Disable optimizations for quick iteration.

Everything got dimmer in 6.14 so I am reducing the abmlevel.

.gitattributes

@@ -1,3 +1,5 @@
 cargo_credentials.toml filter=git-crypt diff=git-crypt
 **/wireguard_configs/** filter=git-crypt diff=git-crypt
 *.key filter=git-crypt diff=git-crypt
+credentials filter=git-crypt diff=git-crypt
+htpasswd filter=git-crypt diff=git-crypt

ansible/environments/colo/host_vars/mrmanager

@@ -15,12 +15,13 @@ pflog_conf:
   - name: 0
     dev: pflog0
 cputype: "amd"
+hwpstate: true
 etc_hosts: {}
 wireguard_directory: mrmanager
 enabled_wireguard:
   - colo
 jail_zfs_dataset: zdata/jail
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
 jail_canmount: "on"
 jail_list:
   - name: nat_dhcp

ansible/environments/home/host_vars/homeserver

@@ -1,9 +1,32 @@
 os_flavor: "freebsd"
+custom_repo: "https://freebsdpkg.fizz.buzz/repo/14broadwell-default-computer"
+pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/14broadwell-repo/FreeBSD:14:amd64/latest"
 zfs_snapshot_datasets:
   - path: zroot/freebsd/computer/be
   - path: zmass/encrypted/vm
+  - path: zmass/encrypted/data
+users:
+  talexander:
+    initialize: true
+    uid: 11235
+    gid: 11235
+    groups:
+      - name: wheel
+      - name: video
+      - name: u2f
+      - name: operator # To be able to shutdown without root
+      - name: webcamd
+        gid: 145
+    authorized_keys:
+      - yubikey
+      - main_fido
+      - backup_fido
+      - homeassistant
+    gitconfig: "gitconfig_home"
 sshd_enabled: true
 sshd_conf: "sshd_config"
+prefer_ipv6: true
+dummynet_config: "dnctl.conf"
 pf_config: "homeserver_pf.conf"
 pflog_conf:
   - name: 0
@@ -11,16 +34,11 @@ pflog_conf:
 network_rc: "homeserver_network.conf"
 rc_conf: "homeserver_rc.conf"
 loader_conf: "homeserver_loader.conf"
-netgraph_config: "setup_netgraph_homeserver"
 cputype: "intel"
-cpu_opt: broadwell
 hwpstate: false
-build_user:
-  name: talexander
-  group: talexander
 devfs_rules: "homeserver_devfs.rules"
 jail_zfs_dataset: zmass/encrypted/jails
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset_mountpoint: /jail
 jail_canmount: "on"
 jail_bemount: "on"
 jail_list:
@@ -35,16 +53,41 @@ jail_list:
   - name: dagger
     conf:
       src: dagger
-  - name: mumble
+  - name: olddagger
     conf:
-      src: mumble
-    persist:
-      - name: mumbledb
-        mount: /var/db/murmur
+      src: olddagger
+  - name: sftp
+    conf:
+      src: sftp
+    fstab: sftp_fstab
+  - name: bastion
+    conf:
+      src: bastion
+    fstab: fstab_bastion
+  - name: certificate
+    conf:
+      src: certificate
+  - name: momlaptop
+    conf:
+      src: momlaptop
+  # - name: mumble
+  #   conf:
+  #     src: mumble
+  #   persist:
+  #     - name: mumbledb
+  #       mount: /var/db/murmur
 bhyve_dataset: zmass/encrypted/vm
-bhyve_list: []
-bhyve_canmount: "on"
+# Disable mounting bhyve dataset so it doesn't hide the unencrypted linfi vm
+bhyve_canmount: "off"
+bhyve_mountpoint: "none"
 bhyve_bemount: "on"
 wireguard_directory: homeserver
 enabled_wireguard:
   - wgh
+linfi:
+  enabled: true
+  zfs_dataset: zmass/unencrypted/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "ath if_ath if_ath_pci ath_hal if_iwm if_iwlwifi"
+  pci_blocklist: "6/0/0"
+  amd: false

ansible/environments/home/hosts

@@ -1,2 +1,2 @@
 [headless]
-homeserver ansible_user=talexander ansible_host=10.216.1.1
+homeserver ansible_user=talexander ansible_host=homeserver

ansible/environments/jail/host_vars/bastion

@@ -0,0 +1 @@
+os_flavor: freebsd

ansible/environments/jail/host_vars/certificate

@@ -0,0 +1 @@
+os_flavor: freebsd

ansible/environments/jail/host_vars/momlaptop

@@ -0,0 +1 @@
+os_flavor: freebsd

ansible/environments/jail/host_vars/sftp

@@ -0,0 +1,6 @@
+os_flavor: "freebsd"
+users:
+  nochainstounlock:
+    initialize: true
+    uid: 11235
+    gid: 11235

ansible/environments/jail/hosts

@@ -1,7 +1,11 @@
 [jail]
 nat_dhcp ansible_connection=jail
-homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
+homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@homeserver ansible_connection=sshjail
 mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
 nat_dhcp@172.16.16.2 ansible_connection=sshjail
 admin_git ansible_ssh_host=admin_git@10.217.2.1 ansible_connection=sshjail
 public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
+sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
+bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail
+certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail
+momlaptop ansible_ssh_host=momlaptop@homeserver ansible_connection=sshjail

ansible/environments/laptop/group_vars/all

@@ -1,3 +1,28 @@
 timezone: "America/New_York"
 install_bluetooth: true
 emacs_flavor: "full"
+ssh_hosts:
+  - name: poudriere
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.203
+  - name: controller0
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.204
+  - name: controller1
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.205
+  - name: controller2
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.206
+  - name: worker0
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.207
+  - name: worker1
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.208
+  - name: worker2
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.209
+  - name: brianai
+    proxy_jump: talexander@mrmanager
+    host_name: 10.215.1.215

ansible/environments/laptop/host_vars/odofreebsd

@@ -1,25 +1,25 @@
 os_flavor: "freebsd"
-custom_repo: 13amd64-default-framework
+custom_repo: "https://freebsdpkg.fizz.buzz/repo/currentznver4-default-framework"
+pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/currentznver4-repo/FreeBSD:15:amd64/latest"
 zfs_snapshot_datasets:
-  - path: zroot/freebsd/release/be/default
+  - path: zroot/freebsd/current/be/default
 sshd_enabled: true
 sshd_conf: "sshd_config"
 pf_config: "odofreebsd_pf.conf"
 pflog_conf:
  - name: 0
    dev: pflog0
+prefer_ipv6: true
+dummynet_config: "dnctl.conf"
 network_rc: "odofreebsd_network.conf"
 rc_conf: "odofreebsd_rc.conf"
 loader_conf: "odofreebsd_loader.conf"
 install_graphics: true
 graphics_driver: "amd"
 cputype: "amd"
-cpu_opt: tigerlake
 hwpstate: true
 cores: 16
-build_user:
-  name: talexander
-  group: talexander
+sound_system: "oss"
 users:
   talexander:
     initialize: true
@@ -31,6 +31,8 @@ users:
       - name: u2f
       - name: operator # To be able to shutdown without root
       - name: webcamd
+        gid: 145
+      - name: realtime
     authorized_keys:
       - yubikey
       - main_fido
@@ -38,16 +40,18 @@ users:
       - homeassistant
     gitconfig: "gitconfig_home"
 devfs_rules: "odo_devfs.rules"
-jail_zfs_dataset: zroot/freebsd/release/jails
-jail_zfs_dataset_mountpoint: /jail/main
+jail_zfs_dataset: zroot/freebsd/current/jails
+jail_zfs_dataset_mountpoint: /jail
+jail_canmount: "on"
 jail_list:
   - name: nat_dhcp
     enabled: true
     conf:
       src: nat_dhcp
-bhyve_dataset: zroot/freebsd/release/vm
-bhyve_list: []
-efi_dev: /dev/gpt/EFI
+bhyve_dataset: zroot/freebsd/current/vm
+bhyve_bemount: off
+# efi_dev: /dev/gpt/EFI
+efi_dev: /dev/diskid/DISK-SJB7N717610407Q0Hp1
 sway_conf_files:
   - launch_gpg
 wireguard_directory: odo
@@ -55,3 +59,10 @@ enabled_wireguard:
   - wgh
   - drmario
   - colo
+linfi:
+  enabled: true
+  zfs_dataset: zroot/freebsd/current/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "if_iwm if_iwlwifi"
+  pci_blocklist: "1/0/0"
+  amd: true

ansible/environments/laptop/host_vars/odolinux

@@ -16,6 +16,7 @@ users:
       - backup_fido
       - homeassistant
     gitconfig: "gitconfig_home"
+periodic_scrub_pools: [zroot]
 zfs_snapshot_datasets:
   # - zroot/linux/archmain/home
   - path: zroot/linux/archmain/be
@@ -36,4 +37,3 @@ cores: 16
 sway_conf_files:
   - rofimoji
 docker_storage_driver: overlay2 # alternatively zfs
-docker_zfs_dataset: zroot/linux/archmain/docker

