# production-openbsd

Edge-box OpenBSD config + provision script. Sister to `s8n/production-deb`.

Target role per [`s8n/production-setup-audit`](https://git.s8n.ru/s8n/production-setup-audit) Topology 02: **OpenBSD bare metal on Dell Precision T5600** running pf + relayd + acme-client + unbound + WireGuard. Public 80/443/22 land here; nullstone (Debian compute) sits behind the WG tunnel on private addrs only.

## v0.1 workflow (manual interactive install + scripted provision)

OpenBSD's installer is small and interactive (~5 min). First-pass workflow:

1. **Burn the stock OpenBSD install ISO** (`install76.iso` from ) to a USB. Boot the Dell, run the installer. Pick:
   - Hostname (e.g. `flintstone`)
   - Network interface (em0/em1; the onboard Intel I217, typically)
   - Disk encryption: **yes** (the installer's softraid crypto FDE, the same thing `bioctl -c C` sets up by hand)
   - Sets: `bsd`, `bsd.mp`, `base`, `comp`, `man`; skip the X sets (`xbase`, `xfont`, `xserv`, `xshare`): no GUI on the edge
   - Root SSH: **yes** (provision.sh later installs a key-only `sshd_config` with root login disabled; answering `prohibit-password` at this prompt instead closes the password-login window before provisioning runs)
   - Default user: `user`
2. **Reboot, log in as `user`, copy the public SSH key** for onyx into `~/.ssh/authorized_keys`.
3. **From onyx, run** `./scripts/provision.sh user@`. This clones the repo onto the edge box and runs `install.sh` to apply the pf/relayd/acme/unbound/wg configs. The edge box is now ready to take public 80/443 traffic.

## v0.2 deferred: autoinstall ISO

Build an OpenBSD install ISO with `auto_install.conf` baked in so the install runs unattended, like production-deb's preseed. Defer until v0.1 is proven on this hardware.
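## Example: pf.conf shape for the v0.1 policy

The following is an added illustration of the firewall policy the topology above implies (default deny; 22/80/443 and the WireGuard port terminate on this box; nullstone is reachable only across `wg0`). It is not the repo's `etc/pf.conf`. Interface names, the WireGuard port, the LAN range, nullstone's tunnel address and the backend ports are assumptions, not values from this README.

```pf
# Added example, not the repo's etc/pf.conf. Every name and address below
# is an assumption; substitute the real ones before loading.
ext_if        = "em0"            # public side (assumed)
lan_if        = "em1"            # LAN side (assumed)
wg_if         = "wg0"
wg_port       = "51820"          # WireGuard listen port (assumed)
lan_net       = "192.168.0.0/24" # LAN range (assumed)
nullstone     = "10.8.0.2"       # nullstone's tunnel address (assumed)
backend_ports = "{ 80 443 }"     # ports relayd forwards to on nullstone (assumed)

table <bruteforce> persist

set skip on lo
set block-policy drop
set loginterface $ext_if

# Normalise packets and drop spoofed sources before any pass rule is evaluated.
match in all scrub (no-df random-id max-mss 1440)
antispoof quick for { $ext_if $lan_if }
block quick from <bruteforce>

# LAN -> WAN NAT. relayd(8) installs its own rules in the anchor if redirects are ever used.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)
anchor "relayd/*"

# Default deny, logged to pflog0. Everything below is an explicit exception.
block log all

# Management: key-only sshd. Rate-limit new connections and jail repeat offenders.
pass in on $ext_if inet proto tcp to ($ext_if) port 22 \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
# Public services: relayd terminates TLS here and proxies over the tunnel.
pass in on $ext_if inet proto tcp to ($ext_if) port { 80 443 }
# WireGuard endpoint for the nullstone tunnel.
pass in on $ext_if inet proto udp to ($ext_if) port $wg_port
pass in on $ext_if inet proto icmp to ($ext_if) icmp-type { echoreq unreach }

# LAN clients may query unbound on this box and reach the internet through it;
# the box itself may originate anything outward (acme-client, unbound recursion, pkg_add).
pass in on $lan_if inet from $lan_net
pass out on { $ext_if $lan_if } inet

# Tunnel policy: only relayd's backend traffic and admin SSH may cross to
# nullstone; from nullstone, only DNS to unbound and ping are accepted.
# Nothing arriving on wg0 is forwarded to the WAN, because no "pass in"
# rule on wg0 matches traffic to anything but this box's own tunnel address.
pass out on $wg_if inet proto tcp from ($wg_if) to $nullstone port $backend_ports
pass out on $wg_if inet proto tcp from ($wg_if) to $nullstone port 22
pass in  on $wg_if inet proto { tcp udp } from $nullstone to ($wg_if) port 53
pass in  on $wg_if inet proto icmp from $nullstone to ($wg_if) icmp-type echoreq
```

Check it with `pfctl -nf /etc/pf.conf` (parse only) before `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the loaded ruleset and `tcpdump -n -e -ttt -i pflog0` shows what the default deny is dropping during first-boot debugging.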
## Layout

```
README.md
provision.sh             one-shot provision: copy configs, restart services
flash.sh                 flash stock OpenBSD install ISO to USB
etc/
  pf.conf                default-deny + LAN→WAN nat + WG passthrough
  relayd.conf            TLS terminator → backend nullstone WG IP
  acme-client.conf       LE certs (http-01 on port 80; acme-client(1) has no DNS-01, so Gandi only hosts the zone)
  unbound.conf           recursive DNS for tunnel + LAN
  hostname.wg0.example   WG interface (key material handed out separately)
  doas.conf              minimal admin
  sshd_config            key-only, no root login
scripts/
  provision.sh           push configs + apply
  read-logs.sh           pull /var/log/* from edge box for offline review
  cert-renew-check.sh    verify acme-client renewal cron working
  fetch-keys.sh          generate WG keypair + record pubkey
docs/
  setup-checklist.md     step-by-step install + provision walkthrough
  service-map.md         which OpenBSD service maps to which Debian role
  migration-from-deb.md  how to peel off TLS+DNS+ACME from nullstone
```

## Service mapping (Debian → OpenBSD)

| Debian (currently nullstone)              | OpenBSD (T5600 edge)                                  |
|-------------------------------------------|-------------------------------------------------------|
| Traefik (TLS termination + reverse proxy) | relayd                                                |
| acme-companion / Traefik LE               | acme-client                                           |
| Pi-hole DNS recursive                     | unbound (Pi-hole stays on Pi for LAN ad-block)        |
| Tailscale + Headscale (admin plane)       | WireGuard direct (only this 2-host link)              |
| ufw / nftables                            | pf                                                    |
| sshd hardened                             | sshd hardened (different impl, smaller surface)       |

Headscale stays on nullstone; the admin plane is unchanged. The edge box only handles public traffic plus the WG tunnel into nullstone's private subnet.

## Why not autoinstall yet

The OpenBSD install is fast enough interactively that automating the first pass isn't worth learning the autoinstall toolchain yet. Once the manual config proves out on T5600 hardware, v0.2 will bake the answers into a custom miniroot for repeatable rebuilds.

## Forgejo remote

`ssh://git@192.168.0.100:222/s8n/production-openbsd.git`