Update for pkgbase rebuild of homeserver.

Remove rg jail and add ipv6 to wireguard.
Update for rebuild of mrmanager.
2026-04-14 15:39:22 -04:00 · 2026-04-04 21:18:42 -04:00 · 2026-03-26 18:17:38 -04:00 · 2025-12-07 14:31:15 -05:00 · 2025-12-07 14:19:24 -05:00 · 2025-12-07 10:32:56 -05:00
480 changed files with 10085 additions and 2137 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1,5 @@
 cargo_credentials.toml filter=git-crypt diff=git-crypt
 **/wireguard_configs/** filter=git-crypt diff=git-crypt
 *.key filter=git-crypt diff=git-crypt
 credentials filter=git-crypt diff=git-crypt
 htpasswd filter=git-crypt diff=git-crypt
--- a/TODO.org
+++ b/TODO.org
@@ -0,0 +1,5 @@
 * to-do
 ** Switch to overlay driver when zfs 2.2 is released
 This might fix some stability issues (like a container getting stuck in a terminating state), may improve performance (since the zfs driver is noticably slower than overlay on ext4 on a zvol), and will avoid a lot of noise in my zfs dataset lists
 ref: https://github.com/moby/moby/issues/40132
--- a/ansible/environments/colo/host_vars/mrmanager
+++ b/ansible/environments/colo/host_vars/mrmanager
@@ -1,8 +1,11 @@
 os_flavor: "freebsd"
 zfs_snapshot_datasets:
-  - zroot/freebsd/main/be
+  - path: zroot/freebsd/main/be
  - path: zdata/vm
  - path: zdata/vm/poudriere/disk0
    include: false
  - path: zdata/k8spersistent
 sshd_enabled: true
 loader_conf: "mrmanager_loader.conf"
 rc_conf: "mrmanager_rc.conf"
 network_rc: "mrmanager_network.conf"
 routing_rc: "mrmanager_routing.conf"
@@ -10,13 +13,16 @@ pf_config: "mrmanager_pf.conf"
 pflog_conf:
  - name: 0
    dev: pflog0
  - name: 1
    dev: pflog1
 cputype: "amd"
 hwpstate: true
 etc_hosts: {}
 wireguard_directory: mrmanager
 enabled_wireguard:
  - colo
 jail_zfs_dataset: zdata/jail
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
 jail_canmount: "on"
 jail_list:
  - name: nat_dhcp
@@ -35,3 +41,14 @@ bhyve_dataset: zdata/vm
 bhyve_canmount: "on"
 # efi_dev: /dev/gpt/EFI
 devfs_rules: "mrmanager_devfs.rules"
 users:
  talexander:
    initialize: true
    uid: 11235
    gid: 11235
    groups:
      - name: wheel
    authorized_keys:
      - yubikey
      - main_fido
      - backup_fido
--- a/ansible/environments/colo/hosts
+++ b/ansible/environments/colo/hosts
@@ -1,2 +1,3 @@
 [server]
-mrmanager ansible_user=talexander ansible_host=10.217.2.1
+#mrmanager ansible_user=talexander ansible_host=10.217.2.1 ansible_become_method=doas
 mrmanager ansible_user=talexander ansible_host=74.80.180.138 ansible_become_method=doas
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -1,8 +1,29 @@
 os_flavor: "freebsd"
 zfs_snapshot_datasets:
-  - zroot/freebsd/computer/be/default
+  - path: zroot/freebsd/computer/be
  - path: zmass/encrypted/vm
  - path: zmass/encrypted/data
 users:
  talexander:
    initialize: true
    uid: 11235
    gid: 11235
    groups:
      - name: wheel
      - name: video
      - name: u2f
      - name: operator # To be able to shutdown without root
      - name: webcamd
        gid: 145
    authorized_keys:
      - yubikey
      - main_fido
      - backup_fido
      - homeassistant
    gitconfig: "gitconfig_home"
 sshd_enabled: true
 sshd_conf: "sshd_config"
 prefer_ipv6: true
 pf_config: "homeserver_pf.conf"
 pflog_conf:
  - name: 0
@@ -10,15 +31,11 @@ pflog_conf:
 network_rc: "homeserver_network.conf"
 rc_conf: "homeserver_rc.conf"
 loader_conf: "homeserver_loader.conf"
 netgraph_config: "setup_netgraph_homeserver"
 cputype: "intel"
 cpu_opt: broadwell
 hwpstate: false
-build_user:
+devfs_rules: "homeserver_devfs.rules"
  name: talexander
  group: talexander
 jail_zfs_dataset: zmass/encrypted/jails
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
 jail_canmount: "on"
 jail_bemount: "on"
 jail_list:
@@ -33,15 +50,27 @@ jail_list:
  - name: dagger
    conf:
      src: dagger
-  - name: mumble
+  - name: sftp
    conf:
-      src: mumble
+      src: sftp
-    persist:
+    fstab: sftp_fstab
-      - name: mumbledb
+  - name: bastion
-        mount: /var/db/murmur
+    conf:
      src: bastion
    fstab: fstab_bastion
  - name: certificate
    conf:
      src: certificate
  # - name: mumble
  #   conf:
  #     src: mumble
  #   persist:
  #     - name: mumbledb
  #       mount: /var/db/murmur
 bhyve_dataset: zmass/encrypted/vm
-bhyve_list: []
+# Disable mounting bhyve dataset so it doesn't hide the unencrypted linfi vm
-bhyve_canmount: "on"
+bhyve_canmount: "off"
 bhyve_mountpoint: "none"
 bhyve_bemount: "on"
 wireguard_directory: homeserver
 enabled_wireguard:
--- a/ansible/environments/home/hosts
+++ b/ansible/environments/home/hosts
@@ -1,2 +1,3 @@
 [headless]
-homeserver ansible_user=talexander ansible_host=10.216.1.1
+#homeserver ansible_user=talexander ansible_host=homeserver
 homeserver ansible_user=talexander ansible_host=172.16.16.32
--- a/ansible/environments/jail/host_vars/bastion
+++ b/ansible/environments/jail/host_vars/bastion
@@ -0,0 +1 @@
 os_flavor: freebsd
--- a/ansible/environments/jail/host_vars/certificate
+++ b/ansible/environments/jail/host_vars/certificate
@@ -0,0 +1 @@
 os_flavor: freebsd
--- a/ansible/environments/jail/host_vars/sftp
+++ b/ansible/environments/jail/host_vars/sftp
@@ -0,0 +1,6 @@
 os_flavor: "freebsd"
 users:
  nochainstounlock:
    initialize: true
    uid: 11235
    gid: 11235
--- a/ansible/environments/jail/hosts
+++ b/ansible/environments/jail/hosts
@@ -1,7 +1,10 @@
 [jail]
 nat_dhcp ansible_connection=jail
-homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
+homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@homeserver ansible_connection=sshjail
 mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
 nat_dhcp@172.16.16.2 ansible_connection=sshjail
 admin_git ansible_ssh_host=admin_git@10.217.2.1 ansible_connection=sshjail
 public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
 sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
 bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail
 certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail
--- a/ansible/environments/laptop/group_vars/all
+++ b/ansible/environments/laptop/group_vars/all
@@ -1,2 +1,28 @@
 timezone: "America/New_York"
 install_bluetooth: true
 emacs_flavor: "full"
 ssh_hosts:
  - name: poudriere
    proxy_jump: talexander@mrmanager
    host_name: 10.215.1.203
  - name: controller0
    proxy_jump: talexander@mrmanager
    host_name: 10.215.1.204
  - name: controller1
    proxy_jump: talexander@mrmanager
    host_name: 10.215.1.205
  - name: controller2
    proxy_jump: talexander@mrmanager
    host_name: 10.215.1.206
  - name: worker0
    proxy_jump: talexander@mrmanager
    host_name: 10.215.1.207
  - name: worker1
    proxy_jump: talexander@mrmanager
    host_name: 10.215.1.208
  - name: worker2
    proxy_jump: talexander@mrmanager
    host_name: 10.215.1.209
  - name: brianai
    proxy_jump: talexander@mrmanager
    host_name: 10.215.1.215
--- a/ansible/environments/laptop/host_vars/odofreebsd
+++ b/ansible/environments/laptop/host_vars/odofreebsd
@@ -1,25 +1,25 @@
 os_flavor: "freebsd"
-custom_repo: 13amd64-default-framework
+custom_repo: "https://freebsdpkg.fizz.buzz/repo/currentznver4-default-framework"
 pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/currentznver4-repo/FreeBSD:15:amd64/latest"
 zfs_snapshot_datasets:
-  - zroot/freebsd/release/be/default
+  - path: zroot/freebsd/current/be/default
 sshd_enabled: true
 sshd_conf: "sshd_config"
 pf_config: "odofreebsd_pf.conf"
 pflog_conf:
 - name: 0
   dev: pflog0
 prefer_ipv6: true
 dummynet_config: "dnctl.conf"
 network_rc: "odofreebsd_network.conf"
 rc_conf: "odofreebsd_rc.conf"
 loader_conf: "odofreebsd_loader.conf"
 install_graphics: true
-graphics_driver: "intel"
+graphics_driver: "amd"
-cputype: "intel"
+cputype: "amd"
 cpu_opt: tigerlake
 hwpstate: true
-cores: 8
+cores: 16
-build_user:
+sound_system: "oss"
  name: talexander
  group: talexander
 users:
  talexander:
    initialize: true
@@ -31,6 +31,8 @@ users:
      - name: u2f
      - name: operator # To be able to shutdown without root
      - name: webcamd
        gid: 145
      - name: realtime
    authorized_keys:
      - yubikey
      - main_fido
@@ -38,16 +40,18 @@ users:
      - homeassistant
    gitconfig: "gitconfig_home"
 devfs_rules: "odo_devfs.rules"
-jail_zfs_dataset: zroot/freebsd/release/jails
+jail_zfs_dataset: zroot/freebsd/current/jails
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
 jail_canmount: "on"
 jail_list:
  - name: nat_dhcp
    enabled: true
    conf:
      src: nat_dhcp
-bhyve_dataset: zroot/freebsd/release/vm
+bhyve_dataset: zroot/freebsd/current/vm
-bhyve_list: []
+bhyve_bemount: off
-efi_dev: /dev/gpt/EFI
+# efi_dev: /dev/gpt/EFI
 efi_dev: /dev/diskid/DISK-SJB7N717610407Q0Hp1
 sway_conf_files:
  - launch_gpg
 wireguard_directory: odo
@@ -55,3 +59,10 @@ enabled_wireguard:
  - wgh
  - drmario
  - colo
 linfi:
  enabled: true
  zfs_dataset: zroot/freebsd/current/vm/linfi
  zfs_mountpoint: /vm/linfi
  driver_blocklist: "if_iwm if_iwlwifi"
  pci_blocklist: "1/0/0"
  amd: true
--- a/ansible/environments/laptop/host_vars/odolinux
+++ b/ansible/environments/laptop/host_vars/odolinux
@@ -16,12 +16,13 @@ users:
      - backup_fido
      - homeassistant
    gitconfig: "gitconfig_home"
 periodic_scrub_pools: [zroot]
 zfs_snapshot_datasets:
  # - zroot/linux/archmain/home
-  - zroot/linux/archmain/be
+  - path: zroot/linux/archmain/be
-  - zroot/data/bridge/family_disks
+  - path: zroot/data/bridge/family_disks
 install_graphics: true
-graphics_driver: "intel"
+graphics_driver: "amd"
 build_user:
  name: talexander
  group: talexander
@@ -30,10 +31,9 @@ enabled_wireguard:
  - wgh
  - drmario
  - colo
-cputype: "intel"
+cputype: "amd"
 hwpstate: true
-cores: 8
+cores: 16
 sway_conf_files:
  - rofimoji
-docker_storage_driver: zfs # alternatively overlay2
+docker_storage_driver: overlay2 # alternatively zfs
 docker_zfs_dataset: zroot/linux/archmain/docker
--- a/ansible/environments/laptop/host_vars/odowork
+++ b/ansible/environments/laptop/host_vars/odowork
@@ -0,0 +1,37 @@
 os_flavor: "linux"
 hostname: odowork
 etc_hosts: {}
 users:
  talexander:
    initialize: true
    uid: 11235
    gid: 1000
    groups:
      - name: wheel
      - name: users
      - name: docker
      - name: libvirt
      - name: uucp
    authorized_keys:
      - yubikey
      - main_fido
      - backup_fido
    gitconfig: "gitconfig_work"
 periodic_scrub_pools: [zroot]
 zfs_snapshot_datasets:
  - path: zroot/linux/archwork/be
 install_graphics: true
 graphics_driver: "amd"
 pgp_key: "gpg_work.asc"
 build_user:
  name: talexander
  group: talexander
 # wireguard_directory: odowork
 # enabled_wireguard: []
 cputype: "amd"
 hwpstate: true
 cores: 16
 sway_conf_files:
  - rofimoji
 docker_storage_driver: overlay2 # alternatively zfs
 closed_source_vscode: true
--- a/ansible/environments/laptop/hosts
