Add support for setting the group owning the file.

This is remove duplication between the individual hosts folders.

.gitattributes

@@ -1,3 +1,5 @@
 cargo_credentials.toml filter=git-crypt diff=git-crypt
 **/wireguard_configs/** filter=git-crypt diff=git-crypt
 *.key filter=git-crypt diff=git-crypt
+credentials filter=git-crypt diff=git-crypt
+htpasswd filter=git-crypt diff=git-crypt

ansible/environments/colo/host_vars/mrmanager

@@ -15,12 +15,13 @@ pflog_conf:
   - name: 0
     dev: pflog0
 cputype: "amd"
+hwpstate: true
 etc_hosts: {}
 wireguard_directory: mrmanager
 enabled_wireguard:
   - colo
 jail_zfs_dataset: zdata/jail
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
 jail_canmount: "on"
 jail_list:
   - name: nat_dhcp

ansible/environments/home/host_vars/homeserver

@@ -1,9 +1,32 @@
 os_flavor: "freebsd"
+custom_repo: "https://freebsdpkg.fizz.buzz/repo/14broadwell-default-computer"
+pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/14broadwell-repo/FreeBSD:14:amd64/latest"
 zfs_snapshot_datasets:
   - path: zroot/freebsd/computer/be
   - path: zmass/encrypted/vm
+  - path: zmass/encrypted/data
+users:
+  talexander:
+    initialize: true
+    uid: 11235
+    gid: 11235
+    groups:
+      - name: wheel
+      - name: video
+      - name: u2f
+      - name: operator # To be able to shutdown without root
+      - name: webcamd
+        gid: 145
+    authorized_keys:
+      - yubikey
+      - main_fido
+      - backup_fido
+      - homeassistant
+    gitconfig: "gitconfig_home"
 sshd_enabled: true
 sshd_conf: "sshd_config"
+prefer_ipv6: true
+dummynet_config: "dnctl.conf"
 pf_config: "homeserver_pf.conf"
 pflog_conf:
   - name: 0
@@ -11,12 +34,11 @@ pflog_conf:
 network_rc: "homeserver_network.conf"
 rc_conf: "homeserver_rc.conf"
 loader_conf: "homeserver_loader.conf"
-netgraph_config: "setup_netgraph_homeserver"
 cputype: "intel"
 hwpstate: false
 devfs_rules: "homeserver_devfs.rules"
 jail_zfs_dataset: zmass/encrypted/jails
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
 jail_canmount: "on"
 jail_bemount: "on"
 jail_list:
@@ -31,16 +53,41 @@ jail_list:
   - name: dagger
     conf:
       src: dagger
-  - name: mumble
+  - name: olddagger
     conf:
-      src: mumble
+      src: olddagger
-    persist:
+  - name: sftp
-      - name: mumbledb
+    conf:
-        mount: /var/db/murmur
+      src: sftp
+    fstab: sftp_fstab
+  - name: bastion
+    conf:
+      src: bastion
+    fstab: fstab_bastion
+  - name: certificate
+    conf:
+      src: certificate
+  - name: momlaptop
+    conf:
+      src: momlaptop
+  # - name: mumble
+  #   conf:
+  #     src: mumble
+  #   persist:
+  #     - name: mumbledb
+  #       mount: /var/db/murmur
 bhyve_dataset: zmass/encrypted/vm
-bhyve_list: []
+# Disable mounting bhyve dataset so it doesn't hide the unencrypted linfi vm
-bhyve_canmount: "on"
+bhyve_canmount: "off"
+bhyve_mountpoint: "none"
 bhyve_bemount: "on"
 wireguard_directory: homeserver
 enabled_wireguard:
   - wgh
+linfi:
+  enabled: true
+  zfs_dataset: zmass/unencrypted/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "ath if_ath if_ath_pci ath_hal if_iwm if_iwlwifi"
+  pci_blocklist: "6/0/0"
+  amd: false

ansible/environments/home/hosts

@@ -1,2 +1,2 @@
 [headless]
-homeserver ansible_user=talexander ansible_host=10.216.1.1
+homeserver ansible_user=talexander ansible_host=homeserver

ansible/environments/jail/host_vars/bastion

@@ -0,0 +1 @@
+os_flavor: freebsd

ansible/environments/jail/host_vars/certificate

@@ -0,0 +1 @@
+os_flavor: freebsd

ansible/environments/jail/host_vars/momlaptop

@@ -0,0 +1 @@
+os_flavor: freebsd

ansible/environments/jail/host_vars/sftp

@@ -0,0 +1,6 @@
+os_flavor: "freebsd"
+users:
+  nochainstounlock:
+    initialize: true
+    uid: 11235
+    gid: 11235

ansible/environments/jail/hosts

@@ -1,7 +1,11 @@
 [jail]
 nat_dhcp ansible_connection=jail
-homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
+homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@homeserver ansible_connection=sshjail
 mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
 nat_dhcp@172.16.16.2 ansible_connection=sshjail
 admin_git ansible_ssh_host=admin_git@10.217.2.1 ansible_connection=sshjail
 public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
+sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
+bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail
+certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail
+momlaptop ansible_ssh_host=momlaptop@homeserver ansible_connection=sshjail

ansible/environments/laptop/host_vars/odofreebsd

@@ -1,13 +1,16 @@
 os_flavor: "freebsd"
-custom_repo: current-default-framework
+custom_repo: "https://freebsdpkg.fizz.buzz/repo/currentznver4-default-framework"
+pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/currentznver4-repo/FreeBSD:15:amd64/latest"
 zfs_snapshot_datasets:
   - path: zroot/freebsd/current/be/default
 sshd_enabled: true
 sshd_conf: "sshd_config"
-#pf_config: "odofreebsd_pf.conf"
+pf_config: "odofreebsd_pf.conf"
-#pflog_conf:
+pflog_conf:
-#  - name: 0
+ - name: 0
-#    dev: pflog0
+   dev: pflog0
+prefer_ipv6: true
+dummynet_config: "dnctl.conf"
 network_rc: "odofreebsd_network.conf"
 rc_conf: "odofreebsd_rc.conf"
 loader_conf: "odofreebsd_loader.conf"
@@ -16,6 +19,7 @@ graphics_driver: "amd"
 cputype: "amd"
 hwpstate: true
 cores: 16
+sound_system: "oss"
 users:
   talexander:
     initialize: true
@@ -28,6 +32,7 @@ users:
       - name: operator # To be able to shutdown without root
       - name: webcamd
         gid: 145
+      - name: realtime
     authorized_keys:
       - yubikey
       - main_fido
@@ -36,15 +41,17 @@ users:
     gitconfig: "gitconfig_home"
 devfs_rules: "odo_devfs.rules"
 jail_zfs_dataset: zroot/freebsd/current/jails
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
+jail_canmount: "on"
 jail_list:
   - name: nat_dhcp
     enabled: true
     conf:
       src: nat_dhcp
 bhyve_dataset: zroot/freebsd/current/vm
-bhyve_list: []
+bhyve_bemount: off
-efi_dev: /dev/gpt/EFI
+# efi_dev: /dev/gpt/EFI
+efi_dev: /dev/diskid/DISK-SJB7N717610407Q0Hp1
 sway_conf_files:
   - launch_gpg
 wireguard_directory: odo
@@ -52,3 +59,10 @@ enabled_wireguard:
   - wgh
   - drmario
   - colo
+linfi:
+  enabled: true
+  zfs_dataset: zroot/freebsd/current/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "if_iwm if_iwlwifi"
+  pci_blocklist: "1/0/0"
+  amd: true

ansible/environments/laptop/host_vars/odolinux

@@ -16,6 +16,7 @@ users:
       - backup_fido
       - homeassistant
     gitconfig: "gitconfig_home"
+periodic_scrub_pools: [zroot]
 zfs_snapshot_datasets:
   # - zroot/linux/archmain/home
   - path: zroot/linux/archmain/be

ansible/environments/laptop/host_vars/odowork

@@ -17,6 +17,7 @@ users:
       - main_fido
       - backup_fido
     gitconfig: "gitconfig_work"
+periodic_scrub_pools: [zroot]
 zfs_snapshot_datasets:
   - path: zroot/linux/archwork/be
 install_graphics: true

ansible/environments/vm/host_vars/poudrieremrmanager

@@ -1,4 +1,6 @@
 os_flavor: "freebsd"
+sshd_enabled: true
+custom_repo: "file:///usr/local/poudriere/data/packages/currentznver4-default-framework"
 pkgbase_url: "file:///usr/local/poudriere/data/images/currentznver4-repo/FreeBSD:15:amd64/latest"
 poudriere_builds:
   # - jail: 13amd64
@@ -10,6 +12,19 @@ poudriere_builds:
     set: framework
     version: CURRENT
     # revision: 66d37dbedfbf2dc94ccf49e6983c3652d5909b91
-    kernel: GENERIC-NODEBUG
+    kernel: CUSTOM
     branch: main
     srcconf: currentznver4_src.conf
+  # - jail: 14broadwell
+  #   ports: default
+  #   set: computer
+  #   version: 14.0-RELEASE
+  #   kernel: GENERIC
+  #   srcconf: 14broadwell_src.conf
+  - jail: 14broadwell
+    ports: default
+    set: computer
+    version: CURRENT
+    kernel: CUSTOM
+    branch: releng/14.1
+    srcconf: 14broadwell_src.conf

ansible/playbook.yaml

@@ -27,6 +27,7 @@
     - sway
     - emacs
     - firefox
+    - chromium
     - devfs
     - ssh_client
     - sshfs
@@ -54,6 +55,7 @@
     - lvfs
     - restaurant_health_rating
     - wasm
+    - noise_suppression
 
 - hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp
   vars:
@@ -66,8 +68,12 @@
     ansible_become: True
   roles:
     - sudo # for poudboot script
+    - doas
     - fstab
     - package_manager
+    - zsh
+    - termcap
+    - sshd
     - portshaker
     - poudriere
     - poudrierenginx
@@ -120,12 +126,14 @@
   vars:
     ansible_become: True
   roles:
+    - linfi
     - framework_laptop
 
 - hosts: homeserver
   vars:
     ansible_become: True
   roles:
+    - linfi
     - homeserver
 
 - hosts: odowork
@@ -133,3 +141,28 @@
     ansible_become: True
   roles:
     - odowork
+
+- hosts: sftp
+  vars:
+    ansible_become: True
+  roles:
+    - users
+    - sftp
+
+- hosts: bastion
+  vars:
+    ansible_become: True
+  roles:
+    - jail_bastion
+
+- hosts: certificate
+  vars:
+    ansible_become: True
+  roles:
+    - jail_certificate
+
+- hosts: momlaptop
+  vars:
+    ansible_become: True
+  roles:
+    - jail_momlaptop

ansible/roles/ansible/tasks/freebsd.yaml

@@ -1,6 +1,6 @@
 - name: Install packages
   package:
     name:
-      - py39-ansible
+      - py311-ansible
       - ansible-sshjail
     state: present

ansible/roles/base/files/alacritty.termcap

@@ -1,24 +0,0 @@
-#	Reconstructed via infocmp from file: /usr/share/terminfo/a/alacritty
-# (untranslatable capabilities removed to fit entry within 1023 bytes)
-# (sgr removed to fit entry within 1023 bytes)
-# (acsc removed to fit entry within 1023 bytes)
-# (terminfo-only capabilities suppressed to fit entry within 1023 bytes)
-alacritty|alacritty terminal emulator:\
-	:am:bs:hs:mi:ms:xn:\
-	:co#80:it#8:li#24:\
-	:AL=\E[%dL:DC=\E[%dP:DL=\E[%dM:DO=\E[%dB:IC=\E[%d@:\
-	:K2=\EOE:LE=\E[%dD:RI=\E[%dC:SF=\E[%dS:SR=\E[%dT:\
-	:UP=\E[%dA:ae=\E(B:al=\E[L:as=\E(0:bl=^G:bt=\E[Z:cd=\E[J:\
-	:ce=\E[K:cl=\E[H\E[2J:cm=\E[%i%d;%dH:cr=\r:\
-	:cs=\E[%i%d;%dr:ct=\E[3g:dc=\E[P:dl=\E[M:do=\n:\
-	:ds=\E]2;\007:ec=\E[%dX:ei=\E[4l:fs=^G:ho=\E[H:im=\E[4h:\
-	:is=\E[!p\E[?3;4l\E[4l\E>:k1=\EOP:k2=\EOQ:k3=\EOR:\
-	:k4=\EOS:k5=\E[15~:k6=\E[17~:k7=\E[18~:k8=\E[19~:\
-	:k9=\E[20~:kD=\E[3~:kI=\E[2~:kN=\E[6~:kP=\E[5~:kb=\177:\
-	:kd=\EOB:ke=\E[?1l\E>:kh=\EOH:kl=\EOD:kr=\EOC:\
-	:ks=\E[?1h\E=:ku=\EOA:le=^H:mb=\E[5m:md=\E[1m:me=\E[0m:\
-	:mh=\E[2m:mm=\E[?1034h:mo=\E[?1034l:mr=\E[7m:nd=\E[C:\
-	:rc=\E8:sc=\E7:se=\E[27m:sf=\n:so=\E[7m:sr=\EM:st=\EH:ta=^I:\
-	:te=\E[?1049l\E[23;0;0t:ti=\E[?1049h\E[22;0;0t:\
-	:ts=\E]2;:ue=\E[24m:up=\E[A:us=\E[4m:vb=\E[?5h\E[?5l:\
-	:ve=\E[?12l\E[?25h:vi=\E[?25l:vs=\E[?12;25h:

ansible/roles/base/files/bbr_loader.conf

@@ -0,0 +1 @@
+tcp_bbr_load="YES"

ansible/roles/base/files/cleartmp_rc.conf

@@ -0,0 +1 @@
+clear_tmp_enable="YES"

ansible/roles/base/files/decode_jwt.bash

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Decode the contents of a JWT
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec jq -R 'split(".") | .[0],.[1] | gsub("-"; "+") | gsub("_"; "/") | gsub("%3D"; "=")| @base64d | fromjson'

ansible/roles/base/files/disk_labels_loader.conf

@@ -1,8 +1,12 @@
-# Disabling both of these will make /dev/gpt/* populated
+# Populates the /dev/diskid
+kern.geom.label.disk_ident.enable="1"
+
+
+
+# Populates /dev/gpt but only if kern.geom.label.disk_ident.enable is disabled.
 #
 # This uses gpt partition labels which you can set with:
 #
 #     gpart modify -l EFI -i 1 nvd0
 
-# kern.geom.label.disk_ident.enable="0"
 # kern.geom.label.gptid.enable="1"

ansible/roles/base/files/gitconfig_work

@@ -33,5 +33,5 @@
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
         # Make the middle pane start without any merge progress:
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
-[includeIf "gitdir:/bridge/git/machine_setup/"]
+[includeIf "gitdir:/bridge/"]
 	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home

ansible/roles/base/files/gitignore_global

@@ -1,3 +1,8 @@
 .idea
 .python-version
+
+# Emacs per-directory settings
 .dir-locals.el
+
+# C/C++ Language Server compile commands
+compile_commands.json

ansible/roles/base/files/homeserver_loader.conf

@@ -1,5 +1,3 @@
 security.bsd.allow_destructive_dtrace=0
-kern.geom.label.disk_ident.enable="0"
-kern.geom.label.gptid.enable="0"
 cryptodev_load="YES"
 zfs_load="YES"

ansible/roles/base/files/login.conf

@@ -32,7 +32,7 @@ default:\
 	:cputime=unlimited:\
 	:datasize=unlimited:\
 	:stacksize=unlimited:\
-	:memorylocked=64K:\
+	:memorylocked=128M:\
 	:memoryuse=unlimited:\
 	:filesize=unlimited:\
 	:coredumpsize=unlimited:\
@@ -44,6 +44,7 @@ default:\
 	:pseudoterminals=unlimited:\
 	:kqueues=unlimited:\
 	:umtxp=unlimited:\
+	:pipebuf=unlimited:\
 	:priority=0:\
 	:ignoretime@:\
 	:umask=022:\

ansible/roles/base/files/odofreebsd_loader.conf

@@ -1,6 +1,3 @@
 security.bsd.allow_destructive_dtrace=0
-kern.geom.label.disk_ident.enable="0"
-kern.geom.label.gptid.enable="0"
 cryptodev_load="YES"
 zfs_load="YES"
-

ansible/roles/base/files/odofreebsd_rc.conf

@@ -1,13 +1,6 @@
-clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="odo"
-wlans_iwlwifi0="wlan0"
-ifconfig_wlan0="WPA DHCP"
-ifconfig_wlan0_ipv6="inet6 accept_rtadv"
-sshd_enable="YES"
-ntpd_enable="YES"
-powerd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
 zfs_enable="YES"

ansible/roles/base/files/tmux.conf

@@ -1,4 +1,4 @@
-set-option -g mouse on
+# set-option -g mouse on
 set-option -g history-limit 20000
 # set -g @plugin 'tmux-plugins/tmux-yank'
 # Emacs style

ansible/roles/base/files/watch_freebsd

@@ -10,7 +10,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 function cleanup {
     switch_to_main_screen
 }
-for sig in EXIT INT QUIT HUP TERM; do
+for sig in EXIT; do
   trap "set +e; cleanup; exit" "$sig"
 done
 

ansible/roles/base/meta/main.yaml

@@ -1,2 +1,3 @@
 dependencies:
   - fstab
+  - termcap

ansible/roles/base/tasks/common.yaml

@@ -16,21 +16,19 @@
       - wget
       - colordiff
       - ipcalc
-      - kdiff3
-      - meld
       - tcpdump
       - moreutils # for ts [%Y-%m-%d %H:%M:%.S]
       - ddrescue
+      - dmidecode
     state: present
 
