Configure kernel preemption.

1.5 came out recently, so no gateway providers support it.

ansible/environments/home/host_vars/homeserver

@@ -77,8 +77,17 @@ jail_list:
   #     - name: mumbledb
   #       mount: /var/db/murmur
 bhyve_dataset: zmass/encrypted/vm
-bhyve_canmount: "on"
+# Disable mounting bhyve dataset so it doesn't hide the unencrypted linfi vm
+bhyve_canmount: "off"
+bhyve_mountpoint: "none"
 bhyve_bemount: "on"
 wireguard_directory: homeserver
 enabled_wireguard:
   - wgh
+linfi:
+  enabled: true
+  zfs_dataset: zmass/unencrypted/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "ath if_ath if_ath_pci ath_hal if_iwm if_iwlwifi"
+  pci_blocklist: "6/0/0"
+  amd: false

ansible/environments/home/hosts

@@ -1,2 +1,2 @@
 [headless]
-homeserver ansible_user=talexander ansible_host=10.216.1.1
+homeserver ansible_user=talexander ansible_host=homeserver

ansible/environments/laptop/host_vars/odofreebsd

@@ -59,3 +59,10 @@ enabled_wireguard:
   - wgh
   - drmario
   - colo
+linfi:
+  enabled: true
+  zfs_dataset: zroot/freebsd/current/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "if_iwm if_iwlwifi"
+  pci_blocklist: "1/0/0"
+  amd: true

ansible/playbook.yaml

@@ -126,12 +126,14 @@
   vars:
     ansible_become: True
   roles:
+    - linfi
     - framework_laptop
 
 - hosts: homeserver
   vars:
     ansible_become: True
   roles:
+    - linfi
     - homeserver
 
 - hosts: odowork

ansible/roles/base/files/bbr_loader.conf

@@ -0,0 +1 @@
+tcp_bbr_load="YES"

ansible/roles/base/files/gitconfig_home

@@ -8,6 +8,7 @@
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
+	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]

ansible/roles/base/files/gitconfig_work

@@ -8,6 +8,7 @@
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
+	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]

ansible/roles/base/files/login.conf

@@ -44,6 +44,7 @@ default:\
 	:pseudoterminals=unlimited:\
 	:kqueues=unlimited:\
 	:umtxp=unlimited:\
+	:pipebuf=unlimited:\
 	:priority=0:\
 	:ignoretime@:\
 	:umask=022:\

ansible/roles/base/tasks/freebsd.yaml

@@ -39,18 +39,6 @@
   command: cap_mkdb /etc/login.conf
   when: login_config.changed
 
-- name: Enable periodic scrub
-  community.general.sysrc:
-    name: daily_scrub_zfs_enable
-    value: "YES"
-    path: /etc/periodic.conf.local
-
-- name: Set scrub interval
-  community.general.sysrc:
-    name: daily_scrub_zfs_default_threshold
-    value: "7"
-    path: /etc/periodic.conf.local
-
 - name: Install loader.conf
   copy:
     src: "{{loader_conf}}"
@@ -134,3 +122,51 @@
       value: 65
     - name: net.inet6.ip6.hlim
       value: 65
+
+- name: Log periodic output instead of getting it as mail
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK log"
+    # create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_output=/var/log/daily.log
+      weekly_output=/var/log/weekly.log
+      monthly_output=/var/log/monthly.log
+
+- name: Enable periodic zfs scrub
+  when: install_zfs
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK zfs"
+    # create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_scrub_zfs_enable="YES"
+      daily_scrub_zfs_default_threshold="7"
+
+# Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
+- name: Install loader.conf
+  copy:
+    src: "files/{{ item }}_loader.conf"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - bbr
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: false
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    - name: net.inet.tcp.functions_default
+      value: "bbr"

ansible/roles/devfs/files/homeserver_devfs.rules

@@ -17,3 +17,9 @@ add include $devfsrules_hide_all
 add include $devfsrules_unhide_basic
 add include $devfsrules_unhide_login
 add path 'bpf*' unhide
+
+[tajailrand=15]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path urandom unhide

ansible/roles/docker/tasks/linux.yaml

@@ -3,6 +3,7 @@
     name:
       - docker
       - docker-compose
+      - docker-buildx
     state: present
 
 - name: Create docker zfs dataset

ansible/roles/emacs/files/elisp/lang-nix.el

@@ -0,0 +1,22 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(use-package nix-mode
+  :mode (("\\.nix\\'" . nix-mode)
+         )
+  :commands nix-mode
+  :hook (
+         (nix-mode . (lambda ()
+                             ;; (eglot-ensure)
+                             ;; (defclass my/eglot-nix (eglot-lsp-server) ()
+                             ;;   :documentation
+                             ;;   "Own eglot server class.")
+
+                             ;; (add-to-list 'eglot-server-programs
+                             ;;              '(nix-mode . (my/eglot-nix "nixd")))
+                             ;; (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                             ))
+         )
+  )
+
+(provide 'lang-nix)

ansible/roles/emacs/files/init.el

@@ -36,4 +36,6 @@
 
 (require 'lang-xml)
 
+(require 'lang-nix)
+
 (load-directory autoload-directory)

ansible/roles/emacs/meta/main.yaml

@@ -7,3 +7,5 @@ dependencies:
     when: 'emacs_flavor == "full"'
   - role: terraform
     when: 'emacs_flavor == "full"'
+  - role: nix
+    when: 'emacs_flavor == "full"'

ansible/roles/firefox/defaults/main.yaml

@@ -26,7 +26,9 @@ firefox_config:
   # Disable battery status, used to track users.
   dom.battery.enabled: false
   # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
-  dom.event.clipboardevents.enabled: false
+  #
+  # This breaks copying from BigQuery https://github.com/microsoft/monaco-editor/issues/1540
+  # dom.event.clipboardevents.enabled: false
   # Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.
   privacy.firstparty.isolate: true
   # Do not preload URLs that auto-complete in the address bar.

ansible/roles/firewall/files/homeserver_pf.conf

@@ -1,5 +1,5 @@
-ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
+ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }"
-not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
+not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
 restricted_nat_v4 = "{ 10.215.2.0/24 }"
@@ -19,17 +19,17 @@ unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
 set skip on lo
 
 # queueing
-# altq on wlan0 cbq queue { def, stuff }
+# altq on linfi_host cbq queue { def, stuff }
 # queue def cbq(default borrow)
 # queue stuff bandwidth	8Mb cbq { dagger }
 # queue dagger cbq(borrow)
 
 # redirections
-nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
 rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
 
 # cloak
-nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0)
+nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host)
 rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
 
 # bastion
@@ -42,6 +42,10 @@ nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 p
 rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
 nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
 
+# cloak -> dagger old
+rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8083 -> 10.215.2.2 port 8083
+nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8083 -> 10.215.2.1
+
 # -> sftp
 # TODO: Limit bandwidth for sftp
 rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22

ansible/roles/firewall/files/mrmanager_pf.conf

@@ -33,7 +33,7 @@ scrub in on $ext_if all fragment reassemble
 
 # redirections
 nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
-rdr pass proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
+rdr pass on jail_nat proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
 
 rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 -> 10.215.1.204 port 6443
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
@@ -63,6 +63,7 @@ pass quick on $allow
 
 # Single interface kubernetes cluster is working with the following run on mrmanager:
 #   doas route add -host 74.80.180.139 -interface jail_nat
+#   doas route add -net 10.129.0.0/16 -interface jail_nat
 #   doas sysctl net.link.ether.inet.proxyall=1
 # Plus this in pf.conf:
 #   pass quick from any to 74.80.180.139

ansible/roles/firewall/files/odofreebsd_pf.conf

@@ -1,5 +1,5 @@
-ext_if = "{ wlan0 }"
+ext_if = "{ linfi_host }"
-not_ext_if = "{ !wlan0 }"
+not_ext_if = "{ !linfi_host }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
 rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
@@ -16,7 +16,7 @@ udp_pass_in = "{ 53 51820 }"
 set skip on lo
 
 # redirections
-nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
 rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
 
