Setting up a NetBSD system

what version?

Do you want to use binary packages, or build them from the pkgsrc tree? If you want binaries, you may have to check online whether builds exist for the latest release or not. It looks like not only the MAJOR release version matters, but also the MINOR: for example, mail/alpine did not run on 7.1.2 although it was built for 7.0 (libgssapi.so.10 not found).

If you want the latest no matter what, that is fine:

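cd /usr/
# is there already a pkgsrc tree or tarball here? (glob instead of grepping ls output)
ls -dlhF /usr/pkgsrc* 2>/dev/null
# NOTE(review): plain-HTTP download with no integrity check; use an https mirror
# where one is available and compare the tarball against a published checksum
# before bootstrapping from it
wget http://cdn.netbsd.org/pub/pkgsrc/current/pkgsrc.tar.gz
tar xzf pkgsrc.tar.gz
cd /usr/pkgsrc/bootstrap/
./bootstrap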

network setup on serial console

assuming a blind install, you now need to choose your shell,

# ksh as login shell for root, and as the useradd default for accounts created later
chpass -s /bin/ksh root
useradd -D -s /bin/ksh

setup network,

# list the interfaces to find the name to use in place of NETIF
ifconfig -a
cd /etc
vi ifconfig.NETIF
#inet IP/PREFIX up
# default gateway (mygate) and host name (myname), one value per file
vi mygate
vi myname
# keep a pristine copy before editing
cp -pi hosts hosts.dist
vi hosts
vi /etc/resolv.conf # new file
service network restart

setup the SSH daemon,

cd /etc/
# keep the shipped rc.conf for reference, then add the settings shown below
cp -pi rc.conf rc.conf.dist
vi rc.conf

#no_swap=yes
#savecore=no
sshd=yes

cd /etc/ssh/
# keep the shipped sshd_config for reference, then apply the directives shown below
cp -pi sshd_config sshd_config.dist
vi sshd_config

# XXX is a placeholder for the non-default listening port you pick
Port XXX
AllowGroups wheel
# "without-password" is the legacy spelling; OpenSSH 7.0 and later accept
# "prohibit-password" for the same behaviour (root may only log in with a key)
PermitRootLogin without-password
PasswordAuthentication no

/etc/rc.d/sshd start
# commented out: with PasswordAuthentication no above, a root password
# is only useful on the console
#passwd

make it accessible from your workstation,

# per-user key directory; sshd's default StrictModes rejects looser permissions
mkdir ~/.ssh/
chmod 700 ~/.ssh/
cd ~/.ssh/
# paste the workstation public key (see below), one key per line
vi authorized_keys

YOUR WORKSTATION PUBLIC KEY IN OPENSSH FORMAT HERE
#cat ~/.ssh/id_ecdsa.pub
##cat ~/.ssh/id_ed25519.pub

# same restriction for the key file itself
chmod 600 authorized_keys

now check that your server is reachable remotely and finally exit the serial console,

^D

now remotely

define your timezone,

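# 'll' only exists once the aliases from /etc/shrc below are in place; use plain ls here
ls -l /etc/localtime
# relative target so the link stays valid if /usr is mounted elsewhere during repair
ln -sf ../usr/share/zoneinfo/Europe/Moscow /etc/localtime
#ln -sf ../usr/share/zoneinfo/Europe/Paris /etc/localtime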

remove skeletons for FTP users,

ls -alhF /etc/skel.dist/
# NOTE(review): if /etc/skel.dist/ already exists (the ls above would show it),
# this mv moves skel/ inside it instead of renaming it
mv /etc/skel/ /etc/skel.dist/
# an empty skel/ keeps NetBSD quiet while giving new users no dotfiles
mkdir /etc/skel/

Note: NetBSD complains if /etc/skel/ does not exist.

tweak your administration env,

cp -pi /etc/profile /etc/profile.dist
# add the ENV line shown below so interactive shells read /etc/shrc
vi /etc/profile

export ENV=/etc/shrc

some handy aliases to add to the existing case statement,

cp -pi /etc/shrc /etc/shrc.dist
# add the PATH/PKG_PATH exports and the aliases shown below
vi /etc/shrc

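export PATH=/usr/local/bin:/usr/local/sbin:/usr/pkg/bin:/usr/pkg/sbin:/bin:/sbin:/usr/bin:/usr/sbin:$HOME/bin
export PASSIVE_FTP=yes

# interactive shells only ($- contains 'i')
case "$-" in *i*)
    # derive the binary package path from the running release; the original
    # used cut -f '12', which selects field 12 instead of fields 1 and 2
    #export PKG_PATH="http://cdn.NetBSD.org/pub/pkgsrc/packages/$(uname -s)/$(uname -m)/$(uname -r | cut -f 1,2 -d.)/All/"
    # NOTE(review): packages are fetched over plain HTTP; prefer an https mirror
    # where available, and consider package signature checking (pkg_install.conf(5))
    export PKG_PATH="http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.0/All/"
    [[ -z $HOST ]] && HOST=$(uname -n)
    # root gets '#', everybody else '>'; PS1 stays single-quoted so the
    # ${HOST%%\.*} expansion happens at prompt time
    if (( $(id -u) == 0 )); then
        PS1='${HOST%%\.*}# '
    else
        PS1='${HOST%%\.*}> '
    fi
    set -o emacs
    # tabcomplete is not available in every ksh; probe it in a subshell first
    ( set -o tabcomplete 2>/dev/null ) && set -o tabcomplete
    bind -m '^L'='clear^M'
    alias ll='ls -alhF'
    alias l='ls -altrhF'
    #alias cp='cp -i'
    #alias mv='mv -i'
    #alias rm='rm -i'
    alias reboot='echo THIS IS NOT A GNU SYSTEM, use shutdown -r now'
    alias halt='echo THIS IS NOT A GNU SYSTEM, use shutdown -h or -p now'
    alias netstata='netstat -an -f inet -f inet6'
    alias runq='postfix flush'
    ;;
esac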

    # re-read the profile in the current session; the commented line sources shrc directly instead
    . /etc/profile
#. /etc/shrc

install a few packages (list here),

# binary packages, fetched from the PKG_PATH exported in /etc/shrc above
pkg_add \
    alpine \
    curl \
    e2fsprogs \
    git \
    iftop \
    iperf3 \
    lftp \
    lynx \
    mc \
    netcat \
    nmap \
    pwgen \
    screen \
    tmux \
    trafshow \
    vim \
    wget

indexing,

# build the locate(1) database once by hand
/usr/libexec/locate.updatedb

disable atrun, start a new log every day, and enable the monthly cron job for root:

# opens root's crontab in the editor
crontab -e

setup the outgoing messages,

cd /etc/postfix/
mv -i main.cf main.cf.dist
# keep only the active settings: drop comment lines and blank lines
sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' main.cf.dist > main.cf
vi main.cf

optionally define a smarthost,

relayhost = SMARTHOST

and fix your origin so that bounces are also sent to your MX (assuming you have set up an FQDN in /etc/myname; otherwise fix it with myhostname = or mydomain =),

mydomain = YOUR_DOMAIN
myorigin = $mydomain

# apply the main.cf changes
service postfix restart

and setup an email alias for root,

# map root's mail to a real mailbox (entry shown below), then rebuild the database with newaliases
vi /etc/mail/aliases

root:       REAL_EMAIL

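newaliases
# watch the mail log while the test message goes out; this background tail
# keeps running, kill it (or use another session) when done
tail -F /var/log/maillog &
# subject is the host name; quoted so it is passed as a single word
date | mailx -s "$(hostname)" root
# an empty queue means the message left; otherwise the log above shows why not
mailq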

enable daily package audits,

cd ~/
# reachability check only: the file is downloaded and deleted again;
# pkg_admin fetches it for real below
ftp -a ftp://ftp.fr.netbsd.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities
rm -f pkg-vulnerabilities

# show the current audit config, if any, before overwriting it
cat /usr/pkg/etc/audit-packages.conf
mkdir -p /usr/pkg/etc/
# NOTE(review): the vulnerability list is fetched over cleartext ftp; pkg_admin
# can verify the file's signature when GPG is configured (see pkg_admin(1)),
# which is what protects the list rather than the transport
cat > /usr/pkg/etc/audit-packages.conf <<-EOF
VUL_SOURCE="ftp://ftp.fr.netbsd.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities"
EOF

# first fetch and audit by hand to confirm the config works before automating it
pkg_admin fetch-pkg-vulnerabilities
pkg_admin audit

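# append once only: re-running these notes must not duplicate the entries
grep -q '^fetch_pkg_vulnerabilities=' /etc/daily.conf 2>/dev/null ||
cat >> /etc/daily.conf <<-EOF
fetch_pkg_vulnerabilities=YES
check_pkg_vulnerabilities=YES
EOF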

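# find which pkg_admin comes first in PATH, base (/usr/sbin) or pkgsrc
# (/usr/pkg/sbin), and use that path in the crontab entries below
command -v pkg_admin
crontab -e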

#NOT piping to mailx nor redirecting to /dev/null
# NOTE(review): daily.conf above already enables the fetch and the check;
# keep one mechanism or the list is fetched twice a day
0 3 * * * /usr/sbin/pkg_admin fetch-pkg-vulnerabilities
9 3 * * * /usr/sbin/pkg_admin audit
# variant for a pkgsrc-built pkg_admin; pick the path command -v reported above
#0 3 * * * /usr/pkg/sbin/pkg_admin fetch-pkg-vulnerabilities
#9 3 * * * /usr/pkg/sbin/pkg_admin audit

Not needed for Xen guests (the clock is synced with dom0).

setup ntp,

mv -i /etc/ntp.conf /etc/ntp.conf.dist
# strip blank and comment lines so only the active directives remain
sed '/^$/d;/^#/d;' /etc/ntp.conf.dist > /etc/ntp.conf
# pick the servers (examples commented out below)
vi /etc/ntp.conf

#server          ntp.obspm.fr
#server          ntp1.online.net
#server          ntp2.online.net

#server 0.ru.pool.ntp.org
#server 1.ru.pool.ntp.org
#server 2.ru.pool.ntp.org
#server 3.ru.pool.ntp.org

# enable ntpdate (one-shot at boot) and ntpd, with the flags shown below
vi /etc/rc.conf

ntpdate=yes ntpdate_flags="-u -b -s"
ntpd=yes    ntpd_flags=""

# these server lines are what the ntpdate service uses at boot (see the note below)
grep ^server /etc/ntp.conf
# one-off step now; replace ... with one of the servers listed above
ntpdate -u ...
service ntpd start
# show peers to confirm synchronisation is starting
ntpq -p

Note: the ntpdate service reads the `server` lines of /etc/ntp.conf at boot time.

testing

for easy troubleshooting, set up the syslog daemon to log everything to one file (revert to the defaults for production, since this also puts auth/authpriv messages into /var/log/messages),

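# keep the shipped config; the *.* catch-all below is for troubleshooting only
cp -pi /etc/syslog.conf /etc/syslog.conf.dist
vi /etc/syslog.conf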

#*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none       /var/log/messages
#kern.debug                                             /var/log/messages
*.*     /var/log/messages

# reload syslogd with the catch-all rule
service syslogd restart