├── etc ├── locale.conf ├── sysconfig │ └── chronyd ├── modules-load.d │ ├── 60-softdog.conf │ └── 60-local.conf ├── default │ ├── cpupower.amd │ ├── cpupower.intel │ └── grub ├── resolv.conf ├── tmpfiles.d │ └── chrony.conf ├── systemd │ ├── system │ │ ├── -.slice.d │ │ │ └── override.conf │ │ ├── system.slice.d │ │ │ └── override.conf │ │ ├── plocate-updatedb.service.d │ │ │ └── override.conf │ │ ├── systemd-boot-update.service.d │ │ │ └── local.conf │ │ ├── certbot-renew.service.d │ │ │ ├── replicate.conf │ │ │ └── override.conf │ │ ├── mdmonitor.service.d │ │ │ └── override.conf │ │ ├── systemd-cryptsetup@.service.d │ │ │ └── override.conf │ │ ├── attestation.service.d │ │ │ └── override.conf │ │ ├── unbound.service.d │ │ │ └── override.conf │ │ ├── sshd.service.d │ │ │ └── override.conf │ │ ├── fstrim.timer.d │ │ │ └── override.conf │ │ ├── fstrim.service.d │ │ │ └── override.conf │ │ ├── logrotate.timer.d │ │ │ └── override.conf │ │ ├── sysstat-collect.timer.d │ │ │ └── override.conf │ │ ├── tcp-fastopen-rotate-keys.service │ │ ├── tcp-fastopen-rotate-keys.timer │ │ ├── chronyd.service.d │ │ │ └── override.conf │ │ ├── session-ticket-keys-rotate.timer │ │ ├── session-ticket-keys-sync.timer │ │ ├── xfs_fsr.service │ │ ├── session-ticket-keys-create.service │ │ ├── session-ticket-keys-sync.service │ │ ├── session-ticket-keys-rotate.service │ │ ├── single.fq.service │ │ ├── nginx.service.d │ │ │ └── override.conf │ │ ├── attestation.app.fq.service │ │ ├── grapheneos.social.fq.service │ │ ├── discuss.grapheneos.org.fq.service │ │ ├── matrix.grapheneos.org.fq.service │ │ ├── lax.releases.grapheneos.org.fq.service │ │ ├── mia.releases.grapheneos.org.fq.service │ │ ├── yto.releases.grapheneos.org.fq.service │ │ └── lon.releases.grapheneos.org.fq.service │ ├── network │ │ ├── attestation.app.link │ │ ├── brn.grapheneos.org.link │ │ ├── grapheneos.social.link │ │ ├── las.grapheneos.org.link │ │ ├── mail.grapheneos.org.link │ │ ├── matrix.grapheneos.org.link │ │ ├── 
mia.grapheneos.org.link │ │ ├── nyc.grapheneos.org.link │ │ ├── sao.grapheneos.org.link │ │ ├── sea.grapheneos.org.link │ │ ├── sin.grapheneos.org.link │ │ ├── syd.grapheneos.org.link │ │ ├── bom.ns1.grapheneos.org.link │ │ ├── brn.ns2.grapheneos.org.link │ │ ├── discuss.grapheneos.org.link │ │ ├── fra.ns1.grapheneos.org.link │ │ ├── las.ns2.grapheneos.org.link │ │ ├── lax.ns1.grapheneos.org.link │ │ ├── lon.ns1.grapheneos.org.link │ │ ├── mia.ns1.grapheneos.org.link │ │ ├── mia.ns2.grapheneos.org.link │ │ ├── ns1.staging.grapheneos.org.link │ │ ├── nyc.ns1.grapheneos.org.link │ │ ├── nyc.ns2.grapheneos.org.link │ │ ├── sao.ns1.grapheneos.org.link │ │ ├── sea.ns1.grapheneos.org.link │ │ ├── sin.ns1.grapheneos.org.link │ │ ├── staging.attestation.app.link │ │ ├── staging.grapheneos.org.link │ │ ├── syd.ns1.grapheneos.org.link │ │ ├── tyo.ns1.grapheneos.org.link │ │ ├── lon.releases.grapheneos.org.link │ │ ├── yto.releases.grapheneos.org.link │ │ ├── sao.grapheneos.org.network │ │ ├── sea.grapheneos.org.network │ │ ├── sin.grapheneos.org.network │ │ ├── syd.grapheneos.org.network │ │ ├── lax.releases.grapheneos.org.link │ │ ├── mia.releases.grapheneos.org.link │ │ ├── lon.releases.grapheneos.org.network │ │ ├── bom.ns1.grapheneos.org.network │ │ ├── fra.ns1.grapheneos.org.network │ │ ├── lax.ns1.grapheneos.org.network │ │ ├── lon.ns1.grapheneos.org.network │ │ ├── mia.ns1.grapheneos.org.network │ │ ├── nyc.ns1.grapheneos.org.network │ │ ├── sao.ns1.grapheneos.org.network │ │ ├── sea.ns1.grapheneos.org.network │ │ ├── sin.ns1.grapheneos.org.network │ │ ├── syd.ns1.grapheneos.org.network │ │ ├── tyo.ns1.grapheneos.org.network │ │ ├── attestation.app.network │ │ ├── matrix.grapheneos.org.network │ │ ├── grapheneos.social.network │ │ ├── discuss.grapheneos.org.network │ │ ├── yto.releases.grapheneos.org.network │ │ ├── nyc.grapheneos.org.network │ │ ├── brn.grapheneos.org.network │ │ ├── las.grapheneos.org.network │ │ ├── lax.releases.grapheneos.org.network │ │ ├── 
mia.grapheneos.org.network │ │ ├── mia.releases.grapheneos.org.network │ │ ├── staging.attestation.app.network │ │ ├── staging.grapheneos.org.network │ │ ├── mail.grapheneos.org.network │ │ ├── ns1.staging.grapheneos.org.network │ │ ├── brn.ns2.grapheneos.org.network │ │ ├── mia.ns2.grapheneos.org.network │ │ ├── nyc.ns2.grapheneos.org.network │ │ └── las.ns2.grapheneos.org.network │ ├── sleep.conf │ ├── networkd.conf │ ├── journald.conf │ └── system.conf ├── pacman.d │ └── mirrorlist ├── logrotate.d │ ├── letsencrypt │ └── nginx ├── sysctl.d │ ├── 60-mdraid.conf │ ├── 60-tcp_fastopen.conf │ └── 60-local.conf ├── crypttab ├── ssh │ ├── ssh_config │ └── sshd_config ├── fstab.virtual ├── modprobe.d │ └── local.conf ├── fstab.mdraid ├── logrotate.conf ├── syslog-ng │ ├── syslog-ng.conf │ └── conf.d │ │ └── nginx.conf ├── chrony.conf ├── mkinitcpio.d │ └── linux-lts.preset ├── unbound │ └── unbound.conf ├── pacman.conf ├── mkinitcpio.conf.simple ├── mkinitcpio.conf.mdraid └── nftables │ ├── nftables-mail.conf │ ├── nftables-social.conf │ ├── nftables-web.conf │ ├── nftables-discuss.conf │ ├── nftables-attestation.conf │ ├── nftables-network.conf │ └── nftables-matrix.conf ├── boot └── loader │ ├── loader.conf │ └── entries │ ├── arch-lts.conf │ └── arch-lts-fallback.conf ├── home └── .config │ ├── lesskey │ ├── user-tmpfiles.d │ └── vim.conf │ ├── inputrc │ ├── fish │ ├── functions │ │ └── fish_title.fish │ └── config.fish │ └── nvim │ ├── init.vim │ └── autoload │ └── gruvbox.vim ├── .github └── FUNDING.yml ├── README.md ├── guide ├── dane.txt └── samsung-opal.txt ├── session-ticket-keys-create ├── deploy-hostname ├── shared.sh ├── deploy-secondary ├── certbot ├── discuss.grapheneos.org ├── staging.attestation.app ├── attestation.app ├── grapheneos.social ├── matrix.grapheneos.org ├── mia.releases.grapheneos.org ├── ns1.staging.grapheneos.org ├── staging.grapheneos.org ├── nyc.ns1.grapheneos.org ├── nyc.ns2.grapheneos.org ├── mail.grapheneos.org └── nyc.grapheneos.org 
├── connection-stats ├── disconnect ├── nginx-stats ├── .gitignore ├── for ├── packages ├── brn.grapheneos.org ├── las.grapheneos.org ├── mia.grapheneos.org ├── sao.grapheneos.org ├── sea.grapheneos.org ├── sin.grapheneos.org ├── syd.grapheneos.org ├── nyc.grapheneos.org ├── staging.grapheneos.org ├── bom.ns1.grapheneos.org ├── brn.ns2.grapheneos.org ├── fra.ns1.grapheneos.org ├── las.ns2.grapheneos.org ├── lax.ns1.grapheneos.org ├── lon.ns1.grapheneos.org ├── mia.ns1.grapheneos.org ├── mia.ns2.grapheneos.org ├── sao.ns1.grapheneos.org ├── sea.ns1.grapheneos.org ├── sin.ns1.grapheneos.org ├── syd.ns1.grapheneos.org ├── tyo.ns1.grapheneos.org ├── nyc.ns1.grapheneos.org ├── nyc.ns2.grapheneos.org ├── ns1.staging.grapheneos.org ├── lax.releases.grapheneos.org ├── yto.releases.grapheneos.org ├── staging.attestation.app ├── mia.releases.grapheneos.org ├── attestation.app ├── lon.releases.grapheneos.org ├── grapheneos.social ├── mail.grapheneos.org ├── discuss.grapheneos.org └── matrix.grapheneos.org ├── certbot-replicate ├── deploy-journald ├── reboot ├── fetch-info ├── deploy-nftables ├── deploy-primary ├── tcp-fastopen-rotate-keys ├── check-reverse-dns ├── deploy-certbot ├── session-ticket-keys-sync-deploy ├── session-ticket-keys-rotate ├── dns-stats ├── LICENSE ├── deploy-web ├── deploy-bootloader ├── session-ticket-keys-sync ├── count └── deploy-initial-vps /etc/locale.conf: -------------------------------------------------------------------------------- 1 | LANG=C.UTF-8 2 | -------------------------------------------------------------------------------- /etc/sysconfig/chronyd: -------------------------------------------------------------------------------- 1 | OPTIONS=-F1 -r 2 | -------------------------------------------------------------------------------- /etc/modules-load.d/60-softdog.conf: -------------------------------------------------------------------------------- 1 | softdog 2 | 
-------------------------------------------------------------------------------- /boot/loader/loader.conf: -------------------------------------------------------------------------------- 1 | default arch-lts.conf 2 | -------------------------------------------------------------------------------- /etc/default/cpupower.amd: -------------------------------------------------------------------------------- 1 | governor=performance 2 | -------------------------------------------------------------------------------- /etc/modules-load.d/60-local.conf: -------------------------------------------------------------------------------- 1 | nf_conntrack 2 | -------------------------------------------------------------------------------- /etc/resolv.conf: -------------------------------------------------------------------------------- 1 | nameserver ::1 2 | options edns0 trust-ad 3 | -------------------------------------------------------------------------------- /etc/default/cpupower.intel: -------------------------------------------------------------------------------- 1 | governor=performance 2 | perf_bias=0 3 | -------------------------------------------------------------------------------- /etc/tmpfiles.d/chrony.conf: -------------------------------------------------------------------------------- 1 | d /var/lib/chrony 0755 chrony chrony 30d 2 | -------------------------------------------------------------------------------- /etc/systemd/system/-.slice.d/override.conf: -------------------------------------------------------------------------------- 1 | [Slice] 2 | ManagedOOMSwap=kill 3 | -------------------------------------------------------------------------------- /home/.config/lesskey: -------------------------------------------------------------------------------- 1 | #env 2 | LESS = -R --use-color 3 | LESSHISTFILE = - 4 | -------------------------------------------------------------------------------- /etc/pacman.d/mirrorlist: 
-------------------------------------------------------------------------------- 1 | Server = https://fastly.mirror.pkgbuild.com/$repo/os/$arch 2 | -------------------------------------------------------------------------------- /etc/logrotate.d/letsencrypt: -------------------------------------------------------------------------------- 1 | /var/log/letsencrypt/letsencrypt.log { 2 | missingok 3 | } 4 | -------------------------------------------------------------------------------- /etc/systemd/system/system.slice.d/override.conf: -------------------------------------------------------------------------------- 1 | [Slice] 2 | MemoryLow=64M 3 | MemoryMin=64M 4 | -------------------------------------------------------------------------------- /etc/sysctl.d/60-mdraid.conf: -------------------------------------------------------------------------------- 1 | dev.raid.speed_limit_min=100000 2 | dev.raid.speed_limit_max=1000000 3 | -------------------------------------------------------------------------------- /etc/systemd/system/plocate-updatedb.service.d/override.conf: -------------------------------------------------------------------------------- 1 | [Service] 2 | CPUSchedulingPolicy=idle 3 | -------------------------------------------------------------------------------- /etc/systemd/network/attestation.app.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=76:66:b0:ea:74:b0 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/system/systemd-boot-update.service.d/local.conf: -------------------------------------------------------------------------------- 1 | [Service] 2 | Environment=SYSTEMD_RELAX_ESP_CHECKS=1 3 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: thestinger 2 | custom: 
["https://grapheneos.org/donate", "https://attestation.app/donate"] 3 | -------------------------------------------------------------------------------- /etc/sysctl.d/60-tcp_fastopen.conf: -------------------------------------------------------------------------------- 1 | # keys are rotated by tcp-fastopen-rotate-keys.timer 2 | net.ipv4.tcp_fastopen = 3 3 | -------------------------------------------------------------------------------- /etc/systemd/network/brn.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=00:16:05:7b:bf:4e 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/grapheneos.social.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=7a:bd:03:e4:f2:36 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/las.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=00:16:ed:7b:89:9b 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/mail.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=fa:16:3e:ee:8b:bc 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/matrix.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=ea:5f:d2:f2:87:78 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/mia.grapheneos.org.link: 
-------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=00:16:a9:79:3b:c8 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/nyc.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=00:16:52:d3:b6:74 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/sao.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:d0:8e:a7 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/sea.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:c8:41:39 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/sin.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:c7:4c:dc 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/syd.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:c7:c9:02 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/system/certbot-renew.service.d/replicate.conf: -------------------------------------------------------------------------------- 1 | [Service] 2 | ExecStartPost=/usr/local/bin/certbot-replicate 3 | -------------------------------------------------------------------------------- 
/etc/systemd/network/bom.ns1.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:c5:d5:03 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/brn.ns2.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=00:16:0b:de:a3:3b 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/discuss.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=06:0c:f3:d1:77:e9 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/fra.ns1.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:c2:23:a1 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/las.ns2.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=00:16:bf:aa:e3:77 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/lax.ns1.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:c1:97:db 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/lon.ns1.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:c3:f3:f8 3 | 4 | [Link] 5 | Name=public 6 | 
-------------------------------------------------------------------------------- /etc/systemd/network/mia.ns1.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:c1:65:c4 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/mia.ns2.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=00:16:e1:c0:d9:dc 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/ns1.staging.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=00:16:27:1c:de:4c 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/nyc.ns1.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:c1:7c:21 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/nyc.ns2.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=00:16:54:9a:90:82 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/sao.ns1.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:ca:f1:36 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/sea.ns1.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | 
MACAddress=56:00:05:c1:9d:bd 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/sin.ns1.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:c2:23:b0 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/staging.attestation.app.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=00:16:a6:ef:f0:28 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/staging.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=00:16:54:aa:09:82 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/syd.ns1.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:c5:d4:1b 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/tyo.ns1.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=56:00:05:c4:e3:94 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/lon.releases.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=d0:50:99:fd:d2:9a 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/network/yto.releases.grapheneos.org.link: 
-------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=0c:c4:7a:ea:35:d1 3 | 4 | [Link] 5 | Name=public 6 | -------------------------------------------------------------------------------- /etc/systemd/system/mdmonitor.service.d/override.conf: -------------------------------------------------------------------------------- 1 | [Service] 2 | ExecStart= 3 | ExecStart=/sbin/mdadm --monitor --scan --syslog 4 | -------------------------------------------------------------------------------- /etc/crypttab: -------------------------------------------------------------------------------- 1 | swap /swapfile /dev/random swap,cipher=aes-xts-plain64,size=512,sector-size=4096,no-read-workqueue,no-write-workqueue 2 | -------------------------------------------------------------------------------- /etc/systemd/system/systemd-cryptsetup@.service.d/override.conf: -------------------------------------------------------------------------------- 1 | [Service] 2 | ExecStartPost=/usr/bin/udevadm trigger /dev/mapper/%i 3 | -------------------------------------------------------------------------------- /etc/systemd/network/sao.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | [DHCP] 8 | UseMTU=true 9 | -------------------------------------------------------------------------------- /etc/systemd/network/sea.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | [DHCP] 8 | UseMTU=true 9 | -------------------------------------------------------------------------------- /etc/systemd/network/sin.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | [DHCP] 8 | UseMTU=true 9 | 
--------------------------------------------------------------------------------
/etc/systemd/network/syd.grapheneos.org.network:
--------------------------------------------------------------------------------
# systemd-networkd: the interface renamed to "public" by the matching
# syd.grapheneos.org.link (MAC match) gets its address via DHCPv4 and takes the
# MTU the DHCP server offers.
1 | [Match]
2 | Name=public
3 | 
4 | [Network]
5 | DHCP=ipv4
6 | 
7 | [DHCP]
8 | UseMTU=true
9 | 
--------------------------------------------------------------------------------
/etc/systemd/system/attestation.service.d/override.conf:
--------------------------------------------------------------------------------
# Drop-in for the attestation.app service. {{ipv4_address}}/{{ipv6_address}}
# are template placeholders — NOTE(review): confirm the deploy script expands
# them before the unit is loaded; an unexpanded value is not a valid address
# and would most likely be logged and ignored by systemd rather than enforced.
#
# IPAddressAllow= on its own restricts nothing: systemd checks the allow list
# first, then the deny list, and permits anything matched by neither. These
# lines only act as an allow-list if the base attestation.service (not shown
# here) sets IPAddressDeny=any; in a drop-in they append to that unit's list.
1 | [Service]
2 | IPAddressAllow={{ipv4_address}}
3 | IPAddressAllow={{ipv6_address}}
4 | 
--------------------------------------------------------------------------------
/etc/systemd/system/unbound.service.d/override.conf:
--------------------------------------------------------------------------------
# Local validating resolver. /etc/resolv.conf points at ::1 with trust-ad, so
# while unbound is down the host has no DNS at all; restart it unconditionally
# with a backoff ramping from 100ms to a 10s cap over 5 steps instead of
# systemd's default of giving up after a burst of failures.
# RestartSteps=/RestartMaxDelaySec= require systemd >= 254.
1 | [Service]
2 | Restart=always
3 | RestartMaxDelaySec=10s
4 | RestartSec=100ms
5 | RestartSteps=5
6 | 
--------------------------------------------------------------------------------
/etc/systemd/system/sshd.service.d/override.conf:
--------------------------------------------------------------------------------
# NOTE(review): After= is ordering only. sshd is delayed until
# network-online.target only if some other unit already pulls that target in;
# if the intent is to always wait for addresses (e.g. for ListenAddress
# bindings), add Wants=network-online.target alongside it.
1 | [Unit]
2 | After=network-online.target
3 | 
# Raise the fd limit for many concurrent sessions and tell systemd-oomd to
# prefer killing other cgroups first, so an OOM event does not lock admins out.
4 | [Service]
5 | LimitNOFILE=8192
6 | ManagedOOMPreference=avoid
7 | 
--------------------------------------------------------------------------------
/etc/systemd/system/fstrim.timer.d/override.conf:
--------------------------------------------------------------------------------
# The empty OnCalendar= clears the schedule inherited from the packaged
# fstrim.timer (weekly upstream) before setting a daily one; without the reset
# a drop-in would append a second trigger rather than replace the first.
1 | [Unit]
2 | Description=Discard unused filesystem blocks once a day
3 | 
4 | [Timer]
5 | OnCalendar=
6 | OnCalendar=daily
7 | 
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Information about GrapheneOS servers is available in the [GrapheneOS servers
2 | article](https://grapheneos.org/articles/grapheneos-servers) on grapheneos.org.
3 | -------------------------------------------------------------------------------- /etc/systemd/network/lax.releases.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=9c:6b:00:68:14:ec 3 | 4 | [Link] 5 | Name=public 6 | CombinedChannels=24 7 | UseAdaptiveRxCoalesce=true 8 | -------------------------------------------------------------------------------- /etc/systemd/network/mia.releases.grapheneos.org.link: -------------------------------------------------------------------------------- 1 | [Match] 2 | MACAddress=9c:6b:00:65:dc:22 3 | 4 | [Link] 5 | Name=public 6 | CombinedChannels=24 7 | UseAdaptiveRxCoalesce=true 8 | -------------------------------------------------------------------------------- /etc/systemd/system/fstrim.service.d/override.conf: -------------------------------------------------------------------------------- 1 | #[Unit] 2 | #Wants=xfs_fsr.service 3 | #After=xfs_fsr.service 4 | 5 | [Service] 6 | CPUSchedulingPolicy=idle 7 | IOSchedulingClass=idle 8 | -------------------------------------------------------------------------------- /etc/systemd/system/logrotate.timer.d/override.conf: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Rotate log files every 5 minutes 3 | 4 | [Timer] 5 | AccuracySec=1us 6 | OnCalendar=*:0/5 7 | RandomizedDelaySec=0 8 | -------------------------------------------------------------------------------- /home/.config/user-tmpfiles.d/vim.conf: -------------------------------------------------------------------------------- 1 | d /root/.local/state/nvim/backup 0700 root root 10d 2 | d /root/.local/state/nvim/swap 0700 root root 10d 3 | d /root/.local/state/nvim/undo 0700 root root 10d 4 | -------------------------------------------------------------------------------- /etc/systemd/system/sysstat-collect.timer.d/override.conf: 
--------------------------------------------------------------------------------
# Drop-in for sysstat-collect.timer: clear the inherited schedule and sample
# every minute, with timer coalescing effectively disabled (AccuracySec=1us).
1 | [Unit]
2 | Description=Run system activity accounting tool every minute
3 | 
4 | [Timer]
5 | AccuracySec=1us
6 | OnCalendar=
7 | OnCalendar=minutely
8 | 
--------------------------------------------------------------------------------
/etc/systemd/system/tcp-fastopen-rotate-keys.service:
--------------------------------------------------------------------------------
# Oneshot driven by tcp-fastopen-rotate-keys.timer (net.ipv4.tcp_fastopen=3 is
# set in /etc/sysctl.d/60-tcp_fastopen.conf). UMask=0077 keeps any key material
# the script writes readable by root only; the script itself is not shown here.
1 | [Unit]
2 | Description=Rotate TCP Fast Open keys
3 | 
4 | [Service]
5 | ExecStart=/usr/local/bin/tcp-fastopen-rotate-keys
6 | Type=oneshot
7 | UMask=0077
8 | 
--------------------------------------------------------------------------------
/etc/ssh/ssh_config:
--------------------------------------------------------------------------------
1 | # Include drop-in configurations
2 | Include /etc/ssh/ssh_config.d/*.conf
3 | 
# DSCP: interactive traffic CS2, bulk (non-interactive) traffic CS0.
4 | IPQoS cs2 cs0
5 | 
# Detect dead peers inside the encrypted channel (not spoofable, unlike plain
# TCP keepalives): give up after 2 unanswered 60s probes.
6 | ServerAliveInterval 60
7 | ServerAliveCountMax 2
8 | TCPKeepAlive no
9 | 
# Check host keys against SSHFP records. "ask" still prompts for new keys but
# reports whether DNS agrees; the match only counts as secure when the answer
# carries the AD bit, which here comes from the local validating unbound
# (/etc/resolv.conf: nameserver ::1, options trust-ad). Without a validating
# resolver the SSHFP data is merely advisory.
10 | VerifyHostKeyDNS ask
11 | 
--------------------------------------------------------------------------------
/guide/dane.txt:
--------------------------------------------------------------------------------
# Compute the DANE TLSA record data for a Let's Encrypt key: SHA-256 over the
# DER SubjectPublicKeyInfo, i.e. selector 1 (SPKI) / matching type 1 (SHA-256),
# typically published as usage 3 (DANE-EE). Use the rsa or ec line to match the
# key type. The certbot/* invocations in this repo pass --reuse-key precisely so
# this SPKI hash stays stable across renewals; dropping that flag silently
# invalidates the published TLSA record at the next renewal.
1 | openssl rsa -in /etc/letsencrypt/live/example.com/privkey.pem -outform der -pubout | openssl dgst -sha256 -hex
2 | openssl ec -in /etc/letsencrypt/live/example.com/privkey.pem -outform der -pubout | openssl dgst -sha256 -hex
3 | 
--------------------------------------------------------------------------------
/etc/systemd/system/tcp-fastopen-rotate-keys.timer:
--------------------------------------------------------------------------------
# Daily at 00:00 UTC; Persistent=true runs a missed rotation at the next boot
# so a host that was down at midnight does not keep the previous key longer.
1 | [Unit]
2 | Description=Run tcp-fastopen-rotate-keys daily
3 | 
4 | [Timer]
5 | AccuracySec=1us
6 | OnCalendar=daily UTC
7 | Persistent=true
8 | 
9 | [Install]
10 | WantedBy=timers.target
11 | 
--------------------------------------------------------------------------------
/home/.config/inputrc: 
--------------------------------------------------------------------------------
# readline: menu-style completion and prefix-filtered history search on the
# arrow keys (user-level inputrc).
1 | set colored-stats on
2 | set menu-complete-display-prefix on
3 | set show-all-if-ambiguous on
4 | 
5 | TAB:menu-complete
6 | "\e[Z":menu-complete-backward
7 | 
8 | "\e[A":history-search-backward
9 | "\e[B":history-search-forward
10 | 
--------------------------------------------------------------------------------
/etc/fstab.virtual:
--------------------------------------------------------------------------------
# /dev/mapper/swap is the swap file set up by /etc/crypttab with a fresh
# /dev/random key on every activation, so nothing swapped out survives a reboot.
1 | /dev/mapper/swap none swap x-systemd.device-timeout=30 0 0
# TLS session ticket keys live only in RAM: a tmpfs that is never swapped
# (noswap, Linux >= 6.4), readable by root and group "tls" only (mode=750), and
# ordered so it is mounted before session-ticket-keys-create.service fills it.
# Keeping these keys off disk and rotating them (session-ticket-keys-rotate)
# bounds how long a compromised ticket key can decrypt recorded sessions.
2 | tmpfs /etc/tls/session-ticket-keys tmpfs size=1M,mode=750,gid=tls,noswap,x-systemd.before=session-ticket-keys-create.service,x-systemd.required-by=session-ticket-keys-create.service 0 0
3 | 
--------------------------------------------------------------------------------
/session-ticket-keys-create:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | set -o errexit -o nounset -o pipefail
4 | 
# Populate the freshly mounted tmpfs with five 80-byte ticket keys (80 bytes is
# the size nginx's ssl_session_ticket_key accepts for AES-256 keys — presumably
# the consumer here) and concatenate them into `keys`, next.key first: in the
# nginx format the first key encrypts new tickets and the remaining keys only
# decrypt tickets issued earlier. Rotation is handled by the separate
# session-ticket-keys-rotate script.
5 | cd /etc/tls/session-ticket-keys
6 | 
7 | for i in next.key {1..4}.key; do
# NOTE(review): as listed, `head -c 80 $i` reads 80 bytes *from* $i, which does
# not exist on an empty tmpfs, so errexit aborts on the first iteration and
# `keys` is never written. The intent is evidently to fill $i from the kernel
# RNG (e.g. `head -c 80 /dev/urandom > $i`); this rendering may have lost the
# source path and redirection — confirm against the upstream script.
8 | head -c 80 $i
9 | done
10 | 
11 | cat next.key {1..4}.key > keys
12 | 
--------------------------------------------------------------------------------
/deploy-hostname:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | . shared.sh
4 | . 
hosts.sh 5 | 6 | for host in ${hosts_all[@]}; do 7 | remote=root@$host 8 | 9 | echo 10 | echo $host 11 | echo 12 | 13 | ssh $remote hostnamectl hostname ${hosts_hostname[$host]} 14 | done 15 | -------------------------------------------------------------------------------- /etc/systemd/system/chronyd.service.d/override.conf: -------------------------------------------------------------------------------- 1 | [Service] 2 | NoNewPrivileges=yes 3 | ReadWritePaths= 4 | ReadWritePaths=/run /var/lib/chrony -/var/log 5 | Restart=always 6 | RestartMaxDelaySec=10s 7 | RestartSec=100ms 8 | RestartSteps=5 9 | RestrictAddressFamilies=~AF_NETLINK 10 | -------------------------------------------------------------------------------- /shared.sh: -------------------------------------------------------------------------------- 1 | set -o errexit -o nounset -o pipefail 2 | shopt -s expand_aliases inherit_errexit 3 | 4 | alias rsync='rsync -pcv --chmod=D755,F644 --preallocate' 5 | 6 | touch lock 7 | exec {fd}< lock 8 | if ! flock -n $fd; then 9 | echo already deploying >&2 10 | exit 1 11 | fi 12 | -------------------------------------------------------------------------------- /deploy-secondary: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . shared.sh 4 | . 
hosts.sh 5 | 6 | for host in ${hosts_secondary[@]}; do 7 | remote=root@$host 8 | 9 | echo 10 | echo $host 11 | echo 12 | 13 | rsync --chmod=F755 session-ticket-keys-sync-deploy $remote:/usr/local/bin/ 14 | done 15 | -------------------------------------------------------------------------------- /boot/loader/entries/arch-lts.conf: -------------------------------------------------------------------------------- 1 | title Arch Linux LTS 2 | linux /vmlinuz-linux-lts 3 | initrd /initramfs-linux-lts.img 4 | options root=/dev/md/root rw slab_nomerge init_on_free=1 lockdown=confidentiality vsyscall=none ia32_emulation=0 preempt=none noautogroup libahci.ignore_sss=1 consoleblank=600 quiet 5 | -------------------------------------------------------------------------------- /certbot/discuss.grapheneos.org: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \ 2 | --key-type ecdsa --reuse-key --required-profile shortlived \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name discuss.grapheneos.org \ 5 | -d discuss.grapheneos.org 6 | -------------------------------------------------------------------------------- /certbot/staging.attestation.app: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \ 2 | --key-type ecdsa --reuse-key --required-profile shortlived \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name staging.attestation.app \ 5 | -d staging.attestation.app 6 | -------------------------------------------------------------------------------- /etc/modprobe.d/local.conf: -------------------------------------------------------------------------------- 1 | blacklist cfg80211 2 | blacklist floppy 3 | blacklist intel_agp 4 | blacklist ip_tables 5 | blacklist joydev 6 | blacklist mousedev 7 | blacklist pcspkr 8 | blacklist 
psmouse 9 | blacklist snd_intel8x0 10 | blacklist sr_mod 11 | blacklist virtio_balloon 12 | blacklist virtio_console 13 | -------------------------------------------------------------------------------- /certbot/attestation.app: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \ 2 | --key-type ecdsa --reuse-key --required-profile shortlived \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name attestation.app \ 5 | -d attestation.app \ 6 | -d www.attestation.app 7 | -------------------------------------------------------------------------------- /connection-stats: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -o errexit -o nounset -o pipefail 4 | 5 | [[ $# -eq 1 ]] || exit 1 6 | 7 | user=root 8 | 9 | . hosts.sh 10 | 11 | declare -n hosts=hosts_$1 12 | for host in ${hosts[@]}; do 13 | echo $host 14 | echo 15 | 16 | ssh $user@$host ss -s 17 | 18 | echo 19 | done 20 | -------------------------------------------------------------------------------- /disconnect: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -o errexit -o nounset -o pipefail 4 | 5 | [[ $# -eq 0 ]] || exit 1 6 | 7 | . 
hosts.sh 8 | 9 | for host in ${hosts_all[@]}; do 10 | echo $host 11 | echo 12 | 13 | ssh root@$host -O exit || true 14 | ssh root@$host -O exit true || true 15 | 16 | echo 17 | done 18 | -------------------------------------------------------------------------------- /etc/systemd/system/session-ticket-keys-rotate.timer: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Rotate session ticket keys every 6 hours 3 | After=session-ticket-keys-create.service 4 | Requires=session-ticket-keys-create.service 5 | 6 | [Timer] 7 | OnActiveSec=6h 8 | OnUnitActiveSec=6h 9 | 10 | [Install] 11 | WantedBy=timers.target 12 | -------------------------------------------------------------------------------- /boot/loader/entries/arch-lts-fallback.conf: -------------------------------------------------------------------------------- 1 | title Arch Linux LTS Fallback 2 | linux /vmlinuz-linux-lts 3 | initrd /initramfs-linux-lts-fallback.img 4 | options root=/dev/md/root rw slab_nomerge init_on_free=1 lockdown=confidentiality vsyscall=none ia32_emulation=0 preempt=none noautogroup libahci.ignore_sss=1 consoleblank=600 quiet 5 | -------------------------------------------------------------------------------- /certbot/grapheneos.social: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \ 2 | --key-type ecdsa --reuse-key --required-profile shortlived \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name grapheneos.social \ 5 | -d grapheneos.social \ 6 | -d www.grapheneos.social 7 | -------------------------------------------------------------------------------- /etc/systemd/system/session-ticket-keys-sync.timer: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Sync session ticket keys every minute 3 | After=session-ticket-keys-create.service 4 | 
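Requires=session-ticket-keys-create.service

[Timer]
AccuracySec=1s
OnActiveSec=0
OnUnitActiveSec=1m

[Install]
WantedBy=timers.target
--------------------------------------------------------------------------------
/etc/systemd/system/xfs_fsr.service:
--------------------------------------------------------------------------------
[Unit]
Description=XFS filesystem reorganization

[Service]
CPUSchedulingPolicy=idle
ExecStart=/usr/bin/xfs_fsr -f /var/lib/.fsrlast
IOSchedulingClass=idle
IPAddressDeny=any
MemoryDenyWriteExecute=true
PrivateIPC=true
PrivateNetwork=true
Type=oneshot
--------------------------------------------------------------------------------
/certbot/matrix.grapheneos.org:
--------------------------------------------------------------------------------
certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \
    --key-type ecdsa --reuse-key --required-profile shortlived \
    --deploy-hook "nginx -s reload" \
    --cert-name matrix.grapheneos.org \
    -d matrix.grapheneos.org \
    -d element.grapheneos.org
--------------------------------------------------------------------------------
/etc/fstab.mdraid:
--------------------------------------------------------------------------------
/dev/md/boot /boot vfat rw,nosuid,nodev,noexec,fmask=0177,dmask=0077 0 2

/dev/mapper/swap none swap x-systemd.device-timeout=30 0 0
tmpfs /etc/tls/session-ticket-keys tmpfs size=1M,mode=750,gid=tls,noswap,x-systemd.before=session-ticket-keys-create.service,x-systemd.required-by=session-ticket-keys-create.service 0 0
--------------------------------------------------------------------------------
/etc/systemd/network/lon.releases.grapheneos.org.network:
--------------------------------------------------------------------------------
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=45.88.230.12/24

[Route]
Destination=0.0.0.0/0
Gateway=45.88.230.1
PreferredSource=45.88.230.12

[Route]
Destination=45.88.230.1
PreferredSource=45.88.230.12
--------------------------------------------------------------------------------
/etc/systemd/system/session-ticket-keys-create.service:
--------------------------------------------------------------------------------
[Unit]
Description=Create TLS session ticket keys
Before=dnsdist.service nginx.service

[Service]
ExecStart=/usr/local/bin/session-ticket-keys-create
Group=tls
RemainAfterExit=yes
Type=oneshot
UMask=0027

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/etc/systemd/system/session-ticket-keys-sync.service:
--------------------------------------------------------------------------------
[Unit]
Description=Sync TLS session ticket keys
After=dnsdist.service nginx.service session-ticket-keys-create.service
Requires=session-ticket-keys-create.service

[Service]
ExecStart=/usr/local/bin/session-ticket-keys-sync
Group=tls
Type=oneshot
UMask=0027
--------------------------------------------------------------------------------
/etc/systemd/system/session-ticket-keys-rotate.service:
--------------------------------------------------------------------------------
[Unit]
Description=Rotate TLS session ticket keys
After=dnsdist.service nginx.service session-ticket-keys-create.service
Requires=session-ticket-keys-create.service

[Service]
ExecStart=/usr/local/bin/session-ticket-keys-rotate
Group=tls
Type=oneshot
UMask=0027
--------------------------------------------------------------------------------
/guide/samsung-opal.txt:
--------------------------------------------------------------------------------
Authenticate with the PSID in order to set up OPAL (anti-ransomware feature):

sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID $PSID_FROM_DRIVE_STICKER $DRIVE
sedutil-cli --initialsetup $PASSWORD $DRIVE
sedutil-cli --enableLockingRange 0 $PASSWORD $DRIVE
sedutil-cli --loadPBAimage $PASSWORD UEFI64.img $DRIVE
--------------------------------------------------------------------------------
/nginx-stats:
--------------------------------------------------------------------------------
#!/bin/bash

# Dump the nginx status endpoint (served on a local unix socket) of every
# host in the group named by $1 (a hosts_<group> array defined in hosts.sh).

set -o errexit -o nounset -o pipefail

[[ $# -eq 1 ]] || exit 1

user=root

. hosts.sh

# Fail loudly on an unknown group instead of iterating over nothing (or
# tripping nounset with an opaque message) when the name is mistyped.
declare -p hosts_$1 &>/dev/null || { echo "unknown host group: $1" >&2; exit 1; }

declare -n hosts=hosts_$1
for host in ${hosts[@]}; do
    echo $host
    echo

    ssh $user@$host curl -sS --unix-socket /run/nginx/status.sock http://localhost/
    echo
done
--------------------------------------------------------------------------------
/etc/systemd/system/single.fq.service:
--------------------------------------------------------------------------------
[Unit]
Requires=sys-subsystem-net-devices-public.device
After=sys-subsystem-net-devices-public.device

[Service]
Type=oneshot
ExecStart=/usr/bin/tc qdisc replace dev public root handle 1 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1

[Install]
WantedBy=sys-subsystem-net-devices-public.device
--------------------------------------------------------------------------------
/etc/logrotate.d/nginx:
--------------------------------------------------------------------------------
/var/log/nginx/access.log {
    missingok
    maxsize 1G
    nodelaycompress
    postrotate
        syslog-ng-ctl reopen >/dev/null
    endscript
}

/var/log/nginx/error.log {
    missingok
    maxsize 64M
    nodelaycompress
    postrotate
        syslog-ng-ctl reopen >/dev/null
    endscript
}
--------------------------------------------------------------------------------
/etc/logrotate.conf:
--------------------------------------------------------------------------------
rotate 16
daily
maxage 10
maxsize 16M

create

compress
compresscmd /usr/bin/zstd
uncompresscmd /usr/bin/unzstd
compressext .zst
compressoptions -9 --long
delaycompress

# Ignore pacman saved files
tabooext + .pacorig .pacnew .pacsave

/var/log/wtmp /var/log/btmp {}

include /etc/logrotate.d
--------------------------------------------------------------------------------
/certbot/mia.releases.grapheneos.org:
--------------------------------------------------------------------------------
certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \
    --key-type ecdsa --reuse-key --required-profile shortlived \
    --deploy-hook "nginx -s reload" \
    --cert-name releases.grapheneos.org \
    -d releases.grapheneos.org \
    -d apps.grapheneos.org \
    -d seamlessupdate.app \
    -d www.seamlessupdate.app
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
/authorized_keys
/authorized_keys-replica-grapheneos
/authorized_keys-replica-network
/authorized_keys-replica-ns1
/authorized_keys-replica-ns2
/authorized_keys-replica-releases
/authorized_keys-staging-attestation
/lock
/logs/
/modules/
/ovh-mitigation.json
/ovh-mitigation.txt
/passwords/
/ssh.sh
/sysctl/
/tmp
/units/
/venv/
--------------------------------------------------------------------------------
/etc/syslog-ng/syslog-ng.conf:
--------------------------------------------------------------------------------
@version: 4.10
@include "/etc/syslog-ng/conf.d/*.conf"

source s_internal {
    internal();
};

destination d_journald {
    unix-dgram("/dev/log");
};
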
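log {
    source(s_internal);
    destination(d_journald);
};

options {
    frac-digits(3);
    keep-hostname(yes);
    stats(freq(0));
    use-dns(no);
};
--------------------------------------------------------------------------------
/for:
--------------------------------------------------------------------------------
#!/bin/bash

# Run an arbitrary command ($2) as root on every host in the group named by
# $1 (a hosts_<group> array defined in hosts.sh), after interactive
# confirmation. Output of each host is printed under its name.

set -o errexit -o nounset -o pipefail

[[ $# -eq 2 ]] || exit 1

# Confirmation gate: anything other than a literal "yes" aborts.
input=
read -p "Run command '$2' across $1 servers? " input
if [[ $input != yes ]]; then
    exit 1
fi
echo

user=root

. hosts.sh

# Fail loudly on an unknown group instead of iterating over nothing (or
# tripping nounset with an opaque message) when the name is mistyped.
declare -p hosts_$1 &>/dev/null || { echo "unknown host group: $1" >&2; exit 1; }

declare -n hosts=hosts_$1
for host in ${hosts[@]}; do
    echo $host
    echo

    # $2 is handed to the remote login shell verbatim.
    ssh $user@$host "$2"

    echo
done
--------------------------------------------------------------------------------
/packages/brn.grapheneos.org:
--------------------------------------------------------------------------------
base
chrony
cloud-guest-utils
conntrack-tools
ethtool
fish
grub
htop
ioping
iperf
linux-lts
logrotate
man-db
moreutils
mtr
neovim
nftables
nginx
nginx-mod-brotli
nginx-mod-stream
nmap
openssh
pacman-contrib
pacutils
plocate
pv
rsync
strace
stress
syslog-ng
sysstat
tinyxxd
tree
unbound
xfsprogs
--------------------------------------------------------------------------------
/packages/las.grapheneos.org:
--------------------------------------------------------------------------------
base
chrony
cloud-guest-utils
conntrack-tools
ethtool
fish
grub
htop
ioping
iperf
linux-lts
logrotate
man-db
moreutils
mtr
neovim
nftables
nginx
nginx-mod-brotli
nginx-mod-stream
nmap
openssh
pacman-contrib
pacutils
plocate
pv
rsync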
| strace 29 | stress 30 | syslog-ng 31 | sysstat 32 | tinyxxd 33 | tree 34 | unbound 35 | xfsprogs 36 | -------------------------------------------------------------------------------- /packages/mia.grapheneos.org: -------------------------------------------------------------------------------- 1 | base 2 | chrony 3 | cloud-guest-utils 4 | conntrack-tools 5 | ethtool 6 | fish 7 | grub 8 | htop 9 | ioping 10 | iperf 11 | linux-lts 12 | logrotate 13 | man-db 14 | moreutils 15 | mtr 16 | neovim 17 | nftables 18 | nginx 19 | nginx-mod-brotli 20 | nginx-mod-stream 21 | nmap 22 | openssh 23 | pacman-contrib 24 | pacutils 25 | plocate 26 | pv 27 | rsync 28 | strace 29 | stress 30 | syslog-ng 31 | sysstat 32 | tinyxxd 33 | tree 34 | unbound 35 | xfsprogs 36 | -------------------------------------------------------------------------------- /packages/sao.grapheneos.org: -------------------------------------------------------------------------------- 1 | base 2 | chrony 3 | cloud-guest-utils 4 | conntrack-tools 5 | ethtool 6 | fish 7 | grub 8 | htop 9 | ioping 10 | iperf 11 | linux-lts 12 | logrotate 13 | man-db 14 | moreutils 15 | mtr 16 | neovim 17 | nftables 18 | nginx 19 | nginx-mod-brotli 20 | nginx-mod-stream 21 | nmap 22 | openssh 23 | pacman-contrib 24 | pacutils 25 | plocate 26 | pv 27 | rsync 28 | strace 29 | stress 30 | syslog-ng 31 | sysstat 32 | tinyxxd 33 | tree 34 | unbound 35 | xfsprogs 36 | -------------------------------------------------------------------------------- /packages/sea.grapheneos.org: -------------------------------------------------------------------------------- 1 | base 2 | chrony 3 | cloud-guest-utils 4 | conntrack-tools 5 | ethtool 6 | fish 7 | grub 8 | htop 9 | ioping 10 | iperf 11 | linux-lts 12 | logrotate 13 | man-db 14 | moreutils 15 | mtr 16 | neovim 17 | nftables 18 | nginx 19 | nginx-mod-brotli 20 | nginx-mod-stream 21 | nmap 22 | openssh 23 | pacman-contrib 24 | pacutils 25 | plocate 26 | pv 27 | rsync 28 | strace 29 | stress 30 | 
syslog-ng 31 | sysstat 32 | tinyxxd 33 | tree 34 | unbound 35 | xfsprogs 36 | -------------------------------------------------------------------------------- /packages/sin.grapheneos.org: -------------------------------------------------------------------------------- 1 | base 2 | chrony 3 | cloud-guest-utils 4 | conntrack-tools 5 | ethtool 6 | fish 7 | grub 8 | htop 9 | ioping 10 | iperf 11 | linux-lts 12 | logrotate 13 | man-db 14 | moreutils 15 | mtr 16 | neovim 17 | nftables 18 | nginx 19 | nginx-mod-brotli 20 | nginx-mod-stream 21 | nmap 22 | openssh 23 | pacman-contrib 24 | pacutils 25 | plocate 26 | pv 27 | rsync 28 | strace 29 | stress 30 | syslog-ng 31 | sysstat 32 | tinyxxd 33 | tree 34 | unbound 35 | xfsprogs 36 | -------------------------------------------------------------------------------- /packages/syd.grapheneos.org: -------------------------------------------------------------------------------- 1 | base 2 | chrony 3 | cloud-guest-utils 4 | conntrack-tools 5 | ethtool 6 | fish 7 | grub 8 | htop 9 | ioping 10 | iperf 11 | linux-lts 12 | logrotate 13 | man-db 14 | moreutils 15 | mtr 16 | neovim 17 | nftables 18 | nginx 19 | nginx-mod-brotli 20 | nginx-mod-stream 21 | nmap 22 | openssh 23 | pacman-contrib 24 | pacutils 25 | plocate 26 | pv 27 | rsync 28 | strace 29 | stress 30 | syslog-ng 31 | sysstat 32 | tinyxxd 33 | tree 34 | unbound 35 | xfsprogs 36 | -------------------------------------------------------------------------------- /packages/nyc.grapheneos.org: -------------------------------------------------------------------------------- 1 | base 2 | certbot 3 | chrony 4 | cloud-guest-utils 5 | conntrack-tools 6 | ethtool 7 | fish 8 | grub 9 | htop 10 | ioping 11 | iperf 12 | linux-lts 13 | logrotate 14 | man-db 15 | moreutils 16 | mtr 17 | neovim 18 | nftables 19 | nginx 20 | nginx-mod-brotli 21 | nginx-mod-stream 22 | nmap 23 | openssh 24 | pacman-contrib 25 | pacutils 26 | plocate 27 | pv 28 | rsync 29 | strace 30 | stress 31 | syslog-ng 32 
| sysstat 33 | tinyxxd 34 | tree 35 | unbound 36 | xfsprogs 37 | -------------------------------------------------------------------------------- /packages/staging.grapheneos.org: -------------------------------------------------------------------------------- 1 | base 2 | certbot 3 | chrony 4 | cloud-guest-utils 5 | conntrack-tools 6 | ethtool 7 | fish 8 | grub 9 | htop 10 | ioping 11 | iperf 12 | linux-lts 13 | logrotate 14 | man-db 15 | moreutils 16 | mtr 17 | neovim 18 | nftables 19 | nginx 20 | nginx-mod-brotli 21 | nginx-mod-stream 22 | nmap 23 | openssh 24 | pacman-contrib 25 | pacutils 26 | plocate 27 | pv 28 | rsync 29 | strace 30 | stress 31 | syslog-ng 32 | sysstat 33 | tinyxxd 34 | tree 35 | unbound 36 | xfsprogs 37 | -------------------------------------------------------------------------------- /etc/systemd/network/bom.ns1.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | # 23.149.124.0/24 anycast subnet for ns1 instances 8 | [Address] 9 | Address=23.149.124.1/32 10 | PreferredLifetime=0 11 | 12 | # 2602:f4d9::/48 anycast subnet for ns1 instances 13 | [Address] 14 | Address=2602:f4d9::1/128 15 | PreferredLifetime=0 16 | 17 | # 2602:f4d9:2::/48 anycast subnet for ns1 instances 18 | [Address] 19 | Address=2602:f4d9:2::1/128 20 | PreferredLifetime=0 21 | 22 | [DHCP] 23 | UseMTU=true 24 | -------------------------------------------------------------------------------- /etc/systemd/network/fra.ns1.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | # 23.149.124.0/24 anycast subnet for ns1 instances 8 | [Address] 9 | Address=23.149.124.1/32 10 | PreferredLifetime=0 11 | 12 | # 2602:f4d9::/48 anycast subnet for ns1 instances 13 | [Address] 14 | Address=2602:f4d9::1/128 15 | PreferredLifetime=0 16 | 17 | # 
2602:f4d9:2::/48 anycast subnet for ns1 instances 18 | [Address] 19 | Address=2602:f4d9:2::1/128 20 | PreferredLifetime=0 21 | 22 | [DHCP] 23 | UseMTU=true 24 | -------------------------------------------------------------------------------- /etc/systemd/network/lax.ns1.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | # 23.149.124.0/24 anycast subnet for ns1 instances 8 | [Address] 9 | Address=23.149.124.1/32 10 | PreferredLifetime=0 11 | 12 | # 2602:f4d9::/48 anycast subnet for ns1 instances 13 | [Address] 14 | Address=2602:f4d9::1/128 15 | PreferredLifetime=0 16 | 17 | # 2602:f4d9:2::/48 anycast subnet for ns1 instances 18 | [Address] 19 | Address=2602:f4d9:2::1/128 20 | PreferredLifetime=0 21 | 22 | [DHCP] 23 | UseMTU=true 24 | -------------------------------------------------------------------------------- /etc/systemd/network/lon.ns1.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | # 23.149.124.0/24 anycast subnet for ns1 instances 8 | [Address] 9 | Address=23.149.124.1/32 10 | PreferredLifetime=0 11 | 12 | # 2602:f4d9::/48 anycast subnet for ns1 instances 13 | [Address] 14 | Address=2602:f4d9::1/128 15 | PreferredLifetime=0 16 | 17 | # 2602:f4d9:2::/48 anycast subnet for ns1 instances 18 | [Address] 19 | Address=2602:f4d9:2::1/128 20 | PreferredLifetime=0 21 | 22 | [DHCP] 23 | UseMTU=true 24 | -------------------------------------------------------------------------------- /etc/systemd/network/mia.ns1.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | # 23.149.124.0/24 anycast subnet for ns1 instances 8 | [Address] 9 | Address=23.149.124.1/32 10 | PreferredLifetime=0 11 | 12 | # 2602:f4d9::/48 
anycast subnet for ns1 instances 13 | [Address] 14 | Address=2602:f4d9::1/128 15 | PreferredLifetime=0 16 | 17 | # 2602:f4d9:2::/48 anycast subnet for ns1 instances 18 | [Address] 19 | Address=2602:f4d9:2::1/128 20 | PreferredLifetime=0 21 | 22 | [DHCP] 23 | UseMTU=true 24 | -------------------------------------------------------------------------------- /etc/systemd/network/nyc.ns1.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | # 23.149.124.0/24 anycast subnet for ns1 instances 8 | [Address] 9 | Address=23.149.124.1/32 10 | PreferredLifetime=0 11 | 12 | # 2602:f4d9::/48 anycast subnet for ns1 instances 13 | [Address] 14 | Address=2602:f4d9::1/128 15 | PreferredLifetime=0 16 | 17 | # 2602:f4d9:2::/48 anycast subnet for ns1 instances 18 | [Address] 19 | Address=2602:f4d9:2::1/128 20 | PreferredLifetime=0 21 | 22 | [DHCP] 23 | UseMTU=true 24 | -------------------------------------------------------------------------------- /etc/systemd/network/sao.ns1.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | # 23.149.124.0/24 anycast subnet for ns1 instances 8 | [Address] 9 | Address=23.149.124.1/32 10 | PreferredLifetime=0 11 | 12 | # 2602:f4d9::/48 anycast subnet for ns1 instances 13 | [Address] 14 | Address=2602:f4d9::1/128 15 | PreferredLifetime=0 16 | 17 | # 2602:f4d9:2::/48 anycast subnet for ns1 instances 18 | [Address] 19 | Address=2602:f4d9:2::1/128 20 | PreferredLifetime=0 21 | 22 | [DHCP] 23 | UseMTU=true 24 | -------------------------------------------------------------------------------- /etc/systemd/network/sea.ns1.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | # 23.149.124.0/24 anycast subnet 
for ns1 instances 8 | [Address] 9 | Address=23.149.124.1/32 10 | PreferredLifetime=0 11 | 12 | # 2602:f4d9::/48 anycast subnet for ns1 instances 13 | [Address] 14 | Address=2602:f4d9::1/128 15 | PreferredLifetime=0 16 | 17 | # 2602:f4d9:2::/48 anycast subnet for ns1 instances 18 | [Address] 19 | Address=2602:f4d9:2::1/128 20 | PreferredLifetime=0 21 | 22 | [DHCP] 23 | UseMTU=true 24 | -------------------------------------------------------------------------------- /etc/systemd/network/sin.ns1.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | # 23.149.124.0/24 anycast subnet for ns1 instances 8 | [Address] 9 | Address=23.149.124.1/32 10 | PreferredLifetime=0 11 | 12 | # 2602:f4d9::/48 anycast subnet for ns1 instances 13 | [Address] 14 | Address=2602:f4d9::1/128 15 | PreferredLifetime=0 16 | 17 | # 2602:f4d9:2::/48 anycast subnet for ns1 instances 18 | [Address] 19 | Address=2602:f4d9:2::1/128 20 | PreferredLifetime=0 21 | 22 | [DHCP] 23 | UseMTU=true 24 | -------------------------------------------------------------------------------- /etc/systemd/network/syd.ns1.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | DHCP=ipv4 6 | 7 | # 23.149.124.0/24 anycast subnet for ns1 instances 8 | [Address] 9 | Address=23.149.124.1/32 10 | PreferredLifetime=0 11 | 12 | # 2602:f4d9::/48 anycast subnet for ns1 instances 13 | [Address] 14 | Address=2602:f4d9::1/128 15 | PreferredLifetime=0 16 | 17 | # 2602:f4d9:2::/48 anycast subnet for ns1 instances 18 | [Address] 19 | Address=2602:f4d9:2::1/128 20 | PreferredLifetime=0 21 | 22 | [DHCP] 23 | UseMTU=true 24 | -------------------------------------------------------------------------------- /etc/systemd/network/tyo.ns1.grapheneos.org.network: 
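--------------------------------------------------------------------------------
[Match]
Name=public

[Network]
DHCP=ipv4

# 23.149.124.0/24 anycast subnet for ns1 instances
[Address]
Address=23.149.124.1/32
PreferredLifetime=0

# 2602:f4d9::/48 anycast subnet for ns1 instances
[Address]
Address=2602:f4d9::1/128
PreferredLifetime=0

# 2602:f4d9:2::/48 anycast subnet for ns1 instances
[Address]
Address=2602:f4d9:2::1/128
PreferredLifetime=0

[DHCP]
UseMTU=true
--------------------------------------------------------------------------------
/certbot-replicate:
--------------------------------------------------------------------------------
#!/bin/bash

# Push the local Let's Encrypt state to every mirror listed in /etc/mirrors
# and reload the TLS consumers (nginx, dnsdist) that are active there. Exits
# non-zero if any mirror failed to sync or reload, so the invoking unit sees
# the failure; the loop still continues to the remaining mirrors.

set -o errexit -o nounset -o pipefail

status=0

# The remote side is run under an explicit bash with errexit so the exit
# status is well defined: a failing reload propagates as an error, while a
# service that is simply not active on a given mirror is skipped. Previously
# the bare "is-active && reload; is-active && reload" chain returned the
# status of the last is-active, so a mirror without dnsdist was reported as a
# failure on every run. Not relying on root's login shell for the control
# flow also keeps this independent of which shell is configured there.
remote_reload='bash -c "set -o errexit; if systemctl is-active --quiet nginx.service; then nginx -s reload; fi; if systemctl is-active --quiet dnsdist.service; then dnsdist -c -e \"reloadAllCertificates()\"; fi"'

for mirror in $(cat /etc/mirrors); do
    echo
    echo Deploying to $mirror
    echo

    # Either step failing marks the run as failed; the loop keeps going so the
    # other mirrors are still updated.
    rsync -acv --delete --fsync --preallocate /etc/letsencrypt/ $mirror:/etc/letsencrypt &&
    ssh root@$mirror "$remote_reload" ||
    status=1
done

exit $status
--------------------------------------------------------------------------------
/etc/systemd/network/attestation.app.network:
--------------------------------------------------------------------------------
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=159.195.67.50/22
Address=2a0a:4cc0:c2:1cf3::1/64

[Route]
Destination=0.0.0.0/0
Gateway=159.195.64.1
PreferredSource=159.195.67.50

[Route]
Destination=159.195.64.1
PreferredSource=159.195.67.50

[Route]
Destination=::/0
Gateway=fe80::1
PreferredSource=2a0a:4cc0:c2:1cf3::1

[Route]
Destination=fe80::1
PreferredSource=2a0a:4cc0:c2:1cf3::1
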
-------------------------------------------------------------------------------- /etc/systemd/network/matrix.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=152.53.39.88/22 7 | Address=2a0a:4cc0:2000:dbc::1/64 8 | 9 | [Route] 10 | Destination=0.0.0.0/0 11 | Gateway=152.53.36.1 12 | PreferredSource=152.53.39.88 13 | 14 | [Route] 15 | Destination=152.53.36.1 16 | PreferredSource=152.53.39.88 17 | 18 | [Route] 19 | Destination=::/0 20 | Gateway=fe80::1 21 | PreferredSource=2a0a:4cc0:2000:dbc::1 22 | 23 | [Route] 24 | Destination=fe80::1 25 | PreferredSource=2a0a:4cc0:2000:dbc::1 26 | -------------------------------------------------------------------------------- /etc/systemd/network/grapheneos.social.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=152.53.168.159/22 7 | Address=2a0a:4cc0:2000:a62d::1/64 8 | 9 | [Route] 10 | Destination=0.0.0.0/0 11 | Gateway=152.53.168.1 12 | PreferredSource=152.53.168.159 13 | 14 | [Route] 15 | Destination=152.53.168.1 16 | PreferredSource=152.53.168.159 17 | 18 | [Route] 19 | Destination=::/0 20 | Gateway=fe80::1 21 | PreferredSource=2a0a:4cc0:2000:a62d::1 22 | 23 | [Route] 24 | Destination=fe80::1 25 | PreferredSource=2a0a:4cc0:2000:a62d::1 26 | -------------------------------------------------------------------------------- /packages/bom.ns1.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dnsdist 8 | ethtool 9 | fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nmap 27 | 
openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | -------------------------------------------------------------------------------- /packages/brn.ns2.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dnsdist 8 | ethtool 9 | fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nmap 27 | openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | -------------------------------------------------------------------------------- /packages/fra.ns1.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dnsdist 8 | ethtool 9 | fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nmap 27 | openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | -------------------------------------------------------------------------------- /packages/las.ns2.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dnsdist 8 | ethtool 9 | 
fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nmap 27 | openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | -------------------------------------------------------------------------------- /packages/lax.ns1.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dnsdist 8 | ethtool 9 | fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nmap 27 | openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | -------------------------------------------------------------------------------- /packages/lon.ns1.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dnsdist 8 | ethtool 9 | fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nmap 27 | openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | 
-------------------------------------------------------------------------------- /packages/mia.ns1.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dnsdist 8 | ethtool 9 | fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nmap 27 | openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | -------------------------------------------------------------------------------- /packages/mia.ns2.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dnsdist 8 | ethtool 9 | fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nmap 27 | openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | -------------------------------------------------------------------------------- /packages/sao.ns1.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dnsdist 8 | ethtool 9 | fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | 
nginx 26 | nmap 27 | openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | -------------------------------------------------------------------------------- /packages/sea.ns1.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dnsdist 8 | ethtool 9 | fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nmap 27 | openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | -------------------------------------------------------------------------------- /packages/sin.ns1.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dnsdist 8 | ethtool 9 | fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nmap 27 | openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | -------------------------------------------------------------------------------- /packages/syd.ns1.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | 
dnsdist 8 | ethtool 9 | fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nmap 27 | openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | -------------------------------------------------------------------------------- /packages/tyo.ns1.grapheneos.org: -------------------------------------------------------------------------------- 1 | b3sum 2 | base 3 | bird 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dnsdist 8 | ethtool 9 | fish 10 | geoip 11 | geoipupdate 12 | grub 13 | htop 14 | ioping 15 | iperf 16 | libmaxminddb 17 | linux-lts 18 | logrotate 19 | man-db 20 | mmdblookup 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nmap 27 | openssh 28 | pacman-contrib 29 | pacutils 30 | plocate 31 | powerdns 32 | pv 33 | rsync 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | yaml-cpp 43 | -------------------------------------------------------------------------------- /etc/systemd/network/discuss.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=152.53.168.153/22 7 | Address=2a0a:4cc0:2000:aa27::1/64 8 | 9 | [Route] 10 | Destination=0.0.0.0/0 11 | Gateway=152.53.168.1 12 | PreferredSource=152.53.168.153 13 | 14 | [Route] 15 | Destination=152.53.168.1 16 | PreferredSource=152.53.168.153 17 | 18 | [Route] 19 | Destination=::/0 20 | Gateway=fe80::1 21 | PreferredSource=2a0a:4cc0:2000:aa27::1 22 | 23 | [Route] 24 | Destination=fe80::1 25 | PreferredSource=2a0a:4cc0:2000:aa27::1 26 | 
--------------------------------------------------------------------------------
/deploy-journald:
--------------------------------------------------------------------------------
#!/bin/bash

# Render etc/systemd/journald.conf for every host in hosts_all and push it.
# The template's {{journald_system_max_use}} and {{journald_system_max_file_size}}
# placeholders are filled from the per-host hosts_journald_* arrays (defined
# outside this script; hosts.sh is sourced below), falling back to 4G and 256M.
# journald is then reloaded on the host over ssh.

. shared.sh
. hosts.sh

for host in ${hosts_all[@]}; do
    remote=root@$host

    echo
    echo $host
    echo

    # The rendered config is staged in a scratch file named "tmp" in the cwd.
    cp etc/systemd/journald.conf tmp
    sed -i "s/{{journald_system_max_use}}/${hosts_journald_system_max_use[$host]:-4G}/g" tmp
    sed -i "s/{{journald_system_max_file_size}}/${hosts_journald_system_max_file_size[$host]:-256M}/g" tmp
    rsync tmp $remote:/etc/systemd/journald.conf
    rm tmp
    ssh $remote systemctl reload systemd-journald
done

--------------------------------------------------------------------------------
/etc/chrony.conf:
--------------------------------------------------------------------------------
# Every source is configured with NTS; together with "authselectmode require"
# only authenticated sources are eligible for selection, and "minsources 3"
# needs at least three selectable sources before the clock is adjusted.
server time.cloudflare.com iburst nts
server ntppool1.time.nl iburst nts
server nts.netnod.se iburst nts
server ptbtime1.ptb.de iburst nts
server time.dfm.dk iburst nts
server time.cifelli.xyz iburst nts

minsources 3
authselectmode require

# EF
dscp 46

driftfile /var/lib/chrony/drift
dumpdir /var/lib/chrony
ntsdumpdir /var/lib/chrony

leapseclist /usr/share/zoneinfo/leap-seconds.list
makestep 1.0 3

rtconutc
rtcsync

# Disable the chronyc UDP command port (port 0).
cmdport 0

noclientlog

--------------------------------------------------------------------------------
/packages/nyc.ns1.grapheneos.org:
--------------------------------------------------------------------------------
b3sum
base
bird
certbot
chrony
cloud-guest-utils
conntrack-tools
dnsdist
ethtool
fish
geoip
geoipupdate
grub
htop
ioping
iperf
libmaxminddb
linux-lts
logrotate
man-db
mmdblookup
moreutils
mtr
neovim
nftables
nginx
nmap
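openssh
pacman-contrib
pacutils
plocate
powerdns
pv
rsync
strace
stress
syslog-ng
sysstat
tinyxxd
tree
unbound
xfsprogs
yaml-cpp

--------------------------------------------------------------------------------
/packages/nyc.ns2.grapheneos.org:
--------------------------------------------------------------------------------
b3sum
base
bird
certbot
chrony
cloud-guest-utils
conntrack-tools
dnsdist
ethtool
fish
geoip
geoipupdate
grub
htop
ioping
iperf
libmaxminddb
linux-lts
logrotate
man-db
mmdblookup
moreutils
mtr
neovim
nftables
nginx
nmap
openssh
pacman-contrib
pacutils
plocate
powerdns
pv
rsync
strace
stress
syslog-ng
sysstat
tinyxxd
tree
unbound
xfsprogs
yaml-cpp

--------------------------------------------------------------------------------
/packages/ns1.staging.grapheneos.org:
--------------------------------------------------------------------------------
b3sum
base
bird
certbot
chrony
cloud-guest-utils
conntrack-tools
dnsdist
ethtool
fish
geoip
geoipupdate
grub
htop
ioping
iperf
libmaxminddb
linux-lts
logrotate
man-db
mmdblookup
moreutils
mtr
neovim
nftables
nginx
nmap
openssh
pacman-contrib
pacutils
plocate
powerdns
pv
rsync
strace
stress
syslog-ng
sysstat
tinyxxd
tree
unbound
xfsprogs
yaml-cpp

--------------------------------------------------------------------------------
/reboot:
--------------------------------------------------------------------------------
#!/bin/bash

# Rolling reboot of one host group:  ./reboot <group> <delay>
#   <group>  selects the hosts_<group> array (hosts.sh is sourced below)
#   <delay>  seconds to sleep after each host before moving to the next
# Exits 1 on bad arguments, an unknown group, or a declined prompt.

set -o errexit -o nounset -o pipefail

[[ $# -eq 2 ]] || exit 1

# Reject a malformed delay before anything is rebooted: under errexit a bad
# "sleep $2" would otherwise abort the run after the first host is already down.
if [[ ! $2 =~ ^[0-9]+(\.[0-9]+)?$ ]]; then
    echo "delay must be a number of seconds: $2" >&2
    exit 1
fi

input=
read -p "Reboot $1 servers with $2 second delay? " input
if [[ $input != yes ]]; then
    exit 1
fi
echo

user=root   # not read by this script; possibly consumed by hosts.sh — confirm before removing

. hosts.sh

# Fail before touching any host if <group> does not name an existing array.
declare -p hosts_$1 >/dev/null 2>&1 || {
    echo "unknown host group: $1" >&2
    exit 1
}
declare -n hosts=hosts_$1
for host in ${hosts[@]}; do
    echo $host
    echo

    # Stop bird (presumably so its routes are withdrawn) before rebooting a host
    # that runs it. Written as if/then: the former "is-active && stop && sleep"
    # chain returned non-zero on any host where bird.service is not active,
    # which errexit turned into an abort of the whole rolling reboot.
    ssh root@$host 'if systemctl is-active --quiet bird.service; then systemctl stop bird.service && sleep 5; fi'
    # NOTE(review): -H connects as the invoking user unless ssh config maps it,
    # while the line above connects as root explicitly — confirm both agree.
    systemctl -H $host reboot
    sleep $2

    echo
done

--------------------------------------------------------------------------------
/certbot/ns1.staging.grapheneos.org:
--------------------------------------------------------------------------------
# One certificate covering the staging ns1/ns2 names. The deploy hook reloads
# nginx and hands dnsdist a root:dnsdist-owned copy of the live directory
# before asking it to reload its certificates.
certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \
    --key-type ecdsa --reuse-key --required-profile shortlived \
    --deploy-hook "nginx -s reload; rsync -acv --copy-links --delete --chmod=D750,F640 --chown root:dnsdist /etc/letsencrypt/live/ /etc/letsencrypt/dnsdist/; dnsdist -c -e 'reloadAllCertificates()'" \
    --cert-name ns1.staging.grapheneos.org \
    -d ns1.staging.grapheneos.org \
    -d ns2.staging.grapheneos.org \
    -d ns1.staging.attestation.app \
    -d ns2.staging.attestation.app

--------------------------------------------------------------------------------
/etc/systemd/network/yto.releases.grapheneos.org.network:
--------------------------------------------------------------------------------
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=207.174.104.20/26
Address=2602:fd50:1a1:20::2/112

[Route]
Destination=0.0.0.0/0
Gateway=207.174.104.62
PreferredSource=207.174.104.20

[Route]
Destination=207.174.104.62
PreferredSource=207.174.104.20

[Route]
Destination=::/0
Gateway=2602:fd50:1a1:20::1
PreferredSource=2602:fd50:1a1:20::2

[Route]
Destination=2602:fd50:1a1:20::1
PreferredSource=2602:fd50:1a1:20::2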
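--------------------------------------------------------------------------------
/fetch-info:
--------------------------------------------------------------------------------
#!/bin/bash

# Snapshot every host in hosts_all into modules/, packages/, units/ and
# sysctl/ (one file per host): loaded kernel modules, explicitly installed
# packages, unit-file states and sysctl values. Hosts are fetched in parallel
# and the exit status is non-zero if any host's snapshot failed.

set -o errexit -o nounset -o pipefail

user=root   # not read by this script; possibly consumed by hosts.sh — confirm before removing

. hosts.sh

# sysctl/ was missing from this pair: the "sysctl/$host" redirection below
# failed on a fresh checkout, and stale files of removed hosts lingered there.
rm -rf modules packages units sysctl
mkdir -p modules packages units sysctl

pids=()
for host in ${hosts_all[@]}; do
    (
        ssh root@$host lsmod | awk '{ print $1 }' | sort > modules/$host
        ssh root@$host pacman -Qqe > packages/$host
        ssh root@$host systemctl list-unit-files --state=enabled --state=disabled --state=masked | sort > units/$host
        ssh root@$host sysctl -a | sort > sysctl/$host
    ) &
    pids+=($!)
done

# A bare "wait" always returns 0; waiting on each pid propagates a failed
# host's status so a partial snapshot is not mistaken for a complete one.
status=0
for pid in ${pids[@]}; do
    wait $pid || status=1
done
exit $status

--------------------------------------------------------------------------------
/deploy-nftables:
--------------------------------------------------------------------------------
#!/bin/bash

# Render the per-host ruleset etc/nftables/nftables-<firewall>.conf (default
# "web") for every host in hosts_all: the synproxy threshold is the host's
# conntrack size (default 65536) divided by 64, and {{ssh_ipv4}}/{{ssh_ipv6}}
# come from $ssh_ipv4/$ssh_ipv6 (presumably set by ssh.sh). The result is
# pushed to /etc/nftables.conf and nftables.service is enabled and started.

. shared.sh
. hosts.sh
. ssh.sh

for host in ${hosts_all[@]}; do
    remote=root@$host

    echo
    echo $host
    echo

    cp etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf tmp
    sed -i "s/{{synproxy_threshold}}/$(( ${hosts_conntrack_size[$host]:-65536} / 64 ))/g" tmp
    sed -i "s/{{ssh_ipv4}}/$ssh_ipv4/g" tmp
    sed -i "s/{{ssh_ipv6}}/$ssh_ipv6/g" tmp
    rsync tmp $remote:/etc/nftables.conf
    rm tmp
    ssh $remote systemctl enable --now nftables.service
done

--------------------------------------------------------------------------------
/packages/lax.releases.grapheneos.org:
--------------------------------------------------------------------------------
amd-ucode
base
chrony
cloud-guest-utils
conntrack-tools
cpupower
dmidecode
dosfstools
efibootmgr
ethtool
fish
htop
ioping
iperf
linux-firmware-amdgpu
linux-lts
logrotate
man-db
mdadm
moreutils
mtr
neovim
nftables
nginx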
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils
plocate
pv
rsync
smartmontools
strace
stress
syslog-ng
sysstat
tinyxxd
tree
turbostat
unbound
xfsprogs

--------------------------------------------------------------------------------
/packages/yto.releases.grapheneos.org:
--------------------------------------------------------------------------------
base
chrony
cloud-guest-utils
conntrack-tools
cpupower
dmidecode
dosfstools
efibootmgr
ethtool
fish
htop
intel-ucode
ioping
iperf
linux-firmware-intel
linux-lts
logrotate
man-db
mdadm
moreutils
mtr
neovim
nftables
nginx
nginx-mod-brotli
nmap
openssh
pacman-contrib
pacutils
plocate
pv
rsync
smartmontools
strace
stress
syslog-ng
sysstat
tinyxxd
tree
turbostat
unbound
xfsprogs

--------------------------------------------------------------------------------
/certbot/staging.grapheneos.org:
--------------------------------------------------------------------------------
# Two separate certificates on the staging web host; both only reload nginx
# on deploy.
certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \
    --key-type ecdsa --reuse-key --required-profile shortlived \
    --deploy-hook "nginx -s reload" \
    --cert-name staging.grapheneos.org \
    -d staging.grapheneos.org

# NOTE(review): --cert-name (staging.grapheneos.network) does not match the -d
# name here, whereas every other invocation on this page uses the first -d name
# as the lineage name — confirm this is intended and not a leftover, since the
# lineage name is what nginx's certificate paths under /etc/letsencrypt/live/ use.
certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \
    --key-type ecdsa --reuse-key --required-profile shortlived \
    --deploy-hook "nginx -s reload" \
    --cert-name staging.grapheneos.network \
    -d nominatim.staging.grapheneos.org

--------------------------------------------------------------------------------
/etc/systemd/network/nyc.grapheneos.org.network:
-------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=198.98.62.94/24 7 | Address=2605:6400:10:50:20a1:d9ea:5c10:a895/48 8 | 9 | [Route] 10 | Destination=0.0.0.0/0 11 | Gateway=198.98.62.1 12 | PreferredSource=198.98.62.94 13 | 14 | [Route] 15 | Destination=198.98.62.1 16 | PreferredSource=198.98.62.94 17 | 18 | [Route] 19 | Destination=::/0 20 | Gateway=2605:6400:10::1 21 | PreferredSource=2605:6400:10:50:20a1:d9ea:5c10:a895 22 | 23 | [Route] 24 | Destination=2605:6400:10::1 25 | PreferredSource=2605:6400:10:50:20a1:d9ea:5c10:a895 26 | -------------------------------------------------------------------------------- /packages/staging.attestation.app: -------------------------------------------------------------------------------- 1 | age 2 | base 3 | certbot 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | ethtool 8 | fish 9 | grub 10 | htop 11 | ioping 12 | iperf 13 | jre21-openjdk-headless 14 | linux-lts 15 | logrotate 16 | man-db 17 | moreutils 18 | mtr 19 | neovim 20 | nftables 21 | nginx 22 | nginx-mod-brotli 23 | nmap 24 | openssh 25 | pacman-contrib 26 | pacutils 27 | plocate 28 | pv 29 | python-keystoneauth1 30 | python-keystoneclient 31 | python-swiftclient 32 | rsync 33 | sqlite-analyzer 34 | strace 35 | stress 36 | syslog-ng 37 | sysstat 38 | tinyxxd 39 | tree 40 | unbound 41 | xfsprogs 42 | -------------------------------------------------------------------------------- /etc/systemd/network/brn.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=107.189.14.16/24 7 | Address=2605:6400:30:fbfc:64d:dafb:d00a:5d19/48 8 | 9 | [Route] 10 | Destination=0.0.0.0/0 11 | Gateway=107.189.14.1 12 | PreferredSource=107.189.14.16 13 | 14 | [Route] 15 | Destination=107.189.14.1 16 | PreferredSource=107.189.14.16 17 
| 18 | [Route] 19 | Destination=::/0 20 | Gateway=2605:6400:30::1 21 | PreferredSource=2605:6400:30:fbfc:64d:dafb:d00a:5d19 22 | 23 | [Route] 24 | Destination=2605:6400:30::1 25 | PreferredSource=2605:6400:30:fbfc:64d:dafb:d00a:5d19 26 | -------------------------------------------------------------------------------- /etc/systemd/network/las.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=209.141.37.35/24 7 | Address=2605:6400:20:387:72d4:dab9:a369:f351/48 8 | 9 | [Route] 10 | Destination=0.0.0.0/0 11 | Gateway=209.141.37.1 12 | PreferredSource=209.141.37.35 13 | 14 | [Route] 15 | Destination=209.141.37.1 16 | PreferredSource=209.141.37.35 17 | 18 | [Route] 19 | Destination=::/0 20 | Gateway=2605:6400:20::1 21 | PreferredSource=2605:6400:20:387:72d4:dab9:a369:f351 22 | 23 | [Route] 24 | Destination=2605:6400:20::1 25 | PreferredSource=2605:6400:20:387:72d4:dab9:a369:f351 26 | -------------------------------------------------------------------------------- /packages/mia.releases.grapheneos.org: -------------------------------------------------------------------------------- 1 | amd-ucode 2 | base 3 | certbot 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | cpupower 8 | dmidecode 9 | dosfstools 10 | efibootmgr 11 | ethtool 12 | fish 13 | htop 14 | ioping 15 | iperf 16 | linux-firmware-amdgpu 17 | linux-lts 18 | logrotate 19 | man-db 20 | mdadm 21 | moreutils 22 | mtr 23 | neovim 24 | nftables 25 | nginx 26 | nginx-mod-brotli 27 | nmap 28 | openssh 29 | pacman-contrib 30 | pacutils 31 | plocate 32 | pv 33 | rsync 34 | smartmontools 35 | strace 36 | stress 37 | syslog-ng 38 | sysstat 39 | tinyxxd 40 | tree 41 | turbostat 42 | unbound 43 | xfsprogs 44 | -------------------------------------------------------------------------------- /etc/systemd/network/lax.releases.grapheneos.org.network: 
-------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=104.194.8.203/24 7 | Address=2605:9880:200:400:135:7700:ef0a:81/64 8 | 9 | [Route] 10 | Destination=0.0.0.0/0 11 | Gateway=104.194.8.1 12 | PreferredSource=104.194.8.203 13 | 14 | [Route] 15 | Destination=104.194.8.1 16 | PreferredSource=104.194.8.203 17 | 18 | [Route] 19 | Destination=::/0 20 | Gateway=2605:9880:200::1 21 | PreferredSource=2605:9880:200:400:135:7700:ef0a:81 22 | 23 | [Route] 24 | Destination=2605:9880:200::1 25 | PreferredSource=2605:9880:200:400:135:7700:ef0a:81 26 | -------------------------------------------------------------------------------- /etc/systemd/network/mia.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=45.61.186.223/24 7 | Address=2605:6400:40:ffb4:40e3:e5c8:9b96:614b/48 8 | 9 | [Route] 10 | Destination=0.0.0.0/0 11 | Gateway=45.61.186.1 12 | PreferredSource=45.61.186.223 13 | 14 | [Route] 15 | Destination=45.61.186.1 16 | PreferredSource=45.61.186.223 17 | 18 | [Route] 19 | Destination=::/0 20 | Gateway=2605:6400:40::1 21 | PreferredSource=2605:6400:40:ffb4:40e3:e5c8:9b96:614b 22 | 23 | [Route] 24 | Destination=2605:6400:40::1 25 | PreferredSource=2605:6400:40:ffb4:40e3:e5c8:9b96:614b 26 | -------------------------------------------------------------------------------- /etc/systemd/network/mia.releases.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=172.96.172.37/24 7 | Address=2605:9880:400:1100:15:1240:515:6e/64 8 | 9 | [Route] 10 | Destination=0.0.0.0/0 11 | Gateway=172.96.172.1 12 | PreferredSource=172.96.172.37 13 | 14 | [Route] 15 | Destination=172.96.172.1 16 | 
PreferredSource=172.96.172.37 17 | 18 | [Route] 19 | Destination=::/0 20 | Gateway=2605:9880:400::1 21 | PreferredSource=2605:9880:400:1100:15:1240:515:6e 22 | 23 | [Route] 24 | Destination=2605:9880:400::1 25 | PreferredSource=2605:9880:400:1100:15:1240:515:6e 26 | -------------------------------------------------------------------------------- /etc/systemd/network/staging.attestation.app.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=198.98.57.157/24 7 | Address=2605:6400:10:aa9:1c0f:44d3:da15:c0ec/48 8 | 9 | [Route] 10 | Destination=0.0.0.0/0 11 | Gateway=198.98.57.1 12 | PreferredSource=198.98.57.157 13 | 14 | [Route] 15 | Destination=198.98.57.1 16 | PreferredSource=198.98.57.157 17 | 18 | [Route] 19 | Destination=::/0 20 | Gateway=2605:6400:10::1 21 | PreferredSource=2605:6400:10:aa9:1c0f:44d3:da15:c0ec 22 | 23 | [Route] 24 | Destination=2605:6400:10::1 25 | PreferredSource=2605:6400:10:aa9:1c0f:44d3:da15:c0ec 26 | -------------------------------------------------------------------------------- /packages/attestation.app: -------------------------------------------------------------------------------- 1 | age 2 | base 3 | certbot 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dosfstools 8 | efibootmgr 9 | ethtool 10 | fish 11 | htop 12 | ioping 13 | iperf 14 | jre21-openjdk-headless 15 | linux-lts 16 | logrotate 17 | man-db 18 | moreutils 19 | mtr 20 | neovim 21 | nftables 22 | nginx 23 | nginx-mod-brotli 24 | nmap 25 | openssh 26 | pacman-contrib 27 | pacutils 28 | plocate 29 | pv 30 | python-keystoneauth1 31 | python-keystoneclient 32 | python-swiftclient 33 | rsync 34 | sqlite-analyzer 35 | strace 36 | stress 37 | syslog-ng 38 | sysstat 39 | tinyxxd 40 | tree 41 | unbound 42 | xfsprogs 43 | -------------------------------------------------------------------------------- /deploy-primary: 
--------------------------------------------------------------------------------
/deploy-primary:
--------------------------------------------------------------------------------
#!/bin/bash

# For each host in hosts_primary: install the certbot-replicate and
# session-ticket-keys-sync helpers into /usr/local/bin (mode 755), drop the
# certbot-renew replicate.conf drop-in and the session-ticket-keys-sync
# service/timer units, then reload systemd and enable the timer.

. shared.sh
. hosts.sh

for host in ${hosts_primary[@]}; do
    remote=root@$host

    echo
    echo $host
    echo

    rsync --chmod=F755 certbot-replicate session-ticket-keys-sync $remote:/usr/local/bin/
    # Assumes /etc/systemd/system/certbot-renew.service.d already exists on the
    # host (deploy-certbot creates it with mkdir -p); unlike that script there is
    # no mkdir here, so rsync fails on a host that has not had deploy-certbot run.
    rsync etc/systemd/system/certbot-renew.service.d/replicate.conf $remote:/etc/systemd/system/certbot-renew.service.d/
    rsync etc/systemd/system/session-ticket-keys-sync.{service,timer} $remote:/etc/systemd/system/
    ssh $remote 'systemctl daemon-reload && systemctl enable --now session-ticket-keys-sync.timer'
done

--------------------------------------------------------------------------------
/etc/systemd/network/staging.grapheneos.org.network:
--------------------------------------------------------------------------------
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=199.195.250.78/24
Address=2605:6400:10:9d6:6d84:e183:acda:16d7/48

[Route]
Destination=0.0.0.0/0
Gateway=199.195.250.1
PreferredSource=199.195.250.78

[Route]
Destination=199.195.250.1
PreferredSource=199.195.250.78

[Route]
Destination=::/0
Gateway=2605:6400:10::1
PreferredSource=2605:6400:10:9d6:6d84:e183:acda:16d7

[Route]
Destination=2605:6400:10::1
PreferredSource=2605:6400:10:9d6:6d84:e183:acda:16d7

--------------------------------------------------------------------------------
/packages/lon.releases.grapheneos.org:
--------------------------------------------------------------------------------
amd-ucode
base
chrony
cloud-guest-utils
conntrack-tools
cpupower
dmidecode
dosfstools
efibootmgr
ethtool
fish
htop
ioping
iperf
linux-firmware-amdgpu
linux-firmware-intel
linux-lts
logrotate
man-db
mdadm
moreutils
mtr
neovim 24 | nftables 25 | nginx 26 | nginx-mod-brotli 27 | nmap 28 | openssh 29 | pacman-contrib 30 | pacutils 31 | plocate 32 | pv 33 | rsync 34 | smartmontools 35 | strace 36 | stress 37 | syslog-ng 38 | sysstat 39 | tinyxxd 40 | tree 41 | turbostat 42 | unbound 43 | xfsprogs 44 | -------------------------------------------------------------------------------- /packages/grapheneos.social: -------------------------------------------------------------------------------- 1 | age 2 | base 3 | certbot 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dosfstools 8 | efibootmgr 9 | ethtool 10 | fish 11 | htop 12 | ioping 13 | iperf 14 | linux-lts 15 | logrotate 16 | man-db 17 | mastodon 18 | moreutils 19 | mtr 20 | neovim 21 | nftables 22 | nginx 23 | nginx-mod-brotli 24 | nmap 25 | nodejs-lts-krypton 26 | openssh 27 | pacman-contrib 28 | pacutils 29 | plocate 30 | postgresql-old-upgrade 31 | pv 32 | python-keystoneauth1 33 | python-keystoneclient 34 | python-swiftclient 35 | rsync 36 | strace 37 | stress 38 | syslog-ng 39 | sysstat 40 | tinyxxd 41 | tree 42 | unbound 43 | xfsprogs 44 | -------------------------------------------------------------------------------- /etc/mkinitcpio.d/linux-lts.preset: -------------------------------------------------------------------------------- 1 | # mkinitcpio preset file for the 'linux-lts' package 2 | 3 | #ALL_config="/etc/mkinitcpio.conf" 4 | ALL_kver="/boot/vmlinuz-linux-lts" 5 | 6 | PRESETS=('default' 'fallback') 7 | 8 | #default_config="/etc/mkinitcpio.conf" 9 | default_image="/boot/initramfs-linux-lts.img" 10 | #default_uki="/efi/EFI/Linux/arch-linux-lts.efi" 11 | #default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp" 12 | 13 | #fallback_config="/etc/mkinitcpio.conf" 14 | fallback_image="/boot/initramfs-linux-lts-fallback.img" 15 | #fallback_uki="/efi/EFI/Linux/arch-linux-lts-fallback.efi" 16 | fallback_options="-S autodetect" 17 | 
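--------------------------------------------------------------------------------
/etc/syslog-ng/conf.d/nginx.conf:
--------------------------------------------------------------------------------
# nginx writes its access and error logs to two unix datagram sockets owned by
# group http; each is written out with an ISO timestamp prefix.
source s_nginx_access {
    unix-dgram("/run/nginx-access-log" group("http") perm(0660));
};
source s_nginx_error {
    unix-dgram("/run/nginx-error-log" group("http") perm(0660));
};

destination d_nginx_access {
    file("/var/log/nginx/access.log" template("${R_ISODATE} ${MESSAGE}\n"));
};
destination d_nginx_error {
    file("/var/log/nginx/error.log" template("${R_ISODATE} ${MESSAGE}\n"));
};

log {
    source(s_nginx_access);
    destination(d_nginx_access);
};
log {
    source(s_nginx_error);
    destination(d_nginx_error);
};

--------------------------------------------------------------------------------
/tcp-fastopen-rotate-keys:
--------------------------------------------------------------------------------
#!/bin/bash

set -o errexit -o nounset -o pipefail

# Key material must not be world-readable while it is being written.
umask 077

if [[ -e /etc/tcp_fastopen_seed ]]; then
# NOTE(review): this copy of the script is truncated. Original lines 9-19 are
# absent and the text between a '<' and a '>' on the rand=/sysctl lines was
# dropped by the extraction, so the two lines below are a fused fragment and
# are left exactly as found. Do not treat this as the complete script.
rand=$(b3sum --keyed -l 16 --no-names /etc/sysctl.d/50-tcp_fastopen_key.conf
sysctl -p /etc/sysctl.d/50-tcp_fastopen_key.conf

--------------------------------------------------------------------------------
/check-reverse-dns:
--------------------------------------------------------------------------------
#!/bin/bash

# Verify that the PTR record of every configured IPv4/IPv6 address of every
# host in hosts_all resolves back to that host's name. Exits 1 if any lookup
# failed or mismatched, 0 otherwise.

. shared.sh
. hosts.sh

status=0

# check_address ADDRESS HOSTNAME: look up the PTR for ADDRESS with drill and
# require it to equal "HOSTNAME." (the comparison relies on drill printing the
# name with a trailing dot). A failed or empty lookup is now reported as such
# instead of as a mismatch against an empty string; both set status=1.
check_address() {
    local reverse
    reverse=$(drill -Qx "$1") || reverse=
    if [[ -z $reverse ]]; then
        echo "reverse dns lookup failed for $1"
        status=1
    elif [[ $reverse != "$2." ]]; then
        echo mismatched reverse dns: $reverse
        status=1
    fi
}

for host in ${hosts_all[@]}; do
    echo
    echo $host
    echo

    if test -v hosts_ipv4_address[$host]; then
        check_address ${hosts_ipv4_address[$host]} $host
    fi
    if test -v hosts_ipv6_address[$host]; then
        check_address ${hosts_ipv6_address[$host]} $host
    fi
done

exit $status

--------------------------------------------------------------------------------
/deploy-certbot:
--------------------------------------------------------------------------------
#!/bin/bash

# For each host in hosts_certbot: install the letsencrypt logrotate config and
# the certbot-renew.service drop-in, enable the renew timer, and create the
# /srv/certbot webroot (root:http, mode 750) used for HTTP-01 challenges.

. shared.sh
. hosts.sh

for host in ${hosts_certbot[@]}; do
    remote=root@$host

    echo
    echo $host
    echo

    rsync etc/logrotate.d/letsencrypt $remote:/etc/logrotate.d/
    ssh $remote mkdir -p /etc/systemd/system/certbot-renew.service.d
    rsync etc/systemd/system/certbot-renew.service.d/override.conf $remote:/etc/systemd/system/certbot-renew.service.d/override.conf

    ssh $remote "systemctl daemon-reload &&
    systemctl enable --now certbot-renew.timer &&
    mkdir -vp /srv/certbot &&
    chmod -c 750 /srv/certbot &&
    chown -c root:http /srv/certbot"
done

--------------------------------------------------------------------------------
/session-ticket-keys-sync-deploy:
--------------------------------------------------------------------------------
#!/bin/bash

# Install a freshly synced set of TLS session ticket keys (presumably pushed
# into /etc/tls/session-ticket-keys/sync by session-ticket-keys-sync). If the
# synced keys file differs from the installed one, copy the key set into place
# and reload whichever of nginx / dnsdist is running; either way remove sync/
# and touch the "synced" marker.

set -o errexit -o nounset -o pipefail

cd /etc/tls/session-ticket-keys

# Hold an exclusive lock on sync-lock for the lifetime of this process so two
# concurrent deploys cannot interleave their copy and reload steps.
exec {fd}>sync-lock
flock $fd

if ! cmp --silent keys sync/keys; then
    rsync -aIv sync/{{next,1,2,3,4}.key,keys} .
    rm -rf sync

    # A failed reload is reported through the exit status but does not stop
    # the other service from being reloaded or the marker from being set.
    status=0

    if systemctl is-active --quiet nginx.service; then
        nginx -s reload || status=1
    fi

    if systemctl is-active --quiet dnsdist.service; then
        dnsdist -c -e 'reloadAllCertificates()' || status=1
    fi

    touch synced

    exit $status
fi

rm -rf sync
touch synced

--------------------------------------------------------------------------------
/packages/mail.grapheneos.org:
--------------------------------------------------------------------------------
age
base
certbot
chrony
cloud-guest-utils
conntrack-tools
dovecot
ethtool
fish
grub
htop
ioping
iperf
linux-lts
logrotate
man-db
moreutils
mtr
mutt
neovim
nftables
nginx
nmap
opendkim
opendmarc
openssh
pacman-contrib
pacutils
plocate
postfix
postfix-pcre
publicsuffix-list
pv
python-authres
python-keystoneauth1
python-keystoneclient
python-spf-engine
python-swiftclient
rsync
s-nail
strace
stress
syslog-ng
sysstat
tinyxxd
tree
unbound
xfsprogs

--------------------------------------------------------------------------------
/etc/systemd/network/mail.grapheneos.org.network:
--------------------------------------------------------------------------------
[Match]
Name=public

[Network]
LinkLocalAddressing=no
Address=192.99.98.22/32
Address=2607:5300:205:200::472f/128

[Route]
Destination=0.0.0.0/0
Gateway=51.79.64.1
PreferredSource=192.99.98.22

[Route]
Destination=51.79.64.1
PreferredSource=192.99.98.22

[Route]
Destination=::/0
Gateway=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::472f

[Route]
Destination=2607:5300:205:200::1
PreferredSource=2607:5300:205:200::472f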
27 | [CAKE] 28 | Handle=1 29 | Bandwidth=500M 30 | PriorityQueueingPreset=diffserv4 31 | FlowIsolationMode=dual-dst-host 32 | SplitGSO=false 33 | -------------------------------------------------------------------------------- /packages/discuss.grapheneos.org: -------------------------------------------------------------------------------- 1 | age 2 | base 3 | brotli 4 | certbot 5 | chrony 6 | cloud-guest-utils 7 | composer 8 | conntrack-tools 9 | dosfstools 10 | efibootmgr 11 | ethtool 12 | fish 13 | geoipupdate 14 | htop 15 | ioping 16 | iperf 17 | linux-lts 18 | logrotate 19 | man-db 20 | mariadb 21 | mmdblookup 22 | moreutils 23 | mtr 24 | neovim 25 | nftables 26 | nginx 27 | nginx-mod-brotli 28 | nginx-mod-geoip2 29 | nmap 30 | openssh 31 | pacman-contrib 32 | pacutils 33 | php 34 | php-fpm 35 | php-gd 36 | plocate 37 | pv 38 | python-keystoneauth1 39 | python-keystoneclient 40 | python-swiftclient 41 | rsync 42 | strace 43 | stress 44 | syslog-ng 45 | sysstat 46 | tinyxxd 47 | tree 48 | unbound 49 | valkey 50 | xfsprogs 51 | zopfli 52 | -------------------------------------------------------------------------------- /etc/systemd/network/ns1.staging.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=198.98.56.238/24 7 | Address=2605:6400:10:c41:de92:c534:326a:711a/48 8 | 9 | # 2602:f4d9:4::/48 subnet for ns1.staging.grapheneos.org 10 | [Address] 11 | Address=2602:f4d9:4::1/128 12 | PreferredLifetime=0 13 | 14 | [Route] 15 | Destination=0.0.0.0/0 16 | Gateway=198.98.56.1 17 | PreferredSource=198.98.56.238 18 | 19 | [Route] 20 | Destination=198.98.56.1 21 | PreferredSource=198.98.56.238 22 | 23 | [Route] 24 | Destination=::/0 25 | Gateway=2605:6400:10::1 26 | PreferredSource=2605:6400:10:c41:de92:c534:326a:711a 27 | 28 | [Route] 29 | Destination=2605:6400:10::1 30 | PreferredSource=2605:6400:10:c41:de92:c534:326a:711a 31 | 
-------------------------------------------------------------------------------- /home/.config/fish/functions/fish_title.fish: -------------------------------------------------------------------------------- 1 | function fish_title 2 | # If we're connected via ssh, we print the hostname. 3 | set -l ssh 4 | set -q SSH_TTY 5 | and set ssh "["(prompt_hostname | string sub -l 20 | string collect)"]" 6 | # An override for the current command is passed as the first parameter. 7 | # This is used by `fg` to show the true process name, among others. 8 | if set -q argv[1] 9 | echo -- $ssh (string sub -l 20 -- $argv[1]) (prompt_pwd -d 1 -D 4) 10 | else 11 | # Don't print "fish" because it's redundant 12 | set -l command (status current-command) 13 | if test "$command" = fish 14 | set command 15 | end 16 | echo -- $ssh (string sub -l 20 -- $command) (prompt_pwd -d 1 -D 4) 17 | end 18 | end 19 | -------------------------------------------------------------------------------- /session-ticket-keys-rotate: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -o errexit -o nounset -o pipefail 4 | 5 | cd /etc/tls/session-ticket-keys 6 | 7 | exec {fd}>sync-lock 8 | flock $fd 9 | 10 | if [[ -f synced ]]; then 11 | echo skipping rotation due to sync 12 | rm synced 13 | exit 0 14 | fi 15 | 16 | rsync -tI 2.key 1.key 17 | rsync -tI 3.key 2.key 18 | rsync -tI 4.key 3.key 19 | rsync -tI next.key 4.key 20 | head -c 80 tmp.key 21 | mv tmp.key next.key 22 | 23 | cat next.key {1..4}.key > keys.new 24 | mv keys.new keys 25 | 26 | status=0 27 | 28 | if systemctl is-active --quiet nginx.service; then 29 | nginx -s reload || status=1 30 | fi 31 | 32 | if systemctl is-active --quiet dnsdist.service; then 33 | dnsdist -c -e 'reloadAllCertificates()' || status=1 34 | fi 35 | 36 | exit $status 37 | -------------------------------------------------------------------------------- /packages/matrix.grapheneos.org: 
-------------------------------------------------------------------------------- 1 | age 2 | base 3 | certbot 4 | chrony 5 | cloud-guest-utils 6 | conntrack-tools 7 | dosfstools 8 | efibootmgr 9 | ethtool 10 | fish 11 | git 12 | htop 13 | ioping 14 | iperf 15 | jemalloc 16 | jq 17 | linux-lts 18 | logrotate 19 | man-db 20 | matrix-synapse 21 | matterbridge-git 22 | moreutils 23 | mtr 24 | neovim 25 | nftables 26 | nginx 27 | nginx-mod-brotli 28 | nmap 29 | nodejs-lts-jod 30 | openssh 31 | pacman-contrib 32 | pacutils 33 | parallel 34 | plocate 35 | postgresql 36 | postgresql-old-upgrade 37 | pv 38 | python-hiredis 39 | python-keystoneauth1 40 | python-keystoneclient 41 | python-pip 42 | python-psycopg2 43 | python-swiftclient 44 | python-txredisapi 45 | rsync 46 | strace 47 | stress 48 | syslog-ng 49 | sysstat 50 | tinyxxd 51 | tree 52 | unbound 53 | valkey 54 | xfsprogs 55 | yarn 56 | -------------------------------------------------------------------------------- /dns-stats: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -o errexit -o nounset -o pipefail 4 | 5 | [[ $# -eq 0 ]] || exit 1 6 | 7 | user=root 8 | 9 | . 
hosts.sh 10 | 11 | function print_stat() { 12 | echo $1 ${stats["$1"]} 13 | } 14 | 15 | declare -n hosts=hosts_dns 16 | for host in ${hosts[@]}; do 17 | echo $host 18 | echo 19 | 20 | declare -A stats 21 | for field in $(ssh $user@$host 'pdns_control list' | tr ',' '\n'); do 22 | IFS== read key value <<<$field 23 | stats[$key]=$value 24 | done 25 | 26 | print_stat uptime 27 | print_stat backend-queries 28 | print_stat tcp-queries 29 | print_stat tcp4-queries 30 | print_stat tcp6-queries 31 | print_stat udp-queries 32 | print_stat udp4-queries 33 | print_stat udp6-queries 34 | print_stat latency 35 | print_stat receive-latency 36 | print_stat backend-latency 37 | print_stat send-latency 38 | 39 | echo 40 | done 41 | -------------------------------------------------------------------------------- /home/.config/nvim/init.vim: -------------------------------------------------------------------------------- 1 | set title 2 | set mouse=a 3 | set cursorline 4 | set number 5 | set whichwrap+=<,>,[,] 6 | set virtualedit=block 7 | set scrolloff=3 8 | set shortmess=atToOI 9 | 10 | " double slash to use full path to file 11 | set backup backupdir=~/.local/state/nvim/backup// 12 | set undofile 13 | 14 | set wildmode=list:longest,full 15 | 16 | set expandtab softtabstop=4 shiftwidth=4 17 | set cinoptions=(0 18 | 19 | set ignorecase 20 | set smartcase 21 | 22 | let mapleader = "," 23 | 24 | nnoremap gb :ls:b 25 | 26 | colorscheme gruvbox 27 | 28 | " highlight trailing whitespace, except when typing at eol 29 | highlight ExtraWhitespace ctermbg=darkred guibg=darkred 30 | match ExtraWhitespace /\s\+$/ 31 | autocmd BufWinEnter * match ExtraWhitespace /\s\+$/ 32 | autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@ 5 | " Source: https://github.com/morhetz/gruvbox 6 | " Last Modified: 09 Apr 2014 7 | " ----------------------------------------------------------------------------- 8 | 9 | function! 
gruvbox#invert_signs_toggle() 10 | if g:gruvbox_invert_signs == 0 11 | let g:gruvbox_invert_signs=1 12 | else 13 | let g:gruvbox_invert_signs=0 14 | endif 15 | 16 | colorscheme gruvbox 17 | endfunction 18 | 19 | " Search Highlighting {{{ 20 | 21 | function! gruvbox#hls_show() 22 | set hlsearch 23 | call GruvboxHlsShowCursor() 24 | endfunction 25 | 26 | function! gruvbox#hls_hide() 27 | set nohlsearch 28 | call GruvboxHlsHideCursor() 29 | endfunction 30 | 31 | function! gruvbox#hls_toggle() 32 | if &hlsearch 33 | call gruvbox#hls_hide() 34 | else 35 | call gruvbox#hls_show() 36 | endif 37 | endfunction 38 | 39 | " }}} 40 | 41 | " vim: set sw=2 ts=2 sts=2 et tw=80 ft=vim fdm=marker: 42 | -------------------------------------------------------------------------------- /etc/systemd/network/mia.ns2.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=45.61.188.113/24 7 | Address=2605:6400:40:ffbd:14e7:d270:fd75:600c/48 8 | 9 | # 23.149.125.0/24 anycast subnet for ns2 instances 10 | [Address] 11 | Address=23.149.125.1/32 12 | PreferredLifetime=0 13 | 14 | # 2602:f4d9:1::/48 anycast subnet for ns2 instances 15 | [Address] 16 | Address=2602:f4d9:1::1/128 17 | PreferredLifetime=0 18 | 19 | # 2602:f4d9:3::/48 anycast subnet for ns2 instances 20 | [Address] 21 | Address=2602:f4d9:3::1/128 22 | PreferredLifetime=0 23 | 24 | # fallback anycast address for BuyVM ns2 instances 25 | [Address] 26 | Address=198.251.90.93/32 27 | PreferredLifetime=0 28 | 29 | [Route] 30 | Destination=0.0.0.0/0 31 | Gateway=45.61.188.1 32 | PreferredSource=45.61.188.113 33 | 34 | [Route] 35 | Destination=45.61.188.1 36 | PreferredSource=45.61.188.113 37 | 38 | [Route] 39 | Destination=::/0 40 | Gateway=2605:6400:40::1 41 | PreferredSource=2605:6400:40:ffbd:14e7:d270:fd75:600c 42 | 43 | [Route] 44 | Destination=2605:6400:40::1 45 | 
PreferredSource=2605:6400:40:ffbd:14e7:d270:fd75:600c 46 | -------------------------------------------------------------------------------- /etc/systemd/network/nyc.ns2.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=198.98.53.141/24 7 | Address=2605:6400:10:102e:95bc:89ef:2e7f:49bb/48 8 | 9 | # 23.149.125.0/24 anycast subnet for ns2 instances 10 | [Address] 11 | Address=23.149.125.1/32 12 | PreferredLifetime=0 13 | 14 | # 2602:f4d9:1::/48 anycast subnet for ns2 instances 15 | [Address] 16 | Address=2602:f4d9:1::1/128 17 | PreferredLifetime=0 18 | 19 | # 2602:f4d9:3::/48 anycast subnet for ns2 instances 20 | [Address] 21 | Address=2602:f4d9:3::1/128 22 | PreferredLifetime=0 23 | 24 | # fallback anycast address for BuyVM ns2 instances 25 | [Address] 26 | Address=198.251.90.93/32 27 | PreferredLifetime=0 28 | 29 | [Route] 30 | Destination=0.0.0.0/0 31 | Gateway=198.98.53.1 32 | PreferredSource=198.98.53.141 33 | 34 | [Route] 35 | Destination=198.98.53.1 36 | PreferredSource=198.98.53.141 37 | 38 | [Route] 39 | Destination=::/0 40 | Gateway=2605:6400:10::1 41 | PreferredSource=2605:6400:10:102e:95bc:89ef:2e7f:49bb 42 | 43 | [Route] 44 | Destination=2605:6400:10::1 45 | PreferredSource=2605:6400:10:102e:95bc:89ef:2e7f:49bb 46 | -------------------------------------------------------------------------------- /etc/systemd/network/las.ns2.grapheneos.org.network: -------------------------------------------------------------------------------- 1 | [Match] 2 | Name=public 3 | 4 | [Network] 5 | LinkLocalAddressing=no 6 | Address=205.185.124.155/24 7 | Address=2605:6400:20:1c8f:a0c9:372d:482e:945b/48 8 | 9 | # 23.149.125.0/24 anycast subnet for ns2 instances 10 | [Address] 11 | Address=23.149.125.1/32 12 | PreferredLifetime=0 13 | 14 | # 2602:f4d9:1::/48 anycast subnet for ns2 instances 15 | [Address] 16 | Address=2602:f4d9:1::1/128 17 | 
PreferredLifetime=0 18 | 19 | # 2602:f4d9:3::/48 anycast subnet for ns2 instances 20 | [Address] 21 | Address=2602:f4d9:3::1/128 22 | PreferredLifetime=0 23 | 24 | # fallback anycast address for BuyVM ns2 instances 25 | [Address] 26 | Address=198.251.90.93/32 27 | PreferredLifetime=0 28 | 29 | [Route] 30 | Destination=0.0.0.0/0 31 | Gateway=205.185.124.1 32 | PreferredSource=205.185.124.155 33 | 34 | [Route] 35 | Destination=205.185.124.1 36 | PreferredSource=205.185.124.155 37 | 38 | [Route] 39 | Destination=::/0 40 | Gateway=2605:6400:20::1 41 | PreferredSource=2605:6400:20:1c8f:a0c9:372d:482e:945b 42 | 43 | [Route] 44 | Destination=2605:6400:20::1 45 | PreferredSource=2605:6400:20:1c8f:a0c9:372d:482e:945b 46 | -------------------------------------------------------------------------------- /etc/systemd/sleep.conf: -------------------------------------------------------------------------------- 1 | # This file is part of systemd. 2 | # 3 | # systemd is free software; you can redistribute it and/or modify it under the 4 | # terms of the GNU Lesser General Public License as published by the Free 5 | # Software Foundation; either version 2.1 of the License, or (at your option) 6 | # any later version. 7 | # 8 | # Entries in this file show the compile time defaults. Local configuration 9 | # should be created by either modifying this file (or a copy of it placed in 10 | # /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in 11 | # the /etc/systemd/sleep.conf.d/ directory. The latter is generally 12 | # recommended. Defaults can be restored by simply deleting the main 13 | # configuration file and all drop-ins located in /etc/. 14 | # 15 | # Use 'systemd-analyze cat-config systemd/sleep.conf' to display the full config. 16 | # 17 | # See systemd-sleep.conf(5) for details. 
18 | 19 | [Sleep] 20 | AllowSuspend=no 21 | AllowHibernation=no 22 | #AllowSuspendThenHibernate=yes 23 | #AllowHybridSleep=yes 24 | #SuspendState=mem standby freeze 25 | #HibernateMode=platform shutdown 26 | #MemorySleepMode= 27 | #HibernateDelaySec= 28 | #HibernateOnACPower=yes 29 | #SuspendEstimationSec=60min 30 | -------------------------------------------------------------------------------- /deploy-web: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . shared.sh 4 | . hosts.sh 5 | 6 | for host in ${hosts_web[@]}; do 7 | remote=root@$host 8 | 9 | echo 10 | echo $host 11 | echo 12 | 13 | ssh $remote ln -snf /usr/lib/nginx/modules/ /etc/nginx/modules 14 | 15 | rsync etc/systemd/system/{session-ticket-keys-create.service,session-ticket-keys-rotate.service,session-ticket-keys-rotate.timer} $remote:/etc/systemd/system/ 16 | rsync --chmod=755 session-ticket-keys-create session-ticket-keys-rotate $remote:/usr/local/bin/ 17 | rsync -r --delete etc/systemd/system/nginx.service.d/ $remote:/etc/systemd/system/nginx.service.d 18 | rsync etc/syslog-ng/syslog-ng.conf $remote:/etc/syslog-ng/syslog-ng.conf 19 | rsync -r etc/syslog-ng/conf.d/ $remote:/etc/syslog-ng/conf.d 20 | rsync etc/logrotate.d/nginx $remote:/etc/logrotate.d/nginx 21 | 22 | ssh $remote 'mkdir -pm755 /var/cache/nginx && 23 | groupadd -fr tls && 24 | mkdir -pm 750 /etc/tls/session-ticket-keys && 25 | chmod 750 /etc/tls && 26 | chown root:tls /etc/tls && 27 | systemctl daemon-reload && 28 | systemctl enable --now session-ticket-keys-create.service session-ticket-keys-rotate.timer syslog-ng@default.service nginx.service && 29 | chmod 700 /var/log/nginx && 30 | syslog-ng-ctl reload' 31 | done 32 | -------------------------------------------------------------------------------- /deploy-bootloader: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . shared.sh 4 | . 
hosts.sh 5 | 6 | for host in ${hosts_all[@]}; do 7 | remote=root@$host 8 | 9 | echo 10 | echo $host 11 | echo 12 | 13 | if [[ ${hosts_uefi[$host]:-false} = true ]]; then 14 | rsync boot/loader/loader.conf $remote:/boot/loader/loader.conf 15 | if [[ ${hosts_mdraid[$host]:-false} = true ]]; then 16 | # standalone intel-ucode.img is needed for yto.releases.grapheneos.org 17 | if [[ $host != yto.releases.grapheneos.org ]]; then 18 | rsync boot/loader/entries/arch-lts{,-fallback}.conf $remote:/boot/loader/entries/ 19 | fi 20 | ssh $remote "SYSTEMD_RELAX_ESP_CHECKS=1 bootctl install && systemctl enable systemd-boot-update.service" 21 | rsync -r --delete etc/systemd/system/systemd-boot-update.service.d $remote:/etc/systemd/system/ 22 | else 23 | ssh $remote "bootctl install && systemctl enable systemd-boot-update.service" 24 | fi 25 | else 26 | rsync etc/default/grub $remote:/etc/default/grub 27 | drive=$(ssh $remote bash -c '[[ -e /dev/sda ]] && echo sda || echo vda') 28 | ssh $remote grub-install /dev/$drive 29 | ssh $remote grub-mkconfig -o /boot/grub/grub.cfg 30 | fi 31 | done 32 | -------------------------------------------------------------------------------- /certbot/mail.grapheneos.org: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \ 2 | --key-type ecdsa --reuse-key --required-profile shortlived \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name mta-sts.mail.grapheneos.org \ 5 | -d mail.grapheneos.org \ 6 | -d mail.grapheneos.net \ 7 | -d mta-sts.attestation.app \ 8 | -d mta-sts.discuss.grapheneos.org \ 9 | -d mta-sts.grapheneos.app \ 10 | -d mta-sts.grapheneos.ca \ 11 | -d mta-sts.grapheneos.com \ 12 | -d mta-sts.grapheneos.dev \ 13 | -d mta-sts.grapheneos.foundation \ 14 | -d mta-sts.grapheneos.info \ 15 | -d mta-sts.grapheneos.net \ 16 | -d mta-sts.grapheneos.network \ 17 | -d mta-sts.grapheneos.online \ 18 | -d 
mta-sts.grapheneos.org \ 19 | -d mta-sts.grapheneos.ovh \ 20 | -d mta-sts.grapheneos.page \ 21 | -d mta-sts.grapheneos.social \ 22 | -d mta-sts.mail.grapheneos.org \ 23 | -d mta-sts.matrix.grapheneos.org \ 24 | -d mta-sts.seamlessupdate.app \ 25 | -d mta-sts.vanadium.app 26 | 27 | certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \ 28 | --key-type rsa --rsa-key-size 3072 --reuse-key \ 29 | --deploy-hook "postfix reload; dovecot reload" \ 30 | --cert-name mail.grapheneos.org \ 31 | -d mail.grapheneos.org \ 32 | -d mail.grapheneos.net 33 | -------------------------------------------------------------------------------- /session-ticket-keys-sync: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -o errexit -o nounset -o pipefail 4 | 5 | status=0 6 | 7 | cd /etc/tls/session-ticket-keys 8 | 9 | if [[ ! -f syncing ]]; then 10 | for mirror in $(cat /etc/mirrors); do 11 | echo 12 | echo Syncing from $mirror 13 | echo 14 | 15 | ssh $mirror "bash -c [[ -f /etc/tls/session-ticket-keys/synced ]]" || continue 16 | 17 | rm -rf sync 18 | mkdir sync 19 | rsync -aI $mirror:/etc/tls/session-ticket-keys/{{next,1,2,3,4}.key,keys} sync/ || continue 20 | rsync -aIv sync/{{next,1,2,3,4}.key,keys} . 
|| continue 21 | rm -r sync 22 | 23 | if systemctl is-active --quiet nginx.service; then 24 | nginx -s reload || true 25 | fi 26 | 27 | if systemctl is-active --quiet dnsdist.service; then 28 | dnsdist -c -e 'reloadAllCertificates()' || true 29 | fi 30 | 31 | touch syncing 32 | break 33 | done 34 | fi 35 | 36 | for mirror in $(cat /etc/mirrors); do 37 | echo 38 | echo Syncing to $mirror 39 | echo 40 | 41 | ssh $mirror "rm -rf /etc/tls/session-ticket-keys/sync && mkdir /etc/tls/session-ticket-keys/sync" || continue 42 | rsync -aI {{next,1,2,3,4}.key,keys} $mirror:/etc/tls/session-ticket-keys/sync || continue 43 | ssh $mirror session-ticket-keys-sync-deploy || continue 44 | done 45 | -------------------------------------------------------------------------------- /etc/systemd/networkd.conf: -------------------------------------------------------------------------------- 1 | # This file is part of systemd. 2 | # 3 | # systemd is free software; you can redistribute it and/or modify it under the 4 | # terms of the GNU Lesser General Public License as published by the Free 5 | # Software Foundation; either version 2.1 of the License, or (at your option) 6 | # any later version. 7 | # 8 | # Entries in this file show the compile time defaults. Local configuration 9 | # should be created by either modifying this file (or a copy of it placed in 10 | # /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in 11 | # the /etc/systemd/networkd.conf.d/ directory. The latter is generally 12 | # recommended. Defaults can be restored by simply deleting the main 13 | # configuration file and all drop-ins located in /etc/. 14 | # 15 | # Use 'systemd-analyze cat-config systemd/networkd.conf' to display the full config. 16 | # 17 | # See networkd.conf(5) for details. 
18 | 19 | [Network] 20 | SpeedMeter=yes 21 | #SpeedMeterIntervalSec=10sec 22 | #ManageForeignRoutingPolicyRules=yes 23 | #ManageForeignRoutes=yes 24 | #ManageForeignNextHops=yes 25 | #RouteTable= 26 | #IPv4Forwarding= 27 | #IPv6Forwarding= 28 | #IPv6PrivacyExtensions=no 29 | #UseDomains=no 30 | 31 | #[IPv6AddressLabel] 32 | #Prefix= 33 | #Label= 34 | 35 | [IPv6AcceptRA] 36 | #UseDomains= 37 | 38 | [DHCPv4] 39 | #ClientIdentifier=duid 40 | #DUIDType=vendor 41 | #DUIDRawData= 42 | #UseDomains= 43 | 44 | [DHCPv6] 45 | #DUIDType=vendor 46 | #DUIDRawData= 47 | #UseDomains= 48 | 49 | [DHCPServer] 50 | #PersistLeases=yes 51 | -------------------------------------------------------------------------------- /etc/systemd/system/matrix.grapheneos.org.fq.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Requires=sys-subsystem-net-devices-public.device 3 | After=sys-subsystem-net-devices-public.device 4 | 5 | [Service] 6 | Type=oneshot 7 | ExecStart=/usr/bin/tc qdisc replace dev public root handle 1 mq 8 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:1 handle 1001 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 9 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:2 handle 1002 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 10 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:3 handle 1003 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 11 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:4 handle 1004 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 12 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:5 handle 1005 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 13 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:6 handle 1006 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 14 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:7 handle 1007 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 15 | ExecStart=/usr/bin/tc qdisc replace dev public parent 
1:8 handle 1008 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 16 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:9 handle 1009 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 17 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:a handle 100a fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 18 | 19 | [Install] 20 | WantedBy=sys-subsystem-net-devices-public.device 21 | -------------------------------------------------------------------------------- /etc/systemd/journald.conf: -------------------------------------------------------------------------------- 1 | # This file is part of systemd. 2 | # 3 | # systemd is free software; you can redistribute it and/or modify it under the 4 | # terms of the GNU Lesser General Public License as published by the Free 5 | # Software Foundation; either version 2.1 of the License, or (at your option) 6 | # any later version. 7 | # 8 | # Entries in this file show the compile time defaults. Local configuration 9 | # should be created by either modifying this file (or a copy of it placed in 10 | # /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in 11 | # the /etc/systemd/journald.conf.d/ directory. The latter is generally 12 | # recommended. Defaults can be restored by simply deleting the main 13 | # configuration file and all drop-ins located in /etc/. 14 | # 15 | # Use 'systemd-analyze cat-config systemd/journald.conf' to display the full config. 16 | # 17 | # See journald.conf(5) for details. 
18 | 19 | [Journal] 20 | #Storage=persistent 21 | #Compress=yes 22 | #Seal=yes 23 | #SplitMode=uid 24 | #SyncIntervalSec=5m 25 | #RateLimitIntervalSec=30s 26 | #RateLimitBurst=10000 27 | SystemMaxUse={{journald_system_max_use}} 28 | #SystemKeepFree= 29 | SystemMaxFileSize={{journald_system_max_file_size}} 30 | #SystemMaxFiles=100 31 | #RuntimeMaxUse= 32 | #RuntimeKeepFree= 33 | #RuntimeMaxFileSize= 34 | #RuntimeMaxFiles=100 35 | MaxRetentionSec=10day 36 | MaxFileSec=1day 37 | #ForwardToSyslog=no 38 | #ForwardToKMsg=no 39 | #ForwardToConsole=no 40 | ForwardToWall=no 41 | #TTYPath=/dev/console 42 | #MaxLevelStore=debug 43 | #MaxLevelSyslog=debug 44 | #MaxLevelKMsg=notice 45 | #MaxLevelConsole=info 46 | #MaxLevelWall=emerg 47 | #MaxLevelSocket=debug 48 | #LineMax=48K 49 | #ReadKMsg=yes 50 | #Audit=yes 51 | -------------------------------------------------------------------------------- /etc/unbound/unbound.conf: -------------------------------------------------------------------------------- 1 | server: 2 | interface: ::1 3 | trust-anchor-file: /etc/unbound/trusted-key.key 4 | tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt 5 | prefetch: yes 6 | prefetch-key: yes 7 | qname-minimisation-strict: yes 8 | hide-identity: yes 9 | hide-trustanchor: yes 10 | hide-version: yes 11 | harden-large-queries: yes 12 | infra-keep-probing: yes 13 | outgoing-port-permit: 1024-65535 14 | outgoing-port-avoid: 7275 # supl 15 | outgoing-port-avoid: 8080 # attestation 16 | 17 | # Block DNS rebinding 18 | private-address: 10.0.0.0/8 19 | private-address: 172.16.0.0/12 20 | private-address: 192.168.0.0/16 21 | private-address: fd00::/8 22 | private-address: 169.254.0.0/16 23 | private-address: fe80::/10 24 | private-address: 127.0.0.0/8 25 | private-address: ::1/128 26 | private-address: ::ffff:0:0/96 27 | 28 | # force DMARC enforcement 29 | local-zone: "_dmarc.gmail.com" static 30 | local-data: '_dmarc.gmail.com 600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:mailauth-reports@google.com"' 
31 | local-zone: "_dmarc.hotmail.com" static 32 | local-data: '_dmarc.hotmail.com 600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.microsoft; ruf=mailto:ruf@dmarc.microsoft; fo=1:s:d""' 33 | local-zone: "_dmarc.live.com" static 34 | local-data: '_dmarc.live.com 600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.microsoft; ruf=mailto:ruf@dmarc.microsoft; fo=1"' 35 | local-zone: "_dmarc.outlook.com" static 36 | local-data: '_dmarc.outlook.com 600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.microsoft; ruf=mailto:ruf@dmarc.microsoft; fo=1"' 37 | 38 | forward-zone: 39 | name: "." 40 | forward-tls-upstream: yes 41 | forward-addr: 1.1.1.1@853#cloudflare-dns.com 42 | forward-addr: 1.0.0.1@853#cloudflare-dns.com 43 | forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com 44 | forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com 45 | -------------------------------------------------------------------------------- /etc/sysctl.d/60-local.conf: -------------------------------------------------------------------------------- 1 | net.ipv6.bindv6only = 1 2 | 3 | net.ipv4.ip_local_port_range = 1024 65535 4 | 5 | net.ipv4.conf.*.send_redirects = 0 6 | net.ipv4.conf.*.accept_redirects = 0 7 | net.ipv6.conf.*.accept_redirects = 0 8 | 9 | # enforced with nftables to handle both IPv4 and IPv6 in the same way 10 | net.ipv4.conf.default.rp_filter = 0 11 | net.ipv4.conf.*.rp_filter = 0 12 | 13 | net.core.wmem_max=4194304 14 | net.core.rmem_max=4194304 15 | 16 | # use BBR and disable ECN since BBRv1 doesn't support it 17 | net.ipv4.tcp_congestion_control = bbr 18 | net.ipv4.tcp_ecn = 0 19 | 20 | net.ipv4.tcp_slow_start_after_idle = 0 21 | net.ipv4.tcp_shrink_window = 1 22 | net.ipv4.tcp_notsent_lowat = 131072 23 | net.ipv4.tcp_fin_timeout = 30 24 | net.ipv4.tcp_rfc1337 = 1 25 | net.ipv4.tcp_tw_reuse = 1 26 | 27 | # 31s with initial 1s RTO 28 | net.ipv4.tcp_syn_retries = 4 29 | net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 31 30 | 31 | # 15s with initial 1s 
RTO 32 | net.ipv4.tcp_synack_retries = 3 33 | net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 15 34 | 35 | # 102.2s with minimum 0.2s RTO 36 | net.ipv4.tcp_retries2 = 8 37 | 38 | # 25.4s with minimum 0.2s RTO 39 | net.ipv4.tcp_orphan_retries = 6 40 | 41 | net.mptcp.enabled = 0 42 | 43 | net.netfilter.nf_conntrack_tcp_loose = 0 44 | net.netfilter.nf_conntrack_tcp_timeout_established = 1800 45 | net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60 46 | net.netfilter.nf_conntrack_udp_timeout = 15 47 | net.netfilter.nf_conntrack_expect_max = 1 48 | 49 | kernel.yama.ptrace_scope = 2 50 | 51 | vm.mmap_rnd_bits = 32 52 | vm.mmap_rnd_compat_bits = 16 53 | 54 | kernel.kptr_restrict = 2 55 | 56 | kernel.unprivileged_userns_clone = 0 57 | 58 | kernel.unprivileged_bpf_disabled = 1 59 | net.core.bpf_jit_harden = 2 60 | 61 | kernel.io_uring_disabled = 1 62 | kernel.io_uring_group = 2000 63 | 64 | kernel.kexec_load_disabled = 1 65 | 66 | fs.protected_regular = 2 67 | fs.protected_fifos = 2 68 | 69 | kernel.panic = -1 70 | kernel.panic_on_oops = 1 71 | 72 | dev.tty.ldisc_autoload = 0 73 | 74 | fs.binfmt_misc.status = 0 75 | -------------------------------------------------------------------------------- /certbot/nyc.grapheneos.org: -------------------------------------------------------------------------------- 1 | certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \ 2 | --key-type ecdsa --reuse-key --required-profile shortlived \ 3 | --deploy-hook "nginx -s reload" \ 4 | --cert-name grapheneos.org \ 5 | -d grapheneos.org \ 6 | -d www.grapheneos.org \ 7 | -d grapheneos.app \ 8 | -d www.grapheneos.app \ 9 | -d grapheneos.ca \ 10 | -d www.grapheneos.ca \ 11 | -d grapheneos.com \ 12 | -d www.grapheneos.com \ 13 | -d grapheneos.dev \ 14 | -d www.grapheneos.dev \ 15 | -d grapheneos.foundation \ 16 | -d www.grapheneos.foundation \ 17 | -d grapheneos.info \ 18 | -d www.grapheneos.info \ 19 | -d grapheneos.net \ 20 | -d www.grapheneos.net \ 21 | 
-d grapheneos.ovh \ 22 | -d www.grapheneos.ovh \ 23 | -d grapheneos.page \ 24 | -d www.grapheneos.page \ 25 | -d vanadium.app \ 26 | -d www.vanadium.app 27 | 28 | certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \ 29 | --key-type ecdsa --reuse-key --required-profile shortlived \ 30 | --deploy-hook "nginx -s reload" \ 31 | --cert-name grapheneos.network \ 32 | -d grapheneos.network \ 33 | -d www.grapheneos.network \ 34 | -d connectivitycheck.grapheneos.network \ 35 | -d grapheneos.online \ 36 | -d www.grapheneos.online \ 37 | -d connectivitycheck.grapheneos.online \ 38 | -d time.grapheneos.org \ 39 | -d remoteprovisioning.grapheneos.org \ 40 | -d widevineprovisioning.grapheneos.org \ 41 | -d broadcom.psds.grapheneos.org \ 42 | -d samsung.psds.grapheneos.org \ 43 | -d qualcomm.psds.grapheneos.org \ 44 | -d supl.grapheneos.org \ 45 | -d nominatim.grapheneos.org \ 46 | -d gs-loc.apple.grapheneos.org \ 47 | -d update.vanadium.app \ 48 | -d dl.vanadium.app 49 | 50 | certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \ 51 | --key-type rsa --rsa-key-size 3072 --reuse-key --required-profile shortlived \ 52 | --deploy-hook "nginx -s reload" \ 53 | --cert-name supl.grapheneos.org \ 54 | -d supl.grapheneos.org 55 | 56 | certbot certonly --webroot --webroot-path /srv/certbot --max-log-backups 0 --no-eff-email \ 57 | --key-type rsa --rsa-key-size 3072 --reuse-key \ 58 | --deploy-hook "nginx -s reload" \ 59 | --cert-name classic.supl.grapheneos.org \ 60 | -d supl.grapheneos.org 61 | -------------------------------------------------------------------------------- /etc/default/grub: -------------------------------------------------------------------------------- 1 | # GRUB boot loader configuration 2 | 3 | GRUB_DEFAULT=0 4 | GRUB_TIMEOUT=0 5 | GRUB_DISTRIBUTOR="Arch" 6 | GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet" 7 | GRUB_CMDLINE_LINUX="slab_nomerge init_on_free=1 lockdown=confidentiality 
vsyscall=none ia32_emulation=0 preempt=none noautogroup" 8 | 9 | # Preload both GPT and MBR modules so that they are not missed 10 | GRUB_PRELOAD_MODULES="part_gpt part_msdos" 11 | 12 | # Uncomment to enable booting from LUKS encrypted devices 13 | #GRUB_ENABLE_CRYPTODISK=y 14 | 15 | # Set to 'countdown' or 'hidden' to change timeout behavior, 16 | # press ESC key to display menu. 17 | GRUB_TIMEOUT_STYLE=menu 18 | 19 | # Uncomment to use basic console 20 | GRUB_TERMINAL_INPUT=console 21 | 22 | # Uncomment to disable graphical terminal 23 | #GRUB_TERMINAL_OUTPUT=console 24 | 25 | # The resolution used on graphical terminal 26 | # note that you can use only modes which your graphic card supports via VBE 27 | # you can see them in real GRUB with the command `videoinfo' 28 | GRUB_GFXMODE=auto 29 | 30 | # Uncomment to allow the kernel use the same resolution used by grub 31 | GRUB_GFXPAYLOAD_LINUX=keep 32 | 33 | # Uncomment if you want GRUB to pass to the Linux kernel the old parameter 34 | # format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx" 35 | #GRUB_DISABLE_LINUX_UUID=true 36 | 37 | # Uncomment to disable generation of recovery mode menu entries 38 | GRUB_DISABLE_RECOVERY=true 39 | 40 | # Uncomment and set to the desired menu colors. Used by normal and wallpaper 41 | # modes only. Entries specified as foreground/background. 42 | #GRUB_COLOR_NORMAL="light-blue/black" 43 | #GRUB_COLOR_HIGHLIGHT="light-cyan/blue" 44 | 45 | # Uncomment one of them for the gfx desired, a image background or a gfxtheme 46 | #GRUB_BACKGROUND="/path/to/wallpaper" 47 | #GRUB_THEME="/path/to/gfxtheme" 48 | 49 | # Uncomment to get a beep at GRUB start 50 | #GRUB_INIT_TUNE="480 440 1" 51 | 52 | # Uncomment to make GRUB remember the last selection. This requires 53 | # setting 'GRUB_DEFAULT=saved' above. 
54 | #GRUB_SAVEDEFAULT=true 55 | 56 | # Uncomment to disable submenus in boot menu 57 | #GRUB_DISABLE_SUBMENU=y 58 | 59 | # Probing for other operating systems is disabled for security reasons. Read 60 | # documentation on GRUB_DISABLE_OS_PROBER, if still want to enable this 61 | # functionality install os-prober and uncomment to detect and include other 62 | # operating systems. 63 | #GRUB_DISABLE_OS_PROBER=false 64 | -------------------------------------------------------------------------------- /etc/systemd/system.conf: -------------------------------------------------------------------------------- 1 | # This file is part of systemd. 2 | # 3 | # systemd is free software; you can redistribute it and/or modify it under the 4 | # terms of the GNU Lesser General Public License as published by the Free 5 | # Software Foundation; either version 2.1 of the License, or (at your option) 6 | # any later version. 7 | # 8 | # Entries in this file show the compile time defaults. Local configuration 9 | # should be created by either modifying this file (or a copy of it placed in 10 | # /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in 11 | # /etc/systemd/system.conf.d/ directory. The latter is generally recommended. 12 | # Defaults can be restored by simply deleting the main configuration file and 13 | # all drop-ins located in /etc/. 14 | # 15 | # Use 'systemd-analyze cat-config systemd/system.conf' to display the full config. 16 | # 17 | # See systemd-system.conf(5) for details. 
18 | 19 | [Manager] 20 | #LogLevel=info 21 | #LogTarget=journal-or-kmsg 22 | #LogColor=yes 23 | #LogLocation=no 24 | #LogTime=no 25 | #DumpCore=yes 26 | #ShowStatus=yes 27 | #CrashChangeVT=no 28 | #CrashShell=no 29 | CrashAction=reboot 30 | #CtrlAltDelBurstAction=reboot-force 31 | #CPUAffinity= 32 | #NUMAPolicy=default 33 | #NUMAMask= 34 | RuntimeWatchdogSec=60s 35 | #RuntimeWatchdogPreSec=off 36 | #RuntimeWatchdogPreGovernor= 37 | RebootWatchdogSec=60s 38 | #KExecWatchdogSec=off 39 | #WatchdogDevice= 40 | #CapabilityBoundingSet= 41 | #NoNewPrivileges=no 42 | #ProtectSystem=auto 43 | SystemCallArchitectures=native 44 | #TimerSlackNSec= 45 | #StatusUnitFormat=description 46 | #DefaultTimerAccuracySec=1min 47 | #DefaultStandardOutput=journal 48 | #DefaultStandardError=inherit 49 | #DefaultTimeoutStartSec=90s 50 | #DefaultTimeoutStopSec=90s 51 | #DefaultTimeoutAbortSec= 52 | #DefaultDeviceTimeoutSec=90s 53 | #DefaultRestartSec=100ms 54 | DefaultStartLimitIntervalSec=0 55 | #DefaultStartLimitBurst=5 56 | #DefaultEnvironment= 57 | DefaultIOAccounting=yes 58 | DefaultIPAccounting=yes 59 | #DefaultMemoryAccounting=yes 60 | #DefaultTasksAccounting=yes 61 | #DefaultTasksMax=15% 62 | #DefaultLimitCPU= 63 | #DefaultLimitFSIZE= 64 | #DefaultLimitDATA= 65 | #DefaultLimitSTACK= 66 | #DefaultLimitCORE= 67 | #DefaultLimitRSS= 68 | #DefaultLimitNOFILE=1024:524288 69 | #DefaultLimitAS= 70 | #DefaultLimitNPROC= 71 | #DefaultLimitMEMLOCK=8M 72 | #DefaultLimitLOCKS= 73 | #DefaultLimitSIGPENDING= 74 | #DefaultLimitMSGQUEUE= 75 | #DefaultLimitNICE= 76 | #DefaultLimitRTPRIO= 77 | #DefaultLimitRTTIME= 78 | #DefaultMemoryPressureThresholdSec=200ms 79 | #DefaultMemoryPressureWatch=auto 80 | #DefaultOOMPolicy=stop 81 | #DefaultSmackProcessLabel= 82 | #DefaultRestrictSUIDSGID= 83 | #ReloadLimitIntervalSec= 84 | #ReloadLimitBurst= 85 | -------------------------------------------------------------------------------- /home/.config/fish/config.fish: 
-------------------------------------------------------------------------------- 1 | set -g fish_greeting 2 | 3 | set -gx INPUTRC ~/.config/inputrc 4 | set -gx PARALLEL_HOME ~/.config/parallel 5 | 6 | set -gx EDITOR nvim 7 | set -gx VISUAL nvim 8 | set -gx PAGER less 9 | 10 | set -gx LS_COLORS "rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=00:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.7z=01;31:*.ace=01;31:*.alz=01;31:*.apk=01;31:*.arc=01;31:*.arj=01;31:*.bz=01;31:*.bz2=01;31:*.br=01;31:*.cab=01;31:*.cpio=01;31:*.crate=01;31:*.deb=01;31:*.drpm=01;31:*.dwm=01;31:*.dz=01;31:*.ear=01;31:*.egg=01;31:*.esd=01;31:*.gz=01;31:*.jar=01;31:*.lha=01;31:*.lrz=01;31:*.lz=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.lzo=01;31:*.pyz=01;31:*.rar=01;31:*.rpm=01;31:*.rz=01;31:*.sar=01;31:*.swm=01;31:*.t7z=01;31:*.tar=01;31:*.taz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tgz=01;31:*.tlz=01;31:*.txz=01;31:*.tz=01;31:*.tzo=01;31:*.tzst=01;31:*.udeb=01;31:*.war=01;31:*.whl=01;31:*.wim=01;31:*.xz=01;31:*.z=01;31:*.zip=01;31:*.zoo=01;31:*.zst=01;31:*.avif=01;35:*.jpg=01;35:*.jpeg=01;35:*.jxl=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:*~=00;90:*#=00;90:*.bak=00;90:*.crdownload=00;90:*.dpkg-dist=00;90:*.dpkg-n
ew=00;90:*.dpkg-old=00;90:*.dpkg-tmp=00;90:*.old=00;90:*.orig=00;90:*.part=00;90:*.rej=00;90:*.rpmnew=00;90:*.rpmorig=00;90:*.rpmsave=00;90:*.swp=00;90:*.tmp=00;90:*.ucf-dist=00;90:*.ucf-new=00;90:*.ucf-old=00;90:" 11 | 12 | if status is-interactive 13 | fish_vi_key_bindings 14 | set fish_cursor_insert line 15 | set fish_cursor_replace_one underscore 16 | set fish_cursor_replace underscore 17 | set fish_cursor_external line 18 | 19 | set -g fish_prompt_pwd_full_dirs 2 20 | 21 | alias rsync 'rsync --preallocate' 22 | alias diff 'diff --color=auto' 23 | alias grep 'grep --color=auto' 24 | alias ls 'ls -A --color=auto' 25 | alias ip 'ip -color=auto' 26 | alias tc 'tc -color=auto' 27 | alias pstree 'pstree -UC age' 28 | alias tree 'tree -a' 29 | alias chown 'chown --preserve-root' 30 | alias chmod 'chmod --preserve-root' 31 | alias chgrp 'chgrp --preserve-root' 32 | alias vim nvim 33 | alias vimdiff 'nvim -d' 34 | alias certbot 'certbot --max-log-backups 0' 35 | 36 | abbr cp cp -i 37 | abbr mv mv -i 38 | abbr rm rm -I 39 | abbr ln ln -i 40 | 41 | abbr free free -m 42 | abbr ls ls -h 43 | abbr df df -h 44 | abbr du du -h 45 | 46 | abbr vi vim 47 | abbr rr rm -rI 48 | abbr ll ls -lh 49 | end 50 | -------------------------------------------------------------------------------- /etc/systemd/system/lax.releases.grapheneos.org.fq.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Requires=sys-subsystem-net-devices-public.device 3 | After=sys-subsystem-net-devices-public.device 4 | 5 | [Service] 6 | Type=oneshot 7 | ExecStart=/usr/bin/tc qdisc replace dev public root handle 1 mq 8 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:1 handle 1001 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 9 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:2 handle 1002 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 10 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:3 handle 1003 fq bands 3 priomap 1 2 2 
2 0 2 0 0 1 1 1 1 1 1 1 1 11 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:4 handle 1004 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 12 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:5 handle 1005 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 13 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:6 handle 1006 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 14 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:7 handle 1007 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 15 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:8 handle 1008 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 16 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:9 handle 1009 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 17 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:a handle 100a fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 18 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:b handle 100b fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 19 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:c handle 100c fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 20 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:d handle 100d fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 21 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:e handle 100e fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 22 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:f handle 100f fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 23 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:10 handle 1010 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 24 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:11 handle 1011 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 25 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:12 handle 1012 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 26 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:13 handle 1013 fq 
bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 27 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:14 handle 1014 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 28 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:15 handle 1015 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 29 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:16 handle 1016 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 30 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:17 handle 1017 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 31 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:18 handle 1018 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 32 | 33 | [Install] 34 | WantedBy=sys-subsystem-net-devices-public.device 35 | -------------------------------------------------------------------------------- /etc/systemd/system/mia.releases.grapheneos.org.fq.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Requires=sys-subsystem-net-devices-public.device 3 | After=sys-subsystem-net-devices-public.device 4 | 5 | [Service] 6 | Type=oneshot 7 | ExecStart=/usr/bin/tc qdisc replace dev public root handle 1 mq 8 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:1 handle 1001 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 9 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:2 handle 1002 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 10 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:3 handle 1003 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 11 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:4 handle 1004 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 12 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:5 handle 1005 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 13 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:6 handle 1006 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 14 | ExecStart=/usr/bin/tc qdisc replace dev 
public parent 1:7 handle 1007 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 15 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:8 handle 1008 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 16 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:9 handle 1009 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 17 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:a handle 100a fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 18 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:b handle 100b fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 19 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:c handle 100c fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 20 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:d handle 100d fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 21 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:e handle 100e fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 22 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:f handle 100f fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 23 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:10 handle 1010 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 24 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:11 handle 1011 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 25 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:12 handle 1012 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 26 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:13 handle 1013 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 27 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:14 handle 1014 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 28 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:15 handle 1015 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 29 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:16 handle 1016 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 30 | 
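ExecStart=/usr/bin/tc qdisc replace dev public parent 1:17 handle 1017 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 31 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:18 handle 1018 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 32 | 33 | [Install] 34 | WantedBy=sys-subsystem-net-devices-public.device 35 | -------------------------------------------------------------------------------- /count: --------------------------------------------------------------------------------
#!/bin/bash
#
# Summarize traffic to the release servers from their nginx access logs:
# update checks, factory/install image downloads, and OTA/incremental
# downloads of the release given as the first argument, each broken down by
# device generation and by device codename.
#
# Usage: ./count RELEASE
#
# Side effects: ./logs is deleted and recreated. logs/merged.log receives the
# concatenated access logs of every host in hosts_releases (from hosts.sh) and
# logs/merged-device.log the subset of lines carrying a Dalvik/ user agent.
# Requires ssh access to each release host and zstd on both ends.

set -o errexit -o nounset -o pipefail

[[ $# -ge 1 ]] || { echo "usage: $0 RELEASE" >&2; exit 1; }

. hosts.sh

# Device codenames grouped by generation. DEVICES is derived from the groups
# so the per-generation and per-device counts can never disagree on which
# codenames exist.
GEN9=(tegu comet komodo caiman tokay)
GEN8=(akita husky shiba)
GEN7=(felix tangorpro lynx cheetah panther)
GEN6=(bluejay raven oriole)
GEN5=(barbet redfin bramble)
GEN4=(sunfish coral flame)
DEVICES=("${GEN9[@]}" "${GEN8[@]}" "${GEN7[@]}" "${GEN6[@]}" "${GEN5[@]}" "${GEN4[@]}")

release=$1

# Join the arguments into a PCRE alternation group: a b c -> (a|b|c).
alternation() {
    local IFS='|'
    echo "($*)"
}

# Print the number of lines in file $2 matching PCRE pattern $1.
# grep -c still prints 0 when nothing matches but exits 1; that is not an
# error for a report, so the status is discarded.
count_matches() {
    grep -Pc -- "$1" "$2" || :
}

# Print one report section: a blank line, the title, the total, one line per
# generation, a blank line, then one line per device.
# $1: title, $2: PCRE suffix that follows "/<codename>-", $3: log file
report() {
    local title=$1 suffix=$2 file=$3
    local device

    echo
    echo "$title"
    echo total "$(count_matches "/\w+-$suffix" "$file")"
    echo gen 9 "$(count_matches "/$(alternation "${GEN9[@]}")-$suffix" "$file")"
    echo gen 8 "$(count_matches "/$(alternation "${GEN8[@]}")-$suffix" "$file")"
    echo gen 7 "$(count_matches "/$(alternation "${GEN7[@]}")-$suffix" "$file")"
    echo gen 6 "$(count_matches "/$(alternation "${GEN6[@]}")-$suffix" "$file")"
    echo gen 5 "$(count_matches "/$(alternation "${GEN5[@]}")-$suffix" "$file")"
    echo gen 4 "$(count_matches "/$(alternation "${GEN4[@]}")-$suffix" "$file")"

    echo

    for device in "${DEVICES[@]}"; do
        echo "$device" "$(count_matches "/$device-$suffix" "$file")"
    done
}

rm -rf logs
mkdir logs

for host in "${hosts_releases[@]}"; do
    echo "obtaining logs from $host"
    # Stream the current and rotated access logs of each host; compress on the
    # remote side so the transfer stays small, decompress locally.
    ssh "$host" 'zstdcat /var/log/nginx/access.log* | zstd -1' | zstd -1d >> logs/merged.log
done

# Lines carrying the Dalvik/ user agent are treated as device requests: update
# checks and OTA downloads are counted only among those, while factory/install
# image downloads are counted over all requests. grep exit status 1 just means
# no device lines were found; anything else (e.g. a missing file) is an error.
grep Dalvik/ logs/merged.log > logs/merged-device.log || [[ $? -eq 1 ]]

# The literal "." before "zip" is escaped and the release string is quoted with
# \Q...\E so neither is interpreted as a regular expression metacharacter.
report "update checks" '(stable|beta|alpha)' logs/merged-device.log
report "factory images" '(factory|install)-\d+\.zip' logs/merged.log
report "updates to $release" "(ota_update|incremental-\d+)-\Q$release\E\.zip" logs/merged-device.log
--------------------------------------------------------------------------------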
/etc/pacman.conf: -------------------------------------------------------------------------------- 1 | # 2 | # /etc/pacman.conf 3 | # 4 | # See the pacman.conf(5) manpage for option and repository directives 5 | 6 | # 7 | # GENERAL OPTIONS 8 | # 9 | [options] 10 | # The following paths are commented out with their default values listed. 11 | # If you wish to use different paths, uncomment and update the paths. 12 | #RootDir = / 13 | #DBPath = /var/lib/pacman/ 14 | #CacheDir = /var/cache/pacman/pkg/ 15 | LogFile = /dev/null 16 | #GPGDir = /etc/pacman.d/gnupg/ 17 | #HookDir = /etc/pacman.d/hooks/ 18 | HoldPkg = pacman glibc 19 | #XferCommand = /usr/bin/curl -L -C - -f -o %o %u 20 | #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u 21 | #CleanMethod = KeepInstalled 22 | Architecture = auto 23 | 24 | # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup 25 | #IgnorePkg = 26 | #IgnoreGroup = 27 | 28 | #NoUpgrade = 29 | NoExtract = etc/logrotate.d/chrony etc/logrotate.d/syslog-ng etc/synapse/workers/generic_worker.yaml.example 30 | 31 | # Misc options 32 | UseSyslog 33 | Color 34 | #NoProgressBar 35 | CheckSpace 36 | VerbosePkgLists 37 | #ParallelDownloads = 5 38 | DownloadUser = alpm 39 | #DisableSandboxFilesystem 40 | #DisableSandboxSyscalls 41 | ILoveCandy 42 | 43 | # By default, pacman accepts packages signed by keys that its local keyring 44 | # trusts (see pacman-key and its man page), as well as unsigned packages. 45 | SigLevel = Required DatabaseOptional 46 | LocalFileSigLevel = Optional 47 | #RemoteFileSigLevel = Required 48 | 49 | # NOTE: You must run `pacman-key --init` before first using pacman; the local 50 | # keyring can then be populated with the keys of all official Arch Linux 51 | # packagers with `pacman-key --populate archlinux`. 
52 | 53 | # 54 | # REPOSITORIES 55 | # - can be defined here or included from another file 56 | # - pacman will search repositories in the order defined here 57 | # - local/custom mirrors can be added here or in separate files 58 | # - repositories listed first will take precedence when packages 59 | # have identical names, regardless of version number 60 | # - URLs will have $repo replaced by the name of the current repo 61 | # - URLs will have $arch replaced by the name of the architecture 62 | # 63 | # Repository entries are of the format: 64 | # [repo-name] 65 | # Server = ServerName 66 | # Include = IncludePath 67 | # 68 | # The header [repo-name] is crucial - it must be present and 69 | # uncommented to enable the repo. 70 | # 71 | 72 | # The testing repositories are disabled by default. To enable, uncomment the 73 | # repo name header and Include lines. You can add preferred servers immediately 74 | # after the header, and they will be used before the default mirrors. 75 | 76 | #[core-testing] 77 | #Include = /etc/pacman.d/mirrorlist 78 | 79 | [core] 80 | Include = /etc/pacman.d/mirrorlist 81 | 82 | #[extra-testing] 83 | #Include = /etc/pacman.d/mirrorlist 84 | 85 | [extra] 86 | Include = /etc/pacman.d/mirrorlist 87 | 88 | # If you want to run 32 bit applications on your x86_64 system, 89 | # enable the multilib repositories as required here. 90 | 91 | #[multilib-testing] 92 | #Include = /etc/pacman.d/mirrorlist 93 | 94 | #[multilib] 95 | #Include = /etc/pacman.d/mirrorlist 96 | 97 | # An example of a custom package repository. See the pacman manpage for 98 | # tips on creating your own repositories. 
99 | #[custom] 100 | #SigLevel = Optional TrustAll 101 | #Server = file:///home/custompkgs 102 | -------------------------------------------------------------------------------- /etc/mkinitcpio.conf.simple: -------------------------------------------------------------------------------- 1 | # vim:set ft=sh: 2 | # MODULES 3 | # The following modules are loaded before any boot hooks are 4 | # run. Advanced users may wish to specify all system modules 5 | # in this array. For instance: 6 | # MODULES=(usbhid xhci_hcd) 7 | MODULES=() 8 | 9 | # BINARIES 10 | # This setting includes any additional binaries a given user may 11 | # wish into the CPIO image. This is run last, so it may be used to 12 | # override the actual binaries included by a given hook 13 | # BINARIES are dependency parsed, so you may safely ignore libraries 14 | BINARIES=() 15 | 16 | # FILES 17 | # This setting is similar to BINARIES above, however, files are added 18 | # as-is and are not parsed in any way. This is useful for config files. 19 | FILES=() 20 | 21 | # HOOKS 22 | # This is the most important setting in this file. The HOOKS control the 23 | # modules and scripts added to the image, and what happens at boot time. 24 | # Order is important, and it is recommended that you do not change the 25 | # order in which HOOKS are added. Run 'mkinitcpio -H ' for 26 | # help on a given hook. 27 | # 'base' is _required_ unless you know precisely what you are doing. 28 | # 'udev' is _required_ in order to automatically load modules 29 | # 'filesystems' is _required_ unless you specify your fs modules in MODULES 30 | # Examples: 31 | ## This setup specifies all modules in the MODULES setting above. 32 | ## No RAID, lvm2, or encrypted root is needed. 
33 | # HOOKS=(base) 34 | # 35 | ## This setup will autodetect all modules for your system and should 36 | ## work as a sane default 37 | # HOOKS=(base udev autodetect microcode modconf block filesystems fsck) 38 | # 39 | ## This setup will generate a 'full' image which supports most systems. 40 | ## No autodetection is done. 41 | # HOOKS=(base udev microcode modconf block filesystems fsck) 42 | # 43 | ## This setup assembles a mdadm array with an encrypted root file system. 44 | ## Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices. 45 | # HOOKS=(base udev microcode modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck) 46 | # 47 | ## This setup loads an lvm2 volume group. 48 | # HOOKS=(base udev microcode modconf block lvm2 filesystems fsck) 49 | # 50 | ## This will create a systemd based initramfs which loads an encrypted root filesystem. 51 | # HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck) 52 | # 53 | ## NOTE: If you have /usr on a separate partition, you MUST include the 54 | # usr and fsck hooks. 55 | HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block filesystems fsck) 56 | 57 | # COMPRESSION 58 | # Use this to compress the initramfs image. By default, zstd compression 59 | # is used for Linux ≥ 5.9 and gzip compression is used for Linux < 5.9. 60 | # Use 'cat' to create an uncompressed image. 61 | #COMPRESSION="zstd" 62 | #COMPRESSION="gzip" 63 | #COMPRESSION="bzip2" 64 | #COMPRESSION="lzma" 65 | #COMPRESSION="xz" 66 | #COMPRESSION="lzop" 67 | #COMPRESSION="lz4" 68 | 69 | # COMPRESSION_OPTIONS 70 | # Additional options for the compressor 71 | #COMPRESSION_OPTIONS=() 72 | 73 | # MODULES_DECOMPRESS 74 | # Decompress loadable kernel modules and their firmware during initramfs 75 | # creation. Switch (yes/no). 76 | # Enable to allow further decreasing image size when using high compression 77 | # (e.g. 
xz -9e or zstd --long --ultra -22) at the expense of increased RAM usage 78 | # at early boot. 79 | # Note that any compressed files will be placed in the uncompressed early CPIO 80 | # to avoid double compression. 81 | #MODULES_DECOMPRESS="no" 82 | -------------------------------------------------------------------------------- /etc/mkinitcpio.conf.mdraid: -------------------------------------------------------------------------------- 1 | # vim:set ft=sh: 2 | # MODULES 3 | # The following modules are loaded before any boot hooks are 4 | # run. Advanced users may wish to specify all system modules 5 | # in this array. For instance: 6 | # MODULES=(usbhid xhci_hcd) 7 | MODULES=() 8 | 9 | # BINARIES 10 | # This setting includes any additional binaries a given user may 11 | # wish into the CPIO image. This is run last, so it may be used to 12 | # override the actual binaries included by a given hook 13 | # BINARIES are dependency parsed, so you may safely ignore libraries 14 | BINARIES=() 15 | 16 | # FILES 17 | # This setting is similar to BINARIES above, however, files are added 18 | # as-is and are not parsed in any way. This is useful for config files. 19 | FILES=() 20 | 21 | # HOOKS 22 | # This is the most important setting in this file. The HOOKS control the 23 | # modules and scripts added to the image, and what happens at boot time. 24 | # Order is important, and it is recommended that you do not change the 25 | # order in which HOOKS are added. Run 'mkinitcpio -H ' for 26 | # help on a given hook. 27 | # 'base' is _required_ unless you know precisely what you are doing. 28 | # 'udev' is _required_ in order to automatically load modules 29 | # 'filesystems' is _required_ unless you specify your fs modules in MODULES 30 | # Examples: 31 | ## This setup specifies all modules in the MODULES setting above. 32 | ## No RAID, lvm2, or encrypted root is needed. 
33 | # HOOKS=(base) 34 | # 35 | ## This setup will autodetect all modules for your system and should 36 | ## work as a sane default 37 | # HOOKS=(base udev autodetect microcode modconf block filesystems fsck) 38 | # 39 | ## This setup will generate a 'full' image which supports most systems. 40 | ## No autodetection is done. 41 | # HOOKS=(base udev microcode modconf block filesystems fsck) 42 | # 43 | ## This setup assembles a mdadm array with an encrypted root file system. 44 | ## Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices. 45 | # HOOKS=(base udev microcode modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck) 46 | # 47 | ## This setup loads an lvm2 volume group. 48 | # HOOKS=(base udev microcode modconf block lvm2 filesystems fsck) 49 | # 50 | ## This will create a systemd based initramfs which loads an encrypted root filesystem. 51 | # HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck) 52 | # 53 | ## NOTE: If you have /usr on a separate partition, you MUST include the 54 | # usr and fsck hooks. 55 | HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block mdadm_udev filesystems fsck) 56 | 57 | # COMPRESSION 58 | # Use this to compress the initramfs image. By default, zstd compression 59 | # is used for Linux ≥ 5.9 and gzip compression is used for Linux < 5.9. 60 | # Use 'cat' to create an uncompressed image. 61 | #COMPRESSION="zstd" 62 | #COMPRESSION="gzip" 63 | #COMPRESSION="bzip2" 64 | #COMPRESSION="lzma" 65 | #COMPRESSION="xz" 66 | #COMPRESSION="lzop" 67 | #COMPRESSION="lz4" 68 | 69 | # COMPRESSION_OPTIONS 70 | # Additional options for the compressor 71 | #COMPRESSION_OPTIONS=() 72 | 73 | # MODULES_DECOMPRESS 74 | # Decompress loadable kernel modules and their firmware during initramfs 75 | # creation. Switch (yes/no). 76 | # Enable to allow further decreasing image size when using high compression 77 | # (e.g. 
xz -9e or zstd --long --ultra -22) at the expense of increased RAM usage 78 | # at early boot. 79 | # Note that any compressed files will be placed in the uncompressed early CPIO 80 | # to avoid double compression. 81 | #MODULES_DECOMPRESS="no" 82 | -------------------------------------------------------------------------------- /etc/systemd/system/yto.releases.grapheneos.org.fq.service: --------------------------------------------------------------------------------
# Per-host qdisc setup for the "public" interface: an mq root (handle 1) with an fq child
# qdisc on each of the 28 mq classes 1:1 through 1:1c, all with 3 bands and the same priomap.
# The band is chosen by the packet priority that the nftables output-raw chains set from DSCP
# ("meta priority set ... map @dscp-to-priority"); with the priority values those configs
# define (0, 2, 4, 6) this priomap puts interactive and interactive-bulk traffic in band 0,
# best-effort in band 1 and bulk in band 2.
 1 | [Unit]
# Bind to the public device unit so the qdiscs are applied once the interface exists
# (WantedBy below pulls this unit in from that device).
 2 | Requires=sys-subsystem-net-devices-public.device 3 | After=sys-subsystem-net-devices-public.device 4 | 5 | [Service]
# oneshot: the ExecStart lines run in order; "qdisc replace" keeps each step idempotent on re-run.
 6 | Type=oneshot 7 | ExecStart=/usr/bin/tc qdisc replace dev public root handle 1 mq
# NOTE(review): the mq class count (1:1..1:1c) is tied to this host's NIC queue count; confirm
# it still matches if the instance type or NIC changes.
 8 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:1 handle 1001 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 9 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:2 handle 1002 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 10 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:3 handle 1003 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 11 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:4 handle 1004 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 12 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:5 handle 1005 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 13 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:6 handle 1006 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 14 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:7 handle 1007 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 15 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:8 handle 1008 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 16 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:9 handle 1009 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 17 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:a handle 100a fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 18 | ExecStart=/usr/bin/tc qdisc replace dev public 
parent 1:b handle 100b fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 19 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:c handle 100c fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 20 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:d handle 100d fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 21 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:e handle 100e fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 22 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:f handle 100f fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 23 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:10 handle 1010 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 24 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:11 handle 1011 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 25 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:12 handle 1012 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 26 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:13 handle 1013 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 27 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:14 handle 1014 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 28 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:15 handle 1015 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 29 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:16 handle 1016 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 30 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:17 handle 1017 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 31 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:18 handle 1018 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 32 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:19 handle 1019 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 33 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:1a handle 101a fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 34 | 
ExecStart=/usr/bin/tc qdisc replace dev public parent 1:1b handle 101b fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 35 | ExecStart=/usr/bin/tc qdisc replace dev public parent 1:1c handle 101c fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1 36 | 37 | [Install] 38 | WantedBy=sys-subsystem-net-devices-public.device 39 | -------------------------------------------------------------------------------- /deploy-initial-vps: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -o errexit -o nounset -o pipefail 4 | shopt -s expand_aliases 5 | 6 | . hosts.sh 7 | . ssh.sh 8 | 9 | [[ $# -eq 1 ]] || exit 1 10 | 11 | readonly host=$1 12 | readonly ip=${hosts_ipv4_address[$host]} 13 | readonly hostname=${hosts_hostname[$host]} 14 | readonly agcount=${hosts_agcount[$host]:-4} 15 | readonly swap=${hosts_swap[$host]:-2048} 16 | readonly remote=root@$ip 17 | 18 | readonly drive=$(ssh $remote '[[ -e /dev/sda ]] && echo sda || echo vda') 19 | 20 | alias rsync='rsync -cpv --chmod=D755,F644 --preallocate' 21 | 22 | # check for Arch ISO
# (the ISO release is pinned, so the installer fails closed on an unexpected rescue environment)
 23 | ssh $remote '[[ $(grep IMAGE_ID /etc/os-release) = "IMAGE_ID=archlinux" ]]' || exit 5 24 | ssh $remote '[[ $(grep IMAGE_VERSION /etc/os-release) = "IMAGE_VERSION=2025.12.01" ]]' || exit 5 25 |
# destructive from here on: the whole target drive is repartitioned (one partition) and formatted
 26 | ssh $remote "sfdisk /dev/$drive -w always <<< ';'" 27 | ssh $remote "mkfs.xfs -d agcount=$agcount -f /dev/${drive}1" 28 | rsync etc/pacman.d/mirrorlist $remote:/etc/pacman.d/mirrorlist 29 | ssh $remote "mount /dev/${drive}1 /mnt" 30 | ssh $remote "pacstrap -K /mnt $(tr '\n' ' ' < packages/$host)" 31 | 32 | rsync etc/default/grub $remote:/mnt/etc/default/grub 33 | ssh $remote "arch-chroot /mnt grub-install /dev/$drive" 34 | ssh $remote "arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg" 35 | 36 | ssh $remote "echo $hostname >/mnt/etc/hostname" 37 | 38 | rsync etc/systemd/network/$host.link $remote:/mnt/etc/systemd/network/10-public.link 39 | rsync etc/systemd/network/$host.network 
$remote:/mnt/etc/systemd/network/10-public.network 40 | 41 | rsync etc/fstab.virtual $remote:/mnt/etc/fstab 42 | rsync etc/{crypttab,locale.conf,pacman.conf,pacreport.conf,resolv.conf} $remote:/mnt/etc/ 43 | rsync etc/mkinitcpio.conf.simple $remote:/mnt/etc/mkinitcpio.conf 44 | 45 | rsync etc/unbound/unbound.conf $remote:/mnt/etc/unbound/unbound.conf 46 | 47 | if [[ $host = @(0.grapheneos.network|1.grapheneos.network|2.grapheneos.network|3.grapheneos.network) ]]; then 48 | cp etc/chrony.conf tmp 49 | echo -e '\nallow' >> tmp 50 | rsync tmp $remote:/mnt/etc/chrony.conf 51 | rm tmp 52 | else 53 | rsync etc/chrony.conf $remote:/mnt/etc/chrony.conf 54 | fi 55 | ssh $remote mkdir -vp /mnt/etc/sysconfig 56 | rsync etc/sysconfig/chronyd $remote:/mnt/etc/sysconfig/chronyd 57 | 58 | rsync ${hosts_authorized_keys[$host]:-authorized_keys} $remote:/mnt/root/.ssh/authorized_keys 59 | cp etc/ssh/sshd_config tmp 60 | sed -i "s/{{ipv4_address}}/${hosts_ipv4_address[$host]:-127.0.0.1}/g" tmp 61 | sed -i "s/{{ipv6_address}}/${hosts_ipv6_address[$host]:-::1}/g" tmp 62 | sed -i "s/{{ssh_users}}/${hosts_ssh_users[$host]:-root}/g" tmp 63 | rsync tmp $remote:/mnt/etc/ssh/sshd_config 64 | rm tmp 65 | 66 | rsync -r --delete etc/systemd/system/sshd.service.d $remote:/mnt/etc/systemd/system/ 67 | 68 | cp etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf tmp 69 | sed -i "s/{{synproxy_threshold}}/$(( ${hosts_conntrack_size[$host]:-65536} / 64 ))/g" tmp 70 | sed -i "s/{{ssh_ipv4}}/$ssh_ipv4/g" tmp 71 | sed -i "s/{{ssh_ipv6}}/$ssh_ipv6/g" tmp 72 | rsync tmp $remote:/mnt/etc/nftables.conf 73 | rm tmp 74 | 75 | ssh $remote "arch-chroot /mnt systemctl enable chronyd.service fstrim.timer logrotate.timer nftables.service systemd-networkd.service systemd-oomd.service sshd.service sysstat.service unbound.service" 76 | ssh $remote "arch-chroot /mnt systemctl disable remote-fs.target systemd-network-generator.service systemd-userdbd.socket" 77 | ssh $remote "arch-chroot /mnt groupadd -g 2000 
io_uring" 78 | 79 | ssh $remote "umask 077 && dd if=/dev/random of=/mnt/swapfile bs=1M count=$swap status=progress" 80 | 81 | ssh $remote "arch-chroot /mnt chsh -s /usr/bin/fish" 82 | 83 | password=$(head -c32 <(tr -dc A-Za-z0-9 = 1024 notrack accept 138 | skuid { alpm, chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept 139 | 140 | skuid != root counter goto graceful-reject 141 | notrack accept 142 | } 143 | 144 | chain graceful-reject { 145 | meta l4proto udp reject 146 | meta l4proto tcp reject with tcp reset 147 | reject 148 | } 149 | } 150 | -------------------------------------------------------------------------------- /etc/nftables/nftables-social.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 |
# Host firewall for the social (Mastodon) host; same template as the other nftables-*.conf
# variants, which differ mainly in the UIDs allowed to send traffic. {{ssh_ipv4}}, {{ssh_ipv6}}
# and {{synproxy_threshold}} are substituted by deploy-initial-vps. Declaring and then flushing
# the table makes a re-apply start from an empty ruleset instead of appending to the old one.
 3 | table inet filter 4 | flush table inet filter 5 | table inet filter {
# publicly reachable TCP ports; tcp-ports-full additionally exposes SSH
 6 | define tcp-ports = { 80, 443 } 7 | define tcp-ports-full = { 22, $tcp-ports } 8 |
# sources exempt from the one-connection SSH limit enforced below; port 22 itself is
# reachable from any address
 9 | define ip-allowlist-ssh = { 10 | {{ssh_ipv4}}, 11 | } 12 | 13 | define ip6-allowlist-ssh = { 14 | {{ssh_ipv6}}, 15 | } 16 |
# values written to meta priority in output-raw; the tc priomap in the per-host *.fq.service
# units maps them onto fq bands
 17 | define priority-besteffort = 0 18 | define priority-bulk = 2 19 | define priority-interactive-bulk = 4 20 | define priority-interactive = 6 21 | 22 | # based on CAKE diffserv4 23 | map dscp-to-priority { 24 | typeof ip dscp : meta priority 25 | elements = { 26 | cs1 : $priority-bulk, 27 | lephb : $priority-bulk, 28 | af11 : $priority-besteffort, 29 | af12 : $priority-besteffort, 30 | af13 : $priority-besteffort, 31 | cs2 : $priority-interactive-bulk, 32 | cs3 : $priority-interactive-bulk, 33 | cs4 : $priority-interactive-bulk, 34 | af21 : $priority-interactive-bulk, 35 | af22 : $priority-interactive-bulk, 36 | af23 : $priority-interactive-bulk, 37 | af31 : $priority-interactive-bulk, 38 | af32 : $priority-interactive-bulk, 39 | af33 : $priority-interactive-bulk, 40 | af41 : $priority-interactive-bulk, 41 | af42 : $priority-interactive-bulk, 42 | 
af43 : $priority-interactive-bulk, 43 | cs5 : $priority-interactive, 44 | cs6 : $priority-interactive, 45 | cs7 : $priority-interactive, 46 | ef : $priority-interactive, 47 | va : $priority-interactive, 48 | } 49 | } 50 |
# dynamic per-source sets filled by input-tcp-service-established/-loopback using ct count:
# at most 1 concurrent SSH connection and 32 concurrent service-port connections per IPv4
# address or IPv6 /64; sources found in a set are also rejected on the synproxy path
 51 | set ip-connlimit-ssh { 52 | type ipv4_addr 53 | flags dynamic 54 | } 55 | 56 | set ip6-connlimit-ssh { 57 | type ipv6_addr 58 | flags dynamic 59 | } 60 | 61 | set ip-connlimit-main { 62 | type ipv4_addr 63 | flags dynamic 64 | } 65 | 66 | set ip6-connlimit-main { 67 | type ipv6_addr 68 | flags dynamic 69 | } 70 |
# runs before conntrack; with policy drop, anything not accepted here never creates a
# conntrack entry
 71 | chain prerouting-raw { 72 | type filter hook prerouting priority raw 73 | policy drop 74 | 75 | # drop packets without a reverse path (strict reverse path filtering) 76 | fib saddr . iif oif missing counter drop 77 | 78 | iif lo notrack accept 79 | 80 | # drop packets to address not configured on incoming interface (strong host model) 81 | # 82 | # ordered after accepting loopback to permit using external IPs via loopback 83 | fib daddr . iif type != { local, broadcast, multicast } counter drop 84 | 85 | # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion 86 | tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept 87 |
# remaining TCP/UDP enters conntrack and is decided per ct state in the input chain
 88 | meta l4proto { tcp, udp } accept 89 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 90 | meta l4proto ipv6-icmp notrack accept 91 | } 92 |
# incoming DSCP is reset to cs0 so remote marks do not carry over (presumably so they cannot
# influence local prioritisation); only tcp-ports-full may open new flows, other new flows drop
 93 | chain input { 94 | type filter hook input priority filter 95 | policy drop 96 | 97 | ip dscp set cs0 98 | ip6 dscp set cs0 99 | 100 | tcp dport $tcp-ports-full goto input-tcp-service 101 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 102 | } 103 |
# order matters: tracked flows are dispatched by ct state first, so only untracked SYNs (over
# the synproxy rate limit) and the first ACK reach the connection-limit checks and synproxy below
 104 | chain input-tcp-service { 105 | iif lo goto input-tcp-service-loopback 106 | 107 | # for synproxy, SYN is untracked and first ACK is invalid which are handled 
via fallthrough 108 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 109 | 110 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 111 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 112 | tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset 113 | tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 114 | synproxy mss 1460 wscale 7 timestamp sack-perm 115 | } 116 | 117 | chain input-tcp-service-new { 118 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 119 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 120 | tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset 121 | tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 122 | accept 123 | } 124 | 125 | # add connections established without synproxy to connection limit sets with limits enforced 126 | chain input-tcp-service-established { 127 | ct mark 0x1 accept 128 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 129 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 130 | tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 131 | tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 132 | ct mark set 0x1 accept 133 | } 134 | 135 | # add connections established with synproxy to connection limit sets with limits enforced 136 | chain input-tcp-service-loopback { 137 | tcp flags != syn accept 138 | tcp dport 22 ip saddr != $ip-allowlist-ssh 
add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 139 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 140 | tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 141 | tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 142 | ct mark set 0x1 accept 143 | } 144 |
# not a router: nothing is forwarded
 145 | chain forward { 146 | type filter hook forward priority filter 147 | policy drop 148 | } 149 |
# egress is restricted by socket owner: only the listed service UIDs may send off-host, every
# other UID gets a clean reject; loopback has its own, stricter chain below
 150 | chain output-raw { 151 | type filter hook output priority raw 152 | 153 | oif lo goto output-raw-loopback 154 | skuid != { root, systemd-network, unbound, alpm, chrony, http, mastodon } counter goto graceful-reject 155 | 156 | # translate DSCP to priority for fq bands 157 | meta priority set ip dscp map @dscp-to-priority 158 | meta priority set ip6 dscp map @dscp-to-priority 159 | 160 | meta l4proto { icmp, ipv6-icmp } notrack accept 161 | } 162 |
# on loopback, non-root processes may only exchange DNS with unbound (port 53); any other
# non-root traffic is rejected
 163 | chain output-raw-loopback { 164 | skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept 165 | skuid { alpm, chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept 166 | 167 | skuid != root counter goto graceful-reject 168 | notrack accept 169 | } 170 |
# reject with protocol-appropriate errors (ICMP unreachable / TCP RST) rather than silently dropping
 171 | chain graceful-reject { 172 | meta l4proto udp reject 173 | meta l4proto tcp reject with tcp reset 174 | reject 175 | } 176 | } 177 | -------------------------------------------------------------------------------- /etc/nftables/nftables-web.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 |
# Web host variant of the shared template (compare nftables-social.conf / nftables-discuss.conf):
# identical ruleset, but the releases mirror is exempt from the SSH connection limit and only
# root, systemd-network, unbound, alpm, chrony and http may send traffic off-host.
 3 | table inet filter 4 | flush table inet filter 5 | table inet filter { 6 | define tcp-ports = { 80, 443 } 7 | define tcp-ports-full = { 22, $tcp-ports } 8 | 9 | define ip-allowlist-ssh = { 10 | {{ssh_ipv4}}, 11 | 
172.96.172.37, # mia.releases.grapheneos.org, exempt from the 1-connection SSH limit 12 | } 13 | 14 | define ip6-allowlist-ssh = { 15 | {{ssh_ipv6}}, 16 | 2605:9880:400:1100:15:1240:515:6e, # mia.releases.grapheneos.org, exempt from the 1-connection SSH limit 17 | } 18 |
# values written to meta priority in output-raw; the tc priomap in the per-host *.fq.service
# units maps them onto fq bands
 19 | define priority-besteffort = 0 20 | define priority-bulk = 2 21 | define priority-interactive-bulk = 4 22 | define priority-interactive = 6 23 | 24 | # based on CAKE diffserv4 25 | map dscp-to-priority { 26 | typeof ip dscp : meta priority 27 | elements = { 28 | cs1 : $priority-bulk, 29 | lephb : $priority-bulk, 30 | af11 : $priority-besteffort, 31 | af12 : $priority-besteffort, 32 | af13 : $priority-besteffort, 33 | cs2 : $priority-interactive-bulk, 34 | cs3 : $priority-interactive-bulk, 35 | cs4 : $priority-interactive-bulk, 36 | af21 : $priority-interactive-bulk, 37 | af22 : $priority-interactive-bulk, 38 | af23 : $priority-interactive-bulk, 39 | af31 : $priority-interactive-bulk, 40 | af32 : $priority-interactive-bulk, 41 | af33 : $priority-interactive-bulk, 42 | af41 : $priority-interactive-bulk, 43 | af42 : $priority-interactive-bulk, 44 | af43 : $priority-interactive-bulk, 45 | cs5 : $priority-interactive, 46 | cs6 : $priority-interactive, 47 | cs7 : $priority-interactive, 48 | ef : $priority-interactive, 49 | va : $priority-interactive, 50 | } 51 | } 52 |
# dynamic per-source sets filled by input-tcp-service-established/-loopback using ct count:
# at most 1 concurrent SSH connection and 32 concurrent service-port connections per IPv4
# address or IPv6 /64; sources found in a set are also rejected on the synproxy path
 53 | set ip-connlimit-ssh { 54 | type ipv4_addr 55 | flags dynamic 56 | } 57 | 58 | set ip6-connlimit-ssh { 59 | type ipv6_addr 60 | flags dynamic 61 | } 62 | 63 | set ip-connlimit-main { 64 | type ipv4_addr 65 | flags dynamic 66 | } 67 | 68 | set ip6-connlimit-main { 69 | type ipv6_addr 70 | flags dynamic 71 | } 72 |
# runs before conntrack; with policy drop, anything not accepted here never creates a
# conntrack entry
 73 | chain prerouting-raw { 74 | type filter hook prerouting priority raw 75 | policy drop 76 | 77 | # drop packets without a reverse path (strict reverse path filtering) 78 | fib saddr . 
iif oif missing counter drop 79 | 80 | iif lo notrack accept 81 | 82 | # drop packets to address not configured on incoming interface (strong host model) 83 | # 84 | # ordered after accepting loopback to permit using external IPs via loopback 85 | fib daddr . iif type != { local, broadcast, multicast } counter drop 86 | 87 | # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion 88 | tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept 89 |
# remaining TCP/UDP enters conntrack and is decided per ct state in the input chain
 90 | meta l4proto { tcp, udp } accept 91 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 92 | meta l4proto ipv6-icmp notrack accept 93 | } 94 |
# incoming DSCP is reset to cs0 so remote marks do not carry over (presumably so they cannot
# influence local prioritisation); only tcp-ports-full may open new flows, other new flows drop
 95 | chain input { 96 | type filter hook input priority filter 97 | policy drop 98 | 99 | ip dscp set cs0 100 | ip6 dscp set cs0 101 | 102 | tcp dport $tcp-ports-full goto input-tcp-service 103 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 104 | } 105 |
# order matters: tracked flows are dispatched by ct state first, so only untracked SYNs (over
# the synproxy rate limit) and the first ACK reach the connection-limit checks and synproxy below
 106 | chain input-tcp-service { 107 | iif lo goto input-tcp-service-loopback 108 | 109 | # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough 110 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 111 | 112 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 113 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 114 | tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset 115 | tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 116 | synproxy mss 1460 wscale 7 timestamp sack-perm 117 | } 118 | 119 | chain input-tcp-service-new { 120 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 121 | tcp dport 22 ip6 
saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 122 | tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset 123 | tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 124 | accept 125 | } 126 | 127 | # add connections established without synproxy to connection limit sets with limits enforced 128 | chain input-tcp-service-established { 129 | ct mark 0x1 accept 130 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 131 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 132 | tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 133 | tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 134 | ct mark set 0x1 accept 135 | } 136 | 137 | # add connections established with synproxy to connection limit sets with limits enforced 138 | chain input-tcp-service-loopback { 139 | tcp flags != syn accept 140 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 141 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 142 | tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 143 | tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 144 | ct mark set 0x1 accept 145 | } 146 |
# not a router: nothing is forwarded
 147 | chain forward { 148 | type filter hook forward priority filter 149 | policy drop 150 | } 151 |
# egress is restricted by socket owner: only the listed service UIDs (http being the web
# server user) may send off-host, every other UID gets a clean reject; loopback has its own,
# stricter chain below
 152 | chain output-raw { 153 | type filter hook output priority raw 154 | 155 | oif lo goto 
output-raw-loopback 156 | skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject 157 | 158 | # translate DSCP to priority for fq bands 159 | meta priority set ip dscp map @dscp-to-priority 160 | meta priority set ip6 dscp map @dscp-to-priority 161 | 162 | meta l4proto { icmp, ipv6-icmp } notrack accept 163 | } 164 |
# on loopback, non-root processes may only exchange DNS with unbound (port 53); any other
# non-root traffic is rejected (note that http is not among the DNS clients here)
 165 | chain output-raw-loopback { 166 | skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept 167 | skuid { alpm, chrony } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept 168 | 169 | skuid != root counter goto graceful-reject 170 | notrack accept 171 | } 172 |
# reject with protocol-appropriate errors (ICMP unreachable / TCP RST) rather than silently dropping
 173 | chain graceful-reject { 174 | meta l4proto udp reject 175 | meta l4proto tcp reject with tcp reset 176 | reject 177 | } 178 | } 179 | -------------------------------------------------------------------------------- /etc/nftables/nftables-discuss.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 |
# Forum (Flarum) host variant of the shared template: additionally drops IPv6 to the web ports
# before conntrack and allows the flarum, flarum-admin and geoipupdate UIDs to send traffic.
 3 | table inet filter 4 | flush table inet filter 5 | table inet filter { 6 | define tcp-ports = { 80, 443 } 7 | define tcp-ports-full = { 22, $tcp-ports } 8 | 9 | define ip-allowlist-ssh = { 10 | {{ssh_ipv4}}, 11 | } 12 | 13 | define ip6-allowlist-ssh = { 14 | {{ssh_ipv6}}, 15 | } 16 | 17 | define priority-besteffort = 0 18 | define priority-bulk = 2 19 | define priority-interactive-bulk = 4 20 | define priority-interactive = 6 21 | 22 | # based on CAKE diffserv4 23 | map dscp-to-priority { 24 | typeof ip dscp : meta priority 25 | elements = { 26 | cs1 : $priority-bulk, 27 | lephb : $priority-bulk, 28 | af11 : $priority-besteffort, 29 | af12 : $priority-besteffort, 30 | af13 : $priority-besteffort, 31 | cs2 : $priority-interactive-bulk, 32 | cs3 : $priority-interactive-bulk, 33 | cs4 : $priority-interactive-bulk, 34 | af21 : $priority-interactive-bulk, 35 | af22 : $priority-interactive-bulk, 36 | af23 : $priority-interactive-bulk, 37 | af31 : 
$priority-interactive-bulk, 38 | af32 : $priority-interactive-bulk, 39 | af33 : $priority-interactive-bulk, 40 | af41 : $priority-interactive-bulk, 41 | af42 : $priority-interactive-bulk, 42 | af43 : $priority-interactive-bulk, 43 | cs5 : $priority-interactive, 44 | cs6 : $priority-interactive, 45 | cs7 : $priority-interactive, 46 | ef : $priority-interactive, 47 | va : $priority-interactive, 48 | } 49 | } 50 |
# dynamic per-source sets filled by input-tcp-service-established/-loopback using ct count:
# at most 1 concurrent SSH connection and 32 concurrent service-port connections per IPv4
# address or IPv6 /64; sources found in a set are also rejected on the synproxy path
 51 | set ip-connlimit-ssh { 52 | type ipv4_addr 53 | flags dynamic 54 | } 55 | 56 | set ip6-connlimit-ssh { 57 | type ipv6_addr 58 | flags dynamic 59 | } 60 | 61 | set ip-connlimit-main { 62 | type ipv4_addr 63 | flags dynamic 64 | } 65 | 66 | set ip6-connlimit-main { 67 | type ipv6_addr 68 | flags dynamic 69 | } 70 |
# runs before conntrack; with policy drop, anything not accepted here never creates a
# conntrack entry
 71 | chain prerouting-raw { 72 | type filter hook prerouting priority raw 73 | policy drop 74 | 75 | # drop packets without a reverse path (strict reverse path filtering) 76 | fib saddr . iif oif missing counter drop 77 | 78 | iif lo notrack accept 79 | 80 | # drop packets to address not configured on incoming interface (strong host model) 81 | # 82 | # ordered after accepting loopback to permit using external IPs via loopback 83 | fib daddr . 
iif type != { local, broadcast, multicast } counter drop 84 | 85 | # IPv6 interacts badly with IP-based spam filtering
# dropped in raw, so IPv6 web traffic never reaches synproxy or conntrack; SSH over IPv6 is
# unaffected
 86 | meta nfproto ipv6 tcp dport { 80, 443 } drop 87 | 88 | # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion 89 | tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept 90 |
# remaining TCP/UDP enters conntrack and is decided per ct state in the input chain
 91 | meta l4proto { tcp, udp } accept 92 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 93 | meta l4proto ipv6-icmp notrack accept 94 | } 95 |
# incoming DSCP is reset to cs0 so remote marks do not carry over (presumably so they cannot
# influence local prioritisation); only tcp-ports-full may open new flows, other new flows drop
 96 | chain input { 97 | type filter hook input priority filter 98 | policy drop 99 | 100 | ip dscp set cs0 101 | ip6 dscp set cs0 102 | 103 | tcp dport $tcp-ports-full goto input-tcp-service 104 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 105 | } 106 |
# order matters: tracked flows are dispatched by ct state first, so only untracked SYNs (over
# the synproxy rate limit) and the first ACK reach the connection-limit checks and synproxy below
 107 | chain input-tcp-service { 108 | iif lo goto input-tcp-service-loopback 109 | 110 | # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough 111 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 112 | 113 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 114 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 115 | tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset 116 | tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 117 | synproxy mss 1460 wscale 7 timestamp sack-perm 118 | } 119 | 120 | chain input-tcp-service-new { 121 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 122 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 123 | tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject 
with tcp reset 124 | tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 125 | accept 126 | } 127 | 128 | # add connections established without synproxy to connection limit sets with limits enforced 129 | chain input-tcp-service-established { 130 | ct mark 0x1 accept 131 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 132 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 133 | tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 134 | tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 135 | ct mark set 0x1 accept 136 | } 137 | 138 | # add connections established with synproxy to connection limit sets with limits enforced 139 | chain input-tcp-service-loopback { 140 | tcp flags != syn accept 141 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 142 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 143 | tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 144 | tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 145 | ct mark set 0x1 accept 146 | } 147 |
# not a router: nothing is forwarded
 148 | chain forward { 149 | type filter hook forward priority filter 150 | policy drop 151 | } 152 |
# egress is restricted by socket owner: only the listed service UIDs may send off-host, every
# other UID gets a clean reject; loopback has its own, stricter chain below
 153 | chain output-raw { 154 | type filter hook output priority raw 155 | 156 | oif lo goto output-raw-loopback 157 | skuid != { root, systemd-network, unbound, alpm, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject 
158 | 159 | # translate DSCP to priority for fq bands 160 | meta priority set ip dscp map @dscp-to-priority 161 | meta priority set ip6 dscp map @dscp-to-priority 162 | 163 | meta l4proto { icmp, ipv6-icmp } notrack accept 164 | } 165 |
# on loopback, non-root processes may only exchange DNS with unbound (port 53); any other
# non-root traffic is rejected
 166 | chain output-raw-loopback { 167 | skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
# unlike the web and social variants, the http UID may also resolve DNS here
 168 | skuid { alpm, chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept 169 | 170 | skuid != root counter goto graceful-reject 171 | notrack accept 172 | } 173 |
# reject with protocol-appropriate errors (ICMP unreachable / TCP RST) rather than silently dropping
 174 | chain graceful-reject { 175 | meta l4proto udp reject 176 | meta l4proto tcp reject with tcp reset 177 | reject 178 | } 179 | } 180 | -------------------------------------------------------------------------------- /etc/nftables/nftables-attestation.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 | 3 | table inet filter 4 | flush table inet filter 5 | table inet filter { 6 | define tcp-ports = { 80, 443 } 7 | define tcp-ports-full = { 22, $tcp-ports } 8 | 9 | define ip-allowlist-ssh = { 10 | {{ssh_ipv4}}, 11 | } 12 | 13 | define ip6-allowlist-ssh = { 14 | {{ssh_ipv6}}, 15 | } 16 | 17 | define priority-besteffort = 0 18 | define priority-bulk = 2 19 | define priority-interactive-bulk = 4 20 | define priority-interactive = 6 21 | 22 | # based on CAKE diffserv4 23 | map dscp-to-priority { 24 | typeof ip dscp : meta priority 25 | elements = { 26 | cs1 : $priority-bulk, 27 | lephb : $priority-bulk, 28 | af11 : $priority-besteffort, 29 | af12 : $priority-besteffort, 30 | af13 : $priority-besteffort, 31 | cs2 : $priority-interactive-bulk, 32 | cs3 : $priority-interactive-bulk, 33 | cs4 : $priority-interactive-bulk, 34 | af21 : $priority-interactive-bulk, 35 | af22 : $priority-interactive-bulk, 36 | af23 : $priority-interactive-bulk, 37 | af31 : $priority-interactive-bulk, 38 | af32 : $priority-interactive-bulk, 39 | af33 : 
$priority-interactive-bulk, 40 | af41 : $priority-interactive-bulk, 41 | af42 : $priority-interactive-bulk, 42 | af43 : $priority-interactive-bulk, 43 | cs5 : $priority-interactive, 44 | cs6 : $priority-interactive, 45 | cs7 : $priority-interactive, 46 | ef : $priority-interactive, 47 | va : $priority-interactive, 48 | } 49 | } 50 | 51 | set ip-connlimit-ssh { 52 | type ipv4_addr 53 | flags dynamic 54 | } 55 | 56 | set ip6-connlimit-ssh { 57 | type ipv6_addr 58 | flags dynamic 59 | } 60 | 61 | set ip-connlimit-main { 62 | type ipv4_addr 63 | flags dynamic 64 | } 65 | 66 | set ip6-connlimit-main { 67 | type ipv6_addr 68 | flags dynamic 69 | } 70 | 71 | chain prerouting-raw { 72 | type filter hook prerouting priority raw 73 | policy drop 74 | 75 | # drop packets without a reverse path (strict reverse path filtering) 76 | fib saddr . iif oif missing counter drop 77 | 78 | iif lo notrack accept 79 | 80 | # drop packets to address not configured on incoming interface (strong host model) 81 | # 82 | # ordered after accepting loopback to permit using external IPs via loopback 83 | fib daddr . 
iif type != { local, broadcast, multicast } counter drop 84 | 85 | # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion 86 | tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept 87 | 88 | meta l4proto { tcp, udp } accept 89 | icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept 90 | meta l4proto ipv6-icmp notrack accept 91 | } 92 | 93 | chain input { 94 | type filter hook input priority filter 95 | policy drop 96 | 97 | ip dscp set cs0 98 | ip6 dscp set cs0 99 | 100 | tcp dport $tcp-ports-full goto input-tcp-service 101 | ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } 102 | } 103 | 104 | chain input-tcp-service { 105 | iif lo goto input-tcp-service-loopback 106 | 107 | # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough 108 | ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new } 109 | 110 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 111 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 112 | tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset 113 | tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset 114 | synproxy mss 1460 wscale 7 timestamp sack-perm 115 | } 116 | 117 | chain input-tcp-service-new { 118 | tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 119 | tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset 120 | tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset 121 | tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject 
with tcp reset 122 | accept 123 | } 124 | 125 | # add connections established without synproxy to connection limit sets with limits enforced 126 | chain input-tcp-service-established { 127 | ct mark 0x1 accept 128 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 129 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 130 | tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 131 | tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 132 | ct mark set 0x1 accept 133 | } 134 | 135 | # add connections established with synproxy to connection limit sets with limits enforced 136 | chain input-tcp-service-loopback { 137 | tcp flags != syn accept 138 | tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset 139 | tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 140 | tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset 141 | tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset 142 | ct mark set 0x1 accept 143 | } 144 | 145 | chain forward { 146 | type filter hook forward priority filter 147 | policy drop 148 | } 149 | 150 | chain output-raw { 151 | type filter hook output priority raw 152 | 153 | oif lo goto output-raw-loopback 154 | skuid != { root, systemd-network, unbound, alpm, chrony, http, attestation } counter goto graceful-reject 155 | 156 | # translate DSCP to priority for fq bands 157 | meta priority set ip dscp map @dscp-to-priority 158 | meta priority set ip6 
dscp map @dscp-to-priority

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }

    # Loopback egress for this role. Only the listed UID/port pairs may talk
    # over lo; every other non-root UID is rejected (not dropped) so the local
    # process fails immediately instead of waiting on a timeout.
    chain output-raw-loopback {
        # unbound answering local resolver queries; 8080 is excluded so a DNS
        # reply can never be aimed at the local attestation listener
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8080 notrack accept
        # local resolver clients -> unbound
        skuid { alpm, chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 notrack accept

        # attestation service on :8080 answering local clients, and nginx (http)
        # reaching it; no other UID may reach 8080 over lo
        skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 notrack accept
        skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 notrack accept

        skuid != root counter goto graceful-reject
        notrack accept
    }

    # Reject with a protocol-appropriate error (ICMP for UDP/other, RST for TCP)
    # rather than silently dropping, so local callers get an immediate failure.
    chain graceful-reject {
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
        reject
    }
}
--------------------------------------------------------------------------------
/etc/nftables/nftables-network.conf:
--------------------------------------------------------------------------------
#!/usr/bin/nft -f
#
# Host firewall for the "network" role: a public HTTP(S) host that also serves
# NTP (udp/123 via chrony). The table is declared, flushed and redefined so the
# file is idempotent; `nft -f` applies it as a single transaction, so a load
# error leaves the previous ruleset in place rather than a half-built one.
#
# Identifiers of the form {{name}} are not nft syntax: they are template
# placeholders that must be substituted by the deployment tooling before this
# file is passed to nft.

table inet filter
flush table inet filter
table inet filter {
    # public TCP services; 7275 is presumably SUPL (A-GPS) — confirm against the service config
    define tcp-ports = { 80, 443, 7275 }
    # everything routed through input-tcp-service: the public ports plus SSH
    define tcp-ports-full = { 22, $tcp-ports }
    # NTP; handled untracked in both directions (see prerouting-raw / output-raw)
    define udp-ports = 123

    # SSH sources exempt from the one-connection-per-source limit enforced below
    define ip-allowlist-ssh = {
        {{ssh_ipv4}},
        51.222.156.101, # 0.grapheneos.org
    }

    define ip6-allowlist-ssh = {
        {{ssh_ipv6}},
        2605:6400:10:50:20a1:d9ea:5c10:a895, # nyc.grapheneos.org
    }

    # fq band numbers used as meta priority on egress (higher = more latency sensitive)
    define priority-besteffort = 0
    define priority-bulk = 2
    define priority-interactive-bulk = 4
    define priority-interactive = 6

    # based on CAKE diffserv4
    #
    # Only applied to locally generated packets (output-raw); inbound DSCP is
    # reset to cs0 in the input chain, so peers cannot influence local priorities.
    map dscp-to-priority {
        typeof ip dscp : meta priority
        elements = {
            cs1 : $priority-bulk,
            lephb : $priority-bulk,
            af11 : $priority-besteffort,
            af12 : $priority-besteffort,
            af13 : $priority-besteffort,
            cs2 : $priority-interactive-bulk,
            cs3 : $priority-interactive-bulk,
            cs4 : $priority-interactive-bulk,
            af21 : $priority-interactive-bulk,
            af22 : $priority-interactive-bulk,
            af23 : $priority-interactive-bulk,
            af31 : $priority-interactive-bulk,
            af32 : $priority-interactive-bulk,
            af33 : $priority-interactive-bulk,
            af41 : $priority-interactive-bulk,
            af42 : $priority-interactive-bulk,
            af43 : $priority-interactive-bulk,
            cs5 : $priority-interactive,
            cs6 : $priority-interactive,
            cs7 : $priority-interactive,
            ef : $priority-interactive,
            va : $priority-interactive,
        }
    }

    # Per-source connection-limit state. The sets are dynamic and are only
    # populated by the `add @set { ... ct count over N }` rules in the
    # *-established and *-loopback chains; the plain `@set` lookups in
    # input-tcp-service / input-tcp-service-new consult that state. IPv6 entries
    # are keyed by /64 (the ffff:ffff:ffff:ffff:: mask keeps the top 64 bits),
    # so a client cannot escape its limit by rotating addresses within a prefix.
    set ip-connlimit-ssh {
        type ipv4_addr
        flags dynamic
    }

    set ip6-connlimit-ssh {
        type ipv6_addr
        flags dynamic
    }

    set ip-connlimit-main {
        type ipv4_addr
        flags dynamic
    }

    set ip6-connlimit-main {
        type ipv6_addr
        flags dynamic
    }

    # Runs before conntrack. Policy drop here means anything not explicitly
    # accepted below (i.e. anything other than TCP, UDP and the listed ICMP)
    # is discarded before it can create conntrack state.
    chain prerouting-raw {
        type filter hook prerouting priority raw
        policy drop

        # drop packets without a reverse path (strict reverse path filtering)
        fib saddr . iif oif missing counter drop

        iif lo notrack accept

        # drop packets to address not configured on incoming interface (strong host model)
        #
        # ordered after accepting loopback to permit using external IPs via loopback
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # NTP requests bypass conntrack entirely, so an NTP client flood cannot
        # fill the conntrack table; the reply side is notrack in output-raw
        udp dport $udp-ports notrack accept

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
        #
        # the limit is global, not per source: once the SYN rate exceeds the
        # threshold every new connection on these ports is completed by synproxy
        # (the SYN is left untracked here and handled in input-tcp-service)
        tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

        # remaining TCP/UDP enters conntrack; the input chain decides per port
        meta l4proto { tcp, udp } accept
        # only the ICMP types needed for connectivity/PMTU; ICMPv6 is accepted
        # wholesale, presumably because neighbour discovery depends on it
        icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
        meta l4proto ipv6-icmp notrack accept
    }

    chain input {
        type filter hook input priority filter
        policy drop

        # inbound DSCP is normalised to cs0: marks set by peers are not trusted
        ip dscp set cs0
        ip6 dscp set cs0

        tcp dport $tcp-ports-full goto input-tcp-service
        # untracked here is loopback, ICMP and NTP (rate-limited SYNs already
        # left via the goto above); new connections to any other port are dropped
        ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
    }

    chain input-tcp-service {
        # includes the SYNs synproxy injects toward the local listener, see input-tcp-service-loopback
        iif lo goto input-tcp-service-loopback

        # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
        ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }

        # synproxy path: refuse sources already over their limit before spending
        # synproxy work on them (the sets are populated in the chains below);
        # everything else is completed by synproxy
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
        tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
        tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
        synproxy mss 1460 wscale 7 timestamp sack-perm
    }

    # Direct (non-synproxy) new connections: refuse sources already over their
    # limit; otherwise accept and count the connection once it is established.
    chain input-tcp-service-new {
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
        tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
        tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
        accept
    }

    # add connections established without synproxy to connection limit sets with limits enforced
    #
    # The first established packet of each connection counts it against its
    # source and rejects with RST when over the limit: SSH allows 1 concurrent
    # connection per source (per /64 for IPv6) unless the source is allowlisted;
    # the public ports allow 32 per source with no exemption. ct mark 0x1 records
    # that a connection has been counted so later packets skip this chain's work.
    chain input-tcp-service-established {
        ct mark 0x1 accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
        tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
        tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
        ct mark set 0x1 accept
    }

    # add connections established with synproxy to connection limit sets with limits enforced
    #
    # A connection completed by synproxy reaches the real listener as a SYN the
    # kernel injects over lo carrying the client's source address — presumably
    # why the counting for that path happens here, on SYNs only. All other
    # loopback traffic to these ports is accepted unconditionally.
    chain input-tcp-service-loopback {
        tcp flags != syn accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
        tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
        tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
        ct mark set 0x1 accept
    }

    # this host never forwards
    chain forward {
        type filter hook forward priority filter
        policy drop
    }

    # Egress is allowlisted by socket UID: any other UID is rejected (not
    # dropped) so the local process fails fast. NOTE(review): skuid needs a
    # socket to match; packets without one (kernel-originated) are not matched
    # by the != rule and fall through — verify that is the intent.
    chain output-raw {
        type filter hook output priority raw

        oif lo goto output-raw-loopback
        skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject
        # NTP replies mirror the inbound notrack in prerouting-raw
        udp sport $udp-ports notrack accept

        # translate DSCP to priority for fq bands
        meta priority set ip dscp map @dscp-to-priority
        meta priority set ip6 dscp map @dscp-to-priority

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }

    # Loopback egress: unbound answering local resolvers, the listed UIDs
    # querying it, root unrestricted, every other UID rejected.
    chain output-raw-loopback {
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
        skuid { alpm, chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept

        skuid != root counter goto graceful-reject
        notrack accept
    }

    # Reject with a protocol-appropriate error (ICMP for UDP/other, RST for TCP)
    # rather than silently dropping, so local callers get an immediate failure.
    chain graceful-reject {
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
        reject
    }
}
--------------------------------------------------------------------------------
/etc/nftables/nftables-matrix.conf:
--------------------------------------------------------------------------------
#!/usr/bin/nft -f
#
# Host firewall for the Matrix role (synapse, matterbridge, mjolnir behind
# nginx). Public surface is SSH plus HTTP(S) only; no UDP service is exposed.
# The table is declared, flushed and redefined so the file is idempotent, and
# `nft -f` applies it as a single transaction.
#
# Identifiers of the form {{name}} are not nft syntax: they are template
# placeholders that must be substituted by the deployment tooling before this
# file is passed to nft.

table inet filter
flush table inet filter
table inet filter {
    define tcp-ports = { 80, 443 }
    # everything routed through input-tcp-service: the public ports plus SSH
    define tcp-ports-full = { 22, $tcp-ports }

    # SSH sources exempt from the one-connection-per-source limit enforced below
    define ip-allowlist-ssh = {
        {{ssh_ipv4}},
    }

    define ip6-allowlist-ssh = {
        {{ssh_ipv6}},
    }

    # fq band numbers used as meta priority on egress (higher = more latency sensitive)
    define priority-besteffort = 0
    define priority-bulk = 2
    define priority-interactive-bulk = 4
    define priority-interactive = 6

    # based on CAKE diffserv4
    #
    # Only applied to locally generated packets (output-raw); inbound DSCP is
    # reset to cs0 in the input chain, so peers cannot influence local priorities.
    map dscp-to-priority {
        typeof ip dscp : meta priority
        elements = {
            cs1 : $priority-bulk,
            lephb : $priority-bulk,
            af11 : $priority-besteffort,
            af12 : $priority-besteffort,
            af13 : $priority-besteffort,
            cs2 : $priority-interactive-bulk,
            cs3 : $priority-interactive-bulk,
            cs4 : $priority-interactive-bulk,
            af21 : $priority-interactive-bulk,
            af22 : $priority-interactive-bulk,
            af23 : $priority-interactive-bulk,
            af31 : $priority-interactive-bulk,
            af32 : $priority-interactive-bulk,
            af33 : $priority-interactive-bulk,
            af41 : $priority-interactive-bulk,
            af42 : $priority-interactive-bulk,
            af43 : $priority-interactive-bulk,
            cs5 : $priority-interactive,
            cs6 : $priority-interactive,
            cs7 : $priority-interactive,
            ef : $priority-interactive,
            va : $priority-interactive,
        }
    }

    # Per-source connection-limit state, populated only by the
    # `add @set { ... ct count over N }` rules in the *-established and
    # *-loopback chains and consulted by the plain `@set` lookups elsewhere.
    # IPv6 entries are keyed by /64 (the ffff:ffff:ffff:ffff:: mask keeps the
    # top 64 bits), so a client cannot escape its limit by rotating addresses.
    set ip-connlimit-ssh {
        type ipv4_addr
        flags dynamic
    }

    set ip6-connlimit-ssh {
        type ipv6_addr
        flags dynamic
    }

    set ip-connlimit-main {
        type ipv4_addr
        flags dynamic
    }

    set ip6-connlimit-main {
        type ipv6_addr
        flags dynamic
    }

    # Runs before conntrack. Policy drop here means anything not explicitly
    # accepted below (i.e. anything other than TCP, UDP and the listed ICMP)
    # is discarded before it can create conntrack state.
    chain prerouting-raw {
        type filter hook prerouting priority raw
        policy drop

        # drop packets without a reverse path (strict reverse path filtering)
        fib saddr . iif oif missing counter drop

        iif lo notrack accept

        # drop packets to address not configured on incoming interface (strong host model)
        #
        # ordered after accepting loopback to permit using external IPs via loopback
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
        #
        # the limit is global, not per source: once the SYN rate exceeds the
        # threshold every new connection on these ports is completed by synproxy
        # (the SYN is left untracked here and handled in input-tcp-service)
        tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

        # remaining TCP/UDP enters conntrack; the input chain decides per port
        meta l4proto { tcp, udp } accept
        # only the ICMP types needed for connectivity/PMTU; ICMPv6 is accepted
        # wholesale, presumably because neighbour discovery depends on it
        icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
        meta l4proto ipv6-icmp notrack accept
    }

    chain input {
        type filter hook input priority filter
        policy drop

        # inbound DSCP is normalised to cs0: marks set by peers are not trusted
        ip dscp set cs0
        ip6 dscp set cs0

        tcp dport $tcp-ports-full goto input-tcp-service
        # untracked here is loopback and ICMP (rate-limited SYNs already left
        # via the goto above); new connections to any other port are dropped
        ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
    }

    chain input-tcp-service {
        # includes the SYNs synproxy injects toward the local listener, see input-tcp-service-loopback
        iif lo goto input-tcp-service-loopback

        # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
        ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }

        # synproxy path: refuse sources already over their limit before spending
        # synproxy work on them (the sets are populated in the chains below);
        # everything else is completed by synproxy
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
        tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
        tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
        synproxy mss 1460 wscale 7 timestamp sack-perm
    }

    # Direct (non-synproxy) new connections: refuse sources already over their
    # limit; otherwise accept and count the connection once it is established.
    chain input-tcp-service-new {
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
        tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
        tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
        accept
    }

    # add connections established without synproxy to connection limit sets with limits enforced
    #
    # The first established packet of each connection counts it against its
    # source and rejects with RST when over the limit: SSH allows 1 concurrent
    # connection per source (per /64 for IPv6) unless the source is allowlisted;
    # the public ports allow 32 per source with no exemption. ct mark 0x1 records
    # that a connection has been counted so later packets skip this chain's work.
    chain input-tcp-service-established {
        ct mark 0x1 accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
        tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
        tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
        ct mark set 0x1 accept
    }

    # add connections established with synproxy to connection limit sets with limits enforced
    #
    # A connection completed by synproxy reaches the real listener as a SYN the
    # kernel injects over lo carrying the client's source address — presumably
    # why the counting for that path happens here, on SYNs only. All other
    # loopback traffic to these ports is accepted unconditionally.
    chain input-tcp-service-loopback {
        tcp flags != syn accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
        tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
        tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
        ct mark set 0x1 accept
    }

    # this host never forwards
    chain forward {
        type filter hook forward priority filter
        policy drop
    }

    # Egress is allowlisted by socket UID: synapse and matterbridge may reach
    # the network (federation / bridged services), mjolnir deliberately may not
    # (it is only granted loopback access below). NOTE(review): skuid needs a
    # socket to match; packets without one (kernel-originated) are not matched
    # by the != rule and fall through — verify that is the intent.
    chain output-raw {
        type filter hook output priority raw

        oif lo goto output-raw-loopback
        skuid != { root, systemd-network, unbound, alpm, chrony, http, synapse, matterbridge } counter goto graceful-reject

        # translate DSCP to priority for fq bands
        meta priority set ip dscp map @dscp-to-priority
        meta priority set ip6 dscp map @dscp-to-priority

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }

    # Loopback egress. matterbridge and mjolnir reach the homeserver only via
    # nginx on local :443 (nginx answers from sport 443); synapse itself gets
    # no loopback rule beyond DNS, so it is not reachable from these UIDs
    # except through nginx.
    chain output-raw-loopback {
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
        skuid { alpm, chrony, synapse, matterbridge, mjolnir } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept

        skuid http tcp sport 443 tcp dport >= 1024 notrack accept
        skuid matterbridge tcp sport >= 1024 tcp dport 443 notrack accept
        skuid mjolnir tcp sport >= 1024 tcp dport 443 notrack accept

        skuid != root counter goto graceful-reject
        notrack accept
    }

    # Reject with a protocol-appropriate error (ICMP for UDP/other, RST for TCP)
    # rather than silently dropping, so local callers get an immediate failure.
    chain graceful-reject {
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
        reject
    }
}
--------------------------------------------------------------------------------