In this phlog post I will share notes about how I set up tccr.it as a gopher server running NetBSD and geomyidae.

Services needed and rc.conf adjustments
---------------------------------------
After installing NetBSD I adjusted `/etc/rc.conf' in order to disable some services that I do not need and to enable NPF, blacklistd and OpenSSH:

| blacklistd=yes
| npf=yes
| inetd=no
| ip6addrctl=yes
| ip6addrctl_policy=ipv4_prefer
| postfix=no
| sshd=yes
| virecover=no

blacklistd(8) configuration
---------------------------
For blacklistd I set up a single rule that blocks ssh for 6 hours after 3 failed attempts (`/etc/blacklistd.conf'):

| # Blacklist rule
| # adr/mask:port type proto owner name nfail disable
| [local]
| ssh stream * * * 3 6h

npf(7) configuration
--------------------
The NPF configuration is also pretty straightforward. We want to permit anything outbound and only permit ssh and gopher inbound (`/etc/npf.conf'):

| $services_tcp_in = { ssh, gopher }
|
| alg "icmp"
|
| procedure "log" {
|     log: npflog0
| }
|
| group default {
|     ruleset "blacklistd"
|
|     pass final on lo0 all
|
|     pass stateful in final proto tcp to any port $services_tcp_in
|
|     pass stateful out final proto icmp to any
|     pass stateful out final proto tcp to any
|     pass stateful out final proto udp to any
|
|     block all apply "log"
| }

`ruleset "blacklistd"' is a dynamic ruleset that blacklistd(8) populates as needed. Everything on the lo0 interface is passed through. Inbound we only permit `$services_tcp_in' (ssh and gopher). Outbound we permit everything (icmp, tcp and udp). Anything not matched by a rule above is blocked and logged by passing it to the `npflog0' interface.

sshd(8) configuration
---------------------
`/etc/sshd/sshd_config' was adjusted in order to disable password authentication:

| [...]
| # To disable password authentication, set this and UsePam to no
| PasswordAuthentication no
| [...]
| UsePam no
| [...]
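As an added example (not part of this post), here is a small POSIX sh audit that re-checks the rc.conf and sshd_config settings above and reports any drift. It runs on sample files it constructs itself in a temporary directory; the file names and their contents are made up for the demonstration. sshd_config keywords are looked up case-insensitively and first-match, which is how sshd reads the file, and rc.conf values are read last-assignment-wins, which is how sh sources it.

```shell
#!/bin/sh
# Added example (not from the post): audit an rc.conf and an sshd_config against
# the settings described above and report any drift. File names and contents
# below are constructed for the demonstration.

# rc_value FILE KEY: print the value of KEY=... from an rc.conf-style file.
# Comments and trailing blanks are stripped, the last assignment wins (as in sh),
# and surrounding double quotes are removed.
rc_value() {
    sed -n -e 's/#.*//' -e 's/[[:space:]]*$//' -e "s/^[[:space:]]*$2=//p" "$1" \
        | tail -n 1 | sed -e 's/^"\(.*\)"$/\1/'
}

# sshd_value FILE KEYWORD: print the value of KEYWORD from an sshd_config.
# Keywords are matched case-insensitively and the first occurrence wins,
# which is how sshd itself reads the file.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# expect ACTUAL WANTED LABEL: print one report line; return 1 on drift.
expect() {
    if [ "$1" = "$2" ]; then
        printf 'OK    %s = %s\n' "$3" "$1"
        return 0
    fi
    printf 'DRIFT %s = %s (expected %s)\n' "$3" "${1:-<unset>}" "$2"
    return 1
}

# audit RCCONF SSHDCONF: check every setting; return the number of drifts.
audit() {
    ndrift=0
    for kv in blacklistd=yes npf=yes inetd=no postfix=no sshd=yes; do
        expect "$(rc_value "$1" "${kv%%=*}")" "${kv#*=}" "rc.conf:${kv%%=*}" \
            || ndrift=$((ndrift + 1))
    done
    expect "$(sshd_value "$2" PasswordAuthentication)" no sshd_config:PasswordAuthentication \
        || ndrift=$((ndrift + 1))
    expect "$(sshd_value "$2" UsePAM)" no sshd_config:UsePAM || ndrift=$((ndrift + 1))
    return $ndrift
}

# write_samples DIR: constructed sample files, one compliant host and one that
# drifted back towards the defaults (inetd re-enabled, postfix line commented
# out, password logins re-enabled).
write_samples() {
    cat > "$1/rc.conf.good" <<'EOF'
# constructed sample rc.conf, matching the post
blacklistd=yes
npf=yes
inetd=no
postfix=no
sshd=yes    # keep remote access
virecover=no
EOF
    cat > "$1/sshd_config.good" <<'EOF'
# constructed sample sshd_config
PasswordAuthentication no
UsePam no
EOF
    cat > "$1/rc.conf.bad" <<'EOF'
# constructed sample rc.conf of a drifted host
blacklistd=yes
npf=yes
inetd=yes
#postfix=no
sshd="yes"
EOF
    cat > "$1/sshd_config.bad" <<'EOF'
# constructed sample sshd_config of a drifted host
PasswordAuthentication yes
UsePAM no
EOF
}

# Stand-alone run: audit both constructed hosts (exit status ignored here).
tmp=$(mktemp -d)
write_samples "$tmp"
echo "== compliant host =="; audit "$tmp/rc.conf.good" "$tmp/sshd_config.good" || true
echo "== drifted host ==";   audit "$tmp/rc.conf.bad" "$tmp/sshd_config.bad" || true
rm -rf "$tmp"
```

On a real host the same functions would be pointed at `/etc/rc.conf' and the sshd_config in use; the return value of `audit' is the number of settings that no longer match, so it fits directly into a cron job or a monitoring check.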
geomyidae configuration
-----------------------
We want geomyidae to drop privileges to the geomyidae user and the nobody group and to use `/var/gopher' as its base directory (these are already the defaults, but since we are adding other flags we need to spell them out explicitly). We also pass `-c' to chroot(2) into the base directory, `-e' to disable the execution of any {D,}CGI script, `-h' to set the hostname used in directory listings and `-4' to only use IPv4. Let's add the corresponding lines to `/etc/rc.conf'!:

| geomyidae=yes
| geomyidae_flags="-u geomyidae -g nobody -b /var/gopher -c -e -h tccr.it -4"

daily(5), weekly(5) and root's crontab adjustments
--------------------------------------------------
We want to fetch pkg-vulnerabilities every day!:

| # echo "fetch_pkg_vulnerabilities=yes" >> /etc/daily.conf

...and because we do not use locate(1) we can skip the weekly rebuild of its database:

| # echo "rebuild_locatedb=no" >> /etc/weekly.conf

Because no mail server is running we can remove every `... | sendmail -t' from root's crontab (note that we will no longer receive the daily and weekly e-mails, but the output of their last run can be read in `/var/log/{daily,weekly}.out'!):

| # crontab -e
| [...]
| # do daily/weekly/monthly maintenance
| 15 3 * * * /bin/sh /etc/daily 2>&1 | tee /var/log/daily.out
| 30 4 * * 6 /bin/sh /etc/weekly 2>&1 | tee /var/log/weekly.out
| #30 5 1 * * /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out

That's all!
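As an added example (not from the post), the crontab edit above done mechanically in POSIX sh: a sed filter that rewrites the `| sendmail -t' of the three maintenance jobs into `| tee /var/log/<job>.out' and comments out the monthly job, plus a check that no active job still depends on a mail server. The crontab it runs on is constructed to resemble NetBSD's default root crontab; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): mechanically apply the root crontab change
# described above and verify that no active job still pipes into sendmail.
# The sample crontab below is constructed to resemble NetBSD's default one.

# rewrite_maintenance_crontab: filter (stdin -> stdout) that turns
#   ... /etc/{daily,weekly,monthly} 2>&1 | sendmail -t
# into
#   ... /etc/{daily,weekly,monthly} 2>&1 | tee /var/log/{daily,weekly,monthly}.out
# and then comments out the monthly job, as in the post. Lines that are already
# comments and unrelated jobs are left untouched.
rewrite_maintenance_crontab() {
    sed -E \
        -e 's,^([^#].*/etc/(daily|weekly|monthly))[[:space:]]+2>&1[[:space:]]*[|][[:space:]]*sendmail -t[[:space:]]*$,\1 2>\&1 | tee /var/log/\2.out,' \
        -e 's,^([^#].*/etc/monthly[[:space:]].*)$,#\1,'
}

# jobs_still_mailing: count the active (uncommented) jobs on stdin that still
# pipe into sendmail; prints the count and always exits 0.
jobs_still_mailing() {
    grep -v '^[[:space:]]*#' | grep -c 'sendmail -t' || true
}

# sample_crontab: constructed input resembling NetBSD's default root crontab.
sample_crontab() {
    printf '#minute\thour\tmday\tmonth\twday\tcommand\n'
    printf '# rotate log files every hour, if necessary\n'
    printf '0\t*\t*\t*\t*\t/usr/libexec/newsyslog\n'
    printf '# do daily/weekly/monthly maintenance\n'
    printf '15\t3\t*\t*\t*\t/bin/sh /etc/daily 2>&1 | sendmail -t\n'
    printf '30\t4\t*\t*\t6\t/bin/sh /etc/weekly 2>&1 | sendmail -t\n'
    printf '30\t5\t1\t*\t*\t/bin/sh /etc/monthly 2>&1 | sendmail -t\n'
}

# Stand-alone run: show the rewritten crontab and the before/after counts.
echo "active jobs mailing root before: $(sample_crontab | jobs_still_mailing)"
sample_crontab | rewrite_maintenance_crontab
echo "active jobs mailing root after:  $(sample_crontab | rewrite_maintenance_crontab | jobs_still_mailing)"
```

On the server itself the filter would be used as `crontab -l | rewrite_maintenance_crontab > /tmp/root.cron', reviewed, and then installed with `crontab /tmp/root.cron'; `crontab -l | jobs_still_mailing' printing 0 afterwards confirms that nothing is left waiting on a mail server that is not running.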