This is the live public configuration for the Geomys Tuscolo CT Log Server, a Sunlight instance.
See also the public playbooks.
listen:
- "185.230.223.193:443"
- "[2a0c:2f07:c1::c1]:443"
acme:
hosts:
- tuscolo.sunlight.geomys.org
cache: /var/db/sunlight/autocert/
checkpoints: /tank/shared/checkpoints.db
logs:
- shortname: tuscolo2026h1
inception: 2025-04-27
period: 200
submissionprefix: https://tuscolo2026h1.sunlight.geomys.org
monitoringprefix: https://tuscolo2026h1.skylight.geomys.org
secret: /tank/enc/tuscolo2026h1.seed.bin
cache: /tank/logs/tuscolo2026h1/cache.db
poolsize: 750
localdirectory: /tank/logs/tuscolo2026h1/data
notafterstart: 2026-01-01T00:00:00Z
notafterlimit: 2026-07-01T00:00:00Z
- shortname: tuscolo2026h2
inception: 2025-04-27
period: 200
submissionprefix: https://tuscolo2026h2.sunlight.geomys.org
monitoringprefix: https://tuscolo2026h2.skylight.geomys.org
secret: /tank/enc/tuscolo2026h2.seed.bin
cache: /tank/logs/tuscolo2026h2/cache.db
poolsize: 750
localdirectory: /tank/logs/tuscolo2026h2/data
notafterstart: 2026-07-01T00:00:00Z
notafterlimit: 2027-01-01T00:00:00Z
- shortname: tuscolo2027h1
inception: 2025-06-02
period: 200
submissionprefix: https://tuscolo2027h1.sunlight.geomys.org
monitoringprefix: https://tuscolo2027h1.skylight.geomys.org
secret: /tank/enc/tuscolo2027h1.seed.bin
cache: /tank/logs/tuscolo2027h1/cache.db
poolsize: 750
localdirectory: /tank/logs/tuscolo2027h1/data
notafterstart: 2027-01-01T00:00:00Z
notafterlimit: 2027-07-01T00:00:00Z
- shortname: tuscolo2027h2
inception: 2025-06-02
period: 200
submissionprefix: https://tuscolo2027h2.sunlight.geomys.org
monitoringprefix: https://tuscolo2027h2.skylight.geomys.org
secret: /tank/enc/tuscolo2027h2.seed.bin
cache: /tank/logs/tuscolo2027h2/cache.db
poolsize: 750
localdirectory: /tank/logs/tuscolo2027h2/data
notafterstart: 2027-07-01T00:00:00Z
notafterlimit: 2028-01-01T00:00:00Z
listen:
- "185.230.223.195:443"
- "[2a0c:2f07:c1::c3]:443"
acme:
hosts:
- navigli.sunlight.geomys.org
cache: /var/db/sunlight/autocert-staging/
checkpoints: /tank/shared/checkpoints.db
witness:
name: witness.navigli.sunlight.geomys.org
submissionprefix: https://witness.navigli.sunlight.geomys.org
secret: /tank/enc/navigli-witness.seed.bin
loglists:
- "https://testing.witness-network.org/log-list.1"
- "https://staging.witness-network.org/log-list-10qps-4klogs.1"
- "https://staging.witness-network.org/log-list-100qps-40klogs.1"
- "https://uptime.geomys.org/witness/log-list"
logs:
- shortname: navigli2026h1
inception: 2025-05-03
period: 200
submissionprefix: https://navigli2026h1.sunlight.geomys.org
monitoringprefix: https://navigli2026h1.skylight.geomys.org
ccadbroots: testing
extraroots: /etc/sunlight/extra-roots-staging.pem
secret: /tank/enc/navigli2026h1.seed.bin
cache: /tank/logs/navigli2026h1/cache.db
poolsize: 750
localdirectory: /tank/logs/navigli2026h1/data
notafterstart: 2026-01-01T00:00:00Z
notafterlimit: 2026-07-01T00:00:00Z
- shortname: navigli2026h2
inception: 2025-05-03
period: 200
submissionprefix: https://navigli2026h2.sunlight.geomys.org
monitoringprefix: https://navigli2026h2.skylight.geomys.org
ccadbroots: testing
extraroots: /etc/sunlight/extra-roots-staging.pem
secret: /tank/enc/navigli2026h2.seed.bin
cache: /tank/logs/navigli2026h2/cache.db
poolsize: 750
localdirectory: /tank/logs/navigli2026h2/data
notafterstart: 2026-07-01T00:00:00Z
notafterlimit: 2027-01-01T00:00:00Z
- shortname: navigli2027h1
inception: 2025-06-02
period: 200
submissionprefix: https://navigli2027h1.sunlight.geomys.org
monitoringprefix: https://navigli2027h1.skylight.geomys.org
ccadbroots: testing
extraroots: /etc/sunlight/extra-roots-staging.pem
