ansible/environments/home/host_vars/homeserver

@@ -4,7 +4,6 @@ pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/14broadwell-repo/FreeBSD:14:a
 zfs_snapshot_datasets:
   - path: zroot/freebsd/computer/be
   - path: zmass/encrypted/vm
-  - path: zmass/encrypted/data
 users:
   talexander:
     initialize: true
@@ -25,8 +24,6 @@ users:
     gitconfig: "gitconfig_home"
 sshd_enabled: true
 sshd_conf: "sshd_config"
-prefer_ipv6: true
-dummynet_config: "dnctl.conf"
 pf_config: "homeserver_pf.conf"
 pflog_conf:
   - name: 0

ansible/environments/laptop/host_vars/odofreebsd

@@ -5,12 +5,10 @@ zfs_snapshot_datasets:
   - path: zroot/freebsd/current/be/default
 sshd_enabled: true
 sshd_conf: "sshd_config"
-pf_config: "odofreebsd_pf.conf"
+#pf_config: "odofreebsd_pf.conf"
-pflog_conf:
+#pflog_conf:
- - name: 0
+#  - name: 0
-   dev: pflog0
+#    dev: pflog0
-prefer_ipv6: true
-dummynet_config: "dnctl.conf"
 network_rc: "odofreebsd_network.conf"
 rc_conf: "odofreebsd_rc.conf"
 loader_conf: "odofreebsd_loader.conf"
@@ -42,7 +40,6 @@ users:
 devfs_rules: "odo_devfs.rules"
 jail_zfs_dataset: zroot/freebsd/current/jails
 jail_zfs_dataset_mountpoint: /jail
-jail_canmount: "on"
 jail_list:
   - name: nat_dhcp
     enabled: true

ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash

@@ -105,8 +105,7 @@ function start_vm {
     local bridge_name="$BRIDGE_NAME"
     local ip_range="$IP_RANGE" # for raw this value does not matter
 
-    local mac_address
+    local mac_address=$(calculate_mac_address "$name")
-    mac_address=$(calculate_mac_address "$name")
 
     local additional_args=()
 
@@ -246,8 +245,7 @@ function ng_exists {
 
 function calculate_mac_address {
     local name="$1"
-    local source
+    local source=$(md5 -r -s "$name" | awk '{print $1}')
-    source=$(md5 -r -s "$name" | awk '{print $1}')
     echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
 }
 

ansible/roles/dummynet/files/dnctl.conf

@@ -1,2 +0,0 @@
-dnctl pipe 1 config bw 100KByte/s
-dnctl pipe 2 config

ansible/roles/dummynet/files/dnctl_rc.conf

@@ -1,2 +0,0 @@
-dnctl_enable="YES"
-dnctl_rules="/etc/dnctl.conf"

ansible/roles/dummynet/tasks/common.yaml

@@ -1,55 +0,0 @@
-# - name: Create directories
-#   file:
-#     name: "{{ item }}"
-#     state: directory
-#     mode: 0755
-#     owner: root
-#     group: wheel
-#   loop:
-#     - /foo/bar
-
-# - name: Install scripts
-#   copy:
-#     src: "files/{{ item.src }}"
-#     dest: "{{ item.dest }}"
-#     mode: 0755
-#     owner: root
-#     group: wheel
-#   loop:
-#     - src: foo.bash
-#       dest: /usr/local/bin/foo
-
-# - name: Install Configuration
-#   copy:
-#     src: "files/{{ item.src }}"
-#     dest: "{{ item.dest }}"
-#     mode: 0600
-#     owner: root
-#     group: wheel
-#   loop:
-#     - src: foo.conf
-#       dest: /usr/local/etc/foo.conf
-
-# - name: Clone Source
-#   git:
-#     repo: "https://foo.bar/baz.git"
-#     dest: /foo/bar
-#     version: "v1.0.2"
-#     force: true
-#   diff: false
-
-- import_tasks: tasks/freebsd.yaml
-  when: 'os_flavor == "freebsd"'
-
-- import_tasks: tasks/linux.yaml
-  when: 'os_flavor == "linux"'
-
-- include_tasks:
-    file: tasks/peruser.yaml
-    apply:
-      become: yes
-      become_user: "{{ initialize_user }}"
-  when: users is defined
-  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
-  loop_control:
-    loop_var: initialize_user

ansible/roles/dummynet/tasks/freebsd.yaml

@@ -1,20 +0,0 @@
-- name: Install Configuration
-  copy:
-    src: "files/{{ item.src }}"
-    dest: "{{ item.dest }}"
-    mode: 0600
-    owner: root
-    group: wheel
-  loop:
-    - src: "{{ dummynet_config }}"
-      dest: /etc/dnctl.conf
-
-- name: Install service configuration
-  copy:
-    src: "files/{{ item }}_rc.conf"
-    dest: "/etc/rc.conf.d/{{ item }}"
-    mode: 0644
-    owner: root
-    group: wheel
-  loop:
-    - dnctl

ansible/roles/dummynet/tasks/linux.yaml

@@ -1,29 +0,0 @@
-# - name: Build aur packages
-#   register: buildaur
-#   become_user: "{{ build_user.name }}"
-#   command: "aurutils-sync --no-view {{ item }}"
-#   args:
-#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
-#   loop:
-#     - foo
-
-# - name: Update cache
-#   when: buildaur.changed
-#   pacman:
-#     name: []
-#     state: present
-#     update_cache: true
-
-# - name: Install packages
-#   package:
-#     name:
-#       - foo
-#     state: present
-
-# - name: Enable services
-#   systemd:
-#     enabled: yes
-#     name: "{{ item }}"
-#     daemon_reload: yes
-#   loop:
-#     - foo.service

ansible/roles/dummynet/tasks/main.yaml

@@ -1,2 +0,0 @@
-- import_tasks: tasks/common.yaml
-  when: (dummynet_config is defined and os_flavor == "freebsd") or (os_flavor == "linux")

ansible/roles/dummynet/tasks/peruser.yaml

@@ -1,29 +0,0 @@
-- include_role:
-    name: per_user
-
-# - name: Create directories
-#   file:
-#     name: "{{ account_homedir.stdout }}/{{ item }}"
-#     state: directory
-#     mode: 0700
-#     owner: "{{ account_name.stdout }}"
-#     group: "{{ group_name.stdout }}"
-#   loop:
-#     - ".config/foo"
-
-# - name: Copy files
-#   copy:
-#     src: "files/{{ item.src }}"
-#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
-#     mode: 0600
-#     owner: "{{ account_name.stdout }}"
-#     group: "{{ group_name.stdout }}"
-#   loop:
-#     - src: foo.conf
-#       dest: .config/foo/foo.conf
-
-- import_tasks: tasks/peruser_freebsd.yaml
-  when: 'os_flavor == "freebsd"'
-
-- import_tasks: tasks/peruser_linux.yaml
-  when: 'os_flavor == "linux"'

ansible/roles/emacs/files/early-init.el

@@ -1,7 +1,7 @@
-(setq gc-cons-threshold (* 128 1024 1024)) ;; 128MiB Increase garbage collection threshold for performance (default 800000)
+(setq gc-cons-threshold (* 128 1024 1024)) ;; Increase garbage collection threshold for performance (default 800000)
 ;; Increase amount of data read from processes, default 4k
 (when (version<= "27.0" emacs-version)
-  (setq read-process-output-max (* 10 1024 1024)) ;; 10MiB
+  (setq read-process-output-max (* 1024 1024)) ;; 1mb
   )
 