-- name: Set timezone
+- name: Install packages
-  file:
+  when: install_graphics
-    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
+  package:
-    dest: /etc/localtime
+    name:
-    owner: root
+      - kdiff3
-    # TODO: Arch Linux is changing the group to root instead of wheel. Maybe make this a variable?
+      - meld
-    group: wheel
+    state: present
-    state: link
 
 - name: Install scripts
   copy:
@@ -50,6 +48,8 @@
       dest: /usr/local/bin/cleanup_temporary_files
     - src: git_fix_author.bash
       dest: /usr/local/bin/git_fix_author
+    - src: decode_jwt.bash
+      dest: /usr/local/bin/decode_jwt
 
 - import_tasks: tasks/freebsd.yaml
   when: 'os_flavor == "freebsd"'

ansible/roles/base/tasks/freebsd.yaml

@@ -1,3 +1,11 @@
+- name: Set timezone
+  file:
+    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
+    dest: /etc/localtime
+    owner: root
+    group: wheel
+    state: link
+
 - name: Install packages
   package:
     name:
@@ -5,29 +13,18 @@
       - gsed
       - gmake
       - rust-coreutils
+      - shuf
     state: present
 
-- name: See if the alacritty termcap has been added
+- name: Install service configuration
-  lineinfile:
+  copy:
-    name: /usr/share/misc/termcap
+    src: "files/{{ item }}_rc.conf"
-    regexp: |-
+    dest: "/etc/rc.conf.d/{{ item }}"
-      ^alacritty\|
+    mode: 0644
-    state: absent
+    owner: root
-  check_mode: yes
+    group: wheel
-  changed_when: false
+  loop:
-  register: alacritty_cap
+    - cleartmp
-
-- name: Append alacritty termcap info
-  blockinfile:
-    path: /usr/share/misc/termcap
-    block: "{{ lookup('file', 'alacritty.termcap') }}"
-    marker: "# {mark} ANSIBLE MANAGED BLOCK alacritty"
-  when: not alacritty_cap.found
-  register: wrote_alacritty_cap
-
-- name: Update cap_mkdb
-  command: cap_mkdb /usr/share/misc/termcap
-  when: wrote_alacritty_cap.changed
 
 - name: Install login.conf
   copy:
@@ -42,18 +39,6 @@
   command: cap_mkdb /etc/login.conf
   when: login_config.changed
 
-- name: Enable periodic scrub
-  community.general.sysrc:
-    name: daily_scrub_zfs_enable
-    value: "YES"
-    path: /etc/periodic.conf.local
-
-- name: Set scrub interval
-  community.general.sysrc:
-    name: daily_scrub_zfs_default_threshold
-    value: "7"
-    path: /etc/periodic.conf.local
-
 - name: Install loader.conf
   copy:
     src: "{{loader_conf}}"
@@ -123,3 +108,65 @@
     group: wheel
   loop:
     - disk_labels
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: false
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    # Adjust ttl
+    - name: net.inet.ip.ttl
+      value: 65
+    - name: net.inet6.ip6.hlim
+      value: 65
+
+- name: Log periodic output instead of getting it as mail
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK log"
+    # create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_output=/var/log/daily.log
+      weekly_output=/var/log/weekly.log
+      monthly_output=/var/log/monthly.log
+
+- name: Enable periodic zfs scrub
+  when: install_zfs
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK zfs"
+    # create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_scrub_zfs_enable="YES"
+      daily_scrub_zfs_default_threshold="7"
+
+# Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
+- name: Install loader.conf
+  copy:
+    src: "files/{{ item }}_loader.conf"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - bbr
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: false
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    - name: net.inet.tcp.functions_default
+      value: "bbr"

ansible/roles/base/tasks/linux.yaml

@@ -1,3 +1,11 @@
+- name: Set timezone
+  file:
+    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
+    dest: /etc/localtime
+    owner: root
+    group: root
+    state: link
+
 - name: Install packages
   package:
     name:
@@ -9,6 +17,7 @@
       - uutils-coreutils
       - usbutils # for lsusb
       - bolt
+      - whois
     state: present
 
 - name: Start pkgfile update service
@@ -18,17 +27,6 @@
     daemon_reload: yes
     enabled: yes
 
-# Of questionable value since I don't use swap on my machines
-- name: Configure sysctls for swap
-  sysctl:
-    name: "{{ item.name }}"
-    value: "{{ item.value }}"
-    state: present
-    sysctl_file: /etc/sysctl.d/swap.conf
-  loop:
-    - name: vm.swappiness
-      value: 10
-
 - name: Install scripts
   copy:
     src: "files/{{ item.src }}"
@@ -41,3 +39,41 @@
       dest: /usr/local/bin/mount_disk_image
     - src: watch_linux
       dest: /usr/local/bin/ww
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    sysctl_file: /etc/sysctl.d/{{ item.file }}
+  loop:
+    # Of questionable value since I don't use swap on my machines
+    - name: vm.swappiness
+      value: 10
+      file: swap.conf
+    # Enable TCP packetization-layer PMTUD when an ICMP black hole is detected.
+    - name: net.ipv4.tcp_mtu_probing
+      value: 1
+      file: tcp.conf
+    # Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
+    - name: net.ipv4.tcp_congestion_control
+      value: bbr
+      file: tcp.conf
+    # Don't do a slow start after a connection has been idle for a single RTO.
+    - name: net.ipv4.tcp_slow_start_after_idle
+      value: 0
+      file: tcp.conf
+    # 3x time to accumulate filesystem changes before flushing to disk.
+    - name: vm.dirty_writeback_centisecs
+      value: 1500
+      file: power.conf
+    # Adjust ttl
+    - name: net.ipv4.ip_default_ttl
+      value: 65
+      file: ttl.conf
+    - name: net.ipv6.conf.all.hop_limit
+      value: 65
+      file: ttl.conf
+    - name: net.ipv6.conf.default.hop_limit
+      value: 65
+      file: ttl.conf

ansible/roles/bhyve/defaults/main.yaml

@@ -1,2 +1 @@
 bhyve_mountpoint: "/vm"
-bhyve_list: []

ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash

@@ -30,6 +30,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
 : ${VNC_ENABLE:="NO"}
 : ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
 
 if [ "$VERBOSE" = "YES" ]; then
     set -x
@@ -45,7 +47,7 @@ function cleanup {
     done
 }
 vms=()
-for sig in EXIT INT QUIT HUP TERM; do
+for sig in EXIT; do
   trap "set +e; sleep 10; cleanup" "$sig"
 done
 
@@ -105,7 +107,8 @@ function start_vm {
     local bridge_name="$BRIDGE_NAME"
     local ip_range="$IP_RANGE" # for raw this value does not matter
 
-    local mac_address=$(calculate_mac_address "$name")
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")
 
     local additional_args=()
 
@@ -140,7 +143,7 @@ function start_vm {
         additional_args+=("-s" "5,ahci-cd,$mount_cd")
     fi
     if [ "$VNC_ENABLE" = "YES" ]; then
-        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=1920,h=1080")
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
     fi
     vms+=("$name")
     while true; do
@@ -151,6 +154,8 @@ function start_vm {
             -c $CPU_CORES \
             -m $MEMORY \
             -H \
+            -P \
+            -o 'rtc.use_localtime=false' \
             -s 0,hostbridge \
             -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
             -s 30,xhci,tablet \
@@ -245,7 +250,8 @@ function ng_exists {
 
 function calculate_mac_address {
     local name="$1"
-    local source=$(md5 -r -s "$name" | awk '{print $1}')
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
     echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
 }
 

ansible/roles/chromium/files/chromium-flags.conf

@@ -0,0 +1,2 @@
+--ozone-platform-hint=auto
+--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE

ansible/roles/chromium/meta/main.yaml

@@ -0,0 +1,2 @@
+dependencies:
+  - users

ansible/roles/chromium/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/chromium/tasks/freebsd.yaml

