{"id":13538783,"url":"https://github.com/vedetta-com/vedetta","last_synced_at":"2025-04-09T16:21:08.736Z","repository":{"id":215851181,"uuid":"94138693","full_name":"vedetta-com/vedetta","owner":"vedetta-com","description":"OpenBSD Router Boilerplate","archived":false,"fork":false,"pushed_at":"2019-07-29T14:30:42.000Z","size":934,"stargazers_count":297,"open_issues_count":2,"forks_count":31,"subscribers_count":29,"default_branch":"master","last_synced_at":"2025-04-09T16:20:50.875Z","etag":null,"topics":["boilerplate","dns-server","firewall","gateway","http-server","ipv4","ipv6","openbsd","relay-server","router","sdn","software-defined-network","vpn"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vedetta-com.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-06-12T20:43:58.000Z","updated_at":"2025-03-03T03:00:12.000Z","dependencies_parsed_at":"2024-01-17T22:13:53.400Z","dependency_job_id":"10c20f9b-c8e0-4a14-8ce9-c275a5d4a5a1","html_url":"https://github.com/vedetta-com/vedetta","commit_stats":null,"previous_names":["vedetta-com/vedetta"],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vedetta-com%2Fvedetta","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vedetta-com%2Fvedetta/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vedetta-com%2Fvedetta/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vedetta-com%2Fvedetta/manifests","owner_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vedetta-com","download_url":"https://codeload.github.com/vedetta-com/vedetta/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248065287,"owners_count":21041872,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["boilerplate","dns-server","firewall","gateway","http-server","ipv4","ipv6","openbsd","relay-server","router","sdn","software-defined-network","vpn"],"created_at":"2024-08-01T09:01:15.960Z","updated_at":"2025-04-09T16:21:08.701Z","avatar_url":"https://github.com/vedetta-com.png","language":"Shell","funding_links":[],"categories":["Shell","Tools","Non-official OpenBSD websites","OpenBSD Provisioning"],"sub_categories":["Newly added","Related projects","Interviews with OpenBSD developers"],"readme":"# vedetta (alpha)\n*Open*BSD Router Boilerplate\n\n![Vedetta Logo](https://avatars2.githubusercontent.com/u/29383850)\n## About\n\u003e an opinionated, best practice, vanilla OpenBSD base configuration for bare-metal, or cloud routers\n\nWhat would an OpenBSD router configured using examples from the OpenBSD FAQ and Manual pages look like?\n\n## Features\nShare what you've got, keep what you need:\n* [acme-client](https://man.openbsd.org/acme-client) - Automatic Certificate Management Environment (ACME) client\n  - *Configure:*\n    - [`etc/acme`](src/etc/acme)\n    - [`etc/acme-client.conf`](src/etc/acme-client.conf)\n    - 
[`etc/httpd.conf`](src/etc/httpd.conf)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - [`etc/relayd.conf`](src/etc/relayd.conf)\n    - [`etc/ssl/acme`](src/etc/ssl/acme)\n    - [`var/cron/tabs/root`](src/var/cron/tabs/root)\n    - `var/www/acme`\n    - [`var/www/htdocs/freedns.afraid.org`](src/var/www/htdocs/freedns.afraid.org)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`acme-client`](https://man.openbsd.org/acme-client)` -vAD freedns.afraid.org`\n    - [`ocspcheck`](https://man.openbsd.org/ocspcheck)` -vNo /etc/ssl/acme/freedns.afraid.org.ocsp.resp.der /etc/ssl/acme/freedns.afraid.org.fullchain.pem`\n* [authpf](https://man.openbsd.org/authpf) - authenticating gateway user shell\n  - *Configure:*\n    - [`etc/authpf`](src/etc/authpf)\n    - [`etc/login.conf`](src/etc/login.conf)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - [`etc/ssh/sshd_config`](src/etc/ssh/sshd_config)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` reload sshd`\n    - [`ssh`](https://man.openbsd.org/ssh)` pauth@freedns.afraid.org`\n* [autoinstall](https://man.openbsd.org/autoinstall) - unattended OpenBSD installation and upgrade ([pxeboot](https://man.openbsd.org/pxeboot) and [mirror](https://www.openbsd.org/ftp.html) example)\n  - *Configure:*\n    - [`etc/dhcpd.conf`](src/etc/dhcpd.conf)\n    - [`etc/httpd.conf`](src/etc/httpd.conf)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - [`tftpboot`](src/tftpboot)\n    - [`var/www/htdocs/boot.vedetta.lan`](src/var/www/htdocs/boot.vedetta.lan)\n    - `mount host:/path/name /var/www/pub`\n  - *Usage:*\n    - `mkdir -p /tftpboot/etc`\n    - `cd /tftpboot \u0026\u0026 ftp https://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd`\n    - `cp /usr/mdec/pxeboot /tftpboot/`\n    - `chmod -R 555 /tftpboot`\n    - `cd /tftpboot \u0026\u0026 ln -s pxeboot auto_install`\n    - `echo \"boot bsd.rd\" \u003e /tftpboot/etc/boot.conf 
\u0026\u0026 chmod 444 /tftpboot/etc/boot.conf`\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` set tftpd flags -l boot.vedetta.lan -v /tftpboot`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` set tftpproxy flags -v`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` restart dhcpd httpd`[`tftpd`](https://man.openbsd.org/tftpd) [`tftpproxy`](https://man.openbsd.org/tftp-proxy)\n* [dhclient](https://man.openbsd.org/dhclient) - Dynamic Host Configuration Protocol (DHCP) client\n  - *Configure:*\n    - [`etc/dhclient.conf`](src/etc/dhclient.conf)\n    - [`etc/hostname.em0`](src/etc/hostname.em0)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`sh`](https://man.openbsd.org/sh)` /etc/netstart em0` *or*\n    - [`dhclient`](https://man.openbsd.org/dhclient)` em0`\n* [dhcpd](https://man.openbsd.org/dhcpd) - Dynamic Host Configuration Protocol (DHCP) server\n  - *Configure:*\n    - [`etc/dhcpd.conf`](src/etc/dhcpd.conf)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` set dhcpd flags athn0 em1 em2`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start dhcpd`\n* (optional) [wide-dhcpv6](https://github.com/openbsd/ports/tree/master/net/wide-dhcpv6) - client and server for the WIDE DHCPv6 protocol\n  - *Configure:*\n    - [`etc/dhcp6s.conf`](src/etc/dhcp6s.conf)\n    - `etc/dhcp6c.conf`\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - [`etc/rc.d/dhcp6c`](src/etc/rc.d/dhcp6c)\n    - [`etc/rc.d/dhcp6s`](src/etc/rc.d/dhcp6s)\n    - [`etc/rad.conf`](src/etc/rad.conf)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` set dhcp6s flags -c /etc/dhcp6s.conf -dD -k /etc/dhcp6sctlkey em1`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start 
dhcp6s`\n* [ftp-proxy](https://man.openbsd.org/ftp-proxy) - Internet File Transfer Protocol proxy daemon\n  - *Configure:*\n    - [`etc/pf.conf`](src/etc/pf.conf)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` set ftp-proxy flags -b 10.10.10.10 -T FTP_PROXY`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` set ftp-proxy6 flags -b fd80:1fe9:fcee:1337::ace:face -T FTP_PROXY6`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start ftp-proxy ftp-proxy6`\n* [hostname.if](https://man.openbsd.org/hostname.if) - interface-specific configuration files with Dual IP stack implementation\n  - *Configure:*\n    - [`etc/hostname.athn0`](src/etc/hostname.athn0)\n    - [`etc/hostname.em0`](src/etc/hostname.em0)\n    - [`etc/hostname.em1`](src/etc/hostname.em1)\n    - [`etc/hostname.em2`](src/etc/hostname.em2)\n    - [`etc/hostname.enc1`](src/etc/hostname.enc1)\n    - [`etc/hostname.gif0`](src/etc/hostname.gif0)\n    - [`etc/hostname.switch0`](src/etc/hostname.switch0)\n    - [`etc/hostname.tun0`](src/etc/hostname.tun0)\n    - [`etc/hostname.vether0`](src/etc/hostname.vether0)\n    - [`etc/hostname.vlan5`](src/etc/hostname.vlan5)\n    - [`etc/hostname.vlan7`](src/etc/hostname.vlan7)\n  - *Usage:*\n    - `sh /etc/netstart`\n* [hotplugd](https://man.openbsd.org/hotplugd) - devices hot plugging monitor daemon\n  - *Configure:*\n    - [`etc/hotplug/attach`](src/etc/hotplug/attach)\n    - `etc/hotplug/detach`\n    - `chmod 750 /etc/hotplug/{attach,detach}`\n  - *Usage:*\n    - [`rcctl`](https://man.openbsd.org/rcctl)` enable hotplugd`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start hotplugd`\n* [httpd](https://man.openbsd.org/httpd) - HTTP daemon as primary, fallback, and [autoinstall](https://man.openbsd.org/autoinstall)\n  - *Configure:*\n    - [`etc/httpd.conf`](src/etc/httpd.conf)\n    - [`etc/newsyslog.conf`](src/etc/newsyslog.conf)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - 
[`etc/ssl/acme/freedns.afraid.org.fullchain.pem`](src/etc/ssl/acme/freedns.afraid.org.fullchain.pem)\n    - [`etc/ssl/acme/freedns.afraid.org.ocsp.resp.der`](src/etc/ssl/acme/freedns.afraid.org.ocsp.resp.der)\n    - [`etc/ssl/acme/private/freedns.afraid.org.key`](src/etc/ssl/acme/private/freedns.afraid.org.key)\n    - [`var/www/htdocs`](src/var/www/htdocs)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` reload syslogd`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` enable httpd`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start httpd`\n* [ifstated](https://man.openbsd.org/ifstated) - Interface State daemon to reconnect, update IP, and log\n  - *Configure:*\n    - [`etc/ifstated.conf`](src/etc/ifstated.conf)\n  - *Usage:*\n    - [`rcctl`](https://man.openbsd.org/rcctl)` enable ifstated`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start ifstated`\n* IKEv2 VPN (IPv4 and IPv6)\n  - *Configure:*\n    - `etc/iked`\n    - [`etc/iked.conf`](src/etc/iked.conf)\n    - [`etc/iked-vedetta.conf`](src/etc/iked-vedetta.conf)\n    - [`etc/ipsec.conf`](src/etc/ipsec.conf)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - `etc/ssl/ikeca.cnf`\n    - `etc/ssl/vedetta`\n  - *Usage:*\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta create`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta install`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate freedns.afraid.org create`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate freedns.afraid.org install`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate mobile.vedetta.lan create`\n    - `cd /etc/iked/export`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate mobile.vedetta.lan export`\n    - `tar -C /etc/iked/export -xzpf mobile.vedetta.lan.tgz`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate 
mobile.vedetta.lan revoke`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta key mobile.vedetta.lan delete`\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` enable ipsec`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` set iked flags -6`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start iked`\n* IKEv1 VPN (IPv4)\n  - *Configure:*\n    - `etc/isakmpd` \n    - [`etc/ipsec.conf`](src/etc/ipsec.conf)\n    - [`etc/ipsec-vedetta.conf`](src/etc/ipsec-vedetta.conf)\n    - [`etc/npppd`](src/etc/npppd)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - `etc/ssl/ikeca.cnf` \n    - `etc/ssl/vedetta` \n  - *Usage:*\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta create`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta install /etc/isakmpd`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate freedns.afraid.org create`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate freedns.afraid.org install /etc/isakmpd`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate mobile.vedetta.lan create`\n    - `cd /etc/isakmpd/export`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate mobile.vedetta.lan export`\n    - `tar -C /etc/isakmpd/export -xzpf mobile.vedetta.lan.tgz`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate mobile.vedetta.lan revoke`\n    - [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta key mobile.vedetta.lan delete`\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` enable ipsec npppd`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` set isakmpd flags -K`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start npppd isakmpd`\n    - [`ipsecctl`](https://man.openbsd.org/ipsecctl)` -d -f /etc/ipsec-vedetta.conf`\n* [nsd](https://man.openbsd.org/nsd) - Name Server Daemon (NSD) as authoritative 
DNS nameserver for LAN\n  - *Configure:*\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - [`var/nsd`](src/var/nsd)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` enable nsd`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start nsd`\n* [ntpd](https://man.openbsd.org/ntpd) - Network Time Protocol daemon\n  - *Configure:*\n    - [`etc/ntpd.conf`](src/etc/ntpd.conf)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` enable ntpd`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start ntpd`\n* [pf](https://man.openbsd.org/pf) - packet filter with IP based adblock\n  - *Configure:*\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - [`usr/local/bin/adhosts.sh`](src/usr/local/bin/adhosts.sh)\n    - [`usr/local/bin/malware.sh`](src/usr/local/bin/malware.sh)\n    - [`var/cron/tabs/root`](src/var/cron/tabs/root)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -vvs queue`\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -s info`\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -s states`\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -vvs rules`\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -v -s rules -R 4`\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -s memory`\n    - `tcpdump -n -e -ttt -r /var/log/pflog`\n    - `tcpdump -neq -ttt -i pflog0`\n* [rebound](https://man.openbsd.org/rebound) - DNS proxy\n  - *Configure:*\n    - [`etc/dhclient.conf`](src/etc/dhclient.conf)\n    - [`etc/resolv.conf`](src/etc/resolv.conf)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - `dig ipv6.google.com aaaa`\n* [relayd](https://man.openbsd.org/relayd) - relay daemon for loadbalancing, SSL/TLS acceleration, DNS-sanitizing, SSH gateway, 
transparent HTTP proxy, and TLS inspection ([MITM](https://github.com/vedetta-com/vedetta/issues/82#issuecomment-363907251))\n  - *Configure:*\n    - [`etc/acme-client.conf`](src/etc/acme-client.conf)\n    - [`etc/httpd.conf`](src/etc/httpd.conf)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - [`etc/relayd.conf`](src/etc/relayd.conf)\n    - [`usr/local/bin/get-pin.sh`](src/usr/local/bin/get-pin.sh)\n    - `cd `[`/etc/ssl`](src/etc/ssl)\n    - `ln -s acme/freedns.afraid.org.fullchain.pem 10.10.10.11:443.crt`\n    - `ln -s acme/freedns.afraid.org.fullchain.pem fd80:1fe9:fcee:1337::ace:babe:443.crt`\n    - `cd `[`/etc/ssl/private`](src/etc/ssl/private)\n    - `ln -s ../acme/private/freedns.afraid.org.key 10.10.10.11:443.key`\n    - `ln -s ../acme/private/freedns.afraid.org.key fd80:1fe9:fcee:1337::ace:babe:443.key`\n    - `mkdir -p /etc/ssl/relayd/private`\n    - `openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/relayd/private/ca.key -out /etc/ssl/relayd/ca.crt`\n    - `echo 'subjectAltName=DNS:relay.vedetta.lan' \u003e /etc/ssl/relayd/server.ext`\n    - `openssl genrsa -out /etc/ssl/relayd/private/relay.vedetta.lan.key 2048`\n    - `openssl req -new -key /etc/ssl/relayd/private/relay.vedetta.lan.key -out /etc/ssl/relayd/private/relay.vedetta.lan.csr -nodes`\n    - `openssl x509 -sha256 -req -days 365 -in /etc/ssl/relayd/private/relay.vedetta.lan.csr -CA /etc/ssl/relayd/ca.crt -CAkey /etc/ssl/relayd/private/ca.key -CAcreateserial -extfile /etc/ssl/relayd/server.ext -out /etc/ssl/relayd/relay.vedetta.lan.crt`\n    - `cd /etc/ssl`\n    - `ln -s relayd/relay.vedetta.lan.crt 127.0.0.1.crt`\n    - `ln -s relayd/relay.vedetta.lan.crt ::1.crt`\n    - `cd /etc/ssl/private`\n    - `ln -s ../relayd/private/relay.vedetta.lan.key 127.0.0.1.key`\n    - `ln -s ../relayd/private/relay.vedetta.lan.key ::1.key`\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` enable relayd`\n    - 
[`rcctl`](https://man.openbsd.org/rcctl)` start relayd`\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -T add -t httpfilter $ip`\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -T add -t tlsinspect $ip`\n* [rad](https://man.openbsd.org/rad) - router advertisement daemon\n  - *Configure:*\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - [`etc/rad.conf`](src/etc/rad.conf)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` enable rad`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start rad`\n* [sensorsd](https://man.openbsd.org/sensorsd) - hardware sensors monitor\n  - *Configure:*\n    - [`etc/sensorsd.conf`](src/etc/sensorsd.conf)\n  - *Usage:*\n    - [`rcctl`](https://man.openbsd.org/rcctl)` enable sensorsd`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start sensorsd`\n* [slaacd](https://man.openbsd.org/slaacd) - a stateless address autoconfiguration daemon\n  - *Configure:*\n    - [`ifconfig`](https://man.openbsd.org/ifconfig)` em0 inet6 autoconf`\n  - *Usage:*\n    - [`slaacctl`](https://man.openbsd.org/slaacctl)` show interface em0`\n* [smtpd](https://man.openbsd.org/smtpd) - Simple Mail Transfer Protocol daemon, see [Caesonia](https://github.com/vedetta-com/caesonia/)\n  - *Configure:*\n    - [`etc/mail/aliases`](src/etc/mail/aliases)\n    - [`etc/mail/smtpd.conf`](src/etc/mail/smtpd.conf)\n    - `touch `[`/etc/mail/secrets`](src/etc/mail/secrets)\n    - `chmod 640 /etc/mail/secrets`\n    - `chown root:_smtpd /etc/mail/secrets`\n    - `echo \"puffy puffy@example.com:password\" \u003e /etc/mail/secrets`\n  - *Usage:*\n    - [`rcctl`](https://man.openbsd.org/rcctl)` restart smtpd`\n* [sshd](https://man.openbsd.org/sshd) - OpenSSH SSH daemon with internal-sftp\n  - *Configure:*\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - [`etc/ssh`](src/etc/ssh)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` 
start sshd`\n* [switchd](https://man.openbsd.org/switchd) - software-defined networking (SDN) flow controller (OpenFlow)\n  - *Configure:*\n    - [`etc/hostname.switch0`](src/etc/hostname.switch0)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - [`etc/switchd.conf`](src/etc/switchd.conf)\n  - *Usage:*\n    - `sh /etc/netstart switch0`\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` enable switchd`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start switchd`\n    - [`switchctl`](https://man.openbsd.org/switchctl)` connect /dev/switch0`\n* [syslogd](https://man.openbsd.org/syslogd) - log system messages\n  - *Configure:*\n    - [`etc/newsyslog.conf`](src/etc/newsyslog.conf)\n    - [`var/cron/tabs/root`](src/var/cron/tabs/root)\n  - *Usage:*\n    - [`rcctl`](https://man.openbsd.org/rcctl)` reload syslogd`\n* [unbound](https://man.openbsd.org/unbound) - Unbound DNSSEC-validating recursive resolver that queries the root nameservers directly, with caching and DNS based adblock\n  - *Configure:*\n    - [`etc/dhclient.conf`](src/etc/dhclient.conf)\n    - [`etc/resolv.conf`](src/etc/resolv.conf)\n    - [`etc/pf.conf`](src/etc/pf.conf)\n    - [`usr/local/bin/dnsblock.sh`](src/usr/local/bin/dnsblock.sh)\n    - [`var/cron/tabs/root`](src/var/cron/tabs/root)\n    - [`var/unbound`](src/var/unbound)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` enable unbound`\n    - [`rcctl`](https://man.openbsd.org/rcctl)` start unbound`\n\nSysadmin:\n* [crontab](https://man.openbsd.org/crontab) - maintain crontab files for individual users\n  - *Configure:*\n    - [`var/cron`](src/var/cron)\n  - *Usage:*\n    - [`crontab`](https://man.openbsd.org/crontab)` -e`\n* [doas](https://man.openbsd.org/doas) - execute commands as another user\n  - *Configure:*\n    - [`etc/doas.conf`](src/etc/doas.conf)\n  - *Usage:*\n    - [`doas`](https://man.openbsd.org/doas)` tmux`\n* [ftp](https://man.openbsd.org/ftp) - Internet file transfer program\n  - *Configure:*\n    
- [`etc/pf.conf`](src/etc/pf.conf)\n  - *Usage:*\n    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`\n    - [`ftp`](https://man.openbsd.org/ftp)` -o - \"https://www.openbsd.org/donations.html\"`\n* [mail](https://man.openbsd.org/mail) - send and receive mail, for daily reading\n  - *Usage:*\n    - [`mail`](https://man.openbsd.org/mail)\n* [syspatch](https://man.openbsd.org/syspatch) - manage base system binary patches\n  - *Configure:*\n    - `etc/installurl`\n    - [`var/cron/tabs/root`](src/var/cron/tabs/root)\n  - *Usage:*\n    - [`syspatch`](https://man.openbsd.org/syspatch)` -c`\n* [systat](https://man.openbsd.org/systat) - display system statistics\n  - *Usage:*\n    - [`systat`](https://man.openbsd.org/systat)` queues`\n    - [`systat`](https://man.openbsd.org/systat)` pf`\n    - [`systat`](https://man.openbsd.org/systat)` states`\n    - [`systat`](https://man.openbsd.org/systat)` rules`\n* [tmux](https://man.openbsd.org/tmux) - terminal multiplexer\n  - *Configure:*\n    - `~/.tmux.conf`\n  - *Usage:*\n    - [`tmux`](https://man.openbsd.org/tmux)\n\n## Hardware\nOpenBSD likes small form factor, low-power, lots of ECC memory, AES-NI support, open source boot, and the fastest supported network cards. This configuration has been tested on [APU2](https://pcengines.ch/apu2c4.htm).\n\n## Install\nEncryption is the easiest method for media sanitization and disposal. OpenBSD supports [full disk encryption](https://www.openbsd.org/faq/faq14.html#softraidFDE) using a [keydisk](https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk) (e.g. a USB stick).\n\nPartitions are important for [security, stability, and integrity](https://www.openbsd.org/faq/faq4.html#Partitioning). 
A minimum partition layout [example for router](src/var/www/htdocs/boot.vedetta.lan/disklabel.min) that leaves the base system room to upgrade itself, with no packages (a comfortable fit on flash memory cards/drives):\n\n| Filesystem | Mount       | Size    |\n|:---------- |:----------- | -------:|\n| a          | /           |    512M |\n| b          | swap        |   1024M |\n| d          | /var        |    512M |\n| e          | /var/log    |    128M |\n| f          | /tmp        |   1024M |\n| g          | /usr        |   1024M |\n| h          | /usr/local  |     64M |\n| i          | /home       |     16M |\n| *Total*    |             |**4304M**|\n\n## SSL\nIt's best practice to create CAs on a single purpose secure machine, with no network access.\n\nSpecify which certificate authorities (CAs) are allowed to issue certificates for your domain, by adding a [DNS Certification Authority Authorization (CAA)](https://tools.ietf.org/html/rfc6844) Resource Record (RR) to [`var/nsd/zones/master/vedetta.lan.zone`](src/var/nsd/zones/master/vedetta.lan.zone). Public CAs look up CAA in the public DNS, so for the ACME-issued `freedns.afraid.org` certificate the record must also exist in the zone the CA resolves, not only in the LAN zone.\n\nKeep certificate lifetimes short, and revoke a certificate promptly whenever its key is retired or suspected compromised.\n\n## SSH\n\n[SSH host key verification via DNS](http://man.openbsd.org/ssh#VERIFYING_HOST_KEYS) is done by adding Secure Shell (Key) Fingerprint (SSHFP) Resource Records (RR) to [`var/nsd/zones/master/vedetta.lan.zone`](src/var/nsd/zones/master/vedetta.lan.zone); generate them with `ssh-keygen -r vedetta.lan.`  \nVerify: `dig -t SSHFP vedetta.lan`  \nUsage: `ssh -o \"VerifyHostKeyDNS ask\" acolyte.vedetta.lan`  \nWith `ask`, ssh reports whether the presented key matches a DNS record but still asks for confirmation; with `VerifyHostKeyDNS yes` it accepts a matching record on its own only when the answer was DNSSEC-validated, which is why a validating resolver (unbound, above) matters here.\n\nManage keys with [ssh-agent](https://man.openbsd.org/ssh-agent).\n\nDetect tampered key files or man-in-the-middle attacks by comparing the host keys collected with [ssh-keyscan](http://man.openbsd.org/ssh-keyscan) against those recorded in `known_hosts` or published as SSHFP records.\n\nControl access to local users with [principals](https://github.com/vedetta-com/vedetta/blob/master/src/usr/local/share/doc/vedetta/OpenSSH_Principals.md).\n\n## Firewall\nGuests can use the DNS nameserver to access the ad-free web, while authenticated users gain desired permissions. 
It's best to authenticate with authpf only after connecting over the VPN, so the address that authpf opens rules for is the VPN-assigned one. There are three users in this one person scenario: one for wheel, one for sftp, and one for authpf.\n\n## Performance\nConsider using [mount_mfs](https://man.openbsd.org/mount_mfs) in order to reduce wear and tear, as well as to speed up the system. Remember to set the [sticky bit](https://man.openbsd.org/chmod.1#1000) on mfs /tmp, see [etc/fstab](src/etc/fstab).\n\n## Caveats\n* VPN with IKEv2 or IKEv1, not both. *While there are many technologies for VPN, only IKEv2 and IKEv1 are standardized, and considerable effort has gone into testing and securing them*\n* relayd does not support CRL, SNI, nor OCSP (yet)\n* httpd without custom error pages (can be patched)\n* 11n is max WiFi mode, [is this enough?](https://arstechnica.com/information-technology/2017/03/802-eleventy-what-a-deep-dive-into-why-wi-fi-kind-of-sucks/)\n\n## Support\nVia [issues](https://github.com/vedetta-com/vedetta/issues) and [#vedetta:matrix.org](https://riot.im/app/#/room/#vedetta:matrix.org)\n\n## Contribute\nWant to help out? :star: [Fork this repo](https://github.com/vedetta-com/vedetta/fork) :star:\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvedetta-com%2Fvedetta","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvedetta-com%2Fvedetta","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvedetta-com%2Fvedetta/lists"}
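The README's unbound entry describes a DNS-based adblock fed by a cron-driven script (`usr/local/bin/dnsblock.sh`) that turns a downloaded blocklist into resolver configuration. The block below is an added example written for this page, not vedetta's own script: it shows the shape of such a pipeline with the check a practitioner wants, namely that a list fetched from the Internet is untrusted input and every name is validated before it is written into a daemon's configuration. The sample list, the `local-zone ... always_nxdomain` output form and the include path mentioned in the comments are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not vedetta's own dnsblock.sh/adhosts.sh: turn a
# hosts-format blocklist into unbound(8) local-zone entries. The list is
# fetched from the Internet and written into a daemon's configuration,
# so every name is validated before it is emitted; a line crafted by the
# list author (or by whoever tampered with the download) to look like
# unbound configuration must not get through.

# Constructed sample list (not a real blocklist). It carries comments,
# localhost noise, a duplicate, a mixed-case name, an inline comment and
# two hostile lines that try to smuggle configuration into unbound.conf.
SAMPLE_LIST='# sample adhosts list
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.net
0.0.0.0 ads.example.com
0.0.0.0 evil.example.org" always_nxdomain
local-zone: "injected.example" redirect
0.0.0.0 -bad-.example
0.0.0.0 cdn.example.com   # inline comment
'

# Read hosts lines on stdin; print each valid name once, lowercased.
# Accepted: a sinkhole address in field 1, then a name made only of
# [a-z0-9.-] with two or more labels, each 1..63 chars, no leading or
# trailing hyphen, total length <= 253. Everything else is dropped.
hosts_to_domains() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }
        $1 !~ /^(0\.0\.0\.0|127\.0\.0\.1|::1|::)$/ { next }
        {
            d = tolower($2)
            if (d == "localhost" || d == "localhost.localdomain") next
            if (length(d) > 253 || d !~ /^[a-z0-9.-]+$/) next
            n = split(d, lab, ".")
            if (n < 2) next
            ok = 1
            for (i = 1; i <= n; i++) {
                l = lab[i]
                if (length(l) < 1 || length(l) > 63) ok = 0
                if (l ~ /^-/ || l ~ /-$/) ok = 0
            }
            if (ok) print d
        }' | sort -u
}

# Emit one always_nxdomain local-zone per name, ready for an
# "include:" file under /var/unbound/etc (assumed path).
domains_to_unbound() {
    hosts_to_domains | awk '{ printf "local-zone: \"%s.\" always_nxdomain\n", $1 }'
}

# Demo: feed the constructed list through the pipeline.
printf '%s' "$SAMPLE_LIST" | domains_to_unbound
```

Run against the sample, the pipeline keeps `ads.example.com`, `cdn.example.com` and `tracker.example.net` and drops both injection attempts. Before reloading the resolver, run `unbound-checkconf` on the result; a generated file that fails to parse should never replace the one in service.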
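The SSH section of the README publishes SSHFP records with `ssh-keygen -r` and suggests `ssh-keyscan` for spotting tampered keys or a man in the middle. The following is an added example written for this page, not code from the vedetta repository: it builds the SSHFP record by hand from a public key line (so the reader sees exactly what the record contains) and compares it with a record as `dig` would print it. The sample key is a placeholder blob, not real key material; the helper fallbacks for OpenBSD (`openssl base64`, `sha256 -q`) and the host names are assumptions.

```sh
#!/bin/sh
# Added example, not from the vedetta repository: build the SSHFP record
# that `ssh-keygen -r` publishes for a host key, by hand, and compare it
# with a record fetched from DNS. A mismatch between the key a host
# presents (e.g. collected with ssh-keyscan) and the published record
# points at a tampered key file or a man in the middle.
# Assumes base64(1) and sha256sum(1) from coreutils; on OpenBSD, where
# they are absent, the helpers fall back to openssl(1) and sha256(1).

b64_decode() {
    if command -v base64 >/dev/null 2>&1; then base64 -d; else openssl base64 -d; fi
}
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | awk '{ print $1 }'
    else sha256 -q; fi
}

# Constructed sample key line (known_hosts/authorized_keys format). The
# blob is just base64 of the text "not a real key": the record layout,
# not the key material, is what this example demonstrates.
SAMPLE_PUBKEY='ssh-ed25519 bm90IGEgcmVhbCBrZXk= root@vedetta'

# SSHFP algorithm numbers: RSA 1, DSA 2 (RFC 4255), ECDSA 3 (RFC 6594),
# Ed25519 4 (RFC 7479). Fingerprint type 2 is SHA-256.
sshfp_algo() {
    case $1 in
        ssh-rsa) echo 1 ;;
        ssh-dss) echo 2 ;;
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) echo 3 ;;
        ssh-ed25519) echo 4 ;;
        *) return 1 ;;
    esac
}

# sshfp_rr HOST "KEYTYPE BASE64 [COMMENT]" -> "HOST IN SSHFP ALGO 2 HEX"
# The fingerprint is SHA-256 over the decoded key blob, as in RFC 4255;
# lowercase hex matches what ssh-keygen -r prints.
sshfp_rr() {
    host=$1
    set -- $2
    algo=$(sshfp_algo "$1") || return 1
    fp=$(printf '%s' "$2" | b64_decode | sha256_hex | awk '{ print tolower($1) }')
    printf '%s IN SSHFP %s 2 %s\n' "$host" "$algo" "$fp"
}

# sshfp_matches HOST KEYLINE "record as printed by dig" -> exit 0 on match
# Only the last three fields (algorithm, fingerprint type, fingerprint)
# are compared, so TTL, class and hex case differences do not matter.
sshfp_matches() {
    want=$(sshfp_rr "$1" "$2" | awk '{ print $(NF-2), $(NF-1), tolower($NF) }')
    got=$(printf '%s\n' "$3" | awk '{ print $(NF-2), $(NF-1), tolower($NF) }')
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Demo: print the record to paste into the nsd(8) zone.
sshfp_rr vedetta.lan. "$SAMPLE_PUBKEY"
```

In practice the key line handed to `sshfp_rr` comes from `ssh-keyscan -t ed25519 host` and the record from `dig -t SSHFP host`; agreement proves nothing unless the DNS answer was DNSSEC-validated, which is the same condition under which ssh itself will trust the record.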