Update for pkgbase rebuild of homeserver.

Currently, I get a lot of dropped packets on 6ghz. I suspect it is a bug in the drivers/firmware.

.gitattributes

@@ -1,3 +1,5 @@
 cargo_credentials.toml filter=git-crypt diff=git-crypt
 **/wireguard_configs/** filter=git-crypt diff=git-crypt
 *.key filter=git-crypt diff=git-crypt
+credentials filter=git-crypt diff=git-crypt
+htpasswd filter=git-crypt diff=git-crypt

ansible/environments/colo/host_vars/mrmanager

@@ -6,7 +6,6 @@ zfs_snapshot_datasets:
     include: false
   - path: zdata/k8spersistent
 sshd_enabled: true
-loader_conf: "mrmanager_loader.conf"
 rc_conf: "mrmanager_rc.conf"
 network_rc: "mrmanager_network.conf"
 routing_rc: "mrmanager_routing.conf"
@@ -14,13 +13,16 @@ pf_config: "mrmanager_pf.conf"
 pflog_conf:
   - name: 0
     dev: pflog0
+  - name: 1
+    dev: pflog1
 cputype: "amd"
+hwpstate: true
 etc_hosts: {}
 wireguard_directory: mrmanager
 enabled_wireguard:
   - colo
 jail_zfs_dataset: zdata/jail
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
 jail_canmount: "on"
 jail_list:
   - name: nat_dhcp
@@ -50,7 +52,3 @@ users:
       - yubikey
       - main_fido
       - backup_fido
-  mole:
-    initialize: true
-    authorized_keys:
-      - mole

ansible/environments/colo/hosts

@@ -1,2 +1,3 @@
 [server]
-mrmanager ansible_user=talexander ansible_host=10.217.2.1
+#mrmanager ansible_user=talexander ansible_host=10.217.2.1 ansible_become_method=doas
+mrmanager ansible_user=talexander ansible_host=74.80.180.138 ansible_become_method=doas

ansible/environments/home/host_vars/homeserver

@@ -2,8 +2,28 @@ os_flavor: "freebsd"
 zfs_snapshot_datasets:
   - path: zroot/freebsd/computer/be
   - path: zmass/encrypted/vm
+  - path: zmass/encrypted/data
+users:
+  talexander:
+    initialize: true
+    uid: 11235
+    gid: 11235
+    groups:
+      - name: wheel
+      - name: video
+      - name: u2f
+      - name: operator # To be able to shutdown without root
+      - name: webcamd
+        gid: 145
+    authorized_keys:
+      - yubikey
+      - main_fido
+      - backup_fido
+      - homeassistant
+    gitconfig: "gitconfig_home"
 sshd_enabled: true
 sshd_conf: "sshd_config"
+prefer_ipv6: true
 pf_config: "homeserver_pf.conf"
 pflog_conf:
   - name: 0
@@ -11,12 +31,11 @@ pflog_conf:
 network_rc: "homeserver_network.conf"
 rc_conf: "homeserver_rc.conf"
 loader_conf: "homeserver_loader.conf"
-netgraph_config: "setup_netgraph_homeserver"
 cputype: "intel"
 hwpstate: false
 devfs_rules: "homeserver_devfs.rules"
 jail_zfs_dataset: zmass/encrypted/jails
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
 jail_canmount: "on"
 jail_bemount: "on"
 jail_list:
@@ -31,15 +50,27 @@ jail_list:
   - name: dagger
     conf:
       src: dagger
-  - name: mumble
+  - name: sftp
     conf:
-      src: mumble
-    persist:
-      - name: mumbledb
-        mount: /var/db/murmur
+      src: sftp
+    fstab: sftp_fstab
+  - name: bastion
+    conf:
+      src: bastion
+    fstab: fstab_bastion
+  - name: certificate
+    conf:
+      src: certificate
+  # - name: mumble
+  #   conf:
+  #     src: mumble
+  #   persist:
+  #     - name: mumbledb
+  #       mount: /var/db/murmur
 bhyve_dataset: zmass/encrypted/vm
-bhyve_list: []
-bhyve_canmount: "on"
+# Disable mounting bhyve dataset so it doesn't hide the unencrypted linfi vm
+bhyve_canmount: "off"
+bhyve_mountpoint: "none"
 bhyve_bemount: "on"
 wireguard_directory: homeserver
 enabled_wireguard:

ansible/environments/home/hosts

@@ -1,2 +1,3 @@
 [headless]
-homeserver ansible_user=talexander ansible_host=10.216.1.1
+#homeserver ansible_user=talexander ansible_host=homeserver
+homeserver ansible_user=talexander ansible_host=172.16.16.32

ansible/environments/jail/host_vars/bastion

@@ -0,0 +1 @@
+os_flavor: freebsd

ansible/environments/jail/host_vars/certificate

@@ -0,0 +1 @@
+os_flavor: freebsd

ansible/environments/jail/host_vars/sftp

@@ -0,0 +1,6 @@
+os_flavor: "freebsd"
+users:
+  nochainstounlock:
+    initialize: true
+    uid: 11235
+    gid: 11235

ansible/environments/jail/hosts

@@ -1,7 +1,10 @@
 [jail]
 nat_dhcp ansible_connection=jail
-homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
+homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@homeserver ansible_connection=sshjail
 mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
 nat_dhcp@172.16.16.2 ansible_connection=sshjail
 admin_git ansible_ssh_host=admin_git@10.217.2.1 ansible_connection=sshjail
 public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
+sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
+bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail
+certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail

ansible/environments/laptop/host_vars/odofreebsd

@@ -1,13 +1,16 @@
 os_flavor: "freebsd"
-custom_repo: current-default-framework
+custom_repo: "https://freebsdpkg.fizz.buzz/repo/currentznver4-default-framework"
+pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/currentznver4-repo/FreeBSD:15:amd64/latest"
 zfs_snapshot_datasets:
   - path: zroot/freebsd/current/be/default
 sshd_enabled: true
 sshd_conf: "sshd_config"
-#pf_config: "odofreebsd_pf.conf"
-#pflog_conf:
-#  - name: 0
-#    dev: pflog0
+pf_config: "odofreebsd_pf.conf"
+pflog_conf:
+ - name: 0
+   dev: pflog0
+prefer_ipv6: true
+dummynet_config: "dnctl.conf"
 network_rc: "odofreebsd_network.conf"
 rc_conf: "odofreebsd_rc.conf"
 loader_conf: "odofreebsd_loader.conf"
@@ -16,6 +19,7 @@ graphics_driver: "amd"
 cputype: "amd"
 hwpstate: true
 cores: 16
+sound_system: "oss"
 users:
   talexander:
     initialize: true
@@ -28,6 +32,7 @@ users:
       - name: operator # To be able to shutdown without root
       - name: webcamd
         gid: 145
+      - name: realtime
     authorized_keys:
       - yubikey
       - main_fido
@@ -36,15 +41,17 @@ users:
     gitconfig: "gitconfig_home"
 devfs_rules: "odo_devfs.rules"
 jail_zfs_dataset: zroot/freebsd/current/jails
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
+jail_canmount: "on"
 jail_list:
   - name: nat_dhcp
     enabled: true
     conf:
       src: nat_dhcp
 bhyve_dataset: zroot/freebsd/current/vm
-bhyve_list: []
-efi_dev: /dev/gpt/EFI
+bhyve_bemount: off
+# efi_dev: /dev/gpt/EFI
+efi_dev: /dev/diskid/DISK-SJB7N717610407Q0Hp1
 sway_conf_files:
   - launch_gpg
 wireguard_directory: odo
@@ -52,3 +59,10 @@ enabled_wireguard:
   - wgh
   - drmario
   - colo
+linfi:
+  enabled: true
+  zfs_dataset: zroot/freebsd/current/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "if_iwm if_iwlwifi"
+  pci_blocklist: "1/0/0"
+  amd: true

ansible/environments/laptop/host_vars/odolinux

@@ -16,6 +16,7 @@ users:
       - backup_fido
       - homeassistant
     gitconfig: "gitconfig_home"
+periodic_scrub_pools: [zroot]
 zfs_snapshot_datasets:
   # - zroot/linux/archmain/home
   - path: zroot/linux/archmain/be

ansible/environments/laptop/host_vars/odowork

@@ -17,6 +17,7 @@ users:
       - main_fido
       - backup_fido
     gitconfig: "gitconfig_work"
+periodic_scrub_pools: [zroot]
 zfs_snapshot_datasets:
   - path: zroot/linux/archwork/be
 install_graphics: true

ansible/environments/vm/host_vars/poudrieremrmanager

@@ -1,4 +1,6 @@
 os_flavor: "freebsd"
+sshd_enabled: true
+custom_repo: "file:///usr/local/poudriere/data/packages/currentznver4-default-framework"
 pkgbase_url: "file:///usr/local/poudriere/data/images/currentznver4-repo/FreeBSD:15:amd64/latest"
 poudriere_builds:
   # - jail: 13amd64
@@ -10,6 +12,19 @@ poudriere_builds:
     set: framework
     version: CURRENT
     # revision: 66d37dbedfbf2dc94ccf49e6983c3652d5909b91
-    kernel: GENERIC-NODEBUG
+    kernel: CUSTOM
     branch: main
     srcconf: currentznver4_src.conf
+  # - jail: 14broadwell
+  #   ports: default
+  #   set: computer
+  #   version: 14.0-RELEASE
+  #   kernel: GENERIC
+  #   srcconf: 14broadwell_src.conf
+  - jail: 14broadwell
+    ports: default
+    set: computer
+    version: CURRENT
+    kernel: CUSTOM
+    branch: releng/14.1
+    srcconf: 14broadwell_src.conf

ansible/playbook.yaml

@@ -27,6 +27,7 @@
     - sway
     - emacs
     - firefox
+    - chromium
     - devfs
     - ssh_client
     - sshfs
@@ -52,8 +53,9 @@
     - javascript
     - launch_keyboard
     - lvfs
-    - restaurant_health_rating
+    # - restaurant_health_rating
     - wasm
+    - noise_suppression
 
 - hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp
   vars:
@@ -66,8 +68,12 @@
     ansible_become: True
   roles:
     - sudo # for poudboot script
+    - doas
     - fstab
     - package_manager
+    - zsh
+    - termcap
+    - sshd
     - portshaker
     - poudriere
     - poudrierenginx
@@ -76,7 +82,7 @@
   vars:
     ansible_become: True
   roles:
-    - sudo
+    # - sudo
     - doas
     - users
     - package_manager
@@ -98,6 +104,7 @@
     - wireguard
     - emacs
     - mrmanager
+    - ndproxy
 
 - hosts: admin_git:public_dns
   vars:
@@ -122,14 +129,27 @@
   roles:
     - framework_laptop
 
