Still not working.

The latest nixpkgs does not support overriding the name so I am removing it now for compatibility.

ansible/environments/home/host_vars/homeserver

@@ -67,6 +67,9 @@ jail_list:
   - name: certificate
     conf:
       src: certificate
+  - name: momlaptop
+    conf:
+      src: momlaptop
   # - name: mumble
   #   conf:
   #     src: mumble
@@ -74,9 +77,17 @@ jail_list:
   #     - name: mumbledb
   #       mount: /var/db/murmur
 bhyve_dataset: zmass/encrypted/vm
-bhyve_list: []
+# Disable mounting bhyve dataset so it doesn't hide the unencrypted linfi vm
-bhyve_canmount: "on"
+bhyve_canmount: "off"
+bhyve_mountpoint: "none"
 bhyve_bemount: "on"
 wireguard_directory: homeserver
 enabled_wireguard:
   - wgh
+linfi:
+  enabled: true
+  zfs_dataset: zmass/unencrypted/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "ath if_ath if_ath_pci ath_hal if_iwm if_iwlwifi"
+  pci_blocklist: "6/0/0"
+  amd: false

ansible/environments/home/hosts

@@ -1,2 +1,2 @@
 [headless]
-homeserver ansible_user=talexander ansible_host=10.216.1.1
+homeserver ansible_user=talexander ansible_host=homeserver

ansible/environments/jail/host_vars/momlaptop

@@ -0,0 +1 @@
+os_flavor: freebsd

ansible/environments/jail/hosts

@@ -8,3 +8,4 @@ public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
 sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
 bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail
 certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail
+momlaptop ansible_ssh_host=momlaptop@homeserver ansible_connection=sshjail

ansible/environments/laptop/host_vars/odofreebsd

@@ -49,7 +49,7 @@ jail_list:
     conf:
       src: nat_dhcp
 bhyve_dataset: zroot/freebsd/current/vm
-bhyve_list: []
+bhyve_bemount: off
 # efi_dev: /dev/gpt/EFI
 efi_dev: /dev/diskid/DISK-SJB7N717610407Q0Hp1
 sway_conf_files:
@@ -59,3 +59,10 @@ enabled_wireguard:
   - wgh
   - drmario
   - colo
+linfi:
+  enabled: true
+  zfs_dataset: zroot/freebsd/current/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "if_iwm if_iwlwifi"
+  pci_blocklist: "1/0/0"
+  amd: true

ansible/environments/vm/host_vars/poudrieremrmanager

@@ -1,4 +1,5 @@
 os_flavor: "freebsd"
+sshd_enabled: true
 custom_repo: "file:///usr/local/poudriere/data/packages/currentznver4-default-framework"
 pkgbase_url: "file:///usr/local/poudriere/data/images/currentznver4-repo/FreeBSD:15:amd64/latest"
 poudriere_builds:

ansible/playbook.yaml

@@ -27,6 +27,7 @@
     - sway
     - emacs
     - firefox
+    - chromium
     - devfs
     - ssh_client
     - sshfs
@@ -67,9 +68,12 @@
     ansible_become: True
   roles:
     - sudo # for poudboot script
+    - doas
     - fstab
     - package_manager
+    - zsh
     - termcap
+    - sshd
     - portshaker
     - poudriere
     - poudrierenginx
@@ -122,12 +126,14 @@
   vars:
     ansible_become: True
   roles:
+    - linfi
     - framework_laptop
 
 - hosts: homeserver
   vars:
     ansible_become: True
   roles:
+    - linfi
     - homeserver
 
 - hosts: odowork
@@ -154,3 +160,9 @@
     ansible_become: True
   roles:
     - jail_certificate
+
+- hosts: momlaptop
+  vars:
+    ansible_become: True
+  roles:
+    - jail_momlaptop

ansible/roles/base/files/bbr_loader.conf

@@ -0,0 +1 @@
+tcp_bbr_load="YES"

ansible/roles/base/files/login.conf

@@ -44,6 +44,7 @@ default:\
 	:pseudoterminals=unlimited:\
 	:kqueues=unlimited:\
 	:umtxp=unlimited:\
+	:pipebuf=unlimited:\
 	:priority=0:\
 	:ignoretime@:\
 	:umask=022:\

ansible/roles/base/files/watch_freebsd

@@ -10,7 +10,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 function cleanup {
     switch_to_main_screen
 }
-for sig in EXIT INT QUIT HUP TERM; do
+for sig in EXIT; do
   trap "set +e; cleanup; exit" "$sig"
 done
 

ansible/roles/base/tasks/common.yaml

@@ -19,6 +19,7 @@
       - tcpdump
       - moreutils # for ts [%Y-%m-%d %H:%M:%.S]
       - ddrescue
+      - dmidecode
     state: present
 
 - name: Install packages

ansible/roles/base/tasks/freebsd.yaml

@@ -13,6 +13,7 @@
       - gsed
       - gmake
       - rust-coreutils
+      - shuf
     state: present
 
 - name: Install service configuration
@@ -38,18 +39,6 @@
   command: cap_mkdb /etc/login.conf
   when: login_config.changed
 
-- name: Enable periodic scrub
-  community.general.sysrc:
-    name: daily_scrub_zfs_enable
-    value: "YES"
-    path: /etc/periodic.conf.local
-
-- name: Set scrub interval
-  community.general.sysrc:
-    name: daily_scrub_zfs_default_threshold
-    value: "7"
-    path: /etc/periodic.conf.local
-
 - name: Install loader.conf
   copy:
     src: "{{loader_conf}}"
@@ -119,3 +108,65 @@
     group: wheel
   loop:
     - disk_labels
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: false
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    # Adjust ttl
+    - name: net.inet.ip.ttl
+      value: 65
+    - name: net.inet6.ip6.hlim
+      value: 65
+
+- name: Log periodic output instead of getting it as mail
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK log"
+    # create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_output=/var/log/daily.log
+      weekly_output=/var/log/weekly.log
+      monthly_output=/var/log/monthly.log
+
+- name: Enable periodic zfs scrub
+  when: install_zfs
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK zfs"
+    # create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_scrub_zfs_enable="YES"
+      daily_scrub_zfs_default_threshold="7"
+
+# Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
+- name: Install loader.conf
+  copy:
+    src: "files/{{ item }}_loader.conf"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - bbr
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: false
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    - name: net.inet.tcp.functions_default
+      value: "bbr"

ansible/roles/base/tasks/linux.yaml

@@ -67,3 +67,13 @@
     - name: vm.dirty_writeback_centisecs
       value: 1500
       file: power.conf
+    # Adjust ttl
+    - name: net.ipv4.ip_default_ttl
+      value: 65
+      file: ttl.conf
+    - name: net.ipv6.conf.all.hop_limit
+      value: 65
+      file: ttl.conf
+    - name: net.ipv6.conf.default.hop_limit
+      value: 65
+      file: ttl.conf

ansible/roles/bhyve/defaults/main.yaml

@@ -1,2 +1 @@
 bhyve_mountpoint: "/vm"
-bhyve_list: []

ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash

@@ -30,6 +30,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
 : ${VNC_ENABLE:="NO"}
 : ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
 
 if [ "$VERBOSE" = "YES" ]; then
     set -x
@@ -45,7 +47,7 @@ function cleanup {
     done
 }
 vms=()
-for sig in EXIT INT QUIT HUP TERM; do
+for sig in EXIT; do
   trap "set +e; sleep 10; cleanup" "$sig"
 done
 
@@ -141,7 +143,7 @@ function start_vm {
         additional_args+=("-s" "5,ahci-cd,$mount_cd")
     fi
     if [ "$VNC_ENABLE" = "YES" ]; then
-        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=1920,h=1080")
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
     fi
     vms+=("$name")
     while true; do
@@ -152,6 +154,8 @@ function start_vm {
             -c $CPU_CORES \
             -m $MEMORY \
             -H \
+            -P \
+            -o 'rtc.use_localtime=false' \
             -s 0,hostbridge \
             -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
             -s 30,xhci,tablet \

ansible/roles/chromium/files/chromium-flags.conf

@@ -0,0 +1,2 @@
+--ozone-platform-hint=auto
+--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE

ansible/roles/chromium/meta/main.yaml

@@ -0,0 +1,2 @@
+dependencies:
+  - users

ansible/roles/chromium/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/chromium/tasks/freebsd.yaml

@@ -0,0 +1,5 @@
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present

ansible/roles/chromium/tasks/linux.yaml

@@ -0,0 +1,7 @@
+# Check chrome://gpu/ to confirm hardware video decoding and vulkan rendering is working.
+
+- name: Install packages
+  package:
+    name:
+      - chromium
+    state: present

ansible/roles/chromium/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: install_graphics

ansible/roles/chromium/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/chromium/tasks/peruser_linux.yaml