 ;; Suppress warnings

ansible/roles/emacs/files/plainmacs

@@ -15,8 +15,7 @@ INIT_SCRIPT=$(cat <<EOF
   ;; Set default font
   (set-face-attribute 'default nil :height 100 :width 'regular :weight 'regular :family "Cascadia Mono")
   ;; Set fallback font for unicode glyphs
-  (when (display-graphic-p)
+  (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji"))
-    (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji")))
   (menu-bar-mode -1)
   (when (fboundp 'tool-bar-mode)
     (tool-bar-mode -1))

ansible/roles/emacs/files/plainmacs_init.el

@@ -11,8 +11,7 @@
   ;; Set default font
   (set-face-attribute 'default nil :height 100 :width 'regular :weight 'regular :family "Cascadia Mono")
   ;; Set fallback font for unicode glyphs
-  (when (display-graphic-p)
+  (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji"))
-    (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji")))
   (menu-bar-mode -1)
   (when (fboundp 'tool-bar-mode)
     (tool-bar-mode -1))

ansible/roles/firefox/defaults/main.yaml

@@ -13,11 +13,3 @@ firefox_config:
   browser.newtabpage.activity-stream.feeds.section.topstories: false
   browser.newtabpage.pinned: "[]"
   browser.newtabpage.activity-stream.section.highlights.includePocket: false
-  # Disable cache when devtools are open.
-  devtools.cache.disabled: true
-  # Do not track header.
-  privacy.donottrackheader.enabled: true
-  # Tell websites not to share or sell my data.
-  privacy.globalprivacycontrol.enabled: true
-  # Disable "studies" (slice testing)
-  app.shield.optoutstudies.enabled: false

ansible/roles/firewall/files/homeserver_pf.conf

@@ -4,7 +4,6 @@ jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
 restricted_nat_v4 = "{ 10.215.2.0/24 }"
 not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }"
-rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
 
 dhcp = "{ bootpc, bootps }"
 allow = "{ wgh wgf }"
@@ -33,32 +32,28 @@ nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0)
 rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
 
 # bastion
-rdr pass on $ext_if inet proto {tcp, udp} from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443
+rdr pass on $ext_if inet proto tcp from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443
 nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.217 port 443 -> 10.215.1.1
 nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 port 8081 -> 10.215.2.1
 
 
 # cloak -> olddagger
-rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
+rdr pass on $ext_if inet proto tcp from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
 nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
 
 # -> sftp
 # TODO: Limit bandwidth for sftp
-rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
+rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
 nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
 
 # Forward ports for unifi controller
-# rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22
+# rdr pass on $ext_if inet proto tcp from any to any port 65022 -> 10.213.177.8 port 22
 rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
 
 # filtering
 block log all
 pass out on $ext_if
 
-# match in on jail_nat from any to any dnpipe 1
-# match in on jail_nat from any to $rfc1918 dnpipe 2
-# match in on restricted_nat from any to any dnpipe 1
-
 pass in on jail_nat
 # Allow traffic from my machine to the jails/virtual machines
 pass out on jail_nat from $jail_nat_v4

ansible/roles/firewall/files/odofreebsd_pf.conf

@@ -2,10 +2,10 @@ ext_if = "{ wlan0 }"
 not_ext_if = "{ !wlan0 }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
-rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
+dns_redirect = "{ 10.193.223.1 10.213.177.1 10.215.1.1 }"
 
 dhcp = "{ bootpc, bootps }"
-allow = "{ wgf wgh drmario colo }"
+#allow = "{ wgf wgh drmario colo }"
 
 tcp_pass_in = "{ 22 }"
 udp_pass_in = "{ 53 51820 }"
@@ -16,8 +16,8 @@ udp_pass_in = "{ 53 51820 }"
 set skip on lo
 
 # redirections
-nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
+#nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
-rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
+#rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
 
 # Redirect jaeger ports to virtual machine.
 # nat pass on lo inet from 127.0.0.0/24 to 127.0.0.0/24 port {6831 6832 16686 14268} -> (jail_nat)
@@ -27,18 +27,16 @@ rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.1
 block log all
 pass out on $ext_if
 
-pass in on jail_nat
+#pass in on jail_nat
-# match in on jail_nat from any to any dnpipe 1
-# match in on jail_nat from any to $rfc1918 dnpipe 2
 # Allow traffic from my machine to the jails/virtual machines
-pass out on jail_nat from $jail_nat_v4
+#pass out on jail_nat from $jail_nat_v4
 
 # We pass on the interfaces listed in allow rather than skipping on
 # them because changes to pass rules will update when running a
 # `service pf reload` but interfaces that we `skip` will not update (I
 # forget if its from adding, removing, or both. TODO: test to figure
 # it out). Also skipped interfaces are not subject to nat/rdr rules.
-pass quick on $allow
+#pass quick on $allow
 
 pass on $ext_if proto icmp all
 pass on $ext_if proto icmp6 all

ansible/roles/firewall/meta/main.yaml

@@ -1,2 +0,0 @@
-dependencies:
-  - dummynet

ansible/roles/jail/files/jail_netgraph_bridge.bash

@@ -23,15 +23,11 @@ function start_jail {
     jail_interface_name=$(sanitize_interface_name "$2")
     ip_range="$3"
 
-    local mac_address
-    mac_address=$(calculate_mac_address "$jail_interface_name")
-
     assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
 
     bridge_link_name=$(detect_available_link "${bridge_name}")
     ngctl -d -f - <<EOF
 mkpeer ${bridge_name}: eiface $bridge_link_name ether
-msg ${bridge_name}:$bridge_link_name set $mac_address
 name ${bridge_name}:$bridge_link_name $jail_interface_name
 EOF
     ifconfig $(ngctl msg "${jail_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${jail_interface_name}" up
@@ -125,11 +121,4 @@ function sanitize_interface_name {
     echo "${1:0:15}"
 }
 
-function calculate_mac_address {
-    local name="$1"
-    local source
-    source=$(md5 -r -s "$name" | awk '{print $1}')
-    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
-}
-
 main "${@}"

ansible/roles/jail/files/jails/admin_git.conf

@@ -2,7 +2,7 @@ admin_git {
     path = "/jail/${name}";
     vnet;
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
-    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
     vnet.interface += "jail${name}";
 
     devfs_ruleset = 14;

ansible/roles/jail/files/jails/bastion.conf

@@ -2,7 +2,7 @@ bastion {
     path = "/jail/${name}";
     vnet;
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
-    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
     vnet.interface += "jail${name}";
 
     devfs_ruleset = 14;

ansible/roles/jail/files/jails/certificate.conf

@@ -2,7 +2,7 @@ certificate {
     path = "/jail/${name}";
     vnet;
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
-    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
     vnet.interface += "jail${name}";
 
     devfs_ruleset = 14;

ansible/roles/jail/files/jails/cloak.conf

@@ -4,8 +4,8 @@ cloak {
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start restricted_nat jail${name} 10.215.2.1/24";
     # Create a dummy interface that is never used, just to create the cloak bridge that is used by children.
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak dummy${name} 192.168.1.0/24";
-    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop cloak dummy{name}";
+    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak dummy{name}";
-    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop restricted_nat jail${name}";
+    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop restricted_nat jail${name}";
     vnet.interface += "jail${name}";
     vnet.interface += "cloak";
 

ansible/roles/jail/files/jails/dagger.conf

@@ -4,7 +4,7 @@ dagger {
     vnet.interface += "dagger";
 
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
-    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
+    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
 
     mount.fstab = "/etc/fstab.${name}";
 

ansible/roles/jail/files/jails/nat_dhcp.conf

@@ -2,7 +2,7 @@ nat_dhcp {
     path = "/jail/${name}";
     vnet;
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
-    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
     vnet.interface += "jail${name}";
 
     devfs_ruleset = 14;

ansible/roles/jail/files/jails/olddagger.conf

@@ -4,7 +4,7 @@ olddagger {
     vnet.interface += "olddagger";
 
