hackacad.net

Recent content on hackacad.net

How to build a child-safe OpenClaw workspace - practical tips
Compact guide for building an OpenClaw workspace focused on child protection, minimal retention, local models, direct-message-only behavior, and guardian escalation.
https://hackacad.net/post/2026-04-08-openclaw-for-child-protection-pratical-guide/
OpenClaw as child protection layer
OpenClaw is not just for automation. With strict guard rails and local models, it can become a private daily helper and a protection layer for children in chats.
https://hackacad.net/post/2026-04-07-openclaw-for-child-protection-idea/
How to Run Windows 10 on FreeBSD with Sylve

For those who haven’t heard of Sylve: Sylve is a pretty new VM and jail manager for FreeBSD. As stated on the project’s page:

[!WARNING] This project is still in development so expect breaking changes!

Sneak peek: Sylve Webinterface

1. Prerequisites

Make sure you have Sylve installed and configured correctly.
Repository: https://github.com/AlchemillaHQ/Sylve
There is nice documentation by gyptazy as well: Sylve: Manage bhyve VMs and Clusters on FreeBSD

1.1 Create a new ZFS dataset for the VM
  • Datacenter → Your Hostname → Storage → ZFS → Datasets → Volumes → + NEW
  • Create a dataset sized and configured to your needs.
1.2 Create a virtual switch
  • Network → Switches → Standard → + NEW
  • For most local use cases, enable DHCP.
1.3 Download the Windows ISO
2. Create the VM

Click Create VM and set the following options.

https://hackacad.net/post/windows-10-on-freebsd-with-sylve/
Local RAG with Chatbot and FreeBSD Knowledge FreeBSD Edition

If you want to try it on MacOS you can use this tutorial https://hackacad.net/post/2025-07-12-local-chatbot-rag-with-freebsd-knowledge/

Out of multiple conversations with people at BSD conferences, I noticed that many would love to see a chatbot that provides precise information on FreeBSD—for users, admins, and developers.

I strongly believe that there should not be an official chat.freebsd.org. Local chatbots work well and can be tweaked to fit personal needs.

This how-to is for demo cases. Proper authentication, firewalling, jail separation etc. is mandatory for production!

https://hackacad.net/post/2025-07-15-local-chatbot-rag-with-freebsd-knowledge-freebsd-host/
Local RAG with Chatbot and FreeBSD Knowledge MacOS Edition

If you want to try it on MacOS you can use this tutorial https://hackacad.net/post/2025-07-15-local-chatbot-rag-with-freebsd-knowledge-freebsd-host/

Out of multiple conversations with people at BSD conferences, I noticed that many would love to see a chatbot that provides precise information on FreeBSD—for users, admins, and developers.

I strongly believe that there should not be an official chat.freebsd.org. Local chatbots work well and can be tweaked to fit personal needs.

This documentation is written for macOS with Apple Silicon (because of the GPU support), but should work on other OSes as well.

https://hackacad.net/post/2025-07-12-local-chatbot-rag-with-freebsd-knowledge/
Running FreeBSD 14.2 on an Uptime Industries Compute Blade with Raspberry Pi CM4
Overview

This tutorial walks you through downloading and configuring the FreeBSD 14.2 image for Raspberry Pi Compute Module 4 (CM4). You’ll enable SSH access, configure the system, and install a custom EFI loader. If you are using a Compute Blade, this guide will work for you as well.

Prerequisites
  1. Raspberry Pi CM4 or a system with an eMMC/SD card.
  2. FreeBSD environment or a system capable of running the required commands.
  3. Your SSH public key for remote access.
  4. Basic familiarity with Unix commands.
  5. A reliable internet connection.

Step 1: Download and Modify the FreeBSD RPI Image
  1. Download the FreeBSD image for ARM64 Raspberry Pi:

https://hackacad.net/post/2024-12-16-freebsd-uptime-compute-blade-raspberry-cm4/
How to run OpenSearch Data Prepper on FreeBSD

If you want to test OpenSearch Data Prepper on FreeBSD:

Optional

bastille create dataprepper 14.0-RELEASE 192.168.0.222/24
bastille console dataprepper

Install dependencies and load the source files

pkg install openjdk17 bash
fetch https://artifacts.opensearch.org/data-prepper/2.7.0/opensearch-data-prepper-jdk-2.7.0-linux-x64.tar.gz
tar xvzf opensearch-data-prepper-jdk-2.7.0-linux-x64.tar.gz

Fix JAVA_HOME and the shebang; you can use the following small patch for this:

fetch https://hackacad.net/files/dataprepper.patch
patch -p0 < dataprepper.patch

Copy and edit one or more example pipelines

cd opensearch-data-prepper-jdk-2.7.0-linux-x64
cp examples/log-ingestion/log_pipeline.yaml pipelines/

Remove bundled Java

rm -r openjdk

Run Data Prepper

bin/data-prepper

Done.

https://hackacad.net/post/2024-05-06-running-opensearch-data-prepper-on-freebsd/
Migrating multiple Bastille jails from one FreeBSD host to another

Since I wasn’t happy with my hosting provider anymore I chose to switch to a local data center.

