Still not working.

The latest nixpkgs does not support overriding the name so I am removing it now for compatibility.

ansible/environments/colo/host_vars/mrmanager

@@ -6,6 +6,7 @@ zfs_snapshot_datasets:
     include: false
   - path: zdata/k8spersistent
 sshd_enabled: true
+loader_conf: "mrmanager_loader.conf"
 rc_conf: "mrmanager_rc.conf"
 network_rc: "mrmanager_network.conf"
 routing_rc: "mrmanager_routing.conf"
@@ -13,8 +14,6 @@ pf_config: "mrmanager_pf.conf"
 pflog_conf:
   - name: 0
     dev: pflog0
-  - name: 1
-    dev: pflog1
 cputype: "amd"
 hwpstate: true
 etc_hosts: {}
@@ -52,3 +51,7 @@ users:
       - yubikey
       - main_fido
       - backup_fido
+  mole:
+    initialize: true
+    authorized_keys:
+      - mole

ansible/environments/colo/hosts

@@ -1,3 +1,2 @@
 [server]
-#mrmanager ansible_user=talexander ansible_host=10.217.2.1 ansible_become_method=doas
+mrmanager ansible_user=talexander ansible_host=10.217.2.1
-mrmanager ansible_user=talexander ansible_host=74.80.180.138 ansible_become_method=doas

ansible/environments/home/host_vars/homeserver

@@ -1,4 +1,6 @@
 os_flavor: "freebsd"
+custom_repo: "https://freebsdpkg.fizz.buzz/repo/14broadwell-default-computer"
+pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/14broadwell-repo/FreeBSD:14:amd64/latest"
 zfs_snapshot_datasets:
   - path: zroot/freebsd/computer/be
   - path: zmass/encrypted/vm
@@ -24,6 +26,7 @@ users:
 sshd_enabled: true
 sshd_conf: "sshd_config"
 prefer_ipv6: true
+dummynet_config: "dnctl.conf"
 pf_config: "homeserver_pf.conf"
 pflog_conf:
   - name: 0
@@ -50,6 +53,9 @@ jail_list:
   - name: dagger
     conf:
       src: dagger
+  - name: olddagger
+    conf:
+      src: olddagger
   - name: sftp
     conf:
       src: sftp
@@ -61,6 +67,9 @@ jail_list:
   - name: certificate
     conf:
       src: certificate
+  - name: momlaptop
+    conf:
+      src: momlaptop
   # - name: mumble
   #   conf:
   #     src: mumble
@@ -75,3 +84,10 @@ bhyve_bemount: "on"
 wireguard_directory: homeserver
 enabled_wireguard:
   - wgh
+linfi:
+  enabled: true
+  zfs_dataset: zmass/unencrypted/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "ath if_ath if_ath_pci ath_hal if_iwm if_iwlwifi"
+  pci_blocklist: "6/0/0"
+  amd: false

ansible/environments/home/hosts

@@ -1,3 +1,2 @@
 [headless]
-#homeserver ansible_user=talexander ansible_host=homeserver
+homeserver ansible_user=talexander ansible_host=homeserver
-homeserver ansible_user=talexander ansible_host=172.16.16.32

ansible/environments/jail/host_vars/momlaptop

@@ -0,0 +1 @@
+os_flavor: freebsd

ansible/environments/jail/hosts

@@ -8,3 +8,4 @@ public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
 sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
 bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail
 certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail
+momlaptop ansible_ssh_host=momlaptop@homeserver ansible_connection=sshjail

ansible/playbook.yaml

@@ -53,7 +53,7 @@
     - javascript
     - launch_keyboard
     - lvfs
-    # - restaurant_health_rating
+    - restaurant_health_rating
     - wasm
     - noise_suppression
 
@@ -82,7 +82,7 @@
   vars:
     ansible_become: True
   roles:
-    # - sudo
+    - sudo
     - doas
     - users
     - package_manager
@@ -104,7 +104,6 @@
     - wireguard
     - emacs
     - mrmanager
-    - ndproxy
 
 - hosts: admin_git:public_dns
   vars:
@@ -127,8 +126,16 @@
   vars:
     ansible_become: True
   roles:
+    - linfi
     - framework_laptop
 
+- hosts: homeserver
+  vars:
+    ansible_become: True
+  roles:
+    - linfi
+    - homeserver
+
 - hosts: odowork
   vars:
     ansible_become: True
@@ -153,3 +160,9 @@
     ansible_become: True
   roles:
     - jail_certificate
+
+- hosts: momlaptop
+  vars:
+    ansible_become: True
+  roles:
+    - jail_momlaptop

ansible/roles/base/files/gitconfig_home

@@ -1,54 +1,35 @@
 [user]
 	email = tom@fizz.buzz
 	name = Tom Alexander
-	signingkey = 36C99E8B3C39D85F
+	signingkey = D3A179C9A53C0EDE
 [push]
-	default = simple # (default since 2.0)
+	default = simple
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
-        authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
-	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
+
+# Use meld for `git difftool` and `git mergetool`
 [diff]
-	tool = meld # Use meld for `git difftool` and `git mergetool`
+	tool = meld
-	algorithm = histogram
-	colorMoved = plain
-	mnemonicPrefix = true
-	renames = true
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
-	conflictStyle = zdiff3
 [mergetool "meld"]
         # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
         # Make the middle pane start without any merge progress:
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
-[column]
-	ui = auto
-[branch]
-	sort = -committerdate
-[tag]
-	sort = version:refname
-[fetch]
-	prune = true
-	pruneTags = true
-	all = true
-[rebase]
-	autoSquash = true
-	autoStash = true
-	updateRefs = false

ansible/roles/base/files/gitconfig_work

@@ -1,38 +1,33 @@
 [user]
 	email = ThomasA.Alexander@hmhn.org
 	name = Tom Alexander
-	signingkey = 36C99E8B3C39D85F
+	signingkey = D3A179C9A53C0EDE
 [push]
-	default = simple # (default since 2.0)
+	default = simple
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
-        authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
-	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
+
+# Use meld for `git difftool` and `git mergetool`
 [diff]
-	tool = meld # Use meld for `git difftool` and `git mergetool`
+	tool = meld
-	algorithm = histogram
-	colorMoved = plain
-	mnemonicPrefix = true
-	renames = true
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
-	conflictStyle = zdiff3
 [mergetool "meld"]
         # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
@@ -40,19 +35,3 @@
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
 [includeIf "gitdir:/bridge/"]
 	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
-[includeIf "gitdir:/persist/"]
-	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
-[column]
-	ui = auto
-[branch]
-	sort = -committerdate
-[tag]
-	sort = version:refname
-[fetch]
-	prune = true
-	pruneTags = true
-	all = true
-[rebase]
-	autoSquash = true
-	autoStash = true
-	updateRefs = false

ansible/roles/base/files/homeserver_loader.conf

@@ -1,4 +1,3 @@
 security.bsd.allow_destructive_dtrace=0
 cryptodev_load="YES"
 zfs_load="YES"
-devmatch_blocklist="if_iwm"

ansible/roles/base/files/homeserver_rc.conf

@@ -2,7 +2,8 @@ clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="computer"
+local_unbound_enable="NO"
+sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
 zfs_enable="YES"
-kld_list="${kld_list} if_iwlwifi"

ansible/roles/base/files/login.conf

@@ -32,7 +32,7 @@ default:\
 	:cputime=unlimited:\
 	:datasize=unlimited:\
 	:stacksize=unlimited:\
-	:memorylocked=64K:\
+	:memorylocked=128M:\
 	:memoryuse=unlimited:\
 	:filesize=unlimited:\
 	:coredumpsize=unlimited:\
@@ -46,6 +46,7 @@ default:\
 	:umtxp=unlimited:\
 	:pipebuf=unlimited:\
 	:priority=0:\
+	:ignoretime@:\
 	:umask=022:\
 	:charset=UTF-8:\
 	:lang=en_US.UTF-8:
@@ -148,6 +149,7 @@ russian|Russian Users Accounts:\
 #	:requirehome:\
 #	:passwordtime=90d:\
 #	:umask=002:\
+#	:ignoretime@:\
 #	:tc=default:
 #
 #
@@ -172,6 +174,7 @@ russian|Russian Users Accounts:\
 ##
 #staff:\
 #	:ignorenologin:\
+#	:ignoretime:\
 #	:requirehome@:\
 #	:accounted@:\
 #	:path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
@@ -262,6 +265,7 @@ russian|Russian Users Accounts:\
 ## - no time accounting, restricted to access via dialin lines
 ##
 #site:\
+#	:ignoretime:\
 #	:passwordtime@:\
 #	:refreshtime@:\
 #	:refreshperiod@:\

ansible/roles/base/meta/main.yaml

@@ -1,3 +1,3 @@
 dependencies:
   - fstab
-  # - termcap
+  - termcap

ansible/roles/base/tasks/freebsd.yaml

@@ -77,27 +77,27 @@
     owner: root
     group: wheel
   loop:
-    # - src: bemount.bash
+    - src: bemount.bash
-    #   dest: /usr/local/bin/bemount
+      dest: /usr/local/bin/bemount
     - src: watch_freebsd
       dest: /usr/local/bin/ww
 
-# - name: Install rc script
+- name: Install rc script
-#   copy:
+  copy:
-#     src: "files/{{ item.src }}"
+    src: "files/{{ item.src }}"
-#     dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
-#     owner: root
+    owner: root
-#     group: wheel
+    group: wheel
-#     mode: 0755
+    mode: 0755
-#   loop:
+  loop:
-#     - src: bemount_rc.sh
+    - src: bemount_rc.sh
-#       dest: bemount
+      dest: bemount
 
