BastilleBSD

[–] BastilleBSD@blendit.bsd.cafe 1 points 2 hours ago (1 children)

I see others comment that they dislike DoH too, but nobody offers viable alternatives. How else do you recommend encrypting DNS queries other than DoT? (DoH and DoT being similar implementations. I have reasons for selecting DoH over DoT, but open to hearing alternate solutions if you have any).

[–] BastilleBSD@blendit.bsd.cafe 1 points 2 hours ago

You don't need to use it if you have a preferred solution, but I think Quad9 is a good privacy-friendly choice considering the alternatives.

Quad9 will never log/record end-user IP addresses. Ever.

 

We're excited to announce BastilleBSD, a new FreeBSD-based distribution designed for modern system administrators, privacy-conscious users, and DevOps professionals. BastilleBSD is built to be secure-by-default, automated from first boot, and ready for serious work—right out of the box.

This is more than just FreeBSD with pre-installed packages. BastilleBSD is a curated, hardened FreeBSD experience with a modern toolset and sane defaults, tailored for both servers and power users.

What's Included:

  • Bastille – Container automation for FreeBSD, pre-installed and auto-configured.
  • Rocinante – Host configuration management using Bastillefile-style templates.
  • Modern shells and tools – Zsh (default), with bash, fish, vim-tiny, git-tiny, htop, and more.
  • Pre-configured automation – On first boot, BastilleBSD automatically:
      • Runs 'bastille setup', configuring the host networking, ZFS storage, and a secure firewall
      • Bootstraps the host release and applies latest patches

Privacy & Security by Default:

  • Hardened sysctl values inspired by HardenedBSD
  • Secure SSH defaults (no DSA/ECDSA, modern ciphers, stricter MACs/KEX)
  • Firewall (pf) enabled out of the box
  • doas configured for the wheel group – no sudo required
  • DNS-over-HTTPS with blocky, preconfigured to forward encrypted DNS to privacy-friendly Quad9
  • openntpd – lightweight and privacy-respecting time sync, already set up
  • smartd – pre-installed and ready to monitor drive health

Plus:

  • Uses pkg-base by default — no freebsd-update needed
  • Custom boot graphics and branding
  • Clean ZFS defaults, periodic snapshots optional

BastilleBSD is fully compatible with FreeBSD and will track upstream point releases (e.g., BastilleBSD-14.3-RELEASE). This is a distribution for people who want FreeBSD to just work with modern tools, privacy-first defaults, and zero guesswork.

Get it, test it, break it! We're eager to hear your feedback and ideas for future improvements.

🖥️ Download: https://download.bastillebsd.org/

 

We spent the weekend putting the final touches on Bastille 0.10.20231125!

Major features and fixes include:

  • bootstrap #FreeBSD BETA and RC releases
  • bootstrap EOL #FreeBSD releases (>=9.0)
  • improved jail startup dependency using rcorder(8)
  • combine create options, e.g.: -CV, -TB, etc.
  • fixes to bastille setup
  • more!
 

Bastille has merged support for bootstrapping end-of-life (EOL) FreeBSD releases as far back as 9.0-RELEASE. This extends support for legacy applications, testing and secure sandboxing for FreeBSD applications all the way back to 2012!

It goes without saying, any experimentation you do on ancient releases is your responsibility. We're excited to see what you do with this new feature, but please don't bring us the skeletal remains of years-old bugs in unsupported FreeBSD releases.