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
-    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
+    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
 
     mount.fstab = "/etc/fstab.${name}";
 

ansible/roles/jail/files/jails/public_dns.conf

@@ -2,7 +2,7 @@ public_dns {
     path = "/jail/${name}";
     vnet;
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
-    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
     vnet.interface += "jail${name}";
 
     devfs_ruleset = 14;

ansible/roles/jail/files/jails/sample.conf

@@ -2,7 +2,7 @@ sample {
     path = "/jail/${name}";
     vnet;
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
-    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
     vnet.interface += "jail${name}";
 
     devfs_ruleset = 14;

ansible/roles/jail/files/jails/sftp.conf

@@ -2,7 +2,7 @@ sftp {
     path = "/jail/${name}";
     vnet;
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
-    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
     vnet.interface += "jail${name}";
 
     devfs_ruleset = 14;

ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf

@@ -80,13 +80,13 @@
                         "ip-address": "10.215.1.215"
                     },
                     {
-                        // sftp - hard-coded in rc.conf, reproduced here to reserve ip
+                        // sftp
-                        "hw-address": "06:7b:e0:08:16:5d",
+                        "hw-address": "58:9c:fc:10:ff:ab",
                         "ip-address": "10.215.1.216"
                     },
                     {
-                        // bastion - hard-coded in rc.conf, reproduced here to reserve ip
+                        // bastion
-                        "hw-address": "06:ca:1a:10:74:09",
+                        "hw-address": "58:9c:fc:10:ff:a2",
                         "ip-address": "10.215.1.217"
                     }
                 ]

ansible/roles/media/files/cast_file_vaapi

@@ -1,179 +1,11 @@
 #!/usr/bin/env bash
 #
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
+ffmpeg -re -vaapi_device /dev/dri/renderD128 -i "$1" -vf 'format=nv12,hwupload' -c:v h264_vaapi -r 30 -g 30 -loop -1 -c:a aac -b:a 160k -ar 44100 -strict -2 -f flv rtmp:172.16.16.44/live/test &
+ffmpegpid=$!
 
+sleep 1
+castnow --exit 'https://broadcast.fizz.buzz/hls/hls/test.m3u8'
+wait "$ffmpegpid"
 
-function main {
+sleep 10
-    local cmd
-    cmd=$1
-    shift
-    if [ "$cmd" = "copy" ]; then
-        copy "${@}"
-    elif [ "$cmd" = "h264" ]; then
-        h264 "${@}"
-    elif [ "$cmd" = "software_h264" ]; then
-        software_h264 "${@}"
-    elif [ "$cmd" = "preprocess_h264" ]; then
-        preprocess_h264 "${@}"
-    elif [ "$cmd" = "preprocess_vp8" ]; then
-        preprocess_vp8 "${@}"
-    elif [ "$cmd" = "webcam" ]; then
-        webcam "${@}"
-    elif [ "$cmd" = "encode_webcam" ]; then
-        encode_webcam "${@}"
-    else
-        (>&2 echo "Unknown command: $cmd")
-        exit 1
-    fi
-}
-
-function copy {
-    local file_to_cast
-    file_to_cast="$3"
-
-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
-
-    exec ffmpeg \
-        -re \
-        -stream_loop -1 \
-        -i "$file_to_cast" \
-        -c copy \
-        -f rtsp \
-        -rtsp_transport udp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
-
-function h264 {
-    local file_to_cast
-    file_to_cast="$3"
-
-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    exec ffmpeg \
-        -re \
-        -stream_loop -1 \
-        -init_hw_device vaapi=foo:/dev/dri/renderD128 \
-        -hwaccel vaapi \
-        -hwaccel_output_format vaapi \
-        -hwaccel_device foo \
-        -i "$file_to_cast" \
-        -filter_hw_device foo \
-        -vf 'format=nv12|vaapi,hwupload' \
-        -c:v h264_vaapi \
-        -bf 0 \
-        -c:a aac \
-        -b:a 160k \
-        -ar 44100 \
-        -f rtsp \
-        -rtsp_transport udp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
-
-function software_h264 {
-    local file_to_cast
-    file_to_cast="$3"
-
-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    exec ffmpeg \
-        -re \
-        -stream_loop -1 \
-        -i "$file_to_cast" \
-        -c:v h264 \
-        -bf 0 \
-        -c:a aac \
-        -b:a 160k \
-        -ar 44100 \
-        -f rtsp \
-        -rtsp_transport udp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
-
-function preprocess_h264 {
-    local file_to_cast file_to_save
-    file_to_cast="$1"
-    file_to_save="$2"
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    exec ffmpeg \
-        -i "$file_to_cast" \
-        -c:v h264 \
-        -bf 0 \
-        -c:a aac \
-        -b:a 160k \
-        -ar 44100 \
-        "$file_to_save"
-}
-
-function preprocess_vp8 {
-    local file_to_cast file_to_save
-    file_to_cast="$1"
-    file_to_save="$2"
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    # -strict -2 :: Enable support for experimental codecs like opus.
-    # -b:v 1M :: Target 1 megabit/s
-    # -crf 10 :: Target a quality level and adjust bitrate accordingly. This should be preferred, but ideally both should be used.
-    exec ffmpeg \
-        -i "$file_to_cast" \
-        -c:v vp8 \
-        -b:v 1M \
-        -crf 10 \
-        -bf 0 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        -strict -2 \
-        "$file_to_save"
-}
-
-function webcam {
-    # Uses on-webcam h264 encoding.
-
-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
-
-    exec ffmpeg \
-        -re \
-        -input_format h264 \
-        -video_size 1920x1080 \
-        -i /dev/video0 \
-        -c:v copy \
-        -an \
-        -f rtsp \
-        -rtsp_transport udp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
-
-function encode_webcam {
-    # Uses hardware accelerated gpu-based encoding.
-
-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
-
-    exec ffmpeg \
-        -re \
-        -vaapi_device /dev/dri/renderD128 \
-        -i /dev/video0 \
-        -vf 'format=nv12,hwupload' \
-        -c:v h264_vaapi \
-        -an \
-        -f rtsp \
-        -rtsp_transport udp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
-
-main "${@}"

ansible/roles/media/tasks/linux.yaml

@@ -1,22 +1,5 @@
-- name: Build aur packages
-  register: buildaur
-  become_user: "{{ build_user.name }}"
-  command: "aurutils-sync --no-view {{ item }}"
-  args:
-    creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
-  loop:
-    - go-chromecast-git
-
-- name: Update cache
-  when: buildaur.changed
-  pacman:
-    name: []
-    state: present
-    update_cache: true
-
 - name: Install packages
   package:
     name:
       - yt-dlp
-      - go-chromecast-git
     state: present

ansible/roles/network/defaults/main.yaml

@@ -1 +0,0 @@
-prefer_ipv6: false

ansible/roles/network/files/homeserver_network.conf

@@ -1,4 +1,3 @@
 wlans_ath0="wlan0"
 ifconfig_wlan0="WPA DHCP"
 ifconfig_wlan0_ipv6="inet6 accept_rtadv"
-ipv6_cpe_wanif="wlan0"

ansible/roles/network/files/odofreebsd_network.conf

@@ -1,4 +1,3 @@
 wlans_iwlwifi0="wlan0"
 ifconfig_wlan0="WPA DHCP"
 ifconfig_wlan0_ipv6="inet6 accept_rtadv"
-ipv6_cpe_wanif="wlan0"

ansible/roles/network/tasks/freebsd.yaml

@@ -42,6 +42,8 @@
     state: present
     sysctl_file: "/etc/sysctl.conf.local"
   loop:
+    - name: net.inet6.ip6.accept_rtadv # Enable stateless autoconfiguration (SLAAC)
+      value: "1"
     - name: net.inet6.ip6.use_tempaddr # Enable privacy addresses
       value: "1"
     - name: net.inet6.ip6.prefer_tempaddr # Prefer privacy addresses
@@ -56,21 +58,3 @@
     group: wheel
   loop:
     - local_unbound
-
-- name: Prefer ipv6
-  when: prefer_ipv6
-  blockinfile:
-    path: "/etc/rc.conf.d/ip6addrctl"
-    marker: "# {mark} ANSIBLE MANAGED BLOCK"
-    create: true
-    mode: 0600
-    owner: root
-    group: wheel
-    block: |
-      ip6addrctl_policy="ipv6_prefer"
-
-- name: Don't Prefer ipv6
-  when: not prefer_ipv6
-  file:
-    path: "/etc/rc.conf.d/ip6addrctl"
-    state: absent

