Update for pkgbase rebuild of homeserver.

Remove rg jail and add ipv6 to wireguard.
Update for rebuild of mrmanager.
2026-04-14 15:39:22 -04:00 · 2026-04-04 21:18:42 -04:00 · 2026-03-26 18:17:38 -04:00 · 2025-12-07 14:31:15 -05:00 · 2025-12-07 14:19:24 -05:00 · 2025-12-07 10:32:56 -05:00
477 changed files with 10020 additions and 2109 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1,5 @@
 cargo_credentials.toml filter=git-crypt diff=git-crypt
 **/wireguard_configs/** filter=git-crypt diff=git-crypt
 *.key filter=git-crypt diff=git-crypt
+credentials filter=git-crypt diff=git-crypt
+htpasswd filter=git-crypt diff=git-crypt
--- a/TODO.org
+++ b/TODO.org
@@ -0,0 +1,5 @@
+* to-do
+** Switch to overlay driver when zfs 2.2 is released
+This might fix some stability issues (like a container getting stuck in a terminating state), may improve performance (since the zfs driver is noticably slower than overlay on ext4 on a zvol), and will avoid a lot of noise in my zfs dataset lists
+
+ref: https://github.com/moby/moby/issues/40132
--- a/ansible/environments/colo/host_vars/mrmanager
+++ b/ansible/environments/colo/host_vars/mrmanager
@@ -1,8 +1,11 @@
 os_flavor: "freebsd"
 zfs_snapshot_datasets:
-  - zroot/freebsd/main/be
+  - path: zroot/freebsd/main/be
+  - path: zdata/vm
+  - path: zdata/vm/poudriere/disk0
+    include: false
+  - path: zdata/k8spersistent
 sshd_enabled: true
-loader_conf: "mrmanager_loader.conf"
 rc_conf: "mrmanager_rc.conf"
 network_rc: "mrmanager_network.conf"
 routing_rc: "mrmanager_routing.conf"
@@ -10,13 +13,16 @@ pf_config: "mrmanager_pf.conf"
 pflog_conf:
  - name: 0
    dev: pflog0
+  - name: 1
+    dev: pflog1
 cputype: "amd"
+hwpstate: true
 etc_hosts: {}
 wireguard_directory: mrmanager
 enabled_wireguard:
  - colo
 jail_zfs_dataset: zdata/jail
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
 jail_canmount: "on"
 jail_list:
  - name: nat_dhcp
@@ -35,3 +41,14 @@ bhyve_dataset: zdata/vm
 bhyve_canmount: "on"
 # efi_dev: /dev/gpt/EFI
 devfs_rules: "mrmanager_devfs.rules"
+users:
+  talexander:
+    initialize: true
+    uid: 11235
+    gid: 11235
+    groups:
+      - name: wheel
+    authorized_keys:
+      - yubikey
+      - main_fido
+      - backup_fido
--- a/ansible/environments/colo/hosts
+++ b/ansible/environments/colo/hosts
@@ -1,2 +1,3 @@
 [server]
-mrmanager ansible_user=talexander ansible_host=10.217.2.1
+#mrmanager ansible_user=talexander ansible_host=10.217.2.1 ansible_become_method=doas
+mrmanager ansible_user=talexander ansible_host=74.80.180.138 ansible_become_method=doas
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -1,8 +1,29 @@
 os_flavor: "freebsd"
 zfs_snapshot_datasets:
-  - zroot/freebsd/computer/be/default
+  - path: zroot/freebsd/computer/be
+  - path: zmass/encrypted/vm
+  - path: zmass/encrypted/data
+users:
+  talexander:
+    initialize: true
+    uid: 11235
+    gid: 11235
+    groups:
+      - name: wheel
+      - name: video
+      - name: u2f
+      - name: operator # To be able to shutdown without root
+      - name: webcamd
+        gid: 145
+    authorized_keys:
+      - yubikey
+      - main_fido
+      - backup_fido
+      - homeassistant
+    gitconfig: "gitconfig_home"
 sshd_enabled: true
 sshd_conf: "sshd_config"
+prefer_ipv6: true
 pf_config: "homeserver_pf.conf"
 pflog_conf:
  - name: 0
@@ -10,15 +31,11 @@ pflog_conf:
 network_rc: "homeserver_network.conf"
 rc_conf: "homeserver_rc.conf"
 loader_conf: "homeserver_loader.conf"
-netgraph_config: "setup_netgraph_homeserver"
 cputype: "intel"
-cpu_opt: broadwell
 hwpstate: false
-build_user:
-  name: talexander
-  group: talexander
+devfs_rules: "homeserver_devfs.rules"
 jail_zfs_dataset: zmass/encrypted/jails
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
 jail_canmount: "on"
 jail_bemount: "on"
 jail_list:
@@ -33,15 +50,27 @@ jail_list:
  - name: dagger
    conf:
      src: dagger
-  - name: mumble
+  - name: sftp
    conf:
-      src: mumble
-    persist:
-      - name: mumbledb
-        mount: /var/db/murmur
+      src: sftp
+    fstab: sftp_fstab
+  - name: bastion
+    conf:
+      src: bastion
+    fstab: fstab_bastion
+  - name: certificate
+    conf:
+      src: certificate
+  # - name: mumble
+  #   conf:
+  #     src: mumble
+  #   persist:
+  #     - name: mumbledb
+  #       mount: /var/db/murmur
 bhyve_dataset: zmass/encrypted/vm
-bhyve_list: []
-bhyve_canmount: "on"
+# Disable mounting bhyve dataset so it doesn't hide the unencrypted linfi vm
+bhyve_canmount: "off"
+bhyve_mountpoint: "none"
 bhyve_bemount: "on"
 wireguard_directory: homeserver
 enabled_wireguard:
--- a/ansible/environments/home/hosts
+++ b/ansible/environments/home/hosts
@@ -1,2 +1,3 @@
 [headless]
-homeserver ansible_user=talexander ansible_host=10.216.1.1
+#homeserver ansible_user=talexander ansible_host=homeserver
+homeserver ansible_user=talexander ansible_host=172.16.16.32
--- a/ansible/environments/jail/host_vars/bastion
+++ b/ansible/environments/jail/host_vars/bastion
@@ -0,0 +1 @@
+os_flavor: freebsd
--- a/ansible/environments/jail/host_vars/certificate
+++ b/ansible/environments/jail/host_vars/certificate
@@ -0,0 +1 @@
+os_flavor: freebsd
--- a/ansible/environments/jail/host_vars/sftp
+++ b/ansible/environments/jail/host_vars/sftp
@@ -0,0 +1,6 @@
+os_flavor: "freebsd"
+users:
+  nochainstounlock:
+    initialize: true
+    uid: 11235
+    gid: 11235
--- a/ansible/environments/jail/hosts
+++ b/ansible/environments/jail/hosts
@@ -1,7 +1,10 @@
 [jail]
 nat_dhcp ansible_connection=jail
-homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
+homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@homeserver ansible_connection=sshjail
 mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
 nat_dhcp@172.16.16.2 ansible_connection=sshjail
 admin_git ansible_ssh_host=admin_git@10.217.2.1 ansible_connection=sshjail
 public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
+sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
+bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail
+certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail
--- a/ansible/environments/laptop/group_vars/all
+++ b/ansible/environments/laptop/group_vars/all
@@ -1,2 +1,28 @@
 timezone: "America/New_York"
 install_bluetooth: true
+emacs_flavor: "full"
+ssh_hosts:
+  - name: poudriere
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.203
+  - name: controller0
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.204
+  - name: controller1
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.205
+  - name: controller2
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.206
+  - name: worker0
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.207
+  - name: worker1
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.208
+  - name: worker2
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.209
+  - name: brianai
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.215
--- a/ansible/environments/laptop/host_vars/odofreebsd
+++ b/ansible/environments/laptop/host_vars/odofreebsd
@@ -1,25 +1,25 @@
 os_flavor: "freebsd"
-custom_repo: 13amd64-default-framework
+custom_repo: "https://freebsdpkg.fizz.buzz/repo/currentznver4-default-framework"
+pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/currentznver4-repo/FreeBSD:15:amd64/latest"
 zfs_snapshot_datasets:
-  - zroot/freebsd/release/be/default
+  - path: zroot/freebsd/current/be/default
 sshd_enabled: true
 sshd_conf: "sshd_config"
 pf_config: "odofreebsd_pf.conf"
 pflog_conf:
-  - name: 0
-    dev: pflog0
+ - name: 0
+   dev: pflog0
+prefer_ipv6: true
+dummynet_config: "dnctl.conf"
 network_rc: "odofreebsd_network.conf"
 rc_conf: "odofreebsd_rc.conf"
 loader_conf: "odofreebsd_loader.conf"
 install_graphics: true
-graphics_driver: "intel"
-cputype: "intel"
-cpu_opt: tigerlake
+graphics_driver: "amd"
+cputype: "amd"
 hwpstate: true
-cores: 8
-build_user:
-  name: talexander
-  group: talexander
+cores: 16
+sound_system: "oss"
 users:
  talexander:
    initialize: true
@@ -31,6 +31,8 @@ users:
      - name: u2f
      - name: operator # To be able to shutdown without root
      - name: webcamd
+        gid: 145
+      - name: realtime
    authorized_keys:
      - yubikey
      - main_fido
@@ -38,16 +40,18 @@ users:
      - homeassistant
    gitconfig: "gitconfig_home"
 devfs_rules: "odo_devfs.rules"
-jail_zfs_dataset: zroot/freebsd/release/jails
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset: zroot/freebsd/current/jails
+jail_zfs_dataset_mountpoint: /jail
+jail_canmount: "on"
 jail_list:
  - name: nat_dhcp
    enabled: true
    conf:
      src: nat_dhcp
-bhyve_dataset: zroot/freebsd/release/vm
-bhyve_list: []
-efi_dev: /dev/gpt/EFI
+bhyve_dataset: zroot/freebsd/current/vm
+bhyve_bemount: off
+# efi_dev: /dev/gpt/EFI
+efi_dev: /dev/diskid/DISK-SJB7N717610407Q0Hp1
 sway_conf_files:
  - launch_gpg
 wireguard_directory: odo
@@ -55,3 +59,10 @@ enabled_wireguard:
  - wgh
  - drmario
  - colo
+linfi:
+  enabled: true
+  zfs_dataset: zroot/freebsd/current/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "if_iwm if_iwlwifi"
+  pci_blocklist: "1/0/0"
+  amd: true
--- a/ansible/environments/laptop/host_vars/odolinux
+++ b/ansible/environments/laptop/host_vars/odolinux
@@ -16,12 +16,13 @@ users:
      - backup_fido
      - homeassistant
    gitconfig: "gitconfig_home"
+periodic_scrub_pools: [zroot]
 zfs_snapshot_datasets:
  # - zroot/linux/archmain/home
-  - zroot/linux/archmain/be
-  - zroot/data/bridge/family_disks
+  - path: zroot/linux/archmain/be
+  - path: zroot/data/bridge/family_disks
 install_graphics: true
-graphics_driver: "intel"
+graphics_driver: "amd"
 build_user:
  name: talexander
  group: talexander
@@ -30,10 +31,9 @@ enabled_wireguard:
  - wgh
  - drmario
  - colo
-cputype: "intel"
+cputype: "amd"
 hwpstate: true
-cores: 8
+cores: 16
 sway_conf_files:
  - rofimoji
-docker_storage_driver: zfs # alternatively overlay2
-docker_zfs_dataset: zroot/linux/archmain/docker
+docker_storage_driver: overlay2 # alternatively zfs
--- a/ansible/environments/laptop/host_vars/odowork
+++ b/ansible/environments/laptop/host_vars/odowork
@@ -0,0 +1,37 @@
+os_flavor: "linux"
+hostname: odowork
+etc_hosts: {}
+users:
+  talexander:
+    initialize: true
+    uid: 11235
+    gid: 1000
+    groups:
+      - name: wheel
+      - name: users
+      - name: docker
+      - name: libvirt
+      - name: uucp
+    authorized_keys:
+      - yubikey
+      - main_fido
+      - backup_fido
+    gitconfig: "gitconfig_work"
+periodic_scrub_pools: [zroot]
+zfs_snapshot_datasets:
+  - path: zroot/linux/archwork/be
+install_graphics: true
+graphics_driver: "amd"
+pgp_key: "gpg_work.asc"
+build_user:
+  name: talexander
+  group: talexander
+# wireguard_directory: odowork
+# enabled_wireguard: []
+cputype: "amd"
+hwpstate: true
+cores: 16
+sway_conf_files:
+  - rofimoji
+docker_storage_driver: overlay2 # alternatively zfs
+closed_source_vscode: true
--- a/ansible/environments/laptop/hosts
+++ b/ansible/environments/laptop/hosts
@@ -1,3 +1,4 @@
 [gui]
 odolinux ansible_connection=local ansible_host=127.0.0.1
 odofreebsd ansible_connection=local ansible_host=127.0.0.1
+odowork ansible_connection=local ansible_host=127.0.0.1
--- a/ansible/environments/vm/host_vars/poudrieremrmanager
+++ b/ansible/environments/vm/host_vars/poudrieremrmanager
@@ -1,13 +1,30 @@
 os_flavor: "freebsd"
+sshd_enabled: true
+custom_repo: "file:///usr/local/poudriere/data/packages/currentznver4-default-framework"
+pkgbase_url: "file:///usr/local/poudriere/data/images/currentznver4-repo/FreeBSD:15:amd64/latest"
 poudriere_builds:
-  - jail: 13amd64
-    ports: default
-    set: framework
-    version: 13.2-RELEASE
-  # - jail: current
+  # - jail: 13amd64
  #   ports: default
  #   set: framework
-  #   version: CURRENT
-  #   revision: af01b4722577903f91acc44f01bdcb8cdb2d65ad
-  #   kernel: CUSTOM
-  #   branch: main
+  #   version: 13.2-RELEASE
+  - jail: currentznver4
+    ports: default
+    set: framework
+    version: CURRENT
+    # revision: 66d37dbedfbf2dc94ccf49e6983c3652d5909b91
+    kernel: CUSTOM
+    branch: main
+    srcconf: currentznver4_src.conf
+  # - jail: 14broadwell
+  #   ports: default
+  #   set: computer
+  #   version: 14.0-RELEASE
+  #   kernel: GENERIC
+  #   srcconf: 14broadwell_src.conf
+  - jail: 14broadwell
+    ports: default
+    set: computer
+    version: CURRENT
+    kernel: CUSTOM
+    branch: releng/14.1
+    srcconf: 14broadwell_src.conf
--- a/ansible/environments/vm/hosts
+++ b/ansible/environments/vm/hosts
@@ -6,4 +6,3 @@ poudrieremrmanager ansible_user=root ansible_host=poudriere
 #    Host poudriere
 #       ProxyJump talexander@mrmanager
 #       HostName 10.215.1.203
-#
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -20,12 +20,14 @@
    - build
    - sound
    - graphics
+    - power_management
    - gpg
    - fonts
    - alacritty
    - sway
    - emacs
    - firefox
+    - chromium
    - devfs
    - ssh_client
    - sshfs
@@ -41,14 +43,19 @@
    - ansible
    - wireguard
    - portshaker
-    - poudriere
    - android
    - latex
+    - python
    - pyenv
    - webcam
    - docker
    - vscode
    - javascript
+    - launch_keyboard
+    - lvfs
+    # - restaurant_health_rating
+    - wasm
+    - noise_suppression

 - hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp
  vars:
@@ -61,7 +68,12 @@
    ansible_become: True
  roles:
    - sudo # for poudboot script
+    - doas
    - fstab
+    - package_manager
+    - zsh
+    - termcap
+    - sshd
    - portshaker
    - poudriere
    - poudrierenginx
@@ -70,7 +82,7 @@
  vars:
    ansible_become: True
  roles:
-    - sudo
+    # - sudo
    - doas
    - users
    - package_manager
@@ -92,6 +104,7 @@
    - wireguard
    - emacs
    - mrmanager
+    - ndproxy

 - hosts: admin_git:public_dns
  vars:
@@ -109,3 +122,34 @@
    - doas
    - users
    - public_dns
+
+- hosts: odolinux:odofreebsd:odowork
+  vars:
+    ansible_become: True
+  roles:
+    - framework_laptop
+
+- hosts: odowork
+  vars:
+    ansible_become: True
+  roles:
+    - odowork
+
+- hosts: sftp
+  vars:
+    ansible_become: True
+  roles:
+    - users
+    - sftp
+
+- hosts: bastion
+  vars:
+    ansible_become: True
+  roles:
+    - jail_bastion
+
+- hosts: certificate
+  vars:
+    ansible_become: True
+  roles:
+    - jail_certificate
--- a/ansible/roles/alacritty/files/alacritty.toml
+++ b/ansible/roles/alacritty/files/alacritty.toml
@@ -0,0 +1,44 @@
+[colors]
+draw_bold_text_with_bright_colors = true
+indexed_colors = []
+
+[colors.bright]
+black = "0x666666"
+blue = "0x7aa6da"
+cyan = "0x54ced6"
+green = "0x9ec400"
+magenta = "0xb77ee0"
+red = "0xff3334"
+white = "0xffffff"
+yellow = "0xe7c547"
+
+[colors.normal]
+black = "0x000000"
+blue = "0x7aa6da"
+cyan = "0x70c0ba"
+green = "0xb9ca4a"
+magenta = "0xc397d8"
+red = "0xd54e53"
+white = "0xeaeaea"
+yellow = "0xe6c547"
+
+[colors.primary]
+background = "0x000000"
+foreground = "0xeaeaea"
+
+[font]
+size = 11.0
+
+[[hints.enabled]]
+command = "xdg-open"
+post_processing = true
+regex = "(ipfs:|ipns:|magnet:|mailto:|gemini:|gopher:|https:|http:|news:|file:|git:|ssh:|ftp:)[^\u0000-\u001F\u007F-<>\"\\s{-}\\^⟨⟩`]+"
+
+[hints.enabled.mouse]
+enabled = false
+mods = "None"
+
+[scrolling]
+history = 10000
+# Lines moved per scroll.
+multiplier = 3
--- a/ansible/roles/alacritty/files/alacritty.yml
+++ b/ansible/roles/alacritty/files/alacritty.yml
@@ -1,103 +0,0 @@
-# If `true`, bold text is drawn using the bright color variants.
-draw_bold_text_with_bright_colors: true
-
-colors:
-  # Default colors
-  primary:
-    background: "0x000000"
-    foreground: "0xeaeaea"
-
-    # Bright and dim foreground colors
-    #
-    # The dimmed foreground color is calculated automatically if it is not present.
-    # If the bright foreground color is not set, or `draw_bold_text_with_bright_colors`
-    # is `false`, the normal foreground color will be used.
-    #dim_foreground: '0x9a9a9a'
-    #bright_foreground: '0xffffff'
-
-  # Cursor colors
-  #
-  # Colors which should be used to draw the terminal cursor. If these are unset,
-  # the cursor color will be the inverse of the cell color.
-  #cursor:
-  #  text: '0x000000'
-  #  cursor: '0xffffff'
-
-  # Selection colors
-  #
-  # Colors which should be used to draw the selection area. If selection
-  # background is unset, selection color will be the inverse of the cell colors.
-  # If only text is unset the cell text color will remain the same.
-  #selection:
-  #  text: '0xeaeaea'
-  #  background: '0x404040'
-
-  # Normal colors
-  normal:
-    black: "0x000000"
-    red: "0xd54e53"
-    green: "0xb9ca4a"
-    yellow: "0xe6c547"
-    blue: "0x7aa6da"
-    magenta: "0xc397d8"
-    cyan: "0x70c0ba"
-    white: "0xeaeaea"
-
-  # Bright colors
-  bright:
-    black: "0x666666"
-    red: "0xff3334"
-    green: "0x9ec400"
-    yellow: "0xe7c547"
-    blue: "0x7aa6da"
-    magenta: "0xb77ee0"
-    cyan: "0x54ced6"
-    white: "0xffffff"
-
-  # Dim colors
-  #
-  # If the dim colors are not set, they will be calculated automatically based
-  # on the `normal` colors.
-  #dim:
-  #  black:   '0x000000'
-  #  red:     '0x8c3336'
-  #  green:   '0x7a8530'
-  #  yellow:  '0x97822e'
-  #  blue:    '0x506d8f'
-  #  magenta: '0x80638e'
-  #  cyan:    '0x497e7a'
-  #  white:   '0x9a9a9a'
-
-  # Indexed Colors
-  #
-  # The indexed colors include all colors from 16 to 256.
-  # When these are not set, they're filled with sensible defaults.
-  #
-  # Example:
-  #   `- { index: 16, color: '0xff00ff' }`
-  #
-  indexed_colors: []
-
-scrolling:
-  # Maximum number of lines in the scrollback buffer.
-  # Specifying '0' will disable scrolling.
-  history: 10000
-
-  # Number of lines the viewport will move for every line scrolled when
-  # scrollback is enabled (history > 0).
-  multiplier: 3
-
-font:
-  size: 11.0
-
-hints:
-  enabled:
-    # Disable opening links when clicked
-    - regex:
-        "(ipfs:|ipns:|magnet:|mailto:|gemini:|gopher:|https:|http:|news:|file:|git:|ssh:|ftp:)\
-        [^\u0000-\u001F\u007F-\u009F<>\"\\s{-}\\^⟨⟩`]+"
-      command: xdg-open
-      post_processing: true
-      mouse:
-        enabled: false
-        mods: None
--- a/ansible/roles/alacritty/tasks/peruser.yaml
+++ b/ansible/roles/alacritty/tasks/peruser.yaml
@@ -19,8 +19,8 @@
    owner: "{{ account_name.stdout }}"
    group: "{{ group_name.stdout }}"
  loop:
-    - src: alacritty.yml
-      dest: .config/alacritty/alacritty.yml
+    - src: alacritty.toml
+      dest: .config/alacritty/alacritty.toml

 - import_tasks: tasks/peruser_freebsd.yaml
  when: 'os_flavor == "freebsd"'
--- a/ansible/roles/android/tasks/linux.yaml
+++ b/ansible/roles/android/tasks/linux.yaml
@@ -13,10 +13,12 @@
 #     name: []
 #     state: present
 #     update_cache: true
-    
+
 - name: Install packages
  package:
    name:
      - gvfs
      - gvfs-mtp
+      - android-udev # Access android over USB without root.
+      - android-tools # For fastboot to flash phones.
    state: present
--- a/ansible/roles/ansible/tasks/freebsd.yaml
+++ b/ansible/roles/ansible/tasks/freebsd.yaml
@@ -1,6 +1,6 @@
 - name: Install packages
  package:
    name:
-      - py39-ansible
+      - py311-ansible
      - ansible-sshjail
    state: present
--- a/ansible/roles/autofs/files/auto_master
+++ b/ansible/roles/autofs/files/auto_master
@@ -1,4 +1,3 @@
-# $FreeBSD$
 #
 # Automounter master map, see auto_master(5) for details.
 #
--- a/ansible/roles/base/files/alacritty.termcap
+++ b/ansible/roles/base/files/alacritty.termcap
@@ -1,24 +0,0 @@
-#	Reconstructed via infocmp from file: /usr/share/terminfo/a/alacritty
-# (untranslatable capabilities removed to fit entry within 1023 bytes)
-# (sgr removed to fit entry within 1023 bytes)
-# (acsc removed to fit entry within 1023 bytes)
-# (terminfo-only capabilities suppressed to fit entry within 1023 bytes)
-alacritty|alacritty terminal emulator:\
-	:am:bs:hs:mi:ms:xn:\
-	:co#80:it#8:li#24:\
-	:AL=\E[%dL:DC=\E[%dP:DL=\E[%dM:DO=\E[%dB:IC=\E[%d@:\
-	:K2=\EOE:LE=\E[%dD:RI=\E[%dC:SF=\E[%dS:SR=\E[%dT:\
-	:UP=\E[%dA:ae=\E(B:al=\E[L:as=\E(0:bl=^G:bt=\E[Z:cd=\E[J:\
-	:ce=\E[K:cl=\E[H\E[2J:cm=\E[%i%d;%dH:cr=\r:\
-	:cs=\E[%i%d;%dr:ct=\E[3g:dc=\E[P:dl=\E[M:do=\n:\
-	:ds=\E]2;\007:ec=\E[%dX:ei=\E[4l:fs=^G:ho=\E[H:im=\E[4h:\
-	:is=\E[!p\E[?3;4l\E[4l\E>:k1=\EOP:k2=\EOQ:k3=\EOR:\
-	:k4=\EOS:k5=\E[15~:k6=\E[17~:k7=\E[18~:k8=\E[19~:\
-	:k9=\E[20~:kD=\E[3~:kI=\E[2~:kN=\E[6~:kP=\E[5~:kb=\177:\
-	:kd=\EOB:ke=\E[?1l\E>:kh=\EOH:kl=\EOD:kr=\EOC:\
-	:ks=\E[?1h\E=:ku=\EOA:le=^H:mb=\E[5m:md=\E[1m:me=\E[0m:\
-	:mh=\E[2m:mm=\E[?1034h:mo=\E[?1034l:mr=\E[7m:nd=\E[C:\
-	:rc=\E8:sc=\E7:se=\E[27m:sf=\n:so=\E[7m:sr=\EM:st=\EH:ta=^I:\
-	:te=\E[?1049l\E[23;0;0t:ti=\E[?1049h\E[22;0;0t:\
-	:ts=\E]2;:ue=\E[24m:up=\E[A:us=\E[4m:vb=\E[?5h\E[?5l:\
-	:ve=\E[?12l\E[?25h:vi=\E[?25l:vs=\E[?12;25h:
--- a/ansible/roles/base/files/bbr_loader.conf
+++ b/ansible/roles/base/files/bbr_loader.conf
@@ -0,0 +1 @@
+tcp_bbr_load="YES"
--- a/ansible/roles/base/files/cleartmp_rc.conf
+++ b/ansible/roles/base/files/cleartmp_rc.conf
@@ -0,0 +1 @@
+clear_tmp_enable="YES"
--- a/ansible/roles/base/files/decode_jwt.bash
+++ b/ansible/roles/base/files/decode_jwt.bash
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Decode the contents of a JWT
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec jq -R 'split(".") | .[0],.[1] | gsub("-"; "+") | gsub("_"; "/") | gsub("%3D"; "=")| @base64d | fromjson'
--- a/ansible/roles/base/files/disk_labels_loader.conf
+++ b/ansible/roles/base/files/disk_labels_loader.conf
@@ -1,8 +1,12 @@
-# Disabling both of these will make /dev/gpt/* populated
+# Populates the /dev/diskid
+kern.geom.label.disk_ident.enable="1"
+
+
+
+# Populates /dev/gpt but only if kern.geom.label.disk_ident.enable is disabled.
 #
 # This uses gpt partition labels which you can set with:
 #
 #     gpart modify -l EFI -i 1 nvd0

