Enable quic and add CUSTOM kernel.

ansible/roles/jail_bastion/files/headers.include

@@ -10,3 +10,6 @@ add_header X-Content-Type-Options "nosniff" always;
 # Disallow the site to be rendered within a frame (clickjacking
 # protection)
 add_header X-Frame-Options "DENY" always;
+
+# Indicate that we are serving http3 on port 443
+add_header Alt-Svc 'h3=":443"; ma=864000';

ansible/roles/jail_bastion/files/nginx.conf

@@ -26,6 +26,8 @@ http {
     }
 
     server {
+        listen 443 quic reuseport;
+        listen [::]:443 quic reuseport;
         listen 443 ssl;
         listen [::]:443 ssl;
         http2  on;

ansible/roles/jail_bastion/files/proxy.include

@@ -5,3 +5,5 @@ proxy_set_header X-Forwarded-Proto $scheme;
 # Settings for keepalive module for upstreams
 proxy_http_version 1.1;
 proxy_set_header Connection "";
+# Requests sent with early data are subject to replay attacks so the application needs to protect against that by using the Early-Data header.
+# proxy_set_header Early-Data $ssl_early_data;

ansible/roles/poudriere/files/poudriere_delete_jail.bash

@@ -12,5 +12,7 @@ if ! grep -q "${jail_name}" <<<"$jail_list"; then
 fi
 
 poudriere jail -d -j "$jail_name" -C all
+rm -rf /usr/local/poudriere/data/images/${jail_name}-repo \
+   /usr/obj/usr/local/poudriere/jails/${jail_name}
 
 echo "Deleted jail $jail_name"

ansible/roles/poudriere/tasks/freebsd.yaml

@@ -123,6 +123,7 @@
 
 - name: Create the jails
   when: item.version != "CURRENT"
+  check_mode: false
   command: |-
     echo poudriere jail {{poudriere_perf_flags}} -c -j {{ item.jail }} -v {{ item.version }} -a amd64 -K {{ item.kernel|default("GENERIC") }} -B -b
   args:
@@ -131,6 +132,7 @@
 
 - name: Create the jails
   when: item.version == "CURRENT"
+  check_mode: false
   # -D clones the entire history instead of just the most recent commit
   # -B to build the pkgbase packages
   # -b to build the jail OS from source