by Joshua Branson, April 28, 2023
set up doas
Let's make any user that is in the group "wheel" able to execute privileged commands.
# sed 's/keepenv/persist keepenv/' /etc/examples/doas.conf > /etc/doas.conf
set up my pf
$ cat /etc/pf.conf
# most of this file was taken from here: 
# https://home.nuug.no/~peter/pf/en/long-firewall.html
# another good pf resource: https://www.openbsd.org/faq/pf/filter.html
# block all traffic by default
block log (user) all
# ports to allow. more services can be found via: less /etc/services AND less /etc/protocols
# "domain" is insecure DNS, which I replaced with DNS over TLS. see /etc/unwind.conf
# if you use default (insecure) DNS, then add "domain" to both tcp_services and udp_services.
tcp_services = "{ ssh, smtp, domain-s, www, https, auth, netstat, ntp, imaps, irc, 6697, sip, xmpp-client, mdns, mdnsresponder }"
udp_services = "{ ntp }"
# don't filter on the loopback interface
set skip on lo0
# https://dataswamp.org/~solene/2024-06-08-openbsd-privacy-setup.html
match in all scrub (no-df random-id max-mss 1440)
antispoof quick for egress
# allow traffic on certain ports
pass quick proto tcp to port $tcp_services
pass quick proto udp to port $udp_services
# enable ping by default.
pass quick proto { icmp, icmp6 }
# Port build user does not need network
block return out log (user) quick proto {tcp udp} user _pbuild
# By default, do not permit remote connections to X11. Can I delete this next line?
block return in on ! lo0 proto tcp to port 6000:6010
set up httpd
I run three websites (the other two are here).  I clone my websites to /var/www/htdocs and then link to them in my ~/prog/ directory.
$ cd /var/www/htdocs/ 
$ doas git clone https://git.sr.ht/~gnucode/gnucode.me
$ doas chown -R joshua gnucode.me
$ doas chgrp -R daemon gnucode.me
$ cd gnucode.me; ls -lha
total 64
  drwxr-xr-x  11 joshua  daemon   512B Oct  1 23:09 ./
  drwxr-xr-x   6 root    daemon   512B Oct  2 16:57 ../
  drwxr-xr-x   7 joshua  daemon   512B Oct  1 23:08 .git/
  -rw-r--r--   1 joshua  daemon     7B Sep 29 21:50 .gitignore
  drwxr-xr-x   2 joshua  daemon   512B Sep  3 20:50 builders/
  drwxr-xr-x   2 joshua  daemon   512B Sep  3 20:50 css/
  -rwxr-xr-x   1 joshua  daemon   143B Sep  3 20:50 environment.sh*
  -rw-r--r--   1 joshua  daemon   896B Sep 29 21:50 haunt.scm
  drwxr-xr-x   2 joshua  daemon   512B Sep  3 20:50 images/
  drwxr-xr-x   2 joshua  daemon   512B Sep  3 20:50 pages/
  drwxr-xr-x   2 joshua  daemon   2.5K Oct  1 23:08 posts/
  drwxr-xr-x   5 joshua  daemon   2.5K Oct  1 23:09 site/
  drwxr-xr-x   2 joshua  daemon   512B Sep 29 21:50 theme/
  drwxr-xr-x   2 joshua  daemon   512B Sep  3 20:50 utils/
Then I create a symlink in my ~/prog/ directory
$ mkdir -p ~/prog/gnu/guile/; cd ~/prog/gnu/guile/
$ ln -s /var/www/htdocs/gnucode.me gnucode.me
Now I can edit the files in my home directory and update the files that I serve
locally at the same time. And I can set up my /etc/hosts file so that I can
locally examine my websites.
$ cat /etc/hosts
 127.0.0.1	localhost
 127.0.0.1	local.gnucode.me
 127.0.0.1	local.propernaming.org
 127.0.0.1	local.gnu-hurd.com
 ::1		localhost
Now I can set up my httpd.conf file.
$ cat /etc/httpd.conf; doas rcctl enable httpd && doas rcctl start httpd
 server "local.gnucode.me" {
 	listen on 127.0.0.1 port 80
 	root "/htdocs/gnucode.me/site"
 }
 
 server "local.propernaming.org" {
 	listen on 127.0.0.1 port 80
 	root "/htdocs/propernaming.org/site"
 }
 
 server "local.gnu-hurd.com" {
 	listen on 127.0.0.1 port 80
 	root "/htdocs/gnu-hurd.com"
 }
Now I can browse my websites locally via "local.gnucode.me".
set up unwind to block some ads
Unwind is a validating DNS resolver. It is intended to run on client machines like workstations or laptops and only listens on localhost. I use it paired with dismail.de's DNS servers, which try to block ads and malware by default.
$ cat /etc/unwind.conf
# unwind is a locally caching DNS resolver.  If I have
# already been to a site, then unwind will turn the
# URL into its appropriate IP address.
# forwarder { 1.1.1.1 9.9.9.9 }
# dismail.de DNS over TLS servers
forwarder { 116.203.32.217 DoT 159.69.114.157 DoT 2a01:4f8:1c1b:44aa::1 DoT 2a01:4f8:c17:739a::2 DoT }
preference { forwarder recursor }
install packages
# pkg_add emacs dino netsurf git fish mpv chromium gpg \
  hack-fonts isync evince libreoffice xfce4-terminal \
  xfce4-screenshooter xfce4-dict i3
When I installed isync, I got a message that said the following rcscripts were installed: /etc/rc.d/saslauthd. Apparently OpenBSD's packaged isync lets you set up a daemon to periodically fetch your email. Looking at the file, I'm not sure what it is.
Well, I could list all of the packages that I manually installed, but it is actually much easier to create a list of packages:
$ pkg_info -mz | tee openbsd-pkg-list
Now, when I want to re-install those packages I can just do this:
# pkg_add -l openbsd-pkg-list
clone my various repos
cd ~/
git clone https://notabug.org/jbranso/prog
cd prog
mkdir -p gnu/guix/
cd gnu/guix
git clone https://notabug.org/jbranso/guix
mv guix guix-src
git clone https://notabug.org/jbranso/guix-config
update my OpenBSD install
# doas syspatch
Enable playing of DVDs/CDs without doas
Add this line to the top of /etc/X11/xenodm/GiveConsole:
chown $USER /dev/rcd0c
window manager stuff
modify my ~/.xsession
auto start xfce, prefer utf-8, set up a background color, and lock X after some inactivity.
cat ~/.xsession
# prefer UTF-8 whenever possible
export LC_CTYPE="en_US.UTF-8"
# use UTF-8 everywhere
export LANG=en_US.UTF-8
# specify location of kshrc
export ENV=$HOME/.kshrc
# set your background color
xsetroot -solid dimgray
xidle -delay 5 -sw -program "/usr/X11R6/bin/xlock -mode flag" \
                   -timeout 300
exec i3
set up polybar for i3
https://forum.endeavouros.com/t/tutorial-easy-setup-endeavour-xfce-i3-tiling-window-manager/13171
# doas pkg_add polybar
$ mkdir ~/.config/polybar
$ cp /usr/local/share/examples/polybar/config ~/.config/polybar
This wiki page has a lot of details about setting up fonts.
More information is in my polybar config.
If this is a laptop with a battery, then install this
https://dataswamp.org/~solene/2022-03-21-openbsd-cool-frequency.html
# doas pkg_add obsdfreqd
# rcctl enable obsdfreqd
# rcctl stop apmd
# rcctl disable apmd
# rcctl start obsdfreqd
set up doom emacs
(I also need to ensure that ~/prog/gnu/guix/ exists because my emacs looks for
some guix snippets).
git clone --depth 1 https://github.com/doomemacs/doomemacs ~/.config/emacs
~/.config/emacs/bin/doom install
add doom emacs to path
cat ~/.profile
# $OpenBSD: dot.profile,v 1.8 2022/08/10 07:40:37 tb Exp $
#
# sh/ksh initialization
#
PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/home/joshua/.config/emacs/bin
export PATH HOME TERM
copy my ~/ config files
cp .authinfo.gpg, .ssh, .mbsyncrc, .gnupg/
cp documents to ~/
import my gpg keys from my usb stick.
$ gpg --import ./dismail.de.gpg.key.asc
$ git config --global commit.gpgsign true
$ gpg --list-secret-keys --keyid-format=long
Copy the really long alphanumeric word from the above command. It'll look something like:
62A42A3CC13497D626FZ686C750BCFEF3A5E1572
$ git config --global user.signingkey <your alphanumeric word>
set up pinentry
# pkg_add pinentry-dmenu
There are two things that you need to do to set up pinentry-dmenu, so that when I need to sign commits or decrypt stuff, the pinentry-dmenu popup happens.
set up gpg agent
$ cat ~/.gnupg/gpg-agent.conf
pinentry-program /usr/local/bin/pinentry-dmenu
default-cache-ttl 3600
man gpg-agent says to do this: "You should always add the following lines to your .bashrc or whatever initialization file is used for all shell invocations:"
$ cat ~/.profile | grep GPG_TTY
GPG_TTY=$(tty)
export GPG_TTY
start a dbus session
This is only needed if you want to use pinentry-gnome3
$ cat ~/.xsession | grep dbus
# start a dbus session, which I believe gpg needs for graphical pinentry
# I found this command in /usr/local/share/doc/pkg-readmes/dbus
if [ -x /usr/local/bin/dbus-launch -a -z "${DBUS_SESSION_BUS_ADDRESS}" ]; then
	eval `dbus-launch --sh-syntax --exit-with-x11`
fi
If you have difficulty getting pinentry to work, here are some steps to manually get pinentry to work:
In a fish terminal, type in:
$ gpgconf --kill gpg-agent
$ set GPG_TTY $(tty)
$ export GPG_TTY
$ git commit -m "my commit message"
change /etc/motd
I once set an invalid option in /etc/fstab that threw me into a root shell with
only the root filesystem mounted.  All of a sudden vi would not work.  The
command below is how to fix it:
export TERM=vt200
$ cat /etc/motd
OpenBSD 7.2 (GENERIC.MP) #7: Sat Feb 25 14:07:58 MST 2023
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
If you are having trouble using vi in the console try this:
export TERM=vt200;
install haunt on OpenBSD
doas pkg_add guile info
First install guile-commonmark:
$ cd ~/prog/guile
$ git clone https://github.com/OrangeShark/guile-commonmark
$ cd guile-commonmark
# Remember what version of autoconf and automake that you install!
# You will need it later!
# doas pkg_add autoconf automake
Why am I seeing 2 aclocal binaries? No idea.
$ ls /usr/local/bin/aclocal*
/usr/local/bin/aclocal
/usr/local/bin/aclocal-1.16
$
$ ls /usr/local/bin/automake*
/usr/local/bin/automake
/usr/local/bin/automake-1.16
Arsen on IRC helped me figure out the next incantation.
$ AUTOMAKE_VERSION=1.17 AUTOCONF_VERSION=2.72 ./bootstrap
$ ./configure
$ gmake
$ gmake check
# gmake install
The output tells you where the guile-commonmark library is installed:
gmake[1]: Entering directory '/home/joshua/prog/guile/guile-commonmark'
gmake[1]: Nothing to be done for 'install-exec-am'.
 mkdir -p '/usr/local/share/info'
 /usr/bin/install -c -m 644 ./doc/guile-commonmark.info '/usr/local/share/info'
 install-info --info-dir='/usr/local/share/info' '/usr/local/share/info/guile-commonmark.info'
 mkdir -p '/usr/local/share/guile/site/3.0'
 mkdir -p '/usr/local/share/guile/site/3.0/commonmark'
 /usr/bin/install -c -m 644  commonmark/utils.scm commonmark/common.scm \
   commonmark/parser.scm commonmark/entities.scm commonmark/node.scm  \
   commonmark/blocks.scm commonmark/inlines.scm commonmark/sxml.scm \ 
   '/usr/local/share/guile/site/3.0/commonmark'
 /usr/bin/install -c -m 644  commonmark.scm '/usr/local/share/guile/site/3.0/.'
 mkdir -p '/usr/local/lib/guile/3.0/site-ccache'
 mkdir -p '/usr/local/lib/guile/3.0/site-ccache/commonmark'
 /usr/bin/install -c -m 644  commonmark/utils.go commonmark/common.go \
 commonmark/parser.go commonmark/entities.go commonmark/node.go \ 
 commonmark/blocks.go commonmark/inlines.go commonmark/sxml.go \
 '/usr/local/lib/guile/3.0/site-ccache/commonmark'
 /usr/bin/install -c -m 644  commonmark.go '/usr/local/lib/guile/3.0/site-ccache/.'
gmake[1]: Leaving directory '/home/joshua/prog/guile/guile-commonmark'
Now let's install haunt
$ git clone https://git.dthompson.us/haunt.git
$ cd haunt
$ AUTOMAKE_VERSION=1.17 AUTOCONF_VERSION=2.72 ./bootstrap
$ ./configure
$ gmake
$ gmake check
# gmake install
hardening my OpenBSD install
My computer has only one regular user on it. Let's remove myself from the wheel
group and change doas.conf to only allow user joshua to execute privileged
commands.
 # usermod -S '' joshua
 $ userinfo joshua
$ cat doas.conf
permit persist keepenv joshua
If you want to go a little harder, delete doas.conf, remove yourself from the
wheel group, and when you need to be root, switch to a tty and run your command.
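As an added example (my code, not from the post or from doas itself), here is a small Python audit of a doas.conf: it parses rules with the grammar from doas.conf(5) and flags what the group-wide rule from the first section grants compared with the single-user rule above. It works on constructed config text rather than reading /etc/doas.conf, and its setenv handling assumes spaces around the braces.

```python
import shlex

FLAGS = {"nopass", "nolog", "persist", "keepenv"}

def parse_doas_conf(text):
    """One dict per rule, per doas.conf(5): permit|deny [options] identity
    [as target] [cmd command [args ...]]. Assumes spaces around setenv braces."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        toks = shlex.split(line)
        assert toks[0] in ("permit", "deny"), f"not a doas rule: {raw!r}"
        rule = {"action": toks[0], "options": set(), "target": "root", "cmd": None}
        i = 1
        while i < len(toks) and (toks[i] in FLAGS or toks[i] == "setenv"):
            if toks[i] == "setenv":                   # skip the { VAR=value ... } list
                i = toks.index("}", i) + 1
            else:
                rule["options"].add(toks[i])
                i += 1
        rule["identity"], i = toks[i], i + 1          # 'joshua' or ':wheel'
        if i < len(toks) and toks[i] == "as":
            rule["target"], i = toks[i + 1], i + 2
        if i < len(toks) and toks[i] == "cmd":
            rule["cmd"] = " ".join(toks[i + 1:])
        rules.append(rule)
    return rules

def audit(text):
    """Permit rules worth a second look on a single-user workstation."""
    findings = []
    for r in parse_doas_conf(text):
        if r["action"] != "permit":
            continue
        group = r["identity"].startswith(":")
        who = f"group {r['identity'][1:]}" if group else f"user {r['identity']}"
        scope = f"'{r['cmd']}'" if r["cmd"] else "any command"
        if group:
            findings.append(f"{who}: every member may run {scope} as {r['target']}")
        if "nopass" in r["options"]:
            findings.append(f"{who}: nopass, {scope} runs without a password")
        if "keepenv" in r["options"] and r["cmd"] is None:
            findings.append(f"{who}: keepenv on any command, caller's environment reaches {r['target']}")
    return findings

WHEEL_CONF = "permit persist keepenv :wheel\n"        # constructed: the first section's rule
JOSHUA_CONF = "permit persist keepenv joshua\n"       # constructed: the hardened rule above
```

Running audit() on both strings shows the group-wide rule adds one finding (every wheel member becomes root) that the single-user rule does not have; a rule limited with cmd drops the keepenv finding as well.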
Enable clamav, an antivirus scanner:
# pkg_add clamav
# rcctl enable clamav
# rcctl enable clamav_milter
# rcctl enable freshclam
Set up anacron and enable auto updating: https://dataswamp.org/~solene/2023-06-28-anacron.html
harden your malloc
# sysctl vm.malloc_conf=S
And edit /etc/sysctl.conf to add vm.malloc_conf=S
This may cause some programs to stop working, because some software is not really written well.