Merge branch 'poudriere'

.gitattributes

@@ -1,2 +1,3 @@
 cargo_credentials.toml filter=git-crypt diff=git-crypt
 **/wireguard_configs/** filter=git-crypt diff=git-crypt
+*.key filter=git-crypt diff=git-crypt

ansible/environments/vm/host_vars/poudriereodo

@@ -0,0 +1,13 @@
+os_flavor: "freebsd"
+poudriere_builds:
+  - jail: 13amd64
+    ports: default
+    set: framework
+    version: 13.1-RELEASE
+  - jail: current
+    ports: default
+    set: framework
+    version: CURRENT
+    revision: af01b4722577903f91acc44f01bdcb8cdb2d65ad
+    kernel: CUSTOM
+    branch: main

ansible/environments/vm/hosts

@@ -0,0 +1,2 @@
+[vm]
+poudriereodo ansible_user=builder ansible_host=10.213.177.12

ansible/playbook.yaml

@@ -1,4 +1,4 @@
-- hosts: all:!jail
+- hosts: all:!jail:!vm
   vars:
     ansible_become: True
   roles:
@@ -36,9 +36,18 @@
     - google_cloud_sdk
     - ansible
     - wireguard
+    - portshaker
+    - poudriere
 
 - hosts: nat_dhcp:homeserver_nat_dhcp
   vars:
     ansible_become: True
   roles:
     - jail_nat_dhcp
+
+- hosts: poudriereodo
+  vars:
+    ansible_become: True
+  roles:
+    - portshaker
+    - poudriere

ansible/roles/ansible/tasks/linux.yaml

@@ -13,16 +13,26 @@
 #     name: []
 #     state: present
 #     update_cache: true
-    
+
 - name: Install packages
   package:
     name:
       - ansible
     state: present
 
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - /usr/share/ansible/plugins/connection_plugins
+
 - name: Install sshjail plugin
   ansible.builtin.get_url:
     url: https://raw.githubusercontent.com/austinhyde/ansible-sshjail/e712c537ecdfc7a660f222fbac4172dd715fc130/sshjail.py
     dest: /usr/share/ansible/plugins/connection_plugins/sshjail.py
-    mode: '0555'
+    mode: "0555"
     checksum: sha512:730c887ae7bbf2de34da44fb10a45fdeff649e3f2447df821c93ef02a21ecbef7db2fd57f1fc85fcd0b5b86fa30aa2b9ef143865d1e5086620c7dbe0633207cd

ansible/roles/base/files/cleanup_temporary_files

@@ -1,4 +1,4 @@
 #!/usr/bin/env bash
 #
 # Delete temporary files on entire disk
-find / -type f -name '*.orig' -delete -or -name '*~' -or -name '*.core' -delete -print
+find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null

ansible/roles/base/files/homeserver_rc.conf

@@ -2,7 +2,7 @@ clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="computer"
-local_unbound_enable="YES"
+local_unbound_enable="NO"
 sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"

ansible/roles/base/files/odofreebsd_rc.conf

@@ -2,7 +2,6 @@ clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="odo"
-local_unbound_enable="YES"
 sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"

ansible/roles/bhyve/files/arch.conf

@@ -13,10 +13,25 @@ console="tmux"
 cpu=1
 memory=1024M
 
-disk0_type="virtio-blk"
+disk0_type="nvme"
 disk0_name="disk0"
 disk0_dev="sparse-zvol"
 virt_random="yes"  # virtio-rnd
 
 # Creates a link to host_bridge1's link3 hook to the vmlink hook on a type socket
 bhyve_options="-s 2:0,virtio-net,netgraph,path=host_bridge1:,peerhook=link3"
+
+# Share a host directory to the guest via 9pfs.
+#
+# Inside the VM run:
+#   mount -t virtfs -o trans=virtio sharename /some/vm/path
+#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
+#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 sharename /path/to/mountpoint
+# bhyve_options="-s 28,virtio-9p,sharename=/"
+
+# Enable Sound
+# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
+
+# Lower the priority of the VM [-20 highest, 20 only run when system idle] default: 0
+#
+# priority="20"

ansible/roles/firewall/files/homeserver_pf.conf

@@ -44,4 +44,4 @@ pass quick on $ext_if proto udp from any port $dhcp to any port $dhcp
 
