Disable optimizations for quick iteration.

Switch to using my fork of nixpkgs.
Pull in improvements from nixpkgs PR.
2025-09-19 19:08:31 -04:00 · 2025-09-19 19:08:30 -04:00 · 2025-09-06 20:32:25 -04:00 · 2025-09-06 17:39:04 -04:00 · 2025-09-04 18:51:14 -04:00 · 2025-09-04 18:51:14 -04:00
379 changed files with 43234 additions and 1108 deletions
--- a/ansible/environments/colo/host_vars/mrmanager
+++ b/ansible/environments/colo/host_vars/mrmanager
@@ -6,6 +6,7 @@ zfs_snapshot_datasets:
    include: false
  - path: zdata/k8spersistent
 sshd_enabled: true
 loader_conf: "mrmanager_loader.conf"
 rc_conf: "mrmanager_rc.conf"
 network_rc: "mrmanager_network.conf"
 routing_rc: "mrmanager_routing.conf"
@@ -13,8 +14,6 @@ pf_config: "mrmanager_pf.conf"
 pflog_conf:
  - name: 0
    dev: pflog0
  - name: 1
    dev: pflog1
 cputype: "amd"
 hwpstate: true
 etc_hosts: {}
@@ -52,3 +51,7 @@ users:
      - yubikey
      - main_fido
      - backup_fido
  mole:
    initialize: true
    authorized_keys:
      - mole
--- a/ansible/environments/colo/hosts
+++ b/ansible/environments/colo/hosts
@@ -1,3 +1,2 @@
 [server]
-#mrmanager ansible_user=talexander ansible_host=10.217.2.1 ansible_become_method=doas
+mrmanager ansible_user=talexander ansible_host=10.217.2.1
 mrmanager ansible_user=talexander ansible_host=74.80.180.138 ansible_become_method=doas
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -1,4 +1,6 @@
 os_flavor: "freebsd"
 custom_repo: "https://freebsdpkg.fizz.buzz/repo/14broadwell-default-computer"
 pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/14broadwell-repo/FreeBSD:14:amd64/latest"
 zfs_snapshot_datasets:
  - path: zroot/freebsd/computer/be
  - path: zmass/encrypted/vm
@@ -24,6 +26,7 @@ users:
 sshd_enabled: true
 sshd_conf: "sshd_config"
 prefer_ipv6: true
 dummynet_config: "dnctl.conf"
 pf_config: "homeserver_pf.conf"
 pflog_conf:
  - name: 0
@@ -50,6 +53,9 @@ jail_list:
  - name: dagger
    conf:
      src: dagger
  - name: olddagger
    conf:
      src: olddagger
  - name: sftp
    conf:
      src: sftp
@@ -61,6 +67,9 @@ jail_list:
  - name: certificate
    conf:
      src: certificate
  - name: momlaptop
    conf:
      src: momlaptop
  # - name: mumble
  #   conf:
  #     src: mumble
@@ -75,3 +84,10 @@ bhyve_bemount: "on"
 wireguard_directory: homeserver
 enabled_wireguard:
  - wgh
 linfi:
  enabled: true
  zfs_dataset: zmass/unencrypted/vm/linfi
  zfs_mountpoint: /vm/linfi
  driver_blocklist: "ath if_ath if_ath_pci ath_hal if_iwm if_iwlwifi"
  pci_blocklist: "6/0/0"
  amd: false
--- a/ansible/environments/home/hosts
+++ b/ansible/environments/home/hosts
@@ -1,3 +1,2 @@
 [headless]
-#homeserver ansible_user=talexander ansible_host=homeserver
+homeserver ansible_user=talexander ansible_host=homeserver
 homeserver ansible_user=talexander ansible_host=172.16.16.32
--- a/ansible/environments/jail/host_vars/momlaptop
+++ b/ansible/environments/jail/host_vars/momlaptop
@@ -0,0 +1 @@
 os_flavor: freebsd
--- a/ansible/environments/jail/hosts
+++ b/ansible/environments/jail/hosts
@@ -8,3 +8,4 @@ public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
 sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
 bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail
 certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail
 momlaptop ansible_ssh_host=momlaptop@homeserver ansible_connection=sshjail
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -53,7 +53,7 @@
    - javascript
    - launch_keyboard
    - lvfs
-    # - restaurant_health_rating
+    - restaurant_health_rating
    - wasm
    - noise_suppression
@@ -82,7 +82,7 @@
  vars:
    ansible_become: True
  roles:
-    # - sudo
+    - sudo
    - doas
    - users
    - package_manager
@@ -104,7 +104,6 @@
    - wireguard
    - emacs
    - mrmanager
    - ndproxy
 - hosts: admin_git:public_dns
  vars:
@@ -127,8 +126,16 @@
  vars:
    ansible_become: True
  roles:
    - linfi
    - framework_laptop
 - hosts: homeserver
  vars:
    ansible_become: True
  roles:
    - linfi
    - homeserver
 - hosts: odowork
  vars:
    ansible_become: True
@@ -153,3 +160,9 @@
    ansible_become: True
  roles:
    - jail_certificate
 - hosts: momlaptop
  vars:
    ansible_become: True
  roles:
    - jail_momlaptop
--- a/ansible/roles/base/files/gitconfig_home
+++ b/ansible/roles/base/files/gitconfig_home
@@ -1,54 +1,36 @@
 [user]
 	email = tom@fizz.buzz
 	name = Tom Alexander
-	signingkey = 36C99E8B3C39D85F
+	signingkey = D3A179C9A53C0EDE
 [push]
-	default = simple # (default since 2.0)
+	default = simple
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
-        authorcount = shortlog --summary --numbered --all --no-merges
+	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
 	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
 # Use meld for `git difftool` and `git mergetool`
 [diff]
-	tool = meld # Use meld for `git difftool` and `git mergetool`
+	tool = meld
 	algorithm = histogram
 	colorMoved = plain
 	mnemonicPrefix = true
 	renames = true
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
 	conflictStyle = zdiff3
 [mergetool "meld"]
        # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
        # Make the middle pane start without any merge progress:
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
 [column]
 	ui = auto
 [branch]
 	sort = -committerdate
 [tag]
 	sort = version:refname
 [fetch]
 	prune = true
 	pruneTags = true
 	all = true
 [rebase]
 	autoSquash = true
 	autoStash = true
 	updateRefs = false
--- a/ansible/roles/base/files/gitconfig_work
+++ b/ansible/roles/base/files/gitconfig_work
@@ -1,38 +1,34 @@
 [user]
 	email = ThomasA.Alexander@hmhn.org
 	name = Tom Alexander
-	signingkey = 36C99E8B3C39D85F
+	signingkey = D3A179C9A53C0EDE
 [push]
-	default = simple # (default since 2.0)
+	default = simple
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
-        authorcount = shortlog --summary --numbered --all --no-merges
+	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
 	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
 # Use meld for `git difftool` and `git mergetool`
 [diff]
-	tool = meld # Use meld for `git difftool` and `git mergetool`
+	tool = meld
 	algorithm = histogram
 	colorMoved = plain
 	mnemonicPrefix = true
 	renames = true
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
 	conflictStyle = zdiff3
 [mergetool "meld"]
        # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
@@ -40,19 +36,3 @@
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
 [includeIf "gitdir:/bridge/"]
 	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
 [includeIf "gitdir:/persist/"]
 	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
 [column]
 	ui = auto
 [branch]
 	sort = -committerdate
 [tag]
 	sort = version:refname
 [fetch]
 	prune = true
 	pruneTags = true
 	all = true
 [rebase]
 	autoSquash = true
 	autoStash = true
 	updateRefs = false
--- a/ansible/roles/base/files/homeserver_loader.conf
+++ b/ansible/roles/base/files/homeserver_loader.conf
@@ -1,4 +1,3 @@
 security.bsd.allow_destructive_dtrace=0
 cryptodev_load="YES"
 zfs_load="YES"
 devmatch_blocklist="if_iwm"
--- a/ansible/roles/base/files/homeserver_rc.conf
+++ b/ansible/roles/base/files/homeserver_rc.conf
@@ -2,7 +2,8 @@ clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="computer"
 local_unbound_enable="NO"
 sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
 zfs_enable="YES"
 kld_list="${kld_list} if_iwlwifi"
--- a/ansible/roles/base/files/login.conf
+++ b/ansible/roles/base/files/login.conf
@@ -32,7 +32,7 @@ default:\
 	:cputime=unlimited:\
 	:datasize=unlimited:\
 	:stacksize=unlimited:\
-	:memorylocked=64K:\
+	:memorylocked=128M:\
 	:memoryuse=unlimited:\
 	:filesize=unlimited:\
 	:coredumpsize=unlimited:\
@@ -46,6 +46,7 @@ default:\
 	:umtxp=unlimited:\
 	:pipebuf=unlimited:\
 	:priority=0:\
 	:ignoretime@:\
 	:umask=022:\
 	:charset=UTF-8:\
 	:lang=en_US.UTF-8:
@@ -148,6 +149,7 @@ russian|Russian Users Accounts:\
 #	:requirehome:\
 #	:passwordtime=90d:\
 #	:umask=002:\
 #	:ignoretime@:\
 #	:tc=default:
 #
 #
@@ -172,6 +174,7 @@ russian|Russian Users Accounts:\
 ##
 #staff:\
 #	:ignorenologin:\
 #	:ignoretime:\
 #	:requirehome@:\
 #	:accounted@:\
 #	:path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
@@ -262,6 +265,7 @@ russian|Russian Users Accounts:\
 ## - no time accounting, restricted to access via dialin lines
 ##
 #site:\
 #	:ignoretime:\
 #	:passwordtime@:\
 #	:refreshtime@:\
 #	:refreshperiod@:\
--- a/ansible/roles/base/files/mrmanager_loader.conf
+++ b/ansible/roles/base/files/mrmanager_loader.conf
--- a/ansible/roles/base/meta/main.yaml
+++ b/ansible/roles/base/meta/main.yaml
@@ -1,3 +1,3 @@
 dependencies:
  - fstab
-  # - termcap
+  - termcap
--- a/ansible/roles/base/tasks/freebsd.yaml
+++ b/ansible/roles/base/tasks/freebsd.yaml
@@ -77,27 +77,27 @@
    owner: root
    group: wheel
  loop:
-    # - src: bemount.bash
+    - src: bemount.bash
-    #   dest: /usr/local/bin/bemount
+      dest: /usr/local/bin/bemount
    - src: watch_freebsd
      dest: /usr/local/bin/ww
-# - name: Install rc script
+- name: Install rc script
-#   copy:
+  copy:
-#     src: "files/{{ item.src }}"
+    src: "files/{{ item.src }}"
-#     dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
-#     owner: root
+    owner: root
-#     group: wheel
+    group: wheel
-#     mode: 0755
+    mode: 0755
-#   loop:
+  loop:
-#     - src: bemount_rc.sh
+    - src: bemount_rc.sh
-#       dest: bemount
+      dest: bemount
-# - name: Enable bemount
+- name: Enable bemount
-#   community.general.sysrc:
+  community.general.sysrc:
-#     name: bemount_enable
+    name: bemount_enable
-#     value: "YES"
+    value: "YES"
-#     path: /etc/rc.conf.d/bemount
+    path: /etc/rc.conf.d/bemount
 - name: Install loader.conf
  copy:
@@ -107,7 +107,6 @@
    owner: root
    group: wheel
  loop:
    - zfs
    - disk_labels
 - name: Configure sysctls
@@ -128,7 +127,7 @@
  blockinfile:
    path: "/etc/periodic.conf.local"
    marker: "# {mark} ANSIBLE MANAGED BLOCK log"
-    create: true
+    # create: true
    mode: 0644
    owner: root
    group: wheel
@@ -142,13 +141,13 @@
  blockinfile:
    path: "/etc/periodic.conf.local"
    marker: "# {mark} ANSIBLE MANAGED BLOCK zfs"
-    create: true
+    # create: true
    mode: 0644
    owner: root
    group: wheel
    block: |
      daily_scrub_zfs_enable="YES"
-      daily_scrub_zfs_default_threshold="14"
+      daily_scrub_zfs_default_threshold="7"
 # Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
 - name: Install loader.conf
--- a/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash
+++ b/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash
@@ -153,7 +153,6 @@ function start_vm {
            -D \
            -c $CPU_CORES \
            -m $MEMORY \
            -S \
            -H \
            -P \
            -o 'rtc.use_localtime=false' \
@@ -217,7 +216,7 @@ EOF
 mkpeer ${host_interface_name}: bridge ether link0
 name ${host_interface_name}:ether $bridge_name
 EOF
-        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
+        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" "$ip_range" up
    fi
 }
--- a/ansible/roles/bhyve/files/bhyverc.bash
+++ b/ansible/roles/bhyve/files/bhyverc.bash
@@ -1,478 +0,0 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # Share a host directory to the guest via 9pfs.
