Disable nfsd.

The firewall was not working so all traffic was making it through to the host system.

ansible/environments/colo/host_vars/mrmanager

@@ -14,6 +14,8 @@ pf_config: "mrmanager_pf.conf"
 pflog_conf:
   - name: 0
     dev: pflog0
+  - name: 1
+    dev: pflog1
 cputype: "amd"
 hwpstate: true
 etc_hosts: {}

ansible/playbook.yaml

@@ -53,7 +53,7 @@
     - javascript
     - launch_keyboard
     - lvfs
-    - restaurant_health_rating
+    # - restaurant_health_rating
     - wasm
     - noise_suppression
 

ansible/roles/base/files/gitconfig_home

@@ -3,33 +3,52 @@
 	name = Tom Alexander
 	signingkey = D3A179C9A53C0EDE
 [push]
-	default = simple
+	default = simple # (default since 2.0)
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
+        authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
+	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
-
-# Use meld for `git difftool` and `git mergetool`
 [diff]
-	tool = meld
+	tool = meld # Use meld for `git difftool` and `git mergetool`
+	algorithm = histogram
+	colorMoved = plain
+	mnemonicPrefix = true
+	renames = true
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
+	conflictStyle = zdiff3
 [mergetool "meld"]
         # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
         # Make the middle pane start without any merge progress:
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
+[column]
+	ui = auto
+[branch]
+	sort = -committerdate
+[tag]
+	sort = version:refname
+[fetch]
+	prune = true
+	pruneTags = true
+	all = true
+[rebase]
+	autoSquash = true
+	autoStash = true
+	updateRefs = false

ansible/roles/base/files/gitconfig_work

@@ -3,31 +3,36 @@
 	name = Tom Alexander
 	signingkey = D3A179C9A53C0EDE
 [push]
-	default = simple
+	default = simple # (default since 2.0)
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
+        authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
+	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
-
-# Use meld for `git difftool` and `git mergetool`
 [diff]
-	tool = meld
+	tool = meld # Use meld for `git difftool` and `git mergetool`
+	algorithm = histogram
+	colorMoved = plain
+	mnemonicPrefix = true
+	renames = true
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
+	conflictStyle = zdiff3
 [mergetool "meld"]
         # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
@@ -35,3 +40,19 @@
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
 [includeIf "gitdir:/bridge/"]
 	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
+[includeIf "gitdir:/persist/"]
+	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
+[column]
+	ui = auto
+[branch]
+	sort = -committerdate
+[tag]
+	sort = version:refname
+[fetch]
+	prune = true
+	pruneTags = true
+	all = true
+[rebase]
+	autoSquash = true
+	autoStash = true
+	updateRefs = false

ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash

@@ -153,6 +153,7 @@ function start_vm {
             -D \
             -c $CPU_CORES \
             -m $MEMORY \
+            -S \
             -H \
             -P \
             -o 'rtc.use_localtime=false' \
@@ -216,7 +217,7 @@ EOF
 mkpeer ${host_interface_name}: bridge ether link0
 name ${host_interface_name}:ether $bridge_name
 EOF
-        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" "$ip_range" up
+        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
     fi
 }
 

