| author | Paul Buetow <paul@buetow.org> | 2026-01-19 15:36:27 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-01-19 15:36:27 +0200 |
| commit | 55229ad06ed229c859082bb34085f277af7d8bea (patch) | |
| tree | 4c530ca0bc8ff53cd3cdf3259a7c1a21814fdd3f /frontends | |
| parent | 8d55f785e6df35381a971adcc6ee5f8518eaac22 (diff) | |
| parent | 4d87a596c3188f07732a26a1cc4abb875289b969 (diff) | |
Merge branch 'master' of codeberg.org:snonux/conf
Diffstat (limited to 'frontends')
| -rw-r--r-- | frontends/AGENTS.md | 71 | ||||
| -rw-r--r-- | frontends/Rexfile | 50 | ||||
| -rw-r--r-- | frontends/etc/acme-client.conf.tpl | 18 | ||||
| -rw-r--r-- | frontends/etc/gogios.json.tpl | 21 | ||||
| -rw-r--r-- | frontends/etc/hosts.wg.append | 22 | ||||
| -rw-r--r-- | frontends/etc/httpd.conf.tpl | 3 | ||||
| -rw-r--r-- | frontends/etc/login.conf.d/daemon | 4 | ||||
| -rw-r--r-- | frontends/etc/mail/reject-domains | 0 | ||||
| -rw-r--r-- | frontends/etc/mail/reject-recipients | 0 | ||||
| -rw-r--r-- | frontends/etc/mail/reject-senders | 0 | ||||
| -rw-r--r-- | frontends/etc/mail/smtpd.conf.tpl | 11 |
11 files changed, 191 insertions, 9 deletions
diff --git a/frontends/AGENTS.md b/frontends/AGENTS.md
index d989eca..2f1c295 100644
--- a/frontends/AGENTS.md
+++ b/frontends/AGENTS.md
@@ -251,3 +251,74 @@ After deploying:
 ssh rex@server "doas rcctl check httpd"
 ssh rex@server "doas rcctl check relayd"
 ```
+<<<<<<< HEAD
+||||||| 7b4d629
+=======
+
+## Relayd TLS Certificate Loading with Many Keypairs
+
+### File Descriptor Limits - SOLUTION CONFIRMED
+
+When relayd loads many TLS certificates (67+ keypairs in this deployment), it requires increased file descriptor limits beyond the default daemon class limits of 1024.
+
+**Root cause**: The default OpenBSD daemon login class has:
+```
+:openfiles-max=1024:
+:openfiles-cur=1024:
+```
+
+This limits relayd to 1024 open files, causing SNI matching to fail silently for certificates beyond a certain threshold.
+
+**Solution**: Increase the daemon login class limits in `/etc/login.conf`:
+
+```bash
+# Modify /etc/login.conf
+# Change from:
+daemon:\
+ :ignorenologin:\
+ :datasize=4096M:\
+ :maxproc=infinity:\
+ :openfiles-max=1024:
+ :openfiles-cur=1024:
+
+# Change to:
+daemon:\
+ :ignorenologin:\
+ :datasize=4096M:\
+ :maxproc=infinity:\
+ :openfiles-max=4096:
+ :openfiles-cur=4096:
+```
+
+After modifying `/etc/login.conf`, rebuild the login.conf database:
+```bash
+doas rm /etc/login.conf.db
+doas cap_mkdb /etc/login.conf
+doas rcctl restart relayd
+```
+
+**Verification**: Check that relayd has the increased limit:
+```bash
+doas relayd -dvv 2>&1 | grep "socket_rlimit" | head -1
+# Should show: socket_rlimit: max open files 4096
+```
+
+### SNI Matching Issues with Multiple Certificates
+
+**Issue resolved**: With the file descriptor limit increased to 4096, relayd now properly loads and matches all 67 TLS keypairs via SNI.
+
+**What was happening before the fix**:
+- Relayd hit the 1024 file descriptor limit while loading certificates
+- SNI matching failed for certificates beyond the threshold
+- Relayd defaulted to serving the first certificate in the list (`foo.zone`)
+- Accessing `gogios.buetow.org` would return the `foo.zone` certificate
+
+**After increasing limits**:
+- All 67 certificates load successfully
+- SNI matching works correctly for all domains
+- `gogios.buetow.org` now correctly serves the `gogios.buetow.org` certificate
+
+**References**:
+- IRCNow wiki: "TLS Acceleration with relayd" - documents file descriptor requirements
+- Stack Exchange: "OpenBSD, relayd and acme-client" (Nov 2022)
+>>>>>>> 529caf525d3c8594bcf0208697629827113dc1fc
diff --git a/frontends/Rexfile b/frontends/Rexfile
index 5194265..f9bf79f 100644
--- a/frontends/Rexfile
+++ b/frontends/Rexfile
@@ -85,6 +85,25 @@ our @f3s_hosts =
 our @acme_hosts = qw/foo.zone dtail.dev buetow.org git.buetow.org paul.buetow.org joern.buetow.org dory.buetow.org ecat.buetow.org blog.buetow.org znc.buetow.org stats.foo.zone irregular.ninja alt.irregular.ninja snonux.foo gogios.buetow.org blowfish.buetow.org fishfinger.buetow.org/;
 push @acme_hosts, @f3s_hosts;
+<<<<<<< HEAD
+||||||| 7b4d629
+our @dns_zones = qw/buetow.org dtail.dev foo.zone irregular.ninja snonux.foo/;
+our @dns_zones_remove = qw/paul.cyou/;
+our @acme_hosts = qw/buetow.org git.buetow.org paul.buetow.org dory.buetow.org solarcat.buetow.org fotos.buetow.org znc.buetow.org dtail.dev foo.zone irregular.ninja alt.irregular.ninja snonux.foo/;
+=======
+
+# WireGuard IP addresses for ping checks
+our %wg0_ips = (
+ 'blowfish' => { '4' => '192.168.2.110', '6' => 'fd42:beef:cafe:2::110' },
+ 'fishfinger' => { '4' => '192.168.2.111', '6' => 'fd42:beef:cafe:2::111' },
+ 'f0' => { '4' => '192.168.2.130', '6' => 'fd42:beef:cafe:2::130' },
+ 'f1' => { '4' => '192.168.2.131', '6' => 'fd42:beef:cafe:2::131' },
+ 'f2' => { '4' => '192.168.2.132', '6' => 'fd42:beef:cafe:2::132' },
+ 'r0' => { '4' => '192.168.2.120', '6' => 'fd42:beef:cafe:2::120' },
+ 'r1' => { '4' => '192.168.2.121', '6' => 'fd42:beef:cafe:2::121' },
+ 'r2' => { '4' => '192.168.2.122', '6' => 'fd42:beef:cafe:2::122' },
+);
+>>>>>>> 529caf525d3c8594bcf0208697629827113dc1fc
 # UTILITY TASKS
@@ -290,6 +309,16 @@ task 'relayd', sub {
 append_if_no_such_line '/etc/rc.conf.local', 'relayd_flags=';
+ # Increase daemon login class file descriptor limits for relayd with many TLS certs
+ file '/etc/login.conf.d/daemon',
+ source => './etc/login.conf.d/daemon',
+ owner => 'root',
+ group => 'wheel',
+ mode => '644',
+ on_change => sub {
+ run 'doas rm -f /etc/login.conf.db && doas cap_mkdb /etc/login.conf';
+ };
+
 file '/etc/relayd.conf',
 content => template(
 './etc/relayd.conf.tpl',
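Review bot: The added `+<<<<<<< HEAD`, `+||||||| 7b4d629`, `+=======` and `+>>>>>>> 529caf525d…` lines are unresolved diff3 conflict markers committed into the Rexfile, and `<<<<<<< HEAD` is a Perl syntax error at file scope, so none of the tasks in this file will load until the conflict is resolved. The `|||||||` (base) side only holds the old `@dns_zones`/`@acme_hosts` assignments that HEAD already replaced, so the resolution is presumably to keep only the `%wg0_ips` hash and delete the four marker lines plus the base block; the `gogios` task hunk further down in this file carries the same markers. `%wg0_ips` itself duplicates the address plan in the new frontends/etc/hosts.wg.append, so a comment such as `# Keep in sync with etc/hosts.wg.append` above the hash would help the two not drift.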
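Review bot: The `on_change` handler rebuilds /etc/login.conf.db from /etc/login.conf only, but the new limit is written to /etc/login.conf.d/daemon, which `cap_mkdb /etc/login.conf` never reads, and login.conf(5) describes login.conf.d as consulted only for classes not found in login.conf — the base file already defines `daemon` (the AGENTS.md hunk in this commit quotes it), so as far as I can tell this override is never applied. AGENTS.md documents the fix as editing the `daemon` class in /etc/login.conf directly, which is what the Rexfile should also do (manage /etc/login.conf from a template, or rewrite the two `openfiles-*` values in place) instead of shipping a login.conf.d file. A silently ignored limit brings back the SNI failure this was meant to cure, so the documented check belongs in the task after the rebuild, e.g. `run 'doas relayd -dvv 2>&1 | grep socket_rlimit | head -1';` with its output logged via Rex::Logger::info. The `relayd` task continues outside this hunk.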
@@ -334,6 +363,17 @@ task 'smtpd',
 mode => '644',
 on_change => sub { service 'smtpd' => 'restart' };
+ # Reject lists for blocking unwanted senders/domains/recipients
+ Rex::Logger::info('Dealing with mail reject lists');
+ for my $reject_list (qw/reject-senders reject-domains reject-recipients/) {
+ file "/etc/mail/$reject_list",
+ source => "./etc/mail/$reject_list",
+ owner => 'root',
+ group => 'wheel',
+ mode => '644',
+ on_change => sub { service 'smtpd' => 'restart' };
+ }
+
 Rex::Logger::info('Dealing with smtpd.conf');
 file '/etc/mail/smtpd.conf',
 content => template('./etc/mail/smtpd.conf.tpl'),
@@ -484,7 +524,17 @@ task 'gogios',
 mode => '755';
 file '/etc/gogios.json',
+<<<<<<< HEAD
 content => template( './etc/gogios.json.tpl', acme_hosts => \@acme_hosts ),
+||||||| 7b4d629
+ file '/var/run/gogios',
+ ensure => 'directory',
+ owner => '_gogios',
+ group => '_gogios',
+ mode => '755';
+=======
+ content => template( './etc/gogios.json.tpl', acme_hosts => \@acme_hosts, wg0_ips => \%wg0_ips ),
+>>>>>>> 529caf525d3c8594bcf0208697629827113dc1fc
 owner => 'root',
 group => 'wheel',
 mode => '744';
diff --git a/frontends/etc/acme-client.conf.tpl b/frontends/etc/acme-client.conf.tpl
index 6d0e2df..32ae9fb 100644
--- a/frontends/etc/acme-client.conf.tpl
+++ b/frontends/etc/acme-client.conf.tpl
@@ -23,7 +23,18 @@ authority buypass-test {
 contact "mailto:me@example.com"
 }
+<<<<<<< HEAD
 <% for my $host (@$acme_hosts) { -%>
+||||||| 7b4d629
+<% for my $host (@$acme_hosts) { -%>
+<% for my $prefix ('', 'www.', 'standby.') { -%>
+domain <%= $prefix.$host %> {
+ domain key "/etc/ssl/private/<%= $prefix.$host %>.key"
+ domain full chain certificate "/etc/ssl/<%= $prefix.$host %>.fullchain.pem"
+=======
+<% for my $host (@$acme_hosts) {
+ next if $host eq 'blowfish.buetow.org' or $host eq 'fishfinger.buetow.org'; -%>
+>>>>>>> 529caf525d3c8594bcf0208697629827113dc1fc
 domain <%= $host %> {
 alternative names { www.<%= $host %> }
 domain key "/etc/ssl/private/<%= $host %>.key"
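Review bot: `on_change => sub { service 'smtpd' => 'restart' }` on each reject list restarts smtpd for what is only a file-table edit, dropping in-flight SMTP sessions; smtpd reloads file tables in place with `smtpctl update table <name>`, and since `$reject_list` is a fresh lexical per iteration the closure can capture it: `on_change => sub { run "doas smtpctl update table $reject_list" };`. That only works once the tables are declared in smtpd.conf (the smtpd.conf.tpl hunk in this commit does so), so keep the restart on the smtpd.conf resource itself. The `smtpd` task starts and ends outside this hunk.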
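Review bot: The `+<<<<<<< HEAD`, `+||||||| 7b4d629`, `+=======` and `+>>>>>>> 529caf525d…` lines sit outside any `<% %>` tag, so the template renders them verbatim into /etc/acme-client.conf (and opens the `for` loop twice), which acme-client will refuse to parse — every certificate for the hosts in `@acme_hosts` then stops renewing until the markers and the base block are removed. The intended new side looks to be only the `next if $host eq 'blowfish.buetow.org' or $host eq 'fishfinger.buetow.org'; -%>` guard, which is fine as written. Since acme-client.conf accepts `#` comments, a rendered note would save the next reader a question: `# blowfish/fishfinger are deliberately skipped here; they obtain their certificates elsewhere` (adjust to the real reason, which this diff does not show). The second hunk of this file also deletes the `$hostname.$domain` domain block while smtpd.conf.tpl still binds `pki "buetow_org_tls" hostname "$hostname.$domain"`, so if that pki used the certificate acme-client issued for the host itself it will now expire — worth confirming against the pki definitions, which are outside this diff.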
@@ -36,10 +47,3 @@ domain standby.<%= $host %> {
 sign with letsencrypt
 }
 <% } -%>
-
-# For the server itself (e.g. TLS, or monitoring)
-domain <%= "$hostname.$domain" %> {
- domain key "/etc/ssl/private/<%= "$hostname.$domain" %>.key"
- domain full chain certificate "/etc/ssl/<%= "$hostname.$domain" %>.fullchain.pem"
- sign with letsencrypt
-}
diff --git a/frontends/etc/gogios.json.tpl b/frontends/etc/gogios.json.tpl
index 49221c5..509b371 100644
--- a/frontends/etc/gogios.json.tpl
+++ b/frontends/etc/gogios.json.tpl
@@ -14,6 +14,7 @@
 "Plugin": "<%= $plugin_dir %>/check_ping",
 "Args": ["-H", "<%= $host %>.buetow.org", "-<%= $proto %>", "-w", "100,10%", "-c", "200,15%"],
 "RandomSpread": 10,
+<<<<<<< HEAD
 "Retries": 3,
 "RetryInterval": 3
 },
@@ -25,11 +26,25 @@
 "Plugin": "<%= $plugin_dir %>/check_ping",
 "Args": ["-H", "<%= $host %>.wg0.wan.buetow.org", "-<%= $proto %>", "-w", "100,10%", "-c", "200,15%"],
 "RandomSpread": 10,
+||||||| 7b4d629
+=======
+>>>>>>> 529caf525d3c8594bcf0208697629827113dc1fc
 "Retries": 3,
 "RetryInterval": 3
 },
 <% } -%>
 <% } -%>
+ <% for my $host (qw(blowfish fishfinger f0 f1 f2 r0 r1 r2)) { -%>
+ <% for my $proto (4, 6) { -%>
+ "Check Ping<%= $proto %> <%= $host %>.wg0.wan.buetow.org": {
+ "Plugin": "<%= $plugin_dir %>/check_ping",
+ "Args": ["-H", "<%= $wg0_ips->{$host}->{$proto} %>", "-<%= $proto %>", "-w", "40,20%", "-c", "80,30%"],
+ "RandomSpread": 10,
+ "Retries": 5,
+ "RetryInterval": 3
+ },
+ <% } -%>
+ <% } -%>
 <% for my $host (qw(fishfinger blowfish)) { -%>
 "Check DTail <%= $host %>.buetow.org": {
 "Plugin": "/usr/local/bin/dtailhealth",
@@ -117,7 +132,13 @@
 "Plugin": "<%= $plugin_dir %>/check_procs",
 "RandomSpread": 10,
 "RunInterval": 300,
+<<<<<<< HEAD
+ "Args": ["-w", "80", "-c", "100"]
+||||||| 7b4d629
 "Args": ["-w", "80", "-c", "100"]
+=======
+ "Args": ["-w", "100", "-c", "150"]
+>>>>>>> 529caf525d3c8594bcf0208697629827113dc1fc
 },
 "Check Disk <%= $hostname %>": {
 "Plugin": "<%= $plugin_dir %>/check_disk",
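Review bot: `+||||||| 7b4d629`, `+=======` and `+>>>>>>> 529caf525d…` (plus `+<<<<<<< HEAD` in the hunk above and the markers in the check_procs hunk below) are written literally into /etc/gogios.json, so the rendered file is not valid JSON and gogios will fail to load its checks — the monitoring that is supposed to catch the relayd/SNI problem goes dark until the conflict is resolved. The new wg0 loop itself is sound, but its keys `"Check Ping<%= $proto %> <%= $host %>.wg0.wan.buetow.org"` have the same shape as those produced by the earlier `.wg0.wan.buetow.org` loop whose host list is outside this hunk; if any host appears in both, the duplicate JSON keys are silently last-wins in most parsers, so the old loop should probably lose those hosts. A short comment above the loop explaining that `-H` takes the raw address from `$wg0_ips` (rather than the name shown in the check title) so the ping still works when name resolution is broken would also help.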
diff --git a/frontends/etc/hosts.wg.append b/frontends/etc/hosts.wg.append
new file mode 100644
index 0000000..f410d66
--- /dev/null
+++ b/frontends/etc/hosts.wg.append
@@ -0,0 +1,22 @@
+# WireGuard mesh IPv4 and IPv6 addresses
+192.168.2.110 blowfish.wg0.wan.buetow.org blowfish.wg0
+192.168.2.111 fishfinger.wg0.wan.buetow.org fishfinger.wg0
+192.168.2.120 r0.wg0.wan.buetow.org r0.wg0
+192.168.2.121 r1.wg0.wan.buetow.org r1.wg0
+192.168.2.122 r2.wg0.wan.buetow.org r2.wg0
+192.168.2.130 f0.wg0.wan.buetow.org f0.wg0
+192.168.2.131 f1.wg0.wan.buetow.org f1.wg0
+192.168.2.132 f2.wg0.wan.buetow.org f2.wg0
+192.168.2.200 earth.wg0.wan.buetow.org earth.wg0
+192.168.2.201 pixel7pro.wg0.wan.buetow.org pixel7pro.wg0
+
+fd42:beef:cafe:2::110 blowfish.wg0.wan.buetow.org blowfish.wg0
+fd42:beef:cafe:2::111 fishfinger.wg0.wan.buetow.org fishfinger.wg0
+fd42:beef:cafe:2::120 r0.wg0.wan.buetow.org r0.wg0
+fd42:beef:cafe:2::121 r1.wg0.wan.buetow.org r1.wg0
+fd42:beef:cafe:2::122 r2.wg0.wan.buetow.org r2.wg0
+fd42:beef:cafe:2::130 f0.wg0.wan.buetow.org f0.wg0
+fd42:beef:cafe:2::131 f1.wg0.wan.buetow.org f1.wg0
+fd42:beef:cafe:2::132 f2.wg0.wan.buetow.org f2.wg0
+fd42:beef:cafe:2::200 earth.wg0.wan.buetow.org earth.wg0
+fd42:beef:cafe:2::201 pixel7pro.wg0.wan.buetow.org pixel7pro.wg0
diff --git a/frontends/etc/httpd.conf.tpl b/frontends/etc/httpd.conf.tpl
index 6f0c51a..6a313ae 100644
--- a/frontends/etc/httpd.conf.tpl
+++ b/frontends/etc/httpd.conf.tpl
@@ -94,13 +94,12 @@ server "<%= $prefix %>paul.buetow.org" {
 }
 <% } -%>
-# Redirect to gitub.dtail.dev
 <% for my $prefix (@prefixes) { -%>
 server "<%= $prefix %>dtail.dev" {
 listen on * port 8080
 log style forwarded
 location * {
- block return 302 "https://github.dtail.dev$REQUEST_URI"
+ block return 302 "https://codeberg.org/snonux/dtail"
 }
 }
 <% } -%>
diff --git a/frontends/etc/login.conf.d/daemon b/frontends/etc/login.conf.d/daemon
new file mode 100644
index 0000000..a995fe9
--- /dev/null
+++ b/frontends/etc/login.conf.d/daemon
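Review bot: The deleted `# Redirect to gitub.dtail.dev` comment was the only explanation of this server block and nothing replaces it; restore one above the loop, e.g. `# dtail.dev: redirect to the dtail repository on Codeberg (request path intentionally dropped)`. Dropping `$REQUEST_URI` is reasonable since Codeberg's URL layout differs from the old GitHub mirror's, but deep links to the old host now land on the repository root — presumably accepted.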
@@ -0,0 +1,4 @@
+daemon:\
+ :openfiles-max=4096:\
+ :openfiles-cur=4096:\
+ :tc=default:
diff --git a/frontends/etc/mail/reject-domains b/frontends/etc/mail/reject-domains
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/frontends/etc/mail/reject-domains
diff --git a/frontends/etc/mail/reject-recipients b/frontends/etc/mail/reject-recipients
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/frontends/etc/mail/reject-recipients
diff --git a/frontends/etc/mail/reject-senders b/frontends/etc/mail/reject-senders
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/frontends/etc/mail/reject-senders
diff --git a/frontends/etc/mail/smtpd.conf.tpl b/frontends/etc/mail/smtpd.conf.tpl
index 7764b34..b43302d 100644
--- a/frontends/etc/mail/smtpd.conf.tpl
+++ b/frontends/etc/mail/smtpd.conf.tpl
@@ -10,6 +10,11 @@ table aliases file:/etc/mail/aliases
 table virtualdomains file:/etc/mail/virtualdomains
 table virtualusers file:/etc/mail/virtualusers
+# Reject lists for blocking unwanted senders/domains/recipients
+table reject-senders file:/etc/mail/reject-senders
+table reject-domains file:/etc/mail/reject-domains
+table reject-recipients file:/etc/mail/reject-recipients
+
 listen on socket
 listen on all tls pki "buetow_org_tls" hostname "<%= "$hostname.$domain" %>"
 #listen on all
@@ -18,6 +23,12 @@ action localmail mbox alias <aliases>
 action receive mbox virtual <virtualusers>
 action outbound relay
+# Reject rules (processed before accept rules)
+# reject-senders: full addresses, reject-domains: patterns like *@domain.com
+match from any mail-from <reject-senders> reject
+match from any mail-from <reject-domains> reject
+match from any for rcpt-to <reject-recipients> reject
+
 match from any for domain <virtualdomains> action receive
 match from local for local action localmail
 match from local for any action outbound
|
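Review bot: This `daemon` class carries only the two `openfiles-*` caps and `tc=default`, whereas the base `daemon` class quoted in AGENTS.md also sets `ignorenologin`, `datasize=4096M` and `maxproc=infinity`; if this file is consulted in place of the base class, every daemon-class service loses those (maxproc in particular), and if it is not consulted — login.conf(5) presents login.conf.d as a fallback for classes absent from login.conf, and `daemon` is present there — the descriptor fix silently never lands. Either add the missing capabilities here (`:ignorenologin:\`, `:datasize=4096M:\`, `:maxproc=infinity:\` before the `openfiles` lines) or change the `daemon` entry in /etc/login.conf as the documentation describes, and verify with `relayd -dvv 2>&1 | grep socket_rlimit` after deploy.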
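Review bot: The comment `# reject-senders: full addresses, reject-domains: patterns like *@domain.com` describes a form that, as far as I can tell, OpenSMTPD's mailaddr table matching does not treat as a wildcard — table(5) documents the any-user form as `@domain.com` (and `user@` for any domain), and a literal `*@domain.com` entry would compare `*` against the real local part and match nothing, leaving the domain reject list a silent no-op. Change the comment to `# reject-domains: domain entries in the form @domain.com (no wildcard needed)` and verify with a test message from a listed domain before relying on it. The placement before the accept rules is correct, and note that `match from any mail-from <reject-senders> reject` also applies to local and authenticated submissions, which looks intended.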
