We’re excited to announce BastilleBSD, a new FreeBSD-based distribution designed for modern system administrators, privacy-conscious users, and DevOps professionals. BastilleBSD is built to be secure-by-default, automated from first boot, and ready for serious work—right out of the box.
This is more than just FreeBSD with pre-installed packages. BastilleBSD is a curated, hardened FreeBSD experience with a modern toolset and sane defaults, tailored for both servers and power users.
What’s Included:
- Bastille – Container automation for FreeBSD, pre-installed and auto-configured.
- Rocinante – Host configuration management using Bastillefile-style templates.
- Modern shells and tools – Zsh (default), with bash, fish, vim-tiny, git-tiny, htop, and more.
- Pre-configured automation – On first boot, BastilleBSD automatically:
  - Runs ‘bastille setup’, configuring the host networking, ZFS storage, and a secure firewall
  - Bootstraps the host release and applies the latest patches

Privacy & Security by Default:
- Hardened sysctl values inspired by HardenedBSD
- Secure SSH defaults (no DSA/ECDSA, modern ciphers, stricter MACs/KEX)
- Firewall (pf) enabled out of the box
- doas configured for the wheel group – no sudo required
- DNS-over-HTTPS with blocky, preconfigured to forward encrypted DNS to privacy-friendly Quad9
- openntpd – lightweight and privacy-respecting time sync, already set up
- smartd – pre-installed and ready to monitor drive health

Plus:
- Uses pkg-base by default — no freebsd-update needed
- Custom boot graphics and branding
- Clean ZFS defaults, periodic snapshots optional
BastilleBSD is fully compatible with FreeBSD and will track upstream point releases (e.g., BastilleBSD-14.3-RELEASE). This is a distribution for people who want FreeBSD to just work with modern tools, privacy-first defaults, and zero guesswork.
Get it, test it, break it! We’re eager to hear your feedback and ideas for future improvements.
🖥️ Download: https://download.bastillebsd.org
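An added example, not code from BastilleBSD or the announcement: a small POSIX sh audit that checks a FreeBSD host for three of the defaults listed above (sshd with no DSA/ECDSA host keys and explicitly pinned KexAlgorithms/MACs/Ciphers, pf enabled in rc.conf, a doas permit rule for the wheel group). The sample "hardened" and "stock" config files are constructed for the demo, and the particular algorithm lists in the hardened sample are an assumption about what such a config looks like, not taken from the post.

```shell
#!/bin/sh
# Added example, not part of BastilleBSD: audit sshd_config, rc.conf and
# doas.conf for the hardened defaults described in the announcement.
# Sample files below are constructed; the algorithm lists are an assumption.
set -u

# Return 0 when sshd_config ($1) declares at least one active HostKey, none
# of them DSA/ECDSA, and explicitly pins KexAlgorithms, MACs and Ciphers.
audit_sshd() {
  f=$1
  # No active HostKey line means OpenSSH falls back to its built-in set,
  # which includes an ECDSA key, so that counts as a failure too.
  n=$(grep -Eic '^[[:space:]]*HostKey[[:space:]]' "$f")
  [ "$n" -gt 0 ] || return 1
  # Any active HostKey naming a dsa/ecdsa key file fails the audit.
  if grep -Ei '^[[:space:]]*HostKey[[:space:]].*dsa' "$f" >/dev/null; then
    return 1
  fi
  for k in KexAlgorithms MACs Ciphers; do
    grep -Ei "^[[:space:]]*$k[[:space:]]" "$f" >/dev/null || return 1
  done
  return 0
}

# Return 0 when rc.conf ($1) enables pf.
audit_pf() {
  grep -E '^[[:space:]]*pf_enable="?[Yy][Ee][Ss]"?' "$1" >/dev/null
}

# Return 0 when doas.conf ($1) has an active permit rule for group wheel.
audit_doas() {
  grep -E '^[[:space:]]*permit[[:space:]].*:wheel([[:space:]]|$)' "$1" >/dev/null
}

# Run all three checks on a directory holding the three files; prints
# PASS/FAIL per check and returns the number of failures.
audit_host() {
  d=$1; fails=0
  for c in sshd pf doas; do
    case $c in
      sshd) file=sshd_config ;; pf) file=rc.conf ;; doas) file=doas.conf ;;
    esac
    if "audit_$c" "$d/$file"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails+1)); fi
  done
  return "$fails"
}

# Constructed sample hosts (temporary directory is left behind for inspection).
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/hardened" "$DEMO_DIR/stock"

# "hardened": ed25519/RSA host keys only, algorithms pinned, pf on, doas rule.
cat >"$DEMO_DIR/hardened/sshd_config" <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PermitRootLogin no
EOF
printf 'pf_enable="YES"\nsshd_enable="YES"\n' >"$DEMO_DIR/hardened/rc.conf"
printf 'permit persist :wheel\n' >"$DEMO_DIR/hardened/doas.conf"

# "stock": HostKey lines commented out (built-in defaults apply), nothing
# pinned, pf not enabled, no doas rule.
cat >"$DEMO_DIR/stock/sshd_config" <<'EOF'
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
EOF
printf 'sshd_enable="YES"\n' >"$DEMO_DIR/stock/rc.conf"
printf '# no rules yet\n' >"$DEMO_DIR/stock/doas.conf"

audit_host "$DEMO_DIR/hardened"
audit_host "$DEMO_DIR/stock"
```

On a live FreeBSD host the three checks would be called directly with the real paths (/etc/ssh/sshd_config, /etc/rc.conf and /usr/local/etc/doas.conf) rather than through audit_host, since the files do not live in one directory.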
I see others comment that they dislike DoH too, but nobody offers viable alternatives. How else do you recommend encrypting DNS queries other than DoT? (DoH and DoT being similar implementations. I have reasons for selecting DoH over DoT, but open to hearing alternate solutions if you have any).
@BastilleBSD in general, I prefer to treat dns as dns, not as an https request. But it’s my personal preference and I see use cases for that.
I’d personally install unbound locally and ask the root servers, but this won’t be encrypted
Stubby for DoT as an option to choose during the install…
@BastilleBSD @stefano
Quad9 may be the default value. Those who want to change it are provided with a way to do so, similar to Firefox settings.