@@ -0,0 +1,5 @@
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present

ansible/roles/chromium/tasks/linux.yaml

@@ -0,0 +1,7 @@
+# Check chrome://gpu/ to confirm hardware video decoding and vulkan rendering is working.
+
+- name: Install packages
+  package:
+    name:
+      - chromium
+    state: present

ansible/roles/chromium/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: install_graphics

ansible/roles/chromium/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/chromium/tasks/peruser_linux.yaml

@@ -0,0 +1,10 @@
+- name: Copy files
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+    mode: 0600
+    owner: "{{ account_name.stdout }}"
+    group: "{{ group_name.stdout }}"
+  loop:
+    - src: chromium-flags.conf
+      dest: .config/chromium-flags.conf

ansible/roles/cpu/tasks/freebsd_amd.yaml

@@ -27,3 +27,14 @@
     group: wheel
   loop:
     - aesni
+
+- name: Install loader.conf
+  when: hwpstate is defined and hwpstate
+  copy:
+    src: "files/{{ item }}_loader.conf"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - per_core_hwpstate

ansible/roles/cpu/tasks/freebsd_intel.yaml

@@ -78,4 +78,4 @@
     owner: root
     group: wheel
   loop:
-    - percorespeedshift
+    - per_core_hwpstate

ansible/roles/devfs/files/homeserver_devfs.rules

@@ -17,3 +17,9 @@ add include $devfsrules_hide_all
 add include $devfsrules_unhide_basic
 add include $devfsrules_unhide_login
 add path 'bpf*' unhide
+
+[tajailrand=15]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path urandom unhide

ansible/roles/docker/tasks/linux.yaml

@@ -2,6 +2,8 @@
   package:
     name:
       - docker
+      - docker-compose
+      - docker-buildx
     state: present
 
 - name: Create docker zfs dataset

ansible/roles/dummynet/files/dnctl.conf

@@ -0,0 +1,2 @@
+pipe 1 config bw 100KByte/s
+pipe 2 config

ansible/roles/dummynet/files/dummynet

@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+#
+
+# PROVIDE: dummynet
+# BEFORE: pf ipfw
+# KEYWORD: nojailvnet
+
+. /etc/rc.subr
+
+name="dummynet"
+desc="Dummynet packet queuing and scheduling"
+rcvar="${name}_enable"
+load_rc_config $name
+start_cmd="${name}_start"
+required_files="$dummynet_rules"
+required_modules="dummynet"
+
+dummynet_start()
+{
+	startmsg -n "Enabling ${name}"
+        cat "$dnctl_rules" | while read l; do
+          dnctl $l
+        done
+	startmsg '.'
+}
+
+run_rc_command $*

ansible/roles/dummynet/files/dummynet_rc.conf

@@ -0,0 +1,2 @@
+dummynet_enable="YES"
+dummynet_rules="/etc/dnctl.conf"

ansible/roles/dummynet/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/dummynet/tasks/freebsd.yaml

@@ -0,0 +1,30 @@
+- name: Install Configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: "{{ dummynet_config }}"
+      dest: /etc/dnctl.conf
+
+- name: Install rc script
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: dummynet
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - dummynet

ansible/roles/dummynet/tasks/linux.yaml

@@ -0,0 +1,29 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
+
+# - name: Enable services
+#   systemd:
+#     enabled: yes
+#     name: "{{ item }}"
+#     daemon_reload: yes
+#   loop:
+#     - foo.service

ansible/roles/dummynet/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: (dummynet_config is defined and os_flavor == "freebsd") or (os_flavor == "linux")

ansible/roles/dummynet/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/emacs/files/early-init.el

@@ -1,7 +1,7 @@
-(setq gc-cons-threshold (* 128 1024 1024)) ;; Increase garbage collection threshold for performance (default 800000)
+(setq gc-cons-threshold (* 128 1024 1024)) ;; 128MiB Increase garbage collection threshold for performance (default 800000)
 ;; Increase amount of data read from processes, default 4k
 (when (version<= "27.0" emacs-version)
-  (setq read-process-output-max (* 1024 1024)) ;; 1mb
+  (setq read-process-output-max (* 10 1024 1024)) ;; 10MiB
   )
 
 ;; Suppress warnings

ansible/roles/emacs/files/elisp/lang-c.el

@@ -0,0 +1,49 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(defun locate-compile-commands-file ()
+  "See if compile_commands.json exists."
+  ;; This can be generated by prefixing the make command with `intercept-build15 --append`
+  (let ((compile-commands-file (locate-dominating-file (buffer-file-name) "compile_commands.json")))
+    compile-commands-file
+    )
+  )
+
+(defun activate-c-eglot ()
+  "Activate eglot for the c family of languages."
+  (when (locate-compile-commands-file)
+    (eglot-ensure)
+    (defclass my/eglot-c (eglot-lsp-server) ()
+      :documentation
+      "Own eglot server class.")
+
+    (add-to-list 'eglot-server-programs
+                 '(c-ts-mode . (my/eglot-c "/usr/local/bin/clangd15")))
+    (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+    )
+  )
+
+(use-package c-mode
+  :mode (
+         ("\\.c\\'" . c-ts-mode)
+         ("\\.h\\'" . c-or-c++-ts-mode)
+         )
+  :commands (c-mode c-ts-mode)
+  :pin manual
+  :ensure nil
+  :hook (
+         (c-ts-mode . (lambda ()
+                        (activate-c-eglot)
+                        ))
+         )
+  :init
+  (add-to-list 'major-mode-remap-alist '(c-mode . c-ts-mode))
+  (add-to-list 'major-mode-remap-alist '(c++-mode . c++-ts-mode))
+  (add-to-list 'major-mode-remap-alist '(c-or-c++-mode . c-or-c++-ts-mode))
+  (add-to-list 'treesit-language-source-alist '(c "https://github.com/tree-sitter/tree-sitter-c"))
+  (add-to-list 'treesit-language-source-alist '(cpp "https://github.com/tree-sitter/tree-sitter-cpp"))
+  (unless (treesit-ready-p 'c) (treesit-install-language-grammar 'c))
+  (unless (treesit-ready-p 'cpp) (treesit-install-language-grammar 'cpp))
+  )
+
+(provide 'lang-c)

ansible/roles/emacs/files/elisp/lang-nix.el

@@ -0,0 +1,22 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(use-package nix-mode
+  :mode (("\\.nix\\'" . nix-mode)
+         )
+  :commands nix-mode
+  :hook (
+         (nix-mode . (lambda ()
+                             ;; (eglot-ensure)
+                             ;; (defclass my/eglot-nix (eglot-lsp-server) ()
+                             ;;   :documentation
+                             ;;   "Own eglot server class.")
+
+                             ;; (add-to-list 'eglot-server-programs
+                             ;;              '(nix-mode . (my/eglot-nix "nixd")))
+                             ;; (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                             ))
+         )
+  )
+
+(provide 'lang-nix)

ansible/roles/emacs/files/elisp/lang-org.el

@@ -4,6 +4,8 @@
   :bind (
          ("C-c l" . org-store-link)
          ("C-c a" . org-agenda)
+         ("C--" . org-timestamp-down)
+         ("C-=" . org-timestamp-up)
          )
   :hook (
          (org-mode . (lambda ()

ansible/roles/emacs/files/elisp/lang-python.el

@@ -57,19 +57,29 @@
   :pin manual
   :hook (
          (python-ts-mode . (lambda ()
-                          (when (executable-find "poetry")
+                             (when-linux
-                            (add-poetry-venv-to-path)
+                               (when (executable-find "poetry")
-                            (let ((venv (locate-venv-poetry))) (when venv
+                                 (add-poetry-venv-to-path)
-                                                                 (setq eglot-workspace-configuration
+                                 (let ((venv (locate-venv-poetry))) (when venv
-                                                                       (list (cons ':python (list ':venvPath venv ':pythonPath (concat venv "/bin/python")))))
+                                                                      (setq eglot-workspace-configuration
-                                                                 ))
+                                                                            (list (cons ':python (list ':venvPath venv ':pythonPath (concat venv "/bin/python")))))
-                            )
+                                                                      ))
-                          (when-linux
+                                 )
-                            (eglot-ensure)
+                               (eglot-ensure)
-                            )
+                               )
 