 pass in on host_uplink0 proto udp from any to any port { 53 51820 }
 pass out on host_uplink0 proto tcp from any to any port 8081
-pass in on host_uplink1
+pass on host_uplink1

ansible/roles/firewall/files/odofreebsd_pf.conf

@@ -42,4 +42,4 @@ pass quick on $ext_if proto udp from any port $dhcp to any port $dhcp
 
 pass in on host_uplink0 proto udp from any to any port { 53 51820 }
 pass out on host_uplink0 proto tcp from any to any port 8081
-pass in on host_uplink1
+pass on host_uplink1

ansible/roles/hosts/tasks/common.yaml

@@ -1,7 +1,7 @@
 - name: Set the /etc/hosts
   ansible.builtin.lineinfile:
     path: /etc/hosts
-    regexp: '^{{ item.key | regex_escape() }}'
+    regexp: '^{{ item.key | regex_escape() }}\s+'
     line: "{{ item.key }}		{{ item.value | join(' ') }}"
   loop: "{{ etc_hosts | dict2items }}"
 

ansible/roles/jail_nat_dhcp/files/dhcpd.conf

@@ -9,4 +9,5 @@ subnet 10.213.177.0 netmask 255.255.255.0 {
   range 10.213.177.10 10.213.177.250;
   option broadcast-address 10.213.177.255;
   option routers 10.213.177.1;
+  option domain-name-servers 10.213.177.1;
 }

ansible/roles/network/files/local_unbound_rc.conf

@@ -0,0 +1,6 @@
+# For some unknown reason, enabling local unbound with DNS over TLS breaks network connectivity a couple minutes later
+local_unbound_enable="NO"
+local_unbound_tls="YES"
+local_unbound_forwarders="1.0.0.1@853#cloudflare-dns.com 1.1.1.1@853#cloudflare-dns.com 2606:4700:4700::1111@853#cloudflare-dns.com 2606:4700:4700::1001@853#cloudflare-dns.com"
+# local_unbound_forwarders="194.242.2.2@853#doh.mullvad.net"
+# local_unbound_forwarders="194.242.2.2@853#doh.mullvad.net 2a07:e340::2@853#doh.mullvad.net 1.0.0.1@853#cloudflare-dns.com 1.1.1.1@853#cloudflare-dns.com 2606:4700:4700::1111@853#cloudflare-dns.com 2606:4700:4700::1001@853#cloudflare-dns.com"

ansible/roles/network/files/mullvlad_dns_over_tls.conf

@@ -0,0 +1,3 @@
+[Resolve]
+DNS=194.242.2.2#doh.mullvad.net [2a07:e340::2]#doh.mullvad.net
+DNSOverTLS=yes

ansible/roles/network/tasks/freebsd.yaml

@@ -1,3 +1,4 @@
+# MANUAL: I had to run `sudo service local_unbound setup`
 - name: Install configuration
   copy:
     src: "files/{{ item.src }}"
@@ -35,3 +36,13 @@
     # - name: net.inet6.ip6.use_tempaddr # Enable privacy addresses
     #   value: "1"
     # - name: net.inet6.ip6.prefer_tempaddr # Prefer privacy addresses
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - local_unbound

ansible/roles/network/tasks/linux.yaml

@@ -1,6 +1,20 @@
-# - name: Install packages
-#   pacman:
-#     name:
-#       - foo
-#     state: present
-#     update_cache: true
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - /etc/systemd/resolved.conf.d
+
+- name: Copy files
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: mullvlad_dns_over_tls.conf
+      dest: /etc/systemd/resolved.conf.d/mullvlad_dns_over_tls.conf

ansible/roles/portshaker/files/freebsd

@@ -0,0 +1,10 @@
+#!/bin/sh
+. /usr/local/share/portshaker/portshaker.subr
+if [ "$1" != '--' ]; then
+  err 1 "Extra arguments"
+fi
+shift
+method="git"
+git_clone_uri="https://git.FreeBSD.org/ports.git"
+git_branch="main"
+run_portshaker_command $*

ansible/roles/portshaker/files/myrepo

@@ -0,0 +1,10 @@
+#!/bin/sh
+. /usr/local/share/portshaker/portshaker.subr
+if [ "$1" != '--' ]; then
+  err 1 "Extra arguments"
+fi
+shift
+method="git"
+git_clone_uri="https://code.fizz.buzz/talexander/ta_ports.git"
+git_branch="master"
+run_portshaker_command $*

ansible/roles/portshaker/files/portshaker.conf

@@ -0,0 +1,8 @@
+#---[ Base directory for mirrored Ports Trees ]---
+mirror_base_dir="/var/cache/portshaker"
+
+#---[ Directories where to merge ports ]---
+ports_trees="main"
+
+main_ports_tree="/usr/local/portshaker/trees/main"
+main_merge_from="freebsd myrepo"

ansible/roles/portshaker/tasks/common.yaml

@@ -0,0 +1,15 @@
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/portshaker/tasks/freebsd.yaml