ansible/roles/bhyve/files/bhyverc.bash

@@ -0,0 +1,459 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Share a host directory to the guest via 9pfs.
+#
+# Inside the VM run:
+#   mount -t virtfs -o trans=virtio sharename /some/vm/path
+#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
+#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 bind9p /path/to/mountpoint
+# bhyve_options="-s 28,virtio-9p,sharename=/"
+
+# Enable Sound
+# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
+
+# Example usage:
+#
+#   doas bhyverc create-disk zdata/vm/poudriere /vm/poudriere 10
+#   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
+#   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere
+
+
+: ${VERBOSE:="NO"} # or YES
+if [ "$VERBOSE" = "YES" ]; then
+    set -x
+fi
+
+: ${CPU_CORES:="1"}
+: ${MEMORY:="1G"}
+: ${NETWORK:="NAT"} # or RAW or BOTH
+: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
+: ${INTERFACE_NAME:="jail_nat"} # or the external interface like lagg0 for RAW networks
+: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
+: ${VNC_ENABLE:="NO"}
+: ${VNC_LISTEN:="127.0.0.1:5900"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
+: ${BIND9P:=""}
+: "${CD:=}"
+
+: ${SHUTDOWN_TIMEOUT:="600"} # 10 minutes
+
+
+
+############## Setup #########################
+
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
+
+function main {
+    local cmd
+    cmd=$1
+    shift
+    if [ "$cmd" = "start" ]; then
+        init
+        start "${@}"
+    elif [ "$cmd" = "stop" ]; then
+        init
+        stop "${@}"
+    elif [ "$cmd" = "status" ]; then
+        init
+        status "${@}"
+    elif [ "$cmd" = "console" ]; then
+        init
+        console "${@}"
+    elif [ "$cmd" = "_start_body" ]; then
+        init
+        start_body "${@}"
+    elif [ "$cmd" = "create-disk" ]; then
+        create_disk "${@}"
+    else
+        (>&2 echo "Unknown command: $cmd")
+        exit 1
+    fi
+}
+
+function start {
+    local num_vms="$#"
+    if [ "$num_vms" -eq 0 ]; then
+        log "No VMs specified."
+        return 0
+    fi
+
+    while [ "$#" -gt 0 ]; do
+        local name="$1"
+        shift 1
+        log "Starting VM $name."
+        start_one "$name"
+        [ "$#" -eq 0 ] || sleep 5
+    done
+}
+
+function start_one {
+    local name="$1"
+    local tmux_name="$name"
+    /usr/local/bin/tmux new-session -d -s "$tmux_name" "$0" "_start_body" "$name"
+    # /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=NO VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_opnsense.bash"
+}
+
+function launch_pidfile {
+    local pidfile="$1"
+    shift 1
+    mkdir -p "$(dirname "$pidfile")"
+    cat > "${pidfile}" <<< "$$"
+    set -x
+    exec "${@}"
+}
+export -f launch_pidfile
+
+function stop {
+    local num_vms="$#"
+    if [ "$num_vms" -eq 0 ]; then
+        log "No VMs specified."
+        return 0
+    fi
+
+    while [ "$#" -gt 0 ]; do
+        local name="$1"
+        shift 1
+        log "Stopping VM $name."
+        stop_one "$name"
+        [ "$#" -eq 0 ] || sleep 5
+    done
+}
+
+function stop_one {
+    local name="$1"
+    local pidfile="/run/bhyverc/${name}/pid"
+
+    if [ ! -e "$pidfile" ]; then
+        log "Pid file $pidfile does not exist."
+        return 0
+    fi
+
+    local bhyve_pid
+    bhyve_pid=$(cat "$pidfile")
+
+    if ps -p "$bhyve_pid" >/dev/null; then
+        # Send ACPI shutdown command
+        log "Sending ACPI shutdown to ${name}:${bhyve_pid}."
+        kill -SIGTERM "$bhyve_pid"
+    fi
+
+    local timeout_start timeout_end
+    timeout_start=$(date +%s)
+    while ps -p "$bhyve_pid" >/dev/null; do
+        timeout_end=$(date +%s)
+        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
+            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to shut down. Hard powering down."
+            break
+        fi
+
+        log "Waiting for ${name}:${bhyve_pid} to exit."
+        sleep 2
+    done
+
+    bhyvectl "--vm=$name" --destroy || true
+
+    local timeout_start timeout_end
+    timeout_start=$(date +%s)
+    while ps -p "$bhyve_pid" >/dev/null; do
+        timeout_end=$(date +%s)
+        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
+            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to hard power down. Giving up."
+            break
+        fi
+
+        log "Waiting for ${name}:${bhyve_pid} to hard power down."
+        sleep 2
+    done
+
+    rm -f "$pidfile"
+
+    log "Finished stopping $name."
+}
+
+function status {
+    local num_vms="$#"
+
+    if [ "$num_vms" -gt 0 ]; then
+        for name in "$@"; do
+            status_one "$name"
+        done
+    else
+        log "No VMs specified."
+    fi
+}
+
+function status_one {
+    local name="$1"
+    local pidfile="/run/bhyverc/${name}/pid"
+
+    if [ ! -e "$pidfile" ]; then
+        log "$name is not running."
+        return 0
+    fi
+
+    local bhyve_pid
+    bhyve_pid=$(cat "$pidfile")
+
+    if ! ps -p "$bhyve_pid" >/dev/null; then
+        log "$name is not running."
+        return 0
+    fi
+
+    log "$name is running as pid $bhyve_pid."
+}
+
+function console {
+    local num_vms="$#"
+
+    if [ "$num_vms" -gt 0 ]; then
+        for name in "$@"; do
+            log "Attaching to console of VM $name."
+            console_one "$name"
+        done
+    else
+        log "No VMs specified."
+    fi
+}
+
+function console_one {
+    local name="$1"
+    local tmux_name="$name"
+    exec tmux a -t "$tmux_name"
+}
+
+function init {
+    mkdir -p /run/bhyverc
+}
+
+############## Bhyve ###########################
+
+function create_disk {
+    local zfs_path="$1"
+    local mount_path="$2"
+    local gigabytes="$3"
+    zfs create -o "mountpoint=$mount_path" "$zfs_path"
+    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
+    tee "${mount_path}/settings" <<EOF