+++ b/ansible/environments/laptop/hosts
@@ -1,3 +1,4 @@
 [gui]
 odolinux ansible_connection=local ansible_host=127.0.0.1
 odofreebsd ansible_connection=local ansible_host=127.0.0.1
 odowork ansible_connection=local ansible_host=127.0.0.1
--- a/ansible/environments/vm/host_vars/poudrieremrmanager
+++ b/ansible/environments/vm/host_vars/poudrieremrmanager
@@ -1,13 +1,30 @@
 os_flavor: "freebsd"
 sshd_enabled: true
 custom_repo: "file:///usr/local/poudriere/data/packages/currentznver4-default-framework"
 pkgbase_url: "file:///usr/local/poudriere/data/images/currentznver4-repo/FreeBSD:15:amd64/latest"
 poudriere_builds:
-  - jail: 13amd64
+  # - jail: 13amd64
    ports: default
    set: framework
    version: 13.2-RELEASE
  # - jail: current
  #   ports: default
  #   set: framework
-  #   version: CURRENT
+  #   version: 13.2-RELEASE
-  #   revision: af01b4722577903f91acc44f01bdcb8cdb2d65ad
+  - jail: currentznver4
-  #   kernel: CUSTOM
+    ports: default
-  #   branch: main
+    set: framework
    version: CURRENT
    # revision: 66d37dbedfbf2dc94ccf49e6983c3652d5909b91
    kernel: CUSTOM
    branch: main
    srcconf: currentznver4_src.conf
  # - jail: 14broadwell
  #   ports: default
  #   set: computer
  #   version: 14.0-RELEASE
  #   kernel: GENERIC
  #   srcconf: 14broadwell_src.conf
  - jail: 14broadwell
    ports: default
    set: computer
    version: CURRENT
    kernel: CUSTOM
    branch: releng/14.1
    srcconf: 14broadwell_src.conf
--- a/ansible/environments/vm/hosts
+++ b/ansible/environments/vm/hosts
@@ -6,4 +6,3 @@ poudrieremrmanager ansible_user=root ansible_host=poudriere
 #    Host poudriere
 #       ProxyJump talexander@mrmanager
 #       HostName 10.215.1.203
 #
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -20,12 +20,14 @@
    - build
    - sound
    - graphics
    - power_management
    - gpg
    - fonts
    - alacritty
    - sway
    - emacs
    - firefox
    - chromium
    - devfs
    - ssh_client
    - sshfs
@@ -41,14 +43,19 @@
    - ansible
    - wireguard
    - portshaker
    - poudriere
    - android
    - latex
    - python
    - pyenv
    - webcam
    - docker
    - vscode
    - javascript
    - launch_keyboard
    - lvfs
    # - restaurant_health_rating
    - wasm
    - noise_suppression
 - hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp
  vars:
@@ -61,7 +68,12 @@
    ansible_become: True
  roles:
    - sudo # for poudboot script
    - doas
    - fstab
    - package_manager
    - zsh
    - termcap
    - sshd
    - portshaker
    - poudriere
    - poudrierenginx
@@ -70,28 +82,29 @@
  vars:
    ansible_become: True
  roles:
-    - sudo
+    # - sudo
    - doas
    - users
-    # - package_manager
+    - package_manager
-    # - zfs
+    - zfs
-    # - zrepl
+    - zrepl
-    # - zsh
+    - zsh
-    # - network
+    - network
-    # - sshd
+    - sshd
-    # - base
+    - base
    - firewall
-    # - cpu
+    - cpu
-    # - ntp
+    - ntp
-    # - nvme
+    - nvme
-    # - hosts
+    - hosts
-    # - build
+    - build
-    # - devfs
+    - devfs
-    # - jail
+    - jail
-    # - bhyve
+    - bhyve
-    # - wireguard
+    - wireguard
-    # - plainmacs
+    - emacs
-    # - mrmanager
+    - mrmanager
    - ndproxy
 - hosts: admin_git:public_dns
  vars:
@@ -109,3 +122,34 @@
    - doas
    - users
    - public_dns
 - hosts: odolinux:odofreebsd:odowork
  vars:
    ansible_become: True
  roles:
    - framework_laptop
 - hosts: odowork
  vars:
    ansible_become: True
  roles:
    - odowork
 - hosts: sftp
  vars:
    ansible_become: True
  roles:
    - users
    - sftp
 - hosts: bastion
  vars:
    ansible_become: True
  roles:
    - jail_bastion
 - hosts: certificate
  vars:
    ansible_become: True
  roles:
    - jail_certificate
--- a/ansible/roles/alacritty/files/alacritty.toml
+++ b/ansible/roles/alacritty/files/alacritty.toml
@@ -0,0 +1,44 @@
 [colors]
 draw_bold_text_with_bright_colors = true
 indexed_colors = []
 [colors.bright]
 black = "0x666666"
 blue = "0x7aa6da"
 cyan = "0x54ced6"
 green = "0x9ec400"
 magenta = "0xb77ee0"
 red = "0xff3334"
 white = "0xffffff"
 yellow = "0xe7c547"
 [colors.normal]
 black = "0x000000"
 blue = "0x7aa6da"
 cyan = "0x70c0ba"
 green = "0xb9ca4a"
 magenta = "0xc397d8"
 red = "0xd54e53"
 white = "0xeaeaea"
 yellow = "0xe6c547"
 [colors.primary]
 background = "0x000000"
 foreground = "0xeaeaea"
 [font]
 size = 11.0
 [[hints.enabled]]
 command = "xdg-open"
 post_processing = true
 regex = "(ipfs:|ipns:|magnet:|mailto:|gemini:|gopher:|https:|http:|news:|file:|git:|ssh:|ftp:)[^\u0000-\u001F\u007F-<>\"\\s{-}\\^⟨⟩`]+"
 [hints.enabled.mouse]
 enabled = false
 mods = "None"
 [scrolling]
 history = 10000
 # Lines moved per scroll.
 multiplier = 3
--- a/ansible/roles/alacritty/files/alacritty.yml
+++ b/ansible/roles/alacritty/files/alacritty.yml
@@ -1,103 +0,0 @@
 # If `true`, bold text is drawn using the bright color variants.
 draw_bold_text_with_bright_colors: true
 colors:
  # Default colors
  primary:
    background: "0x000000"
    foreground: "0xeaeaea"
    # Bright and dim foreground colors
    #
    # The dimmed foreground color is calculated automatically if it is not present.
    # If the bright foreground color is not set, or `draw_bold_text_with_bright_colors`
    # is `false`, the normal foreground color will be used.
    #dim_foreground: '0x9a9a9a'
    #bright_foreground: '0xffffff'
  # Cursor colors
  #
  # Colors which should be used to draw the terminal cursor. If these are unset,
  # the cursor color will be the inverse of the cell color.
  #cursor:
  #  text: '0x000000'
  #  cursor: '0xffffff'
  # Selection colors
  #
  # Colors which should be used to draw the selection area. If selection
  # background is unset, selection color will be the inverse of the cell colors.
  # If only text is unset the cell text color will remain the same.
  #selection:
  #  text: '0xeaeaea'
  #  background: '0x404040'
  # Normal colors
  normal:
    black: "0x000000"
    red: "0xd54e53"
    green: "0xb9ca4a"
    yellow: "0xe6c547"
    blue: "0x7aa6da"
    magenta: "0xc397d8"
    cyan: "0x70c0ba"
    white: "0xeaeaea"
  # Bright colors
  bright:
    black: "0x666666"
    red: "0xff3334"
    green: "0x9ec400"
    yellow: "0xe7c547"
    blue: "0x7aa6da"
    magenta: "0xb77ee0"
    cyan: "0x54ced6"
    white: "0xffffff"
  # Dim colors
  #
  # If the dim colors are not set, they will be calculated automatically based
  # on the `normal` colors.
  #dim:
  #  black:   '0x000000'
  #  red:     '0x8c3336'
  #  green:   '0x7a8530'
  #  yellow:  '0x97822e'
  #  blue:    '0x506d8f'
  #  magenta: '0x80638e'
  #  cyan:    '0x497e7a'
  #  white:   '0x9a9a9a'
  # Indexed Colors
  #
  # The indexed colors include all colors from 16 to 256.
  # When these are not set, they're filled with sensible defaults.
  #
  # Example:
  #   `- { index: 16, color: '0xff00ff' }`
  #
  indexed_colors: []
 scrolling:
  # Maximum number of lines in the scrollback buffer.
  # Specifying '0' will disable scrolling.
  history: 10000
  # Number of lines the viewport will move for every line scrolled when
  # scrollback is enabled (history > 0).
  multiplier: 3
 font:
  size: 11.0
 hints:
  enabled:
    # Disable opening links when clicked
    - regex:
        "(ipfs:|ipns:|magnet:|mailto:|gemini:|gopher:|https:|http:|news:|file:|git:|ssh:|ftp:)\
        [^\u0000-\u001F\u007F-\u009F<>\"\\s{-}\\^⟨⟩`]+"
      command: xdg-open
      post_processing: true
      mouse:
        enabled: false
        mods: None
--- a/ansible/roles/alacritty/tasks/peruser.yaml
+++ b/ansible/roles/alacritty/tasks/peruser.yaml
@@ -19,8 +19,8 @@
    owner: "{{ account_name.stdout }}"
    group: "{{ group_name.stdout }}"
  loop:
-    - src: alacritty.yml
+    - src: alacritty.toml
-      dest: .config/alacritty/alacritty.yml
+      dest: .config/alacritty/alacritty.toml
 - import_tasks: tasks/peruser_freebsd.yaml
  when: 'os_flavor == "freebsd"'
--- a/ansible/roles/android/tasks/linux.yaml
+++ b/ansible/roles/android/tasks/linux.yaml
@@ -19,4 +19,6 @@
    name:
      - gvfs
      - gvfs-mtp
      - android-udev # Access android over USB without root.
      - android-tools # For fastboot to flash phones.
    state: present
--- a/ansible/roles/ansible/tasks/freebsd.yaml
+++ b/ansible/roles/ansible/tasks/freebsd.yaml
@@ -1,6 +1,6 @@
 - name: Install packages
  package:
    name:
-      - py39-ansible
+      - py311-ansible
      - ansible-sshjail
    state: present
--- a/ansible/roles/autofs/files/auto_master
+++ b/ansible/roles/autofs/files/auto_master
@@ -1,4 +1,3 @@
 # $FreeBSD$
 #
 # Automounter master map, see auto_master(5) for details.
 #
--- a/ansible/roles/base/files/alacritty.termcap
+++ b/ansible/roles/base/files/alacritty.termcap
@@ -1,24 +0,0 @@
 #	Reconstructed via infocmp from file: /usr/share/terminfo/a/alacritty
 # (untranslatable capabilities removed to fit entry within 1023 bytes)
 # (sgr removed to fit entry within 1023 bytes)
 # (acsc removed to fit entry within 1023 bytes)
 # (terminfo-only capabilities suppressed to fit entry within 1023 bytes)
 alacritty|alacritty terminal emulator:\
 	:am:bs:hs:mi:ms:xn:\
 	:co#80:it#8:li#24:\
 	:AL=\E[%dL:DC=\E[%dP:DL=\E[%dM:DO=\E[%dB:IC=\E[%d@:\
 	:K2=\EOE:LE=\E[%dD:RI=\E[%dC:SF=\E[%dS:SR=\E[%dT:\
 	:UP=\E[%dA:ae=\E(B:al=\E[L:as=\E(0:bl=^G:bt=\E[Z:cd=\E[J:\
 	:ce=\E[K:cl=\E[H\E[2J:cm=\E[%i%d;%dH:cr=\r:\
 	:cs=\E[%i%d;%dr:ct=\E[3g:dc=\E[P:dl=\E[M:do=\n:\
 	:ds=\E]2;\007:ec=\E[%dX:ei=\E[4l:fs=^G:ho=\E[H:im=\E[4h:\
 	:is=\E[!p\E[?3;4l\E[4l\E>:k1=\EOP:k2=\EOQ:k3=\EOR:\
 	:k4=\EOS:k5=\E[15~:k6=\E[17~:k7=\E[18~:k8=\E[19~:\
 	:k9=\E[20~:kD=\E[3~:kI=\E[2~:kN=\E[6~:kP=\E[5~:kb=\177:\
 	:kd=\EOB:ke=\E[?1l\E>:kh=\EOH:kl=\EOD:kr=\EOC:\
 	:ks=\E[?1h\E=:ku=\EOA:le=^H:mb=\E[5m:md=\E[1m:me=\E[0m:\
 	:mh=\E[2m:mm=\E[?1034h:mo=\E[?1034l:mr=\E[7m:nd=\E[C:\
 	:rc=\E8:sc=\E7:se=\E[27m:sf=\n:so=\E[7m:sr=\EM:st=\EH:ta=^I:\
 	:te=\E[?1049l\E[23;0;0t:ti=\E[?1049h\E[22;0;0t:\
 	:ts=\E]2;:ue=\E[24m:up=\E[A:us=\E[4m:vb=\E[?5h\E[?5l:\
 	:ve=\E[?12l\E[?25h:vi=\E[?25l:vs=\E[?12;25h:
--- a/ansible/roles/base/files/bbr_loader.conf
+++ b/ansible/roles/base/files/bbr_loader.conf
@@ -0,0 +1 @@
 tcp_bbr_load="YES"
--- a/ansible/roles/base/files/cleartmp_rc.conf
+++ b/ansible/roles/base/files/cleartmp_rc.conf
@@ -0,0 +1 @@
 clear_tmp_enable="YES"
--- a/ansible/roles/base/files/decode_jwt.bash
+++ b/ansible/roles/base/files/decode_jwt.bash
@@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 #
 # Decode the contents of a JWT
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 exec jq -R 'split(".") | .[0],.[1] | gsub("-"; "+") | gsub("_"; "/") | gsub("%3D"; "=")| @base64d | fromjson'
--- a/ansible/roles/base/files/disk_labels_loader.conf
+++ b/ansible/roles/base/files/disk_labels_loader.conf
@@ -1,8 +1,12 @@
-# Disabling both of these will make /dev/gpt/* populated
+# Populates the /dev/diskid
 kern.geom.label.disk_ident.enable="1"