ansible/environments/laptop/host_vars/odowork

@@ -0,0 +1,37 @@
+os_flavor: "linux"
+hostname: odowork
+etc_hosts: {}
+users:
+  talexander:
+    initialize: true
+    uid: 11235
+    gid: 1000
+    groups:
+      - name: wheel
+      - name: users
+      - name: docker
+      - name: libvirt
+      - name: uucp
+    authorized_keys:
+      - yubikey
+      - main_fido
+      - backup_fido
+    gitconfig: "gitconfig_work"
+periodic_scrub_pools: [zroot]
+zfs_snapshot_datasets:
+  - path: zroot/linux/archwork/be
+install_graphics: true
+graphics_driver: "amd"
+pgp_key: "gpg_work.asc"
+build_user:
+  name: talexander
+  group: talexander
+# wireguard_directory: odowork
+# enabled_wireguard: []
+cputype: "amd"
+hwpstate: true
+cores: 16
+sway_conf_files:
+  - rofimoji
+docker_storage_driver: overlay2 # alternatively zfs
+closed_source_vscode: true

ansible/environments/laptop/hosts

@@ -1,3 +1,4 @@
 [gui]
 odolinux ansible_connection=local ansible_host=127.0.0.1
 odofreebsd ansible_connection=local ansible_host=127.0.0.1
+odowork ansible_connection=local ansible_host=127.0.0.1

ansible/environments/vm/host_vars/freebsdupdatemrmanager

@@ -1,5 +0,0 @@
-os_flavor: "freebsd"
-cpu_opt: tigerlake
-build_user:
-  name: root
-  group: wheel

ansible/environments/vm/host_vars/poudrieremrmanager

@@ -1,13 +1,30 @@
 os_flavor: "freebsd"
+sshd_enabled: true
+custom_repo: "file:///usr/local/poudriere/data/packages/currentznver4-default-framework"
+pkgbase_url: "file:///usr/local/poudriere/data/images/currentznver4-repo/FreeBSD:15:amd64/latest"
 poudriere_builds:
-  - jail: 13amd64
-    ports: default
-    set: framework
-    version: 13.2-RELEASE
-  # - jail: current
+  # - jail: 13amd64
   #   ports: default
   #   set: framework
-  #   version: CURRENT
-  #   revision: af01b4722577903f91acc44f01bdcb8cdb2d65ad
-  #   kernel: CUSTOM
-  #   branch: main
+  #   version: 13.2-RELEASE
+  - jail: currentznver4
+    ports: default
+    set: framework
+    version: CURRENT
+    # revision: 66d37dbedfbf2dc94ccf49e6983c3652d5909b91
+    kernel: CUSTOM
+    branch: main
+    srcconf: currentznver4_src.conf
+  # - jail: 14broadwell
+  #   ports: default
+  #   set: computer
+  #   version: 14.0-RELEASE
+  #   kernel: GENERIC
+  #   srcconf: 14broadwell_src.conf
+  - jail: 14broadwell
+    ports: default
+    set: computer
+    version: CURRENT
+    kernel: CUSTOM
+    branch: releng/14.1
+    srcconf: 14broadwell_src.conf

ansible/environments/vm/hosts

@@ -1,13 +1,8 @@
 [vm]
 poudriereodo ansible_user=builder ansible_host=10.213.177.12
 poudrieremrmanager ansible_user=root ansible_host=poudriere
-freebsdupdatemrmanager ansible_user=root ansible_host=freebsdupdate
 #
 # Put in ~/.ssh/config
 #    Host poudriere
 #       ProxyJump talexander@mrmanager
 #       HostName 10.215.1.203
-#
-#    Host freebsdupdate
-#       ProxyJump talexander@mrmanager
-#       HostName 10.215.1.213

ansible/playbook.yaml

@@ -27,6 +27,7 @@
     - sway
     - emacs
     - firefox
+    - chromium
     - devfs
     - ssh_client
     - sshfs
@@ -42,9 +43,9 @@
     - ansible
     - wireguard
     - portshaker
-    - poudriere
     - android
     - latex
+    - python
     - pyenv
     - webcam
     - docker
@@ -53,6 +54,8 @@
     - launch_keyboard
     - lvfs
     - restaurant_health_rating
+    - wasm
+    - noise_suppression
 
 - hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp
   vars:
@@ -65,11 +68,15 @@
     ansible_become: True
   roles:
     - sudo # for poudboot script
+    - doas
     - fstab
+    - package_manager
+    - zsh
+    - termcap
+    - sshd
     - portshaker
     - poudriere
     - poudrierenginx
-    - freebsd_update_server
 
 - hosts: mrmanager
   vars:
@@ -115,30 +122,47 @@
     - users
     - public_dns
 
-- hosts: odolinux:odofreebsd
+- hosts: odolinux:odofreebsd:odowork
   vars:
     ansible_become: True
   roles:
+    - linfi
     - framework_laptop
 
-- hosts: odofreebsd
-  vars:
-    ansible_become: True
-  roles:
-    - freebsd_update_server
-
-- hosts: freebsdupdatemrmanager
-  vars:
-    ansible_become: True
-  roles:
-    - sudo # for poudboot script
-    - doas
-    - fstab
-    - build
-    - freebsd_update_server
-
 - hosts: homeserver
   vars:
     ansible_become: True
   roles:
+    - linfi
     - homeserver
+
+- hosts: odowork
+  vars:
+    ansible_become: True
+  roles:
+    - odowork
+
+- hosts: sftp
+  vars:
+    ansible_become: True
+  roles:
+    - users
+    - sftp
+
+- hosts: bastion
+  vars:
+    ansible_become: True
+  roles:
+    - jail_bastion
+
+- hosts: certificate
+  vars:
+    ansible_become: True
+  roles:
+    - jail_certificate
+
+- hosts: momlaptop
+  vars:
+    ansible_become: True
+  roles:
+    - jail_momlaptop

ansible/roles/alacritty/files/alacritty.toml

@@ -0,0 +1,44 @@
+[colors]
+draw_bold_text_with_bright_colors = true
+indexed_colors = []
+
+[colors.bright]
+black = "0x666666"
+blue = "0x7aa6da"
+cyan = "0x54ced6"
+green = "0x9ec400"
+magenta = "0xb77ee0"
+red = "0xff3334"
+white = "0xffffff"
+yellow = "0xe7c547"
+
+[colors.normal]
+black = "0x000000"
+blue = "0x7aa6da"
+cyan = "0x70c0ba"
+green = "0xb9ca4a"
+magenta = "0xc397d8"
+red = "0xd54e53"
+white = "0xeaeaea"
+yellow = "0xe6c547"
+
+[colors.primary]
+background = "0x000000"
+foreground = "0xeaeaea"
+
+[font]
+size = 11.0
+
+[[hints.enabled]]
+command = "xdg-open"
+post_processing = true
+regex = "(ipfs:|ipns:|magnet:|mailto:|gemini:|gopher:|https:|http:|news:|file:|git:|ssh:|ftp:)[^\u0000-\u001F\u007F-Ÿ<>\"\\s{-}\\^⟨⟩`]+"
+
+[hints.enabled.mouse]
+enabled = false
+mods = "None"
+
+[scrolling]
+history = 10000
+# Lines moved per scroll.
+multiplier = 3

ansible/roles/alacritty/files/alacritty.yml

@@ -1,103 +0,0 @@
-# If `true`, bold text is drawn using the bright color variants.
-draw_bold_text_with_bright_colors: true
-
-colors:
-  # Default colors
-  primary:
-    background: "0x000000"
-    foreground: "0xeaeaea"
-
-    # Bright and dim foreground colors
-    #
-    # The dimmed foreground color is calculated automatically if it is not present.
-    # If the bright foreground color is not set, or `draw_bold_text_with_bright_colors`
-    # is `false`, the normal foreground color will be used.
-    #dim_foreground: '0x9a9a9a'
-    #bright_foreground: '0xffffff'
-
-  # Cursor colors
-  #
-  # Colors which should be used to draw the terminal cursor. If these are unset,
-  # the cursor color will be the inverse of the cell color.
-  #cursor:
-  #  text: '0x000000'
-  #  cursor: '0xffffff'
-
-  # Selection colors
-  #
-  # Colors which should be used to draw the selection area. If selection
-  # background is unset, selection color will be the inverse of the cell colors.
-  # If only text is unset the cell text color will remain the same.
-  #selection:
-  #  text: '0xeaeaea'
-  #  background: '0x404040'
-
-  # Normal colors
-  normal:
-    black: "0x000000"
-    red: "0xd54e53"
-    green: "0xb9ca4a"
-    yellow: "0xe6c547"
-    blue: "0x7aa6da"
-    magenta: "0xc397d8"
-    cyan: "0x70c0ba"
-    white: "0xeaeaea"
-
-  # Bright colors
-  bright:
-    black: "0x666666"
-    red: "0xff3334"
-    green: "0x9ec400"
-    yellow: "0xe7c547"
-    blue: "0x7aa6da"
-    magenta: "0xb77ee0"
-    cyan: "0x54ced6"
-    white: "0xffffff"
-
-  # Dim colors
-  #
-  # If the dim colors are not set, they will be calculated automatically based
-  # on the `normal` colors.
-  #dim:
-  #  black:   '0x000000'
-  #  red:     '0x8c3336'
-  #  green:   '0x7a8530'
-  #  yellow:  '0x97822e'
-  #  blue:    '0x506d8f'
-  #  magenta: '0x80638e'
-  #  cyan:    '0x497e7a'
-  #  white:   '0x9a9a9a'
-
-  # Indexed Colors
-  #
-  # The indexed colors include all colors from 16 to 256.
-  # When these are not set, they're filled with sensible defaults.
-  #
-  # Example:
-  #   `- { index: 16, color: '0xff00ff' }`
-  #
-  indexed_colors: []
-
-scrolling:
-  # Maximum number of lines in the scrollback buffer.
-  # Specifying '0' will disable scrolling.
-  history: 10000
-
-  # Number of lines the viewport will move for every line scrolled when
-  # scrollback is enabled (history > 0).
-  multiplier: 3
-
-font:
-  size: 11.0
-
-hints:
-  enabled:
-    # Disable opening links when clicked
-    - regex:
-        "(ipfs:|ipns:|magnet:|mailto:|gemini:|gopher:|https:|http:|news:|file:|git:|ssh:|ftp:)\
-        [^\u0000-\u001F\u007F-\u009F<>\"\\s{-}\\^⟨⟩`]+"
-      command: xdg-open
-      post_processing: true
-      mouse:
-        enabled: false
-        mods: None

