Adding a couple of more OpenBSD VMs from OpenBSD.Amsterdam

 · Systeemkabouter

To do some more OpenBSD fiddling without fiddling with actual hardware, I was looking for some extra virtual machines. I asked around for other options, but not many came up, and they were not particularly more interesting than OpenBSD.Amsterdam.

So yesterday I asked Mischa to set up two new virtual machines for me, and this morning I wanted to do some basic setup.

First thing I tried was using ansible. I had already used ansible in the past on some other OpenBSD machines, but apparently the code needed fixing / updating / exploded in my face. When trying to 'fix' this by updating ansible on my Mac with a 'brew update', more stuff exploded and I was kinda done with ansible on my macbook. I logged into my Linux laptop at this stage.

Sooooo... I thought about using another tool for a second; Puppet came to mind. But that needs a server, and probably a Linux server. And I was trying to play with BSD here, so not really an attractive option.

Going oldskool

When bootstrapping new stuff, there are always these catch-22 situations. To run Y, you first need Z. So I figured I would try the approach of The Ancients from the last Millennium:

Just Run A Shell Script

Sample output:

redpuffy# ksh /home/systeemkabouter/no_ansible.sh
Preparing Lutra IT baseline setup for OpenBSD 7.4
Set hostname
redpuffy.lutra.it
Set up self signed certificate
Generating a 4096 bit RSA private key
..............
..........................
writing new private key to '/etc/ssl/private/redpuffy.lutra.it.key'
-----
Install baseline packages
quirks-6.159 signed on 2023-11-17T18:34:15Z
Configure doas
Set Lutra MOTD
Set authorized keys for root user
Set authorized_keys for user systeemkabouter
Configuring sshd
sshd(ok)
sshd(ok)
Install auto update shell script
Install postfix package
quirks-6.159 signed on 2023-11-17T18:34:15Z
Setup postfix aliases
smtpd(ok)
postfix(ok)

Good enough for now, will revisit when the need arises. The only thing I really missed was a safe way to handle secrets/passwords. For now I need to protect the original script or reset my authenticated smtp password.

That Was Fun

The full script with sensitive bits removed:

#!/bin/ksh

function report
{
  logger "$1"
  echo "$1"
}

UNAME=`uname -r`

report "Preparing Lutra IT baseline setup for OpenBSD $UNAME"

report "Set hostname"
SHORTHOSTNAME=`hostname | awk 'BEGIN { FS="."; } { print $1; }'`
FQDN=$SHORTHOSTNAME.lutra.it
hostname -s $FQDN
hostname


report "Set up self signed certificate"
if [ ! -f /etc/ssl/private/$FQDN.key ];
then
  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/ssl/private/$FQDN.key -out /etc/ssl/$FQDN.crt -sha256 -days 3650 -subj "/C=NL/ST=ZH/L=Sommelsdijk/O=Lutra IT/OU=Operations/CN=$FQDN"
fi

report "Install baseline packages"
pkg_add python3 neofetch bash curl wget git

report "Configure doas"
cat << EOF > /etc/doas.conf
# Allow wheel by default
permit keepenv :wheel
permit keepenv nopass systeemkabouter
EOF

report "Set Lutra MOTD"
cat << EOF > /etc/motd

  Lutra IT

  Unauthorized access prohibited

  For support and inquiries please contact
  us at XXXXXXX@lutra-it.eu or via signal at
  +31 XXXXXXXXX  - @systeemkabouter

EOF

report "Set authorized keys for root user"
mkdir -p /root/.ssh
cat << EOF > /root/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6zfzF3846AZ0vjKWPIAQLYtpAsym+xp6kgWTQI1viZ
EOF
chmod -R go-rwx /root/.ssh

report "Set authorized_keys for user systeemkabouter"
mkdir -p /home/systeemkabouter/.ssh
cat << EOF > /home/systeemkabouter/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6zfzF3846AZ0vjKWPIAQLYtpAsym+xp6kgWTQI1viZ
EOF
chmod -R go-rwx /home/systeemkabouter/.ssh

report "Configuring sshd"
cat << EOF > /etc/ssh/sshd_config
AllowTcpForwarding yes
ChallengeResponseAuthentication no
HostbasedAuthentication no
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
IgnoreRhosts yes
KexAlgorithms -diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin without-password
PrintLastLog yes
PrintMotd yes
Protocol 2
Subsystem sftp /usr/libexec/sftp-server
TCPKeepAlive yes
UseDNS no
X11Forwarding no
EOF
rcctl restart sshd

report "Install auto update shell script"
mkdir -p /opt/sa/bin
# quoted delimiter: $RANDOM, $WAITTIME and $0 must reach the generated script unexpanded
cat << 'EOF' > /opt/sa/bin/openbsd_updates.sh
#!/usr/local/bin/bash
#
WAITTIME=`/bin/expr $RANDOM % 600`

if [[ "X$WAITTIME" == "X" ]];
then
  WAITTIME=1
fi

sleep $WAITTIME
logger "$0 autoinstalling updates "
syspatch >> /var/log/syspatch.log
exit 0
EOF
chmod 0550 /opt/sa/bin/openbsd_updates.sh
echo "/opt/sa/bin/openbsd_updates.sh" > /etc/daily.local
chmod u+x /etc/daily.local

report "Install postfix package"
if [ "$UNAME" = "7.4" ];
then
  pkg_add postfix-3.8.20221007p11
else
  report "Dont know which postfix to install on $UNAME"
fi

report "Setup postfix aliases"
cat << EOF > /etc/postfix/aliases
root:XXXXXXXXXX@lutra-it.eu
systeemkabouter:XXXXXXXXX@lutra-it.eu
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
logcheck: root
EOF
newaliases

cat << EOF > /etc/postfix/sasl_passwd
smtp.transip.email:465 XXXXXXXXXXXX@lutra-it.eu:XXXXXXXXXXXXX
EOF
# credentials are owner-only, and the hashed table that smtp_sasl_password_maps points at must exist
chmod 600 /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd.db

cat << EOF > /etc/postfix/main.cf
smtpd_banner = \$myhostname ESMTP \$mail_name
biff = no
append_dot_mydomain = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 3.8

queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix

sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/sbin/newaliases
mailq_path = /usr/local/sbin/mailq

html_directory = /usr/local/share/doc/postfix/html
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = /usr/local/share/doc/postfix/readme
shlib_directory = no
meta_directory = /etc/postfix

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/$FQDN.crt
smtpd_tls_key_file=/etc/ssl/private/$FQDN.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache

mail_owner = _postfix
setgid_group = _postdrop

canonical_maps = hash:/etc/postfix/canonical

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = $FQDN
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
#myorigin = \$myhostname
mydestination = \$myhostname, localhost

unknown_local_recipient_reject_code = 550

relayhost = smtp.transip.email:465
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

# enable SASL authentication
smtp_sasl_auth_enable = yes
# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Enable STARTTLS encryption
smtp_use_tls = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
EOF

/usr/local/sbin/postfix-enable
rcctl stop smtpd
rcctl disable smtpd
rcctl enable postfix
rcctl start postfix
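The post says it lacked a safe way to handle the SMTP password, and the sasl_passwd step above writes it straight from the script. As an added example, not part of the original script, here is a POSIX sh helper that reads the password from a root-only file at run time instead, refuses a secret file that group or world can read, and creates the Postfix table and its postmap database as mode 0600. The function names and argument layout are this example's own; only the table format and postmap come from Postfix.

```shell
#!/bin/sh
# Added example, not part of the original post: keep the relay password out of the
# bootstrap script by reading it from a root-only file when the script runs.
# write_sasl_passwd and loosely_readable are this example's own names.

# loosely_readable FILE: true when group or others hold any permission bit on FILE.
# Uses the ls(1) mode string, so it behaves the same on OpenBSD and Linux.
loosely_readable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ -n "$mode" ] && [ "$mode" != "------" ]
}

# write_sasl_passwd RELAY LOGIN SECRETFILE OUTFILE
#   RELAY       host:port as used in relayhost, e.g. smtp.transip.email:465
#   LOGIN       SASL user name for that relay
#   SECRETFILE  file holding only the password, created out of band with mode 0600
#   OUTFILE     Postfix table to produce (normally /etc/postfix/sasl_passwd)
write_sasl_passwd() {
    relay=$1 login=$2 secretfile=$3 outfile=$4
    [ -f "$secretfile" ] || { echo "no secret file $secretfile" >&2; return 1; }
    # refuse to build on a secret that group or world can already read
    if loosely_readable "$secretfile"; then
        echo "$secretfile is readable by group/others, fix that first" >&2
        return 2
    fi
    # read and printf are shell builtins: the password never appears in any process
    # argument list, and an unexported shell variable is not passed to children
    IFS= read -r password < "$secretfile" || true
    [ -n "$password" ] || { echo "empty secret in $secretfile" >&2; return 3; }
    # create the table as 0600 from the start (umask 077), then fix the mode in case
    # an older copy with looser permissions was truncated in place
    (umask 077; printf '%s %s:%s\n' "$relay" "$login" "$password" > "$outfile") || return 4
    chmod 600 "$outfile"
    unset password
    # Postfix reads the hashed OUTFILE.db, which postmap creates under the same umask
    if command -v postmap >/dev/null 2>&1; then
        (umask 077; postmap "hash:$outfile") || return 5
        chmod 600 "$outfile.db"
    fi
    return 0
}
```

With this in place the bootstrap script only needs the path of the secret file, so it can be kept in version control without the password.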