-- hosts: homeserver
-  vars:
-    ansible_become: True
-  roles:
-    - homeserver
-
 - hosts: odowork
   vars:
     ansible_become: True
   roles:
     - odowork
+
+- hosts: sftp
+  vars:
+    ansible_become: True
+  roles:
+    - users
+    - sftp
+
+- hosts: bastion
+  vars:
+    ansible_become: True
+  roles:
+    - jail_bastion
+
+- hosts: certificate
+  vars:
+    ansible_become: True
+  roles:
+    - jail_certificate

ansible/roles/ansible/tasks/freebsd.yaml

@@ -1,6 +1,6 @@
 - name: Install packages
   package:
     name:
-      - py39-ansible
+      - py311-ansible
       - ansible-sshjail
     state: present

ansible/roles/base/files/alacritty.termcap

@@ -1,24 +0,0 @@
-#	Reconstructed via infocmp from file: /usr/share/terminfo/a/alacritty
-# (untranslatable capabilities removed to fit entry within 1023 bytes)
-# (sgr removed to fit entry within 1023 bytes)
-# (acsc removed to fit entry within 1023 bytes)
-# (terminfo-only capabilities suppressed to fit entry within 1023 bytes)
-alacritty|alacritty terminal emulator:\
-	:am:bs:hs:mi:ms:xn:\
-	:co#80:it#8:li#24:\
-	:AL=\E[%dL:DC=\E[%dP:DL=\E[%dM:DO=\E[%dB:IC=\E[%d@:\
-	:K2=\EOE:LE=\E[%dD:RI=\E[%dC:SF=\E[%dS:SR=\E[%dT:\
-	:UP=\E[%dA:ae=\E(B:al=\E[L:as=\E(0:bl=^G:bt=\E[Z:cd=\E[J:\
-	:ce=\E[K:cl=\E[H\E[2J:cm=\E[%i%d;%dH:cr=\r:\
-	:cs=\E[%i%d;%dr:ct=\E[3g:dc=\E[P:dl=\E[M:do=\n:\
-	:ds=\E]2;\007:ec=\E[%dX:ei=\E[4l:fs=^G:ho=\E[H:im=\E[4h:\
-	:is=\E[!p\E[?3;4l\E[4l\E>:k1=\EOP:k2=\EOQ:k3=\EOR:\
-	:k4=\EOS:k5=\E[15~:k6=\E[17~:k7=\E[18~:k8=\E[19~:\
-	:k9=\E[20~:kD=\E[3~:kI=\E[2~:kN=\E[6~:kP=\E[5~:kb=\177:\
-	:kd=\EOB:ke=\E[?1l\E>:kh=\EOH:kl=\EOD:kr=\EOC:\
-	:ks=\E[?1h\E=:ku=\EOA:le=^H:mb=\E[5m:md=\E[1m:me=\E[0m:\
-	:mh=\E[2m:mm=\E[?1034h:mo=\E[?1034l:mr=\E[7m:nd=\E[C:\
-	:rc=\E8:sc=\E7:se=\E[27m:sf=\n:so=\E[7m:sr=\EM:st=\EH:ta=^I:\
-	:te=\E[?1049l\E[23;0;0t:ti=\E[?1049h\E[22;0;0t:\
-	:ts=\E]2;:ue=\E[24m:up=\E[A:us=\E[4m:vb=\E[?5h\E[?5l:\
-	:ve=\E[?12l\E[?25h:vi=\E[?25l:vs=\E[?12;25h:

ansible/roles/base/files/bbr_loader.conf

@@ -0,0 +1 @@
+tcp_bbr_load="YES"

ansible/roles/base/files/cleartmp_rc.conf

@@ -0,0 +1 @@
+clear_tmp_enable="YES"

ansible/roles/base/files/decode_jwt.bash

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Decode the contents of a JWT
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec jq -R 'split(".") | .[0],.[1] | gsub("-"; "+") | gsub("_"; "/") | gsub("%3D"; "=")| @base64d | fromjson'

ansible/roles/base/files/disk_labels_loader.conf

@@ -1,8 +1,12 @@
-# Disabling both of these will make /dev/gpt/* populated
+# Populates the /dev/diskid
+kern.geom.label.disk_ident.enable="1"
+
+
+
+# Populates /dev/gpt but only if kern.geom.label.disk_ident.enable is disabled.
 #
 # This uses gpt partition labels which you can set with:
 #
 #     gpart modify -l EFI -i 1 nvd0
 
-# kern.geom.label.disk_ident.enable="0"
 # kern.geom.label.gptid.enable="1"

ansible/roles/base/files/gitconfig_home

@@ -1,35 +1,54 @@
 [user]
 	email = tom@fizz.buzz
 	name = Tom Alexander
-	signingkey = D3A179C9A53C0EDE
+	signingkey = 36C99E8B3C39D85F
 [push]
-	default = simple
+	default = simple # (default since 2.0)
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
+        authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
+	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
-
-# Use meld for `git difftool` and `git mergetool`
 [diff]
-	tool = meld
+	tool = meld # Use meld for `git difftool` and `git mergetool`
+	algorithm = histogram
+	colorMoved = plain
+	mnemonicPrefix = true
+	renames = true
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
+	conflictStyle = zdiff3
 [mergetool "meld"]
         # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
         # Make the middle pane start without any merge progress:
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
+[column]
+	ui = auto
+[branch]
+	sort = -committerdate
+[tag]
+	sort = version:refname
+[fetch]
+	prune = true
+	pruneTags = true
+	all = true
+[rebase]
+	autoSquash = true
+	autoStash = true
+	updateRefs = false

ansible/roles/base/files/gitconfig_work

@@ -1,37 +1,58 @@
 [user]
 	email = ThomasA.Alexander@hmhn.org
 	name = Tom Alexander
-	signingkey = D3A179C9A53C0EDE
+	signingkey = 36C99E8B3C39D85F
 [push]
-	default = simple
+	default = simple # (default since 2.0)
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
+        authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
+	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
-
-# Use meld for `git difftool` and `git mergetool`
 [diff]
-	tool = meld
+	tool = meld # Use meld for `git difftool` and `git mergetool`
+	algorithm = histogram
+	colorMoved = plain
+	mnemonicPrefix = true
+	renames = true
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
+	conflictStyle = zdiff3
 [mergetool "meld"]
         # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
         # Make the middle pane start without any merge progress:
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
-[includeIf "gitdir:/bridge/git/machine_setup/"]
+[includeIf "gitdir:/bridge/"]
 	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
+[includeIf "gitdir:/persist/"]
+	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
+[column]
+	ui = auto
+[branch]
+	sort = -committerdate
+[tag]
+	sort = version:refname
+[fetch]
+	prune = true
+	pruneTags = true
+	all = true
+[rebase]
+	autoSquash = true
+	autoStash = true
+	updateRefs = false

ansible/roles/base/files/gitignore_global

@@ -1,3 +1,8 @@
 .idea
 .python-version
+
+# Emacs per-directory settings
 .dir-locals.el
+
+# C/C++ Language Server compile commands
+compile_commands.json

ansible/roles/base/files/homeserver_loader.conf

@@ -1,5 +1,4 @@
 security.bsd.allow_destructive_dtrace=0
-kern.geom.label.disk_ident.enable="0"
-kern.geom.label.gptid.enable="0"
 cryptodev_load="YES"
 zfs_load="YES"
+devmatch_blocklist="if_iwm"

ansible/roles/base/files/homeserver_rc.conf

@@ -2,8 +2,7 @@ clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="computer"
-local_unbound_enable="NO"
-sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
 zfs_enable="YES"
+kld_list="${kld_list} if_iwlwifi"

ansible/roles/base/files/login.conf

@@ -44,8 +44,8 @@ default:\
 	:pseudoterminals=unlimited:\
 	:kqueues=unlimited:\
 	:umtxp=unlimited:\
+	:pipebuf=unlimited:\
 	:priority=0:\
-	:ignoretime@:\
 	:umask=022:\
 	:charset=UTF-8:\
 	:lang=en_US.UTF-8:
@@ -148,7 +148,6 @@ russian|Russian Users Accounts:\
 #	:requirehome:\
 #	:passwordtime=90d:\
 #	:umask=002:\
-#	:ignoretime@:\
 #	:tc=default:
 #
 #
@@ -173,7 +172,6 @@ russian|Russian Users Accounts:\
 ##
 #staff:\
 #	:ignorenologin:\
-#	:ignoretime:\
 #	:requirehome@:\
 #	:accounted@:\
 #	:path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
@@ -264,7 +262,6 @@ russian|Russian Users Accounts:\
 ## - no time accounting, restricted to access via dialin lines
 ##
 #site:\
-#	:ignoretime:\
 #	:passwordtime@:\
 #	:refreshtime@:\
 #	:refreshperiod@:\

ansible/roles/base/files/odofreebsd_loader.conf

@@ -1,6 +1,3 @@
 security.bsd.allow_destructive_dtrace=0
-kern.geom.label.disk_ident.enable="0"
-kern.geom.label.gptid.enable="0"
 cryptodev_load="YES"
 zfs_load="YES"
-

ansible/roles/base/files/odofreebsd_rc.conf

@@ -1,13 +1,6 @@
-clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="odo"
-wlans_iwlwifi0="wlan0"
-ifconfig_wlan0="WPA DHCP"
-ifconfig_wlan0_ipv6="inet6 accept_rtadv"
-sshd_enable="YES"
-ntpd_enable="YES"
-powerd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
 zfs_enable="YES"

ansible/roles/base/files/tmux.conf

@@ -1,4 +1,4 @@
-set-option -g mouse on
+# set-option -g mouse on
 set-option -g history-limit 20000
 # set -g @plugin 'tmux-plugins/tmux-yank'
 # Emacs style

ansible/roles/base/files/watch_freebsd

@@ -10,7 +10,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 function cleanup {
     switch_to_main_screen
 }
-for sig in EXIT INT QUIT HUP TERM; do
+for sig in EXIT; do
   trap "set +e; cleanup; exit" "$sig"
 done
 

ansible/roles/base/meta/main.yaml

@@ -1,2 +1,3 @@
 dependencies:
   - fstab
+  # - termcap

ansible/roles/base/tasks/common.yaml

@@ -16,21 +16,19 @@
       - wget
       - colordiff
       - ipcalc
-      - kdiff3
-      - meld
       - tcpdump
       - moreutils # for ts [%Y-%m-%d %H:%M:%.S]
       - ddrescue
+      - dmidecode
     state: present
 
-- name: Set timezone
-  file:
-    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
-    dest: /etc/localtime
-    owner: root
-    # TODO: Arch Linux is changing the group to root instead of wheel. Maybe make this a variable?
-    group: wheel
-    state: link
+- name: Install packages
+  when: install_graphics
+  package:
+    name:
+      - kdiff3
+      - meld
+    state: present
 
 - name: Install scripts
   copy:
@@ -50,6 +48,8 @@
       dest: /usr/local/bin/cleanup_temporary_files
     - src: git_fix_author.bash
       dest: /usr/local/bin/git_fix_author
+    - src: decode_jwt.bash
+      dest: /usr/local/bin/decode_jwt
 
 - import_tasks: tasks/freebsd.yaml
   when: 'os_flavor == "freebsd"'

ansible/roles/base/tasks/freebsd.yaml

@@ -1,3 +1,11 @@
+- name: Set timezone
+  file:
+    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
+    dest: /etc/localtime
+    owner: root
+    group: wheel
+    state: link
+
 - name: Install packages
   package:
     name:
@@ -5,29 +13,18 @@
       - gsed
       - gmake
       - rust-coreutils
+      - shuf
     state: present
 
-- name: See if the alacritty termcap has been added
-  lineinfile:
-    name: /usr/share/misc/termcap
-    regexp: |-
-      ^alacritty\|
-    state: absent
-  check_mode: yes
-  changed_when: false
-  register: alacritty_cap
-
-- name: Append alacritty termcap info
-  blockinfile:
-    path: /usr/share/misc/termcap
-    block: "{{ lookup('file', 'alacritty.termcap') }}"
-    marker: "# {mark} ANSIBLE MANAGED BLOCK alacritty"
-  when: not alacritty_cap.found
-  register: wrote_alacritty_cap
-
-- name: Update cap_mkdb
-  command: cap_mkdb /usr/share/misc/termcap
-  when: wrote_alacritty_cap.changed
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - cleartmp
 
 - name: Install login.conf
   copy:
@@ -42,18 +39,6 @@
   command: cap_mkdb /etc/login.conf
   when: login_config.changed
 
