production-openbsd/README.md

# production-openbsd

Edge-box OpenBSD config + provision script. Sister to `s8n/production-deb`.

Target role per [`s8n/production-setup-audit`](https://git.s8n.ru/s8n/production-setup-audit)
Topology 02: **OpenBSD bare metal on Dell Precision T5600** running pf +
relayd + acme-client + unbound + WireGuard. Public 80/443/22 land here;
nullstone (Debian compute) sits behind the WG tunnel on private addrs only.

## v0.1 workflow (manual interactive install + scripted provision)

OpenBSD's installer is small and interactive (~5 min). First-pass workflow:

1. **Burn stock OpenBSD install ISO** (`install76.iso` from
   <https://www.openbsd.org/76.html>) to a USB. Boot Dell, run installer.
   Pick:
   - Hostname (e.g. `flintstone`)
   - Network interface (em0/em1 — onboard Intel I217 typically)
   - Disk encryption: **yes** — softraid bioctl-style FDE
   - Sets: `bsd, bsd.mp, base, comp, man` (skip `xenocara` — no GUI on edge)
   - Root SSH: yes (key-only configured later by provision.sh)
   - Default user: `user`
2. **Reboot, log in as user, copy public SSH key** for onyx into
   `~/.ssh/authorized_keys`.
3. **From onyx, run** `./scripts/provision.sh user@<edge-ip>` — this clones
   the repo onto the edge box, runs `install.sh` to apply pf/relayd/acme/
   unbound/wg configs.

Edge box now ready to take public 80/443 traffic.

## v0.2 deferred — autoinstall ISO

Build an OpenBSD install ISO with `auto_install.conf` baked so install runs
unattended like production-deb's preseed. Defer until v0.1 proven on this
hardware.

## Layout

```
README.md
provision.sh              one-shot provision: copy configs, restart services
flash.sh                  flash stock OpenBSD install ISO to USB

etc/
  pf.conf                 default-deny + WAN→LAN nat + WG passthrough
  relayd.conf             TLS terminator → backend nullstone WG IP
  acme-client.conf        LE certs via Gandi DNS-01
  unbound.conf            recursive DNS for tunnel + LAN
  hostname.wg0.example    WG interface (key material handed-out separately)
  doas.conf               minimal admin
  sshd_config             key-only, no root login

scripts/
  provision.sh            push configs + apply
  read-logs.sh            pull /var/log/* from edge box for offline review
  cert-renew-check.sh     verify acme-client renewal cron working
  fetch-keys.sh           generate WG keypair + record pubkey

docs/
  setup-checklist.md      step-by-step install + provision walkthrough
  service-map.md          which OpenBSD service maps to which Debian role
  migration-from-deb.md   how to peel off TLS+DNS+ACME from nullstone
```

## Service mapping (Debian → OpenBSD)

| Debian (currently nullstone) | OpenBSD (T5600 edge) |
|------------------------------|------------------------|
| Traefik (TLS termination + reverse proxy) | relayd |
| acme-companion / Traefik LE | acme-client |
| Pi-hole DNS recursive | unbound (Pi-hole stays on Pi for LAN ad-block) |
| Tailscale + Headscale (admin plane) | WireGuard direct (only this 2-host link) |
| ufw / nftables | pf |
| sshd hardened | sshd hardened (different impl, smaller surface) |

Headscale stays on nullstone — admin plane unchanged. Edge box only handles
public traffic + WG tunnel into nullstone's private subnet.

## Why not autoinstall yet

OpenBSD install is fast enough interactive that automating the first pass
isn't worth the autoinstall toolchain learning. Once the manual config
proves out on T5600 hardware, v0.2 will bake the answers into a custom
miniroot for repeatable rebuilds.

## Forgejo remote

`ssh://git@192.168.0.100:222/s8n/production-openbsd.git`
feat: production-openbsd v0.1 scaffold Sister to s8n/production-deb. Edge-box config + provision script for running the OpenBSD-edge role per s8n/production-setup-audit Topology 02. v0.1 = stock OpenBSD install ISO (interactive, 5 min) + scripted provision from onyx. Autoinstall ISO build deferred to v0.2. Layout: README.md workflow + service mapping (Debian → OpenBSD) flash.sh burn stock install76.iso to USB etc/ pf / relayd / acme-client / unbound / hostname.wg0.example / sshd_config / doas.conf scripts/ provision.sh from onyx: SSH+git clone+run install.sh install.sh on edge: copy /etc/, validate, restart, cron cert-renew-check.sh weekly LE renewal read-logs.sh pull /var/log/ for offline diagnostics docs/ setup-checklist.md 7-phase first-time install walkthrough Hardware target: Dell Precision T5600 per s8n/production-setup-audit/hardware/dell-t5600.md WG mesh: 10.10.10.0/29 between edge (.1) and nullstone (.2). UDP 51820. Keys generated per-host (NEVER committed to repo). Public traffic flow after migration: Internet → router → edge T5600 (relayd TLS term) → wg0 → nullstone Traefik (10.10.10.2:8443, private only) CVE delta vs single-host Debian: regreSSHion + xz backdoor mitigated; public IP runs OpenBSD base only — no systemd, no glibc, no Docker. 2026-05-08 14:10:29 +01:00			`# production-openbsd`

			Edge-box OpenBSD config + provision script. Sister to `s8n/production-deb`.

