• OpenBSD
  • Installing Zabbix-server on OBSD 7.3

I am writing this post for myself and for others as I am installing zabbix-server and zabbix-agent with PostgreSQL and Let's Encrypt. If anyone can help out wherever I am wrong or something needs improvement, please let me know. This post will help others who are struggling as well.
Zabbix server + Zabbix web + PostgreSQL + Let's Encrypt

  1. Copying doas.conf to /etc

cp /etc/examples/doas.conf /etc

Adding lines to doas.conf:

# my change so that the password is not asked for again once entered
permit persist :wheel
  2. Copy acme-client.conf from examples

cp /etc/examples/acme-client.conf /etc

  3. Configure with your FQDN
    #
    # $OpenBSD: acme-client.conf,v 1.4 2020/09/17 09:13:06 florian Exp $
    #
    authority letsencrypt {
            api url "https://acme-v02.api.letsencrypt.org/directory"
            account key "/etc/acme/letsencrypt-privkey.pem"
    }
    
    authority letsencrypt-staging {
            api url "https://acme-staging-v02.api.letsencrypt.org/directory"
            account key "/etc/acme/letsencrypt-staging-privkey.pem"
    }
    
    authority buypass {
            api url "https://api.buypass.com/acme/directory"
            account key "/etc/acme/buypass-privkey.pem"
            contact "mailto:me@example.com"
    }
    
    authority buypass-test {
            api url "https://api.test4.buypass.no/acme/directory"
            account key "/etc/acme/buypass-test-privkey.pem"
            contact "mailto:me@example.com"
    }
    
    # The key and full chain paths below must be the same files that the
    # tls block in httpd.conf points at.
    domain yourdomain.com {
    #       alternative names { secure.domain.com }
            domain key "/etc/ssl/private/yourdomain.com.key"
            domain full chain certificate "/etc/ssl/yourdomain.com.fullchain.pem"
            sign with letsencrypt
    }
  4. Installing all the packages (if any are missing, let me know)

pkg_add zabbix-server-6.2.6-pgsql zabbix-web-6.2.6p0 zabbix-agent-6.2.6p0 postgresql-server-15.2p0 postgresql-client-15.2

  5. sysctl limits need to be set

vi /etc/sysctl.conf

"When using PostgreSQL at least the following sysctl limits need to be set:"

kern.seminfo.semmni=30
kern.seminfo.semmns=120
kern.shminfo.shmall=524288

  6. Log in as user _postgresql

su - _postgresql

mkdir /var/postgresql/data

initdb -D /var/postgresql/data -U postgres \
      -W -A scram-sha-256 -E UTF-8 --locale=en_US.UTF-8

Starting PostgreSQL while logged in as user _postgresql

pg_ctl -D /var/postgresql/data -l logfile start
$ exit

Create the database and user for Zabbix

$ createuser -U postgres --pwprompt --no-superuser --createdb --no-createrole zabbix
$ createdb -U zabbix zabbix

Import the initial schema and data

$ cd /usr/local/share/zabbix/schema/postgresql
$ cat schema.sql | psql -U zabbix zabbix
$ cat images.sql | psql -U zabbix zabbix
$ cat data.sql | psql -U zabbix zabbix

  7. Add to the bottom of the login.conf file
vi /etc/login.conf

zabbix_server:\
	:openfiles-cur=1024:\
	:openfiles-max=2048:\
	:tc=daemon:

postgresql:\
	:openfiles=1024:\
	:tc=daemon:
  8. Backing up the original server and agent configs.
cp /etc/zabbix/zabbix_agentd.conf  /etc/zabbix/zabbix_agentd.conf.original
cp /etc/zabbix/zabbix_server.conf  /etc/zabbix/zabbix_server.conf.original
  9. Directory and file copies for the httpd chroot so that DNS works.
mkdir -p /var/www/etc
cp /etc/resolv.conf /var/www/etc
cp /etc/hosts /var/www/etc
  10. Adding httpd.conf; one can copy it from the examples

cp /etc/examples/httpd.conf /etc

# $OpenBSD: httpd.conf,v 1.22 2020/11/04 10:34:18 denis Exp $

ext_addr="*"
domain="yourdomain.com"
prefork 3

server $domain {
        listen on $ext_addr port 80
        block return 301 "https://$SERVER_NAME$REQUEST_URI"
}

server $domain {
        root "/zabbix"
        listen on $ext_addr tls port 443
        tls {
                certificate "/etc/ssl/yourdomain.com.fullchain.pem"
                key "/etc/ssl/private/yourdomain.com.key"
                ciphers "secure"
        }
        hsts max-age 16000000
        hsts preload

        # Increase connection limits to extend the lifetime
        connection { max requests 500, timeout 3600 }
        connection { max request body 8388608 }

        directory {
                index "index.php"
        }

        location "/conf/*" {
                block return 401
        }

        location "*.php" {
                fastcgi socket "/run/php-fpm.sock"
        }
}

# Include MIME types instead of the built-in ones
types {
        include "/usr/share/misc/mime.types"
}

Hold on, I still need to work around some things and add more.

Thank you.

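A consistency check for the files the post edits, added here as an example; it is not code from the original post or from the Zabbix or OpenBSD projects. It cross-checks the key and certificate paths that the acme-client.conf domain block writes against the paths the httpd.conf tls block reads (httpd must be given the full chain file, and both must name the same key), and it checks that sysctl.conf carries at least the three PostgreSQL minimums quoted in the post. The sample config files are constructed inside the script so it runs offline; the path and file names mirror the post, and on a real host you would call the check functions on /etc/acme-client.conf, /etc/httpd.conf and /etc/sysctl.conf instead.

```shell
#!/bin/sh
# Added example, not from the original post or the Zabbix/OpenBSD projects.
# Cross-checks acme-client.conf against httpd.conf and sysctl.conf against the
# PostgreSQL minimums. Sample files are constructed below (see write_samples).

# Print "<kind> <path>" for each key/certificate line in acme-client.conf
# domain blocks. Kinds: key, cert, chain, fullchain.
acme_paths() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*domain key /                    { print "key " $NF }
        /^[[:space:]]*domain full chain certificate / { print "fullchain " $NF }
        /^[[:space:]]*domain chain certificate /      { print "chain " $NF }
        /^[[:space:]]*domain certificate /            { print "cert " $NF }
    ' "$1" | tr -d '"'
}

# Print "<kind> <path>" for the certificate and key inside httpd.conf tls blocks.
httpd_tls_paths() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*certificate / { print "cert " $NF }
        /^[[:space:]]*key /         { print "key " $NF }
    ' "$1" | tr -d '"'
}

# Select the first path of a given kind from "<kind> <path>" lines on stdin.
lookup() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# Return 0 when httpd reads exactly what acme-client writes: httpd's
# certificate must be acme-client's *full chain* file (so the intermediate is
# served) and both key paths must match. Each mismatch is reported on stderr.
check_tls_paths() {
    rc=0
    a_chain=$(acme_paths "$1" | lookup fullchain)
    a_key=$(acme_paths "$1" | lookup key)
    h_cert=$(httpd_tls_paths "$2" | lookup cert)
    h_key=$(httpd_tls_paths "$2" | lookup key)
    if [ -z "$a_chain" ]; then
        echo "acme-client.conf: no 'domain full chain certificate' line" >&2; rc=1
    elif [ "$a_chain" != "$h_cert" ]; then
        echo "certificate mismatch: acme-client writes $a_chain, httpd reads $h_cert" >&2; rc=1
    fi
    if [ "$a_key" != "$h_key" ]; then
        echo "key mismatch: acme-client writes $a_key, httpd reads $h_key" >&2; rc=1
    fi
    return $rc
}

# Return 0 when sysctl.conf sets at least the three PostgreSQL minimums the
# post quotes; otherwise list every value that is unset or too low.
check_sysctl_minimums() {
    awk -F= '
        BEGIN { need["kern.seminfo.semmni"] = 30
                need["kern.seminfo.semmns"] = 120
                need["kern.shminfo.shmall"] = 524288 }
        /^[[:space:]]*#/ || NF < 2 { next }
        { gsub(/[[:space:]]/, "", $1); have[$1] = $2 + 0 }
        END { rc = 0
              for (k in need)
                  if (!(k in have) || have[k] < need[k]) {
                      print k ": want >= " need[k] ", have " (k in have ? have[k] : "unset")
                      rc = 1 }
              exit rc }
    ' "$1"
}

# Constructed sample files. acme-mismatch.conf has acme-client writing
# domain.com.* while httpd reads yourdomain.com.*; acme-fixed.conf agrees.
write_samples() {
    cat > "$1/acme-mismatch.conf" <<'EOF'
domain yourdomain.com {
        domain key "/etc/ssl/private/domain.com.key"
        domain full chain certificate "/etc/ssl/domain.com.fullchain.pem"
        sign with letsencrypt
}
EOF
    cat > "$1/acme-fixed.conf" <<'EOF'
domain yourdomain.com {
        domain key "/etc/ssl/private/yourdomain.com.key"
        domain full chain certificate "/etc/ssl/yourdomain.com.fullchain.pem"
        sign with letsencrypt
}
EOF
    cat > "$1/httpd.conf" <<'EOF'
server "yourdomain.com" {
        listen on * tls port 443
        tls {
                certificate "/etc/ssl/yourdomain.com.fullchain.pem"
                key "/etc/ssl/private/yourdomain.com.key"
        }
}
EOF
    printf 'kern.seminfo.semmni=30\nkern.seminfo.semmns=120\nkern.shminfo.shmall=524288\n' > "$1/sysctl-ok.conf"
    printf 'kern.seminfo.semmni=30\nkern.shminfo.shmall=1024\n' > "$1/sysctl-low.conf"
}

# Stand-alone run over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
if check_tls_paths "$tmp/acme-mismatch.conf" "$tmp/httpd.conf"; then echo "mismatch sample: consistent"; fi
if check_tls_paths "$tmp/acme-fixed.conf" "$tmp/httpd.conf"; then echo "fixed sample: consistent"; fi
if check_sysctl_minimums "$tmp/sysctl-ok.conf"; then echo "sysctl minimums: OK"; fi
rm -rf "$tmp"
```

The parsers are deliberately narrow: they only read the `domain key`, `domain ... certificate`, `certificate` and `key` lines and ignore comments, which is enough to catch the kind of copy-and-paste mismatch where acme-client renews one file name and httpd keeps serving an older one from another.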

Seems like a perfect match for OpenBSD 7.3, excellent idea. I myself just chose it, for penultimate security, for my new web and email hosting on Vultr.

In my setup I tried acme-client, Certbot and acme.sh, and I found acme.sh to be superior.

  • It did not want to use Python, unlike Certbot, which has so many insecure libraries in the repositories.
  • It uses ZeroSSL and does not limit cert attempts per hour, or per host.
  • It automatically added a perfect cron job.
  • Implements a DNS API to automate MX and TXT records for OpenSMTPD.

You can easily remove the certs and script if you don't like it.

http://acme.sh forwards you to the Github repo https://github.com/acmesh-official/acme.sh

Looking forward to hearing how it went.

    wravoc

    It's true!
    But sometimes acme-client bugs out without any reason; this tool can be 'fickle/capricious' for no reason!

    Implements a DNS API to automate MX and TXT records for OpenSMTPD.

    How?

    It did not want to use Python, like Certbot which has so many insecure libraries in the repositories

    Certainly, but it runs correctly every time!

      CiotBSD

      Yeah, acme-client cannot use the DNS protocol like Certbot but acme.sh has a superb shell script where all you need to do is:

      export VULTR_API_KEY="<Your API key>"
      ./acme.sh --issue --dns dns_vultr -d example.com -d www.example.com

      The VULTR_API_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.

      So when setting up an email server using OpenSMTPD, which is super secure as it's part of the OpenBSD project, you'll need to set up DKIM records in your DNS zone. However, every 90 days, when you need to get a new cert, you need to change those DKIM records in DNS, so it is uber handy for the script to do that for you.

      I'm going to write an article about how to do it on Vultr, since they're offering $600 per article written if accepted. It's only $6/mo for OpenBSD 7.3 on a premium AMD EPYC CPU, 1GB memory, 2TB bandwidth, 25GB, with an instant one-time snapshot backup feature too, for pennies.

      If anyone is interested I can give you $100 credit after you pay for $10 of hosting. At that price that would be a free year of OpenBSD 7.3. The "High Compute (AMD), Cloud Compute" lowest level boots up and starts serving my website and email in about 5 seconds. My page on OpenBSD httpd serves in 497ms; you can't even see it load. Instant email over IMAP using Dovecot (see the article below).

      $100 account credit, referral.
      https://www.vultr.com/?ref=9439731

      Here is the article I used to set up my email server; it works great! Although it was written long ago, you'll need to read my comment on the article, posted yesterday, on the fix for 7.3 and Rspamd 3.4 in a hosted environment.

      https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

      I just started with BSD, so I'm in no way really good at it, but I can help you with it since I must have set it up about 5 times to get it perfect! I also worked in the computer industry all my life, including at many NOCs, and I have great documentation!


      Oh, and contrary to the article, I used acme.sh to make a wildcard SSL certificate, which also covered mail.example.com whilst preserving my httpd.conf main website.

      16 days later
      5 days later

      I am having difficulty connecting the agent; if there is anything else, please let me know.

      15 days later

      wravoc

      It is not Prometheus, so it is different, but thanks.
      I have no experience, but I got my hands dirty to learn and do it all alone, and I am still struggling.