production-openbsd/README.md
obsidian-ai be77f1eb2f feat: production-openbsd v0.1 scaffold
Sister to s8n/production-deb. Edge-box config + provision script for
running the OpenBSD-edge role per s8n/production-setup-audit Topology 02.

v0.1 = stock OpenBSD install ISO (interactive, 5 min) + scripted provision
from onyx. Autoinstall ISO build deferred to v0.2.

Layout:
  README.md                    workflow + service mapping (Debian → OpenBSD)
  flash.sh                     burn stock install76.iso to USB
  etc/                         pf / relayd / acme-client / unbound /
                               hostname.wg0.example / sshd_config / doas.conf
  scripts/
    provision.sh               from onyx: SSH+git clone+run install.sh
    install.sh                 on edge: copy /etc/*, validate, restart, cron
    cert-renew-check.sh        weekly LE renewal
    read-logs.sh               pull /var/log/* for offline diagnostics
  docs/
    setup-checklist.md         7-phase first-time install walkthrough

Hardware target: Dell Precision T5600 per
  s8n/production-setup-audit/hardware/dell-t5600.md

WG mesh: 10.10.10.0/29 between edge (.1) and nullstone (.2). UDP 51820.
Keys generated per-host (NEVER committed to repo).

Public traffic flow after migration:
  Internet → router → edge T5600 (relayd TLS term) → wg0 →
  nullstone Traefik (10.10.10.2:8443, private only)

CVE delta vs single-host Debian: regreSSHion + xz backdoor mitigated;
public IP runs OpenBSD base only — no systemd, no glibc, no Docker.
2026-05-08 14:10:29 +01:00


# production-openbsd

Edge-box OpenBSD config + provision script. Sister to `s8n/production-deb`.

Target role per [`s8n/production-setup-audit`](https://git.s8n.ru/s8n/production-setup-audit)
Topology 02: **OpenBSD bare metal on Dell Precision T5600** running pf +
relayd + acme-client + unbound + WireGuard. Public 80/443/22 land here;
nullstone (Debian compute) sits behind the WG tunnel on private addrs only.
## v0.1 workflow (manual interactive install + scripted provision)

OpenBSD's installer is small and interactive (~5 min). First-pass workflow:

1. **Burn stock OpenBSD install ISO** (`install76.iso` from
   <https://www.openbsd.org/76.html>) to a USB. Boot Dell, run installer.
   Pick:
   - Hostname (e.g. `flintstone`)
   - Network interface (em0/em1 — onboard Intel I217 typically)
   - Disk encryption: **yes** — softraid bioctl-style FDE
   - Sets: `bsd, bsd.mp, base, comp, man` (skip `xenocara` — no GUI on edge)
   - Root SSH: yes (key-only configured later by provision.sh)
   - Default user: `user`
2. **Reboot, log in as user, copy public SSH key** for onyx into
   `~/.ssh/authorized_keys`.
3. **From onyx, run** `./scripts/provision.sh user@<edge-ip>` — this clones
   the repo onto the edge box, runs `install.sh` to apply pf/relayd/acme/
   unbound/wg configs.

Edge box now ready to take public 80/443 traffic.
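Step 3 ends in `install.sh`, which this README describes only by its effects (copy `/etc/*`, validate, restart, cron). The script below is an added example of what that apply step can look like; it is not the repo's own `install.sh`. It checks every staged file with the daemon's parse-only mode before anything in `/etc` is touched, installs in one pass, reloads pf before the services behind it and sshd last, and adds the weekly `cert-renew-check.sh` cron line without duplicating it. The checkout path `$REPO`, the file modes, the Monday 04:00 schedule and the `apply` argument are assumptions; `hostname.wg0` is deliberately not managed, matching the rule that key material never enters the repo.

```shell
#!/bin/sh
# Added example of an install.sh-style apply step for the edge box (not the
# repo's own install.sh). Assumes the repo is checked out at $REPO on the edge
# and that $REPO/etc/ holds the files named in the Layout section.
# DRY_RUN=1 prints every privileged command instead of executing it.
set -eu

REPO="${REPO:-${HOME:-/root}/production-openbsd}"   # assumed checkout path
DRY_RUN="${DRY_RUN:-0}"
MANAGED="pf.conf relayd.conf acme-client.conf unbound.conf sshd_config doas.conf"

# Per file: destination, mode, and the daemon's parse-only checker.
# hostname.wg0 is deliberately absent: WG keys are generated per host and
# never pass through the repo, so it is never overwritten from here.
spec_for() {
    case "$1" in
        pf.conf)          echo "/etc/pf.conf 0600 pfctl -nf" ;;
        relayd.conf)      echo "/etc/relayd.conf 0600 relayd -n -f" ;;
        acme-client.conf) echo "/etc/acme-client.conf 0644 acme-client -n -f" ;;
        unbound.conf)     echo "/var/unbound/etc/unbound.conf 0644 unbound-checkconf" ;;
        sshd_config)      echo "/etc/ssh/sshd_config 0644 sshd -t -f" ;;
        doas.conf)        echo "/etc/doas.conf 0600 doas -C" ;;
        *)                return 1 ;;
    esac
}

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Check every staged file with its daemon's syntax checker before anything in
# /etc is touched, so one typo cannot leave the box half-configured.
validate_all() {
    for f in $MANAGED; do
        [ -f "$REPO/etc/$f" ] || { echo "missing $REPO/etc/$f" >&2; return 1; }
        set -- $(spec_for "$f")
        shift 2                       # drop dest and mode, keep the checker
        run "$@" "$REPO/etc/$f"
    done
}

# Copy each validated file into place with root:wheel ownership and its mode.
install_all() {
    for f in $MANAGED; do
        set -- $(spec_for "$f")
        run install -o root -g wheel -m "$2" "$REPO/etc/$f" "$1"
    done
}

# Reload order: firewall first, then the daemons behind it, sshd last so the
# session used for provisioning survives a mistake in an earlier step.
restart_all() {
    run pfctl -f /etc/pf.conf
    if [ -f /etc/hostname.wg0 ]; then run sh /etc/netstart wg0; fi
    for svc in unbound relayd; do
        run rcctl enable "$svc"
        run rcctl restart "$svc"
    done
    run rcctl restart sshd
}

# Weekly renewal check (Monday 04:00, an assumed schedule). Keyed on the script
# name so re-running the provision does not add a duplicate line.
install_cron() {
    line="0 4 * * 1 $REPO/scripts/cert-renew-check.sh"
    if crontab -l 2>/dev/null | grep -q cert-renew-check.sh; then return 0; fi
    { crontab -l 2>/dev/null || true; echo "$line"; } | run crontab -
}

# Usage on the edge box: doas sh install.sh apply   (DRY_RUN=1 to preview)
if [ "${1:-}" = apply ]; then
    validate_all && install_all && restart_all && install_cron
fi
```

Validation runs against the staged copy in the checkout rather than the file already in `/etc`, so a rejected file never replaces a working one; the `DRY_RUN=1` preview is the sanity check to run from the provisioning session before the first real apply.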
## v0.2 deferred — autoinstall ISO

Build an OpenBSD install ISO with `auto_install.conf` baked so install runs
unattended like production-deb's preseed. Defer until v0.1 proven on this
hardware.

## Layout

```
README.md
provision.sh              one-shot provision: copy configs, restart services
flash.sh                  flash stock OpenBSD install ISO to USB
etc/
  pf.conf                 default-deny + WAN→LAN nat + WG passthrough
  relayd.conf             TLS terminator → backend nullstone WG IP
  acme-client.conf        LE certs via Gandi DNS-01
  unbound.conf            recursive DNS for tunnel + LAN
  hostname.wg0.example    WG interface (key material handed out separately)
  doas.conf               minimal admin
  sshd_config             key-only, no root login
scripts/
  provision.sh            push configs + apply
  read-logs.sh            pull /var/log/* from edge box for offline review
  cert-renew-check.sh     verify acme-client renewal cron working
  fetch-keys.sh           generate WG keypair + record pubkey
docs/
  setup-checklist.md      step-by-step install + provision walkthrough
  service-map.md          which OpenBSD service maps to which Debian role
  migration-from-deb.md   how to peel off TLS+DNS+ACME from nullstone
```
## Service mapping (Debian → OpenBSD)

| Debian (currently nullstone) | OpenBSD (T5600 edge) |
|------------------------------|------------------------|
| Traefik (TLS termination + reverse proxy) | relayd |
| acme-companion / Traefik LE | acme-client |
| Pi-hole DNS recursive | unbound (Pi-hole stays on Pi for LAN ad-block) |
| Tailscale + Headscale (admin plane) | WireGuard direct (only this 2-host link) |
| ufw / nftables | pf |
| sshd hardened | sshd hardened (different impl, smaller surface) |

Headscale stays on nullstone — admin plane unchanged. Edge box only handles
public traffic + WG tunnel into nullstone's private subnet.
## Why not autoinstall yet

The interactive OpenBSD install is fast enough that automating the first pass
isn't worth learning the autoinstall toolchain yet. Once the manual config
proves out on T5600 hardware, v0.2 will bake the answers into a custom
miniroot for repeatable rebuilds.

## Forgejo remote

`ssh://git@192.168.0.100:222/s8n/production-openbsd.git`