Migrating multiple hosts with multiple jails isn’t very scalable, so here’s a script to help you with that.

You can easily automate that using Ansible if you have a larger number of hosts.

I suggest you use ZFS; otherwise change the compression format from .xz to .txz (in the for loop and import script).

https://hackacad.net/post/2023-04-28-migrating-multiple-bastille-jails-new-host/
How to create secure remote access with zero trust policy

This short how-to should give you some ideas on how to create secure web access to your web services without VPN.

First of all: You can stop reading (and probably using the Internet after all) if you don’t trust any content providers. I will use Cloudflare, OPNsense, Solokeys and GitHub for this demo. You need a fixed IP address, or you can just use Cloudflare’s DynDNS service as well.

https://hackacad.net/post/2022-05-04-creating-zero-trust-web-access/
How to run OpenSearch on FreeBSD
UPDATE 21/09/19:

Everything has been committed and merged upstream. So you can simply run:

pkg install opensearch
STALE Want to try out OpenSearch on FreeBSD?

Right now there is no official support or port for OpenSearch on FreeBSD, so I created a small hotfix for a demo installation. As I like to run everything on BastilleBSD I added basic support for jails as well (due to missing default loopback interface).

https://hackacad.net/post/2021-07-24-porting-aws-opensearch-to-freebsd/
Poudriere ports no longer updating (SVN to Git migration)

In case your poudriere ports are no longer being updated via poudriere ports -u:

Did you hear about the Git migration?

The easiest way should be to delete the old ports tree and refetch it.

poudriere ports -d default
poudriere ports -c -m git+https

Done.

https://hackacad.net/post/2021-05-17-poudriere-ports-not-updating/
Upgrade BastilleBSD jails from source (offline/src.txz)
Upgrade BastilleBSD jails from source

Using bastille upgrade 12.1-RELEASE 12.2-RELEASE is the preferred way of upgrading. If you need to do that air-gapped or with a special release (like -HEAD) you can use this tutorial.

Before you start: make sure your host system is not behind the jail’s release.
svnlite checkout https://svn.freebsd.org/base/head /usr/src

If you want to fetch a special branch you can svnlite checkout one of the following branches: ‘release/12.2.0’ ‘releng/12.2’ ‘stable/12’ e.g. svnlite checkout https://svn.freebsd.org/base/releng/12.2 /usr/src

https://hackacad.net/freebsd/2021/02/15/upgrade-bastille-jails-offline-from-source.html
Create an Ubuntu Linux jail on FreeBSD 12.2
Create a jailed Ubuntu Linux with Bastille on FreeBSD 12.2

Make sure Bastille is installed and configured.

This is not officially supported, so don’t use it in production!

Update 2021/02/11: Auto Installer

You could try the following POC for automated jail creation:

DO NOT USE THIS IN PRODUCTION!

THIS MIGHT BREAK YOUR RUNNING INSTALLATION

git clone -b linux_compat https://github.com/hackacad/bastille
cd bastille && make install
bastille bootstrap bionic
bastille create -L linuxjail bionic (ipaddress) (interface)
bastille console linuxjail
Manual installation

This how-to is based on

https://hackacad.net/post/2021-01-23-create-a-ubuntu-linux-jail-on-freebsd/
Easy and lightweight jails with BastilleBSD
HowTo create jails with Bastille 0.8
TL;DR of https://github.com/BastilleBSD/bastille/ (updated for Bastille 0.8.20210115)

install bastille

Bastille is very active so make sure you switch to the latest pkg mirror

vim /etc/pkg/FreeBSD.conf
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

enable bastille

sysrc bastille_enable=YES

create virtual network bridge

sysrc cloned_interfaces+=lo1
sysrc ifconfig_lo1_name="bastille0"
service netif cloneup

edit /etc/pf.conf (add the lines without #)

ext_if="em0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)

## Enable dynamic rdr (see below) bastille 0.7+
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet #disable for VNET
pass in inet proto tcp from any to any port ssh flags S/SA keep state

add ZFS support (check zpool with “zpool list”)

https://hackacad.net/freebsd/2021/01/18/easy-freebsd-jail-management-bastille.html
How to create a FreeBSD pkg mirror using bastille and poudriere

This is a short how-to for creating a FreeBSD pkg mirror using BastilleBSD and Poudriere.