-                          (add-hook 'before-save-hook 'python-fmt nil 'local)
+                             ;; (when-freebsd
-                          ))
+                             ;;   (eglot-ensure)
+                             ;;   (defclass my/eglot-pylyzer (eglot-lsp-server) ()
+                             ;;     :documentation
+                             ;;     "Own eglot server class.")
+
+                             ;;   (add-to-list 'eglot-server-programs
+                             ;;                '(python-ts-mode . (my/eglot-pylyzer "pylyzer" "--server")))
+                             ;;   )
+
+                             (add-hook 'before-save-hook 'python-fmt nil 'local)
+                             ))
          )
   :bind ((:map python-ts-mode-map ([backspace] . python-backspace))
          )

ansible/roles/emacs/files/elisp/lang-rust.el

@@ -57,7 +57,7 @@
   :init
   (add-to-list 'major-mode-remap-alist '(rust-mode . rust-ts-mode))
   (add-to-list 'treesit-language-source-alist '(rust "https://github.com/tree-sitter/tree-sitter-rust"))
-  (unless (treesit-ready-p 'yaml) (treesit-install-language-grammar 'rust))
+  (unless (treesit-ready-p 'rust) (treesit-install-language-grammar 'rust))
   :config
   ;; Add keybindings for interacting with Cargo
   (use-package cargo

ansible/roles/emacs/files/elisp/lang-xml.el

@@ -0,0 +1,17 @@
+(defun xml-fmt ()
+  "Run xmllint --format."
+  (run-command-on-buffer "xmllint" "--format" "-")
+  )
+
+(use-package nxml-mode
+  :commands (nxml-mode)
+  :pin manual
+  :ensure nil
+  :hook (
+         (nxml-mode . (lambda ()
+                        (add-hook 'before-save-hook 'xml-fmt nil 'local)
+                        ))
+         )
+  )
+
+(provide 'lang-xml)

ansible/roles/emacs/files/init.el

@@ -32,4 +32,10 @@
 
 (require 'lang-dockerfile)
 
+(require 'lang-c)
+
+(require 'lang-xml)
+
+(require 'lang-nix)
+
 (load-directory autoload-directory)

ansible/roles/emacs/files/plainmacs

@@ -15,7 +15,8 @@ INIT_SCRIPT=$(cat <<EOF
   ;; Set default font
   (set-face-attribute 'default nil :height 100 :width 'regular :weight 'regular :family "Cascadia Mono")
   ;; Set fallback font for unicode glyphs
-  (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji"))
+  (when (display-graphic-p)
+    (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji")))
   (menu-bar-mode -1)
   (when (fboundp 'tool-bar-mode)
     (tool-bar-mode -1))

ansible/roles/emacs/files/plainmacs_init.el

@@ -11,7 +11,8 @@
   ;; Set default font
   (set-face-attribute 'default nil :height 100 :width 'regular :weight 'regular :family "Cascadia Mono")
   ;; Set fallback font for unicode glyphs
-  (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji"))
+  (when (display-graphic-p)
+    (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji")))
   (menu-bar-mode -1)
   (when (fboundp 'tool-bar-mode)
     (tool-bar-mode -1))

ansible/roles/emacs/meta/main.yaml

@@ -5,3 +5,7 @@ dependencies:
     when: 'emacs_flavor == "full"'
   - role: python
     when: 'emacs_flavor == "full"'
+  - role: terraform
+    when: 'emacs_flavor == "full"'
+  - role: nix
+    when: 'emacs_flavor == "full"'

ansible/roles/emacs/tasks/freebsd.yaml

@@ -1,27 +1,35 @@
 - name: Install packages
+  when: install_graphics
   package:
     name:
       - emacs
     state: present
 
+- name: Install packages
+  when: not install_graphics
+  package:
+    name:
+      - emacs-nox
+    state: present
+
 - name: Install packages
   when: 'emacs_flavor == "full"'
   package:
     name:
-      - py39-pygments
+      - py311-pygments
       - inkscape # to support SVGs in LaTeX
       # - prettier # typescript formatting
       - aspell
       - en-aspell
       - unzip # for extracting mspyls
-      - py39-isort
+      - py311-isort
-      - py39-black
+      - py311-black
       - zip # for odt export from org-mode
       - gnuplot # used for exporting graphs from org-mode
       # - pyright
       - sqlite3 # for sqlite code blocks in org-mode
       # - terraform-ls # Terraform language server
-      - py39-ptvsd
+      - py311-ptvsd
       - hs-ShellCheck
       # - gopls
     state: present

ansible/roles/firefox/defaults/main.yaml

@@ -1,5 +1,6 @@
 firefox_config:
   # identity.sync.tokenserver.uri: "https://ffsync.fizz.buzz/token/1.0/sync/1.5"
+  media.hardware-video-decoding.force-enabled: true
   media.ffmpeg.vaapi.enabled: true
   doh-rollout.doorhanger-decision: "UIDisabled"
   dom.security.https_only_mode: true
@@ -12,3 +13,33 @@ firefox_config:
   browser.newtabpage.activity-stream.feeds.section.topstories: false
   browser.newtabpage.pinned: "[]"
   browser.newtabpage.activity-stream.section.highlights.includePocket: false
+  # Disable cache when devtools are open.
+  devtools.cache.disabled: true
+  # Do not track header.
+  privacy.donottrackheader.enabled: true
+  # Tell websites not to share or sell my data.
+  privacy.globalprivacycontrol.enabled: true
+  # Disable "studies" (slice testing)
+  app.shield.optoutstudies.enabled: false
+  # Disable attribution which is used by advertisers to track you.
+  dom.private-attribution.submission.enabled: false
+  # Disable battery status, used to track users.
+  dom.battery.enabled: false
+  # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
+  #
+  # This breaks copying from BigQuery https://github.com/microsoft/monaco-editor/issues/1540
+  # dom.event.clipboardevents.enabled: false
+  # Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.
+  privacy.firstparty.isolate: true
+  # Do not preload URLs that auto-complete in the address bar.
+  browser.urlbar.speculativeConnect.enabled: false
+  # Do not resist fingerprinting because that tells websites to use light mode.
+  # https://bugzilla.mozilla.org/show_bug.cgi?id=1732114
+  privacy.resistFingerprinting: null # (default false)
+  # Instead, enable fingerprinting protection, which allows configuring an override.
+  privacy.fingerprintingProtection: true
+  # Allow sending dark mode preference to websites.
+  # Allow sending timezone to websites.
+  privacy.fingerprintingProtection.overrides: "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked"
+  # Disable weather on new tab page
+  browser.newtabpage.activity-stream.showWeather: false

ansible/roles/firefox/tasks/peruser.yaml

@@ -10,12 +10,21 @@
   register: firefox_about_config
 
 - name: Configure Firefox about:config
+  when: item[1].value != None
   lineinfile:
     path: "{{ item[0].path }}"
     regexp: '"{{ item[1].key }}", [^")\n]*\)'
     line: 'user_pref("{{ item[1].key }}", {{ item[1].value | to_json }});'
   loop: "{{ firefox_about_config.files | product(firefox_config | dict2items) | list }}"
 
+- name: Configure Firefox about:config
+  when: item[1].value == None
+  lineinfile:
+    path: "{{ item[0].path }}"
+    regexp: '"{{ item[1].key }}", [^")\n]*\)'
+    state: absent
+  loop: "{{ firefox_about_config.files | product(firefox_config | dict2items) | list }}"
+
 - import_tasks: tasks/peruser_freebsd.yaml
   when: 'os_flavor == "freebsd"'
 

ansible/roles/firewall/files/homeserver_pf.conf

@@ -1,9 +1,10 @@
-ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
+ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }"
-not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
+not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
 restricted_nat_v4 = "{ 10.215.2.0/24 }"
 not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }"
+rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
 
 dhcp = "{ bootpc, bootps }"
 allow = "{ wgh wgf }"
@@ -17,22 +18,51 @@ unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
 # options
 set skip on lo
 
+# queueing
+# altq on linfi_host cbq queue { def, stuff }
+# queue def cbq(default borrow)
+# queue stuff bandwidth	8Mb cbq { dagger }
+# queue dagger cbq(borrow)
+
 # redirections
-nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
-rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
 
 # cloak
-nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0)
+nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host)
-rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 1.1.1.1 port 53
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
 