 # Populates /dev/gpt but only if kern.geom.label.disk_ident.enable is disabled.
 #
 # This uses gpt partition labels which you can set with:
 #
 #     gpart modify -l EFI -i 1 nvd0
 # kern.geom.label.disk_ident.enable="0"
 # kern.geom.label.gptid.enable="1"
--- a/ansible/roles/base/files/git_fix_author.bash
+++ b/ansible/roles/base/files/git_fix_author.bash
@@ -0,0 +1,22 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 git filter-branch --env-filter '
 WRONG_EMAIL="old@email.foo"
 NEW_NAME="New Name"
 NEW_EMAIL="new@email.buzz"
 if [ "$GIT_COMMITTER_EMAIL" = "$WRONG_EMAIL" ]
 then
    export GIT_COMMITTER_NAME="$NEW_NAME"
    export GIT_COMMITTER_EMAIL="$NEW_EMAIL"
 fi
 if [ "$GIT_AUTHOR_EMAIL" = "$WRONG_EMAIL" ]
 then
    export GIT_AUTHOR_NAME="$NEW_NAME"
    export GIT_AUTHOR_EMAIL="$NEW_EMAIL"
 fi
 ' --tag-name-filter cat --commit-filter 'git commit-tree -S "$@";' -- --branches --tags
--- a/ansible/roles/base/files/gitconfig_home
+++ b/ansible/roles/base/files/gitconfig_home
@@ -1,19 +1,54 @@
 [user]
 	email = tom@fizz.buzz
 	name = Tom Alexander
-	signingkey = D3A179C9A53C0EDE
+	signingkey = 36C99E8B3C39D85F
 [push]
-	default = simple
+	default = simple # (default since 2.0)
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
        authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
 	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
-	defaultBranch = master
+	defaultBranch = main
 [diff]
 	tool = meld # Use meld for `git difftool` and `git mergetool`
 	algorithm = histogram
 	colorMoved = plain
 	mnemonicPrefix = true
 	renames = true
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
 	conflictStyle = zdiff3
 [mergetool "meld"]
        # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
        # Make the middle pane start without any merge progress:
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
 [column]
 	ui = auto
 [branch]
 	sort = -committerdate
 [tag]
 	sort = version:refname
 [fetch]
 	prune = true
 	pruneTags = true
 	all = true
 [rebase]
 	autoSquash = true
 	autoStash = true
 	updateRefs = false
--- a/ansible/roles/base/files/gitconfig_work
+++ b/ansible/roles/base/files/gitconfig_work
@@ -0,0 +1,58 @@
 [user]
 	email = ThomasA.Alexander@hmhn.org
 	name = Tom Alexander
 	signingkey = 36C99E8B3C39D85F
 [push]
 	default = simple # (default since 2.0)
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
        authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
 	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
 [diff]
 	tool = meld # Use meld for `git difftool` and `git mergetool`
 	algorithm = histogram
 	colorMoved = plain
 	mnemonicPrefix = true
 	renames = true
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
 	conflictStyle = zdiff3
 [mergetool "meld"]
        # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
        # Make the middle pane start without any merge progress:
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
 [includeIf "gitdir:/bridge/"]
 	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
 [includeIf "gitdir:/persist/"]
 	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
 [column]
 	ui = auto
 [branch]
 	sort = -committerdate
 [tag]
 	sort = version:refname
 [fetch]
 	prune = true
 	pruneTags = true
 	all = true
 [rebase]
 	autoSquash = true
 	autoStash = true
 	updateRefs = false
--- a/ansible/roles/base/files/gitignore_global
+++ b/ansible/roles/base/files/gitignore_global
@@ -1,2 +1,8 @@
 .idea
 .python-version
 # Emacs per-directory settings
 .dir-locals.el
 # C/C++ Language Server compile commands
 compile_commands.json
--- a/ansible/roles/base/files/homeserver_loader.conf
+++ b/ansible/roles/base/files/homeserver_loader.conf
@@ -1,5 +1,4 @@
 security.bsd.allow_destructive_dtrace=0
 kern.geom.label.disk_ident.enable="0"
 kern.geom.label.gptid.enable="0"
 cryptodev_load="YES"
 zfs_load="YES"
 devmatch_blocklist="if_iwm"
--- a/ansible/roles/base/files/homeserver_rc.conf
+++ b/ansible/roles/base/files/homeserver_rc.conf
@@ -2,8 +2,7 @@ clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="computer"
 local_unbound_enable="NO"
 sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
 zfs_enable="YES"
 kld_list="${kld_list} if_iwlwifi"
--- a/ansible/roles/base/files/login.conf
+++ b/ansible/roles/base/files/login.conf
@@ -7,7 +7,6 @@
 # This file controls resource limits, accounting limits and
 # default user environment settings.
 #
 # $FreeBSD$
 #
 # Default settings effectively disable resource limits, see the
@@ -45,8 +44,8 @@ default:\
 	:pseudoterminals=unlimited:\
 	:kqueues=unlimited:\
 	:umtxp=unlimited:\
 	:pipebuf=unlimited:\
 	:priority=0:\
 	:ignoretime@:\
 	:umask=022:\
 	:charset=UTF-8:\
 	:lang=en_US.UTF-8:
@@ -149,7 +148,6 @@ russian|Russian Users Accounts:\
 #	:requirehome:\
 #	:passwordtime=90d:\
 #	:umask=002:\
 #	:ignoretime@:\
 #	:tc=default:
 #
 #
@@ -174,7 +172,6 @@ russian|Russian Users Accounts:\
 ##
 #staff:\
 #	:ignorenologin:\
 #	:ignoretime:\
 #	:requirehome@:\
 #	:accounted@:\
 #	:path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
@@ -265,7 +262,6 @@ russian|Russian Users Accounts:\
 ## - no time accounting, restricted to access via dialin lines
 ##
 #site:\
 #	:ignoretime:\
 #	:passwordtime@:\
 #	:refreshtime@:\
 #	:refreshperiod@:\
--- a/ansible/roles/base/files/odofreebsd_loader.conf
+++ b/ansible/roles/base/files/odofreebsd_loader.conf
@@ -1,6 +1,3 @@
 security.bsd.allow_destructive_dtrace=0
 kern.geom.label.disk_ident.enable="0"
 kern.geom.label.gptid.enable="0"
 cryptodev_load="YES"
 zfs_load="YES"
--- a/ansible/roles/base/files/odofreebsd_rc.conf
+++ b/ansible/roles/base/files/odofreebsd_rc.conf
@@ -1,8 +1,6 @@
 clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="odo"
 sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
 zfs_enable="YES"
--- a/ansible/roles/base/files/tmux.conf
+++ b/ansible/roles/base/files/tmux.conf
@@ -1,4 +1,4 @@
-set-option -g mouse on
+# set-option -g mouse on
 set-option -g history-limit 20000
 # set -g @plugin 'tmux-plugins/tmux-yank'
 # Emacs style
--- a/ansible/roles/base/files/watch_freebsd
+++ b/ansible/roles/base/files/watch_freebsd
@@ -10,7 +10,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 function cleanup {
    switch_to_main_screen
 }
-for sig in EXIT INT QUIT HUP TERM; do
+for sig in EXIT; do
  trap "set +e; cleanup; exit" "$sig"
 done
--- a/ansible/roles/base/files/mrmanager_loader.conf
+++ b/ansible/roles/base/files/mrmanager_loader.conf
--- a/ansible/roles/base/meta/main.yaml
+++ b/ansible/roles/base/meta/main.yaml
@@ -1,2 +1,3 @@
 dependencies:
  - fstab
  # - termcap
--- a/ansible/roles/base/tasks/common.yaml
+++ b/ansible/roles/base/tasks/common.yaml
@@ -16,20 +16,19 @@
      - wget
      - colordiff
      - ipcalc
      - kdiff3
      - tcpdump
      - moreutils # for ts [%Y-%m-%d %H:%M:%.S]
      - ddrescue
      - dmidecode
    state: present
- name: Set timezone
+- name: Install packages
-  file:
+  when: install_graphics
-    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
+  package:
-    dest: /etc/localtime
+    name:
-    owner: root
+      - kdiff3
-    # TODO: Arch Linux is changing the group to root instead of wheel. Maybe make this a variable?
+      - meld
-    group: wheel
+    state: present
    state: link
 - name: Install scripts
  copy:
@@ -47,6 +46,10 @@
      dest: /usr/local/bin/git_find_merged_branches
    - src: cleanup_temporary_files
      dest: /usr/local/bin/cleanup_temporary_files
    - src: git_fix_author.bash
      dest: /usr/local/bin/git_fix_author
    - src: decode_jwt.bash
      dest: /usr/local/bin/decode_jwt
 - import_tasks: tasks/freebsd.yaml
  when: 'os_flavor == "freebsd"'
--- a/ansible/roles/base/tasks/freebsd.yaml
+++ b/ansible/roles/base/tasks/freebsd.yaml
@@ -1,3 +1,11 @@
 - name: Set timezone
  file:
    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
    dest: /etc/localtime
    owner: root
    group: wheel
    state: link
 - name: Install packages
  package:
    name:
@@ -5,29 +13,18 @@
      - gsed
      - gmake
      - rust-coreutils
      - shuf
    state: present
- name: See if the alacritty termcap has been added
+- name: Install service configuration
-  lineinfile:
+  copy:
-    name: /usr/share/misc/termcap
+    src: "files/{{ item }}_rc.conf"
-    regexp: |-
+    dest: "/etc/rc.conf.d/{{ item }}"
-      ^alacritty\|
+    mode: 0644
-    state: absent
+    owner: root
-  check_mode: yes
+    group: wheel
-  changed_when: false
+  loop:
-  register: alacritty_cap
+    - cleartmp
 - name: Append alacritty termcap info
  blockinfile:
    path: /usr/share/misc/termcap
    block: "{{ lookup('file', 'alacritty.termcap') }}"
    marker: "# {mark} ANSIBLE MANAGED BLOCK alacritty"
  when: not alacritty_cap.found
  register: wrote_alacritty_cap
 - name: Update cap_mkdb
  command: cap_mkdb /usr/share/misc/termcap
  when: wrote_alacritty_cap.changed
 - name: Install login.conf
  copy:
@@ -42,18 +39,6 @@
  command: cap_mkdb /etc/login.conf
  when: login_config.changed
 - name: Enable periodic scrub
  community.general.sysrc:
    name: daily_scrub_zfs_enable
    value: "YES"
    path: /etc/periodic.conf.local
 - name: Set scrub interval
  community.general.sysrc:
    name: daily_scrub_zfs_default_threshold
    value: "7"
    path: /etc/periodic.conf.local
 - name: Install loader.conf
  copy:
    src: "{{loader_conf}}"
@@ -92,27 +77,27 @@
    owner: root
    group: wheel
  loop:
-    - src: bemount.bash
+    # - src: bemount.bash
-      dest: /usr/local/bin/bemount
+    #   dest: /usr/local/bin/bemount
    - src: watch_freebsd
      dest: /usr/local/bin/ww
- name: Install rc script
+# - name: Install rc script
-  copy:
+#   copy:
-    src: "files/{{ item.src }}"
+#     src: "files/{{ item.src }}"
-    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+#     dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
-    owner: root
+#     owner: root
-    group: wheel
+#     group: wheel
-    mode: 0755
+#     mode: 0755
-  loop:
+#   loop:
-    - src: bemount_rc.sh
+#     - src: bemount_rc.sh
-      dest: bemount
+#       dest: bemount
- name: Enable bemount
+# - name: Enable bemount
-  community.general.sysrc:
+#   community.general.sysrc:
-    name: bemount_enable
+#     name: bemount_enable
-    value: "YES"
+#     value: "YES"
-    path: /etc/rc.conf.d/bemount
+#     path: /etc/rc.conf.d/bemount
 - name: Install loader.conf
  copy:
@@ -122,4 +107,67 @@
    owner: root
    group: wheel
  loop:
    - zfs
    - disk_labels
 - name: Configure sysctls
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: present
    reload: false
    sysctl_file: "/etc/sysctl.conf.local"
  loop:
    # Adjust ttl
    - name: net.inet.ip.ttl
      value: 65
    - name: net.inet6.ip6.hlim
      value: 65
 - name: Log periodic output instead of getting it as mail
  blockinfile:
    path: "/etc/periodic.conf.local"
    marker: "# {mark} ANSIBLE MANAGED BLOCK log"
    create: true
    mode: 0644
    owner: root
    group: wheel
    block: |
      daily_output=/var/log/daily.log
      weekly_output=/var/log/weekly.log
      monthly_output=/var/log/monthly.log
 - name: Enable periodic zfs scrub
  when: install_zfs
  blockinfile:
    path: "/etc/periodic.conf.local"
    marker: "# {mark} ANSIBLE MANAGED BLOCK zfs"
    create: true
    mode: 0644
    owner: root
    group: wheel
    block: |
      daily_scrub_zfs_enable="YES"
      daily_scrub_zfs_default_threshold="14"
 # Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
 - name: Install loader.conf
  copy:
    src: "files/{{ item }}_loader.conf"
    dest: "/boot/loader.conf.d/{{ item }}.conf"
    mode: 0644
    owner: root
    group: wheel
  loop:
    - bbr
 - name: Configure sysctls
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: present
    reload: false
    sysctl_file: "/etc/sysctl.conf.local"
  loop:
    - name: net.inet.tcp.functions_default
      value: "bbr"
--- a/ansible/roles/base/tasks/linux.yaml
+++ b/ansible/roles/base/tasks/linux.yaml
@@ -1,3 +1,11 @@
 - name: Set timezone
  file:
    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
    dest: /etc/localtime
    owner: root
    group: root
    state: link
 - name: Install packages
  package:
    name:
@@ -7,6 +15,9 @@
      - bind # dig
      - man-db
      - uutils-coreutils
      - usbutils # for lsusb
      - bolt
      - whois
    state: present
 - name: Start pkgfile update service
@@ -16,17 +27,6 @@
    daemon_reload: yes
    enabled: yes
 # Of questionable value since I don't use swap on my machines
 - name: Configure sysctls for swap
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: present
    sysctl_file: /etc/sysctl.d/swap.conf
  loop:
    - name: vm.swappiness
      value: 10
 - name: Install scripts
  copy:
    src: "files/{{ item.src }}"
@@ -39,3 +39,41 @@
      dest: /usr/local/bin/mount_disk_image
    - src: watch_linux
      dest: /usr/local/bin/ww
 - name: Configure sysctls
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: present
    sysctl_file: /etc/sysctl.d/{{ item.file }}
  loop:
