Edge / Branch Office Server — your branch office is a self-contained datacenter that fits in a shoebox.
A branch office needs DNS, DHCP, file sharing, and a VPN tunnel back to HQ. Traditionally that means four appliances, a support contract, and a prayer. With kldload, one box does everything — and it replicates itself to headquarters every hour so you can rebuild it from scratch if it catches fire. Install the server profile, configure the services, point syncoid at HQ, and walk away.
The recipe
Step 1: Install the server profile
# Boot the kldload USB, pick server profile
# After install, create datasets for branch office services
kdir /srv/branch
kdir /srv/branch/shares
kdir /srv/branch/dns
kdir /srv/branch/vpnStep 2: Configure dnsmasq for DNS + DHCP
# Install dnsmasq
kpkg install dnsmasq
# Configure DNS + DHCP for the branch LAN
cat > /etc/dnsmasq.d/branch.conf <<'DNSMASQ'
# Listen on the LAN interface only
interface=eth1
bind-interfaces
# DHCP range for the branch
dhcp-range=10.20.1.100,10.20.1.200,255.255.255.0,12h
# Gateway and DNS
dhcp-option=option:router,10.20.1.1
dhcp-option=option:dns-server,10.20.1.1
# Local domain
domain=branch01.corp.local
local=/branch01.corp.local/
# Forward everything else to HQ DNS over the tunnel
server=10.0.0.1
DNSMASQ
systemctl enable --now dnsmasqStep 3: NFS file shares
# Create shared directories
kdir /srv/branch/shares/engineering
kdir /srv/branch/shares/sales
kdir /srv/branch/shares/common
# Set quotas
zfs set quota=100G rpool/srv/branch/shares/engineering
zfs set quota=50G rpool/srv/branch/shares/sales
zfs set quota=20G rpool/srv/branch/shares/common
# Export via NFS
cat > /etc/exports <<'NFS'
/srv/branch/shares/engineering 10.20.1.0/24(rw,sync,no_subtree_check)
/srv/branch/shares/sales 10.20.1.0/24(rw,sync,no_subtree_check)
/srv/branch/shares/common 10.20.1.0/24(rw,sync,no_subtree_check)
NFS
systemctl enable --now nfs-server
exportfs -aStep 4: WireGuard tunnel to HQ
# Generate keys
wg genkey | tee /srv/branch/vpn/private.key | wg pubkey > /srv/branch/vpn/public.key
chmod 600 /srv/branch/vpn/private.key
# Configure the tunnel
cat > /etc/wireguard/wg-hq.conf <<'WG'
[Interface]
PrivateKey = BRANCH_PRIVATE_KEY_HERE
Address = 10.0.0.10/24
DNS = 10.0.0.1
[Peer]
PublicKey = HQ_PUBLIC_KEY_HERE
Endpoint = hq.corp.example.com:51820
AllowedIPs = 10.0.0.0/24,172.16.0.0/16
PersistentKeepalive = 25
WG
# Bring it up and keep it up
systemctl enable --now wg-quick@wg-hqStep 5: ZFS replication to HQ for disaster recovery
# Install Sanoid for snapshot management
kpkg install sanoid
# Snapshot policy for branch data
cat > /etc/sanoid/sanoid.conf <<'SANOID'
[rpool/srv/branch]
use_template = branch
recursive = yes
[template_branch]
autosnap = yes
autoprune = yes
hourly = 24
daily = 30
weekly = 4
monthly = 6
SANOID
systemctl enable --now sanoid.timer
# Replicate to HQ over the WireGuard tunnel
cat > /etc/cron.d/syncoid-hq <<'CRON'
0 * * * * root syncoid --recursive --no-sync-snap rpool/srv/branch hq-backup:tank/branches/branch01/srv >> /var/log/syncoid.log 2>&1
30 * * * * root syncoid --recursive --no-sync-snap rpool/ROOT hq-backup:tank/branches/branch01/ROOT >> /var/log/syncoid.log 2>&1
CRONWhat you get
One box, all services
DNS, DHCP, NFS, VPN — running on a single server with ZFS underneath. No appliance sprawl, no management planes, no web portals to click through.
Hourly replication to HQ
Syncoid sends only changed blocks over the WireGuard tunnel. A branch with 500GB of data and 1GB of daily changes? The hourly sync takes seconds.
Per-service datasets
Engineering gets 100GB. Sales gets 50GB. Each has its own snapshots, its own quota, its own replication stream. One department can't fill the disk for everyone.
Rebuildable from zero
The entire branch server — OS, configs, data — replicates to HQ. If the hardware dies, receive the backup onto a new box and ship it out. Full recovery in hours, not weeks.