be77f1eb2f
Sister to s8n/production-deb. Edge-box config + provision script for
running the OpenBSD-edge role per s8n/production-setup-audit Topology 02.
v0.1 = stock OpenBSD install ISO (interactive, 5 min) + scripted provision
from onyx. Autoinstall ISO build deferred to v0.2.
Layout:
README.md workflow + service mapping (Debian → OpenBSD)
flash.sh burn stock install76.iso to USB
etc/ pf / relayd / acme-client / unbound /
hostname.wg0.example / sshd_config / doas.conf
scripts/
provision.sh from onyx: SSH+git clone+run install.sh
install.sh on edge: copy /etc/*, validate, restart, cron
cert-renew-check.sh weekly LE renewal
read-logs.sh pull /var/log/* for offline diagnostics
docs/
setup-checklist.md 7-phase first-time install walkthrough
Hardware target: Dell Precision T5600 per
s8n/production-setup-audit/hardware/dell-t5600.md
WG mesh: 10.10.10.0/29 between edge (.1) and nullstone (.2). UDP 51820.
Keys generated per-host (NEVER committed to repo).
Public traffic flow after migration:
Internet → router → edge T5600 (relayd TLS term) → wg0 →
nullstone Traefik (10.10.10.2:8443, private only)
CVE delta vs single-host Debian: regreSSHion + xz backdoor mitigated;
public IP runs OpenBSD base only — no systemd, no glibc, no Docker.
40 lines
1.3 KiB
Bash
Executable file
40 lines
1.3 KiB
Bash
Executable file
#!/bin/sh
|
|
# provision.sh — one-shot provision: clone repo onto edge box, run install.sh
|
|
#
|
|
# Usage (run from onyx):
|
|
# ./scripts/provision.sh user@<edge-ip-or-hostname>
|
|
#
|
|
# What it does:
|
|
# 1. SSH into edge box, install required pkgs (acme-client + wireguard-tools)
|
|
# 2. git clone this repo to /tmp/production-openbsd
|
|
# 3. Run /tmp/production-openbsd/scripts/install.sh on the edge box
|
|
# which copies /etc/* + enables services + reloads
|
|
#
|
|
# Expected pre-state:
|
|
# - OpenBSD 7.6+ installed on edge box
|
|
# - User 'user' exists with sudo/doas access
|
|
# - Your SSH pubkey already in user@edge:.ssh/authorized_keys
|
|
# - WG keys generated separately (see etc/hostname.wg0.example header)
|
|
|
|
set -eu
|
|
|
|
TARGET="${1:-}"
|
|
[ -n "$TARGET" ] || { echo "Usage: $0 user@<edge-ip>" >&2; exit 1; }
|
|
|
|
REPO_URL="ssh://git@192.168.0.100:222/s8n/production-openbsd.git"
|
|
REMOTE_PATH="/tmp/production-openbsd"
|
|
|
|
echo "[*] Provisioning $TARGET ..."
|
|
|
|
ssh "$TARGET" -- "/bin/sh -se" <<EOF
|
|
set -eu
|
|
echo "[remote] installing prerequisites"
|
|
doas pkg_add -I acme-client wireguard-tools git rsync || true
|
|
[ -d $REMOTE_PATH ] && rm -rf $REMOTE_PATH
|
|
git clone $REPO_URL $REMOTE_PATH
|
|
cd $REMOTE_PATH
|
|
doas /bin/sh scripts/install.sh
|
|
echo "[remote] provision complete"
|
|
EOF
|
|
|
|
echo "[*] Done. Verify: ssh $TARGET 'doas pfctl -sr | head'"
|