-# - name: Enable bemount
+- name: Enable bemount
-#   community.general.sysrc:
+  community.general.sysrc:
-#     name: bemount_enable
+    name: bemount_enable
-#     value: "YES"
+    value: "YES"
-#     path: /etc/rc.conf.d/bemount
+    path: /etc/rc.conf.d/bemount
 
 - name: Install loader.conf
   copy:
@@ -107,7 +107,6 @@
     owner: root
     group: wheel
   loop:
-    - zfs
     - disk_labels
 
 - name: Configure sysctls
@@ -128,7 +127,7 @@
   blockinfile:
     path: "/etc/periodic.conf.local"
     marker: "# {mark} ANSIBLE MANAGED BLOCK log"
-    create: true
+    # create: true
     mode: 0644
     owner: root
     group: wheel
@@ -142,13 +141,13 @@
   blockinfile:
     path: "/etc/periodic.conf.local"
     marker: "# {mark} ANSIBLE MANAGED BLOCK zfs"
-    create: true
+    # create: true
     mode: 0644
     owner: root
     group: wheel
     block: |
       daily_scrub_zfs_enable="YES"
-      daily_scrub_zfs_default_threshold="14"
+      daily_scrub_zfs_default_threshold="7"
 
 # Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
 - name: Install loader.conf

ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash

@@ -153,7 +153,6 @@ function start_vm {
             -D \
             -c $CPU_CORES \
             -m $MEMORY \
-            -S \
             -H \
             -P \
             -o 'rtc.use_localtime=false' \
@@ -217,7 +216,7 @@ EOF
 mkpeer ${host_interface_name}: bridge ether link0
 name ${host_interface_name}:ether $bridge_name
 EOF
-        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
+        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" "$ip_range" up
     fi
 }
 

ansible/roles/bhyve/files/bhyverc.bash

@@ -1,478 +0,0 @@
-#!/usr/bin/env bash
-#
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-# Share a host directory to the guest via 9pfs.
-#
-# Inside the VM run:
-#   mount -t virtfs -o trans=virtio sharename /some/vm/path
-#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
-#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 bind9p /path/to/mountpoint
-# bhyve_options="-s 28,virtio-9p,sharename=/"
-
-# Enable Sound
-# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
-
-# Example usage:
-#
-#   doas bhyverc create-disk zdata/vm/poudriere /vm/poudriere 10
-#   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
-#   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere
-
-
-: ${VERBOSE:="NO"} # or YES
-if [ "$VERBOSE" = "YES" ]; then
-    set -x
-fi
-
-: ${CPU_CORES:="1"}
-: ${MEMORY:="1G"}
-: ${NETWORK:="NAT"} # or RAW or BOTH
-: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
-: ${INTERFACE_NAME:="jail_nat"} # or the external interface like lagg0 for RAW networks
-: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
-: ${VNC_ENABLE:="NO"}
-: ${VNC_LISTEN:="127.0.0.1:5900"}
-: ${VNC_WIDTH:="1920"}
-: ${VNC_HEIGHT:="1080"}
-: ${BIND9P:=""}
-: ${PREVENT_OOM:="NO"}
-: "${CD:=}"
-
-: ${SHUTDOWN_TIMEOUT:="600"} # 10 minutes
-
-
-
-############## Setup #########################
-
-
-function die {
-    local status_code="$1"
-    shift
-    (>&2 echo "${@}")
-    exit "$status_code"
-}
-
-function log {
-    (>&2 echo "${@}")
-}
-
-############## Program #########################
-
-function main {
-    local cmd
-    cmd=$1
-    shift
-    if [ "$cmd" = "start" ]; then
-        init
-        start "${@}"
-    elif [ "$cmd" = "stop" ]; then
-        init
-        stop "${@}"
-    elif [ "$cmd" = "status" ]; then
-        init
-        status "${@}"
-    elif [ "$cmd" = "console" ]; then
-        init
-        console "${@}"
-    elif [ "$cmd" = "_start_body" ]; then
-        init
-        start_body "${@}"
-    elif [ "$cmd" = "create-disk" ]; then
-        create_disk "${@}"
-    else
-        (>&2 echo "Unknown command: $cmd")
-        exit 1
-    fi
-}
-
-function start {
-    local num_vms="$#"
-    if [ "$num_vms" -eq 0 ]; then
-        log "No VMs specified."
-        return 0
-    fi
-
-    while [ "$#" -gt 0 ]; do
-        local name="$1"
-        shift 1
-        log "Starting VM $name."
-        start_one "$name"
-        [ "$#" -eq 0 ] || sleep 5
-    done
-}
-
-function start_one {
-    local name="$1"
-    local tmux_name="$name"
-    /usr/local/bin/tmux new-session -d -s "$tmux_name" "$0" "_start_body" "$name"
-    # /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=NO VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_opnsense.bash"
-}
-
-function launch_pidfile {
-    local pidfile="$1"
-    shift 1
-    mkdir -p "$(dirname "$pidfile")"
-    cat > "${pidfile}" <<< "$$"
-    set -x
-    exec "${@}"
-}
-export -f launch_pidfile
-
-function stop {
-    local num_vms="$#"
-    if [ "$num_vms" -eq 0 ]; then
-        log "No VMs specified."
-        return 0
-    fi
-
-    while [ "$#" -gt 0 ]; do
-        local name="$1"
-        shift 1
-        log "Stopping VM $name."
-        stop_one "$name"
-        [ "$#" -eq 0 ] || sleep 5
-    done
-}
-
-function stop_one {
-    local name="$1"
-    local pidfile="/run/bhyverc/${name}/pid"
-
-    if [ ! -e "$pidfile" ]; then
-        log "Pid file $pidfile does not exist."
-        return 0
-    fi
-
-    local bhyve_pid
-    bhyve_pid=$(cat "$pidfile")
-
-    if ps -p "$bhyve_pid" >/dev/null; then
-        # Send ACPI shutdown command
-        log "Sending ACPI shutdown to ${name}:${bhyve_pid}."
-        kill -SIGTERM "$bhyve_pid"
-    fi
-
-    local timeout_start timeout_end
-    timeout_start=$(date +%s)
-    while ps -p "$bhyve_pid" >/dev/null; do
-        timeout_end=$(date +%s)
-        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
-            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to shut down. Hard powering down."
-            break
-        fi
-
-        log "Waiting for ${name}:${bhyve_pid} to exit."
-        sleep 2
-    done
-
-    bhyvectl "--vm=$name" --destroy || true
-
-    local timeout_start timeout_end
-    timeout_start=$(date +%s)
-    while ps -p "$bhyve_pid" >/dev/null; do
-        timeout_end=$(date +%s)
-        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
-            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to hard power down. Giving up."
-            break
-        fi
-
-        log "Waiting for ${name}:${bhyve_pid} to hard power down."
-        sleep 2
-    done
-
-    rm -f "$pidfile"
-
-    log "Finished stopping $name."
-}
-
-function status {
-    local num_vms="$#"
-
-    if [ "$num_vms" -gt 0 ]; then
-        for name in "$@"; do
-            status_one "$name"
-        done
-    else
-        log "No VMs specified."
-    fi
-}
-
-function status_one {
-    local name="$1"
-    local pidfile="/run/bhyverc/${name}/pid"
-
-    if [ ! -e "$pidfile" ]; then
-        log "$name is not running."
-        return 0
-    fi
-
-    local bhyve_pid
-    bhyve_pid=$(cat "$pidfile")
-
-    if ! ps -p "$bhyve_pid" >/dev/null; then
-        log "$name is not running."
-        return 0
-    fi
-
-    log "$name is running as pid $bhyve_pid."
-}
-
-function console {
-    local num_vms="$#"
-
-    if [ "$num_vms" -gt 0 ]; then
-        for name in "$@"; do
-            log "Attaching to console of VM $name."
-            console_one "$name"
-        done
-    else
-        log "No VMs specified."
-    fi
-}
-
-function console_one {
-    local name="$1"
-    local tmux_name="$name"
-    exec tmux a -t "$tmux_name"
-}
-
-function init {
-    mkdir -p /run/bhyverc
-}
-
-############## Bhyve ###########################
-
-function create_disk {
-    local zfs_path="$1"
-    local mount_path="$2"
-    local gigabytes="$3"
-    zfs create -o "mountpoint=$mount_path" "$zfs_path"
-    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
-    tee "${mount_path}/settings" <<EOF
-CPU_CORES="$CPU_CORES"
-MEMORY="$MEMORY"
-NETWORK="$NETWORK"
-IP_RANGE="$IP_RANGE"
-BRIDGE_NAME="$BRIDGE_NAME"
-INTERFACE_NAME="$INTERFACE_NAME"
-EOF
-    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none "$zfs_path/disk0"
-}
-
-function start_body {
-    local name="$1"
-    local zfs_path="zdata/vm/$name"
-    local mount_path="/vm/$name"
-
-    if [ -e "${mount_path}/settings" ]; then
-        source "${mount_path}/settings"
-    fi
-
-    local mount_cd="$CD"
-
-    local host_interface_name="$INTERFACE_NAME" # for raw, external interface
-    local bridge_name="$BRIDGE_NAME"
-    local ip_range="$IP_RANGE" # for raw this value does not matter
-
-    local mac_address
-    mac_address=$(calculate_mac_address "$name")
-
-    if [ "$PREVENT_OOM" = "YES" ]; then
-        protect -d -i -p "$$"
-    fi
-
-    local entry parsed_item
-    local additional_args=()
-    local next_pcie_slot=10
-
-    if [ "$NETWORK" = "NAT" ]; then
-        assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
-        local bridge_link_name=$(detect_available_link "${bridge_name}")
-        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
-    elif [ "$NETWORK" = "RAW" ]; then
-        assert_raw "$host_interface_name" "$bridge_name"
-        local bridge_link_name=$(detect_available_link "${bridge_name}")
-        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
-    elif [ "$NETWORK" = "BOTH" ]; then
-        assert_bridge "jail_nat" "$bridge_name" "$ip_range"
-        assert_raw "$host_interface_name" "bridge_raw"
-        local bridge_link_name=$(detect_available_link "${bridge_name}")
-        local raw_bridge_link_name=$(detect_available_link "bridge_raw")
-        local raw_mac_address=$(calculate_mac_address "${name}_raw")
-        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
-        additional_args+=("-s" "3:0,virtio-net,netgraph,path=bridge_raw:,peerhook=${raw_bridge_link_name},mac=${raw_mac_address}")
-    else
-        die 1 "Unrecognized NETWORK type $NETWORK"
-    fi
-
-    if [ -n "$BIND9P" ]; then
-        if [[ "$BIND9P" = *":"* ]]; then
-            IFS=':' read -ra entry <<<"$BIND9P"
-            for item in "${entry[@]}"; do
-                IFS='=' read -ra parsed_item <<<"$item"
-                additional_args+=("-s" "${next_pcie_slot},virtio-9p,${parsed_item[0]}=${parsed_item[1]}")
-                next_pcie_slot=$((next_pcie_slot+1))
-            done
-        else
-            additional_args+=("-s" "${next_pcie_slot},virtio-9p,bind9p=${BIND9P}")
-            next_pcie_slot=$((next_pcie_slot+1))
-        fi
-    fi
-
-
-    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
-         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
-             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
-            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
-
-    # TODO: Look into using nmdm instead of stdio for serial console
-    if [ -n "$mount_cd" ]; then
-        additional_args+=("-s" "5,ahci-cd,$mount_cd")
-    fi
-    if [ "$VNC_ENABLE" = "YES" ]; then
-        additional_args+=("-s" "${next_pcie_slot},fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
-        next_pcie_slot=$((next_pcie_slot+1))
-    fi
-    vms+=("$name")
-    while true; do
-        local pidfile="/run/bhyverc/${name}/pid"
-        trap "set +e; stop_one '${name}'" EXIT
-
-        local launch_cmd=()
-        launch_cmd+=(
-            launch_pidfile "$pidfile"
-            bhyve
-            -D
-            -c "$CPU_CORES"
-            -m "$MEMORY"
-            -S
-            -H
-            -o 'rtc.use_localtime=false'
-            -s "0,hostbridge"
-            -s "4,nvme,/dev/zvol/${zfs_path}/disk0"
-            -s "${next_pcie_slot},xhci,tablet"
-            -s "$((next_pcie_slot+1)),lpc" -l "com1,stdio"
-            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd"
-            "${additional_args[@]}"
-            "$name"
-        )
-        set +e
-        rm -f "$pidfile"
-        (
-            IFS=$' \n\t'
-            set -ex
-            bash -c "${launch_cmd[*]}"
-        )
-        local exit_code=$?
-        log "Exit code ${exit_code}"
-        set -e
-        if [ $exit_code -eq 0 ]; then
-            echo "Rebooting."
-            sleep 5
-        elif [ $exit_code -eq 1 ]; then
-            echo "Powered off."
-            break
-        elif [ $exit_code -eq 2 ]; then
-            echo "Halted."
-            break
-        elif [ $exit_code -eq 3 ]; then
-            echo "Triple fault."
-            break
-        elif [ $exit_code -eq 4 ]; then
-            echo "Exited due to an error."
-            break
-        fi
-    done
-}
-
-function detect_available_link {
-    local bridge_name="$1"
-    local linknum=1
-    while true; do
-        local link_name="link${linknum}"
-        if ! ng_exists "${bridge_name}:${link_name}"; then
-            echo "$link_name"
-            return
-        fi
-        linknum=$((linknum + 1))
-        if [ "$linknum" -gt 90 ]; then
-            (>&2 echo "No available links on bridge $bridge_name")
-            exit 1
-        fi
-    done
-}
-
-function assert_bridge {
-    local host_interface_name="$1"
-    local bridge_name="$2"
-    local ip_range="$3"
-
-    if ! ng_exists "${bridge_name}:"; then
-        ngctl -d -f - <<EOF
-mkpeer . eiface hook ether
-name .:hook $host_interface_name
-EOF
-        ngctl -d -f - <<EOF
-mkpeer ${host_interface_name}: bridge ether link0
-name ${host_interface_name}:ether $bridge_name
-EOF
-        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
-    fi
-}
-
-function assert_raw {
-    local extif="$1"
-    local bridge_name="$2"
-
-    kldload -n ng_bridge ng_eiface ng_ether
-
-    if ! ng_exists "${bridge_name}:"; then
-        ngctlcat <<EOF
-# Create a bridge.
-mkpeer $extif: bridge lower link0
-# Assign a name to the bridge.
-name $extif:lower ${bridge_name}
-# Since the host is also using $extif, we need to connect the upper hook also. Otherwise we will lose connectivity.
-connect $extif: ${bridge_name}: upper link1
-
-# Enable promiscuous mode so the host ethernet adapter accepts packets for all addresses
-msg $extif: setpromisc 1
-
-# Do not overwrite source address on packets
-msg $extif: setautosrc 0
-EOF
-    fi
-}
-
-function ng_exists {
-    ngctl status "${1}" >/dev/null 2>&1
-}
-
-function calculate_mac_address {
-    local name="$1"
-    local source
-    source=$(md5 -r -s "$name" | awk '{print $1}')
-    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
-}
-
-function find_available_port {
-    local start_port="$1"
-    local port="$start_port"
-    while true; do
-        sockstat -P tcp -p 443
-        port=$((port + 1))
-    done
-}
-
-function ngctlcat {
-    if [ "$VERBOSE" = "YES" ]; then
-        tee /dev/tty | ngctl -d -f -
-    else
-        ngctl -d -f -
-    fi
-}
-
-main "${@}"