@@ -0,0 +1,10 @@
+- name: Copy files
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+    mode: 0600
+    owner: "{{ account_name.stdout }}"
+    group: "{{ group_name.stdout }}"
+  loop:
+    - src: chromium-flags.conf
+      dest: .config/chromium-flags.conf

ansible/roles/devfs/files/homeserver_devfs.rules

@@ -17,3 +17,9 @@ add include $devfsrules_hide_all
 add include $devfsrules_unhide_basic
 add include $devfsrules_unhide_login
 add path 'bpf*' unhide
+
+[tajailrand=15]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path urandom unhide

ansible/roles/docker/tasks/linux.yaml

@@ -2,6 +2,8 @@
   package:
     name:
       - docker
+      - docker-compose
+      - docker-buildx
     state: present
 
 - name: Create docker zfs dataset

ansible/roles/dummynet/files/dnctl.conf

@@ -1,2 +1,2 @@
-dnctl pipe 1 config bw 100KByte/s
+pipe 1 config bw 100KByte/s
-dnctl pipe 2 config
+pipe 2 config

ansible/roles/dummynet/files/dnctl_rc.conf

@@ -1,2 +0,0 @@
-dnctl_enable="YES"
-dnctl_rules="/etc/dnctl.conf"

ansible/roles/dummynet/files/dummynet

@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+#
+
+# PROVIDE: dummynet
+# BEFORE: pf ipfw
+# KEYWORD: nojailvnet
+
+. /etc/rc.subr
+
+name="dummynet"
+desc="Dummynet packet queuing and scheduling"
+rcvar="${name}_enable"
+load_rc_config $name
+start_cmd="${name}_start"
+required_files="$dummynet_rules"
+required_modules="dummynet"
+
+dummynet_start()
+{
+	startmsg -n "Enabling ${name}"
+        cat "$dnctl_rules" | while read l; do
+          dnctl $l
+        done
+	startmsg '.'
+}
+
+run_rc_command $*

ansible/roles/dummynet/files/dummynet_rc.conf

@@ -0,0 +1,2 @@
+dummynet_enable="YES"
+dummynet_rules="/etc/dnctl.conf"

ansible/roles/dummynet/tasks/freebsd.yaml

@@ -9,6 +9,16 @@
     - src: "{{ dummynet_config }}"
       dest: /etc/dnctl.conf
 
+- name: Install rc script
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: dummynet
+
 - name: Install service configuration
   copy:
     src: "files/{{ item }}_rc.conf"
@@ -17,4 +27,4 @@
     owner: root
     group: wheel
   loop:
-    - dnctl
+    - dummynet

ansible/roles/emacs/files/elisp/lang-nix.el

@@ -0,0 +1,22 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(use-package nix-mode
+  :mode (("\\.nix\\'" . nix-mode)
+         )
+  :commands nix-mode
+  :hook (
+         (nix-mode . (lambda ()
+                             ;; (eglot-ensure)
+                             ;; (defclass my/eglot-nix (eglot-lsp-server) ()
+                             ;;   :documentation
+                             ;;   "Own eglot server class.")
+
+                             ;; (add-to-list 'eglot-server-programs
+                             ;;              '(nix-mode . (my/eglot-nix "nixd")))
+                             ;; (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                             ))
+         )
+  )
+
+(provide 'lang-nix)

ansible/roles/emacs/files/elisp/lang-org.el

@@ -4,6 +4,8 @@
   :bind (
          ("C-c l" . org-store-link)
          ("C-c a" . org-agenda)
+         ("C--" . org-timestamp-down)
+         ("C-=" . org-timestamp-up)
          )
   :hook (
          (org-mode . (lambda ()

ansible/roles/emacs/files/init.el

@@ -36,4 +36,6 @@
 
 (require 'lang-xml)
 
+(require 'lang-nix)
+
 (load-directory autoload-directory)

ansible/roles/emacs/meta/main.yaml

@@ -7,3 +7,5 @@ dependencies:
     when: 'emacs_flavor == "full"'
   - role: terraform
     when: 'emacs_flavor == "full"'
+  - role: nix
+    when: 'emacs_flavor == "full"'

ansible/roles/firefox/defaults/main.yaml

@@ -21,3 +21,25 @@ firefox_config:
   privacy.globalprivacycontrol.enabled: true
   # Disable "studies" (slice testing)
   app.shield.optoutstudies.enabled: false
+  # Disable attribution which is used by advertisers to track you.
+  dom.private-attribution.submission.enabled: false
+  # Disable battery status, used to track users.
+  dom.battery.enabled: false
+  # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
+  #
+  # This breaks copying from BigQuery https://github.com/microsoft/monaco-editor/issues/1540
+  # dom.event.clipboardevents.enabled: false
+  # Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.
+  privacy.firstparty.isolate: true
+  # Do not preload URLs that auto-complete in the address bar.
+  browser.urlbar.speculativeConnect.enabled: false
+  # Do not resist fingerprinting because that tells websites to use light mode.
+  # https://bugzilla.mozilla.org/show_bug.cgi?id=1732114
+  privacy.resistFingerprinting: null # (default false)
+  # Instead, enable fingerprinting protection, which allows configuring an override.
+  privacy.fingerprintingProtection: true
+  # Allow sending dark mode preference to websites.
+  # Allow sending timezone to websites.
+  privacy.fingerprintingProtection.overrides: "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked"
+  # Disable weather on new tab page
+  browser.newtabpage.activity-stream.showWeather: false

ansible/roles/firefox/tasks/peruser.yaml

@@ -10,12 +10,21 @@
   register: firefox_about_config
 
 - name: Configure Firefox about:config
+  when: item[1].value != None
   lineinfile:
     path: "{{ item[0].path }}"
     regexp: '"{{ item[1].key }}", [^")\n]*\)'
     line: 'user_pref("{{ item[1].key }}", {{ item[1].value | to_json }});'
   loop: "{{ firefox_about_config.files | product(firefox_config | dict2items) | list }}"
 
+- name: Configure Firefox about:config
+  when: item[1].value == None
+  lineinfile:
+    path: "{{ item[0].path }}"
+    regexp: '"{{ item[1].key }}", [^")\n]*\)'
+    state: absent
+  loop: "{{ firefox_about_config.files | product(firefox_config | dict2items) | list }}"
+
 - import_tasks: tasks/peruser_freebsd.yaml
   when: 'os_flavor == "freebsd"'
 

ansible/roles/firewall/files/homeserver_pf.conf

@@ -1,5 +1,5 @@
-ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
+ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }"
-not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
+not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
 restricted_nat_v4 = "{ 10.215.2.0/24 }"
@@ -19,17 +19,17 @@ unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
 set skip on lo
 
 # queueing
-# altq on wlan0 cbq queue { def, stuff }
+# altq on linfi_host cbq queue { def, stuff }
 # queue def cbq(default borrow)
 # queue stuff bandwidth	8Mb cbq { dagger }
 # queue dagger cbq(borrow)
 
 # redirections
-nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
 rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
 
 # cloak
-nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0)
+nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host)
 rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
 
 # bastion
@@ -42,6 +42,10 @@ nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 p
 rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
 nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
 
+# cloak -> dagger old
+rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8083 -> 10.215.2.2 port 8083
+nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8083 -> 10.215.2.1
+
 # -> sftp
 # TODO: Limit bandwidth for sftp
 rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
@@ -51,14 +55,17 @@ nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215
 # rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22
 rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
 
+# -> momlaptop
+rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8033 -> 10.215.1.218 port 443
+nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.218 port 443 -> 10.215.1.1
+
 # filtering
+# match in on jail_nat from any to any dnpipe(1, 2)
+# match in on restricted_nat from any to any dnpipe(1, 2)
+
 block log all
 pass out on $ext_if
 
-# match in on jail_nat from any to any dnpipe 1
-# match in on jail_nat from any to $rfc1918 dnpipe 2
-# match in on restricted_nat from any to any dnpipe 1
-
 pass in on jail_nat
 # Allow traffic from my machine to the jails/virtual machines
 pass out on jail_nat from $jail_nat_v4

ansible/roles/firewall/files/mrmanager_pf.conf

@@ -33,7 +33,7 @@ scrub in on $ext_if all fragment reassemble
 
 # redirections
 nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
-rdr pass proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
+rdr pass on jail_nat proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
 
 rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 -> 10.215.1.204 port 6443
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
@@ -63,6 +63,7 @@ pass quick on $allow
 
 # Single interface kubernetes cluster is working with the following run on mrmanager:
 #   doas route add -host 74.80.180.139 -interface jail_nat
+#   doas route add -net 10.129.0.0/16 -interface jail_nat
 #   doas sysctl net.link.ether.inet.proxyall=1
 # Plus this in pf.conf:
 #   pass quick from any to 74.80.180.139

ansible/roles/firewall/files/odofreebsd_pf.conf

@@ -1,5 +1,5 @@
-ext_if = "{ wlan0 }"
+ext_if = "{ linfi_host }"
-not_ext_if = "{ !wlan0 }"
+not_ext_if = "{ !linfi_host }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
 rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
@@ -16,7 +16,7 @@ udp_pass_in = "{ 53 51820 }"
 set skip on lo
 