ansible/roles/alacritty/tasks/peruser.yaml

@@ -19,8 +19,8 @@
     owner: "{{ account_name.stdout }}"
     group: "{{ group_name.stdout }}"
   loop:
-    - src: alacritty.yml
-      dest: .config/alacritty/alacritty.yml
+    - src: alacritty.toml
+      dest: .config/alacritty/alacritty.toml
 
 - import_tasks: tasks/peruser_freebsd.yaml
   when: 'os_flavor == "freebsd"'

ansible/roles/android/tasks/linux.yaml

@@ -19,4 +19,6 @@
     name:
       - gvfs
       - gvfs-mtp
+      - android-udev # Access android over USB without root.
+      - android-tools # For fastboot to flash phones.
     state: present

ansible/roles/ansible/tasks/freebsd.yaml

@@ -1,6 +1,6 @@
 - name: Install packages
   package:
     name:
-      - py39-ansible
+      - py311-ansible
       - ansible-sshjail
     state: present

ansible/roles/base/files/alacritty.termcap

@@ -1,24 +0,0 @@
-#	Reconstructed via infocmp from file: /usr/share/terminfo/a/alacritty
-# (untranslatable capabilities removed to fit entry within 1023 bytes)
-# (sgr removed to fit entry within 1023 bytes)
-# (acsc removed to fit entry within 1023 bytes)
-# (terminfo-only capabilities suppressed to fit entry within 1023 bytes)
-alacritty|alacritty terminal emulator:\
-	:am:bs:hs:mi:ms:xn:\
-	:co#80:it#8:li#24:\
-	:AL=\E[%dL:DC=\E[%dP:DL=\E[%dM:DO=\E[%dB:IC=\E[%d@:\
-	:K2=\EOE:LE=\E[%dD:RI=\E[%dC:SF=\E[%dS:SR=\E[%dT:\
-	:UP=\E[%dA:ae=\E(B:al=\E[L:as=\E(0:bl=^G:bt=\E[Z:cd=\E[J:\
-	:ce=\E[K:cl=\E[H\E[2J:cm=\E[%i%d;%dH:cr=\r:\
-	:cs=\E[%i%d;%dr:ct=\E[3g:dc=\E[P:dl=\E[M:do=\n:\
-	:ds=\E]2;\007:ec=\E[%dX:ei=\E[4l:fs=^G:ho=\E[H:im=\E[4h:\
-	:is=\E[!p\E[?3;4l\E[4l\E>:k1=\EOP:k2=\EOQ:k3=\EOR:\
-	:k4=\EOS:k5=\E[15~:k6=\E[17~:k7=\E[18~:k8=\E[19~:\
-	:k9=\E[20~:kD=\E[3~:kI=\E[2~:kN=\E[6~:kP=\E[5~:kb=\177:\
-	:kd=\EOB:ke=\E[?1l\E>:kh=\EOH:kl=\EOD:kr=\EOC:\
-	:ks=\E[?1h\E=:ku=\EOA:le=^H:mb=\E[5m:md=\E[1m:me=\E[0m:\
-	:mh=\E[2m:mm=\E[?1034h:mo=\E[?1034l:mr=\E[7m:nd=\E[C:\
-	:rc=\E8:sc=\E7:se=\E[27m:sf=\n:so=\E[7m:sr=\EM:st=\EH:ta=^I:\
-	:te=\E[?1049l\E[23;0;0t:ti=\E[?1049h\E[22;0;0t:\
-	:ts=\E]2;:ue=\E[24m:up=\E[A:us=\E[4m:vb=\E[?5h\E[?5l:\
-	:ve=\E[?12l\E[?25h:vi=\E[?25l:vs=\E[?12;25h:

ansible/roles/base/files/bbr_loader.conf

@@ -0,0 +1 @@
+tcp_bbr_load="YES"

ansible/roles/base/files/cleartmp_rc.conf

@@ -0,0 +1 @@
+clear_tmp_enable="YES"

ansible/roles/base/files/decode_jwt.bash

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Decode the contents of a JWT
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec jq -R 'split(".") | .[0],.[1] | gsub("-"; "+") | gsub("_"; "/") | gsub("%3D"; "=")| @base64d | fromjson'

ansible/roles/base/files/disk_labels_loader.conf

@@ -1,8 +1,12 @@
-# Disabling both of these will make /dev/gpt/* populated
+# Populates the /dev/diskid
+kern.geom.label.disk_ident.enable="1"
+
+
+
+# Populates /dev/gpt but only if kern.geom.label.disk_ident.enable is disabled.
 #
 # This uses gpt partition labels which you can set with:
 #
 #     gpart modify -l EFI -i 1 nvd0
 
-# kern.geom.label.disk_ident.enable="0"
 # kern.geom.label.gptid.enable="1"

ansible/roles/base/files/gitconfig_home

@@ -8,6 +8,7 @@
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
+	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
@@ -18,3 +19,18 @@
 	date = local
 [init]
 	defaultBranch = main
+
+# Use meld for `git difftool` and `git mergetool`
+[diff]
+	tool = meld
+[difftool]
+	prompt = false
+[difftool "meld"]
+	cmd = meld "$LOCAL" "$REMOTE"
+[merge]
+	tool = meld
+[mergetool "meld"]
+        # Make the middle pane start with partially-merged contents:
+	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
+        # Make the middle pane start without any merge progress:
+	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"

ansible/roles/base/files/gitconfig_work

@@ -0,0 +1,38 @@
+[user]
+	email = ThomasA.Alexander@hmhn.org
+	name = Tom Alexander
+	signingkey = D3A179C9A53C0EDE
+[push]
+	default = simple
+[alias]
+	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
+	bh = log --oneline --branches=* --remotes=* --graph --decorate
+	amend = commit --amend --no-edit
+	authorcount = shortlog --summary --numbered --all --no-merges
+[core]
+	excludesfile = ~/.gitignore_global
+[commit]
+	gpgsign = true
+[pull]
+	rebase = true
+[log]
+	date = local
+[init]
+	defaultBranch = main
+
+# Use meld for `git difftool` and `git mergetool`
+[diff]
+	tool = meld
+[difftool]
+	prompt = false
+[difftool "meld"]
+	cmd = meld "$LOCAL" "$REMOTE"
+[merge]
+	tool = meld
+[mergetool "meld"]
+        # Make the middle pane start with partially-merged contents:
+	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
+        # Make the middle pane start without any merge progress:
+	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
+[includeIf "gitdir:/bridge/"]
+	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home

ansible/roles/base/files/gitignore_global

@@ -1,3 +1,8 @@
 .idea
 .python-version
+
+# Emacs per-directory settings
 .dir-locals.el
+
+# C/C++ Language Server compile commands
+compile_commands.json

ansible/roles/base/files/homeserver_loader.conf

@@ -1,5 +1,3 @@
 security.bsd.allow_destructive_dtrace=0
-kern.geom.label.disk_ident.enable="0"
-kern.geom.label.gptid.enable="0"
 cryptodev_load="YES"
 zfs_load="YES"

ansible/roles/base/files/login.conf

@@ -32,7 +32,7 @@ default:\
 	:cputime=unlimited:\
 	:datasize=unlimited:\
 	:stacksize=unlimited:\
-	:memorylocked=64K:\
+	:memorylocked=128M:\
 	:memoryuse=unlimited:\
 	:filesize=unlimited:\
 	:coredumpsize=unlimited:\
@@ -44,6 +44,7 @@ default:\
 	:pseudoterminals=unlimited:\
 	:kqueues=unlimited:\
 	:umtxp=unlimited:\
+	:pipebuf=unlimited:\
 	:priority=0:\
 	:ignoretime@:\
 	:umask=022:\