    # Of questionable value since I don't use swap on my machines
    - name: vm.swappiness
      value: 10
      file: swap.conf
    # Enable TCP packetization-layer PMTUD when an ICMP black hole is detected.
    - name: net.ipv4.tcp_mtu_probing
      value: 1
      file: tcp.conf
    # Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
    - name: net.ipv4.tcp_congestion_control
      value: bbr
      file: tcp.conf
    # Don't do a slow start after a connection has been idle for a single RTO.
    - name: net.ipv4.tcp_slow_start_after_idle
      value: 0
      file: tcp.conf
    # 3x time to accumulate filesystem changes before flushing to disk.
    - name: vm.dirty_writeback_centisecs
      value: 1500
      file: power.conf
    # Adjust ttl
    - name: net.ipv4.ip_default_ttl
      value: 65
      file: ttl.conf
    - name: net.ipv6.conf.all.hop_limit
      value: 65
      file: ttl.conf
    - name: net.ipv6.conf.default.hop_limit
      value: 65
      file: ttl.conf
--- a/ansible/roles/bhyve/defaults/main.yaml
+++ b/ansible/roles/bhyve/defaults/main.yaml
@@ -1,2 +1 @@
 bhyve_mountpoint: "/vm"
 bhyve_list: []
--- a/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash
+++ b/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash
@@ -30,11 +30,40 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
 : ${VNC_ENABLE:="NO"}
 : ${VNC_LISTEN:="127.0.0.1:5900"}
 : ${VNC_WIDTH:="1920"}
 : ${VNC_HEIGHT:="1080"}
 if [ "$VERBOSE" = "YES" ]; then
    set -x
 fi
 ############## Setup #########################
 function cleanup {
    for vm in "${vms[@]}"; do
        log "Destroying bhyve vm $vm"
        bhyvectl "--vm=$vm" --destroy
        log "Destroyed bhyve vm $vm"
    done
 }
 vms=()
 for sig in EXIT; do
  trap "set +e; sleep 10; cleanup" "$sig"
 done
 function die {
    local status_code="$1"
    shift
    (>&2 echo "${@}")
    exit "$status_code"
 }
 function log {
    (>&2 echo "${@}")
 }
 ############## Program #########################
 function main {
    local cmd="$1"
    shift 1
@@ -47,13 +76,6 @@ function main {
    fi
 }
 function die {
    local status_code="$1"
    shift
    (>&2 echo "${@}")
    exit "$status_code"
 }
 function create_disk {
    local zfs_path="$1"
    local mount_path="$2"
@@ -85,7 +107,8 @@ function start_vm {
    local bridge_name="$BRIDGE_NAME"
    local ip_range="$IP_RANGE" # for raw this value does not matter
-    local mac_address=$(calculate_mac_address "$name")
+    local mac_address
    mac_address=$(calculate_mac_address "$name")
    local additional_args=()
@@ -117,11 +140,12 @@ function start_vm {
    # TODO: Look into using nmdm instead of stdio for serial console
    if [ -n "$mount_cd" ]; then
-        additional_args+=("-s" "3,ahci-cd,$mount_cd")
+        additional_args+=("-s" "5,ahci-cd,$mount_cd")
    fi
    if [ "$VNC_ENABLE" = "YES" ]; then
-        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=1920,h=1080")
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
    fi
    vms+=("$name")
    while true; do
        set -x
        set +e
@@ -129,7 +153,10 @@ function start_vm {
            -D \
            -c $CPU_CORES \
            -m $MEMORY \
            -S \
            -H \
            -P \
            -o 'rtc.use_localtime=false' \
            -s 0,hostbridge \
            -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
            -s 30,xhci,tablet \
@@ -142,6 +169,7 @@ function start_vm {
        set +x
        if [ $exit_code -eq 0 ]; then
            echo "Rebooting."
            sleep 5
        elif [ $exit_code -eq 1 ]; then
            echo "Powered off."
            break
@@ -156,9 +184,6 @@ function start_vm {
            break
        fi
    done
    bhyvectl "--vm=$name" --destroy
    echo "Destroyed bhyve vm."
 }
 function detect_available_link {
@@ -192,7 +217,7 @@ EOF
 mkpeer ${host_interface_name}: bridge ether link0
 name ${host_interface_name}:ether $bridge_name
 EOF
-        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" "$ip_range" up
+        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
    fi
 }
@@ -226,7 +251,8 @@ function ng_exists {
 function calculate_mac_address {
    local name="$1"
-    local source=$(md5 -r -s "$name" | awk '{print $1}')
+    local source
    source=$(md5 -r -s "$name" | awk '{print $1}')
    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
 }
--- a/ansible/roles/bhyve/files/bhyverc.bash
+++ b/ansible/roles/bhyve/files/bhyverc.bash
@@ -0,0 +1,478 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # Share a host directory to the guest via 9pfs.
 #
 # Inside the VM run:
 #   mount -t virtfs -o trans=virtio sharename /some/vm/path
 #   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
 #   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 bind9p /path/to/mountpoint
 # bhyve_options="-s 28,virtio-9p,sharename=/"
 # Enable Sound
 # bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
 # Example usage:
 #
 #   doas bhyverc create-disk zdata/vm/poudriere /vm/poudriere 10
 #   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
 #   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere
 : ${VERBOSE:="NO"} # or YES
 if [ "$VERBOSE" = "YES" ]; then
    set -x
 fi
 : ${CPU_CORES:="1"}
 : ${MEMORY:="1G"}
 : ${NETWORK:="NAT"} # or RAW or BOTH
 : ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
 : ${INTERFACE_NAME:="jail_nat"} # or the external interface like lagg0 for RAW networks
 : ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
 : ${VNC_ENABLE:="NO"}
 : ${VNC_LISTEN:="127.0.0.1:5900"}
 : ${VNC_WIDTH:="1920"}
 : ${VNC_HEIGHT:="1080"}
 : ${BIND9P:=""}
 : ${PREVENT_OOM:="NO"}
 : "${CD:=}"
 : ${SHUTDOWN_TIMEOUT:="600"} # 10 minutes
 ############## Setup #########################
 function die {
    local status_code="$1"
    shift
    (>&2 echo "${@}")
    exit "$status_code"
 }
 function log {
    (>&2 echo "${@}")
 }
 ############## Program #########################
 function main {
    local cmd
    cmd=$1
    shift
    if [ "$cmd" = "start" ]; then
        init
        start "${@}"
    elif [ "$cmd" = "stop" ]; then
        init
        stop "${@}"
    elif [ "$cmd" = "status" ]; then
        init
        status "${@}"
    elif [ "$cmd" = "console" ]; then
        init
        console "${@}"
    elif [ "$cmd" = "_start_body" ]; then
        init
        start_body "${@}"
    elif [ "$cmd" = "create-disk" ]; then
        create_disk "${@}"
    else
        (>&2 echo "Unknown command: $cmd")
        exit 1
    fi
 }
 function start {
    local num_vms="$#"
    if [ "$num_vms" -eq 0 ]; then
        log "No VMs specified."
        return 0
    fi
    while [ "$#" -gt 0 ]; do
        local name="$1"
        shift 1
        log "Starting VM $name."
        start_one "$name"
        [ "$#" -eq 0 ] || sleep 5
    done
 }
 function start_one {
    local name="$1"
    local tmux_name="$name"
    /usr/local/bin/tmux new-session -d -s "$tmux_name" "$0" "_start_body" "$name"
    # /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=NO VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_opnsense.bash"
 }
 function launch_pidfile {
    local pidfile="$1"
    shift 1
    mkdir -p "$(dirname "$pidfile")"
    cat > "${pidfile}" <<< "$$"
    set -x
    exec "${@}"
 }
 export -f launch_pidfile
 function stop {
    local num_vms="$#"
    if [ "$num_vms" -eq 0 ]; then
        log "No VMs specified."
        return 0
    fi
    while [ "$#" -gt 0 ]; do
        local name="$1"
        shift 1
        log "Stopping VM $name."
        stop_one "$name"
        [ "$#" -eq 0 ] || sleep 5
    done
 }
 function stop_one {
    local name="$1"
    local pidfile="/run/bhyverc/${name}/pid"
    if [ ! -e "$pidfile" ]; then
        log "Pid file $pidfile does not exist."
        return 0
    fi
    local bhyve_pid
    bhyve_pid=$(cat "$pidfile")
    if ps -p "$bhyve_pid" >/dev/null; then
        # Send ACPI shutdown command
        log "Sending ACPI shutdown to ${name}:${bhyve_pid}."
        kill -SIGTERM "$bhyve_pid"
    fi
    local timeout_start timeout_end
    timeout_start=$(date +%s)
    while ps -p "$bhyve_pid" >/dev/null; do
        timeout_end=$(date +%s)
        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to shut down. Hard powering down."
            break
        fi
        log "Waiting for ${name}:${bhyve_pid} to exit."
        sleep 2
    done
    bhyvectl "--vm=$name" --destroy || true
    local timeout_start timeout_end
    timeout_start=$(date +%s)
    while ps -p "$bhyve_pid" >/dev/null; do
        timeout_end=$(date +%s)
        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to hard power down. Giving up."
            break
        fi
        log "Waiting for ${name}:${bhyve_pid} to hard power down."
        sleep 2
    done
    rm -f "$pidfile"
    log "Finished stopping $name."
 }
 function status {
    local num_vms="$#"
    if [ "$num_vms" -gt 0 ]; then
        for name in "$@"; do
            status_one "$name"
        done
    else
        log "No VMs specified."
    fi
 }
 function status_one {
    local name="$1"
    local pidfile="/run/bhyverc/${name}/pid"
    if [ ! -e "$pidfile" ]; then
        log "$name is not running."
        return 0
    fi
    local bhyve_pid
    bhyve_pid=$(cat "$pidfile")
    if ! ps -p "$bhyve_pid" >/dev/null; then
        log "$name is not running."
        return 0
    fi
    log "$name is running as pid $bhyve_pid."