secret: /tank/enc/navigli2027h1.seed.bin
cache: /tank/logs/navigli2027h1/cache.db
poolsize: 750
localdirectory: /tank/logs/navigli2027h1/data
notafterstart: 2027-01-01T00:00:00Z
notafterlimit: 2027-07-01T00:00:00Z
- shortname: navigli2027h2
inception: 2025-06-02
period: 200
submissionprefix: https://navigli2027h2.sunlight.geomys.org
monitoringprefix: https://navigli2027h2.skylight.geomys.org
ccadbroots: testing
extraroots: /etc/sunlight/extra-roots-staging.pem
secret: /tank/enc/navigli2027h2.seed.bin
cache: /tank/logs/navigli2027h2/cache.db
poolsize: 750
localdirectory: /tank/logs/navigli2027h2/data
notafterstart: 2027-07-01T00:00:00Z
notafterlimit: 2028-01-01T00:00:00Z
listen:
- "185.230.223.194:443"
- "[2a0c:2f07:c1::c2]:443"
acme:
hosts:
- skylight.geomys.org
cache: /var/db/sunlight/skylight/
homeredirect: https://tuscolo.sunlight.geomys.org
logs:
- shortname: tuscolo2025h2
monitoringprefix: https://tuscolo2025h2.skylight.geomys.org
localdirectory: /tank/logs/tuscolo2025h2/data
- shortname: tuscolo2026h1
monitoringprefix: https://tuscolo2026h1.skylight.geomys.org
localdirectory: /tank/logs/tuscolo2026h1/data
- shortname: tuscolo2026h2
monitoringprefix: https://tuscolo2026h2.skylight.geomys.org
localdirectory: /tank/logs/tuscolo2026h2/data
- shortname: tuscolo2027h1
monitoringprefix: https://tuscolo2027h1.skylight.geomys.org
localdirectory: /tank/logs/tuscolo2027h1/data
- shortname: tuscolo2027h2
monitoringprefix: https://tuscolo2027h2.skylight.geomys.org
localdirectory: /tank/logs/tuscolo2027h2/data
- shortname: navigli2026h1
monitoringprefix: https://navigli2026h1.skylight.geomys.org
localdirectory: /tank/logs/navigli2026h1/data
staging: true
- shortname: navigli2026h2
monitoringprefix: https://navigli2026h2.skylight.geomys.org
localdirectory: /tank/logs/navigli2026h2/data
staging: true
- shortname: navigli2027h1
monitoringprefix: https://navigli2027h1.skylight.geomys.org
localdirectory: /tank/logs/navigli2027h1/data
staging: true
- shortname: navigli2027h2
monitoringprefix: https://navigli2027h2.skylight.geomys.org
localdirectory: /tank/logs/navigli2027h2/data
staging: true
#!/bin/bash
set -euo pipefail
unit_flag="skylight"
display_help() {
echo "Usage: debug [-u unit] {useragents|ips|keylog={on|off}|logs={on|off}|port}"
}
while getopts "u:h" opt; do
case ${opt} in
u )
unit_flag=$OPTARG
;;
h )
display_help >&2
exit 0
;;
\? )
echo "Invalid option: -$OPTARG" >&2
display_help >&2
exit 1
;;
: )
echo "Option -$OPTARG requires an argument" >&2
display_help >&2
exit 1
;;
esac
done
shift $((OPTIND - 1))
if [ "$#" -ne 1 ]; then
echo "Exactly one positional argument is required" >&2
display_help >&2
exit 1
fi
PID=$(systemctl show "$unit_flag" --property MainPID | cut -d'=' -f2)
if [ -z "$PID" ]; then
echo "Unit $unit_flag is not running" >&2
exit 1
fi
PORT=$(ss -tulnp | grep "pid=$PID," | awk '{print $5}' | grep 127.0.0.1)
if [ -z "$PORT" ]; then
echo "No port found for unit $unit_flag" >&2
exit 1
fi
case $1 in
useragents )
curl -s "$PORT/debug/heavyhitter/useragents"
;;
ips )
curl -s "$PORT/debug/heavyhitter/ips"
;;
keylog=on )
curl -s -x POST "$PORT/debug/keylog/on"
;;
keylog=off )
curl -s -x POST "$PORT/debug/keylog/off"
;;
logs=on )
curl -s -x POST "$PORT/debug/logs/on"
;;
logs=off )
curl -s -x POST "$PORT/debug/logs/off"
;;
port )
echo "$PORT"
;;
* )
echo "Invalid argument: $1" >&2
display_help >&2
exit 1
;;
esac
[Unit]
Description=Sunlight Certificate Transparency Log
After=network-online.target tank-enc.mount
Wants=network-online.target
StartLimitIntervalSec=0
[Service]
ExecStart=/usr/local/bin/sunlight -c /etc/sunlight/sunlight.yaml
ExecReload=kill -HUP $MAINPID