 # Redirect jaeger ports to virtual machine.

ansible/roles/framework_laptop/files/wifi_us_modprobe.conf

@@ -0,0 +1 @@
+options cfg80211 ieee80211_regdom=US

ansible/roles/framework_laptop/tasks/linux.yaml

@@ -30,6 +30,7 @@
     - iwlwifi
     - snd_hda_intel
     - disable_sp5100_watchdog
+    - wifi_us
 
 - name: Configure kernel command line
   zfs:
@@ -74,3 +75,26 @@
 
 # doas mkdir /tmp/emulated_tpm
 # doas swtpm socket --tpmstate dir=/tmp/emulated_tpm --ctrl type=unixio,path=/tmp/emulated_tpm/swtpm-sock --log level=20 --tpm2
+
+- name: Build aur packages
+  register: buildaur
+  become_user: "{{ build_user.name }}"
+  command: "aurutils-sync --no-view {{ item }}"
+  args:
+    creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+  loop:
+    - fw-ectool-git
+
+- name: Update cache
+  when: buildaur.changed
+  pacman:
+    name: []
+    state: present
+    update_cache: true
+
+- name: Install packages
+  package:
+    name:
+      - fw-ectool-git
+      - wireless-regdb
+    state: present

ansible/roles/jail/files/fstab_bastion

@@ -1,4 +1,4 @@
 tmpfs /jail/bastion/tmp tmpfs rw,mode=777 0 0
 tmpfs /jail/bastion/var/run tmpfs rw,mode=755 0 0
 
-/jail/certificate/usr/local/etc/letsencrypt/archive/stuff.fizz.buzz       /jail/bastion/stuff.fizz.buzz     nullfs    ro,noexec     0      0
+/jail/certificate/usr/local/etc/letsencrypt       /jail/bastion/letsencrypt     nullfs    ro,noexec     0      0

ansible/roles/jail/files/jails/dagger.conf

@@ -6,6 +6,8 @@ dagger {
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
     exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
 
+    devfs_ruleset = 15;
+    mount.devfs;
     mount.fstab = "/etc/fstab.${name}";
 
     exec.start += "/bin/sh /etc/rc";

ansible/roles/jail_bastion/files/nginx.conf

@@ -36,8 +36,8 @@ http {
 
         include conf.d/tls_settings.include;
         # RSA
-        ssl_certificate /stuff.fizz.buzz/fullchain1.pem;
+        ssl_certificate /letsencrypt/live/stuff.fizz.buzz/fullchain.pem;
-        ssl_certificate_key /stuff.fizz.buzz/privkey1.pem;
+        ssl_certificate_key /letsencrypt/live/stuff.fizz.buzz/privkey.pem;
 
         # Nginx by default only allows file uploads up to 1M in size
         client_max_body_size 50M;

ansible/roles/jail_bastion/tasks/freebsd.yaml

@@ -17,7 +17,7 @@
     owner: root
     group: wheel
   loop:
-    - /stuff.fizz.buzz
+    - /letsencrypt
     - /etc/rc.conf.d
     - /usr/local/etc/nginx/conf.d
 

ansible/roles/kubernetes/files/k8s_remove_finalizers_pipeline_runs

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+kubectl get pipelinerun --all-namespaces -o go-template='{{range .items}}{{.metadata.namespace}}/{{.metadata.name}}{{"\n"}}{{end}}' | while read p; do namespace=$(cut -d '/' -f 1 <<<"$p"); name=$(cut -d '/' -f 2 <<<"$p"); kubectl patch pipelinerun -n "$namespace" "$name" -p '{"metadata":{"finalizers":null}}' --type=merge; done

ansible/roles/linfi/defaults/main.yaml

@@ -0,0 +1,7 @@
+# linfi:
+#   enabled: true
+#   zfs_dataset: zroot/freebsd/current/vm/linfi
+#   zfs_mountpoint: /vm/linfi
+#   driver_blocklist: "if_iwm if_iwlwifi"
+#   pci_blocklist: "1/0/0"
+#   amd: true

ansible/roles/linfi/files/launch_linfi.bash

@@ -0,0 +1,239 @@
+#!/usr/local/bin/bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Share a host directory to the guest via 9pfs.
+#
+# Inside the VM run:
+#   mount -t virtfs -o trans=virtio sharename /some/vm/path
+#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
+#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 sharename /path/to/mountpoint
+# bhyve_options="-s 28,virtio-9p,sharename=/"
+
+# Enable Sound
+# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
+
+# Example usage:
+#
+#   doas bhyve_netgraph_bridge create-disk zdata/vm/poudriere /vm/poudriere 10
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere
+
+: ${VERBOSE:="NO"} # or YES
+: ${CPU_CORES:="1"}
+: ${MEMORY:="1G"}
+: ${NETWORK:="NAT"} # or RAW or BOTH
+: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
+: ${INTERFACE_NAME:="linfi_host"} # or the external interface like lagg0 for RAW networks
+: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
+: ${VNC_ENABLE:="NO"}
+: ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
+: ${PASSTHROUGH:="1/0/0"}
+
+if [ "$VERBOSE" = "YES" ]; then
+    set -x
+fi
+
+############## Setup #########################
+
+function cleanup {
+    for vm in "${vms[@]}"; do
+        log "Destroying bhyve vm $vm"
+        bhyvectl "--vm=$vm" --destroy
+        log "Destroyed bhyve vm $vm"
+    done
+}
+vms=()
+for sig in EXIT; do
+  trap "set +e; sleep 10; cleanup" "$sig"
+done
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
+
+function main {
+    local cmd="$1"
+    shift 1
+    if [ "$cmd" = "create-disk" ]; then
+        create_disk "${@}"
+    elif [ "$cmd" = "start" ]; then
+        start_vm "${@}"
+    else
+        die 1 "Unrecognized command $cmd"
+    fi
+}
+
+function create_disk {
+    local zfs_path="$1"
+    local mount_path="$2"
+    local gigabytes="$3"
+    zfs create -o "mountpoint=$mount_path" "$zfs_path"
+    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
+    tee "${mount_path}/settings" <<EOF
+CPU_CORES="$CPU_CORES"
+MEMORY="$MEMORY"
+NETWORK="$NETWORK"
+IP_RANGE="$IP_RANGE"
+BRIDGE_NAME="$BRIDGE_NAME"
+INTERFACE_NAME="$INTERFACE_NAME"
+EOF
+    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none -o volblocksize=64K "$zfs_path/disk0"
+}
+
+function start_vm {
+    local name="$1"
+    local zfs_path="$2"
+    local mount_path="$3"
+    local mount_cd="${4:-}"
+
+    if [ -e "${mount_path}/settings" ]; then
+        source "${mount_path}/settings"
+    fi
+
+    local additional_args=()
+    local host_interface_name="linfi_host"
+    local bridge_name="linfi_bridge"
+
+    assert_bridge "$host_interface_name" "$bridge_name"
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")
+    local bridge_link_name
+    bridge_link_name=$(detect_available_link "${bridge_name}")
+    additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+
+
+    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
+         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
+             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
+            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
+
+    # TODO: Look into using nmdm instead of stdio for serial console
+    if [ -n "$mount_cd" ]; then
+        additional_args+=("-s" "5,ahci-cd,$mount_cd")
+    fi
+    if [ "$VNC_ENABLE" = "YES" ]; then
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
+    fi
+    vms+=("$name")
+
+    while true; do
+        set -x
+        set +e
+        bhyve \
+            -D \
+            -c sockets=1,cores=1,threads=1 \
+            -m "$MEMORY" \
+            -H \
+            -w \
+            -o 'rtc.use_localtime=false' \
+            -s 0,hostbridge \
+            -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
+            -S \
+            -s "7,passthru,${PASSTHROUGH}" \
+            -s 30,xhci,tablet \
+            -s 31,lpc -l com1,stdio \
+            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \
+            -U '08421734-875e-11ef-a0f3-f426796942c7' \
+            "${additional_args[@]}" \
+            "$name"
+        local exit_code=$?
+        set -e
+        set +x
+        if [ $exit_code -eq 0 ]; then
+            echo "Rebooting."
+            sleep 5
+        elif [ $exit_code -eq 1 ]; then
+            echo "Powered off."
+            break
+        elif [ $exit_code -eq 2 ]; then
+            echo "Halted."
+            break
+        elif [ $exit_code -eq 3 ]; then
+            echo "Triple fault."
+            break
+        elif [ $exit_code -eq 4 ]; then
+            echo "Exited due to an error."
+            break
+        fi
+    done
+}
+
+function detect_available_link {
+    local bridge_name="$1"
+    local linknum=1
+    while true; do
+        local link_name="link${linknum}"
+        if ! ng_exists "${bridge_name}:${link_name}"; then
+            echo "$link_name"
+            return
+        fi
+        linknum=$((linknum + 1))
+        if [ "$linknum" -gt 90 ]; then
+            (>&2 echo "No available links on bridge $bridge_name")
+            exit 1
+        fi
+    done
+}
+
+function assert_bridge {
+    local host_interface_name="$1"
+    local bridge_name="$2"
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook $host_interface_name
+EOF
+        ngctl -d -f - <<EOF
+mkpeer ${host_interface_name}: bridge ether link0
+name ${host_interface_name}:ether $bridge_name
+EOF
+        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" 192.168.253.2/24 up
+        route add default 192.168.253.1
+    fi
+}
+
+function ng_exists {
+    ngctl status "${1}" >/dev/null 2>&1
+}
+
+function calculate_mac_address {
+    local name="$1"
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
+    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
+}
+
+function find_available_port {
+    local start_port="$1"
+    local port="$start_port"
+    while true; do
+        sockstat -P tcp -p 443
+        port=$((port + 1))
+    done
+}
+
+function ngctlcat {
+    if [ "$VERBOSE" = "YES" ]; then
+        tee /dev/tty | ngctl -d -f -
+    else
+        ngctl -d -f -
+    fi
+}
+
+
+main "${@}"

