OpenBSD

OpenBSD - Rclone

WebDAV Server

Need a little WebDAV server? Self-hosting your password DB?

pkg

pkg_add rclone
mkdir -p /rclone/webdav

run

rclone serve webdav /your/root/folder --addr YOUR_PUBLIC_IP:PORT \
  --key /etc/ssl/certs/your.private.key \
  --cert /etc/ssl/certs/your.public.cer \
  --user someuser \
  --pass somepass

Browser

browse to https://your_public_ip:port

  • user: someuser
  • pass: somepass

done !

htpasswd

Got some users and wanna put them in the htpasswd file? Be careful, as these users all share the same folder!

cd /rclone
touch htpasswd
htpasswd htpasswd tick
htpasswd htpasswd trick
htpasswd htpasswd track
chmod 600 htpasswd

Dashboard

Do you like dashboards? It's also included, have a look …

NextCloud - OpenBSD 7.3

NextCloud on OpenBSD 7.3

Some install notes …

  • Powerup Fresh VM
  • Upgrade to 7.3 Beta (7.3 is not yet released)

pkg_info nextcloud

pkg_info -Q nextcloud -D snap
nextcloud-23.0.12p0
nextcloud-24.0.10
nextcloud-25.0.4
nextcloudclient-3.7.4

Adding 25.0.4:

pkg_add -D snap nextcloud
quirks-6.121 signed on 2023-03-21T18:57:42Z
Ambiguous: choose package for nextcloud
a	0: <None>
	1: nextcloud-23.0.12p0
	2: nextcloud-24.0.10
	3: nextcloud-25.0.4
Your choice: 3

Installed:

  • php-8.1
  • lots of other stuff

Got some readmes:

...
nextcloud-25.0.4:gd-2.3.3: ok
nextcloud-25.0.4:php-gd-8.1.16: ok
nextcloud-25.0.4:icu4c-72.1v0: ok
nextcloud-25.0.4:icu4c-wwwdata-72.1v0: ok
nextcloud-25.0.4:php-intl-8.1.16: ok
nextcloud-25.0.4:php-curl-8.1.16p0: ok
nextcloud-25.0.4:pecl81-redis-5.3.7p0: ok
nextcloud-25.0.4: ok
Running tags: ok
The following new rcscripts were installed: /etc/rc.d/php81_fpm
See rcctl(8) for details.
New and changed readme(s):
	/usr/local/share/doc/pkg-readmes/femail-chroot
	/usr/local/share/doc/pkg-readmes/nextcloud
	/usr/local/share/doc/pkg-readmes/php-8.1

Readme is for losers, right? So, let's have a look …

OpenBSD - OpenSMTPD

Running a mail server on OpenBSD …

Source

Requirements

  • OpenBSD VM
  • Public IP & FQDN
  • no port filtering by the hoster
  • root permission

Packages

pkg_add opensmtpd-extras opensmtpd-filter-rspamd dovecot dovecot-pigeonhole redis rspamd-- opensmtpd-filter-senderscore

FQDN

export host="hostname"
export domain="domain.tld"
export fqdn="${host}.${domain}"

httpd.conf

f="/etc/httpd.conf"; test -f ${f} && cp ${f} "${f}-$(date +'%s')"

cat << EOF > ${f}
# added $(date)
server "${fqdn}" {
  listen on * port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}
EOF
chown root:wheel ${f}; chmod 644 ${f}

pf.conf

Allow certain ports from any source

OpenBSD - Rainloop

Source

How to add a nice web interface to an existing mail server

Vars

export fqdn="your.server.de"

add pkg

PHP version? I took 8.1.

pkg_add \
  curl-- \
  php--%8.1 \
  php-curl--%8.1 \
  php-pdo_sqlite--%8.1 \
  php-zip--%8.1 \
  pecl81-mcrypt \
  unzip-- \
  zip--

Cert

Assuming you already have a TLS cert, you can skip this one.

php

cd /etc/php-8.1.sample/
cp * /etc/php-8.1/

size

sed -i 's/^upload_max_filesize.*/upload_max_filesize = 25M/' /etc/php-8.1.ini
sed -i 's/^post_max_size.*/post_max_size = 29M/' /etc/php-8.1.ini

httpd

cat << EOF > /etc/httpd.conf

server "${fqdn}" {
    listen on * port 80
    block return 302 "https://\$SERVER_NAME\$REQUEST_URI"
}

server "${fqdn}" {
    listen on * tls port 443
    tls {
      certificate "/etc/ssl/${fqdn}.fullchain.pem"
      key         "/etc/ssl/private/${fqdn}.key"
    }
    hsts {
      max-age 31556952
      preload
    }
    log {
      access  "${fqdn}-access.log"
      error   "${fqdn}-error.log"
    }

    root "/htdocs/rainloop"
    directory index index.php

    # Value below is 25MB in bytes. 1MB = 1048576 bytes
    connection max request body 26214400

    # security
    location "*/.git*"              { block }

    ## app specific (ref: https://www.rainloop.net/docs/permissions/ )
    location "/data/*"              { block }

    # robots.txt
    location "/robots.txt"          { pass }

    location "/*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
}
EOF

enable & start

rcctl enable httpd php81_fpm
rcctl restart httpd php81_fpm

Prepare Rainloop

mkdir /var/www/htdocs/rainloop
cd /var/www/htdocs/rainloop

Get Rainloop #1

curl -sL https://repository.rainloop.net/installer.php | php-8.1
chown -R www data

Get Rainloop #2

ftp https://www.rainloop.net/repository/webmail/rainloop-latest.zip
unzip rainloop-latest.zip
chown -R www data

allow resolv.conf

test -d /var/www/etc || mkdir -p /var/www/etc
test -f /var/www/etc/resolv.conf || cp /etc/resolv.conf /var/www/etc/resolv.conf

Admin Interface

-> user admin:12345

OpenBSD - Minio

Inspired

https://obsd.solutions/en/blog/2023/01/11/minio-on-openbsd-72-install/

Requirements

  • Fresh VM, running OpenBSD 7.2, fully patched

  • Public IP, all Ports allowed

  • FQDN pointing to your IP

Run all the commands as root (or prepend ‘doas’ …)

add Package

As usual with OpenBSD:

pkg_add minio

Extend File Limits

We need a higher open-files limit for the minio login class …

cat << EOF >> /etc/login.conf

# Minio, added $(date)
EOF

cat << 'EOF' >> /etc/login.conf
minio:\
  :openfiles-cur=4096:\
  :openfiles-max=8192:\
  :tc=daemon:
EOF

# Rebuild capdb
cap_mkdb /etc/login.conf

Don't forget to restart the box.

OpenBSD - Packages

How to Build a Package on OpenBSD

Thx for the Initial Support [email protected] …!

Setup Build Machine on Current

  • Install OpenBSD
  • Upgrade to Current
  • get SYS & Ports

Switch to Port to Update

cd /usr/ports/net/scapy
  • Change to 2.5.0

  • make makesum

  • make update-plist

  • make

  • make test

  • make install

  • make package

Add your own PKG Repo

export PKG_PATH="https://your.server.de/pub/OpenBSD/7.2/packages-self/amd64/"

# Check Repo
root@host# pkg_info -Q scapy
scapy-2.5.0p0

# add Repo
root@host# pkg_add -V scapy
https://your.server.de/pub/OpenBSD/7.2/packages-self/amd64/scapy-2.5.0p0.tgz: unsigned package
Couldn't install scapy-2.5.0p0

# allow unsigned, as this is built on my own
root@host# pkg_add -D unsigned scapy
scapy-2.5.0p0: ok

Todo

  • Check Upgrade Path

IP over SSH

Wanna tunnel IP over SSH? Give it a try. Tested for you with … OpenBSD :)

Host1

Do the following as root:

echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1

echo "inet 10.0.0.1 255.255.255.0 10.0.0.2" >> /etc/hostname.tun0
sh /etc/netstart tun0

# the first delimiter of the s command was missing; also match the commented default "#PermitTunnel no"
sed -i 's/^#*PermitTunnel .*/PermitTunnel yes/' /etc/ssh/sshd_config
rcctl restart sshd

ssh-copy-id root@host2

Host2

Do the following as root:

echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1

echo "inet 10.0.0.2 255.255.255.0 10.0.0.1" >> /etc/hostname.tun0
sh /etc/netstart tun0

# same fix as on Host1: s command delimiter and the commented default line
sed -i 's/^#*PermitTunnel .*/PermitTunnel yes/' /etc/ssh/sshd_config
rcctl restart sshd

ssh-copy-id root@host1

Now run ifconfig tun0 on Host1 and Host2 -> the tunnel should be down
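A more robust version of the PermitTunnel edit from the two host sections above, as an added shell example that is not from the original post: stock OpenBSD ships the commented default "#PermitTunnel no", which a sed that only matches an uncommented line leaves untouched, so this handles the commented default, an explicit "PermitTunnel no", a missing line (inserted before any Match block so it stays global), and reports the effective value. The file path is a parameter so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the original post: switch PermitTunnel to "yes" in an
# sshd_config file. Handles the commented default "#PermitTunnel no" that stock
# OpenBSD ships, an explicit "PermitTunnel no", and a missing line.

enable_permit_tunnel() {
    f="$1"
    tmp="$f.tmp.$$"
    if grep -q '^[[:space:]]*#*[[:space:]]*PermitTunnel[[:space:]]' "$f"; then
        # Rewrite the directive line in place (commented or not); every other
        # line is passed through unchanged.
        sed 's/^[[:space:]]*#*[[:space:]]*PermitTunnel[[:space:]].*/PermitTunnel yes/' "$f" > "$tmp" \
            && mv "$tmp" "$f"
    elif grep -qi '^[[:space:]]*Match[[:space:]]' "$f"; then
        # Appending would land inside the trailing Match block, so insert the
        # directive before the first Match line to keep it global.
        awk 'tolower($1) == "match" && !done { print "PermitTunnel yes"; done = 1 } { print }' \
            "$f" > "$tmp" && mv "$tmp" "$f"
    else
        # No PermitTunnel line and no Match block: append one.
        printf 'PermitTunnel yes\n' >> "$f"
    fi
}

# Effective value as sshd(8) resolves it: the first uncommented PermitTunnel
# directive wins (keywords are case-insensitive); "no" if none is set.
permit_tunnel_value() {
    v=$(awk 'tolower($1) == "permittunnel" { print $2; exit }' "$1")
    printf '%s\n' "${v:-no}"
}

# Usage on the real file (root, then restart sshd as in the post):
#   enable_permit_tunnel /etc/ssh/sshd_config && rcctl restart sshd
```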

OpenBSD - Rock4C+

How to get OpenBSD on OKdo Rock 4C+

Got a new toy and I'd like to put Puffy on it.

Mount SD Card on APU/existing HW

dmesg |grep sd1
sd1 at scsibus2 targ 1 lun 0: <Generic-, Multi-Card, 1.00> removable serial.0bda0309201209010309
sd1: 58911MB, 512 bytes/sector, 120649728 sectors

Speedtest

dd if=/dev/random of=/dev/rsd1c bs=1m count=512
dd: /dev/rsd1c: Device not configured

Not working properly :(

Softraid on OpenBSD

Softraid

Inspired by the book OpenBSD Mastery: Filesystems by MWL, here are some notes …

Target

Build a RAID with 3 disks, add some data, destroy one disk, and rebuild the RAID (and its data).

Requirements

  • OpenBSD 7.2 Running
  • 3 added disks with 20G each: sd0, sd1, sd2

Find Disks

root@puffy # dmesg |grep -i sec

wd0: 64-sector PIO, LBA, 20480MB, 41943040 sectors
sd0: 20480MB, 512 bytes/sector, 41943040 sectors
sd1: 20480MB, 512 bytes/sector, 41943040 sectors
sd2: 20480MB, 512 bytes/sector, 41943040 sectors

sd0, sd1, sd2 are the new disks for the RAID

Vault on OpenBSD

How to install and run HashiCorp Vault on OpenBSD

In addition to [this blog entry](https://blog.stoege.net/categories/vault/), here are some instructions for OpenBSD.

Requirements

  • VM with OpenBSD 7.2 (or older …) and root/doas permission
  • Domain, or at least a FQDN Name pointing to your VM
  • HTTP/HTTPS allowed from Internet (for Certificate Generation)
  • Nginx installed (pkg_add nginx)

Source

https://developer.hashicorp.com/vault/docs/get-started/developer-qs

Install Vault

All the steps must be run as root (or with doas).

pkg_add vault

Vault Config

Back up the previous config before …