# OpenBSD Server Automation

**Choose [OpenBSD](https://openbsd.org) for your Unix needs.**  
OpenBSD is the world’s simplest and most secure Unix-like operating system. It’s a safe alternative to the frequent vulnerabilities and overengineering found in the Linux ecosystem.

Consider the issues with these Linux components and their known vulnerabilities:  
- [Bash](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bash) (Shellshock)  
- [OpenSSL](https://www.openssl.org/news/vulnerabilities.html) (Heartbleed, CVE-2014-0160)  
- [NGiNX](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=nginx)  
- [Apache](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache)  
- [iptables](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=iptables), [nftables](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=nftables)  
- [systemd](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=systemd)  
- [BIND](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bind)  
- [Postfix](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postfix)  
- [Docker](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=docker)

In contrast, OpenBSD comes with secure and minimal daemons by default, and thanks to [LibreSSL](https://libressl.org), derived from OpenSSL but cleaned up and audited, you enjoy a safer cryptographic stack.

**OpenBSD—the cleanest kernel, the cleanest userland, the cleanest configuration syntax.**

---

## Overview

This repository provides a script to configure an OpenBSD VPS as a secure, production-ready platform for Ruby on Rails 8 applications running under [Falcon](https://github.com/socketry/falcon). Falcon, a multi-process, multi-fiber HTTP server built atop [async](https://github.com/socketry/async) primitives, integrates seamlessly with OpenBSD’s services to provide an efficient, stable environment.

[Falcon Documentation](https://socketry.github.io/falcon/) details how to integrate Falcon with Rails and optimize performance.

---

## Key Features

- **Native Security and Simplicity**: Leverages OpenBSD’s base daemons:
  - [httpd(8)](https://man.openbsd.org/httpd.8) for web serving and ACME challenges.
  - [acme-client(1)](https://man.openbsd.org/acme-client.1) for automated TLS/SSL certificate management.
  - [nsd(8)](https://man.openbsd.org/nsd.8) for authoritative DNS with DNSSEC.
  - [relayd(8)](https://man.openbsd.org/relayd.8) for secure reverse proxying to Falcon.
  - [pf(4)](https://man.openbsd.org/pf.4) for a robust, simple firewall.
  
- **LibreSSL Integration**: Enjoy improved security and code quality with [LibreSSL](https://libressl.org) instead of the legacy OpenSSL.

- **Optimized for Ruby on Rails 8 and Falcon**:
  Falcon supports HTTP/1 and HTTP/2, running requests in lightweight fibers for excellent concurrency and performance.

- **Multi-Domain Ready**: Effortlessly manage multiple domains and subdomains. NSD handles DNS zones, HTTPD and ACME-Client secure them, RELAYD routes requests, and PF keeps it all locked down.

---

## Usage

### Prerequisites

1. Fresh OpenBSD installation.
2. [doas(1)](https://man.openbsd.org/doas.1) configured for administrative tasks.

### Steps

1. Upload `openbsd.sh` to your server.
2. Make it executable:
   ```sh
   chmod +x openbsd.sh
   ```
3. Run the script:
   ```sh
   doas ./openbsd.sh
   ```
4. Deploy your Rails apps (Rails 8 + Falcon):
   ```sh
   mkdir -p /home/<app_name>/<app_name>
   chown -R <app_name>:<app_name> /home/<app_name>/<app_name>
   cd /home/<app_name>/<app_name>
   doas -u <app_name> bundle install
   ```

---

## Validation

- Check DNS:
  ```sh
  dig @localhost example.com
  ```

- Verify TLS:
  ```sh
  openssl s_client -connect yourdomain.com:443
  ```

- Check running services:
  ```sh
  rcctl check nsd httpd relayd sshguard varnishd
  ```

- Rails apps:
  Access configured domains in your browser and confirm Rails 8 + Falcon integration.

---

## Notes and Best Practices

- Harden permissions:
  ```sh
  doas chmod 600 /etc/ssl/private/*.key
  doas chmod 644 /etc/ssl/*.pem
  ```
- Keep OpenBSD up-to-date with `syspatch`.
- Set up glue records at your registrar for your DNS if needed.