 #
 # Inside the VM run:
 #   mount -t virtfs -o trans=virtio sharename /some/vm/path
 #   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
 #   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 bind9p /path/to/mountpoint
 # bhyve_options="-s 28,virtio-9p,sharename=/"
 # Enable Sound
 # bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
 # Example usage:
 #
 #   doas bhyverc create-disk zdata/vm/poudriere /vm/poudriere 10
 #   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
 #   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere
 : ${VERBOSE:="NO"} # or YES
 if [ "$VERBOSE" = "YES" ]; then
    set -x
 fi
 : ${CPU_CORES:="1"}
 : ${MEMORY:="1G"}
 : ${NETWORK:="NAT"} # or RAW or BOTH
 : ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
 : ${INTERFACE_NAME:="jail_nat"} # or the external interface like lagg0 for RAW networks
 : ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
 : ${VNC_ENABLE:="NO"}
 : ${VNC_LISTEN:="127.0.0.1:5900"}
 : ${VNC_WIDTH:="1920"}
 : ${VNC_HEIGHT:="1080"}
 : ${BIND9P:=""}
 : ${PREVENT_OOM:="NO"}
 : "${CD:=}"
 : ${SHUTDOWN_TIMEOUT:="600"} # 10 minutes
 ############## Setup #########################
 function die {
    local status_code="$1"
    shift
    (>&2 echo "${@}")
    exit "$status_code"
 }
 function log {
    (>&2 echo "${@}")
 }
 ############## Program #########################
 function main {
    local cmd
    cmd=$1
    shift
    if [ "$cmd" = "start" ]; then
        init
        start "${@}"
    elif [ "$cmd" = "stop" ]; then
        init
        stop "${@}"
    elif [ "$cmd" = "status" ]; then
        init
        status "${@}"
    elif [ "$cmd" = "console" ]; then
        init
        console "${@}"
    elif [ "$cmd" = "_start_body" ]; then
        init
        start_body "${@}"
    elif [ "$cmd" = "create-disk" ]; then
        create_disk "${@}"
    else
        (>&2 echo "Unknown command: $cmd")
        exit 1
    fi
 }
 function start {
    local num_vms="$#"
    if [ "$num_vms" -eq 0 ]; then
        log "No VMs specified."
        return 0
    fi
    while [ "$#" -gt 0 ]; do
        local name="$1"
        shift 1
        log "Starting VM $name."
        start_one "$name"
        [ "$#" -eq 0 ] || sleep 5
    done
 }
 function start_one {
    local name="$1"
    local tmux_name="$name"
    /usr/local/bin/tmux new-session -d -s "$tmux_name" "$0" "_start_body" "$name"
    # /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=NO VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_opnsense.bash"
 }
 function launch_pidfile {
    local pidfile="$1"
    shift 1
    mkdir -p "$(dirname "$pidfile")"
    cat > "${pidfile}" <<< "$$"
    set -x
    exec "${@}"
 }
 export -f launch_pidfile
 function stop {
    local num_vms="$#"
    if [ "$num_vms" -eq 0 ]; then
        log "No VMs specified."
        return 0
    fi
    while [ "$#" -gt 0 ]; do
        local name="$1"
        shift 1
        log "Stopping VM $name."
        stop_one "$name"
        [ "$#" -eq 0 ] || sleep 5
    done
 }
 function stop_one {
    local name="$1"
    local pidfile="/run/bhyverc/${name}/pid"
    if [ ! -e "$pidfile" ]; then
        log "Pid file $pidfile does not exist."
        return 0
    fi
    local bhyve_pid
    bhyve_pid=$(cat "$pidfile")
    if ps -p "$bhyve_pid" >/dev/null; then
        # Send ACPI shutdown command
        log "Sending ACPI shutdown to ${name}:${bhyve_pid}."
        kill -SIGTERM "$bhyve_pid"
    fi
    local timeout_start timeout_end
    timeout_start=$(date +%s)
    while ps -p "$bhyve_pid" >/dev/null; do
        timeout_end=$(date +%s)
        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to shut down. Hard powering down."
            break
        fi
        log "Waiting for ${name}:${bhyve_pid} to exit."
        sleep 2
    done
    bhyvectl "--vm=$name" --destroy || true
    local timeout_start timeout_end
    timeout_start=$(date +%s)
    while ps -p "$bhyve_pid" >/dev/null; do
        timeout_end=$(date +%s)
        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to hard power down. Giving up."
            break
        fi
        log "Waiting for ${name}:${bhyve_pid} to hard power down."
        sleep 2
    done
    rm -f "$pidfile"
    log "Finished stopping $name."
 }
 function status {
    local num_vms="$#"
    if [ "$num_vms" -gt 0 ]; then
        for name in "$@"; do
            status_one "$name"
        done
    else
        log "No VMs specified."
    fi
 }
 function status_one {
    local name="$1"
    local pidfile="/run/bhyverc/${name}/pid"
    if [ ! -e "$pidfile" ]; then
        log "$name is not running."
        return 0
    fi
    local bhyve_pid
    bhyve_pid=$(cat "$pidfile")
    if ! ps -p "$bhyve_pid" >/dev/null; then
        log "$name is not running."
        return 0
    fi
    log "$name is running as pid $bhyve_pid."
 }
 function console {
    local num_vms="$#"
    if [ "$num_vms" -gt 0 ]; then
        for name in "$@"; do
            log "Attaching to console of VM $name."
            console_one "$name"
        done
    else
        log "No VMs specified."
    fi
 }
 function console_one {
    local name="$1"
    local tmux_name="$name"
    exec tmux a -t "$tmux_name"
 }
 function init {
    mkdir -p /run/bhyverc
 }
 ############## Bhyve ###########################
 function create_disk {
    local zfs_path="$1"
    local mount_path="$2"
    local gigabytes="$3"
    zfs create -o "mountpoint=$mount_path" "$zfs_path"
    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
    tee "${mount_path}/settings" <<EOF
 CPU_CORES="$CPU_CORES"
 MEMORY="$MEMORY"
 NETWORK="$NETWORK"
 IP_RANGE="$IP_RANGE"
 BRIDGE_NAME="$BRIDGE_NAME"
 INTERFACE_NAME="$INTERFACE_NAME"
 EOF
    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none "$zfs_path/disk0"
 }
 function start_body {
    local name="$1"
    local zfs_path="zdata/vm/$name"
    local mount_path="/vm/$name"
    if [ -e "${mount_path}/settings" ]; then
        source "${mount_path}/settings"
    fi
    local mount_cd="$CD"
    local host_interface_name="$INTERFACE_NAME" # for raw, external interface
    local bridge_name="$BRIDGE_NAME"
    local ip_range="$IP_RANGE" # for raw this value does not matter
    local mac_address
    mac_address=$(calculate_mac_address "$name")
    if [ "$PREVENT_OOM" = "YES" ]; then
        protect -d -i -p "$$"
    fi
    local entry parsed_item
    local additional_args=()
    local next_pcie_slot=10
    if [ "$NETWORK" = "NAT" ]; then
        assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
        local bridge_link_name=$(detect_available_link "${bridge_name}")
        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
    elif [ "$NETWORK" = "RAW" ]; then
        assert_raw "$host_interface_name" "$bridge_name"
        local bridge_link_name=$(detect_available_link "${bridge_name}")
        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
    elif [ "$NETWORK" = "BOTH" ]; then
        assert_bridge "jail_nat" "$bridge_name" "$ip_range"
        assert_raw "$host_interface_name" "bridge_raw"
        local bridge_link_name=$(detect_available_link "${bridge_name}")
        local raw_bridge_link_name=$(detect_available_link "bridge_raw")
        local raw_mac_address=$(calculate_mac_address "${name}_raw")
        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
        additional_args+=("-s" "3:0,virtio-net,netgraph,path=bridge_raw:,peerhook=${raw_bridge_link_name},mac=${raw_mac_address}")
    else
        die 1 "Unrecognized NETWORK type $NETWORK"
    fi
    if [ -n "$BIND9P" ]; then
        if [[ "$BIND9P" = *":"* ]]; then
            IFS=':' read -ra entry <<<"$BIND9P"
            for item in "${entry[@]}"; do
                IFS='=' read -ra parsed_item <<<"$item"
                additional_args+=("-s" "${next_pcie_slot},virtio-9p,${parsed_item[0]}=${parsed_item[1]}")
                next_pcie_slot=$((next_pcie_slot+1))
            done
        else
            additional_args+=("-s" "${next_pcie_slot},virtio-9p,bind9p=${BIND9P}")
            next_pcie_slot=$((next_pcie_slot+1))
        fi
    fi
    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
    # TODO: Look into using nmdm instead of stdio for serial console
    if [ -n "$mount_cd" ]; then
        additional_args+=("-s" "5,ahci-cd,$mount_cd")
    fi
    if [ "$VNC_ENABLE" = "YES" ]; then
        additional_args+=("-s" "${next_pcie_slot},fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
        next_pcie_slot=$((next_pcie_slot+1))
    fi
    vms+=("$name")
    while true; do
        local pidfile="/run/bhyverc/${name}/pid"
        trap "set +e; stop_one '${name}'" EXIT
        local launch_cmd=()
        launch_cmd+=(
            launch_pidfile "$pidfile"
            bhyve
            -D
            -c "$CPU_CORES"
            -m "$MEMORY"
            -S
            -H
            -o 'rtc.use_localtime=false'
            -s "0,hostbridge"
            -s "4,nvme,/dev/zvol/${zfs_path}/disk0"
            -s "${next_pcie_slot},xhci,tablet"
            -s "$((next_pcie_slot+1)),lpc" -l "com1,stdio"
            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd"
            "${additional_args[@]}"
            "$name"
        )
        set +e
        rm -f "$pidfile"
        (
            IFS=$' \n\t'
            set -ex
            bash -c "${launch_cmd[*]}"
        )
        local exit_code=$?
        log "Exit code ${exit_code}"
        set -e
        if [ $exit_code -eq 0 ]; then
            echo "Rebooting."
            sleep 5
        elif [ $exit_code -eq 1 ]; then
            echo "Powered off."
            break
        elif [ $exit_code -eq 2 ]; then
            echo "Halted."
            break
        elif [ $exit_code -eq 3 ]; then
            echo "Triple fault."
            break
        elif [ $exit_code -eq 4 ]; then
            echo "Exited due to an error."
