production-openbsd/etc/hostname.wg0.example

# /etc/hostname.wg0 — WireGuard tunnel to nullstone
#
# Generate keys (do this on the edge box, NOT in this repo):
#   doas openssl rand -base64 32 > /etc/wg/edge.key
#   chmod 600 /etc/wg/edge.key
#   wg pubkey < /etc/wg/edge.key > /etc/wg/edge.pub
#
# Get nullstone's wg pubkey separately and paste below.
#
# Then: doas mv hostname.wg0.example /etc/hostname.wg0, edit values, sh /etc/netstart wg0

inet 10.10.10.1 255.255.255.248      # /29 subnet, edge = .1
mtu 1420
!/usr/local/bin/wg set wg0 \
    listen-port 51820 \
    private-key /etc/wg/edge.key \
    peer NULLSTONE_PUB_KEY_HERE= \
        endpoint 192.168.0.100:51820 \
        allowed-ips 10.10.10.2/32 \
        persistent-keepalive 25
!route -q add -net 10.10.10.0/29 10.10.10.1
up
feat: production-openbsd v0.1 scaffold Sister to s8n/production-deb. Edge-box config + provision script for running the OpenBSD-edge role per s8n/production-setup-audit Topology 02. v0.1 = stock OpenBSD install ISO (interactive, 5 min) + scripted provision from onyx. Autoinstall ISO build deferred to v0.2. Layout: README.md workflow + service mapping (Debian → OpenBSD) flash.sh burn stock install76.iso to USB etc/ pf / relayd / acme-client / unbound / hostname.wg0.example / sshd_config / doas.conf scripts/ provision.sh from onyx: SSH+git clone+run install.sh install.sh on edge: copy /etc/, validate, restart, cron cert-renew-check.sh weekly LE renewal read-logs.sh pull /var/log/ for offline diagnostics docs/ setup-checklist.md 7-phase first-time install walkthrough Hardware target: Dell Precision T5600 per s8n/production-setup-audit/hardware/dell-t5600.md WG mesh: 10.10.10.0/29 between edge (.1) and nullstone (.2). UDP 51820. Keys generated per-host (NEVER committed to repo). Public traffic flow after migration: Internet → router → edge T5600 (relayd TLS term) → wg0 → nullstone Traefik (10.10.10.2:8443, private only) CVE delta vs single-host Debian: regreSSHion + xz backdoor mitigated; public IP runs OpenBSD base only — no systemd, no glibc, no Docker. 2026-05-08 14:10:29 +01:00			`# /etc/hostname.wg0 — WireGuard tunnel to nullstone`
			`#`
			`# Generate keys (do this on the edge box, NOT in this repo):`
			`# doas openssl rand -base64 32 > /etc/wg/edge.key`
			`# chmod 600 /etc/wg/edge.key`
			`# wg pubkey < /etc/wg/edge.key > /etc/wg/edge.pub`
			`#`
			`# Get nullstone's wg pubkey separately and paste below.`
			`#`
			`# Then: doas mv hostname.wg0.example /etc/hostname.wg0, edit values, sh /etc/netstart wg0`

			`inet 10.10.10.1 255.255.255.248 # /29 subnet, edge = .1`
			`mtu 1420`
			`!/usr/local/bin/wg set wg0 \`
			`listen-port 51820 \`
			`private-key /etc/wg/edge.key \`
			`peer NULLSTONE_PUB_KEY_HERE= \`
			`endpoint 192.168.0.100:51820 \`
			`allowed-ips 10.10.10.2/32 \`
			`persistent-keepalive 25`
			`!route -q add -net 10.10.10.0/29 10.10.10.1`
			`up`