-# kern.geom.label.disk_ident.enable="0"
 # kern.geom.label.gptid.enable="1"
--- a/ansible/roles/base/files/git_fix_author.bash
+++ b/ansible/roles/base/files/git_fix_author.bash
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+git filter-branch --env-filter '
+WRONG_EMAIL="old@email.foo"
+NEW_NAME="New Name"
+NEW_EMAIL="new@email.buzz"
+
+if [ "$GIT_COMMITTER_EMAIL" = "$WRONG_EMAIL" ]
+then
+    export GIT_COMMITTER_NAME="$NEW_NAME"
+    export GIT_COMMITTER_EMAIL="$NEW_EMAIL"
+fi
+if [ "$GIT_AUTHOR_EMAIL" = "$WRONG_EMAIL" ]
+then
+    export GIT_AUTHOR_NAME="$NEW_NAME"
+    export GIT_AUTHOR_EMAIL="$NEW_EMAIL"
+fi
+' --tag-name-filter cat --commit-filter 'git commit-tree -S "$@";' -- --branches --tags
--- a/ansible/roles/base/files/gitconfig_home
+++ b/ansible/roles/base/files/gitconfig_home
@@ -1,19 +1,54 @@
 [user]
 	email = tom@fizz.buzz
 	name = Tom Alexander
-	signingkey = D3A179C9A53C0EDE
+	signingkey = 36C99E8B3C39D85F
 [push]
-	default = simple
+	default = simple # (default since 2.0)
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
+	amend = commit --amend --no-edit
+        authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
+	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
-	defaultBranch = master
+	defaultBranch = main
+[diff]
+	tool = meld # Use meld for `git difftool` and `git mergetool`
+	algorithm = histogram
+	colorMoved = plain
+	mnemonicPrefix = true
+	renames = true
+[difftool]
+	prompt = false
+[difftool "meld"]
+	cmd = meld "$LOCAL" "$REMOTE"
+[merge]
+	tool = meld
+	conflictStyle = zdiff3
+[mergetool "meld"]
+        # Make the middle pane start with partially-merged contents:
+	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
+        # Make the middle pane start without any merge progress:
+	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
+[column]
+	ui = auto
+[branch]
+	sort = -committerdate
+[tag]
+	sort = version:refname
+[fetch]
+	prune = true
+	pruneTags = true
+	all = true
+[rebase]
+	autoSquash = true
+	autoStash = true
+	updateRefs = false
--- a/ansible/roles/base/files/gitconfig_work
+++ b/ansible/roles/base/files/gitconfig_work
@@ -0,0 +1,58 @@
+[user]
+	email = ThomasA.Alexander@hmhn.org
+	name = Tom Alexander
+	signingkey = 36C99E8B3C39D85F
+[push]
+	default = simple # (default since 2.0)
+[alias]
+	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
+	bh = log --oneline --branches=* --remotes=* --graph --decorate
+	amend = commit --amend --no-edit
+        authorcount = shortlog --summary --numbered --all --no-merges
+[core]
+	excludesfile = ~/.gitignore_global
+[commit]
+	gpgsign = true
+	verbose = true
+[pull]
+	rebase = true
+[log]
+	date = local
+[init]
+	defaultBranch = main
+[diff]
+	tool = meld # Use meld for `git difftool` and `git mergetool`
+	algorithm = histogram
+	colorMoved = plain
+	mnemonicPrefix = true
+	renames = true
+[difftool]
+	prompt = false
+[difftool "meld"]
+	cmd = meld "$LOCAL" "$REMOTE"
+[merge]
+	tool = meld
+	conflictStyle = zdiff3
+[mergetool "meld"]
+        # Make the middle pane start with partially-merged contents:
+	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
+        # Make the middle pane start without any merge progress:
+	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
+[includeIf "gitdir:/bridge/"]
+	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
+[includeIf "gitdir:/persist/"]
+	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
+[column]
+	ui = auto
+[branch]
+	sort = -committerdate
+[tag]
+	sort = version:refname
+[fetch]
+	prune = true
+	pruneTags = true
+	all = true
+[rebase]
+	autoSquash = true
+	autoStash = true
+	updateRefs = false
--- a/ansible/roles/base/files/gitignore_global
+++ b/ansible/roles/base/files/gitignore_global
@@ -1,2 +1,8 @@
 .idea
 .python-version
+
+# Emacs per-directory settings
+.dir-locals.el
+
+# C/C++ Language Server compile commands
+compile_commands.json
--- a/ansible/roles/base/files/homeserver_loader.conf
+++ b/ansible/roles/base/files/homeserver_loader.conf
@@ -1,5 +1,4 @@
 security.bsd.allow_destructive_dtrace=0
-kern.geom.label.disk_ident.enable="0"
-kern.geom.label.gptid.enable="0"
 cryptodev_load="YES"
 zfs_load="YES"
+devmatch_blocklist="if_iwm"
--- a/ansible/roles/base/files/homeserver_rc.conf
+++ b/ansible/roles/base/files/homeserver_rc.conf
@@ -2,8 +2,7 @@ clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="computer"
-local_unbound_enable="NO"
-sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
 zfs_enable="YES"
+kld_list="${kld_list} if_iwlwifi"
--- a/ansible/roles/base/files/login.conf
+++ b/ansible/roles/base/files/login.conf
@@ -7,7 +7,6 @@
 # This file controls resource limits, accounting limits and
 # default user environment settings.
 #
-# $FreeBSD$
 #

 # Default settings effectively disable resource limits, see the
@@ -45,8 +44,8 @@ default:\
 	:pseudoterminals=unlimited:\
 	:kqueues=unlimited:\
 	:umtxp=unlimited:\
+	:pipebuf=unlimited:\
 	:priority=0:\
-	:ignoretime@:\
 	:umask=022:\
 	:charset=UTF-8:\
 	:lang=en_US.UTF-8:
@@ -149,7 +148,6 @@ russian|Russian Users Accounts:\
 #	:requirehome:\
 #	:passwordtime=90d:\
 #	:umask=002:\
-#	:ignoretime@:\
 #	:tc=default:
 #
 #
@@ -174,7 +172,6 @@ russian|Russian Users Accounts:\
 ##
 #staff:\
 #	:ignorenologin:\
-#	:ignoretime:\
 #	:requirehome@:\
 #	:accounted@:\
 #	:path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
@@ -265,7 +262,6 @@ russian|Russian Users Accounts:\
 ## - no time accounting, restricted to access via dialin lines
 ##
 #site:\
-#	:ignoretime:\
 #	:passwordtime@:\
 #	:refreshtime@:\
 #	:refreshperiod@:\
--- a/ansible/roles/base/files/odofreebsd_loader.conf
+++ b/ansible/roles/base/files/odofreebsd_loader.conf
@@ -1,6 +1,3 @@
 security.bsd.allow_destructive_dtrace=0
-kern.geom.label.disk_ident.enable="0"
-kern.geom.label.gptid.enable="0"
 cryptodev_load="YES"
 zfs_load="YES"
-
--- a/ansible/roles/base/files/odofreebsd_rc.conf
+++ b/ansible/roles/base/files/odofreebsd_rc.conf
@@ -1,8 +1,6 @@
-clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="odo"
-sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
 zfs_enable="YES"
--- a/ansible/roles/base/files/tmux.conf
+++ b/ansible/roles/base/files/tmux.conf
@@ -1,4 +1,4 @@
-set-option -g mouse on
+# set-option -g mouse on
 set-option -g history-limit 20000
 # set -g @plugin 'tmux-plugins/tmux-yank'
 # Emacs style
--- a/ansible/roles/base/files/watch_freebsd
+++ b/ansible/roles/base/files/watch_freebsd
@@ -10,7 +10,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 function cleanup {
    switch_to_main_screen
 }
-for sig in EXIT INT QUIT HUP TERM; do
+for sig in EXIT; do
  trap "set +e; cleanup; exit" "$sig"
 done

--- a/ansible/roles/base/files/mrmanager_loader.conf
+++ b/ansible/roles/base/files/mrmanager_loader.conf
--- a/ansible/roles/base/meta/main.yaml
+++ b/ansible/roles/base/meta/main.yaml
@@ -1,2 +1,3 @@
 dependencies:
  - fstab
+  # - termcap
--- a/ansible/roles/base/tasks/common.yaml
+++ b/ansible/roles/base/tasks/common.yaml
@@ -16,20 +16,19 @@
      - wget
      - colordiff
      - ipcalc
-      - kdiff3
      - tcpdump
      - moreutils # for ts [%Y-%m-%d %H:%M:%.S]
      - ddrescue
+      - dmidecode
    state: present

- name: Set timezone
-  file:
-    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
-    dest: /etc/localtime
-    owner: root
-    # TODO: Arch Linux is changing the group to root instead of wheel. Maybe make this a variable?
-    group: wheel
-    state: link
+- name: Install packages
+  when: install_graphics
+  package:
+    name:
+      - kdiff3
+      - meld
+    state: present

 - name: Install scripts
  copy:
@@ -47,6 +46,10 @@
      dest: /usr/local/bin/git_find_merged_branches
    - src: cleanup_temporary_files
      dest: /usr/local/bin/cleanup_temporary_files
+    - src: git_fix_author.bash
+      dest: /usr/local/bin/git_fix_author
+    - src: decode_jwt.bash
+      dest: /usr/local/bin/decode_jwt

 - import_tasks: tasks/freebsd.yaml
  when: 'os_flavor == "freebsd"'
--- a/ansible/roles/base/tasks/freebsd.yaml
+++ b/ansible/roles/base/tasks/freebsd.yaml
@@ -1,3 +1,11 @@
+- name: Set timezone
+  file:
+    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
+    dest: /etc/localtime
+    owner: root
+    group: wheel
+    state: link
+
 - name: Install packages
  package:
    name:
@@ -5,29 +13,18 @@
      - gsed
      - gmake
      - rust-coreutils
+      - shuf
    state: present

- name: See if the alacritty termcap has been added
-  lineinfile:
-    name: /usr/share/misc/termcap
-    regexp: |-
-      ^alacritty\|
-    state: absent
-  check_mode: yes
-  changed_when: false
-  register: alacritty_cap
-
- name: Append alacritty termcap info
-  blockinfile:
-    path: /usr/share/misc/termcap
-    block: "{{ lookup('file', 'alacritty.termcap') }}"
-    marker: "# {mark} ANSIBLE MANAGED BLOCK alacritty"
-  when: not alacritty_cap.found
-  register: wrote_alacritty_cap
-
- name: Update cap_mkdb
-  command: cap_mkdb /usr/share/misc/termcap
-  when: wrote_alacritty_cap.changed
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - cleartmp