-rdr pass on $ext_if inet proto tcp from $not_restricted_nat_v4 to any port 8081 -> 10.215.2.2 port 8081
+# bastion
-nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8081 -> 10.215.2.1
+rdr pass on $ext_if inet proto {tcp, udp} from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443
+nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.217 port 443 -> 10.215.1.1
+nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 port 8081 -> 10.215.2.1
+
+
+# cloak -> olddagger
+rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
+nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
+
+# cloak -> dagger old
+rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8083 -> 10.215.2.2 port 8083
+nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8083 -> 10.215.2.1
+
+# -> sftp
+# TODO: Limit bandwidth for sftp
+rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
+nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
 
 # Forward ports for unifi controller
-# rdr pass on $ext_if inet proto tcp from any to any port 65022 -> 10.213.177.8 port 22
+# rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22
 rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
 
+# -> momlaptop
+rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8033 -> 10.215.1.218 port 443
+nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.218 port 443 -> 10.215.1.1
+
 # filtering
+# match in on jail_nat from any to any dnpipe(1, 2)
+# match in on restricted_nat from any to any dnpipe(1, 2)
+
 block log all
 pass out on $ext_if
 
@@ -42,6 +72,7 @@ pass out on jail_nat from $jail_nat_v4
 pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports
 pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081
 
+# TODO: limit bandwidth for dagger here
 pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }
 
 # We pass on the interfaces listed in allow rather than skipping on

ansible/roles/firewall/files/mrmanager_pf.conf

@@ -33,7 +33,7 @@ scrub in on $ext_if all fragment reassemble
 
 # redirections
 nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
-rdr pass proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
+rdr pass on jail_nat proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
 
 rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 -> 10.215.1.204 port 6443
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
@@ -63,6 +63,7 @@ pass quick on $allow
 
 # Single interface kubernetes cluster is working with the following run on mrmanager:
 #   doas route add -host 74.80.180.139 -interface jail_nat
+#   doas route add -net 10.129.0.0/16 -interface jail_nat
 #   doas sysctl net.link.ether.inet.proxyall=1
 # Plus this in pf.conf:
 #   pass quick from any to 74.80.180.139

ansible/roles/firewall/files/odofreebsd_pf.conf

@@ -1,11 +1,11 @@
-ext_if = "{ wlan0 }"
+ext_if = "{ linfi_host }"
-not_ext_if = "{ !wlan0 }"
+not_ext_if = "{ !linfi_host }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
-dns_redirect = "{ 10.193.223.1 10.213.177.1 10.215.1.1 }"
+rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
 
 dhcp = "{ bootpc, bootps }"
-#allow = "{ wgf wgh drmario colo }"
+allow = "{ wgf wgh drmario colo }"
 
 tcp_pass_in = "{ 22 }"
 udp_pass_in = "{ 53 51820 }"
@@ -16,8 +16,8 @@ udp_pass_in = "{ 53 51820 }"
 set skip on lo
 
 # redirections
-#nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
-#rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
 
 # Redirect jaeger ports to virtual machine.
 # nat pass on lo inet from 127.0.0.0/24 to 127.0.0.0/24 port {6831 6832 16686 14268} -> (jail_nat)
@@ -27,16 +27,18 @@ set skip on lo
 block log all
 pass out on $ext_if
 
-#pass in on jail_nat
+pass in on jail_nat
+# match in on jail_nat from any to any dnpipe 1
+# match in on jail_nat from any to $rfc1918 dnpipe 2
 # Allow traffic from my machine to the jails/virtual machines
-#pass out on jail_nat from $jail_nat_v4
+pass out on jail_nat from $jail_nat_v4
 
 # We pass on the interfaces listed in allow rather than skipping on
 # them because changes to pass rules will update when running a
 # `service pf reload` but interfaces that we `skip` will not update (I
 # forget if its from adding, removing, or both. TODO: test to figure
 # it out). Also skipped interfaces are not subject to nat/rdr rules.
-#pass quick on $allow
+pass quick on $allow
 
 pass on $ext_if proto icmp all
 pass on $ext_if proto icmp6 all

ansible/roles/firewall/meta/main.yaml

@@ -0,0 +1,2 @@
+dependencies:
+  - dummynet

ansible/roles/framework_laptop/files/disable_sp5100_watchdog_modprobe.conf

@@ -0,0 +1,2 @@
+# Disable the hardware watchdog inside AMD 700 chipset series for power savings.
+blacklist sp5100_tco

ansible/roles/framework_laptop/files/disable_wifi_powersave_loader.conf

@@ -0,0 +1,3 @@
+  # Disable power save for wifi card because power save caused video stuttering in google meet on Linux. Both of these are currently the default on FreeBSD but I'm saving it just in case that default changes.
+compat.linuxkpi.iwlwifi_power_save="0"
+compat.linuxkpi.iwlwifi_mvm_power_scheme="1"

ansible/roles/framework_laptop/files/gpe10-boot.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Disable gpe10 interrupt on boot
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/sh -c "echo disable > /sys/firmware/acpi/interrupts/gpe10"
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/framework_laptop/files/gpe10-sleep.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Enable gpe10 interrupt for sleep
+Before=sleep.target
+StopWhenUnneeded=true
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/sh -c "echo enable > /sys/firmware/acpi/interrupts/gpe10"
+ExecStop=/bin/sh -c "echo disable > /sys/firmware/acpi/interrupts/gpe10"
+
+[Install]
+WantedBy=sleep.target

ansible/roles/framework_laptop/files/iwlwifi_modprobe.conf

@@ -0,0 +1,13 @@
+# Manually disable power save:
+# iw wlan0 set power_save off
+
+## High power:
+options iwlwifi power_save=0
+# options iwlwifi uapsd_disable=1
+options iwlmvm power_scheme=1 # 1-active, 2-balanced, 3-low power, default: 2 (int)
+
+## Low power:
+# options iwlwifi power_save=1
+# ? power_level:default power save level (range from 1 - 5, default: 1) (int)
+# options iwlwifi uapsd_disable=0
+# options iwlmvm power_scheme=3

