# Creating a mirror of the OpenBSD and NetBSD websites on OpenBSD
Why nginx? Because I am already using it for other services on my server. You can easily use httpd instead.
Why NFS? Because I like the nullfs mountpoint style from FreeBSD, and the only way to do that on OpenBSD is to use NFS.
Why create a mirror? Because sometimes the official website can simply be unavailable. When the project is open, you can easily create a mirror by using their repositories.
# install git and nginx
pkg_add git nginx
# Register the services this setup relies on so they come up at boot:
#   portmap nfsd mountd lockd - nfs (read only local mountpoint)
#   nginx                     - web server
#   nsd                       - domain name server
# rcctl enable only records the setting; it does not start a daemon now.
for service in portmap nfsd mountd lockd nginx nsd; do
  rcctl enable "$service"
done
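# Create OpenBSD website mirror
# create _openbsd user; with a nologin shell the account only owns the
# checkout and runs the nightly update job
adduser -noconfig -class daemon -group _openbsd -shell nologin -batch _openbsd
# clone the repository from github
git clone https://github.com/openbsd/www /home/_openbsd/www
# or you can use anoncvs INSTEAD of git: both commands write to
# /home/_openbsd/www, so run only one of them
# cd /home/_openbsd && cvs -qz5 -danoncvs.eu.openbsd.org:/cvs co www
# exports /home/_openbsd/www as nfs mountpoint (read-only, loopback client only)
# NOTE(review): the export list limits who may mount, but portmap/mountd/nfsd
# may still accept connections on other interfaces - confirm pf blocks them.
echo "/home/_openbsd/www -ro -alldirs 127.0.0.1" >> /etc/exports
# add /home/_openbsd/www mount to /var/www/openbsd in fstab
# nodev,nosuid: the mount only carries static web content
echo "127.0.0.1:/home/_openbsd/www /var/www/openbsd nfs ro,nodev,nosuid,noauto 0 0" >> /etc/fstab
# create the directory's mountpoint
mkdir -p /var/www/openbsd
# mount it
# NOTE(review): `rcctl enable` only applies at boot; the NFS daemons must be
# running (rcctl start ...) and mountd must have read /etc/exports before this.
mount /var/www/openbsd
# ensure /home/_openbsd has the good owner, so the update job can run
# without root privileges
chown -R _openbsd:_openbsd /home/_openbsd
# add a cronjob for git
# Installed through crontab(1) rather than by appending to /var/cron/tabs:
# cron checks the owner and mode of its spool files and is not told about
# direct edits. The existing table (if any) is kept; the error printed when
# the user has no crontab yet is deliberately discarded.
# ${HOME} stays literal on purpose: it is expanded when the job runs.
{
  crontab -u _openbsd -l 2>/dev/null
  echo '0 1 * * * git -C ${HOME}/www pull -f'
} | crontab -u _openbsd -
# or for cvs: use this entry in place of the git one above if you checked
# out with cvs
# echo '0 1 * * * cd ${HOME}/www && cvs up -dP'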
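# configure nginx (clear text)
# The heredoc delimiter is quoted: with a bare EOF the shell expands $host and
# the URI variable to empty strings and nginx receives "return 301 https://;".
# $request_uri is used instead of $uri because $uri is the decoded, normalized
# path; reflecting it into a Location header lets encoded CR/LF in a request
# end up in the response headers.
# "location /" replaces the catch-all regex: regex locations are tried before
# plain prefix locations, so "~ .*" could also redirect the ACME challenge
# requests. acme.conf is not shown here - NOTE(review): confirm its challenge
# location still takes precedence.
# listen [::]:80 is added because an AAAA record is published for this name.
cat > /etc/nginx/conf.d/openbsd.my.domain.conf << 'EOF'
server {
    listen *:80;
    listen [::]:80;
    server_name openbsd.my.domain;
    include /etc/nginx/default/acme.conf;
    location / {
        return 301 https://$host$request_uri;
    }
}
EOF
# check the configuration, then reload nginx
# ("nginx reload" is not a valid invocation; nginx must already be running)
nginx -t && rcctl reload nginx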
# configure acme: append a block for my.domain that lists openbsd.my.domain
# as an alternative name; the private key lives under /etc/ssl/private
cat << 'EOF' >> /etc/acme-client.conf
domain my.domain {
alternative names { openbsd.my.domain }
domain key "/etc/ssl/private/my.domain.key"
domain certificate "/etc/ssl/my.domain.crt"
domain full chain certificate "/etc/ssl/my.domain.fullchain.pem"
sign with letsencrypt
}
EOF
# get certificates
acme-client my.domain
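# create nginx ssl configuration
# listen [::]:443 is added because an AAAA record is published for this name;
# "listen *:443" alone only accepts IPv4 connections.
# autoindex exposes every file under the root, including the .git or CVS
# metadata directories of the checkout. NOTE(review): harmless for a public
# repository, but confirm security.conf (not shown) or an extra location
# hides them if you do not want them served.
cat > /etc/nginx/conf.d/openbsd.my.domain.ssl.conf << 'EOF'
server {
    listen *:443 ssl;
    listen [::]:443 ssl;
    server_name openbsd.my.domain;
    root /var/www/openbsd;
    ssl_certificate /etc/ssl/my.domain.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/my.domain.key;
    include /etc/nginx/default/security.conf;
    location / {
        autoindex on;
    }
}
EOF
# check the configuration, then reload nginx
# ("nginx reload" is not a valid invocation; nginx must already be running)
nginx -t && rcctl reload nginx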
# configure your domain with your own IP: one A and one AAAA record for the
# "openbsd" host are appended to the zone file
# don't forget to modify the serial
printf '%s\n' \
  'openbsd IN A 77.89.73.80' \
  'openbsd IN AAAA 4348:414e:4745:4d45:4e4f::1' \
  >> /var/nsd/zones/master/domain/my.zone
# reload nsd zone
nsd-control reload my.domain
# enjoy
lynx https://openbsd.my.domain
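# Create NetBSD website mirror
# create _netbsd user; with a nologin shell the account only owns the
# checkout and runs the nightly update job
adduser -noconfig -class daemon -group _netbsd -shell nologin -batch _netbsd
# clone from cvs repository
cd /home/_netbsd && cvs -qz5 -danoncvs.netbsd.org:/cvsroot co htdocs
# exports /home/_netbsd/htdocs as nfs mountpoint (read-only, loopback client only)
# NOTE(review): the export list limits who may mount, but portmap/mountd/nfsd
# may still accept connections on other interfaces - confirm pf blocks them.
echo "/home/_netbsd/htdocs -ro -alldirs 127.0.0.1" >> /etc/exports
# add /home/_netbsd/htdocs mount to /var/www/netbsd in fstab
# nodev,nosuid: the mount only carries static web content
echo "127.0.0.1:/home/_netbsd/htdocs /var/www/netbsd nfs ro,nodev,nosuid,noauto 0 0" >> /etc/fstab
# create the directory's mountpoint
mkdir -p /var/www/netbsd
# mount it
# NOTE(review): `rcctl enable` only applies at boot; the NFS daemons must be
# running (rcctl start ...) and mountd must have read /etc/exports before this.
mount /var/www/netbsd
# ensure /home/_netbsd has the good owner, so the update job can run
# without root privileges
chown -R _netbsd:_netbsd /home/_netbsd
# add a cronjob for cvs (the checkout above is a CVS working copy)
# Installed through crontab(1) rather than by appending to /var/cron/tabs:
# cron checks the owner and mode of its spool files and is not told about
# direct edits. The existing table (if any) is kept; the error printed when
# the user has no crontab yet is deliberately discarded.
# ${HOME} stays literal on purpose: it is expanded when the job runs.
{
  crontab -u _netbsd -l 2>/dev/null
  echo '0 1 * * * cd ${HOME}/htdocs && cvs up -dP'
} | crontab -u _netbsd -
# a git entry only makes sense if htdocs is a git clone; with the CVS
# checkout above it would fail every night
# echo '0 1 * * * git -C ${HOME}/htdocs pull -f'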
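# configure nginx (clear text)
# File name corrected from "netbsdbsd.my.domain.conf" so it matches the
# server name and the companion .ssl.conf file.
# The heredoc delimiter is quoted: with a bare EOF the shell expands $host and
# the URI variable to empty strings and nginx receives "return 301 https://;".
# $request_uri is used instead of $uri because $uri is the decoded, normalized
# path; reflecting it into a Location header lets encoded CR/LF in a request
# end up in the response headers.
# "location /" replaces the catch-all regex: regex locations are tried before
# plain prefix locations, so "~ .*" could also redirect the ACME challenge
# requests. acme.conf is not shown here - NOTE(review): confirm its challenge
# location still takes precedence.
# listen [::]:80 is added because an AAAA record is published for this name.
cat > /etc/nginx/conf.d/netbsd.my.domain.conf << 'EOF'
server {
    listen *:80;
    listen [::]:80;
    server_name netbsd.my.domain;
    include /etc/nginx/default/acme.conf;
    location / {
        return 301 https://$host$request_uri;
    }
}
EOF
# check the configuration, then reload nginx
# ("nginx reload" is not a valid invocation; nginx must already be running)
nginx -t && rcctl reload nginx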
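# configure acme
# netbsd.my.domain gets its own domain block, key and certificate. Appending
# a second "domain my.domain" block, as the OpenBSD section already does,
# defines the same domain twice with the same key and certificate paths.
# Alternative: add netbsd.my.domain to the "alternative names" list of the
# existing my.domain block, re-issue that certificate and keep the my.domain
# paths in the nginx configuration below.
cat >> /etc/acme-client.conf << 'EOF'
domain netbsd.my.domain {
    domain key "/etc/ssl/private/netbsd.my.domain.key"
    domain certificate "/etc/ssl/netbsd.my.domain.crt"
    domain full chain certificate "/etc/ssl/netbsd.my.domain.fullchain.pem"
    sign with letsencrypt
}
EOF
# get certificates
acme-client netbsd.my.domain
# create nginx ssl configuration
# listen [::]:443 is added because an AAAA record is published for this name;
# "listen *:443" alone only accepts IPv4 connections.
# autoindex exposes every file under the root, including the CVS metadata
# directories of the checkout. NOTE(review): harmless for a public
# repository, but confirm security.conf (not shown) or an extra location
# hides them if you do not want them served.
cat > /etc/nginx/conf.d/netbsd.my.domain.ssl.conf << 'EOF'
server {
    listen *:443 ssl;
    listen [::]:443 ssl;
    server_name netbsd.my.domain;
    root /var/www/netbsd;
    ssl_certificate /etc/ssl/netbsd.my.domain.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/netbsd.my.domain.key;
    include /etc/nginx/default/security.conf;
    location / {
        autoindex on;
    }
}
EOF
# check the configuration, then reload nginx
# ("nginx reload" is not a valid invocation; nginx must already be running)
nginx -t && rcctl reload nginx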
# configure your domain with your own IP: one A and one AAAA record for the
# "netbsd" host are appended to the zone file
# don't forget to modify the serial
printf '%s\n' \
  'netbsd IN A 77.89.73.80' \
  'netbsd IN AAAA 4348:414e:4745:4d45:4e4f::1' \
  >> /var/nsd/zones/master/domain/my.zone
# reload nsd zone
nsd-control reload my.domain
# enjoy
lynx https://netbsd.my.domain