Two things:

Yes! This is not a full how-to for creating a mirror, but I assume you’re able to spawn a webserver and move files on the filesystem.

Yes! You could do more automation using templates. At the time we started playing with poudriere, bastille didn’t have the features it has now (0.8).

on the jail host:

Bastille is very active so make sure you switch to the latest pkg mirror

https://hackacad.net/post/2021-01-13-build-a-freebsd-pkg-mirror-with-bastille-poudriere/
Add password authentication to Elasticsearch 7.10 on FreeBSD 12.2

If you want/need to add password authentication to your FreeBSD Elasticsearch cluster (this should work on any FreeBSD with elasticsearch7)

TLDR; (again)

Add the following lines to your /usr/local/etc/elasticsearch/elasticsearch.yml:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

and restart elasticsearch.

service elasticsearch restart

Make sure curl is installed:

pkg install curl

Link the installed Java into the bundled directory (this is neither recommended nor supported but it does the trick)

mkdir -p /usr/local/lib/elasticsearch/jdk/bin
ln -s /usr/local/bin/java /usr/local/lib/elasticsearch/jdk/bin/java

And run the password setup utility (this might take up to 2 minutes)

https://hackacad.net/uncategorized/2021/01/08/add-password-authentication-to-elasticsearch-7-10-on-freebsd-12-2.html
How to secure your Saltstack Salt Master using spiped

This is a short how-to for securing Saltstack communication via spiped.
(most of it is based on the how-to I wrote on securing Elasticsearch with spiped)

At first: install spiped

FreeBSD

pkg install spiped

Debian/Ubuntu

apt install spiped

CentOS (for those who haven’t migrated yet)

vim /etc/yum.repos.d/spiped.repo
[lsde-spiped]
name=spiped repo
baseurl=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/epel-7-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1

install spiped

yum clean all
yum install spiped

generate symmetric encryption key

dd if=/dev/urandom of=/root/saltpipe.key bs=32 count=1

and copy the key file onto every client

https://hackacad.net/security/2020/05/06/how-to-secure-you-salstack-salt-master-using-spiped.html
Using FIDO2 Auth Keys (Yubikey, Solokeys) with MacOS and FreeBSD
OpenSSH 8.2p1 with FIDO2 support was recently added to MacOS (via Homebrew) and FreeBSD (via ports/pkg).

Here’s a short how-to on securely logging in to your FreeBSD servers via FIDO2 (Yubikey, Solokey et al.).

On your MacOS client:

Open a terminal and install libfido2 and openssh (8.2p1)

brew install openssh libfido2

Generate your ECDSA key with libfido2.
Insert your FIDO2 USB stick and run (push the auth button on your key when prompted):

https://hackacad.net/freebsd/2020/03/27/using-fido2-auth-keys-yubikey-solokey-with-macos-and-freebsd.html
How-to migrate your FreeBSD jails from iocage to bastille

Stop the running jail and export it:

iocage stop jailname
iocage export jailname

Move the backup files (.zip and .sha256) into the Bastille backup dir (default: /usr/local/bastille/backups/):

mv /iocage/images/jailname_2020-03-26.* /usr/local/bastille/backups/

For remote systems you could use rsync:

rsync -avh /iocage/images/jailname_2020-03-26.* root@10.0.1.10:/usr/local/bastille/backups/

Import the iocage backup file (use zip file name):

bastille import jailname_2020-03-26.zip

Set your new IP address and interface:

vim /usr/local/bastille/jails/jailname/jail.conf
interface = bastille0;
ip4.addr = "192.168.0.1";

You can use your primary network interface instead of the virtual bastille0 interface as well if you know what you’re doing.

https://hackacad.net/freebsd/2020/03/26/howto-migrate-your-freebsd-jails-from-iocage-to-bastille.html
Easy and lightweight jails with BastilleBSD
Go to 2021 version

