You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Solene Rapenne 501413754b openbsd: packages: Improve usage documentation through comments. 4 months ago
openbsd openbsd: packages: Improve usage documentation through comments. 4 months ago
LICENSE Initial commit 4 months ago
README.md first version 4 months ago

README.md

gearbsd

This repo will eventually turn into a collection of parametrized templates to easily deploy services or environments on $system.

Examples

  • Deploying a pf.conf on OpenBSD
  • Enabling Gnome3 on OpenBSD (requires enabling many services, modifying /etc/login.conf and /etc/gdm.conf)

Why?

Most of the time we need to do the same things over and over, using simple templates with parameters allow easy reproducibles configuration.

How to use

You need (R)?ex installed, cd into a directory to find a Rexfile, look at the self explanatory variables at the top of the file to adapt your needs and run rex -H destination configure, on localhost you can run it as root like rex configure or rex -H localhost configure if you have a localhost root access by ssh. You will need root access through ssh when using Rex over the network.

Improvements

  • Allow to use sudo instead of direct root access
  • Allow to use doas (but this will require changes in Rex)
  • Maintain a list of applied modules to keep track of used modules

Template example

In the openbsd/pf module, these variables will define the generation of the pf.conf file.

  • TCPports: [22, 80, 443]
  • UDPports: [53, "2000:20010"]
  • allow_icmp: 1
  • nat: 0
  • nat_from_interface: "wg0"
  • nat_to_interface: "em0

This set of values will produce the following file and load it into pf:

services_tcp="{ 22 80 443 }"
services_udp="{ 53 2000:20010 }"

set skip on lo
set block-policy drop

# block incoming by default
block return log
pass out quick

# allow TCP
pass in on egress inet proto tcp from any to (egress) port $services_tcp

# allow UDP
pass in on egress inet proto udp from any to (egress) port $services_udp

# allow ICMP (over ipv4)
pass in on egress inet proto icmp from any to (egress)

# <-- default rules --->
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

## Port build user does not need network
block return out log proto {tcp udp} user _pbuild