s8n/production-openbsd
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
production-openbsd/etc/doas.conf

11 lines
460 B
Text
Raw Permalink Normal View History

feat: production-openbsd v0.1 scaffold Sister to s8n/production-deb. Edge-box config + provision script for running the OpenBSD-edge role per s8n/production-setup-audit Topology 02. v0.1 = stock OpenBSD install ISO (interactive, 5 min) + scripted provision from onyx. Autoinstall ISO build deferred to v0.2. Layout: README.md workflow + service mapping (Debian → OpenBSD) flash.sh burn stock install76.iso to USB etc/ pf / relayd / acme-client / unbound / hostname.wg0.example / sshd_config / doas.conf scripts/ provision.sh from onyx: SSH+git clone+run install.sh install.sh on edge: copy /etc/*, validate, restart, cron cert-renew-check.sh weekly LE renewal read-logs.sh pull /var/log/* for offline diagnostics docs/ setup-checklist.md 7-phase first-time install walkthrough Hardware target: Dell Precision T5600 per s8n/production-setup-audit/hardware/dell-t5600.md WG mesh: 10.10.10.0/29 between edge (.1) and nullstone (.2). UDP 51820. Keys generated per-host (NEVER committed to repo). Public traffic flow after migration: Internet → router → edge T5600 (relayd TLS term) → wg0 → nullstone Traefik (10.10.10.2:8443, private only) CVE delta vs single-host Debian: regreSSHion + xz backdoor mitigated; public IP runs OpenBSD base only — no systemd, no glibc, no Docker.
2026-05-08 14:10:29 +01:00
# /etc/doas.conf — minimal sudo replacement on OpenBSD
# user = primary admin, can do anything with password
permit persist user as root
# Common operational commands without password (for cron + scripts)
permit nopass user as root cmd /usr/sbin/rcctl
permit nopass user as root cmd /usr/local/sbin/acme-client
permit nopass user as root cmd /sbin/pfctl args -nf /etc/pf.conf
permit nopass user as root cmd /bin/sh args /usr/local/sbin/cert-renew-check.sh
Reference in a new issue Copy permalink