@@ -0,0 +1,51 @@
+# Update ports tree:
+#   portshaker -U
+#   portshaker -M
+#
+# Force build:
+#   poudriere bulk -J 4 -C -j current -p default -z testing sysutils/kubectx
+#
+# Test build with interactive shell
+#   poudriere testport -i -J 4 -j current -p default -z testing sysutils/kubectx
+#   optional add -w to save the work directory
+
+- name: Install packages
+  package:
+    name:
+      - portshaker
+      - git
+    state: present
+
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - /usr/local/portshaker/trees
+
+- name: Install Configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - src: portshaker.conf
+      dest: /usr/local/etc/portshaker.conf
+
+- name: Install Scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: freebsd
+      dest: /usr/local/etc/portshaker.d/freebsd
+    - src: myrepo
+      dest: /usr/local/etc/portshaker.d/myrepo

ansible/roles/portshaker/tasks/linux.yaml

@@ -0,0 +1,21 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+    
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present

ansible/roles/portshaker/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: poudriere_builds is defined and poudriere_builds

ansible/roles/portshaker/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/poudriere/defaults/main.yaml

@@ -0,0 +1 @@
+poudriere_perf_flags: "-J 16"

ansible/roles/poudriere/files/poudboot

@@ -0,0 +1,23 @@
+#!/bin/sh
+# /usr/local/etc/rc.d/poudboot
+#
+# REQUIRE: FILESYSTEM kld
+# PROVIDE: poudboot
+# AFTER: netif
+
+. /etc/rc.subr
+name=poudboot
+rcvar=${name}_enable
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+load_rc_config $name
+
+poudboot_start() {
+    /usr/local/bin/poudboot start
+}
+
+poudboot_stop() {
+    /usr/local/bin/poudboot stop
+}
+
+run_rc_command "$1"

ansible/roles/poudriere/files/poudboot.bash

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+#
+# Run poudriere at system boot. Useful for virtual machines so launching the VM also kicks off a build.
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+function main {
+    COMMAND="$1"
+    shift 1
+
+    if [ "$COMMAND" = "start" ]; then
+        cmd_start "${@}"
+    elif [ "$COMMAND" = "stop" ]; then
+        cmd_stop "${@}"
+    else
+        die 1 "Unrecognized command: $COMMAND"
+    fi
+}
+
+function die {
+    exit_code="$1"
+    shift 1
+    (>&2 echo "${@}")
+    exit "$exit_code"
+}
+
+function abort_if_jobs_running {
+    if [[ $(sudo poudriere status) != *"No running builds"* ]]; then
+        echo "There is already a poudriere build in progress, exiting."
+        exit 0
+    fi
+}
+
+function build {
+    poudriere pkgclean -y "$@"
+    poudriere bulk -J "${POUDRIERE_JOBS:-1}" "$@"
+}
+
+function cmd_start {
+    abort_if_jobs_running
+
+    # Allow command failures without quitting the script because some
+    # package sets might fail whereas others may succeed based on which
+    # packages are in each set.
+    set +e
+
+    for conf in /opt/poudriere/build_configs/*; do
+        (
+            source "$conf"
+            build -j "$JAIL" -p "$PORTS" -z "$SET" -f /usr/local/etc/poudriere.d/$JAIL-$PORTS-$SET-pkglist
+        )
+    done
+
+    # Re-enable exiting on failed commands
+    set -e
+
+    # Cleanup old unused dist files
+    for conf in /opt/poudriere/build_configs/*; do
+        (
+            source "$conf"
+            poudriere distclean -y -p "$PORTS" -f /usr/local/etc/poudriere.d/$JAIL-$PORTS-$SET-pkglist
+        )
+    done
+
+    poudriere logclean -y 180
+}
+
+function cmd_stop {
+    echo "cmd_stop not implemented."
+}
+
+main "${@}"