 - name: Install login.conf
  copy:
@@ -42,18 +39,6 @@
  command: cap_mkdb /etc/login.conf
  when: login_config.changed

- name: Enable periodic scrub
-  community.general.sysrc:
-    name: daily_scrub_zfs_enable
-    value: "YES"
-    path: /etc/periodic.conf.local
-
- name: Set scrub interval
-  community.general.sysrc:
-    name: daily_scrub_zfs_default_threshold
-    value: "7"
-    path: /etc/periodic.conf.local
-
 - name: Install loader.conf
  copy:
    src: "{{loader_conf}}"
@@ -92,27 +77,27 @@
    owner: root
    group: wheel
  loop:
-    - src: bemount.bash
-      dest: /usr/local/bin/bemount
+    # - src: bemount.bash
+    #   dest: /usr/local/bin/bemount
    - src: watch_freebsd
      dest: /usr/local/bin/ww

- name: Install rc script
-  copy:
-    src: "files/{{ item.src }}"
-    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
-    owner: root
-    group: wheel
-    mode: 0755
-  loop:
-    - src: bemount_rc.sh
-      dest: bemount
+# - name: Install rc script
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+#     owner: root
+#     group: wheel
+#     mode: 0755
+#   loop:
+#     - src: bemount_rc.sh
+#       dest: bemount

- name: Enable bemount
-  community.general.sysrc:
-    name: bemount_enable
-    value: "YES"
-    path: /etc/rc.conf.d/bemount
+# - name: Enable bemount
+#   community.general.sysrc:
+#     name: bemount_enable
+#     value: "YES"
+#     path: /etc/rc.conf.d/bemount

 - name: Install loader.conf
  copy:
@@ -122,4 +107,67 @@
    owner: root
    group: wheel
  loop:
+    - zfs
    - disk_labels
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: false
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    # Adjust ttl
+    - name: net.inet.ip.ttl
+      value: 65
+    - name: net.inet6.ip6.hlim
+      value: 65
+
+- name: Log periodic output instead of getting it as mail
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK log"
+    create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_output=/var/log/daily.log
+      weekly_output=/var/log/weekly.log
+      monthly_output=/var/log/monthly.log
+
+- name: Enable periodic zfs scrub
+  when: install_zfs
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK zfs"
+    create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_scrub_zfs_enable="YES"
+      daily_scrub_zfs_default_threshold="14"
+
+# Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
+- name: Install loader.conf
+  copy:
+    src: "files/{{ item }}_loader.conf"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - bbr
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: false
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    - name: net.inet.tcp.functions_default
+      value: "bbr"
--- a/ansible/roles/base/tasks/linux.yaml
+++ b/ansible/roles/base/tasks/linux.yaml
@@ -1,3 +1,11 @@
+- name: Set timezone
+  file:
+    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
+    dest: /etc/localtime
+    owner: root
+    group: root
+    state: link
+
 - name: Install packages
  package:
    name:
@@ -7,6 +15,9 @@
      - bind # dig
      - man-db
      - uutils-coreutils
+      - usbutils # for lsusb
+      - bolt
+      - whois
    state: present

 - name: Start pkgfile update service
@@ -16,17 +27,6 @@
    daemon_reload: yes
    enabled: yes

-# Of questionable value since I don't use swap on my machines
- name: Configure sysctls for swap
-  sysctl:
-    name: "{{ item.name }}"
-    value: "{{ item.value }}"
-    state: present
-    sysctl_file: /etc/sysctl.d/swap.conf
-  loop:
-    - name: vm.swappiness
-      value: 10
-
 - name: Install scripts
  copy:
    src: "files/{{ item.src }}"
@@ -39,3 +39,41 @@
      dest: /usr/local/bin/mount_disk_image
    - src: watch_linux
      dest: /usr/local/bin/ww
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    sysctl_file: /etc/sysctl.d/{{ item.file }}
+  loop:
+    # Of questionable value since I don't use swap on my machines
+    - name: vm.swappiness
+      value: 10
+      file: swap.conf
+    # Enable TCP packetization-layer PMTUD when an ICMP black hole is detected.
+    - name: net.ipv4.tcp_mtu_probing
+      value: 1
+      file: tcp.conf
+    # Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
+    - name: net.ipv4.tcp_congestion_control
+      value: bbr
+      file: tcp.conf
+    # Don't do a slow start after a connection has been idle for a single RTO.
+    - name: net.ipv4.tcp_slow_start_after_idle
+      value: 0
+      file: tcp.conf
+    # 3x time to accumulate filesystem changes before flushing to disk.
+    - name: vm.dirty_writeback_centisecs
+      value: 1500
+      file: power.conf
+    # Adjust ttl
+    - name: net.ipv4.ip_default_ttl
+      value: 65
+      file: ttl.conf
+    - name: net.ipv6.conf.all.hop_limit
+      value: 65
+      file: ttl.conf
+    - name: net.ipv6.conf.default.hop_limit
+      value: 65
+      file: ttl.conf
--- a/ansible/roles/bhyve/defaults/main.yaml
+++ b/ansible/roles/bhyve/defaults/main.yaml
@@ -1,2 +1 @@
 bhyve_mountpoint: "/vm"
-bhyve_list: []
--- a/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash
+++ b/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash
@@ -30,6 +30,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
 : ${VNC_ENABLE:="NO"}
 : ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}

 if [ "$VERBOSE" = "YES" ]; then
    set -x
@@ -39,14 +41,14 @@ fi

 function cleanup {
    for vm in "${vms[@]}"; do
-        log "Destroying bhyve vm $f"
+        log "Destroying bhyve vm $vm"
        bhyvectl "--vm=$vm" --destroy
-        log "Destroyed bhyve vm $f"
+        log "Destroyed bhyve vm $vm"
    done
 }
 vms=()
-for sig in EXIT INT QUIT HUP TERM; do
-  trap "set +e; cleanup" "$sig"
+for sig in EXIT; do
+  trap "set +e; sleep 10; cleanup" "$sig"
 done

 function die {
@@ -74,13 +76,6 @@ function main {
    fi
 }

-function die {
-    local status_code="$1"
-    shift
-    (>&2 echo "${@}")
-    exit "$status_code"
-}
-
 function create_disk {
    local zfs_path="$1"
    local mount_path="$2"
@@ -112,7 +107,8 @@ function start_vm {
    local bridge_name="$BRIDGE_NAME"
    local ip_range="$IP_RANGE" # for raw this value does not matter

-    local mac_address=$(calculate_mac_address "$name")
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")

    local additional_args=()

@@ -144,10 +140,10 @@ function start_vm {

    # TODO: Look into using nmdm instead of stdio for serial console
    if [ -n "$mount_cd" ]; then
-        additional_args+=("-s" "3,ahci-cd,$mount_cd")
+        additional_args+=("-s" "5,ahci-cd,$mount_cd")
    fi
    if [ "$VNC_ENABLE" = "YES" ]; then
-        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=1920,h=1080")
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
    fi
    vms+=("$name")
    while true; do
@@ -157,7 +153,10 @@ function start_vm {
            -D \
            -c $CPU_CORES \
            -m $MEMORY \
+            -S \
            -H \
+            -P \
+            -o 'rtc.use_localtime=false' \
            -s 0,hostbridge \
            -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
            -s 30,xhci,tablet \
@@ -170,6 +169,7 @@ function start_vm {
        set +x
        if [ $exit_code -eq 0 ]; then
            echo "Rebooting."
+            sleep 5
        elif [ $exit_code -eq 1 ]; then
            echo "Powered off."
            break
@@ -217,7 +217,7 @@ EOF
 mkpeer ${host_interface_name}: bridge ether link0
 name ${host_interface_name}:ether $bridge_name
 EOF
-        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" "$ip_range" up
+        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
    fi
 }

@@ -251,7 +251,8 @@ function ng_exists {

 function calculate_mac_address {
    local name="$1"
-    local source=$(md5 -r -s "$name" | awk '{print $1}')
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
 }