ansible/roles/linfi/files/linfi_rc.conf

@@ -0,0 +1 @@
+linfi_enable="YES"

ansible/roles/linfi/meta/main.yaml

@@ -0,0 +1,3 @@
+dependencies:
+  - role: bhyve
+    when: 'os_flavor == "freebsd"'

ansible/roles/linfi/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/linfi/tasks/freebsd.yaml

@@ -0,0 +1,50 @@
+- name: Install loader.conf
+  template:
+    src: "templates/{{ item }}_loader.conf.j2"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - linfi
+
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: launch_linfi.bash
+      dest: /usr/local/bin/launch_linfi
+
+- name: Install rc script
+  template:
+    src: "templates/{{ item.src }}.j2"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: linfi
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - linfi
+
+- name: Install service configuration
+  template:
+    src: "templates/{{ item }}_rc.conf.j2"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - devmatch

ansible/roles/linfi/tasks/linux.yaml

@@ -0,0 +1,29 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
+
+# - name: Enable services
+#   systemd:
+#     enabled: yes
+#     name: "{{ item }}"
+#     daemon_reload: yes
+#   loop:
+#     - foo.service

ansible/roles/linfi/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: linfi is defined and linfi.enabled

ansible/roles/linfi/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/linfi/templates/devmatch_rc.conf.j2

@@ -0,0 +1,2 @@
+devmatch_enable="YES"
+devmatch_blocklist="{{ linfi.driver_blocklist }}"

ansible/roles/linfi/templates/linfi.j2

@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# PROVIDE: linfi
+# REQUIRE: LOGIN
+# KEYWORD: shutdown nojail
+. /etc/rc.subr
+name=linfi
+rcvar=${name}_enable
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+status_cmd="${name}_status"
+load_rc_config $name
+
+tmux_name="linfi"
+
+linfi_start() {
+    /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env PASSTHROUGH='{{ linfi.pci_blocklist }}' /usr/local/bin/bash /usr/local/bin/launch_linfi start linfi {{ linfi.zfs_dataset }} {{ linfi.zfs_mountpoint }}"
+    # /vm/.iso/alpine-extended-3.20.3-x86_64.iso
+}
+
+linfi_status() {
+    if /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null; then
+        echo "$tmux_name is running."
+    else
+        echo "$tmux_name is not running."
+        return 1
+    fi
+}
+
+linfi_stop() {
+    /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null && (
+        /usr/local/bin/tmux kill-session -t $tmux_name
+        sleep 10
+        bhyvectl --vm=linfi --destroy
+        # kill `cat /var/run/linfi.pid`
+    )
+    linfi_wait_for_end
+}
+
+linfi_wait_for_end() {
+    while /usr/local/bin/tmux has-session -t $tmux_name 2>dev/null; do
+        sleep 1
+    done
+}
+
+run_rc_command "$1"

ansible/roles/linfi/templates/linfi_loader.conf.j2

@@ -0,0 +1,5 @@
+vmm_load="YES"
+pptdevs="{{ linfi.pci_blocklist }}"
+{% if linfi.amd %}
+hw.vmm.amdvi.enable="1"
+{% endif %}

ansible/roles/media/files/cast_file_vaapi

@@ -4,7 +4,23 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
+: ${VIDEO_BITRATE:="1M"} # Only for encoding modes targeting bitrate
+: ${AUDIO_BITRATE:="192k"}
 
+############## Setup #########################
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
 
 function main {
     local cmd
@@ -12,24 +28,10 @@ function main {
     shift
     if [ "$cmd" = "copy" ]; then
         copy "${@}"
-    elif [ "$cmd" = "h264" ]; then
+    elif [ "$cmd" = "convert" ]; then
-        h264 "${@}"
+        convert "${@}"
-    elif [ "$cmd" = "preprocess_hardware_h264" ]; then
+    elif [ "$cmd" = "stream" ]; then
-        preprocess_hardware_h264 "${@}"
+        stream "${@}"
-    elif [ "$cmd" = "software_h264" ]; then
-        software_h264 "${@}"
-    elif [ "$cmd" = "vp9" ]; then
-        vp9 "${@}"
-    elif [ "$cmd" = "preprocess_hardware_vp9" ]; then
-        preprocess_hardware_vp9 "${@}"
-    elif [ "$cmd" = "vp8" ]; then
-        vp8 "${@}"
-    elif [ "$cmd" = "software_vp8" ]; then
-        software_vp8 "${@}"
-    elif [ "$cmd" = "preprocess_h264" ]; then
-        preprocess_h264 "${@}"
-    elif [ "$cmd" = "preprocess_vp8" ]; then
-        preprocess_vp8 "${@}"
     elif [ "$cmd" = "webcam" ]; then
         webcam "${@}"
     elif [ "$cmd" = "encode_webcam" ]; then
@@ -60,219 +62,106 @@ function copy {
         "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
 }
 
-function h264 {
+function convert {
-    local file_to_cast
+    local args=()
-    file_to_cast="$3"
+    local acceleration_type="$1" # "software" or "hardware"
+    local codec="$2" # "h264" or "av1"
+    local file_to_cast="$3"
+    local file_to_save="$4"
+
+
+
+    # Verify parameters
+
+
+    if [ "$acceleration_type" == "software" ]; then
+        true
+    elif [ "$acceleration_type" == "hardware" ]; then
+        true
+    else
+        die 1 "Unknown acceleration type: $acceleration_type"
+    fi
+
+    if [ "$codec" == "h264" ]; then
+        true
+    elif [ "$codec" == "av1" ]; then
+        true
+    else
+        die 1 "Unknown codec: $codec"
+    fi
+
+
+
+    # Build command
+
+
+
+    if [ "$acceleration_type" == "software" ]; then
+        true
+    elif [ "$acceleration_type" == "hardware" ]; then
+        args+=(-vaapi_device /dev/dri/renderD128)
+    fi
+
+    args+=(-i "$file_to_cast")
+
+    if [ "$codec" == "h264" ]; then
+        if [ "$acceleration_type" == "software" ]; then
+            args+=(-c:v h264)
+            args+=(-profile:v high)
+            args+=(-b:v "$VIDEO_BITRATE")
+        elif [ "$acceleration_type" == "hardware" ]; then
+            args+=(-vf 'format=nv12|vaapi,hwupload')
+            args+=(-c:v h264_vaapi)
+            args+=(-profile:v high)
+            args+=(-b:v "$VIDEO_BITRATE")
+        fi
+    elif [ "$codec" == "av1" ]; then
+        if [ "$acceleration_type" == "software" ]; then
+            args+=(-c:v libsvtav1)
+            args+=(-preset 4) # [0-13] default 10, lower = higher quality / slower encode
+            args+=(-crf 20) # [0-63] default 35, lower = higher quality / larger file
+            # Parameters: https://gitlab.com/AOMediaCodec/SVT-AV1/-/blob/master/Docs/Parameters.md
+            # fast-decode [0-2] default 0 (off), higher = faster decode
+            # tune [0-2] default 1, Specifies whether to use PSNR or VQ as the tuning metric [0 = VQ, 1 = PSNR, 2 = SSIM]
+            # film-grain-denoise, setting to 0 uses the original frames instead of denoising the film grain
+            args+=(-svtav1-params "fast-decode=1:film-grain-denoise=0")
+        elif [ "$acceleration_type" == "hardware" ]; then
+            # -c:v av1_amf -quality quality
+            args+=(-vf 'format=nv12|vaapi,hwupload')
+            args+=(-c:v av1_vaapi)
+            args+=(-b:v "$VIDEO_BITRATE")
+        fi
+    fi
 