+CPU_CORES="$CPU_CORES"
+MEMORY="$MEMORY"
+NETWORK="$NETWORK"
+IP_RANGE="$IP_RANGE"
+BRIDGE_NAME="$BRIDGE_NAME"
+INTERFACE_NAME="$INTERFACE_NAME"
+EOF
+    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none "$zfs_path/disk0"
+}
+
+function start_body {
+    local name="$1"
+    local zfs_path="zdata/vm/$name"
+    local mount_path="/vm/$name"
+    local mount_cd="$CD"
+
+    if [ -e "${mount_path}/settings" ]; then
+        source "${mount_path}/settings"
+    fi
+
+    local host_interface_name="$INTERFACE_NAME" # for raw, external interface
+    local bridge_name="$BRIDGE_NAME"
+    local ip_range="$IP_RANGE" # for raw this value does not matter
+
+    local mac_address
+    mac_address=$(calculate_mac_address "$name")
+
+    local additional_args=()
+
+    if [ "$NETWORK" = "NAT" ]; then
+        assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+    elif [ "$NETWORK" = "RAW" ]; then
+        assert_raw "$host_interface_name" "$bridge_name"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+    elif [ "$NETWORK" = "BOTH" ]; then
+        assert_bridge "jail_nat" "$bridge_name" "$ip_range"
+        assert_raw "$host_interface_name" "bridge_raw"
+        local bridge_link_name=$(detect_available_link "${bridge_name}")
+        local raw_bridge_link_name=$(detect_available_link "bridge_raw")
+        local raw_mac_address=$(calculate_mac_address "${name}_raw")
+        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
+        additional_args+=("-s" "3:0,virtio-net,netgraph,path=bridge_raw:,peerhook=${raw_bridge_link_name},mac=${raw_mac_address}")
+    else
+        die 1 "Unrecognized NETWORK type $NETWORK"
+    fi
+
+    if [ -n "$BIND9P" ]; then
+        additional_args+=("-s" "28,virtio-9p,bind9p=${BIND9P}")
+    fi
+
+
+    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
+         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
+             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
+            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
+
+    # TODO: Look into using nmdm instead of stdio for serial console
+    if [ -n "$mount_cd" ]; then
+        additional_args+=("-s" "5,ahci-cd,$mount_cd")
+    fi
+    if [ "$VNC_ENABLE" = "YES" ]; then
+        additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
+    fi
+    vms+=("$name")
+    while true; do
+        local pidfile="/run/bhyverc/${name}/pid"
+        trap "set +e; stop_one '${name}'" EXIT
+
+        local launch_cmd=()
+        launch_cmd+=(
+            launch_pidfile "$pidfile"
+            bhyve
+            -D
+            -c "$CPU_CORES"
+            -m "$MEMORY"
+            -S
+            -H
+            -o 'rtc.use_localtime=false'
+            -s "0,hostbridge"
+            -s "4,nvme,/dev/zvol/${zfs_path}/disk0"
+            -s "30,xhci,tablet"
+            -s "31,lpc" -l "com1,stdio"
+            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd"
+            "${additional_args[@]}"
+            "$name"
+        )
+        set +e
+        rm -f "$pidfile"
+        (
+            IFS=$' \n\t'
+            set -ex
+            bash -c "${launch_cmd[*]}"
+        )
+        local exit_code=$?
+        log "Exit code ${exit_code}"
+        set -e
+        if [ $exit_code -eq 0 ]; then
+            echo "Rebooting."
+            sleep 5
+        elif [ $exit_code -eq 1 ]; then
+            echo "Powered off."
+            break
+        elif [ $exit_code -eq 2 ]; then
+            echo "Halted."
+            break
+        elif [ $exit_code -eq 3 ]; then
+            echo "Triple fault."
+            break
+        elif [ $exit_code -eq 4 ]; then
+            echo "Exited due to an error."
+            break
+        fi
+    done
+}
+
+function detect_available_link {
+    local bridge_name="$1"
+    local linknum=1
+    while true; do
+        local link_name="link${linknum}"
+        if ! ng_exists "${bridge_name}:${link_name}"; then
+            echo "$link_name"
+            return
+        fi
+        linknum=$((linknum + 1))
+        if [ "$linknum" -gt 90 ]; then
+            (>&2 echo "No available links on bridge $bridge_name")
+            exit 1
+        fi
+    done
+}
+
+function assert_bridge {
+    local host_interface_name="$1"
+    local bridge_name="$2"
+    local ip_range="$3"
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook $host_interface_name
+EOF
+        ngctl -d -f - <<EOF
+mkpeer ${host_interface_name}: bridge ether link0
+name ${host_interface_name}:ether $bridge_name
+EOF
+        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
+    fi
+}
+
+function assert_raw {
+    local extif="$1"
+    local bridge_name="$2"
+
+    kldload -n ng_bridge ng_eiface ng_ether
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctlcat <<EOF
+# Create a bridge.
+mkpeer $extif: bridge lower link0
+# Assign a name to the bridge.
+name $extif:lower ${bridge_name}
+# Since the host is also using $extif, we need to connect the upper hook also. Otherwise we will lose connectivity.
+connect $extif: ${bridge_name}: upper link1
+
+# Enable promiscuous mode so the host ethernet adapter accepts packets for all addresses
+msg $extif: setpromisc 1
+
+# Do not overwrite source address on packets
+msg $extif: setautosrc 0
+EOF
+    fi
+}
+
+function ng_exists {
+    ngctl status "${1}" >/dev/null 2>&1
+}
+
+function calculate_mac_address {
+    local name="$1"
+    local source
+    source=$(md5 -r -s "$name" | awk '{print $1}')
+    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
+}
+
+function find_available_port {
+    local start_port="$1"
+    local port="$start_port"
+    while true; do
+        sockstat -P tcp -p 443
+        port=$((port + 1))
+    done
+}
+
+function ngctlcat {
+    if [ "$VERBOSE" = "YES" ]; then
+        tee /dev/tty | ngctl -d -f -
+    else
+        ngctl -d -f -
+    fi
+}
+
+main "${@}"