ansible/roles/vscode/files/settings.json

@@ -33,6 +33,5 @@
   },
   "black-formatter.importStrategy": "fromEnvironment",
   "workbench.statusBar.visible": false,
-  "git.openRepositoryInParentFolders": "never",
+  "git.openRepositoryInParentFolders": "never"
-  "files.autoSave": "afterDelay"
 }

router/REFIND_SETUP

@@ -1 +0,0 @@
-Get xfs driver from https://github.com/pbatard/EfiFs

router/k8s-stream.yaml

@@ -1,14 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: stream-cert
-  namespace: default
-spec:
-  dnsNames:
-    - "home.fizz.buzz"
-    - "stream.fizz.buzz"
-  secretName: stream-cert
-  issuerRef:
-    name: letsencrypt-prd
-    kind: ClusterIssuer
-    group: cert-manager.io

router/launch_mediamtx.bash

@@ -1,151 +0,0 @@
-#!/usr/local/bin/bash
-#
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-: ${CD:=""}
-: ${VNC_ENABLE:="NO"}
-: ${VNC_LISTEN:="127.0.0.1:5900"}
-: ${PID_FILE:="/var/run/mediamtx.pid"}
-
-############## Setup #########################
-
-function cleanup {
-    for vm in "${vms[@]}"; do
-        log "Destroying bhyve vm $vm"
-        bhyvectl "--vm=$vm" --destroy
-        log "Destroyed bhyve vm $vm"
-    done
-}
-vms=()
-for sig in EXIT INT QUIT HUP TERM; do
-  trap "set +e; sleep 10; cleanup" "$sig"
-done
-
-function die {
-    local status_code="$1"
-    shift
-    (>&2 echo "${@}")
-    exit "$status_code"
-}
-
-function log {
-    (>&2 echo "${@}")
-}
-
-############## Program #########################
-
-function main {
-    start_vm
-}
-
-function start_vm {
-    local name="mediamtx"
-
-
-
-    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
-         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
-             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
-            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
-
-    # TODO: Look into using nmdm instead of stdio for serial console
-    if [ -n "$CD" ]; then
-        additional_args+=("-s" "5,ahci-cd,$CD")
-    fi
-    if [ "$VNC_ENABLE" = "YES" ]; then
-        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=1920,h=1080")
-    fi
-
-    local bridge_name="bridge_vm"
-    wait_for_bridge "$bridge_name"
-
-    local mac_address
-    mac_address=$(calculate_mac_address "$name")
-
-    local bridge_link_name
-    bridge_link_name=$(detect_available_link "${bridge_name}")
-
-    # additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
-    additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}" "-s" "3,ahci-cd,/home/talexander/disk.iso")
-    vms+=("$name")
-    while true; do
-        set -x
-        set +e
-        bhyve \
-            -D \
-            -c 1 \
-            -m 3G \
-            -H \
-            -o 'rtc.use_localtime=false' \
-            -s 0,hostbridge \
-            -s "4,nvme,/dev/zvol/zroot/vm/mediamtx/disk0" \
-            -s 30,xhci,tablet \
-            -s 31,lpc -l com1,stdio \
-            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,/vm/mediamtx/BHYVE_UEFI_VARS.fd" \
-            "${additional_args[@]}" \
-            "$name"
-        # local bhyvepid=$!
-        # echo "$bhyvepid" > "$PID_FILE"
-        # wait $bhyvepid
-        local exit_code=$?
-        set +x
-        set -e
-        if [ $exit_code -eq 0 ]; then
-            echo "Rebooting."
-            sleep 5
-        elif [ $exit_code -eq 1 ]; then
-            echo "Powered off."
-            break
-        elif [ $exit_code -eq 2 ]; then
-            echo "Halted."
-            break
-        elif [ $exit_code -eq 3 ]; then
-            echo "Triple fault."
-            break
-        elif [ $exit_code -eq 4 ]; then
-            echo "Exited due to an error."
-            break
-        fi
-    done
-}
-
-function ng_exists {
-    ngctl status "${1}" >/dev/null 2>&1
-}
-
-function wait_for_bridge {
-    local bridge_name="$1"
-    while ! ng_exists "${bridge_name}:"; do
-        echo "${bridge_name} does not yet exist, sleeping."
-        sleep 10
-    done
-}
-
-function detect_available_link {
-    local bridge_name="$1"
-    local linknum=1
-    while true; do
-        local link_name="link${linknum}"
-        if ! ng_exists "${bridge_name}:${link_name}"; then
-            echo "$link_name"
-            return
-        fi
-        linknum=$((linknum + 1))
-        if [ "$linknum" -gt 90 ]; then
-            (>&2 echo "No available links on bridge $bridge_name")
-            exit 1
-        fi
-    done
-}
-
-function calculate_mac_address {
-    local name="$1"
-    local source
-    source=$(md5 -r -s "$name" | awk '{print $1}')
-    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
-}
-
-
-main "${@}"

router/launch_opnsense.bash

@@ -73,7 +73,7 @@ function start_vm {
         set +e
         bhyve \
             -D \
-            -c 4 \
+            -c 6 \
             -m 8G \
             -H \
             -o 'rtc.use_localtime=false' \

router/mediamtx_rc.bash

@@ -1,48 +0,0 @@
-#!/bin/sh
-#
-# PROVIDE: mediamtx
-# REQUIRE: LOGIN opnsense
-# KEYWORD: shutdown
-
-. /etc/rc.subr
-
-name=mediamtx
-rcvar=${name}_enable
-start_cmd="${name}_start"
-stop_cmd="${name}_stop"
-status_cmd="${name}_status"
-load_rc_config $name
-
-tmux_name="mediamtx"
-
-mediamtx_start() {
-    /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=YES VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_mediamtx.bash"
-    # /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=NO VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_mediamtx.bash"
-}
-
-mediamtx_status() {
-    if /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null; then
-	echo "$tmux_name is running."
-    else
-	echo "$tmux_name is not running."
-	return 1
-    fi
-}
-
-mediamtx_stop() {
-    /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null && (
-        /usr/local/bin/tmux kill-session -t $tmux_name
-        sleep 10
-        bhyvectl --vm=mediamtx --destroy
-        # kill `cat /var/run/mediamtx.pid`
-    )
-    mediamtx_wait_for_end
-}
-
-mediamtx_wait_for_end() {
-    while /usr/local/bin/tmux has-session -t $tmux_name 2>dev/null; do
-        sleep 1
-    done
-}
-
-run_rc_command "$1"

router/opnsense_rc.bash

@@ -1,11 +1,10 @@
 #!/bin/sh
 #
+# REQUIRE: FILESYSTEMS kld
 # PROVIDE: opnsense
-# REQUIRE: LOGIN
+# BEFORE: netif
-# KEYWORD: shutdown
 