StandardOutput=append:/var/log/sunlight.jsonl
StandardError=journal
Restart=always
# RestartSteps=10
# RestartMaxDelaySec=60s
RestartSec=60s
[Install]
WantedBy=tank-enc.mount
[Unit]
Description=Sunlight Certificate Transparency Log (staging)
After=network-online.target tank-enc.mount
Wants=network-online.target
StartLimitIntervalSec=0
[Service]
ExecStart=/usr/local/bin/sunlight-staging -c /etc/sunlight/sunlight-staging.yaml
ExecReload=kill -HUP $MAINPID
StandardOutput=append:/var/log/sunlight-staging.jsonl
StandardError=journal
Restart=always
# RestartSteps=10
# RestartMaxDelaySec=60s
RestartSec=60s
[Install]
WantedBy=tank-enc.mount
[Unit]
Description=Sunlight Certificate Transparency Log (read path)
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=0
[Service]
ExecStart=/usr/local/bin/skylight -c /etc/sunlight/skylight.yaml
StandardOutput=append:/var/log/skylight.jsonl
StandardError=journal
Restart=always
# RestartSteps=10
# RestartMaxDelaySec=60s
RestartSec=60s
[Install]
WantedBy=multi-user.target
[Unit]
Description=Clean up partial tiles
[Service]
Type=oneshot
ExecStart=/usr/local/bin/partial-aftersun -c /etc/sunlight/sunlight.yaml
ExecStartPost=/usr/bin/curl --retry 3 --retry-delay 1 -m 15 https://sm.hetrixtools.net/hb/?s=a4f010ea1bd8d93598fc96f94000190f
StandardOutput=append:/var/log/partial-aftersun.jsonl
StandardError=journal
[Unit]
Description=Periodically run partial tiles cleanup while Sunlight is running
RefuseManualStart=yes
PartOf=sunlight.service
[Timer]
OnActiveSec=5s
OnUnitActiveSec=5m
[Install]
WantedBy=sunlight.service
[Unit]
Description=Clean up partial tiles (staging)
[Service]
Type=oneshot
ExecStart=/usr/local/bin/partial-aftersun -c /etc/sunlight/sunlight-staging.yaml
ExecStartPost=/usr/bin/curl --retry 3 --retry-delay 1 -m 15 https://sm.hetrixtools.net/hb/?s=590ce0eb9954e649e6f2be05a4c651bd
StandardOutput=append:/var/log/partial-aftersun.jsonl
StandardError=journal
[Unit]
Description=Periodically run partial tiles cleanup while Sunlight is running (staging)
RefuseManualStart=yes
PartOf=sunlight-staging.service
[Timer]
OnActiveSec=5s
OnUnitActiveSec=5m
[Install]
WantedBy=sunlight-staging.service
[Unit]
Description=Generate heliograph CT log dashboard
After=prometheus.service
[Service]
Type=oneshot
ExecStart=/usr/local/bin/heliograph-dashboard \
-prometheus http://localhost:9090 \
-title "Tuscolo CT log" \
-log-name tuscolo \
-o /var/www/heliograph/index.html
TimeoutStartSec=30s
ProtectSystem=strict
ReadWritePaths=/var/www/heliograph
ProtectHome=yes
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_INET AF_INET6
[Unit]
Description=Refresh heliograph dashboard every minute
[Timer]
OnBootSec=20s
OnUnitActiveSec=5m
AccuracySec=5s
[Install]
WantedBy=timers.target
[Unit]
Description=Email-authenticated age public key server
After=network-online.target tank-enc.mount
Wants=network-online.target
StartLimitIntervalSec=0
[Service]
Type=exec
ExecStart=/usr/local/bin/age-keyserver -listen localhost:13889 -db /tank/keyserver/keyserver.sqlite3 -logdir /tank/keyserver/tlog
EnvironmentFile=/tank/enc/age-keyserver.env
StandardOutput=append:/var/log/age-keyserver.jsonl
StandardError=journal
Restart=always
# RestartSteps=10
# RestartMaxDelaySec=60s
RestartSec=60s
[Install]
WantedBy=tank-enc.mount
[Unit]
After=network-online.target
Wants=network-online.target
Before=caddy.service
StartLimitIntervalSec=0
[Service]
ExecStart=/usr/local/bin/pkg.geomys.dev -addr localhost:8081
DynamicUser=true
Restart=always
# RestartSteps=10
# RestartMaxDelaySec=60s
RestartSec=60s
[Install]
WantedBy=multi-user.target
[Unit]
Description=PLC Directory Replica
