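#!/bin/sh
# install.sh — runs on the edge box (called by provision.sh)
#
# Copies repo's etc/* into /etc/, validates configs, restarts services.
# Idempotent: re-running just refreshes configs (and the cert-renew script).
#
# Safety order for a remote host: the repo copies are syntax-checked BEFORE
# anything under /etc is replaced, the live files are snapshotted per run,
# and that snapshot is rolled back if the in-place check after install
# fails — so a bad commit cannot leave pf/sshd/doas with a config that
# locks the operator out.
set -eu

log() { printf '[install] %s\n' "$*"; }
die() { printf '[install] ERROR: %s\n' "$*" >&2; exit 1; }

# Everything below writes to /etc and drives rcctl; bail out early rather
# than failing halfway through on EPERM.
[ "$(id -u)" -eq 0 ] || die "must run as root (e.g. via doas)"

cd "$(dirname "$0")/.." || die "cannot cd to repo root"
REPO_DIR="$(pwd -P)"
log "running from $REPO_DIR"

# Managed files, one per row: <repo-relative src> <install path> <mode>.
# All but unbound.conf stay 0600: they carry key/cert paths or auth policy.
CONFIGS='
etc/pf.conf          /etc/pf.conf                  600
etc/relayd.conf      /etc/relayd.conf              600
etc/acme-client.conf /etc/acme-client.conf         600
etc/unbound.conf     /var/unbound/etc/unbound.conf 644
etc/sshd_config      /etc/ssh/sshd_config          600
etc/doas.conf        /etc/doas.conf                600
'

# Run handler "$1" once per CONFIGS row as: handler <abs src> <dst> <mode>.
# The loop is a pipeline stage (subshell), so handlers must not rely on
# setting globals; a handler failure aborts the whole script via die.
each_config() {
  printf '%s\n' "$CONFIGS" | while read -r src dst mode; do
    [ -n "$src" ] || continue
    "$@" "$REPO_DIR/$src" "$dst" "$mode" || die "$1 failed for $dst"
  done
}

# --- handlers (args: src dst mode) ---------------------------------------

# Syntax-check the repo copy; nothing on the host is touched yet.
# unbound.conf is deliberately absent here: unbound-checkconf rejects a
# config path that lies outside the chroot the file declares, so unbound is
# checked in place after install (with rollback) instead. acme-client.conf
# has no checker in this script, as before.
precheck() {
  case "$2" in
    /etc/pf.conf)         pfctl -nf "$1" ;;
    /etc/relayd.conf)     relayd -nf "$1" ;;
    /etc/ssh/sshd_config) sshd -t -f "$1" ;;
    /etc/doas.conf)       doas -C "$1" ;;
  esac
}

# One-time copy of the live file into BACKUP_DIR (first run only).
backup_once() {
  if [ -f "$2" ]; then cp -p "$2" "$BACKUP_DIR/"; fi
}

# Per-run copy of the live file under SNAP_DIR, mirroring its full path.
snapshot() {
  if [ -f "$2" ]; then
    mkdir -p "$SNAP_DIR${2%/*}"
    cp -p "$2" "$SNAP_DIR$2"
  fi
}

# Put the snapshot copy back; files that did not exist before are left as is.
restore_one() {
  if [ -f "$SNAP_DIR$2" ]; then cp -p "$SNAP_DIR$2" "$2"; fi
}

# install(1) writes the new file with the requested mode in one step.
install_one() {
  install -m "$3" "$1" "$2"
}

# === Validate repo copies before touching the host ===
log "validating repo configs"
each_config precheck

# === Backup existing configs once ===
BACKUP_DIR=/var/backups/production-openbsd-pre-install
if [ ! -d "$BACKUP_DIR" ]; then
  log "backing up current configs to $BACKUP_DIR"
  mkdir -p -m 700 "$BACKUP_DIR"   # holds 0600 files; keep the directory closed too
  each_config backup_once
fi

# === Snapshot live configs for rollback ===
# mktemp -d creates the directory 0700, so the 0600 copies stay private.
SNAP_DIR="$(mktemp -d /tmp/install-snap.XXXXXXXXXX)" || die "mktemp failed"
cleanup() { rm -rf -- "${SNAP_DIR:?}"; }
trap cleanup EXIT
each_config snapshot

# === Copy configs ===
log "installing configs"
each_config install_one

# === Validate in place ===
# pf is re-checked on the file pfctl -f will actually load; unbound can only
# be checked here (see precheck). On failure the snapshot is restored.
log "validating installed configs"
if ! pfctl -nf /etc/pf.conf || ! unbound-checkconf /var/unbound/etc/unbound.conf; then
  each_config restore_one
  die "installed configs failed validation; previous configs restored"
fi

# WireGuard is not managed from the repo: /etc/hostname.wg0 holds this
# host's wg key material, so it is only checked for, never copied.
if [ ! -f /etc/hostname.wg0 ]; then
  log "WARN: /etc/hostname.wg0 not present"
  log "Copy etc/hostname.wg0.example, generate keys, paste nullstone pubkey"
  log "See its header for steps. Skipping wg0 enable for now."
fi

# === Enable services ===
log "enabling services"
# NOTE(review): acme-client has no rc.d script on stock OpenBSD (it is run
# from the cron entry below) — confirm rcctl enable accepts it here, or
# drop it from the list so set -e does not abort on it.
rcctl enable pf relayd acme-client unbound sshd
if [ -f /etc/hostname.wg0 ]; then rcctl set wg flags || true; fi

# === Reload services ===
log "reloading services"
# Keep the current SSH session open until a fresh login succeeds: existing
# sessions survive the sshd restart; a bad config only shows on the next one.
rcctl reload pf || pfctl -f /etc/pf.conf
rcctl restart relayd
rcctl restart unbound
rcctl restart sshd

# === Cron for acme-client renewal (weekly) ===
RENEW_SCRIPT=/usr/local/sbin/cert-renew-check.sh
RENEW_SPEC='15 3 * * 0'
# Always refresh the script so edits land on re-run; add the cron line once.
install -m 755 "$REPO_DIR/scripts/cert-renew-check.sh" "$RENEW_SCRIPT"
if ! crontab -l 2>/dev/null | grep -qF -- "$RENEW_SCRIPT"; then
  log "adding weekly cert-renew cron"
  # `|| true`: under set -e a non-zero `crontab -l` (root has no crontab
  # yet) would exit the subshell before the new line is emitted, so the
  # entry would never be added on a fresh host.
  { crontab -l 2>/dev/null || true; printf '%s %s\n' "$RENEW_SPEC" "$RENEW_SCRIPT"; } | crontab -
fi

log "DONE"
log "verify:"
echo " pfctl -sr | head"
echo " rcctl ls on"
echo " acme-client -v s8n.ru # request first cert (DNS-01 manual for now)"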