From fb679924bccdd245c0957004e29ae3a191552a90 Mon Sep 17 00:00:00 2001 From: Tom Alexander Date: Thu, 4 Jul 2024 01:31:07 -0400 Subject: [PATCH] Enable ipv6 privacy extensions and build ipfw for dummynet. --- ansible/roles/network/files/main.conf | 1 - ansible/roles/network/tasks/freebsd.yaml | 12 +++--- ansible/roles/network/tasks/linux.yaml | 20 ++++++++++ .../poudriere/files/14broadwell_src.conf | 37 ++++++++++++------- .../poudriere/files/currentznver4_src.conf | 4 +- 5 files changed, 52 insertions(+), 22 deletions(-) diff --git a/ansible/roles/network/files/main.conf b/ansible/roles/network/files/main.conf index e97aef2..0388cd5 100644 --- a/ansible/roles/network/files/main.conf +++ b/ansible/roles/network/files/main.conf @@ -1,5 +1,4 @@ [Network] -EnableIPv6=true # NameResolvingService=resolvconf NameResolvingService=systemd diff --git a/ansible/roles/network/tasks/freebsd.yaml b/ansible/roles/network/tasks/freebsd.yaml index b7c0996..7b1434a 100644 --- a/ansible/roles/network/tasks/freebsd.yaml +++ b/ansible/roles/network/tasks/freebsd.yaml @@ -42,12 +42,12 @@ state: present sysctl_file: "/etc/sysctl.conf.local" loop: - [] - # - name: net.inet6.ip6.accept_rtadv # Enable stateless autoconfiguration (SLAAC) - # value: "1" - # - name: net.inet6.ip6.use_tempaddr # Enable privacy addresses - # value: "1" - # - name: net.inet6.ip6.prefer_tempaddr # Prefer privacy addresses + - name: net.inet6.ip6.accept_rtadv # Enable stateless autoconfiguration (SLAAC) + value: "1" + - name: net.inet6.ip6.use_tempaddr # Enable privacy addresses + value: "1" + - name: net.inet6.ip6.prefer_tempaddr # Prefer privacy addresses + value: "1" - name: Install service configuration copy: diff --git a/ansible/roles/network/tasks/linux.yaml b/ansible/roles/network/tasks/linux.yaml index 0cde23b..67b2cc1 100644 --- a/ansible/roles/network/tasks/linux.yaml +++ b/ansible/roles/network/tasks/linux.yaml 
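Review bot: Setting `net.inet6.ip6.accept_rtadv` to `"1"` in the `loop:` of the FreeBSD sysctl task turns on router-advertisement acceptance as a host-wide default rather than for one named interface. Any layer-2 segment the host is attached to can then supply it with addresses and a default route. If only one NIC needs SLAAC, consider scoping it in rc.conf with `ifconfig_<IFACE>_ipv6="inet6 accept_rtadv"` and keeping only the two `*_tempaddr` entries here. It is also worth confirming on a rebooted host that interfaces which already exist when `/etc/sysctl.conf.local` is loaded pick up this default, since that cannot be told from the hunk. The task's `name:` and module lines start above the hunk.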
@@ -29,6 +29,26 @@ - src: 10-wired.network dest: /etc/systemd/network/10-wired.network +- name: Configure sysctls + sysctl: + name: "{{ item.name }}" + value: "{{ item.value }}" + state: present + sysctl_file: /etc/sysctl.d/{{ item.file }} + loop: + # Enable IPv6 Privacy Extensions + - name: net.ipv6.conf.all.use_tempaddr + value: 2 + file: 40-ipv6.conf + # Enable IPv6 Privacy Extensions + - name: net.ipv6.conf.default.use_tempaddr + value: 2 + file: 40-ipv6.conf + # Enable IPv6 Privacy Extensions + # - name: net.ipv6.conf.nic.use_tempaddr + # value: 2 + # file: 40-ipv6.conf + - name: Enable services systemd: enabled: yes diff --git a/ansible/roles/poudriere/files/14broadwell_src.conf b/ansible/roles/poudriere/files/14broadwell_src.conf index 52f5601..0b09ee5 100644 --- a/ansible/roles/poudriere/files/14broadwell_src.conf +++ b/ansible/roles/poudriere/files/14broadwell_src.conf 
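Review bot: The new `Configure sysctls` task may have no effect on links managed by systemd-networkd, which this role appears to use given `10-wired.network`. networkd writes `use_tempaddr` per interface from its own `IPv6PrivacyExtensions=` setting, and when that is unset it falls back to `no`, overriding the `all` and `default` values written here. The contents of `10-wired.network` are not visible in this diff, so check whether it already sets the option; if it does not, add `IPv6PrivacyExtensions=kernel` (or `yes`) under `[Network]` there. After deploying, `sysctl net.ipv6.conf.<IFACE>.use_tempaddr` on the live interface should read `2`. As a smaller style point, quote the values (`value: "2"`) and the templated path (`sysctl_file: "/etc/sysctl.d/{{ item.file }}"`) to match the FreeBSD task.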
@@ -3,28 +3,37 @@ WITH_MALLOC_PRODUCTION=YES WITHOUT_LLVM_ASSERTIONS=YES WITH_REPRODUCIBLE_BUILD=YES +WITHOUT_DEBUG_FILES=YES +WITHOUT_ASSERT_DEBUG=YES +WITHOUT_LLVM_TARGET_ALL=YES +WITHOUT_LIB32=YES +WITHOUT_HTML=YES + +WITHOUT_OFED=YES # OpenFabrics Enterprise Distributio +WITHOUT_FLOPPY=YES +WITHOUT_IPFILTER=YES +WITHOUT_GAMES=YES +WITH_SORT_THREADS=YES +WITHOUT_TESTS=YES +WITHOUT_USB_GADGET_EXAMPLES=YES +WITHOUT_HYPERV=YES +WITHOUT_LEGACY_CONSOLE=YES + # Would be fun to experiment with: # WITHOUT_SOURCELESS=YES -# WITHOUT_GAMES=YES -# WITHOUT_KERBEROS=YES -# WITHOUT_LEGACY_CONSOLE=YES -# WITHOUT_LIB32=YES # WITHOUT_LOADER_GELI=YES # WITHOUT_MLX5TOOL=YES # WITHOUT_NDIS=YES -# WITHOUT_OFED=YES # WITHOUT_PPP=YES -# WITH_SORT_THREADS=YES # WITHOUT_TALK=YES # WITHOUT_TCSH=YES - - -# Questionable Optimizations -WITHOUT_FLOPPY=YES -WITHOUT_HTML=YES -WITHOUT_IPFW=YES -WITHOUT_IPFILTER=YES -WITHOUT_LLVM_TARGET_ALL=YES +# WITHOUT_KERNEL_SYMBOLS=YES # Commented out because maybe I want email alerts for failing disks # WITHOUT_MAIL=YES + +# Some ports like curl depend on kerberos by default. I figure I'd rather just have kerberos built into the base system than depend on a port. +# WITHOUT_KERBEROS=YES + +# Need to enable IPFW for dummynet +# WITHOUT_IPFW=YES diff --git a/ansible/roles/poudriere/files/currentznver4_src.conf b/ansible/roles/poudriere/files/currentznver4_src.conf index 0fb130c..6991e33 100644 --- a/ansible/roles/poudriere/files/currentznver4_src.conf +++ b/ansible/roles/poudriere/files/currentznver4_src.conf @@ -11,7 +11,6 @@ WITHOUT_HTML=YES WITHOUT_OFED=YES # OpenFabrics Enterprise Distributio WITHOUT_FLOPPY=YES -WITHOUT_IPFW=YES WITHOUT_IPFILTER=YES WITHOUT_GAMES=YES WITH_SORT_THREADS=YES @@ -35,3 +34,6 @@ WITHOUT_LEGACY_CONSOLE=YES # Some ports like curl depend on kerberos by default. I figure I'd rather just have kerberos built into the base system than depend on a port. # WITHOUT_KERBEROS=YES + +# Need to enable IPFW for dummynet +# WITHOUT_IPFW=YES
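Review bot: The comment `# Need to enable IPFW for dummynet` above the now-disabled `WITHOUT_IPFW=YES` in `14broadwell_src.conf` leaves out the operational caveat that matters most. ipfw's built-in default rule is deny-all unless the kernel was built with the default-to-accept option or the `net.inet.ip.fw.default_to_accept` tunable is set. How the module gets loaded on these hosts is not shown in this diff, so this is something to document rather than a confirmed defect. I would extend the comment to something like `# Need to enable IPFW for dummynet. ipfw defaults to deny-all when loaded; set default_to_accept or install a ruleset before loading it on a remote host.` The same comment is added at the end of `currentznver4_src.conf` and should get the same wording.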