We’re excited to announce BastilleBSD, a new FreeBSD-based distribution designed for modern system administrators, privacy-conscious users, and DevOps professionals. BastilleBSD is built to be secure-by-default, automated from first boot, and ready for serious work—right out of the box.

This is more than just FreeBSD with pre-installed packages. BastilleBSD is a curated, hardened FreeBSD experience with a modern toolset and sane defaults, tailored for both servers and power users.

What’s Included:

• Bastille – Container automation for FreeBSD, pre-installed and auto-configured.
• Rocinante – Host configuration management using Bastillefile-style templates.
• Modern shells and tools – Zsh (default), with bash, fish, vim-tiny, git-tiny, htop, and more.
• Pre-configured automation – On first boot, BastilleBSD automatically:
  • Runs ‘bastille setup’, configuring the host networking, ZFS storage, and a secure firewall
  • Bootstraps the host release and applies latest patches

Privacy & Security by Default:

• Hardened sysctl values inspired by HardenedBSD
• Secure SSH defaults (no DSA/ECDSA, modern ciphers, stricter MACs/KEX)
• Firewall (pf) enabled out of the box
• doas configured for the wheel group – no sudo required
• DNS-over-HTTPS with blocky, preconfigured to forward encrypted DNS to privacy-friendly Quad9
• openntpd – lightweight and privacy-respecting time sync, already set up
• smartd – pre-installed and ready to monitor drive health

Plus:

• Uses pkg-base by default — no freebsd-update needed
• Custom boot graphics and branding
• Clean ZFS defaults, periodic snapshots optional

BastilleBSD is fully compatible with FreeBSD and will track upstream point releases (e.g., BastilleBSD-14.3-RELEASE). This is a distribution for people who want FreeBSD to just work with modern tools, privacy-first defaults, and zero guesswork.

Get it, test it, break it! We’re eager to hear your feedback and ideas for future improvements.

🖥️ Download: https://download.bastillebsd.org
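As an added example (not BastilleBSD's own code or tooling), the POSIX shell script below audits a host's sshd_config, rc.conf, doas.conf and blocky configuration against the defaults the announcement lists: no DSA/ECDSA host keys, explicit modern ciphers and key exchange, stricter MACs, pf/openntpd/smartd enabled, doas for wheel, and blocky forwarding to Quad9 over DoH. All sample config files are constructed inline so it runs on any system with sh, awk and grep. Assumptions: "stricter MACs" is read as encrypt-then-MAC variants only, the rc variable for blocky is taken to be `blocky_enable`, and the Quad9 DoH endpoint checked for is `https://dns.quad9.net/dns-query`.

```shell
#!/bin/sh
# Added example, not BastilleBSD's own code: audit a host's config files against
# the defaults the announcement lists. Sample files are constructed below so the
# script runs anywhere with POSIX sh, awk and grep. Assumptions are marked.

# First value of an sshd_config directive (case-insensitive); empty if unset.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# SSH posture: no DSA/ECDSA host keys, explicit modern ciphers, encrypt-then-MAC
# MACs only (assumed meaning of "stricter MACs"), no SHA-1 key exchange.
# Prints one "FAIL: ..." line per finding; returns 0 only when clean.
audit_sshd_config() {
    cfg="$1"; rc=0
    if grep -Eiq '^[[:space:]]*HostKey[[:space:]]+.*(dsa|ecdsa)' "$cfg"; then
        echo "FAIL: DSA/ECDSA host key configured"; rc=1
    fi
    ciphers=$(sshd_value "$cfg" Ciphers)
    case ",$ciphers," in
        ,,) echo "FAIL: Ciphers not set explicitly"; rc=1 ;;
        *cbc*|*arcfour*|*3des*) echo "FAIL: legacy cipher allowed: $ciphers"; rc=1 ;;
    esac
    macs=$(sshd_value "$cfg" MACs)
    if [ -z "$macs" ]; then
        echo "FAIL: MACs not set explicitly"; rc=1
    else
        for m in $(printf '%s' "$macs" | tr ',' ' '); do
            case "$m" in
                *-etm@openssh.com) ;;
                *) echo "FAIL: non-ETM MAC allowed: $m"; rc=1; break ;;
            esac
        done
    fi
    kex=$(sshd_value "$cfg" KexAlgorithms)
    case ",$kex," in
        ,,) echo "FAIL: KexAlgorithms not set explicitly"; rc=1 ;;
        *sha1*) echo "FAIL: SHA-1 key exchange allowed: $kex"; rc=1 ;;
    esac
    return $rc
}

# rc.conf must enable pf, openntpd, smartd and blocky. "blocky_enable" is an
# assumption about the rc script name installed by the dns/blocky port.
audit_rc_conf() {
    rc=0
    for svc in pf openntpd smartd blocky; do
        if ! grep -Eq "^[[:space:]]*${svc}_enable=\"?YES\"?" "$1"; then
            echo "FAIL: ${svc}_enable is not YES"; rc=1
        fi
    done
    return $rc
}

# doas.conf must have a permit rule for the wheel group (options such as
# "persist" may sit between "permit" and ":wheel").
audit_doas_conf() {
    grep -Eq '^[[:space:]]*permit([[:space:]]+[a-z]+)*[[:space:]]+:wheel([[:space:]]|$)' "$1"
}

# blocky must forward to Quad9's DoH endpoint (https://dns.quad9.net/dns-query).
audit_blocky_upstream() {
    grep -q 'https://dns.quad9.net/dns-query' "$1"
}

# --- constructed sample inputs (not copied from any real host) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config.hardened" <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
EOF
cat > "$tmp/sshd_config.weak" <<'EOF'
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
Ciphers aes256-cbc,aes128-ctr
MACs hmac-sha1,hmac-md5
KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256
EOF
printf '%s\n' 'pf_enable="YES"' 'openntpd_enable="YES"' 'smartd_enable="YES"' \
    'blocky_enable="YES"' > "$tmp/rc.conf"
printf '%s\n' 'permit persist :wheel' > "$tmp/doas.conf"
# Only the upstream URL matters to the check; the YAML layout is illustrative.
printf '%s\n' 'upstreams:' '  groups:' '    default:' \
    '      - https://dns.quad9.net/dns-query' > "$tmp/blocky.yml"

for f in hardened weak; do
    echo "== sshd_config.$f"
    audit_sshd_config "$tmp/sshd_config.$f" && echo "OK: SSH defaults match"
done
audit_rc_conf "$tmp/rc.conf" && echo "OK: services enabled"
audit_doas_conf "$tmp/doas.conf" && echo "OK: doas permits wheel"
audit_blocky_upstream "$tmp/blocky.yml" && echo "OK: blocky forwards to Quad9 DoH"
```

Run it as-is to see the "weak" sample produce four findings and the "hardened" sample pass; pointing the four audit functions at `/etc/ssh/sshd_config`, `/etc/rc.conf`, `/usr/local/etc/doas.conf` and the blocky config file turns it into a quick post-install check of what the first-boot automation actually left behind.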

• BastilleBSD (OP) · 1 point · 35 minutes ago

      You don’t need to use it if you have a preferred solution but I think Quad9 is a good privacy-friendly choice considering the alternatives.

      Quad9 will never log/record enduser IP addresses. Ever.

• Stefano Marinelli · 3 points · 11 hours ago

      @lw @BastilleBSD to be honest, I don’t love that, too. And I’m not a fan of DNS over https - but they’re open to suggestions, so we could maybe suggest to change this

• BastilleBSD (OP) · 1 point · 30 minutes ago

        I see others comment that they dislike DoH too, but nobody offers viable alternatives. How else do you recommend encrypting DNS queries other than DoT? (DoH and DoT being similar implementations. I have reasons for selecting DoH over DoT, but open to hearing alternate solutions if you have any).

• ivy · 2 points · 11 hours ago

        @stefano

        personally, i think DoT/DoH is a great idea, but i run my own DNS servers that support DoT and DoH.

        but i think you’re referring to the trend of software that ignores the administrator’s preferences and forces all DNS traffic to an *external* DoH server (like Quad9), and yes, this is not great.

        @BastilleBSD