ansible/roles/base/files/odofreebsd_loader.conf

@@ -1,6 +1,3 @@
 security.bsd.allow_destructive_dtrace=0
-kern.geom.label.disk_ident.enable="0"
-kern.geom.label.gptid.enable="0"
 cryptodev_load="YES"
 zfs_load="YES"
-

ansible/roles/base/files/odofreebsd_rc.conf

@@ -1,8 +1,6 @@
-clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="odo"
-sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
 zfs_enable="YES"

ansible/roles/base/files/tmux.conf

@@ -1,4 +1,4 @@
-set-option -g mouse on
+# set-option -g mouse on
 set-option -g history-limit 20000
 # set -g @plugin 'tmux-plugins/tmux-yank'
 # Emacs style

ansible/roles/base/files/watch_freebsd

@@ -10,7 +10,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 function cleanup {
     switch_to_main_screen
 }
-for sig in EXIT INT QUIT HUP TERM; do
+for sig in EXIT; do
   trap "set +e; cleanup; exit" "$sig"
 done
 

ansible/roles/base/meta/main.yaml

@@ -1,2 +1,3 @@
 dependencies:
   - fstab
+  - termcap

ansible/roles/base/tasks/common.yaml

@@ -16,20 +16,19 @@
       - wget
       - colordiff
       - ipcalc
-      - kdiff3
       - tcpdump
       - moreutils # for ts [%Y-%m-%d %H:%M:%.S]
       - ddrescue
+      - dmidecode
     state: present
 
-- name: Set timezone
-  file:
-    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
-    dest: /etc/localtime
-    owner: root
-    # TODO: Arch Linux is changing the group to root instead of wheel. Maybe make this a variable?
-    group: wheel
-    state: link
+- name: Install packages
+  when: install_graphics
+  package:
+    name:
+      - kdiff3
+      - meld
+    state: present
 
 - name: Install scripts
   copy:
@@ -49,6 +48,8 @@
       dest: /usr/local/bin/cleanup_temporary_files
     - src: git_fix_author.bash
       dest: /usr/local/bin/git_fix_author
+    - src: decode_jwt.bash
+      dest: /usr/local/bin/decode_jwt
 
 - import_tasks: tasks/freebsd.yaml
   when: 'os_flavor == "freebsd"'

ansible/roles/base/tasks/freebsd.yaml

@@ -1,3 +1,11 @@
+- name: Set timezone
+  file:
+    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
+    dest: /etc/localtime
+    owner: root
+    group: wheel
+    state: link
+
 - name: Install packages
   package:
     name:
@@ -5,29 +13,18 @@
       - gsed
       - gmake
       - rust-coreutils
+      - shuf
     state: present
 
-- name: See if the alacritty termcap has been added
-  lineinfile:
-    name: /usr/share/misc/termcap
-    regexp: |-
-      ^alacritty\|
-    state: absent
-  check_mode: yes
-  changed_when: false
-  register: alacritty_cap
-
-- name: Append alacritty termcap info
-  blockinfile:
-    path: /usr/share/misc/termcap
-    block: "{{ lookup('file', 'alacritty.termcap') }}"
-    marker: "# {mark} ANSIBLE MANAGED BLOCK alacritty"
-  when: not alacritty_cap.found
-  register: wrote_alacritty_cap
-
-- name: Update cap_mkdb
-  command: cap_mkdb /usr/share/misc/termcap
-  when: wrote_alacritty_cap.changed
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - cleartmp
 
 - name: Install login.conf
   copy:
@@ -42,18 +39,6 @@
   command: cap_mkdb /etc/login.conf
   when: login_config.changed
 
-- name: Enable periodic scrub
-  community.general.sysrc:
-    name: daily_scrub_zfs_enable
-    value: "YES"
-    path: /etc/periodic.conf.local
-
-- name: Set scrub interval
-  community.general.sysrc:
-    name: daily_scrub_zfs_default_threshold
-    value: "7"
-    path: /etc/periodic.conf.local
-
 - name: Install loader.conf
   copy:
     src: "{{loader_conf}}"
@@ -123,3 +108,65 @@
     group: wheel
   loop:
     - disk_labels
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: false
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    # Adjust ttl
+    - name: net.inet.ip.ttl
+      value: 65
+    - name: net.inet6.ip6.hlim
+      value: 65
+
+- name: Log periodic output instead of getting it as mail
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK log"
+    # create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_output=/var/log/daily.log
+      weekly_output=/var/log/weekly.log
+      monthly_output=/var/log/monthly.log
+
+- name: Enable periodic zfs scrub
+  when: install_zfs
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK zfs"
+    # create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_scrub_zfs_enable="YES"
+      daily_scrub_zfs_default_threshold="7"
+
+# Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
+- name: Install loader.conf
+  copy:
+    src: "files/{{ item }}_loader.conf"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - bbr
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: false
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    - name: net.inet.tcp.functions_default
+      value: "bbr"

ansible/roles/base/tasks/linux.yaml

@@ -1,3 +1,11 @@
+- name: Set timezone
+  file:
+    src: "/usr/share/zoneinfo/{{ timezone|default('UTC') }}"
+    dest: /etc/localtime
+    owner: root
+    group: root
+    state: link
+
 - name: Install packages
   package:
     name:
@@ -8,6 +16,8 @@
       - man-db
       - uutils-coreutils
       - usbutils # for lsusb
+      - bolt
+      - whois
     state: present
 
 - name: Start pkgfile update service
@@ -17,17 +27,6 @@
     daemon_reload: yes
     enabled: yes
 
-# Of questionable value since I don't use swap on my machines
-- name: Configure sysctls for swap
-  sysctl:
-    name: "{{ item.name }}"
-    value: "{{ item.value }}"
-    state: present
-    sysctl_file: /etc/sysctl.d/swap.conf
-  loop:
-    - name: vm.swappiness
-      value: 10
-
 - name: Install scripts
   copy:
     src: "files/{{ item.src }}"
@@ -40,3 +39,41 @@
       dest: /usr/local/bin/mount_disk_image
     - src: watch_linux
       dest: /usr/local/bin/ww
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    sysctl_file: /etc/sysctl.d/{{ item.file }}
+  loop:
+    # Of questionable value since I don't use swap on my machines
+    - name: vm.swappiness
+      value: 10
+      file: swap.conf
+    # Enable TCP packetization-layer PMTUD when an ICMP black hole is detected.
+    - name: net.ipv4.tcp_mtu_probing
+      value: 1
+      file: tcp.conf
+    # Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
+    - name: net.ipv4.tcp_congestion_control
+      value: bbr
+      file: tcp.conf
+    # Don't do a slow start after a connection has been idle for a single RTO.
+    - name: net.ipv4.tcp_slow_start_after_idle
+      value: 0
+      file: tcp.conf
+    # 3x time to accumulate filesystem changes before flushing to disk.
+    - name: vm.dirty_writeback_centisecs
+      value: 1500
+      file: power.conf
+    # Adjust ttl
+    - name: net.ipv4.ip_default_ttl
+      value: 65
+      file: ttl.conf
+    - name: net.ipv6.conf.all.hop_limit
+      value: 65
+      file: ttl.conf
+    - name: net.ipv6.conf.default.hop_limit
+      value: 65
+      file: ttl.conf

ansible/roles/bhyve/defaults/main.yaml

@@ -1,2 +1 @@
 bhyve_mountpoint: "/vm"
-bhyve_list: []

ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash

@@ -30,6 +30,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
 : ${VNC_ENABLE:="NO"}
 : ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
 
 if [ "$VERBOSE" = "YES" ]; then
     set -x
@@ -45,7 +47,7 @@ function cleanup {
     done
 }
 vms=()
-for sig in EXIT INT QUIT HUP TERM; do
+for sig in EXIT; do
   trap "set +e; sleep 10; cleanup" "$sig"
 done
 
@@ -74,13 +76,6 @@ function main {
     fi
 }
 
-function die {
-    local status_code="$1"
-    shift
-    (>&2 echo "${@}")
-    exit "$status_code"
-}
-
 function create_disk {
     local zfs_path="$1"
     local mount_path="$2"
@@ -112,7 +107,8 @@ function start_vm {
     local bridge_name="$BRIDGE_NAME"
     local ip_range="$IP_RANGE" # for raw this value does not matter
 
-    local mac_address=$(calculate_mac_address "$name")
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")
 
     local additional_args=()
 