ansible/roles/bhyve/files/bhyverc.sh

@@ -1,37 +0,0 @@
-#!/bin/sh
-#
-# REQUIRE: LOGIN FILESYSTEMS
-# PROVIDE: bhyverc
-# KEYWORD: shutdown
-
-. /etc/rc.subr
-name=bhyverc
-rcvar=${name}_enable
-start_cmd="${name}_start"
-stop_cmd="${name}_stop"
-status_cmd="${name}_status"
-console_cmd="${name}_console"
-extra_commands="console"
-load_rc_config $name
-
-bhyverc_start() {
-    export PATH="$PATH:/usr/local/bin"
-    exec /usr/local/bin/bhyverc start "${@}"
-}
-
-bhyverc_status() {
-    export PATH="$PATH:/usr/local/bin"
-    exec /usr/local/bin/bhyverc status "${@}"
-}
-
-bhyverc_stop() {
-    export PATH="$PATH:/usr/local/bin"
-    exec /usr/local/bin/bhyverc stop "${@}"
-}
-
-bhyverc_console() {
-    export PATH="$PATH:/usr/local/bin"
-    exec /usr/local/bin/bhyverc console "${@}"
-}
-
-run_rc_command "$@"

ansible/roles/bhyve/tasks/freebsd.yaml

@@ -22,25 +22,6 @@
   loop:
     - src: bhyve_netgraph_bridge.bash
       dest: /usr/local/bin/bhyve_netgraph_bridge
-    - src: bhyverc.bash
-      dest: /usr/local/bin/bhyverc
-
-- name: Install rc script
-  copy:
-    src: "files/{{ item.src }}"
-    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
-    owner: root
-    group: wheel
-    mode: 0755
-  loop:
-    - src: bhyverc.sh
-      dest: bhyverc
-
-- name: Enable bhyverc
-  community.general.sysrc:
-    name: bhyverc_enable
-    value: "YES"
-    path: /etc/rc.conf.d/bhyverc
 
 - name: Create zfs dataset
   zfs:

ansible/roles/build/files/aurutils-sync

@@ -5,4 +5,4 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-GPGKEY=4278299FB84F6875 exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@"
+GPGKEY=27DE40D9B8455C1B exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@"

ansible/roles/build/files/gpg.asc

@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
-Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+0H+RsWG0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
-0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+uEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w+R0CGwMFCwkIBwIGFQoJCAsCBBYCAwEC
-HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
+HgECF4AACgkQJ95A2bhFXBt6fgD+NOYnw9gz5K/q3H5LE/JvqzCSHezJmeGgif0C
-/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
+uU4m1/MA+gPDKME7syEtJsTpELEMrxWWpDW0tD/W1iJE7roGYPQPtB1Ub20gQWxl
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
+eGFuZGVyIDx0b21AZml6ei5idXp6PoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A
-AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
+2bhFXBsFAl2cFhoCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQJ95A2bhF
-n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
+XBvYJQEA19wc2s/bEKcnHONC3i8UikLFqZXyYoH6/MFjoAteU8sBAKpE7Qq0zbJb
-8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
+XWRESzK3u6p7/+kUqOeDltAuKXTe1FAGuDMEXZwWyhYJKwYBBAHaRw8BAQdAPyIL
-HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
+4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI9QQYFggAJgIbAhYhBLhIFZNj
-fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
+wod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2IAQZFggAHRYhBIHmRDmWdVAu
-AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
+sSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7ejJ4A/iq7N2mMhx+ovOXm1REo
-gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
+ASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZLuka/KVB/etkkJvDzvaTtiQQ
-mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
+QG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/EZ3/d8wxfA9E3Fb/1mt4c2Zr
-nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
+NnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/duA4lwsLuDMEXZwXARYJKwYB
-KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
+BAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+UiQb8x0k1z2DmTKIfgQYFggA
-B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
+JgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdZgAAoJECfeQNm4
-CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
+RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SBPG4VvrCzXrmlAP46wUjIRpkM
-/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
+rTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2cFygSCisGAQQBl1UBBQEBB0AO
-Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
+0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWIEgMBCAeIfgQYFggAJgIbDBYh
-BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
+BLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdY5AAoJECfeQNm4RVwbXscA
-rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
+/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcWd5t8APwIwcuFVZZA3yayhIxi
-7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
+3aqYpMRxpn2t6Nswax1MIM8DBQ==
-=OfDR
+=dzEV
 -----END PGP PUBLIC KEY BLOCK-----