            break
        fi
    done
 }
 function detect_available_link {
    local bridge_name="$1"
    local linknum=1
    while true; do
        local link_name="link${linknum}"
        if ! ng_exists "${bridge_name}:${link_name}"; then
            echo "$link_name"
            return
        fi
        linknum=$((linknum + 1))
        if [ "$linknum" -gt 90 ]; then
            (>&2 echo "No available links on bridge $bridge_name")
            exit 1
        fi
    done
 }
 function assert_bridge {
    local host_interface_name="$1"
    local bridge_name="$2"
    local ip_range="$3"
    if ! ng_exists "${bridge_name}:"; then
        ngctl -d -f - <<EOF
 mkpeer . eiface hook ether
 name .:hook $host_interface_name
 EOF
        ngctl -d -f - <<EOF
 mkpeer ${host_interface_name}: bridge ether link0
 name ${host_interface_name}:ether $bridge_name
 EOF
        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
    fi
 }
 function assert_raw {
    local extif="$1"
    local bridge_name="$2"
    kldload -n ng_bridge ng_eiface ng_ether
    if ! ng_exists "${bridge_name}:"; then
        ngctlcat <<EOF
 # Create a bridge.
 mkpeer $extif: bridge lower link0
 # Assign a name to the bridge.
 name $extif:lower ${bridge_name}
 # Since the host is also using $extif, we need to connect the upper hook also. Otherwise we will lose connectivity.
 connect $extif: ${bridge_name}: upper link1
 # Enable promiscuous mode so the host ethernet adapter accepts packets for all addresses
 msg $extif: setpromisc 1
 # Do not overwrite source address on packets
 msg $extif: setautosrc 0
 EOF
    fi
 }
 function ng_exists {
    ngctl status "${1}" >/dev/null 2>&1
 }
 function calculate_mac_address {
    local name="$1"
    local source
    source=$(md5 -r -s "$name" | awk '{print $1}')
    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
 }
 function find_available_port {
    local start_port="$1"
    local port="$start_port"
    while true; do
        sockstat -P tcp -p 443
        port=$((port + 1))
    done
 }
 function ngctlcat {
    if [ "$VERBOSE" = "YES" ]; then
        tee /dev/tty | ngctl -d -f -
    else
        ngctl -d -f -
    fi
 }
 main "${@}"
--- a/ansible/roles/bhyve/files/bhyverc.sh
+++ b/ansible/roles/bhyve/files/bhyverc.sh
@@ -1,37 +0,0 @@
 #!/bin/sh
 #
 # REQUIRE: LOGIN FILESYSTEMS
 # PROVIDE: bhyverc
 # KEYWORD: shutdown
 . /etc/rc.subr
 name=bhyverc
 rcvar=${name}_enable
 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
 status_cmd="${name}_status"
 console_cmd="${name}_console"
 extra_commands="console"
 load_rc_config $name
 bhyverc_start() {
    export PATH="$PATH:/usr/local/bin"
    exec /usr/local/bin/bhyverc start "${@}"
 }
 bhyverc_status() {
    export PATH="$PATH:/usr/local/bin"
    exec /usr/local/bin/bhyverc status "${@}"
 }
 bhyverc_stop() {
    export PATH="$PATH:/usr/local/bin"
    exec /usr/local/bin/bhyverc stop "${@}"
 }
 bhyverc_console() {
    export PATH="$PATH:/usr/local/bin"
    exec /usr/local/bin/bhyverc console "${@}"
 }
 run_rc_command "$@"
--- a/ansible/roles/bhyve/tasks/freebsd.yaml
+++ b/ansible/roles/bhyve/tasks/freebsd.yaml
@@ -22,25 +22,6 @@
  loop:
    - src: bhyve_netgraph_bridge.bash
      dest: /usr/local/bin/bhyve_netgraph_bridge
    - src: bhyverc.bash
      dest: /usr/local/bin/bhyverc
 - name: Install rc script
  copy:
    src: "files/{{ item.src }}"
    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
    owner: root
    group: wheel
    mode: 0755
  loop:
    - src: bhyverc.sh
      dest: bhyverc
 - name: Enable bhyverc
  community.general.sysrc:
    name: bhyverc_enable
    value: "YES"
    path: /etc/rc.conf.d/bhyverc
 - name: Create zfs dataset
  zfs:
--- a/ansible/roles/build/files/aurutils-sync
+++ b/ansible/roles/build/files/aurutils-sync
@@ -5,4 +5,4 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-GPGKEY=4278299FB84F6875 exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@"
+GPGKEY=27DE40D9B8455C1B exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@"
--- a/ansible/roles/build/files/gpg.asc
+++ b/ansible/roles/build/files/gpg.asc
@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
-Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+0H+RsWG0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
-0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+uEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w+R0CGwMFCwkIBwIGFQoJCAsCBBYCAwEC
-HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
+HgECF4AACgkQJ95A2bhFXBt6fgD+NOYnw9gz5K/q3H5LE/JvqzCSHezJmeGgif0C
-/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
+uU4m1/MA+gPDKME7syEtJsTpELEMrxWWpDW0tD/W1iJE7roGYPQPtB1Ub20gQWxl
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
+eGFuZGVyIDx0b21AZml6ei5idXp6PoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A
-AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
+2bhFXBsFAl2cFhoCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQJ95A2bhF
-n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
+XBvYJQEA19wc2s/bEKcnHONC3i8UikLFqZXyYoH6/MFjoAteU8sBAKpE7Qq0zbJb
-8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
+XWRESzK3u6p7/+kUqOeDltAuKXTe1FAGuDMEXZwWyhYJKwYBBAHaRw8BAQdAPyIL
-HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
+4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI9QQYFggAJgIbAhYhBLhIFZNj
-fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
+wod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2IAQZFggAHRYhBIHmRDmWdVAu
-AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
+sSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7ejJ4A/iq7N2mMhx+ovOXm1REo
-gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
+ASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZLuka/KVB/etkkJvDzvaTtiQQ
-mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
+QG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/EZ3/d8wxfA9E3Fb/1mt4c2Zr
-nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
+NnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/duA4lwsLuDMEXZwXARYJKwYB
-KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
+BAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+UiQb8x0k1z2DmTKIfgQYFggA
-B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
+JgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdZgAAoJECfeQNm4
-CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
+RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SBPG4VvrCzXrmlAP46wUjIRpkM
-/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
+rTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2cFygSCisGAQQBl1UBBQEBB0AO
-Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
+0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWIEgMBCAeIfgQYFggAJgIbDBYh
-BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
+BLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdY5AAoJECfeQNm4RVwbXscA
-rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
+/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcWd5t8APwIwcuFVZZA3yayhIxi
-7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
+3aqYpMRxpn2t6Nswax1MIM8DBQ==
-=OfDR
+=dzEV
 -----END PGP PUBLIC KEY BLOCK-----
--- a/ansible/roles/build/files/gpg_work.asc
+++ b/ansible/roles/build/files/gpg_work.asc
@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
-Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+0H+RsWG0LVRob21hcyBBbGV4YW5kZXIgPFRob21hc0EuQWxleGFuZGVyQGhtaG4u
-0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+b3JnPoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAmULicsCGwMFCwkI
-HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQJ95A2bhFXBsUtQD9GWPdWc/nSmO0Gp7p
-/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
+DzxrieliriAnO+ZCHp31mFbMtToBAPxPYN9y4kgSiXhLiFLoRK5k5FCspksTSitg
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
+0CbXDE4LuDgEXZwWGhIKKwYBBAGXVQEFAQEHQK202EIAwTBuxARUygOvn+AloMJd
-AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
+ui39m+nMghn1MNo+AwEIB4h4BBgWCAAgFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsF
-n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
+Al2cFhoCGwwACgkQJ95A2bhFXBtNzAEAq5I6xPjIbb23xmhxh5cM/UJxdGedfWMy
-8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
+vF6/JtDvtPUBAPQRQn5AMwTOA+CSnliYf7ZjfVOlHscy60XWPlvXLoAJuDMEXZwW
-HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
+yhYJKwYBBAHaRw8BAQdAPyIL4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI
-fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
+9QQYFggAJgIbAhYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2
-AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
+IAQZFggAHRYhBIHmRDmWdVAusSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7e
-gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
+jJ4A/iq7N2mMhx+ovOXm1REoASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZ
-mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
+Luka/KVB/etkkJvDzvaTtiQQQG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/
-nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
+EZ3/d8wxfA9E3Fb/1mt4c2ZrNnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/
-KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
+duA4lwsLuDMEXZwXARYJKwYBBAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+
-B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
+UiQb8x0k1z2DmTKIfgQYFggAJgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJl
-CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
+C4ZwBQkLMdZgAAoJECfeQNm4RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SB
-/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
+PG4VvrCzXrmlAP46wUjIRpkMrTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2c
-Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
+FygSCisGAQQBl1UBBQEBB0AO0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWI
-BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
+EgMBCAeIfgQYFggAJgIbDBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkL
-rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
+MdY5AAoJECfeQNm4RVwbXscA/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcW
-7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
+d5t8APwIwcuFVZZA3yayhIxi3aqYpMRxpn2t6Nswax1MIM8DBQ==
-=OfDR
+=0HtE
 -----END PGP PUBLIC KEY BLOCK-----
--- a/ansible/roles/build/tasks/linux.yaml
+++ b/ansible/roles/build/tasks/linux.yaml
@@ -40,11 +40,11 @@
  command: pacman-key -a -
  args:
    stdin: "{{ lookup('file', pgp_key|default('gpg.asc')) }}"
-  when: '"D272C8D6167F26859467666F4278299FB84F6875" not in pacmankeys.stdout'
+  when: '"B848159363C2877917954BE127DE40D9B8455C1B" not in pacmankeys.stdout'
  register: my_key_imported
 - name: Sign my signing key
-  command: pacman-key --lsign-key "D272C8D6167F26859467666F4278299FB84F6875"
+  command: pacman-key --lsign-key "B848159363C2877917954BE127DE40D9B8455C1B"
  when: my_key_imported.changed
 - name: Build the aurutils package
@@ -103,8 +103,7 @@
    - /var/cache/pacman/custom/
 - name: Create custom repo db
-  # shell: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*"
+  command: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*"
  command: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar
  become: true
  become_user: "{{ build_user.name }}"
  args:
--- a/ansible/roles/chromium/files/chromium-flags.conf
+++ b/ansible/roles/chromium/files/chromium-flags.conf
@@ -1,2 +1,2 @@
 --ozone-platform-hint=auto
--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder
+--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE
--- a/ansible/roles/cpu/files/aesni_loader.conf
+++ b/ansible/roles/cpu/files/aesni_loader.conf
@@ -0,0 +1 @@
 aesni_load="YES"
--- a/ansible/roles/cpu/files/amd_microcode_rc.conf
+++ b/ansible/roles/cpu/files/amd_microcode_rc.conf
@@ -1 +0,0 @@
 microcode_update_enable="YES"
--- a/ansible/roles/cpu/files/cryptodev_loader.conf
+++ b/ansible/roles/cpu/files/cryptodev_loader.conf
@@ -1 +0,0 @@
 cryptodev_load="YES"
--- a/ansible/roles/cpu/tasks/freebsd_amd.yaml
+++ b/ansible/roles/cpu/tasks/freebsd_amd.yaml
@@ -1,9 +1,3 @@
 - name: Install packages
  package:
    name:
      - cpu-microcode-amd
    state: present
 - name: Install loader.conf
  copy:
    src: "files/{{ item }}_loader.conf"
@@ -23,7 +17,16 @@
    group: wheel
  loop:
    - power_profile
-    - amd_microcode
+
 - name: Install loader.conf
  copy:
    src: "files/{{ item }}_loader.conf"
    dest: "/boot/loader.conf.d/{{ item }}.conf"
    mode: 0644
    owner: root
    group: wheel
  loop:
    - aesni
 - name: Install loader.conf
  when: hwpstate is defined and hwpstate
@@ -35,4 +38,3 @@
    group: wheel
  loop:
    - per_core_hwpstate
    - cryptodev
--- a/ansible/roles/cpu/tasks/freebsd_intel.yaml
+++ b/ansible/roles/cpu/tasks/freebsd_intel.yaml
@@ -16,6 +16,7 @@
  loop:
    - coretemp
    - cpuctl
    - aesni
    - intel_microcode
 - name: Install service configuration
@@ -78,4 +79,3 @@
    group: wheel
  loop:
    - per_core_hwpstate
    - cryptodev
--- a/ansible/roles/dummynet/files/dnctl.conf
+++ b/ansible/roles/dummynet/files/dnctl.conf
@@ -0,0 +1,2 @@
 pipe 1 config bw 100KByte/s
 pipe 2 config
--- a/ansible/roles/dummynet/files/dummynet
+++ b/ansible/roles/dummynet/files/dummynet
@@ -0,0 +1,28 @@
 #!/bin/sh
 #
 #
 # PROVIDE: dummynet
 # BEFORE: pf ipfw
 # KEYWORD: nojailvnet
 . /etc/rc.subr
 name="dummynet"
 desc="Dummynet packet queuing and scheduling"
 rcvar="${name}_enable"
 load_rc_config $name
 start_cmd="${name}_start"
 required_files="$dummynet_rules"
 required_modules="dummynet"
 dummynet_start()
 {
 	startmsg -n "Enabling ${name}"
        cat "$dnctl_rules" | while read l; do
          dnctl $l
        done
 	startmsg '.'
