this post was submitted on 15 Jul 2025
16 points (100.0% liked)

BlendIT BSD Cafe - FreeBSD

We're excited to announce BastilleBSD, a new FreeBSD-based distribution designed for modern system administrators, privacy-conscious users, and DevOps professionals. BastilleBSD is built to be secure-by-default, automated from first boot, and ready for serious work—right out of the box.

This is more than just FreeBSD with pre-installed packages. BastilleBSD is a curated, hardened FreeBSD experience with a modern toolset and sane defaults, tailored for both servers and power users.

What's Included:

- Bastille – Container automation for FreeBSD, pre-installed and auto-configured.
- Rocinante – Host configuration management using Bastillefile-style templates.
- Modern shells and tools – Zsh (default), with bash, fish, vim-tiny, git-tiny, htop, and more.
- Pre-configured automation – On first boot, BastilleBSD automatically:
  - Runs 'bastille setup', configuring the host networking, ZFS storage, and a secure firewall
  - Bootstraps the host release and applies latest patches

Privacy & Security by Default:

- Hardened sysctl values inspired by HardenedBSD
- Secure SSH defaults (no DSA/ECDSA, modern ciphers, stricter MACs/KEX)
- Firewall (pf) enabled out of the box
- doas configured for the wheel group – no sudo required
- DNS-over-HTTPS with blocky, preconfigured to forward encrypted DNS to privacy-friendly Quad9
- openntpd – lightweight and privacy-respecting time sync, already set up
- smartd – pre-installed and ready to monitor drive health

Plus:

- Uses pkg-base by default — no freebsd-update needed
- Custom boot graphics and branding
- Clean ZFS defaults, periodic snapshots optional

BastilleBSD is fully compatible with FreeBSD and will track upstream point releases (e.g., BastilleBSD-14.3-RELEASE). This is a distribution for people who want FreeBSD to just work with modern tools, privacy-first defaults, and zero guesswork.

Get it, test it, break it! We're eager to hear your feedback and ideas for future improvements.

🖥️ Download: https://download.bastillebsd.org/
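The announcement describes its SSH defaults only in outline (no DSA/ECDSA host keys, modern ciphers, stricter MACs/KEX). The script below is an added example, not BastilleBSD's tooling or a file from the distribution: it audits an sshd_config for exactly those properties, so you can check what an image actually ships (or your own host) rather than take the bullet point on faith. The "legacy algorithm" lists are my own illustrative selection, and the two sample configs are constructed here so the script runs without reading /etc/ssh.

```shell
#!/bin/sh
# Audit an sshd_config against the properties listed in the announcement:
# no DSA/ECDSA host keys, and explicit Ciphers / MACs / KexAlgorithms lines
# that contain no legacy algorithms. Added example for this thread; it is
# not BastilleBSD's own tooling. The "weak" lists below are an illustrative
# selection, not an official list.

WEAK_CIPHERS='3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour'
WEAK_MACS='hmac-md5|hmac-sha1|umac-64'
WEAK_KEX='diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1'

# config_value FILE KEYWORD: print the value of the first active (uncommented)
# "Keyword value" line, case-insensitively; prints nothing if the keyword is unset.
# Only the "Keyword value" form is handled, not "Keyword=value".
config_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(key) {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
    }' "$1"
}

# audit_sshd_config FILE: print one line per check; return 0 only if all pass.
audit_sshd_config() {
  cfg="$1"; fail=0
  # Active HostKey lines that point at DSA or ECDSA key files
  if grep -Ei '^[[:space:]]*HostKey[[:space:]].*ssh_host_(dsa|ecdsa)_key' "$cfg" >/dev/null; then
    echo "FAIL: DSA/ECDSA host key is configured"; fail=1
  else
    echo "ok: no DSA/ECDSA host keys"
  fi
  for pair in "Ciphers:$WEAK_CIPHERS" "MACs:$WEAK_MACS" "KexAlgorithms:$WEAK_KEX"; do
    key=${pair%%:*}; weak=${pair#*:}
    val=$(config_value "$cfg" "$key")
    if [ -z "$val" ]; then
      # Unset means OpenSSH's compiled-in default list applies, which a
      # hardened profile should state explicitly rather than rely on
      echo "FAIL: $key not set explicitly"; fail=1
    elif printf '%s\n' "$val" | grep -Eiq "$weak"; then
      echo "FAIL: $key lists a legacy algorithm: $val"; fail=1
    else
      echo "ok: $key = $val"
    fi
  done
  return $fail
}

# Two constructed sample configs so the script runs without touching /etc/ssh.
write_sample_hardened() {
  cat >"$1" <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
}
write_sample_legacy() {
  cat >"$1" <<'EOF'
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
Ciphers aes256-ctr,aes128-cbc
MACs hmac-sha2-256,hmac-sha1
EOF
}

# With a path argument, audit that file (e.g. /etc/ssh/sshd_config);
# without one, audit the two constructed samples.
if [ "$#" -gt 0 ]; then
  audit_sshd_config "$1"
else
  for name in hardened legacy; do
    tmp=$(mktemp)
    "write_sample_$name" "$tmp"
    echo "== constructed $name sample =="
    audit_sshd_config "$tmp" || true
    rm -f "$tmp"
  done
fi
```

Run it as `sh sshd-audit.sh /etc/ssh/sshd_config` on a freshly installed host. A config that leaves Ciphers, MACs or KexAlgorithms unset is reported as a failure on purpose: the OpenSSH defaults are reasonable, but a profile that claims "stricter MACs/KEX" should pin its lists so a later package upgrade cannot silently widen them. Note that `sshd -T` prints the effective configuration (including defaults and Match blocks) and is the better input when Include directives are in use.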

[–] [email protected] 4 points 1 day ago (2 children)

@lw @BastilleBSD to be honest, I don't love that either. And I'm not a fan of DNS over HTTPS - but they're open to suggestions, so we could maybe suggest changing this.

[–] [email protected] 1 points 1 day ago (2 children)

I see others comment that they dislike DoH too, but nobody offers viable alternatives. How else do you recommend encrypting DNS queries other than DoT? (DoH and DoT being similar implementations. I have reasons for selecting DoH over DoT, but open to hearing alternate solutions if you have any).

[–] [email protected] 1 points 1 day ago

Stubby for DoT as an option to choose during the install.

[–] [email protected] 1 points 1 day ago

@BastilleBSD in general, I prefer to treat DNS as DNS, not as an HTTPS request. But it's my personal preference and I see use cases for that.
I'd personally install unbound locally and ask the root servers, but this won't be encrypted.
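The two alternatives raised in this thread (a local unbound that recurses from the root servers, and DoT to Quad9 as Stubby would do) can both be expressed as an unbound configuration, which is what the added example below generates. It is not BastilleBSD's configuration, not part of blocky, and not anything a commenter posted; the paths (`/usr/local/etc/unbound/root.key`, the `ca_root_nss` bundle) are assumed FreeBSD ports locations, and the Quad9 addresses and `dns.quad9.net` certificate name are Quad9's published DoT endpoints.

```shell
#!/bin/sh
# Generate an unbound.conf for a local resolver in one of two modes:
#   recursive : iterate from the root servers (no forwarder; queries to
#               authoritative servers are plaintext, as noted in the thread)
#   dot       : forward everything over TLS on port 853 to Quad9, verifying
#               the certificate name dns.quad9.net against a CA bundle
# Added example for this thread; not a BastilleBSD or unbound-supplied file.
# Paths below are assumed FreeBSD ports locations.

gen_unbound_conf() {
  mode="$1"
  # Assumed: bundle installed by security/ca_root_nss
  ca_bundle="${2:-/usr/local/share/certs/ca-root-nss.crt}"
  case "$mode" in
    recursive|dot) ;;
    *) echo "usage: gen_unbound_conf recursive|dot [ca-bundle]" >&2; return 2 ;;
  esac

  # Common server section: listen on loopback only, answer only local clients,
  # and keep the resolver quiet and DNSSEC-validating in both modes.
  cat <<EOF
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    # DNSSEC trust anchor; the file is created with unbound-anchor (path assumed)
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
EOF

  # Recursive mode needs nothing more: unbound uses its built-in root hints.
  [ "$mode" = dot ] || return 0

  # DoT mode: tls-cert-bundle stays in the server section; the forward-zone
  # for "." sends every query to Quad9 over TLS.
  cat <<EOF
    # Validate the forwarder's certificate against this CA bundle
    tls-cert-bundle: "$ca_bundle"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # IP@port#hostname: TLS on 853, certificate must match dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
EOF
}

# Print the config for the mode given on the command line, e.g.
#   sh gen-unbound.sh dot > /usr/local/etc/unbound/unbound.conf
if [ "$#" -gt 0 ]; then
  gen_unbound_conf "$@"
fi
```

After writing the file, `unbound-checkconf` validates it, `sysrc unbound_enable=YES` and `service unbound start` enable the service, and `/etc/resolv.conf` should point at `nameserver 127.0.0.1`. The trade-off between the two modes is the one the thread is circling: recursive mode keeps no single party in the loop but exposes each query to the path between you and the authoritative servers; DoT mode encrypts the wire but makes Quad9 the party that sees all queries, so it is still an external forwarder, just over a different transport than DoH.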

[–] [email protected] 3 points 1 day ago (1 children)

@stefano

Personally, I think DoT/DoH is a great idea, but I run my own DNS servers that support DoT and DoH.

But I think you're referring to the trend of software that ignores the administrator's preferences and forces all DNS traffic to an *external* DoH server (like Quad9), and yes, this is not great.

@BastilleBSD

[–] [email protected] 1 points 1 day ago

I don't think it is for power users so I am fine with this choice.