HowTo create jails with Bastille
TL;DR of https://github.com/BastilleBSD/bastille/

install bastille

Bastille is very active so make sure you switch to the latest pkg mirror

vim /etc/pkg/FreeBSD.conf
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

enable bastille

sysrc bastille_enable=YES

create virtual network bridge

sysrc cloned_interfaces+=lo1
sysrc ifconfig_lo1_name="bastille0"
service netif cloneup

edit /etc/pf.conf (add the lines without #)

ext_if="em0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)

block in all
pass out quick modulate state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state

add ZFS support (check zpool with “zpool list”)

https://hackacad.net/freebsd/2020/01/31/easy-freebsd-jail-management-bastille.html
Install Redmine 3.4 on FreeBSD 11.2 with Apache, Passenger and MySQL
TLDR for Redmine on FreeBSD 11.2

install redmine and a bunch of dependencies

UPDATE 2019/03/11: the redmine pkg is currently not available on the quarterly mirror (make sure you use the latest branch in /etc/pkg/FreeBSD.conf)
pkg install redmine apache24 mysql56-server mysql56-client rubygem-passenger-apache
vim /usr/local/etc/apache24/httpd.conf

add the following lines to your httpd.conf or Includes/redmine.conf

LoadModule passenger_module /usr/local/lib/ruby/gems/2.4/gems/passenger-6.0.0/buildout/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/2.4/gems/passenger-6.0.0
PassengerRuby /usr/local/bin/ruby24

to use ssl uncomment the following lines and set Listen port to 443
LoadModule ssl_module libexec/apache24/mod_ssl.so
SSLEngine on
SSLCertificateFile "/usr/local/etc/apache24/YOUR_SSL.crt"
SSLCertificateKeyFile "/usr/local/etc/apache24/YOUR_SSL.key"

RailsEnv production
PassengerDefaultUser www
DocumentRoot /usr/local/www/redmine/public/
<Directory "/usr/local/www/redmine/public/">
  Allow from all
  Options -MultiViews
  Require all granted
</Directory>

https://hackacad.net/freebsd/2019/03/01/install-redmine-on-freebsd-with-mysql-apache.html
Secure Elasticsearch without X-Pack or SSL/TLS

HowTo Secure Elasticsearch using spiped on FreeBSD, Debian and CentOS

Spiped makes it really easy to secure connections between clients and Elasticsearch databases.

Elasticsearch with spiped

Keep in mind that the symmetric key (once compromised) can be used to intercept/MITM all connections.

install spiped

FreeBSD

pkg install spiped

Debian/Ubuntu

apt install spiped

CentOS

vim /etc/yum.repos.d/spiped.repo
[lsde-spiped]
name=Copr repo for spiped owned by lsde
baseurl=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/epel-7-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1

install spiped

https://hackacad.net/freebsd/2019/03/01/secure-elasticsearch-without-x-pack.html
Logstash 5 not starting on FreeBSD
Logstash service fails on FreeBSD (11.x)
[2018-11-06T12:24:56,663][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2018-11-06T12:24:56,664][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
Did you add procfs/fdesc in /etc/fstab?

vim /etc/fstab
fdesc   /dev/fd      fdescfs       rw    0    0
proc    /proc        procfs        rw    0    0

mount -a
https://hackacad.net/freebsd/2018/12/03/logstash-not-starting-freebsd.html
Saltstack 2018.x fails to start after OS upgrade

If your Salt Minion fails to start with

[salt.utils.process:754 ][ERROR ][5542] An un-handled exception from the multiprocessing process 'SignalHandlingMultiprocessingProcess-1:59' was caught:
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/salt/utils/process.py", line 747, in _run
    return self._original_run()
[…]
  File "/usr/lib/python3.5/asyncio/base_events.py", line 411, in run_forever
    'Cannot run the event loop while another loop is running')
RuntimeError: Cannot run the event loop while another loop is running

You might be running Tornado version 5+

https://hackacad.net/freebsd/2018/10/30/saltstack-tornado5.html
Run Elasticsearch 6.x in a FreeBSD Jail

If you try to run Elasticsearch in a Jail without an external IP address you might get an error like:

No up-and-running loopback addresses found, got [name:lo1 (lo1)]
How to solve it?

You need to bind your Elasticsearch to your primary IP address:

vim /usr/local/etc/elasticsearch/elasticsearch.yml:
network.host: 10.10.10.2
https://hackacad.net/freebsd/2018/10/28/elasticssearch6_jail.html
Shared object “libdl.so.1” not found

If you see the following error after pkg upgrade or pkg install:

Shared object “libdl.so.1” not found

Your FreeBSD version might be outdated. This currently happens on FreeBSD 11.1 if you use the latest/quarterly pkg mirror.

How to fix it?
freebsd-update -r 11.2-RELEASE upgrade
reboot
freebsd-update install
pkg update && pkg upgrade
https://hackacad.net/freebsd/2018/10/03/libldl.html