 }
 run_rc_command $*
--- a/ansible/roles/dummynet/files/dummynet_rc.conf
+++ b/ansible/roles/dummynet/files/dummynet_rc.conf
@@ -0,0 +1,2 @@
 dummynet_enable="YES"
 dummynet_rules="/etc/dnctl.conf"
--- a/ansible/roles/dummynet/tasks/common.yaml
+++ b/ansible/roles/dummynet/tasks/common.yaml
--- a/ansible/roles/dummynet/tasks/freebsd.yaml
+++ b/ansible/roles/dummynet/tasks/freebsd.yaml
@@ -0,0 +1,30 @@
 - name: Install Configuration
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0600
    owner: root
    group: wheel
  loop:
    - src: "{{ dummynet_config }}"
      dest: /etc/dnctl.conf
 - name: Install rc script
  copy:
    src: "files/{{ item.src }}"
    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
    owner: root
    group: wheel
    mode: 0755
  loop:
    - src: dummynet
 - name: Install service configuration
  copy:
    src: "files/{{ item }}_rc.conf"
    dest: "/etc/rc.conf.d/{{ item }}"
    mode: 0644
    owner: root
    group: wheel
  loop:
    - dummynet
--- a/ansible/roles/dummynet/tasks/linux.yaml
+++ b/ansible/roles/dummynet/tasks/linux.yaml
--- a/ansible/roles/dummynet/tasks/main.yaml
+++ b/ansible/roles/dummynet/tasks/main.yaml
@@ -0,0 +1,2 @@
 - import_tasks: tasks/common.yaml
  when: (dummynet_config is defined and os_flavor == "freebsd") or (os_flavor == "linux")
--- a/ansible/roles/dummynet/tasks/peruser.yaml
+++ b/ansible/roles/dummynet/tasks/peruser.yaml
--- a/ansible/roles/dummynet/tasks/peruser_freebsd.yaml
+++ b/ansible/roles/dummynet/tasks/peruser_freebsd.yaml
--- a/ansible/roles/dummynet/tasks/peruser_linux.yaml
+++ b/ansible/roles/dummynet/tasks/peruser_linux.yaml
--- a/ansible/roles/emacs/files/elisp/base-extensions.el
+++ b/ansible/roles/emacs/files/elisp/base-extensions.el
@@ -51,27 +51,17 @@
 ;; Persist history over Emacs restarts. Vertico sorts by history position.
 (use-package savehist
  ;; This is an emacs built-in but we're pulling the latest version
  :pin gnu
  :config
  (savehist-mode))
 (use-package which-key
  :pin gnu
  :diminish
  :config
  (which-key-mode))
 (use-package windmove
-  ;; This is an emacs built-in but we're pulling the latest version
+  :config
-  :pin gnu
+  (windmove-default-keybindings))
  :bind
  (
   ("S-<up>" . windmove-up)
   ("S-<right>" . windmove-right)
   ("S-<down>" . windmove-down)
   ("S-<left>" . windmove-left)
   )
  )
 (setq tramp-default-method "ssh")
--- a/ansible/roles/emacs/files/elisp/base.el
+++ b/ansible/roles/emacs/files/elisp/base.el
@@ -63,9 +63,6 @@
 show-trailing-whitespace t
 ;; Remove the line when killing it with ctrl-k
 kill-whole-line t
 ;; Show the current project in the mode line
 project-mode-line t
 )
 ;; (setq-default fringes-outside-margins t)
--- a/ansible/roles/emacs/files/elisp/lang-nix.el
+++ b/ansible/roles/emacs/files/elisp/lang-nix.el
@@ -7,15 +7,15 @@
  :commands nix-mode
  :hook (
         (nix-mode . (lambda ()
-                       (eglot-ensure)
+                             ;; (eglot-ensure)
-                       (defclass my/eglot-nix (eglot-lsp-server) ()
+                             ;; (defclass my/eglot-nix (eglot-lsp-server) ()
-                         :documentation
+                             ;;   :documentation
-                         "Own eglot server class.")
+                             ;;   "Own eglot server class.")
-                       (add-to-list 'eglot-server-programs
+                             ;; (add-to-list 'eglot-server-programs
-                                    '(nix-mode . (my/eglot-nix "nixd")))
+                             ;;              '(nix-mode . (my/eglot-nix "nixd")))
-                       (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                             ;; (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
-                       ))
+                             ))
         )
  )
--- a/ansible/roles/emacs/files/elisp/lang-org.el
+++ b/ansible/roles/emacs/files/elisp/lang-org.el
@@ -1,23 +1,16 @@
 (use-package org
  :ensure nil
  :commands org-mode
-  :bind (:map org-mode-map
+  :bind (
         ("C-c l" . org-store-link)
         ("C-c a" . org-agenda)
-         ("S-<up>" . org-shiftup)
+         ("C--" . org-timestamp-down)
-         ("S-<right>" . org-shiftright)
+         ("C-=" . org-timestamp-up)
         ("S-<down>" . org-shiftdown)
         ("S-<left>" . org-shiftleft)
         )
  :hook (
         (org-mode . (lambda ()
                       (org-indent-mode +1)
-                       ))
+                        ))
         ;; Make windmove work in Org mode:
         (org-shiftup-final . windmove-up)
         (org-shiftleft-final . windmove-left)
         (org-shiftdown-final . windmove-down)
         (org-shiftright-final . windmove-right)
         )
  :config
  (require 'org-tempo)
@@ -45,8 +38,6 @@
  ;; TODO: There is an option to set the compiler, could be better than manually doing this here https://orgmode.org/manual/LaTeX_002fPDF-export-commands.html
  ;; (setq org-latex-compiler "lualatex")
  ;; TODO: nixos latex page recommends this line, figure out what it does / why its needed:
  ;; (setq org-preview-latex-default-process 'dvisvgm)
  (setq org-latex-pdf-process
        '("lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
          "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
@@ -87,8 +78,4 @@
 (use-package gnuplot)
 (use-package graphviz-dot-mode)
 (use-package htmlize
  ;; For syntax highlighting when exporting to HTML.
  )
 (provide 'lang-org)
--- a/ansible/roles/emacs/files/elisp/util-tree-sitter.el
+++ b/ansible/roles/emacs/files/elisp/util-tree-sitter.el
@@ -4,8 +4,6 @@
  :commands (treesit-install-language-grammar treesit-ready-p)
  :init
  (setq treesit-language-source-alist '())
  :custom
  (treesit-max-buffer-size 209715200) ;; 200MiB
  :config
  ;; Default to the max level of detail in treesitter highlighting. This
  ;; can be overridden in each language's use-package call with:
--- a/ansible/roles/emacs/files/init.el
+++ b/ansible/roles/emacs/files/init.el
@@ -38,8 +38,4 @@
 (require 'lang-nix)
 (require 'lang-cmake)
 (require 'lang-d2)
 (load-directory autoload-directory)
--- a/ansible/roles/emacs/tasks/linux.yaml
+++ b/ansible/roles/emacs/tasks/linux.yaml
@@ -15,7 +15,6 @@
      - typescript-language-server
      - shellcheck
      - vscode-css-languageserver
      - d2 # Generating diagrams
    state: present
 - name: Create directories
--- a/ansible/roles/firefox/defaults/main.yaml
+++ b/ansible/roles/firefox/defaults/main.yaml
@@ -7,6 +7,7 @@ firefox_config:
  dom.security.https_only_mode_ever_enabled: true
  extensions.activeThemeID: "firefox-compact-dark@mozilla.org"
  # Disable ads
  extensions.pocket.enabled: false
  browser.newtabpage.activity-stream.showSponsored: false
  browser.newtabpage.activity-stream.showSponsoredTopSites: false
  browser.newtabpage.activity-stream.feeds.section.topstories: false
@@ -20,6 +21,8 @@ firefox_config:
  privacy.globalprivacycontrol.enabled: true
  # Disable "studies" (slice testing)
  app.shield.optoutstudies.enabled: false
  # Disable attribution which is used by advertisers to track you.
  dom.private-attribution.submission.enabled: false
  # Disable battery status, used to track users.
  dom.battery.enabled: false
  # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
@@ -37,8 +40,6 @@ firefox_config:
  privacy.fingerprintingProtection: true
  # Allow sending dark mode preference to websites.
  # Allow sending timezone to websites.
-  privacy.fingerprintingProtection.overrides: "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt,-CanvasExtractionFromThirdPartiesIsBlocked"
+  privacy.fingerprintingProtection.overrides: "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked"
  # Disable weather on new tab page
  browser.newtabpage.activity-stream.showWeather: false
  browser.ml.chat.enabled: false
  browser.ml.enabled: false
--- a/ansible/roles/firefox/tasks/linux.yaml
+++ b/ansible/roles/firefox/tasks/linux.yaml
@@ -3,5 +3,4 @@
    name:
      - libfido2
      - firefox-developer-edition
      - speech-dispatcher # For TTS
    state: present
--- a/ansible/roles/firewall/files/homeserver_pf.conf
+++ b/ansible/roles/firewall/files/homeserver_pf.conf
@@ -1,20 +1,9 @@
-# TODO: ipv6 RFC 6296 - Network Prefix Translation?
+ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }"
-# match out on $ext_if inet6 from fd00:db8::/48 binat-to 2001:db8::/48
+not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }"
-# TODO: Maybe ipv6 icmp rules from https://oneuptime.com/blog/post/2026-03-20-configure-ipv6-firewall-pf-freebsd/view
+jail_nat_v4 = "{ 10.215.1.0/24 }"
-
+not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
-#
+restricted_nat_v4 = "{ 10.215.2.0/24 }"
-# restricted_nat 10.215.2.1/24
+not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }"