ansible/roles/poudriere/files/poudriere.conf

@@ -0,0 +1,350 @@
+
+# Poudriere can optionally use ZFS for its ports/jail storage. For
+# ZFS define ZPOOL, otherwise set NO_ZFS=yes
+#
+#### ZFS
+# The pool where poudriere will create all the filesystems it needs
+# poudriere will use ${ZPOOL}/${ZROOTFS} as its root
+#
+# You need at least 7GB of free space in this pool to have a working
+# poudriere.
+#
+#ZPOOL=zroot
+ZPOOL=zroot
+
+### NO ZFS
+# To not use ZFS, define NO_ZFS=yes
+#NO_ZFS=yes
+
+# root of the poudriere zfs filesystem, by default /poudriere
+# ZROOTFS=/poudriere
+ZROOTFS=/poudriere
+
+# the host where to download sets for the jails setup
+# You can specify here a host or an IP
+# replace _PROTO_ by http or ftp
+# replace _CHANGE_THIS_ by the hostname of the mirrors where you want to fetch
+# by default: ftp://ftp.freebsd.org
+#
+# Also note that every protocols supported by fetch(1) are supported here, even
+# file:///
+# Suggested: https://download.FreeBSD.org
+FREEBSD_HOST=https://download.FreeBSD.org
+
+# By default the jails have no /etc/resolv.conf, you will need to set
+# RESOLV_CONF to a file on your hosts system that will be copied has
+# /etc/resolv.conf for the jail, except if you don't need it (using an http
+# proxy for example)
+RESOLV_CONF=/etc/resolv.conf
+
+# The directory where poudriere will store jails and ports
+BASEFS=/usr/local/poudriere
+
+# The directory where the jail will store the packages and logs
+# by default a zfs filesystem will be created and set to
+# ${BASEFS}/data
+#
+#POUDRIERE_DATA=${BASEFS}/data
+
+# Use portlint to check ports sanity
+USE_PORTLINT=no
+
+# When building packages, a memory device can be used to speedup the build.
+# Only one of MFSSIZE or USE_TMPFS is supported. TMPFS is generally faster
+# and will expand to the needed amount of RAM. MFS is a slower since it
+# uses UFS and several abstraction layers.
+
+# If set WRKDIRPREFIX will be mdmfs of the given size (mM or gG)
+#MFSSIZE=4G
+
+# Use tmpfs(5)
+# This can be a space-separated list of options:
+# wrkdir    - Use tmpfs(5) for port building WRKDIRPREFIX
+# data      - Use tmpfs(5) for poudriere cache/temp build data
+# localbase - Use tmpfs(5) for LOCALBASE (installing ports for packaging/testing)
+# all       - Run the entire build in memory, including builder jails.
+# yes       - Enables tmpfs(5) for wrkdir and data
+# no        - Disable use of tmpfs(5)
+# EXAMPLE: USE_TMPFS="wrkdir data"
+USE_TMPFS=all
+# USE_TMPFS=yes
+# USE_TMPFS=no
+
+# How much memory to limit tmpfs size to for *each builder* in GiB
+# (default: none)
+#TMPFS_LIMIT=8
+TMPFS_LIMIT=16
+
+# How much memory to limit jail processes to for *each builder*
+# in GiB (default: none)
+#MAX_MEMORY=8
+
+# How many file descriptors to limit each jail process to (default: 1024)
+# This can also be set per PKGBASE, such as MAX_FILES_RStudio=2048.
+# Package names with hyphens (-) should be replaced with underscores (_).
+#MAX_FILES=1024
+
+# If set the given directory will be used for the distfiles
+# This allows to share the distfiles between jails and ports tree
+# If this is "no", poudriere must be supplied a ports tree that already has
+# the required distfiles.
+DISTFILES_CACHE=/usr/ports/distfiles
+
+# If set the ports tree marked to use git will use the defined
+# mirror (default: git.FreeBSD.org/port.git)
+#
+# Example to use github mirror:
+#GIT_BASEURL=https://github.com/freebsd/freebsd-src.git
+
+# If set the source tree marked to use git will use the defined
+# mirror (default: git.FreeBSD.org/src.git)
+#
+# Example to use github mirror:
+#GIT_PORTSURL=https://github.com/freebsd/freebsd-ports.git
+
+# If set the ports tree or source tree marked to use svn will use the defined
+# mirror (default: svn.FreeBSD.org)
+# The SSL fingerprints are published here:
+# https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/svn.html#svn-mirrors
+#SVN_HOST=svn.FreeBSD.org
+
+# Automatic OPTION change detection
+# When bulk building packages, compare the options from kept packages to
+# the current options to be built. If they differ, the existing package
+# will be deleted and the port will be rebuilt.
+# Valid options: yes, no, verbose
+# verbose will display the old and new options
+#CHECK_CHANGED_OPTIONS=verbose
+