 # redirections
-nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
 rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
 
 # Redirect jaeger ports to virtual machine.

ansible/roles/framework_laptop/files/disable_wifi_powersave_loader.conf

@@ -0,0 +1,3 @@
+  # Disable power save for wifi card because power save caused video stuttering in google meet on Linux. Both of these are currently the default on FreeBSD but I'm saving it just in case that default changes.
+compat.linuxkpi.iwlwifi_power_save="0"
+compat.linuxkpi.iwlwifi_mvm_power_scheme="1"

ansible/roles/framework_laptop/files/iwlwifi_modprobe.conf

@@ -1,5 +1,13 @@
-options iwlwifi power_save=1
+# Manually disable power save:
+# iw wlan0 set power_save off
 
-options iwlwifi uapsd_disable=0
+## High power:
+options iwlwifi power_save=0
+# options iwlwifi uapsd_disable=1
+options iwlmvm power_scheme=1 # 1-active, 2-balanced, 3-low power, default: 2 (int)
 
-options iwlmvm power_scheme=3
+## Low power:
+# options iwlwifi power_save=1
+# ? power_level:default power save level (range from 1 - 5, default: 1) (int)
+# options iwlwifi uapsd_disable=0
+# options iwlmvm power_scheme=3

ansible/roles/framework_laptop/files/launch_windows.bash

@@ -0,0 +1,285 @@
+#!/usr/local/bin/bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Share a host directory to the guest via 9pfs.
+#
+# Inside the VM run:
+#   mount -t virtfs -o trans=virtio sharename /some/vm/path
+#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
+#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 sharename /path/to/mountpoint
+# bhyve_options="-s 28,virtio-9p,sharename=/"
+
+# Enable Sound
+# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
+
+# Example usage:
+#
+#   doas bhyve_netgraph_bridge create-disk zdata/vm/poudriere /vm/poudriere 10
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere
+
+: ${VERBOSE:="NO"} # or YES
+: ${CPU_CORES:="1"}
+: ${MEMORY:="1G"}
+: ${NETWORK:="NAT"} # or RAW or BOTH
+: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
+: ${INTERFACE_NAME:="jail_nat"} # or the external interface like lagg0 for RAW networks
+: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
+: ${VNC_ENABLE:="NO"}
+: ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
+
+if [ "$VERBOSE" = "YES" ]; then
+    set -x
+fi
+
+############## Setup #########################
+
+function cleanup {
+    for vm in "${vms[@]}"; do
+        log "Destroying bhyve vm $vm"
+        bhyvectl "--vm=$vm" --destroy
+        log "Destroyed bhyve vm $vm"
+    done
+}
+vms=()
+for sig in EXIT; do
+  trap "set +e; sleep 10; cleanup" "$sig"
+done
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
+
+function main {
+    local cmd="$1"
+    shift 1
+    if [ "$cmd" = "create-disk" ]; then
+        create_disk "${@}"
+    elif [ "$cmd" = "start" ]; then
+        start_vm "${@}"
+    else
+        die 1 "Unrecognized command $cmd"
+    fi
+}
+
+function create_disk {
+    local zfs_path="$1"
+    local mount_path="$2"
+    local gigabytes="$3"
+    zfs create -o "mountpoint=$mount_path" "$zfs_path"
+    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
+    tee "${mount_path}/settings" <<EOF
+CPU_CORES="$CPU_CORES"
+MEMORY="$MEMORY"
+NETWORK="$NETWORK"
+IP_RANGE="$IP_RANGE"
+BRIDGE_NAME="$BRIDGE_NAME"
+INTERFACE_NAME="$INTERFACE_NAME"
+EOF
+    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none -o volblocksize=64K "$zfs_path/disk0"
+}
+
+function start_vm {
+    local name="$1"
+    local zfs_path="$2"
+    local mount_path="$3"
+    local mount_cd="${4:-}"
+
+    if [ -e "${mount_path}/settings" ]; then
+        source "${mount_path}/settings"
+    fi
+
+    local host_interface_name="$INTERFACE_NAME" # for raw, external interface
+    local bridge_name="$BRIDGE_NAME"
+    local ip_range="$IP_RANGE" # for raw this value does not matter
+
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")
+
+    local additional_args=()
+
+    if [ "$NETWORK" = "NAT" ]; then
+        assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        additional_args+=("-s" "2:0,e1000,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+    elif [ "$NETWORK" = "RAW" ]; then
+        assert_raw "$host_interface_name" "$bridge_name"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+    elif [ "$NETWORK" = "BOTH" ]; then
+        assert_bridge "jail_nat" "$bridge_name" "$ip_range"
+        assert_raw "$host_interface_name" "bridge_raw"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        local raw_bridge_link_name=$(detect_available_link "bridge_raw")
+        local raw_mac_address=$(calculate_mac_address "${name}_raw")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+        additional_args+=("-s" "3:0,virtio-net,netgraph,path=bridge_raw:,peerhook=${raw_bridge_link_name},mac=${raw_mac_address}")
+    elif [ "$NETWORK" = "NONE" ]; then
+        (>&2 echo "Not using any network.")
+    else
+        die 1 "Unrecognized NETWORK type $NETWORK"
+    fi
+
+
+    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
+         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
+             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
+            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
+
+    # TODO: Look into using nmdm instead of stdio for serial console
+    if [ -n "$mount_cd" ]; then
+        additional_args+=("-s" "5,ahci-cd,$mount_cd")
+    fi
+    if [ "$VNC_ENABLE" = "YES" ]; then
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT,wait")
+    fi
+    vms+=("$name")
+    # Removes CPU_CORES because windows must be a single CPU in bhyve
+    # -c $CPU_CORES \
+        # We need tpm
+    #             -l "tpm,passthru,/dev/tpm0" \
+                    # -S \
+    while true; do
+        set -x
+        set +e
+        bhyve \
+            -D \
+            -c sockets=1,cores=2,threads=2 \
+            -m $MEMORY \
+            -H \
+            -w \
+            -o 'rtc.use_localtime=false' \
+            -s 0,hostbridge \
+            -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
+            -s 16,hda,play=/dev/dsp,rec=/dev/dsp \
+            -s 30,xhci,tablet \
+            -s 31,lpc -l com1,stdio \
+            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \
+            -U '5a63bcd1-5cb4-4401-8a6f-d4042fb928a6' \
+            "${additional_args[@]}" \
+            "$name"
+        local exit_code=$?
+        set -e
+        set +x
+        if [ $exit_code -eq 0 ]; then
+            echo "Rebooting."
+            sleep 5
+        elif [ $exit_code -eq 1 ]; then
+            echo "Powered off."
+            break
+        elif [ $exit_code -eq 2 ]; then
+            echo "Halted."
+            break
+        elif [ $exit_code -eq 3 ]; then
+            echo "Triple fault."
+            break
+        elif [ $exit_code -eq 4 ]; then
+            echo "Exited due to an error."
+            break
+        fi
+    done
+}
+
+function detect_available_link {
+    local bridge_name="$1"
+    local linknum=1
+    while true; do
+        local link_name="link${linknum}"
+        if ! ng_exists "${bridge_name}:${link_name}"; then
+            echo "$link_name"
+            return
+        fi
+        linknum=$((linknum + 1))
+        if [ "$linknum" -gt 90 ]; then
+            (>&2 echo "No available links on bridge $bridge_name")
+            exit 1
+        fi
+    done
+}
+
+function assert_bridge {
+    local host_interface_name="$1"
+    local bridge_name="$2"
+    local ip_range="$3"
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook $host_interface_name
+EOF
+        ngctl -d -f - <<EOF
+mkpeer ${host_interface_name}: bridge ether link0
+name ${host_interface_name}:ether $bridge_name
+EOF
+        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" "$ip_range" up
+    fi
+}
+
+function assert_raw {
+    local extif="$1"
+    local bridge_name="$2"
+
+    kldload -n ng_bridge ng_eiface ng_ether
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctlcat <<EOF
+# Create a bridge.
+mkpeer $extif: bridge lower link0
+# Assign a name to the bridge.
+name $extif:lower ${bridge_name}
+# Since the host is also using $extif, we need to connect the upper hook also. Otherwise we will lose connectivity.
+connect $extif: ${bridge_name}: upper link1
+
+# Enable promiscuous mode so the host ethernet adapter accepts packets for all addresses
+msg $extif: setpromisc 1
+
+# Do not overwrite source address on packets
+msg $extif: setautosrc 0
+EOF
+    fi
+}
+
+function ng_exists {
+    ngctl status "${1}" >/dev/null 2>&1
+}
+
+function calculate_mac_address {
+    local name="$1"
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
+    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
+}
+
+function find_available_port {
+    local start_port="$1"
+    local port="$start_port"
+    while true; do
+        sockstat -P tcp -p 443
+        port=$((port + 1))
+    done
+}
+
+function ngctlcat {
+    if [ "$VERBOSE" = "YES" ]; then
+        tee /dev/tty | ngctl -d -f -
+    else
+        ngctl -d -f -
+    fi
+}
+
+
+main "${@}"