--- a/ansible/roles/bhyve/files/bhyverc.bash
+++ b/ansible/roles/bhyve/files/bhyverc.bash
@@ -0,0 +1,478 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Share a host directory to the guest via 9pfs.
+#
+# Inside the VM run:
+#   mount -t virtfs -o trans=virtio sharename /some/vm/path
+#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
+#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 bind9p /path/to/mountpoint
+# bhyve_options="-s 28,virtio-9p,sharename=/"
+
+# Enable Sound
+# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
+
+# Example usage:
+#
+#   doas bhyverc create-disk zdata/vm/poudriere /vm/poudriere 10
+#   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
+#   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere
+
+
+: ${VERBOSE:="NO"} # or YES
+if [ "$VERBOSE" = "YES" ]; then
+    set -x
+fi
+
+: ${CPU_CORES:="1"}
+: ${MEMORY:="1G"}
+: ${NETWORK:="NAT"} # or RAW or BOTH
+: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
+: ${INTERFACE_NAME:="jail_nat"} # or the external interface like lagg0 for RAW networks
+: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
+: ${VNC_ENABLE:="NO"}
+: ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
+: ${BIND9P:=""}
+: ${PREVENT_OOM:="NO"}
+: "${CD:=}"
+
+: ${SHUTDOWN_TIMEOUT:="600"} # 10 minutes
+
+
+
+############## Setup #########################
+
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
+
+function main {
+    local cmd
+    cmd=$1
+    shift
+    if [ "$cmd" = "start" ]; then
+        init
+        start "${@}"
+    elif [ "$cmd" = "stop" ]; then
+        init
+        stop "${@}"
+    elif [ "$cmd" = "status" ]; then
+        init
+        status "${@}"
+    elif [ "$cmd" = "console" ]; then
+        init
+        console "${@}"
+    elif [ "$cmd" = "_start_body" ]; then
+        init
+        start_body "${@}"
+    elif [ "$cmd" = "create-disk" ]; then
+        create_disk "${@}"
+    else
+        (>&2 echo "Unknown command: $cmd")
+        exit 1
+    fi
+}
+
+function start {
+    local num_vms="$#"
+    if [ "$num_vms" -eq 0 ]; then
+        log "No VMs specified."
+        return 0
+    fi
+
+    while [ "$#" -gt 0 ]; do
+        local name="$1"
+        shift 1
+        log "Starting VM $name."
+        start_one "$name"
+        [ "$#" -eq 0 ] || sleep 5
+    done
+}
+
+function start_one {
+    local name="$1"
+    local tmux_name="$name"
+    /usr/local/bin/tmux new-session -d -s "$tmux_name" "$0" "_start_body" "$name"
+    # /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=NO VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_opnsense.bash"
+}
+
+function launch_pidfile {
+    local pidfile="$1"
+    shift 1
+    mkdir -p "$(dirname "$pidfile")"
+    cat > "${pidfile}" <<< "$$"
+    set -x
+    exec "${@}"
+}
+export -f launch_pidfile
+
+function stop {
+    local num_vms="$#"
+    if [ "$num_vms" -eq 0 ]; then
+        log "No VMs specified."
+        return 0
+    fi
+
+    while [ "$#" -gt 0 ]; do
+        local name="$1"
+        shift 1
+        log "Stopping VM $name."
+        stop_one "$name"
+        [ "$#" -eq 0 ] || sleep 5
+    done
+}
+
+function stop_one {
+    local name="$1"
+    local pidfile="/run/bhyverc/${name}/pid"
+
+    if [ ! -e "$pidfile" ]; then
+        log "Pid file $pidfile does not exist."
+        return 0
+    fi
+
+    local bhyve_pid
+    bhyve_pid=$(cat "$pidfile")
+
+    if ps -p "$bhyve_pid" >/dev/null; then
+        # Send ACPI shutdown command
+        log "Sending ACPI shutdown to ${name}:${bhyve_pid}."
+        kill -SIGTERM "$bhyve_pid"
+    fi
+
+    local timeout_start timeout_end
+    timeout_start=$(date +%s)
+    while ps -p "$bhyve_pid" >/dev/null; do
+        timeout_end=$(date +%s)
+        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
+            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to shut down. Hard powering down."
+            break
+        fi
+
+        log "Waiting for ${name}:${bhyve_pid} to exit."
+        sleep 2
+    done
+
+    bhyvectl "--vm=$name" --destroy || true
+
+    local timeout_start timeout_end
+    timeout_start=$(date +%s)
+    while ps -p "$bhyve_pid" >/dev/null; do
+        timeout_end=$(date +%s)
+        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
+            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to hard power down. Giving up."
+            break
+        fi
+
+        log "Waiting for ${name}:${bhyve_pid} to hard power down."
+        sleep 2
+    done
+
+    rm -f "$pidfile"
+
+    log "Finished stopping $name."
+}
+
+function status {
+    local num_vms="$#"
+
+    if [ "$num_vms" -gt 0 ]; then
+        for name in "$@"; do
+            status_one "$name"
+        done
+    else
+        log "No VMs specified."
+    fi
+}
+
+function status_one {
+    local name="$1"
+    local pidfile="/run/bhyverc/${name}/pid"
+
+    if [ ! -e "$pidfile" ]; then
+        log "$name is not running."
+        return 0
+    fi
+
+    local bhyve_pid
+    bhyve_pid=$(cat "$pidfile")
+
+    if ! ps -p "$bhyve_pid" >/dev/null; then
+        log "$name is not running."
+        return 0
+    fi
+
+    log "$name is running as pid $bhyve_pid."
+}
+
+function console {
+    local num_vms="$#"
+
+    if [ "$num_vms" -gt 0 ]; then
+        for name in "$@"; do
+            log "Attaching to console of VM $name."
+            console_one "$name"
+        done
+    else
+        log "No VMs specified."
+    fi
+}
+
+function console_one {
+    local name="$1"
+    local tmux_name="$name"
+    exec tmux a -t "$tmux_name"
+}
+
+function init {
+    mkdir -p /run/bhyverc
+}
+
+############## Bhyve ###########################
+
+function create_disk {
+    local zfs_path="$1"
+    local mount_path="$2"
+    local gigabytes="$3"
+    zfs create -o "mountpoint=$mount_path" "$zfs_path"
+    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
+    tee "${mount_path}/settings" <<EOF
+CPU_CORES="$CPU_CORES"
+MEMORY="$MEMORY"
+NETWORK="$NETWORK"
+IP_RANGE="$IP_RANGE"
+BRIDGE_NAME="$BRIDGE_NAME"
+INTERFACE_NAME="$INTERFACE_NAME"
+EOF
+    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none "$zfs_path/disk0"
+}
+
+function start_body {
+    local name="$1"
+    local zfs_path="zdata/vm/$name"
+    local mount_path="/vm/$name"
+
+    if [ -e "${mount_path}/settings" ]; then
+        source "${mount_path}/settings"
+    fi
+
+    local mount_cd="$CD"
+
+    local host_interface_name="$INTERFACE_NAME" # for raw, external interface
+    local bridge_name="$BRIDGE_NAME"
+    local ip_range="$IP_RANGE" # for raw this value does not matter
+
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")
+
+    if [ "$PREVENT_OOM" = "YES" ]; then
+        protect -d -i -p "$$"
+    fi
+
+    local entry parsed_item
+    local additional_args=()
+    local next_pcie_slot=10
+
+    if [ "$NETWORK" = "NAT" ]; then
+        assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+    elif [ "$NETWORK" = "RAW" ]; then
+        assert_raw "$host_interface_name" "$bridge_name"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+    elif [ "$NETWORK" = "BOTH" ]; then
+        assert_bridge "jail_nat" "$bridge_name" "$ip_range"
+        assert_raw "$host_interface_name" "bridge_raw"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        local raw_bridge_link_name=$(detect_available_link "bridge_raw")
+        local raw_mac_address=$(calculate_mac_address "${name}_raw")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+        additional_args+=("-s" "3:0,virtio-net,netgraph,path=bridge_raw:,peerhook=${raw_bridge_link_name},mac=${raw_mac_address}")
+    else
+        die 1 "Unrecognized NETWORK type $NETWORK"
+    fi
+
+    if [ -n "$BIND9P" ]; then
+        if [[ "$BIND9P" = *":"* ]]; then
+            IFS=':' read -ra entry <<<"$BIND9P"
+            for item in "${entry[@]}"; do
+                IFS='=' read -ra parsed_item <<<"$item"
+                additional_args+=("-s" "${next_pcie_slot},virtio-9p,${parsed_item[0]}=${parsed_item[1]}")
+                next_pcie_slot=$((next_pcie_slot+1))
+            done
+        else
+            additional_args+=("-s" "${next_pcie_slot},virtio-9p,bind9p=${BIND9P}")
+            next_pcie_slot=$((next_pcie_slot+1))
+        fi
+    fi
+
+
+    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
+         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
+             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
+            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
+
+    # TODO: Look into using nmdm instead of stdio for serial console
+    if [ -n "$mount_cd" ]; then
+        additional_args+=("-s" "5,ahci-cd,$mount_cd")
+    fi
+    if [ "$VNC_ENABLE" = "YES" ]; then
+        additional_args+=("-s" "${next_pcie_slot},fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
+        next_pcie_slot=$((next_pcie_slot+1))
+    fi
+    vms+=("$name")
+    while true; do
+        local pidfile="/run/bhyverc/${name}/pid"
+        trap "set +e; stop_one '${name}'" EXIT
+
+        local launch_cmd=()
+        launch_cmd+=(
+            launch_pidfile "$pidfile"
+            bhyve
+            -D
+            -c "$CPU_CORES"
+            -m "$MEMORY"
+            -S
+            -H
+            -o 'rtc.use_localtime=false'
+            -s "0,hostbridge"
+            -s "4,nvme,/dev/zvol/${zfs_path}/disk0"
+            -s "${next_pcie_slot},xhci,tablet"
+            -s "$((next_pcie_slot+1)),lpc" -l "com1,stdio"
+            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd"
+            "${additional_args[@]}"
+            "$name"
+        )
+        set +e
+        rm -f "$pidfile"
+        (
+            IFS=$' \n\t'
+            set -ex
+            bash -c "${launch_cmd[*]}"
+        )
+        local exit_code=$?
+        log "Exit code ${exit_code}"
+        set -e
+        if [ $exit_code -eq 0 ]; then
+            echo "Rebooting."
+            sleep 5
+        elif [ $exit_code -eq 1 ]; then
+            echo "Powered off."
+            break
+        elif [ $exit_code -eq 2 ]; then
+            echo "Halted."
+            break
+        elif [ $exit_code -eq 3 ]; then
+            echo "Triple fault."
+            break
+        elif [ $exit_code -eq 4 ]; then
+            echo "Exited due to an error."
+            break
+        fi
+    done
+}
+
+function detect_available_link {
+    local bridge_name="$1"
+    local linknum=1
+    while true; do
+        local link_name="link${linknum}"
+        if ! ng_exists "${bridge_name}:${link_name}"; then
+            echo "$link_name"
+            return
+        fi
+        linknum=$((linknum + 1))
+        if [ "$linknum" -gt 90 ]; then
+            (>&2 echo "No available links on bridge $bridge_name")
+            exit 1
+        fi
+    done
+}
+
+function assert_bridge {
+    local host_interface_name="$1"
+    local bridge_name="$2"
+    local ip_range="$3"
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook $host_interface_name
+EOF
+        ngctl -d -f - <<EOF
+mkpeer ${host_interface_name}: bridge ether link0
+name ${host_interface_name}:ether $bridge_name
+EOF
+        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
+    fi
+}
+
+function assert_raw {
+    local extif="$1"
+    local bridge_name="$2"
+
+    kldload -n ng_bridge ng_eiface ng_ether
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctlcat <<EOF
+# Create a bridge.
+mkpeer $extif: bridge lower link0
+# Assign a name to the bridge.
+name $extif:lower ${bridge_name}
+# Since the host is also using $extif, we need to connect the upper hook also. Otherwise we will lose connectivity.
+connect $extif: ${bridge_name}: upper link1
+
+# Enable promiscuous mode so the host ethernet adapter accepts packets for all addresses
+msg $extif: setpromisc 1
+
+# Do not overwrite source address on packets
+msg $extif: setautosrc 0
+EOF
+    fi
+}
+
+function ng_exists {
+    ngctl status "${1}" >/dev/null 2>&1
+}
+
+function calculate_mac_address {
+    local name="$1"
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
+    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
+}
+
+function find_available_port {
+    local start_port="$1"
+    local port="$start_port"
+    while true; do
+        sockstat -P tcp -p 443
+        port=$((port + 1))
+    done
+}
+
+function ngctlcat {
+    if [ "$VERBOSE" = "YES" ]; then
+        tee /dev/tty | ngctl -d -f -
+    else
+        ngctl -d -f -
+    fi
+}
+
+main "${@}"
--- a/ansible/roles/bhyve/files/bhyverc.sh
+++ b/ansible/roles/bhyve/files/bhyverc.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# REQUIRE: LOGIN FILESYSTEMS
+# PROVIDE: bhyverc
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+name=bhyverc
+rcvar=${name}_enable
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+status_cmd="${name}_status"
+console_cmd="${name}_console"
+extra_commands="console"
+load_rc_config $name
+
+bhyverc_start() {
+    export PATH="$PATH:/usr/local/bin"
+    exec /usr/local/bin/bhyverc start "${@}"
+}
+
+bhyverc_status() {
+    export PATH="$PATH:/usr/local/bin"
+    exec /usr/local/bin/bhyverc status "${@}"
+}
+
+bhyverc_stop() {
+    export PATH="$PATH:/usr/local/bin"
+    exec /usr/local/bin/bhyverc stop "${@}"
+}
+
+bhyverc_console() {
+    export PATH="$PATH:/usr/local/bin"
+    exec /usr/local/bin/bhyverc console "${@}"
+}
+
+run_rc_command "$@"
--- a/ansible/roles/bhyve/tasks/freebsd.yaml
+++ b/ansible/roles/bhyve/tasks/freebsd.yaml
@@ -22,6 +22,25 @@
  loop:
    - src: bhyve_netgraph_bridge.bash
      dest: /usr/local/bin/bhyve_netgraph_bridge
+    - src: bhyverc.bash
+      dest: /usr/local/bin/bhyverc
+
+- name: Install rc script
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: bhyverc.sh
+      dest: bhyverc
+
+- name: Enable bhyverc
+  community.general.sysrc:
+    name: bhyverc_enable
+    value: "YES"
+    path: /etc/rc.conf.d/bhyverc

 - name: Create zfs dataset
  zfs:
--- a/ansible/roles/blank/tasks/common.yaml
+++ b/ansible/roles/blank/tasks/common.yaml
@@ -1,3 +1,43 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
 - import_tasks: tasks/freebsd.yaml
  when: 'os_flavor == "freebsd"'

--- a/ansible/roles/blank/tasks/linux.yaml
+++ b/ansible/roles/blank/tasks/linux.yaml
@@ -13,7 +13,7 @@
 #     name: []
 #     state: present
 #     update_cache: true
-    
+
 # - name: Install packages
 #   package:
 #     name:
--- a/ansible/roles/build/defaults/main.yaml
+++ b/ansible/roles/build/defaults/main.yaml
@@ -1 +0,0 @@
-freebsd_version: "releng/13.2"
--- a/ansible/roles/build/files/CUSTOM
+++ b/ansible/roles/build/files/CUSTOM
@@ -1,6 +0,0 @@
-include GENERIC-NODEBUG
-
-# Disable Intel SD/MMC controller for reading eMMC
-nodevice sdhci
-
-ident   CUSTOM
--- a/ansible/roles/build/files/aurutils-nuke
+++ b/ansible/roles/build/files/aurutils-nuke
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+# If something is very wrong in pacman, this removes the keyring and the entire custom repo, then sets up pacman's keyring again. Running the ansible playbook is necessary to get the custom repo added.
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+doas rm -rf /var/cache/pacman/custom/ /etc/pacman.d/conf.d/aurutils.conf
+doas rm -rf /etc/pacman.d/gnupg
+doas pacman-key --init
+doas pacman-key --populate archlinux
+doas pacman -S archlinux-keyring
--- a/ansible/roles/build/files/aurutils-sync
+++ b/ansible/roles/build/files/aurutils-sync
@@ -5,4 +5,4 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