 . /etc/rc.subr
-
 name=opnsense
 rcvar=${name}_enable
 start_cmd="${name}_start"

router/stream.yml

@@ -1,727 +0,0 @@
-#
-# How to update cert:
-#
-#   kubectl apply -f k8s-stream.yaml
-#   kubectl wait --for=condition=ready=true --timeout=300s -n default certificate stream-cert
-#   decrypt_k8s_secret -n default stream-cert | jq -r '.["tls.crt"]' | tee server.crt
-#   decrypt_k8s_secret -n default stream-cert | jq -r '.["tls.key"]' | tee server.key
-#   kdel -f k8s-stream.yaml
-#   gpg_auth scp stream.yml server.crt server.key 172.16.16.251:~/ ; gpg_auth ssh 172.16.16.251 doas install -o root -g root -m 0644 stream.yml server.crt /etc/mediamtx/ ; gpg_auth ssh 172.16.16.251 doas install -o root -g root -m 0600 server.key /etc/mediamtx/
-
-###############################################
-# Global settings
-
-# Settings in this section are applied anywhere.
-
-###############################################
-# Global settings -> General
-
-# Verbosity of the program; available values are "error", "warn", "info", "debug".
-logLevel: info
-# Destinations of log messages; available values are "stdout", "file" and "syslog".
-logDestinations: [stdout]
-# If "file" is in logDestinations, this is the file which will receive the logs.
-logFile: mediamtx.log
-
-# Timeout of read operations.
-readTimeout: 10s
-# Timeout of write operations.
-writeTimeout: 10s
-# Size of the queue of outgoing packets.
-# A higher value allows to increase throughput, a lower value allows to save RAM.
-writeQueueSize: 512
-# Maximum size of outgoing UDP packets.
-# This can be decreased to avoid fragmentation on networks with a low UDP MTU.
-udpMaxPayloadSize: 1472
-
-# Command to run when a client connects to the server.
-# This is terminated with SIGINT when a client disconnects from the server.
-# The following environment variables are available:
-# * RTSP_PORT: RTSP server port
-# * MTX_CONN_TYPE: connection type
-# * MTX_CONN_ID: connection ID
-runOnConnect:
-# Restart the command if it exits.
-runOnConnectRestart: no
-# Command to run when a client disconnects from the server.
-# Environment variables are the same of runOnConnect.
-runOnDisconnect:
-
-###############################################
-# Global settings -> Authentication
-
-# Authentication method. Available values are:
-# * internal: users are stored in the configuration file
-# * http: an external HTTP URL is contacted to perform authentication
-# * jwt: an external identity server provides authentication through JWTs
-authMethod: internal
-
-# Internal authentication.
-# list of users.
-authInternalUsers:
-  # Default unprivileged user.
-  # Username. 'any' means any user, including anonymous ones.
-  - user: any
-    # Password. Not used in case of 'any' user.
-    pass:
-    # IPs or networks allowed to use this user. An empty list means any IP.
-    ips: []
-    # List of permissions.
-    permissions:
-      []
-      # # Available actions are: publish, read, playback, api, metrics, pprof.
-      # - action: publish
-      #   # Paths can be set to further restrict access to a specific path.
-      #   # An empty path means any path.
-      #   # Regular expressions can be used by using a tilde as prefix.
-      #   path:
-      # - action: read
-      #   path:
-      # - action: playback
-      #   path:
-  - user: heyheyyouyou
-    # Password. Not used in case of 'any' user.
-    pass: idontlikeyourgirlfriend
-    # IPs or networks allowed to use this user. An empty list means any IP.
-    ips: []
-    # List of permissions.
-    permissions:
-      # Available actions are: publish, read, playback, api, metrics, pprof.
-      - action: publish
-        # Paths can be set to further restrict access to a specific path.
-        # An empty path means any path.
-        # Regular expressions can be used by using a tilde as prefix.
-        path:
-      - action: read
-        path:
-      - action: playback
-        path:
-
-    # Default administrator.
-    # This allows to use API, metrics and PPROF without authentication,
-    # if the IP is localhost.
-  - user: any
-    pass:
-    ips: ["127.0.0.1", "::1"]
-    permissions:
-      - action: api
-      - action: metrics
-      - action: pprof
-
-# HTTP-based authentication.
-# URL called to perform authentication. Every time a user wants
-# to authenticate, the server calls this URL with the POST method
-# and a body containing:
-# {
-#   "user": "user",
-#   "password": "password",
-#   "ip": "ip",
-#   "action": "publish|read|playback|api|metrics|pprof",
-#   "path": "path",
-#   "protocol": "rtsp|rtmp|hls|webrtc|srt",
-#   "id": "id",
-#   "query": "query"
-# }
-# If the response code is 20x, authentication is accepted, otherwise
-# it is discarded.
-authHTTPAddress:
-# Actions to exclude from HTTP-based authentication.
-# Format is the same as the one of user permissions.
-authHTTPExclude:
-  - action: api
-  - action: metrics
-  - action: pprof
-
-# JWT-based authentication.
-# Users have to login through an external identity server and obtain a JWT.
-# This JWT must contain the claim "mediamtx_permissions" with permissions,
-# for instance:
-# {
-#  ...
-#  "mediamtx_permissions": [
-#     {
-#       "action": "publish",
-#       "path": "somepath"
-#     }
-#   ]
-# }
-# Users are expected to pass the JWT in the Authorization header or as a query parameter.
-# This is the JWKS URL that will be used to pull (once) the public key that allows
-# to validate JWTs.
-authJWTJWKS:
-
-###############################################
-# Global settings -> Control API
-
-# Enable controlling the server through the Control API.
-api: no
-# Address of the Control API listener.
-apiAddress: :9997
-# Enable TLS/HTTPS on the Control API server.
-apiEncryption: no
-# Path to the server key. This is needed only when encryption is yes.
-# This can be generated with:
-# openssl genrsa -out server.key 2048
-# openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
-apiServerKey: /etc/mediamtx/server.key
-# Path to the server certificate.
-apiServerCert: /etc/mediamtx/server.crt
-# Value of the Access-Control-Allow-Origin header provided in every HTTP response.
-apiAllowOrigin: "*"
-# List of IPs or CIDRs of proxies placed before the HTTP server.
-# If the server receives a request from one of these entries, IP in logs
-# will be taken from the X-Forwarded-For header.
-apiTrustedProxies: []
-
-###############################################
-# Global settings -> Metrics
-
-# Enable Prometheus-compatible metrics.
-metrics: no
-# Address of the metrics HTTP listener.
-metricsAddress: :9998
-# Enable TLS/HTTPS on the Metrics server.
-metricsEncryption: no
-# Path to the server key. This is needed only when encryption is yes.
-# This can be generated with:
-# openssl genrsa -out server.key 2048
-# openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
-metricsServerKey: /etc/mediamtx/server.key
-# Path to the server certificate.
-metricsServerCert: /etc/mediamtx/server.crt
-# Value of the Access-Control-Allow-Origin header provided in every HTTP response.
-metricsAllowOrigin: "*"
-# List of IPs or CIDRs of proxies placed before the HTTP server.
-# If the server receives a request from one of these entries, IP in logs
-# will be taken from the X-Forwarded-For header.
-metricsTrustedProxies: []
-
-###############################################
-# Global settings -> PPROF
-
-# Enable pprof-compatible endpoint to monitor performances.
-pprof: no
-# Address of the pprof listener.
-pprofAddress: :9999
-# Enable TLS/HTTPS on the pprof server.
-pprofEncryption: no
-# Path to the server key. This is needed only when encryption is yes.
-# This can be generated with:
-# openssl genrsa -out server.key 2048
-# openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
-pprofServerKey: /etc/mediamtx/server.key
-# Path to the server certificate.
-pprofServerCert: /etc/mediamtx/server.crt
-# Value of the Access-Control-Allow-Origin header provided in every HTTP response.
-pprofAllowOrigin: "*"
-# List of IPs or CIDRs of proxies placed before the HTTP server.
-# If the server receives a request from one of these entries, IP in logs
-# will be taken from the X-Forwarded-For header.
-pprofTrustedProxies: []
-
-###############################################
-# Global settings -> Playback server
-
-# Enable downloading recordings from the playback server.
-playback: no
-# Address of the playback server listener.
-playbackAddress: :9996
-# Enable TLS/HTTPS on the playback server.
-playbackEncryption: no
-# Path to the server key. This is needed only when encryption is yes.
-# This can be generated with:
-# openssl genrsa -out server.key 2048
-# openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
-playbackServerKey: /etc/mediamtx/server.key
-# Path to the server certificate.
-playbackServerCert: /etc/mediamtx/server.crt
-# Value of the Access-Control-Allow-Origin header provided in every HTTP response.
-playbackAllowOrigin: "*"
-# List of IPs or CIDRs of proxies placed before the HTTP server.
-# If the server receives a request from one of these entries, IP in logs
-# will be taken from the X-Forwarded-For header.
-playbackTrustedProxies: []
-
-###############################################
-# Global settings -> RTSP server
-
-# Enable publishing and reading streams with the RTSP protocol.
-rtsp: yes
-# List of enabled RTSP transport protocols.
-# UDP is the most performant, but doesn't work when there's a NAT/firewall between
-# server and clients, and doesn't support encryption.
-# UDP-multicast allows to save bandwidth when clients are all in the same LAN.
-# TCP is the most versatile, and does support encryption.
-# The handshake is always performed with TCP.
-protocols: [udp, multicast, tcp]
-# Encrypt handshakes and TCP streams with TLS (RTSPS).
-# Available values are "no", "strict", "optional".
-encryption: "no"
-# Address of the TCP/RTSP listener. This is needed only when encryption is "no" or "optional".
-rtspAddress: :8554