ansible/roles/framework_laptop/files/wifi_us_modprobe.conf

@@ -0,0 +1 @@
+options cfg80211 ieee80211_regdom=US

ansible/roles/framework_laptop/files/windows

@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# REQUIRE: LOGIN
+# PROVIDE: windows
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+name=windows
+rcvar=${name}_enable
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+status_cmd="${name}_status"
+load_rc_config $name
+
+tmux_name="windows"
+
+windows_start() {
+   /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=YES VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /usr/local/bin/launch_windows start windows zroot/freebsd/current/vm/windows /vm/windows /vm/.iso/Win11_23H2_English_x64v2.iso"
+}
+
+windows_status() {
+    if /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null; then
+        echo "$tmux_name is running."
+    else
+        echo "$tmux_name is not running."
+        return 1
+    fi
+}
+
+windows_stop() {
+    /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null && (
+        /usr/local/bin/tmux kill-session -t $tmux_name
+        sleep 10
+        bhyvectl --vm=windows --destroy
+        # kill `cat /var/run/windows.pid`
+    )
+    windows_wait_for_end
+}
+
+windows_wait_for_end() {
+    while /usr/local/bin/tmux has-session -t $tmux_name 2>dev/null; do
+        sleep 1
+    done
+}
+
+run_rc_command "$1"

ansible/roles/framework_laptop/meta/main.yaml

@@ -0,0 +1,3 @@
+dependencies:
+  - role: bhyve
+    when: 'os_flavor == "freebsd"'

ansible/roles/framework_laptop/tasks/freebsd.yaml

@@ -1,5 +1,30 @@
-# - name: Install packages
+- name: Install loader.conf
-#   package:
+  copy:
-#     name:
+    src: "files/{{ item }}_loader.conf"
-#       - foo
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
-#     state: present
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - disable_wifi_powersave
+
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: launch_windows.bash
+      dest: /usr/local/bin/launch_windows
+
+- name: Install rc script
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: windows

ansible/roles/framework_laptop/tasks/linux.yaml

@@ -30,6 +30,7 @@
     - iwlwifi
     - snd_hda_intel
     - disable_sp5100_watchdog
+    - wifi_us
 
 - name: Configure kernel command line
   zfs:
@@ -42,7 +43,8 @@
       # amd_pstate=passive :: Fully automated hardware pstate control.
       # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
       # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
-      "org.zfsbootmenu:commandline": "rw quiet amdgpu.abmlevel=3 pcie_aspm=force pcie_aspm.policy=powersupersave nowatchdog"
+      # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
+      "org.zfsbootmenu:commandline": "rw quiet amdgpu.abmlevel=3 pcie_aspm=force pcie_aspm.policy=powersupersave nowatchdog amdgpu.dcdebugmask=0x10"
 
 - name: Install Configuration
   copy:
@@ -65,3 +67,34 @@
   loop:
     - gpe10-boot.service
     - gpe10-sleep.service
+# install swtpm
+# install edk2-ovmf for /usr/share/ovmf/OVMF.fd
+# install qemu-system-x86
+
+# doas qemu-system-x86_64 -cdrom /vm/.iso/Win11_23H2_English_x64v2.iso -cpu Skylake-Client-v3 -enable-kvm -m 8192 —device chardev,socket,id=chrtpm,path=/tmp/emulated_tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -smp 2 -device intel-hda -device hda-duplex -usb -nic user,ipv6=off,model=rtl8139,mac=84:1b:77:c9:03:a6 -bios /usr/share/edk2/x64/OVMF.fd -drive file=/dev/zvol/zroot/freebsd/current/vm/windows/disk0,format=raw,media=disk,if=none,id=nvm -device nvme,drive=nvm,serial=foo,opt_io_size=4096,min_io_size=4096,logical_block_size=4096,physical_block_size=4096
+
+# doas mkdir /tmp/emulated_tpm
+# doas swtpm socket --tpmstate dir=/tmp/emulated_tpm --ctrl type=unixio,path=/tmp/emulated_tpm/swtpm-sock --log level=20 --tpm2
+
+- name: Build aur packages
+  register: buildaur
+  become_user: "{{ build_user.name }}"
+  command: "aurutils-sync --no-view {{ item }}"
+  args:
+    creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+  loop:
+    - fw-ectool-git
+
+- name: Update cache
+  when: buildaur.changed
+  pacman:
+    name: []
+    state: present
+    update_cache: true
+
+- name: Install packages
+  package:
+    name:
+      - fw-ectool-git
+      - wireless-regdb
+    state: present

ansible/roles/graphics/tasks/freebsd_intel.yaml

@@ -8,7 +8,6 @@
       - libva-utils # for vainfo
       - vdpauinfo # for vdpauinfo
       - libvdpau-va-gl # vdpau support
-      - igt-gpu-tools # for intel_gpu_top
       - vulkan-tools # For vulkaninfo
     state: present
 

ansible/roles/jail/files/fstab_bastion

@@ -1,4 +1,4 @@
 tmpfs /jail/bastion/tmp tmpfs rw,mode=777 0 0
 tmpfs /jail/bastion/var/run tmpfs rw,mode=755 0 0
 
-/jail/certificate/usr/local/etc/letsencrypt/archive/stuff.fizz.buzz       /jail/bastion/stuff.fizz.buzz     nullfs    ro,noexec     0      0
+/jail/certificate/usr/local/etc/letsencrypt       /jail/bastion/letsencrypt     nullfs    ro,noexec     0      0

ansible/roles/jail/files/jails/dagger.conf

@@ -6,6 +6,8 @@ dagger {
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
     exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
 
+    devfs_ruleset = 15;
+    mount.devfs;
     mount.fstab = "/etc/fstab.${name}";
 
     exec.start += "/bin/sh /etc/rc";

ansible/roles/jail/files/jails/momlaptop.conf

@@ -0,0 +1,15 @@
+momlaptop {
+    path = "/jail/${name}";
+    vnet;
+    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
+    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+    vnet.interface += "jail${name}";
+
+    devfs_ruleset = 14;
+    mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";
+
+    exec.start += "/bin/sh /etc/rc";
+    exec.stop = "/bin/sh /etc/rc.shutdown jail";
+    exec.consolelog = "/var/log/jail_${name}_console.log";
+}

ansible/roles/jail_bastion/files/nginx.conf

@@ -36,8 +36,8 @@ http {
 
         include conf.d/tls_settings.include;
         # RSA
-        ssl_certificate /stuff.fizz.buzz/fullchain1.pem;
+        ssl_certificate /letsencrypt/live/stuff.fizz.buzz/fullchain.pem;
-        ssl_certificate_key /stuff.fizz.buzz/privkey1.pem;
+        ssl_certificate_key /letsencrypt/live/stuff.fizz.buzz/privkey.pem;
 
         # Nginx by default only allows file uploads up to 1M in size
         client_max_body_size 50M;

ansible/roles/jail_bastion/tasks/freebsd.yaml

@@ -17,7 +17,7 @@
     owner: root
     group: wheel
   loop:
-    - /stuff.fizz.buzz
+    - /letsencrypt
     - /etc/rc.conf.d
     - /usr/local/etc/nginx/conf.d
 

ansible/roles/jail_momlaptop/files/headers.include

@@ -0,0 +1,15 @@
+# Enable HTTP Strict Transport Security (HSTS) to force clients to
+# always connect via HTTPS (do not use if only testing)
+add_header Strict-Transport-Security "max-age=31536000;" always;
+# Enable cross-site filter (XSS) and tell browser to block detected
+# attacks
+add_header X-XSS-Protection "1; mode=block" always;
+# Prevent some browsers from MIME-sniffing a response away from the
+# declared Content-Type
+add_header X-Content-Type-Options "nosniff" always;
+# Disallow the site to be rendered within a frame (clickjacking
+# protection)
+add_header X-Frame-Options "DENY" always;
+
+# Indicate that we are serving http3 on port 443
+add_header Alt-Svc 'h3=":8033"; ma=864000';

ansible/roles/jail_momlaptop/files/newsyslog.conf

@@ -0,0 +1,2 @@
+# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
+/var/log/nginx/*.log			640  5	   1000	@T00 GYC /var/run/nginx.pid SIGUSR1

ansible/roles/jail_momlaptop/files/nginx.conf

@@ -0,0 +1,48 @@
+worker_processes  auto;
+user  www www;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    types {
+        text/plain log;
+    }
+
+    sendfile        on;
+    tcp_nopush     on;
+    tcp_nodelay    on;
+    gzip  on;
+
+    include conf.d/headers.include;
+
+    server {
+        listen 443 quic reuseport;
+        listen [::]:443 quic reuseport;
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        http2  on;
+
+        server_name momlaptop.fizz.buzz;
+
+        include conf.d/tls_settings.include;
+        # RSA
+        ssl_certificate /momlaptop.fizz.buzz/tls.crt;
+        ssl_certificate_key /momlaptop.fizz.buzz/tls.key;
+
+        # Nginx by default only allows file uploads up to 50M in size
+        client_max_body_size 50M;
+
+        location / {
+            auth_basic           "Stuff";
+            auth_basic_user_file conf.d/htpasswd;
+
+            alias /srv/http/;
+            autoindex on;
+        }
+    }
+}