-GPGKEY=27DE40D9B8455C1B exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@"
+GPGKEY=4278299FB84F6875 exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@"
--- a/ansible/roles/build/files/freebsd_update_step1
+++ b/ansible/roles/build/files/freebsd_update_step1
@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-#
-# Build and installs whatever is in /usr/src. Run step 1, reboot, then step 2.
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-cores=$(sysctl -n hw.ncpu)
-
-if sudo etcupdate status | grep -qE '^  C '; then
-    >&2 echo 'Conflicts remain in etcupdate. Run `etcupdate resolve` to fix them first.'
-    exit 1
-fi
-
-cd /usr/src
-
-make -j "$cores" clean
-make -j "$cores" buildworld buildkernel
-sudo make installkernel
-
-echo "FreeBSD update step 1 done. Please reboot."
--- a/ansible/roles/build/files/freebsd_update_step2
+++ b/ansible/roles/build/files/freebsd_update_step2
@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-#
-# Build and installs whatever is in /usr/src. Run step 1, reboot, then step 2.
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-sudo etcupdate -p
-
-cd /usr/src
-sudo make installworld
-sudo etcupdate -B
-
-if sudo etcupdate status | grep -qE '^  C '; then
-    >&2 echo 'Conflicts in etcupdate. Run `etcupdate resolve` to fix them first.'
-    exit 1
-fi
-
-echo "FreeBSD update step 2 done. Please reboot."
--- a/ansible/roles/build/files/gpg.asc
+++ b/ansible/roles/build/files/gpg.asc
@@ -1,34 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----

-mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
-0H+RsWG0HVRvbSBBbGV4YW5kZXIgPHRvbUBmaXp6LmJ1eno+iJAEExYIADgWIQS4
-SBWTY8KHeReVS+En3kDZuEVcGwUCXZwWGgIbAwULCQgHAgYVCAkKCwIEFgIDAQIe
-AQIXgAAKCRAn3kDZuEVcG9glAQDX3Bzaz9sQpycc40LeLxSKQsWplfJigfr8wWOg
-C15TywEAqkTtCrTNsltdZERLMre7qnv/6RSo54OW0C4pdN7UUAa0HlRvbSBBbGV4
-YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A
-2bhFXBsFAl+w+R0CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQJ95A2bhF
-XBt6fgD+NOYnw9gz5K/q3H5LE/JvqzCSHezJmeGgif0CuU4m1/MA+gPDKME7syEt
-JsTpELEMrxWWpDW0tD/W1iJE7roGYPQPtB9Ub20gQWxleGFuZGVyIDx0b21AaGFy
-bW9uaWMuYWk+iJAEExYIADgWIQS4SBWTY8KHeReVS+En3kDZuEVcGwUCX7D5RAIb
-AwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAn3kDZuEVcGzjDAP9pM1ScstOk
-ti+oRAsNSk8qsjIsCT9O5voDS0Q7plWlcwD/btKVFO9tPLsXhyvdB+NSwueVs7TA
-kRVjlW3hktpefg24OARdnBYaEgorBgEEAZdVAQUBAQdArbTYQgDBMG7EBFTKA6+f
-4CWgwl26Lf2b6cyCGfUw2j4DAQgHiHgEGBYIACAWIQS4SBWTY8KHeReVS+En3kDZ
-uEVcGwUCXZwWGgIbDAAKCRAn3kDZuEVcG03MAQCrkjrE+MhtvbfGaHGHlwz9QnF0
-Z519YzK8Xr8m0O+09QEA9BFCfkAzBM4D4JKeWJh/tmN9U6UexzLrRdY+W9cugAm4
-MwRdnBbKFgkrBgEEAdpHDwEBB0A/IgvgQaDhPkk72raSlUPLZaMyJfPedlfBhbgY
-uhNiSIj1BBgWCAAmAhsCFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w+hYFCQe4
-fcwAgXYgBBkWCAAdFiEEgeZEOZZ1UC6xJRa606F5yaU8Dt4FAl2cFsoACgkQ06F5
-yaU8Dt6MngD+Krs3aYyHH6i85ebVESgBI8XeXhgACM4exepw+0UcoYkBAKK4DvV3
-oJD6o1ku6Rr8pUH962SQm8PO9pO2JBBAb6ADCRAn3kDZuEVcG9uAAP43vUsbe24/
-6tjEezAW0a4L2E1u4HNU8t53lolngs1kswEAy1HBdYEMR9TovX/kMeBHLcz1J2pM
-VRSV0JnJhj5eZwa4MwRdnBcBFgkrBgEEAdpHDwEBB0BrvpOZa4q6JHVuc1XUVQTq
-hDgLwD5SJBvzHSTXPYOZMoh+BBgWCAAmAhsgFiEEuEgVk2PCh3kXlUvhJ95A2bhF
-XBsFAl+w+hYFCQe4fZUACgkQJ95A2bhFXBs3NgEA3SFYTgRVstidfoEpEZV4DdSL
-kXaOwN3Eyba4UniClyMA/2CCxQt24vu19TyvUtOXWCp9Zi8SyIqoeiXQ4ZmhhnQO
-uDgEXZwXKBIKKwYBBAGXVQEFAQEHQA7S3cFTEu6iROopVyF4UBl3hQrEAbOc9CW+
-xXKFZYgSAwEIB4h+BBgWCAAmAhsMFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w
-+hcFCQe4fW4ACgkQJ95A2bhFXBtUXAEAyEJCUNVSJ7qvQv5IXuwbYTX2Mh7JU3+F
-GJHO7AWBXCQA/2aLAi9kYmz9ba770XYwTeBZIv9Y6UIwIwVmFdYHC/EM
-=a/z4
+mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
+Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
+/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
+eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
+AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
+n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
+8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
+HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
+fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
+AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
+gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
+mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
+nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
+KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
+B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
+CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
+/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
+Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
+BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
+rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
+7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
+=OfDR
 -----END PGP PUBLIC KEY BLOCK-----
--- a/ansible/roles/build/files/gpg_work.asc
+++ b/ansible/roles/build/files/gpg_work.asc
@@ -0,0 +1,27 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
+Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
+/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
+eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
+AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
+n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
+8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
+HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
+fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
+AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
+gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
+mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
+nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
+KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
+B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
+CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
+/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
+Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
+BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
+rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
+7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
+=OfDR
+-----END PGP PUBLIC KEY BLOCK-----
--- a/ansible/roles/build/files/make.conf
+++ b/ansible/roles/build/files/make.conf
@@ -1,3 +0,0 @@
-KERNCONF=CUSTOM
-
-BUILD_STATIC=YES
--- a/ansible/roles/build/files/pacman-x86_64.conf
+++ b/ansible/roles/build/files/pacman-x86_64.conf
@@ -31,10 +31,11 @@ Architecture = auto
 # Misc options
 #UseSyslog
 #Color
-#TotalDownload
+NoProgressBar
 # We cannot check disk space from within a chroot environment
 #CheckSpace
-#VerbosePkgLists
+VerbosePkgLists
+ParallelDownloads = 5

 # By default, pacman accepts packages signed by keys that its local keyring
 # trusts (see pacman-key and its man page), as well as unsigned packages.
@@ -69,32 +70,24 @@ LocalFileSigLevel = Optional
 # repo name header and Include lines. You can add preferred servers immediately
 # after the header, and they will be used before the default mirrors.

-#[testing]
+#[core-testing]
 #Include = /etc/pacman.d/mirrorlist

 [core]
 Include = /etc/pacman.d/mirrorlist

+#[extra-testing]
+#Include = /etc/pacman.d/mirrorlist
+
 [extra]
 Include = /etc/pacman.d/mirrorlist

-#[community-testing]
-#Include = /etc/pacman.d/mirrorlist
-
-[community]
-Include = /etc/pacman.d/mirrorlist
-
-# If you want to run 32 bit applications on your x86_64 system,
-# enable the multilib repositories as required here.
-
-#[multilib-testing]
-#Include = /etc/pacman.d/mirrorlist
-
-[multilib]
-Include = /etc/pacman.d/mirrorlist
-
 # An example of a custom package repository.  See the pacman manpage for
 # tips on creating your own repositories.
 #[custom]
 #SigLevel = Optional TrustAll
 #Server = file:///home/custompkgs
+
+[custom]
+SigLevel = Required
+Server = file:///var/cache/pacman/custom
--- a/ansible/roles/build/meta/main.yaml
+++ b/ansible/roles/build/meta/main.yaml
@@ -1,3 +1,5 @@
 dependencies:
-  - users
-  - gpg
+  - role: users
+    when: 'os_flavor == "linux"'
+  - role: gpg
+    when: 'os_flavor == "linux"'
--- a/ansible/roles/build/tasks/common.yaml
+++ b/ansible/roles/build/tasks/common.yaml
@@ -3,12 +3,3 @@

 - import_tasks: tasks/linux.yaml
  when: 'os_flavor == "linux"'
-
- include_tasks:
-    file: tasks/peruser.yaml
-    apply:
-      become: yes
-      become_user: "{{ initialize_user }}"
-  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
-  loop_control:
-    loop_var: initialize_user
--- a/ansible/roles/build/tasks/freebsd.yaml
+++ b/ansible/roles/build/tasks/freebsd.yaml
@@ -1,94 +0,0 @@
- name: Install packages
-  package:
-    name:
-      - git
-    state: present
-
- name: Create directories
-  file:
-    name: "{{ item }}"
-    state: directory
-    mode: 0755
-    owner: "{{ build_user.name }}"
-    group: "{{ build_user.group }}"
-  loop:
-    - "/usr/src"
-    # - "/usr/ports"
-    - "/usr/obj"
-
- name: chown the FreeBSD source
-  file:
-    name: "{{ item }}"
-    state: directory
-    owner: "{{ build_user.name }}"
-    group: "{{ build_user.group }}"
-    recurse: true
-  loop:
-    - "/usr/src"
-
- name: Clone FreeBSD Source
-  git:
-    repo: "https://git.FreeBSD.org/src.git"
-    dest: /usr/src
-    version: "{{ freebsd_version }}"
-    force: true
-  become: true
-  become_user: "{{ build_user.name }}"
-  diff: false
-
-# - name: Clone Ports Tree
-#   git:
-#     repo: "https://git.FreeBSD.org/ports.git"
-#     dest: /usr/ports
-#     version: "main"
-#     force: true
-#     update: false
-#   become: true
-#   become_user: "{{ build_user.name }}"
-#   diff: false
-
- name: Install Configuration
-  copy:
-    src: "files/{{ item.src }}"
-    dest: "{{ item.dest }}"
-    mode: 0644
-    owner: root
-    group: wheel
-  loop:
-    - src: make.conf
-      dest: /etc/make.conf
-
- name: Install Configuration
-  copy:
-    src: "files/{{ item.src }}"
-    dest: "{{ item.dest }}"
-    mode: 0644
-    owner: "{{ build_user.name }}"
-    group: "{{ build_user.group }}"
-  loop:
-    - src: CUSTOM
-      dest: /usr/src/sys/amd64/conf/CUSTOM
-
- name: Install Configuration
-  template:
-    src: "templates/{{ item.src }}.j2"
-    dest: "{{ item.dest }}"
-    mode: 0644
-    owner: root
-    group: wheel
-  loop:
-    - src: src.conf
-      dest: /etc/src.conf
-
- name: Install scripts
-  copy:
-    src: "files/{{ item.src }}"
-    dest: "{{ item.dest }}"
-    mode: 0700
-    owner: "{{ build_user.name }}"
-    group: "{{ build_user.group }}"
-  loop:
-    - src: freebsd_update_step1
-      dest: /usr/local/bin/freebsd_update_step1
-    - src: freebsd_update_step2
-      dest: /usr/local/bin/freebsd_update_step2
--- a/ansible/roles/build/tasks/linux.yaml
+++ b/ansible/roles/build/tasks/linux.yaml
@@ -39,12 +39,12 @@
 - name: Trust my signing key
  command: pacman-key -a -
  args:
-    stdin: "{{ lookup('file', 'gpg.asc') }}"
-  when: '"B848159363C2877917954BE127DE40D9B8455C1B" not in pacmankeys.stdout'
+    stdin: "{{ lookup('file', pgp_key|default('gpg.asc')) }}"
+  when: '"D272C8D6167F26859467666F4278299FB84F6875" not in pacmankeys.stdout'
  register: my_key_imported

 - name: Sign my signing key
-  command: pacman-key --lsign-key "B848159363C2877917954BE127DE40D9B8455C1B"
+  command: pacman-key --lsign-key "D272C8D6167F26859467666F4278299FB84F6875"
  when: my_key_imported.changed

 - name: Build the aurutils package
@@ -89,17 +89,26 @@
  loop:
    - src: aurutils.conf
      dest: /etc/pacman.d/conf.d/
-    - src: pacman-custom.conf
+    - src: pacman-x86_64.conf
      dest: /etc/aurutils/
    - src: makepkg.conf # TODO: Is this needed or can I use the default from devtools?
      dest: /etc/aurutils/

