production-openbsd/etc/unbound.conf
obsidian-ai be77f1eb2f feat: production-openbsd v0.1 scaffold
Sister to s8n/production-deb. Edge-box config + provision script for
running the OpenBSD-edge role per s8n/production-setup-audit Topology 02.

v0.1 = stock OpenBSD install ISO (interactive, 5 min) + scripted provision
from onyx. Autoinstall ISO build deferred to v0.2.

Layout:
  README.md                    workflow + service mapping (Debian → OpenBSD)
  flash.sh                     burn stock install76.iso to USB
  etc/                         pf / relayd / acme-client / unbound /
                               hostname.wg0.example / sshd_config / doas.conf
  scripts/
    provision.sh               from onyx: SSH+git clone+run install.sh
    install.sh                 on edge: copy /etc/*, validate, restart, cron
    cert-renew-check.sh        weekly LE renewal
    read-logs.sh               pull /var/log/* for offline diagnostics
  docs/
    setup-checklist.md         7-phase first-time install walkthrough

Hardware target: Dell Precision T5600 per
  s8n/production-setup-audit/hardware/dell-t5600.md

WG mesh: 10.10.10.0/29 between edge (.1) and nullstone (.2). UDP 51820.
Keys generated per-host (NEVER committed to repo).

Public traffic flow after migration:
  Internet → router → edge T5600 (relayd TLS term) → wg0 →
  nullstone Traefik (10.10.10.2:8443, private only)

CVE delta vs single-host Debian: regreSSHion + xz backdoor mitigated;
public IP runs OpenBSD base only — no systemd, no glibc, no Docker.
2026-05-08 14:10:29 +01:00


# /var/unbound/etc/unbound.conf — recursive DNS resolver
#
# Listens on:
#   127.0.0.1:53    — for local apps (acme-client, relayd)
#   10.10.10.1:53   — for nullstone over WG tunnel
#   192.168.0.50:53 — for LAN clients (LAN IP of T5600; adjust)
#
# Pi-hole stays on the Pi for LAN ad-blocking; Pi-hole's upstream is set
# to THIS unbound instance (10.10.10.1 via tunnel OR LAN IP direct).
#
# Reload: rcctl reload unbound
# Test:   dig @127.0.0.1 example.com
server:
	interface: 127.0.0.1
	interface: 10.10.10.1
	interface: 192.168.0.50

	# Restrict who can query (most specific matching prefix wins; unmatched = refuse)
	access-control: 127.0.0.0/8 allow
	access-control: 10.10.10.0/29 allow      # WG mesh
	access-control: 192.168.0.0/24 allow     # LAN
	access-control: 0.0.0.0/0 refuse         # block public recursive abuse

	# Hide identity
	hide-identity: yes
	hide-version: yes

	# Cache + perf
	msg-cache-size: 64m
	rrset-cache-size: 128m
	cache-min-ttl: 60
	cache-max-ttl: 86400
	prefetch: yes
	prefetch-key: yes

	# DNSSEC validation
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	val-clean-additional: yes

	# Privacy
	qname-minimisation: yes
	aggressive-nsec: yes
	minimal-responses: yes
	do-not-query-localhost: no   # allow forwarding to local Pi-hole if you do that later

	# Strip RFC1918 addresses from public answers (DNS rebinding defence)
	private-address: 10.0.0.0/8
	private-address: 172.16.0.0/12
	private-address: 192.168.0.0/16
	# ... but allow our own domains to return those ranges
	private-domain: "s8n.ru"
	private-domain: "veilor.uk"

	# Local zone for internal hosts (nullstone, edge, etc.) — fill from /etc/hosts
	local-zone: "s8n.ru." typetransparent
	local-data: "edge.s8n.ru. IN A 10.10.10.1"
	local-data: "nullstone.s8n.ru. IN A 10.10.10.2"

	# Logs
	use-syslog: yes
	log-queries: no
	log-replies: no

remote-control:
	control-enable: yes
	control-interface: /var/run/unbound.sock
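As an added check that is not part of the production-openbsd repo, a small Python script that evaluates two of the filters in this file the way Unbound does: which access-control entry wins for a client address (the most specific matching prefix), and whether an answer pointing at an RFC1918 address survives private-address filtering (only when the name is under a private-domain). The directive lines are copied from the config above into a constructed string; the parser handles only those three directives.

```python
# Added checker (not repo code): relevant directives copied from the unbound.conf above
import ipaddress

UNBOUND_CONF = """
access-control: 127.0.0.0/8 allow
access-control: 10.10.10.0/29 allow      # WG mesh
access-control: 192.168.0.0/24 allow     # LAN
access-control: 0.0.0.0/0 refuse         # block public recursive abuse
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-domain: "s8n.ru"
private-domain: "veilor.uk"
"""

def parse(conf):
    """Return (acl, private_nets, private_domains) from the directive text."""
    acl, nets, domains = [], [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        key, _, val = line.partition(":")
        parts = val.split()
        if key == "access-control":
            acl.append((ipaddress.ip_network(parts[0]), parts[1]))
        elif key == "private-address":
            nets.append(ipaddress.ip_network(parts[0]))
        elif key == "private-domain":
            domains.append(parts[0].strip('"').rstrip(".").lower())
    return acl, nets, domains

def client_action(acl, client_ip):
    """Action Unbound applies to a querying client: most specific prefix wins."""
    ip = ipaddress.ip_address(client_ip)
    hits = [(net, act) for net, act in acl if ip in net]
    if not hits:
        return "refuse"                              # Unbound's default for unmatched clients
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def answer_kept(nets, domains, qname, addr):
    """True if an A record qname -> addr survives private-address filtering."""
    ip = ipaddress.ip_address(addr)
    if not any(ip in net for net in nets):
        return True                                  # public address: never stripped
    name = qname.rstrip(".").lower()                 # private address: only under private-domain
    return any(name == d or name.endswith("." + d) for d in domains)
```

A query from 10.10.10.2 matches both `10.10.10.0/29 allow` and `0.0.0.0/0 refuse`; the /29 wins, which is why the catch-all refuse can safely sit in the same list.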