ansible/roles/jail_momlaptop/files/nginx_rc.conf

@@ -0,0 +1 @@
+nginx_enable="YES"

ansible/roles/jail_momlaptop/files/proxy.include

@@ -0,0 +1,9 @@
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+# Settings for keepalive module for upstreams
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+# Requests sent with early data are subject to replay attacks so the application needs to protect against that by using the Early-Data header.
+# proxy_set_header Early-Data $ssl_early_data;

ansible/roles/jail_momlaptop/files/tls_settings.include

@@ -0,0 +1,3 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;

ansible/roles/jail_momlaptop/meta/main.yaml

@@ -0,0 +1,2 @@
+dependencies:
+  - syslog

ansible/roles/jail_momlaptop/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+# - include_tasks:
+#     file: tasks/peruser.yaml
+#     apply:
+#       become: yes
+#       become_user: "{{ initialize_user }}"
+#   when: users is defined
+#   loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+#   loop_control:
+#     loop_var: initialize_user

ansible/roles/jail_momlaptop/tasks/freebsd.yaml

@@ -0,0 +1,81 @@
+- name: Create www group
+  group:
+    name: www
+
+- name: Create www user
+  user:
+    name: www
+    home: /srv/http
+    createhome: false
+    group: www
+
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - /momlaptop.fizz.buzz
+    - /etc/rc.conf.d
+    - /usr/local/etc/nginx/conf.d
+
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: www
+    group: www
+  loop:
+    - /srv/http
+
+- name: Install packages
+  package:
+    name:
+      - nginx
+    state: present
+
+# validate fails because nginx config relies on a local mime.types
+- name: Install Configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - src: nginx.conf
+      dest: /usr/local/etc/nginx/nginx.conf
+    - src: headers.include
+      dest: /usr/local/etc/nginx/conf.d/headers.include
+    - src: proxy.include
+      dest: /usr/local/etc/nginx/conf.d/proxy.include
+    - src: tls_settings.include
+      dest: /usr/local/etc/nginx/conf.d/tls_settings.include
+      # Generate htpasswd with `htpasswd -c files/htpasswd user1`
+      # or `printf "USER:$(openssl passwd)\n" >> files/htpasswd`
+    - src: htpasswd
+      dest: /usr/local/etc/nginx/conf.d/htpasswd
+
+- name: Install newsyslog configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: newsyslog.conf
+      dest: /usr/local/etc/newsyslog.conf.d/nginx.conf
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - nginx

ansible/roles/jail_momlaptop/tasks/linux.yaml

@@ -0,0 +1,29 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
+
+# - name: Enable services
+#   systemd:
+#     enabled: yes
+#     name: "{{ item }}"
+#     daemon_reload: yes
+#   loop:
+#     - foo.service

ansible/roles/jail_momlaptop/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  # when: foo is defined

ansible/roles/jail_momlaptop/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf

@@ -6,6 +6,7 @@
         "subnet4": [
             {
                 "subnet": "10.215.1.0/24",
+                "id": 1,
                 "pools": [ { "pool": "10.215.1.10-10.215.1.200" } ],
                 "option-data": [
                     {
@@ -61,12 +62,12 @@
                     },
                     {
                         // admin_git
-                        "hw-address": "58:9c:fc:10:fc:5a",
+                        "hw-address": "06:4c:9f:0e:e2:cc",
                         "ip-address": "10.215.1.210"
                     },
                     {
                         // public_dns
-                        "hw-address": "58:9c:fc:10:ff:80",
+                        "hw-address": "06:81:a6:f4:ab:24",
                         "ip-address": "10.215.1.211"
                     },
                     {
@@ -88,6 +89,11 @@
                         // bastion - hard-coded in rc.conf, reproduced here to reserve ip
                         "hw-address": "06:ca:1a:10:74:09",
                         "ip-address": "10.215.1.217"
+                    },
+                    {
+                        // momlaptop - hard-coded in rc.conf, reproduced here to reserve ip
+                        "hw-address": "06:85:69:c5:6a:d6",
+                        "ip-address": "10.215.1.218"
                     }
                 ]
             }

ansible/roles/kubernetes/files/k8s_remove_finalizers_pipeline_runs

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+kubectl get pipelinerun --all-namespaces -o go-template='{{range .items}}{{.metadata.namespace}}/{{.metadata.name}}{{"\n"}}{{end}}' | while read p; do namespace=$(cut -d '/' -f 1 <<<"$p"); name=$(cut -d '/' -f 2 <<<"$p"); kubectl patch pipelinerun -n "$namespace" "$name" -p '{"metadata":{"finalizers":null}}' --type=merge; done

ansible/roles/kubernetes/files/kshell

@@ -13,7 +13,7 @@ function cleanup {
     done
 }
 pods=()
-for sig in EXIT INT QUIT HUP TERM; do
+for sig in EXIT; do
   trap "set +e; cleanup" "$sig"
 done
 