ansible/roles/bhyve/files/bhyverc.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# REQUIRE: LOGIN FILESYSTEMS
+# PROVIDE: bhyverc
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+name=bhyverc
+rcvar=${name}_enable
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+status_cmd="${name}_status"
+console_cmd="${name}_console"
+extra_commands="console"
+load_rc_config $name
+
+bhyverc_start() {
+    export PATH="$PATH:/usr/local/bin"
+    exec /usr/local/bin/bhyverc start "${@}"
+}
+
+bhyverc_status() {
+    export PATH="$PATH:/usr/local/bin"
+    exec /usr/local/bin/bhyverc status "${@}"
+}
+
+bhyverc_stop() {
+    export PATH="$PATH:/usr/local/bin"
+    exec /usr/local/bin/bhyverc stop "${@}"
+}
+
+bhyverc_console() {
+    export PATH="$PATH:/usr/local/bin"
+    exec /usr/local/bin/bhyverc console "${@}"
+}
+
+run_rc_command "$@"

ansible/roles/bhyve/tasks/freebsd.yaml

@@ -22,6 +22,25 @@
   loop:
     - src: bhyve_netgraph_bridge.bash
       dest: /usr/local/bin/bhyve_netgraph_bridge
+    - src: bhyverc.bash
+      dest: /usr/local/bin/bhyverc
+
+- name: Install rc script
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+    owner: root
+    group: wheel
+    mode: 0755
+  loop:
+    - src: bhyverc.sh
+      dest: bhyverc
+
+- name: Enable bhyverc
+  community.general.sysrc:
+    name: bhyverc_enable
+    value: "YES"
+    path: /etc/rc.conf.d/bhyverc
 