+# Automatic Dependency change detection
+# When bulk building packages, compare the dependencies from kept packages to
+# the current dependencies for every port. If they differ, the existing package
+# will be deleted and the port will be rebuilt. This helps catch changes such
+# as DEFAULT_RUBY_VERSION, PERL_VERSION, WITHOUT_X11 that change dependencies
+# for many ports.
+# Valid options: yes, no
+# Default: yes
+#CHECK_CHANGED_DEPS=yes
+
+# Consider bad dependency lines on the wrong PKGNAME as fatal.
+# For example:
+#    BUILD_DEPENDS=  p5-List-MoreUtils>=0:lang/p5-List-MoreUtils
+# If this port's PKGNAME were really "List-MoreUtils" then it would
+# not be recorded into the resulting package.  The next build with
+# CHECK_CHANGED_DEPS enabled would consider it a "new dependency"
+# since it is in the port but not in the package.  This is usually
+# a warning but can be made fatal instead by enabling this option.
+# Default: no
+#BAD_PKGNAME_DEPS_ARE_FATAL=yes
+
+
+# Path to the RSA key to sign the PKG repo with. See pkg-repo(8)
+#PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key
+PKG_REPO_SIGNING_KEY=/usr/local/etc/poudriere.d/poudriere.key
+
+# Command to sign the PKG repo with. See pkg-repo(8)
+# This produces a repo that supports SIGNATURE_TYPE=FINGERPRINTS
+# Default: not set
+#SIGNING_COMMAND=ssh signing-server sign.sh
+
+# Repo signing command execution context
+# If SIGNING_COMMAND is set, run pkg-repo(8) on the host?
+#   no  -   Run in the jail
+#   yes -   Run on the host
+# Default: no
+#PKG_REPO_FROM_HOST=yes
+
+# ccache support. Supply the path to your ccache cache directory.
+# It will be mounted into the jail and be shared among all jails.
+# It is recommended that extra ccache configuration be done with
+# ccache -o rather than from the environment.
+#CCACHE_DIR=/var/cache/ccache
+
+# Static ccache support from host.  This uses the existing
+# ccache from the host in the build jail.  This is useful for
+# using ccache+memcached which cannot easily be bootstrapped
+# otherwise.  The path to the PREFIX where ccache was installed
+# must be used here, and ccache must have been built statically.
+# Note also that ccache+memcached will require network access
+# which is normally disabled.  Separately setting RESTRICT_NETWORKING=no
+# may be required for non-localhost memcached servers.
+#CCACHE_STATIC_PREFIX=/usr/local
+
+# The jails normally only allow network access during the 'make fetch'
+# phase.  This is a security restriction to prevent random things
+# ran during a build from accessing the network.  Disabling this
+# is not advised.  ALLOW_NETWORKING_PACKAGES may be used to allow networking
+# for a subset of packages only.
+#RESTRICT_NETWORKING=yes
+#ALLOW_NETWORKING_PACKAGES="npm-foo"
+
+# parallel build support.
+#
+# By default poudriere uses hw.ncpu to determine the number of builders.
+# You can override this default by changing PARALLEL_JOBS here, or
+# by specifying the -J flag to bulk/testport.
+#
+# Example to define PARALLEL_JOBS to one single job
+# PARALLEL_JOBS=1
+PARALLEL_JOBS=1
+
+# How many jobs should be used for preparing the build? These tend to
+# be more IO bound and may be worth tweaking. Default: PARALLEL_JOBS * 1.25
+# PREPARE_PARALLEL_JOBS=1
+
+
+# If set, failed builds will save the WRKDIR to ${POUDRIERE_DATA}/wrkdirs
+# SAVE_WRKDIR=yes
+
+# Choose the default format for the workdir packing: could be tar,tgz,tbz,txz
+# default is tbz
+# WRKDIR_ARCHIVE_FORMAT=tbz
+WRKDIR_ARCHIVE_FORMAT=txz
+
+# Disable Linux support
+# NOLINUX=yes
+
+# By default poudriere sets FORCE_PACKAGE
+# To disable it (useful when building public packages):
+# NO_FORCE_PACKAGE=yes
+
+# By default poudriere sets PACKAGE_BUILDING
+# To disable it:
+# NO_PACKAGE_BUILDING=yes
+
+# If you are using a proxy define it here:
+# export HTTP_PROXY=bla
+# export FTP_PROXY=bla
+#
+# Cleanout the restricted packages
+# NO_RESTRICTED=yes
+
+# By default MAKE_JOBS is disabled to allow only one process per cpu
+# Use the following to allow it anyway
+# ALLOW_MAKE_JOBS=yes
+ALLOW_MAKE_JOBS=yes
+
+# List of packages that will always be allowed to use MAKE_JOBS
+# regardless of ALLOW_MAKE_JOBS. This is useful for allowing ports
+# which holdup the rest of the queue to build more quickly.