ansible/roles/launch_keyboard/files/launch_keyboard_layout.json

@@ -508,98 +508,372 @@
     ]
   },
   "key_leds": {
-    "K00": null,
+    "K00": [
-    "K01": null,
+      0,
-    "K02": null,
+      0
-    "K03": null,
+    ],
-    "K04": null,
+    "K01": [
-    "K05": null,
+      0,
-    "K06": null,
+      0
-    "K07": null,
+    ],
-    "K08": null,
+    "K02": [
-    "K09": null,
+      0,
-    "K0A": null,
+      0
-    "K0B": null,
+    ],
-    "K0C": null,
+    "K03": [
-    "K0D": null,
+      0,
-    "K0E": null,
+      0
-    "K10": null,
+    ],
-    "K11": null,
+    "K04": [
-    "K12": null,
+      0,
-    "K13": null,
+      0
-    "K14": null,
+    ],
-    "K15": null,
+    "K05": [
-    "K16": null,
+      0,
-    "K17": null,
+      0
-    "K18": null,
+    ],
-    "K19": null,
+    "K06": [
-    "K1A": null,
+      0,
-    "K1B": null,
+      0
-    "K1C": null,
+    ],
-    "K1D": null,
+    "K07": [
-    "K1E": null,
+      0,
-    "K20": null,
+      0
-    "K21": null,
+    ],
-    "K22": null,
+    "K08": [
-    "K23": null,
+      0,
-    "K24": null,
+      0
-    "K25": null,
+    ],
-    "K26": null,
+    "K09": [
-    "K27": null,
+      0,
-    "K28": null,
+      0
-    "K29": null,
+    ],
-    "K2A": null,
+    "K0A": [
-    "K2B": null,
+      0,
-    "K2C": null,
+      0
-    "K2D": null,
+    ],
-    "K2E": null,
+    "K0B": [
-    "K30": null,
+      0,
-    "K31": null,
+      0
-    "K32": null,
+    ],
-    "K33": null,
+    "K0C": [
-    "K34": null,
+      0,
-    "K35": null,
+      0
-    "K36": null,
+    ],
-    "K37": null,
+    "K0D": [
-    "K38": null,
+      0,
-    "K39": null,
+      0
-    "K3A": null,
+    ],
-    "K3B": null,
+    "K0E": [
-    "K3C": null,
+      0,
-    "K3D": null,
+      0
-    "K40": null,
+    ],
-    "K41": null,
+    "K10": [
-    "K42": null,
+      0,
-    "K43": null,
+      0
-    "K44": null,
+    ],
-    "K45": null,
+    "K11": [
-    "K46": null,
+      0,
-    "K47": null,
+      0
-    "K48": null,
+    ],
-    "K49": null,
+    "K12": [
-    "K4A": null,
+      0,
-    "K4B": null,
+      0
-    "K4C": null,
+    ],
-    "K50": null,
+    "K13": [
-    "K51": null,
+      0,
-    "K52": null,
+      0
-    "K53": null,
+    ],
-    "K54": null,
+    "K14": [
-    "K55": null,
+      0,
-    "K56": null,
+      0
-    "K57": null,
+    ],
-    "K58": null,
+    "K15": [
-    "K59": null,
+      0,
-    "K5A": null,
+      0
-    "K5B": null
+    ],
+    "K16": [
+      0,
+      0
+    ],
+    "K17": [
+      0,
+      0
+    ],
+    "K18": [
+      0,
+      0
+    ],
+    "K19": [
+      0,
+      0
+    ],
+    "K1A": [
+      0,
+      0
+    ],
+    "K1B": [
+      0,
+      0
+    ],
+    "K1C": [
+      0,
+      0
+    ],
+    "K1D": [
+      0,
+      0
+    ],
+    "K1E": [
+      0,
+      0
+    ],
+    "K20": [
+      0,
+      0
+    ],
+    "K21": [
+      0,
+      0
+    ],
+    "K22": [
+      0,
+      0
+    ],
+    "K23": [
+      0,
+      0
+    ],
+    "K24": [
+      0,
+      0
+    ],
+    "K25": [
+      0,
+      0
+    ],
+    "K26": [
+      0,
+      0
+    ],
+    "K27": [
+      0,
+      0
+    ],
+    "K28": [
+      0,
+      0
+    ],
+    "K29": [
+      0,
+      0
+    ],
+    "K2A": [
+      0,
+      0
+    ],
+    "K2B": [
+      0,
+      0
+    ],
+    "K2C": [
+      0,
+      0
+    ],
+    "K2D": [
+      0,
+      0
+    ],
+    "K2E": [
+      0,
+      0
+    ],
+    "K30": [
+      0,
+      0
+    ],
+    "K31": [
+      0,
+      0
+    ],
+    "K32": [
+      0,
+      0
+    ],
+    "K33": [
+      0,
+      0
+    ],
+    "K34": [
+      0,
+      0
+    ],
+    "K35": [
+      0,
+      0
+    ],
+    "K36": [
+      0,
+      0
+    ],
+    "K37": [
+      0,
+      0
+    ],
+    "K38": [
+      0,
+      0
+    ],
+    "K39": [
+      0,
+      0
+    ],
+    "K3A": [
+      0,
+      0
+    ],
+    "K3B": [
+      0,
+      0
+    ],
+    "K3C": [
+      0,
+      0
+    ],
+    "K3D": [
+      0,
+      0
+    ],
+    "K40": [
+      0,
+      0
+    ],
+    "K41": [
+      0,
+      0
+    ],
+    "K42": [
+      0,
+      0
+    ],
+    "K43": [
+      0,
+      0
+    ],
+    "K44": [
+      0,
+      0
+    ],
+    "K45": [
+      0,
+      0
+    ],
+    "K46": [
+      0,
+      0
+    ],
+    "K47": [
+      0,
+      0
+    ],
+    "K48": [
+      0,
+      0
+    ],
+    "K49": [
+      0,
+      0
+    ],
+    "K4A": [
+      0,
+      0
+    ],
+    "K4B": [
+      0,
+      0
+    ],
+    "K4C": [
+      0,
+      0
+    ],
+    "K50": [
+      0,
+      0
+    ],
+    "K51": [
+      0,
+      0
+    ],
+    "K52": [
+      0,
+      0
+    ],
+    "K53": [
+      0,
+      0
+    ],
+    "K54": [
+      0,
+      0
+    ],
+    "K55": [
+      0,
+      0
+    ],
+    "K56": [
+      0,
+      0
+    ],
+    "K57": [
+      0,
+      0
+    ],
+    "K58": [
+      0,
+      0
+    ],
+    "K59": [
+      0,
+      0
+    ],
+    "K5A": [
+      0,
+      0
+    ],
+    "K5B": [
+      0,
+      0
+    ]
   },
   "layers": [
     {
       "mode": [
-        7,
+        0,
         127
       ],
-      "brightness": 135,
+      "brightness": 109,
+      "color": [
+        0,
+        0
+      ]
+    },
+    {
+      "mode": [
+        13,
+        127
+      ],
+      "brightness": 109,
+      "color": [
+        21,
+        255
+      ]
+    },
+    {
+      "mode": [
+        13,
+        127
+      ],
+      "brightness": 109,
       "color": [
         142,
         255
@@ -610,29 +884,7 @@
         13,
         127
       ],
-      "brightness": 135,
+      "brightness": 109,
-      "color": [
-        142,
-        255
-      ]
-    },
-    {
-      "mode": [
-        13,
-        127
-      ],
-      "brightness": 135,
-      "color": [
-        142,
-        255
-      ]
-    },
-    {
-      "mode": [
-        13,
-        127
-      ],
-      "brightness": 135,
       "color": [
         142,
         255

ansible/roles/linfi/defaults/main.yaml

@@ -0,0 +1,7 @@
+# linfi:
+#   enabled: true
+#   zfs_dataset: zroot/freebsd/current/vm/linfi
+#   zfs_mountpoint: /vm/linfi
+#   driver_blocklist: "if_iwm if_iwlwifi"
+#   pci_blocklist: "1/0/0"
+#   amd: true

ansible/roles/linfi/files/launch_linfi.bash

@@ -0,0 +1,239 @@
+#!/usr/local/bin/bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Share a host directory to the guest via 9pfs.
+#
+# Inside the VM run:
+#   mount -t virtfs -o trans=virtio sharename /some/vm/path
+#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
+#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 sharename /path/to/mountpoint
+# bhyve_options="-s 28,virtio-9p,sharename=/"
+
+# Enable Sound
+# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
+
+# Example usage:
+#
+#   doas bhyve_netgraph_bridge create-disk zdata/vm/poudriere /vm/poudriere 10
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere
+
+: ${VERBOSE:="NO"} # or YES
+: ${CPU_CORES:="1"}
+: ${MEMORY:="1G"}
+: ${NETWORK:="NAT"} # or RAW or BOTH
+: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
+: ${INTERFACE_NAME:="linfi_host"} # or the external interface like lagg0 for RAW networks
+: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
+: ${VNC_ENABLE:="NO"}
+: ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
+: ${PASSTHROUGH:="1/0/0"}
+
+if [ "$VERBOSE" = "YES" ]; then
+    set -x
+fi
+
+############## Setup #########################
+
+function cleanup {
+    for vm in "${vms[@]}"; do
+        log "Destroying bhyve vm $vm"
+        bhyvectl "--vm=$vm" --destroy
+        log "Destroyed bhyve vm $vm"
+    done
+}
+vms=()
+for sig in EXIT; do
+  trap "set +e; sleep 10; cleanup" "$sig"
+done
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
+
+function main {
+    local cmd="$1"
+    shift 1
+    if [ "$cmd" = "create-disk" ]; then
+        create_disk "${@}"
+    elif [ "$cmd" = "start" ]; then
+        start_vm "${@}"
+    else
+        die 1 "Unrecognized command $cmd"
+    fi
+}
+
+function create_disk {
+    local zfs_path="$1"
+    local mount_path="$2"
+    local gigabytes="$3"
+    zfs create -o "mountpoint=$mount_path" "$zfs_path"
+    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
+    tee "${mount_path}/settings" <<EOF
+CPU_CORES="$CPU_CORES"
+MEMORY="$MEMORY"
+NETWORK="$NETWORK"
+IP_RANGE="$IP_RANGE"
+BRIDGE_NAME="$BRIDGE_NAME"
+INTERFACE_NAME="$INTERFACE_NAME"
+EOF
+    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none -o volblocksize=64K "$zfs_path/disk0"
+}
+
+function start_vm {
+    local name="$1"
+    local zfs_path="$2"
+    local mount_path="$3"
+    local mount_cd="${4:-}"
+
+    if [ -e "${mount_path}/settings" ]; then
+        source "${mount_path}/settings"
+    fi
+
+    local additional_args=()
+    local host_interface_name="linfi_host"
+    local bridge_name="linfi_bridge"
+
+    assert_bridge "$host_interface_name" "$bridge_name"
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")
+    local bridge_link_name
+    bridge_link_name=$(detect_available_link "${bridge_name}")
+    additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+
+
+    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
+         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
+             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
+            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
+
+    # TODO: Look into using nmdm instead of stdio for serial console
+    if [ -n "$mount_cd" ]; then
+        additional_args+=("-s" "5,ahci-cd,$mount_cd")
+    fi
+    if [ "$VNC_ENABLE" = "YES" ]; then
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
+    fi
+    vms+=("$name")
+
+    while true; do
+        set -x
+        set +e
+        bhyve \
+            -D \
+            -c sockets=1,cores=1,threads=1 \
+            -m "$MEMORY" \
+            -H \
+            -w \
+            -o 'rtc.use_localtime=false' \
+            -s 0,hostbridge \
+            -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
+            -S \
+            -s "7,passthru,${PASSTHROUGH}" \
+            -s 30,xhci,tablet \
+            -s 31,lpc -l com1,stdio \
+            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \
+            -U '08421734-875e-11ef-a0f3-f426796942c7' \
+            "${additional_args[@]}" \
+            "$name"
+        local exit_code=$?
+        set -e
+        set +x
+        if [ $exit_code -eq 0 ]; then
+            echo "Rebooting."
+            sleep 5
+        elif [ $exit_code -eq 1 ]; then
+            echo "Powered off."
+            break
+        elif [ $exit_code -eq 2 ]; then
+            echo "Halted."
+            break
+        elif [ $exit_code -eq 3 ]; then
+            echo "Triple fault."
+            break
+        elif [ $exit_code -eq 4 ]; then
+            echo "Exited due to an error."
+            break
+        fi
+    done
+}
+
+function detect_available_link {
+    local bridge_name="$1"
+    local linknum=1
+    while true; do
+        local link_name="link${linknum}"
+        if ! ng_exists "${bridge_name}:${link_name}"; then
+            echo "$link_name"
+            return
+        fi
+        linknum=$((linknum + 1))
+        if [ "$linknum" -gt 90 ]; then
+            (>&2 echo "No available links on bridge $bridge_name")
+            exit 1
+        fi
+    done
+}
+
+function assert_bridge {
+    local host_interface_name="$1"
+    local bridge_name="$2"
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook $host_interface_name
+EOF
+        ngctl -d -f - <<EOF
+mkpeer ${host_interface_name}: bridge ether link0
+name ${host_interface_name}:ether $bridge_name
+EOF
+        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" 192.168.253.2/24 up
+        route add default 192.168.253.1
+    fi
+}
+
+function ng_exists {
+    ngctl status "${1}" >/dev/null 2>&1
+}
+
+function calculate_mac_address {
+    local name="$1"
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
+    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
+}
+
+function find_available_port {
+    local start_port="$1"
+    local port="$start_port"
+    while true; do
+        sockstat -P tcp -p 443
+        port=$((port + 1))
+    done
+}
+
+function ngctlcat {
+    if [ "$VERBOSE" = "YES" ]; then
+        tee /dev/tty | ngctl -d -f -
+    else
+        ngctl -d -f -
+    fi
+}
+
+
+main "${@}"