+- name: chown the custom package db
+  file:
+    path: "{{ item }}"
+    owner: "{{ build_user.name }}"
+    recurse: true
+  loop:
+    - /var/cache/pacman/custom/
+
 - name: Create custom repo db
-  command: repo-add --sign /var/cache/pacman/custom/custom.db.tar
+  # shell: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*"
+  command: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar
  become: true
  become_user: "{{ build_user.name }}"
  args:
-    creates: /var/cache/pacman/custom/custom.db.tar
+    creates: /var/cache/pacman/custom/custom.db.tar.sig

 - name: Install scripts
  copy:
@@ -111,6 +120,8 @@
  loop:
    - src: aurutils-purge
      dest: /usr/local/bin/aurutils-purge
+    - src: aurutils-nuke
+      dest: /usr/local/bin/aurutils-nuke
    - src: aurutils-sync
      dest: /usr/local/bin/aurutils-sync
    - src: aurutils-update-devel-packages
--- a/ansible/roles/build/templates/src.conf.j2
+++ b/ansible/roles/build/templates/src.conf.j2
@@ -1,22 +0,0 @@
-{% if cpu_opt is defined and cpu_opt %}
-CPUTYPE?={{ cpu_opt }}
-{% endif %}
-OPTIMIZED_CFLAGS=YES
-BUILD_OPTIMIZED=YES
-WITH_CPUFLAGS=YES
-WITH_MALLOC_PRODUCTION=YES
-WITHOUT_LLVM_ASSERTIONS=YES
-WITH_REPRODUCIBLE_BUILD=YES
-
-# Would be fun to experiment with:
-# WITHOUT_SOURCELESS=YES
-
-# Questionable Optimizations
-WITHOUT_FLOPPY=YES
-WITHOUT_HTML=YES
-WITHOUT_IPFW=YES
-WITHOUT_IPFILTER=YES
-WITHOUT_LLVM_TARGET_ALL=YES
-# Commented out because maybe I want email alerts for failing disks
-# WITHOUT_MAIL=YES
-# WITHOUT_SENDMAIL=YES
--- a/ansible/roles/chromium/files/chromium-flags.conf
+++ b/ansible/roles/chromium/files/chromium-flags.conf
@@ -0,0 +1,2 @@
+--ozone-platform-hint=auto
+--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder
--- a/ansible/roles/kubernetes/meta/main.yaml
+++ b/ansible/roles/kubernetes/meta/main.yaml
@@ -1,2 +1,2 @@
 dependencies:
-  - build
+  - users
--- a/ansible/roles/chromium/tasks/common.yaml
+++ b/ansible/roles/chromium/tasks/common.yaml
@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user
--- a/ansible/roles/chromium/tasks/freebsd.yaml
+++ b/ansible/roles/chromium/tasks/freebsd.yaml
@@ -0,0 +1,5 @@
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
--- a/ansible/roles/chromium/tasks/linux.yaml
+++ b/ansible/roles/chromium/tasks/linux.yaml
@@ -0,0 +1,7 @@
+# Check chrome://gpu/ to confirm hardware video decoding and vulkan rendering is working.
+
+- name: Install packages
+  package:
+    name:
+      - chromium
+    state: present
--- a/ansible/roles/chromium/tasks/main.yaml
+++ b/ansible/roles/chromium/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: install_graphics
--- a/ansible/roles/chromium/tasks/peruser.yaml
+++ b/ansible/roles/chromium/tasks/peruser.yaml
--- a/ansible/roles/chromium/tasks/peruser_freebsd.yaml
+++ b/ansible/roles/chromium/tasks/peruser_freebsd.yaml
--- a/ansible/roles/chromium/tasks/peruser_linux.yaml
+++ b/ansible/roles/chromium/tasks/peruser_linux.yaml
@@ -0,0 +1,10 @@
+- name: Copy files
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+    mode: 0600
+    owner: "{{ account_name.stdout }}"
+    group: "{{ group_name.stdout }}"
+  loop:
+    - src: chromium-flags.conf
+      dest: .config/chromium-flags.conf
--- a/ansible/roles/cpu/files/aesni_loader.conf
+++ b/ansible/roles/cpu/files/aesni_loader.conf
@@ -1 +0,0 @@
-aesni_load="YES"
--- a/ansible/roles/cpu/files/amd_microcode_rc.conf
+++ b/ansible/roles/cpu/files/amd_microcode_rc.conf
@@ -0,0 +1 @@
+microcode_update_enable="YES"
--- a/ansible/roles/cpu/files/cpu_set_perf_perc_freebsd
+++ b/ansible/roles/cpu/files/cpu_set_perf_perc_freebsd
@@ -7,6 +7,12 @@ IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

 perc=$1
+if [ "$perc" -gt 100 ]; then
+    perc=100
+fi
+if [ "$perc" -lt 0 ]; then
+    perc=0
+fi
 epp=$((100 - perc))

 sysctl -N dev.hwpstate_intel | grep -E 'dev.hwpstate_intel.[0-9]+.epp' | while read var; do
--- a/ansible/roles/cpu/files/cpu_set_perf_perc_linux
+++ b/ansible/roles/cpu/files/cpu_set_perf_perc_linux
@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-#
-# Tell speedshift whether to maximize CPU performance (100) or energy
-# efficiency (0).
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-perc=$1
-
-if [ $perc -lt 50 ]; then
-    echo "power" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
-else
-    echo "performance" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
-fi
--- a/ansible/roles/cpu/files/cpu_set_perf_perc_linux_amd
+++ b/ansible/roles/cpu/files/cpu_set_perf_perc_linux_amd
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+#
+# Tell hardware p-states whether to maximize CPU performance (100) or
+# energy efficiency (0).
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+perc=$1
+
+if [ "$perc" -gt 80 ]; then
+    echo performance | tee /sys/firmware/acpi/platform_profile
+elif [ "$perc" -ge 20 ]; then
+    echo balanced | tee /sys/firmware/acpi/platform_profile
+else
+    echo low-power | tee /sys/firmware/acpi/platform_profile
+fi
+
+if [ "$perc" -ge 80 ]; then
+    echo "performance" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
+elif [ "$perc" -ge 60 ]; then
+    echo "balance_performance" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
+elif [ "$perc" -ge 40 ]; then
+    echo "default" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
+elif [ "$perc" -ge 20 ]; then
+    echo "balance_power" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
+else
+    echo "power" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
+fi
--- a/ansible/roles/cpu/files/cpu_set_perf_perc_linux_intel
+++ b/ansible/roles/cpu/files/cpu_set_perf_perc_linux_intel
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+#
+# Tell speedshift whether to maximize CPU performance (100) or energy
+# efficiency (0). If set to 101 this will enable turboboost.
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+perc=$1
+
+if [ "$perc" -gt 100 ]; then
+    echo 0 | tee /sys/devices/system/cpu/intel_pstate/no_turbo
+else
+    echo 1 | tee /sys/devices/system/cpu/intel_pstate/no_turbo
+fi
+
+if [ "$perc" -ge 80 ]; then
+    echo "performance" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
+elif [ "$perc" -ge 60 ]; then
+    echo "balance_performance" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
+elif [ "$perc" -ge 40 ]; then
+    echo "default" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
+elif [ "$perc" -ge 20 ]; then
+    echo "balance_power" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
+else
+    echo "power" | tee /sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
+fi
--- a/ansible/roles/cpu/files/cryptodev_loader.conf
+++ b/ansible/roles/cpu/files/cryptodev_loader.conf
@@ -0,0 +1 @@
+cryptodev_load="YES"
--- a/ansible/roles/cpu/files/intel_microcode_loader.conf
+++ b/ansible/roles/cpu/files/intel_microcode_loader.conf
@@ -0,0 +1,6 @@
+# Load Intel microcode at boot before the kernel does feature detection.
+#
+# The alternative would have been /etc/rc.conf with:
+#   microcode_update_enable="YES"
+cpu_microcode_load="YES"
+cpu_microcode_name="/boot/firmware/intel-ucode.bin"
--- a/ansible/roles/cpu/files/per_core_hwpstate_loader.conf
+++ b/ansible/roles/cpu/files/per_core_hwpstate_loader.conf
--- a/ansible/roles/cpu/files/platform_profile_tmpfiles.conf
+++ b/ansible/roles/cpu/files/platform_profile_tmpfiles.conf
@@ -0,0 +1,2 @@
+# Favor energy efficiency for platform profile (EC / system, not CPU)
+w- /sys/firmware/acpi/platform_profile - - - - low-power
--- a/ansible/roles/cpu/tasks/freebsd_amd.yaml
+++ b/ansible/roles/cpu/tasks/freebsd_amd.yaml
@@ -1,3 +1,9 @@
+- name: Install packages
+  package:
+    name:
+      - cpu-microcode-amd
+    state: present
+
 - name: Install loader.conf
  copy:
    src: "files/{{ item }}_loader.conf"
@@ -17,8 +23,10 @@
    group: wheel
  loop:
    - power_profile
+    - amd_microcode

 - name: Install loader.conf
+  when: hwpstate is defined and hwpstate
  copy:
    src: "files/{{ item }}_loader.conf"
    dest: "/boot/loader.conf.d/{{ item }}.conf"
@@ -26,4 +34,5 @@
    owner: root
    group: wheel
  loop:
-    - aesni
+    - per_core_hwpstate
+    - cryptodev
--- a/ansible/roles/cpu/tasks/freebsd_intel.yaml
+++ b/ansible/roles/cpu/tasks/freebsd_intel.yaml
@@ -3,6 +3,7 @@
    name:
      - lscpu # need to kldload cpuctl
      - powermon # need to kldload cpuctl
+      - cpu-microcode-intel
    state: present

 - name: Install loader.conf
@@ -15,7 +16,7 @@
  loop:
    - coretemp
    - cpuctl
-    - aesni
+    - intel_microcode

 - name: Install service configuration
  copy:
@@ -76,4 +77,5 @@
    owner: root
    group: wheel
  loop:
-    - percorespeedshift
+    - per_core_hwpstate
+    - cryptodev
--- a/ansible/roles/cpu/tasks/linux_amd.yaml
+++ b/ansible/roles/cpu/tasks/linux_amd.yaml
@@ -0,0 +1,40 @@
+- name: Install packages
+  package:
+    name:
+      - powertop
+    state: present
+
+- name: Favor energy efficiency for hardware p-states
+  when: hwpstate is defined and hwpstate and cores is defined
+  template:
+    src: "templates/{{ item.src }}.j2"
+    dest: "{{ item.dest }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - src: energy_performance_preference.conf
+      dest: /etc/tmpfiles.d/energy_performance_preference.conf
+
+- name: Install tmpfiles.d configuration
+  when: hwpstate is defined and hwpstate and cores is defined
+  copy:
+    src: "files/{{ item }}_tmpfiles.conf"
+    dest: "/etc/tmpfiles.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - platform_profile
+
+- name: Install scripts
+  when: hwpstate is defined and hwpstate
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: cpu_set_perf_perc_linux_amd
+      dest: /usr/local/bin/cpu_set_perf_perc
--- a/ansible/roles/cpu/tasks/linux_intel.yaml
+++ b/ansible/roles/cpu/tasks/linux_intel.yaml
@@ -19,7 +19,7 @@
  template:
    src: "templates/{{ item.src }}.j2"
    dest: "{{ item.dest }}"
-    mode: 0755
+    mode: 0644
    owner: root
    group: wheel
  loop:
@@ -35,5 +35,5 @@
    owner: root
    group: wheel
  loop:
-    - src: cpu_set_perf_perc_linux
+    - src: cpu_set_perf_perc_linux_intel
      dest: /usr/local/bin/cpu_set_perf_perc
--- a/ansible/roles/cpu/templates/energy_performance_preference.conf.j2
+++ b/ansible/roles/cpu/templates/energy_performance_preference.conf.j2
@@ -1,4 +1,4 @@
-# Favor energy efficiency for Speed Shift
+# Favor energy efficiency for hardware p-states
 {% for core in range(0, cores, 1) %}
 w- /sys/devices/system/cpu/cpufreq/policy{{core}}/energy_performance_preference - - - - power
 {% endfor %}
--- a/ansible/roles/devfs/files/homeserver_devfs.rules
+++ b/ansible/roles/devfs/files/homeserver_devfs.rules
@@ -0,0 +1,25 @@
+# [localrules=10]
+# add path 'input/*' mode 0660 group video
+# add path 'usb/*' mode 0660 group usb
+
+[tajailwg=13]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path 'bpf*' unhide
+add path pf unhide
+add path pflog unhide
+add path pfsynv unhide
+add path 'tun*' unhide
+
+[tajaildhcp=14]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path 'bpf*' unhide
+
+[tajailrand=15]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path urandom unhide
--- a/ansible/roles/docker/tasks/linux.yaml
+++ b/ansible/roles/docker/tasks/linux.yaml
@@ -2,6 +2,8 @@
  package:
    name:
      - docker
+      - docker-compose
+      - docker-buildx
    state: present