 }
 function console {
    local num_vms="$#"
    if [ "$num_vms" -gt 0 ]; then
        for name in "$@"; do
            log "Attaching to console of VM $name."
            console_one "$name"
        done
    else
        log "No VMs specified."
    fi
 }
 function console_one {
    local name="$1"
    local tmux_name="$name"
    exec tmux a -t "$tmux_name"
 }
 function init {
    mkdir -p /run/bhyverc
 }
 ############## Bhyve ###########################
 function create_disk {
    local zfs_path="$1"
    local mount_path="$2"
    local gigabytes="$3"
    zfs create -o "mountpoint=$mount_path" "$zfs_path"
    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
    tee "${mount_path}/settings" <<EOF
 CPU_CORES="$CPU_CORES"
 MEMORY="$MEMORY"
 NETWORK="$NETWORK"
 IP_RANGE="$IP_RANGE"
 BRIDGE_NAME="$BRIDGE_NAME"
 INTERFACE_NAME="$INTERFACE_NAME"
 EOF
    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none "$zfs_path/disk0"
 }
 function start_body {
    local name="$1"
    local zfs_path="zdata/vm/$name"
    local mount_path="/vm/$name"
    if [ -e "${mount_path}/settings" ]; then
        source "${mount_path}/settings"
    fi
    local mount_cd="$CD"
    local host_interface_name="$INTERFACE_NAME" # for raw, external interface
    local bridge_name="$BRIDGE_NAME"
    local ip_range="$IP_RANGE" # for raw this value does not matter
    local mac_address
    mac_address=$(calculate_mac_address "$name")
    if [ "$PREVENT_OOM" = "YES" ]; then
        protect -d -i -p "$$"
    fi
    local entry parsed_item
    local additional_args=()
    local next_pcie_slot=10
    if [ "$NETWORK" = "NAT" ]; then
        assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
        local bridge_link_name=$(detect_available_link "${bridge_name}")
        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
    elif [ "$NETWORK" = "RAW" ]; then
        assert_raw "$host_interface_name" "$bridge_name"
        local bridge_link_name=$(detect_available_link "${bridge_name}")
        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
    elif [ "$NETWORK" = "BOTH" ]; then
        assert_bridge "jail_nat" "$bridge_name" "$ip_range"
        assert_raw "$host_interface_name" "bridge_raw"
        local bridge_link_name=$(detect_available_link "${bridge_name}")
        local raw_bridge_link_name=$(detect_available_link "bridge_raw")
        local raw_mac_address=$(calculate_mac_address "${name}_raw")
        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
        additional_args+=("-s" "3:0,virtio-net,netgraph,path=bridge_raw:,peerhook=${raw_bridge_link_name},mac=${raw_mac_address}")
    else
        die 1 "Unrecognized NETWORK type $NETWORK"
    fi
    if [ -n "$BIND9P" ]; then
        if [[ "$BIND9P" = *":"* ]]; then
            IFS=':' read -ra entry <<<"$BIND9P"
            for item in "${entry[@]}"; do
                IFS='=' read -ra parsed_item <<<"$item"
                additional_args+=("-s" "${next_pcie_slot},virtio-9p,${parsed_item[0]}=${parsed_item[1]}")
                next_pcie_slot=$((next_pcie_slot+1))
            done
        else
            additional_args+=("-s" "${next_pcie_slot},virtio-9p,bind9p=${BIND9P}")
            next_pcie_slot=$((next_pcie_slot+1))
        fi
    fi
    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
    # TODO: Look into using nmdm instead of stdio for serial console
    if [ -n "$mount_cd" ]; then
        additional_args+=("-s" "5,ahci-cd,$mount_cd")
    fi
    if [ "$VNC_ENABLE" = "YES" ]; then
        additional_args+=("-s" "${next_pcie_slot},fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
        next_pcie_slot=$((next_pcie_slot+1))
    fi
    vms+=("$name")
    while true; do
        local pidfile="/run/bhyverc/${name}/pid"
        trap "set +e; stop_one '${name}'" EXIT
        local launch_cmd=()
        launch_cmd+=(
            launch_pidfile "$pidfile"
            bhyve
            -D
            -c "$CPU_CORES"
            -m "$MEMORY"
            -S
            -H
            -o 'rtc.use_localtime=false'
            -s "0,hostbridge"
            -s "4,nvme,/dev/zvol/${zfs_path}/disk0"
            -s "${next_pcie_slot},xhci,tablet"
            -s "$((next_pcie_slot+1)),lpc" -l "com1,stdio"
            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd"
            "${additional_args[@]}"
            "$name"
        )
        set +e
        rm -f "$pidfile"
        (
            IFS=$' \n\t'
            set -ex
            bash -c "${launch_cmd[*]}"
        )
        local exit_code=$?
        log "Exit code ${exit_code}"
        set -e
        if [ $exit_code -eq 0 ]; then
            echo "Rebooting."
            sleep 5
        elif [ $exit_code -eq 1 ]; then
            echo "Powered off."
            break
        elif [ $exit_code -eq 2 ]; then
            echo "Halted."
            break
        elif [ $exit_code -eq 3 ]; then
            echo "Triple fault."
            break
        elif [ $exit_code -eq 4 ]; then
            echo "Exited due to an error."
            break
        fi
    done
 }
 function detect_available_link {
    local bridge_name="$1"
    local linknum=1
    while true; do
        local link_name="link${linknum}"
        if ! ng_exists "${bridge_name}:${link_name}"; then
            echo "$link_name"
            return
        fi
        linknum=$((linknum + 1))
        if [ "$linknum" -gt 90 ]; then
            (>&2 echo "No available links on bridge $bridge_name")
            exit 1
        fi
    done
 }
 function assert_bridge {
    local host_interface_name="$1"
    local bridge_name="$2"
    local ip_range="$3"
    if ! ng_exists "${bridge_name}:"; then
        ngctl -d -f - <<EOF
 mkpeer . eiface hook ether
 name .:hook $host_interface_name
 EOF
        ngctl -d -f - <<EOF
 mkpeer ${host_interface_name}: bridge ether link0
 name ${host_interface_name}:ether $bridge_name
 EOF
        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
    fi
 }
 function assert_raw {
    local extif="$1"
    local bridge_name="$2"
    kldload -n ng_bridge ng_eiface ng_ether
    if ! ng_exists "${bridge_name}:"; then
        ngctlcat <<EOF
 # Create a bridge.
 mkpeer $extif: bridge lower link0
 # Assign a name to the bridge.
 name $extif:lower ${bridge_name}
 # Since the host is also using $extif, we need to connect the upper hook also. Otherwise we will lose connectivity.
 connect $extif: ${bridge_name}: upper link1
 # Enable promiscuous mode so the host ethernet adapter accepts packets for all addresses
 msg $extif: setpromisc 1
 # Do not overwrite source address on packets
 msg $extif: setautosrc 0
 EOF
    fi
 }
 function ng_exists {
    ngctl status "${1}" >/dev/null 2>&1
 }
 function calculate_mac_address {
    local name="$1"
    local source
    source=$(md5 -r -s "$name" | awk '{print $1}')
    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
 }
 function find_available_port {
    local start_port="$1"
    local port="$start_port"
    while true; do
        sockstat -P tcp -p 443
        port=$((port + 1))
    done
 }
 function ngctlcat {
    if [ "$VERBOSE" = "YES" ]; then
        tee /dev/tty | ngctl -d -f -
    else
        ngctl -d -f -
    fi
 }
 main "${@}"
--- a/ansible/roles/bhyve/files/bhyverc.sh
+++ b/ansible/roles/bhyve/files/bhyverc.sh
@@ -0,0 +1,37 @@
 #!/bin/sh
 #
 # REQUIRE: LOGIN FILESYSTEMS
 # PROVIDE: bhyverc
 # KEYWORD: shutdown
 . /etc/rc.subr
 name=bhyverc
 rcvar=${name}_enable
 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
 status_cmd="${name}_status"
 console_cmd="${name}_console"
 extra_commands="console"
 load_rc_config $name
 bhyverc_start() {
    export PATH="$PATH:/usr/local/bin"
    exec /usr/local/bin/bhyverc start "${@}"
 }
 bhyverc_status() {
    export PATH="$PATH:/usr/local/bin"
    exec /usr/local/bin/bhyverc status "${@}"
 }
 bhyverc_stop() {
    export PATH="$PATH:/usr/local/bin"
    exec /usr/local/bin/bhyverc stop "${@}"
 }
 bhyverc_console() {
    export PATH="$PATH:/usr/local/bin"
    exec /usr/local/bin/bhyverc console "${@}"
 }
 run_rc_command "$@"
--- a/ansible/roles/bhyve/tasks/freebsd.yaml
+++ b/ansible/roles/bhyve/tasks/freebsd.yaml
@@ -22,6 +22,25 @@
  loop:
    - src: bhyve_netgraph_bridge.bash
      dest: /usr/local/bin/bhyve_netgraph_bridge
    - src: bhyverc.bash
      dest: /usr/local/bin/bhyverc
 - name: Install rc script
  copy:
    src: "files/{{ item.src }}"
    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
    owner: root
    group: wheel
    mode: 0755
  loop:
    - src: bhyverc.sh
      dest: bhyverc
 - name: Enable bhyverc
  community.general.sysrc:
    name: bhyverc_enable
    value: "YES"
    path: /etc/rc.conf.d/bhyverc
 - name: Create zfs dataset
  zfs:
--- a/ansible/roles/blank/tasks/common.yaml
+++ b/ansible/roles/blank/tasks/common.yaml
@@ -1,3 +1,43 @@
 # - name: Create directories
 #   file:
 #     name: "{{ item }}"
 #     state: directory
 #     mode: 0755
 #     owner: root
 #     group: wheel
 #   loop:
 #     - /foo/bar
 # - name: Install scripts
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ item.dest }}"
 #     mode: 0755
 #     owner: root
 #     group: wheel
 #   loop:
 #     - src: foo.bash
 #       dest: /usr/local/bin/foo
 # - name: Install Configuration
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ item.dest }}"
 #     mode: 0600
 #     owner: root
 #     group: wheel
 #   loop:
 #     - src: foo.conf
 #       dest: /usr/local/etc/foo.conf
 # - name: Clone Source
 #   git:
 #     repo: "https://foo.bar/baz.git"
 #     dest: /foo/bar
 #     version: "v1.0.2"
 #     force: true
 #   diff: false
 - import_tasks: tasks/freebsd.yaml
  when: 'os_flavor == "freebsd"'
--- a/ansible/roles/build/defaults/main.yaml
+++ b/ansible/roles/build/defaults/main.yaml
@@ -1 +0,0 @@
 freebsd_version: "releng/13.2"
--- a/ansible/roles/build/files/CUSTOM
+++ b/ansible/roles/build/files/CUSTOM
@@ -1,6 +0,0 @@
 include GENERIC-NODEBUG
 # Disable Intel SD/MMC controller for reading eMMC
 nodevice sdhci
 ident   CUSTOM
--- a/ansible/roles/build/files/aurutils-nuke
+++ b/ansible/roles/build/files/aurutils-nuke
@@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 #
 # If something is very wrong in pacman, this removes the keyring and the entire custom repo, then sets up pacman's keyring again. Running the ansible playbook is necessary to get the custom repo added.
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 doas rm -rf /var/cache/pacman/custom/ /etc/pacman.d/conf.d/aurutils.conf
 doas rm -rf /etc/pacman.d/gnupg
 doas pacman-key --init
 doas pacman-key --populate archlinux
 doas pacman -S archlinux-keyring
--- a/ansible/roles/build/files/aurutils-sync
+++ b/ansible/roles/build/files/aurutils-sync
@@ -5,4 +5,4 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-GPGKEY=27DE40D9B8455C1B exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@"
+GPGKEY=4278299FB84F6875 exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@"
--- a/ansible/roles/build/files/aurutils-update-devel-packages
+++ b/ansible/roles/build/files/aurutils-update-devel-packages
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 #
 # Update packages in aurutils with -git suffix.
 #
 # This has to be done manually because aurutils does not check for new git commits every time we run an update.
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 pacman -Slq custom | grep -E -- '-git$' | xargs aurutils-sync --no-ver --reset "$@"
--- a/ansible/roles/build/files/freebsd_update_step1
+++ b/ansible/roles/build/files/freebsd_update_step1
@@ -1,20 +0,0 @@
 #!/usr/bin/env bash
 #
 # Build and installs whatever is in /usr/src. Run step 1, reboot, then step 2.
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 cores=$(sysctl -n hw.ncpu)
 if sudo etcupdate status | grep -qE '^  C '; then
    >&2 echo 'Conflicts remain in etcupdate. Run `etcupdate resolve` to fix them first.'
    exit 1
 fi
 cd /usr/src
 make -j "$cores" clean
 make -j "$cores" buildworld buildkernel
 sudo make installkernel
 echo "FreeBSD update step 1 done. Please reboot."
--- a/ansible/roles/build/files/freebsd_update_step2
+++ b/ansible/roles/build/files/freebsd_update_step2
@@ -1,19 +0,0 @@
 #!/usr/bin/env bash
 #
 # Build and installs whatever is in /usr/src. Run step 1, reboot, then step 2.
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 sudo etcupdate -p
 cd /usr/src
 sudo make installworld
 sudo etcupdate -B
 if sudo etcupdate status | grep -qE '^  C '; then
    >&2 echo 'Conflicts in etcupdate. Run `etcupdate resolve` to fix them first.'
    exit 1
 fi
 echo "FreeBSD update step 2 done. Please reboot."