-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
 
-    set -x
 
     # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    </dev/null exec ffmpeg \
+    args+=(-bf 0)
-        -re \
+    args+=(-strict -2)
-        -stream_loop -1 \
+    args+=(-c:a opus)
-        -init_hw_device vaapi=foo:/dev/dri/renderD128 \
+    args+=(-ac 2)
-        -hwaccel vaapi \
+    args+=(-b:a "$AUDIO_BITRATE")
-        -hwaccel_output_format vaapi \
+    args+=(-ar 48000)
-        -hwaccel_device foo \
+    args+=("$file_to_save")
-        -i "$file_to_cast" \
+    set -x
-        -filter_hw_device foo \
+    </dev/null exec ffmpeg "${args[@]}"
-        -vf 'format=nv12|vaapi,hwupload' \
-        -c:v h264_vaapi \
-        -bf 0 \
-        -strict -2 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        -f rtsp \
-        -rtsp_transport tcp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
 }
 
-function preprocess_hardware_h264 {
+function stream {
-    local file_to_cast file_to_save
+    local args=()
-    file_to_cast="$1"
+    local acceleration_type="$1" # "software" or "hardware"
-    file_to_save="$2"
+    local codec="$2" # "h264" or "av1"
 
-    set -x
+    local USERNAME="$3"
+    local PASSWORD="$4"
+    local file_to_cast="$5"
 
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    </dev/null exec ffmpeg \
-        -init_hw_device vaapi=foo:/dev/dri/renderD128 \
-        -hwaccel vaapi \
-        -hwaccel_output_format vaapi \
-        -hwaccel_device foo \
-        -i "$file_to_cast" \
-        -filter_hw_device foo \
-        -vf 'format=nv12|vaapi,hwupload' \
-        -c:v h264_vaapi \
-        -b:v 2M \
-        -profile:v high \
-        -bf 0 \
-        -strict -2 \
-        -c:a opus \
-        -ac 2 \
-        -b:a 320k \
-        -ar 48000 \
-        "$file_to_save"
-}
 
-function software_h264 {
+    args+=(-re -stream_loop -1)
-    local file_to_cast
-    file_to_cast="$3"
 
-    local USERNAME PASSWORD
+    args+=(-f rtsp)
-    USERNAME="$1"
+    args+=(-rtsp_transport tcp)
-    PASSWORD="$2"
+    args+=("rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch")
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    </dev/null exec ffmpeg \
-        -re \
-        -stream_loop -1 \
-        -i "$file_to_cast" \
-        -c:v h264 \
-        -bf 0 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        -f rtsp \
-        -rtsp_transport tcp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
-
-function preprocess_h264 {
-    local file_to_cast file_to_save
-    file_to_cast="$1"
-    file_to_save="$2"
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    </dev/null exec ffmpeg \
-        -i "$file_to_cast" \
-        -c:v h264 \
-        -bf 0 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        "$file_to_save"
-}
-
-function vp9 {
-    local file_to_cast
-    file_to_cast="$3"
-
-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    </dev/null exec ffmpeg \
-        -re \
-        -stream_loop -1 \
-        -init_hw_device vaapi=foo:/dev/dri/renderD128 \
-        -hwaccel vaapi \
-        -hwaccel_output_format vaapi \
-        -hwaccel_device foo \
-        -i "$file_to_cast" \
-        -filter_hw_device foo \
-        -vf 'format=nv12|vaapi,hwupload' \
-        -c:v vp9_vaapi \
-        -bf 0 \
-        -strict -2 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        -f rtsp \
-        -rtsp_transport tcp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
-
-function preprocess_hardware_vp9 {
-    local file_to_cast file_to_save
-    file_to_cast="$1"
-    file_to_save="$2"
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    </dev/null exec ffmpeg \
-        -init_hw_device vaapi=foo:/dev/dri/renderD128 \
-        -hwaccel vaapi \
-        -hwaccel_output_format vaapi \
-        -hwaccel_device foo \
-        -i "$file_to_cast" \
-        -filter_hw_device foo \
-        -vf 'format=nv12|vaapi,hwupload' \
-        -c:v vp9_vaapi \
-        -bf 0 \
-        -strict -2 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        "$file_to_save"
-}
-
-function software_vp8 {
-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
-
-    local file_to_cast
-    file_to_cast="$3"
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    # -strict -2 :: Enable support for experimental codecs like opus.
-    # -b:v 2M :: Target 2 megabit/s
-    # -crf 10 :: Target a quality level and adjust bitrate accordingly. This should be preferred, but ideally both should be used.
-    </dev/null exec ffmpeg \
-        -re \
-        -stream_loop -1 \
-        -i "$file_to_cast" \
-        -c:v vp8 \
-        -b:v 2M \
-        -crf 10 \
-        -bf 0 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        -strict -2 \
-        -f rtsp \
-        -rtsp_transport tcp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
-
-function preprocess_vp8 {
-    local file_to_cast file_to_save
-    file_to_cast="$1"
-    file_to_save="$2"
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    # -strict -2 :: Enable support for experimental codecs like opus.
-    # -b:v 2M :: Target 2 megabit/s
-    # -crf 10 :: Target a quality level and adjust bitrate accordingly. This should be preferred, but ideally both should be used.
-    </dev/null exec ffmpeg \
-        -i "$file_to_cast" \
-        -c:v vp8 \
-        -b:v 2M \
-        -crf 10 \
-        -bf 0 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        -strict -2 \
-        "$file_to_save"
 }
 
 function webcam {

ansible/roles/media/tasks/linux.yaml

@@ -1,3 +1,5 @@
+# Maybe install https://github.com/alexheretic/ab-av1 to find good crf values for encoding
+
 - name: Build aur packages
   register: buildaur
   become_user: "{{ build_user.name }}"

ansible/roles/network/files/homeserver_network.conf

@@ -1,4 +1,4 @@
-wlans_ath0="wlan0"
+# wlans_ath0="wlan0"
-ifconfig_wlan0="WPA DHCP"
+# ifconfig_wlan0="WPA DHCP"
-ifconfig_wlan0_ipv6="inet6 accept_rtadv"
+# ifconfig_wlan0_ipv6="inet6 accept_rtadv"
-ipv6_cpe_wanif="wlan0"
+# ipv6_cpe_wanif="wlan0"

ansible/roles/network/files/main.conf

@@ -1,3 +1,6 @@
 [General]
 EnableNetworkConfiguration=true
 # AddressRandomization=network
+
+# Needed for Qualcomm WCN785x
+ControlPortOverNL80211=false

ansible/roles/network/files/mrmanager_network.conf

@@ -3,3 +3,5 @@ ifconfig_igb0="up"
 ifconfig_igb1="up"
 ifconfig_lagg0="up laggproto failover laggport igb0 laggport igb1"
 ifconfig_lagg0_alias0="inet 74.80.180.138 netmask 255.255.255.248"
+ifconfig_lagg0_ipv6="inet6 2620:11f:7001:7::2/64"
+ifconfig_lagg0_alias1="inet6 2620:11f:7001:7::3 prefixlen 64"

