Things to do after the first complete boot of FreeBSD

From Notes to self
Revision as of 16:30, 11 June 2025 by Verbovet (talk | contribs)
Jump to navigation Jump to search

Setting up the root account

  • $ ssh-copy-id -i ~/.ssh/id_rsa.pub (from a remote machine)
  • Switch pkg(8) from Quarterly to Latest:
# mkdir -p /usr/local/etc/pkg/repos
# echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' > /usr/local/etc/pkg/repos/FreeBSD.conf
:and
# echo 'FreeBSD-kmods: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/kmods_latest_${VERSION_MINOR}" }' >> /usr/local/etc/pkg/repos/FreeBSD.conf
:or
# echo "FreeBSD-kmods: { enabled: no }" >> /usr/local/etc/pkg/repos/FreeBSD.conf
  • # pkg install git vim
  • $ mkdir -p ~/.config/vim/pack/vendor/start
  • $ scp vimrc <host>:.config/vim (from a remote machine)
  • $ cd ~/.config/vim/pack/vendor/start
  • $ git clone --depth 1 https://github.com/ojroques/vim-oscyank
  • /etc/ssh/sshd_config
Port 26
AddressFamily inet
ListenAddress x.x.x.x
PermitRootLogin no/prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PrintMotd no
PrintLastLog no
UseDNS no
  • /etc/ssh/ssh_config
Host *
AddressFamily inet
  • # pkg install bash bash-completion bash-completion-freebsd
  • # ln -s bash /usr/local/bin/sh
  • # passwd toor
  • # chsh -s /usr/local/bin/sh toor
  • /usr/local/etc/profile
# vim:ft=sh

EDITOR=ee
if [ -x /usr/local/bin/vim ]; then
  EDITOR=vim
fi
export EDITOR
export VISUAL="${EDITOR}"
export PAGER=less
export LESS="I"
export HISTSIZE=1000
export HISTFILESIZE=2000
export HISTCONTROL=ignoreboth:erasedups

# set ENV to a file invoked each time sh is started for interactive use.
export ENV=/usr/local/etc/shrc
  • /usr/local/etc/shrc
# vim:ft=sh

currid=$(id -u)

if [ "$EDITOR" = "vim" ]; then
  alias vi='vim'
fi
alias h='fc -l'
alias history='fc -l'
alias m="$PAGER"
alias ls='ls -FG'
alias ll='ls -Al'
alias mc='mc -u'
alias cal='LC_TIME=ru_RU.UTF-8 ncal'
alias man='LC_ALL=en_US.UTF-8 man'
alias myip='fetch -q4o - https://api.nic.ru/dyndns/checkip/ \
  | rev | cut -d" " -f1 | rev | cut -d"<" -f1'
alias myip2='fetch -q4o - http://whatismyip.akamai.com/; printf "\n"'
if [ "$currid" = 0 ]; then
  alias updatedb='/etc/periodic/weekly/310.locate'
fi

# disable XON/XOFF flow control (ctrl-s, ctrl-q)
stty -ixon

if [ "$(ps -o comm= -p $$)" = "bash" ]; then
  shopt -s checkwinsize histappend
  if [ -f /usr/local/share/bash-completion/bash_completion.sh ]; then
    . /usr/local/share/bash-completion/bash_completion.sh
  fi
fi

PS1="\u@\h:\w \\$ "

mkcd() {
  if [ "$#" -eq 1 ]; then
    mkdir -p "$1"
    cd "$1"
  else
    echo "mkcd expects exactly one argument"
  fi
  find . -type d -prune ! -empty \
    -exec printf "%s\n" "Directory '$1' is not empty." \;
}

if [ -f /usr/local/etc/shrc.local ]; then
  . /usr/local/etc/shrc.local
fi

unset currid
  • /usr/local/etc/shrc.local
# vim:ft=sh

if tty | fgrep -q pts && [ "$(ps -o comm= -p $$)" = "bash" ]; then
  case ${currid} in
    0) PS1="\[\e]2;\u@\h:\w\a$(tput setaf 5)\]\u@\h:\w #\[$(tput sgr0)\] ";;
    *) PS1="\[\e]2;\u@\h:\w\a$(tput setaf 2)\]\u@\h:\w $\[$(tput sgr0)\] ";;
  esac
fi
  • # rm /root/.profile /root/.shrc
  • In /etc/login.conf
  • To setenv, add to the end
LC_COLLATE=C.UTF-8,\
LC_MESSAGES=en_US.UTF-8,\
LC_MONETARY=en_US.UTF-8,\
LC_NUMERIC=en_US.UTF-8,\
LC_TIME=en_GB.UTF-8:\
  • substitute :lang=C.UTF-8: with :lang=ru_RU.UTF-8:
  • add :hushlogin:
  • change path if necessary
  • # cap_mkdb /etc/login.conf
  • /root/.config/bash_completion
# vim:ft=sh

