Ten Things To Do After Installing FreeBSD

The top ten things I configure on a new installation.

Bastille is an open-source system for automating the deployment and management of containerized applications on FreeBSD.

1. ~/.hushlogin

Makes login quieter. (man login)

touch ~/.hushlogin

2. Apply Patches

Apply updates to the host. (man freebsd-update)

freebsd-update fetch install
freebsd-update install

3. disable atime (ZFS)

Stop ZFS from writing an access-time update on every file read; almost nothing needs it and it costs a write per read. (man zfs)

zfs set atime=off zroot

4. install required packages

Bootstrap the binary package manager and install core packages.

Virtual Hardware

pkg install vim git-lite zsh htop tree node_exporter doas bastille rocinante

Physical Hardware

pkg install vim git-lite zsh htop tree smartmontools node_exporter doas devcpu-data bastille rocinante

5. configure zsh shell

Install antigen, write a minimal ~/.zshrc that loads it, and make zsh the login shell.

fetch https://git.io/antigen -o /usr/local/share/zsh/antigen.zsh
cat <<EOF>~/.zshrc
source /usr/local/share/zsh/antigen.zsh
antigen use oh-my-zsh
antigen bundle zsh-users/zsh-syntax-highlighting
antigen bundle zsh-users/zsh-autosuggestions
antigen bundle zsh-users/zsh-completions
antigen theme gentoo
antigen bundle genpass
antigen apply
EOF
chsh -s /usr/local/bin/zsh

6. configure doas

Add any new admins to the wheel group.

Create /usr/local/etc/doas.conf and populate with a simple ruleset. (man doas.conf)

cat <<EOF>/usr/local/etc/doas.conf
permit nopass :wheel
EOF
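The ruleset above never prompts wheel members for a password. As an added example (not from the original post), the script below renders a tighter ruleset that requires the user's own password, grants `nopass` only for one pinned command, dry-runs the file with `doas -C`, and installs it only if it parses. The user name "backup" and the command it may run are hypothetical, and `persist` is assumed to be supported by the FreeBSD doas port (drop the keyword if yours lacks it).

```shell
#!/bin/sh
# Added example, not part of the original post.  Renders a tighter doas
# ruleset than the one-liner above, dry-runs it with `doas -C`, and only
# then installs it.  The user name "backup" and the service command it
# may run are hypothetical; `persist` is assumed to be supported by the
# FreeBSD doas port.

render_doas_conf() {
    cat <<'EOF'
# wheel members may run anything as root but must enter their own
# password; `persist` caches it briefly so a burst of commands does not
# re-prompt.  The post's `permit nopass :wheel` never asks at all.
permit persist :wheel

# An automation account gets a passwordless rule for exactly one
# command line and nothing else (hypothetical user and command).
permit nopass backup as root cmd /usr/sbin/service args sshd restart
EOF
}

# Count `permit` rules that grant without a password and are not pinned
# to a specific command.  Ideally zero.  (Expects space-separated fields.)
nopass_unbounded_count() {
    printf '%s\n' "$1" | awk '/^permit / && / nopass / && !/ cmd / { n++ } END { print n + 0 }'
}

# Parse-only check of a candidate config; skipped with a warning when
# doas is not installed (e.g. when run on a workstation).
check_doas_conf() {
    if command -v doas >/dev/null 2>&1; then
        doas -C "$1"
    else
        echo "doas not installed; skipping syntax check of $1" >&2
    fi
}

# Write the ruleset to $1 (default /usr/local/etc/doas.conf) only if it
# parses; doas insists the file be root-owned and not group/world-writable.
install_doas_conf() {
    dest=${1:-/usr/local/etc/doas.conf}
    tmp=$(mktemp) || return 1
    render_doas_conf > "$tmp"
    if check_doas_conf "$tmp"; then
        install -o root -g wheel -m 0600 "$tmp" "$dest"
    else
        echo "refusing to install: $tmp does not parse" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}
```

Source the file as root and run `install_doas_conf`; `nopass_unbounded_count "$(cat /usr/local/etc/doas.conf)"` is a quick way to spot blanket passwordless rules in an existing config.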

7. generate SSH keys

Delete the auto-generated SSH keys and regenerate using only good key types.

rm /etc/ssh/ssh_host_*
sysrc sshd_dsa_enable="no"
sysrc sshd_ecdsa_enable="no"
sysrc sshd_ed25519_enable="yes"
sysrc sshd_rsa_enable="yes"
service sshd keygen
service sshd restart
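After the keygen and restart it is worth confirming that only the intended key types remain in /etc/ssh. The following audit script is an added example, not part of the original post; it takes the key directory as a parameter so it can also be pointed at a copy of /etc/ssh from another host, and it prints fingerprints only when ssh-keygen is available.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the host key
# cleanup above left only the intended key types behind.  Pure /bin/sh;
# the directory is a parameter so it also works on a copied /etc/ssh.

# Key types the post keeps; anything else found is a finding.
ALLOWED_KEY_TYPES="ed25519 rsa"

# List the host key types present in directory $1, one per line.
host_key_types() {
    for f in "$1"/ssh_host_*_key; do
        [ -e "$f" ] || continue
        t=${f##*/ssh_host_}
        printf '%s\n' "${t%_key}"
    done
}

# Print key types present in $1 that are not allowed; return 1 if any.
unexpected_host_keys() {
    bad=""
    for t in $(host_key_types "$1"); do
        case " $ALLOWED_KEY_TYPES " in
            *" $t "*) ;;
            *) bad="$bad $t" ;;
        esac
    done
    [ -z "$bad" ] && return 0
    printf '%s\n' "${bad# }"
    return 1
}

# Print allowed key types missing from $1 (keygen failed or was skipped);
# return 1 if any.
missing_host_keys() {
    have=$(host_key_types "$1")
    miss=""
    for t in $ALLOWED_KEY_TYPES; do
        printf '%s\n' "$have" | grep -qx "$t" || miss="$miss $t"
    done
    [ -z "$miss" ] && return 0
    printf '%s\n' "${miss# }"
    return 1
}

# Show fingerprints of the public halves so they can be recorded
# out-of-band before the first client connects.  Skipped without ssh-keygen.
host_key_fingerprints() {
    command -v ssh-keygen >/dev/null 2>&1 || return 0
    for f in "$1"/ssh_host_*_key.pub; do
        [ -e "$f" ] || continue
        ssh-keygen -lf "$f"
    done
    return 0
}

# Run all checks against $1 (default /etc/ssh); exit status is nonzero
# on any finding so this can be used from a post-install script.
audit_host_keys() {
    dir=${1:-/etc/ssh}
    rc=0
    if extra=$(unexpected_host_keys "$dir"); then :; else
        echo "unexpected host key types in $dir: $extra" >&2; rc=1
    fi
    if gone=$(missing_host_keys "$dir"); then :; else
        echo "missing host key types in $dir: $gone" >&2; rc=1
    fi
    host_key_fingerprints "$dir"
    return $rc
}
```

Run `audit_host_keys` as root after `service sshd restart`; a clean run prints only the fingerprints.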

8. network & firewall

Create the loopback interface Bastille uses for jails, then write a pf ruleset that NATs jail traffic out through the host interface and opens only ssh, bootps and the metrics ports. (man pf.conf)

sysrc cloned_interfaces+=lo1
sysrc ifconfig_lo1_name=bastille0
service netif cloneup
cat <<EOF>/etc/pf.conf
ext_if="vtnet0" ## <- change vtnet0 to match host interface

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

block in all
pass in quick keep state
pass out quick keep state
pass in inet proto tcp from any to any port ssh flags S/SA keep state
pass in inet proto tcp from any to any port bootps flags S/SA keep state
pass in inet proto tcp from any to any port {9100,9124} flags S/SA keep state
EOF
sysrc pf_enable=YES
service pf start
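The `## <- change vtnet0` comment is the step that locks people out of remote hosts. As an added example (not from the original post), the script below fills the interface name in from the default route, dry-runs the ruleset with `pfctl -nf` before touching /etc/pf.conf, and loads it with a timed rollback so a bad rule does not cost the ssh session. The rules are the post's own; `default_iface` assumes the `route -n get default` output format of FreeBSD, and the rollback delay is an arbitrary 120 seconds.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the pf.conf from
# step 8 with the external interface taken from the routing table, check
# it with `pfctl -nf`, and load it with a safety net against lock-out.

# Interface carrying the default route (assumes FreeBSD `route` output).
default_iface() {
    route -n get default 2>/dev/null | awk '/interface:/ { print $2 }'
}

# Print the post's ruleset with $1 as the external interface.
render_pf_conf() {
    cat <<EOF
ext_if="$1"

set block-policy return
scrub in on \$ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on \$ext_if from <jails> to any -> (\$ext_if:0)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
pass in inet proto tcp from any to any port ssh flags S/SA keep state
pass in inet proto tcp from any to any port bootps flags S/SA keep state
pass in inet proto tcp from any to any port {9100,9124} flags S/SA keep state
EOF
}

# Parse-only check.  Note: pf accepts interface names that do not exist
# yet, so a typo in ext_if passes this check; that is what the timed
# rollback in load_with_safety_net is for.
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found; skipping syntax check of $1" >&2
    fi
}

# Load ruleset $1 and schedule `pfctl -d` in $2 seconds (default 120).
# If the ssh session survives, cancel the job with: kill "$PF_SAFETY_PID"
load_with_safety_net() {
    secs=${2:-120}
    pfctl -f "$1" || return 1
    ( sleep "$secs"; pfctl -d ) &
    PF_SAFETY_PID=$!
    echo "rules loaded; run 'kill $PF_SAFETY_PID' within ${secs}s to keep pf enabled" >&2
}

# Full procedure: render, check, install, enable, load.  $1 overrides the
# detected interface.
install_pf_conf() {
    iface=${1:-$(default_iface)}
    [ -n "$iface" ] || { echo "no default interface found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    render_pf_conf "$iface" > "$tmp"
    if ! check_pf_conf "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    install -m 0644 "$tmp" /etc/pf.conf && rm -f "$tmp"
    sysrc pf_enable=YES
    pfctl -e 2>/dev/null || true
    load_with_safety_net /etc/pf.conf
}
```

Run `install_pf_conf` as root from a second shell and, once the first session still responds, kill the rollback job. If you are locked out, pf switches itself off after the delay and the host is reachable again.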

9. metrics (prom_sysctl & node_exporter)

node_exporter serves host metrics for Prometheus; prom_sysctl exposes sysctl values and runs from inetd, which is why inetd is enabled here. These are the two ports opened in the pf ruleset above.

sysrc inetd_enable=YES
sysrc node_exporter_enable=YES
sysrc node_exporter_args="--collector.devstat --collector.ntp"
service inetd start
service node_exporter start

10. bastille

Enable ZFS support in Bastille, point it at the pool, and bootstrap a release for jails to use. (man bastille)

sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=zroot
sysrc bastille_enable=YES

bastille bootstrap 13.1-RELEASE update

Bonus (hardware only)

1. microcode update (amd / intel)

sysrc microcode_update_enable=YES
service microcode_update start

2. NTP aka What time is it?

--- a/etc/ntp.conf	2021-04-09 00:25:48.000000000 -0600
+++ b/etc/ntp.conf	2021-12-23 21:51:41.700029000 -0700
@@ -30,6 +30,9 @@
 # The option `iburst' is used for faster initial synchronization.
 pool 0.freebsd.pool.ntp.org iburst
+pool 1.freebsd.pool.ntp.org iburst
+pool 2.freebsd.pool.ntp.org iburst
+pool 3.freebsd.pool.ntp.org iburst

 # If you want to pick yourself which country's public NTP server
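Review bot: the hunk header `@@ -30,6 +30,9 @@` promises six old-side and nine new-side lines, but only four context lines and three `+` lines are visible, so the trailing context after `# If you want to pick yourself which country's public NTP server` has been cut off and `patch(1)` will reject the hunk as-is; regenerate it with `diff -u` or restore the two missing context lines. The change itself is fine: each `pool` entry expands to several associations, so the extra hostnames simply widen the set of servers ntpd's selection algorithm can choose from.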
sysrc ntpd_enable=YES
service ntpd restart

3. smartd

sysrc smartd_enable=YES
service smartd start

Christer Edwards
Creator of Bastille

FreeBSD die-hard, software developer, author, educator, man behind BastilleBSD. I build cool stuff.