@@ -147,7 +143,7 @@ function start_vm {
         additional_args+=("-s" "5,ahci-cd,$mount_cd")
     fi
     if [ "$VNC_ENABLE" = "YES" ]; then
-        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=1920,h=1080")
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
     fi
     vms+=("$name")
     while true; do
@@ -158,6 +154,8 @@ function start_vm {
             -c $CPU_CORES \
             -m $MEMORY \
             -H \
+            -P \
+            -o 'rtc.use_localtime=false' \
             -s 0,hostbridge \
             -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
             -s 30,xhci,tablet \
@@ -252,7 +250,8 @@ function ng_exists {
 
 function calculate_mac_address {
     local name="$1"
-    local source=$(md5 -r -s "$name" | awk '{print $1}')
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
     echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
 }
 

ansible/roles/build/defaults/main.yaml

@@ -1,2 +0,0 @@
-# freebsd_version: "releng/13.2"
-freebsd_version: "9c80d66ec1b4c5b9ac7aaf5b0fdbb1628d49c181"

ansible/roles/build/files/CUSTOM

@@ -1,6 +0,0 @@
-include GENERIC-NODEBUG
-
-# Disable Intel SD/MMC controller for reading eMMC
-nodevice sdhci
-
-ident   CUSTOM

ansible/roles/build/files/find_packages_that_installed_kernel_modules.bash

@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-#
-# List installed packages that install a kernel module.
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-: ${PORTSDIR:="/usr/ports"}
-
-function main {
-    if [ "$#" -ne 0 ]; then
-        (>&2 echo "This script takes no positional parameters.")
-        exit 1
-    fi
-    local module
-    doas find / -type f -name '*.ko' | sort | while read module; do
-        local provides=$(pkg provides "$module")
-        if [ -n "$provides" ]; then
-            package_name=$(grep 'Name    : ' <<<"$provides" | sed 's/Name    : //g')
-            # module_file=$(grep 'Filename: ' <<<"$provides" | sed 's/Filename: //g')
-            echo "$package_name"
-        fi
-    done
-}
-
-main "${@}"

ansible/roles/build/files/find_popular_ports_options.bash

@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-#
-# Find which port options appear the most in ports.
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-: ${PORTSDIR:="/usr/ports"}
-
-function main {
-    if [ "$#" -ne 0 ]; then
-        (>&2 echo "This script takes no positional parameters.")
-        exit 1
-    fi
-    local folder
-    find_port_folders | while read folder; do
-        set +e
-        dump_port_options "$folder"
-        set -e
-    done | sort | uniq -c | sort -nr
-}
-
-function find_port_folders {
-    local mf
-    find "$PORTSDIR" -type f -name Makefile -mindepth 3 -maxdepth 3 | sort | while read mf; do
-        dirname "$mf"
-    done
-}
-
-function dump_port_options {
-    local folder="$1"
-    local portopts=$(make -C "$folder" -V OPTIONS_DEFINE)
-    echo "$portopts" | grep -oE --line-buffered '[^ ]*'
-}
-
-main "${@}"

ansible/roles/build/files/find_ports_containing_option.bash

@@ -1,41 +0,0 @@
-#!/usr/bin/env bash
-#
-# List ports containing an option matching the first parameter to the script.
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-: ${PORTSDIR:="/usr/ports"}
-
-function main {
-    if [ "$#" -ne 1 ]; then
-        (>&2 echo "Pass exactly 1 option name to this script.")
-        exit 1
-    fi
-    local find_option_name=$1
-    local folder
-    find_port_folders | while read folder; do
-        set +e
-        dump_port_options "$folder" | grep -qE "^${find_option_name}$"
-        has_opt=$?;
-        set -e
-        if [ $has_opt -eq 0 ]; then
-            echo "$folder"
-        fi
-    done
-}
-
-function find_port_folders {
-    local mf
-    find "$PORTSDIR" -type f -name Makefile -mindepth 3 -maxdepth 3 | sort | while read mf; do
-        dirname "$mf"
-    done
-}
-
-function dump_port_options {
-    local folder="$1"
-    local portopts=$(make -C "$folder" -V OPTIONS_DEFINE)
-    echo "$portopts" | grep -oE --line-buffered '[^ ]*'
-}
-
-main "${@}"

ansible/roles/build/files/freebsd_update_step1

@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-#
-# Build and installs whatever is in /usr/src. Run step 1, reboot, then step 2.
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-cores=$(sysctl -n hw.ncpu)
-
-if sudo etcupdate status | grep -qE '^  C '; then
-    >&2 echo 'Conflicts remain in etcupdate. Run `etcupdate resolve` to fix them first.'
-    exit 1
-fi
-
-cd /usr/src
-
-make -j "$cores" clean
-make -j "$cores" buildworld buildkernel
-sudo make installkernel
-
-echo "FreeBSD update step 1 done. Please reboot."

ansible/roles/build/files/freebsd_update_step2

@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-#
-# Build and installs whatever is in /usr/src. Run step 1, reboot, then step 2.
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-sudo etcupdate -p
-
-cd /usr/src
-sudo make installworld
-sudo etcupdate -B
-
-if sudo etcupdate status | grep -qE '^  C '; then
-    >&2 echo 'Conflicts in etcupdate. Run `etcupdate resolve` to fix them first.'
-    exit 1
-fi
-
-echo "FreeBSD update step 2 done. Please reboot."

ansible/roles/build/files/gpg_work.asc

@@ -0,0 +1,27 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
+0H+RsWG0LVRob21hcyBBbGV4YW5kZXIgPFRob21hc0EuQWxleGFuZGVyQGhtaG4u
+b3JnPoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAmULicsCGwMFCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQJ95A2bhFXBsUtQD9GWPdWc/nSmO0Gp7p
+DzxrieliriAnO+ZCHp31mFbMtToBAPxPYN9y4kgSiXhLiFLoRK5k5FCspksTSitg
+0CbXDE4LuDgEXZwWGhIKKwYBBAGXVQEFAQEHQK202EIAwTBuxARUygOvn+AloMJd
+ui39m+nMghn1MNo+AwEIB4h4BBgWCAAgFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsF
+Al2cFhoCGwwACgkQJ95A2bhFXBtNzAEAq5I6xPjIbb23xmhxh5cM/UJxdGedfWMy
+vF6/JtDvtPUBAPQRQn5AMwTOA+CSnliYf7ZjfVOlHscy60XWPlvXLoAJuDMEXZwW
+yhYJKwYBBAHaRw8BAQdAPyIL4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI
+9QQYFggAJgIbAhYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2
+IAQZFggAHRYhBIHmRDmWdVAusSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7e
+jJ4A/iq7N2mMhx+ovOXm1REoASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZ
+Luka/KVB/etkkJvDzvaTtiQQQG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/
+EZ3/d8wxfA9E3Fb/1mt4c2ZrNnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/
+duA4lwsLuDMEXZwXARYJKwYBBAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+
+UiQb8x0k1z2DmTKIfgQYFggAJgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJl
+C4ZwBQkLMdZgAAoJECfeQNm4RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SB
+PG4VvrCzXrmlAP46wUjIRpkMrTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2c
+FygSCisGAQQBl1UBBQEBB0AO0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWI
+EgMBCAeIfgQYFggAJgIbDBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkL
+MdY5AAoJECfeQNm4RVwbXscA/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcW
+d5t8APwIwcuFVZZA3yayhIxi3aqYpMRxpn2t6Nswax1MIM8DBQ==
+=0HtE
+-----END PGP PUBLIC KEY BLOCK-----

ansible/roles/build/tasks/freebsd.yaml

@@ -1,100 +0,0 @@
-- name: Install packages
-  package:
-    name:
-      - git
-    state: present
-
-- name: Create directories
-  file:
-    name: "{{ item }}"
-    state: directory
-    mode: 0755
-    owner: "{{ build_user.name }}"
-    group: "{{ build_user.group }}"
-  loop:
-    - "/usr/src"
-    # - "/usr/ports"
-    - "/usr/obj"
-
-- name: chown the FreeBSD source
-  file:
-    name: "{{ item }}"
-    state: directory
-    owner: "{{ build_user.name }}"
-    group: "{{ build_user.group }}"
-    recurse: true
-  loop:
-    - "/usr/src"
-
-- name: Clone FreeBSD Source
-  git:
-    repo: "https://git.FreeBSD.org/src.git"
-    dest: /usr/src
-    version: "{{ freebsd_version }}"
-    force: true
-  become: true
-  become_user: "{{ build_user.name }}"
-  diff: false
-
-# - name: Clone Ports Tree
-#   git:
-#     repo: "https://git.FreeBSD.org/ports.git"
-#     dest: /usr/ports
-#     version: "main"
-#     force: true
-#     update: false
-#   become: true
-#   become_user: "{{ build_user.name }}"
-#   diff: false
-
-- name: Install Configuration
-  copy:
-    src: "files/{{ item.src }}"
-    dest: "{{ item.dest }}"
-    mode: 0644
-    owner: root
-    group: wheel
-  loop:
-    - src: make.conf
-      dest: /etc/make.conf
-
-- name: Install Configuration
-  copy:
-    src: "files/{{ item.src }}"
-    dest: "{{ item.dest }}"
-    mode: 0644
-    owner: "{{ build_user.name }}"
-    group: "{{ build_user.group }}"
-  loop:
-    - src: CUSTOM
-      dest: /usr/src/sys/amd64/conf/CUSTOM
-
-- name: Install Configuration
-  template:
-    src: "templates/{{ item.src }}.j2"
-    dest: "{{ item.dest }}"
-    mode: 0644
-    owner: root
-    group: wheel
-  loop:
-    - src: src.conf
-      dest: /etc/src.conf
-
-- name: Install scripts
-  copy:
-    src: "files/{{ item.src }}"
-    dest: "{{ item.dest }}"
-    mode: 0700
-    owner: "{{ build_user.name }}"
-    group: "{{ build_user.group }}"
-  loop:
-    - src: freebsd_update_step1
-      dest: /usr/local/bin/freebsd_update_step1
-    - src: freebsd_update_step2
-      dest: /usr/local/bin/freebsd_update_step2
-    - src: find_popular_ports_options.bash
-      dest: /usr/local/bin/find_popular_ports_options
-    - src: find_ports_containing_option.bash
-      dest: /usr/local/bin/find_ports_containing_option
-    - src: find_packages_that_installed_kernel_modules.bash
-      dest: /usr/local/bin/find_packages_that_installed_kernel_modules

ansible/roles/build/tasks/linux.yaml

@@ -39,7 +39,7 @@
 - name: Trust my signing key
   command: pacman-key -a -
   args:
-    stdin: "{{ lookup('file', 'gpg.asc') }}"
+    stdin: "{{ lookup('file', pgp_key|default('gpg.asc')) }}"
   when: '"B848159363C2877917954BE127DE40D9B8455C1B" not in pacmankeys.stdout'
   register: my_key_imported
 