 - name: Create zfs dataset
   zfs:

ansible/roles/chromium/files/chromium-flags.conf

@@ -1,2 +1,2 @@
 --ozone-platform-hint=auto
---enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE
+--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder

ansible/roles/emacs/files/elisp/base-extensions.el

@@ -51,17 +51,27 @@
 ;; Persist history over Emacs restarts. Vertico sorts by history position.
 (use-package savehist
   ;; This is an emacs built-in but we're pulling the latest version
+  :pin gnu
   :config
   (savehist-mode))
 
 (use-package which-key
+  :pin gnu
   :diminish
   :config
   (which-key-mode))
 
 (use-package windmove
-  :config
+  ;; This is an emacs built-in but we're pulling the latest version
-  (windmove-default-keybindings))
+  :pin gnu
+  :bind
+  (
+   ("S-<up>" . windmove-up)
+   ("S-<right>" . windmove-right)
+   ("S-<down>" . windmove-down)
+   ("S-<left>" . windmove-left)
+   )
+  )
 
 (setq tramp-default-method "ssh")
 

ansible/roles/emacs/files/elisp/base.el

@@ -63,6 +63,9 @@
  show-trailing-whitespace t
  ;; Remove the line when killing it with ctrl-k
  kill-whole-line t
+
+ ;; Show the current project in the mode line
+ project-mode-line t
  )
 
 ;; (setq-default fringes-outside-margins t)

ansible/roles/emacs/files/elisp/lang-cmake.el

@@ -0,0 +1,18 @@
+(require 'common-lsp)
+
+(use-package cmake-mode
+  :commands cmake-mode
+  :hook (
+         (cmake-mode . (lambda ()
+                         (eglot-ensure)
+                         (defclass my/eglot-cmake (eglot-lsp-server) ()
+                           :documentation
+                           "Own eglot server class.")
+
+                         (add-to-list 'eglot-server-programs
+                                      '(cmake-mode . (my/eglot-cmake "cmake-language-server")))
+                         ))
+         )
+  )
+
+(provide 'lang-cmake)

ansible/roles/emacs/files/elisp/lang-nix.el

@@ -7,15 +7,15 @@
   :commands nix-mode
   :hook (
          (nix-mode . (lambda ()
-                             ;; (eglot-ensure)
+                       (eglot-ensure)
-                             ;; (defclass my/eglot-nix (eglot-lsp-server) ()
+                       (defclass my/eglot-nix (eglot-lsp-server) ()
-                             ;;   :documentation
+                         :documentation
-                             ;;   "Own eglot server class.")
+                         "Own eglot server class.")
 
-                             ;; (add-to-list 'eglot-server-programs
+                       (add-to-list 'eglot-server-programs
-                             ;;              '(nix-mode . (my/eglot-nix "nixd")))
+                                    '(nix-mode . (my/eglot-nix "nixd")))
-                             ;; (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                       (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
-                             ))
+                       ))
          )
   )
 

ansible/roles/emacs/files/elisp/lang-org.el

@@ -1,16 +1,23 @@
 (use-package org
   :ensure nil
   :commands org-mode
-  :bind (
+  :bind (:map org-mode-map
          ("C-c l" . org-store-link)
          ("C-c a" . org-agenda)
-         ("C--" . org-timestamp-down)
+         ("S-<up>" . org-shiftup)
-         ("C-=" . org-timestamp-up)
+         ("S-<right>" . org-shiftright)
+         ("S-<down>" . org-shiftdown)
+         ("S-<left>" . org-shiftleft)
          )
   :hook (
          (org-mode . (lambda ()
                        (org-indent-mode +1)
-                        ))
+                       ))
+         ;; Make windmove work in Org mode:
+         (org-shiftup-final . windmove-up)
+         (org-shiftleft-final . windmove-left)
+         (org-shiftdown-final . windmove-down)
+         (org-shiftright-final . windmove-right)
          )
   :config
   (require 'org-tempo)
@@ -38,6 +45,8 @@
 