 # jail_nat 10.215.1.1/24
 #
 #
 # External connections -> 172.16.16.32:8081
 # rdr to bastion 10.215.1.217
 # snat to bridge?
 #
 ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
 not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
 rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
 dhcp = "{ bootpc, bootps }"
@@ -22,29 +11,69 @@ allow = "{ wgh wgf }"
 tcp_pass_in = "{ 22 }"
 udp_pass_in = "{ 53 51820 }"
 unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
 # Rules must be in order: options, normalization, queueing, translation, filtering
 # options
 set skip on lo
 # normalization
 # queueing
 # altq on linfi_host cbq queue { def, stuff }
 # queue def cbq(default borrow)
 # queue stuff bandwidth	8Mb cbq { dagger }
 # queue dagger cbq(borrow)
-# translation
+# redirections
-nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> (wlan0)
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
-nat pass on restricted_nat proto {tcp, udp} tagged NATRESTRICTED -> (restricted_nat)
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
 nat pass on jail_nat proto {tcp, udp} tagged NATJAIL -> (jail_nat)
-# external -> bastion
+# cloak
-rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8081 tag NATJAIL -> 10.215.1.217 port 443
+nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host)
-# external -> sftp
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
-rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8022 tag NATJAIL -> 10.215.1.216 port 22
+
 # bastion
 rdr pass on $ext_if inet proto {tcp, udp} from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443
 nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.217 port 443 -> 10.215.1.1
 nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 port 8081 -> 10.215.2.1
 # cloak -> olddagger
 rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
 nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
 # cloak -> dagger old
 rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8083 -> 10.215.2.2 port 8083
 nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8083 -> 10.215.2.1
 # -> sftp
 # TODO: Limit bandwidth for sftp
 rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
 nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
 # Forward ports for unifi controller
 # rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22
 rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
 # -> momlaptop
 rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8033 -> 10.215.1.218 port 443
 nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.218 port 443 -> 10.215.1.1
 # filtering
 # match in on jail_nat from any to any dnpipe(1, 2)
 # match in on restricted_nat from any to any dnpipe(1, 2)
 block log all
-pass out on $ext_if from (wlan0)
+pass out on $ext_if
 pass in on jail_nat
 # Allow traffic from my machine to the jails/virtual machines
 pass out on jail_nat from $jail_nat_v4
 pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports
 pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081
 # TODO: limit bandwidth for dagger here
 pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }
 # We pass on the interfaces listed in allow rather than skipping on
 # them because changes to pass rules will update when running a
@@ -56,11 +85,5 @@ pass quick on $allow
 pass on $ext_if proto icmp all
 pass on $ext_if proto icmp6 all
-pass in on $ext_if proto tcp to (wlan0) port $tcp_pass_in
+pass in on $ext_if proto tcp to any port $tcp_pass_in
-pass in on $ext_if proto udp to (wlan0) port $udp_pass_in
+pass in on $ext_if proto udp to any port $udp_pass_in
 # Allow DNS and wireguard from cloak
 pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT
 # bastion -> cloak
 pass in on jail_nat proto {udp, tcp} from 10.215.1.217 to 10.215.2.2 port 8081 tag NATRESTRICTED
--- a/ansible/roles/firewall/files/mrmanager_pf.conf
+++ b/ansible/roles/firewall/files/mrmanager_pf.conf
@@ -2,8 +2,7 @@ ext_if = "lagg0"
 not_ext_if = "{ !lagg0 }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
-# pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
+pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
 pub_k8s = "{ 74.80.180.137, 74.80.180.139, 74.80.180.140, 74.80.180.141, 74.80.180.142, 2620:11f:7001:7:ffff:dddd::/112 }"
 dhcp = "{ bootpc, bootps }"
 allow = "{ colo }"
@@ -35,24 +34,19 @@ scrub in on $ext_if all fragment reassemble
 # redirections
 nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
 rdr pass on jail_nat proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
 rdr pass on jail_nat proto {tcp, udp} from any to 2620:11f:7001:7:ffff:ffff:0ad7:0101 port 53 tag REDIREXTERNAL -> 2606:4700:4700::1111 port 53
-rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
+rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 -> 10.215.1.204 port 6443
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
-rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
+rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 -> 10.215.1.204 port 19993
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
-rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 -> 10.215.1.210 port 22
 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22
-# log (to pflog1)
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 -> 10.215.1.211 port 53
 rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
 rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65122 tag REDIRINTERNAL -> 10.215.1.219 port 22
 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65122 tag REDIRINTERNAL -> 10.215.1.219 port 22
 nat pass tagged REDIRINTERNAL -> (jail_nat)
 nat pass tagged REDIREXTERNAL -> ($ext_if)
@@ -70,10 +64,6 @@ pass quick on $allow
 # Single interface kubernetes cluster is working with the following run on mrmanager:
 #   doas route add -host 74.80.180.139 -interface jail_nat
 #   doas route add -net 10.129.0.0/16 -interface jail_nat
 #   doas route -6 add -net '2620:11f:7001:7:ffff:ffff:0ad7:0100/120' -interface jail_nat
 #   doas route -6 add -net '2620:11f:7001:7:ffff:eeee::/96' -interface jail_nat
 #   doas route -6 add -net '2620:11f:7001:7:ffff:dddd::/112' -interface jail_nat
 #   doas ifconfig jail_nat inet6 2620:11f:7001:7:ffff:ffff:0ad7:0101/120
 #   doas sysctl net.link.ether.inet.proxyall=1
 # Plus this in pf.conf:
 #   pass quick from any to 74.80.180.139
@@ -83,10 +73,6 @@ pass in on jail_nat
 # Allow traffic from my machine to the jails/virtual machines
 pass out on jail_nat from (jail_nat:network)
 #pass quick in on $ext_if proto {tcp6, udp6} from any to 2620:11f:7001:7:ffff:ffff:0ad7:0100/120
 pass in quick on $ext_if from any to 2620:11f:7001:7:ffff:ffff:0ad7:0100/120
 pass out quick on jail_nat to 2620:11f:7001:7:ffff:ffff:0ad7:0100/120
 pass in on $ext_if proto tcp to any port $tcp_pass_in
 pass in on $ext_if proto udp to any port $udp_pass_in
--- a/ansible/roles/firewall/meta/main.yaml
+++ b/ansible/roles/firewall/meta/main.yaml
@@ -0,0 +1,2 @@
 dependencies:
  - dummynet
--- a/ansible/roles/framework_laptop/files/screen_brightness_tmpfiles.conf
+++ b/ansible/roles/framework_laptop/files/screen_brightness_tmpfiles.conf
@@ -1,2 +1,2 @@
 # Set screen brightness. Ever since enabling adaptive brightness management, my brightness ends up sinking lower on re-boots (I suspect it is saving the actual brightness rather than the set brightness). This forces the brightness back to the level I prefer.
-w- /sys/class/backlight/amdgpu_bl0/brightness - - - - 21845
+w- /sys/class/backlight/amdgpu_bl0/brightness - - - - 85
--- a/ansible/roles/framework_laptop/tasks/linux.yaml
+++ b/ansible/roles/framework_laptop/tasks/linux.yaml
@@ -34,7 +34,7 @@
 - name: Configure kernel command line
  zfs:
-    name: "zroot/linux/archwork/be"
+    name: "zroot/linux"
    state: present
    extra_zfs_properties:
      # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
@@ -44,7 +44,7 @@
      # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
      # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
      # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
-      "org.zfsbootmenu:commandline": "rw quiet amdgpu.abmlevel=2 pcie_aspm=force pcie_aspm.policy=powersupersave nowatchdog amdgpu.dcdebugmask=0x10"
+      "org.zfsbootmenu:commandline": "rw quiet amdgpu.abmlevel=3 pcie_aspm=force pcie_aspm.policy=powersupersave nowatchdog amdgpu.dcdebugmask=0x10"
 - name: Install Configuration
  copy:
--- a/ansible/roles/gpg/files/gpg.asc
+++ b/ansible/roles/gpg/files/gpg.asc
@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
-Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+0H+RsWG0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
-0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+uEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w+R0CGwMFCwkIBwIGFQoJCAsCBBYCAwEC
-HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
+HgECF4AACgkQJ95A2bhFXBt6fgD+NOYnw9gz5K/q3H5LE/JvqzCSHezJmeGgif0C
-/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
+uU4m1/MA+gPDKME7syEtJsTpELEMrxWWpDW0tD/W1iJE7roGYPQPtB1Ub20gQWxl
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
+eGFuZGVyIDx0b21AZml6ei5idXp6PoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A
-AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
+2bhFXBsFAl2cFhoCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQJ95A2bhF
-n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
+XBvYJQEA19wc2s/bEKcnHONC3i8UikLFqZXyYoH6/MFjoAteU8sBAKpE7Qq0zbJb
-8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
+XWRESzK3u6p7/+kUqOeDltAuKXTe1FAGuDMEXZwWyhYJKwYBBAHaRw8BAQdAPyIL
-HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
+4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI9QQYFggAJgIbAhYhBLhIFZNj
-fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
+wod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2IAQZFggAHRYhBIHmRDmWdVAu
-AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
+sSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7ejJ4A/iq7N2mMhx+ovOXm1REo
-gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
+ASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZLuka/KVB/etkkJvDzvaTtiQQ
-mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
+QG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/EZ3/d8wxfA9E3Fb/1mt4c2Zr
-nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
+NnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/duA4lwsLuDMEXZwXARYJKwYB
-KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
+BAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+UiQb8x0k1z2DmTKIfgQYFggA
-B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
+JgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdZgAAoJECfeQNm4
-CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
+RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SBPG4VvrCzXrmlAP46wUjIRpkM
-/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
+rTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2cFygSCisGAQQBl1UBBQEBB0AO
-Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
+0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWIEgMBCAeIfgQYFggAJgIbDBYh
-BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
+BLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdY5AAoJECfeQNm4RVwbXscA
-rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
+/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcWd5t8APwIwcuFVZZA3yayhIxi
-7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
+3aqYpMRxpn2t6Nswax1MIM8DBQ==
-=OfDR
+=dzEV
 -----END PGP PUBLIC KEY BLOCK-----
--- a/ansible/roles/gpg/files/gpg_work.asc
+++ b/ansible/roles/gpg/files/gpg_work.asc
@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
-Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+0H+RsWG0LVRob21hcyBBbGV4YW5kZXIgPFRob21hc0EuQWxleGFuZGVyQGhtaG4u
-0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+b3JnPoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAmULicsCGwMFCwkI
-HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQJ95A2bhFXBsUtQD9GWPdWc/nSmO0Gp7p
-/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
+DzxrieliriAnO+ZCHp31mFbMtToBAPxPYN9y4kgSiXhLiFLoRK5k5FCspksTSitg
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
+0CbXDE4LuDgEXZwWGhIKKwYBBAGXVQEFAQEHQK202EIAwTBuxARUygOvn+AloMJd
-AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
+ui39m+nMghn1MNo+AwEIB4h4BBgWCAAgFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsF
-n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
+Al2cFhoCGwwACgkQJ95A2bhFXBtNzAEAq5I6xPjIbb23xmhxh5cM/UJxdGedfWMy
-8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
+vF6/JtDvtPUBAPQRQn5AMwTOA+CSnliYf7ZjfVOlHscy60XWPlvXLoAJuDMEXZwW
-HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
+yhYJKwYBBAHaRw8BAQdAPyIL4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI
-fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
+9QQYFggAJgIbAhYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2
-AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
+IAQZFggAHRYhBIHmRDmWdVAusSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7e
-gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
+jJ4A/iq7N2mMhx+ovOXm1REoASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZ
-mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
+Luka/KVB/etkkJvDzvaTtiQQQG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/
-nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
+EZ3/d8wxfA9E3Fb/1mt4c2ZrNnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/
-KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
+duA4lwsLuDMEXZwXARYJKwYBBAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+
-B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
+UiQb8x0k1z2DmTKIfgQYFggAJgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJl
-CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
+C4ZwBQkLMdZgAAoJECfeQNm4RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SB
-/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
+PG4VvrCzXrmlAP46wUjIRpkMrTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2c
-Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
+FygSCisGAQQBl1UBBQEBB0AO0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWI
-BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
+EgMBCAeIfgQYFggAJgIbDBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkL
-rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
+MdY5AAoJECfeQNm4RVwbXscA/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcW
-7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
+d5t8APwIwcuFVZZA3yayhIxi3aqYpMRxpn2t6Nswax1MIM8DBQ==
-=OfDR
+=0HtE
 -----END PGP PUBLIC KEY BLOCK-----
--- a/ansible/roles/gpg/tasks/freebsd.yaml
+++ b/ansible/roles/gpg/tasks/freebsd.yaml
@@ -3,7 +3,7 @@
    name:
      - gnupg
      - pcsc-tools
-      # - ccid
+      - ccid
      #      - linux_libusb
      - pinentry
    state: present
--- a/ansible/roles/homeserver/files/decrypt_disks.bash
+++ b/ansible/roles/homeserver/files/decrypt_disks.bash
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 #
 # Decrypt and mount the disks after a fresh reboot.
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 zfs load-key -r zmass/encrypted
 zfs mount -a
 service bemount start
--- a/ansible/roles/homeserver/tasks/common.yaml
+++ b/ansible/roles/homeserver/tasks/common.yaml
@@ -0,0 +1,55 @@
 # - name: Create directories
 #   file:
 #     name: "{{ item }}"
 #     state: directory
 #     mode: 0755
 #     owner: root
 #     group: wheel
 #   loop:
 #     - /foo/bar
 # - name: Install scripts
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ item.dest }}"
 #     mode: 0755
 #     owner: root
 #     group: wheel
 #   loop:
 #     - src: foo.bash
 #       dest: /usr/local/bin/foo
 # - name: Install Configuration
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ item.dest }}"
 #     mode: 0600
 #     owner: root
 #     group: wheel
 #   loop:
 #     - src: foo.conf
 #       dest: /usr/local/etc/foo.conf
 # - name: Clone Source
 #   git:
 #     repo: "https://foo.bar/baz.git"
 #     dest: /foo/bar
 #     version: "v1.0.2"
 #     force: true
 #   diff: false
 - import_tasks: tasks/freebsd.yaml
  when: 'os_flavor == "freebsd"'
 - import_tasks: tasks/linux.yaml
  when: 'os_flavor == "linux"'
 - include_tasks:
    file: tasks/peruser.yaml
    apply:
      become: yes
      become_user: "{{ initialize_user }}"
  when: users is defined
  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
  loop_control:
    loop_var: initialize_user
--- a/ansible/roles/homeserver/tasks/freebsd.yaml
+++ b/ansible/roles/homeserver/tasks/freebsd.yaml
@@ -0,0 +1,10 @@
 - name: Install scripts
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0755
    owner: root
    group: wheel
  loop:
    - src: decrypt_disks.bash
      dest: /usr/local/bin/decrypt_disks
--- a/ansible/roles/homeserver/tasks/linux.yaml
+++ b/ansible/roles/homeserver/tasks/linux.yaml
@@ -0,0 +1,29 @@
 # - name: Build aur packages
 #   register: buildaur
 #   become_user: "{{ build_user.name }}"
 #   command: "aurutils-sync --no-view {{ item }}"
 #   args:
 #     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
 #   loop:
 #     - foo
 # - name: Update cache
 #   when: buildaur.changed
 #   pacman:
 #     name: []
 #     state: present
 #     update_cache: true
 # - name: Install packages
 #   package:
 #     name:
 #       - foo
 #     state: present
 # - name: Enable services
 #   systemd:
 #     enabled: yes
 #     name: "{{ item }}"
 #     daemon_reload: yes
 #   loop:
 #     - foo.service
--- a/ansible/roles/homeserver/tasks/main.yaml
+++ b/ansible/roles/homeserver/tasks/main.yaml
--- a/ansible/roles/homeserver/tasks/peruser.yaml
+++ b/ansible/roles/homeserver/tasks/peruser.yaml
@@ -0,0 +1,29 @@
 - include_role:
    name: per_user
 # - name: Create directories
 #   file:
 #     name: "{{ account_homedir.stdout }}/{{ item }}"
 #     state: directory
 #     mode: 0700
 #     owner: "{{ account_name.stdout }}"
 #     group: "{{ group_name.stdout }}"
 #   loop:
 #     - ".config/foo"
 # - name: Copy files
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
 #     mode: 0600
 #     owner: "{{ account_name.stdout }}"
 #     group: "{{ group_name.stdout }}"
 #   loop:
 #     - src: foo.conf
 #       dest: .config/foo/foo.conf
 - import_tasks: tasks/peruser_freebsd.yaml
  when: 'os_flavor == "freebsd"'
 - import_tasks: tasks/peruser_linux.yaml
  when: 'os_flavor == "linux"'
--- a/ansible/roles/homeserver/tasks/peruser_freebsd.yaml
+++ b/ansible/roles/homeserver/tasks/peruser_freebsd.yaml
--- a/ansible/roles/homeserver/tasks/peruser_linux.yaml
+++ b/ansible/roles/homeserver/tasks/peruser_linux.yaml
--- a/ansible/roles/hosts/defaults/main.yaml
+++ b/ansible/roles/hosts/defaults/main.yaml
@@ -1,5 +1,5 @@
 etc_hosts:
-  10.216.1.32:
+  10.216.1.1:
    - homeserver
  10.216.1.6:
    - media
--- a/ansible/roles/jail/files/jails/dagger.conf
+++ b/ansible/roles/jail/files/jails/dagger.conf
@@ -1,7 +1,5 @@
 dagger {
    path = "/jail/${name}";
    allow.chflags = 1;
    vnet;
    vnet.interface += "dagger";
--- a/ansible/roles/jail/files/jails/momlaptop.conf
+++ b/ansible/roles/jail/files/jails/momlaptop.conf
@@ -0,0 +1,15 @@
 momlaptop {
    path = "/jail/${name}";
    vnet;
    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
    vnet.interface += "jail${name}";
    devfs_ruleset = 14;
    mount.devfs;
    mount.fstab = "/etc/fstab.${name}";
    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
    exec.consolelog = "/var/log/jail_${name}_console.log";
 }
--- a/ansible/roles/jail/files/jails/olddagger.conf
+++ b/ansible/roles/jail/files/jails/olddagger.conf
@@ -0,0 +1,14 @@
 olddagger {
    path = "/jail/${name}";
    vnet;
    vnet.interface += "olddagger";
    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
    mount.fstab = "/etc/fstab.${name}";
    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
    exec.consolelog = "/var/log/jail_${name}_console.log";
 }
--- a/ansible/roles/jail/templates/new_jail.bash.j2
+++ b/ansible/roles/jail/templates/new_jail.bash.j2
@@ -26,7 +26,7 @@ function by_src {
 }
 function by_bin {
-    DESTRELEASE=15.0-RELEASE
+    DESTRELEASE=13.2-RELEASE
    DESTARCH=`uname -m`
    SOURCEURL=http://ftp.freebsd.org/pub/FreeBSD/releases/$DESTARCH/$DESTRELEASE/
    for component in base ports; do fetch $SOURCEURL/$component.txz -o - | tar -xf - -C "$DESTDIR" ; done
@@ -34,34 +34,34 @@ function by_bin {
 }
 function by_pkg {
-    TERM=xterm BSDINSTALL_CHROOT="$DESTDIR" bsdinstall pkgbase --jail
+    # current https://pkg.freebsd.org/FreeBSD:15:amd64/base_latest
-
+    # 14/stable https://pkg.freebsd.org/FreeBSD:14:amd64/base_latest
-#     local config
+    # 14.1 https://pkg.freebsd.org/FreeBSD:14:amd64/base_release_1
-#     config=$(cat <<EOF
+    local config
-# FreeBSD-base: {
+    config=$(cat <<EOF
-#     url: "https://pkg.FreeBSD.org/FreeBSD:15:amd64/base_release_0",
+base: {
-#     mirror_type: "none",
+    url: "https://pkg.freebsd.org/FreeBSD:14:amd64/base_release_1",
-#     enabled: yes,
+    mirror_type: "none",
-#     priority: 100
+    enabled: yes,
-# }
+    priority: 100
-# EOF
+}
-#              )
+EOF
-#     IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") update --repository FreeBSD-base
+             )
-#     IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository FreeBSD-base --yes --glob 'FreeBSD-*'
+    IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository base --yes --glob 'FreeBSD-*'
    switch_to_latest_packages
-#     local in_jail_config
+    local in_jail_config
-#     in_jail_config=$(cat <<EOF
+    in_jail_config=$(cat <<EOF
-# FreeBSD-base: {
+base: {
-#     url: "pkg+https://pkg.FreeBSD.org/\${ABI}/base_release_\${VERSION_MINOR}",
+    url: "pkg+https://pkg.freebsd.org/\${ABI}/base_release_1",
-#     mirror_type: "srv",
+    mirror_type: "srv",
-#     signature_type: "fingerprints",
+    signature_type: "fingerprints",
-#     fingerprints: "/usr/share/keys/pkgbase-\${VERSION_MAJOR}",
+    fingerprints: "/usr/share/keys/pkg",
-#     enabled: yes,
+    enabled: yes,
-#     priority: 100
+    priority: 100
-# }
+}
-# EOF
+EOF
-#              )
+             )
-#     cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config"
+    cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config"
    # Post-install remove extra packages
    # pkg remove --glob 'FreeBSD-*-lib32*' 'FreeBSD-*-dbg*' FreeBSD-src
 }
@@ -69,13 +69,13 @@ function by_pkg {
 function switch_to_latest_packages {
    local latest_pkg
    latest_pkg=$(cat <<EOF
-FreeBSD-ports: {
+FreeBSD: {
-  url: "pkg+https://pkg.FreeBSD.org/\${ABI}/latest"
+  url: "pkg+http://pkg.FreeBSD.org/\${ABI}/latest"
 }
 EOF
              )
    mkdir -p "$DESTDIR/usr/local/etc/pkg/repos"
-    cat > "$DESTDIR/usr/local/etc/pkg/repos/FreeBSD-ports.conf" <<<"$latest_pkg"
+    cat > "$DESTDIR/usr/local/etc/pkg/repos/FreeBSD.conf" <<<"$latest_pkg"
 }
 if [ "$1" = "src" ]; then
--- a/ansible/roles/jail_momlaptop/files/headers.include
+++ b/ansible/roles/jail_momlaptop/files/headers.include
@@ -0,0 +1,15 @@
 # Enable HTTP Strict Transport Security (HSTS) to force clients to
 # always connect via HTTPS (do not use if only testing)
 add_header Strict-Transport-Security "max-age=31536000;" always;
 # Enable cross-site filter (XSS) and tell browser to block detected
 # attacks
 add_header X-XSS-Protection "1; mode=block" always;
 # Prevent some browsers from MIME-sniffing a response away from the
 # declared Content-Type
 add_header X-Content-Type-Options "nosniff" always;
 # Disallow the site to be rendered within a frame (clickjacking
 # protection)
 add_header X-Frame-Options "DENY" always;
 # Indicate that we are serving http3 on port 443
 add_header Alt-Svc 'h3=":8033"; ma=864000';
--- a/ansible/roles/jail_momlaptop/files/htpasswd
+++ b/ansible/roles/jail_momlaptop/files/htpasswd
--- a/ansible/roles/jail_momlaptop/files/newsyslog.conf
+++ b/ansible/roles/jail_momlaptop/files/newsyslog.conf
@@ -0,0 +1,2 @@
 # logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
 /var/log/nginx/*.log			640  5	   1000	@T00 GYC /var/run/nginx.pid SIGUSR1
--- a/ansible/roles/jail_momlaptop/files/nginx.conf
+++ b/ansible/roles/jail_momlaptop/files/nginx.conf
@@ -0,0 +1,48 @@
 worker_processes  auto;
 user  www www;
 events {
    worker_connections  1024;
 }
 http {
    include       mime.types;
    default_type  application/octet-stream;
    types {
        text/plain log;
    }
    sendfile        on;
    tcp_nopush     on;
    tcp_nodelay    on;
    gzip  on;
    include conf.d/headers.include;
    server {
        listen 443 quic reuseport;
        listen [::]:443 quic reuseport;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2  on;
        server_name momlaptop.fizz.buzz;
        include conf.d/tls_settings.include;
        # RSA
        ssl_certificate /momlaptop.fizz.buzz/tls.crt;
        ssl_certificate_key /momlaptop.fizz.buzz/tls.key;
        # Nginx by default only allows file uploads up to 50M in size
        client_max_body_size 50M;
        location / {
            auth_basic           "Stuff";
            auth_basic_user_file conf.d/htpasswd;
            alias /srv/http/;
            autoindex on;
        }
    }
 }
--- a/ansible/roles/jail_momlaptop/files/nginx_rc.conf
+++ b/ansible/roles/jail_momlaptop/files/nginx_rc.conf
@@ -0,0 +1 @@
 nginx_enable="YES"
--- a/ansible/roles/jail_momlaptop/files/proxy.include
+++ b/ansible/roles/jail_momlaptop/files/proxy.include
@@ -0,0 +1,9 @@
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-Proto $scheme;
 # Settings for keepalive module for upstreams
 proxy_http_version 1.1;
 proxy_set_header Connection "";
 # Requests sent with early data are subject to replay attacks so the application needs to protect against that by using the Early-Data header.