-# Address of the TCP/TLS/RTSPS listener. This is needed only when encryption is "strict" or "optional".
-rtspsAddress: :8322
-# Address of the UDP/RTP listener. This is needed only when "udp" is in protocols.
-rtpAddress: :8000
-# Address of the UDP/RTCP listener. This is needed only when "udp" is in protocols.
-rtcpAddress: :8001
-# IP range of all UDP-multicast listeners. This is needed only when "multicast" is in protocols.
-multicastIPRange: 224.1.0.0/16
-# Port of all UDP-multicast/RTP listeners. This is needed only when "multicast" is in protocols.
-multicastRTPPort: 8002
-# Port of all UDP-multicast/RTCP listeners. This is needed only when "multicast" is in protocols.
-multicastRTCPPort: 8003
-# Path to the server key. This is needed only when encryption is "strict" or "optional".
-# This can be generated with:
-# openssl genrsa -out server.key 2048
-# openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
-serverKey: /etc/mediamtx/server.key
-# Path to the server certificate. This is needed only when encryption is "strict" or "optional".
-serverCert: /etc/mediamtx/server.crt
-# Authentication methods. Available are "basic" and "digest".
-# "digest" doesn't provide any additional security and is available for compatibility only.
-rtspAuthMethods: [basic]
-
-###############################################
-# Global settings -> RTMP server
-
-# Enable publishing and reading streams with the RTMP protocol.
-rtmp: yes
-# Address of the RTMP listener. This is needed only when encryption is "no" or "optional".
-rtmpAddress: :1935
-# Encrypt connections with TLS (RTMPS).
-# Available values are "no", "strict", "optional".
-rtmpEncryption: "no"
-# Address of the RTMPS listener. This is needed only when encryption is "strict" or "optional".
-rtmpsAddress: :1936
-# Path to the server key. This is needed only when encryption is "strict" or "optional".
-# This can be generated with:
-# openssl genrsa -out server.key 2048
-# openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
-rtmpServerKey: /etc/mediamtx/server.key
-# Path to the server certificate. This is needed only when encryption is "strict" or "optional".
-rtmpServerCert: /etc/mediamtx/server.crt
-
-###############################################
-# Global settings -> HLS server
-
-# Enable reading streams with the HLS protocol.
-hls: yes
-# Address of the HLS listener.
-hlsAddress: :8888
-# Enable TLS/HTTPS on the HLS server.
-# This is required for Low-Latency HLS.
-hlsEncryption: yes
-# Path to the server key. This is needed only when encryption is yes.
-# This can be generated with:
-# openssl genrsa -out server.key 2048
-# openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
-hlsServerKey: /etc/mediamtx/server.key
-# Path to the server certificate.
-hlsServerCert: /etc/mediamtx/server.crt
-# Value of the Access-Control-Allow-Origin header provided in every HTTP response.
-# This allows to play the HLS stream from an external website.
-hlsAllowOrigin: "*"
-# List of IPs or CIDRs of proxies placed before the HLS server.
-# If the server receives a request from one of these entries, IP in logs
-# will be taken from the X-Forwarded-For header.
-hlsTrustedProxies: []
-# By default, HLS is generated only when requested by a user.
-# This option allows to generate it always, avoiding the delay between request and generation.
-hlsAlwaysRemux: no
-# Variant of the HLS protocol to use. Available options are:
-# * mpegts - uses MPEG-TS segments, for maximum compatibility.
-# * fmp4 - uses fragmented MP4 segments, more efficient.
-# * lowLatency - uses Low-Latency HLS.
-hlsVariant: lowLatency
-# Number of HLS segments to keep on the server.
-# Segments allow to seek through the stream.
-# Their number doesn't influence latency.
-hlsSegmentCount: 7
-# Minimum duration of each segment.
-# A player usually puts 3 segments in a buffer before reproducing the stream.
-# The final segment duration is also influenced by the interval between IDR frames,
-# since the server changes the duration in order to include at least one IDR frame
-# in each segment.
-hlsSegmentDuration: 1s
-# Minimum duration of each part.
-# A player usually puts 3 parts in a buffer before reproducing the stream.
-# Parts are used in Low-Latency HLS in place of segments.
-# Part duration is influenced by the distance between video/audio samples
-# and is adjusted in order to produce segments with a similar duration.
-hlsPartDuration: 200ms
-# Maximum size of each segment.
-# This prevents RAM exhaustion.
-hlsSegmentMaxSize: 50M
-# Directory in which to save segments, instead of keeping them in the RAM.
-# This decreases performance, since reading from disk is less performant than
-# reading from RAM, but allows to save RAM.
-hlsDirectory: ""
-# The muxer will be closed when there are no
-# reader requests and this amount of time has passed.
-hlsMuxerCloseAfter: 60s
-
-###############################################
-# Global settings -> WebRTC server
-
-# Enable publishing and reading streams with the WebRTC protocol.
-webrtc: yes
-# Address of the WebRTC HTTP listener.
-webrtcAddress: :8889
-# Enable TLS/HTTPS on the WebRTC server.
-webrtcEncryption: yes
-# Path to the server key.
-# This can be generated with:
-# openssl genrsa -out server.key 2048
-# openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
-webrtcServerKey: /etc/mediamtx/server.key
-# Path to the server certificate.
-webrtcServerCert: /etc/mediamtx/server.crt
-# Value of the Access-Control-Allow-Origin header provided in every HTTP response.
-# This allows to play the WebRTC stream from an external website.
-webrtcAllowOrigin: "*"
-# List of IPs or CIDRs of proxies placed before the WebRTC server.
-# If the server receives a request from one of these entries, IP in logs
-# will be taken from the X-Forwarded-For header.
-webrtcTrustedProxies: []
-# Address of a local UDP listener that will receive connections.
-# Use a blank string to disable.
-webrtcLocalUDPAddress: :8189
-# Address of a local TCP listener that will receive connections.
-# This is disabled by default since TCP is less efficient than UDP and
-# introduces a progressive delay when network is congested.
-webrtcLocalTCPAddress: ""
-# WebRTC clients need to know the IP of the server.
-# Gather IPs from interfaces and send them to clients.
-webrtcIPsFromInterfaces: no
-# List of interfaces whose IPs will be sent to clients.
-# An empty value means to use all available interfaces.
-webrtcIPsFromInterfacesList: []
-# List of additional hosts or IPs to send to clients.
-webrtcAdditionalHosts: [68.197.252.15, stream.fizz.buzz]
-# webrtcAdditionalHosts: []
-# ICE servers. Needed only when local listeners can't be reached by clients.
-# STUN servers allows to obtain and share the public IP of the server.
-# TURN/TURNS servers forces all traffic through them.
-webrtcICEServers2:
-  []
-  # - url: stun:stun.cloudflare.com:3478
-  # - url: stun:stun.l.google.com:19302
-  # if user is "AUTH_SECRET", then authentication is secret based.
-  # the secret must be inserted into the password field.
-  # username: ''
-  # password: ''
-  # clientOnly: false
-# Time to wait for the WebRTC handshake to complete.
-webrtcHandshakeTimeout: 10s
-# Maximum time to gather video tracks.
-webrtcTrackGatherTimeout: 2s
-
-###############################################
-# Global settings -> SRT server
-
-# Enable publishing and reading streams with the SRT protocol.
-srt: yes
-# Address of the SRT listener.
-srtAddress: :8890
-
-###############################################
-# Default path settings
-
-# Settings in "pathDefaults" are applied anywhere,
-# unless they are overridden in "paths".
-pathDefaults:
-  ###############################################
-  # Default path settings -> General
-
-  # Source of the stream. This can be:
-  # * publisher -> the stream is provided by a RTSP, RTMP, WebRTC or SRT client
-  # * rtsp://existing-url -> the stream is pulled from another RTSP server / camera
-  # * rtsps://existing-url -> the stream is pulled from another RTSP server / camera with RTSPS
-  # * rtmp://existing-url -> the stream is pulled from another RTMP server / camera
-  # * rtmps://existing-url -> the stream is pulled from another RTMP server / camera with RTMPS
-  # * http://existing-url/stream.m3u8 -> the stream is pulled from another HLS server / camera
-  # * https://existing-url/stream.m3u8 -> the stream is pulled from another HLS server / camera with HTTPS
-  # * udp://ip:port -> the stream is pulled with UDP, by listening on the specified IP and port
-  # * srt://existing-url -> the stream is pulled from another SRT server / camera
-  # * whep://existing-url -> the stream is pulled from another WebRTC server / camera
-  # * wheps://existing-url -> the stream is pulled from another WebRTC server / camera with HTTPS
-  # * redirect -> the stream is provided by another path or server
-  # * rpiCamera -> the stream is provided by a Raspberry Pi Camera
-  # If path name is a regular expression, $G1, G2, etc will be replaced
-  # with regular expression groups.
-  source: publisher
-  # If the source is a URL, and the source certificate is self-signed
-  # or invalid, you can provide the fingerprint of the certificate in order to
-  # validate it anyway. It can be obtained by running:
-  # openssl s_client -connect source_ip:source_port </dev/null 2>/dev/null | sed -n '/BEGIN/,/END/p' > server.crt
-  # openssl x509 -in server.crt -noout -fingerprint -sha256 | cut -d "=" -f2 | tr -d ':'
-  sourceFingerprint:
-  # If the source is a URL, it will be pulled only when at least
-  # one reader is connected, saving bandwidth.
-  sourceOnDemand: no
-  # If sourceOnDemand is "yes", readers will be put on hold until the source is
-  # ready or until this amount of time has passed.
-  sourceOnDemandStartTimeout: 10s
-  # If sourceOnDemand is "yes", the source will be closed when there are no
-  # readers connected and this amount of time has passed.
-  sourceOnDemandCloseAfter: 10s
-  # Maximum number of readers. Zero means no limit.
-  maxReaders: 0