   ;; TODO: There is an option to set the compiler, could be better than manually doing this here https://orgmode.org/manual/LaTeX_002fPDF-export-commands.html
   ;; (setq org-latex-compiler "lualatex")
+  ;; TODO: nixos latex page recommends this line, figure out what it does / why its needed:
+  ;; (setq org-preview-latex-default-process 'dvisvgm)
   (setq org-latex-pdf-process
         '("lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
           "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"

ansible/roles/emacs/files/elisp/util-tree-sitter.el

@@ -4,6 +4,8 @@
   :commands (treesit-install-language-grammar treesit-ready-p)
   :init
   (setq treesit-language-source-alist '())
+  :custom
+  (treesit-max-buffer-size 209715200) ;; 200MiB
   :config
   ;; Default to the max level of detail in treesitter highlighting. This
   ;; can be overridden in each language's use-package call with:

ansible/roles/emacs/files/init.el

@@ -38,4 +38,6 @@
 
 (require 'lang-nix)
 
+(require 'lang-cmake)
+
 (load-directory autoload-directory)

ansible/roles/firefox/defaults/main.yaml

@@ -40,6 +40,6 @@ firefox_config:
   privacy.fingerprintingProtection: true
   # Allow sending dark mode preference to websites.
   # Allow sending timezone to websites.
-  privacy.fingerprintingProtection.overrides: "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked"
+  privacy.fingerprintingProtection.overrides: "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt,-CanvasExtractionFromThirdPartiesIsBlocked"
   # Disable weather on new tab page
   browser.newtabpage.activity-stream.showWeather: false

ansible/roles/firefox/tasks/linux.yaml

@@ -3,4 +3,5 @@
     name:
       - libfido2
       - firefox-developer-edition
+      - speech-dispatcher # For TTS
     state: present

ansible/roles/firewall/files/mrmanager_pf.conf

@@ -2,7 +2,8 @@ ext_if = "lagg0"
 not_ext_if = "{ !lagg0 }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
-pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
+# pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
+pub_k8s = "{ 74.80.180.137, 74.80.180.139, 74.80.180.140, 74.80.180.141, 74.80.180.142 }"
 
 dhcp = "{ bootpc, bootps }"
 allow = "{ colo }"
@@ -35,18 +36,22 @@ scrub in on $ext_if all fragment reassemble
 nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
 rdr pass on jail_nat proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
 
-rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 -> 10.215.1.204 port 6443
+rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
 
-rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 -> 10.215.1.204 port 19993
+rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
 
-rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 -> 10.215.1.210 port 22
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22
 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22
 
-rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 -> 10.215.1.211 port 53
+# log (to pflog1)
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
 
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65122 tag REDIRINTERNAL -> 10.215.1.219 port 22
+rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65122 tag REDIRINTERNAL -> 10.215.1.219 port 22
+
 nat pass tagged REDIRINTERNAL -> (jail_nat)
 nat pass tagged REDIREXTERNAL -> ($ext_if)
 

ansible/roles/framework_laptop/files/screen_brightness_tmpfiles.conf

@@ -1,2 +1,2 @@
 # Set screen brightness. Ever since enabling adaptive brightness management, my brightness ends up sinking lower on re-boots (I suspect it is saving the actual brightness rather than the set brightness). This forces the brightness back to the level I prefer.
-w- /sys/class/backlight/amdgpu_bl0/brightness - - - - 85
+w- /sys/class/backlight/amdgpu_bl0/brightness - - - - 21845

ansible/roles/framework_laptop/tasks/linux.yaml

@@ -34,7 +34,7 @@
 
 - name: Configure kernel command line
   zfs:
-    name: "zroot/linux"
+    name: "zroot/linux/archwork/be"
     state: present
     extra_zfs_properties:
       # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.

ansible/roles/jail/templates/new_jail.bash.j2

@@ -26,7 +26,7 @@ function by_src {
 }
 
 function by_bin {
-    DESTRELEASE=13.2-RELEASE
+    DESTRELEASE=14.1-RELEASE
     DESTARCH=`uname -m`
     SOURCEURL=http://ftp.freebsd.org/pub/FreeBSD/releases/$DESTARCH/$DESTRELEASE/
     for component in base ports; do fetch $SOURCEURL/$component.txz -o - | tar -xf - -C "$DESTDIR" ; done

ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf

@@ -94,7 +94,18 @@
                         // momlaptop - hard-coded in rc.conf, reproduced here to reserve ip
                         "hw-address": "06:85:69:c5:6a:d6",
                         "ip-address": "10.215.1.218"
+                    },
+                    {
+                        // hydra
+                        "hw-address": "06:84:36:68:03:77",
+                        "ip-address": "10.215.1.219"
+                    },
+                    {
+                        // certificate - hard-coded in rc.conf, reproduced here to reserve ip
+                        "hw-address": "06:7b:e0:08:16:5d",
+                        "ip-address": "10.215.1.220"
                     }
+
                 ]
             }
         ],

ansible/roles/kanshi/files/config_kanshi

@@ -1,3 +1,11 @@
+profile office {
+	output eDP-1 disable
+	output "Dell Inc. DELL C2722DE 6PH6T83" enable
+}
+profile office2 {
+	output eDP-1 disable
+	output "BOE 0x0BCA Unknown" enable
+}
 profile docked {
 	output eDP-1 disable
 	output "Dell Inc. DELL U3014 P1V6N35M329L" enable

ansible/roles/mrmanager/files/nfsd_rc.conf

@@ -1 +1,4 @@
 nfs_server_enable="YES"
+# nfsv4_server_enable="YES"
+# nfsv4_server_only="YES"
+nfs_server_flags="-u -t --minthreads 1 --maxthreads 32"

ansible/roles/mrmanager/tasks/freebsd.yaml

@@ -8,37 +8,37 @@
     - name: net.link.ether.inet.proxyall
       value: "1"
 
-- name: Install service configuration
+# - name: Install service configuration
-  copy:
+#   copy:
-    src: "files/{{ item }}_rc.conf"
+#     src: "files/{{ item }}_rc.conf"
-    dest: "/etc/rc.conf.d/{{ item }}"
+#     dest: "/etc/rc.conf.d/{{ item }}"
-    mode: 0644
+#     mode: 0644
-    owner: root
+#     owner: root
-    group: wheel
+#     group: wheel
-  loop:
+#   loop:
-    - nfsd
+#     - nfsd
-    - mountd
+#     - mountd
-    - lockd
+#     - lockd
-    - statd
+#     - statd
-    - rpcbind
+#     - rpcbind
 
-- name: Create zfs datasets
+# - name: Create zfs datasets
-  zfs:
+#   zfs:
-    name: zdata/k8spersistent
+#     name: zdata/k8spersistent
-    state: present
+#     state: present
-    extra_zfs_properties:
+#     extra_zfs_properties:
-      sharenfs: "-network 10.215.1.0/24,-alldirs,-maproot=root:root"
+#       sharenfs: "-network 10.215.1.0/24,-alldirs,-maproot=root:root"
-      mountpoint: /k8spersistent
+#       mountpoint: /k8spersistent
 
-- name: Update ownership
+# - name: Update ownership
-  file:
+#   file:
-    name: "{{ item }}"
+#     name: "{{ item }}"
-    state: directory
+#     state: directory
-    mode: 0777
+#     mode: 0777
-    owner: root
+#     owner: root
-    group: wheel
+#     group: wheel
-  loop:
+#   loop:
-    - /k8spersistent
+#     - /k8spersistent
 
 - name: Install scripts
   copy:

ansible/roles/package_manager/files/pacman.conf

@@ -81,12 +81,6 @@ Include = /etc/pacman.d/mirrorlist
 [extra]
 Include = /etc/pacman.d/mirrorlist
 
-#[community-testing]
-#Include = /etc/pacman.d/mirrorlist
-
-[community]
-Include = /etc/pacman.d/mirrorlist
-
 # If you want to run 32 bit applications on your x86_64 system,
 # enable the multilib repositories as required here.
 

ansible/roles/public_dns/files/master.db

@@ -23,6 +23,9 @@ $ORIGIN fizz.buzz.
 ; Allows receivers to know you send your mail via Fastmail, and other servers
 IN TXT v=spf1 include:spf.messagingengine.com ?all
 
