Adding a couple of more OpenBSD VMs from OpenBSD.Amsterdam

 · Systeemkabouter

To do some more OpenBSD fiddling without fiddling with actual hardware, I was looking for some extra virtual machines. I asked around for other options, but not many came up, and they were not particularly more interesting than OpenBSD.Amsterdam.

So yesterday I asked Mischa to set up two now virtual machines for me and this morning I wanted to do some basic setup.

First thing I tried was using ansible. I had already used ansible in the past on some other OpenBSD machines, but apparently the code needed fixing / updating / exploded in my face. When trying to 'fix' this by updating ansible on my Mac with a 'brew update', more stuff exploded and I was kinda done with ansible on my macbook. I logged into my Linux Laptop at this stage

Sooooo... I thought about using another tool for a second, Puppet came to mind. But that needs a server, and probably a Linux server. And I was trying to play with BSD here, so not really an attractive option.

Going oldskool

When bootstrapping new stuff, there are always these catch-22 situations. To run Y, you first need Z. So I figured I would try the approach of The Ancients from the last Millennium:

Just Run A Shell Script

Sample output:

redpuffy# ksh /home/eelco/                                                                                                                                                                     
Preparing Lutra IT baseline setup for OpenBSD 7.4
Set hostname
Set up self signed certificate
Generating a 4096 bit RSA private key
writing new private key to '/etc/ssl/private/'
Install baseline packages
quirks-6.159 signed on 2023-11-17T18:34:15Z
Configure doas
Set Lutra MOTD
Set authorized keys for root user
Set authorized_keys for user eelco
Configuring sshd
Install auto update shell script
Install postfix package
quirks-6.159 signed on 2023-11-17T18:34:15Z
Setup postfix aliases

Good enough for now, will revisit when the need arises. The only thing I really missed was a safe way to handle secrets/passwords. For now I need to protect the original script or reset my authenticated smtp password.

That Was Fun

The full script with sensitive bits removed:


function report
  logger "$1"
  echo "$1"

UNAME=`uname -r`

report "Preparing Lutra IT baseline setup for OpenBSD $UNAME"

report "Set hostname"
SHORTHOSTNAME=`hostname | awk 'BEGIN { FS="."; } { print $1; }'`
hostname -s $FQDN

report "Set up self signed certificate"
if [ ! -f /etc/ssl/private/$FQDN.key ];
  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/ssl/private/$FQDN.key -out /etc/ssl/$FQDN.crt -sha256 -days 3650 -nodes -subj "/C=NL/ST=ZH/L=Sommelsdijk/O=Lutra IT/OU=Operations/CN=$FQDN"

report "Install baseline packages"
pkg_add python3 neofetch bash curl wget git

report "Configure doas"
cat << EOF > /etc/doas.conf
# Allow wheel by default
permit keepenv :wheel
permit keepenv nopass eelco

report "Set Lutra MOTD"
cat << EOF > /etc/motd

  Lutra IT

  Unauthorized access prohibited

  For support and inquiries please contact
  us at or via signal at
  +31 XXXXXXXXX  - @systeemkabouter


report "Set authorized keys for root user"
mkdir -p /root/.ssh
cat << EOF > /root/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6zfzF3846AZ0vjKWPIAQLYtpAsym+xp6kgWTQI1viZ
chmod -R go-rwx /root/.ssh

report "Set authorized_keys for user eelco"
mkdir -p /home/eelco/.ssh
cat << EOF > /home/eelco/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6zfzF3846AZ0vjKWPIAQLYtpAsym+xp6kgWTQI1viZ
chmod -R go-rwx /home/eelco/.ssh

report "Configuring sshd"
cat << EOF > /etc/ssh/sshd_config
AllowTcpForwarding yes
ChallengeResponseAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
KexAlgorithms -diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin without-password
PrintLastLog yes
PrintMotd yes
Protocol 2
Subsystem sftp /usr/libexec/sftp-server
TCPKeepAlive yes
UseDNS no
X11Forwarding no
rcctl restart sshd

report "Install auto update shell script"
mkdir -p /opt/sa/bin
cat << EOF > /opt/sa/bin/
WAITIME=`/bin/expr $RANDOM % 600`

if [[ "X$WAITTIME" == "X" ]];

logger "$0 autoinstalling updates "
syspatch >> /var/log/syspatch.log
exit 0
chmod 0550 /opt/sa/bin/
echo "/opt/sa/bin/" > /etc/daily.local
chmod u+x /etc/daily.local

report "Install postfix package"
if [ $UNAME  == "7.4" ];
  pkg_add postfix-3.8.20221007p11
  report "Dont know which postfix to install on $UNAME"

report "Setup postfix aliases"
cat << EOF > /etc/postfix/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
logcheck: root

cat << EOF > /etc/postfix/sasl_passwd
chmod g-rwx /etc/postfix/sasl_passwd

cat << EOF > /etc/postfix/
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
# See -- default to 2 on
# fresh installs.
compatibility_level = 3.8

queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix

sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/sbin/newaliases
mailq_path = /usr/local/sbin/mailq

html_directory = /usr/local/share/doc/postfix/html
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = /usr/local/share/doc/postfix/readme
shlib_directory = no
meta_directory = /etc/postfix

# TLS parameters
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

mail_owner = _postfix
setgid_group = _postdrop

canonical_maps = hash:/etc/postfix/canonical

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = $FQDN
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
#myorigin = $myhostname
mydestination = $myhostname, localhost

unknown_local_recipient_reject_code = 550

relayhost =
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

# enable SASL authentication
smtp_sasl_auth_enable = yes
# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Enable STARTTLS encryption
smtp_use_tls = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt

rcctl stop smtpd
rcctl disable smtpd
rcctl enable postfix
rcctl start postfix