About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible on OpenBSD 7.6 Automation Complete Guide

By Luca Berton · Published 2024-01-01 · Category: installation

Automate OpenBSD 7.6 servers with Ansible: pkg_add, rc.conf.local, pf firewall, OpenSSH defaults, syspatch, and OpenBSD-specific modules.

OpenBSD 7.6 (October 2024) is the security-focused BSD release. It ships LibreSSL 4.0, OpenSSH 9.9 (with PQ KEX), pf firewall, syspatch for binary patches, and sysupgrade for major-version upgrades. Two releases are supported at any time (7.5 and 7.6 currently). Ansible's role on OpenBSD is mostly bootstrapping packages, dropping pf.conf, managing rc.conf.local, and orchestrating syspatch/sysupgrade.

OpenBSD 7.6 release facts

| Item | Value |
|---|---|
| Release | 2024-10-08 |
| Default shell | ksh |
| Package tool | pkg_add / pkg_delete |
| Init | rc.d (BSD-style) |
| Firewall | pf |
| Patch tool | syspatch |
| Upgrade tool | sysupgrade |

Ansible-core compatibility

Use ansible-core 2.18 LTS. Bootstrap Python:

pkg_add python-3.10

Inventory:

[openbsd76]
obsd76-01.example.com

[openbsd76:vars]
ansible_user=root
ansible_python_interpreter=/usr/local/bin/python3.10

Baseline playbook

- name: OpenBSD 7.6 baseline
  hosts: openbsd76
  tasks:
    - name: Install baseline packages
      community.general.openbsd_pkg:
        name:
          - vim--no_x11
          - curl
          - rsync
          - htop--
          - tmux
          - sudo--
          - py3-pip
        state: present

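    - name: Apply syspatch
      ansible.builtin.command: syspatch
      register: sp
      changed_when: "'Installing patch' in sp.stdout"
      # syspatch exits 2 when no additional patch was installed; not a failure
      failed_when: sp.rc not in [0, 2]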

rc.conf.local

- name: Manage rc.conf.local
  hosts: openbsd76
  tasks:
    - name: Enable httpd
      ansible.builtin.lineinfile:
        path: /etc/rc.conf.local
        create: true
        regexp: '^httpd_flags='
        line: 'httpd_flags=""'
        mode: "0644"

    - name: Disable apmd
      ansible.builtin.lineinfile:
        path: /etc/rc.conf.local
        regexp: '^apmd_flags='
        line: 'apmd_flags="NO"'

pf firewall

- name: Configure pf on OpenBSD
  hosts: openbsd76
  handlers:
    - name: reload pf
      ansible.builtin.command: pfctl -f /etc/pf.conf
  tasks:
    - name: Drop pf.conf
      ansible.builtin.copy:
        dest: /etc/pf.conf
        mode: "0600"
        content: |
          set skip on lo
          set block-policy drop
          match in all scrub (no-df max-mss 1440)
          block in
          pass in proto tcp to any port {22, 80, 443} keep state
          pass out keep state
      notify: reload pf
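
The following playbook is an added example, not part of the original page. It extends the pf playbook above so that a ruleset pfctl cannot parse is never installed, and so that the run fails visibly if a fresh SSH session can no longer get through. The file name /etc/pf.conf.prev is an assumption made for this example.

```yaml
# Added example, not from the original page. /etc/pf.conf.prev is an assumed name.
- name: Deploy pf.conf with a syntax gate and a reachability check
  hosts: openbsd76
  handlers:
    - name: reload pf
      ansible.builtin.command: pfctl -f /etc/pf.conf
      changed_when: true
  tasks:
    - name: Keep the ruleset file as it was before this run
      ansible.builtin.copy:
        src: /etc/pf.conf
        dest: /etc/pf.conf.prev
        remote_src: true
        mode: "0600"

    - name: Install pf.conf only if pfctl can parse it
      ansible.builtin.copy:
        dest: /etc/pf.conf
        owner: root
        group: wheel
        mode: "0600"
        # -n parses the candidate without loading it; %s is Ansible's temp copy.
        validate: pfctl -nf %s
        content: |
          set skip on lo
          set block-policy drop
          match in all scrub (no-df max-mss 1440)
          block in
          pass in proto tcp to any port {22, 80, 443} keep state
          pass out keep state
      notify: reload pf

    - name: Load the new ruleset now instead of at the end of the play
      ansible.builtin.meta: flush_handlers

    - name: Drop the persistent SSH session (its pf state survives a reload)
      ansible.builtin.meta: reset_connection

    - name: Prove that a brand-new SSH session passes the new rules
      ansible.builtin.wait_for_connection:
        timeout: 60
```

If the last task times out, the new ruleset is blocking management access: restore /etc/pf.conf.prev from the console and reload it with pfctl -f.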

OpenSSH defaults (already strict)

- name: Reinforce SSH defaults
  hosts: openbsd76
  handlers:
    - name: restart sshd
      ansible.builtin.command: rcctl restart sshd
  tasks:
    - name: Tight sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.k }}'
        line: '{{ item.k }} {{ item.v }}'
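      # PermitRootLogin no locks out the ansible_user=root inventory above:
      # connect as an unprivileged user with become before applying this.
      loop: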
        - { k: 'PermitRootLogin',        v: 'no' }
        - { k: 'PasswordAuthentication', v: 'no' }
        - { k: 'KbdInteractiveAuthentication', v: 'no' }
      notify: restart sshd
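
The following playbook is an added example, not part of the original page. lineinfile only edits text, while sshd uses the first value it finds for each keyword, so this check asks sshd itself for the effective configuration and fails if any of the three settings above is not in force. The variable names sshd_expected and sshd_effective are chosen for this example.

```yaml
# Added example, not from the original page.
- name: Verify effective sshd settings
  hosts: openbsd76
  vars:
    # Same key/value pairs the playbook above writes into sshd_config.
    sshd_expected:
      - { k: 'PermitRootLogin',              v: 'no' }
      - { k: 'PasswordAuthentication',       v: 'no' }
      - { k: 'KbdInteractiveAuthentication', v: 'no' }
  tasks:
    - name: Dump the configuration sshd would actually use
      # -T validates sshd_config and prints the effective global settings,
      # one lowercase "keyword value" pair per line (Match blocks not applied).
      ansible.builtin.command: /usr/sbin/sshd -T
      register: sshd_effective
      changed_when: false
      check_mode: false

    - name: Fail if an expected setting is not in effect
      ansible.builtin.assert:
        that:
          - ((item.k | lower) ~ ' ' ~ item.v) in sshd_effective.stdout_lines
        fail_msg: "{{ item.k }} is not '{{ item.v }}' in the effective sshd configuration"
      loop: "{{ sshd_expected }}"
```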

sysupgrade orchestration (major version upgrades)

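- name: Run sysupgrade
  hosts: openbsd75_upgrade
  tasks:
    - name: Stage next release
      # -n fetches and verifies the sets and creates /bsd.upgrade without
      # rebooting, so this task returns only once staging has finished.
      # (A backgrounded sysupgrade would still be downloading when the next
      # task connects, and pkg_add -u would run on the old release.)
      ansible.builtin.command: sysupgrade -n -r
      changed_when: true

    - name: Reboot into the upgrade and wait for SSH
      # The host is unreachable while the upgrade kernel runs; the module
      # returns once SSH answers again with a new boot time.
      ansible.builtin.reboot:
        reboot_timeout: 1800

    - name: Run pkg_add -u
      ansible.builtin.command: pkg_add -u
      register: pa
      changed_when: "'Update' in pa.stdout"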

Best practices

• OpenBSD's defaults are already tight — avoid weakening them with copy/paste configs from Linux.
• Schedule syspatch weekly via Ansible; OpenBSD does not auto-apply.
• Keep pf.conf in Git; treat it like infrastructure code.
• OpenBSD doesn't ship systemd or PAM — translate Linux idioms (e.g. service -> rcctl).

Conclusion

OpenBSD 7.6 + Ansible delivers minimal, security-first servers. Use community.general.openbsd_pkg, lineinfile for rc.conf.local, the copy module for pf.conf, and orchestrate syspatch and sysupgrade to keep the fleet current.