ansible/roles/network/files/mrmanager_routing.conf

@@ -1,3 +1,4 @@
 defaultrouter="74.80.180.137"
+ipv6_defaultrouter="2620:11f:7001:7::1"
 gateway_enable="YES"
 ipv6_gateway_enable="YES"

ansible/roles/network/files/next_hop_freebsd.bash

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec route get "${@}"

ansible/roles/network/files/next_hop_linux.bash

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec ip route get "${@}"

ansible/roles/network/files/odofreebsd_network.conf

@@ -1,4 +1,4 @@
-wlans_iwlwifi0="wlan0"
+# wlans_iwlwifi0="wlan0"
-ifconfig_wlan0="WPA DHCP"
+# ifconfig_wlan0="WPA DHCP"
-ifconfig_wlan0_ipv6="inet6 accept_rtadv"
+# ifconfig_wlan0_ipv6="inet6 accept_rtadv"
-ipv6_cpe_wanif="wlan0"
+# ipv6_cpe_wanif="wlan0"

ansible/roles/network/tasks/freebsd.yaml

@@ -75,3 +75,14 @@
   file:
     path: "/etc/rc.conf.d/ip6addrctl"
     state: absent
+
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: next_hop_freebsd.bash
+      dest: /usr/local/bin/next_hop

ansible/roles/network/tasks/linux.yaml

@@ -58,3 +58,14 @@
     - iwd.service
     # - systemd-networkd.service
     - systemd-resolved.service
+
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: next_hop_linux.bash
+      dest: /usr/local/bin/next_hop

ansible/roles/nix/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/nix/tasks/freebsd.yaml

@@ -0,0 +1,5 @@
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present

ansible/roles/nix/tasks/linux.yaml

@@ -0,0 +1,21 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - nixd
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+
+# - name: Install packages
+#   package:
+#     name:
+#       - nixd
+#     state: present

ansible/roles/nix/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  # when: foo is defined

ansible/roles/nix/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/portshaker/files/freebsd

@@ -5,6 +5,7 @@ if [ "$1" != '--' ]; then
 fi
 shift
 method="git"
-git_clone_uri="https://git.FreeBSD.org/ports.git"
+git_clone_uri="https://code.fizz.buzz/mirror/freebsd-ports.git"
+# git_clone_uri="https://git.FreeBSD.org/ports.git"
 git_branch="main"
 run_portshaker_command $*

ansible/roles/portshaker/files/myrepo

@@ -5,6 +5,6 @@ if [ "$1" != '--' ]; then
 fi
 shift
 method="git"
-git_clone_uri="https://code.fizz.buzz/talexander/ta_ports.git"
+git_clone_uri="https://code.fizz.buzz/talexander/fizzbuzz_ports.git"
-git_branch="master"
+git_branch="main"
 run_portshaker_command $*

ansible/roles/portshaker/files/portshaker.conf

@@ -5,5 +5,5 @@ mirror_base_dir="/var/cache/portshaker"
 ports_trees="main"
 
 main_ports_tree="/usr/local/portshaker/trees/main"
-# main_merge_from="freebsd myrepo"
+main_merge_from="freebsd myrepo"
-main_merge_from="freebsd"
+# main_merge_from="freebsd"

ansible/roles/poudriere/files/poudriere.d/14broadwell-default-computer-make.conf

@@ -1,5 +1,12 @@
 CPUTYPE?=broadwell
 
+# CPU optimizations for go
+.if ${.CURDIR:M*/lang/go*}
+OPTIONS_UNSET+=V1
+OPTIONS_SET+=V3
+.endif
+
+
 # Disable static for subversion because /usr/local/lib/libutf8proc.a not found despite utf8proc being installed
 #
 # Disable static for netpbm because "ld: error: undefined symbol: libdeflate_free_compressor" which is "referenced by tif_zip.o:(ZIPVSetField) in archive /usr/local/lib/libtiff.a"

ansible/roles/poudriere/files/poudriere.d/currentznver4-default-framework-make.conf

@@ -7,6 +7,11 @@ CPUTYPE?=x86-64-v4
 CPUTYPE?=znver4
 .endif
 
+# CPU optimizations for go
+.if ${.CURDIR:M*/lang/go*}
+OPTIONS_UNSET+=V1
+OPTIONS_SET+=V4
+.endif
 
 
 OPTIONS_SET+=OPTIMIZED_CFLAGS
@@ -28,6 +33,7 @@ OPTIONS_SET+=STATIC LTO
 
 .if ${.CURDIR:M*/editors/emacs*}
 OPTIONS_SET+=NATIVECOMP PGTK
+OPTIONS_UNSET+=XPM
 .endif
 
 .if ${.CURDIR:M*/www/firefox*}

ansible/roles/poudriere/files/poudriere.d/currentznver4-default-framework-pkglist

@@ -1,3 +1,4 @@
+#sysutils/kubeswitch
 accessibility/wlsunset
 archivers/unrar
 archivers/unzip
@@ -59,6 +60,7 @@ net/rsync
 net/tcpdump
 net/wireguard-tools
 net/wlvncc
+ports-mgmt/modules2tuple
 ports-mgmt/pkg
 ports-mgmt/pkg-provides
 ports-mgmt/portshaker
@@ -103,6 +105,7 @@ sysutils/pv
 sysutils/radeontop
 sysutils/rust-coreutils
 sysutils/shuf
+sysutils/stern
 sysutils/terraform
 sysutils/tmux
 sysutils/tree

ansible/roles/rust/defaults/main.yaml

@@ -1,4 +1,4 @@
 # Check that rust-analyzer is valid for date on https://rust-lang.github.io/rustup-components-history/
-rust_date: "2024-05-06"
+rust_date: "2024-09-30"
 # rust_analyzer_version: 2024-04-29
 rust_analyzer_version: package

ansible/roles/rust/files/cargo_config.toml

@@ -1,2 +1,12 @@
 [target.x86_64-unknown-linux-gnu]
 rustflags = ["-C", "target-cpu=native", "-Zthreads=0"]
+
+[unstable]
+codegen-backend = true
+
+[profile.dev]
+codegen-backend = "cranelift"
+
+[profile.dev.package."*"]
+codegen-backend = "llvm"
+opt-level = 3

ansible/roles/sftp/tasks/common.yaml

@@ -64,6 +64,23 @@
 #     force: true
 #   diff: false
 
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0700
+    owner: nochainstounlock
+    group: nochainstounlock
+  loop:
+    - /home/nochainstounlock/.ssh
+
+- name: Set authorized keys
+  authorized_key:
+    user: nochainstounlock
+    key: |
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrjXsXjtxEm47XnRZfo67kJULoc0NBLrB0lPYFiS2Ar kodi@neelix
+    exclusive: true
+
 - import_tasks: tasks/freebsd.yaml
   when: 'os_flavor == "freebsd"'
 

ansible/roles/sshd/files/keys/yubikey.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky cardno:000611194908
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8

ansible/roles/sway/files/config

@@ -21,6 +21,9 @@ set $term alacritty
 # set $menu dmenu_path | dmenu | xargs swaymsg exec
 set $menu wofi --show drun --gtk-dark
 