-- name: Enable periodic scrub
-  community.general.sysrc:
-    name: daily_scrub_zfs_enable
-    value: "YES"
-    path: /etc/periodic.conf.local
-
-- name: Set scrub interval
-  community.general.sysrc:
-    name: daily_scrub_zfs_default_threshold
-    value: "7"
-    path: /etc/periodic.conf.local
-
 - name: Install loader.conf
   copy:
     src: "{{loader_conf}}"
@@ -92,27 +77,27 @@
     owner: root
     group: wheel
   loop:
-    - src: bemount.bash
-      dest: /usr/local/bin/bemount
+    # - src: bemount.bash
+    #   dest: /usr/local/bin/bemount
     - src: watch_freebsd
       dest: /usr/local/bin/ww
 
-- name: Install rc script
-  copy:
-    src: "files/{{ item.src }}"
-    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
-    owner: root
-    group: wheel
-    mode: 0755
-  loop:
-    - src: bemount_rc.sh
-      dest: bemount
+# - name: Install rc script
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+#     owner: root
+#     group: wheel
+#     mode: 0755
+#   loop:
+#     - src: bemount_rc.sh
+#       dest: bemount
 
-- name: Enable bemount
-  community.general.sysrc:
-    name: bemount_enable
-    value: "YES"
-    path: /etc/rc.conf.d/bemount
+# - name: Enable bemount
+#   community.general.sysrc:
+#     name: bemount_enable
+#     value: "YES"
+#     path: /etc/rc.conf.d/bemount
 
 - name: Install loader.conf
   copy:
@@ -122,4 +107,67 @@
     owner: root
     group: wheel
   loop:
+    - zfs
     - disk_labels
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: false
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    # Adjust ttl
+    - name: net.inet.ip.ttl
+      value: 65
+    - name: net.inet6.ip6.hlim
+      value: 65
+
+- name: Log periodic output instead of getting it as mail
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK log"
+    create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_output=/var/log/daily.log
+      weekly_output=/var/log/weekly.log
+      monthly_output=/var/log/monthly.log
+
+- name: Enable periodic zfs scrub
+  when: install_zfs
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK zfs"
+    create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_scrub_zfs_enable="YES"
+      daily_scrub_zfs_default_threshold="14"
+
+# Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
+- name: Install loader.conf
+  copy:
+    src: "files/{{ item }}_loader.conf"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - bbr
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: false
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    - name: net.inet.tcp.functions_default
+      value: "bbr"

ansible/roles/base/tasks/linux.yaml

@@ -1,3 +1,11 @@
+- name: Set timezone
+  file:
+    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
+    dest: /etc/localtime
+    owner: root
+    group: root
+    state: link
+
 - name: Install packages
   package:
     name:
@@ -9,6 +17,7 @@
       - uutils-coreutils
       - usbutils # for lsusb
       - bolt
+      - whois
     state: present
 
 - name: Start pkgfile update service
@@ -18,17 +27,6 @@
     daemon_reload: yes
     enabled: yes
 
-# Of questionable value since I don't use swap on my machines
-- name: Configure sysctls for swap
-  sysctl:
-    name: "{{ item.name }}"
-    value: "{{ item.value }}"
-    state: present
-    sysctl_file: /etc/sysctl.d/swap.conf
-  loop:
-    - name: vm.swappiness
-      value: 10
-
 - name: Install scripts
   copy:
     src: "files/{{ item.src }}"
@@ -41,3 +39,41 @@
       dest: /usr/local/bin/mount_disk_image
     - src: watch_linux
       dest: /usr/local/bin/ww
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    sysctl_file: /etc/sysctl.d/{{ item.file }}
+  loop:
+    # Of questionable value since I don't use swap on my machines
+    - name: vm.swappiness
+      value: 10
+      file: swap.conf
+    # Enable TCP packetization-layer PMTUD when an ICMP black hole is detected.
+    - name: net.ipv4.tcp_mtu_probing
+      value: 1
+      file: tcp.conf
+    # Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
+    - name: net.ipv4.tcp_congestion_control
+      value: bbr
+      file: tcp.conf
+    # Don't do a slow start after a connection has been idle for a single RTO.
+    - name: net.ipv4.tcp_slow_start_after_idle
+      value: 0
+      file: tcp.conf
+    # 3x time to accumulate filesystem changes before flushing to disk.
+    - name: vm.dirty_writeback_centisecs
+      value: 1500
+      file: power.conf
+    # Adjust ttl
+    - name: net.ipv4.ip_default_ttl
+      value: 65
+      file: ttl.conf
+    - name: net.ipv6.conf.all.hop_limit
+      value: 65
+      file: ttl.conf
+    - name: net.ipv6.conf.default.hop_limit
+      value: 65
+      file: ttl.conf

ansible/roles/bhyve/defaults/main.yaml

@@ -1,2 +1 @@
 bhyve_mountpoint: "/vm"
-bhyve_list: []

ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash

@@ -30,6 +30,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
 : ${VNC_ENABLE:="NO"}
 : ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
 
 if [ "$VERBOSE" = "YES" ]; then
     set -x
@@ -45,7 +47,7 @@ function cleanup {
     done
 }
 vms=()
-for sig in EXIT INT QUIT HUP TERM; do
+for sig in EXIT; do
   trap "set +e; sleep 10; cleanup" "$sig"
 done
 
@@ -105,7 +107,8 @@ function start_vm {
     local bridge_name="$BRIDGE_NAME"
     local ip_range="$IP_RANGE" # for raw this value does not matter
 
-    local mac_address=$(calculate_mac_address "$name")
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")
 
     local additional_args=()
 
@@ -140,7 +143,7 @@ function start_vm {
         additional_args+=("-s" "5,ahci-cd,$mount_cd")
     fi
     if [ "$VNC_ENABLE" = "YES" ]; then
-        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=1920,h=1080")
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
     fi
     vms+=("$name")
     while true; do
@@ -150,7 +153,10 @@ function start_vm {
             -D \
             -c $CPU_CORES \
             -m $MEMORY \
+            -S \
             -H \
+            -P \
+            -o 'rtc.use_localtime=false' \
             -s 0,hostbridge \
             -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
             -s 30,xhci,tablet \
@@ -211,7 +217,7 @@ EOF
 mkpeer ${host_interface_name}: bridge ether link0
 name ${host_interface_name}:ether $bridge_name
 EOF
-        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" "$ip_range" up
+        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
     fi
 }
 
@@ -245,7 +251,8 @@ function ng_exists {
 
 function calculate_mac_address {
     local name="$1"
-    local source=$(md5 -r -s "$name" | awk '{print $1}')
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
     echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
 }
 

