Sidenote: some of the search results coming up https://docs.freebsd.org/en/books/handbook/security/ https://github.com/wravoc/harden-freebsd (comments at https://forums.freebsd.org/threads/my-freebsd-hardening-script.89523/) https://www.freebsdsoftware.org/blog/hardening-freebsd-server/ https://vez.mrsk.me/freebsd-defaults https://hardenedbsd.org/content/about

I honestly feel like this post is a plant -- it’s far too perfect. You’ve captured the exact 'cattle vs. pets' tension that kept some of my services on Linux for a long time, even when I really wanted them on FreeBSD. Truth be told, I built daemonless.io because I'm bored to death of system administration. I love the FreeBSD kingdom, but I have zero desire to spend my life hand-cranking /etc files or manually patching 'pets' every time they drift. The 'Jailer’s Trap' you mentioned is real; the second you jexec in to tweak a config, you’ve lost the battle for reproducibility. By bringing OCI-native immutability to Jails, you get that 'cattle' workflow—Podman-friendly, layered images, and reproducible environments—without leaving the kernel we actually want to live in. > @nibori said: > > Thank you for your attention, now let's get an other beer. > Next round is on me. Cheers!