+#ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py*"
+
+# Timestamp every line of build logs
+# Default: no
+#TIMESTAMP_LOGS=no
+
+# URL where your POUDRIERE_DATA/logs are hosted
+# This will be used for giving URL hints to the HTML output when
+# scheduling and starting builds
+# URL_BASE=https://freebsdpkg.fizz.buzz/logs
+
+
+# This defines the max time (in seconds) that a command may run for a build
+# before it is killed for taking too long. Default: 86400
+#MAX_EXECUTION_TIME=86400
+# 2 days
+MAX_EXECUTION_TIME=172800
+
+# This defines the time (in seconds) before a command is considered to
+# be in a runaway state for having no output on stdout. Default: 7200
+#NOHANG_TIME=7200
+NOHANG_TIME=14400
+
+
+# The repository is updated atomically if set yes. This leaves the
+# repository untouched until the build completes. This involves using
+# hardlinks and symlinks. The operations are fast, but can be intrusive
+# for remote syncing or backups.
+# Recommended to always keep on.
+# Default: yes
+#ATOMIC_PACKAGE_REPOSITORY=yes
+
+# When using ATOMIC_PACKAGE_REPOSITORY, commit the packages if some
+# packages fail to build. Ignored ports are considered successful.
+# This can be set to 'no' to only commit the packages once no failures
+# are encountered.
+# Default: yes
+#COMMIT_PACKAGES_ON_FAILURE=yes
+COMMIT_PACKAGES_ON_FAILURE=no
+
+# Keep older package repositories. This can be used to rollback a system
+# or to bisect issues by changing the repository to one of the older
+# versions and reinstalling everything with `pkg upgrade -f`
+# ATOMIC_PACKAGE_REPOSITORY is required for this.
+# Default: no
+#KEEP_OLD_PACKAGES=no
+
+# How many old package repositories to keep with KEEP_OLD_PACKAGES
+# Default: 5
+#KEEP_OLD_PACKAGES_COUNT=5
+
+# Make testing errors fatal.
+# If set to 'no', ports with test failure will be marked as failed but still
+# packaged to permit testing dependent ports (useful for bulk -t -a)
+# Default: yes
+#PORTTESTING_FATAL=yes
+
+# Define the building jail hostname to be used when building the packages
+# Some port/packages hardcode the hostname of the host during build time
+# This is a necessary setup for reproducible builds.
+#BUILDER_HOSTNAME=pkg.FreeBSD.org
+
+# Define to get a predictable timestamp on the ports tree
+# This is a necessary setup for reproducible builds.
+#PRESERVE_TIMESTAMP=yes
+
+# Define to yes to build and stage as a regular user
+# Default: yes, unless CCACHE_DIR is set and CCACHE_DIR_NON_ROOT_SAFE is not
+# set.  Note that to use ccache with BUILD_AS_NON_ROOT you will need to
+# use a non-shared CCACHE_DIR that is only built by PORTBUILD_USER and chowned
+# to that user.  Then set CCACHE_DIR_NON_ROOT_SAFE to yes.
+#BUILD_AS_NON_ROOT=no
+
+# Define to the username to build as when BUILD_AS_NON_ROOT is yes.
+# Default: nobody (uid PORTBUILD_UID)
+#PORTBUILD_USER=nobody
+
+# Define to the uid to use for PORTBUILD_USER if the user does not
+# already exist in the jail.
+# Default: 65532
+#PORTBUILD_UID=65534
+
+# Define pkgname globs to boost priority for
+# Default: none
+#PRIORITY_BOOST="pypy openoffice*"
+
+# Define format for buildnames
+# Default: %Y-%m-%d_%Hh%Mm%Ss
+# ISO8601:
+#BUILDNAME_FORMAT="%FT%T%z"
+
+# Define format for build duration times
+# Default: %H:%M:%S
+#DURATION_FORMAT="%H:%M:%S"
+
+# Use colors when in a TTY
+# Default: yes
+#USE_COLORS=yes
+
+# Only build what is requested. Do not rebuild build deps if nothing requested
+# depends on them. This can create an inconsistent repository if you often
+# build one-off packages but expect the repository to stay consistent.
+# Defaut: yes
+#TRIM_ORPHANED_BUILD_DEPS=yes
+
+# A list of directories to exclude from leftover and filesystem violation
+# mtree checks.  Ccache is used here as an example but is already
+# excluded by default.  There is no need to add it here unless a
+# special configuration is used where it is a problem.
+# Default: none
+#LOCAL_MTREE_EXCLUDES="/usr/obj /var/tmp/ccache"
+
+# Set to hosted to use the /data directory instead of inline style HTML
+# Default: inline
+#HTML_TYPE="hosted"
+HTML_TYPE="hosted"
+
+# Set to track remaining ports in the HTML interface.  This can slow down
+# processing of the queue slightly, especially for bulk -a builds.
+# Default: no
+#HTML_TRACK_REMAINING=yes

ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-make.conf

@@ -0,0 +1,17 @@
+# Disable CPUTYPE optimizations when compiling gcc48 because tigerlake is not included in gcc4.8
+#
+# Disable CPUTYPE optimizations when compiling ripgrep because the build is failing https://github.com/BurntSushi/ripgrep/issues/1721
+#
+# Disable CPUTYPE optimizations for firefox due to failing build.
+#
+# Example from bottom of /usr/share/examples/etc/make.conf
+.if ${.CURDIR:N*/lang/gcc48*} && ${.CURDIR:N*/lang/gcc10*} && ${.CURDIR:N*/textproc/ripgrep*} && ${.CURDIR:N*/www/firefox*}
+# Disabling tigerlake optimizations because qemu's TCG does not support avx512
+#
+#CPUTYPE?=tigerlake
+CPUTYPE?=x86-64-v3
+.endif
+OPTIMIZED_CFLAGS=YES
+BUILD_OPTIMIZED=YES
+WITH_CPUFLAGS=YES
+BUILD_STATIC=YES

ansible/roles/poudriere/meta/main.yaml

@@ -0,0 +1,2 @@
+dependencies:
+  - portshaker

ansible/roles/poudriere/tasks/common.yaml

@@ -0,0 +1,15 @@
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/poudriere/tasks/freebsd.yaml