ansible/roles/framework_laptop/files/launch_windows.bash

@@ -0,0 +1,285 @@
+#!/usr/local/bin/bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Share a host directory to the guest via 9pfs.
+#
+# Inside the VM run:
+#   mount -t virtfs -o trans=virtio sharename /some/vm/path
+#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
+#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 sharename /path/to/mountpoint
+# bhyve_options="-s 28,virtio-9p,sharename=/"
+
+# Enable Sound
+# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
+
+# Example usage:
+#
+#   doas bhyve_netgraph_bridge create-disk zdata/vm/poudriere /vm/poudriere 10
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere
+
+: ${VERBOSE:="NO"} # or YES
+: ${CPU_CORES:="1"}
+: ${MEMORY:="1G"}
+: ${NETWORK:="NAT"} # or RAW or BOTH
+: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
+: ${INTERFACE_NAME:="jail_nat"} # or the external interface like lagg0 for RAW networks
+: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
+: ${VNC_ENABLE:="NO"}
+: ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
+
+if [ "$VERBOSE" = "YES" ]; then
+    set -x
+fi
+
+############## Setup #########################
+
+function cleanup {
+    for vm in "${vms[@]}"; do
+        log "Destroying bhyve vm $vm"
+        bhyvectl "--vm=$vm" --destroy
+        log "Destroyed bhyve vm $vm"
+    done
+}
+vms=()
+for sig in EXIT; do
+  trap "set +e; sleep 10; cleanup" "$sig"
+done
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
+
+function main {
+    local cmd="$1"
+    shift 1
+    if [ "$cmd" = "create-disk" ]; then
+        create_disk "${@}"
+    elif [ "$cmd" = "start" ]; then
+        start_vm "${@}"
+    else
+        die 1 "Unrecognized command $cmd"
+    fi
+}
+
+function create_disk {
+    local zfs_path="$1"
+    local mount_path="$2"
+    local gigabytes="$3"
+    zfs create -o "mountpoint=$mount_path" "$zfs_path"
+    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
+    tee "${mount_path}/settings" <<EOF
+CPU_CORES="$CPU_CORES"
+MEMORY="$MEMORY"
+NETWORK="$NETWORK"
+IP_RANGE="$IP_RANGE"
+BRIDGE_NAME="$BRIDGE_NAME"
+INTERFACE_NAME="$INTERFACE_NAME"
+EOF
+    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none -o volblocksize=64K "$zfs_path/disk0"
+}
+
+function start_vm {
+    local name="$1"
+    local zfs_path="$2"
+    local mount_path="$3"
+    local mount_cd="${4:-}"
+
+    if [ -e "${mount_path}/settings" ]; then
+        source "${mount_path}/settings"
+    fi
+
+    local host_interface_name="$INTERFACE_NAME" # for raw, external interface
+    local bridge_name="$BRIDGE_NAME"
+    local ip_range="$IP_RANGE" # for raw this value does not matter
+
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")
+
+    local additional_args=()
+
+    if [ "$NETWORK" = "NAT" ]; then
+        assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        additional_args+=("-s" "2:0,e1000,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+    elif [ "$NETWORK" = "RAW" ]; then
+        assert_raw "$host_interface_name" "$bridge_name"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+    elif [ "$NETWORK" = "BOTH" ]; then
+        assert_bridge "jail_nat" "$bridge_name" "$ip_range"
+        assert_raw "$host_interface_name" "bridge_raw"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        local raw_bridge_link_name=$(detect_available_link "bridge_raw")
+        local raw_mac_address=$(calculate_mac_address "${name}_raw")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+        additional_args+=("-s" "3:0,virtio-net,netgraph,path=bridge_raw:,peerhook=${raw_bridge_link_name},mac=${raw_mac_address}")
+    elif [ "$NETWORK" = "NONE" ]; then
+        (>&2 echo "Not using any network.")
+    else
+        die 1 "Unrecognized NETWORK type $NETWORK"
+    fi
+
+
+    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
+         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
+             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
+            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
+
+    # TODO: Look into using nmdm instead of stdio for serial console
+    if [ -n "$mount_cd" ]; then
+        additional_args+=("-s" "5,ahci-cd,$mount_cd")
+    fi
+    if [ "$VNC_ENABLE" = "YES" ]; then
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT,wait")
+    fi
+    vms+=("$name")
+    # Removes CPU_CORES because windows must be a single CPU in bhyve
+    # -c $CPU_CORES \
+        # We need tpm
+    #             -l "tpm,passthru,/dev/tpm0" \
+                    # -S \
+    while true; do
+        set -x
+        set +e
+        bhyve \
+            -D \
+            -c sockets=1,cores=2,threads=2 \
+            -m $MEMORY \
+            -H \
+            -w \
+            -o 'rtc.use_localtime=false' \
+            -s 0,hostbridge \
+            -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
+            -s 16,hda,play=/dev/dsp,rec=/dev/dsp \
+            -s 30,xhci,tablet \
+            -s 31,lpc -l com1,stdio \
+            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \
+            -U '5a63bcd1-5cb4-4401-8a6f-d4042fb928a6' \
+            "${additional_args[@]}" \
+            "$name"
+        local exit_code=$?
+        set -e
+        set +x
+        if [ $exit_code -eq 0 ]; then
+            echo "Rebooting."
+            sleep 5
+        elif [ $exit_code -eq 1 ]; then
+            echo "Powered off."
+            break
+        elif [ $exit_code -eq 2 ]; then
+            echo "Halted."
+            break
+        elif [ $exit_code -eq 3 ]; then
+            echo "Triple fault."
+            break
+        elif [ $exit_code -eq 4 ]; then
+            echo "Exited due to an error."
+            break
+        fi
+    done
+}
+
+function detect_available_link {
+    local bridge_name="$1"
+    local linknum=1
+    while true; do
+        local link_name="link${linknum}"
+        if ! ng_exists "${bridge_name}:${link_name}"; then
+            echo "$link_name"
+            return
+        fi
+        linknum=$((linknum + 1))
+        if [ "$linknum" -gt 90 ]; then
+            (>&2 echo "No available links on bridge $bridge_name")
+            exit 1
+        fi
+    done
+}
+
+function assert_bridge {
+    local host_interface_name="$1"
+    local bridge_name="$2"
+    local ip_range="$3"
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook $host_interface_name
+EOF
+        ngctl -d -f - <<EOF
+mkpeer ${host_interface_name}: bridge ether link0
+name ${host_interface_name}:ether $bridge_name
+EOF
+        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" "$ip_range" up
+    fi
+}
+
+function assert_raw {
+    local extif="$1"
+    local bridge_name="$2"
+
+    kldload -n ng_bridge ng_eiface ng_ether
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctlcat <<EOF
+# Create a bridge.
+mkpeer $extif: bridge lower link0
+# Assign a name to the bridge.
+name $extif:lower ${bridge_name}
+# Since the host is also using $extif, we need to connect the upper hook also. Otherwise we will lose connectivity.
+connect $extif: ${bridge_name}: upper link1
+
+# Enable promiscuous mode so the host ethernet adapter accepts packets for all addresses
+msg $extif: setpromisc 1
+
+# Do not overwrite source address on packets
+msg $extif: setautosrc 0
+EOF
+    fi
+}
+
+function ng_exists {
+    ngctl status "${1}" >/dev/null 2>&1
+}
+
+function calculate_mac_address {
+    local name="$1"
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
+    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
+}
+
+function find_available_port {
+    local start_port="$1"
+    local port="$start_port"
+    while true; do
+        sockstat -P tcp -p 443
+        port=$((port + 1))
+    done
+}
+
+function ngctlcat {
+    if [ "$VERBOSE" = "YES" ]; then
+        tee /dev/tty | ngctl -d -f -
+    else
+        ngctl -d -f -
+    fi
+}
+
+
+main "${@}"

ansible/roles/framework_laptop/files/snd_hda_intel_modprobe.conf

@@ -0,0 +1,2 @@
+# Sound power-saving was causing chat notifications to be inaudible.
+# options snd_hda_intel power_save=1

ansible/roles/framework_laptop/files/wifi_us_modprobe.conf

@@ -0,0 +1 @@
+options cfg80211 ieee80211_regdom=US

ansible/roles/framework_laptop/files/windows

@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# REQUIRE: LOGIN
+# PROVIDE: windows
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+name=windows
+rcvar=${name}_enable
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+status_cmd="${name}_status"
+load_rc_config $name
+
+tmux_name="windows"
+
+windows_start() {
+   /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=YES VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /usr/local/bin/launch_windows start windows zroot/freebsd/current/vm/windows /vm/windows /vm/.iso/Win11_23H2_English_x64v2.iso"
+}
+
+windows_status() {
+    if /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null; then
+        echo "$tmux_name is running."
+    else
+        echo "$tmux_name is not running."
+        return 1
+    fi
+}
+
+windows_stop() {
+    /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null && (
+        /usr/local/bin/tmux kill-session -t $tmux_name
+        sleep 10
+        bhyvectl --vm=windows --destroy
+        # kill `cat /var/run/windows.pid`
+    )
+    windows_wait_for_end
+}
+
+windows_wait_for_end() {
+    while /usr/local/bin/tmux has-session -t $tmux_name 2>dev/null; do
+        sleep 1
+    done
+}
+
+run_rc_command "$1"

ansible/roles/framework_laptop/meta/main.yaml

@@ -0,0 +1,3 @@
+dependencies:
+  - role: bhyve
+    when: 'os_flavor == "freebsd"'

ansible/roles/framework_laptop/tasks/freebsd.yaml

@@ -1,5 +1,30 @@
-# - name: Install packages
+- name: Install loader.conf
-#   package:
+  copy:
-#     name:
+    src: "files/{{ item }}_loader.conf"
-#       - foo
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
-#     state: present
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - disable_wifi_powersave
+
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: launch_windows.bash
+      dest: /usr/local/bin/launch_windows
+
+- name: Install rc script
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: windows

