (assuming the script relies on the umask rather than chmod-ing).
# Rotation of these keys is handled by rotate-session-ticket-keys.timer.
Group=tls
Type=oneshot
UMask=0027

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/etc/systemd/system/fstrim.service.d/override.conf:
--------------------------------------------------------------------------------
[Unit]
# Defragment (xfs_fsr) before discarding, so freed extents are trimmed in the same run.
Wants=xfs_fsr.service
After=xfs_fsr.service

[Service]
# Background maintenance: yield CPU and I/O to everything else.
CPUSchedulingPolicy=idle
IOSchedulingClass=idle
--------------------------------------------------------------------------------
/etc/systemd/system/fstrim.timer.d/override.conf:
--------------------------------------------------------------------------------
[Unit]
Description=Discard unused filesystem blocks once a day

[Timer]
# Clear the packaged (weekly) schedule before setting the daily one.
OnCalendar=
OnCalendar=daily
--------------------------------------------------------------------------------
/etc/systemd/system/nginx.service.d/override.conf:
--------------------------------------------------------------------------------
[Service]
# Bounding set limited to what the root master process needs: bind :80/:443,
# switch to the worker user, chown its runtime files. CAP_DAC_OVERRIDE is the
# broadest of the five (it lets the master read files its DAC permissions would
# otherwise refuse) -- NOTE(review): confirm it is still needed, e.g. for
# certificate/key files not readable by the tls group.
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateIPC=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
# Read-only filesystem apart from nginx's own state, logs and (optional) cache.
ReadWritePaths=/var/lib/nginx /var/log/nginx -/var/cache/nginx
Restart=always 19 | RestartMaxDelaySec=10s 20 | RestartSec=100ms 21 | RestartSteps=5 22 | RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX 23 | RestrictNamespaces=true 24 | RestrictRealtime=true 25 | RestrictSUIDSGID=true 26 | RuntimeDirectory=nginx 27 | RuntimeDirectoryMode=700 28 | SystemCallArchitectures=native 29 | SystemCallFilter=@system-service 30 | SystemCallFilter=~@obsolete 31 | -------------------------------------------------------------------------------- /etc/systemd/system/plocate-updatedb.service.d/override.conf: -------------------------------------------------------------------------------- 1 | [Service] 2 | CPUSchedulingPolicy=idle 3 | -------------------------------------------------------------------------------- /etc/systemd/system/rotate-session-ticket-keys.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Rotate TLS session ticket keys 3 | After=dnsdist.service nginx.service create-session-ticket-keys.service 4 | Requires=create-session-ticket-keys.service 5 | 6 | [Service] 7 | ExecStart=/usr/local/bin/rotate-session-ticket-keys 8 | Group=tls 9 | Type=oneshot 10 | UMask=0027 11 | -------------------------------------------------------------------------------- /etc/systemd/system/rotate-session-ticket-keys.timer: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Run rotate-session-ticket-keys three times daily 3 | 4 | [Timer] 5 | OnCalendar=0/8:00:00 6 | 7 | [Install] 8 | WantedBy=timers.target 9 | -------------------------------------------------------------------------------- /etc/systemd/system/sshd.service.d/override.conf: -------------------------------------------------------------------------------- 1 | [Service] 2 | LimitNOFILE=8192 3 | ManagedOOMPreference=avoid 4 | -------------------------------------------------------------------------------- /etc/systemd/system/sysstat-collect.timer.d/override.conf: 
--------------------------------------------------------------------------------
[Unit]
Description=Run system activity accounting tool every minute

[Timer]
# Fire on the minute exactly; the default accuracy would let samples drift.
AccuracySec=1us
# Clear the packaged schedule before setting the per-minute one.
OnCalendar=
OnCalendar=minutely
--------------------------------------------------------------------------------
/etc/systemd/system/system.slice.d/override.conf:
--------------------------------------------------------------------------------
# Guarantee system services a small memory floor so they are not reclaimed
# ahead of everything else under memory pressure.
[Slice]
MemoryLow=64M
MemoryMin=64M
--------------------------------------------------------------------------------
/etc/systemd/system/systemd-boot-update.service.d/local.conf:
--------------------------------------------------------------------------------
# NOTE(review): SYSTEMD_RELAX_ESP_CHECKS=1 disables bootctl's sanity checks on the
# ESP (partition type / filesystem). Presumably the ESP layout on these hosts fails
# the strict check; the flip side is that bootctl will write the loader to whatever
# is mounted at the ESP path, so keep this scoped to this one unit.
[Service]
Environment=SYSTEMD_RELAX_ESP_CHECKS=1
--------------------------------------------------------------------------------
/etc/systemd/system/unbound.service.d/override.conf:
--------------------------------------------------------------------------------
[Service]
# The local resolver is always restarted, backing off from 100ms to at most 10s.
Restart=always
RestartMaxDelaySec=10s
RestartSec=100ms
RestartSteps=5
--------------------------------------------------------------------------------
/etc/systemd/system/xfs_fsr.service:
--------------------------------------------------------------------------------
[Unit]
Description=XFS filesystem reorganization

[Service]
CPUSchedulingPolicy=idle
# -f: state file recording where the previous run left off (see xfs_fsr(8)).
ExecStart=/usr/bin/xfs_fsr -f /var/lib/.fsrlast
IOSchedulingClass=idle
# A defragmenter has no business on the network: private (empty) network
# namespace plus a deny-all packet filter as belt and braces.
IPAddressDeny=any
MemoryDenyWriteExecute=true
PrivateIPC=true
PrivateNetwork=true
Type=oneshot
--------------------------------------------------------------------------------
/etc/tmpfiles.d/chrony.conf:
--------------------------------------------------------------------------------
# chrony state directory, owned by chrony; entries older than 30 days are cleaned up.
d /var/lib/chrony 0755 chrony chrony 30d
--------------------------------------------------------------------------------
/etc/unbound/unbound.conf:
--------------------------------------------------------------------------------
server:
    # Local stub resolver: listens on IPv6 loopback only, nothing reachable from outside.
    interface: ::1
    # DNSSEC validation against the root trust anchor kept in this file.
    trust-anchor-file: /etc/unbound/trusted-key.key
    # CA bundle used to verify the DNS-over-TLS upstreams named in the forward-zone.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    prefetch: yes
    prefetch-key: yes
    qname-minimisation-strict: yes
    # Do not answer id.server / version.bind style queries or reveal the trust anchor.
    hide-identity: yes
    hide-trustanchor: yes
    hide-version: yes
    harden-large-queries: yes
    # Source ports for outgoing queries; skip the ports local services listen on
    # so a resolver socket never collides with them.
    outgoing-port-permit: 1024-65535
    outgoing-port-avoid: 7275 # supl
    outgoing-port-avoid: 8008 # synapse
    outgoing-port-avoid: 8080 # attestation

    # Block DNS rebinding: upstream answers carrying these addresses are dropped
    # (any zone that legitimately returns them needs a private-domain: entry).
    # NOTE(review): 0.0.0.0/8 and the CGNAT range 100.64.0.0/10 are not in this list.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: 169.254.0.0/16
    private-address: fe80::/10
    private-address: 127.0.0.0/8
    private-address: ::1/128
    private-address: ::ffff:0:0/96

    # AF21
    ip-dscp: 18

    # force DMARC enforcement
    # These static zones replace whatever the providers publish for _dmarc.<domain>
    # with a p=quarantine policy (presumably consumed by the mail server's DMARC
    # check). A static zone answers only the local-data below for that name, so keep
    # the rua/ruf addresses in step with the providers' published records.
    local-zone: "_dmarc.gmail.com" static
    local-data: '_dmarc.gmail.com 600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:mailauth-reports@google.com"'
    local-zone: "_dmarc.hotmail.com" static
    local-data: '_dmarc.hotmail.com 600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.microsoft; ruf=mailto:ruf@dmarc.microsoft; fo=1"'
    local-zone: "_dmarc.live.com" static
    local-data: '_dmarc.live.com 600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.microsoft; ruf=mailto:ruf@dmarc.microsoft; fo=1"'
    local-zone: "_dmarc.outlook.com" static
    local-data: '_dmarc.outlook.com 600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.microsoft; ruf=mailto:ruf@dmarc.microsoft; fo=1"'

forward-zone:
    name: "."
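    # Forward everything over DNS-over-TLS. The '#name' suffix is the hostname
    # unbound verifies the server certificate against (via tls-cert-bundle);
    # without it the TLS session would be unauthenticated.
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
--------------------------------------------------------------------------------
/fetch-info:
--------------------------------------------------------------------------------
#!/bin/bash
# Snapshot the loaded kernel modules, explicitly installed packages, unit-file
# states and sysctl values of every host in hosts_all (from hosts.sh) into
# modules/, packages/, units/ and sysctl/, one file per host. All hosts are
# fetched in parallel; the exit status is non-zero if any host failed.

# pipefail matters here: without it a failed ssh was hidden behind sort/awk,
# leaving an empty snapshot file and a zero exit status.
set -o errexit -o nounset -o pipefail

user=root

. hosts.sh

# Start from clean output directories. sysctl/ was previously missing from
# both lists, so the sysctl redirect failed on a fresh checkout.
rm -rf modules packages units sysctl
mkdir -p modules packages units sysctl

pids=()
for host in "${hosts_all[@]}"; do
    (
        # ssh -n: do not read our stdin, so parallel sessions cannot swallow
        # terminal input. errexit is inherited, so the first failing command
        # ends this host's subshell with a non-zero status.
        ssh -n "$user@$host" lsmod | awk '{ print $1 }' | sort > "modules/$host"
        ssh -n "$user@$host" pacman -Qqe > "packages/$host"
        ssh -n "$user@$host" systemctl list-unit-files --state=enabled --state=disabled --state=masked | sort > "units/$host"
        ssh -n "$user@$host" sysctl -a | sort > "sysctl/$host"
    ) &
    pids+=("$!")
done

# A bare `wait` always returns 0; wait on each pid so a failed host is reported.
status=0
for pid in "${pids[@]}"; do
    wait "$pid" || status=1
done
exit "$status"
--------------------------------------------------------------------------------
/for:
--------------------------------------------------------------------------------
#!/bin/bash
# Run one command on every host of a group: ./for <group> '<command>'.
# <group> selects the hosts_<group> array from hosts.sh; the command is passed
# verbatim to the remote shell as root, so an explicit "yes" is required first.

set -o errexit -o nounset -o pipefail

[[ $# -eq 2 ]] || exit 1

# The group name is spliced into a variable name below; restrict it to
# identifier characters so a typo cannot become an odd name reference.
[[ $1 =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || { echo "invalid host group: $1" >&2; exit 1; }

input=
read -p "Run command '$2' across $1 servers? " input
if [[ $input != yes ]]; then
    exit 1
fi
echo

user=root

. hosts.sh

declare -n hosts=hosts_$1
# An unknown group used to loop over nothing and exit 0; make it an error.
[[ ${#hosts[@]} -gt 0 ]] || { echo "unknown or empty host group: $1" >&2; exit 1; }

for host in "${hosts[@]}"; do
    echo "$host"
    echo

    # errexit: the first host on which the command fails stops the run.
    ssh "$user@$host" "$2"

    echo
done
--------------------------------------------------------------------------------
/guide/dane.txt:
--------------------------------------------------------------------------------
openssl rsa -in /etc/letsencrypt/live/example.com/privkey.pem -outform der -pubout | openssl dgst -sha256 -hex
openssl ec -in /etc/letsencrypt/live/example.com/privkey.pem -outform der -pubout | openssl dgst -sha256 -hex
--------------------------------------------------------------------------------
/guide/nftables-dscp-counter.txt:
--------------------------------------------------------------------------------
ip dscp == df counter
ip dscp == lephb counter
ip dscp == cs1 counter
ip dscp == cs2 counter
ip dscp == cs3 counter
ip dscp == cs4 counter
ip dscp == cs5 counter
ip dscp == cs6 counter
ip dscp == cs7 counter
ip dscp == af11 counter
ip dscp == af12 counter
ip dscp == af13 counter
ip dscp == af21 counter
ip dscp == af22 counter
ip dscp == af23 counter
ip dscp == af31 counter
ip dscp == af32 counter
ip dscp == af33 counter
ip dscp == af41 counter
ip dscp == af42 counter
ip dscp == af43 counter
ip dscp == va counter
ip dscp == ef counter
ip dscp != {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, va, ef} counter
--------------------------------------------------------------------------------
/guide/samsung-opal.txt:
--------------------------------------------------------------------------------
Authenticate with the PSID in order to set up OPAL (anti-ransomware feature):

sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID $PSID_FROM_DRIVE_STICKER $DRIVE
sedutil-cli --initialsetup $PASSWORD $DRIVE
sedutil-cli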
--enableLockingRange 0 $PASSWORD $DRIVE 6 | sedutil-cli --loadPBAimage $PASSWORD UEFI64.img $DRIVE 7 | -------------------------------------------------------------------------------- /home/.config/fish/config.fish: -------------------------------------------------------------------------------- 1 | set -g fish_greeting 2 | 3 | set -gx INPUTRC ~/.config/inputrc 4 | set -gx PARALLEL_HOME ~/.config/parallel 5 | 6 | set -gx EDITOR nvim 7 | set -gx VISUAL nvim 8 | set -gx PAGER less 9 | 10 | set -gx LS_COLORS "rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=00:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.7z=01;31:*.ace=01;31:*.alz=01;31:*.apk=01;31:*.arc=01;31:*.arj=01;31:*.bz=01;31:*.bz2=01;31:*.cab=01;31:*.cpio=01;31:*.crate=01;31:*.deb=01;31:*.drpm=01;31:*.dwm=01;31:*.dz=01;31:*.ear=01;31:*.egg=01;31:*.esd=01;31:*.gz=01;31:*.jar=01;31:*.lha=01;31:*.lrz=01;31:*.lz=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.lzo=01;31:*.pyz=01;31:*.rar=01;31:*.rpm=01;31:*.rz=01;31:*.sar=01;31:*.swm=01;31:*.t7z=01;31:*.tar=01;31:*.taz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tgz=01;31:*.tlz=01;31:*.txz=01;31:*.tz=01;31:*.tzo=01;31:*.tzst=01;31:*.udeb=01;31:*.war=01;31:*.whl=01;31:*.wim=01;31:*.xz=01;31:*.z=01;31:*.zip=01;31:*.zoo=01;31:*.zst=01;31:*.avif=01;35:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.m
ka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:*~=00;90:*#=00;90:*.bak=00;90:*.crdownload=00;90:*.dpkg-dist=00;90:*.dpkg-new=00;90:*.dpkg-old=00;90:*.dpkg-tmp=00;90:*.old=00;90:*.orig=00;90:*.part=00;90:*.rej=00;90:*.rpmnew=00;90:*.rpmorig=00;90:*.rpmsave=00;90:*.swp=00;90:*.tmp=00;90:*.ucf-dist=00;90:*.ucf-new=00;90:*.ucf-old=00;90:" 11 | 12 | # ssh doesn't forward COLORTERM 13 | if set -q TERM && test $TERM = alacritty && ! set -q COLORTERM 14 | set -gx COLORTERM truecolor 15 | end 16 | 17 | if status is-interactive 18 | fish_vi_key_bindings 19 | set fish_cursor_insert line 20 | set fish_cursor_replace_one underscore 21 | set fish_cursor_replace underscore 22 | set fish_cursor_external line 23 | 24 | set -g fish_prompt_pwd_full_dirs 2 25 | 26 | alias rsync 'rsync --preallocate' 27 | alias diff 'diff --color=auto' 28 | alias grep 'grep --color=auto' 29 | alias ls 'ls -A --color=auto' 30 | alias ip 'ip -color=auto' 31 | alias tc 'tc -color=auto' 32 | alias pstree 'pstree -UC age' 33 | alias tree 'tree -a' 34 | alias chown 'chown --preserve-root' 35 | alias chmod 'chmod --preserve-root' 36 | alias chgrp 'chgrp --preserve-root' 37 | alias vim nvim 38 | alias vimdiff 'nvim -d' 39 | 40 | abbr cp cp -i 41 | abbr mv mv -i 42 | abbr rm rm -I 43 | abbr ln ln -i 44 | 45 | abbr free free -m 46 | abbr ls ls -h 47 | abbr df df -h 48 | abbr du du -h 49 | 50 | abbr vi vim 51 | abbr rr rm -rI 52 | abbr ll ls -lh 53 | end 54 | -------------------------------------------------------------------------------- /home/.config/fish/functions/fish_title.fish: -------------------------------------------------------------------------------- 1 | function fish_title 2 | # If we're connected via ssh, we print the hostname. 3 | set -l ssh 4 | set -q SSH_TTY 5 | and set ssh "["(prompt_hostname | string sub -l 20 | string collect)"]" 6 | # An override for the current command is passed as the first parameter. 
7 | # This is used by `fg` to show the true process name, among others. 8 | if set -q argv[1] 9 | echo -- $ssh (string sub -l 20 -- $argv[1]) (prompt_pwd -d 1 -D 4) 10 | else 11 | # Don't print "fish" because it's redundant 12 | set -l command (status current-command) 13 | if test "$command" = fish 14 | set command 15 | end 16 | echo -- $ssh (string sub -l 20 -- $command) (prompt_pwd -d 1 -D 4) 17 | end 18 | end 19 | -------------------------------------------------------------------------------- /home/.config/inputrc: -------------------------------------------------------------------------------- 1 | set colored-stats on 2 | set menu-complete-display-prefix on 3 | set show-all-if-ambiguous on 4 | 5 | TAB:menu-complete 6 | "\e[Z":menu-complete-backward 7 | 8 | "\e[A":history-search-backward 9 | "\e[B":history-search-forward 10 | -------------------------------------------------------------------------------- /home/.config/lesskey: -------------------------------------------------------------------------------- 1 | #env 2 | LESS = -R --use-color 3 | LESSHISTFILE = - 4 | -------------------------------------------------------------------------------- /home/.config/nvim/autoload/gruvbox.vim: -------------------------------------------------------------------------------- 1 | " ----------------------------------------------------------------------------- 2 | " File: gruvbox.vim 3 | " Description: Retro groove color scheme for Vim 4 | " Author: morhetz 5 | " Source: https://github.com/morhetz/gruvbox 6 | " Last Modified: 09 Apr 2014 7 | " ----------------------------------------------------------------------------- 8 | 9 | function! gruvbox#invert_signs_toggle() 10 | if g:gruvbox_invert_signs == 0 11 | let g:gruvbox_invert_signs=1 12 | else 13 | let g:gruvbox_invert_signs=0 14 | endif 15 | 16 | colorscheme gruvbox 17 | endfunction 18 | 19 | " Search Highlighting {{{ 20 | 21 | function! 
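gruvbox#hls_show()
  set hlsearch
  call GruvboxHlsShowCursor()
endfunction

function! gruvbox#hls_hide()
  set nohlsearch
  call GruvboxHlsHideCursor()
endfunction

" Toggle search highlighting on/off.
function! gruvbox#hls_toggle()
  if &hlsearch
    call gruvbox#hls_hide()
  else
    call gruvbox#hls_show()
  endif
endfunction

" }}}

" vim: set sw=2 ts=2 sts=2 et tw=80 ft=vim fdm=marker:
--------------------------------------------------------------------------------
/home/.config/nvim/init.vim:
--------------------------------------------------------------------------------
set title
set mouse=a
set cursorline
set number
set whichwrap+=<,>,[,]
set virtualedit=block
set scrolloff=3
set shortmess=atToOI

" double slash to use full path to file
set backup backupdir=~/.local/state/nvim/backup//
set undofile

set wildmode=list:longest,full

set expandtab softtabstop=4 shiftwidth=4
set cinoptions=(0

set ignorecase
set smartcase

let mapleader = ","

nnoremap gb :ls:b

colorscheme gruvbox

" highlight trailing whitespace, except when typing at eol
highlight ExtraWhitespace ctermbg=darkred guibg=darkred
match ExtraWhitespace /\s\+$/
autocmd BufWinEnter * match ExtraWhitespace /\s\+$/
autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@new.key
rsync -I new.key 4.key
rm new.key

# Concatenate the four rotated keys into the file the servers load, replacing
# it atomically-ish via rsync -I (always copy, ignore timestamps/size).
cat {1..4}.key > keys.new
rsync -I keys.new keys
rm keys.new

# Only poke the servers that are actually enabled on this host.
if systemctl is-enabled nginx.service >/dev/null; then
    nginx -s reload
fi

if systemctl is-enabled dnsdist.service >/dev/null; then
    dnsdist -c -e 'reloadAllCertificates()'
fi
--------------------------------------------------------------------------------
/setup:
--------------------------------------------------------------------------------
#!/bin/bash
# Create a fresh virtualenv in ./venv and install the pinned, hash-verified
# dependencies from requirements.txt into it.

# Fail fast. Without errexit a failed venv creation left `source` failing
# quietly and pip installing into the system interpreter instead of the venv.
set -o errexit -o nounset -o pipefail

python3 -m venv --clear venv
source venv/bin/activate
# --require-hashes: every requirement must be pinned with a hash that matches
# the downloaded artifact; --only-binary :all: refuses source distributions,
# so no setup.py is ever executed during install.
pip install --require-hashes --only-binary :all: -r requirements.txt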