ansible/roles/build/files/gpg_work.asc

@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
-Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+0H+RsWG0LVRob21hcyBBbGV4YW5kZXIgPFRob21hc0EuQWxleGFuZGVyQGhtaG4u
-0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+b3JnPoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAmULicsCGwMFCwkI
-HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQJ95A2bhFXBsUtQD9GWPdWc/nSmO0Gp7p
-/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
+DzxrieliriAnO+ZCHp31mFbMtToBAPxPYN9y4kgSiXhLiFLoRK5k5FCspksTSitg
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
+0CbXDE4LuDgEXZwWGhIKKwYBBAGXVQEFAQEHQK202EIAwTBuxARUygOvn+AloMJd
-AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
+ui39m+nMghn1MNo+AwEIB4h4BBgWCAAgFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsF
-n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
+Al2cFhoCGwwACgkQJ95A2bhFXBtNzAEAq5I6xPjIbb23xmhxh5cM/UJxdGedfWMy
-8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
+vF6/JtDvtPUBAPQRQn5AMwTOA+CSnliYf7ZjfVOlHscy60XWPlvXLoAJuDMEXZwW
-HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
+yhYJKwYBBAHaRw8BAQdAPyIL4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI
-fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
+9QQYFggAJgIbAhYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2
-AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
+IAQZFggAHRYhBIHmRDmWdVAusSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7e
-gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
+jJ4A/iq7N2mMhx+ovOXm1REoASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZ
-mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
+Luka/KVB/etkkJvDzvaTtiQQQG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/
-nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
+EZ3/d8wxfA9E3Fb/1mt4c2ZrNnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/
-KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
+duA4lwsLuDMEXZwXARYJKwYBBAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+
-B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
+UiQb8x0k1z2DmTKIfgQYFggAJgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJl
-CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
+C4ZwBQkLMdZgAAoJECfeQNm4RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SB
-/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
+PG4VvrCzXrmlAP46wUjIRpkMrTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2c
-Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
+FygSCisGAQQBl1UBBQEBB0AO0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWI
-BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
+EgMBCAeIfgQYFggAJgIbDBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkL
-rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
+MdY5AAoJECfeQNm4RVwbXscA/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcW
-7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
+d5t8APwIwcuFVZZA3yayhIxi3aqYpMRxpn2t6Nswax1MIM8DBQ==
-=OfDR
+=0HtE
 -----END PGP PUBLIC KEY BLOCK-----

ansible/roles/build/tasks/linux.yaml

@@ -40,11 +40,11 @@
   command: pacman-key -a -
   args:
     stdin: "{{ lookup('file', pgp_key|default('gpg.asc')) }}"
-  when: '"D272C8D6167F26859467666F4278299FB84F6875" not in pacmankeys.stdout'
+  when: '"B848159363C2877917954BE127DE40D9B8455C1B" not in pacmankeys.stdout'
   register: my_key_imported
 
 - name: Sign my signing key
-  command: pacman-key --lsign-key "D272C8D6167F26859467666F4278299FB84F6875"
+  command: pacman-key --lsign-key "B848159363C2877917954BE127DE40D9B8455C1B"
   when: my_key_imported.changed
 
 - name: Build the aurutils package
@@ -103,8 +103,7 @@
     - /var/cache/pacman/custom/
 
 - name: Create custom repo db
-  # shell: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*"
+  command: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*"
-  command: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar
   become: true
   become_user: "{{ build_user.name }}"
   args:

ansible/roles/chromium/files/chromium-flags.conf

@@ -1,2 +1,2 @@
 --ozone-platform-hint=auto
---enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder
+--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE

ansible/roles/cpu/files/aesni_loader.conf

@@ -0,0 +1 @@
+aesni_load="YES"

ansible/roles/cpu/files/amd_microcode_rc.conf

@@ -1 +0,0 @@
-microcode_update_enable="YES"

ansible/roles/cpu/files/cryptodev_loader.conf

@@ -1 +0,0 @@
-cryptodev_load="YES"

ansible/roles/cpu/tasks/freebsd_amd.yaml

@@ -1,9 +1,3 @@
-- name: Install packages
-  package:
-    name:
-      - cpu-microcode-amd
-    state: present
-
 - name: Install loader.conf
   copy:
     src: "files/{{ item }}_loader.conf"
@@ -23,7 +17,16 @@
     group: wheel
   loop:
     - power_profile
-    - amd_microcode
+
+- name: Install loader.conf
+  copy:
+    src: "files/{{ item }}_loader.conf"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - aesni
 
 - name: Install loader.conf
   when: hwpstate is defined and hwpstate
@@ -35,4 +38,3 @@
     group: wheel
   loop:
     - per_core_hwpstate
-    - cryptodev

ansible/roles/cpu/tasks/freebsd_intel.yaml

@@ -16,6 +16,7 @@
   loop:
     - coretemp
     - cpuctl
+    - aesni
     - intel_microcode
 
 - name: Install service configuration
@@ -78,4 +79,3 @@
     group: wheel
   loop:
     - per_core_hwpstate
-    - cryptodev

ansible/roles/dummynet/files/dnctl.conf

@@ -0,0 +1,2 @@
+pipe 1 config bw 100KByte/s
+pipe 2 config

ansible/roles/dummynet/files/dummynet

@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+#
+
+# PROVIDE: dummynet
+# BEFORE: pf ipfw
+# KEYWORD: nojailvnet
+
+. /etc/rc.subr
+
+name="dummynet"
+desc="Dummynet packet queuing and scheduling"
+rcvar="${name}_enable"
+load_rc_config $name
+start_cmd="${name}_start"
+required_files="$dummynet_rules"
+required_modules="dummynet"
+
+dummynet_start()
+{
+	startmsg -n "Enabling ${name}"
+        cat "$dnctl_rules" | while read l; do
+          dnctl $l
+        done
+	startmsg '.'
+}
+
+run_rc_command $*

ansible/roles/dummynet/files/dummynet_rc.conf

@@ -0,0 +1,2 @@
+dummynet_enable="YES"
+dummynet_rules="/etc/dnctl.conf"

ansible/roles/dummynet/tasks/freebsd.yaml

@@ -0,0 +1,30 @@
+- name: Install Configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: "{{ dummynet_config }}"
+      dest: /etc/dnctl.conf
+
+- name: Install rc script
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: dummynet
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - dummynet

ansible/roles/dummynet/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: (dummynet_config is defined and os_flavor == "freebsd") or (os_flavor == "linux")

ansible/roles/emacs/files/elisp/base-extensions.el

@@ -51,27 +51,17 @@
 ;; Persist history over Emacs restarts. Vertico sorts by history position.
 (use-package savehist
   ;; This is an emacs built-in but we're pulling the latest version
-  :pin gnu
   :config
   (savehist-mode))
 
 (use-package which-key
-  :pin gnu
   :diminish
   :config
   (which-key-mode))
 
 (use-package windmove
-  ;; This is an emacs built-in but we're pulling the latest version
+  :config
-  :pin gnu
+  (windmove-default-keybindings))
-  :bind
-  (
-   ("S-<up>" . windmove-up)
-   ("S-<right>" . windmove-right)
-   ("S-<down>" . windmove-down)
-   ("S-<left>" . windmove-left)
-   )
-  )
 
 (setq tramp-default-method "ssh")
 

ansible/roles/emacs/files/elisp/base.el

@@ -63,9 +63,6 @@
  show-trailing-whitespace t
  ;; Remove the line when killing it with ctrl-k
  kill-whole-line t
-
- ;; Show the current project in the mode line
- project-mode-line t
  )
 
 ;; (setq-default fringes-outside-margins t)

ansible/roles/emacs/files/elisp/lang-d2.el

@@ -1,16 +0,0 @@
-(defun d2-format-buffer ()
-  "Run prettier."
-  (interactive)
-  (run-command-on-buffer "d2" "fmt" "-")
-  )
-
-(use-package d2-mode
-  :commands (d2-mode)
-  :hook (
-         (d2-mode . (lambda ()
-                      ;; (add-hook 'before-save-hook 'd2-format-buffer nil 'local)
-                      ))
-         )
-  )
-
-(provide 'lang-d2)

ansible/roles/emacs/files/elisp/lang-nix.el

@@ -7,14 +7,14 @@
   :commands nix-mode
   :hook (
          (nix-mode . (lambda ()
-                       (eglot-ensure)
+                             ;; (eglot-ensure)
-                       (defclass my/eglot-nix (eglot-lsp-server) ()
+                             ;; (defclass my/eglot-nix (eglot-lsp-server) ()
-                         :documentation
+                             ;;   :documentation
-                         "Own eglot server class.")
+                             ;;   "Own eglot server class.")
 
