From f371c3436fed8a0de809ea59a8f9becf36276bf7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Jul 2022 12:01:37 +0000 Subject: [PATCH] Fix OpenBSD installs --- playbooks/dna-gw.yml | 44 +++++++++++++++++++++++++---- roles/dhcpd/templates/dhcpd.conf.j2 | 2 -- roles/pf/files/pf.conf.gw_home | 4 +-- 3 files changed, 41 insertions(+), 9 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 67c4b5f..6bda529 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -23,10 +23,15 @@ - name: use configured dns servers and domain name copy: dest: /etc/dhclient.conf - content: "ignore domain-name-servers, domain-name;" + content: "ignore domain-name-servers, domain-name;\n" mode: 0644 owner: root group: "{{ ansible_wheel }}" + - name: disable resolvd + ansible.builtin.service: + name: resolvd + state: stopped + enabled: false - name: enable ip forwarding sysctl: 
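Review bot: The new `disable resolvd` task is the only task in this hunk written with a fully qualified module name (`ansible.builtin.service:`); its neighbours use the short forms `copy:` and `sysctl:`, and the file should settle on one form. The task also carries no comment saying why resolvd is stopped — presumably so it no longer rewrites /etc/resolv.conf and the `ignore domain-name-servers, domain-name;` dhclient.conf written just above it takes effect, but that is inferred from the hunk, not stated. A line such as `# resolvd rewrites /etc/resolv.conf from DHCP leases; stop it so the static resolver config above stays in place` (adjusted to the real reason) would spare the next reader the same guess. The enclosing play header and its hosts are outside the hunk.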
@@ -59,20 +64,49 @@ group: "{{ ansible_wheel }}" - name: create tftp pxeboot loader for openbssd get_url: - url: "https://mirrors.foo.sh/openbsd/6.9/amd64/pxeboot" - checksum: sha1:e04ff88afbd41fbd33fc68bdb027c0f5bf8d29af + url: "https://mirrors.foo.sh/openbsd/7.1/amd64/pxeboot" + checksum: sha1:2acf476afc545f099840945bc03c23de321f421f dest: /srv/tftpboot/pxeboot mode: 0644 owner: root group: "{{ ansible_wheel }}" - name: create tftp ramdisk for openbsd get_url: - url: "https://mirrors.foo.sh/openbsd/6.9/amd64/bsd.rd" - checksum: sha1:4d9df57080b89e954cef28366db52f2d66e66426 + url: "https://mirrors.foo.sh/openbsd/7.1/amd64/bsd.rd" + checksum: sha1:3ed026859ab7fb54b4e279b65f3d3e58a56dda5d dest: /srv/tftpboot/bsd.rd mode: 0644 owner: root group: "{{ ansible_wheel }}" + - name: create install.conf for openbsd + get_url: + url: "https://boot.foo.sh/openbsd/install.conf" + checksum: sha1:f6270708dad3f759df02eefeab300d9b8670f3d4 + dest: /srv/tftpboot/install.conf + mode: 0644 + owner: root + group: "{{ ansible_wheel }}" + + - name: copy custom nginx config + copy: + dest: /etc/nginx/conf.d/172.20.20.1.conf + content: | + server { + listen 172.20.20.1:80; + server_name 172.20.20.1; + location / { + location /install.conf { + alias /srv/tftpboot/install.conf; + } + location / { + deny all; + } + } + } + mode: 0644 + owner: root + group: "{{ ansible_wheel }}" + notify: restart nginx - name: copy dns private key copy: diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index 8bc3116..063a27f 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 @@ -40,8 +40,6 @@ class "OpenBSD" { match if not exists vendor-class-identifier and not exists user-class; next-server 172.20.20.10; - filename "auto_install"; - option tftp-server-name "boot.foo.sh/openbsd"; } shared-network FOOSH { diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 01f709a..a71029d 100644 
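Review bot: The nginx config added under `copy custom nginx config` exposes /srv/tftpboot/install.conf over plain HTTP to any client that can reach 172.20.20.1:80, and the `create install.conf for openbsd` task installs it world-readable (`mode: 0644`); autoinstall(8) response files commonly carry a root password hash or an ssh key, so if this one does, that exposure should be a deliberate choice — the file's contents are not on the page, so confirm, and if it is sensitive consider restricting the location to the install network (`allow <INSTALL_NET_CIDR>; deny all;`). The nested `location / { location /install.conf { alias … } location / { deny all; } }` is also harder to read than two sibling locations, and a prefix match on `/install.conf` serves any URI beginning with that string, whereas an exact match (`location = /install.conf`) beside a top-level `location / { deny all; }` states the intent more tightly, as below. Separately, the three `get_url` tasks pin `checksum: sha1:…`; get_url accepts `sha256:` and OpenBSD publishes a SHA256 file for each release, so `checksum: sha256:<value from the release's SHA256 file>` would be the stronger pin. Whether a `restart nginx` handler exists is not visible in this hunk.
```yaml
        content: |
          server {
            # … unchanged: listen, server_name …
            location = /install.conf {
              alias /srv/tftpboot/install.conf;
            }
            location / {
              deny all;
            }
          }
```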
--- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home @@ -56,8 +56,8 @@ pass in quick on $int_if proto tcp from $int_net to self port domain-s pass in quick on $int_if proto udp from $int_net to self port tftp # allow http and https from outside -pass in quick on $ext_if proto tcp from any to self port http -pass in quick on $ext_if proto tcp from any to self port https +pass in quick proto tcp from any to self port http +pass in quick proto tcp from any to self port https # block rest of packets coming to me block in quick from any to self
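Review bot: Dropping `on $ext_if` from the two http/https pass rules makes them match on every interface, so the comment kept above them, `# allow http and https from outside`, no longer describes what they do; either the comment or the rules should change. Given the playbook in this same commit adds an nginx listener on 172.20.20.1:80 for install.conf, the likely intent is to let internal hosts fetch it, and that reads better as a separate rule beside the existing tftp one — `pass in quick on $int_if proto tcp from $int_net to self port http` — leaving the external rules interface-scoped as before; that is inferred from the other hunks, so confirm. As written, both rules now also accept connections arriving on any other interface the box has.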