# How to create your own production build base + packages build environment

## Creating the base update artifact

HardenedBSD provides a tool to build binary updates for base, called
`hbsd-update-build`. This shell script builds an update artifact that is built
once and can then be installed many times on disparate systems.

`hbsd-update-build` assumes that `/usr/src` is populated and a `make buildworld`
has been done previously. It uses this to build a chroot in which it builds
the binary update artifact.

Configuring `hbsd-update-build` for your environment is simple. For a list of
all the settings you can change in `hbsd-update-build`, look at the
`setup_environment` function in `/usr/sbin/hbsd-update-build`.

If I wanted to build a 13-STABLE update artifact, I would create a config
file with the following settings:

```
BRANCH="hardened/13-stable/master"
INTEGRIFORCE=0
UNSIGNED=1
```

Then, I would run `hbsd-update-build`, passing `-c /path/to/config` as an
argument.

At the end of the build process, `hbsd-update-build` prints a single
line with two words separated by a space. The first word is the status: whether
the build succeeded ("OK") or failed ("FAILED"). The second word, if the build
succeeded, is the version string that should be placed in a file called
`update-latest.txt`.

The `update-latest.txt` file should be placed in the same directory from which
you will serve (likely via HTTP(S)) the update artifact. You can find the
resulting artifact at its default location of `/builds/updater/output`.

So, when `hbsd-update-build` completes, if it was successful, I should see a
message like:

```
OK 1670383090|hbsd-v1400003-1ed85d694008e8ca6fa3edd10cf9720e75c169d1|sha256:084d308d478a734c88ac21bf61dd80a389b3c6ecb0d3cc3bb5954b451391b83c
```

I would create a file called `update-latest.txt` that would contain:

```
1670383090|hbsd-v1400003-1ed85d694008e8ca6fa3edd10cf9720e75c169d1|sha256:084d308d478a734c88ac21bf61dd80a389b3c6ecb0d3cc3bb5954b451391b83c
```
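To make the publish step less error-prone, here is an added shell wrapper (not part of HardenedBSD's tooling) that checks the final status line from `hbsd-update-build` and writes `update-latest.txt` only when the build succeeded. The field-format check is an assumption based on the single sample line above, and the output directory is whatever your web server serves.

```shell
#!/bin/sh
# Added example, not part of HardenedBSD's tooling: wrap hbsd-update-build,
# check its final "STATUS VERSION" line and publish update-latest.txt only
# when the build succeeded. OUTDIR is the directory your web server exposes
# (the page's default is /builds/updater/output).

# parse_result STATUS_LINE
# Prints the version string when the line is "OK <version>" and <version>
# looks like the page's sample: epoch|hbsd-vNNN-commit|sha256:<64 hex>.
# The field check is an assumption based on that one sample line.
parse_result() {
    status=${1%% *}
    version=${1#* }
    [ "$status" = "OK" ] || return 1
    [ "$version" != "$1" ] || return 1          # no second word at all
    printf '%s\n' "$version" |
        grep -Eq '^[0-9]+\|hbsd-v[0-9]+-[0-9a-f]+\|sha256:[0-9a-f]{64}$' || return 1
    printf '%s\n' "$version"
}

# publish_latest OUTDIR STATUS_LINE
# Writes update-latest.txt atomically so a client fetching it mid-publish
# never reads a partial file; on a failed build the previous file is left
# untouched and clients keep installing the last good artifact.
publish_latest() {
    outdir=$1
    version=$(parse_result "$2") || return 1
    tmp="$outdir/update-latest.txt.tmp.$$"
    printf '%s\n' "$version" > "$tmp" && mv "$tmp" "$outdir/update-latest.txt"
}

# run_build CONFIG OUTDIR
# Runs the real tool and publishes its last output line.
run_build() {
    result=$(hbsd-update-build -c "$1" | tail -n 1) || return 1
    publish_latest "$2" "$result"
}
```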

I would set my HTTP(S) web server (in my case, nginx) to expose the directory:

```
http {
    ... snip ...

    server {
        ... snip ...

        location /updates {
                alias /builds/updater/output;
                autoindex on;
        }
    }
}
```

## Building packages

I would use the `poudriere-hbsd` port/package to build packages, following the
steps documented by the FreeBSD project to set up Poudriere.

There are a few crucial bits needed in `poudriere.conf`:

```
JAIL_PARAMS="hardening.pax.aslr.status=1 hardening.pax.pageexec.status=1 hardening.pax.mprotect.status=1 hardening.pax.disallow_map32bit.status=1 hardening.pax.segvguard.status=1 allow.unprivileged_proc_debug=1 allow.extattr=1 hardening.harden_rtld=0"
BUILD_AS_NON_ROOT=no
```

Make sure to use the following for src and ports when configuring Poudriere:

 * src repo: https://git.hardenedbsd.org/HardenedBSD/HardenedBSD.git
 * ports repo: https://git.hardenedbsd.org/HardenedBSD/ports.git

src branch:
 * 14-current: hardened/current/master
 * 13-stable: hardened/13-stable/master

ports branch: hardenedbsd/main

## Configuring hbsd-update

Here's the config file I use for my home infrastructure:

```
dnsrec=""
capath="/usr/share/keys/hbsd-update/trusted"
baseurl="http://hbsd-build-02.ip6.home.lan/updates"
dnssec="no"
unsigned=1
```

Then I point `hbsd-update` at that config file:

```
# hbsd-update -V \
    -b name_of_zfs_boot_environment_to_install_into \
    -c /path/to/home/config/file
```

## Configuring pkg

I disable the main HardenedBSD repo by creating
`/usr/local/etc/pkg/repos/HardenedBSD.conf` with the following text:

```
HardenedBSD: {
    enabled: no
}
```

Then I create my local repo config by creating
`/usr/local/etc/pkg/repos/local.conf` with the following text:

```
Local_Repo: {
    url: "http://hbsd-build-02.ip6.home.lan/pkg/${ABI}",
    mirror_type: "http",
    enabled: yes
}
```