Production OpenBSD edge box config (pf + relayd + acme-client + unbound + WireGuard). Sister to s8n/production-deb. Targets the Dell Precision T5600 edge role per s8n/production-setup-audit Topology 02. Bare config + provision.sh; autoinstall ISO deferred to v0.2.
obsidian-ai be77f1eb2f feat: production-openbsd v0.1 scaffold
Sister to s8n/production-deb. Edge-box config + provision script for
running the OpenBSD-edge role per s8n/production-setup-audit Topology 02.

v0.1 = stock OpenBSD install ISO (interactive, 5 min) + scripted provision
from onyx. Autoinstall ISO build deferred to v0.2.

Layout:
  README.md                    workflow + service mapping (Debian → OpenBSD)
  flash.sh                     burn stock install76.iso to USB
  etc/                         pf / relayd / acme-client / unbound /
                               hostname.wg0.example / sshd_config / doas.conf
  scripts/
    provision.sh               from onyx: SSH+git clone+run install.sh
    install.sh                 on edge: copy /etc/*, validate, restart, cron
    cert-renew-check.sh        weekly LE renewal
    read-logs.sh               pull /var/log/* for offline diagnostics
  docs/
    setup-checklist.md         7-phase first-time install walkthrough

Hardware target: Dell Precision T5600 per
  s8n/production-setup-audit/hardware/dell-t5600.md

WG mesh: 10.10.10.0/29 between edge (.1) and nullstone (.2). UDP 51820.
Keys generated per-host (NEVER committed to repo).

Public traffic flow after migration:
  Internet → router → edge T5600 (relayd TLS term) → wg0 →
  nullstone Traefik (10.10.10.2:8443, private only)

CVE delta vs single-host Debian: regreSSHion + xz backdoor mitigated;
public IP runs OpenBSD base only — no systemd, no glibc, no Docker.
2026-05-08 14:10:29 +01:00

production-openbsd

Edge-box OpenBSD config + provision script. Sister to s8n/production-deb.

Target role per s8n/production-setup-audit Topology 02: OpenBSD bare metal on a Dell Precision T5600 running pf + relayd + acme-client + unbound + WireGuard. Public ports 80/443/22 land here; nullstone (Debian compute) sits behind the WG tunnel on private addresses only.

v0.1 workflow (manual interactive install + scripted provision)

OpenBSD's installer is small and interactive (~5 min). First-pass workflow:

  1. Burn the stock OpenBSD install ISO (install76.iso from https://www.openbsd.org/76.html) to a USB stick. Boot the Dell and run the installer. Pick:
    • Hostname (e.g. flintstone)
    • Network interface (typically em0/em1, the onboard Intel I217)
    • Disk encryption: yes (softraid full-disk encryption, bioctl-style)
    • Sets: bsd, bsd.mp, base, comp, man (skip xenocara: no GUI on the edge box)
    • Root SSH: yes (provision.sh later restricts sshd to key-only with root login disabled)
    • Default user: user
  2. Reboot, log in as user, and copy onyx's public SSH key into ~/.ssh/authorized_keys.
  3. From onyx, run ./scripts/provision.sh user@<edge-ip>. This clones the repo onto the edge box and runs install.sh to apply the pf/relayd/acme-client/unbound/wg configs.

The edge box is now ready to take public 80/443 traffic.
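Step 3 hands the work off to install.sh on the edge box. The script below is an added example of what a validate-before-apply install.sh can look like; it is not the repo's own script. It assumes REPO_ETC is the checked-out etc/ directory and that ROOT is an optional path prefix (empty on the edge box, a scratch directory for dry runs). The checkers it calls (pfctl -nf, relayd -n -f, unbound-checkconf, sshd -t -f, doas -C) are all in OpenBSD base and only parse the named file; nothing is loaded until every file has passed.

```shell
#!/bin/sh
# install.sh (added example, not the repo's own script): runs ON the edge box,
# invoked by provision.sh after the clone. Copies the repo's etc/ tree into
# place only after every file passes its daemon's own syntax checker, then
# reloads pf and restarts the daemons. Loading a mistyped pf.conf is the usual
# way to lock yourself out of a remote OpenBSD box; pfctl -nf parses without
# loading, and the other daemons have equivalent dry-run flags.
set -eu

# Assumed inputs: REPO_ETC is the checked-out repo's etc/ directory; ROOT is an
# optional path prefix, empty on the edge box, a scratch dir for dry runs.
REPO_ETC="${REPO_ETC:-$(dirname "$0")/../etc}"
ROOT="${ROOT:-}"

# Syntax checker per managed file. All are in OpenBSD base and only parse the
# named file. acme-client(1) takes a mandatory domain argument, so this example
# gives acme-client.conf no standalone check (":" is the no-op command).
checker_for() {
  case "$1" in
    pf.conf)          echo "pfctl -nf" ;;
    relayd.conf)      echo "relayd -n -f" ;;
    unbound.conf)     echo "unbound-checkconf" ;;
    sshd_config)      echo "sshd -t -f" ;;
    doas.conf)        echo "doas -C" ;;
    acme-client.conf) echo ":" ;;
    *)                return 1 ;;   # anything else is refused (fail closed)
  esac
}

# Destination relative to ROOT. unbound is chrooted on OpenBSD, so its config
# lives under /var/unbound/etc rather than /etc.
target_for() {
  case "$1" in
    unbound.conf) echo "var/unbound/etc/unbound.conf" ;;
    *)            echo "etc/$1" ;;
  esac
}

# File mode. unbound re-reads its config on reload after dropping privileges,
# so that one stays world-readable; pf/relayd/doas configs are root-only.
mode_for() {
  case "$1" in
    unbound.conf|sshd_config) echo 0644 ;;
    *)                        echo 0600 ;;
  esac
}

# validate_file NAME PATH: run NAME's checker against candidate PATH and
# return its exit status. Unknown names fail without running anything.
validate_file() {
  checker=$(checker_for "$1") || { echo "refusing unknown file: $1" >&2; return 1; }
  $checker "$2"
}

# install_file NAME PATH: validate, then copy into ROOT with the right mode.
install_file() {
  validate_file "$1" "$2" || return 1
  dest="$ROOT/$(target_for "$1")"
  mkdir -p "$(dirname "$dest")"
  install -m "$(mode_for "$1")" "$2" "$dest"
  echo "$dest"
}

# apply_all: pass 1 validates every file; nothing is copied unless the whole
# set parses, so a half-applied config cannot result. Pass 2 installs.
# *.example files (hostname.wg0.example) are templates and are skipped:
# WG keys are generated per host and never live in the repo.
apply_all() {
  for f in "$REPO_ETC"/*; do
    name=$(basename "$f")
    case "$name" in *.example) continue ;; esac
    validate_file "$name" "$f" || { echo "validation failed: $name" >&2; return 1; }
  done
  for f in "$REPO_ETC"/*; do
    name=$(basename "$f")
    case "$name" in *.example) continue ;; esac
    install_file "$name" "$f" >/dev/null
  done
}

# reload_services: pf reloads in place; the daemons go through rcctl(8).
reload_services() {
  pfctl -f /etc/pf.conf
  rcctl enable relayd unbound
  rcctl restart relayd unbound sshd
}

# Act only when explicitly asked, so sourcing the file is side-effect free.
if [ "${INSTALL_APPLY:-0}" = 1 ]; then
  apply_all && reload_services
fi
```

On the edge box provision.sh would run it as `INSTALL_APPLY=1 doas sh scripts/install.sh`; without INSTALL_APPLY the functions can be exercised against a scratch ROOT to confirm the two-pass logic before touching a live /etc.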

v0.2 deferred — autoinstall ISO

Build an OpenBSD install ISO with an auto_install.conf baked in so the install runs unattended, like production-deb's preseed. Deferred until v0.1 is proven on this hardware.

Layout

README.md
provision.sh              one-shot provision: copy configs, restart services
flash.sh                  flash stock OpenBSD install ISO to USB

etc/
  pf.conf                 default-deny + WAN→LAN nat + WG passthrough
  relayd.conf             TLS terminator → backend nullstone WG IP
  acme-client.conf        LE certs via Gandi DNS-01
  unbound.conf            recursive DNS for tunnel + LAN
  hostname.wg0.example    WG interface template (key material handed out separately, never committed)
  doas.conf               minimal admin
  sshd_config             key-only, no root login

scripts/
  provision.sh            push configs + apply
  read-logs.sh            pull /var/log/* from edge box for offline review
  cert-renew-check.sh     verify acme-client renewal cron working
  fetch-keys.sh           generate WG keypair + record pubkey

docs/
  setup-checklist.md      step-by-step install + provision walkthrough
  service-map.md          which OpenBSD service maps to which Debian role
  migration-from-deb.md   how to peel off TLS+DNS+ACME from nullstone

Service mapping (Debian → OpenBSD)

Debian (currently nullstone)                 OpenBSD (T5600 edge)
-------------------------------------------  ---------------------------------------------------
Traefik (TLS termination + reverse proxy)    relayd
acme-companion / Traefik LE                  acme-client
Pi-hole DNS recursive                        unbound (Pi-hole stays on the Pi for LAN ad-block)
Tailscale + Headscale (admin plane)          WireGuard direct (only this 2-host link)
ufw / nftables                               pf
sshd hardened                                sshd hardened (different implementation, smaller surface)

Headscale stays on nullstone — admin plane unchanged. Edge box only handles public traffic + WG tunnel into nullstone's private subnet.

Why not autoinstall yet

The interactive OpenBSD install is fast enough that automating the first pass isn't worth learning the autoinstall toolchain yet. Once the manual config proves out on T5600 hardware, v0.2 will bake the answers into a custom miniroot for repeatable rebuilds.

Forgejo remote

ssh://git@192.168.0.100:222/s8n/production-openbsd.git