+# Do not show a title bar on windows
+default_border pixel 2
+
 bindsym $mod+grave exec $term
 
 include ~/.config/sway/config.d/*.conf

ansible/roles/sway/files/sway_config_files/screenshots.conf

@@ -3,7 +3,7 @@
 bindsym $mod+print exec slurp | grim -g - "$HOME/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')"
 bindsym print exec grim "$HOME/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')"
 # Maybe add --audio flag? can optionally specify specific device name from `pactl list sources | grep Name`
-bindsym $mod+Shift+print exec wl-screenrec -g "$(slurp)" -f "$HOME/$(date +'screencast_%Y-%m-%d-%H%M%S.mkv')"
+bindsym $mod+Shift+print exec wl-screenrec -g "$(slurp)" --codec av1 -f "$HOME/$(date +'screencast_%Y-%m-%d-%H%M%S.mkv')"
-bindsym Shift+print exec wl-screenrec -f "$HOME/$(date +'screencast_%Y-%m-%d-%H%M%S.mkv')"
+bindsym Shift+print exec wl-screenrec --codec av1 -f "$HOME/$(date +'screencast_%Y-%m-%d-%H%M%S.mkv')"
-bindsym $mod+ctrl+Shift+print exec killall -SIGINT wl-sceenrec
+bindsym $mod+ctrl+Shift+print exec pkill -SIGINT wl-screenrec
 # Need to make a hotkey to end the recording

ansible/roles/waybar/files/style.css

@@ -149,6 +149,11 @@ tooltip {
   padding-bottom: 2px;
 }
 
+#window {
+  padding-left: 10px;
+  padding-right: 10px;
+}
+
 #network {
   /* No styles */
 }

ansible/roles/waybar/files/waybar_config.json

@@ -1,6 +1,7 @@
 {
   // "height": 10, // Waybar height (to be removed for auto height)
   "modules-left": ["sway/workspaces", "sway/mode"],
+  "modules-center": ["sway/window"],
   "modules-right": ["custom/night_mode", "custom/temperature", "custom/sound", "custom/available_memory", "custom/battery", "idle_inhibitor", "custom/clock", "tray"],
   "sway/workspaces": {
     "disable-scroll": true
@@ -8,6 +9,9 @@
   "sway/mode": {
     "format": "<span style=\"italic\">{}</span>"
   },
+  "sway/window": {
+    "format": "{title}"
+  },
   "idle_inhibitor": {
     "format": "{icon}",
     "format-icons": {

ansible/roles/waybar/files/waybar_scripts/waybar_night_mode.bash

@@ -8,7 +8,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 SLEEP_INTERVAL=${SLEEP_INTERVAL:-30}
 
 # ◓◒●◌◎
-# 🟠🟡🟢🟣🟤
+# 🔴🔵🟠🟡🟢🟣🟤
 # 🟥🟦🟧🟨🟩🟪🟫
 # ☀☯⭐🌝🌞⏾
 # 🌑🌓🌗🌕
@@ -42,7 +42,7 @@ function main {
     local night_mode_icon night_mode_text night_mode_class
     night_mode_mode="auto"
     night_mode_class=""
-    wlsunset -l 40.7 -L -74.0 &
+    wlsunset -S 07:00 -s 22:00 &
     wlsunset_pid=$!
 
     while true; do

ansible/roles/zfs/tasks/linux.yaml

@@ -1,7 +1,8 @@
 - name: Install packages
   package:
     name:
-      - linux-lts-headers
+      # - linux-lts-headers
+      - linux-headers
     state: present
 
 - name: Check trusted gpg keys
@@ -26,7 +27,7 @@
   args:
     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
   loop:
-    - zfs-dkms
+    - zfs-dkms-git
     - zfs-utils
 
 - name: Update cache
@@ -39,7 +40,7 @@
 - name: Install packages
   package:
     name:
-      - zfs-dkms
+      - zfs-dkms-git
       - zfs-utils
     state: present
 

nix/configuration/.gitignore

@@ -0,0 +1 @@
+result

nix/configuration/README.org

@@ -0,0 +1,12 @@
+* To-do
+** Perhaps use overlay for /etc for speedup
+#+begin_src nix
+  system.etc.overlay.enable = true;
+#+end_src
+** read https://nixos.org/manual/nixos/stable/
+** Performance for mini pc
+#+begin_src nix
+  security.pam.loginLimits = [
+    { domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
+  ];
+#+end_src

nix/configuration/configuration.nix

@@ -0,0 +1,293 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  alias_nix_pin_revision = pkgs.writeShellScriptBin "nix-pin-revision" ''
+    # Usage: nix-pin-revision nixpkgs 'github:NixOS/nixpkgs/00c21e4c93d963c50d4c0c89bfa84ed6e0694df2'
+    exec nix flake lock --override-input "''${@}"
+  '';
+in
+{
+  imports = [
+    ./roles/2ship2harkinian
+    ./roles/alacritty
+    ./roles/amd_s2idle
+    ./roles/android
+    ./roles/ansible
+    ./roles/ares
+    ./roles/base
+    ./roles/bluetooth
+    ./roles/boot
+    ./roles/build_in_ram
+    ./roles/chromecast
+    ./roles/chromium
+    ./roles/d2
+    ./roles/direnv
+    ./roles/disko
+    ./roles/distributed_build
+    ./roles/doas
+    ./roles/docker
+    ./roles/dont_use_substituters
+    ./roles/ecc
+    ./roles/emacs
+    ./roles/emulate_isa
+    ./roles/esim
+    ./roles/firefox
+    ./roles/firewall
+    ./roles/flux
+    ./roles/fonts
+    ./roles/gcloud
+    ./roles/git
+    ./roles/global_options
+    ./roles/gnome_keyring
+    ./roles/gnuplot
+    ./roles/gpg
+    ./roles/graphics
+    ./roles/graphviz
+    ./roles/hydra
+    ./roles/image_based_appliance
+    ./roles/iso
+    ./roles/iso_mount
+    ./roles/jujutsu
+    ./roles/kanshi
+    ./roles/kernel
+    ./roles/kodi
+    ./roles/kubernetes
+    ./roles/latex
+    ./roles/launch_keyboard
+    ./roles/lvfs
+    ./roles/media
+    ./roles/memtest86
+    ./roles/minimal_base
+    ./roles/network
+    ./roles/nix_index
+    ./roles/nix_repl
+    ./roles/nix_worker
+    ./roles/nixdev
+    ./roles/nvme
+    ./roles/openpgp_card_tools
+    ./roles/optimized_build
+    ./roles/pcsx2
+    ./roles/podman
+    ./roles/postgresql_client
+    ./roles/python
+    ./roles/qemu
+    ./roles/recovery
+    ./roles/reset
+    ./roles/rpcs3
+    ./roles/rust
+    ./roles/sequoia
+    ./roles/shadps4
+    ./roles/shikane
+    ./roles/shipwright
+    ./roles/sm64ex
+    ./roles/sops
+    ./roles/sound
+    ./roles/spaghettikart
+    ./roles/ssh
+    ./roles/sshd
+    ./roles/steam
+    ./roles/steam_run_free
+    ./roles/sway
+    ./roles/tekton
+    ./roles/terraform
+    ./roles/thunderbolt
+    ./roles/user
+    ./roles/uutils
+    ./roles/vnc_client
+    ./roles/vscode
+    ./roles/wasm
+    ./roles/waybar
+    ./roles/webcam
+    ./roles/wine
+    ./roles/wireguard
+    ./roles/yubikey
+    ./roles/zfs
+    ./roles/zrepl
+    ./roles/zsh
+    ./util/install_files
+    ./util/unfree_polyfill
+  ];
+
+  config = {
+    nix.settings.experimental-features = [
+      "nix-command"
+      "flakes"
+      "ca-derivations"
+      # "blake3-hashes"
+      # "git-hashing"
+    ];
+    nix.settings.trusted-users = [ "@wheel" ];
+    nix.settings.connect-timeout = 5;
+    nix.settings.min-free = 128000000;
+    nix.settings.max-free = 1000000000;
+    nix.settings.fallback = true;
+    nix.settings.warn-dirty = false;
+    nix.settings.fsync-metadata = true;
+    # Ensure store paths are durably written to disk before registering the paths so a crash mid-build does not leave us in a corrupted state.
+    nix.settings.fsync-store-paths = true;
+
+    hardware.enableRedistributableFirmware = true;
+
+    # Keep outputs so we can build offline.
+    nix.settings.keep-outputs = true;
+    nix.settings.keep-derivations = true;
+
+    # Automatic garbage collection
+    nix.gc = lib.mkIf (!config.me.buildingPortable) {
+      # Runs nix-collect-garbage --delete-older-than 5d
+      # automatic = true;
+      automatic = false;
+      persistent = true;
+      dates = "monthly";
+      # randomizedDelaySec = "14m";
+      options = "--delete-older-than 30d";
+    };
+    nix.settings.auto-optimise-store = !config.me.buildingPortable;
+
+    environment.systemPackages = [
+      alias_nix_pin_revision
+    ];
+
+    environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
+      hideMounts = true;
+      directories = [
+        "/var/lib/nixos" # Contains user information (uids/gids)
+        "/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill
+        "/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal
+      ];
+      files = [
+        "/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc"
+      ];
+    };
+
+    # Write a list of the currently installed packages to /etc/current-system-packages
+    # environment.etc."current-system-packages".text =
+    #   let
+    #     packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
+    #     sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
+    #     formatted = builtins.concatStringsSep "\n" sortedUnique;
+    #   in
+    #   formatted;
+
+    # nixpkgs.overlays = [
+    #   (final: prev: {
+    #     foot = throw "foo";
+    #   })
+    # ];
+
+    nixpkgs.overlays =
+      let
+        disableTests = (
+          # Example: (disableTests "coreutils")
+          package_name:
+          (final: prev: {
+            "${package_name}" = prev."${package_name}".overrideAttrs (old: {
+              doCheck = false;
+              doInstallCheck = false;
+            });
+          })
+        );
+        disableTestsPython = (
+          # Example: (disableTestsPython "scipy")
+          package_name:
+          (final: prev: {
+            pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+              (python-final: python-prev: {
+                "${package_name}" = python-prev."${package_name}".overridePythonAttrs (oldAttrs: {
+                  doCheck = false;
+                });
+              })
+            ];
+          })
+        );
+        disableOptimizations = (
+          # Example: (disableOptimizations "coreutils")
+          package_name:
+          (final: prev: {
+            "${package_name}" = final.unoptimized."${package_name}";
+          })
+        );
+        disableOptimizationsScope = (
+          # Example: (disableOptimizationsScope "kdePackages" "qtbase")
+          scope: package_name:
+          (final: prev: {
+            "${scope}" = prev."${scope}".overrideScope (
+              scopeFinal: scopePrev: {
+                "${package_name}" = final.unoptimized."${scope}"."${package_name}";
+              }
+            );
+          })
+        );
+        disableOptimizationsPython3 = (
+          # Example: (disableOptimizationsPython3 "scipy")
+          package_name:
+          (final: prev: {
+            python3Packages = prev.python3Packages.override {
+              overrides = python-final: python-prev: {
+                "${package_name}" = final.unoptimized.python3.pkgs."${package_name}";
+              };
+            };
+          })
+        );
+      in
+      [
+        (disableTests "deno") # Tests use too much disk space
+        (disableOptimizations "libtpms")
+        (disableOptimizationsPython3 "scipy")
+        (disableOptimizations "assimp")
+        (disableOptimizations "gsl")
+        (final: prev: {
+          rpcs3 = prev.rpcs3.override {
+            glew = (final.glew.override { enableEGL = false; });
+          };
+        })
+        (final: prev: {
+          fwupd = prev.fwupd.overrideAttrs (
+            finalAttrs: prevAttrs: {
+              version = "2.1.5";
+              src = final.fetchFromGitHub {
+                owner = "fwupd";
+                repo = "fwupd";
+                tag = finalAttrs.version;
+                hash = "sha256-DzQ+N99ZmFRqZc2rN6PSqmoIMXUyrE8Kkn+KnT/AWPc=";
+              };
+            }
+          );
+        })
+
+        # Works but probably sets python2's scipy to be python3:
+        #
+        # (final: prev: {
+        #   pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+        #     (python-final: python-prev: {
+        #       scipy = final.unoptimized.python3Packages.scipy;
+        #     })
+        #   ];
+        # })
+      ];
+
+    # This option defines the first version of NixOS you have installed on this particular machine,
+    # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+    #
+    # Most users should NEVER change this value after the initial install, for any reason,
+    # even if you've upgraded your system to a new NixOS release.
+    #
+    # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+    # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+    # to actually do that.
+    #
+    # This value being lower than the current NixOS release does NOT mean your system is
+    # out of date, out of support, or vulnerable.
+    #
+    # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+    # and migrated your data accordingly.
+    #
+    # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+    system.stateVersion = "24.11"; # Did you read the comment?
+  };
+}

