Although there isn't a Nebula package in the OpenBSD repos the way there is for some other OSes, I was happy to see that builds for OpenBSD are published automatically on GitHub. So what does it take to get it up and running as a proper background service on OpenBSD?
Sure enough, the official quick start guide can be used for OpenBSD with only one special consideration: the part of the example config that sets the device name must be changed to tun0 (or tun followed by any other digit) instead of nebula1:

# Name of the device. If not set, a default will be chosen by the OS.
# For macOS: if set, must be in the form `utun[0-9]+`.
# For NetBSD: Required to be set, must be in the form `tun[0-9]+`
dev: tun0

The problem is that now it is up to us to set up a system service (aka system daemon) to avoid having to start Nebula manually every time the machine reboots. Thankfully, through the magic of RTFM and looking at other services for examples, we can create our own file and place it in /etc/rc.d/, where the other service scripts live on OpenBSD. So let's do it! Create /etc/rc.d/nebula and paste this into it:

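#!/bin/ksh

daemon="/usr/local/sbin/nebula"
daemon_flags="-config /etc/nebula/config.yml"
daemon_logfile="/var/log/nebula"

. /etc/rc.d/rc.subr

# Nebula stays in the foreground, so let rc.subr run it in the background.
rc_bg=YES
# Disable the reload action for this service.
rc_reload=NO

# Override the default start action so that stdout and stderr are appended to the log file.
rc_start() {
	rc_exec "${daemon} ${daemon_flags} >> ${daemon_logfile} 2>&1"
}

rc_cmd $1

I chose to place my Nebula binary at /usr/local/sbin/nebula, so feel free to change the file accordingly if you put it somewhere else.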
As you can see, Nebula will output its logs to /var/log/nebula, which is very handy, except that the log file will grow forever if we don't do something about it. We can use OpenBSD's newsyslog utility to rotate the logs for us automatically. All we have to do is add this line to the bottom of /etc/newsyslog.conf:

/var/log/nebula 640 5 300 * Z

We're almost done. Just as a sanity check, let's look at the files we've created and the permissions and ownerships we should probably give them (although maybe you prefer to set up a dedicated user to run the nebula service). Here's what mine look like:

-rw------- 1 root wheel 248B Jan 1 00:00 /etc/nebula/ca.crt
-rw-r--r-- 1 root wheel 13.6K Jan 1 00:00 /etc/nebula/config.yml
-rw------- 1 root wheel 305B Jan 1 00:00 /etc/nebula/host.crt
-rw------- 1 root wheel 128B Jan 1 00:00 /etc/nebula/host.key
-rwxr-xr-x 1 root bin 259B Jan 1 00:00 /etc/rc.d/nebula
-rwxr-xr-x 1 root bin 19.9M Jan 1 00:00 /usr/local/sbin/nebula
-rwxr-xr-x 1 root bin 8.2M Jan 1 00:00 /usr/local/sbin/nebula-cert
-rw-r----- 1 root wheel 67B Jan 1 00:00 /var/log/nebula

It's done! We can now run the commands to enable and start the service:

rcctl enable nebula
rcctl start nebula

Don't forget to edit your firewall rules if you're exposing a port for lighthouse purposes!
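
The ownership and permission sanity check from the file listing above can be scripted so it is repeatable after upgrades or re-issued certificates. This is an added example, not part of the original post or the Nebula project: the paths are the ones in the listing, while `check_file`, `audit_nebula` and `EXPECTED_OWNER` are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: audit owner and mode of the Nebula files from the listing above.
# check_file, audit_nebula and EXPECTED_OWNER are names made up for this sketch.
EXPECTED_OWNER="${EXPECTED_OWNER:-root}"

# check_file PATH KIND
#   secret  = group and other must have no access at all (the private key)
#   trusted = group and other must not be able to write (config, certs, binaries)
# Prints one line per file; returns 0 on pass, 1 on a finding.
check_file() {
    path=$1 kind=$2
    if [ ! -e "$path" ]; then
        echo "FAIL $path: missing"
        return 1
    fi
    info=$(ls -ld -- "$path")                        # "-rw------- 1 root wheel ..."
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    go=$(printf '%s\n' "$info" | cut -c5-10)         # group+other bits, e.g. "r--r--"
    why=
    case "$kind:$go" in
        secret:------) ;;
        secret:*) why="group/other access ($go)" ;;
        trusted:?w????|trusted:????w?) why="writable by group/other ($go)" ;;
    esac
    [ "$owner" = "$EXPECTED_OWNER" ] || why="owned by $owner, not $EXPECTED_OWNER"
    if [ -n "$why" ]; then
        echo "FAIL $path: $why"
        return 1
    fi
    echo "OK   $path"
}

# Paths are the ones used in the post; pass another config directory as $1.
audit_nebula() {
    dir=${1:-/etc/nebula} rc=0
    check_file "$dir/host.key" secret || rc=1
    for f in "$dir/ca.crt" "$dir/host.crt" "$dir/config.yml" /var/log/nebula \
             /etc/rc.d/nebula /usr/local/sbin/nebula /usr/local/sbin/nebula-cert; do
        check_file "$f" trusted || rc=1
    done
    return $rc
}

audit_nebula || echo "nebula audit: fix the FAIL lines above"
```

If you run Nebula under a dedicated user instead of root, set `EXPECTED_OWNER` to the owner you expect for these files before running the script.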