Adding a couple of more OpenBSD VMs from OpenBSD.Amsterdam
Posted on za 18 november 2023 in runbsd
To do some more OpenBSD fiddling without fiddling with actual hardware, I was looking for some extra virtual machines. I asked around for other options, but not many came up, and they were not particularly more interesting than OpenBSD.Amsterdam.
So yesterday I asked Mischa to set up two now virtual machines for me and this morning I wanted to do some basic setup.
First thing I tried was using ansible. I had already used ansible in the past on some other OpenBSD machines, but apparently the code needed fixing / updating / exploded in my face. When trying to 'fix' this by updating ansible on my Mac with a 'brew update', more stuff exploded and I was kinda done with ansible on my macbook. I logged into my Linux Laptop at this stage
Sooooo... I thought about using another tool for a second, Puppet came to mind. But that needs a server, and probably a Linux server. And I was trying to play with BSD here, so not really an attractive option.
Going oldskool
When bootstrapping new stuff, there are always these catch-22 situations. To run Y, you first need Z. So I figured I would try the approach of The Ancients from the last Millennium:
Just Run A Shell Script
Sample output:
redpuffy# ksh /home/systeemkabouter/no_ansible.sh
Preparing Lutra IT baseline setup for OpenBSD 7.4
Set hostname
redpuffy.lutra.it
Set up self signed certificate
Generating a 4096 bit RSA private key
..............
..........................
writing new private key to '/etc/ssl/private/redpuffy.lutra.it.key'
-----
Install baseline packages
quirks-6.159 signed on 2023-11-17T18:34:15Z
Configure doas
Set Lutra MOTD
Set authorized keys for root user
Set authorized_keys for user systeemkabouter
Configuring sshd
sshd(ok)
sshd(ok)
Install auto update shell script
Install postfix package
quirks-6.159 signed on 2023-11-17T18:34:15Z
Setup postfix aliases
smtpd(ok)
postfix(ok)
Good enough for now, will revisit when the need arises. The only thing I really missed was a safe way to handle secrets/passwords. For now I need to protect the original script or reset my authenticated smtp password.
That Was Fun
The full script with sensitive bits removed:
#!/bin/ksh
function report
{
logger "$1"
echo "$1"
}
UNAME=`uname -r`
report "Preparing Lutra IT baseline setup for OpenBSD $UNAME"
report "Set hostname"
SHORTHOSTNAME=`hostname | awk 'BEGIN { FS="."; } { print $1; }'`
FQDN=$SHORTHOSTNAME.lutra.it
hostname -s $FQDN
hostname
report "Set up self signed certificate"
if [ ! -f /etc/ssl/private/$FQDN.key ];
then
openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/ssl/private/$FQDN.key -out /etc/ssl/$FQDN.crt -sha256 -days 3650 -nodes -subj "/C=NL/ST=ZH/L=Sommelsdijk/O=Lutra IT/OU=Operations/CN=$FQDN"
fi
report "Install baseline packages"
pkg_add python3 neofetch bash curl wget git
report "Configure doas"
cat << EOF > /etc/doas.conf
# Allow wheel by default
permit keepenv :wheel
permit keepenv nopass systeemkabouter
EOF
report "Set Lutra MOTD"
cat << EOF > /etc/motd
Lutra IT
Unauthorized access prohibited
For support and inquiries please contact
us at XXXXXXX@lutra-it.eu or via signal at
+31 XXXXXXXXX - @systeemkabouter
EOF
report "Set authorized keys for root user"
mkdir -p /root/.ssh
cat << EOF > /root/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6zfzF3846AZ0vjKWPIAQLYtpAsym+xp6kgWTQI1viZ
EOF
chmod -R go-rwx /root/.ssh
report "Set authorized_keys for user systeemkabouter"
mkdir -p /home/systeemkabouter/.ssh
cat << EOF > /home/systeemkabouter/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6zfzF3846AZ0vjKWPIAQLYtpAsym+xp6kgWTQI1viZ
EOF
chmod -R go-rwx /home/systeemkabouter/.ssh
report "Configuring sshd"
cat << EOF > /etc/ssh/sshd_config
AllowTcpForwarding yes
ChallengeResponseAuthentication no
HostbasedAuthentication no
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
IgnoreRhosts yes
KexAlgorithms -diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin without-password
PrintLastLog yes
PrintMotd yes
Protocol 2
Subsystem sftp /usr/libexec/sftp-server
TCPKeepAlive yes
UseDNS no
X11Forwarding no
EOF
rcctl restart sshd
report "Install auto update shell script"
mkdir -p /opt/sa/bin
cat << EOF > /opt/sa/bin/openbsd_updates.sh
#!/usr/local/bin/bash
#
WAITIME=`/bin/expr $RANDOM % 600`
if [[ "X$WAITTIME" == "X" ]];
then
WAITTIME=1
fi
sleep $WAITTIME
logger "$0 autoinstalling updates "
syspatch >> /var/log/syspatch.log
exit 0
EOF
chmod 0550 /opt/sa/bin/openbsd_updates.sh
echo "/opt/sa/bin/openbsd_updates.sh" > /etc/daily.local
chmod u+x /etc/daily.local
report "Install postfix package"
if [ $UNAME == "7.4" ];
then
pkg_add postfix-3.8.20221007p11
else
report "Dont know which postfix to install on $UNAME"
fi
report "Setup postfix aliases"
cat << EOF > /etc/postfix/aliases
root:XXXXXXXXXX@lutra-it.eu
systeemkabouter:XXXXXXXXX@lutra-it.eu
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
logcheck: root
EOF
newaliases
cat << EOF > /etc/postfix/sasl_passwd
smtp.transip.email:465 XXXXXXXXXXXX@lutra-it.eu:XXXXXXXXXXXXX
EOF
chmod g-rwx /etc/postfix/sasl_passwd
cat << EOF > /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 3.8
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/sbin/newaliases
mailq_path = /usr/local/sbin/mailq
html_directory = /usr/local/share/doc/postfix/html
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = /usr/local/share/doc/postfix/readme
shlib_directory = no
meta_directory = /etc/postfix
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/$FQDN.crt
smtpd_tls_key_file=/etc/ssl/private/$FQDN.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
mail_owner = _postfix
setgid_group = _postdrop
canonical_maps = hash:/etc/postfix/canonical
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = $FQDN
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
#myorigin = $myhostname
mydestination = $myhostname, localhost
unknown_local_recipient_reject_code = 550
relayhost = smtp.transip.email:465
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
# enable SASL authentication
smtp_sasl_auth_enable = yes
# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Enable STARTTLS encryption
smtp_use_tls = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
EOF
/usr/local/sbin/postfix-enable
rcctl stop smtpd
rcctl disable smtpd
rcctl enable postfix
rcctl start postfix