ansible/roles/bhyve/files/bhyverc.bash

@@ -0,0 +1,478 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Share a host directory to the guest via 9pfs.
+#
+# Inside the VM run:
+#   mount -t virtfs -o trans=virtio sharename /some/vm/path
+#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
+#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 bind9p /path/to/mountpoint
+# bhyve_options="-s 28,virtio-9p,sharename=/"
+
+# Enable Sound
+# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
+
+# Example usage:
+#
+#   doas bhyverc create-disk zdata/vm/poudriere /vm/poudriere 10
+#   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
+#   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere
+
+
+: ${VERBOSE:="NO"} # or YES
+if [ "$VERBOSE" = "YES" ]; then
+    set -x
+fi
+
+: ${CPU_CORES:="1"}
+: ${MEMORY:="1G"}
+: ${NETWORK:="NAT"} # or RAW or BOTH
+: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
+: ${INTERFACE_NAME:="jail_nat"} # or the external interface like lagg0 for RAW networks
+: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
+: ${VNC_ENABLE:="NO"}
+: ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
+: ${BIND9P:=""}
+: ${PREVENT_OOM:="NO"}
+: "${CD:=}"
+
+: ${SHUTDOWN_TIMEOUT:="600"} # 10 minutes
+
+
+
+############## Setup #########################
+
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
+
+function main {
+    local cmd
+    cmd=$1
+    shift
+    if [ "$cmd" = "start" ]; then
+        init
+        start "${@}"
+    elif [ "$cmd" = "stop" ]; then
+        init
+        stop "${@}"
+    elif [ "$cmd" = "status" ]; then
+        init
+        status "${@}"
+    elif [ "$cmd" = "console" ]; then
+        init
+        console "${@}"
+    elif [ "$cmd" = "_start_body" ]; then
+        init
+        start_body "${@}"
+    elif [ "$cmd" = "create-disk" ]; then
+        create_disk "${@}"
+    else
+        (>&2 echo "Unknown command: $cmd")
+        exit 1
+    fi
+}
+
+function start {
+    local num_vms="$#"
+    if [ "$num_vms" -eq 0 ]; then
+        log "No VMs specified."
+        return 0
+    fi
+
+    while [ "$#" -gt 0 ]; do
+        local name="$1"
+        shift 1
+        log "Starting VM $name."
+        start_one "$name"
+        [ "$#" -eq 0 ] || sleep 5
+    done
+}
+
+function start_one {
+    local name="$1"
+    local tmux_name="$name"
+    /usr/local/bin/tmux new-session -d -s "$tmux_name" "$0" "_start_body" "$name"
+    # /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=NO VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_opnsense.bash"
+}
+
+function launch_pidfile {
+    local pidfile="$1"
+    shift 1
+    mkdir -p "$(dirname "$pidfile")"
+    cat > "${pidfile}" <<< "$$"
+    set -x
+    exec "${@}"
+}
+export -f launch_pidfile
+
+function stop {
+    local num_vms="$#"
+    if [ "$num_vms" -eq 0 ]; then
+        log "No VMs specified."
+        return 0
+    fi
+
+    while [ "$#" -gt 0 ]; do
+        local name="$1"
+        shift 1
+        log "Stopping VM $name."
+        stop_one "$name"
+        [ "$#" -eq 0 ] || sleep 5
+    done
+}
+
+function stop_one {
+    local name="$1"
+    local pidfile="/run/bhyverc/${name}/pid"
+
+    if [ ! -e "$pidfile" ]; then
+        log "Pid file $pidfile does not exist."
+        return 0
+    fi
+
+    local bhyve_pid
+    bhyve_pid=$(cat "$pidfile")
+
+    if ps -p "$bhyve_pid" >/dev/null; then
+        # Send ACPI shutdown command
+        log "Sending ACPI shutdown to ${name}:${bhyve_pid}."
+        kill -SIGTERM "$bhyve_pid"
+    fi
+
+    local timeout_start timeout_end
+    timeout_start=$(date +%s)
+    while ps -p "$bhyve_pid" >/dev/null; do
+        timeout_end=$(date +%s)
+        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
+            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to shut down. Hard powering down."
+            break
+        fi
+
+        log "Waiting for ${name}:${bhyve_pid} to exit."
+        sleep 2
+    done
+
+    bhyvectl "--vm=$name" --destroy || true
+
+    local timeout_start timeout_end
+    timeout_start=$(date +%s)
+    while ps -p "$bhyve_pid" >/dev/null; do
+        timeout_end=$(date +%s)
+        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
+            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to hard power down. Giving up."
+            break
+        fi
+
+        log "Waiting for ${name}:${bhyve_pid} to hard power down."
+        sleep 2
+    done
+
+    rm -f "$pidfile"
+
+    log "Finished stopping $name."
+}
+
+function status {
+    local num_vms="$#"
+
+    if [ "$num_vms" -gt 0 ]; then
+        for name in "$@"; do
+            status_one "$name"
+        done
+    else
+        log "No VMs specified."
+    fi
+}
+
+function status_one {
+    local name="$1"
+    local pidfile="/run/bhyverc/${name}/pid"
+
+    if [ ! -e "$pidfile" ]; then
+        log "$name is not running."
+        return 0
+    fi
+
+    local bhyve_pid
+    bhyve_pid=$(cat "$pidfile")
+
+    if ! ps -p "$bhyve_pid" >/dev/null; then
+        log "$name is not running."
+        return 0
+    fi
+
+    log "$name is running as pid $bhyve_pid."
+}
+
+function console {
+    local num_vms="$#"
+
+    if [ "$num_vms" -gt 0 ]; then
+        for name in "$@"; do
+            log "Attaching to console of VM $name."
+            console_one "$name"
+        done
+    else
+        log "No VMs specified."
+    fi
+}
+
+function console_one {
+    local name="$1"
+    local tmux_name="$name"
+    exec tmux a -t "$tmux_name"
+}
+
+function init {
+    mkdir -p /run/bhyverc
+}
+
+############## Bhyve ###########################
+
+function create_disk {
+    local zfs_path="$1"
+    local mount_path="$2"
+    local gigabytes="$3"
+    zfs create -o "mountpoint=$mount_path" "$zfs_path"
+    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
+    tee "${mount_path}/settings" <<EOF
+CPU_CORES="$CPU_CORES"
+MEMORY="$MEMORY"
+NETWORK="$NETWORK"
+IP_RANGE="$IP_RANGE"
+BRIDGE_NAME="$BRIDGE_NAME"
+INTERFACE_NAME="$INTERFACE_NAME"
+EOF
+    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none "$zfs_path/disk0"
+}
+
+function start_body {
+    local name="$1"
+    local zfs_path="zdata/vm/$name"
+    local mount_path="/vm/$name"
+
+    if [ -e "${mount_path}/settings" ]; then
+        source "${mount_path}/settings"
+    fi
+
+    local mount_cd="$CD"
+
+    local host_interface_name="$INTERFACE_NAME" # for raw, external interface
+    local bridge_name="$BRIDGE_NAME"
+    local ip_range="$IP_RANGE" # for raw this value does not matter
+
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")
+
+    if [ "$PREVENT_OOM" = "YES" ]; then
+        protect -d -i -p "$$"
+    fi
+
+    local entry parsed_item
+    local additional_args=()
+    local next_pcie_slot=10
+
+    if [ "$NETWORK" = "NAT" ]; then
+        assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+    elif [ "$NETWORK" = "RAW" ]; then
+        assert_raw "$host_interface_name" "$bridge_name"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+    elif [ "$NETWORK" = "BOTH" ]; then
+        assert_bridge "jail_nat" "$bridge_name" "$ip_range"
+        assert_raw "$host_interface_name" "bridge_raw"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        local raw_bridge_link_name=$(detect_available_link "bridge_raw")
+        local raw_mac_address=$(calculate_mac_address "${name}_raw")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+        additional_args+=("-s" "3:0,virtio-net,netgraph,path=bridge_raw:,peerhook=${raw_bridge_link_name},mac=${raw_mac_address}")
+    else
+        die 1 "Unrecognized NETWORK type $NETWORK"
+    fi
+
+    if [ -n "$BIND9P" ]; then
+        if [[ "$BIND9P" = *":"* ]]; then
+            IFS=':' read -ra entry <<<"$BIND9P"
+            for item in "${entry[@]}"; do
+                IFS='=' read -ra parsed_item <<<"$item"
+                additional_args+=("-s" "${next_pcie_slot},virtio-9p,${parsed_item[0]}=${parsed_item[1]}")
+                next_pcie_slot=$((next_pcie_slot+1))
+            done
+        else
+            additional_args+=("-s" "${next_pcie_slot},virtio-9p,bind9p=${BIND9P}")
+            next_pcie_slot=$((next_pcie_slot+1))
+        fi
+    fi
+
+
+    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
+         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
+             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
+            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
+
+    # TODO: Look into using nmdm instead of stdio for serial console
+    if [ -n "$mount_cd" ]; then
+        additional_args+=("-s" "5,ahci-cd,$mount_cd")
+    fi
+    if [ "$VNC_ENABLE" = "YES" ]; then
+        additional_args+=("-s" "${next_pcie_slot},fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
+        next_pcie_slot=$((next_pcie_slot+1))
+    fi
+    vms+=("$name")
+    while true; do
+        local pidfile="/run/bhyverc/${name}/pid"
+        trap "set +e; stop_one '${name}'" EXIT
+
+        local launch_cmd=()
+        launch_cmd+=(
+            launch_pidfile "$pidfile"
+            bhyve
+            -D
+            -c "$CPU_CORES"
+            -m "$MEMORY"
+            -S
+            -H
+            -o 'rtc.use_localtime=false'
+            -s "0,hostbridge"
+            -s "4,nvme,/dev/zvol/${zfs_path}/disk0"
+            -s "${next_pcie_slot},xhci,tablet"
+            -s "$((next_pcie_slot+1)),lpc" -l "com1,stdio"
+            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd"
+            "${additional_args[@]}"
+            "$name"
+        )
+        set +e
+        rm -f "$pidfile"
+        (
+            IFS=$' \n\t'
+            set -ex
+            bash -c "${launch_cmd[*]}"
+        )
+        local exit_code=$?
+        log "Exit code ${exit_code}"
+        set -e
+        if [ $exit_code -eq 0 ]; then
+            echo "Rebooting."
+            sleep 5
+        elif [ $exit_code -eq 1 ]; then
+            echo "Powered off."
+            break
+        elif [ $exit_code -eq 2 ]; then
+            echo "Halted."
+            break
+        elif [ $exit_code -eq 3 ]; then
+            echo "Triple fault."
+            break
+        elif [ $exit_code -eq 4 ]; then
+            echo "Exited due to an error."
+            break
+        fi
+    done
+}
+
+function detect_available_link {
+    local bridge_name="$1"
+    local linknum=1
+    while true; do
+        local link_name="link${linknum}"
+        if ! ng_exists "${bridge_name}:${link_name}"; then
+            echo "$link_name"
+            return
+        fi
+        linknum=$((linknum + 1))
+        if [ "$linknum" -gt 90 ]; then
+            (>&2 echo "No available links on bridge $bridge_name")
+            exit 1
+        fi
+    done
+}
+
+function assert_bridge {
+    local host_interface_name="$1"
+    local bridge_name="$2"
+    local ip_range="$3"
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook $host_interface_name
+EOF
+        ngctl -d -f - <<EOF
+mkpeer ${host_interface_name}: bridge ether link0
+name ${host_interface_name}:ether $bridge_name
+EOF
+        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
+    fi
+}
+
+function assert_raw {
+    local extif="$1"
+    local bridge_name="$2"
+
+    kldload -n ng_bridge ng_eiface ng_ether
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctlcat <<EOF
+# Create a bridge.
+mkpeer $extif: bridge lower link0
+# Assign a name to the bridge.
+name $extif:lower ${bridge_name}
+# Since the host is also using $extif, we need to connect the upper hook also. Otherwise we will lose connectivity.
+connect $extif: ${bridge_name}: upper link1
+
+# Enable promiscuous mode so the host ethernet adapter accepts packets for all addresses
+msg $extif: setpromisc 1
+
+# Do not overwrite source address on packets
+msg $extif: setautosrc 0
+EOF
+    fi
+}
+
+function ng_exists {
+    ngctl status "${1}" >/dev/null 2>&1
+}
+
+function calculate_mac_address {
+    local name="$1"
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
+    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
+}
+
+function find_available_port {
+    local start_port="$1"
+    local port="$start_port"
+    while true; do
+        sockstat -P tcp -p 443
+        port=$((port + 1))
+    done
+}
+
+function ngctlcat {
+    if [ "$VERBOSE" = "YES" ]; then
+        tee /dev/tty | ngctl -d -f -
+    else
+        ngctl -d -f -
+    fi
+}
+
+main "${@}"

ansible/roles/bhyve/files/bhyverc.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# REQUIRE: LOGIN FILESYSTEMS
+# PROVIDE: bhyverc
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+name=bhyverc
+rcvar=${name}_enable
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+status_cmd="${name}_status"
+console_cmd="${name}_console"
+extra_commands="console"
+load_rc_config $name
+
+bhyverc_start() {
+    export PATH="$PATH:/usr/local/bin"
+    exec /usr/local/bin/bhyverc start "${@}"
+}
+
+bhyverc_status() {
+    export PATH="$PATH:/usr/local/bin"
+    exec /usr/local/bin/bhyverc status "${@}"
+}
+
+bhyverc_stop() {
+    export PATH="$PATH:/usr/local/bin"
+    exec /usr/local/bin/bhyverc stop "${@}"
+}
+
+bhyverc_console() {
+    export PATH="$PATH:/usr/local/bin"
+    exec /usr/local/bin/bhyverc console "${@}"
+}
+
+run_rc_command "$@"

ansible/roles/bhyve/tasks/freebsd.yaml

@@ -22,6 +22,25 @@
   loop:
     - src: bhyve_netgraph_bridge.bash
       dest: /usr/local/bin/bhyve_netgraph_bridge
+    - src: bhyverc.bash
+      dest: /usr/local/bin/bhyverc
+
+- name: Install rc script
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: bhyverc.sh
+      dest: bhyverc
+
+- name: Enable bhyverc
+  community.general.sysrc:
+    name: bhyverc_enable
+    value: "YES"
+    path: /etc/rc.conf.d/bhyverc
 
 - name: Create zfs dataset
   zfs:

ansible/roles/build/files/aurutils-sync

@@ -5,4 +5,4 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-GPGKEY=27DE40D9B8455C1B exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@"
+GPGKEY=4278299FB84F6875 exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@"

ansible/roles/build/files/gpg.asc

@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
-0H+RsWG0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
-uEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w+R0CGwMFCwkIBwIGFQoJCAsCBBYCAwEC
-HgECF4AACgkQJ95A2bhFXBt6fgD+NOYnw9gz5K/q3H5LE/JvqzCSHezJmeGgif0C
-uU4m1/MA+gPDKME7syEtJsTpELEMrxWWpDW0tD/W1iJE7roGYPQPtB1Ub20gQWxl
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A
-2bhFXBsFAl2cFhoCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQJ95A2bhF
-XBvYJQEA19wc2s/bEKcnHONC3i8UikLFqZXyYoH6/MFjoAteU8sBAKpE7Qq0zbJb
-XWRESzK3u6p7/+kUqOeDltAuKXTe1FAGuDMEXZwWyhYJKwYBBAHaRw8BAQdAPyIL
-4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI9QQYFggAJgIbAhYhBLhIFZNj
-wod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2IAQZFggAHRYhBIHmRDmWdVAu
-sSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7ejJ4A/iq7N2mMhx+ovOXm1REo
-ASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZLuka/KVB/etkkJvDzvaTtiQQ
-QG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/EZ3/d8wxfA9E3Fb/1mt4c2Zr
-NnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/duA4lwsLuDMEXZwXARYJKwYB
-BAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+UiQb8x0k1z2DmTKIfgQYFggA
-JgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdZgAAoJECfeQNm4
-RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SBPG4VvrCzXrmlAP46wUjIRpkM
-rTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2cFygSCisGAQQBl1UBBQEBB0AO
-0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWIEgMBCAeIfgQYFggAJgIbDBYh
-BLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdY5AAoJECfeQNm4RVwbXscA
-/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcWd5t8APwIwcuFVZZA3yayhIxi
-3aqYpMRxpn2t6Nswax1MIM8DBQ==
-=dzEV
+mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
+Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
+/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
+eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
+AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
+n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
+8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
+HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
+fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
+AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
+gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
+mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
+nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
+KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
+B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
+CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
+/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
+Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
+BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
+rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
+7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
+=OfDR
 -----END PGP PUBLIC KEY BLOCK-----