--- a/ansible/roles/build/files/gpg.asc
+++ b/ansible/roles/build/files/gpg.asc
@@ -1,34 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
+mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
-0H+RsWG0HVRvbSBBbGV4YW5kZXIgPHRvbUBmaXp6LmJ1eno+iJAEExYIADgWIQS4
+Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
-SBWTY8KHeReVS+En3kDZuEVcGwUCXZwWGgIbAwULCQgHAgYVCAkKCwIEFgIDAQIe
+0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
-AQIXgAAKCRAn3kDZuEVcG9glAQDX3Bzaz9sQpycc40LeLxSKQsWplfJigfr8wWOg
+HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
-C15TywEAqkTtCrTNsltdZERLMre7qnv/6RSo54OW0C4pdN7UUAa0HlRvbSBBbGV4
+/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
-YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A
+eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
-2bhFXBsFAl+w+R0CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQJ95A2bhF
+AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
-XBt6fgD+NOYnw9gz5K/q3H5LE/JvqzCSHezJmeGgif0CuU4m1/MA+gPDKME7syEt
+n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
-JsTpELEMrxWWpDW0tD/W1iJE7roGYPQPtB9Ub20gQWxleGFuZGVyIDx0b21AaGFy
+8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
-bW9uaWMuYWk+iJAEExYIADgWIQS4SBWTY8KHeReVS+En3kDZuEVcGwUCX7D5RAIb
+HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
-AwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAn3kDZuEVcGzjDAP9pM1ScstOk
+fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
-ti+oRAsNSk8qsjIsCT9O5voDS0Q7plWlcwD/btKVFO9tPLsXhyvdB+NSwueVs7TA
+AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
-kRVjlW3hktpefg24OARdnBYaEgorBgEEAZdVAQUBAQdArbTYQgDBMG7EBFTKA6+f
+gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
-4CWgwl26Lf2b6cyCGfUw2j4DAQgHiHgEGBYIACAWIQS4SBWTY8KHeReVS+En3kDZ
+mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
-uEVcGwUCXZwWGgIbDAAKCRAn3kDZuEVcG03MAQCrkjrE+MhtvbfGaHGHlwz9QnF0
+nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
-Z519YzK8Xr8m0O+09QEA9BFCfkAzBM4D4JKeWJh/tmN9U6UexzLrRdY+W9cugAm4
+KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
-MwRdnBbKFgkrBgEEAdpHDwEBB0A/IgvgQaDhPkk72raSlUPLZaMyJfPedlfBhbgY
+B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
-uhNiSIj1BBgWCAAmAhsCFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w+hYFCQe4
+CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
-fcwAgXYgBBkWCAAdFiEEgeZEOZZ1UC6xJRa606F5yaU8Dt4FAl2cFsoACgkQ06F5
+/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
-yaU8Dt6MngD+Krs3aYyHH6i85ebVESgBI8XeXhgACM4exepw+0UcoYkBAKK4DvV3
+Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
-oJD6o1ku6Rr8pUH962SQm8PO9pO2JBBAb6ADCRAn3kDZuEVcG9uAAP43vUsbe24/
+BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
-6tjEezAW0a4L2E1u4HNU8t53lolngs1kswEAy1HBdYEMR9TovX/kMeBHLcz1J2pM
+rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
-VRSV0JnJhj5eZwa4MwRdnBcBFgkrBgEEAdpHDwEBB0BrvpOZa4q6JHVuc1XUVQTq
+7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
-hDgLwD5SJBvzHSTXPYOZMoh+BBgWCAAmAhsgFiEEuEgVk2PCh3kXlUvhJ95A2bhF
+=OfDR
 XBsFAl+w+hYFCQe4fZUACgkQJ95A2bhFXBs3NgEA3SFYTgRVstidfoEpEZV4DdSL
 kXaOwN3Eyba4UniClyMA/2CCxQt24vu19TyvUtOXWCp9Zi8SyIqoeiXQ4ZmhhnQO
 uDgEXZwXKBIKKwYBBAGXVQEFAQEHQA7S3cFTEu6iROopVyF4UBl3hQrEAbOc9CW+
 xXKFZYgSAwEIB4h+BBgWCAAmAhsMFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w
 +hcFCQe4fW4ACgkQJ95A2bhFXBtUXAEAyEJCUNVSJ7qvQv5IXuwbYTX2Mh7JU3+F
 GJHO7AWBXCQA/2aLAi9kYmz9ba770XYwTeBZIv9Y6UIwIwVmFdYHC/EM
 =a/z4
 -----END PGP PUBLIC KEY BLOCK-----
--- a/ansible/roles/build/files/gpg_work.asc
+++ b/ansible/roles/build/files/gpg_work.asc
@@ -0,0 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
 Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
 0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
 HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
 /MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
 eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
 AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
 n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
 8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
 HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
 fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
 AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
 gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
 mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
 nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
 KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
 B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
 CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
 /j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
 Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
 BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
 rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
 7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
 =OfDR
 -----END PGP PUBLIC KEY BLOCK-----
--- a/ansible/roles/build/files/make.conf
+++ b/ansible/roles/build/files/make.conf
@@ -1,3 +0,0 @@
 KERNCONF=CUSTOM
 BUILD_STATIC=YES
--- a/ansible/roles/build/files/pacman-x86_64.conf
+++ b/ansible/roles/build/files/pacman-x86_64.conf
@@ -31,10 +31,11 @@ Architecture = auto
 # Misc options
 #UseSyslog
 #Color
-#TotalDownload
+NoProgressBar
 # We cannot check disk space from within a chroot environment
 #CheckSpace
-#VerbosePkgLists
+VerbosePkgLists
 ParallelDownloads = 5
 # By default, pacman accepts packages signed by keys that its local keyring
 # trusts (see pacman-key and its man page), as well as unsigned packages.
@@ -69,32 +70,24 @@ LocalFileSigLevel = Optional
 # repo name header and Include lines. You can add preferred servers immediately
 # after the header, and they will be used before the default mirrors.
-#[testing]
+#[core-testing]
 #Include = /etc/pacman.d/mirrorlist
 [core]
 Include = /etc/pacman.d/mirrorlist
 #[extra-testing]
 #Include = /etc/pacman.d/mirrorlist
 [extra]
 Include = /etc/pacman.d/mirrorlist
 #[community-testing]
 #Include = /etc/pacman.d/mirrorlist
 [community]
 Include = /etc/pacman.d/mirrorlist
 # If you want to run 32 bit applications on your x86_64 system,
 # enable the multilib repositories as required here.
 #[multilib-testing]
 #Include = /etc/pacman.d/mirrorlist
 [multilib]
 Include = /etc/pacman.d/mirrorlist
 # An example of a custom package repository.  See the pacman manpage for
 # tips on creating your own repositories.
 #[custom]
 #SigLevel = Optional TrustAll
 #Server = file:///home/custompkgs
 [custom]
 SigLevel = Required
 Server = file:///var/cache/pacman/custom
--- a/ansible/roles/build/meta/main.yaml
+++ b/ansible/roles/build/meta/main.yaml
@@ -1,3 +1,5 @@
 dependencies:
-  - users
+  - role: users
-  - gpg
+    when: 'os_flavor == "linux"'
  - role: gpg
    when: 'os_flavor == "linux"'
--- a/ansible/roles/build/tasks/common.yaml
+++ b/ansible/roles/build/tasks/common.yaml
@@ -3,12 +3,3 @@
 - import_tasks: tasks/linux.yaml
  when: 'os_flavor == "linux"'
 - include_tasks:
    file: tasks/peruser.yaml
    apply:
      become: yes
      become_user: "{{ initialize_user }}"
  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
  loop_control:
    loop_var: initialize_user
--- a/ansible/roles/build/tasks/freebsd.yaml
+++ b/ansible/roles/build/tasks/freebsd.yaml
@@ -1,94 +0,0 @@
 - name: Install packages
  package:
    name:
      - git
    state: present
 - name: Create directories
  file:
    name: "{{ item }}"
    state: directory
    mode: 0755
    owner: "{{ build_user.name }}"
    group: "{{ build_user.group }}"
  loop:
    - "/usr/src"
    # - "/usr/ports"
    - "/usr/obj"
 - name: chown the FreeBSD source
  file:
    name: "{{ item }}"
    state: directory
    owner: "{{ build_user.name }}"
    group: "{{ build_user.group }}"
    recurse: true
  loop:
    - "/usr/src"
 - name: Clone FreeBSD Source
  git:
    repo: "https://git.FreeBSD.org/src.git"
    dest: /usr/src
    version: "{{ freebsd_version }}"
    force: true
  become: true
  become_user: "{{ build_user.name }}"
  diff: false
 # - name: Clone Ports Tree
 #   git:
 #     repo: "https://git.FreeBSD.org/ports.git"
 #     dest: /usr/ports
 #     version: "main"
 #     force: true
 #     update: false
 #   become: true
 #   become_user: "{{ build_user.name }}"
 #   diff: false
 - name: Install Configuration
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0644
    owner: root
    group: wheel
  loop:
    - src: make.conf
      dest: /etc/make.conf
 - name: Install Configuration
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0644
    owner: "{{ build_user.name }}"
    group: "{{ build_user.group }}"
  loop:
    - src: CUSTOM
      dest: /usr/src/sys/amd64/conf/CUSTOM
 - name: Install Configuration
  template:
    src: "templates/{{ item.src }}.j2"
    dest: "{{ item.dest }}"
    mode: 0644
    owner: root
    group: wheel
  loop:
    - src: src.conf
      dest: /etc/src.conf
 - name: Install scripts
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0700
    owner: "{{ build_user.name }}"
    group: "{{ build_user.group }}"
  loop:
    - src: freebsd_update_step1
      dest: /usr/local/bin/freebsd_update_step1
    - src: freebsd_update_step2
      dest: /usr/local/bin/freebsd_update_step2
--- a/ansible/roles/build/tasks/linux.yaml
+++ b/ansible/roles/build/tasks/linux.yaml
@@ -39,12 +39,12 @@
 - name: Trust my signing key
  command: pacman-key -a -
  args:
-    stdin: "{{ lookup('file', 'gpg.asc') }}"
+    stdin: "{{ lookup('file', pgp_key|default('gpg.asc')) }}"
-  when: '"B848159363C2877917954BE127DE40D9B8455C1B" not in pacmankeys.stdout'
+  when: '"D272C8D6167F26859467666F4278299FB84F6875" not in pacmankeys.stdout'
  register: my_key_imported
 - name: Sign my signing key
-  command: pacman-key --lsign-key "B848159363C2877917954BE127DE40D9B8455C1B"
+  command: pacman-key --lsign-key "D272C8D6167F26859467666F4278299FB84F6875"
  when: my_key_imported.changed
 - name: Build the aurutils package
@@ -89,17 +89,26 @@
  loop:
    - src: aurutils.conf
      dest: /etc/pacman.d/conf.d/
-    - src: pacman-custom.conf
+    - src: pacman-x86_64.conf
      dest: /etc/aurutils/
    - src: makepkg.conf # TODO: Is this needed or can I use the default from devtools?