@@ -0,0 +1,140 @@
+#
+# Get CPU type:
+# sh -c "clang -v -fsyntax-only -march=native -x c /dev/null 2>&1 | grep -e '-target-cpu' | sed -e 's|.*-target-cpu \([[:alnum:]]*\) .*|\1|'"
+#
+# Check the CPU type:
+# make -C /usr/src CPUTYPE=broadwell -V MACHINE_CPU
+#
+# Generate options file for ports
+# poudriere options -j 12amd64 -p default -z stream -f /usr/local/etc/poudriere.d/12amd64-default-stream-pkglist
+#
+# Generate options file for specific ports
+# poudriere options -j 12amd64 -p default -z stream -c lang/gcc48
+#
+# Build the packages
+# poudriere bulk -j 12amd64 -p default -z stream -f /usr/local/etc/poudriere.d/12amd64-default-stream-pkglist
+#
+# List installed packages
+# pkg query -e '%a = 0' '%o' | sort
+#
+# Consider setting the following in the poudriere vm-bhyve config:
+# priority="20"
+
+- name: Install packages
+  package:
+    name:
+      - poudriere
+      - bash
+      - rsync
+      - flock
+    state: present
+
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    # - /usr/ports/distfiles
+    - /opt/poudriere/build_configs
+    - /usr/local/poudriere/data/logs/bulk
+
+- name: Install Configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: poudriere.conf
+      dest: /usr/local/etc/poudriere.conf
+    - src: poudriere.key
+      dest: /usr/local/etc/poudriere.d/poudriere.key
+#     - src: poudriere_deploy_ed25519
+#       dest: /usr/local/etc/poudriere.d/poudriere_deploy_ed25519
+
+# - name: Install Configuration directory
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: poudriere.d
+#       dest: /usr/local/etc/
+
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: poudboot.bash
+      dest: /usr/local/bin/poudboot
+
+- name: Install Configuration
+  template:
+    src: "build_config.j2"
+    dest: "/opt/poudriere/build_configs/{{ item.jail }}-{{ item.ports }}-{{ item.set }}"
+    owner: root
+    group: wheel
+    mode: 0600
+  loop: "{{ poudriere_builds }}"
+
+- name: Install rc script
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: poudboot
+
+- name: Get ports tree list
+  command: poudriere ports -ln
+  register: poudriere_ports_tree_list
+  changed_when: false
+  check_mode: no
+
+- name: Configure the ports tree
+  command: poudriere ports -c -m null -M /usr/local/portshaker/trees/main -p default
+  when: '"default" not in poudriere_ports_tree_list.stdout_lines'
+
+- name: Get jail list
+  command: poudriere jail -l -n -q
+  register: poudriere_jail_list
+  changed_when: false
+  check_mode: no
+
+- name: Create the jails
+  when: item.version != "CURRENT"
+  command: |-
+    poudriere jail {{poudriere_perf_flags}} -c -j {{ item.jail }} -v {{ item.version }}
+  args:
+    creates: "/usr/local/poudriere/jails/{{ item.jail }}"
+  loop: "{{ poudriere_builds }}"
+
+- name: Create the jails
+  when: item.version == "CURRENT"
+  # -D clones the entire history instead of just the most recent commit
+  command: |-
+    poudriere jail {{poudriere_perf_flags}} -c -j {{ item.jail }} -v {{ item.branch|default("main") }} -a amd64 -m git -D -U https://git.FreeBSD.org/src.git -K {{ item.kernel|default("GENERIC") }}
+  args:
+    creates: "/usr/local/poudriere/jails/{{ item.jail }}"
+  loop: "{{ poudriere_builds }}"
+
+# - name: Get current jail version
+#   command: poudriere jail -i -j current
+#   register: current_jail_version
+#   changed_when: false
+#   check_mode: no
+
+# - name: Set current jail version
+#   command: "poudriere jail -u {{poudriere_perf_flags}} -j current -t {{ freebsd_version }}"
+#   when: freebsd_version[:9] not in current_jail_version.stdout

ansible/roles/poudriere/tasks/linux.yaml

@@ -0,0 +1,21 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+    
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present

ansible/roles/poudriere/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: poudriere_builds is defined and poudriere_builds

ansible/roles/poudriere/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/poudriere/templates/build_config.j2

@@ -0,0 +1,3 @@
+JAIL={{ item.jail }}
+PORTS={{ item.ports }}
+SET={{ item.set }}

ansible/roles/sway/files/launch_sway_freebsd.bash

@@ -11,6 +11,8 @@ if [[ ! -v XDG_RUNTIME_DIR ]]; then
 
 fi
 
+export XDG_CURRENT_DESKTOP=sway
+
 # Enable wayland support for firefox
 export MOZ_ENABLE_WAYLAND=1
 

ansible/roles/sway/files/launch_sway_linux.bash

@@ -5,4 +5,6 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
+export XDG_CURRENT_DESKTOP=sway
+
 exec sway -d &> $HOME/.config/swaylog

ansible/run.bash

@@ -26,7 +26,8 @@ elif [ "$target" = "jail_nat_dhcp" ]; then
     ansible-playbook -v -i environments/jail playbook.yaml --diff --limit nat_dhcp "${@}"
 elif [ "$target" = "jail_homeserver_nat_dhcp" ]; then
     ansible-playbook -v -i environments/jail playbook.yaml --diff --limit homeserver_nat_dhcp "${@}"
-    #
+elif [ "$target" = "vm_poudriereodo" ]; then
+    ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}"
 else
     die 1 "Unrecognized target"
 fi