 - name: Create docker zfs dataset
--- a/ansible/roles/emacs/defaults/main.yaml
+++ b/ansible/roles/emacs/defaults/main.yaml
@@ -0,0 +1 @@
+emacs_flavor: "plain" # or full for systems where I do real development.
--- a/ansible/roles/emacs/files/base.el
+++ b/ansible/roles/emacs/files/base.el
@@ -1,106 +0,0 @@
-(package-initialize)
-(add-to-list 'package-archives
-             '("melpa" . "https://melpa.org/packages/")
-             )
-
-(when (not package-archive-contents)
-  (package-refresh-contents))
-
-(unless (package-installed-p 'use-package)
-  (package-install 'use-package))
-
-(use-package auto-package-update
-   :ensure t
-   :config
-   (setq auto-package-update-delete-old-versions t
-         auto-package-update-interval 14)
-   (auto-package-update-maybe))
-
-(defconst private-dir  (expand-file-name "private" user-emacs-directory))
-(defconst temp-dir (format "%s/cache" private-dir)
-  "Hostname-based elisp temp directories")
-
-;; Emacs customizations
-(setq-default
- inhibit-startup-screen              t
- initial-scratch-message             nil
- ;; Send prompts to mini-buffer not the GUI
- use-dialog-box                      nil
- confirm-nonexistent-file-or-buffer  t
- save-interprogram-paste-before-kill t
- mouse-yank-at-point                 t
- require-final-newline               t
- visible-bell                        nil
- ring-bell-function                  'ignore
- custom-file                         "~/.emacs.d/.custom.el"
- ;; http://ergoemacs.org/emacs/emacs_stop_cursor_enter_prompt.html
- minibuffer-prompt-properties
- '(read-only t point-entered minibuffer-avoid-prompt face minibuffer-prompt)
-
- ;; Disable non selected window highlight
- cursor-in-non-selected-windows     nil
- highlight-nonselected-windows      nil
- ;; PATH
- exec-path                          (append exec-path '("/usr/local/bin/"))
- indent-tabs-mode                   nil
- tab-width                          4
- inhibit-startup-message            t
- fringes-outside-margins            t
- x-select-enable-clipboard          t
- use-package-always-ensure          t
- ispell-program-name                "aspell"
- browse-url-browser-function        'browse-url-generic
- browse-url-generic-program         "firefox-developer-edition"
- frame-title-format                 '("" invocation-name ": "(:eval (if (buffer-file-name)
-                                                                        (abbreviate-file-name (buffer-file-name))
-                                                                      "%b")))
- ;; mouse-wheel-progressive-speed      nil ;; Don't accelerate mouse wheel
- ;; mouse-wheel-scroll-amount '(5 ((shift) . 3))
- use-short-answers                  t
- package-native-compile             t
- delete-selection-mode              t
- )
-
-(defun assert-directory (p)
-  (unless (file-exists-p p) (make-directory p t))
-  p
-  )
-(assert-directory (concat temp-dir "/auto-save-list/"))
-(setq autoload-directory (concat user-emacs-directory (file-name-as-directory "elisp") (file-name-as-directory "autoload")))
-(add-to-list 'load-path (assert-directory autoload-directory))
-
-
-
-;; Bookmarks
-(setq
- ;; persistent bookmarks
- bookmark-save-flag                      t
- bookmark-default-file              (concat temp-dir "/bookmarks"))
-
-;; Backups enabled, use nil to disable
-(setq
- history-length                     1000
- backup-inhibited                   nil
- make-backup-files                  nil
- auto-save-default                  nil
- auto-save-list-file-name           (concat temp-dir "/autosave")
- create-lockfiles                   nil
- backup-directory-alist            `((".*" . ,(concat temp-dir "/backup/")))
- auto-save-file-name-transforms    `((".*" ,(concat temp-dir "/auto-save-list/") t)))
-
-;; Disable toolbar & menubar
-(menu-bar-mode -1)
-(when (fboundp 'tool-bar-mode)
-  (tool-bar-mode -1))
-(when (  fboundp 'scroll-bar-mode)
-  (scroll-bar-mode -1))
-
-(context-menu-mode +1)
-
-;; Delete trailing whitespace before save
-(add-hook 'before-save-hook 'delete-trailing-whitespace)
-
-(use-package diminish)
-
-(provide 'base)
-;;; base ends here
--- a/ansible/roles/emacs/files/common-lsp.el
+++ b/ansible/roles/emacs/files/common-lsp.el
@@ -1,41 +0,0 @@
-(use-package eglot
-  :commands (eglot eglot-ensure)
-  :bind (:map eglot-mode-map
-              ;; M-.
-              ;; ([remap xref-find-definitions] . lsp-ui-peek-find-definitions)
-              ;; M-?
-              ;; ([remap xref-find-references] . lsp-ui-peek-find-references)
-              ("C-c C-a" . eglot-code-actions)
-              )
-  :hook (
-         (eglot-managed-mode . (lambda ()
-                                 (when (eglot-managed-p)
-                                   (corfu-mode +1)
-                                   )
-                                 ))
-         )
-  :config
-  ;; Increase garbage collection threshold for performance (default 800000)
-  (setq gc-cons-threshold 100000000)
-
-  ;; Increase amount of data read from processes, default 4k
-  (when (>= emacs-major-version 27)
-    (setq read-process-output-max (* 1024 1024)) ;; 1mb
-    )
-
-  (set-face-attribute 'eglot-highlight-symbol-face nil :background "#0291a1" :foreground "black")
-  (set-face-attribute 'eglot-mode-line nil :inherit 'mode-line :bold nil)
-
-  (use-package consult-eglot
-    :bind (
-           :map eglot-mode-map
-           ;; C-M-.
-           ([remap xref-find-apropos] . #'consult-eglot-symbols)
-           )
-    )
-  :custom
-  (eglot-autoshutdown t "Shut down server when last buffer is killed.")
-  (eglot-sync-connect 0 "Don't block on language server starting.")
-  )
-
-(provide 'common-lsp)
--- a/ansible/roles/emacs/files/early-init.el
+++ b/ansible/roles/emacs/files/early-init.el
@@ -0,0 +1,25 @@
+(setq gc-cons-threshold (* 128 1024 1024)) ;; 128MiB Increase garbage collection threshold for performance (default 800000)
+;; Increase amount of data read from processes, default 4k
+(when (version<= "27.0" emacs-version)
+  (setq read-process-output-max (* 10 1024 1024)) ;; 10MiB
+  )
+
+;; Suppress warnings
+(setq byte-compile-warnings '(not obsolete))
+(setq warning-suppress-log-types '((comp) (bytecomp)))
+(setq native-comp-async-report-warnings-errors 'silent)
+
+;; Set up default visual settings
+(setq frame-resize-pixelwise t)
+;; Disable toolbar & menubar
+(menu-bar-mode -1)
+(when (fboundp 'tool-bar-mode)
+  (tool-bar-mode -1))
+(when (display-graphic-p)
+  (context-menu-mode +1))
+
+(setq default-frame-alist '((fullscreen . maximized)
+                            (vertical-scroll-bars . nil)
+                            (horizontal-scroll-bars . nil)
+                            ;; Set dark colors in early-init to prevent flashes of white.
+                            (background-color . "#000000")))
--- a/ansible/roles/emacs/files/elisp/base-extensions.el
+++ b/ansible/roles/emacs/files/elisp/base-extensions.el
@@ -1,5 +1,7 @@
+(use-package diminish)
+
 ;; Eglot recommends pulling the latest of the standard libraries it
-;; uses from ELPA if you're not tracking the current emacs development
+;; uses from ELPA if you're not tracking the current.config/emacsevelopment
 ;; branch.
 (use-package xref
  :pin gnu
@@ -27,46 +29,56 @@
  :config
  (dashboard-setup-startup-hook))

-(use-package ediff
-  :config
-  (setq ediff-window-setup-function 'ediff-setup-windows-plain)
-  (setq-default ediff-highlight-all-diffs 'nil)
-  (setq ediff-diff-options "-w"))
-
 (when (version<= "26.0.50" emacs-version )
  (add-hook 'prog-mode-hook 'display-line-numbers-mode)
  (add-hook 'prog-mode-hook 'column-number-mode)
  )

-(use-package page-break-lines)
+;; Display a horizontal line instead of ^L for page break characters
+(use-package page-break-lines
+  :diminish
+  :config
+  (global-page-break-lines-mode +1)
+  )

 (use-package recentf
  ;; This is an emacs built-in but we're pulling the latest version
  :config
  (setq recentf-max-saved-items 100)
-  (setq recentf-save-file (recentf-expand-file-name "~/.emacs.d/private/cache/recentf"))
+  (setq recentf-save-file (recentf-expand-file-name "~/.config/emacs/private/cache/recentf"))
  (recentf-mode 1))

 ;; Persist history over Emacs restarts. Vertico sorts by history position.
 (use-package savehist
  ;; This is an emacs built-in but we're pulling the latest version
+  :pin gnu
  :config
  (savehist-mode))

 (use-package which-key
+  :pin gnu
  :diminish
  :config
  (which-key-mode))

 (use-package windmove
-  :config
-  (windmove-default-keybindings))
+  ;; This is an emacs built-in but we're pulling the latest version
+  :pin gnu
+  :bind
+  (
+   ("S-<up>" . windmove-up)
+   ("S-<right>" . windmove-right)
+   ("S-<down>" . windmove-down)
+   ("S-<left>" . windmove-left)
+   )
+  )

 (setq tramp-default-method "ssh")

-(use-package dockerfile-mode)
-
 (use-package nginx-mode
+  :mode (
+         ("headers\\.include\\'" . nginx-mode)
+         )
  :config
  (setq nginx-indent-level 4))

--- a/ansible/roles/emacs/files/elisp/base-functions.el
+++ b/ansible/roles/emacs/files/elisp/base-functions.el
@@ -53,7 +53,15 @@
  (let ((load-it (lambda (f)
                   (load-file (concat (file-name-as-directory dir) f)))
                 ))
-       (mapc load-it (directory-files dir nil "\\.el$"))))
+    (mapc load-it (directory-files dir nil "\\.el$"))))
+
+(defun generate-vc-link ()
+  (interactive)
+  (or
+   (generate-github-link)
+   (generate-source-hut-link)
+   )
+  )

 (defun generate-github-link ()
  "Generate a permalink to the current line."
@@ -69,10 +77,37 @@
           (let* (
                 (gh-org (match-string 2 repository-url))
                 (gh-repo (match-string 3 repository-url))
-                 (full-url (format "https://github.com/%s/%s/blob/%s/%s#L%s" gh-org gh-repo current-rev relative-path line-number))
+                 (full-url (format "https://github.com/%s/%s/blob/%s/%s?plain=1#L%s" gh-org gh-repo current-rev relative-path line-number))
                 )
             (message "%s" full-url)
             (kill-new full-url)
+             t
+             )
+           )
+      )
+    )
+  )
+
+(defun generate-source-hut-link ()
+  "Generate a permalink to the current line."
+  (interactive)
+  (let (
+        (current-rev (vc-working-revision buffer-file-name))
+        (line-number (line-number-at-pos))
+        (repository-url (vc-git-repository-url buffer-file-name))
+        (relative-path (file-relative-name buffer-file-name (vc-root-dir)))
+        )
+    (message "Using repo url %s" repository-url)
+    (save-match-data
+      (and (string-match "https://git.sr.ht/\\([^/]+\\)/\\([^/]+\\)" repository-url)
+           (let* (
+                 (sh-org (match-string 1 repository-url))
+                 (sh-repo (match-string 2 repository-url))
+                 (full-url (format "https://git.sr.ht/%s/%s/tree/%s/%s#L%s" sh-org sh-repo current-rev relative-path line-number))
+                 )
+             (message "%s" full-url)
+             (kill-new full-url)
+             t
             )
           )
      )
--- a/ansible/roles/emacs/files/elisp/base-global-keys.el
+++ b/ansible/roles/emacs/files/elisp/base-global-keys.el
@@ -7,6 +7,6 @@
 ;; dabbrev-expand. Seems to be some sort of dumb-expand. Accidentally hitting it when trying to use M-?
 (global-unset-key (kbd "M-/"))

-(global-set-key (kbd "C-x g l") 'generate-github-link)
+(global-set-key (kbd "C-x g l") 'generate-vc-link)

 (provide 'base-global-keys)
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`emacs_flavor: "plain" # or full for systems where I do real development.`