Fossil Self-hosting Repository Server on OpenBSD (httpd)

Introduction

With my preferred Git repository hosting provider preparing to introduce some changes that don't cohere with my philosophical ideals, I finally decided to make the move to Fossil. Git has never been my favourite, but its ubiquity made it hard to ignore. OpenBSD's development of got was a more than desirable improvement, but now that I needed to self-host there was no longer any obstacle to using Fossil that could be avoided by staying with Git—and so I switched. Fossil is super simple, clean, and consistent …

more ...

L2TP IPSec VPN with npppd on OpenBSD

Introduction

If you're even slightly security- or privacy-conscious, which in the present era of Big Data and tech oligarchs is a provident predilection, you should, if not already, be using a VPN (Virtual Private Network). And I don't mean one of the oft-advertised commercial offerings you see plastered about social media—but one that you control. Where every outgoing request that leaves your computer is tunneled through an encrypted private network owned and operated by you. Fortunately, the …

more ...

EuroBSDCon 2019 Talks

The presentations from this year's EuroBSDCon, held in late September in Lillehammer, Norway, are now available on YouTube.

The program lists a number of interesting talks from seasoned OpenBSD developers such as Alexander Bluhm's assay of performance metrics on OpenBSD (cf. test results), and Stefan Sperling sharing the new Game of Trees git tool—more commonly referred to as got. But there are also many other speakers from various backgrounds presenting an assortment of topics ranging from Paul Vixie—the author of cron, and numerous RFCs—discussing DNS over HTTP (DoH) to an exposition on the basics of ZFS by Dan Langille …

more ...

OpenBSD 6.6 Released Early

The second of OpenBSD's two releases this year came early again: OpenBSD 6.6 was released last week, though this post comes late.

For anyone who isn't yet aware, Theo's announcement came a few days ago on Thursday, October 17 to the relevant mailing lists.

Among the many changes are:

  • sysupgrade(8): an automatic upgrade utility that performs release and snapshot upgrades with one command
  • LibreSSL 3.0.2: a new release of the project's OpenSSL fork
  • sshsig: a minimal signing and verification facility added to ssh-keygen(1)
  • OpenSSH 8.1: a new release of the project's ubiquitous ssh protocol implementation …

more ...

OpenBSD: Secure by Default

Correction: ASLR was not innovated by OpenBSD; the Linux PaX project published the first design and implementation of ASLR in July 2001 as a patch for the Linux kernel. ASLR was then added to OpenBSD 3.4 in 2003, followed by Linux in 2005. —Unix Sheikh

Continuing with the theme of my last post regarding the impetus of the OpenBSD project, and the principles to which development of the operating system adheres, I felt compelled to enumerate some of the tangible benefits that such a system produces. The principled purist within me notwithstanding, for what reason do I not only choose to …

more ...

OpenBSD: Clean, Correct Code by Default

I was perusing some not-too-recent-nor-old messages on the misc@openbsd.org mailing list when I entered a thread whose subject—OpenBSD Project—caught my interest. After reading the original message I would normally have passed on the rest, but fortuitously didn't, and was pleased to read a contribution that reminded me of one of OpenBSD's most compelling merits:

"If your choice of operating system depends on any kind of formalities rather than on technical quality, OpenBSD is not the project you are looking for."

The entire message deserves a read but this key point made by author Ingo Schwarze …

more ...

OpenBSD DNS Server with unbound and nsd

Introduction

The default installation of OpenBSD comes with both unbound(8) and nsd(8): unbound is a validating, recursive, caching resolver (it performs DNSSEC validation of the answers it receives), while nsd is an authoritative name server that serves the zones you hold. Running the two together locally means that name lookups (i.e., requests to resolve domain names into IP addresses and vice versa) are answered by your own machine rather than being handed to your ISP's resolver or a public one such as Google's. This almost completely prevents snooping or tampering …

more ...

Starting ssh-agent on OpenBSD

You'll find that unlike macOS, ssh-agent doesn't automatically run at startup on OpenBSD, so you need to initialise it, which is quick and easy but somewhat abstruse.

First, don't do the seemingly obvious and simply run ssh-agent like so:

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-MUxDCsIBiG5G/agent.38206; export SSH_AUTH_SOCK;
SSH_AGENT_PID=65950; export SSH_AGENT_PID;
echo Agent pid 65950;

Despite what you might intuit from the output, ssh-agent has only printed the shell script needed to initialise the daemon—it hasn't actually set the variables. Instead, we should evaluate the output, which will set both the SSH_AUTH_SOCK and SSH_AGENT_PID variables that allow ssh-add to communicate with …
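
A login-time version of the same idea, added here as an example and not taken from the post: it evaluates the agent's printed script only when no usable agent is already reachable, so a new agent is not spawned for every shell, and then the keys are added with a lifetime. The `~/.profile` sourcing path and the `4h` lifetime in the trailing comment are assumptions.

```sh
# Added example (not from the original post): start one ssh-agent per login
# and reuse it from every shell, instead of running a bare `ssh-agent`.
#
# Running `ssh-agent` alone only prints shell assignments; nothing in the
# calling shell changes. `eval` runs that printed script so the variables
# land in the current process, where ssh(1) and ssh-add(1) can see them.

# Return 0 when the environment already points at a usable agent:
# SSH_AUTH_SOCK must be an existing socket and SSH_AGENT_PID a live process.
agent_env_ok() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    [ -n "${SSH_AGENT_PID:-}" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Start an agent only if none is reachable.  `ssh-agent -s` forces sh-style
# output regardless of $SHELL, which is what eval expects here.
# Returns 0 with a reachable agent, 2 if ssh-agent is not installed, 1 on
# any other failure.
ensure_agent() {
    agent_env_ok && return 0
    command -v ssh-agent >/dev/null 2>&1 || return 2
    eval "$(ssh-agent -s)" >/dev/null || return 1
    agent_env_ok
}

# Typical use from ~/.profile (assumed path and lifetime, not from the post).
# Giving added keys a lifetime means a forgotten agent does not hold
# unlocked keys indefinitely:
#   . /path/to/this/file && ensure_agent && ssh-add -t 4h
```

The check in `agent_env_ok` matters when the variables are inherited from a session whose agent has since exited: a stale `SSH_AUTH_SOCK` would otherwise make every `ssh` call fail with a connection error instead of starting a fresh agent.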

more ...

Quick and Convenient Command Line E-mail

If you spend a considerable amount of time in your terminal, you might find the ability to fire off short emails from within it—without context-switching to your mail client or browser or whichever means you use—a convenient shortcut. Not to mention the utility it affords any number of use cases you might later choose to implement; a simple shell script, for example, can deliver notifications via email. It's a convenient feature of Unices that requires very little setup.

First, edit /etc/mail/secrets, as a privileged user, to store your credentials in the following format:

relayid relayuser:secretpassword

Where relayuser …

more ...

Boost Nextcloud Performance with Redis Cache on OpenBSD

Introduction

An in-memory key-value store such as Redis can noticeably cut Nextcloud's load times: PHP keeps computed results (and, in Nextcloud's case, the transactional file-locking state) in memory between requests instead of rebuilding them from the database each time. Redis does not cache compiled PHP itself; that is the job of PHP's separate OPcache.

Install Redis

Both the Redis database and PHP interfacing extension need to be installed:

# pkg_add redis pecl-redis

Enable the rc.d service so Redis starts at boot, then start it now:

# rcctl enable redis
# rcctl start redis

Redis and Nextcloud Configuration

First, make the directory with appropriate ownership and permissions in the chroot where Redis will create the unix socket file:

# mkdir /var/www/redis
# chown …

more ...