ansible/roles/framework_laptop/tasks/linux.yaml

@@ -18,3 +18,83 @@
     group: wheel
   loop:
     - screen_brightness
+
+- name: Install module config
+  copy:
+    src: "files/{{ item }}_modprobe.conf"
+    dest: "/etc/modprobe.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - iwlwifi
+    - snd_hda_intel
+    - disable_sp5100_watchdog
+    - wifi_us
+
+- name: Configure kernel command line
+  zfs:
+    name: "zroot/linux"
+    state: present
+    extra_zfs_properties:
+      # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
+      # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+      # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+      # amd_pstate=passive :: Fully automated hardware pstate control.
+      # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
+      # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
+      # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
+      "org.zfsbootmenu:commandline": "rw quiet amdgpu.abmlevel=3 pcie_aspm=force pcie_aspm.policy=powersupersave nowatchdog amdgpu.dcdebugmask=0x10"
+
+- name: Install Configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: gpe10-boot.service
+      dest: /etc/systemd/system/gpe10-boot.service
+    - src: gpe10-sleep.service
+      dest: /etc/systemd/system/gpe10-sleep.service
+
+- name: Enable services
+  systemd:
+    enabled: yes
+    name: "{{ item }}"
+    daemon_reload: yes
+  loop:
+    - gpe10-boot.service
+    - gpe10-sleep.service
+# install swtpm
+# install edk2-ovmf for /usr/share/ovmf/OVMF.fd
+# install qemu-system-x86
+
+# doas qemu-system-x86_64 -cdrom /vm/.iso/Win11_23H2_English_x64v2.iso -cpu Skylake-Client-v3 -enable-kvm -m 8192 —device chardev,socket,id=chrtpm,path=/tmp/emulated_tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -smp 2 -device intel-hda -device hda-duplex -usb -nic user,ipv6=off,model=rtl8139,mac=84:1b:77:c9:03:a6 -bios /usr/share/edk2/x64/OVMF.fd -drive file=/dev/zvol/zroot/freebsd/current/vm/windows/disk0,format=raw,media=disk,if=none,id=nvm -device nvme,drive=nvm,serial=foo,opt_io_size=4096,min_io_size=4096,logical_block_size=4096,physical_block_size=4096
+
+# doas mkdir /tmp/emulated_tpm
+# doas swtpm socket --tpmstate dir=/tmp/emulated_tpm --ctrl type=unixio,path=/tmp/emulated_tpm/swtpm-sock --log level=20 --tpm2
+
+- name: Build aur packages
+  register: buildaur
+  become_user: "{{ build_user.name }}"
+  command: "aurutils-sync --no-view {{ item }}"
+  args:
+    creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+  loop:
+    - fw-ectool-git
+
+- name: Update cache
+  when: buildaur.changed
+  pacman:
+    name: []
+    state: present
+    update_cache: true
+
+- name: Install packages
+  package:
+    name:
+      - fw-ectool-git
+      - wireless-regdb
+    state: present

ansible/roles/google_cloud_sdk/files/google_logging_link.py

@@ -0,0 +1,14 @@
+#!/usr/bin/env python
+#
+# Generate a link to google cloud logging by passing in a logging query.
+import sys
+import urllib.parse
+
+def main():
+    query = "\n".join([line.strip() for line in sys.stdin.readlines()])
+    query = urllib.parse.quote(query)
+    query = query + "?project=project-id-here"
+    print(query)
+
+if __name__ == "__main__":
+    main()

ansible/roles/google_cloud_sdk/tasks/common.yaml

@@ -1,3 +1,14 @@
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: google_logging_link.py
+      dest: /usr/local/bin/google_logging_link
+
 - import_tasks: tasks/freebsd.yaml
   when: 'os_flavor == "freebsd"'
 

ansible/roles/graphics/files/amd_adaptive_backlight_management_loader.conf

@@ -0,0 +1 @@
+hw.amdgpu.abmlevel=3

ansible/roles/graphics/tasks/freebsd_amd.yaml

@@ -2,34 +2,25 @@
   package:
     name:
       - drm-kmod
-#      - libva-intel-media-driver # va-api support for broadwell (2014) and newer.
-#      - libva-intel-driver # va-api support until after coffeelake (2017).
       - vulkan-loader
       - libva-utils # for vainfo
       - vdpauinfo # for vdpauinfo
       - libvdpau-va-gl # vdpau support
-#      - igt-gpu-tools # for intel_gpu_top
+      - mesa-gallium-va # Accelerated video decoding
+      - mesa-gallium-vdpau # Accelerated video decoding
+      - radeontop
       - vulkan-tools # For vulkaninfo
     state: present
 
-# - name: Configure vdpau to use va-api driver
+- name: Install loader.conf
-#   copy:
+  copy:
-#     src: vdpau.sh
+    src: "files/{{ item }}_loader.conf"
-#     dest: /etc/profile.d/vdpau.sh
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
-#     mode: 0644
+    mode: 0644
-#     owner: root
+    owner: root
-#     group: root
+    group: wheel
-
+  loop:
-#- name: Install loader.conf
+    - amd_adaptive_backlight_management
-#  copy:
-#    src: "files/{{ item }}_loader.conf"
-#    dest: "/boot/loader.conf.d/{{ item }}.conf"
-#    mode: 0644
-#    owner: root
-#    group: wheel
-#  loop:
-#    - intel_power
-#    - intel_hw_accel_video
 
 - name: Install service configuration
   copy:

ansible/roles/graphics/tasks/freebsd_intel.yaml

@@ -8,7 +8,6 @@
       - libva-utils # for vainfo
       - vdpauinfo # for vdpauinfo
       - libvdpau-va-gl # vdpau support
-      - igt-gpu-tools # for intel_gpu_top
       - vulkan-tools # For vulkaninfo
     state: present
 

ansible/roles/graphics/tasks/linux_amd.yaml

@@ -17,4 +17,5 @@
       - vdpauinfo # for vdpauinfo
       - vulkan-tools # For vulkaninfo
       - radeontop
+      - nvtop
     state: present

ansible/roles/jail/files/fstab_bastion

@@ -0,0 +1,4 @@
+tmpfs /jail/bastion/tmp tmpfs rw,mode=777 0 0
+tmpfs /jail/bastion/var/run tmpfs rw,mode=755 0 0
+
+/jail/certificate/usr/local/etc/letsencrypt       /jail/bastion/letsencrypt     nullfs    ro,noexec     0      0

ansible/roles/jail/files/jail_netgraph_bridge.bash

@@ -23,11 +23,15 @@ function start_jail {
     jail_interface_name=$(sanitize_interface_name "$2")
     ip_range="$3"
 
+    local mac_address
+    mac_address=$(calculate_mac_address "$jail_interface_name")
+
     assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
 
     bridge_link_name=$(detect_available_link "${bridge_name}")
     ngctl -d -f - <<EOF
 mkpeer ${bridge_name}: eiface $bridge_link_name ether
+msg ${bridge_name}:$bridge_link_name set $mac_address
 name ${bridge_name}:$bridge_link_name $jail_interface_name
 EOF
     ifconfig $(ngctl msg "${jail_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${jail_interface_name}" up
@@ -121,4 +125,11 @@ function sanitize_interface_name {
     echo "${1:0:15}"
 }
 
+function calculate_mac_address {
+    local name="$1"
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
+    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
+}
+
 main "${@}"

ansible/roles/jail/files/jails/admin_git.conf

@@ -1,12 +1,13 @@
 admin_git {
-    path = "/jail/main/jails/${name}";
+    path = "/jail/${name}";
     vnet;
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
-    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
     vnet.interface += "jail${name}";
 
     devfs_ruleset = 14;
     mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";
 
     exec.start += "/bin/sh /etc/rc";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";

ansible/roles/jail/files/jails/bastion.conf

@@ -0,0 +1,15 @@
+bastion {
+    path = "/jail/${name}";
+    vnet;
+    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
+    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+    vnet.interface += "jail${name}";
+
+    devfs_ruleset = 14;
+    mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";
+
+    exec.start += "/bin/sh /etc/rc";
+    exec.stop = "/bin/sh /etc/rc.shutdown jail";
+    exec.consolelog = "/var/log/jail_${name}_console.log";
+}

ansible/roles/jail/files/jails/certificate.conf

@@ -0,0 +1,15 @@
+certificate {
+    path = "/jail/${name}";
+    vnet;
+    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
+    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+    vnet.interface += "jail${name}";
+
+    devfs_ruleset = 14;
+    mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";
+
+    exec.start += "/bin/sh /etc/rc";
+    exec.stop = "/bin/sh /etc/rc.shutdown jail";
+    exec.consolelog = "/var/log/jail_${name}_console.log";
+}

ansible/roles/jail/files/jails/cloak.conf

@@ -1,13 +1,17 @@
 cloak {
-    path = "/jail/main/jails/${name}";
+    path = "/jail/${name}";
     vnet;
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start restricted_nat jail${name} 10.215.2.1/24";
-    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop restricted_nat jail${name}";
+    # Create a dummy interface that is never used, just to create the cloak bridge that is used by children.
+    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak dummy${name} 192.168.1.0/24";
+    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop cloak dummy{name}";
+    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop restricted_nat jail${name}";
     vnet.interface += "jail${name}";
     vnet.interface += "cloak";
 
     devfs_ruleset = 13;
     mount.devfs; # To expose tun device
+    mount.fstab = "/etc/fstab.${name}";
 
     exec.start += "/bin/sh /etc/rc";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";