ansible/roles/build/files/gpg_work.asc

@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
-0H+RsWG0LVRob21hcyBBbGV4YW5kZXIgPFRob21hc0EuQWxleGFuZGVyQGhtaG4u
-b3JnPoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAmULicsCGwMFCwkI
-BwIGFQoJCAsCBBYCAwECHgECF4AACgkQJ95A2bhFXBsUtQD9GWPdWc/nSmO0Gp7p
-DzxrieliriAnO+ZCHp31mFbMtToBAPxPYN9y4kgSiXhLiFLoRK5k5FCspksTSitg
-0CbXDE4LuDgEXZwWGhIKKwYBBAGXVQEFAQEHQK202EIAwTBuxARUygOvn+AloMJd
-ui39m+nMghn1MNo+AwEIB4h4BBgWCAAgFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsF
-Al2cFhoCGwwACgkQJ95A2bhFXBtNzAEAq5I6xPjIbb23xmhxh5cM/UJxdGedfWMy
-vF6/JtDvtPUBAPQRQn5AMwTOA+CSnliYf7ZjfVOlHscy60XWPlvXLoAJuDMEXZwW
-yhYJKwYBBAHaRw8BAQdAPyIL4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI
-9QQYFggAJgIbAhYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2
-IAQZFggAHRYhBIHmRDmWdVAusSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7e
-jJ4A/iq7N2mMhx+ovOXm1REoASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZ
-Luka/KVB/etkkJvDzvaTtiQQQG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/
-EZ3/d8wxfA9E3Fb/1mt4c2ZrNnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/
-duA4lwsLuDMEXZwXARYJKwYBBAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+
-UiQb8x0k1z2DmTKIfgQYFggAJgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJl
-C4ZwBQkLMdZgAAoJECfeQNm4RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SB
-PG4VvrCzXrmlAP46wUjIRpkMrTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2c
-FygSCisGAQQBl1UBBQEBB0AO0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWI
-EgMBCAeIfgQYFggAJgIbDBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkL
-MdY5AAoJECfeQNm4RVwbXscA/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcW
-d5t8APwIwcuFVZZA3yayhIxi3aqYpMRxpn2t6Nswax1MIM8DBQ==
-=0HtE
+mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
+Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
+/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
+eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
+AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
+n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
+8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
+HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
+fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
+AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
+gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
+mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
+nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
+KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
+B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
+CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
+/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
+Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
+BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
+rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
+7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
+=OfDR
 -----END PGP PUBLIC KEY BLOCK-----

ansible/roles/build/tasks/linux.yaml

@@ -40,11 +40,11 @@
   command: pacman-key -a -
   args:
     stdin: "{{ lookup('file', pgp_key|default('gpg.asc')) }}"
-  when: '"B848159363C2877917954BE127DE40D9B8455C1B" not in pacmankeys.stdout'
+  when: '"D272C8D6167F26859467666F4278299FB84F6875" not in pacmankeys.stdout'
   register: my_key_imported
 
 - name: Sign my signing key
-  command: pacman-key --lsign-key "B848159363C2877917954BE127DE40D9B8455C1B"
+  command: pacman-key --lsign-key "D272C8D6167F26859467666F4278299FB84F6875"
   when: my_key_imported.changed
 
 - name: Build the aurutils package
@@ -103,7 +103,8 @@
     - /var/cache/pacman/custom/
 
 - name: Create custom repo db
-  command: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*"
+  # shell: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*"
+  command: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar
   become: true
   become_user: "{{ build_user.name }}"
   args:

ansible/roles/chromium/files/chromium-flags.conf

@@ -0,0 +1,2 @@
+--ozone-platform-hint=auto
+--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder

ansible/roles/chromium/meta/main.yaml

@@ -0,0 +1,2 @@
+dependencies:
+  - users

ansible/roles/chromium/tasks/freebsd.yaml

@@ -0,0 +1,5 @@
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present

ansible/roles/chromium/tasks/linux.yaml

@@ -0,0 +1,7 @@
+# Check chrome://gpu/ to confirm hardware video decoding and vulkan rendering is working.
+
+- name: Install packages
+  package:
+    name:
+      - chromium
+    state: present

ansible/roles/chromium/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: install_graphics

ansible/roles/chromium/tasks/peruser_linux.yaml

@@ -0,0 +1,10 @@
+- name: Copy files
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+    mode: 0600
+    owner: "{{ account_name.stdout }}"
+    group: "{{ group_name.stdout }}"
+  loop:
+    - src: chromium-flags.conf
+      dest: .config/chromium-flags.conf

ansible/roles/cpu/files/aesni_loader.conf

@@ -1 +0,0 @@
-aesni_load="YES"

ansible/roles/cpu/files/amd_microcode_rc.conf

@@ -0,0 +1 @@
+microcode_update_enable="YES"

ansible/roles/cpu/files/cryptodev_loader.conf

@@ -0,0 +1 @@
+cryptodev_load="YES"

ansible/roles/cpu/tasks/freebsd_amd.yaml

@@ -1,3 +1,9 @@
+- name: Install packages
+  package:
+    name:
+      - cpu-microcode-amd
+    state: present
+
 - name: Install loader.conf
   copy:
     src: "files/{{ item }}_loader.conf"
@@ -17,8 +23,10 @@
     group: wheel
   loop:
     - power_profile
+    - amd_microcode
 
 - name: Install loader.conf
+  when: hwpstate is defined and hwpstate
   copy:
     src: "files/{{ item }}_loader.conf"
     dest: "/boot/loader.conf.d/{{ item }}.conf"
@@ -26,4 +34,5 @@
     owner: root
     group: wheel
   loop:
-    - aesni
+    - per_core_hwpstate
+    - cryptodev

ansible/roles/cpu/tasks/freebsd_intel.yaml

@@ -16,7 +16,6 @@
   loop:
     - coretemp
     - cpuctl
-    - aesni
     - intel_microcode
 
 - name: Install service configuration
@@ -78,4 +77,5 @@
     owner: root
     group: wheel
   loop:
-    - percorespeedshift
+    - per_core_hwpstate
+    - cryptodev

ansible/roles/devfs/files/homeserver_devfs.rules

@@ -17,3 +17,9 @@ add include $devfsrules_hide_all
 add include $devfsrules_unhide_basic
 add include $devfsrules_unhide_login
 add path 'bpf*' unhide
+
+[tajailrand=15]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path urandom unhide

ansible/roles/docker/tasks/linux.yaml

@@ -2,6 +2,8 @@
   package:
     name:
       - docker
+      - docker-compose
+      - docker-buildx
     state: present
 
 - name: Create docker zfs dataset

ansible/roles/emacs/files/early-init.el

@@ -1,7 +1,7 @@
-(setq gc-cons-threshold (* 128 1024 1024)) ;; Increase garbage collection threshold for performance (default 800000)
+(setq gc-cons-threshold (* 128 1024 1024)) ;; 128MiB Increase garbage collection threshold for performance (default 800000)
 ;; Increase amount of data read from processes, default 4k
 (when (version<= "27.0" emacs-version)
-  (setq read-process-output-max (* 1024 1024)) ;; 1mb
+  (setq read-process-output-max (* 10 1024 1024)) ;; 10MiB
   )
 
 ;; Suppress warnings

ansible/roles/emacs/files/elisp/base-extensions.el

@@ -51,17 +51,27 @@
 ;; Persist history over Emacs restarts. Vertico sorts by history position.
 (use-package savehist
   ;; This is an emacs built-in but we're pulling the latest version
+  :pin gnu
   :config
   (savehist-mode))
 
 (use-package which-key
+  :pin gnu
   :diminish
   :config
   (which-key-mode))
 
 (use-package windmove
-  :config
-  (windmove-default-keybindings))
+  ;; This is an emacs built-in but we're pulling the latest version
+  :pin gnu
+  :bind
+  (
+   ("S-<up>" . windmove-up)
+   ("S-<right>" . windmove-right)
+   ("S-<down>" . windmove-down)
+   ("S-<left>" . windmove-left)
+   )
+  )
 
 (setq tramp-default-method "ssh")
 

ansible/roles/emacs/files/elisp/base.el

@@ -63,6 +63,9 @@
  show-trailing-whitespace t
  ;; Remove the line when killing it with ctrl-k
  kill-whole-line t
+
+ ;; Show the current project in the mode line
+ project-mode-line t
  )
 
 ;; (setq-default fringes-outside-margins t)

ansible/roles/emacs/files/elisp/lang-c.el

@@ -0,0 +1,49 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(defun locate-compile-commands-file ()
+  "See if compile_commands.json exists."
+  ;; This can be generated by prefixing the make command with `intercept-build15 --append`
+  (let ((compile-commands-file (locate-dominating-file (buffer-file-name) "compile_commands.json")))
+    compile-commands-file
+    )
+  )
+
+(defun activate-c-eglot ()
+  "Activate eglot for the c family of languages."
+  (when (locate-compile-commands-file)
+    (eglot-ensure)
+    (defclass my/eglot-c (eglot-lsp-server) ()
+      :documentation
+      "Own eglot server class.")
+
+    (add-to-list 'eglot-server-programs
+                 '(c-ts-mode . (my/eglot-c "/usr/local/bin/clangd15")))
+    (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+    )
+  )
+
+(use-package c-mode
+  :mode (
+         ("\\.c\\'" . c-ts-mode)
+         ("\\.h\\'" . c-or-c++-ts-mode)
+         )
+  :commands (c-mode c-ts-mode)
+  :pin manual
+  :ensure nil
+  :hook (
+         (c-ts-mode . (lambda ()
+                        (activate-c-eglot)
+                        ))
+         )
+  :init
+  (add-to-list 'major-mode-remap-alist '(c-mode . c-ts-mode))
+  (add-to-list 'major-mode-remap-alist '(c++-mode . c++-ts-mode))
+  (add-to-list 'major-mode-remap-alist '(c-or-c++-mode . c-or-c++-ts-mode))
+  (add-to-list 'treesit-language-source-alist '(c "https://github.com/tree-sitter/tree-sitter-c"))
+  (add-to-list 'treesit-language-source-alist '(cpp "https://github.com/tree-sitter/tree-sitter-cpp"))
+  (unless (treesit-ready-p 'c) (treesit-install-language-grammar 'c))
+  (unless (treesit-ready-p 'cpp) (treesit-install-language-grammar 'cpp))
+  )
+
+(provide 'lang-c)

ansible/roles/emacs/files/elisp/lang-cmake.el

@@ -0,0 +1,18 @@
+(require 'common-lsp)
+
+(use-package cmake-mode
+  :commands cmake-mode
+  :hook (
+         (cmake-mode . (lambda ()
+                         (eglot-ensure)
+                         (defclass my/eglot-cmake (eglot-lsp-server) ()
+                           :documentation
+                           "Own eglot server class.")
+
+                         (add-to-list 'eglot-server-programs
+                                      '(cmake-mode . (my/eglot-cmake "cmake-language-server")))
+                         ))
+         )
+  )
+
+(provide 'lang-cmake)

ansible/roles/emacs/files/elisp/lang-d2.el

@@ -0,0 +1,16 @@
+(defun d2-format-buffer ()
+  "Run prettier."
+  (interactive)
+  (run-command-on-buffer "d2" "fmt" "-")
+  )
+
+(use-package d2-mode
+  :commands (d2-mode)
+  :hook (
+         (d2-mode . (lambda ()
+                      ;; (add-hook 'before-save-hook 'd2-format-buffer nil 'local)
+                      ))
+         )
+  )
+
+(provide 'lang-d2)

ansible/roles/emacs/files/elisp/lang-nix.el

@@ -0,0 +1,22 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(use-package nix-mode
+  :mode (("\\.nix\\'" . nix-mode)
+         )
+  :commands nix-mode
+  :hook (
+         (nix-mode . (lambda ()
+                       (eglot-ensure)
+                       (defclass my/eglot-nix (eglot-lsp-server) ()
+                         :documentation
+                         "Own eglot server class.")
+
+                       (add-to-list 'eglot-server-programs
+                                    '(nix-mode . (my/eglot-nix "nixd")))
+                       (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                       ))
+         )
+  )
+
+(provide 'lang-nix)

ansible/roles/emacs/files/elisp/lang-org.el

@@ -1,14 +1,23 @@
 (use-package org
   :ensure nil
   :commands org-mode
-  :bind (
+  :bind (:map org-mode-map
          ("C-c l" . org-store-link)
          ("C-c a" . org-agenda)
+         ("S-<up>" . org-shiftup)
+         ("S-<right>" . org-shiftright)
+         ("S-<down>" . org-shiftdown)
+         ("S-<left>" . org-shiftleft)
          )
   :hook (
          (org-mode . (lambda ()
                        (org-indent-mode +1)
-                        ))
+                       ))
+         ;; Make windmove work in Org mode:
+         (org-shiftup-final . windmove-up)
+         (org-shiftleft-final . windmove-left)
+         (org-shiftdown-final . windmove-down)
+         (org-shiftright-final . windmove-right)
          )
   :config
   (require 'org-tempo)
@@ -36,6 +45,8 @@
 