      dest: /etc/aurutils/
 - name: chown the custom package db
  file:
    path: "{{ item }}"
    owner: "{{ build_user.name }}"
    recurse: true
  loop:
    - /var/cache/pacman/custom/
 - name: Create custom repo db
-  command: repo-add --sign /var/cache/pacman/custom/custom.db.tar
+  # shell: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*"
  command: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar
  become: true
  become_user: "{{ build_user.name }}"
  args:
-    creates: /var/cache/pacman/custom/custom.db.tar
+    creates: /var/cache/pacman/custom/custom.db.tar.sig
 - name: Install scripts
  copy:
@@ -111,8 +120,12 @@
  loop:
    - src: aurutils-purge
      dest: /usr/local/bin/aurutils-purge
    - src: aurutils-nuke
      dest: /usr/local/bin/aurutils-nuke
    - src: aurutils-sync
      dest: /usr/local/bin/aurutils-sync
    - src: aurutils-update-devel-packages
      dest: /usr/local/bin/
 - name: build aurutils inside aurutils
  become_user: "{{ build_user.name }}"
--- a/ansible/roles/build/templates/src.conf.j2
+++ b/ansible/roles/build/templates/src.conf.j2
@@ -1,22 +0,0 @@
 {% if cpu_opt is defined and cpu_opt %}
 CPUTYPE?={{ cpu_opt }}
 {% endif %}
 OPTIMIZED_CFLAGS=YES
 BUILD_OPTIMIZED=YES
 WITH_CPUFLAGS=YES
 WITH_MALLOC_PRODUCTION=YES
 WITHOUT_LLVM_ASSERTIONS=YES
 WITH_REPRODUCIBLE_BUILD=YES
 # Would be fun to experiment with:
 # WITHOUT_SOURCELESS=YES
 # Questionable Optimizations
 WITHOUT_FLOPPY=YES
 WITHOUT_HTML=YES
 WITHOUT_IPFW=YES
 WITHOUT_IPFILTER=YES
 WITHOUT_LLVM_TARGET_ALL=YES
 # Commented out because maybe I want email alerts for failing disks
 # WITHOUT_MAIL=YES
 # WITHOUT_SENDMAIL=YES
--- a/ansible/roles/chromium/files/chromium-flags.conf
+++ b/ansible/roles/chromium/files/chromium-flags.conf
@@ -0,0 +1,2 @@
 --ozone-platform-hint=auto
 --enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder
--- a/ansible/roles/kubernetes/meta/main.yaml
+++ b/ansible/roles/kubernetes/meta/main.yaml
@@ -1,2 +1,2 @@
 dependencies:
-  - build
+  - users
--- a/ansible/roles/chromium/tasks/common.yaml
+++ b/ansible/roles/chromium/tasks/common.yaml
@@ -0,0 +1,55 @@
 # - name: Create directories
 #   file:
 #     name: "{{ item }}"
 #     state: directory
 #     mode: 0755
 #     owner: root
 #     group: wheel
 #   loop:
 #     - /foo/bar
 # - name: Install scripts
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ item.dest }}"
 #     mode: 0755
 #     owner: root
 #     group: wheel
 #   loop:
 #     - src: foo.bash
 #       dest: /usr/local/bin/foo
 # - name: Install Configuration
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ item.dest }}"
 #     mode: 0600
 #     owner: root
 #     group: wheel
 #   loop:
 #     - src: foo.conf
 #       dest: /usr/local/etc/foo.conf
 # - name: Clone Source
 #   git:
 #     repo: "https://foo.bar/baz.git"
 #     dest: /foo/bar
 #     version: "v1.0.2"
 #     force: true
 #   diff: false
 - import_tasks: tasks/freebsd.yaml
  when: 'os_flavor == "freebsd"'
 - import_tasks: tasks/linux.yaml
  when: 'os_flavor == "linux"'
 - include_tasks:
    file: tasks/peruser.yaml
    apply:
      become: yes
      become_user: "{{ initialize_user }}"
  when: users is defined
  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
  loop_control:
    loop_var: initialize_user
--- a/ansible/roles/chromium/tasks/freebsd.yaml
+++ b/ansible/roles/chromium/tasks/freebsd.yaml
@@ -0,0 +1,5 @@
 # - name: Install packages
 #   package:
 #     name:
 #       - foo
 #     state: present
--- a/ansible/roles/chromium/tasks/linux.yaml
+++ b/ansible/roles/chromium/tasks/linux.yaml
@@ -0,0 +1,7 @@
 # Check chrome://gpu/ to confirm hardware video decoding and vulkan rendering is working.
 - name: Install packages
  package:
    name:
      - chromium
    state: present
--- a/ansible/roles/chromium/tasks/main.yaml
+++ b/ansible/roles/chromium/tasks/main.yaml
@@ -0,0 +1,2 @@
 - import_tasks: tasks/common.yaml
  when: install_graphics
--- a/ansible/roles/chromium/tasks/peruser.yaml
+++ b/ansible/roles/chromium/tasks/peruser.yaml
--- a/ansible/roles/chromium/tasks/peruser_freebsd.yaml
+++ b/ansible/roles/chromium/tasks/peruser_freebsd.yaml
--- a/ansible/roles/chromium/tasks/peruser_linux.yaml
+++ b/ansible/roles/chromium/tasks/peruser_linux.yaml
@@ -0,0 +1,10 @@
 - name: Copy files
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
    mode: 0600
    owner: "{{ account_name.stdout }}"
    group: "{{ group_name.stdout }}"
  loop:
    - src: chromium-flags.conf
      dest: .config/chromium-flags.conf
--- a/ansible/roles/cpu/files/aesni_loader.conf
+++ b/ansible/roles/cpu/files/aesni_loader.conf
@@ -1 +0,0 @@
 aesni_load="YES"
--- a/ansible/roles/cpu/files/amd_microcode_rc.conf
+++ b/ansible/roles/cpu/files/amd_microcode_rc.conf
@@ -0,0 +1 @@
 microcode_update_enable="YES"
--- a/ansible/roles/cpu/files/cpu_set_perf_perc_freebsd
+++ b/ansible/roles/cpu/files/cpu_set_perf_perc_freebsd
@@ -7,6 +7,12 @@ IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 perc=$1
 if [ "$perc" -gt 100 ]; then
    perc=100
 fi
 if [ "$perc" -lt 0 ]; then
    perc=0
 fi
 epp=$((100 - perc))
 sysctl -N dev.hwpstate_intel | grep -E 'dev.hwpstate_intel.[0-9]+.epp' | while read var; do
--- a/ansible/roles/cpu/files/cpu_set_perf_perc_linux
+++ b/ansible/roles/cpu/files/cpu_set_perf_perc_linux
@@ -1,15 +0,0 @@
 #!/usr/bin/env bash
 #
 # Tell speedshift whether to maximize CPU performance (100) or energy
 # efficiency (0).
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 perc=$1
 if [ $perc -lt 50 ]; then
    echo "power" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
 else
    echo "performance" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
 fi
--- a/ansible/roles/cpu/files/cpu_set_perf_perc_linux_amd
+++ b/ansible/roles/cpu/files/cpu_set_perf_perc_linux_amd
@@ -0,0 +1,29 @@
 #!/usr/bin/env bash
 #
 # Tell hardware p-states whether to maximize CPU performance (100) or
 # energy efficiency (0).
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 perc=$1
 if [ "$perc" -gt 80 ]; then
    echo performance | tee /sys/firmware/acpi/platform_profile
 elif [ "$perc" -ge 20 ]; then
    echo balanced | tee /sys/firmware/acpi/platform_profile
 else
    echo low-power | tee /sys/firmware/acpi/platform_profile
 fi
 if [ "$perc" -ge 80 ]; then
    echo "performance" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
 elif [ "$perc" -ge 60 ]; then
    echo "balance_performance" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
 elif [ "$perc" -ge 40 ]; then
    echo "default" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
 elif [ "$perc" -ge 20 ]; then
    echo "balance_power" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
 else
    echo "power" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
 fi
--- a/ansible/roles/cpu/files/cpu_set_perf_perc_linux_intel
+++ b/ansible/roles/cpu/files/cpu_set_perf_perc_linux_intel
@@ -0,0 +1,27 @@
 #!/usr/bin/env bash
 #
 # Tell speedshift whether to maximize CPU performance (100) or energy
 # efficiency (0). If set to 101 this will enable turboboost.
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 perc=$1
 if [ "$perc" -gt 100 ]; then
    echo 0 | tee /sys/devices/system/cpu/intel_pstate/no_turbo
 else
    echo 1 | tee /sys/devices/system/cpu/intel_pstate/no_turbo
 fi
 if [ "$perc" -ge 80 ]; then
    echo "performance" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
 elif [ "$perc" -ge 60 ]; then
    echo "balance_performance" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
 elif [ "$perc" -ge 40 ]; then
    echo "default" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
 elif [ "$perc" -ge 20 ]; then
    echo "balance_power" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
 else
    echo "power" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
 fi
--- a/ansible/roles/cpu/files/cryptodev_loader.conf
+++ b/ansible/roles/cpu/files/cryptodev_loader.conf
@@ -0,0 +1 @@
 cryptodev_load="YES"
--- a/ansible/roles/cpu/files/intel_microcode_loader.conf
+++ b/ansible/roles/cpu/files/intel_microcode_loader.conf
@@ -0,0 +1,6 @@
 # Load Intel microcode at boot before the kernel does feature detection.
 #
 # The alternative would have been /etc/rc.conf with:
 #   microcode_update_enable="YES"
 cpu_microcode_load="YES"
 cpu_microcode_name="/boot/firmware/intel-ucode.bin"
--- a/ansible/roles/cpu/files/per_core_hwpstate_loader.conf
+++ b/ansible/roles/cpu/files/per_core_hwpstate_loader.conf
--- a/ansible/roles/cpu/files/platform_profile_tmpfiles.conf
+++ b/ansible/roles/cpu/files/platform_profile_tmpfiles.conf
@@ -0,0 +1,2 @@
 # Favor energy efficiency for platform profile (EC / system, not CPU)
 w- /sys/firmware/acpi/platform_profile - - - - low-power
--- a/ansible/roles/cpu/tasks/freebsd_amd.yaml
+++ b/ansible/roles/cpu/tasks/freebsd_amd.yaml
@@ -1,3 +1,9 @@
 - name: Install packages
  package:
    name:
      - cpu-microcode-amd
    state: present
 - name: Install loader.conf
  copy:
    src: "files/{{ item }}_loader.conf"
@@ -17,8 +23,10 @@
    group: wheel
  loop:
    - power_profile
    - amd_microcode
 - name: Install loader.conf
  when: hwpstate is defined and hwpstate
  copy:
    src: "files/{{ item }}_loader.conf"
    dest: "/boot/loader.conf.d/{{ item }}.conf"
@@ -26,4 +34,5 @@
    owner: root
    group: wheel
  loop:
-    - aesni
+    - per_core_hwpstate
    - cryptodev
--- a/ansible/roles/cpu/tasks/freebsd_intel.yaml
+++ b/ansible/roles/cpu/tasks/freebsd_intel.yaml
@@ -3,6 +3,7 @@
    name:
      - lscpu # need to kldload cpuctl
      - powermon # need to kldload cpuctl
      - cpu-microcode-intel
    state: present
 - name: Install loader.conf
@@ -15,7 +16,7 @@
  loop:
    - coretemp
    - cpuctl
-    - aesni
+    - intel_microcode
 - name: Install service configuration
  copy:
@@ -76,4 +77,5 @@
    owner: root
    group: wheel
  loop:
-    - percorespeedshift
+    - per_core_hwpstate
    - cryptodev
--- a/ansible/roles/cpu/tasks/linux_amd.yaml
+++ b/ansible/roles/cpu/tasks/linux_amd.yaml
@@ -0,0 +1,40 @@
 - name: Install packages
  package:
    name:
      - powertop
    state: present
 - name: Favor energy efficiency for hardware p-states
  when: hwpstate is defined and hwpstate and cores is defined
  template:
    src: "templates/{{ item.src }}.j2"
    dest: "{{ item.dest }}"
    mode: 0644
    owner: root
    group: wheel
  loop:
    - src: energy_performance_preference.conf
      dest: /etc/tmpfiles.d/energy_performance_preference.conf
 - name: Install tmpfiles.d configuration
  when: hwpstate is defined and hwpstate and cores is defined
  copy:
    src: "files/{{ item }}_tmpfiles.conf"
    dest: "/etc/tmpfiles.d/{{ item }}.conf"
    mode: 0644
    owner: root
    group: wheel
  loop:
    - platform_profile
 - name: Install scripts
  when: hwpstate is defined and hwpstate
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0755
    owner: root
    group: wheel
  loop:
    - src: cpu_set_perf_perc_linux_amd
      dest: /usr/local/bin/cpu_set_perf_perc
--- a/ansible/roles/cpu/tasks/linux_intel.yaml
+++ b/ansible/roles/cpu/tasks/linux_intel.yaml
@@ -19,7 +19,7 @@
  template:
    src: "templates/{{ item.src }}.j2"
    dest: "{{ item.dest }}"
-    mode: 0755
+    mode: 0644
    owner: root
    group: wheel
  loop:
@@ -35,5 +35,5 @@
    owner: root
    group: wheel
  loop:
-    - src: cpu_set_perf_perc_linux
+    - src: cpu_set_perf_perc_linux_intel
      dest: /usr/local/bin/cpu_set_perf_perc
--- a/ansible/roles/cpu/templates/energy_performance_preference.conf.j2
+++ b/ansible/roles/cpu/templates/energy_performance_preference.conf.j2
@@ -1,4 +1,4 @@
-# Favor energy efficiency for Speed Shift
+# Favor energy efficiency for hardware p-states
 {% for core in range(0, cores, 1) %}
 w- /sys/devices/system/cpu/cpufreq/policy{{core}}/energy_performance_preference - - - - power
 {% endfor %}
--- a/ansible/roles/devfs/files/homeserver_devfs.rules
+++ b/ansible/roles/devfs/files/homeserver_devfs.rules
@@ -0,0 +1,25 @@
 # [localrules=10]
 # add path 'input/*' mode 0660 group video
 # add path 'usb/*' mode 0660 group usb
 [tajailwg=13]
 add include $devfsrules_hide_all
 add include $devfsrules_unhide_basic
 add include $devfsrules_unhide_login
 add path 'bpf*' unhide
 add path pf unhide
 add path pflog unhide
 add path pfsynv unhide
 add path 'tun*' unhide
 [tajaildhcp=14]
 add include $devfsrules_hide_all
 add include $devfsrules_unhide_basic
 add include $devfsrules_unhide_login
 add path 'bpf*' unhide
 [tajailrand=15]
 add include $devfsrules_hide_all
 add include $devfsrules_unhide_basic
 add include $devfsrules_unhide_login
 add path urandom unhide
--- a/ansible/roles/docker/tasks/linux.yaml
+++ b/ansible/roles/docker/tasks/linux.yaml
@@ -2,6 +2,8 @@
  package:
    name:
      - docker
      - docker-compose
      - docker-buildx
    state: present
 - name: Create docker zfs dataset
--- a/ansible/roles/emacs/defaults/main.yaml
+++ b/ansible/roles/emacs/defaults/main.yaml
@@ -0,0 +1 @@
 emacs_flavor: "plain" # or full for systems where I do real development.
