staging

thestinger · thestinger · commit 32784515bd2e · 2026-02-09T10:39:16.000-05:00
diff --git a/bird.ns1.staging.grapheneos.org.conf b/bird.ns1.staging.grapheneos.org.conf
@@ -0,0 +1,14 @@
+define public_ipv4 = 198.98.56.238;
+define public_ipv6 = 2605:6400:0010:0c41:de92:c534:326a:711a;
+define neighbor_as = 53667;
+define neighbor_ipv4 = 169.254.169.179;
+define neighbor_ipv6 = 2605:6400:ffff::2;
+define bgp_password = "{{bgp_password}}";
+
+filter grapheneos_ipv4_filter {
+    accept;
+};
+
+filter grapheneos_ipv6_filter {
+    accept;
+};
diff --git a/bird.staging.conf b/bird.staging.conf
@@ -0,0 +1,46 @@
+include "bird.local.conf";
+
+log syslog all;
+
+router id public_ipv4;
+
+protocol device {
+    scan time 10;
+};
+
+template bgp grapheneos {
+    local as 40806;
+    multihop 2;
+    authentication md5;
+    password bgp_password;
+    graceful restart on;
+    connect delay time 0;
+    connect retry time 5;
+}
+
+protocol bgp grapheneos_ipv4 from grapheneos {
+    source address public_ipv4;
+    neighbor neighbor_ipv4 as neighbor_as;
+    ipv4 {
+        import none;
+        export filter grapheneos_ipv4_filter;
+    };
+};
+
+protocol bgp grapheneos_ipv6 from grapheneos {
+    source address public_ipv6;
+    neighbor neighbor_ipv6 as neighbor_as;
+    ipv6 {
+        import none;
+        export filter grapheneos_ipv6_filter;
+    };
+};
+
+protocol static grapheneos_ipv4_route {
+    ipv4;
+};
+
+protocol static grapheneos_ipv6_route {
+    ipv6;
+    route 2602:f4d9:4::/48 via public_ipv6;
+};
diff --git a/deploy b/deploy
@@ -23,7 +23,7 @@ elif [[ $# -ne 0 ]]; then
 fi
 
 # use YYYYMMDDSS SOA serial format
-old_serial=$(cat serial.txt 2>/dev/null || echo -n $(date -u +"%Y%m%d00"))
+old_serial=$(cat serial-staging.txt 2>/dev/null || echo -n $(date -u +"%Y%m%d00"))
 serial=$(date -u +"%Y%m%d")
 if [[ ${old_serial:0:8} = ${serial} ]]; then
     old_sequence=${old_serial:8:2}
@@ -35,7 +35,7 @@ else
 fi
 echo serial: $serial
 echo
-echo -n $serial > serial.txt
+echo -n $serial > serial-staging.txt
 
 . servers.sh
 
@@ -44,11 +44,7 @@ for server in ${servers[@]}; do
 
     remote=root@$server
 
-    if [[ $server == *.ns1.grapheneos.org ]]; then
-        subdomain=ns1
-    else
-        subdomain=ns2
-    fi
+    subdomain=ns1.staging
 
     if (( reconfigure )); then
         cp pdns.conf pdns.conf.tmp
@@ -70,8 +66,7 @@ for server in ${servers[@]}; do
     rm -rf zones.tmp
 
     if (( reconfigure )); then
-        ssh $remote 'sleep 5 &&
-systemctl daemon-reload &&
+        ssh $remote 'systemctl daemon-reload &&
 systemctl enable --now geoipupdate.timer pdns.service pdns-trigger-health-checks.timer &&
 systemctl restart pdns.service'
     else
diff --git a/deploy-bgp b/deploy-bgp
@@ -24,11 +24,7 @@ deploy_bird() {
 for server in ${servers[@]}; do
     echo $server
 
-    if [[ $server == *.ns1.grapheneos.org ]]; then
-        subdomain=ns1
-    else
-        subdomain=ns2
-    fi
+    subdomain=staging
 
     deploy_bird $server $subdomain
 
diff --git a/deploy-dnsdist b/deploy-dnsdist
@@ -16,11 +16,7 @@ for server in ${servers[@]}; do
 
     remote=root@$server
 
-    if [[ $server == *.ns1.grapheneos.org ]]; then
-        subdomain=ns1
-    else
-        subdomain=ns2
-    fi
+    subdomain=ns1.staging
 
     cp dnsdist.conf dnsdist.conf.tmp
     sed -i "s/{{subdomain}}/$subdomain/g;s/{{threads}}/${threads[$server]:-1}/g" dnsdist.conf.tmp
diff --git a/deploy-static b/deploy-static
@@ -11,9 +11,6 @@ if ! flock -n $fd; then
     exit 1
 fi
 
