We're excited to announce BastilleBSD, a new FreeBSD-based distribution designed for modern system administrators, privacy-conscious users, and DevOps professionals. BastilleBSD is built to be secure-by-default, automated from first boot, and ready for serious work—right out of the box.
This is more than just FreeBSD with pre-installed packages. BastilleBSD is a curated, hardened FreeBSD experience with a modern toolset and sane defaults, tailored for both servers and power users.
What's Included:
Bastille – Container automation for FreeBSD, pre-installed and auto-configured.
Rocinante – Host configuration management using Bastillefile-style templates.
Modern shells and tools – Zsh (default), with bash, fish, vim-tiny, git-tiny, htop, and more.
Pre-configured automation – On first boot, BastilleBSD automatically:
Runs 'bastille setup', configuring the host networking, ZFS storage, and a secure firewall
Bootstraps the host release and applies latest patches
Privacy & Security by Default:
Hardened sysctl values inspired by HardenedBSD
Secure SSH defaults (no DSA/ECDSA, modern ciphers, stricter MACs/KEX)
Firewall (pf) enabled out of the box
doas configured for the wheel group – no sudo required
DNS-over-HTTPS with blocky, preconfigured to forward encrypted DNS to privacy-friendly Quad9
openntpd – lightweight and privacy-respecting time sync, already set up
smartd – pre-installed and ready to monitor drive health
Plus:
Uses pkg-base by default — no freebsd-update needed
Custom boot graphics and branding
Clean ZFS defaults, periodic snapshots optional
BastilleBSD is fully compatible with FreeBSD and will track upstream point releases (e.g., BastilleBSD-14.3-RELEASE). This is a distribution for people who want FreeBSD to just work with modern tools, privacy-first defaults, and zero guesswork.
Get it, test it, break it!
We're eager to hear your feedback and ideas for future improvements.
🖥️ Download: https://download.bastillebsd.org/
I see others comment that they dislike DoH too, but nobody offers viable alternatives. How else do you recommend encrypting DNS queries other than DoT? (DoH and DoT being similar implementations. I have reasons for selecting DoH over DoT, but open to hearing alternate solutions if you have any).