 # proxy_set_header Early-Data $ssl_early_data;
--- a/ansible/roles/jail_momlaptop/files/tls_settings.include
+++ b/ansible/roles/jail_momlaptop/files/tls_settings.include
@@ -0,0 +1,3 @@
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
 ssl_prefer_server_ciphers on;
--- a/ansible/roles/jail_momlaptop/meta/main.yaml
+++ b/ansible/roles/jail_momlaptop/meta/main.yaml
@@ -0,0 +1,2 @@
 dependencies:
  - syslog
--- a/ansible/roles/jail_momlaptop/tasks/common.yaml
+++ b/ansible/roles/jail_momlaptop/tasks/common.yaml
@@ -0,0 +1,55 @@
 # - name: Create directories
 #   file:
 #     name: "{{ item }}"
 #     state: directory
 #     mode: 0755
 #     owner: root
 #     group: wheel
 #   loop:
 #     - /foo/bar
 # - name: Install scripts
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ item.dest }}"
 #     mode: 0755
 #     owner: root
 #     group: wheel
 #   loop:
 #     - src: foo.bash
 #       dest: /usr/local/bin/foo
 # - name: Install Configuration
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ item.dest }}"
 #     mode: 0600
 #     owner: root
 #     group: wheel
 #   loop:
 #     - src: foo.conf
 #       dest: /usr/local/etc/foo.conf
 # - name: Clone Source
 #   git:
 #     repo: "https://foo.bar/baz.git"
 #     dest: /foo/bar
 #     version: "v1.0.2"
 #     force: true
 #   diff: false
 - import_tasks: tasks/freebsd.yaml
  when: 'os_flavor == "freebsd"'
 - import_tasks: tasks/linux.yaml
  when: 'os_flavor == "linux"'
 # - include_tasks:
 #     file: tasks/peruser.yaml
 #     apply:
 #       become: yes
 #       become_user: "{{ initialize_user }}"
 #   when: users is defined
 #   loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
 #   loop_control:
 #     loop_var: initialize_user
--- a/ansible/roles/jail_momlaptop/tasks/freebsd.yaml
+++ b/ansible/roles/jail_momlaptop/tasks/freebsd.yaml
@@ -0,0 +1,81 @@
 - name: Create www group
  group:
    name: www
 - name: Create www user
  user:
    name: www
    home: /srv/http
    createhome: false
    group: www
 - name: Create directories
  file:
    name: "{{ item }}"
    state: directory
    mode: 0755
    owner: root
    group: wheel
  loop:
    - /momlaptop.fizz.buzz
    - /etc/rc.conf.d
    - /usr/local/etc/nginx/conf.d
 - name: Create directories
  file:
    name: "{{ item }}"
    state: directory
    mode: 0755
    owner: www
    group: www
  loop:
    - /srv/http
 - name: Install packages
  package:
    name:
      - nginx
    state: present
 # validate fails because nginx config relies on a local mime.types
 - name: Install Configuration
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0644
    owner: root
    group: wheel
  loop:
    - src: nginx.conf
      dest: /usr/local/etc/nginx/nginx.conf
    - src: headers.include
      dest: /usr/local/etc/nginx/conf.d/headers.include
    - src: proxy.include
      dest: /usr/local/etc/nginx/conf.d/proxy.include
    - src: tls_settings.include
      dest: /usr/local/etc/nginx/conf.d/tls_settings.include
      # Generate htpasswd with `htpasswd -c files/htpasswd user1`
      # or `printf "USER:$(openssl passwd)\n" >> files/htpasswd`
    - src: htpasswd
      dest: /usr/local/etc/nginx/conf.d/htpasswd
 - name: Install newsyslog configuration
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0600
    owner: root
    group: wheel
  loop:
    - src: newsyslog.conf
      dest: /usr/local/etc/newsyslog.conf.d/nginx.conf
 - name: Install service configuration
  copy:
    src: "files/{{ item }}_rc.conf"
    dest: "/etc/rc.conf.d/{{ item }}"
    mode: 0644
    owner: root
    group: wheel
  loop:
    - nginx
--- a/ansible/roles/jail_momlaptop/tasks/linux.yaml
+++ b/ansible/roles/jail_momlaptop/tasks/linux.yaml
@@ -0,0 +1,29 @@
 # - name: Build aur packages
 #   register: buildaur
 #   become_user: "{{ build_user.name }}"
 #   command: "aurutils-sync --no-view {{ item }}"
 #   args:
 #     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
 #   loop:
 #     - foo
 # - name: Update cache
 #   when: buildaur.changed
 #   pacman:
 #     name: []
 #     state: present
 #     update_cache: true
 # - name: Install packages
 #   package:
 #     name:
 #       - foo
 #     state: present
 # - name: Enable services
 #   systemd:
 #     enabled: yes
 #     name: "{{ item }}"
 #     daemon_reload: yes
 #   loop:
 #     - foo.service
--- a/ansible/roles/jail_momlaptop/tasks/main.yaml
+++ b/ansible/roles/jail_momlaptop/tasks/main.yaml
@@ -0,0 +1,2 @@
 - import_tasks: tasks/common.yaml
  # when: foo is defined
--- a/ansible/roles/jail_momlaptop/tasks/peruser.yaml
+++ b/ansible/roles/jail_momlaptop/tasks/peruser.yaml
@@ -0,0 +1,29 @@
 - include_role:
    name: per_user
 # - name: Create directories
 #   file:
 #     name: "{{ account_homedir.stdout }}/{{ item }}"
 #     state: directory
 #     mode: 0700
 #     owner: "{{ account_name.stdout }}"
 #     group: "{{ group_name.stdout }}"
 #   loop:
 #     - ".config/foo"
 # - name: Copy files
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
 #     mode: 0600
 #     owner: "{{ account_name.stdout }}"
 #     group: "{{ group_name.stdout }}"
 #   loop:
 #     - src: foo.conf
 #       dest: .config/foo/foo.conf
 - import_tasks: tasks/peruser_freebsd.yaml
  when: 'os_flavor == "freebsd"'
 - import_tasks: tasks/peruser_linux.yaml
  when: 'os_flavor == "linux"'
--- a/ansible/roles/jail_momlaptop/tasks/peruser_freebsd.yaml
+++ b/ansible/roles/jail_momlaptop/tasks/peruser_freebsd.yaml
--- a/ansible/roles/jail_momlaptop/tasks/peruser_linux.yaml
+++ b/ansible/roles/jail_momlaptop/tasks/peruser_linux.yaml
--- a/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf
+++ b/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf
@@ -91,52 +91,10 @@
                        "ip-address": "10.215.1.217"
                    },
                    {
-                        // hydra
+                        // momlaptop - hard-coded in rc.conf, reproduced here to reserve ip
-                        "hw-address": "06:84:36:68:03:77",
+                        "hw-address": "06:85:69:c5:6a:d6",
-                        "ip-address": "10.215.1.219"
+                        "ip-address": "10.215.1.218"
                    },
                    {
                        // certificate - hard-coded in rc.conf, reproduced here to reserve ip
                        "hw-address": "06:7b:e0:08:16:5d",
                        "ip-address": "10.215.1.220"
                    },
                    {
                        // nix controller0 - hard-coded in nix config, reproduced here to reserve ip
                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01dd
                        "hw-address": "06:7b:e0:08:16:01",
                        "ip-address": "10.215.1.221"
                    },
                    {
                        // nix controller1 - hard-coded in nix config, reproduced here to reserve ip
                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01de
                        "hw-address": "06:7b:e0:08:16:02",
                        "ip-address": "10.215.1.222"
                    },
                    {
                        // nix controller2 - hard-coded in nix config, reproduced here to reserve ip
                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01df
                        "hw-address": "06:7b:e0:08:16:03",
                        "ip-address": "10.215.1.223"
                    },
                    {
                        // nix worker0 - hard-coded in nix config, reproduced here to reserve ip
                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01e0
                        "hw-address": "06:7b:e0:08:16:04",
                        "ip-address": "10.215.1.224"
                    },
                    {
                        // nix worker1 - hard-coded in nix config, reproduced here to reserve ip
                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01e1
                        "hw-address": "06:7b:e0:08:16:05",
                        "ip-address": "10.215.1.225"
                    },
                    {
                        // nix worker2 - hard-coded in nix config, reproduced here to reserve ip
                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01e2
                        "hw-address": "06:7b:e0:08:16:06",
                        "ip-address": "10.215.1.226"
                    }
                ]
            }
        ],
--- a/ansible/roles/javascript/tasks/linux.yaml
+++ b/ansible/roles/javascript/tasks/linux.yaml
@@ -1,3 +1,19 @@
 - name: Build aur packages
  register: buildaur
  become_user: "{{ build_user.name }}"
  command: "aurutils-sync --no-view {{ item }}"
  args:
    creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
  loop:
    - nvm
 - name: Update cache
  when: buildaur.changed
  pacman:
    name: []
    state: present
    update_cache: true
 - name: Install packages
  package:
    name:
--- a/ansible/roles/kanshi/files/config_kanshi
+++ b/ansible/roles/kanshi/files/config_kanshi
@@ -1,11 +1,3 @@
 profile office {
 	output eDP-1 disable
 	output "Dell Inc. DELL C2722DE 6PH6T83" enable
 }
 profile office2 {
 	output eDP-1 disable
 	output "BOE 0x0BCA Unknown" enable
 }
 profile docked {
 	output eDP-1 disable
 	output "Dell Inc. DELL U3014 P1V6N35M329L" enable
--- a/ansible/roles/linfi/defaults/main.yaml
+++ b/ansible/roles/linfi/defaults/main.yaml
@@ -0,0 +1,7 @@
 # linfi:
 #   enabled: true
 #   zfs_dataset: zroot/freebsd/current/vm/linfi
 #   zfs_mountpoint: /vm/linfi
 #   driver_blocklist: "if_iwm if_iwlwifi"
 #   pci_blocklist: "1/0/0"
 #   amd: true
--- a/ansible/roles/linfi/files/launch_linfi.bash
+++ b/ansible/roles/linfi/files/launch_linfi.bash
@@ -0,0 +1,239 @@
 #!/usr/local/bin/bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # Share a host directory to the guest via 9pfs.
 #
 # Inside the VM run:
 #   mount -t virtfs -o trans=virtio sharename /some/vm/path
 #   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
 #   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 sharename /path/to/mountpoint
 # bhyve_options="-s 28,virtio-9p,sharename=/"
 # Enable Sound
 # bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
 # Example usage:
 #
 #   doas bhyve_netgraph_bridge create-disk zdata/vm/poudriere /vm/poudriere 10
 #   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
 #   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere
 : ${VERBOSE:="NO"} # or YES
 : ${CPU_CORES:="1"}
 : ${MEMORY:="1G"}
 : ${NETWORK:="NAT"} # or RAW or BOTH
 : ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
 : ${INTERFACE_NAME:="linfi_host"} # or the external interface like lagg0 for RAW networks
 : ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
 : ${VNC_ENABLE:="NO"}
 : ${VNC_LISTEN:="127.0.0.1:5900"}
 : ${VNC_WIDTH:="1920"}
 : ${VNC_HEIGHT:="1080"}
 : ${PASSTHROUGH:="1/0/0"}
 if [ "$VERBOSE" = "YES" ]; then
    set -x
 fi
 ############## Setup #########################
 function cleanup {
    for vm in "${vms[@]}"; do
        log "Destroying bhyve vm $vm"
        bhyvectl "--vm=$vm" --destroy
        log "Destroyed bhyve vm $vm"
    done
 }
 vms=()
 for sig in EXIT; do
  trap "set +e; sleep 10; cleanup" "$sig"
 done
 function die {
    local status_code="$1"
    shift
    (>&2 echo "${@}")
    exit "$status_code"
 }
 function log {
    (>&2 echo "${@}")
 }
 ############## Program #########################
 function main {
    local cmd="$1"
    shift 1
    if [ "$cmd" = "create-disk" ]; then
        create_disk "${@}"
    elif [ "$cmd" = "start" ]; then
        start_vm "${@}"
    else
        die 1 "Unrecognized command $cmd"
    fi
 }
 function create_disk {
    local zfs_path="$1"
    local mount_path="$2"
    local gigabytes="$3"
    zfs create -o "mountpoint=$mount_path" "$zfs_path"
    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
    tee "${mount_path}/settings" <<EOF
 CPU_CORES="$CPU_CORES"
 MEMORY="$MEMORY"
 NETWORK="$NETWORK"
 IP_RANGE="$IP_RANGE"
 BRIDGE_NAME="$BRIDGE_NAME"
 INTERFACE_NAME="$INTERFACE_NAME"
 EOF
    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none -o volblocksize=64K "$zfs_path/disk0"
 }
 function start_vm {
    local name="$1"
    local zfs_path="$2"
    local mount_path="$3"
    local mount_cd="${4:-}"
    if [ -e "${mount_path}/settings" ]; then
        source "${mount_path}/settings"
    fi
    local additional_args=()
    local host_interface_name="linfi_host"
    local bridge_name="linfi_bridge"
    assert_bridge "$host_interface_name" "$bridge_name"
    local mac_address
    mac_address=$(calculate_mac_address "$name")
    local bridge_link_name
    bridge_link_name=$(detect_available_link "${bridge_name}")
    additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
    # TODO: Look into using nmdm instead of stdio for serial console
    if [ -n "$mount_cd" ]; then
        additional_args+=("-s" "5,ahci-cd,$mount_cd")
    fi
    if [ "$VNC_ENABLE" = "YES" ]; then
        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
    fi
    vms+=("$name")
    while true; do
        set -x
        set +e
        bhyve \
            -D \
            -c sockets=1,cores=1,threads=1 \
            -m "$MEMORY" \
            -H \
            -w \
            -o 'rtc.use_localtime=false' \
            -s 0,hostbridge \
            -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
            -S \
            -s "7,passthru,${PASSTHROUGH}" \
            -s 30,xhci,tablet \
            -s 31,lpc -l com1,stdio \
            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \
            -U '08421734-875e-11ef-a0f3-f426796942c7' \
            "${additional_args[@]}" \
            "$name"
        local exit_code=$?