   ;; TODO: There is an option to set the compiler, could be better than manually doing this here https://orgmode.org/manual/LaTeX_002fPDF-export-commands.html
   ;; (setq org-latex-compiler "lualatex")
+  ;; TODO: nixos latex page recommends this line, figure out what it does / why its needed:
+  ;; (setq org-preview-latex-default-process 'dvisvgm)
   (setq org-latex-pdf-process
         '("lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
           "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
@@ -76,4 +87,8 @@
 (use-package gnuplot)
 (use-package graphviz-dot-mode)
 
+(use-package htmlize
+  ;; For syntax highlighting when exporting to HTML.
+  )
+
 (provide 'lang-org)

ansible/roles/emacs/files/elisp/lang-python.el

@@ -57,19 +57,29 @@
   :pin manual
   :hook (
          (python-ts-mode . (lambda ()
-                          (when (executable-find "poetry")
-                            (add-poetry-venv-to-path)
-                            (let ((venv (locate-venv-poetry))) (when venv
-                                                                 (setq eglot-workspace-configuration
-                                                                       (list (cons ':python (list ':venvPath venv ':pythonPath (concat venv "/bin/python")))))
-                                                                 ))
-                            )
-                          (when-linux
-                            (eglot-ensure)
-                            )
+                             (when-linux
+                               (when (executable-find "poetry")
+                                 (add-poetry-venv-to-path)
+                                 (let ((venv (locate-venv-poetry))) (when venv
+                                                                      (setq eglot-workspace-configuration
+                                                                            (list (cons ':python (list ':venvPath venv ':pythonPath (concat venv "/bin/python")))))
+                                                                      ))
+                                 )
+                               (eglot-ensure)
+                               )
 
-                          (add-hook 'before-save-hook 'python-fmt nil 'local)
-                          ))
+                             ;; (when-freebsd
+                             ;;   (eglot-ensure)
+                             ;;   (defclass my/eglot-pylyzer (eglot-lsp-server) ()
+                             ;;     :documentation
+                             ;;     "Own eglot server class.")
+
+                             ;;   (add-to-list 'eglot-server-programs
+                             ;;                '(python-ts-mode . (my/eglot-pylyzer "pylyzer" "--server")))
+                             ;;   )
+
+                             (add-hook 'before-save-hook 'python-fmt nil 'local)
+                             ))
          )
   :bind ((:map python-ts-mode-map ([backspace] . python-backspace))
          )

ansible/roles/emacs/files/elisp/lang-rust.el

@@ -57,7 +57,7 @@
   :init
   (add-to-list 'major-mode-remap-alist '(rust-mode . rust-ts-mode))
   (add-to-list 'treesit-language-source-alist '(rust "https://github.com/tree-sitter/tree-sitter-rust"))
-  (unless (treesit-ready-p 'yaml) (treesit-install-language-grammar 'rust))
+  (unless (treesit-ready-p 'rust) (treesit-install-language-grammar 'rust))
   :config
   ;; Add keybindings for interacting with Cargo
   (use-package cargo

ansible/roles/emacs/files/elisp/lang-xml.el

@@ -0,0 +1,17 @@
+(defun xml-fmt ()
+  "Run xmllint --format."
+  (run-command-on-buffer "xmllint" "--format" "-")
+  )
+
+(use-package nxml-mode
+  :commands (nxml-mode)
+  :pin manual
+  :ensure nil
+  :hook (
+         (nxml-mode . (lambda ()
+                        (add-hook 'before-save-hook 'xml-fmt nil 'local)
+                        ))
+         )
+  )
+
+(provide 'lang-xml)

ansible/roles/emacs/files/elisp/util-tree-sitter.el

@@ -4,6 +4,8 @@
   :commands (treesit-install-language-grammar treesit-ready-p)
   :init
   (setq treesit-language-source-alist '())
+  :custom
+  (treesit-max-buffer-size 209715200) ;; 200MiB
   :config
   ;; Default to the max level of detail in treesitter highlighting. This
   ;; can be overridden in each language's use-package call with:

ansible/roles/emacs/files/init.el

@@ -32,4 +32,14 @@
 
 (require 'lang-dockerfile)
 
+(require 'lang-c)
+
+(require 'lang-xml)
+
+(require 'lang-nix)
+
+(require 'lang-cmake)
+
+(require 'lang-d2)
+
 (load-directory autoload-directory)

ansible/roles/emacs/files/plainmacs

@@ -15,7 +15,8 @@ INIT_SCRIPT=$(cat <<EOF
   ;; Set default font
   (set-face-attribute 'default nil :height 100 :width 'regular :weight 'regular :family "Cascadia Mono")
   ;; Set fallback font for unicode glyphs
-  (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji"))
+  (when (display-graphic-p)
+    (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji")))
   (menu-bar-mode -1)
   (when (fboundp 'tool-bar-mode)
     (tool-bar-mode -1))

ansible/roles/emacs/files/plainmacs_init.el

@@ -11,7 +11,8 @@
   ;; Set default font
   (set-face-attribute 'default nil :height 100 :width 'regular :weight 'regular :family "Cascadia Mono")
   ;; Set fallback font for unicode glyphs
-  (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji"))
+  (when (display-graphic-p)
+    (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji")))
   (menu-bar-mode -1)
   (when (fboundp 'tool-bar-mode)
     (tool-bar-mode -1))

ansible/roles/emacs/meta/main.yaml

@@ -5,3 +5,7 @@ dependencies:
     when: 'emacs_flavor == "full"'
   - role: python
     when: 'emacs_flavor == "full"'
+  - role: terraform
+    when: 'emacs_flavor == "full"'
+  - role: nix
+    when: 'emacs_flavor == "full"'

ansible/roles/emacs/tasks/freebsd.yaml

@@ -1,27 +1,35 @@
 - name: Install packages
+  when: install_graphics
   package:
     name:
       - emacs
     state: present
 
+- name: Install packages
+  when: not install_graphics
+  package:
+    name:
+      - emacs-nox
+    state: present
+
 - name: Install packages
   when: 'emacs_flavor == "full"'
   package:
     name:
-      - py39-pygments
+      - py311-pygments
       - inkscape # to support SVGs in LaTeX
       # - prettier # typescript formatting
       - aspell
       - en-aspell
       - unzip # for extracting mspyls
-      - py39-isort
-      - py39-black
+      - py311-isort
+      - py311-black
       - zip # for odt export from org-mode
       - gnuplot # used for exporting graphs from org-mode
       # - pyright
       - sqlite3 # for sqlite code blocks in org-mode
       # - terraform-ls # Terraform language server
-      - py39-ptvsd
+      - py311-ptvsd
       - hs-ShellCheck
       # - gopls
     state: present

ansible/roles/emacs/tasks/linux.yaml

@@ -15,6 +15,7 @@
       - typescript-language-server
       - shellcheck
       - vscode-css-languageserver
+      - d2 # Generating diagrams
     state: present
 
 - name: Create directories

ansible/roles/firefox/defaults/main.yaml

@@ -1,14 +1,44 @@
 firefox_config:
   # identity.sync.tokenserver.uri: "https://ffsync.fizz.buzz/token/1.0/sync/1.5"
+  media.hardware-video-decoding.force-enabled: true
   media.ffmpeg.vaapi.enabled: true
   doh-rollout.doorhanger-decision: "UIDisabled"
   dom.security.https_only_mode: true
   dom.security.https_only_mode_ever_enabled: true
   extensions.activeThemeID: "firefox-compact-dark@mozilla.org"
   # Disable ads
-  extensions.pocket.enabled: false
   browser.newtabpage.activity-stream.showSponsored: false
   browser.newtabpage.activity-stream.showSponsoredTopSites: false
   browser.newtabpage.activity-stream.feeds.section.topstories: false
   browser.newtabpage.pinned: "[]"
   browser.newtabpage.activity-stream.section.highlights.includePocket: false
+  # Disable cache when devtools are open.
+  devtools.cache.disabled: true
+  # Do not track header.
+  privacy.donottrackheader.enabled: true
+  # Tell websites not to share or sell my data.
+  privacy.globalprivacycontrol.enabled: true
+  # Disable "studies" (slice testing)
+  app.shield.optoutstudies.enabled: false
+  # Disable battery status, used to track users.
+  dom.battery.enabled: false
+  # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
+  #
+  # This breaks copying from BigQuery https://github.com/microsoft/monaco-editor/issues/1540
+  # dom.event.clipboardevents.enabled: false
+  # Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.
+  privacy.firstparty.isolate: true
+  # Do not preload URLs that auto-complete in the address bar.
+  browser.urlbar.speculativeConnect.enabled: false
+  # Do not resist fingerprinting because that tells websites to use light mode.
+  # https://bugzilla.mozilla.org/show_bug.cgi?id=1732114
+  privacy.resistFingerprinting: null # (default false)
+  # Instead, enable fingerprinting protection, which allows configuring an override.
+  privacy.fingerprintingProtection: true
+  # Allow sending dark mode preference to websites.
+  # Allow sending timezone to websites.
+  privacy.fingerprintingProtection.overrides: "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt,-CanvasExtractionFromThirdPartiesIsBlocked"
+  # Disable weather on new tab page
+  browser.newtabpage.activity-stream.showWeather: false
+  browser.ml.chat.enabled: false
+  browser.ml.enabled: false

ansible/roles/firefox/tasks/linux.yaml

@@ -3,4 +3,5 @@
     name:
       - libfido2
       - firefox-developer-edition
+      - speech-dispatcher # For TTS
     state: present

ansible/roles/firefox/tasks/peruser.yaml

@@ -10,12 +10,21 @@
   register: firefox_about_config
 
 - name: Configure Firefox about:config
+  when: item[1].value != None
   lineinfile:
     path: "{{ item[0].path }}"
     regexp: '"{{ item[1].key }}", [^")\n]*\)'
     line: 'user_pref("{{ item[1].key }}", {{ item[1].value | to_json }});'
   loop: "{{ firefox_about_config.files | product(firefox_config | dict2items) | list }}"
 
+- name: Configure Firefox about:config
+  when: item[1].value == None
+  lineinfile:
+    path: "{{ item[0].path }}"
+    regexp: '"{{ item[1].key }}", [^")\n]*\)'
+    state: absent
+  loop: "{{ firefox_about_config.files | product(firefox_config | dict2items) | list }}"
+
 - import_tasks: tasks/peruser_freebsd.yaml
   when: 'os_flavor == "freebsd"'
 

ansible/roles/firewall/files/homeserver_pf.conf

@@ -1,48 +1,50 @@
+# TODO: ipv6 RFC 6296 - Network Prefix Translation?
+# match out on $ext_if inet6 from fd00:db8::/48 binat-to 2001:db8::/48
+# TODO: Maybe ipv6 icmp rules from https://oneuptime.com/blog/post/2026-03-20-configure-ipv6-firewall-pf-freebsd/view
+
+#
+# restricted_nat 10.215.2.1/24
+# jail_nat 10.215.1.1/24
+#
+
+#
+# External connections -> 172.16.16.32:8081
+# rdr to bastion 10.215.1.217
+# snat to bridge?
+#
+
 ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
 not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
-jail_nat_v4 = "{ 10.215.1.0/24 }"
-not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
-restricted_nat_v4 = "{ 10.215.2.0/24 }"
-not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }"
+rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
 
 dhcp = "{ bootpc, bootps }"
 allow = "{ wgh wgf }"
 
 tcp_pass_in = "{ 22 }"
 udp_pass_in = "{ 53 51820 }"
-unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
 
