OpenBSD's {daily,weekly,monthly}.local are underrated


Waaay too few people seem to be using OpenBSD’s standard files and instead manage their own crontab entries and scripts. I recommend you maintain and deploy identical scripts across your entire fleet, and have them check for the presence of files and services so they automatically behave correctly on each host.

Obligatory man pages:

syspatch

You will almost certainly want to combine a tool from ports, checkrestart, with your syspatch usage:

syspatch && checkrestart | awk '{ print $2 }' | \
	sort -u | xargs -r doas rcctl restart

Combine with random sleeps to spread load and outages.

pkg_add

Even when running -release or -stable, new packages are sometimes released with bug fixes. Every night, update only the packages that ask no questions and clean up old packages while we are here.

pkg_add -uI && pkg_delete -a

acme-client

If you have internet-exposed services that make use of certificates, you will want to update them frequently.

if [ -f /etc/acme-client.conf ]; then
        next_part "Renewing ACME certs"
        awk '/^domain/ { print $2 }' < /etc/acme-client.conf | \
                xargs -n1 acme-client
        if [ -f /etc/httpd.conf ]; then
                next_part "Restarting httpd"
                rcctl restart httpd
        fi
        if [ -f /etc/relayd.conf ]; then
                next_part "Restarting relayd"
                rcctl restart relayd
        fi
fi

Source code updates

Having your daily.local check if reposync is installed, /cvs exists and /usr/src exists, and then updating src and ports means you never have to think about having the latest OpenBSD source code on your systems.

if [ -d /cvs/CVSROOT -a -x /usr/local/bin/reposync ]; then
        next_part "Update CVS mirror"
        mkdir -p /var/db/reposync
        UMASK=002 time /usr/local/bin/reposync -q \
                $CVSREPOSERVER
fi

if [ -f /usr/ports/Makefile ]; then
        next_part "Update ports checkout"
        srcup /usr/ports
        (cd /usr/ports && make fix-permissions)
fi

if [ -f /usr/src/Makefile ]; then
        next_part "Update src checkout"
        srcup /usr/src
fi

srcup is a wrapper that always invokes the correct version control tool (CVS, git, hg, got, etc.) as needed. I do nightly updates of 30 repos, just to have them available.

Backups?

Most people would need backups to run more often than just once per day, but maybe moving backups off-site could happen here, as part of your regular routine?

Automatically testing backups could also happen here. Most daemons let you run invocations where you point to alternative config and data locations. Can you actually read and deploy a local service? How long does it take?

Integrity checks

I spent many years collecting CDs and carefully ripping them to FLAC files. Every month I run the flac integrity tools. Sneakily, I deliberately placed a corrupted FLAC file in my collection and it gets reported every month.

find /var/audio -name '*.flac' -print0 | xargs -0 flac -st

01 - Isole - (S) - By Blood - (08_19s).flac: *** Got error code 0:FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC
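The planted-file idea above, as an added example that is not from the original post: it reads checker output in the format of the flac error line quoted above and fails loudly when the deliberately corrupted file is missing from the report, which would mean the check itself has stopped working. The canary file name and the sample output are constructed, and it assumes flac reports files by the name shown in that line.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: failing files appear as "<name>: *** Got error code <n>:<STATUS>",
# the format of the flac output line quoted above.

# Hypothetical name for the deliberately corrupted file.
CANARY='canary-corrupt.flac'

# Constructed sample output: a healthy run (only the canary fails), a run with
# real damage, and a run where the checker silently reported nothing.
SAMPLE_HEALTHY='canary-corrupt.flac: *** Got error code 0:FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC'
SAMPLE_DAMAGED='03 - Track.flac: *** Got error code 0:FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC
canary-corrupt.flac: *** Got error code 0:FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC
03 - Track.flac: *** Got error code 0:FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC'
SAMPLE_SILENT=''

# Print each failing file name once, read from checker output on stdin.
failed_files() {
	sed -n 's/: \*\*\* Got error code .*$//p' | sort -u
}

# audit_report CANARY < checker-output
#   0: only the canary failed, so the check works and the data is intact
#   1: other files failed (listed on stdout)
#   2: the canary was not reported, so the check itself cannot be trusted
audit_report() {
	canary=$1
	failures=$(failed_files)
	if ! printf '%s\n' "$failures" | grep -Fxq -- "$canary"; then
		echo "CHECK BROKEN: canary $canary was not flagged"
		return 2
	fi
	# grep -v exits 1 when nothing is left; that is the healthy case here.
	real=$(printf '%s\n' "$failures" | grep -Fxv -- "$canary" || true)
	if [ -n "$real" ]; then
		printf '%s\n' "$real" | sed 's/^/CORRUPT: /'
		return 1
	fi
	echo "OK: only the canary was flagged"
}

# In monthly.local (2>&1 so messages on either stream reach the parser):
# find /var/audio -name '*.flac' -print0 | xargs -0 flac -st 2>&1 | audit_report "$CANARY"
```

A missing flac binary, an empty find result or a moved collection all produce exit status 2 instead of a quiet, empty report.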