        set -e
        set +x
        if [ $exit_code -eq 0 ]; then
            echo "Rebooting."
            sleep 5
        elif [ $exit_code -eq 1 ]; then
            echo "Powered off."
            break
        elif [ $exit_code -eq 2 ]; then
            echo "Halted."
            break
        elif [ $exit_code -eq 3 ]; then
            echo "Triple fault."
            break
        elif [ $exit_code -eq 4 ]; then
            echo "Exited due to an error."
            break
        fi
    done
 }
 function detect_available_link {
    local bridge_name="$1"
    local linknum=1
    while true; do
        local link_name="link${linknum}"
        if ! ng_exists "${bridge_name}:${link_name}"; then
            echo "$link_name"
            return
        fi
        linknum=$((linknum + 1))
        if [ "$linknum" -gt 90 ]; then
            (>&2 echo "No available links on bridge $bridge_name")
            exit 1
        fi
    done
 }
 function assert_bridge {
    local host_interface_name="$1"
    local bridge_name="$2"
    if ! ng_exists "${bridge_name}:"; then
        ngctl -d -f - <<EOF
 mkpeer . eiface hook ether
 name .:hook $host_interface_name
 EOF
        ngctl -d -f - <<EOF
 mkpeer ${host_interface_name}: bridge ether link0
 name ${host_interface_name}:ether $bridge_name
 EOF
        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" 192.168.253.2/24 up
        route add default 192.168.253.1
    fi
 }
 function ng_exists {
    ngctl status "${1}" >/dev/null 2>&1
 }
 function calculate_mac_address {
    local name="$1"
    local source
    source=$(md5 -r -s "$name" | awk '{print $1}')
    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
 }
 function find_available_port {
    local start_port="$1"
    local port="$start_port"
    while true; do
        sockstat -P tcp -p 443
        port=$((port + 1))
    done
 }
 function ngctlcat {
    if [ "$VERBOSE" = "YES" ]; then
        tee /dev/tty | ngctl -d -f -
    else
        ngctl -d -f -
    fi
 }
 main "${@}"
--- a/ansible/roles/linfi/files/linfi_rc.conf
+++ b/ansible/roles/linfi/files/linfi_rc.conf
@@ -0,0 +1 @@
 linfi_enable="YES"
--- a/ansible/roles/linfi/meta/main.yaml
+++ b/ansible/roles/linfi/meta/main.yaml
@@ -0,0 +1,3 @@
 dependencies:
  - role: bhyve
    when: 'os_flavor == "freebsd"'
--- a/ansible/roles/linfi/tasks/common.yaml
+++ b/ansible/roles/linfi/tasks/common.yaml
@@ -0,0 +1,55 @@
 # - name: Create directories
 #   file:
 #     name: "{{ item }}"
 #     state: directory
 #     mode: 0755
 #     owner: root
 #     group: wheel
 #   loop:
 #     - /foo/bar
 # - name: Install scripts
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ item.dest }}"
 #     mode: 0755
 #     owner: root
 #     group: wheel
 #   loop:
 #     - src: foo.bash
 #       dest: /usr/local/bin/foo
 # - name: Install Configuration
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ item.dest }}"
 #     mode: 0600
 #     owner: root
 #     group: wheel
 #   loop:
 #     - src: foo.conf
 #       dest: /usr/local/etc/foo.conf
 # - name: Clone Source
 #   git:
 #     repo: "https://foo.bar/baz.git"
 #     dest: /foo/bar
 #     version: "v1.0.2"
 #     force: true
 #   diff: false
 - import_tasks: tasks/freebsd.yaml
  when: 'os_flavor == "freebsd"'
 - import_tasks: tasks/linux.yaml
  when: 'os_flavor == "linux"'
 - include_tasks:
    file: tasks/peruser.yaml
    apply:
      become: yes
      become_user: "{{ initialize_user }}"
  when: users is defined
  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
  loop_control:
    loop_var: initialize_user
--- a/ansible/roles/linfi/tasks/freebsd.yaml
+++ b/ansible/roles/linfi/tasks/freebsd.yaml
@@ -0,0 +1,50 @@
 - name: Install loader.conf
  template:
    src: "templates/{{ item }}_loader.conf.j2"
    dest: "/boot/loader.conf.d/{{ item }}.conf"
    mode: 0644
    owner: root
    group: wheel
  loop:
    - linfi
 - name: Install scripts
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0755
    owner: root
    group: wheel
  loop:
    - src: launch_linfi.bash
      dest: /usr/local/bin/launch_linfi
 - name: Install rc script
  template:
    src: "templates/{{ item.src }}.j2"
    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
    owner: root
    group: wheel
    mode: 0755
  loop:
    - src: linfi
 - name: Install service configuration
  copy:
    src: "files/{{ item }}_rc.conf"
    dest: "/etc/rc.conf.d/{{ item }}"
    mode: 0644
    owner: root
    group: wheel
  loop:
    - linfi
 - name: Install service configuration
  template:
    src: "templates/{{ item }}_rc.conf.j2"
    dest: "/etc/rc.conf.d/{{ item }}"
    mode: 0644
    owner: root
    group: wheel
  loop:
    - devmatch
--- a/ansible/roles/linfi/tasks/linux.yaml
+++ b/ansible/roles/linfi/tasks/linux.yaml
@@ -0,0 +1,29 @@
 # - name: Build aur packages
 #   register: buildaur
 #   become_user: "{{ build_user.name }}"
 #   command: "aurutils-sync --no-view {{ item }}"
 #   args:
 #     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
 #   loop:
 #     - foo
 # - name: Update cache
 #   when: buildaur.changed
 #   pacman:
 #     name: []
 #     state: present
 #     update_cache: true
 # - name: Install packages
 #   package:
 #     name:
 #       - foo
 #     state: present
 # - name: Enable services
 #   systemd:
 #     enabled: yes
 #     name: "{{ item }}"
 #     daemon_reload: yes
 #   loop:
 #     - foo.service
--- a/ansible/roles/linfi/tasks/main.yaml
+++ b/ansible/roles/linfi/tasks/main.yaml
@@ -0,0 +1,2 @@
 - import_tasks: tasks/common.yaml
  when: linfi is defined and linfi.enabled
--- a/ansible/roles/linfi/tasks/peruser.yaml
+++ b/ansible/roles/linfi/tasks/peruser.yaml
@@ -0,0 +1,29 @@
 - include_role:
    name: per_user
 # - name: Create directories
 #   file:
 #     name: "{{ account_homedir.stdout }}/{{ item }}"
 #     state: directory
 #     mode: 0700
 #     owner: "{{ account_name.stdout }}"
 #     group: "{{ group_name.stdout }}"
 #   loop:
 #     - ".config/foo"
 # - name: Copy files
 #   copy:
 #     src: "files/{{ item.src }}"
 #     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
 #     mode: 0600
 #     owner: "{{ account_name.stdout }}"
 #     group: "{{ group_name.stdout }}"
 #   loop:
 #     - src: foo.conf
 #       dest: .config/foo/foo.conf
 - import_tasks: tasks/peruser_freebsd.yaml
  when: 'os_flavor == "freebsd"'
 - import_tasks: tasks/peruser_linux.yaml
  when: 'os_flavor == "linux"'
--- a/ansible/roles/linfi/tasks/peruser_freebsd.yaml
+++ b/ansible/roles/linfi/tasks/peruser_freebsd.yaml
--- a/ansible/roles/linfi/tasks/peruser_linux.yaml
+++ b/ansible/roles/linfi/tasks/peruser_linux.yaml
--- a/ansible/roles/linfi/templates/devmatch_rc.conf.j2
+++ b/ansible/roles/linfi/templates/devmatch_rc.conf.j2
@@ -0,0 +1,2 @@
 devmatch_enable="YES"
 devmatch_blocklist="{{ linfi.driver_blocklist }}"
--- a/ansible/roles/linfi/templates/linfi.j2
+++ b/ansible/roles/linfi/templates/linfi.j2
@@ -0,0 +1,46 @@
 #!/bin/sh
 #
 # PROVIDE: linfi
 # REQUIRE: LOGIN
 # KEYWORD: shutdown nojail
 . /etc/rc.subr
 name=linfi
 rcvar=${name}_enable
 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
 status_cmd="${name}_status"
 load_rc_config $name
 tmux_name="linfi"
 linfi_start() {
    /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env PASSTHROUGH='{{ linfi.pci_blocklist }}' /usr/local/bin/bash /usr/local/bin/launch_linfi start linfi {{ linfi.zfs_dataset }} {{ linfi.zfs_mountpoint }}"
    # /vm/.iso/alpine-extended-3.20.3-x86_64.iso
 }
 linfi_status() {
    if /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null; then
        echo "$tmux_name is running."
    else
        echo "$tmux_name is not running."
        return 1
    fi
 }
 linfi_stop() {
    /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null && (
        /usr/local/bin/tmux kill-session -t $tmux_name
        sleep 10
        bhyvectl --vm=linfi --destroy
        # kill `cat /var/run/linfi.pid`
    )
    linfi_wait_for_end
 }
 linfi_wait_for_end() {
    while /usr/local/bin/tmux has-session -t $tmux_name 2>dev/null; do
        sleep 1
    done
 }
 run_rc_command "$1"
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`--ozone-platform-hint=auto`	`--ozone-platform-hint=auto`
	`--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder`	`--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE`
		`@@ -0,0 +1,2 @@`
							`pipe 1 config bw 100KByte/s`
							`pipe 2 config`
		`@@ -0,0 +1,2 @@`
							`dummynet_enable="YES"`
							`dummynet_rules="/etc/dnctl.conf"`
		`@@ -0,0 +1,2 @@`
							`- import_tasks: tasks/common.yaml`
							`when: (dummynet_config is defined and os_flavor == "freebsd") or (os_flavor == "linux")`
`@@ -1,2 +1,2 @@`
	`# Set screen brightness. Ever since enabling adaptive brightness management, my brightness ends up sinking lower on re-boots (I suspect it is saving the actual brightness rather than the set brightness). This forces the brightness back to the level I prefer.`	`# Set screen brightness. Ever since enabling adaptive brightness management, my brightness ends up sinking lower on re-boots (I suspect it is saving the actual brightness rather than the set brightness). This forces the brightness back to the level I prefer.`
	`w- /sys/class/backlight/amdgpu_bl0/brightness - - - - 21845`	`w- /sys/class/backlight/amdgpu_bl0/brightness - - - - 85`
		`@@ -0,0 +1,2 @@`
							`# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]`
							`/var/log/nginx/*.log 640 5 1000 @T00 GYC /var/run/nginx.pid SIGUSR1`
		`@@ -0,0 +1,2 @@`
							`- import_tasks: tasks/common.yaml`
							`# when: foo is defined`
		`@@ -0,0 +1,2 @@`
							`- import_tasks: tasks/common.yaml`
							`when: linfi is defined and linfi.enabled`
		`@@ -0,0 +1,2 @@`
							`devmatch_enable="YES"`
							`devmatch_blocklist="{{ linfi.driver_blocklist }}"`