			Target role per [`s8n/production-setup-audit`](https://git.s8n.ru/s8n/production-setup-audit)
			`Topology 02: OpenBSD bare metal on Dell Precision T5600 running pf +`
			`relayd + acme-client + unbound + WireGuard. Public 80/443/22 land here;`
			`nullstone (Debian compute) sits behind the WG tunnel on private addrs only.`

			`## v0.1 workflow (manual interactive install + scripted provision)`

			`OpenBSD's installer is small and interactive (~5 min). First-pass workflow:`

			1. Burn stock OpenBSD install ISO (`install76.iso` from
			`<https://www.openbsd.org/76.html>) to a USB. Boot Dell, run installer.`
			`Pick:`
			- Hostname (e.g. `flintstone`)
			`- Network interface (em0/em1 — onboard Intel I217 typically)`
			`- Disk encryption: yes — softraid bioctl-style FDE`
			- Sets: `bsd, bsd.mp, base, comp, man` (skip `xenocara` — no GUI on edge)
			`- Root SSH: yes (key-only configured later by provision.sh)`
			- Default user: `user`
			`2. Reboot, log in as user, copy public SSH key for onyx into`
			`~/.ssh/authorized_keys`.
			3. From onyx, run `./scripts/provision.sh user@<edge-ip>` — this clones
			the repo onto the edge box, runs `install.sh` to apply pf/relayd/acme/
			`unbound/wg configs.`

			`Edge box now ready to take public 80/443 traffic.`

			`## v0.2 deferred — autoinstall ISO`

			Build an OpenBSD install ISO with `auto_install.conf` baked so install runs
			`unattended like production-deb's preseed. Defer until v0.1 proven on this`
			`hardware.`

			`## Layout`

			```
			`README.md`
			`provision.sh one-shot provision: copy configs, restart services`
			`flash.sh flash stock OpenBSD install ISO to USB`

			`etc/`
			`pf.conf default-deny + WAN→LAN nat + WG passthrough`
			`relayd.conf TLS terminator → backend nullstone WG IP`
			`acme-client.conf LE certs via Gandi DNS-01`
			`unbound.conf recursive DNS for tunnel + LAN`
			`hostname.wg0.example WG interface (key material handed-out separately)`
			`doas.conf minimal admin`
			`sshd_config key-only, no root login`

			`scripts/`
			`provision.sh push configs + apply`
			`read-logs.sh pull /var/log/* from edge box for offline review`
			`cert-renew-check.sh verify acme-client renewal cron working`
			`fetch-keys.sh generate WG keypair + record pubkey`

			`docs/`
			`setup-checklist.md step-by-step install + provision walkthrough`
			`service-map.md which OpenBSD service maps to which Debian role`
			`migration-from-deb.md how to peel off TLS+DNS+ACME from nullstone`
			```

			`## Service mapping (Debian → OpenBSD)`

			`\| Debian (currently nullstone) \| OpenBSD (T5600 edge) \|`
			`\|------------------------------\|------------------------\|`
			`\| Traefik (TLS termination + reverse proxy) \| relayd \|`
			`\| acme-companion / Traefik LE \| acme-client \|`
			`\| Pi-hole DNS recursive \| unbound (Pi-hole stays on Pi for LAN ad-block) \|`
			`\| Tailscale + Headscale (admin plane) \| WireGuard direct (only this 2-host link) \|`
			`\| ufw / nftables \| pf \|`
			`\| sshd hardened \| sshd hardened (different impl, smaller surface) \|`

			`Headscale stays on nullstone — admin plane unchanged. Edge box only handles`
			`public traffic + WG tunnel into nullstone's private subnet.`

			`## Why not autoinstall yet`

			`OpenBSD install is fast enough interactive that automating the first pass`
			`isn't worth the autoinstall toolchain learning. Once the manual config`
			`proves out on T5600 hardware, v0.2 will bake the answers into a custom`
			`miniroot for repeatable rebuilds.`

			`## Forgejo remote`

			`ssh://git@192.168.0.100:222/s8n/production-openbsd.git`