Ten Things To Do After Installing FreeBSD
The top ten things I configure on a new installation.
Bastille is an open-source system for automating the deployment and management of containerized applications on FreeBSD.
1. ~/.hushlogin
Makes login quieter. (man login)
touch ~/.hushlogin
2. Apply Patches
Apply updates to the host. (man freebsd-update)
freebsd-update fetch install
reboot
freebsd-update install
3. disable atime (ZFS)
zfs set atime=off zroot
4. install required packages
Bootstrap the binary package manager and install core packages.
Virtual Hardware
pkg install vim git-lite zsh htop tree node_exporter doas bastille rocinante
Physical Hardware
pkg install vim git-lite zsh htop tree smartmontools node_exporter doas devcpu-data bastille rocinante
5. configure zsh shell
fetch https://git.io/antigen -o /usr/local/share/zsh/antigen.zsh
cat <<EOF>~/.zshrc
source /usr/local/share/zsh/antigen.zsh
antigen use oh-my-zsh
antigen bundle zsh-users/zsh-syntax-highlighting
antigen bundle zsh-users/zsh-autosuggestions
antigen bundle zsh-users/zsh-completions
antigen theme gentoo
antigen bundle genpass
antigen apply
EOF
chsh -s /usr/local/bin/zsh
zsh
6. configure doas
Add any new admins to the wheel group.
Create /usr/local/etc/doas.conf and populate it with a simple ruleset.
cat <<EOF>/usr/local/etc/doas.conf
permit nopass :wheel
EOF
7. generate SSH keys
Delete the auto-generated SSH keys and regenerate using only good key types.
rm /etc/ssh/ssh_host_*
sysrc sshd_dsa_enable="no"
sysrc sshd_ecdsa_enable="no"
sysrc sshd_ed25519_enable="yes"
sysrc sshd_rsa_enable="yes"
service sshd keygen
service sshd restart
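As an added example (my code, not from the post or the Bastille project), the POSIX sh check below confirms the result of the two steps above: only the intended host key types remain in the key directory, every intended type is present, and no private key is readable by group or others. The directory and the allowed-type list are parameters so it can be run against a constructed directory; the defaults match the post (ed25519 and rsa in /etc/ssh).

```shell
#!/bin/sh
# Added example, not part of the original post. Verify the outcome of
# "rm /etc/ssh/ssh_host_*" + "service sshd keygen": only allowed key types,
# all of them present, and private keys unreadable by group/other.

# Print "<type> <mode-ok|mode-bad>" for every ssh_host_*_key in KEYDIR.
list_host_keys() {
    keydir=${1:-/etc/ssh}
    for key in "$keydir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        ktype=${key##*/ssh_host_}   # ssh_host_ed25519_key -> ed25519_key
        ktype=${ktype%_key}         # -> ed25519
        # Columns 5-10 of "ls -l" are the group and other permission bits;
        # a private host key must show "------" there (mode 0600 or 0400).
        case $(ls -ld "$key" | cut -c5-10) in
            ------) printf '%s mode-ok\n' "$ktype" ;;
            *)      printf '%s mode-bad\n' "$ktype" ;;
        esac
    done
}

# Return 0 when every key in KEYDIR is an allowed type with safe permissions
# and every allowed type exists; otherwise print the findings to stderr and
# return 1. ALLOWED is a space-separated list (default: "ed25519 rsa").
check_host_keys() {
    keydir=${1:-/etc/ssh}
    allowed=${2:-"ed25519 rsa"}
    findings=$(
        list_host_keys "$keydir" | while read -r ktype mode; do
            case " $allowed " in
                *" $ktype "*) ;;
                *) echo "unexpected host key type: $ktype" ;;
            esac
            [ "$mode" = mode-ok ] || echo "group/other-readable private key: $ktype"
        done
        for want in $allowed; do
            [ -f "$keydir/ssh_host_${want}_key" ] || echo "missing host key: $want"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}
```

Run it as `check_host_keys /etc/ssh` after `service sshd restart`; a non-zero exit with a finding on stderr means a leftover dsa/ecdsa key, a missing type, or a key that `keygen` left readable. The permission test reads the `ls -l` mode string rather than `stat`, because the `stat` flags differ between FreeBSD and other systems.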
8. network & firewall
sysrc cloned_interfaces+=lo1
sysrc ifconfig_lo1_name=bastille0
service netif cloneup
cat <<EOF>/etc/pf.conf
ext_if="vtnet0" ## <- change vtnet0 to match host interface
set block-policy return
scrub in on \$ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on \$ext_if from <jails> to any -> (\$ext_if:0)
rdr-anchor "rdr/*"
block in all
pass out quick keep state
pass in inet proto tcp from any to any port ssh flags S/SA keep state
pass in inet proto tcp from any to any port bootps flags S/SA keep state
pass in inet proto tcp from any to any port {9100,9124} flags S/SA keep state
EOF
sysrc pf_enable=YES
service pf start
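As an added example (my code, not from the post or the Bastille project), the shell functions below audit a pf.conf of the shape shown above for inbound exposure: they list the destination ports of every `pass in` rule and report any port that is not on an expected allow-list. They work on the ruleset text only, so they run wherever awk is available; the sample ruleset written by `write_sample_pf_conf` is a constructed copy of the one above. The function names and the allow-list format are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: list and audit the ports
# that a pf.conf's "pass in" rules expose.

# Write a constructed copy of the post's ruleset to the path in $1.
# The quoted delimiter keeps $ext_if literal, as pf expects.
write_sample_pf_conf() {
    cat <<'EOF' > "$1"
ext_if="vtnet0"
set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"
block in all
pass out quick keep state
pass in inet proto tcp from any to any port ssh flags S/SA keep state
pass in inet proto tcp from any to any port bootps flags S/SA keep state
pass in inet proto tcp from any to any port {9100,9124} flags S/SA keep state
EOF
}

# Print every destination port named in a "pass in" rule of the file in $1,
# one per line, de-duplicated. Handles "port ssh" and "port {9100,9124}";
# only the port spec after "to" counts, so source-port filters are ignored.
pf_inbound_ports() {
    LC_ALL=C awk '
        { seen_to = 0 }
        /^[ \t]*pass[ \t]+in([ \t]|$)/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "to") seen_to = 1
                if ($i != "port" || !seen_to) continue
                spec = ""
                for (j = i + 1; j <= NF; j++) {
                    # the port spec ends at the first rule option keyword
                    if ($j ~ /^(flags|keep|modulate|synproxy|no|tag|queue|rtable|label)$/) break
                    spec = spec " " $j
                }
                gsub(/[{},]/, " ", spec)   # "{9100,9124}" -> " 9100 9124 "
                n = split(spec, p)
                for (k = 1; k <= n; k++) print p[k]
            }
        }' "$1" | LC_ALL=C sort -u
}

# Print the inbound ports of file $1 that are not in the space-separated
# allow-list $2. Returns 0 when nothing unexpected is open, 1 otherwise.
pf_unexpected_ports() {
    allowed=" $2 "
    unexpected=$(pf_inbound_ports "$1" | while read -r port; do
        case $allowed in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Demonstration on the constructed sample: with ssh and the two exporter
# ports expected, the only surprise is bootps.
sample=$(mktemp)
write_sample_pf_conf "$sample"
pf_unexpected_ports "$sample" "ssh 9100 9124" || echo "unexpected inbound ports listed above"
rm -f "$sample"
```

On the host itself, `pfctl -nf /etc/pf.conf` checks that the ruleset parses; this audit complements it by answering the separate question of what the rules let in, and is cheap to run after every edit of the file. One observation the audit surfaces on the ruleset above: bootps (port 67) is a UDP service, so a `proto tcp ... port bootps` rule never matches DHCP traffic, yet it still appears as an allowed inbound port because the rule text permits it.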
9. metrics (prom_sysctl & node_exporter)
sysrc inetd_enable=YES
sysrc node_exporter_enable=YES
sysrc node_exporter_args="--collector.devstat --collector.ntp"
service inetd start
service node_exporter start
10. bastille
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=zroot
sysrc bastille_enable=YES
bastille bootstrap 13.0-RELEASE update
Bonus (hardware only)
1. microcode update (amd / intel)
sysrc microcode_update_enable=YES
service microcode_update start
2. NTP aka What time is it?
--- a/etc/ntp.conf 2021-04-09 00:25:48.000000000 -0600
+++ b/etc/ntp.conf 2021-12-23 21:51:41.700029000 -0700
@@ -30,6 +30,9 @@
# The option `iburst' is used for faster initial synchronization.
#
pool 0.freebsd.pool.ntp.org iburst
+pool 1.freebsd.pool.ntp.org iburst
+pool 2.freebsd.pool.ntp.org iburst
+pool 3.freebsd.pool.ntp.org iburst
#
# If you want to pick yourself which country's public NTP server
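Review bot: the three added `pool` lines mirror the existing `pool 0.freebsd.pool.ntp.org iburst` entry option for option, so there is no functional problem in this hunk; the point is documentation. The stock comment block directly above only explains `iburst`, so a one-line comment next to the added entries stating why four pool zones are configured rather than the default single one would keep the intent clear for whoever later reconciles this file against the stock ntp.conf and sees these three lines as a local change.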
sysrc ntpd_enable=YES
service ntpd restart
3. smartd
sysrc smartd_enable=YES
service smartd start