lewis.moe / bspds-sandbox
this repo has no description
fork atom
bspds-sandbox / docs / install-openbsd.md
at 7e0d55c42276f001322bc4cb44840d8d71c22094 7.4 kB view raw view rendered
1# BSPDS Production Installation on OpenBSD 2> **Warning**: These instructions are untested and theoretical, written from the top of Lewis' head. They may contain errors or omissions. This warning will be removed once the guide has been verified. 3This guide covers installing BSPDS on OpenBSD 7.8 (current release as of December 2025). 4## Prerequisites 5- A VPS with at least 2GB RAM and 20GB disk 6- A domain name pointing to your server's IP 7- Root access (or doas configured) 8## Why nginx over relayd? 9OpenBSD's native `relayd` supports WebSockets but does **not** support HTTP/2. For a modern PDS deployment, we recommend nginx which provides HTTP/2, WebSocket support, and automatic OCSP stapling. 10## 1. System Setup 11```sh 12pkg_add curl git 13``` 14## 2. Install Rust 15```sh 16pkg_add rust 17``` 18OpenBSD 7.8 ships Rust 1.82+. For the latest stable (1.92+), use rustup: 19```sh 20pkg_add rustup 21rustup-init -y 22source ~/.cargo/env 23rustup default stable 24``` 25## 3. Install postgres 26OpenBSD 7.8 includes PostgreSQL 17 (PostgreSQL 18 may not yet be in ports): 27```sh 28pkg_add postgresql-server postgresql-client 29mkdir -p /var/postgresql/data 30chown _postgresql:_postgresql /var/postgresql/data 31su - _postgresql -c "initdb -D /var/postgresql/data -U postgres -A scram-sha-256" 32rcctl enable postgresql 33rcctl start postgresql 34psql -U postgres -c "CREATE USER bspds WITH PASSWORD 'your-secure-password';" 35psql -U postgres -c "CREATE DATABASE pds OWNER bspds;" 36psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE pds TO bspds;" 37``` 38## 4. Install minio 39OpenBSD doesn't have a minio package. Options: 40**Option A: Use an external S3-compatible service (recommended for production)** 41aws s3, backblaze b2, or upcloud managed object storage. Skip to step 5 and configure the S3 credentials in step 9. 42**Option B: Build minio from source** 43```sh 44pkg_add go 45mkdir -p /tmp/minio-build && cd /tmp/minio-build 46ftp -o minio.tar.gz https://github.com/minio/minio/archive/refs/tags/RELEASE.2025-10-15T17-29-55Z.tar.gz 47tar xzf minio.tar.gz 48cd minio-* 49go build -o minio . 50cp minio /usr/local/bin/ 51mkdir -p /var/minio/data 52useradd -d /var/minio -s /sbin/nologin _minio 53chown -R _minio:_minio /var/minio 54cat > /etc/minio.conf << 'EOF' 55MINIO_ROOT_USER=minioadmin 56MINIO_ROOT_PASSWORD=your-minio-password 57EOF 58chmod 600 /etc/minio.conf 59cat > /etc/rc.d/minio << 'EOF' 60#!/bin/ksh 61daemon="/usr/local/bin/minio" 62daemon_user="_minio" 63daemon_flags="server /var/minio/data --console-address :9001" 64. /etc/rc.d/rc.subr 65rc_pre() { 66 . /etc/minio.conf 67 export MINIO_ROOT_USER MINIO_ROOT_PASSWORD 68} 69rc_cmd $1 70EOF 71chmod +x /etc/rc.d/minio 72rcctl enable minio 73rcctl start minio 74``` 75Create the blob bucket: 76```sh 77ftp -o /usr/local/bin/mc https://dl.min.io/client/mc/release/openbsd-amd64/mc 78chmod +x /usr/local/bin/mc 79mc alias set local http://localhost:9000 minioadmin your-minio-password 80mc mb local/pds-blobs 81``` 82## 5. Install redis 83OpenBSD has redis in ports (valkey may not be available yet): 84```sh 85pkg_add redis 86rcctl enable redis 87rcctl start redis 88``` 89## 6. Install deno (for frontend build) 90```sh 91curl -fsSL https://deno.land/install.sh | sh 92export PATH="$HOME/.deno/bin:$PATH" 93echo 'export PATH="$HOME/.deno/bin:$PATH"' >> ~/.profile 94``` 95## 7. Clone and Build BSPDS 96```sh 97mkdir -p /opt && cd /opt 98git clone https://tangled.org/lewis.moe/bspds-sandbox bspds 99cd bspds 100cd frontend 101deno task build 102cd .. 