-                       (add-to-list 'eglot-server-programs
+                             ;; (add-to-list 'eglot-server-programs
-                                    '(nix-mode . (my/eglot-nix "nixd")))
+                             ;;              '(nix-mode . (my/eglot-nix "nixd")))
-                       (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                             ;; (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
                              ))
          )
   )

ansible/roles/emacs/files/elisp/lang-org.el

@@ -1,23 +1,16 @@
 (use-package org
   :ensure nil
   :commands org-mode
-  :bind (:map org-mode-map
+  :bind (
          ("C-c l" . org-store-link)
          ("C-c a" . org-agenda)
-         ("S-<up>" . org-shiftup)
+         ("C--" . org-timestamp-down)
-         ("S-<right>" . org-shiftright)
+         ("C-=" . org-timestamp-up)
-         ("S-<down>" . org-shiftdown)
-         ("S-<left>" . org-shiftleft)
          )
   :hook (
          (org-mode . (lambda ()
                        (org-indent-mode +1)
                         ))
-         ;; Make windmove work in Org mode:
-         (org-shiftup-final . windmove-up)
-         (org-shiftleft-final . windmove-left)
-         (org-shiftdown-final . windmove-down)
-         (org-shiftright-final . windmove-right)
          )
   :config
   (require 'org-tempo)
@@ -45,8 +38,6 @@
 
   ;; TODO: There is an option to set the compiler, could be better than manually doing this here https://orgmode.org/manual/LaTeX_002fPDF-export-commands.html
   ;; (setq org-latex-compiler "lualatex")
-  ;; TODO: nixos latex page recommends this line, figure out what it does / why its needed:
-  ;; (setq org-preview-latex-default-process 'dvisvgm)
   (setq org-latex-pdf-process
         '("lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
           "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
@@ -87,8 +78,4 @@
 (use-package gnuplot)
 (use-package graphviz-dot-mode)
 
-(use-package htmlize
-  ;; For syntax highlighting when exporting to HTML.
-  )
-
 (provide 'lang-org)

ansible/roles/emacs/files/elisp/util-tree-sitter.el

@@ -4,8 +4,6 @@
   :commands (treesit-install-language-grammar treesit-ready-p)
   :init
   (setq treesit-language-source-alist '())
-  :custom
-  (treesit-max-buffer-size 209715200) ;; 200MiB
   :config
   ;; Default to the max level of detail in treesitter highlighting. This
   ;; can be overridden in each language's use-package call with:

ansible/roles/emacs/files/init.el

@@ -38,8 +38,4 @@
 
 (require 'lang-nix)
 
-(require 'lang-cmake)
-
-(require 'lang-d2)
-
 (load-directory autoload-directory)

ansible/roles/emacs/tasks/linux.yaml

@@ -15,7 +15,6 @@
       - typescript-language-server
       - shellcheck
       - vscode-css-languageserver
-      - d2 # Generating diagrams
     state: present
 
 - name: Create directories

ansible/roles/firefox/defaults/main.yaml

@@ -7,6 +7,7 @@ firefox_config:
   dom.security.https_only_mode_ever_enabled: true
   extensions.activeThemeID: "firefox-compact-dark@mozilla.org"
   # Disable ads
+  extensions.pocket.enabled: false
   browser.newtabpage.activity-stream.showSponsored: false
   browser.newtabpage.activity-stream.showSponsoredTopSites: false
   browser.newtabpage.activity-stream.feeds.section.topstories: false
@@ -20,6 +21,8 @@ firefox_config:
   privacy.globalprivacycontrol.enabled: true
   # Disable "studies" (slice testing)
   app.shield.optoutstudies.enabled: false
+  # Disable attribution which is used by advertisers to track you.
+  dom.private-attribution.submission.enabled: false
   # Disable battery status, used to track users.
   dom.battery.enabled: false
   # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
@@ -37,8 +40,6 @@ firefox_config:
   privacy.fingerprintingProtection: true
   # Allow sending dark mode preference to websites.
   # Allow sending timezone to websites.
-  privacy.fingerprintingProtection.overrides: "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt,-CanvasExtractionFromThirdPartiesIsBlocked"
+  privacy.fingerprintingProtection.overrides: "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked"
   # Disable weather on new tab page
   browser.newtabpage.activity-stream.showWeather: false
-  browser.ml.chat.enabled: false
-  browser.ml.enabled: false

ansible/roles/firefox/tasks/linux.yaml

@@ -3,5 +3,4 @@
     name:
       - libfido2
       - firefox-developer-edition
-      - speech-dispatcher # For TTS
     state: present

ansible/roles/firewall/files/homeserver_pf.conf

@@ -1,20 +1,9 @@
-# TODO: ipv6 RFC 6296 - Network Prefix Translation?
+ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }"
-# match out on $ext_if inet6 from fd00:db8::/48 binat-to 2001:db8::/48
+not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }"
-# TODO: Maybe ipv6 icmp rules from https://oneuptime.com/blog/post/2026-03-20-configure-ipv6-firewall-pf-freebsd/view
+jail_nat_v4 = "{ 10.215.1.0/24 }"
-
+not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
-#
+restricted_nat_v4 = "{ 10.215.2.0/24 }"
-# restricted_nat 10.215.2.1/24
+not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }"
-# jail_nat 10.215.1.1/24
-#
-
-#
-# External connections -> 172.16.16.32:8081
-# rdr to bastion 10.215.1.217
-# snat to bridge?
-#
-
-ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
-not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
 rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
 
 dhcp = "{ bootpc, bootps }"
@@ -22,29 +11,69 @@ allow = "{ wgh wgf }"
 
 tcp_pass_in = "{ 22 }"
 udp_pass_in = "{ 53 51820 }"
+unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
 
 # Rules must be in order: options, normalization, queueing, translation, filtering
 
 # options
 set skip on lo
 
-# normalization
-
 # queueing
+# altq on linfi_host cbq queue { def, stuff }
+# queue def cbq(default borrow)
+# queue stuff bandwidth	8Mb cbq { dagger }
+# queue dagger cbq(borrow)
 
-# translation
+# redirections
-nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> (wlan0)
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
-nat pass on restricted_nat proto {tcp, udp} tagged NATRESTRICTED -> (restricted_nat)
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
-nat pass on jail_nat proto {tcp, udp} tagged NATJAIL -> (jail_nat)
 
-# external -> bastion
+# cloak
-rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8081 tag NATJAIL -> 10.215.1.217 port 443
+nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host)
-# external -> sftp
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
-rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8022 tag NATJAIL -> 10.215.1.216 port 22
+
+# bastion
+rdr pass on $ext_if inet proto {tcp, udp} from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443
+nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.217 port 443 -> 10.215.1.1
+nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 port 8081 -> 10.215.2.1
+
+
+# cloak -> olddagger
+rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
+nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
+
+# cloak -> dagger old
+rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8083 -> 10.215.2.2 port 8083
+nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8083 -> 10.215.2.1
+
+# -> sftp
+# TODO: Limit bandwidth for sftp
+rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
+nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
+
+# Forward ports for unifi controller
+# rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22
+rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
+
+# -> momlaptop
+rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8033 -> 10.215.1.218 port 443
+nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.218 port 443 -> 10.215.1.1
 
 # filtering
+# match in on jail_nat from any to any dnpipe(1, 2)
+# match in on restricted_nat from any to any dnpipe(1, 2)
+
 block log all
-pass out on $ext_if from (wlan0)
+pass out on $ext_if
+
+pass in on jail_nat
+# Allow traffic from my machine to the jails/virtual machines
+pass out on jail_nat from $jail_nat_v4
+pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports
+pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081
+
+# TODO: limit bandwidth for dagger here
+pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }
 
 # We pass on the interfaces listed in allow rather than skipping on
 # them because changes to pass rules will update when running a
@@ -56,11 +85,5 @@ pass quick on $allow
 pass on $ext_if proto icmp all
 pass on $ext_if proto icmp6 all
 
-pass in on $ext_if proto tcp to (wlan0) port $tcp_pass_in
+pass in on $ext_if proto tcp to any port $tcp_pass_in
-pass in on $ext_if proto udp to (wlan0) port $udp_pass_in
+pass in on $ext_if proto udp to any port $udp_pass_in
-
-
-# Allow DNS and wireguard from cloak
-pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT
-# bastion -> cloak
-pass in on jail_nat proto {udp, tcp} from 10.215.1.217 to 10.215.2.2 port 8081 tag NATRESTRICTED

ansible/roles/firewall/files/mrmanager_pf.conf

@@ -2,8 +2,7 @@ ext_if = "lagg0"
 not_ext_if = "{ !lagg0 }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
-# pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
+pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
-pub_k8s = "{ 74.80.180.137, 74.80.180.139, 74.80.180.140, 74.80.180.141, 74.80.180.142, 2620:11f:7001:7:ffff:dddd::/112 }"
 
 dhcp = "{ bootpc, bootps }"
 allow = "{ colo }"
@@ -35,24 +34,19 @@ scrub in on $ext_if all fragment reassemble
 # redirections
 nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
 rdr pass on jail_nat proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
-rdr pass on jail_nat proto {tcp, udp} from any to 2620:11f:7001:7:ffff:ffff:0ad7:0101 port 53 tag REDIREXTERNAL -> 2606:4700:4700::1111 port 53
 
-rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
+rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 -> 10.215.1.204 port 6443
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
 
-rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
+rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 -> 10.215.1.204 port 19993
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
 
-rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 -> 10.215.1.210 port 22
 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22
 
-# log (to pflog1)
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 -> 10.215.1.211 port 53
-rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
 
-rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65122 tag REDIRINTERNAL -> 10.215.1.219 port 22
-rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65122 tag REDIRINTERNAL -> 10.215.1.219 port 22
-
 nat pass tagged REDIRINTERNAL -> (jail_nat)
 nat pass tagged REDIREXTERNAL -> ($ext_if)
 
