Bastille is very nice to use. You can spin up a jail with a simple `doas bastille create myjail 10.0.0.1` or whatever. Bastillefiles stand in as Dockerfile analogs, if you want to go that route (you have to create the jail, then apply the template, rather than doing it in a single command).

One nice thing is cloning a jail (which can be done live if using ZFS) to spin up a dev/test environment on a different IP. Or setting up a jail to try some different configurations and not having to worry about resetting things on your main host.

I've set up a storage jail with no network access, then a couple of service jails that dip into it at various mount points/permissions. It's total overkill for what I'm doing, but the point is to learn, tinker, and have fun.