103cargo build --release 104``` 105## 8. Install sqlx-cli and Run Migrations 106```sh 107cargo install sqlx-cli --no-default-features --features postgres 108export DATABASE_URL="postgres://bspds:your-secure-password@localhost:5432/pds" 109sqlx migrate run 110``` 111## 9. Configure BSPDS 112```sh 113mkdir -p /etc/bspds 114cp /opt/bspds/.env.example /etc/bspds/bspds.conf 115chmod 600 /etc/bspds/bspds.conf 116``` 117Edit `/etc/bspds/bspds.conf` and fill in your values. Generate secrets with: 118```sh 119openssl rand -base64 48 120``` 121## 10. Create rc.d Service 122```sh 123useradd -d /var/empty -s /sbin/nologin _bspds 124cp /opt/bspds/target/release/bspds /usr/local/bin/ 125mkdir -p /var/bspds 126cp -r /opt/bspds/frontend/dist /var/bspds/frontend 127chown -R _bspds:_bspds /var/bspds 128cat > /etc/rc.d/bspds << 'EOF' 129#!/bin/ksh 130daemon="/usr/local/bin/bspds" 131daemon_user="_bspds" 132daemon_logger="daemon.info" 133. /etc/rc.d/rc.subr 134rc_pre() { 135 export FRONTEND_DIR=/var/bspds/frontend 136 while IFS='=' read -r key value; do 137 case "$key" in 138 \#*|"") continue ;; 139 esac 140 export "$key=$value" 141 done < /etc/bspds/bspds.conf 142} 143rc_cmd $1 144EOF 145chmod +x /etc/rc.d/bspds 146rcctl enable bspds 147rcctl start bspds 148``` 149## 11. Install and Configure nginx 150```sh 151pkg_add nginx 152cat > /etc/nginx/nginx.conf << 'EOF' 153worker_processes 1; 154events { 155 worker_connections 1024; 156} 157http { 158 include mime.types; 159 server { 160 listen 80; 161 listen [::]:80; 162 server_name pds.example.com; 163 location /.well-known/acme-challenge/ { 164 root /var/www/acme; 165 } 166 location / { 167 return 301 https://$host$request_uri; 168 } 169 } 170 server { 171 listen 443 ssl http2; 172 listen [::]:443 ssl http2; 173 server_name pds.example.com; 174 ssl_certificate /etc/ssl/pds.example.com.fullchain.pem; 175 ssl_certificate_key /etc/ssl/private/pds.example.com.key; 176 ssl_protocols TLSv1.2 TLSv1.3; 177 ssl_ciphers HIGH:!aNULL:!MD5; 178 ssl_prefer_server_ciphers on; 179 ssl_session_cache shared:SSL:10m; 180 location / { 181 proxy_pass http://127.0.0.1:3000; 182 proxy_http_version 1.1; 183 proxy_set_header Upgrade $http_upgrade; 184 proxy_set_header Connection "upgrade"; 185 proxy_set_header Host $host; 186 proxy_set_header X-Real-IP $remote_addr; 187 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 188 proxy_set_header X-Forwarded-Proto $scheme; 189 proxy_read_timeout 86400; 190 } 191 } 192} 193EOF 194mkdir -p /var/www/acme 195rcctl enable nginx 196``` 197## 12. Obtain SSL Certificate with acme-client 198OpenBSD's native acme-client works well: 199```sh 200cat >> /etc/acme-client.conf << 'EOF' 201authority letsencrypt { 202 api url "https://acme-v02.api.letsencrypt.org/directory" 203 account key "/etc/acme/letsencrypt-privkey.pem" 204} 205domain pds.example.com { 206 domain key "/etc/ssl/private/pds.example.com.key" 207 domain full chain certificate "/etc/ssl/pds.example.com.fullchain.pem" 208 sign with letsencrypt 209} 210EOF 211mkdir -p /etc/acme 212rcctl start nginx 213acme-client -v pds.example.com 214rcctl restart nginx 215``` 216Set up auto-renewal in root's crontab: 217```sh 218crontab -e 219``` 220Add: 221``` 2220 0 * * * acme-client pds.example.com && rcctl reload nginx 223``` 224## 13. Configure Packet Filter (pf) 225```sh 226cat >> /etc/pf.conf << 'EOF' 227# BSPDS rules 228pass in on egress proto tcp from any to any port { 22, 80, 443 } 229EOF 230pfctl -f /etc/pf.conf 231``` 232## 14. Verify Installation 233```sh 234rcctl check bspds 235ftp -o - https://pds.example.com/xrpc/_health 236ftp -o - https://pds.example.com/.well-known/atproto-did 237``` 238## Maintenance 239View logs: 240```sh 241tail -f /var/log/daemon 242``` 243Update BSPDS: 244```sh 245cd /opt/bspds 246git pull 247cd frontend && deno task build && cd .. 248cargo build --release 249rcctl stop bspds 250cp target/release/bspds /usr/local/bin/ 251cp -r frontend/dist /var/bspds/frontend 252DATABASE_URL="postgres://bspds:your-secure-password@localhost:5432/pds" sqlx migrate run 253rcctl start bspds 254``` 255Backup database: 256```sh 257pg_dump -U postgres pds > /var/backups/pds-$(date +%Y%m%d).sql 258```