@@ -89,13 +89,21 @@
   loop:
     - src: aurutils.conf
       dest: /etc/pacman.d/conf.d/
-    - src: pacman-custom.conf
+    - src: pacman-x86_64.conf
       dest: /etc/aurutils/
     - src: makepkg.conf # TODO: Is this needed or can I use the default from devtools?
       dest: /etc/aurutils/
 
+- name: chown the custom package db
+  file:
+    path: "{{ item }}"
+    owner: "{{ build_user.name }}"
+    recurse: true
+  loop:
+    - /var/cache/pacman/custom/
+
 - name: Create custom repo db
-  command: repo-add --sign /var/cache/pacman/custom/custom.db.tar
+  command: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*"
   become: true
   become_user: "{{ build_user.name }}"
   args:

ansible/roles/build/templates/src.conf.j2

@@ -1,35 +0,0 @@
-{% if cpu_opt is defined and cpu_opt %}
-CPUTYPE?={{ cpu_opt }}
-{% endif %}
-KERNCONF=CUSTOM
-WITH_MALLOC_PRODUCTION=YES
-WITHOUT_LLVM_ASSERTIONS=YES
-WITH_REPRODUCIBLE_BUILD=YES
-PORTS_MODULES+=graphics/drm-kmod
-PORTS_MODULES+=graphics/gpu-firmware-intel-kmod
-PORTS_MODULES+=net/wireguard-kmod
-
-# Would be fun to experiment with:
-# WITHOUT_SOURCELESS=YES
-# WITHOUT_GAMES=YES
-# WITHOUT_KERBEROS=YES
-# WITHOUT_LEGACY_CONSOLE=YES
-# WITHOUT_LIB32=YES
-# WITHOUT_LOADER_GELI=YES
-# WITHOUT_MLX5TOOL=YES
-# WITHOUT_NDIS=YES
-# WITHOUT_OFED=YES
-# WITHOUT_PPP=YES
-# WITH_SORT_THREADS=YES
-# WITHOUT_TALK=YES
-# WITHOUT_TCSH=YES
-
-
-# Questionable Optimizations
-WITHOUT_FLOPPY=YES
-WITHOUT_HTML=YES
-WITHOUT_IPFW=YES
-WITHOUT_IPFILTER=YES
-WITHOUT_LLVM_TARGET_ALL=YES
-# Commented out because maybe I want email alerts for failing disks
-# WITHOUT_MAIL=YES

ansible/roles/chromium/files/chromium-flags.conf

@@ -0,0 +1,2 @@
+--ozone-platform-hint=auto
+--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE

ansible/roles/chromium/meta/main.yaml

@@ -1,2 +1,2 @@
 dependencies:
-  - build
+  - users

ansible/roles/chromium/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/chromium/tasks/freebsd.yaml

@@ -0,0 +1,5 @@
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present

ansible/roles/chromium/tasks/linux.yaml

@@ -0,0 +1,7 @@
+# Check chrome://gpu/ to confirm hardware video decoding and vulkan rendering is working.
+
+- name: Install packages
+  package:
+    name:
+      - chromium
+    state: present

ansible/roles/chromium/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: install_graphics

ansible/roles/chromium/tasks/peruser_linux.yaml

@@ -0,0 +1,10 @@
+- name: Copy files
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+    mode: 0600
+    owner: "{{ account_name.stdout }}"
+    group: "{{ group_name.stdout }}"
+  loop:
+    - src: chromium-flags.conf
+      dest: .config/chromium-flags.conf

ansible/roles/cpu/tasks/freebsd_amd.yaml

@@ -27,3 +27,14 @@
     group: wheel
   loop:
     - aesni
+
+- name: Install loader.conf
+  when: hwpstate is defined and hwpstate
+  copy:
+    src: "files/{{ item }}_loader.conf"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - per_core_hwpstate

ansible/roles/cpu/tasks/freebsd_intel.yaml

@@ -78,4 +78,4 @@
     owner: root
     group: wheel
   loop:
-    - percorespeedshift
+    - per_core_hwpstate

ansible/roles/devfs/files/homeserver_devfs.rules

@@ -17,3 +17,9 @@ add include $devfsrules_hide_all
 add include $devfsrules_unhide_basic
 add include $devfsrules_unhide_login
 add path 'bpf*' unhide
+
+[tajailrand=15]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path urandom unhide

ansible/roles/docker/tasks/linux.yaml

@@ -2,6 +2,8 @@
   package:
     name:
       - docker
+      - docker-compose
+      - docker-buildx
     state: present
 
 - name: Create docker zfs dataset

ansible/roles/dummynet/files/dnctl.conf

@@ -0,0 +1,2 @@
+pipe 1 config bw 100KByte/s
+pipe 2 config

ansible/roles/dummynet/files/dummynet

@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+#
+
+# PROVIDE: dummynet
+# BEFORE: pf ipfw
+# KEYWORD: nojailvnet
+
+. /etc/rc.subr
+
+name="dummynet"
+desc="Dummynet packet queuing and scheduling"
+rcvar="${name}_enable"
+load_rc_config $name
+start_cmd="${name}_start"
+required_files="$dummynet_rules"
+required_modules="dummynet"
+
+dummynet_start()
+{
+	startmsg -n "Enabling ${name}"
+        cat "$dnctl_rules" | while read l; do
+          dnctl $l
+        done
+	startmsg '.'
+}
+
+run_rc_command $*

ansible/roles/dummynet/files/dummynet_rc.conf

@@ -0,0 +1,2 @@
+dummynet_enable="YES"
+dummynet_rules="/etc/dnctl.conf"

ansible/roles/dummynet/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/dummynet/tasks/freebsd.yaml

@@ -0,0 +1,30 @@
+- name: Install Configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: "{{ dummynet_config }}"
+      dest: /etc/dnctl.conf
+
+- name: Install rc script
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: dummynet
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - dummynet

ansible/roles/dummynet/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: (dummynet_config is defined and os_flavor == "freebsd") or (os_flavor == "linux")

ansible/roles/dummynet/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/emacs/files/early-init.el

@@ -1,7 +1,7 @@
-(setq gc-cons-threshold 100000000) ;; Increase garbage collection threshold for performance (default 800000)
+(setq gc-cons-threshold (* 128 1024 1024)) ;; 128MiB Increase garbage collection threshold for performance (default 800000)
 ;; Increase amount of data read from processes, default 4k
-(when (>= emacs-major-version 27)
-  (setq read-process-output-max (* 1024 1024)) ;; 1mb
+(when (version<= "27.0" emacs-version)
+  (setq read-process-output-max (* 10 1024 1024)) ;; 10MiB
   )
 
 ;; Suppress warnings

ansible/roles/emacs/files/elisp/base.el

@@ -36,6 +36,8 @@
  ;; Don't pop up a small window at the bottom of emacs at launch.
  inhibit-startup-screen t
  inhibit-startup-message t
+ ;; Don't show the list of buffers when opening many files.
+ inhibit-startup-buffer-menu t
  ;; Give the scratch buffer a clean slate.
  initial-major-mode 'fundamental-mode
  initial-scratch-message nil
@@ -81,4 +83,12 @@
 (setopt auto-revert-check-vc-info t)
 (global-auto-revert-mode)
 
+;;;;; Performance
+;; Run garbage collect when emacs is idle
+(run-with-idle-timer 5 t (lambda () (garbage-collect)))
+(add-function :after after-focus-change-function
+              (lambda ()
+                (unless (frame-focus-state)
+                  (garbage-collect))))
+
 (provide 'base)

ansible/roles/emacs/files/elisp/common-lsp.el

@@ -38,6 +38,7 @@
   :hook (eglot-managed-mode . company-mode)
   :config
   (setq company-backends '((company-capf)))
+  (setq company-idle-delay 0) ;; Default 0.2
   )
 