### mkcd ###
_mkcd()
{
  local cur prev words cword split
  _init_completion -s || return
  $split && return 0
  _filedir -d
}
complete -F _mkcd mkcd

# pkg install terminfo-db

System mail

/etc/dma/dma.conf 

SMARTHOST smtp.yandex.ru
PORT 465
AUTHPATH /etc/dma/auth.conf
SECURETRANSFER
  • /etc/dma/auth.conf
<ya-user>@yandex.ru|smtp.yandex.ru:<password>
  • chgrp mail /etc/dma/auth.conf
  • chmod 640 /etc/dma/auth.conf
  • /etc/mail/aliases
*: alik@ejik.org
  • # sysrc dma_flushq_enable=yes

Network

  • /etc/hosts.allow
sshd : ALL : allow
ALL : ALL : deny
  • # sysrc pf_enable=yes
  • /etc/pf.conf
# macros

ext_if = "igc0"
icmp_types = "{ echoreq, unreach, redir, timex }"
tcp_services = "{ 26 }"

# tables

# options
set skip on lo0

# ethernet

# normalization

# queueing

# translation

# filtering
match in on { lo0 $ext_if } scrub (no-df random-id reassemble tcp)

antispoof quick for { lo0 $ext_if }

block all
pass out quick inet
pass in quick on $ext_if inet proto icmp to ($ext_if) icmp-type $icmp_types
pass in quick on $ext_if inet proto tcp to ($ext_if) port $tcp_services
  • # service pf start
  • sysrc kld_list+="tcp_bbr"
  • /etc/sysctl.conf
# use the bbr tcp stack
net.inet.tcp.functions_default=bbr

Further configuration

  • # sysrc var_run_enable=yes
  • # pkg install smartmontools
  • /usr/local/etc/smartd.conf
/dev/ada...  -a -o on -S on -I 9 -I 190 -I 194 -m root -s (S/../.././04)

For SSD, substitute S in parentheses with L. Attributes not tracked:

9   power-on hours
190 temperature
194 also temperature
  • # sysrc smartd_enable="YES"
  • # cp /etc/periodic/weekly/310.locate /usr/local/etc/periodic/daily/
  • # sed -i -e 's/weekly_locate/daily_locate/' /usr/local/etc/periodic/daily/310.locate
  • /etc/periodic.conf
# 310.locate
daily_locate_enable="YES"
weekly_locate_enable="NO"

daily_show_success="NO"
daily_show_info="NO"
weekly_show_success="NO"
weekly_show_info="NO"
monthly_show_success="NO"
monthly_show_info="NO"
daily_status_security_inline="YES"
security_show_success="NO"
security_show_info="NO"
security_status_pkgaudit_enable="NO"

daily_scrub_zfs_enable="YES"

>>> For ssd:
daily_trim_zfs_enable="YES"
  • # pkg install cpu-microcode-amd (or -intel)
  • /boot/loader.conf
cpuctl_load="YES"
cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/amd-ucode.bin" (or intel-)
  • # pkg install chrony
  • /usr/local/etc/chrony.conf
server ntp1.vniiftri.ru iburst
server ntp2.vniiftri.ru iburst
server ntp3.vniiftri.ru iburst
server ntp4.vniiftri.ru iburst
server ntp5.vniiftri.ru iburst
server ntp.msk-ix.ru iburst

!pool 0.freebsd.pool.ntp.org iburst

>>>Uncomment:
makestep 1.0 3
dumpdir /var/db/chrony

>>>Add to the end:
# command port 323 disabled
cmdport 0
  • # sysrc chronyd_enable=yes
  • # crontab -e
0 2 * * * /usr/sbin/freebsd-update cron

Setting up users accounts

  • ~/.config/bash_completion
# vim:ft=sh

### mkcd ###
_mkcd()
{
  local cur prev words cword split
  _init_completion -s || return
  $split && return 0
  _filedir -d
}
complete -F _mkcd mkcd

### toor ###
source /usr/local/share/bash-completion/completions/sudo
complete -F _comp_cmd_sudo toor
Retrieved from "https://alik.ejik.org/index.php?title=Things_to_do_after_the_first_complete_boot_of_FreeBSD&oldid=2664"