From 2ef2026ae9c48829bedfba5a5ff961850c1a4b91 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Fri, 16 Jan 2026 23:57:04 +0200
Subject: Add WireGuard mesh hosts file template
Created hosts.wg.append with IPv4 and IPv6 addresses for all 10 WireGuard mesh hosts (blowfish, fishfinger, f0-f2, r0-r2, earth, pixel7pro). This file can be appended to /etc/hosts on mesh participants to enable hostname resolution for WireGuard mesh addresses. Applied to blowfish and fishfinger OpenBSD gateways.
Co-Authored-By: Claude Sonnet 4.5
---
frontends/etc/hosts.wg.append | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 frontends/etc/hosts.wg.append
(limited to 'frontends')
diff --git a/frontends/etc/hosts.wg.append b/frontends/etc/hosts.wg.append
new file mode 100644
index 0000000..f410d66
--- /dev/null
+++ b/frontends/etc/hosts.wg.append
@@ -0,0 +1,22 @@
+# WireGuard mesh IPv4 and IPv6 addresses
+192.168.2.110 blowfish.wg0.wan.buetow.org blowfish.wg0
+192.168.2.111 fishfinger.wg0.wan.buetow.org fishfinger.wg0
+192.168.2.120 r0.wg0.wan.buetow.org r0.wg0
+192.168.2.121 r1.wg0.wan.buetow.org r1.wg0
+192.168.2.122 r2.wg0.wan.buetow.org r2.wg0
+192.168.2.130 f0.wg0.wan.buetow.org f0.wg0
+192.168.2.131 f1.wg0.wan.buetow.org f1.wg0
+192.168.2.132 f2.wg0.wan.buetow.org f2.wg0
+192.168.2.200 earth.wg0.wan.buetow.org earth.wg0
+192.168.2.201 pixel7pro.wg0.wan.buetow.org pixel7pro.wg0
+
+fd42:beef:cafe:2::110 blowfish.wg0.wan.buetow.org blowfish.wg0
+fd42:beef:cafe:2::111 fishfinger.wg0.wan.buetow.org fishfinger.wg0
+fd42:beef:cafe:2::120 r0.wg0.wan.buetow.org r0.wg0
+fd42:beef:cafe:2::121 r1.wg0.wan.buetow.org r1.wg0
+fd42:beef:cafe:2::122 r2.wg0.wan.buetow.org r2.wg0
+fd42:beef:cafe:2::130 f0.wg0.wan.buetow.org f0.wg0
+fd42:beef:cafe:2::131 f1.wg0.wan.buetow.org f1.wg0
+fd42:beef:cafe:2::132 f2.wg0.wan.buetow.org f2.wg0
+fd42:beef:cafe:2::200 earth.wg0.wan.buetow.org earth.wg0
+fd42:beef:cafe:2::201 pixel7pro.wg0.wan.buetow.org pixel7pro.wg0
-- cgit v1.2.3
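Review bot: Nothing in this commit installs the file; the message says it is appended to /etc/hosts by hand on each mesh participant, so a second append duplicates all 22 entries, and because the hosts file normally wins over DNS, a later renumbering of a peer leaves a stale static mapping that silently points the `.wg0` names at the old address. The Rexfile already appends other lines idempotently (the relayd task later on this page uses `append_if_no_such_line` for /etc/rc.conf.local), so a small task that reads this file and calls `append_if_no_such_line '/etc/hosts', $line;` per entry would keep every participant consistent and re-runnable. A header comment such as `# Must match the wg0 peer addresses; keep in sync with the WireGuard configuration` would also tell the next editor where the source of truth is.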
From 56b7be608fdbbc4631b34d12e5c1f390eb69d129 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sat, 17 Jan 2026 17:00:23 +0200
Subject: update
---
frontends/AGENTS.md | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++
frontends/Rexfile | 4 ++++
2 files changed, 71 insertions(+)
(limited to 'frontends')
diff --git a/frontends/AGENTS.md b/frontends/AGENTS.md
index d989eca..1051c18 100644
--- a/frontends/AGENTS.md
+++ b/frontends/AGENTS.md
@@ -251,3 +251,70 @@ After deploying:
 ssh rex@server "doas rcctl check httpd"
 ssh rex@server "doas rcctl check relayd"
 ```
+
+## Relayd TLS Certificate Loading with Many Keypairs
+
+### File Descriptor Limits - SOLUTION CONFIRMED
+
+When relayd loads many TLS certificates (67+ keypairs in this deployment), it requires increased file descriptor limits beyond the default daemon class limits of 1024.
+
+**Root cause**: The default OpenBSD daemon login class has:
+```
+:openfiles-max=1024:
+:openfiles-cur=1024:
+```
+
+This limits relayd to 1024 open files, causing SNI matching to fail silently for certificates beyond a certain threshold.
+
+**Solution**: Increase the daemon login class limits in `/etc/login.conf`:
+
+```bash
+# Modify /etc/login.conf
+# Change from:
+daemon:\
+ :ignorenologin:\
+ :datasize=4096M:\
+ :maxproc=infinity:\
+ :openfiles-max=1024:
+ :openfiles-cur=1024:
+
+# Change to:
+daemon:\
+ :ignorenologin:\
+ :datasize=4096M:\
+ :maxproc=infinity:\
+ :openfiles-max=4096:
+ :openfiles-cur=4096:
+```
+
+After modifying `/etc/login.conf`, rebuild the login.conf database:
+```bash
+doas rm /etc/login.conf.db
+doas cap_mkdb /etc/login.conf
+doas rcctl restart relayd
+```
+
+**Verification**: Check that relayd has the increased limit:
+```bash
+doas relayd -dvv 2>&1 | grep "socket_rlimit" | head -1
+# Should show: socket_rlimit: max open files 4096
+```
+
+### SNI Matching Issues with Multiple Certificates
+
+**Issue resolved**: With the file descriptor limit increased to 4096, relayd now properly loads and matches all 67 TLS keypairs via SNI.
+
+**What was happening before the fix**:
+- Relayd hit the 1024 file descriptor limit while loading certificates
+- SNI matching failed for certificates beyond the threshold
+- Relayd defaulted to serving the first certificate in the list (`foo.zone`)
+- Accessing `gogios.buetow.org` would return the `foo.zone` certificate
+
+**After increasing limits**:
+- All 67 certificates load successfully
+- SNI matching works correctly for all domains
+- `gogios.buetow.org` now correctly serves the `gogios.buetow.org` certificate
+
+**References**:
+- IRCNow wiki: "TLS Acceleration with relayd" - documents file descriptor requirements
+- Stack Exchange: "OpenBSD, relayd and acme-client" (Nov 2022)
diff --git a/frontends/Rexfile b/frontends/Rexfile
index 5194265..53b1036 100644
--- a/frontends/Rexfile
+++ b/frontends/Rexfile
@@ -290,6 +290,10 @@ task 'relayd',
 
 append_if_no_such_line '/etc/rc.conf.local', 'relayd_flags=';
 
+ # Increase daemon login class file descriptor limits for relayd with many TLS certs
+ run 'doas sed -i "s/:openfiles-max=1024:/:openfiles-max=4096:/; s/:openfiles-cur=1024:/:openfiles-cur=4096:/" /etc/login.conf';
+ run 'doas rm -f /etc/login.conf.db && doas cap_mkdb /etc/login.conf';
+
 file '/etc/relayd.conf',
 content => template(
 './etc/relayd.conf.tpl',
-- cgit v1.2.3
From 59ffcfb8820533e8b8ee8fa86a7d50b7e11e23ef Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sat, 17 Jan 2026 17:13:21 +0200
Subject: fix
---
frontends/Rexfile | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'frontends')
diff --git a/frontends/Rexfile b/frontends/Rexfile
index 53b1036..c59bb58 100644
--- a/frontends/Rexfile
+++ b/frontends/Rexfile
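Review bot: Both new `run` calls in the relayd task ignore the command's exit status, so a `sed` that matches nothing (limits already edited, or a login.conf whose daemon entry does not contain the literal 1024 values) or a failing `cap_mkdb` leaves the limit unchanged while the task carries on deploying relayd.conf; the `on_change` handler that replaces these two lines in the next commit's Rexfile hunk has the same gap. Rex's `run` accepts `auto_die => 1` to abort the task on a non-zero exit, e.g. `run 'doas rm -f /etc/login.conf.db && doas cap_mkdb /etc/login.conf', auto_die => 1;`. The enclosing `task 'relayd'` starts before the hunk and continues after it.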
@@ -291,8 +291,14 @@ task 'relayd',
 append_if_no_such_line '/etc/rc.conf.local', 'relayd_flags=';
 
 # Increase daemon login class file descriptor limits for relayd with many TLS certs
- run 'doas sed -i "s/:openfiles-max=1024:/:openfiles-max=4096:/; s/:openfiles-cur=1024:/:openfiles-cur=4096:/" /etc/login.conf';
- run 'doas rm -f /etc/login.conf.db && doas cap_mkdb /etc/login.conf';
+ file '/etc/login.conf.d/daemon',
+ source => './etc/login.conf.d/daemon',
+ owner => 'root',
+ group => 'wheel',
+ mode => '644',
+ on_change => sub {
+ run 'doas rm -f /etc/login.conf.db && doas cap_mkdb /etc/login.conf';
+ };
 
 file '/etc/relayd.conf',
 content => template(
-- cgit v1.2.3
From c4970d51fbaf85ee2ce3a950fc75d9fffc53b62d Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sat, 17 Jan 2026 17:14:22 +0200
Subject: add daemon
---
frontends/etc/login.conf.d/daemon | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 frontends/etc/login.conf.d/daemon
(limited to 'frontends')
diff --git a/frontends/etc/login.conf.d/daemon b/frontends/etc/login.conf.d/daemon
new file mode 100644
index 0000000..a995fe9
--- /dev/null
+++ b/frontends/etc/login.conf.d/daemon
@@ -0,0 +1,4 @@
+daemon:\
+ :openfiles-max=4096:\
+ :openfiles-cur=4096:\
+ :tc=default:
-- cgit v1.2.3
From 7a996ed2f657562dd05dee2548db15d044f4fdeb Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sat, 17 Jan 2026 17:22:41 +0200
Subject: fix tls
---
frontends/etc/acme-client.conf.tpl | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
(limited to 'frontends')
diff --git a/frontends/etc/acme-client.conf.tpl b/frontends/etc/acme-client.conf.tpl
index 6d0e2df..685794c 100644
--- a/frontends/etc/acme-client.conf.tpl
+++ b/frontends/etc/acme-client.conf.tpl
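Review bot: The new `daemon` class in /etc/login.conf.d/daemon is a complete replacement rather than an overlay: it sets the two openfiles values and then `:tc=default:`, so assuming it takes precedence over the stock `daemon` entry in /etc/login.conf (which is the point of putting it there), the `:ignorenologin:`, `:datasize=4096M:` and `:maxproc=infinity:` capabilities that the AGENTS.md text earlier in this series lists for the stock class no longer apply to relayd or to any other daemon, which then inherit the `default` class values for them. Unless dropping those is intended, carry them over above the openfiles lines: `:ignorenologin:\`, `:datasize=4096M:\`, `:maxproc=infinity:\`. A one-line `#` comment in the file naming why the limit is raised (relayd loading 67+ TLS keypairs) would save the next reader a trip to the Rexfile.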
@@ -23,7 +23,8 @@ authority buypass-test {
 contact "mailto:me@example.com"
 }
 
-<% for my $host (@$acme_hosts) { -%>
+<% for my $host (@$acme_hosts) {
+ next if $host eq 'blowfish.buetow.org' or $host eq 'fishfinger.buetow.org'; -%>
 domain <%= $host %> {
 alternative names { www.<%= $host %> }
 domain key "/etc/ssl/private/<%= $host %>.key"
@@ -36,10 +37,3 @@ domain standby.<%= $host %> {
 sign with letsencrypt
 }
 <% } -%>
-
-# For the server itself (e.g. TLS, or monitoring)
-domain <%= "$hostname.$domain" %> {
- domain key "/etc/ssl/private/<%= "$hostname.$domain" %>.key"
- domain full chain certificate "/etc/ssl/<%= "$hostname.$domain" %>.fullchain.pem"
- sign with letsencrypt
-}
-- cgit v1.2.3
From 19defb02691f020470b7e28d81ae331b8d8f9bd9 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sat, 17 Jan 2026 21:08:37 +0200
Subject: adjust monitoring checks
---
frontends/Rexfile | 11 +++++++++++
frontends/etc/gogios.json.tpl | 6 +++---
frontends/etc/mail/smtpd.conf.tpl | 11 +++++++++++
3 files changed, 25 insertions(+), 3 deletions(-)
(limited to 'frontends')
diff --git a/frontends/Rexfile b/frontends/Rexfile
index c59bb58..971e162 100644
--- a/frontends/Rexfile
+++ b/frontends/Rexfile
@@ -344,6 +344,17 @@ task 'smtpd',
 mode => '644',
 on_change => sub { service 'smtpd' => 'restart' };
 
+ # Reject lists for blocking unwanted senders/domains/recipients
+ Rex::Logger::info('Dealing with mail reject lists');
+ for my $reject_list (qw/reject-senders reject-domains reject-recipients/) {
+ file "/etc/mail/$reject_list",
+ source => "./etc/mail/$reject_list",
+ owner => 'root',
+ group => 'wheel',
+ mode => '644',
+ on_change => sub { service 'smtpd' => 'restart' };
+ }
+
 Rex::Logger::info('Dealing with smtpd.conf');
 file '/etc/mail/smtpd.conf',
 content => template('./etc/mail/smtpd.conf.tpl'),
diff --git a/frontends/etc/gogios.json.tpl b/frontends/etc/gogios.json.tpl
index 49221c5..8e4bcdb 100644
--- a/frontends/etc/gogios.json.tpl
+++ b/frontends/etc/gogios.json.tpl
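Review bot: After this commit nothing in the template requests a certificate for the gateway's own name: the second hunk removes the only `domain <%= "$hostname.$domain" %>` block, and the first hunk skips `blowfish.buetow.org` and `fishfinger.buetow.org` inside the loop, so on either gateway acme-client stops renewing the certificate that smtpd.conf.tpl still binds with `hostname "<%= "$hostname.$domain" %>"` (visible in a later commit on this page). If that certificate is not issued elsewhere, keep the dedicated block (it is the one without a `www.` alternative name) and key the skip on the deploying host, e.g. `next if $host eq "$hostname.$domain"; -%>`, since `$hostname` and `$domain` are already in scope as the removed block shows. If it is provisioned elsewhere, a comment on the `next if` line saying where would spare the next reader the same investigation.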
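Review bot: The `file "/etc/mail/$reject_list", source => "./etc/mail/$reject_list"` loop references three source files that this commit does not add; they appear only in the following commit (535711aa, `add`) as empty files, so at this revision the smtpd task fails on the missing sources. A change to a table file also does not need a daemon restart: `smtpctl update table reject-senders` (likewise for the other two) reloads the table in place, whereas `service 'smtpd' => 'restart'` drops active sessions, so `on_change => sub { run "doas smtpctl update table $reject_list" }` would be the lighter handler. The enclosing `task 'smtpd'` starts before the hunk.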
@@ -23,9 +23,9 @@
 <% for my $proto (4, 6) { -%>
 "Check Ping<%= $proto %> <%= $host %>.wg0.wan.buetow.org": {
 "Plugin": "<%= $plugin_dir %>/check_ping",
- "Args": ["-H", "<%= $host %>.wg0.wan.buetow.org", "-<%= $proto %>", "-w", "100,10%", "-c", "200,15%"],
+ "Args": ["-H", "<%= $host %>.wg0.wan.buetow.org", "-<%= $proto %>", "-w", "100,20%", "-c", "200,30%"],
 "RandomSpread": 10,
- "Retries": 3,
+ "Retries": 5,
 "RetryInterval": 3
 },
 <% } -%>
@@ -117,7 +117,7 @@
 "Plugin": "<%= $plugin_dir %>/check_procs",
 "RandomSpread": 10,
 "RunInterval": 300,
- "Args": ["-w", "80", "-c", "100"]
+ "Args": ["-w", "100", "-c", "150"]
 },
 "Check Disk <%= $hostname %>": {
 "Plugin": "<%= $plugin_dir %>/check_disk",
diff --git a/frontends/etc/mail/smtpd.conf.tpl b/frontends/etc/mail/smtpd.conf.tpl
index 7764b34..b43302d 100644
--- a/frontends/etc/mail/smtpd.conf.tpl
+++ b/frontends/etc/mail/smtpd.conf.tpl
@@ -10,6 +10,11 @@ table aliases file:/etc/mail/aliases
 table virtualdomains file:/etc/mail/virtualdomains
 table virtualusers file:/etc/mail/virtualusers
 
+# Reject lists for blocking unwanted senders/domains/recipients
+table reject-senders file:/etc/mail/reject-senders
+table reject-domains file:/etc/mail/reject-domains
+table reject-recipients file:/etc/mail/reject-recipients
+
 listen on socket
 listen on all tls pki "buetow_org_tls" hostname "<%= "$hostname.$domain" %>"
 #listen on all
@@ -18,6 +23,12 @@ action localmail mbox alias
 action receive mbox virtual
 action outbound relay
 
+# Reject rules (processed before accept rules)
+# reject-senders: full addresses, reject-domains: patterns like *@domain.com
+match from any mail-from reject
+match from any mail-from reject
+match from any for rcpt-to reject
+
 match from any for domain action receive
 match from local for local action localmail
 match from local for any action outbound
-- cgit v1.2.3
From 535711aa372648fc81d3e8f01ad2b5c12561cb95 Mon Sep 17 00:00:00 2001
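Review bot: As rendered here the three new `match` rules read `match from any mail-from reject` and `match from any for rcpt-to reject`, i.e. without the table operand (the table name in angle brackets) that ties each rule to `reject-senders`, `reject-domains` or `reject-recipients`; if the brackets were stripped by the page rendering this is only a display artefact, otherwise smtpd refuses the configuration and none of the rules takes effect. The comment also says reject-domains holds `patterns like *@domain.com`, but a plain table operand in smtpd matches whole addresses, `user@` or `@domain.com` entries, and wildcard patterns need the `regex` form of the rule, so either the comment or the rule should be adjusted (see smtpd.conf(5)). Since the tables are deployed empty in the next commit, running `smtpd -n` after the first real entry is the quickest way to confirm the matching mode.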
From: Paul Buetow
Date: Sun, 18 Jan 2026 09:45:16 +0200
Subject: add
---
frontends/etc/mail/reject-domains | 0
frontends/etc/mail/reject-recipients | 0
frontends/etc/mail/reject-senders | 0
3 files changed, 0 insertions(+), 0 deletions(-)
create mode 100644 frontends/etc/mail/reject-domains
create mode 100644 frontends/etc/mail/reject-recipients
create mode 100644 frontends/etc/mail/reject-senders
(limited to 'frontends')
diff --git a/frontends/etc/mail/reject-domains b/frontends/etc/mail/reject-domains
new file mode 100644
index 0000000..e69de29
diff --git a/frontends/etc/mail/reject-recipients b/frontends/etc/mail/reject-recipients
new file mode 100644
index 0000000..e69de29
diff --git a/frontends/etc/mail/reject-senders b/frontends/etc/mail/reject-senders
new file mode 100644
index 0000000..e69de29
-- cgit v1.2.3
From f400a656ceeb0c08428745bd59e5ad30edba6ff9 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sun, 18 Jan 2026 16:42:30 +0200
Subject: fix alerts
---
frontends/Rexfile | 14 +++++++++++++-
frontends/etc/gogios.json.tpl | 2 +-
frontends/etc/httpd.conf.tpl | 3 +--
3 files changed, 15 insertions(+), 4 deletions(-)
(limited to 'frontends')
diff --git a/frontends/Rexfile b/frontends/Rexfile
index 971e162..9cce066 100644
--- a/frontends/Rexfile
+++ b/frontends/Rexfile
@@ -86,6 +86,18 @@ our @acme_hosts = qw/foo.zone dtail.dev buetow.org git.buetow.org paul.buetow.org joern.buetow.org dory.buetow.org ecat.buetow.org blog.buetow.org znc.buetow.org stats.foo.zone irregular.ninja alt.irregular.ninja snonux.foo gogios.buetow.org blowfish.buetow.org fishfinger.buetow.org/;
 push @acme_hosts, @f3s_hosts;
 
+# WireGuard IP addresses for ping checks
+our %wg0_ips = (
+ 'blowfish' => { '4' => '192.168.2.110', '6' => 'fd42:beef:cafe:2::110' },
+ 'fishfinger' => { '4' => '192.168.2.111', '6' => 'fd42:beef:cafe:2::111' },
+ 'f0' => { '4' => '192.168.2.130', '6' => 'fd42:beef:cafe:2::130' },
+ 'f1' => { '4' => '192.168.2.131', '6' => 'fd42:beef:cafe:2::131' },
+ 'f2' => { '4' => '192.168.2.132', '6' => 'fd42:beef:cafe:2::132' },
+ 'r0' => { '4' => '192.168.2.120', '6' => 'fd42:beef:cafe:2::120' },
+ 'r1' => { '4' => '192.168.2.121', '6' => 'fd42:beef:cafe:2::121' },
+ 'r2' => { '4' => '192.168.2.122', '6' => 'fd42:beef:cafe:2::122' },
+);
+
 # UTILITY TASKS
 
 task 'id', group => 'frontends', sub { say run 'id' };
@@ -505,7 +517,7 @@ task 'gogios',
 mode => '755';
 
 file '/etc/gogios.json',
- content => template( './etc/gogios.json.tpl', acme_hosts => \@acme_hosts ),
+ content => template( './etc/gogios.json.tpl', acme_hosts => \@acme_hosts, wg0_ips => \%wg0_ips ),
 owner => 'root',
 group => 'wheel',
 mode => '744';
diff --git a/frontends/etc/gogios.json.tpl b/frontends/etc/gogios.json.tpl
index 8e4bcdb..03b4cab 100644
--- a/frontends/etc/gogios.json.tpl
+++ b/frontends/etc/gogios.json.tpl
@@ -23,7 +23,7 @@
 <% for my $proto (4, 6) { -%>
 "Check Ping<%= $proto %> <%= $host %>.wg0.wan.buetow.org": {
 "Plugin": "<%= $plugin_dir %>/check_ping",
- "Args": ["-H", "<%= $host %>.wg0.wan.buetow.org", "-<%= $proto %>", "-w", "100,20%", "-c", "200,30%"],
+ "Args": ["-H", "<%= $wg0_ips->{$host}->{$proto} %>", "-<%= $proto %>", "-w", "40,20%", "-c", "80,30%"],
 "RandomSpread": 10,
 "Retries": 5,
 "RetryInterval": 3
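Review bot: `<%= $wg0_ips->{$host}->{$proto} %>` in the gogios.json.tpl hunk has no fallback, so any `$host` missing from `%wg0_ips` (the hash lists eight hosts, while hosts.wg.append earlier on this page also has earth and pixel7pro) renders as an empty `-H` argument and that ping check silently stops checking anything; the `for` that binds `$host` starts outside the hunk, so which list it iterates is not visible here. A guard such as `<% my $ip = $wg0_ips->{$host}{$proto} // die "no wg0 IPv$proto address for $host"; %>` turns the gap into a deploy-time error instead, as far as Rex templates propagate exceptions. The addresses are now maintained in two places (this hash and hosts.wg.append); a comment on `%wg0_ips` like `# Keep in sync with etc/hosts.wg.append`, or generating one from the other, would prevent drift.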
diff --git a/frontends/etc/httpd.conf.tpl b/frontends/etc/httpd.conf.tpl
index 6f0c51a..6a313ae 100644
--- a/frontends/etc/httpd.conf.tpl
+++ b/frontends/etc/httpd.conf.tpl
@@ -94,13 +94,12 @@ server "<%= $prefix %>paul.buetow.org" {
 }
 <% } -%>
 
-# Redirect to gitub.dtail.dev
 <% for my $prefix (@prefixes) { -%>
 server "<%= $prefix %>dtail.dev" {
 listen on * port 8080
 log style forwarded
 location * {
- block return 302 "https://github.dtail.dev$REQUEST_URI"
+ block return 302 "https://codeberg.org/snonux/dtail"
 }
 }
 <% } -%>
-- cgit v1.2.3
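Review bot: The descriptive comment above the dtail.dev server block is deleted rather than corrected, and the new target drops `$REQUEST_URI`, so every path under dtail.dev now lands on the repository root instead of being mapped through; if collapsing deep links is intended it is worth saying so, because the old redirect preserved them. Suggested replacement for the removed line: `# Redirect dtail.dev (all paths) to the dtail repository on Codeberg`. The preceding paul.buetow.org server block starts outside the hunk.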