--- a/ansible/roles/emacs/files/base.el
+++ b/ansible/roles/emacs/files/base.el
@@ -1,106 +0,0 @@
 (package-initialize)
 (add-to-list 'package-archives
             '("melpa" . "https://melpa.org/packages/")
             )
 (when (not package-archive-contents)
  (package-refresh-contents))
 (unless (package-installed-p 'use-package)
  (package-install 'use-package))
 (use-package auto-package-update
   :ensure t
   :config
   (setq auto-package-update-delete-old-versions t
         auto-package-update-interval 14)
   (auto-package-update-maybe))
 (defconst private-dir  (expand-file-name "private" user-emacs-directory))
 (defconst temp-dir (format "%s/cache" private-dir)
  "Hostname-based elisp temp directories")
 ;; Emacs customizations
 (setq-default
 inhibit-startup-screen              t
 initial-scratch-message             nil
 ;; Send prompts to mini-buffer not the GUI
 use-dialog-box                      nil
 confirm-nonexistent-file-or-buffer  t
 save-interprogram-paste-before-kill t
 mouse-yank-at-point                 t
 require-final-newline               t
 visible-bell                        nil
 ring-bell-function                  'ignore
 custom-file                         "~/.emacs.d/.custom.el"
 ;; http://ergoemacs.org/emacs/emacs_stop_cursor_enter_prompt.html
 minibuffer-prompt-properties
 '(read-only t point-entered minibuffer-avoid-prompt face minibuffer-prompt)
 ;; Disable non selected window highlight
 cursor-in-non-selected-windows     nil
 highlight-nonselected-windows      nil
 ;; PATH
 exec-path                          (append exec-path '("/usr/local/bin/"))
 indent-tabs-mode                   nil
 tab-width                          4
 inhibit-startup-message            t
 fringes-outside-margins            t
 x-select-enable-clipboard          t
 use-package-always-ensure          t
 ispell-program-name                "aspell"
 browse-url-browser-function        'browse-url-generic
 browse-url-generic-program         "firefox-developer-edition"
 frame-title-format                 '("" invocation-name ": "(:eval (if (buffer-file-name)
                                                                        (abbreviate-file-name (buffer-file-name))
                                                                      "%b")))
 ;; mouse-wheel-progressive-speed      nil ;; Don't accelerate mouse wheel
 ;; mouse-wheel-scroll-amount '(5 ((shift) . 3))
 use-short-answers                  t
 package-native-compile             t
 delete-selection-mode              t
 )
 (defun assert-directory (p)
  (unless (file-exists-p p) (make-directory p t))
  p
  )
 (assert-directory (concat temp-dir "/auto-save-list/"))
 (setq autoload-directory (concat user-emacs-directory (file-name-as-directory "elisp") (file-name-as-directory "autoload")))
 (add-to-list 'load-path (assert-directory autoload-directory))
 ;; Bookmarks
 (setq
 ;; persistent bookmarks
 bookmark-save-flag                      t
 bookmark-default-file              (concat temp-dir "/bookmarks"))
 ;; Backups enabled, use nil to disable
 (setq
 history-length                     1000
 backup-inhibited                   nil
 make-backup-files                  nil
 auto-save-default                  nil
 auto-save-list-file-name           (concat temp-dir "/autosave")
 create-lockfiles                   nil
 backup-directory-alist            `((".*" . ,(concat temp-dir "/backup/")))
 auto-save-file-name-transforms    `((".*" ,(concat temp-dir "/auto-save-list/") t)))
 ;; Disable toolbar & menubar
 (menu-bar-mode -1)
 (when (fboundp 'tool-bar-mode)
  (tool-bar-mode -1))
 (when (  fboundp 'scroll-bar-mode)
  (scroll-bar-mode -1))
 (context-menu-mode +1)
 ;; Delete trailing whitespace before save
 (add-hook 'before-save-hook 'delete-trailing-whitespace)
 (use-package diminish)
 (provide 'base)
 ;;; base ends here
--- a/ansible/roles/emacs/files/common-lsp.el
+++ b/ansible/roles/emacs/files/common-lsp.el
@@ -1,41 +0,0 @@
 (use-package eglot
  :commands (eglot eglot-ensure)
  :bind (:map eglot-mode-map
              ;; M-.
              ;; ([remap xref-find-definitions] . lsp-ui-peek-find-definitions)
              ;; M-?
              ;; ([remap xref-find-references] . lsp-ui-peek-find-references)
              ("C-c C-a" . eglot-code-actions)
              )
  :hook (
         (eglot-managed-mode . (lambda ()
                                 (when (eglot-managed-p)
                                   (corfu-mode +1)
                                   )
                                 ))
         )
  :config
  ;; Increase garbage collection threshold for performance (default 800000)
  (setq gc-cons-threshold 100000000)
  ;; Increase amount of data read from processes, default 4k
  (when (>= emacs-major-version 27)
    (setq read-process-output-max (* 1024 1024)) ;; 1mb
    )
  (set-face-attribute 'eglot-highlight-symbol-face nil :background "#0291a1" :foreground "black")
  (set-face-attribute 'eglot-mode-line nil :inherit 'mode-line :bold nil)
  (use-package consult-eglot
    :bind (
           :map eglot-mode-map
           ;; C-M-.
           ([remap xref-find-apropos] . #'consult-eglot-symbols)
           )
    )
  :custom
  (eglot-autoshutdown t "Shut down server when last buffer is killed.")
  (eglot-sync-connect 0 "Don't block on language server starting.")
  )
 (provide 'common-lsp)
--- a/ansible/roles/emacs/files/early-init.el
+++ b/ansible/roles/emacs/files/early-init.el
@@ -0,0 +1,25 @@
 (setq gc-cons-threshold (* 128 1024 1024)) ;; 128MiB Increase garbage collection threshold for performance (default 800000)
 ;; Increase amount of data read from processes, default 4k
 (when (version<= "27.0" emacs-version)
  (setq read-process-output-max (* 10 1024 1024)) ;; 10MiB
  )
 ;; Suppress warnings
 (setq byte-compile-warnings '(not obsolete))
 (setq warning-suppress-log-types '((comp) (bytecomp)))
 (setq native-comp-async-report-warnings-errors 'silent)
 ;; Set up default visual settings
 (setq frame-resize-pixelwise t)
 ;; Disable toolbar & menubar
 (menu-bar-mode -1)
 (when (fboundp 'tool-bar-mode)
  (tool-bar-mode -1))
 (when (display-graphic-p)
  (context-menu-mode +1))
 (setq default-frame-alist '((fullscreen . maximized)
                            (vertical-scroll-bars . nil)
                            (horizontal-scroll-bars . nil)
                            ;; Set dark colors in early-init to prevent flashes of white.
                            (background-color . "#000000")))
--- a/ansible/roles/emacs/files/elisp/base-extensions.el
+++ b/ansible/roles/emacs/files/elisp/base-extensions.el
@@ -1,5 +1,7 @@
 (use-package diminish)
 ;; Eglot recommends pulling the latest of the standard libraries it
-;; uses from ELPA if you're not tracking the current emacs development
+;; uses from ELPA if you're not tracking the current.config/emacsevelopment
 ;; branch.
 (use-package xref
  :pin gnu
@@ -27,46 +29,56 @@
  :config
  (dashboard-setup-startup-hook))
 (use-package ediff
  :config
  (setq ediff-window-setup-function 'ediff-setup-windows-plain)
  (setq-default ediff-highlight-all-diffs 'nil)
  (setq ediff-diff-options "-w"))
 (when (version<= "26.0.50" emacs-version )
  (add-hook 'prog-mode-hook 'display-line-numbers-mode)
  (add-hook 'prog-mode-hook 'column-number-mode)
  )
-(use-package page-break-lines)
+;; Display a horizontal line instead of ^L for page break characters
 (use-package page-break-lines
  :diminish
  :config
  (global-page-break-lines-mode +1)
  )
 (use-package recentf
  ;; This is an emacs built-in but we're pulling the latest version
  :config
  (setq recentf-max-saved-items 100)
-  (setq recentf-save-file (recentf-expand-file-name "~/.emacs.d/private/cache/recentf"))
+  (setq recentf-save-file (recentf-expand-file-name "~/.config/emacs/private/cache/recentf"))
  (recentf-mode 1))
 ;; Persist history over Emacs restarts. Vertico sorts by history position.
 (use-package savehist
  ;; This is an emacs built-in but we're pulling the latest version
  :pin gnu
  :config
  (savehist-mode))
 (use-package which-key
  :pin gnu
  :diminish
  :config
  (which-key-mode))
 (use-package windmove
-  :config
+  ;; This is an emacs built-in but we're pulling the latest version
-  (windmove-default-keybindings))
+  :pin gnu
  :bind
  (
   ("S-<up>" . windmove-up)
   ("S-<right>" . windmove-right)
   ("S-<down>" . windmove-down)
   ("S-<left>" . windmove-left)
   )
  )
 (setq tramp-default-method "ssh")
 (use-package dockerfile-mode)
 (use-package nginx-mode
  :mode (
         ("headers\\.include\\'" . nginx-mode)
         )
  :config
  (setq nginx-indent-level 4))
--- a/ansible/roles/emacs/files/elisp/base-functions.el
+++ b/ansible/roles/emacs/files/elisp/base-functions.el
@@ -55,6 +55,14 @@
                 ))
    (mapc load-it (directory-files dir nil "\\.el$"))))
 (defun generate-vc-link ()
  (interactive)
  (or
   (generate-github-link)
   (generate-source-hut-link)
   )
  )
 (defun generate-github-link ()
  "Generate a permalink to the current line."
  (interactive)
@@ -69,10 +77,37 @@
           (let* (
                 (gh-org (match-string 2 repository-url))
                 (gh-repo (match-string 3 repository-url))
-                 (full-url (format "https://github.com/%s/%s/blob/%s/%s#L%s" gh-org gh-repo current-rev relative-path line-number))
+                 (full-url (format "https://github.com/%s/%s/blob/%s/%s?plain=1#L%s" gh-org gh-repo current-rev relative-path line-number))
                 )
             (message "%s" full-url)
             (kill-new full-url)
             t
             )
           )
      )
    )
  )
 (defun generate-source-hut-link ()
  "Generate a permalink to the current line."
  (interactive)
  (let (
        (current-rev (vc-working-revision buffer-file-name))
        (line-number (line-number-at-pos))
        (repository-url (vc-git-repository-url buffer-file-name))
        (relative-path (file-relative-name buffer-file-name (vc-root-dir)))
        )
    (message "Using repo url %s" repository-url)
    (save-match-data
      (and (string-match "https://git.sr.ht/\\([^/]+\\)/\\([^/]+\\)" repository-url)
           (let* (
                 (sh-org (match-string 1 repository-url))
                 (sh-repo (match-string 2 repository-url))
                 (full-url (format "https://git.sr.ht/%s/%s/tree/%s/%s#L%s" sh-org sh-repo current-rev relative-path line-number))
                 )
             (message "%s" full-url)
             (kill-new full-url)
             t
             )
           )
      )
--- a/ansible/roles/emacs/files/elisp/base-global-keys.el
+++ b/ansible/roles/emacs/files/elisp/base-global-keys.el
@@ -7,6 +7,6 @@
 ;; dabbrev-expand. Seems to be some sort of dumb-expand. Accidentally hitting it when trying to use M-?
 (global-unset-key (kbd "M-/"))
-(global-set-key (kbd "C-x g l") 'generate-github-link)
+(global-set-key (kbd "C-x g l") 'generate-vc-link)
 (provide 'base-global-keys)
--- a/Show More
+++ b/Show More
`@@ -1,2 +1 @@`
	`bhyve_mountpoint: "/vm"`	`bhyve_mountpoint: "/vm"`
	`bhyve_list: []`
		`@@ -0,0 +1,2 @@`
							`--ozone-platform-hint=auto`
							`--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder`
`@@ -1,2 +1,2 @@`
	`dependencies:`	`dependencies:`
	`- build`	`- users`
		`@@ -0,0 +1,2 @@`
							`- import_tasks: tasks/common.yaml`
							`when: install_graphics`
		`@@ -0,0 +1,2 @@`
							`# Favor energy efficiency for platform profile (EC / system, not CPU)`
							`w- /sys/firmware/acpi/platform_profile - - - - low-power`
		`@@ -0,0 +1 @@`
							`emacs_flavor: "plain" # or full for systems where I do real development.`