Rails and Falcon run as an unprivileged user that owns only `tmp/` and `log/`. This way, not only does root remain unaffected by a break-in attempt, but should the app be compromised it will not be able to modify any of its own runtime files.
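One way to verify the ownership model described above, as an added example that is not part of the project's files: a POSIX sh audit that lists everything under the Rails root, outside `tmp/` and `log/`, that the app user owns or that is world-writable. The Rails root and user name passed to it are assumptions.

```shell
#!/bin/sh
# Added example, not part of the project: audit a Rails checkout for files
# that the unprivileged app user could modify outside tmp/ and log/.
# A file there owned by the app user, or world-writable, lets a compromised
# Falcon process rewrite its own code or configuration.
# Assumptions: $1 is the Rails root, $2 the account Falcon runs as.

audit_app_tree() {
    app_dir=${1%/}          # tolerate a trailing slash
    app_user=$2
    id "$app_user" >/dev/null 2>&1 || { echo "no such user: $app_user" >&2; return 2; }
    # Skip the two directories the app user is meant to own, then report
    # anything else it owns or that anyone can write to (symlinks are
    # always mode 777, so they are excluded from the world-writable test).
    find "$app_dir" \
        \( -path "$app_dir/tmp" -o -path "$app_dir/log" \) -prune -o \
        \( -user "$app_user" -o \( ! -type l -perm -002 \) \) -print
}

# Number of offending paths; anything above 0 means chown/chmod is needed.
audit_app_tree_count() {
    audit_app_tree "$1" "$2" | wc -l | tr -d ' '
}

# Example invocation on a live host (path and user are assumptions):
#   audit_app_tree /var/www/brgen brgen
```

Run it after `cp -R` and `chown` and expect no output; any path it prints is a file the app could tamper with after a compromise.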
- relayd(8) does reverse proxying and TLS termination for Falcon on HTTPS port 443 (HTTP/2)
- httpd(8) listens for ACME challenges from Let's Encrypt on HTTP port 80 and passes them on to acme-client(1) (HTTP/1.1)
- pf(4) does the firewalling and, together with pf-badhost, blocks out roughly 600.000.000 spam IPs
- nsd(8) is the primary authoritative nameserver for all domains, with Domain Name Shop's ns.hyp.net as the secondary
Edit configs to taste and deploy to root:

```sh
# cp -R etc/ var/ /
```

Create unprivileged user and group for the app:

```sh
adduser -group USER -batch brgen
```

Create privileged user with doas(1) root access:

```sh
adduser -group WHEEL -batch dev
echo "permit nopass :wheel" >> /etc/doas.conf
```

Install Ruby:

```sh
doas pkg_add ruby
```

Set gem path in the shell (single quotes, so `$PATH` and `$HOME` are expanded when `.kshrc` is sourced rather than frozen at the time the line is written):

```sh
echo 'PATH=$PATH:$HOME/.local/share/gem/ruby/3.1/bin; export PATH' >> ~/.kshrc
. ~/.kshrc
```
Nokogiri:

```sh
doas pkg_add libxslt
gem install --user-install nokogiri -- --use-system-libraries
bundle config build.nokogiri --use-system-libraries
```

Rails:

```sh
gem install --user-install rails
gem install --user-install falcon
```

For 7.1-alpha, install each framework gem from the rails/rails git repository with specific_install, in dependency order:

```sh
gem install --user-install specific_install
gem git_install --user-install https://github.com/rails/rails.git -d activesupport
gem git_install --user-install https://github.com/rails/rails.git -d activemodel
gem git_install --user-install https://github.com/rails/rails.git -d activerecord
gem git_install --user-install https://github.com/rails/rails.git -d activejob
gem git_install --user-install https://github.com/rails/rails.git -d actionview
gem git_install --user-install https://github.com/rails/rails.git -d actionpack
gem git_install --user-install https://github.com/rails/rails.git -d activestorage
gem git_install --user-install https://github.com/rails/rails.git -d actiontext
gem git_install --user-install https://github.com/rails/rails.git -d actioncable
gem git_install --user-install https://github.com/rails/rails.git -d actionmailbox
gem git_install --user-install https://github.com/rails/rails.git -d actionmailer
gem git_install --user-install https://github.com/rails/rails.git -d railties
gem git_install --user-install https://github.com/rails/rails.git
```
PostgreSQL:

```sh
pkg_add postgresql-server
rcctl enable postgresql
doas -u _postgresql initdb -D /var/postgresql/data/ -U postgres
rcctl start postgresql
doas -u _postgresql psql -U postgres
```

Then, inside psql, create the app's database role (replace the placeholders):

```sql
CREATE ROLE <user> LOGIN SUPERUSER PASSWORD '<password>';
```

Redis:

```sh
pkg_add redis
rcctl enable redis
rcctl start redis
```

Node and Yarn:

```sh
pkg_add node
npm install --global yarn
```

Prevent Node errors:

```sh
ln -s /usr/local/bin/node /tmp/node
```

Sass:

```sh
pkg_add sass
```

libvips and its shared-library symlinks:

```sh
pkg_add libvips glib2 gobject-introspection
ln -sf /usr/local/lib/libvips.so.0.0 /usr/local/lib/libvips.so.42
# link name corrected to libglib-2.0.so.0 (the original dropped the "lib" prefix)
ln -sf /usr/local/lib/libglib-2.0.so.4201.8 /usr/local/lib/libglib-2.0.so.0
ln -sf /usr/local/lib/libgobject-2.0.so.4200.15 /usr/local/lib/libgobject-2.0.so.0
```

Tesseract OCR:

```sh
gem install --user-install tesseract-ocr -- --use-system-libraries
```

httpd:

```sh
rcctl enable httpd
rcctl start httpd
```
Generate Let's Encrypt TLS certificates with acme-client(1) and add renewal to crontab(1):

```sh
sh mkcert
```
Raise the open files limit:

```sh
sysctl kern.maxfiles=20000
echo "kern.maxfiles=20000" >> /etc/sysctl.conf
```

Modify the daemon class in /etc/login.conf:

```
openfiles-max=20000
openfiles-cur=20000
```
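Added example, not from the project: a POSIX sh helper that reads a capability out of a login.conf(5) class (joining the backslash-continued lines of the record) and flags a class whose `openfiles-cur` is at or above `kern.maxfiles`, since a per-process limit equal to the system-wide one lets a single runaway daemon exhaust every descriptor on the host. The config path and class passed in are assumptions, and `tc=` inheritance is not followed.

```shell
#!/bin/sh
# Added example, not part of the project: read a capability from a
# login.conf(5) class and sanity-check it against kern.maxfiles.
# login.conf records are termcap-style: "class:\" followed by ":cap=value:\"
# continuation lines. The awk below joins one record's continuation lines
# and prints the requested capability's value.
# Assumptions: $1 is a login.conf path, $2 the class, $3 the capability.

login_cap() {
    awk -v class="$2" -v cap="$3" '
        /^[ \t]*#/ { next }                       # skip comments
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # strip leading indentation
            sub(/\\[ \t]*$/, "", line)            # strip trailing backslash
            rec = rec line
            if ($0 ~ /\\[ \t]*$/) next            # record continues on next line
            if (index(rec, class ":") == 1) {     # record starts with "class:"
                n = split(rec, f, ":")
                for (i = 1; i <= n; i++) {
                    if (index(f[i], cap "=") == 1) {
                        print substr(f[i], length(cap) + 2)
                        exit
                    }
                }
            }
            rec = ""
        }' "$1"
}

# Prints "ok", "warn", "unlimited" or "missing" for the class's openfiles-cur
# compared with kern.maxfiles ($3); returns non-zero for anything but "ok".
check_openfiles() {
    conf=$1; class=$2; maxfiles=$3
    cur=$(login_cap "$conf" "$class" openfiles-cur)
    case $cur in
        '')        echo "missing"; return 2 ;;
        *[!0-9]*)  echo "unlimited"; return 1 ;;   # e.g. "infinity"
    esac
    if [ "$cur" -ge "$maxfiles" ]; then
        echo "warn"; return 1
    fi
    echo "ok"
}

# Example invocation on a live host (assumed paths and values):
#   check_openfiles /etc/login.conf daemon "$(sysctl -n kern.maxfiles)"
```

With the values from this page (both 20000) the check prints `warn`; raising `kern.maxfiles` above the per-class limit, or lowering `openfiles-cur`, makes it print `ok`.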
Install pf-badhost. Add `_TOR_BLOCK_ALL=1`, `lists_vpn` and whitelisted IPs to /usr/local/bin/pf-badhost.

nsd and smtpd:

```sh
rcctl enable nsd
rcctl start nsd
rcctl enable smtpd
rcctl start smtpd
```