 # Rules must be in order: options, normalization, queueing, translation, filtering
 
 # options
 set skip on lo
 
-# redirections
-nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
-rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+# normalization
 
-# cloak
-nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0)
-rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 1.1.1.1 port 53
+# queueing
 
-rdr pass on $ext_if inet proto tcp from $not_restricted_nat_v4 to any port 8081 -> 10.215.2.2 port 8081
-nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8081 -> 10.215.2.1
+# translation
+nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> (wlan0)
+nat pass on restricted_nat proto {tcp, udp} tagged NATRESTRICTED -> (restricted_nat)
+nat pass on jail_nat proto {tcp, udp} tagged NATJAIL -> (jail_nat)
 
-# Forward ports for unifi controller
-# rdr pass on $ext_if inet proto tcp from any to any port 65022 -> 10.213.177.8 port 22
-rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
+# external -> bastion
+rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8081 tag NATJAIL -> 10.215.1.217 port 443
+# external -> sftp
+rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8022 tag NATJAIL -> 10.215.1.216 port 22
 
 # filtering
 block log all
-pass out on $ext_if
-
-pass in on jail_nat
-# Allow traffic from my machine to the jails/virtual machines
-pass out on jail_nat from $jail_nat_v4
-pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports
-pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081
-
-pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }
+pass out on $ext_if from (wlan0)
 
 # We pass on the interfaces listed in allow rather than skipping on
 # them because changes to pass rules will update when running a
@@ -54,5 +56,11 @@ pass quick on $allow
 pass on $ext_if proto icmp all
 pass on $ext_if proto icmp6 all
 
-pass in on $ext_if proto tcp to any port $tcp_pass_in
-pass in on $ext_if proto udp to any port $udp_pass_in
+pass in on $ext_if proto tcp to (wlan0) port $tcp_pass_in
+pass in on $ext_if proto udp to (wlan0) port $udp_pass_in
+
+
+# Allow DNS and wireguard from cloak
+pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT
+# bastion -> cloak
+pass in on jail_nat proto {udp, tcp} from 10.215.1.217 to 10.215.2.2 port 8081 tag NATRESTRICTED

ansible/roles/firewall/files/mrmanager_pf.conf

@@ -2,7 +2,8 @@ ext_if = "lagg0"
 not_ext_if = "{ !lagg0 }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
-pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
+# pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
+pub_k8s = "{ 74.80.180.137, 74.80.180.139, 74.80.180.140, 74.80.180.141, 74.80.180.142, 2620:11f:7001:7:ffff:dddd::/112 }"
 
 dhcp = "{ bootpc, bootps }"
 allow = "{ colo }"
@@ -33,20 +34,25 @@ scrub in on $ext_if all fragment reassemble
 
 # redirections
 nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
-rdr pass proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
+rdr pass on jail_nat proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
+rdr pass on jail_nat proto {tcp, udp} from any to 2620:11f:7001:7:ffff:ffff:0ad7:0101 port 53 tag REDIREXTERNAL -> 2606:4700:4700::1111 port 53
 
-rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 -> 10.215.1.204 port 6443
+rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
 
-rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 -> 10.215.1.204 port 19993
+rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
 
-rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 -> 10.215.1.210 port 22
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22
 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22
 
-rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 -> 10.215.1.211 port 53
+# log (to pflog1)
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
 
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65122 tag REDIRINTERNAL -> 10.215.1.219 port 22
+rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65122 tag REDIRINTERNAL -> 10.215.1.219 port 22
+
 nat pass tagged REDIRINTERNAL -> (jail_nat)
 nat pass tagged REDIREXTERNAL -> ($ext_if)
 
@@ -63,6 +69,11 @@ pass quick on $allow
 
 # Single interface kubernetes cluster is working with the following run on mrmanager:
 #   doas route add -host 74.80.180.139 -interface jail_nat
+#   doas route add -net 10.129.0.0/16 -interface jail_nat
+#   doas route -6 add -net '2620:11f:7001:7:ffff:ffff:0ad7:0100/120' -interface jail_nat
+#   doas route -6 add -net '2620:11f:7001:7:ffff:eeee::/96' -interface jail_nat
+#   doas route -6 add -net '2620:11f:7001:7:ffff:dddd::/112' -interface jail_nat
+#   doas ifconfig jail_nat inet6 2620:11f:7001:7:ffff:ffff:0ad7:0101/120
 #   doas sysctl net.link.ether.inet.proxyall=1
 # Plus this in pf.conf:
 #   pass quick from any to 74.80.180.139
@@ -72,6 +83,10 @@ pass in on jail_nat
 # Allow traffic from my machine to the jails/virtual machines
 pass out on jail_nat from (jail_nat:network)
 
+#pass quick in on $ext_if proto {tcp6, udp6} from any to 2620:11f:7001:7:ffff:ffff:0ad7:0100/120
+pass in quick on $ext_if from any to 2620:11f:7001:7:ffff:ffff:0ad7:0100/120
+pass out quick on jail_nat to 2620:11f:7001:7:ffff:ffff:0ad7:0100/120
+
 
 pass in on $ext_if proto tcp to any port $tcp_pass_in
 pass in on $ext_if proto udp to any port $udp_pass_in

ansible/roles/firewall/files/odofreebsd_pf.conf

@@ -1,11 +1,11 @@
-ext_if = "{ wlan0 }"
-not_ext_if = "{ !wlan0 }"
+ext_if = "{ linfi_host }"
+not_ext_if = "{ !linfi_host }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
-dns_redirect = "{ 10.193.223.1 10.213.177.1 10.215.1.1 }"
+rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
 
 dhcp = "{ bootpc, bootps }"
-#allow = "{ wgf wgh drmario colo }"
+allow = "{ wgf wgh drmario colo }"
 
 tcp_pass_in = "{ 22 }"
 udp_pass_in = "{ 53 51820 }"
@@ -16,8 +16,8 @@ udp_pass_in = "{ 53 51820 }"
 set skip on lo
 
 # redirections
-#nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
-#rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
 
 # Redirect jaeger ports to virtual machine.
 # nat pass on lo inet from 127.0.0.0/24 to 127.0.0.0/24 port {6831 6832 16686 14268} -> (jail_nat)
@@ -27,16 +27,18 @@ set skip on lo
 block log all
 pass out on $ext_if
 
-#pass in on jail_nat
+pass in on jail_nat
+# match in on jail_nat from any to any dnpipe 1
+# match in on jail_nat from any to $rfc1918 dnpipe 2
 # Allow traffic from my machine to the jails/virtual machines
-#pass out on jail_nat from $jail_nat_v4
+pass out on jail_nat from $jail_nat_v4
 
 # We pass on the interfaces listed in allow rather than skipping on
 # them because changes to pass rules will update when running a
 # `service pf reload` but interfaces that we `skip` will not update (I
 # forget if its from adding, removing, or both. TODO: test to figure
 # it out). Also skipped interfaces are not subject to nat/rdr rules.
-#pass quick on $allow
+pass quick on $allow
 
 pass on $ext_if proto icmp all
 pass on $ext_if proto icmp6 all

ansible/roles/framework_laptop/files/disable_sp5100_watchdog_modprobe.conf

@@ -0,0 +1,2 @@
+# Disable the hardware watchdog inside AMD 700 chipset series for power savings.
+blacklist sp5100_tco

ansible/roles/framework_laptop/files/disable_wifi_powersave_loader.conf

@@ -0,0 +1,3 @@
+  # Disable power save for wifi card because power save caused video stuttering in google meet on Linux. Both of these are currently the default on FreeBSD but I'm saving it just in case that default changes.
+compat.linuxkpi.iwlwifi_power_save="0"
+compat.linuxkpi.iwlwifi_mvm_power_scheme="1"

ansible/roles/framework_laptop/files/gpe10-boot.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Disable gpe10 interrupt on boot
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/sh -c "echo disable > /sys/firmware/acpi/interrupts/gpe10"
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/framework_laptop/files/gpe10-sleep.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Enable gpe10 interrupt for sleep
+Before=sleep.target
+StopWhenUnneeded=true
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/sh -c "echo enable > /sys/firmware/acpi/interrupts/gpe10"
+ExecStop=/bin/sh -c "echo disable > /sys/firmware/acpi/interrupts/gpe10"
+
+[Install]
+WantedBy=sleep.target

ansible/roles/framework_laptop/files/iwlwifi_modprobe.conf

@@ -0,0 +1,13 @@
+# Manually disable power save:
+# iw wlan0 set power_save off
+
+## High power:
+options iwlwifi power_save=0
+# options iwlwifi uapsd_disable=1
+options iwlmvm power_scheme=1 # 1-active, 2-balanced, 3-low power, default: 2 (int)
+
+## Low power:
+# options iwlwifi power_save=1
+# ? power_level:default power save level (range from 1 - 5, default: 1) (int)
+# options iwlwifi uapsd_disable=0
+# options iwlmvm power_scheme=3