@@ -70,10 +64,6 @@ pass quick on $allow
 # Single interface kubernetes cluster is working with the following run on mrmanager:
 #   doas route add -host 74.80.180.139 -interface jail_nat
 #   doas route add -net 10.129.0.0/16 -interface jail_nat
-#   doas route -6 add -net '2620:11f:7001:7:ffff:ffff:0ad7:0100/120' -interface jail_nat
-#   doas route -6 add -net '2620:11f:7001:7:ffff:eeee::/96' -interface jail_nat
-#   doas route -6 add -net '2620:11f:7001:7:ffff:dddd::/112' -interface jail_nat
-#   doas ifconfig jail_nat inet6 2620:11f:7001:7:ffff:ffff:0ad7:0101/120
 #   doas sysctl net.link.ether.inet.proxyall=1
 # Plus this in pf.conf:
 #   pass quick from any to 74.80.180.139
@@ -83,10 +73,6 @@ pass in on jail_nat
 # Allow traffic from my machine to the jails/virtual machines
 pass out on jail_nat from (jail_nat:network)
 
-#pass quick in on $ext_if proto {tcp6, udp6} from any to 2620:11f:7001:7:ffff:ffff:0ad7:0100/120
-pass in quick on $ext_if from any to 2620:11f:7001:7:ffff:ffff:0ad7:0100/120
-pass out quick on jail_nat to 2620:11f:7001:7:ffff:ffff:0ad7:0100/120
-
 
 pass in on $ext_if proto tcp to any port $tcp_pass_in
 pass in on $ext_if proto udp to any port $udp_pass_in

ansible/roles/firewall/meta/main.yaml

@@ -0,0 +1,2 @@
+dependencies:
+  - dummynet

ansible/roles/framework_laptop/files/screen_brightness_tmpfiles.conf

@@ -1,2 +1,2 @@
 # Set screen brightness. Ever since enabling adaptive brightness management, my brightness ends up sinking lower on re-boots (I suspect it is saving the actual brightness rather than the set brightness). This forces the brightness back to the level I prefer.
-w- /sys/class/backlight/amdgpu_bl0/brightness - - - - 21845
+w- /sys/class/backlight/amdgpu_bl0/brightness - - - - 85

ansible/roles/framework_laptop/tasks/linux.yaml

@@ -34,7 +34,7 @@
 
 - name: Configure kernel command line
   zfs:
-    name: "zroot/linux/archwork/be"
+    name: "zroot/linux"
     state: present
     extra_zfs_properties:
       # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
@@ -44,7 +44,7 @@
       # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
       # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
       # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
-      "org.zfsbootmenu:commandline": "rw quiet amdgpu.abmlevel=2 pcie_aspm=force pcie_aspm.policy=powersupersave nowatchdog amdgpu.dcdebugmask=0x10"
+      "org.zfsbootmenu:commandline": "rw quiet amdgpu.abmlevel=3 pcie_aspm=force pcie_aspm.policy=powersupersave nowatchdog amdgpu.dcdebugmask=0x10"
 
 - name: Install Configuration
   copy:

ansible/roles/gpg/files/gpg.asc

@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
-Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+0H+RsWG0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
-0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+uEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w+R0CGwMFCwkIBwIGFQoJCAsCBBYCAwEC
-HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
+HgECF4AACgkQJ95A2bhFXBt6fgD+NOYnw9gz5K/q3H5LE/JvqzCSHezJmeGgif0C
-/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
+uU4m1/MA+gPDKME7syEtJsTpELEMrxWWpDW0tD/W1iJE7roGYPQPtB1Ub20gQWxl
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
+eGFuZGVyIDx0b21AZml6ei5idXp6PoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A
-AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
+2bhFXBsFAl2cFhoCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQJ95A2bhF
-n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
+XBvYJQEA19wc2s/bEKcnHONC3i8UikLFqZXyYoH6/MFjoAteU8sBAKpE7Qq0zbJb
-8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
+XWRESzK3u6p7/+kUqOeDltAuKXTe1FAGuDMEXZwWyhYJKwYBBAHaRw8BAQdAPyIL
-HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
+4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI9QQYFggAJgIbAhYhBLhIFZNj
-fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
+wod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2IAQZFggAHRYhBIHmRDmWdVAu
-AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
+sSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7ejJ4A/iq7N2mMhx+ovOXm1REo
-gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
+ASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZLuka/KVB/etkkJvDzvaTtiQQ
-mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
+QG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/EZ3/d8wxfA9E3Fb/1mt4c2Zr
-nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
+NnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/duA4lwsLuDMEXZwXARYJKwYB
-KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
+BAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+UiQb8x0k1z2DmTKIfgQYFggA
-B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
+JgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdZgAAoJECfeQNm4
-CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
+RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SBPG4VvrCzXrmlAP46wUjIRpkM
-/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
+rTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2cFygSCisGAQQBl1UBBQEBB0AO
-Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
+0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWIEgMBCAeIfgQYFggAJgIbDBYh
-BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
+BLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdY5AAoJECfeQNm4RVwbXscA
-rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
+/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcWd5t8APwIwcuFVZZA3yayhIxi
-7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
+3aqYpMRxpn2t6Nswax1MIM8DBQ==
-=OfDR
+=dzEV
 -----END PGP PUBLIC KEY BLOCK-----

ansible/roles/gpg/files/gpg_work.asc

@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
-Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+0H+RsWG0LVRob21hcyBBbGV4YW5kZXIgPFRob21hc0EuQWxleGFuZGVyQGhtaG4u
-0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+b3JnPoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAmULicsCGwMFCwkI
-HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQJ95A2bhFXBsUtQD9GWPdWc/nSmO0Gp7p
-/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
+DzxrieliriAnO+ZCHp31mFbMtToBAPxPYN9y4kgSiXhLiFLoRK5k5FCspksTSitg
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
+0CbXDE4LuDgEXZwWGhIKKwYBBAGXVQEFAQEHQK202EIAwTBuxARUygOvn+AloMJd
-AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
+ui39m+nMghn1MNo+AwEIB4h4BBgWCAAgFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsF
-n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
+Al2cFhoCGwwACgkQJ95A2bhFXBtNzAEAq5I6xPjIbb23xmhxh5cM/UJxdGedfWMy
-8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
+vF6/JtDvtPUBAPQRQn5AMwTOA+CSnliYf7ZjfVOlHscy60XWPlvXLoAJuDMEXZwW
-HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
+yhYJKwYBBAHaRw8BAQdAPyIL4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI
-fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
+9QQYFggAJgIbAhYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2
-AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
+IAQZFggAHRYhBIHmRDmWdVAusSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7e
-gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
+jJ4A/iq7N2mMhx+ovOXm1REoASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZ
-mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
+Luka/KVB/etkkJvDzvaTtiQQQG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/
-nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
+EZ3/d8wxfA9E3Fb/1mt4c2ZrNnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/
-KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
+duA4lwsLuDMEXZwXARYJKwYBBAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+
-B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
+UiQb8x0k1z2DmTKIfgQYFggAJgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJl
-CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
+C4ZwBQkLMdZgAAoJECfeQNm4RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SB
-/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
+PG4VvrCzXrmlAP46wUjIRpkMrTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2c
-Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
+FygSCisGAQQBl1UBBQEBB0AO0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWI
-BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
+EgMBCAeIfgQYFggAJgIbDBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkL
-rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
+MdY5AAoJECfeQNm4RVwbXscA/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcW
-7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
+d5t8APwIwcuFVZZA3yayhIxi3aqYpMRxpn2t6Nswax1MIM8DBQ==
-=OfDR
+=0HtE
 -----END PGP PUBLIC KEY BLOCK-----

ansible/roles/gpg/tasks/freebsd.yaml

@@ -3,7 +3,7 @@
     name:
       - gnupg
       - pcsc-tools
-      # - ccid
+      - ccid
       #      - linux_libusb
       - pinentry
     state: present

ansible/roles/homeserver/files/decrypt_disks.bash

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+# Decrypt and mount the disks after a fresh reboot.
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+zfs load-key -r zmass/encrypted
+zfs mount -a
+service bemount start

ansible/roles/homeserver/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/homeserver/tasks/freebsd.yaml

@@ -0,0 +1,10 @@
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: decrypt_disks.bash
+      dest: /usr/local/bin/decrypt_disks

ansible/roles/homeserver/tasks/linux.yaml

@@ -0,0 +1,29 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
+
+# - name: Enable services
+#   systemd:
+#     enabled: yes
+#     name: "{{ item }}"
+#     daemon_reload: yes
+#   loop:
+#     - foo.service

ansible/roles/homeserver/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/hosts/defaults/main.yaml