nix/configuration/flake.lock

@@ -0,0 +1,273 @@
+{
+  "nodes": {
+    "crane": {
+      "locked": {
+        "lastModified": 1731098351,
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1780894562,
+        "narHash": "sha256-c3430xwxwhHipl3jigUGMMBfpaMylDqytW/kdmB3ZGs=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "24fed06cac83bcc44ac8efbb57cab1a82fa0bedc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "impermanence",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768598210,
+        "narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "impermanence": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769548169,
+        "narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "7b1d382faf603b6d264f58627330f9faa5cba149",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1737639419,
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.4.2",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1780749050,
+        "narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-google": {
+      "locked": {
+        "lastModified": 1779893571,
+        "narHash": "sha256-wiwMyVCtmjRjlFCe2zaumCE6LRV9GzzN0ZH25NQkbAU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "45f6cfaa4605b706c870e75bd74bdb5e97eee11e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "45f6cfaa4605b706c870e75bd74bdb5e97eee11e",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731363552,
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "disko": "disko",
+        "impermanence": "impermanence",
+        "lanzaboote": "lanzaboote",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-google": "nixpkgs-google"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731897198,
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

nix/configuration/flake.nix

@@ -0,0 +1,135 @@
+# TODO maybe use `nix eval --raw .#odo.iso.outPath`
+
+#
+# Install on a new machine:
+#
+# Set
+#   me.disko.enable = true;
+#   me.disko.offline.enable = true;
+#
+# Run
+#   doas disko --mode destroy,format,mount hosts/recovery/disk-config.nix
+#   doas nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#recovery"
+
+{
+  description = "My system configuration";
+
+  inputs = {
+    impermanence = {
+      url = "github:nix-community/impermanence";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-google.url = "github:NixOS/nixpkgs/45f6cfaa4605b706c870e75bd74bdb5e97eee11e";
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.2";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      nixpkgs-google,
+      disko,
+      impermanence,
+      lanzaboote,
+      ...
+    }:
+    let
+      forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;
+      nodes = {
+        odo = {
+          system = "x86_64-linux";
+        };
+        odowork = {
+          system = "x86_64-linux";
+        };
+        quark = {
+          system = "x86_64-linux";
+        };
+        recovery = {
+          system = "x86_64-linux";
+        };
+        i_only_boot_zfs = {
+          system = "x86_64-linux";
+        };
+        hydra = {
+          system = "x86_64-linux";
+        };
+        family_disks = {
+          system = "x86_64-linux";
+        };
+      };
+      nixosConfigs = builtins.mapAttrs (
+        hostname: nodeConfig: format:
+        nixpkgs.lib.nixosSystem {
+          specialArgs = {
+            inherit self;
+
+            this_nixos_config = self.nixosConfigurations."${hostname}";
+
+            all_nixos_configs = self.nixosConfigurations;
+          };
+          modules = [
+            impermanence.nixosModules.impermanence
+            lanzaboote.nixosModules.lanzaboote
+            disko.nixosModules.disko
+            ./configuration.nix
+            (./. + "/hosts/${hostname}")
+            (./. + "/formats/${format}.nix")
+            {
+              config = {
+                nixpkgs.hostPlatform.system = nodeConfig.system;
+                nixpkgs.overlays = [
+                  (final: prev: {
+                    # stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
+                    unoptimized = import nixpkgs {
+                      system = prev.stdenv.hostPlatform.system;
+                      hostPlatform.gcc.arch = "default";
+                      hostPlatform.gcc.tune = "default";
+                    };
+                    google = import nixpkgs-google {
+                      system = prev.stdenv.hostPlatform.system;
+                    };
+                  })
+                ];
+              };
+            }
+          ];
+        }
+      ) nodes;
+      installerConfig =
+        hostname: nodeConfig:
+        nixpkgs.lib.nixosSystem {
+          specialArgs = {
+            targetSystem = self.nixosConfigurations."${hostname}";
+          };
+          modules = [
+            ./formats/installer.nix
+            ({ nixpkgs.hostPlatform.system = nodeConfig.system; })
+          ];
+        };
+    in
+    {
+      nixosConfigurations = (builtins.mapAttrs (name: value: value "toplevel") nixosConfigs);
+    }
+    // {
+      packages = (
+        forAllSystems (
+          system:
+          (builtins.mapAttrs (hostname: nodeConfig: {
+            iso = (nixosConfigs."${hostname}" "iso").config.system.build.isoImage;
+            vm_iso = (nixosConfigs."${hostname}" "vm_iso").config.system.build.isoImage;
+            sd = (nixosConfigs."${hostname}" "sd").config.system.build.sdImage;
+            installer = (installerConfig hostname nodes."${hostname}").config.system.build.isoImage;
+          }) (nixpkgs.lib.attrsets.filterAttrs (hostname: nodeConfig: nodeConfig.system == system) nodes))
+        )
+      );
+    };
+}