+; Tell receivers what to do with fake email
+_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@fizz.buzz;"
+
 ns1     IN A     74.80.180.138
 ns2     IN A     74.80.180.138
 

ansible/roles/sway/files/config

@@ -23,6 +23,7 @@ set $menu wofi --show drun --gtk-dark
 
 # Do not show a title bar on windows
 default_border pixel 2
+hide_edge_borders smart_no_gaps
 
 bindsym $mod+grave exec $term
 

ansible/roles/sway/files/start_screen_share.bash

@@ -5,6 +5,6 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-makoctl set-mode do-not-disturb
+makoctl mode -s do-not-disturb
 
 swaymsg output "'Dell Inc. DELL U3014 P1V6N35M329L'" scale 2

ansible/roles/sway/files/stop_screen_share.bash

@@ -5,6 +5,6 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-makoctl set-mode default
+makoctl mode -s default
 
 swaymsg output "'Dell Inc. DELL U3014 P1V6N35M329L'" scale 1

ansible/roles/vscode/files/keybindings.json

@@ -20,6 +20,12 @@
         "command": "-workbench.action.navigateBack",
         "when": "canNavigateBack"
     },
+  {
+    // This isn't quite right. In emacs it would go back to the last location you performed an action which could include navigation. This goes back to the place where you last changed the text. Either way, close enough.
+        "key": "ctrl+x ctrl+x",
+        "command": "workbench.action.navigateToLastEditLocation",
+        "when": "canNavigateToLastEditLocation"
+    },
     {
         "key": "shift+alt+/",
         "command": "editor.action.goToReferences",

ansible/roles/vscode/files/settings.json

@@ -18,6 +18,7 @@
   "workbench.editor.showTabs": "none",
   "workbench.activityBar.location": "hidden",
   "window.menuBarVisibility": "toggle",
+  "window.commandCenter": false,
   "explorer.autoReveal": false,
   "[python]": {
     "editor.defaultFormatter": "ms-python.black-formatter",
@@ -31,11 +32,25 @@
     "editor.defaultFormatter": "hashicorp.terraform",
     "editor.formatOnSave": true
   },
+  "[typescript]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode",
+    "editor.formatOnSave": true
+  },
+  "[typescriptreact]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode",
+    "editor.formatOnSave": true
+  },
+  "javascript.autoClosingTags": false,
+  "typescript.autoClosingTags": false,
   "black-formatter.importStrategy": "fromEnvironment",
   "workbench.statusBar.visible": false,
   "git.openRepositoryInParentFolders": "never",
   "files.autoSave": "afterDelay",
   "editor.rulers": [
     100
-  ]
+  ],
+  "workbench.secondarySideBar.defaultVisibility": "hidden",
+  "editor.autoClosingBrackets": "never",
+  "editor.autoSurround": "never",
+  "workbench.editor.navigationScope": "editorGroup"
 }

ansible/roles/zfs/tasks/linux.yaml

@@ -27,7 +27,8 @@
   args:
     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
   loop:
-    - zfs-dkms-git
+    # - zfs-dkms-git
+    - zfs-dkms
     - zfs-utils
 
 - name: Update cache
@@ -40,7 +41,8 @@
 - name: Install packages
   package:
     name:
-      - zfs-dkms-git
+      # - zfs-dkms-git
+      - zfs-dkms
       - zfs-utils
     state: present
 

router/launch_mediamtx.bash

@@ -78,6 +78,8 @@ function start_vm {
             -D \
             -c 2 \
             -m 3G \
+            -H \
+            -S \
             -o 'rtc.use_localtime=false' \
             -s 0,hostbridge \
             -s "4,nvme,/dev/zvol/zroot/vm/mediamtx/disk0" \

router/launch_opnsense.bash

@@ -76,6 +76,7 @@ function start_vm {
             -c 4 \
             -m 8G \
             -H \
+            -S \
             -o 'rtc.use_localtime=false' \
             -s 0,hostbridge \
             -s "4,nvme,/dev/zvol/zroot/vm/opnsense/disk0" \

router/launch_unifi.bash

@@ -78,6 +78,7 @@ function start_vm {
             -c 1 \
             -m 3G \
             -H \
+            -S \
             -o 'rtc.use_localtime=false' \
             -s 0,hostbridge \
             -s "4,nvme,/dev/zvol/zroot/vm/unifi/disk0" \