**With OpenBSD and Falcon, build a resilient, high-performance Rails 8 platform without the baggage of Linux complexities and vulnerabilities.**


#!/usr/bin/env zsh
set -euo pipefail

# OpenBSD Rails Server Setup Script
#
# This script sets up an OpenBSD VPS for hosting Ruby on Rails applications.
# It handles firewall rules, DNS configuration, SSL certificates, and service initialization.
#
# Generated Files:
# - /etc/pf.conf
# - /etc/relayd.conf
# - /etc/httpd.conf
# - /etc/acme-client.conf
# - /etc/nsd/nsd.conf
# - /var/nsd/zones/master/*.zone
# - /etc/rc.d/<app_name>

OPENBSD_AMSTERDAM_IP="XXX"

ALL_DOMAINS=(
  "mydomain.com:subdomain1,subdomain2"
  "mydomain2.com:subdomain1,subdomain2"
)

RAILS_APPS=("myappie" "myappie2")

declare -A APP_BACKEND_PORTS

# Functions
install_packages() {
  echo "Installing required packages..."
  doas pkg_add -UI ruby-3.3.5 postgresql-server redis varnish monit sshguard
}

configure_pf() {
  echo "Configuring pf..."
  doas tee /etc/pf.conf > /dev/null <<EOF
set skip on lo
block all
pass in proto tcp to port { 22, 80, 443 } keep state
pass out on egress keep state
EOF
  doas pfctl -f /etc/pf.conf
  echo "pf configured."
}

configure_nsd() {
  echo "Configuring nsd..."
  doas tee /etc/nsd/nsd.conf > /dev/null <<EOF
server:
  verbosity: 2
  zonesdir: "/var/nsd/zones/master"
EOF

  for domain_entry in "${ALL_DOMAINS[@]}"; do
    domain="${domain_entry%%:*}"
    subdomains="${domain_entry#*:}"
    doas tee "/var/nsd/zones/master/$domain.zone" > /dev/null <<ZONE
\$ORIGIN $domain.
\$TTL 3600
@ IN SOA ns.mydomain.com. admin.$domain. (
  $(date +%Y%m%d%H) ; serial
  7200 ; refresh
  3600 ; retry
  1209600 ; expire
  3600 ; minimum
)
  NS ns.mydomain.com.
  NS ns.friendsns2.com.

  A $OPENBSD_AMSTERDAM_IP
ZONE
    if [[ -n "$subdomains" ]]; then
      for sub in ${(s/,/)subdomains}; do
        echo "$sub IN CNAME @" | doas tee -a "/var/nsd/zones/master/$domain.zone" > /dev/null
      done
    fi
  done

  doas nsd-checkconf /etc/nsd/nsd.conf
  doas rcctl enable nsd
  doas rcctl restart nsd
  echo "nsd configured."
}

configure_relayd() {
  echo "Configuring relayd..."
  doas tee /etc/relayd.conf > /dev/null <<EOF
table <acme_client> { 127.0.0.1:19022 }

http protocol "http" {
  pass request header append "X-Forwarded-For" value "\$REMOTE_ADDR"
}

relay "http_relay" {
  listen on * port 80
  protocol "http"
  forward to <acme_client>
}
EOF
  doas rcctl enable relayd
  doas rcctl restart relayd
  echo "relayd configured."
}

configure_httpd() {
  echo "Configuring httpd..."
  doas tee /etc/httpd.conf > /dev/null <<EOF
server "acme" {
  listen on $OPENBSD_AMSTERDAM_IP port 80
  location "/.well-known/acme-challenge/*" {
    root "/var/www/acme"
    request strip 2
  }
}
EOF
  doas rcctl enable httpd
  doas rcctl restart httpd
  echo "httpd configured."
}

configure_acme_client() {
  echo "Configuring acme-client..."
  doas tee /etc/acme-client.conf > /dev/null <<EOF
authority letsencrypt {
  api url "https://acme-v02.api.letsencrypt.org/directory"
  account key "/etc/ssl/private/letsencrypt-privkey.pem"
}
EOF
  for domain_entry in "${ALL_DOMAINS[@]}"; do
    domain="${domain_entry%%:*}"
    doas tee -a /etc/acme-client.conf > /dev/null <<EOF
domain $domain {
  domain key "/etc/ssl/private/$domain.key"
  domain fullchain "/etc/ssl/$domain.fullchain.pem"
  sign with letsencrypt
}
EOF
  done
  doas rcctl enable acme-client
  doas rcctl restart acme-client
  echo "acme-client configured."
}

main() {
  install_packages
  configure_pf
  configure_nsd
  configure_httpd
  configure_relayd
  configure_acme_client
  echo "OpenBSD server setup complete."
}

main