ansible/roles/linfi/files/linfi_rc.conf

@@ -0,0 +1 @@
+linfi_enable="YES"

ansible/roles/linfi/meta/main.yaml

@@ -0,0 +1,3 @@
+dependencies:
+  - role: bhyve
+    when: 'os_flavor == "freebsd"'

ansible/roles/linfi/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/linfi/tasks/freebsd.yaml

@@ -0,0 +1,50 @@
+- name: Install loader.conf
+  template:
+    src: "templates/{{ item }}_loader.conf.j2"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - linfi
+
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: launch_linfi.bash
+      dest: /usr/local/bin/launch_linfi
+
+- name: Install rc script
+  template:
+    src: "templates/{{ item.src }}.j2"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: linfi
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - linfi
+
+- name: Install service configuration
+  template:
+    src: "templates/{{ item }}_rc.conf.j2"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - devmatch

ansible/roles/linfi/tasks/linux.yaml

@@ -0,0 +1,29 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
+
+# - name: Enable services
+#   systemd:
+#     enabled: yes
+#     name: "{{ item }}"
+#     daemon_reload: yes
+#   loop:
+#     - foo.service

ansible/roles/linfi/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: linfi is defined and linfi.enabled

ansible/roles/linfi/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/linfi/templates/devmatch_rc.conf.j2

@@ -0,0 +1,2 @@
+devmatch_enable="YES"
+devmatch_blocklist="{{ linfi.driver_blocklist }}"

ansible/roles/linfi/templates/linfi.j2

@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# PROVIDE: linfi
+# REQUIRE: LOGIN
+# KEYWORD: shutdown nojail
+. /etc/rc.subr
+name=linfi
+rcvar=${name}_enable
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+status_cmd="${name}_status"
+load_rc_config $name
+
+tmux_name="linfi"
+
+linfi_start() {
+    /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env PASSTHROUGH='{{ linfi.pci_blocklist }}' /usr/local/bin/bash /usr/local/bin/launch_linfi start linfi {{ linfi.zfs_dataset }} {{ linfi.zfs_mountpoint }}"
+    # /vm/.iso/alpine-extended-3.20.3-x86_64.iso
+}
+
+linfi_status() {
+    if /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null; then
+        echo "$tmux_name is running."
+    else
+        echo "$tmux_name is not running."
+        return 1
+    fi
+}
+
+linfi_stop() {
+    /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null && (
+        /usr/local/bin/tmux kill-session -t $tmux_name
+        sleep 10
+        bhyvectl --vm=linfi --destroy
+        # kill `cat /var/run/linfi.pid`
+    )
+    linfi_wait_for_end
+}
+
+linfi_wait_for_end() {
+    while /usr/local/bin/tmux has-session -t $tmux_name 2>dev/null; do
+        sleep 1
+    done
+}
+
+run_rc_command "$1"

ansible/roles/linfi/templates/linfi_loader.conf.j2

@@ -0,0 +1,5 @@
+vmm_load="YES"
+pptdevs="{{ linfi.pci_blocklist }}"
+{% if linfi.amd %}
+hw.vmm.amdvi.enable="1"
+{% endif %}

ansible/roles/media/files/cast_file_vaapi

@@ -4,7 +4,23 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
+: ${VIDEO_BITRATE:="1M"} # Only for encoding modes targeting bitrate
+: ${AUDIO_BITRATE:="192k"}
 
+############## Setup #########################
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
 
 function main {
     local cmd
@@ -12,14 +28,10 @@ function main {
     shift
     if [ "$cmd" = "copy" ]; then
         copy "${@}"
-    elif [ "$cmd" = "h264" ]; then
+    elif [ "$cmd" = "convert" ]; then
-        h264 "${@}"
+        convert "${@}"
-    elif [ "$cmd" = "software_h264" ]; then
+    elif [ "$cmd" = "stream" ]; then
-        software_h264 "${@}"
+        stream "${@}"
-    elif [ "$cmd" = "preprocess_h264" ]; then
-        preprocess_h264 "${@}"
-    elif [ "$cmd" = "preprocess_vp8" ]; then
-        preprocess_vp8 "${@}"
     elif [ "$cmd" = "webcam" ]; then
         webcam "${@}"
     elif [ "$cmd" = "encode_webcam" ]; then
@@ -38,104 +50,118 @@ function copy {
     USERNAME="$1"
     PASSWORD="$2"
 
-    exec ffmpeg \
+    set -x
+    </dev/null exec ffmpeg \
         -re \
         -stream_loop -1 \
         -i "$file_to_cast" \
         -c copy \
+        -strict experimental \
         -f rtsp \
-        -rtsp_transport udp \
+        -rtsp_transport tcp \
         "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
 }
 
-function h264 {
+function convert {
-    local file_to_cast
+    local args=()
-    file_to_cast="$3"
+    local acceleration_type="$1" # "software" or "hardware"
+    local codec="$2" # "h264" or "av1"
+    local file_to_cast="$3"
+    local file_to_save="$4"
+
+
+
+    # Verify parameters
+
+
+    if [ "$acceleration_type" == "software" ]; then
+        true
+    elif [ "$acceleration_type" == "hardware" ]; then
+        true
+    else
+        die 1 "Unknown acceleration type: $acceleration_type"
+    fi
+
+    if [ "$codec" == "h264" ]; then
+        true
+    elif [ "$codec" == "av1" ]; then
+        true
+    else
+        die 1 "Unknown codec: $codec"
+    fi
+
+
+
+    # Build command
+
+
+
+    if [ "$acceleration_type" == "software" ]; then
+        true
+    elif [ "$acceleration_type" == "hardware" ]; then
+        args+=(-vaapi_device /dev/dri/renderD128)
+    fi
+
+    args+=(-i "$file_to_cast")
+
+    if [ "$codec" == "h264" ]; then
+        if [ "$acceleration_type" == "software" ]; then
+            args+=(-c:v h264)
+            args+=(-profile:v high)
+            args+=(-b:v "$VIDEO_BITRATE")
+        elif [ "$acceleration_type" == "hardware" ]; then
+            args+=(-vf 'format=nv12|vaapi,hwupload')
+            args+=(-c:v h264_vaapi)
+            args+=(-profile:v high)
+            args+=(-b:v "$VIDEO_BITRATE")
+        fi
+    elif [ "$codec" == "av1" ]; then
+        if [ "$acceleration_type" == "software" ]; then
+            args+=(-c:v libsvtav1)
+            args+=(-preset 4) # [0-13] default 10, lower = higher quality / slower encode
+            args+=(-crf 20) # [0-63] default 35, lower = higher quality / larger file
+            # Parameters: https://gitlab.com/AOMediaCodec/SVT-AV1/-/blob/master/Docs/Parameters.md
+            # fast-decode [0-2] default 0 (off), higher = faster decode
+            # tune [0-2] default 1, Specifies whether to use PSNR or VQ as the tuning metric [0 = VQ, 1 = PSNR, 2 = SSIM]
+            # film-grain-denoise, setting to 0 uses the original frames instead of denoising the film grain
+            args+=(-svtav1-params "fast-decode=1:film-grain-denoise=0")
+        elif [ "$acceleration_type" == "hardware" ]; then
+            # -c:v av1_amf -quality quality
+            args+=(-vf 'format=nv12|vaapi,hwupload')
+            args+=(-c:v av1_vaapi)
+            args+=(-b:v "$VIDEO_BITRATE")
+        fi
+    fi
+
 