nix/configuration/formats/installer.nix

@@ -0,0 +1,74 @@
+{
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  targetSystem,
+  ...
+}:
+let
+  installer = pkgs.writeShellApplication {
+    name = "installer";
+    runtimeInputs = with pkgs; [
+      # clevis
+      dosfstools
+      e2fsprogs
+      gawk
+      nixos-install-tools
+      util-linux
+      config.nix.package
+    ];
+    text = ''
+      set -euo pipefail
+
+      ${targetSystem.config.system.build.diskoScript}
+
+      nixos-install --no-channel-copy --no-root-password --option substituters "" --system ${targetSystem.config.system.build.toplevel}
+    '';
+  };
+  installerFailsafe = pkgs.writeShellScript "failsafe" ''
+    ${lib.getExe installer} || echo "ERROR: Installation failure!"
+    sleep 3600
+  '';
+in
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+    (modulesPath + "/profiles/all-hardware.nix")
+  ];
+
+  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_18;
+  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
+  boot.zfs.package = pkgs.zfs_unstable;
+  boot.kernelParams = [
+    "quiet"
+    "systemd.unit=getty.target"
+  ];
+  boot.supportedFilesystems.zfs = true;
+  boot.initrd.systemd.enable = true;
+
+  networking.hostId = "04581ecf";
+
+  isoImage.makeEfiBootable = true;
+  isoImage.makeUsbBootable = true;
+  isoImage.squashfsCompression = "zstd -Xcompression-level 15";
+
+  environment.systemPackages = [
+    installer
+  ];
+
+  systemd.services."getty@tty1" = {
+    overrideStrategy = "asDropin";
+    serviceConfig = {
+      ExecStart = [
+        ""
+        installerFailsafe
+      ];
+      Restart = "no";
+      StandardInput = "null";
+    };
+  };
+
+  # system.stateVersion = lib.mkDefault lib.trivial.release;
+  system.stateVersion = "24.11";
+}

nix/configuration/formats/iso.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  modulesPath,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+  ];
+
+  config = {
+    isoImage.makeEfiBootable = true;
+    isoImage.makeUsbBootable = true;
+
+    networking.dhcpcd.enable = true;
+    networking.useDHCP = true;
+
+    me.buildingPortable = true;
+    me.disko.enable = true;
+    me.disko.offline.enable = true;
+    me.mountPersistence = lib.mkForce false;
+    # me.optimizations.enable = lib.mkForce false;
+
+    # Not doing image_based_appliance because this might be an install ISO, in which case we'd need nix to do the install.
+    # me.image_based_appliance.enable = true;
+
+    # TODO: Should I use this instead of doing a mkIf for the disk config?
+    # disko.enableConfig = false;
+
+    # Faster image generation for testing/development.
+    isoImage.squashfsCompression = "zstd -Xcompression-level 15";
+  };
+}

nix/configuration/formats/sd.nix

@@ -0,0 +1,32 @@
+{
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/sd-card/sd-image.nix")
+  ];
+
+  config = {
+    isoImage.makeEfiBootable = true;
+    isoImage.makeUsbBootable = true;
+
+    boot.loader.grub.enable = false;
+    boot.loader.generic-extlinux-compatible.enable = true;
+
+    # TODO: image based appliance?
+
+    # TODO: Maybe this?
+    # fileSystems = {
+    #   "/" = {
+    #     device = "/dev/disk/by-label/NIXOS_SD";
+    #     fsType = "ext4";
+    #     options = [
+    #       "noatime"
+    #       "norelatime"
+    #     ];
+    #   };
+    # };
+  };
+}

nix/configuration/formats/toplevel.nix

@@ -0,0 +1 @@
+{ }

nix/configuration/formats/vm_iso.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+    (modulesPath + "/profiles/qemu-guest.nix") # VirtIO kernel modules
+  ];
+
+  config = {
+    isoImage.makeEfiBootable = true;
+    isoImage.makeUsbBootable = true;
+
+    networking.dhcpcd.enable = true;
+    networking.useDHCP = true;
+
+    me.image_based_appliance.enable = true;
+  };
+}

nix/configuration/hosts/family_disks/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=family_disks
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#family_disks" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/family_disks/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=family_disks
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#family_disks" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/family_disks/ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#family_disks.iso" --repair --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/family_disks/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/family_disks/SELF_BUILD

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+: "${NOM:="true"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/family_disks/SELF_SWITCH

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/family_disks/default.nix

@@ -0,0 +1,75 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./wrapped-disk-config.nix
+    ./distributed_build.nix
+    ./power_management.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "908cbf04";
+
+    networking.hostName = "family_disks"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+
+    # Toggle to start writing the extlinux config which will be used by zfsbootmenu
+    boot.loader.generic-extlinux-compatible.enable = true;
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    me.rollback.dataset = [
+      "zroot/linux/nix/root@blank"
+      "zroot/linux/nix/home@blank"
+    ];
+
+    me.optimizations = {
+      enable = true;
+      arch = "skylake";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    # boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable light sensor
+    # hardware.sensor.iio.enable = lib.mkDefault true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # Only run nix builders at idle priority for a more responsive system. Do not set on servers, just end-user devices.
+    nix.daemonCPUSchedPolicy = "idle";
+
+    me.build_in_ram.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.minimal_base.enable = true;
+    me.recovery.enable = true;
+  };
+}

nix/configuration/hosts/family_disks/disk-config.nix

@@ -0,0 +1,155 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/efi";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              # encryption = "aes-256-gcm";
+              # keyformat = "passphrase";
+              # # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/boot" = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "legacy";
+              "org.zfsbootmenu:active" = "on";
+            };
+            mountpoint = "/boot";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/boot@blank$' || zfs snapshot zroot/linux/nix/boot@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              # recordsize = "16MiB";
+              # compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/boot".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}

nix/configuration/hosts/family_disks/distributed_build.nix

@@ -0,0 +1,19 @@
+{
+  imports = [ ];
+
+  config = {
+    me.distributed_build.enable = true;
+    me.distributed_build.machines.quark = {
+      enable = false;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+    me.distributed_build.machines.hydra = {
+      enable = true;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+  };
+}

nix/configuration/hosts/family_disks/hardware-configuration.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+    hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  };
+}

nix/configuration/hosts/family_disks/power_management.nix

@@ -0,0 +1,75 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      powertop
+    ];
+
+    # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
+    # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+    # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+    # amd_pstate=passive :: Fully automated hardware pstate control.
+    # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
+    # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
+    # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
+    boot.kernelParams = [
+      "amdgpu.abmlevel=2"
+      "pcie_aspm=force"
+      # "pcie_aspm.policy=powersupersave"
+      "nowatchdog"
+      # I don't see a measurable benefit from these two:
+      # "cpufreq.default_governor=powersave"
+      # "initcall_blacklist=cpufreq_gov_userspace_init"
+    ];
+
+    systemd.tmpfiles.rules = [
+      "w- /sys/firmware/acpi/platform_profile - - - - low-power"
+      "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
+    ];
+
+    boot.extraModprobeConfig = ''
+      # Disable the hardware watchdog inside AMD 700 chipset series for power savings.
+      blacklist sp5100_tco
+
+      # Sound power-saving was causing chat notifications to be inaudible.
+      # options snd_hda_intel power_save=1
+    '';
+  };
+}

nix/configuration/hosts/family_disks/wrapped-disk-config.nix

@@ -0,0 +1,7 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)

nix/configuration/hosts/hydra/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=hydra
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=hydra
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/SELF_BUILD

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --repair --log-format internal-json -v "${@}" |& nom --json