-  # SRT encryption passphrase require to read from this path
-  srtReadPassphrase:
-  # If the stream is not available, redirect readers to this path.
-  # It can be can be a relative path (i.e. /otherstream) or an absolute RTSP URL.
-  fallback:
-
-  ###############################################
-  # Default path settings -> Record
-
-  # Record streams to disk.
-  record: no
-  # Path of recording segments.
-  # Extension is added automatically.
-  # Available variables are %path (path name), %Y %m %d %H %M %S %f %s (time in strftime format)
-  recordPath: ./recordings/%path/%Y-%m-%d_%H-%M-%S-%f
-  # Format of recorded segments.
-  # Available formats are "fmp4" (fragmented MP4) and "mpegts" (MPEG-TS).
-  recordFormat: fmp4
-  # fMP4 segments are concatenation of small MP4 files (parts), each with this duration.
-  # MPEG-TS segments are concatenation of 188-bytes packets, flushed to disk with this period.
-  # When a system failure occurs, the last part gets lost.
-  # Therefore, the part duration is equal to the RPO (recovery point objective).
-  recordPartDuration: 1s
-  # Minimum duration of each segment.
-  recordSegmentDuration: 1h
-  # Delete segments after this timespan.
-  # Set to 0s to disable automatic deletion.
-  recordDeleteAfter: 24h
-
-  ###############################################
-  # Default path settings -> Publisher source (when source is "publisher")
-
-  # Allow another client to disconnect the current publisher and publish in its place.
-  overridePublisher: yes
-  # SRT encryption passphrase required to publish to this path
-  srtPublishPassphrase:
-
-  ###############################################
-  # Default path settings -> RTSP source (when source is a RTSP or a RTSPS URL)
-
-  # Transport protocol used to pull the stream. available values are "automatic", "udp", "multicast", "tcp".
-  rtspTransport: automatic
-  # Support sources that don't provide server ports or use random server ports. This is a security issue
-  # and must be used only when interacting with sources that require it.
-  rtspAnyPort: no
-  # Range header to send to the source, in order to start streaming from the specified offset.
-  # available values:
-  # * clock: Absolute time
-  # * npt: Normal Play Time
-  # * smpte: SMPTE timestamps relative to the start of the recording
-  rtspRangeType:
-  # Available values:
-  # * clock: UTC ISO 8601 combined date and time string, e.g. 20230812T120000Z
-  # * npt: duration such as "300ms", "1.5m" or "2h45m", valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-  # * smpte: duration such as "300ms", "1.5m" or "2h45m", valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-  rtspRangeStart:
-
-  ###############################################
-  # Default path settings -> Redirect source (when source is "redirect")
-
-  # RTSP URL which clients will be redirected to.
-  sourceRedirect:
-
-  ###############################################
-  # Default path settings -> Raspberry Pi Camera source (when source is "rpiCamera")
-
-  # ID of the camera
-  rpiCameraCamID: 0
-  # width of frames
-  rpiCameraWidth: 1920
-  # height of frames
-  rpiCameraHeight: 1080
-  # flip horizontally
-  rpiCameraHFlip: false
-  # flip vertically
-  rpiCameraVFlip: false
-  # brightness [-1, 1]
-  rpiCameraBrightness: 0
-  # contrast [0, 16]
-  rpiCameraContrast: 1
-  # saturation [0, 16]
-  rpiCameraSaturation: 1
-  # sharpness [0, 16]
-  rpiCameraSharpness: 1
-  # exposure mode.
-  # values: normal, short, long, custom
-  rpiCameraExposure: normal
-  # auto-white-balance mode.
-  # values: auto, incandescent, tungsten, fluorescent, indoor, daylight, cloudy, custom
-  rpiCameraAWB: auto
-  # auto-white-balance fixed gains. This can be used in place of rpiCameraAWB.
-  # format: [red,blue]
-  rpiCameraAWBGains: [0, 0]
-  # denoise operating mode.
-  # values: off, cdn_off, cdn_fast, cdn_hq
-  rpiCameraDenoise: "off"
-  # fixed shutter speed, in microseconds.
-  rpiCameraShutter: 0
-  # metering mode of the AEC/AGC algorithm.
-  # values: centre, spot, matrix, custom
-  rpiCameraMetering: centre
-  # fixed gain
-  rpiCameraGain: 0
-  # EV compensation of the image [-10, 10]
-  rpiCameraEV: 0
-  # Region of interest, in format x,y,width,height
-  rpiCameraROI:
-  # whether to enable HDR on Raspberry Camera 3.
-  rpiCameraHDR: false
-  # tuning file
-  rpiCameraTuningFile:
-  # sensor mode, in format [width]:[height]:[bit-depth]:[packing]
-  # bit-depth and packing are optional.
-  rpiCameraMode:
-  # frames per second
-  rpiCameraFPS: 30
-  # period between IDR frames
-  rpiCameraIDRPeriod: 60
-  # bitrate
-  rpiCameraBitrate: 1000000
-  # H264 profile
-  rpiCameraProfile: main
-  # H264 level
-  rpiCameraLevel: "4.1"
-  # Autofocus mode
-  # values: auto, manual, continuous
-  rpiCameraAfMode: continuous
-  # Autofocus range
-  # values: normal, macro, full
-  rpiCameraAfRange: normal
-  # Autofocus speed
-  # values: normal, fast
-  rpiCameraAfSpeed: normal
-  # Lens position (for manual autofocus only), will be set to focus to a specific distance
-  # calculated by the following formula: d = 1 / value
-  # Examples: 0 moves the lens to infinity.
-  #           0.5 moves the lens to focus on objects 2m away.
-  #           2 moves the lens to focus on objects 50cm away.
-  rpiCameraLensPosition: 0.0
-  # Specifies the autofocus window, in the form x,y,width,height where the coordinates
-  # are given as a proportion of the entire image.
-  rpiCameraAfWindow:
-  # enables printing text on each frame.
-  rpiCameraTextOverlayEnable: false
-  # text that is printed on each frame.
-  # format is the one of the strftime() function.
-  rpiCameraTextOverlay: "%Y-%m-%d %H:%M:%S - MediaMTX"
-
-  ###############################################
-  # Default path settings -> Hooks
-
-  # Command to run when this path is initialized.
-  # This can be used to publish a stream when the server is launched.
-  # This is terminated with SIGINT when the program closes.
-  # The following environment variables are available:
-  # * MTX_PATH: path name
-  # * RTSP_PORT: RTSP server port
-  # * G1, G2, ...: regular expression groups, if path name is
-  #   a regular expression.
-  runOnInit:
-  # Restart the command if it exits.
-  runOnInitRestart: no
-
-  # Command to run when this path is requested by a reader
-  # and no one is publishing to this path yet.
-  # This can be used to publish a stream on demand.
-  # This is terminated with SIGINT when there are no readers anymore.
-  # The following environment variables are available:
-  # * MTX_PATH: path name
-  # * MTX_QUERY: query parameters (passed by first reader)
-  # * RTSP_PORT: RTSP server port
-  # * G1, G2, ...: regular expression groups, if path name is
-  #   a regular expression.
-  runOnDemand:
-  # Restart the command if it exits.
-  runOnDemandRestart: no
-  # Readers will be put on hold until the runOnDemand command starts publishing
-  # or until this amount of time has passed.
-  runOnDemandStartTimeout: 10s
-  # The command will be closed when there are no
-  # readers connected and this amount of time has passed.
-  runOnDemandCloseAfter: 10s
-  # Command to run when there are no readers anymore.
-  # Environment variables are the same of runOnDemand.
-  runOnUnDemand:
-
-  # Command to run when the stream is ready to be read, whenever it is
-  # published by a client or pulled from a server / camera.
-  # This is terminated with SIGINT when the stream is not ready anymore.
-  # The following environment variables are available:
-  # * MTX_PATH: path name
-  # * MTX_QUERY: query parameters (passed by publisher)
-  # * RTSP_PORT: RTSP server port
-  # * G1, G2, ...: regular expression groups, if path name is
-  #   a regular expression.
-  # * MTX_SOURCE_TYPE: source type
-  # * MTX_SOURCE_ID: source ID
-  runOnReady:
-  # Restart the command if it exits.
-  runOnReadyRestart: no
-  # Command to run when the stream is not available anymore.
-  # Environment variables are the same of runOnReady.
-  runOnNotReady:
-
-  # Command to run when a client starts reading.
-  # This is terminated with SIGINT when a client stops reading.
-  # The following environment variables are available:
-  # * MTX_PATH: path name
-  # * MTX_QUERY: query parameters (passed by reader)
-  # * RTSP_PORT: RTSP server port
-  # * G1, G2, ...: regular expression groups, if path name is
-  #   a regular expression.
-  # * MTX_READER_TYPE: reader type
-  # * MTX_READER_ID: reader ID
-  runOnRead:
-  # Restart the command if it exits.
-  runOnReadRestart: no
-  # Command to run when a client stops reading.
-  # Environment variables are the same of runOnRead.
-  runOnUnread:
-
-  # Command to run when a recording segment is created.
-  # The following environment variables are available:
-  # * MTX_PATH: path name
-  # * RTSP_PORT: RTSP server port
-  # * G1, G2, ...: regular expression groups, if path name is
-  #   a regular expression.
-  # * MTX_SEGMENT_PATH: segment file path
-  runOnRecordSegmentCreate:
-
-  # Command to run when a recording segment is complete.
-  # The following environment variables are available:
-  # * MTX_PATH: path name
-  # * RTSP_PORT: RTSP server port
-  # * G1, G2, ...: regular expression groups, if path name is
-  #   a regular expression.
-  # * MTX_SEGMENT_PATH: segment file path
-  # * MTX_SEGMENT_DURATION: segment duration
-  runOnRecordSegmentComplete:
-
-###############################################
-# Path settings
-
-# Settings in "paths" are applied to specific paths, and the map key
-# is the name of the path.
-# Any setting in "pathDefaults" can be overridden here.
-# It's possible to use regular expressions by using a tilde as prefix,
-# for example "~^(test1|test2)$" will match both "test1" and "test2",
-# for example "~^prefix" will match all paths that start with "prefix".
-paths:
-  # example:
-  # my_camera:
-  #   source: rtsp://my_camera
-
-  # Settings under path "all_others" are applied to all paths that
-  # do not match another entry.
-  all_others:

router/unifi/docker-compose/docker-compose.yaml

@@ -1,4 +1,4 @@
-# docker compose up -d
+# docker-compose up -d
 ---
 version: "2.1"
 services:
@@ -19,7 +19,7 @@ services:
       - MONGO_TLS= #optional
       - MONGO_AUTHSOURCE= #optional
     volumes:
-      - /home/talexander/unifi:/config
+      - /data/unifi:/config
     ports:
       - 80:8080
       - 443:8443
@@ -37,6 +37,6 @@ services:
     image: mongo:7.0.5
     container_name: unifi-db
     volumes:
-      - /home/talexander/mongodb:/data/db
+      - /data/mongodb:/data/db
       - ./init_mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro
     restart: unless-stopped

router/unifi_rc.bash

@@ -1,12 +1,11 @@
 #!/bin/sh
 #
+# REQUIRE: FILESYSTEMS kld
 # PROVIDE: unifi
-# REQUIRE: LOGIN opnsense
+# BEFORE: netif
-# KEYWORD: shutdown
 
 . /etc/rc.subr
-
+name=opnsense
-name=unifi
 rcvar=${name}_enable
 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
@@ -15,12 +14,12 @@ load_rc_config $name
 
 tmux_name="unifi"
 
-unifi_start() {
+opnsense_start() {
-    /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=YES VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_unifi.bash"
+    # /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=YES VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_opnsense.bash"
-    # /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=NO VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_unifi.bash"
+    /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=NO VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_unifi.bash"
 }
 
-unifi_status() {
+opnsense_status() {
     if /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null; then
 	echo "$tmux_name is running."
     else
@@ -29,17 +28,17 @@ unifi_status() {
     fi
 }
 
-unifi_stop() {
+opnsense_stop() {
     /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null && (
         /usr/local/bin/tmux kill-session -t $tmux_name
         sleep 10
         bhyvectl --vm=unifi --destroy
-        # kill `cat /var/run/unifi.pid`
+        # kill `cat /var/run/opnsense.pid`
     )
-    unifi_wait_for_end
+    opnsense_wait_for_end
 }
 
-unifi_wait_for_end() {
+opnsense_wait_for_end() {
     while /usr/local/bin/tmux has-session -t $tmux_name 2>dev/null; do
         sleep 1
     done