Documentation=https://github.com/did-method-plc/go-didplc/tree/main/cmd/plc-replica
After=network-online.target
Wants=network-online.target
Before=caddy.service
StartLimitIntervalSec=0
[Service]
ExecStart=/usr/local/bin/plc-replica \
--db-url "sqlite:///tank/plc/replica.db?mode=rwc&cache=shared&_journal_mode=WAL" \
--bind localhost:6780 \
--metrics-addr localhost:9464 \
--num-workers 16 \
--log-json
StandardOutput=append:/var/log/plc-replica.jsonl
StandardError=journal
Restart=always
# RestartSteps=10
# RestartMaxDelaySec=60s
RestartSec=60s
MemoryMax=24G
MemorySwapMax=0
ProtectSystem=strict
ReadWritePaths=/tank/plc
ProtectHome=yes
NoNewPrivileges=yes
PrivateTmp=yes
[Install]
WantedBy=multi-user.target
[Unit]
Description=https://github.com/FiloSottile/mostly-harmless/tree/main/public-config
After=network-online.target
Wants=network-online.target
Before=caddy.service
StartLimitIntervalSec=0
[Service]
ExecStart=/usr/local/bin/public-config
DynamicUser=true
Restart=always
# RestartSteps=10
# RestartMaxDelaySec=60s
RestartSec=60s
[Install]
WantedBy=multi-user.target
/var/log/sunlight.jsonl {
daily
rotate 10
copytruncate
compress
delaycompress
notifempty
missingok
}
/var/log/sunlight-staging.jsonl {
daily
rotate 10
copytruncate
compress
delaycompress
notifempty
missingok
}
config.sunlight.geomys.org:443 {
bind 185.230.223.196 [2a0c:2f07:c1::c4]
reverse_proxy localhost:8080
}
stats.sunlight.geomys.org:443 {
bind 185.230.223.196 [2a0c:2f07:c1::c4]
root * /var/www/heliograph
file_server
encode zstd gzip
header Cache-Control "public, max-age=60"
}
keyserver.geomys.org:443 {
bind 185.230.223.196 [2a0c:2f07:c1::c4]
reverse_proxy localhost:13889
}
pkg.geomys.dev:443 {
bind 185.230.223.196 [2a0c:2f07:c1::c4]
reverse_proxy localhost:8081
}
plc.geomys.org:443 {
bind 185.230.223.196 [2a0c:2f07:c1::c4]
reverse_proxy localhost:6780
}
global:
scrape_interval: 15s
scrape_configs:
- job_name: prometheus
static_configs:
- targets:
- localhost:9090
- job_name: node
static_configs:
- targets:
- localhost:9100
- job_name: plc
static_configs:
- targets:
- localhost:9464
- job_name: tuscolo
scheme: https
static_configs:
- targets:
- tuscolo.sunlight.geomys.org
- job_name: navigli
scheme: https
static_configs:
- targets:
- navigli.sunlight.geomys.org
- job_name: skylight
scheme: https
static_configs:
- targets:
- skylight.geomys.org
- job_name: twig
scheme: https
static_configs:
- targets:
- log.twig.ct.letsencrypt.org
- job_name: sycamore
scheme: https
static_configs:
- targets:
- log.sycamore.ct.letsencrypt.org
- job_name: willow
scheme: https
static_configs:
- targets:
- log.willow.ct.letsencrypt.org
- job_name: gouda
scheme: https
static_configs:
- targets:
- gouda2027h2.log.ct.ipng.ch
- job_name: rennet
scheme: https
static_configs:
- targets:
- rennet2027h2.log.ct.ipng.ch
#!/bin/sh
set -eu
out=/var/lib/prometheus/node-exporter/zfs.prom
tmp=$(mktemp "$out.XXXXXX")
{
echo '# TYPE zfs_dataset_referenced_bytes gauge'
echo '# TYPE zfs_dataset_logicalreferenced_bytes gauge'
echo '# TYPE zfs_dataset_available_bytes gauge'
zfs list -Hp -r -o name,referenced,logicalreferenced,available tank/logs \
| awk '{
printf "zfs_dataset_referenced_bytes{dataset=\"%s\"} %s\n", $1, $2
printf "zfs_dataset_logicalreferenced_bytes{dataset=\"%s\"} %s\n", $1, $3
printf "zfs_dataset_available_bytes{dataset=\"%s\"} %s\n", $1, $4
}'
} > "$tmp"
chmod 0644 "$tmp"
mv "$tmp" "$out"
[Unit]
Description=Write ZFS dataset metrics for node_exporter textfile collector
[Service]
Type=oneshot
ExecStart=/usr/local/bin/zfs-textfile
TimeoutStartSec=30s
[Unit]
Description=Run zfs-textfile every minute
[Timer]
OnBootSec=30s
OnUnitActiveSec=60s
AccuracySec=1s
[Install]
WantedBy=timers.target