Below are the steps I take to personalise new FreeBSD servers which I run on my home network. The steps could easily be automated, I just don’t deploy new FreeBSD servers at home often enough to justify it.
# Update the base system:
$ freebsd-update fetch $ freebsd-update install # If kernel was patched don't forget to: $ shutdown -r now
# Schedule future security updates to be applied daily:
$ printf '@daily root freebsd-update cron' >> /etc/cron
# Map the root account to your email address and send a test mail:
$ printf 'root: firstname.lastname@example.org' >> /etc/aliases $ newaliases $ service restart sendmail $ printf 'test\n' | mail -s "test message" root
# Set the timezone:
# Now the timezone is set, we need to enable the NTP daemon so that our servers time stays in sync. I use the default FreeBSD servers in /etc/ntp.conf:
$ printf 'ntpd_enable="YES"\nntpd_sync_on_start="YES"' >> /etc/rc.conf
# Now start the NTP daemon:
$ service ntpd start
# Configure the firewall to only allow SSH:
$ printf 'firewall_enable="YES"\nfirewall_quiet="YES"\nfirewall_type="workstation"\nfirewall_myservices="22/tcp"\nfirewall_allowservices="any"\nfirewall_logdeny="YES"' >> /etc/rc.conf
# Limit the number of logs per IP address, to prevent the logs filling up with traffic from a single persistent user:
$ printf 'net.inet.ip.fw.verbose_limit=5' >> /etc/sysctl.conf $ sysctl net.inet.ip.fw.verbose_limit=5
# Start the firewall:
$ service ipfw start
# Install subversion using pkg and then pull down the ports tree:
$ pkg install subversion $ svn checkout https://svn.FreeBSD.org/ports/head /usr/ports
# Install some tools I can’t live without:
$ cd /usr/ports/shells/zsh && make install clean $ zsh $ cd /usr/ports/*/vim-lite && make install clean $ cd /usr/ports/*/git && make install clean $ cd /usr/ports/*/screen && make install clean
# Change the default shell for your user to zsh – note, you need to be careful here, as using a shell from ports could get bricked, you might want to compile zsh statically and then transfer it into /bin/ if you are concerned about this. Otherwise, do this and don’t forget to change the username:
$ chsh -s /usr/local/bin/zsh YOUR_USER
# Alias vi -> vim because old habits die hard, we also want to set the variable WITHOUT_X11 to try and stop X11/graphical components finding their way onto our server:
$ printf 'alias vi=vim\nexport WITHOUT_X11=YES' >> ~/.zshrc
# Create a .vimrc file with mouse support disabled (who uses a mouse in vim?!) and with the background set to dark, so we don’t get dark blue comments:
$ printf 'set background=dark\nset mouse-=a' >> ~/.vimrc
# Install oh-my-zsh, a handy tool for enhancing your zsh command-line experience.
$ sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
# Change the theme and plugins for oh-my-zsh:
$ sed -i '.bak' 's/ZSH_THEME=\".*\"/ZSH_THEME=\"pygmalio\"/;s/plugins=\(.*\)/plugins=\(git screen nyan vi-mode\)/' "$HOME/.zshrc"
That’s about it to get what I consider my ‘baseline’.