 ;; (use-package company-box

ansible/roles/emacs/files/elisp/lang-c.el

@@ -0,0 +1,49 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(defun locate-compile-commands-file ()
+  "See if compile_commands.json exists."
+  ;; This can be generated by prefixing the make command with `intercept-build15 --append`
+  (let ((compile-commands-file (locate-dominating-file (buffer-file-name) "compile_commands.json")))
+    compile-commands-file
+    )
+  )
+
+(defun activate-c-eglot ()
+  "Activate eglot for the c family of languages."
+  (when (locate-compile-commands-file)
+    (eglot-ensure)
+    (defclass my/eglot-c (eglot-lsp-server) ()
+      :documentation
+      "Own eglot server class.")
+
+    (add-to-list 'eglot-server-programs
+                 '(c-ts-mode . (my/eglot-c "/usr/local/bin/clangd15")))
+    (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+    )
+  )
+
+(use-package c-mode
+  :mode (
+         ("\\.c\\'" . c-ts-mode)
+         ("\\.h\\'" . c-or-c++-ts-mode)
+         )
+  :commands (c-mode c-ts-mode)
+  :pin manual
+  :ensure nil
+  :hook (
+         (c-ts-mode . (lambda ()
+                        (activate-c-eglot)
+                        ))
+         )
+  :init
+  (add-to-list 'major-mode-remap-alist '(c-mode . c-ts-mode))
+  (add-to-list 'major-mode-remap-alist '(c++-mode . c++-ts-mode))
+  (add-to-list 'major-mode-remap-alist '(c-or-c++-mode . c-or-c++-ts-mode))
+  (add-to-list 'treesit-language-source-alist '(c "https://github.com/tree-sitter/tree-sitter-c"))
+  (add-to-list 'treesit-language-source-alist '(cpp "https://github.com/tree-sitter/tree-sitter-cpp"))
+  (unless (treesit-ready-p 'c) (treesit-install-language-grammar 'c))
+  (unless (treesit-ready-p 'cpp) (treesit-install-language-grammar 'cpp))
+  )
+
+(provide 'lang-c)

ansible/roles/emacs/files/elisp/lang-javascript.el

@@ -23,6 +23,52 @@
   (run-command-on-buffer "jq" "--monochrome-output" ".")
   )
 
+(defun configure-typescript-language-server ()
+  "Configures the typescript language server."
+  (when-linux
+    ;; Either initializationOptions or workspace/didChangeConfiguration works.
+    (setq eglot-workspace-configuration
+          (list (cons ':typescript '(:inlayHints (:includeInlayParameterNameHints
+                                                  "all"
+                                                  :includeInlayParameterNameHintsWhenArgumentMatchesName
+                                                  t
+                                                  :includeInlayFunctionParameterTypeHints
+                                                  t
+                                                  :includeInlayVariableTypeHints
+                                                  t
+                                                  :includeInlayVariableTypeHintsWhenTypeMatchesName
+                                                  t
+                                                  :includeInlayPRopertyDeclarationTypeHints
+                                                  t
+                                                  :includeInlayFunctionLikeReturnTypeHints
+                                                  t
+                                                  :includeInlayEnumMemberValueHints
+                                                  t)))))
+    (eglot-ensure)
+    ;; (defclass my/eglot-typescript (eglot-lsp-server) ()
+    ;;   :documentation
+    ;;   "Own eglot server class.")
+
+    ;; (add-to-list 'eglot-server-programs
+    ;;              '((js-mode js-ts-mode tsx-ts-mode typescript-ts-mode typescript-mode) . (my/eglot-typescript "typescript-language-server" "--stdio" :initializationOptions (:preferences (:includeInlayParameterNameHints
+    ;;                                                                                                                                                                                        "all"
+    ;;                                                                                                                                                                                        :includeInlayParameterNameHintsWhenArgumentMatchesName
+    ;;                                                                                                                                                                                        t
+    ;;                                                                                                                                                                                        :includeInlayFunctionParameterTypeHints
+    ;;                                                                                                                                                                                        t
+    ;;                                                                                                                                                                                        :includeInlayVariableTypeHints
+    ;;                                                                                                                                                                                        t
+    ;;                                                                                                                                                                                        :includeInlayVariableTypeHintsWhenTypeMatchesName
+    ;;                                                                                                                                                                                        t
+    ;;                                                                                                                                                                                        :includeInlayPRopertyDeclarationTypeHints
+    ;;                                                                                                                                                                                        t
+    ;;                                                                                                                                                                                        :includeInlayFunctionLikeReturnTypeHints
+    ;;                                                                                                                                                                                        t
+    ;;                                                                                                                                                                                        :includeInlayEnumMemberValueHints
+    ;;                                                                                                                                                                                        t)))))
+    )
+  )
+
 (use-package tsx-ts-mode
   :ensure nil
   :pin manual
@@ -33,7 +79,7 @@
   :hook (
          (tsx-ts-mode . (lambda ()
                           (when-linux
-                            (eglot-ensure)
+                            (configure-typescript-language-server)
                             )
                           ))
          )
@@ -52,9 +98,7 @@
   :commands (typescript-ts-mode)
   :hook (
          (typescript-ts-mode . (lambda ()
-                                 (when-linux
-                                   (eglot-ensure)
-                                   )
+                                 (configure-typescript-language-server)
                                  ))
          )
   :init
@@ -81,6 +125,12 @@
   (unless (treesit-ready-p 'javascript) (treesit-install-language-grammar 'javascript))
   )
 
+(defun prettier-fmt ()
+  "Run prettier."
+  (run-command-on-buffer "prettier" "--stdin-filepath" buffer-file-name)
+  )
+
+
 (use-package css-ts-mode
   :ensure nil
   :pin manual
@@ -88,9 +138,23 @@
          ("\\.css\\'" . css-ts-mode)
          )
   :commands (css-ts-mode)
+  :custom (css-indent-offset 2)
   :init
   (add-to-list 'treesit-language-source-alist '(css "https://github.com/tree-sitter/tree-sitter-css"))
   (unless (treesit-ready-p 'css) (treesit-install-language-grammar 'css))
+  :hook (
+         (css-ts-mode . (lambda ()
+                             (eglot-ensure)
+                             (defclass my/eglot-css (eglot-lsp-server) ()
+                               :documentation
+                               "Own eglot server class.")
+
+                             (add-to-list 'eglot-server-programs
+                                          '(css-ts-mode . (my/eglot-css "vscode-css-language-server" "--stdio")))
+                             ;; (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                             (add-hook 'before-save-hook 'prettier-fmt nil 'local)
+                             ))
+         )
   )
 
 

ansible/roles/emacs/files/elisp/lang-nix.el

@@ -0,0 +1,22 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(use-package nix-mode
+  :mode (("\\.nix\\'" . nix-mode)
+         )
+  :commands nix-mode
+  :hook (
+         (nix-mode . (lambda ()
+                             ;; (eglot-ensure)
+                             ;; (defclass my/eglot-nix (eglot-lsp-server) ()
+                             ;;   :documentation
+                             ;;   "Own eglot server class.")
+
+                             ;; (add-to-list 'eglot-server-programs
+                             ;;              '(nix-mode . (my/eglot-nix "nixd")))
+                             ;; (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                             ))
+         )
+  )
+
+(provide 'lang-nix)

ansible/roles/emacs/files/elisp/lang-org.el

@@ -4,6 +4,8 @@
   :bind (
          ("C-c l" . org-store-link)
          ("C-c a" . org-agenda)
+         ("C--" . org-timestamp-down)
+         ("C-=" . org-timestamp-up)
          )
   :hook (
          (org-mode . (lambda ()

ansible/roles/emacs/files/elisp/lang-python.el

@@ -57,6 +57,7 @@
   :pin manual
   :hook (
          (python-ts-mode . (lambda ()
+                             (when-linux
                                (when (executable-find "poetry")
                                  (add-poetry-venv-to-path)
                                  (let ((venv (locate-venv-poetry))) (when venv
@@ -64,10 +65,19 @@
                                                                             (list (cons ':python (list ':venvPath venv ':pythonPath (concat venv "/bin/python")))))
                                                                       ))
                                  )
-                          (when-linux
                                (eglot-ensure)
                                )
 
+                             ;; (when-freebsd
+                             ;;   (eglot-ensure)
+                             ;;   (defclass my/eglot-pylyzer (eglot-lsp-server) ()
+                             ;;     :documentation
+                             ;;     "Own eglot server class.")
+
+                             ;;   (add-to-list 'eglot-server-programs
+                             ;;                '(python-ts-mode . (my/eglot-pylyzer "pylyzer" "--server")))
+                             ;;   )
+
                              (add-hook 'before-save-hook 'python-fmt nil 'local)
                              ))
          )

ansible/roles/emacs/files/elisp/lang-rust.el

@@ -57,7 +57,7 @@
   :init
   (add-to-list 'major-mode-remap-alist '(rust-mode . rust-ts-mode))
   (add-to-list 'treesit-language-source-alist '(rust "https://github.com/tree-sitter/tree-sitter-rust"))
-  (unless (treesit-ready-p 'yaml) (treesit-install-language-grammar 'rust))
+  (unless (treesit-ready-p 'rust) (treesit-install-language-grammar 'rust))
   :config
   ;; Add keybindings for interacting with Cargo
   (use-package cargo

ansible/roles/emacs/files/elisp/lang-xml.el

@@ -0,0 +1,17 @@
+(defun xml-fmt ()
+  "Run xmllint --format."
+  (run-command-on-buffer "xmllint" "--format" "-")
+  )
+
+(use-package nxml-mode
+  :commands (nxml-mode)
+  :pin manual
+  :ensure nil
+  :hook (
+         (nxml-mode . (lambda ()
+                        (add-hook 'before-save-hook 'xml-fmt nil 'local)
+                        ))
+         )
+  )
+
+(provide 'lang-xml)

ansible/roles/emacs/files/elisp/util-vertico.el

@@ -21,7 +21,7 @@
   (vertico-count 20)
   )
 