-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
 
     # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    exec ffmpeg \
+    args+=(-bf 0)
-        -re \
+    args+=(-strict -2)
-        -stream_loop -1 \
+    args+=(-c:a opus)
-        -init_hw_device vaapi=foo:/dev/dri/renderD128 \
+    args+=(-ac 2)
-        -hwaccel vaapi \
+    args+=(-b:a "$AUDIO_BITRATE")
-        -hwaccel_output_format vaapi \
+    args+=(-ar 48000)
-        -hwaccel_device foo \
+    args+=("$file_to_save")
-        -i "$file_to_cast" \
+    set -x
-        -filter_hw_device foo \
+    </dev/null exec ffmpeg "${args[@]}"
-        -vf 'format=nv12|vaapi,hwupload' \
-        -c:v h264_vaapi \
-        -bf 0 \
-        -c:a aac \
-        -b:a 160k \
-        -ar 44100 \
-        -f rtsp \
-        -rtsp_transport udp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
 }
 
-function software_h264 {
+function stream {
-    local file_to_cast
+    local args=()
-    file_to_cast="$3"
+    local acceleration_type="$1" # "software" or "hardware"
+    local codec="$2" # "h264" or "av1"
 
-    local USERNAME PASSWORD
+    local USERNAME="$3"
-    USERNAME="$1"
+    local PASSWORD="$4"
-    PASSWORD="$2"
+    local file_to_cast="$5"
 
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    exec ffmpeg \
-        -re \
-        -stream_loop -1 \
-        -i "$file_to_cast" \
-        -c:v h264 \
-        -bf 0 \
-        -c:a aac \
-        -b:a 160k \
-        -ar 44100 \
-        -f rtsp \
-        -rtsp_transport udp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
 
-function preprocess_h264 {
+    args+=(-re -stream_loop -1)
-    local file_to_cast file_to_save
-    file_to_cast="$1"
-    file_to_save="$2"
 
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
+    args+=(-f rtsp)
-    exec ffmpeg \
+    args+=(-rtsp_transport tcp)
-        -i "$file_to_cast" \
+    args+=("rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch")
-        -c:v h264 \
-        -bf 0 \
-        -c:a aac \
-        -b:a 160k \
-        -ar 44100 \
-        "$file_to_save"
-}
-
-function preprocess_vp8 {
-    local file_to_cast file_to_save
-    file_to_cast="$1"
-    file_to_save="$2"
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    # -strict -2 :: Enable support for experimental codecs like opus.
-    # -b:v 1M :: Target 1 megabit/s
-    # -crf 10 :: Target a quality level and adjust bitrate accordingly. This should be preferred, but ideally both should be used.
-    exec ffmpeg \
-        -i "$file_to_cast" \
-        -c:v vp8 \
-        -b:v 1M \
-        -crf 10 \
-        -bf 0 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        -strict -2 \
-        "$file_to_save"
 }
 
 function webcam {
@@ -145,7 +171,9 @@ function webcam {
     USERNAME="$1"
     PASSWORD="$2"
 
-    exec ffmpeg \
+    set -x
+
+    </dev/null exec ffmpeg \
         -re \
         -input_format h264 \
         -video_size 1920x1080 \
@@ -153,7 +181,7 @@ function webcam {
         -c:v copy \
         -an \
         -f rtsp \
-        -rtsp_transport udp \
+        -rtsp_transport tcp \
         "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
 }
 
@@ -164,7 +192,9 @@ function encode_webcam {
     USERNAME="$1"
     PASSWORD="$2"
 
-    exec ffmpeg \
+    set -x
+
+    </dev/null exec ffmpeg \
         -re \
         -vaapi_device /dev/dri/renderD128 \
         -i /dev/video0 \
@@ -172,8 +202,36 @@ function encode_webcam {
         -c:v h264_vaapi \
         -an \
         -f rtsp \
-        -rtsp_transport udp \
+        -rtsp_transport tcp \
         "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
 }
 
+function speed_up_preprocess_vp8 {
+    local file_to_cast file_to_save
+    file_to_cast="$1"
+    file_to_save="$2"
+
+    set -x
+
+    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
+    # -strict -2 :: Enable support for experimental codecs like opus.
+    # -b:v 2M :: Target 2 megabit/s
+    # -crf 10 :: Target a quality level and adjust bitrate accordingly. This should be preferred, but ideally both should be used.
+    # Could also use -filter_complex "[0:v]setpts=0.5*PTS[v];[0:a]atempo=2.0[a]" -map "[v]" -map "[a]"
+    </dev/null exec ffmpeg \
+               -i "$file_to_cast" \
+               -filter:v "setpts=0.66666666*PTS" \
+               -filter:a "atempo=1.5" \
+               -c:v vp8 \
+               -b:v 2M \
+               -crf 10 \
+               -bf 0 \
+               -c:a opus \
+               -b:a 320k \
+               -ar 48000 \
+               -strict -2 \
+               "$file_to_save"
+}
+
+
 main "${@}"

ansible/roles/media/tasks/freebsd.yaml

@@ -5,3 +5,17 @@
       # - youtube_dl
       - yt-dlp
     state: present
+
+- name: Install packages
+  when: install_graphics
+  package:
+    name:
+      - mkvtoolnix # for mkvmerge
+    state: present
+
+- name: Install packages
+  when: not install_graphics
+  package:
+    name:
+      - mkvtoolnix-nogui # for mkvmerge
+    state: present

ansible/roles/media/tasks/linux.yaml

@@ -1,3 +1,5 @@
+# Maybe install https://github.com/alexheretic/ab-av1 to find good crf values for encoding
+
 - name: Build aur packages
   register: buildaur
   become_user: "{{ build_user.name }}"
@@ -19,4 +21,5 @@
     name:
       - yt-dlp
       - go-chromecast-git
+      - mkvtoolnix-cli # for mkvmerge
     state: present

ansible/roles/network/files/homeserver_network.conf

@@ -1,4 +1,4 @@
-wlans_ath0="wlan0"
+# wlans_ath0="wlan0"
-ifconfig_wlan0="WPA DHCP"
+# ifconfig_wlan0="WPA DHCP"
-ifconfig_wlan0_ipv6="inet6 accept_rtadv"
+# ifconfig_wlan0_ipv6="inet6 accept_rtadv"
-ipv6_cpe_wanif="wlan0"
+# ipv6_cpe_wanif="wlan0"

ansible/roles/network/files/main.conf

@@ -1,10 +1,6 @@
-[Network]
-# NameResolvingService=resolvconf
-NameResolvingService=systemd
-
 [General]
-EnableNetworkConfiguration=True
+EnableNetworkConfiguration=true
-# route_priority_offset=300
+# AddressRandomization=network
 
-# [Scan]
+# Needed for Qualcomm WCN785x
-# DisablePeriodicScan=true
+ControlPortOverNL80211=false

ansible/roles/network/files/mrmanager_network.conf

@@ -3,3 +3,5 @@ ifconfig_igb0="up"
 ifconfig_igb1="up"
 ifconfig_lagg0="up laggproto failover laggport igb0 laggport igb1"
 ifconfig_lagg0_alias0="inet 74.80.180.138 netmask 255.255.255.248"
+ifconfig_lagg0_ipv6="inet6 2620:11f:7001:7::2/64"
+ifconfig_lagg0_alias1="inet6 2620:11f:7001:7::3 prefixlen 64"

ansible/roles/network/files/mrmanager_routing.conf

@@ -1,3 +1,4 @@
 defaultrouter="74.80.180.137"
+ipv6_defaultrouter="2620:11f:7001:7::1"
 gateway_enable="YES"
 ipv6_gateway_enable="YES"

ansible/roles/network/files/next_hop_freebsd.bash

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec route get "${@}"

ansible/roles/network/files/next_hop_linux.bash

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec ip route get "${@}"

ansible/roles/network/files/odofreebsd_network.conf

@@ -1,4 +1,4 @@
-wlans_iwlwifi0="wlan0"
+# wlans_iwlwifi0="wlan0"
-ifconfig_wlan0="WPA DHCP"
+# ifconfig_wlan0="WPA DHCP"
-ifconfig_wlan0_ipv6="inet6 accept_rtadv"
+# ifconfig_wlan0_ipv6="inet6 accept_rtadv"
-ipv6_cpe_wanif="wlan0"
+# ipv6_cpe_wanif="wlan0"

ansible/roles/network/tasks/freebsd.yaml

@@ -40,6 +40,7 @@
     name: "{{ item.name }}"
     value: "{{ item.value }}"
     state: present
+    reload: false
     sysctl_file: "/etc/sysctl.conf.local"
   loop:
     - name: net.inet6.ip6.use_tempaddr # Enable privacy addresses
@@ -74,3 +75,14 @@
   file:
     path: "/etc/rc.conf.d/ip6addrctl"
     state: absent
+
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: next_hop_freebsd.bash
+      dest: /usr/local/bin/next_hop

ansible/roles/network/tasks/linux.yaml

@@ -58,3 +58,14 @@
     - iwd.service
     # - systemd-networkd.service
     - systemd-resolved.service
+
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: next_hop_linux.bash
+      dest: /usr/local/bin/next_hop

ansible/roles/nix/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user