Leaving KeePassXC behind and getting a Hetzner CAX cloud server in one move.
IPv6 address for vio0? (or 'autoconf' or 'none') [none] autoconf
This you? Let’s fix /etc/hostname.vio0:
inet autoconf
inet6 $addr
Add IPv6 gateway (/etc/mygate):
fe80::1%vio0
Add the missing Hetzner recursive name servers (/etc/resolv.conf):
nameserver 185.12.64.1 # resolvd: vio0
nameserver 185.12.64.2 # resolvd: vio0
nameserver 2a01:4ff:ff00::add:1
nameserver 2a01:4ff:ff00::add:2
lookup file bind
I’m not using a subdomain for this. Add /etc/httpd.conf and run rcctl -d start httpd as root.
server "example.com" {
listen on * port 80
root "/htdocs/example.com"
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
}
From the relayd.conf manpage:
keypair name
The relay will attempt to look up a private key in /etc/ssl/private/name:port.key and a public certificate in /etc/ssl/name:port.crt, where port is the specified port that the relay listens on. If these files are not present, the relay will continue to look in /etc/ssl/private/name.key and /etc/ssl/name.crt. This option can be specified multiple times for TLS Server Name Indication. If not specified, a keypair will be loaded using the specified IP address of the relay as name. See ssl(8) for details about TLS server certificates.
An optional OCSP staple file will be used during TLS handshakes with this server if it is found as a non-empty file in /etc/ssl/name:port.ocsp or /etc/ssl/name.ocsp. The file should contain a DER-format OCSP response retrieved from an OCSP server for the certificate in use, and can be created using ocspcheck(8).
Configure /etc/acme-client.conf:
authority letsencrypt {
api url "https://acme-v02.api.letsencrypt.org/directory"
account key "/etc/ssl/private/letsencrypt.key"
}
domain example.com {
alternative names { www.example.com }
domain key "/etc/ssl/private/example.com.key"
domain certificate "/etc/ssl/example.com.crt.leaf"
domain full chain certificate "/etc/ssl/example.com.crt"
sign with letsencrypt
}
Now run acme-client -v example.com and crontab -e.
0 0 * * * acme-client example.com && rcctl restart relayd
$ cat /etc/relayd.conf
table <vaultwarden-default-host> { 127.0.0.1 }
table <vaultwarden-websocket-host> { 127.0.0.1 }
http protocol vaultwarden-https {
match request header append "X-Real-IP" value "$REMOTE_ADDR"
match request header append "Host" value "$HOST"
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match request path "/*" forward to <vaultwarden-default-host>
match request path "/notifications/hub" forward to \
<vaultwarden-websocket-host>
match request path "/notifications/hub/negotiate" forward to \
<vaultwarden-default-host>
tcp { nodelay, sack, backlog 128 }
tls keypair example.com
tls { no tlsv1.0, ciphers HIGH }
http websockets
}
relay vaultwarden-https-relay {
listen on egress port 443 tls
protocol vaultwarden-https
forward to <vaultwarden-default-host> port 8000
}
As root:
# pkg_add vaultwarden vaultwarden-web
# vi /var/vaultwarden/.env
Example config:
DATA_FOLDER=data
ENABLE_WEBSOCKET=true
DOMAIN=https://example.com
LOG_FILE=data/vaultwarden.log
LOG_LEVEL=error
Disable signups after yourself.
As root: rcctl -d start relayd vaultwarden. You can now import data to your vault.
OpenBSD IPv6-only Networking & Firewall
Enable HTTPS with acme-client(1) and Let’s Encrypt on OpenBSD
Self hosted - Problem connecting server - Android #272
OpenBSD, Let’s Encrypt, and Full Certificate Chains
Run Your Own LastPass on Hardened OpenBSD
OpenBSD 7.5 - relayd -> vaultwarden - websockets not working
Import Data to your Vault