-;; Create an ivy-like experience when selecting files.
+;; Create an ido/ivy-like experience when selecting files.
 (use-package vertico-directory
   :after vertico
   :ensure nil

ansible/roles/emacs/files/init.el

@@ -32,4 +32,10 @@
 
 (require 'lang-dockerfile)
 
+(require 'lang-c)
+
+(require 'lang-xml)
+
+(require 'lang-nix)
+
 (load-directory autoload-directory)

ansible/roles/emacs/files/plainmacs

@@ -15,7 +15,8 @@ INIT_SCRIPT=$(cat <<EOF
   ;; Set default font
   (set-face-attribute 'default nil :height 100 :width 'regular :weight 'regular :family "Cascadia Mono")
   ;; Set fallback font for unicode glyphs
-  (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji"))
+  (when (display-graphic-p)
+    (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji")))
   (menu-bar-mode -1)
   (when (fboundp 'tool-bar-mode)
     (tool-bar-mode -1))

ansible/roles/emacs/files/plainmacs_init.el

@@ -11,7 +11,8 @@
   ;; Set default font
   (set-face-attribute 'default nil :height 100 :width 'regular :weight 'regular :family "Cascadia Mono")
   ;; Set fallback font for unicode glyphs
-  (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji"))
+  (when (display-graphic-p)
+    (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji")))
   (menu-bar-mode -1)
   (when (fboundp 'tool-bar-mode)
     (tool-bar-mode -1))

ansible/roles/emacs/meta/main.yaml

@@ -3,3 +3,9 @@ dependencies:
   - fonts
   - role: rust
     when: 'emacs_flavor == "full"'
+  - role: python
+    when: 'emacs_flavor == "full"'
+  - role: terraform
+    when: 'emacs_flavor == "full"'
+  - role: nix
+    when: 'emacs_flavor == "full"'

ansible/roles/emacs/tasks/common.yaml

@@ -3,6 +3,7 @@
   package:
     name:
       - aspell
+      - graphviz # used for exporting graphviz dot charts from org-mode
     state: present
 
 - name: Install scripts

ansible/roles/emacs/tasks/freebsd.yaml

@@ -1,28 +1,35 @@
 - name: Install packages
+  when: install_graphics
   package:
     name:
       - emacs
     state: present
 
+- name: Install packages
+  when: not install_graphics
+  package:
+    name:
+      - emacs-nox
+    state: present
+
 - name: Install packages
   when: 'emacs_flavor == "full"'
   package:
     name:
-      - py39-pygments
+      - py311-pygments
       - inkscape # to support SVGs in LaTeX
       # - prettier # typescript formatting
       - aspell
       - en-aspell
       - unzip # for extracting mspyls
-      - py39-isort
-      - py39-black
+      - py311-isort
+      - py311-black
       - zip # for odt export from org-mode
       - gnuplot # used for exporting graphs from org-mode
-      - graphviz # used for exporting graphviz dot charts from org-mode
       # - pyright
       - sqlite3 # for sqlite code blocks in org-mode
       # - terraform-ls # Terraform language server
-      - py39-ptvsd
+      - py311-ptvsd
       - hs-ShellCheck
       # - gopls
     state: present

ansible/roles/emacs/tasks/linux.yaml

@@ -14,6 +14,7 @@
       - gopls
       - typescript-language-server
       - shellcheck
+      - vscode-css-languageserver
     state: present
 
 - name: Create directories

ansible/roles/firefox/defaults/main.yaml

@@ -1,5 +1,6 @@
 firefox_config:
   # identity.sync.tokenserver.uri: "https://ffsync.fizz.buzz/token/1.0/sync/1.5"
+  media.hardware-video-decoding.force-enabled: true
   media.ffmpeg.vaapi.enabled: true
   doh-rollout.doorhanger-decision: "UIDisabled"
   dom.security.https_only_mode: true
@@ -11,3 +12,34 @@ firefox_config:
   browser.newtabpage.activity-stream.showSponsoredTopSites: false
   browser.newtabpage.activity-stream.feeds.section.topstories: false
   browser.newtabpage.pinned: "[]"
+  browser.newtabpage.activity-stream.section.highlights.includePocket: false
+  # Disable cache when devtools are open.
+  devtools.cache.disabled: true
+  # Do not track header.
+  privacy.donottrackheader.enabled: true
+  # Tell websites not to share or sell my data.
+  privacy.globalprivacycontrol.enabled: true
+  # Disable "studies" (slice testing)
+  app.shield.optoutstudies.enabled: false
+  # Disable attribution which is used by advertisers to track you.
+  dom.private-attribution.submission.enabled: false
+  # Disable battery status, used to track users.
+  dom.battery.enabled: false
+  # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
+  #
+  # This breaks copying from BigQuery https://github.com/microsoft/monaco-editor/issues/1540
+  # dom.event.clipboardevents.enabled: false
+  # Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.
+  privacy.firstparty.isolate: true
+  # Do not preload URLs that auto-complete in the address bar.
+  browser.urlbar.speculativeConnect.enabled: false
+  # Do not resist fingerprinting because that tells websites to use light mode.
+  # https://bugzilla.mozilla.org/show_bug.cgi?id=1732114
+  privacy.resistFingerprinting: null # (default false)
+  # Instead, enable fingerprinting protection, which allows configuring an override.
+  privacy.fingerprintingProtection: true
+  # Allow sending dark mode preference to websites.
+  # Allow sending timezone to websites.
+  privacy.fingerprintingProtection.overrides: "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked"
+  # Disable weather on new tab page
+  browser.newtabpage.activity-stream.showWeather: false

ansible/roles/firefox/tasks/peruser.yaml

@@ -10,12 +10,21 @@
   register: firefox_about_config
 
 - name: Configure Firefox about:config
+  when: item[1].value != None
   lineinfile:
     path: "{{ item[0].path }}"
     regexp: '"{{ item[1].key }}", [^")\n]*\)'
     line: 'user_pref("{{ item[1].key }}", {{ item[1].value | to_json }});'
   loop: "{{ firefox_about_config.files | product(firefox_config | dict2items) | list }}"
 
+- name: Configure Firefox about:config
+  when: item[1].value == None
+  lineinfile:
+    path: "{{ item[0].path }}"
+    regexp: '"{{ item[1].key }}", [^")\n]*\)'
+    state: absent
+  loop: "{{ firefox_about_config.files | product(firefox_config | dict2items) | list }}"
+
 - import_tasks: tasks/peruser_freebsd.yaml
   when: 'os_flavor == "freebsd"'
 

ansible/roles/firewall/files/homeserver_pf.conf

@@ -1,9 +1,10 @@
-ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
-not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
+ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }"
+not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
 restricted_nat_v4 = "{ 10.215.2.0/24 }"
 not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }"
+rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
 
 dhcp = "{ bootpc, bootps }"
 allow = "{ wgh wgf }"
@@ -17,22 +18,51 @@ unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
 # options
 set skip on lo
 
+# queueing
+# altq on linfi_host cbq queue { def, stuff }
+# queue def cbq(default borrow)
+# queue stuff bandwidth	8Mb cbq { dagger }
+# queue dagger cbq(borrow)
+
 # redirections
-nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
-rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
 
 # cloak
-nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0)
-rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 1.1.1.1 port 53
+nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host)
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
 
-rdr pass on $ext_if inet proto tcp from $not_restricted_nat_v4 to any port 8081 -> 10.215.2.2 port 8081
-nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8081 -> 10.215.2.1
+# bastion
+rdr pass on $ext_if inet proto {tcp, udp} from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443
+nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.217 port 443 -> 10.215.1.1
+nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 port 8081 -> 10.215.2.1
+
+
+# cloak -> olddagger
+rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
+nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
+
+# cloak -> dagger old
+rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8083 -> 10.215.2.2 port 8083
+nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8083 -> 10.215.2.1
+
+# -> sftp
+# TODO: Limit bandwidth for sftp
+rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
+nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
 
 # Forward ports for unifi controller
-# rdr pass on $ext_if inet proto tcp from any to any port 65022 -> 10.213.177.8 port 22
+# rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22
 rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
 
+# -> momlaptop
+rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8033 -> 10.215.1.218 port 443
+nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.218 port 443 -> 10.215.1.1
+
 # filtering
+# match in on jail_nat from any to any dnpipe(1, 2)
+# match in on restricted_nat from any to any dnpipe(1, 2)
+
 block log all
 pass out on $ext_if
 
@@ -42,6 +72,7 @@ pass out on jail_nat from $jail_nat_v4
 pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports
 pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081
 
+# TODO: limit bandwidth for dagger here
 pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }
 
 # We pass on the interfaces listed in allow rather than skipping on