From a8822d0bfb6d3372ebc07a7da9af21e2223ead8b Mon Sep 17 00:00:00 2001 
From: Tom Alexander Date: Sat, 11 Apr 2026 12:49:59 -0400 Subject: [PATCH] Update for pkgbase rebuild of homeserver. --- .../environments/home/host_vars/homeserver | 16 -- ansible/environments/home/hosts | 3 +- ansible/environments/jail/host_vars/momlaptop | 1 - ansible/environments/jail/hosts | 1 - ansible/playbook.yaml | 14 - .../roles/base/files/homeserver_loader.conf | 1 + ansible/roles/base/files/homeserver_rc.conf | 3 +- ansible/roles/base/files/login.conf | 2 + ansible/roles/dummynet/files/dnctl.conf | 2 - ansible/roles/dummynet/files/dummynet | 28 -- ansible/roles/dummynet/files/dummynet_rc.conf | 2 - ansible/roles/dummynet/tasks/common.yaml | 55 ---- ansible/roles/dummynet/tasks/freebsd.yaml | 30 --- ansible/roles/dummynet/tasks/linux.yaml | 29 --- ansible/roles/dummynet/tasks/main.yaml | 2 - ansible/roles/dummynet/tasks/peruser.yaml | 29 --- .../roles/dummynet/tasks/peruser_freebsd.yaml | 0 .../roles/dummynet/tasks/peruser_linux.yaml | 0 .../roles/firewall/files/homeserver_pf.conf | 95 +++---- ansible/roles/firewall/meta/main.yaml | 2 - ansible/roles/gpg/tasks/freebsd.yaml | 2 +- .../roles/homeserver/files/decrypt_disks.bash | 10 - ansible/roles/homeserver/tasks/common.yaml | 55 ---- ansible/roles/homeserver/tasks/freebsd.yaml | 10 - ansible/roles/homeserver/tasks/linux.yaml | 29 --- ansible/roles/homeserver/tasks/main.yaml | 2 - ansible/roles/homeserver/tasks/peruser.yaml | 29 --- .../homeserver/tasks/peruser_freebsd.yaml | 0 .../roles/homeserver/tasks/peruser_linux.yaml | 0 ansible/roles/hosts/defaults/main.yaml | 2 +- ansible/roles/jail/files/jails/dagger.conf | 2 + ansible/roles/jail/files/jails/momlaptop.conf | 15 -- ansible/roles/jail/files/jails/olddagger.conf | 14 - ansible/roles/jail/templates/new_jail.bash.j2 | 62 ++--- .../jail_momlaptop/files/headers.include | 15 -- ansible/roles/jail_momlaptop/files/htpasswd | Bin 61 -> 0 bytes .../roles/jail_momlaptop/files/newsyslog.conf | 2 - ansible/roles/jail_momlaptop/files/nginx.conf | 48 ---- 
.../roles/jail_momlaptop/files/nginx_rc.conf | 1 - .../roles/jail_momlaptop/files/proxy.include | 9 - .../jail_momlaptop/files/tls_settings.include | 3 - ansible/roles/jail_momlaptop/meta/main.yaml | 2 - .../roles/jail_momlaptop/tasks/common.yaml | 55 ---- .../roles/jail_momlaptop/tasks/freebsd.yaml | 81 ------ ansible/roles/jail_momlaptop/tasks/linux.yaml | 29 --- ansible/roles/jail_momlaptop/tasks/main.yaml | 2 - .../roles/jail_momlaptop/tasks/peruser.yaml | 29 --- .../jail_momlaptop/tasks/peruser_freebsd.yaml | 0 .../jail_momlaptop/tasks/peruser_linux.yaml | 0 .../roles/jail_nat_dhcp/files/kea-dhcp4.conf | 5 - ansible/roles/linfi/defaults/main.yaml | 7 - ansible/roles/linfi/files/launch_linfi.bash | 239 ------------------ ansible/roles/linfi/files/linfi_rc.conf | 1 - ansible/roles/linfi/meta/main.yaml | 3 - ansible/roles/linfi/tasks/common.yaml | 55 ---- ansible/roles/linfi/tasks/freebsd.yaml | 50 ---- ansible/roles/linfi/tasks/linux.yaml | 29 --- ansible/roles/linfi/tasks/main.yaml | 2 - ansible/roles/linfi/tasks/peruser.yaml | 29 --- .../roles/linfi/tasks/peruser_freebsd.yaml | 0 ansible/roles/linfi/tasks/peruser_linux.yaml | 0 .../roles/linfi/templates/devmatch_rc.conf.j2 | 2 - ansible/roles/linfi/templates/linfi.j2 | 46 ---- .../linfi/templates/linfi_loader.conf.j2 | 5 - .../network/files/homeserver_network.conf | 8 +- .../roles/package_manager/tasks/freebsd.yaml | 54 ---- ansible/roles/public_dns/files/master.db | 1 - ansible/roles/sshd/files/sshd_config | 12 +- ansible/run.bash | 2 - 69 files changed, 89 insertions(+), 1284 deletions(-) delete mode 100644 ansible/environments/jail/host_vars/momlaptop delete mode 100644 ansible/roles/dummynet/files/dnctl.conf delete mode 100644 ansible/roles/dummynet/files/dummynet delete mode 100644 ansible/roles/dummynet/files/dummynet_rc.conf delete mode 100644 ansible/roles/dummynet/tasks/common.yaml delete mode 100644 ansible/roles/dummynet/tasks/freebsd.yaml delete mode 100644 ansible/roles/dummynet/tasks/linux.yaml 
delete mode 100644 ansible/roles/dummynet/tasks/main.yaml delete mode 100644 ansible/roles/dummynet/tasks/peruser.yaml delete mode 100644 ansible/roles/dummynet/tasks/peruser_freebsd.yaml delete mode 100644 ansible/roles/dummynet/tasks/peruser_linux.yaml delete mode 100644 ansible/roles/firewall/meta/main.yaml delete mode 100644 ansible/roles/homeserver/files/decrypt_disks.bash delete mode 100644 ansible/roles/homeserver/tasks/common.yaml delete mode 100644 ansible/roles/homeserver/tasks/freebsd.yaml delete mode 100644 ansible/roles/homeserver/tasks/linux.yaml delete mode 100644 ansible/roles/homeserver/tasks/main.yaml delete mode 100644 ansible/roles/homeserver/tasks/peruser.yaml delete mode 100644 ansible/roles/homeserver/tasks/peruser_freebsd.yaml delete mode 100644 ansible/roles/homeserver/tasks/peruser_linux.yaml delete mode 100644 ansible/roles/jail/files/jails/momlaptop.conf delete mode 100644 ansible/roles/jail/files/jails/olddagger.conf delete mode 100644 ansible/roles/jail_momlaptop/files/headers.include delete mode 100644 ansible/roles/jail_momlaptop/files/htpasswd delete mode 100644 ansible/roles/jail_momlaptop/files/newsyslog.conf delete mode 100644 ansible/roles/jail_momlaptop/files/nginx.conf delete mode 100644 ansible/roles/jail_momlaptop/files/nginx_rc.conf delete mode 100644 ansible/roles/jail_momlaptop/files/proxy.include delete mode 100644 ansible/roles/jail_momlaptop/files/tls_settings.include delete mode 100644 ansible/roles/jail_momlaptop/meta/main.yaml delete mode 100644 ansible/roles/jail_momlaptop/tasks/common.yaml delete mode 100644 ansible/roles/jail_momlaptop/tasks/freebsd.yaml delete mode 100644 ansible/roles/jail_momlaptop/tasks/linux.yaml delete mode 100644 ansible/roles/jail_momlaptop/tasks/main.yaml delete mode 100644 ansible/roles/jail_momlaptop/tasks/peruser.yaml delete mode 100644 ansible/roles/jail_momlaptop/tasks/peruser_freebsd.yaml delete mode 100644 ansible/roles/jail_momlaptop/tasks/peruser_linux.yaml delete mode 100644 
ansible/roles/linfi/defaults/main.yaml delete mode 100644 ansible/roles/linfi/files/launch_linfi.bash delete mode 100644 ansible/roles/linfi/files/linfi_rc.conf delete mode 100644 ansible/roles/linfi/meta/main.yaml delete mode 100644 ansible/roles/linfi/tasks/common.yaml delete mode 100644 ansible/roles/linfi/tasks/freebsd.yaml delete mode 100644 ansible/roles/linfi/tasks/linux.yaml delete mode 100644 ansible/roles/linfi/tasks/main.yaml delete mode 100644 ansible/roles/linfi/tasks/peruser.yaml delete mode 100644 ansible/roles/linfi/tasks/peruser_freebsd.yaml delete mode 100644 ansible/roles/linfi/tasks/peruser_linux.yaml delete mode 100644 ansible/roles/linfi/templates/devmatch_rc.conf.j2 delete mode 100644 ansible/roles/linfi/templates/linfi.j2 delete mode 100644 ansible/roles/linfi/templates/linfi_loader.conf.j2 diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver index 5010a77b..ceaa3bef 100644 --- a/ansible/environments/home/host_vars/homeserver +++ b/ansible/environments/home/host_vars/homeserver @@ -1,6 +1,4 @@ os_flavor: "freebsd" -custom_repo: "https://freebsdpkg.fizz.buzz/repo/14broadwell-default-computer" -pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/14broadwell-repo/FreeBSD:14:amd64/latest" zfs_snapshot_datasets: - path: zroot/freebsd/computer/be - path: zmass/encrypted/vm @@ -26,7 +24,6 @@ users: sshd_enabled: true sshd_conf: "sshd_config" prefer_ipv6: true -dummynet_config: "dnctl.conf" pf_config: "homeserver_pf.conf" pflog_conf: - name: 0 @@ -53,9 +50,6 @@ jail_list: - name: dagger conf: src: dagger - - name: olddagger - conf: - src: olddagger - name: sftp conf: src: sftp @@ -67,9 +61,6 @@ jail_list: - name: certificate conf: src: certificate - - name: momlaptop - conf: - src: momlaptop # - name: mumble # conf: # src: mumble 
@@ -84,10 +75,3 @@ bhyve_bemount: "on" wireguard_directory: homeserver enabled_wireguard: - wgh -linfi: - enabled: true - zfs_dataset: zmass/unencrypted/vm/linfi - zfs_mountpoint: /vm/linfi - driver_blocklist: "ath if_ath if_ath_pci ath_hal if_iwm if_iwlwifi" - pci_blocklist: "6/0/0" - amd: false diff --git a/ansible/environments/home/hosts b/ansible/environments/home/hosts index 5c227793..ab4572a9 100644 --- a/ansible/environments/home/hosts +++ b/ansible/environments/home/hosts @@ -1,2 +1,3 @@ [headless] -homeserver ansible_user=talexander ansible_host=homeserver +#homeserver ansible_user=talexander ansible_host=homeserver +homeserver ansible_user=talexander ansible_host=172.16.16.32 diff --git a/ansible/environments/jail/host_vars/momlaptop b/ansible/environments/jail/host_vars/momlaptop deleted file mode 100644 index 466c9103..00000000 --- a/ansible/environments/jail/host_vars/momlaptop +++ /dev/null @@ -1 +0,0 @@ -os_flavor: freebsd diff --git a/ansible/environments/jail/hosts b/ansible/environments/jail/hosts index 6f9c45f8..0e22aa2a 100644 --- a/ansible/environments/jail/hosts +++ b/ansible/environments/jail/hosts @@ -8,4 +8,3 @@ public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail -momlaptop ansible_ssh_host=momlaptop@homeserver ansible_connection=sshjail diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml index 2f07aa0a..5f637142 100644 --- a/ansible/playbook.yaml +++ b/ansible/playbook.yaml @@ -127,16 +127,8 @@ vars: ansible_become: True roles: - - linfi - framework_laptop -- hosts: homeserver - vars: - ansible_become: True - roles: - - linfi - - homeserver - - hosts: odowork vars: ansible_become: True 
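Review bot: The new inventory line pins `ansible_host=172.16.16.32` and leaves the old name-based line commented out with nothing saying why the name is bypassed or when it should come back; a reason above it, e.g. `# temporary: reach the host by IP until the rebuilt homeserver's DNS entry is back`, keeps this from becoming permanent archaeology (the real reason is not visible in this diff). Switching from a hostname to an IP also changes the known_hosts lookup key, so the first run against 172.16.16.32 is a fresh host-key decision — a prompt, or a silent accept if host_key_checking is disabled in an ansible.cfg outside this diff. A rebuild is exactly when a new host key is expected, which is also when a spoofed one is least likely to be noticed, so verify the fingerprint out of band before accepting it.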
@@ -161,9 +153,3 @@ ansible_become: True roles: - jail_certificate - -- hosts: momlaptop - vars: - ansible_become: True - roles: - - jail_momlaptop diff --git a/ansible/roles/base/files/homeserver_loader.conf b/ansible/roles/base/files/homeserver_loader.conf index 26cade0f..df7d23b8 100644 --- a/ansible/roles/base/files/homeserver_loader.conf +++ b/ansible/roles/base/files/homeserver_loader.conf @@ -1,3 +1,4 @@ security.bsd.allow_destructive_dtrace=0 cryptodev_load="YES" zfs_load="YES" +devmatch_blocklist="if_iwm" diff --git a/ansible/roles/base/files/homeserver_rc.conf b/ansible/roles/base/files/homeserver_rc.conf index f2e45da2..26d0c307 100644 --- a/ansible/roles/base/files/homeserver_rc.conf +++ b/ansible/roles/base/files/homeserver_rc.conf @@ -2,8 +2,7 @@ clear_tmp_enable="YES" syslogd_flags="-ss" sendmail_enable="NONE" hostname="computer" -local_unbound_enable="NO" -sshd_enable="YES" # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable dumpdev="NO" zfs_enable="YES" +kld_list="${kld_list} if_iwlwifi" diff --git a/ansible/roles/base/files/login.conf b/ansible/roles/base/files/login.conf index 18ce37dd..3be52ee8 100644 --- a/ansible/roles/base/files/login.conf +++ b/ansible/roles/base/files/login.conf @@ -23,6 +23,7 @@ default:\ :passwd_format=blf:\ + :copyright=/etc/COPYRIGHT:\ :welcome=/var/run/motd:\ :setenv=BLOCKSIZE=K:\ :mail=/var/mail/$:\ @@ -126,6 +127,7 @@ russian|Russian Users Accounts:\ ## standard - standard user defaults ## #standard:\ +# :copyright=/etc/COPYRIGHT:\ # :welcome=/var/run/motd:\ # :setenv=BLOCKSIZE=K:\ # :mail=/var/mail/$:\ diff --git a/ansible/roles/dummynet/files/dnctl.conf b/ansible/roles/dummynet/files/dnctl.conf deleted file mode 100644 index ddf46db7..00000000 --- a/ansible/roles/dummynet/files/dnctl.conf +++ /dev/null @@ -1,2 +0,0 @@ -pipe 1 config bw 100KByte/s -pipe 2 config diff --git a/ansible/roles/dummynet/files/dummynet b/ansible/roles/dummynet/files/dummynet deleted file mode 100644 index 4be9f0c7..00000000 
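Review bot: `sshd_enable="YES"` is removed from homeserver_rc.conf and nothing in this hunk replaces it, so after the rebuild sshd starts only if another role enables it. The host_vars keep `sshd_enabled: true` and `sshd_conf: "sshd_config"`, which suggests the sshd role writes its own /etc/rc.conf.d/sshd, but that role's task files are outside this diff — confirm it before the first reboot, since the inventory reaches this host only over ssh and a missing enable line means a console visit. The added `kld_list="${kld_list} if_iwlwifi"` works because rc.conf is sourced by sh, but if this file is the only place kld_list is set, a plain `kld_list="if_iwlwifi"` says the same thing without the leading-space artefact and without implying an earlier value that may not exist.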
--- a/ansible/roles/dummynet/files/dummynet +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/sh -# -# - -# PROVIDE: dummynet -# BEFORE: pf ipfw -# KEYWORD: nojailvnet - -. /etc/rc.subr - -name="dummynet" -desc="Dummynet packet queuing and scheduling" -rcvar="${name}_enable" -load_rc_config $name -start_cmd="${name}_start" -required_files="$dummynet_rules" -required_modules="dummynet" - -dummynet_start() -{ - startmsg -n "Enabling ${name}" - cat "$dnctl_rules" | while read l; do - dnctl $l - done - startmsg '.' -} - -run_rc_command $* diff --git a/ansible/roles/dummynet/files/dummynet_rc.conf b/ansible/roles/dummynet/files/dummynet_rc.conf deleted file mode 100644 index 4ecb447e..00000000 --- a/ansible/roles/dummynet/files/dummynet_rc.conf +++ /dev/null @@ -1,2 +0,0 @@ -dummynet_enable="YES" -dummynet_rules="/etc/dnctl.conf" diff --git a/ansible/roles/dummynet/tasks/common.yaml b/ansible/roles/dummynet/tasks/common.yaml deleted file mode 100644 index bef243ab..00000000 --- a/ansible/roles/dummynet/tasks/common.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -# - name: Create directories -# file: -# name: "{{ item }}" -# state: directory -# mode: 0755 -# owner: root -# group: wheel -# loop: -# - /foo/bar - -# - name: Install scripts -# copy: -# src: "files/{{ item.src }}" -# dest: "{{ item.dest }}" -# mode: 0755 -# owner: root -# group: wheel -# loop: -# - src: foo.bash -# dest: /usr/local/bin/foo - -# - name: Install Configuration -# copy: -# src: "files/{{ item.src }}" -# dest: "{{ item.dest }}" -# mode: 0600 -# owner: root -# group: wheel -# loop: -# - src: foo.conf -# dest: /usr/local/etc/foo.conf - -# - name: Clone Source -# git: -# repo: "https://foo.bar/baz.git" -# dest: /foo/bar -# version: "v1.0.2" -# force: true -# diff: false - -- import_tasks: tasks/freebsd.yaml - when: 'os_flavor == "freebsd"' - -- import_tasks: tasks/linux.yaml - when: 'os_flavor == "linux"' - -- include_tasks: - file: tasks/peruser.yaml - apply: - become: yes - become_user: "{{ initialize_user }}" - when: users is defined - loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}" - loop_control: - loop_var: initialize_user diff --git a/ansible/roles/dummynet/tasks/freebsd.yaml b/ansible/roles/dummynet/tasks/freebsd.yaml deleted file mode 100644 index b485d88e..00000000 --- a/ansible/roles/dummynet/tasks/freebsd.yaml +++ /dev/null @@ -1,30 +0,0 @@ -- name: Install Configuration - copy: - src: "files/{{ item.src }}" - dest: "{{ item.dest }}" - mode: 0600 - owner: root - group: wheel - loop: - - src: "{{ dummynet_config }}" - dest: /etc/dnctl.conf - -- name: Install rc script - copy: - src: "files/{{ item.src }}" - dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}" - owner: root - group: wheel - mode: 0755 - loop: - - src: dummynet - -- name: Install service configuration - copy: - src: "files/{{ item }}_rc.conf" - dest: "/etc/rc.conf.d/{{ item }}" - mode: 0644 - owner: root - group: wheel - loop: - - dummynet 
diff --git a/ansible/roles/dummynet/tasks/linux.yaml b/ansible/roles/dummynet/tasks/linux.yaml deleted file mode 100644 index bbbb0967..00000000 --- a/ansible/roles/dummynet/tasks/linux.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# - name: Build aur packages -# register: buildaur -# become_user: "{{ build_user.name }}" -# command: "aurutils-sync --no-view {{ item }}" -# args: -# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*" -# loop: -# - foo - -# - name: Update cache -# when: buildaur.changed -# pacman: -# name: [] -# state: present -# update_cache: true - -# - name: Install packages -# package: -# name: -# - foo -# state: present - -# - name: Enable services -# systemd: -# enabled: yes -# name: "{{ item }}" -# daemon_reload: yes -# loop: -# - foo.service diff --git a/ansible/roles/dummynet/tasks/main.yaml b/ansible/roles/dummynet/tasks/main.yaml deleted file mode 100644 index 482c6e1e..00000000 --- a/ansible/roles/dummynet/tasks/main.yaml +++ /dev/null @@ -1,2 +0,0 @@ -- import_tasks: tasks/common.yaml - when: (dummynet_config is defined and os_flavor == "freebsd") or (os_flavor == "linux") diff --git a/ansible/roles/dummynet/tasks/peruser.yaml b/ansible/roles/dummynet/tasks/peruser.yaml deleted file mode 100644 index 111e886d..00000000 --- a/ansible/roles/dummynet/tasks/peruser.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -- include_role: - name: per_user - -# - name: Create directories -# file: -# name: "{{ account_homedir.stdout }}/{{ item }}" -# state: directory -# mode: 0700 -# owner: "{{ account_name.stdout }}" -# group: "{{ group_name.stdout }}" -# loop: -# - ".config/foo" - -# - name: Copy files -# copy: -# src: "files/{{ item.src }}" -# dest: "{{ account_homedir.stdout }}/{{ item.dest }}" -# mode: 0600 -# owner: "{{ account_name.stdout }}" -# group: "{{ group_name.stdout }}" -# loop: -# - src: foo.conf -# dest: .config/foo/foo.conf - -- import_tasks: tasks/peruser_freebsd.yaml - when: 'os_flavor == "freebsd"' - -- import_tasks: tasks/peruser_linux.yaml - when: 'os_flavor == "linux"' diff --git a/ansible/roles/dummynet/tasks/peruser_freebsd.yaml b/ansible/roles/dummynet/tasks/peruser_freebsd.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/ansible/roles/dummynet/tasks/peruser_linux.yaml b/ansible/roles/dummynet/tasks/peruser_linux.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/ansible/roles/firewall/files/homeserver_pf.conf b/ansible/roles/firewall/files/homeserver_pf.conf index aa8fede2..84edc5ff 100644 --- a/ansible/roles/firewall/files/homeserver_pf.conf +++ b/ansible/roles/firewall/files/homeserver_pf.conf 
@@ -1,9 +1,20 @@ -ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }" -not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }" -jail_nat_v4 = "{ 10.215.1.0/24 }" -not_jail_nat_v4 = "{ any, !10.215.1.0/24 }" -restricted_nat_v4 = "{ 10.215.2.0/24 }" -not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }" +# TODO: ipv6 RFC 6296 - Network Prefix Translation? +# match out on $ext_if inet6 from fd00:db8::/48 binat-to 2001:db8::/48 +# TODO: Maybe ipv6 icmp rules from https://oneuptime.com/blog/post/2026-03-20-configure-ipv6-firewall-pf-freebsd/view + +# +# restricted_nat 10.215.2.1/24 +# jail_nat 10.215.1.1/24 +# + +# +# External connections -> 172.16.16.32:8081 +# rdr to bastion 10.215.1.217 +# snat to bridge? +# + +ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }" +not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }" rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }" dhcp = "{ bootpc, bootps }" 
@@ -11,69 +22,29 @@ allow = "{ wgh wgf }" tcp_pass_in = "{ 22 }" udp_pass_in = "{ 53 51820 }" -unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }" # Rules must be in order: options, normalization, queueing, translation, filtering # options set skip on lo +# normalization + # queueing -# altq on linfi_host cbq queue { def, stuff } -# queue def cbq(default borrow) -# queue stuff bandwidth 8Mb cbq { dagger } -# queue dagger cbq(borrow) -# redirections -nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host) -rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53 +# translation +nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> (wlan0) +nat pass on restricted_nat proto {tcp, udp} tagged NATRESTRICTED -> (restricted_nat) +nat pass on jail_nat proto {tcp, udp} tagged NATJAIL -> (jail_nat) -# cloak -nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host) -rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53 - -# bastion -rdr pass on $ext_if inet proto {tcp, udp} from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443 -nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.217 port 443 -> 10.215.1.1 -nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 port 8081 -> 10.215.2.1 - - -# cloak -> olddagger -rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082 -nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1 - -# cloak -> dagger old -rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8083 -> 10.215.2.2 port 8083 -nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8083 -> 10.215.2.1 - -# -> sftp -# TODO: Limit bandwidth for sftp -rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 
22 -nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1 - -# Forward ports for unifi controller -# rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22 -rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202 - -# -> momlaptop -rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8033 -> 10.215.1.218 port 443 -nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.218 port 443 -> 10.215.1.1 +# external -> bastion +rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8081 tag NATJAIL -> 10.215.1.217 port 443 +# external -> sftp +rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8022 tag NATJAIL -> 10.215.1.216 port 22 # filtering -# match in on jail_nat from any to any dnpipe(1, 2) -# match in on restricted_nat from any to any dnpipe(1, 2) - block log all -pass out on $ext_if - -pass in on jail_nat -# Allow traffic from my machine to the jails/virtual machines -pass out on jail_nat from $jail_nat_v4 -pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports -pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081 - -# TODO: limit bandwidth for dagger here -pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 } +pass out on $ext_if from (wlan0) # We pass on the interfaces listed in allow rather than skipping on # them because changes to pass rules will update when running a 
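Review bot: `nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> (wlan0)` matches on every member of `$ext_if` but always rewrites the source to wlan0's address, so a NATOUT packet that happens to leave via igb0/ix0 would carry wlan0's address and its reply would come back on wlan0 rather than the interface holding the state. The filter rules in this file already bind to `(wlan0)`, so the cleaner form is `nat pass on wlan0 proto {tcp, udp} tagged NATOUT -> (wlan0)` (or one rule per uplink that is actually in use). The two `rdr pass` rules forward `proto {tcp, udp}` to the sftp jail's port 22 and the bastion's 443; unless the bastion serves HTTP/3 on that port, `proto tcp` is enough for both and keeps an unneeded UDP path closed, and because `rdr pass` skips the filter ruleset the `from any` on those lines is the entire access control for them. Dropping `pass in on jail_nat`, `pass out on jail_nat from $jail_nat_v4` and the DNS rdr to 172.16.0.1 leaves the jail_nat jails (bastion, sftp, certificate, public_dns, dagger per the host_vars) with no egress beyond the two tagged flows below; if that is intended, a comment saying jails have no outbound by design would save the next reader from assuming it is a bug.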
@@ -85,5 +56,11 @@ pass quick on $allow pass on $ext_if proto icmp all pass on $ext_if proto icmp6 all -pass in on $ext_if proto tcp to any port $tcp_pass_in -pass in on $ext_if proto udp to any port $udp_pass_in +pass in on $ext_if proto tcp to (wlan0) port $tcp_pass_in +pass in on $ext_if proto udp to (wlan0) port $udp_pass_in + + +# Allow DNS and wireguard from cloak +pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT +# bastion -> cloak +pass in on jail_nat proto {udp, tcp} from 10.215.1.217 to 10.215.2.2 port 8081 tag NATRESTRICTED diff --git a/ansible/roles/firewall/meta/main.yaml b/ansible/roles/firewall/meta/main.yaml deleted file mode 100644 index 67d64d26..00000000 --- a/ansible/roles/firewall/meta/main.yaml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - dummynet diff --git a/ansible/roles/gpg/tasks/freebsd.yaml b/ansible/roles/gpg/tasks/freebsd.yaml index ad852915..14bfbeb2 100644 --- a/ansible/roles/gpg/tasks/freebsd.yaml +++ b/ansible/roles/gpg/tasks/freebsd.yaml @@ -3,7 +3,7 @@ name: - gnupg - pcsc-tools - - ccid + # - ccid # - linux_libusb - pinentry state: present diff --git a/ansible/roles/homeserver/files/decrypt_disks.bash b/ansible/roles/homeserver/files/decrypt_disks.bash deleted file mode 100644 index 474fc392..00000000 --- a/ansible/roles/homeserver/files/decrypt_disks.bash +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/env bash -# -# Decrypt and mount the disks after a fresh reboot. -set -euo pipefail -IFS=$'\n\t' -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -zfs load-key -r zmass/encrypted -zfs mount -a -service bemount start diff --git a/ansible/roles/homeserver/tasks/common.yaml b/ansible/roles/homeserver/tasks/common.yaml deleted file mode 100644 index bef243ab..00000000 --- a/ansible/roles/homeserver/tasks/common.yaml +++ /dev/null 
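Review bot: `pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT` lets the cloak jail reach any host on 53 and 51820 — the host's own addresses and the LAN ranges in the `rfc1918` macro included, a macro this file defines but never uses. If that jail is meant to talk only to its resolver and its WireGuard peer, name them: `pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to 172.16.0.1 port 53 tag NATOUT` (the resolver the removed rdr used to forward to — confirm it is still the right one) and `pass in on restricted_nat proto udp from 10.215.2.2 to ! $rfc1918 port 51820 tag NATOUT`. WireGuard is UDP only, so `tcp` on 51820 can go either way.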
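Review bot: `ccid` is commented out of the gnupg package list with no reason recorded, and it is the PC/SC reader driver pcscd loads, so pcsc-tools and gpg's scdaemon presumably lose access to USB smart-card tokens on this host. If it is only missing from the pkgbase-built repository for now, say so instead of leaving a bare commented line: `# - ccid  # TODO: not in the pkgbase repo yet; needed for hardware-token readers`.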
@@ -1,55 +0,0 @@ -# - name: Create directories -# file: -# name: "{{ item }}" -# state: directory -# mode: 0755 -# owner: root -# group: wheel -# loop: -# - /foo/bar - -# - name: Install scripts -# copy: -# src: "files/{{ item.src }}" -# dest: "{{ item.dest }}" -# mode: 0755 -# owner: root -# group: wheel -# loop: -# - src: foo.bash -# dest: /usr/local/bin/foo - -# - name: Install Configuration -# copy: -# src: "files/{{ item.src }}" -# dest: "{{ item.dest }}" -# mode: 0600 -# owner: root -# group: wheel -# loop: -# - src: foo.conf -# dest: /usr/local/etc/foo.conf - -# - name: Clone Source -# git: -# repo: "https://foo.bar/baz.git" -# dest: /foo/bar -# version: "v1.0.2" -# force: true -# diff: false - -- import_tasks: tasks/freebsd.yaml - when: 'os_flavor == "freebsd"' - -- import_tasks: tasks/linux.yaml - when: 'os_flavor == "linux"' - -- include_tasks: - file: tasks/peruser.yaml - apply: - become: yes - become_user: "{{ initialize_user }}" - when: users is defined - loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}" - loop_control: - loop_var: initialize_user diff --git a/ansible/roles/homeserver/tasks/freebsd.yaml b/ansible/roles/homeserver/tasks/freebsd.yaml deleted file mode 100644 index aeabf39e..00000000 --- a/ansible/roles/homeserver/tasks/freebsd.yaml +++ /dev/null @@ -1,10 +0,0 @@ -- name: Install scripts - copy: - src: "files/{{ item.src }}" - dest: "{{ item.dest }}" - mode: 0755 - owner: root - group: wheel - loop: - - src: decrypt_disks.bash - dest: /usr/local/bin/decrypt_disks diff --git a/ansible/roles/homeserver/tasks/linux.yaml b/ansible/roles/homeserver/tasks/linux.yaml deleted file mode 100644 index bbbb0967..00000000 --- a/ansible/roles/homeserver/tasks/linux.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# - name: Build aur packages -# register: buildaur -# become_user: "{{ build_user.name }}" -# command: "aurutils-sync --no-view {{ item }}" -# args: -# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*" -# loop: -# - foo - -# - name: Update cache -# when: buildaur.changed -# pacman: -# name: [] -# state: present -# update_cache: true - -# - name: Install packages -# package: -# name: -# - foo -# state: present - -# - name: Enable services -# systemd: -# enabled: yes -# name: "{{ item }}" -# daemon_reload: yes -# loop: -# - foo.service diff --git a/ansible/roles/homeserver/tasks/main.yaml b/ansible/roles/homeserver/tasks/main.yaml deleted file mode 100644 index 6805b9dc..00000000 --- a/ansible/roles/homeserver/tasks/main.yaml +++ /dev/null @@ -1,2 +0,0 @@ -- import_tasks: tasks/common.yaml - # when: foo is defined diff --git a/ansible/roles/homeserver/tasks/peruser.yaml b/ansible/roles/homeserver/tasks/peruser.yaml deleted file mode 100644 index 111e886d..00000000 --- a/ansible/roles/homeserver/tasks/peruser.yaml +++ /dev/null @@ -1,29 +0,0 @@ -- include_role: - name: per_user - -# - name: Create directories -# file: -# name: "{{ account_homedir.stdout }}/{{ item }}" -# state: directory -# mode: 0700 -# owner: "{{ account_name.stdout }}" -# group: "{{ group_name.stdout }}" -# loop: -# - ".config/foo" - -# - name: Copy files -# copy: -# src: "files/{{ item.src }}" -# dest: "{{ account_homedir.stdout }}/{{ item.dest }}" -# mode: 0600 -# owner: "{{ account_name.stdout }}" -# group: "{{ group_name.stdout }}" -# loop: -# - src: foo.conf -# dest: .config/foo/foo.conf - -- import_tasks: tasks/peruser_freebsd.yaml - when: 'os_flavor == "freebsd"' - -- import_tasks: tasks/peruser_linux.yaml - when: 'os_flavor == "linux"' diff --git a/ansible/roles/homeserver/tasks/peruser_freebsd.yaml b/ansible/roles/homeserver/tasks/peruser_freebsd.yaml deleted file mode 100644 index e69de29b..00000000 
diff --git a/ansible/roles/homeserver/tasks/peruser_linux.yaml b/ansible/roles/homeserver/tasks/peruser_linux.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/ansible/roles/hosts/defaults/main.yaml b/ansible/roles/hosts/defaults/main.yaml index a6504973..ea109708 100644 --- a/ansible/roles/hosts/defaults/main.yaml +++ b/ansible/roles/hosts/defaults/main.yaml @@ -1,5 +1,5 @@ etc_hosts: - 10.216.1.1: + 10.216.1.32: - homeserver 10.216.1.6: - media diff --git a/ansible/roles/jail/files/jails/dagger.conf b/ansible/roles/jail/files/jails/dagger.conf index 060642c8..3f22927d 100644 --- a/ansible/roles/jail/files/jails/dagger.conf +++ b/ansible/roles/jail/files/jails/dagger.conf @@ -1,5 +1,7 @@ dagger { path = "/jail/${name}"; + allow.chflags = 1; + vnet; vnet.interface += "dagger"; diff --git a/ansible/roles/jail/files/jails/momlaptop.conf b/ansible/roles/jail/files/jails/momlaptop.conf deleted file mode 100644 index d9e551a4..00000000 --- a/ansible/roles/jail/files/jails/momlaptop.conf +++ /dev/null @@ -1,15 +0,0 @@ -momlaptop { - path = "/jail/${name}"; - vnet; - exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24"; - exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}"; - vnet.interface += "jail${name}"; - - devfs_ruleset = 14; - mount.devfs; - mount.fstab = "/etc/fstab.${name}"; - - exec.start += "/bin/sh /etc/rc"; - exec.stop = "/bin/sh /etc/rc.shutdown jail"; - exec.consolelog = "/var/log/jail_${name}_console.log"; -} diff --git a/ansible/roles/jail/files/jails/olddagger.conf b/ansible/roles/jail/files/jails/olddagger.conf deleted file mode 100644 index 88289194..00000000 --- a/ansible/roles/jail/files/jails/olddagger.conf +++ /dev/null 
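Review bot: `allow.chflags = 1;` lets root inside the dagger jail set and clear the system file flags (schg, sappnd) on anything in its filesystem, which jail root could not do before, and no comment says why dagger alone gets it; if it is so pkgbase upgrades inside the jail can replace schg-flagged base files, record that above the line, e.g. `# pkgbase upgrades must clear schg on base files; jail root can now strip system flags`. The trade-off is that a compromised jail root can also un-pin those files, so the immutable bit no longer protects the jail's base from tampering; what remains is the securelevel (at level 1 or higher the system flags cannot be cleared even with this set), which is not visible in this diff — check what the host and this jail run at. The sftp, bastion and certificate jail definitions are untouched here, so if they are also moving to pkgbase they will hit the same need.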
@@ -1,14 +0,0 @@ -olddagger { - path = "/jail/${name}"; - vnet; - vnet.interface += "olddagger"; - - exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24"; - exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop cloak ${name}"; - - mount.fstab = "/etc/fstab.${name}"; - - exec.start += "/bin/sh /etc/rc"; - exec.stop = "/bin/sh /etc/rc.shutdown jail"; - exec.consolelog = "/var/log/jail_${name}_console.log"; -} diff --git a/ansible/roles/jail/templates/new_jail.bash.j2 b/ansible/roles/jail/templates/new_jail.bash.j2 index bee6bfcf..c8dfd2e8 100644 --- a/ansible/roles/jail/templates/new_jail.bash.j2 +++ b/ansible/roles/jail/templates/new_jail.bash.j2 @@ -26,7 +26,7 @@ function by_src { } function by_bin { - DESTRELEASE=14.3-RELEASE + DESTRELEASE=15.0-RELEASE DESTARCH=`uname -m` SOURCEURL=http://ftp.freebsd.org/pub/FreeBSD/releases/$DESTARCH/$DESTRELEASE/ for component in base ports; do fetch $SOURCEURL/$component.txz -o - | tar -xf - -C "$DESTDIR" ; done @@ -34,34 +34,34 @@ function by_bin { } function by_pkg { - # current https://pkg.freebsd.org/FreeBSD:15:amd64/base_latest - # 14/stable https://pkg.freebsd.org/FreeBSD:14:amd64/base_latest - # 14.1 https://pkg.freebsd.org/FreeBSD:14:amd64/base_release_1 - local config - config=$(cat < "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config" +# local in_jail_config +# in_jail_config=$(cat < "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config" # Post-install remove extra packages # pkg remove --glob 'FreeBSD-*-lib32*' 'FreeBSD-*-dbg*' FreeBSD-src } @@ -69,13 +69,13 @@ EOF function switch_to_latest_packages { local latest_pkg latest_pkg=$(cat < "$DESTDIR/usr/local/etc/pkg/repos/FreeBSD.conf" <<<"$latest_pkg" + cat > "$DESTDIR/usr/local/etc/pkg/repos/FreeBSD-ports.conf" <<<"$latest_pkg" } if [ "$1" = "src" ]; then 
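Review bot: Bumping `DESTRELEASE` to 15.0-RELEASE keeps `by_bin` fetching `base.txz` and `ports.txz` over plain `http://ftp.freebsd.org` and piping them straight into `tar -xf - -C "$DESTDIR"` with no checksum or signature check, so the whole jail root is whatever the network hands back. Fetch over https (download.freebsd.org serves the same tree) and compare each archive's sha256 against the `MANIFEST` published in the release directory before extracting, as sketched below; the rest of `by_bin`, including its closing brace, is outside this hunk. The by_pkg and switch_to_latest_packages hunks are too collapsed here to read reliably, but they write pkg repository configs into the jail, so the same question — are those repos signed and pinned — applies there.
```shell
function by_bin {
    DESTRELEASE=15.0-RELEASE
    DESTARCH=`uname -m`
    SOURCEURL=https://download.freebsd.org/releases/$DESTARCH/$DESTRELEASE
    # MANIFEST lists "<archive> <sha256> ..." for every distribution set.
    fetch "$SOURCEURL/MANIFEST" -o "$DESTDIR/MANIFEST"
    for component in base ports; do
        fetch "$SOURCEURL/$component.txz" -o "$DESTDIR/$component.txz"
        expected=$(awk -v f="$component.txz" '$1 == f { print $2 }' "$DESTDIR/MANIFEST")
        [ -n "$expected" ] && [ "$(sha256 -q "$DESTDIR/$component.txz")" = "$expected" ] \
            || { echo "checksum mismatch for $component.txz" >&2; exit 1; }
        tar -xf "$DESTDIR/$component.txz" -C "$DESTDIR"
        rm "$DESTDIR/$component.txz"
    done
    rm "$DESTDIR/MANIFEST"
    # … unchanged: rest of by_bin …
```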
diff --git a/ansible/roles/jail_momlaptop/files/headers.include b/ansible/roles/jail_momlaptop/files/headers.include deleted file mode 100644 index 47901d23..00000000 --- a/ansible/roles/jail_momlaptop/files/headers.include +++ /dev/null @@ -1,15 +0,0 @@ -# Enable HTTP Strict Transport Security (HSTS) to force clients to -# always connect via HTTPS (do not use if only testing) -add_header Strict-Transport-Security "max-age=31536000;" always; -# Enable cross-site filter (XSS) and tell browser to block detected -# attacks -add_header X-XSS-Protection "1; mode=block" always; -# Prevent some browsers from MIME-sniffing a response away from the -# declared Content-Type -add_header X-Content-Type-Options "nosniff" always; -# Disallow the site to be rendered within a frame (clickjacking -# protection) -add_header X-Frame-Options "DENY" always; - -# Indicate that we are serving http3 on port 443 -add_header Alt-Svc 'h3=":8033"; ma=864000'; diff --git a/ansible/roles/jail_momlaptop/files/htpasswd b/ansible/roles/jail_momlaptop/files/htpasswd deleted file mode 100644 index bd2c49ea0c213ce93946e70fc917ae7687eea667..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 61 zcmV-D0K)$OM@dveQdv+`0C?H0H}i4uO)t2s(JIk8lknNbtucCHDT&3kGeCz-ivhFs Tv4^T=9t9197Kr(aeVl_JSi~Ga diff --git a/ansible/roles/jail_momlaptop/files/newsyslog.conf b/ansible/roles/jail_momlaptop/files/newsyslog.conf deleted file mode 100644 index 78a612b6..00000000 --- a/ansible/roles/jail_momlaptop/files/newsyslog.conf +++ /dev/null @@ -1,2 +0,0 @@ -# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num] -/var/log/nginx/*.log 640 5 1000 @T00 GYC /var/run/nginx.pid SIGUSR1 diff --git a/ansible/roles/jail_momlaptop/files/nginx.conf b/ansible/roles/jail_momlaptop/files/nginx.conf deleted file mode 100644 index d5f226ef..00000000 --- a/ansible/roles/jail_momlaptop/files/nginx.conf +++ /dev/null 
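Review bot: Deleting `jail_momlaptop/files/htpasswd` removes the credential file from the tree but not from history — the 61-byte blob (one user:hash line; the hash format is not visible here) stays retrievable from every clone of this repository. If that password was ever reused elsewhere, rotate it; an MD5 or crypt htpasswd hash is cheap to crack offline, while a bcrypt one (`htpasswd -B`) limits the exposure. Going forward, keep htpasswd and similar secrets in Ansible Vault or generate them at deploy time rather than committing them as files.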
@@ -1,48 +0,0 @@
-worker_processes auto;
-user www www;
-
-events {
- worker_connections 1024;
-}
-
-http {
- include mime.types;
- default_type application/octet-stream;
-
- types {
- text/plain log;
- }
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- gzip on;
-
- include conf.d/headers.include;
-
- server {
- listen 443 quic reuseport;
- listen [::]:443 quic reuseport;
- listen 443 ssl;
- listen [::]:443 ssl;
- http2 on;
-
- server_name momlaptop.fizz.buzz;
-
- include conf.d/tls_settings.include;
- # RSA
- ssl_certificate /momlaptop.fizz.buzz/tls.crt;
- ssl_certificate_key /momlaptop.fizz.buzz/tls.key;
-
- # Nginx by default only allows file uploads up to 50M in size
- client_max_body_size 50M;
-
- location / {
- auth_basic "Stuff";
- auth_basic_user_file conf.d/htpasswd;
-
- alias /srv/http/;
- autoindex on;
- }
- }
-}
diff --git a/ansible/roles/jail_momlaptop/files/nginx_rc.conf b/ansible/roles/jail_momlaptop/files/nginx_rc.conf
deleted file mode 100644
index c104d8be..00000000
--- a/ansible/roles/jail_momlaptop/files/nginx_rc.conf
+++ /dev/null
@@ -1 +0,0 @@
-nginx_enable="YES"
diff --git a/ansible/roles/jail_momlaptop/files/proxy.include b/ansible/roles/jail_momlaptop/files/proxy.include
deleted file mode 100644
index 3e54c146..00000000
--- a/ansible/roles/jail_momlaptop/files/proxy.include
+++ /dev/null
@@ -1,9 +0,0 @@
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header Host $http_host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-Proto $scheme;
-# Settings for keepalive module for upstreams
-proxy_http_version 1.1;
-proxy_set_header Connection "";
-# Requests sent with early data are subject to replay attacks so the application needs to protect against that by using the Early-Data header.
-# proxy_set_header Early-Data $ssl_early_data;
diff --git a/ansible/roles/jail_momlaptop/files/tls_settings.include b/ansible/roles/jail_momlaptop/files/tls_settings.include
deleted file mode 100644
index e26fde8b..00000000
--- a/ansible/roles/jail_momlaptop/files/tls_settings.include
+++ /dev/null
@@ -1,3 +0,0 @@
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-ssl_prefer_server_ciphers on;
diff --git a/ansible/roles/jail_momlaptop/meta/main.yaml b/ansible/roles/jail_momlaptop/meta/main.yaml
deleted file mode 100644
index ecea872c..00000000
--- a/ansible/roles/jail_momlaptop/meta/main.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - syslog
diff --git a/ansible/roles/jail_momlaptop/tasks/common.yaml b/ansible/roles/jail_momlaptop/tasks/common.yaml
deleted file mode 100644
index f146487b..00000000
--- a/ansible/roles/jail_momlaptop/tasks/common.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-# - name: Create directories
-# file:
-# name: "{{ item }}"
-# state: directory
-# mode: 0755
-# owner: root
-# group: wheel
-# loop:
-# - /foo/bar
-
-# - name: Install scripts
-# copy:
-# src: "files/{{ item.src }}"
-# dest: "{{ item.dest }}"
-# mode: 0755
-# owner: root
-# group: wheel
-# loop:
-# - src: foo.bash
-# dest: /usr/local/bin/foo
-
-# - name: Install Configuration
-# copy:
-# src: "files/{{ item.src }}"
-# dest: "{{ item.dest }}"
-# mode: 0600
-# owner: root
-# group: wheel
-# loop:
-# - src: foo.conf
-# dest: /usr/local/etc/foo.conf
-
-# - name: Clone Source
-# git:
-# repo: "https://foo.bar/baz.git"
-# dest: /foo/bar
-# version: "v1.0.2"
-# force: true
-# diff: false
-
-- import_tasks: tasks/freebsd.yaml
- when: 'os_flavor == "freebsd"'
-
-- import_tasks: tasks/linux.yaml
- when: 'os_flavor == "linux"'
-
-# - include_tasks:
-# file: tasks/peruser.yaml
-# apply:
-# become: yes
-# become_user: "{{ initialize_user }}"
-# when: users is defined
-# loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
-# loop_control:
-# loop_var: initialize_user
diff --git a/ansible/roles/jail_momlaptop/tasks/freebsd.yaml b/ansible/roles/jail_momlaptop/tasks/freebsd.yaml
deleted file mode 100644
index a80bae25..00000000
--- a/ansible/roles/jail_momlaptop/tasks/freebsd.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-- name: Create www group
- group:
- name: www
-
-- name: Create www user
- user:
- name: www
- home: /srv/http
- createhome: false
- group: www
-
-- name: Create directories
- file:
- name: "{{ item }}"
- state: directory
- mode: 0755
- owner: root
- group: wheel
- loop:
- - /momlaptop.fizz.buzz
- - /etc/rc.conf.d
- - /usr/local/etc/nginx/conf.d
-
-- name: Create directories
- file:
- name: "{{ item }}"
- state: directory
- mode: 0755
- owner: www
- group: www
- loop:
- - /srv/http
-
-- name: Install packages
- package:
- name:
- - nginx
- state: present
-
-# validate fails because nginx config relies on a local mime.types
-- name: Install Configuration
- copy:
- src: "files/{{ item.src }}"
- dest: "{{ item.dest }}"
- mode: 0644
- owner: root
- group: wheel
- loop:
- - src: nginx.conf
- dest: /usr/local/etc/nginx/nginx.conf
- - src: headers.include
- dest: /usr/local/etc/nginx/conf.d/headers.include
- - src: proxy.include
- dest: /usr/local/etc/nginx/conf.d/proxy.include
- - src: tls_settings.include
- dest: /usr/local/etc/nginx/conf.d/tls_settings.include
- # Generate htpasswd with `htpasswd -c files/htpasswd user1`
- # or `printf "USER:$(openssl passwd)\n" >> files/htpasswd`
- - src: htpasswd
- dest: /usr/local/etc/nginx/conf.d/htpasswd
-
-- name: Install newsyslog configuration
- copy:
- src: "files/{{ item.src }}"
- dest: "{{ item.dest }}"
- mode: 0600
- owner: root
- group: wheel
- loop:
- - src: newsyslog.conf
- dest: /usr/local/etc/newsyslog.conf.d/nginx.conf
-
-- name: Install service configuration
- copy:
- src: "files/{{ item }}_rc.conf"
- dest: "/etc/rc.conf.d/{{ item }}"
- mode: 0644
- owner: root
- group: wheel
- loop:
- - nginx
diff --git a/ansible/roles/jail_momlaptop/tasks/linux.yaml b/ansible/roles/jail_momlaptop/tasks/linux.yaml
deleted file mode 100644
index bbbb0967..00000000
--- a/ansible/roles/jail_momlaptop/tasks/linux.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# - name: Build aur packages
-# register: buildaur
-# become_user: "{{ build_user.name }}"
-# command: "aurutils-sync --no-view {{ item }}"
-# args:
-# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
-# loop:
-# - foo
-
-# - name: Update cache
-# when: buildaur.changed
-# pacman:
-# name: []
-# state: present
-# update_cache: true
-
-# - name: Install packages
-# package:
-# name:
-# - foo
-# state: present
-
-# - name: Enable services
-# systemd:
-# enabled: yes
-# name: "{{ item }}"
-# daemon_reload: yes
-# loop:
-# - foo.service
diff --git a/ansible/roles/jail_momlaptop/tasks/main.yaml b/ansible/roles/jail_momlaptop/tasks/main.yaml
deleted file mode 100644
index 6805b9dc..00000000
--- a/ansible/roles/jail_momlaptop/tasks/main.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-- import_tasks: tasks/common.yaml
- # when: foo is defined
diff --git a/ansible/roles/jail_momlaptop/tasks/peruser.yaml b/ansible/roles/jail_momlaptop/tasks/peruser.yaml
deleted file mode 100644
index 111e886d..00000000
--- a/ansible/roles/jail_momlaptop/tasks/peruser.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-- include_role:
- name: per_user
-
-# - name: Create directories
-# file:
-# name: "{{ account_homedir.stdout }}/{{ item }}"
-# state: directory
-# mode: 0700
-# owner: "{{ account_name.stdout }}"
-# group: "{{ group_name.stdout }}"
-# loop:
-# - ".config/foo"
-
-# - name: Copy files
-# copy:
-# src: "files/{{ item.src }}"
-# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
-# mode: 0600
-# owner: "{{ account_name.stdout }}"
-# group: "{{ group_name.stdout }}"
-# loop:
-# - src: foo.conf
-# dest: .config/foo/foo.conf
-
-- import_tasks: tasks/peruser_freebsd.yaml
- when: 'os_flavor == "freebsd"'
-
-- import_tasks: tasks/peruser_linux.yaml
- when: 'os_flavor == "linux"'
diff --git a/ansible/roles/jail_momlaptop/tasks/peruser_freebsd.yaml b/ansible/roles/jail_momlaptop/tasks/peruser_freebsd.yaml
deleted file mode 100644
index e69de29b..00000000
diff --git a/ansible/roles/jail_momlaptop/tasks/peruser_linux.yaml b/ansible/roles/jail_momlaptop/tasks/peruser_linux.yaml
deleted file mode 100644
index e69de29b..00000000
diff --git a/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf b/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf
index d38fa0e5..9ab11022 100644
--- a/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf
+++ b/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf
@@ -90,11 +90,6 @@
 "hw-address": "06:ca:1a:10:74:09",
 "ip-address": "10.215.1.217"
 },
- {
- // momlaptop - hard-coded in rc.conf, reproduced here to reserve ip
- "hw-address": "06:85:69:c5:6a:d6",
- "ip-address": "10.215.1.218"
- },
 {
 // hydra
 "hw-address": "06:84:36:68:03:77",
diff --git a/ansible/roles/linfi/defaults/main.yaml b/ansible/roles/linfi/defaults/main.yaml
deleted file mode 100644
index 67825a66..00000000
--- a/ansible/roles/linfi/defaults/main.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-# linfi:
-# enabled: true
-# zfs_dataset: zroot/freebsd/current/vm/linfi
-# zfs_mountpoint: /vm/linfi
-# driver_blocklist: "if_iwm if_iwlwifi"
-# pci_blocklist: "1/0/0"
-# amd: true
diff --git a/ansible/roles/linfi/files/launch_linfi.bash b/ansible/roles/linfi/files/launch_linfi.bash
deleted file mode 100644
index 3b5d8e91..00000000
--- a/ansible/roles/linfi/files/launch_linfi.bash
+++ /dev/null
@@ -1,239 +0,0 @@ -#!/usr/local/bin/bash -# -set -euo pipefail -IFS=$'\n\t' -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -# Share a host directory to the guest via 9pfs. -# -# Inside the VM run: -# mount -t virtfs -o trans=virtio sharename /some/vm/path -# mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p -# mount -t 9p -o trans=virtio,cache=mmap,msize=512000 sharename /path/to/mountpoint -# bhyve_options="-s 28,virtio-9p,sharename=/" - -# Enable Sound -# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp" - -# Example usage: -# -# doas bhyve_netgraph_bridge create-disk zdata/vm/poudriere /vm/poudriere 10 -# doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso -# doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere - -: ${VERBOSE:="NO"} # or YES -: ${CPU_CORES:="1"} -: ${MEMORY:="1G"} -: ${NETWORK:="NAT"} # or RAW or BOTH -: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks -: ${INTERFACE_NAME:="linfi_host"} # or the external interface like lagg0 for RAW networks -: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks -: ${VNC_ENABLE:="NO"} -: ${VNC_LISTEN:="127.0.0.1:5900"} -: ${VNC_WIDTH:="1920"} -: ${VNC_HEIGHT:="1080"} -: ${PASSTHROUGH:="1/0/0"} - -if [ "$VERBOSE" = "YES" ]; then - set -x -fi - -############## Setup ######################### - -function cleanup { - for vm in "${vms[@]}"; do - log "Destroying bhyve vm $vm" - bhyvectl "--vm=$vm" --destroy - log "Destroyed bhyve vm $vm" - done -} -vms=() -for sig in EXIT; do - trap "set +e; sleep 10; cleanup" "$sig" -done - -function die { - local status_code="$1" - shift - (>&2 echo "${@}") - exit "$status_code" -} - -function log { - (>&2 echo "${@}") -} - -############## Program ######################### - -function main { - local cmd="$1" - shift 1 - if [ "$cmd" = "create-disk" ]; then - create_disk "${@}" - elif [ "$cmd" = "start" ]; then - start_vm "${@}" - else - 
die 1 "Unrecognized command $cmd" - fi -} - -function create_disk { - local zfs_path="$1" - local mount_path="$2" - local gigabytes="$3" - zfs create -o "mountpoint=$mount_path" "$zfs_path" - cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/" - tee "${mount_path}/settings" <&2 echo "No available links on bridge $bridge_name") - exit 1 - fi - done -} - -function assert_bridge { - local host_interface_name="$1" - local bridge_name="$2" - - if ! ng_exists "${bridge_name}:"; then - ngctl -d -f - </dev/null 2>&1 -} - -function calculate_mac_address { - local name="$1" - local source - source=$(md5 -r -s "$name" | awk '{print $1}') - echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}" -} - -function find_available_port { - local start_port="$1" - local port="$start_port" - while true; do - sockstat -P tcp -p 443 - port=$((port + 1)) - done -} - -function ngctlcat { - if [ "$VERBOSE" = "YES" ]; then - tee /dev/tty | ngctl -d -f - - else - ngctl -d -f - - fi -} - - -main "${@}" diff --git a/ansible/roles/linfi/files/linfi_rc.conf b/ansible/roles/linfi/files/linfi_rc.conf deleted file mode 100644 index c29e7f76..00000000 --- a/ansible/roles/linfi/files/linfi_rc.conf +++ /dev/null @@ -1 +0,0 @@ -linfi_enable="YES" diff --git a/ansible/roles/linfi/meta/main.yaml b/ansible/roles/linfi/meta/main.yaml deleted file mode 100644 index 4fc8499b..00000000 --- a/ansible/roles/linfi/meta/main.yaml +++ /dev/null @@ -1,3 +0,0 @@ -dependencies: - - role: bhyve - when: 'os_flavor == "freebsd"' diff --git a/ansible/roles/linfi/tasks/common.yaml b/ansible/roles/linfi/tasks/common.yaml deleted file mode 100644 index bef243ab..00000000 --- a/ansible/roles/linfi/tasks/common.yaml +++ /dev/null 
@@ -1,55 +0,0 @@
-# - name: Create directories
-# file:
-# name: "{{ item }}"
-# state: directory
-# mode: 0755
-# owner: root
-# group: wheel
-# loop:
-# - /foo/bar
-
-# - name: Install scripts
-# copy:
-# src: "files/{{ item.src }}"
-# dest: "{{ item.dest }}"
-# mode: 0755
-# owner: root
-# group: wheel
-# loop:
-# - src: foo.bash
-# dest: /usr/local/bin/foo
-
-# - name: Install Configuration
-# copy:
-# src: "files/{{ item.src }}"
-# dest: "{{ item.dest }}"
-# mode: 0600
-# owner: root
-# group: wheel
-# loop:
-# - src: foo.conf
-# dest: /usr/local/etc/foo.conf
-
-# - name: Clone Source
-# git:
-# repo: "https://foo.bar/baz.git"
-# dest: /foo/bar
-# version: "v1.0.2"
-# force: true
-# diff: false
-
-- import_tasks: tasks/freebsd.yaml
- when: 'os_flavor == "freebsd"'
-
-- import_tasks: tasks/linux.yaml
- when: 'os_flavor == "linux"'
-
-- include_tasks:
- file: tasks/peruser.yaml
- apply:
- become: yes
- become_user: "{{ initialize_user }}"
- when: users is defined
- loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
- loop_control:
- loop_var: initialize_user
diff --git a/ansible/roles/linfi/tasks/freebsd.yaml b/ansible/roles/linfi/tasks/freebsd.yaml
deleted file mode 100644
index aec1ef1e..00000000
--- a/ansible/roles/linfi/tasks/freebsd.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-- name: Install loader.conf
- template:
- src: "templates/{{ item }}_loader.conf.j2"
- dest: "/boot/loader.conf.d/{{ item }}.conf"
- mode: 0644
- owner: root
- group: wheel
- loop:
- - linfi
-
-- name: Install scripts
- copy:
- src: "files/{{ item.src }}"
- dest: "{{ item.dest }}"
- mode: 0755
- owner: root
- group: wheel
- loop:
- - src: launch_linfi.bash
- dest: /usr/local/bin/launch_linfi
-
-- name: Install rc script
- template:
- src: "templates/{{ item.src }}.j2"
- dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
- owner: root
- group: wheel
- mode: 0755
- loop:
- - src: linfi
-
-- name: Install service configuration
- copy:
- src: "files/{{ item }}_rc.conf"
- dest: "/etc/rc.conf.d/{{ item }}"
- mode: 0644
- owner: root
- group: wheel
- loop:
- - linfi
-
-- name: Install service configuration
- template:
- src: "templates/{{ item }}_rc.conf.j2"
- dest: "/etc/rc.conf.d/{{ item }}"
- mode: 0644
- owner: root
- group: wheel
- loop:
- - devmatch
diff --git a/ansible/roles/linfi/tasks/linux.yaml b/ansible/roles/linfi/tasks/linux.yaml
deleted file mode 100644
index bbbb0967..00000000
--- a/ansible/roles/linfi/tasks/linux.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# - name: Build aur packages
-# register: buildaur
-# become_user: "{{ build_user.name }}"
-# command: "aurutils-sync --no-view {{ item }}"
-# args:
-# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
-# loop:
-# - foo
-
-# - name: Update cache
-# when: buildaur.changed
-# pacman:
-# name: []
-# state: present
-# update_cache: true
-
-# - name: Install packages
-# package:
-# name:
-# - foo
-# state: present
-
-# - name: Enable services
-# systemd:
-# enabled: yes
-# name: "{{ item }}"
-# daemon_reload: yes
-# loop:
-# - foo.service
diff --git a/ansible/roles/linfi/tasks/main.yaml b/ansible/roles/linfi/tasks/main.yaml
deleted file mode 100644
index 9d714690..00000000
--- a/ansible/roles/linfi/tasks/main.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-- import_tasks: tasks/common.yaml
- when: linfi is defined and linfi.enabled
diff --git a/ansible/roles/linfi/tasks/peruser.yaml b/ansible/roles/linfi/tasks/peruser.yaml
deleted file mode 100644
index 111e886d..00000000
--- a/ansible/roles/linfi/tasks/peruser.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-- include_role:
- name: per_user
-
-# - name: Create directories
-# file:
-# name: "{{ account_homedir.stdout }}/{{ item }}"
-# state: directory
-# mode: 0700
-# owner: "{{ account_name.stdout }}"
-# group: "{{ group_name.stdout }}"
-# loop:
-# - ".config/foo"
-
-# - name: Copy files
-# copy:
-# src: "files/{{ item.src }}"
-# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
-# mode: 0600
-# owner: "{{ account_name.stdout }}"
-# group: "{{ group_name.stdout }}"
-# loop:
-# - src: foo.conf
-# dest: .config/foo/foo.conf
-
-- import_tasks: tasks/peruser_freebsd.yaml
- when: 'os_flavor == "freebsd"'
-
-- import_tasks: tasks/peruser_linux.yaml
- when: 'os_flavor == "linux"'
diff --git a/ansible/roles/linfi/tasks/peruser_freebsd.yaml b/ansible/roles/linfi/tasks/peruser_freebsd.yaml
deleted file mode 100644
index e69de29b..00000000
diff --git a/ansible/roles/linfi/tasks/peruser_linux.yaml b/ansible/roles/linfi/tasks/peruser_linux.yaml
deleted file mode 100644
index e69de29b..00000000
diff --git a/ansible/roles/linfi/templates/devmatch_rc.conf.j2 b/ansible/roles/linfi/templates/devmatch_rc.conf.j2
deleted file mode 100644
index 6b158a6c..00000000
--- a/ansible/roles/linfi/templates/devmatch_rc.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-devmatch_enable="YES"
-devmatch_blocklist="{{ linfi.driver_blocklist }}"
diff --git a/ansible/roles/linfi/templates/linfi.j2 b/ansible/roles/linfi/templates/linfi.j2
deleted file mode 100644
index 3d8cc3a5..00000000
--- a/ansible/roles/linfi/templates/linfi.j2
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/sh
-#
-# PROVIDE: linfi
-# REQUIRE: LOGIN
-# KEYWORD: shutdown nojail
-. /etc/rc.subr
-name=linfi
-rcvar=${name}_enable
-start_cmd="${name}_start"
-stop_cmd="${name}_stop"
-status_cmd="${name}_status"
-load_rc_config $name
-
-tmux_name="linfi"
-
-linfi_start() {
- /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env PASSTHROUGH='{{ linfi.pci_blocklist }}' /usr/local/bin/bash /usr/local/bin/launch_linfi start linfi {{ linfi.zfs_dataset }} {{ linfi.zfs_mountpoint }}"
- # /vm/.iso/alpine-extended-3.20.3-x86_64.iso
-}
-
-linfi_status() {
- if /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null; then
- echo "$tmux_name is running."
- else
- echo "$tmux_name is not running."
- return 1
- fi
-}
-
-linfi_stop() {
- /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null && (
- /usr/local/bin/tmux kill-session -t $tmux_name
- sleep 10
- bhyvectl --vm=linfi --destroy
- # kill `cat /var/run/linfi.pid`
- )
- linfi_wait_for_end
-}
-
-linfi_wait_for_end() {
- while /usr/local/bin/tmux has-session -t $tmux_name 2>dev/null; do
- sleep 1
- done
-}
-
-run_rc_command "$1"
diff --git a/ansible/roles/linfi/templates/linfi_loader.conf.j2 b/ansible/roles/linfi/templates/linfi_loader.conf.j2
deleted file mode 100644
index ffbabb5d..00000000
--- a/ansible/roles/linfi/templates/linfi_loader.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-vmm_load="YES"
-pptdevs="{{ linfi.pci_blocklist }}"
-{% if linfi.amd %}
-hw.vmm.amdvi.enable="1"
-{% endif %}
diff --git a/ansible/roles/network/files/homeserver_network.conf b/ansible/roles/network/files/homeserver_network.conf
index 69e68f1c..c80ac420 100644
--- a/ansible/roles/network/files/homeserver_network.conf
+++ b/ansible/roles/network/files/homeserver_network.conf
@@ -1,4 +1,4 @@
-# wlans_ath0="wlan0"
-# ifconfig_wlan0="WPA DHCP"
-# ifconfig_wlan0_ipv6="inet6 accept_rtadv"
-# ipv6_cpe_wanif="wlan0"
+wlans_iwlwifi0="wlan0"
+ifconfig_wlan0="WPA DHCP"
+ifconfig_wlan0_ipv6="inet6 accept_rtadv"
+ipv6_cpe_wanif="wlan0"
diff --git a/ansible/roles/package_manager/tasks/freebsd.yaml b/ansible/roles/package_manager/tasks/freebsd.yaml
index 4631cdb7..9ef9ca1b 100644
--- a/ansible/roles/package_manager/tasks/freebsd.yaml
+++ b/ansible/roles/package_manager/tasks/freebsd.yaml
@@ -26,60 +26,6 @@
 - src: pkg.conf
 dest: /usr/local/etc/pkg.conf
 
-- name: Install Configuration
- when: custom_repo is not defined
- register: changed_config
- copy:
- src: "files/{{ item.src }}"
- dest: "{{ item.dest }}"
- mode: 0644
- owner: root
- group: wheel
- loop:
- - src: FreeBSD-ports.conf
- dest: /usr/local/etc/pkg/repos/FreeBSD-ports.conf
-
-- name: Install Configuration
- when: custom_repo is defined
- copy:
- src: "files/{{ item.src }}"
- dest: "{{ item.dest }}"
- mode: 0644
- owner: root
- group: wheel
- loop:
- - src: disable_freebsd_upstream.conf
- dest: /usr/local/etc/pkg/repos/FreeBSD.conf
- - src: poudriere.pub
- dest: /usr/local/etc/pkg/poudriere.pub
-
-- name: Install Configuration
- when: custom_repo is defined
- register: changed_config
- template:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- owner: root
- group: wheel
- mode: 0644
- loop:
- - { src: custom.conf.j2, dest: /usr/local/etc/pkg/repos/custom.conf }
-
-- name: Install Configuration
- when: pkgbase_url is defined
- template:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- owner: root
- group: wheel
- mode: 0644
- loop:
- - { src: pkgbase.conf.j2, dest: /usr/local/etc/pkg/repos/pkgbase.conf }
-
-# - name: Replace all packages with packages from new repo
-# command: pkg upgrade -f -y
-# when: changed_config.changed
-
 - name: Install scripts
 copy:
 src: "files/{{ item.src }}"
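Review bot: `ipv6_cpe_wanif="wlan0"` is the rc.conf knob for an RFC 6204-style CPE router: as I read rc.conf(5) it implies IPv6 packet forwarding on the host while still accepting router advertisements on wlan0, so this hunk makes the homeserver an IPv6 router on its wireless uplink rather than a plain client. Confirm that is intended for the rebuild and that the pf ruleset (not in this hunk) filters forwarded traffic between wlan0 and the internal and jail networks; if the host should only be an IPv6 client, `ifconfig_wlan0_ipv6="inet6 accept_rtadv"` alone is enough. A one-line comment above the setting stating the host's role would keep the next reader from toggling it, e.g. `# CPE mode: this host forwards IPv6 for the LAN/jails; wlan0 is the upstream`.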
diff --git a/ansible/roles/public_dns/files/master.db b/ansible/roles/public_dns/files/master.db
index 96715bcf..76a26754 100644
--- a/ansible/roles/public_dns/files/master.db
+++ b/ansible/roles/public_dns/files/master.db
@@ -75,4 +75,3 @@ home IN A 68.197.252.22
 opstunnel IN CNAME home.fizz.buzz.
 stream IN CNAME home.fizz.buzz.
 stuff IN CNAME home.fizz.buzz.
-momlaptop IN CNAME home.fizz.buzz.
diff --git a/ansible/roles/sshd/files/sshd_config b/ansible/roles/sshd/files/sshd_config
index e879dc45..4a8b5c75 100644
--- a/ansible/roles/sshd/files/sshd_config
+++ b/ansible/roles/sshd/files/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+# $OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -56,12 +56,15 @@ AuthorizedKeysFile .ssh/authorized_keys
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 
-# Change to yes to enable built-in password authentication.
+# Change to "yes" to enable built-in password authentication.
 # Note that passwords may also be accepted via KbdInteractiveAuthentication.
 #PasswordAuthentication no
 #PermitEmptyPasswords no
 
-# Change to no to disable PAM authentication
+# Change to "no" to disable keyboard-interactive authentication. Depending on
+# the system's configuration, this may involve passwords, challenge-response,
+# one-time passwords or some combination of these and other methods.
+# Keyboard interactive authentication is also used for PAM authentication.
 #KbdInteractiveAuthentication yes
 KbdInteractiveAuthentication no
 
@@ -105,7 +108,8 @@ KbdInteractiveAuthentication no
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
-#UseBlacklist no
+#UseBlocklist no
+#VersionAddendum FreeBSD-20250801
 
 # no default banner path
 #Banner none
diff --git a/ansible/run.bash b/ansible/run.bash
index 631cd1bb..91910078 100755
--- a/ansible/run.bash
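Review bot: The re-synced header `# $OpenBSD: sshd_config,v 1.105 …$` makes sshd_config read as a pristine vendor template, yet the file carries a local deviation (`KbdInteractiveAuthentication no`, visible in the second hunk) and nothing marks which lines are local, so the next template re-sync can silently drop them. A short comment under the header, e.g. `# Local changes from the FreeBSD default are marked "# local:"`, plus `# local: keys only; keyboard-interactive (PAM) auth disabled` directly above `KbdInteractiveAuthentication no`, would make each future diff against upstream self-explanatory. Any other local settings outside these hunks should get the same marker.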
+++ b/ansible/run.bash
@@ -34,8 +34,6 @@ elif [ "$target" = "certificate" ]; then
 ansible-playbook -v -i environments/jail playbook.yaml --diff --limit certificate "${@}"
 elif [ "$target" = "bastion" ]; then
 ansible-playbook -v -i environments/jail playbook.yaml --diff --limit bastion "${@}"
-elif [ "$target" = "momlaptop" ]; then
- ansible-playbook -v -i environments/jail playbook.yaml --diff --limit momlaptop "${@}"
 elif [ "$target" = "vm_poudriereodo" ]; then
 ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}"
 elif [ "$target" = "vm_poudrieremrmanager" ]; then