@@ -1,5 +1,5 @@
 etc_hosts:
-  10.216.1.32:
+  10.216.1.1:
     - homeserver
   10.216.1.6:
     - media

ansible/roles/jail/files/jails/dagger.conf

@@ -1,7 +1,5 @@
 dagger {
     path = "/jail/${name}";
-    allow.chflags = 1;
-
     vnet;
     vnet.interface += "dagger";
 

ansible/roles/jail/files/jails/momlaptop.conf

@@ -0,0 +1,15 @@
+momlaptop {
+    path = "/jail/${name}";
+    vnet;
+    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
+    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+    vnet.interface += "jail${name}";
+
+    devfs_ruleset = 14;
+    mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";
+
+    exec.start += "/bin/sh /etc/rc";
+    exec.stop = "/bin/sh /etc/rc.shutdown jail";
+    exec.consolelog = "/var/log/jail_${name}_console.log";
+}

ansible/roles/jail/files/jails/olddagger.conf

@@ -0,0 +1,14 @@
+olddagger {
+    path = "/jail/${name}";
+    vnet;
+    vnet.interface += "olddagger";
+
+    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
+    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
+
+    mount.fstab = "/etc/fstab.${name}";
+
+    exec.start += "/bin/sh /etc/rc";
+    exec.stop = "/bin/sh /etc/rc.shutdown jail";
+    exec.consolelog = "/var/log/jail_${name}_console.log";
+}

ansible/roles/jail/templates/new_jail.bash.j2

@@ -26,7 +26,7 @@ function by_src {
 }
 
 function by_bin {
-    DESTRELEASE=15.0-RELEASE
+    DESTRELEASE=13.2-RELEASE
     DESTARCH=`uname -m`
     SOURCEURL=http://ftp.freebsd.org/pub/FreeBSD/releases/$DESTARCH/$DESTRELEASE/
     for component in base ports; do fetch $SOURCEURL/$component.txz -o - | tar -xf - -C "$DESTDIR" ; done
@@ -34,34 +34,34 @@ function by_bin {
 }
 
 function by_pkg {
-    TERM=xterm BSDINSTALL_CHROOT="$DESTDIR" bsdinstall pkgbase --jail
+    # current https://pkg.freebsd.org/FreeBSD:15:amd64/base_latest
-
+    # 14/stable https://pkg.freebsd.org/FreeBSD:14:amd64/base_latest
-#     local config
+    # 14.1 https://pkg.freebsd.org/FreeBSD:14:amd64/base_release_1
-#     config=$(cat <<EOF
+    local config
-# FreeBSD-base: {
+    config=$(cat <<EOF
-#     url: "https://pkg.FreeBSD.org/FreeBSD:15:amd64/base_release_0",
+base: {
-#     mirror_type: "none",
+    url: "https://pkg.freebsd.org/FreeBSD:14:amd64/base_release_1",
-#     enabled: yes,
+    mirror_type: "none",
-#     priority: 100
+    enabled: yes,
-# }
+    priority: 100
-# EOF
+}
-#              )
+EOF
-#     IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") update --repository FreeBSD-base
+             )
-#     IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository FreeBSD-base --yes --glob 'FreeBSD-*'
+    IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository base --yes --glob 'FreeBSD-*'
     switch_to_latest_packages
-#     local in_jail_config
+    local in_jail_config
-#     in_jail_config=$(cat <<EOF
+    in_jail_config=$(cat <<EOF
-# FreeBSD-base: {
+base: {
-#     url: "pkg+https://pkg.FreeBSD.org/\${ABI}/base_release_\${VERSION_MINOR}",
+    url: "pkg+https://pkg.freebsd.org/\${ABI}/base_release_1",
-#     mirror_type: "srv",
+    mirror_type: "srv",
-#     signature_type: "fingerprints",
+    signature_type: "fingerprints",
-#     fingerprints: "/usr/share/keys/pkgbase-\${VERSION_MAJOR}",
+    fingerprints: "/usr/share/keys/pkg",
-#     enabled: yes,
+    enabled: yes,
-#     priority: 100
+    priority: 100
-# }
+}
-# EOF
+EOF
-#              )
+             )
-#     cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config"
+    cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config"
     # Post-install remove extra packages
     # pkg remove --glob 'FreeBSD-*-lib32*' 'FreeBSD-*-dbg*' FreeBSD-src
 }
@@ -69,13 +69,13 @@ function by_pkg {
 function switch_to_latest_packages {
     local latest_pkg
     latest_pkg=$(cat <<EOF
-FreeBSD-ports: {
+FreeBSD: {
-  url: "pkg+https://pkg.FreeBSD.org/\${ABI}/latest"
+  url: "pkg+http://pkg.FreeBSD.org/\${ABI}/latest"
 }
 EOF
               )
     mkdir -p "$DESTDIR/usr/local/etc/pkg/repos"
-    cat > "$DESTDIR/usr/local/etc/pkg/repos/FreeBSD-ports.conf" <<<"$latest_pkg"
+    cat > "$DESTDIR/usr/local/etc/pkg/repos/FreeBSD.conf" <<<"$latest_pkg"
 }
 
 if [ "$1" = "src" ]; then

ansible/roles/jail_momlaptop/files/headers.include

@@ -0,0 +1,15 @@
+# Enable HTTP Strict Transport Security (HSTS) to force clients to
+# always connect via HTTPS (do not use if only testing)
+add_header Strict-Transport-Security "max-age=31536000;" always;
+# Enable cross-site filter (XSS) and tell browser to block detected
+# attacks
+add_header X-XSS-Protection "1; mode=block" always;
+# Prevent some browsers from MIME-sniffing a response away from the
+# declared Content-Type
+add_header X-Content-Type-Options "nosniff" always;
+# Disallow the site to be rendered within a frame (clickjacking
+# protection)
+add_header X-Frame-Options "DENY" always;
+
+# Indicate that we are serving http3 on port 443
+add_header Alt-Svc 'h3=":8033"; ma=864000';

ansible/roles/jail_momlaptop/files/newsyslog.conf

@@ -0,0 +1,2 @@
+# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
+/var/log/nginx/*.log			640  5	   1000	@T00 GYC /var/run/nginx.pid SIGUSR1

ansible/roles/jail_momlaptop/files/nginx.conf

@@ -0,0 +1,48 @@
+worker_processes  auto;
+user  www www;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    types {
+        text/plain log;
+    }
+
+    sendfile        on;
+    tcp_nopush     on;
+    tcp_nodelay    on;
+    gzip  on;
+
+    include conf.d/headers.include;
+
+    server {
+        listen 443 quic reuseport;
+        listen [::]:443 quic reuseport;
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        http2  on;
+
+        server_name momlaptop.fizz.buzz;
+
+        include conf.d/tls_settings.include;
+        # RSA
+        ssl_certificate /momlaptop.fizz.buzz/tls.crt;
+        ssl_certificate_key /momlaptop.fizz.buzz/tls.key;
+
+        # Nginx by default only allows file uploads up to 50M in size
+        client_max_body_size 50M;
+
+        location / {
+            auth_basic           "Stuff";
+            auth_basic_user_file conf.d/htpasswd;
+
+            alias /srv/http/;
+            autoindex on;
+        }
+    }
+}

ansible/roles/jail_momlaptop/files/nginx_rc.conf

@@ -0,0 +1 @@
+nginx_enable="YES"

ansible/roles/jail_momlaptop/files/proxy.include

@@ -0,0 +1,9 @@
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+# Settings for keepalive module for upstreams
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+# Requests sent with early data are subject to replay attacks so the application needs to protect against that by using the Early-Data header.
+# proxy_set_header Early-Data $ssl_early_data;

ansible/roles/jail_momlaptop/files/tls_settings.include

@@ -0,0 +1,3 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;

ansible/roles/jail_momlaptop/meta/main.yaml

@@ -0,0 +1,2 @@
+dependencies:
+  - syslog

ansible/roles/jail_momlaptop/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+# - include_tasks:
+#     file: tasks/peruser.yaml
+#     apply:
+#       become: yes
+#       become_user: "{{ initialize_user }}"
+#   when: users is defined
+#   loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+#   loop_control:
+#     loop_var: initialize_user

ansible/roles/jail_momlaptop/tasks/freebsd.yaml

@@ -0,0 +1,81 @@
+- name: Create www group
+  group:
+    name: www
+
+- name: Create www user
+  user:
+    name: www
+    home: /srv/http
+    createhome: false
+    group: www
+
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - /momlaptop.fizz.buzz
+    - /etc/rc.conf.d
+    - /usr/local/etc/nginx/conf.d
+
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: www
+    group: www
+  loop:
+    - /srv/http
+
+- name: Install packages
+  package:
+    name:
+      - nginx
+    state: present
+
+# validate fails because nginx config relies on a local mime.types
+- name: Install Configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - src: nginx.conf
+      dest: /usr/local/etc/nginx/nginx.conf
+    - src: headers.include
+      dest: /usr/local/etc/nginx/conf.d/headers.include
+    - src: proxy.include
+      dest: /usr/local/etc/nginx/conf.d/proxy.include
+    - src: tls_settings.include
+      dest: /usr/local/etc/nginx/conf.d/tls_settings.include
+      # Generate htpasswd with `htpasswd -c files/htpasswd user1`
+      # or `printf "USER:$(openssl passwd)\n" >> files/htpasswd`
+    - src: htpasswd
+      dest: /usr/local/etc/nginx/conf.d/htpasswd
+
+- name: Install newsyslog configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: newsyslog.conf
+      dest: /usr/local/etc/newsyslog.conf.d/nginx.conf
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - nginx

ansible/roles/jail_momlaptop/tasks/linux.yaml

@@ -0,0 +1,29 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
+
+# - name: Enable services
+#   systemd:
+#     enabled: yes
+#     name: "{{ item }}"
+#     daemon_reload: yes
+#   loop:
+#     - foo.service

ansible/roles/jail_momlaptop/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  # when: foo is defined

ansible/roles/jail_momlaptop/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf

@@ -91,52 +91,10 @@
                         "ip-address": "10.215.1.217"
                     },
                     {
-                        // hydra
+                        // momlaptop - hard-coded in rc.conf, reproduced here to reserve ip
-                        "hw-address": "06:84:36:68:03:77",
+                        "hw-address": "06:85:69:c5:6a:d6",
-                        "ip-address": "10.215.1.219"
+                        "ip-address": "10.215.1.218"
-                    },
-                    {
-                        // certificate - hard-coded in rc.conf, reproduced here to reserve ip
-                        "hw-address": "06:7b:e0:08:16:5d",
-                        "ip-address": "10.215.1.220"
-                    },
-                    {
-                        // nix controller0 - hard-coded in nix config, reproduced here to reserve ip
-                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01dd
-                        "hw-address": "06:7b:e0:08:16:01",
-                        "ip-address": "10.215.1.221"
-                    },
-                    {
-                        // nix controller1 - hard-coded in nix config, reproduced here to reserve ip
-                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01de
-                        "hw-address": "06:7b:e0:08:16:02",
-                        "ip-address": "10.215.1.222"
-                    },
-                    {
-                        // nix controller2 - hard-coded in nix config, reproduced here to reserve ip
-                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01df
-                        "hw-address": "06:7b:e0:08:16:03",
-                        "ip-address": "10.215.1.223"
-                    },
-                    {
-                        // nix worker0 - hard-coded in nix config, reproduced here to reserve ip
-                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01e0
-                        "hw-address": "06:7b:e0:08:16:04",
-                        "ip-address": "10.215.1.224"
-                    },
-                    {
-                        // nix worker1 - hard-coded in nix config, reproduced here to reserve ip
-                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01e1
-                        "hw-address": "06:7b:e0:08:16:05",
-                        "ip-address": "10.215.1.225"
-                    },
-                    {
-                        // nix worker2 - hard-coded in nix config, reproduced here to reserve ip
-                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01e2
-                        "hw-address": "06:7b:e0:08:16:06",
-                        "ip-address": "10.215.1.226"
                     }
-
                 ]
             }
         ],

ansible/roles/javascript/tasks/linux.yaml

@@ -1,3 +1,19 @@
+- name: Build aur packages
+  register: buildaur
+  become_user: "{{ build_user.name }}"
+  command: "aurutils-sync --no-view {{ item }}"
+  args:
+    creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+  loop:
+    - nvm
+
+- name: Update cache
+  when: buildaur.changed
+  pacman:
+    name: []
+    state: present
+    update_cache: true
+
 - name: Install packages
   package:
     name:

ansible/roles/kanshi/files/config_kanshi

@@ -1,11 +1,3 @@
-profile office {
-	output eDP-1 disable
-	output "Dell Inc. DELL C2722DE 6PH6T83" enable
-}
-profile office2 {
-	output eDP-1 disable
-	output "BOE 0x0BCA Unknown" enable
-}
 profile docked {
 	output eDP-1 disable
 	output "Dell Inc. DELL U3014 P1V6N35M329L" enable

ansible/roles/linfi/defaults/main.yaml

@@ -0,0 +1,7 @@
+# linfi:
+#   enabled: true
+#   zfs_dataset: zroot/freebsd/current/vm/linfi
+#   zfs_mountpoint: /vm/linfi
+#   driver_blocklist: "if_iwm if_iwlwifi"
+#   pci_blocklist: "1/0/0"
+#   amd: true

ansible/roles/linfi/files/launch_linfi.bash

@@ -0,0 +1,239 @@
+#!/usr/local/bin/bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Share a host directory to the guest via 9pfs.
+#
+# Inside the VM run:
+#   mount -t virtfs -o trans=virtio sharename /some/vm/path
+#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
+#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 sharename /path/to/mountpoint
+# bhyve_options="-s 28,virtio-9p,sharename=/"
+
+# Enable Sound
+# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
+
+# Example usage:
+#
+#   doas bhyve_netgraph_bridge create-disk zdata/vm/poudriere /vm/poudriere 10
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere
+
+: ${VERBOSE:="NO"} # or YES
+: ${CPU_CORES:="1"}
+: ${MEMORY:="1G"}
+: ${NETWORK:="NAT"} # or RAW or BOTH
+: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
+: ${INTERFACE_NAME:="linfi_host"} # or the external interface like lagg0 for RAW networks
+: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
+: ${VNC_ENABLE:="NO"}
+: ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
+: ${PASSTHROUGH:="1/0/0"}
+
+if [ "$VERBOSE" = "YES" ]; then
+    set -x
+fi
+
+############## Setup #########################
+
+function cleanup {
+    for vm in "${vms[@]}"; do
+        log "Destroying bhyve vm $vm"
+        bhyvectl "--vm=$vm" --destroy
+        log "Destroyed bhyve vm $vm"
+    done
+}
+vms=()
+for sig in EXIT; do
+  trap "set +e; sleep 10; cleanup" "$sig"
+done
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
+
+function main {
+    local cmd="$1"
+    shift 1
+    if [ "$cmd" = "create-disk" ]; then
+        create_disk "${@}"
+    elif [ "$cmd" = "start" ]; then
+        start_vm "${@}"
+    else
+        die 1 "Unrecognized command $cmd"
+    fi
+}
+
+function create_disk {
+    local zfs_path="$1"
+    local mount_path="$2"
+    local gigabytes="$3"
+    zfs create -o "mountpoint=$mount_path" "$zfs_path"
+    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
+    tee "${mount_path}/settings" <<EOF
+CPU_CORES="$CPU_CORES"
+MEMORY="$MEMORY"
+NETWORK="$NETWORK"
+IP_RANGE="$IP_RANGE"
+BRIDGE_NAME="$BRIDGE_NAME"
+INTERFACE_NAME="$INTERFACE_NAME"
+EOF
+    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none -o volblocksize=64K "$zfs_path/disk0"
+}
+
+function start_vm {
+    local name="$1"
+    local zfs_path="$2"
+    local mount_path="$3"
+    local mount_cd="${4:-}"
+
+    if [ -e "${mount_path}/settings" ]; then
+        source "${mount_path}/settings"
+    fi
+
+    local additional_args=()
+    local host_interface_name="linfi_host"
+    local bridge_name="linfi_bridge"
+
+    assert_bridge "$host_interface_name" "$bridge_name"
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")
+    local bridge_link_name
+    bridge_link_name=$(detect_available_link "${bridge_name}")
+    additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+
+
+    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
+         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
+             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
+            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
+
+    # TODO: Look into using nmdm instead of stdio for serial console
+    if [ -n "$mount_cd" ]; then
+        additional_args+=("-s" "5,ahci-cd,$mount_cd")
+    fi
+    if [ "$VNC_ENABLE" = "YES" ]; then
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
+    fi
+    vms+=("$name")
+
+    while true; do
+        set -x
+        set +e
+        bhyve \
+            -D \
+            -c sockets=1,cores=1,threads=1 \
+            -m "$MEMORY" \
+            -H \
+            -w \
+            -o 'rtc.use_localtime=false' \
+            -s 0,hostbridge \
+            -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
+            -S \
+            -s "7,passthru,${PASSTHROUGH}" \
+            -s 30,xhci,tablet \
+            -s 31,lpc -l com1,stdio \
+            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \
+            -U '08421734-875e-11ef-a0f3-f426796942c7' \
+            "${additional_args[@]}" \
+            "$name"
+        local exit_code=$?
+        set -e
+        set +x
+        if [ $exit_code -eq 0 ]; then
+            echo "Rebooting."
+            sleep 5
+        elif [ $exit_code -eq 1 ]; then
+            echo "Powered off."
+            break
+        elif [ $exit_code -eq 2 ]; then
+            echo "Halted."
+            break
+        elif [ $exit_code -eq 3 ]; then
+            echo "Triple fault."
+            break
+        elif [ $exit_code -eq 4 ]; then
+            echo "Exited due to an error."
+            break
+        fi
+    done
+}
+
+function detect_available_link {
+    local bridge_name="$1"
+    local linknum=1
+    while true; do
+        local link_name="link${linknum}"
+        if ! ng_exists "${bridge_name}:${link_name}"; then
+            echo "$link_name"
+            return
+        fi
+        linknum=$((linknum + 1))
+        if [ "$linknum" -gt 90 ]; then
+            (>&2 echo "No available links on bridge $bridge_name")
+            exit 1
+        fi
+    done
+}
+
+function assert_bridge {
+    local host_interface_name="$1"
+    local bridge_name="$2"
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook $host_interface_name
+EOF
+        ngctl -d -f - <<EOF
+mkpeer ${host_interface_name}: bridge ether link0
+name ${host_interface_name}:ether $bridge_name
+EOF
+        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" 192.168.253.2/24 up
+        route add default 192.168.253.1
+    fi
+}
+
+function ng_exists {
+    ngctl status "${1}" >/dev/null 2>&1
+}
+
+function calculate_mac_address {
+    local name="$1"
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
+    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
+}
+
+function find_available_port {
+    local start_port="$1"
+    local port="$start_port"
+    while true; do
+        sockstat -P tcp -p 443
+        port=$((port + 1))
+    done
+}
+
+function ngctlcat {
+    if [ "$VERBOSE" = "YES" ]; then
+        tee /dev/tty | ngctl -d -f -
+    else
+        ngctl -d -f -
+    fi
+}
+
+
+main "${@}"

ansible/roles/linfi/files/linfi_rc.conf

@@ -0,0 +1 @@
+linfi_enable="YES"

ansible/roles/linfi/meta/main.yaml

@@ -0,0 +1,3 @@
+dependencies:
+  - role: bhyve
+    when: 'os_flavor == "freebsd"'

ansible/roles/linfi/tasks/common.yaml

@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/linfi/tasks/freebsd.yaml

@@ -0,0 +1,50 @@
+- name: Install loader.conf
+  template:
+    src: "templates/{{ item }}_loader.conf.j2"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - linfi
+
+- name: Install scripts
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - src: launch_linfi.bash
+      dest: /usr/local/bin/launch_linfi
+
+- name: Install rc script
+  template:
+    src: "templates/{{ item.src }}.j2"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: linfi
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - linfi
+
+- name: Install service configuration
+  template:
+    src: "templates/{{ item }}_rc.conf.j2"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - devmatch

ansible/roles/linfi/tasks/linux.yaml

@@ -0,0 +1,29 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
+
+# - name: Enable services
+#   systemd:
+#     enabled: yes
+#     name: "{{ item }}"
+#     daemon_reload: yes
+#   loop:
+#     - foo.service

ansible/roles/linfi/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: linfi is defined and linfi.enabled

ansible/roles/linfi/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/linfi/templates/devmatch_rc.conf.j2

@@ -0,0 +1,2 @@
+devmatch_enable="YES"
+devmatch_blocklist="{{ linfi.driver_blocklist }}"