paulc / hcloud-freebsd

Hetzner Cloud auto-provisioning for FreeBSD
MIT License

HardenedBSD support #1

Closed Follpvosten closed 3 years ago

Follpvosten commented 3 years ago

I've recently played around with the ideas in this repo and made some templates; I've also successfully created a HardenedBSD-based template, and since HBSD is 99% FreeBSD, it would be a very minor change to add support for it.

The only required change would be in config.sh, where the lines:

freebsd-update fetch --not-running-from-cron | cat
freebsd-update install --not-running-from-cron || echo "No updates available"

would be replaced with:

# hardenedbsd support: hbsd-update replaces freebsd-update on HardenedBSD,
# so use it when present and fall back to the stock FreeBSD update otherwise
if which hbsd-update >/dev/null 2>&1; then
    hbsd-update
else
    freebsd-update fetch --not-running-from-cron | cat
    freebsd-update install --not-running-from-cron || echo "No updates available"
fi

I would open a PR directly, but first I wanted to ask here how you would like to merge this into the README - just applying the same changes as in config.sh or differently?

(I also plan to play with some different BSDs, I already have ISOs for Dragonfly and NetBSD added, and probably OpenBSD at some point; but other than maybe Dragonfly, these are probably too different from FreeBSD to be included here, so I would probably create a new repo or a hard fork for those.)

Edit: Ah, and I am aware that everyone who wants to use this for hbsd will currently need to ask support to include the ISO. Don't know if that's good, but don't know what to do about it either. That means this should probably also be mentioned in the README.

paulc commented 3 years ago

Hi,

Apologies for the delay looking at this - I haven't had to look at the repository for a while so missed the issue. I haven't used HardenedBSD myself but I'm happy to include the patch (in the latest version). I have also made some slight updates (specifically ensuring the dhclient was restarted properly) and a couple of utils to make image maintenance easier.

I have removed the copy of config.sh in the README as this was getting difficult to maintain and replaced with a link so this shouldn't be a problem.

In terms of other BSD variants - the scripts are fairly hardwired for FreeBSD at the moment and I don't want them to get too complex, so having a separate repository for other BSDs sounds like the best idea.

As an aside I wonder if you have tried any of the new Hetzner CPX instances (AMD CPU) - FreeBSD boots but doesn't recognise any of the virtualised network/disk interfaces which is a shame as it runs really well on the classic CX instances.

Follpvosten commented 3 years ago

Hi and thanks for the answer, as well as thanks for already including my patch! I agree with the other points.

Also, yes, I've noticed the issue with the CPX instances; that caused some headaches when I tried to use one of those to compile ports. I suspect it's a hypervisor configuration issue, not sure if we can do a lot about it (we should probably file a support ticket though, since the FreeBSD ISOs are kinda semi-officially supported).

By the way, I've deviated from your setup guide in one point: I've used zfs instead of ufs. I've also managed to successfully expand the pool's vdev to a bigger drive using gpart recover/zpool online (this sadly requires a reboot with root-on-zfs so it can't really be automated, but it's possible). I use zfs for the dataset capabilities, free incremental backups and filesystem-level compression. Maybe the option to use zfs could be mentioned in the guide as well? I could contribute a minimal guide to the readme.

paulc commented 3 years ago

Thanks, I'll add a point about ZFS in the README (though the setup guide is only really to get people started and I would assume that people will customise as needed). My preference was to use UFS as the root FS as it is simpler and more suited to the low memory instances - what I do is use a userdata script to set up a ZFS volume using the additional space on the larger instances, which seems to work fairly well.

# Hetzner grows the disk beyond the size the image was built for, so the GPT
# backup header is no longer at the end of the disk and gpart flags it CORRUPT
if gpart show da0 | grep -qs CORRUPT
then
    # Wrong disk size - fix and add zfs partition in the freed space
    gpart recover da0
    gpart add -t freebsd-zfs da0
    # column 3 of 'gpart show' is the partition index, so this picks up da0pN
    zpool create zroot $(gpart show da0 | awk '/freebsd-zfs/ { print "/dev/da0p" $3 }')
fi

I did raise a support ticket on the CPX instances however I just got a 'FreeBSD isn't supported' response which is a shame as CX instances work really well (and they do provide a FreeBSD rescue image so there is some sort of support). I wonder if it might be worth you also raising so that they know that this impacts multiple users.

As an aside, you might be interested in the https://github.com/paulc/freebsd-ipv6-jail repository which I am working on for the 'second-stage' configuration on images set up using hcloud-freebsd, using the userdata function to bootstrap the installation. The rough idea is that you can keep a generic FreeBSD image and then customise as needed for specific requirements.

Follpvosten commented 3 years ago

As for the CPX issue, yeah I agree, and I'll write a ticket when I get to it. The repo looks interesting, however I've recently started to use Ansible, which nicely integrates with hcloud and also with FreeBSD, so I don't really have a need for it right now.