ansible/roles/framework_laptop/files/launch_windows.bash

@@ -0,0 +1,285 @@
+#!/usr/local/bin/bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Share a host directory to the guest via 9pfs.
+#
+# Inside the VM run:
+#   mount -t virtfs -o trans=virtio sharename /some/vm/path
+#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
+#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 sharename /path/to/mountpoint
+# bhyve_options="-s 28,virtio-9p,sharename=/"
+
+# Enable Sound
+# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
+
+# Example usage:
+#
+#   doas bhyve_netgraph_bridge create-disk zdata/vm/poudriere /vm/poudriere 10
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere
+
+: ${VERBOSE:="NO"} # or YES
+: ${CPU_CORES:="1"}
+: ${MEMORY:="1G"}
+: ${NETWORK:="NAT"} # or RAW or BOTH
+: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
+: ${INTERFACE_NAME:="jail_nat"} # or the external interface like lagg0 for RAW networks
+: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
+: ${VNC_ENABLE:="NO"}
+: ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
+
+if [ "$VERBOSE" = "YES" ]; then
+    set -x
+fi
+
+############## Setup #########################
+
+function cleanup {
+    for vm in "${vms[@]}"; do
+        log "Destroying bhyve vm $vm"
+        bhyvectl "--vm=$vm" --destroy
+        log "Destroyed bhyve vm $vm"
+    done
+}
+vms=()
+for sig in EXIT; do
+  trap "set +e; sleep 10; cleanup" "$sig"
+done
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
+
+function main {
+    local cmd="$1"
+    shift 1
+    if [ "$cmd" = "create-disk" ]; then
+        create_disk "${@}"
+    elif [ "$cmd" = "start" ]; then
+        start_vm "${@}"
+    else
+        die 1 "Unrecognized command $cmd"
+    fi
+}
+
+function create_disk {
+    local zfs_path="$1"
+    local mount_path="$2"
+    local gigabytes="$3"
+    zfs create -o "mountpoint=$mount_path" "$zfs_path"
+    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
+    tee "${mount_path}/settings" <<EOF
+CPU_CORES="$CPU_CORES"
+MEMORY="$MEMORY"
+NETWORK="$NETWORK"
+IP_RANGE="$IP_RANGE"
+BRIDGE_NAME="$BRIDGE_NAME"
+INTERFACE_NAME="$INTERFACE_NAME"
+EOF
+    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none -o volblocksize=64K "$zfs_path/disk0"
+}
+
+function start_vm {
+    local name="$1"
+    local zfs_path="$2"
+    local mount_path="$3"
+    local mount_cd="${4:-}"
+
+    if [ -e "${mount_path}/settings" ]; then
+        source "${mount_path}/settings"
+    fi
+
+    local host_interface_name="$INTERFACE_NAME" # for raw, external interface
+    local bridge_name="$BRIDGE_NAME"
+    local ip_range="$IP_RANGE" # for raw this value does not matter
+
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")
+
+    local additional_args=()
+
+    if [ "$NETWORK" = "NAT" ]; then
+        assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        additional_args+=("-s" "2:0,e1000,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+    elif [ "$NETWORK" = "RAW" ]; then
+        assert_raw "$host_interface_name" "$bridge_name"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+    elif [ "$NETWORK" = "BOTH" ]; then
+        assert_bridge "jail_nat" "$bridge_name" "$ip_range"
+        assert_raw "$host_interface_name" "bridge_raw"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        local raw_bridge_link_name=$(detect_available_link "bridge_raw")
+        local raw_mac_address=$(calculate_mac_address "${name}_raw")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+        additional_args+=("-s" "3:0,virtio-net,netgraph,path=bridge_raw:,peerhook=${raw_bridge_link_name},mac=${raw_mac_address}")
+    elif [ "$NETWORK" = "NONE" ]; then
+        (>&2 echo "Not using any network.")
+    else
+        die 1 "Unrecognized NETWORK type $NETWORK"
+    fi
+
+
+    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
+         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
+             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
+            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
+
+    # TODO: Look into using nmdm instead of stdio for serial console
+    if [ -n "$mount_cd" ]; then
+        additional_args+=("-s" "5,ahci-cd,$mount_cd")
+    fi
+    if [ "$VNC_ENABLE" = "YES" ]; then
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT,wait")
+    fi
+    vms+=("$name")
+    # Removes CPU_CORES because windows must be a single CPU in bhyve
+    # -c $CPU_CORES \
+        # We need tpm
+    #             -l "tpm,passthru,/dev/tpm0" \
+                    # -S \
+    while true; do
+        set -x
+        set +e
+        bhyve \
+            -D \
+            -c sockets=1,cores=2,threads=2 \
+            -m $MEMORY \
+            -H \
+            -w \
+            -o 'rtc.use_localtime=false' \
+            -s 0,hostbridge \
+            -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
+            -s 16,hda,play=/dev/dsp,rec=/dev/dsp \
+            -s 30,xhci,tablet \
+            -s 31,lpc -l com1,stdio \
+            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \
+            -U '5a63bcd1-5cb4-4401-8a6f-d4042fb928a6' \
+            "${additional_args[@]}" \
+            "$name"
+        local exit_code=$?
+        set -e
+        set +x
+        if [ $exit_code -eq 0 ]; then
+            echo "Rebooting."
+            sleep 5
+        elif [ $exit_code -eq 1 ]; then
+            echo "Powered off."
+            break
+        elif [ $exit_code -eq 2 ]; then
+            echo "Halted."
+            break
+        elif [ $exit_code -eq 3 ]; then
+            echo "Triple fault."
+            break
+        elif [ $exit_code -eq 4 ]; then
+            echo "Exited due to an error."
+            break
+        fi
+    done
+}
+
+function detect_available_link {
+    local bridge_name="$1"
+    local linknum=1
+    while true; do
+        local link_name="link${linknum}"
+        if ! ng_exists "${bridge_name}:${link_name}"; then
+            echo "$link_name"
+            return
+        fi
+        linknum=$((linknum + 1))
+        if [ "$linknum" -gt 90 ]; then
+            (>&2 echo "No available links on bridge $bridge_name")
+            exit 1
+        fi
+    done
+}
+
+function assert_bridge {
+    local host_interface_name="$1"
+    local bridge_name="$2"
+    local ip_range="$3"
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook $host_interface_name
+EOF
+        ngctl -d -f - <<EOF
+mkpeer ${host_interface_name}: bridge ether link0
+name ${host_interface_name}:ether $bridge_name
+EOF
+        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" "$ip_range" up
+    fi
+}
+
+function assert_raw {
+    local extif="$1"
+    local bridge_name="$2"
+
+    kldload -n ng_bridge ng_eiface ng_ether
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctlcat <<EOF
+# Create a bridge.
+mkpeer $extif: bridge lower link0
+# Assign a name to the bridge.
+name $extif:lower ${bridge_name}
+# Since the host is also using $extif, we need to connect the upper hook also. Otherwise we will lose connectivity.
+connect $extif: ${bridge_name}: upper link1
+
+# Enable promiscuous mode so the host ethernet adapter accepts packets for all addresses
+msg $extif: setpromisc 1
+
+# Do not overwrite source address on packets
+msg $extif: setautosrc 0
+EOF
+    fi
+}
+
+function ng_exists {
+    ngctl status "${1}" >/dev/null 2>&1
+}
+
+function calculate_mac_address {
+    local name="$1"
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
+    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
+}
+
+function find_available_port {
+    local start_port="$1"
+    local port="$start_port"
+    while true; do
+        sockstat -P tcp -p 443
+        port=$((port + 1))
+    done
+}
+
+function ngctlcat {
+    if [ "$VERBOSE" = "YES" ]; then
+        tee /dev/tty | ngctl -d -f -
+    else
+        ngctl -d -f -
+    fi
+}
+
+
+main "${@}"

ansible/roles/framework_laptop/files/screen_brightness_tmpfiles.conf

@@ -1,2 +1,2 @@
 # Set screen brightness. Ever since enabling adaptive brightness management, my brightness ends up sinking lower on re-boots (I suspect it is saving the actual brightness rather than the set brightness). This forces the brightness back to the level I prefer.
-w- /sys/class/backlight/amdgpu_bl0/brightness - - - - 85
+w- /sys/class/backlight/amdgpu_bl0/brightness - - - - 21845

ansible/roles/framework_laptop/files/snd_hda_intel_modprobe.conf

@@ -0,0 +1,2 @@
+# Sound power-saving was causing chat notifications to be inaudible.
+# options snd_hda_intel power_save=1

ansible/roles/framework_laptop/files/wifi_us_modprobe.conf

@@ -0,0 +1 @@
+options cfg80211 ieee80211_regdom=US

ansible/roles/framework_laptop/files/windows

@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# REQUIRE: LOGIN
+# PROVIDE: windows
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+name=windows
+rcvar=${name}_enable
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+status_cmd="${name}_status"
+load_rc_config $name
+
+tmux_name="windows"
+
+windows_start() {
+   /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=YES VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /usr/local/bin/launch_windows start windows zroot/freebsd/current/vm/windows /vm/windows /vm/.iso/Win11_23H2_English_x64v2.iso"
+}
+
+windows_status() {
+    if /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null; then
+        echo "$tmux_name is running."
+    else
+        echo "$tmux_name is not running."
+        return 1
+    fi
+}
+
+windows_stop() {
+    /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null && (
+        /usr/local/bin/tmux kill-session -t $tmux_name
+        sleep 10
+        bhyvectl --vm=windows --destroy
+        # kill `cat /var/run/windows.pid`
+    )
+    windows_wait_for_end
+}
+
+windows_wait_for_end() {
+    while /usr/local/bin/tmux has-session -t $tmux_name 2>dev/null; do
+        sleep 1
+    done
+}
+
+run_rc_command "$1"

ansible/roles/framework_laptop/meta/main.yaml

@@ -0,0 +1,3 @@
+dependencies:
+  - role: bhyve
+    when: 'os_flavor == "freebsd"'

ansible/roles/framework_laptop/tasks/freebsd.yaml

@@ -1,5 +1,30 @@
-# - name: Install packages
-#   package:
-#     name:
-#       - foo
-#     state: present
+- name: Install loader.conf
+  copy:
+    src: "files/{{ item }}_loader.conf"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - disable_wifi_powersave
+
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: launch_windows.bash
+      dest: /usr/local/bin/launch_windows
+
+- name: Install rc script
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: windows

ansible/roles/framework_laptop/tasks/linux.yaml

@@ -18,3 +18,83 @@
     group: wheel
   loop:
     - screen_brightness
+
+- name: Install module config
+  copy:
+    src: "files/{{ item }}_modprobe.conf"
+    dest: "/etc/modprobe.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - iwlwifi
+    - snd_hda_intel
+    - disable_sp5100_watchdog
+    - wifi_us
+
+- name: Configure kernel command line
+  zfs:
+    name: "zroot/linux/archwork/be"
+    state: present
+    extra_zfs_properties:
+      # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
+      # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+      # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+      # amd_pstate=passive :: Fully automated hardware pstate control.
+      # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
+      # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
+      # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
+      "org.zfsbootmenu:commandline": "rw quiet amdgpu.abmlevel=2 pcie_aspm=force pcie_aspm.policy=powersupersave nowatchdog amdgpu.dcdebugmask=0x10"
+
+- name: Install Configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: gpe10-boot.service
+      dest: /etc/systemd/system/gpe10-boot.service
+    - src: gpe10-sleep.service
+      dest: /etc/systemd/system/gpe10-sleep.service
+
+- name: Enable services
+  systemd:
+    enabled: yes
+    name: "{{ item }}"
+    daemon_reload: yes
+  loop:
+    - gpe10-boot.service
+    - gpe10-sleep.service
+# install swtpm
+# install edk2-ovmf for /usr/share/ovmf/OVMF.fd
+# install qemu-system-x86
+
+# doas qemu-system-x86_64 -cdrom /vm/.iso/Win11_23H2_English_x64v2.iso -cpu Skylake-Client-v3 -enable-kvm -m 8192 —device chardev,socket,id=chrtpm,path=/tmp/emulated_tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -smp 2 -device intel-hda -device hda-duplex -usb -nic user,ipv6=off,model=rtl8139,mac=84:1b:77:c9:03:a6 -bios /usr/share/edk2/x64/OVMF.fd -drive file=/dev/zvol/zroot/freebsd/current/vm/windows/disk0,format=raw,media=disk,if=none,id=nvm -device nvme,drive=nvm,serial=foo,opt_io_size=4096,min_io_size=4096,logical_block_size=4096,physical_block_size=4096
+
+# doas mkdir /tmp/emulated_tpm
+# doas swtpm socket --tpmstate dir=/tmp/emulated_tpm --ctrl type=unixio,path=/tmp/emulated_tpm/swtpm-sock --log level=20 --tpm2
+
+- name: Build aur packages
+  register: buildaur
+  become_user: "{{ build_user.name }}"
+  command: "aurutils-sync --no-view {{ item }}"
+  args:
+    creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+  loop:
+    - fw-ectool-git
+
+- name: Update cache
+  when: buildaur.changed
+  pacman:
+    name: []
+    state: present
+    update_cache: true
+
+- name: Install packages
+  package:
+    name:
+      - fw-ectool-git
+      - wireless-regdb
+    state: present

ansible/roles/google_cloud_sdk/files/google_logging_link.py

@@ -0,0 +1,14 @@
+#!/usr/bin/env python
+#
+# Generate a link to google cloud logging by passing in a logging query.
+import sys
+import urllib.parse
+
+def main():
+    query = "\n".join([line.strip() for line in sys.stdin.readlines()])
+    query = urllib.parse.quote(query)
+    query = query + "?project=project-id-here"
+    print(query)
+
+if __name__ == "__main__":
+    main()

ansible/roles/google_cloud_sdk/tasks/common.yaml

@@ -1,3 +1,14 @@
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: google_logging_link.py
+      dest: /usr/local/bin/google_logging_link
+
 - import_tasks: tasks/freebsd.yaml
   when: 'os_flavor == "freebsd"'