-rsync -pcv --chmod=F644 --fsync --preallocate mirrors.ns1 root@ewr.ns1.grapheneos.org:/etc/mirrors
-rsync -pcv --chmod=F644 --fsync --preallocate mirrors.ns2 root@iad.ns2.grapheneos.org:/etc/mirrors
-
 . servers.sh
 
 for server in ${servers[@]}; do
@@ -23,11 +20,7 @@ for server in ${servers[@]}; do
 
     rm -rf nginx-tmp
     cp -a nginx nginx-tmp
-    if [[ $server == *.ns1.grapheneos.org ]]; then
-        sed -i 's/{{subdomain}}/ns1/g; s/{{primary}}/ewr/g' nginx-tmp/nginx.conf
-    else
-        sed -i 's/{{subdomain}}/ns2/g; s/{{primary}}/iad/g' nginx-tmp/nginx.conf
-    fi
+    sed -i s/{{subdomain}}/ns1.staging/g nginx-tmp/nginx.conf
     gixy nginx-tmp/nginx.conf
     rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate nginx-tmp/{nginx.conf,mime.types} $remote:/etc/nginx/
     ssh $remote systemctl reload nginx
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -87,10 +87,10 @@ http {
     server {
         listen 80;
         listen [::]:80;
-        server_name {{subdomain}}.grapheneos.org {{subdomain}}.attestation.app {{subdomain}}.grapheneos.app {{subdomain}}.grapheneos.ca {{subdomain}}.grapheneos.com {{subdomain}}.grapheneos.dev {{subdomain}}.grapheneos.foundation {{subdomain}}.grapheneos.info {{subdomain}}.grapheneos.net {{subdomain}}.grapheneos.network {{subdomain}}.grapheneos.online {{subdomain}}.grapheneos.ovh {{subdomain}}.grapheneos.page {{subdomain}}.grapheneos.social {{subdomain}}.seamlessupdate.app {{subdomain}}.vanadium.app;
+        server_name {{subdomain}}.grapheneos.org ns2.staging.grapheneos.org {{subdomain}}.attestation.app ns2.staging.attestation.app;
 
         location /.well-known/acme-challenge/ {
-            return 301 http://{{primary}}.{{subdomain}}.grapheneos.org$request_uri;
+            root /srv/certbot;
         }
 
         location / {
@@ -128,12 +128,12 @@ http {
         listen 443 ssl;
         listen [::]:443 ssl;
         http2 on;
-        server_name {{subdomain}}.grapheneos.org {{subdomain}}.attestation.app {{subdomain}}.grapheneos.app {{subdomain}}.grapheneos.ca {{subdomain}}.grapheneos.com {{subdomain}}.grapheneos.dev {{subdomain}}.grapheneos.foundation {{subdomain}}.grapheneos.info {{subdomain}}.grapheneos.net {{subdomain}}.grapheneos.network {{subdomain}}.grapheneos.online {{subdomain}}.grapheneos.ovh {{subdomain}}.grapheneos.page {{subdomain}}.grapheneos.social {{subdomain}}.seamlessupdate.app {{subdomain}}.vanadium.app;
+        server_name {{subdomain}}.grapheneos.org ns2.staging.grapheneos.org {{subdomain}}.attestation.app ns2.staging.attestation.app;
 
         add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 
         location = / {
-            return 301 https://grapheneos.org/articles/grapheneos-servers#ns1.grapheneos.org;
+            return 301 https://grapheneos.org/articles/grapheneos-servers#ns1.staging.grapheneos.org;
         }
 
         location / {
diff --git a/pdns.conf b/pdns.conf
@@ -47,3 +47,6 @@ security-poll-suffix=
 
 webserver=yes
 webserver-address=/run/pdns/http.sock
+
+loglevel=7
+log-dns-queries=yes
diff --git a/servers.sh b/servers.sh
@@ -1,14 +1,13 @@
 . bgp-password.sh
 
 readonly servers_ns1=(
-    {bom,ewr,fra,lax,lon,mia,sao,sea,sin,syd,tyo}.ns1.grapheneos.org
 )
 
 readonly servers_ns2=(
-    {ber,iad,lon,mia,sea,sjc,sin,tyo}.ns2.grapheneos.org
 )
 
 readonly servers=(
+    ns1.staging.grapheneos.org
     "${servers_ns1[@]}"
     "${servers_ns2[@]}"
 )

Original file line number	Diff line number	Diff line change
`@@ -1,14 +1,13 @@`
`1`	`1`	`. bgp-password.sh`
`2`	`2`
`3`	`3`	`readonly servers_ns1=(`
`4`		`- {bom,ewr,fra,lax,lon,mia,sao,sea,sin,syd,tyo}.ns1.grapheneos.org`
`5`	`4`	`)`
`6`	`5`
`7`	`6`	`readonly servers_ns2=(`
`8`		`- {ber,iad,lon,mia,sea,sjc,sin,tyo}.ns2.grapheneos.org`
`9`	`7`	`)`
`10`	`8`
`11`	`9`	`readonly servers=(`
	`10`	`+ ns1.staging.grapheneos.org`
`12`	`11`	`"${servers_ns1[@]}"`
`13`	`12`	`"${servers_ns2[@]}"`
`14`	`13`	`)`