production-openbsd/scripts/provision.sh

#!/bin/sh
# provision.sh — one-shot provision: clone repo onto edge box, run install.sh
#
# Usage (run from onyx):
#   ./scripts/provision.sh user@<edge-ip-or-hostname>
#
# What it does:
#   1. SSH into edge box, install required pkgs (acme-client + wireguard-tools)
#   2. git clone this repo to /tmp/production-openbsd
#   3. Run /tmp/production-openbsd/scripts/install.sh on the edge box
#      which copies /etc/* + enables services + reloads
#
# Expected pre-state:
#   - OpenBSD 7.6+ installed on edge box
#   - User 'user' exists with sudo/doas access
#   - Your SSH pubkey already in user@edge:.ssh/authorized_keys
#   - WG keys generated separately (see etc/hostname.wg0.example header)

set -eu

TARGET="${1:-}"
[ -n "$TARGET" ] || { echo "Usage: $0 user@<edge-ip>" >&2; exit 1; }

REPO_URL="ssh://git@192.168.0.100:222/s8n/production-openbsd.git"
REMOTE_PATH="/tmp/production-openbsd"

echo "[*] Provisioning $TARGET ..."

ssh "$TARGET" -- "/bin/sh -se" <<EOF
set -eu
echo "[remote] installing prerequisites"
doas pkg_add -I acme-client wireguard-tools git rsync || true
[ -d $REMOTE_PATH ] && rm -rf $REMOTE_PATH
git clone $REPO_URL $REMOTE_PATH
cd $REMOTE_PATH
doas /bin/sh scripts/install.sh
echo "[remote] provision complete"
EOF

echo "[*] Done. Verify: ssh $TARGET 'doas pfctl -sr | head'"
feat: production-openbsd v0.1 scaffold Sister to s8n/production-deb. Edge-box config + provision script for running the OpenBSD-edge role per s8n/production-setup-audit Topology 02. v0.1 = stock OpenBSD install ISO (interactive, 5 min) + scripted provision from onyx. Autoinstall ISO build deferred to v0.2. Layout: README.md workflow + service mapping (Debian → OpenBSD) flash.sh burn stock install76.iso to USB etc/ pf / relayd / acme-client / unbound / hostname.wg0.example / sshd_config / doas.conf scripts/ provision.sh from onyx: SSH+git clone+run install.sh install.sh on edge: copy /etc/, validate, restart, cron cert-renew-check.sh weekly LE renewal read-logs.sh pull /var/log/ for offline diagnostics docs/ setup-checklist.md 7-phase first-time install walkthrough Hardware target: Dell Precision T5600 per s8n/production-setup-audit/hardware/dell-t5600.md WG mesh: 10.10.10.0/29 between edge (.1) and nullstone (.2). UDP 51820. Keys generated per-host (NEVER committed to repo). Public traffic flow after migration: Internet → router → edge T5600 (relayd TLS term) → wg0 → nullstone Traefik (10.10.10.2:8443, private only) CVE delta vs single-host Debian: regreSSHion + xz backdoor mitigated; public IP runs OpenBSD base only — no systemd, no glibc, no Docker. 2026-05-08 14:10:29 +01:00			`#!/bin/sh`
			`# provision.sh — one-shot provision: clone repo onto edge box, run install.sh`
			`#`
			`# Usage (run from onyx):`
			`# ./scripts/provision.sh user@<edge-ip-or-hostname>`
			`#`
			`# What it does:`
			`# 1. SSH into edge box, install required pkgs (acme-client + wireguard-tools)`
			`# 2. git clone this repo to /tmp/production-openbsd`
			`# 3. Run /tmp/production-openbsd/scripts/install.sh on the edge box`
			`# which copies /etc/* + enables services + reloads`
			`#`
			`# Expected pre-state:`
			`# - OpenBSD 7.6+ installed on edge box`
			`# - User 'user' exists with sudo/doas access`
			`# - Your SSH pubkey already in user@edge:.ssh/authorized_keys`
			`# - WG keys generated separately (see etc/hostname.wg0.example header)`

			`set -eu`

			`TARGET="${1:-}"`
			`[ -n "$TARGET" ] \|\| { echo "Usage: $0 user@<edge-ip>" >&2; exit 1; }`

			`REPO_URL="ssh://git@192.168.0.100:222/s8n/production-openbsd.git"`
			`REMOTE_PATH="/tmp/production-openbsd"`

			`echo "[*] Provisioning $TARGET ..."`

			`ssh "$TARGET" -- "/bin/sh -se" <<EOF`
			`set -eu`
			`echo "[remote] installing prerequisites"`
			`doas pkg_add -I acme-client wireguard-tools git rsync \|\| true`
			`[ -d $REMOTE_PATH ] && rm -rf $REMOTE_PATH`
			`git clone $REPO_URL $REMOTE_PATH`
			`cd $REMOTE_PATH`
			`doas /bin/sh scripts/install.sh`
			`echo "[remote] provision complete"`
			`EOF`

			`echo "[*] Done. Verify: ssh $TARGET 'doas pfctl -sr \| head'"`