| author | Cullum Smith <cullum@sacredheartsc.com> | 2026-06-02 20:56:13 -0400 |
|---|---|---|
| committer | Cullum Smith <cullum@sacredheartsc.com> | 2026-06-02 20:56:13 -0400 |
| commit | f2ff9e3d90cb024d4b4486170720fe6d1a1cd220 (patch) | |
| tree | ddd2835e32536f0c6a52bba2a9657f0e14d8af3e | |
| parent | d7961b803da9bc2af0503c6c23455bb4cdc54d09 (diff) | |
| download | infrastructure-f2ff9e3d90cb024d4b4486170720fe6d1a1cd220.tar.gz | |
updates for 15.1 - now our minimum version
29 files changed, 291 insertions, 97 deletions
diff --git a/docs/10-bootstrapping.md b/docs/10-bootstrapping.md index bb3082f..472c7f9 100644 --- a/docs/10-bootstrapping.md +++ b/docs/10-bootstrapping.md @@ -61,12 +61,15 @@ are also set with this command. -e allow.raw_sockets=true \ -e allow.socket_af=true \ -e allow.mlock=true \ + -e allow.chflags=true \ -e sysvmsg=new \ -e sysvsem=new \ -e sysvshm=new \ -e children.max=1000 \ pkg1 freebsd14.1 +Edit the jail config file to set the devfs ruleset to 1001 so you can use filemon. + Now you are ready to build all the packages and create the repository. `boxconf` assumes that any host named `pkg[0-1]` has the `pkg_repository` hostclass. diff --git a/files/etc/cron.d/poudriere.pkg_repository b/files/etc/cron.d/poudriere.pkg_repository index dc9c598..8394189 100644 --- a/files/etc/cron.d/poudriere.pkg_repository +++ b/files/etc/cron.d/poudriere.pkg_repository @@ -1 +1 @@ -@weekly root lockf -t 0 /tmp/poudriere-cron.lock /usr/local/libexec/poudriere-cron $(echo "$poudriere_versions" | tr . _) idm $(echo "$poudriere_idm_versions" | tr . _) +@weekly root lockf -t 0 /tmp/poudriere-cron.lock /usr/local/libexec/poudriere-cron base ${poudriere_base_versions} ports ${poudriere_port_versions}" diff --git a/files/etc/devfs.rules.freebsd_hypervisor b/files/etc/devfs.rules.freebsd_hypervisor index fe40b9c..7cd087e 100644 --- a/files/etc/devfs.rules.freebsd_hypervisor +++ b/files/etc/devfs.rules.freebsd_hypervisor @@ -2,3 +2,7 @@ [devfsrules_jail_vnet_bpf=${hypervisor_jail_bpf_ruleset}] add include \$devfsrules_jail_vnet add path 'bpf*' unhide + +[devfsrules_jail_vnet_filemon=${hypervisor_jail_filemon_ruleset}] +add include \$devfsrules_jail_vnet +add path 'filemon' unhide diff --git a/files/etc/krb5.conf.idm_server b/files/etc/krb5.conf.idm_server index 5d4d1a0..98c3389 100644 --- a/files/etc/krb5.conf.idm_server +++ b/files/etc/krb5.conf.idm_server 
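Review bot: The rewritten cron line in files/etc/cron.d/poudriere.pkg_repository ends with an unmatched double quote after `${poudriere_port_versions}`, so the command /bin/sh receives from cron is a syntax error and the job never runs; drop it: `@weekly root lockf -t 0 /tmp/poudriere-cron.lock /usr/local/libexec/poudriere-cron base ${poudriere_base_versions} ports ${poudriere_port_versions}`. The same file is switched from `install_template` to `install_file` in scripts/hostclass/pkg_repository (the last hunk at L26), and if `install_file` copies the file verbatim the two `${…}` references are no longer expanded at install time and will be empty in cron's environment, leaving the job with no versions at all; either keep `install_template` for this file or write the versions literally. A quick check of the installed /etc/cron.d/poudriere after provisioning would confirm which happens.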
@@ -4,6 +4,8 @@ dns_lookup_realm = false allow_weak_crypto = false permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 + default_keytab_name = FILE:/var/krb5/user/%{euid}/keytab + default_client_keytab_name = FILE:/var/krb5/user/%{euid}/client.keytab forwardable = true ticket_lifetime = ${krb5_ticket_lifetime} renew_lifetime = ${krb5_renew_lifetime} diff --git a/files/usr/local/etc/nginx/vhosts.conf.pkg_repository b/files/usr/local/etc/nginx/vhosts.conf.pkg_repository index 73c5754..557c5b1 100644 --- a/files/usr/local/etc/nginx/vhosts.conf.pkg_repository +++ b/files/usr/local/etc/nginx/vhosts.conf.pkg_repository @@ -4,7 +4,7 @@ server { listen 443 ssl default_server; listen [::]:443 ssl default_server; server_name ${fqdn}; - root ${poudriere_data_dir}/data/packages; + root ${poudriere_webroot}; ssl_certificate ${poudriere_https_cert}; ssl_certificate_key ${poudriere_https_key}; diff --git a/files/usr/local/etc/pkg/repos/FreeBSD.conf.common b/files/usr/local/etc/pkg/repos/FreeBSD.conf.common index dd7ce6e..bc67e60 100644 --- a/files/usr/local/etc/pkg/repos/FreeBSD.conf.common +++ b/files/usr/local/etc/pkg/repos/FreeBSD.conf.common @@ -2,3 +2,4 @@ FreeBSD: { enabled: no} FreeBSD-kmods: { enabled: no} FreeBSD-ports: { enabled: no} FreeBSD-ports-kmods: { enabled: no } +FreeBSD-base: { enabled: no } diff --git a/files/usr/local/etc/pkg/repos/onprem.conf.freebsd b/files/usr/local/etc/pkg/repos/onprem.conf.freebsd index cd87b7e..a577fc2 100644 --- a/files/usr/local/etc/pkg/repos/onprem.conf.freebsd +++ b/files/usr/local/etc/pkg/repos/onprem.conf.freebsd 
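Review bot: The new `default_keytab_name = FILE:/var/krb5/user/%{euid}/keytab` makes the per-euid directory the only default keytab location for every process on the IDM server, not just slapd; scripts/hostclass/idm_server/90-idm (hunk at L23) creates entries for uid 0 and the slapd uid only, so any other service doing GSSAPI acceptor work would now look in a non-existent path instead of /etc/krb5.keytab unless it sets KRB5_KTNAME. If that is intended, a comment above these two lines would help: `# Per-euid keytabs; the directories are created by hostclass/idm_server/90-idm.` Whether anything else on this host relies on the default keytab can't be determined from this diff, so it is worth checking before rollout.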
@@ -1,6 +1,20 @@ -${site}: { +${site}-ports: { enabled: yes, url: "http://${pkg_host}/\${ABI}/latest", signature_type: "pubkey", pubkey: "/usr/local/etc/pkg/repos/repo.crt" } + +${site}-kmods: { + enabled: yes, + url: "http://${pkg_host}/\${ABI}/kmods_latest_\${VERSION_MINOR}", + signature_type: "pubkey", + pubkey: "/usr/local/etc/pkg/repos/repo.crt" +} + +${site}-base: { + enabled: yes, + url: "http://${pkg_host}/\${ABI}/base_release_\${VERSION_MINOR}", + signature_type: "pubkey", + pubkey: "/usr/local/etc/pkg/repos/repo.crt" +} diff --git a/files/usr/local/etc/pkg/repos/onprem.conf.idm_server b/files/usr/local/etc/pkg/repos/onprem.conf.idm_server index a7950b1..3f01328 100644 --- a/files/usr/local/etc/pkg/repos/onprem.conf.idm_server +++ b/files/usr/local/etc/pkg/repos/onprem.conf.idm_server @@ -1,9 +1,23 @@ # The "-idm" set is a special poudriere build for the IDM servers that builds # openldap26-server with GSSAPI_BASE. This workaround is necessary to avoid a # circular dependency with krb5 and cyrus-sasl2-gssapi. -${site}: { +${site}-ports: { enabled: yes, - url: "http://${pkg_host}/\${ABI}/latest-idm", + url: "http://${pkg_host}/\${ABI}/idm_latest", + signature_type: "pubkey", + pubkey: "/usr/local/etc/pkg/repos/repo.crt" +} + +${site}-kmods: { + enabled: yes, + url: "http://${pkg_host}/\${ABI}/kmods_latest_\${VERSION_MINOR}", + signature_type: "pubkey", + pubkey: "/usr/local/etc/pkg/repos/repo.crt" +} + +${site}-base: { + enabled: yes, + url: "http://${pkg_host}/\${ABI}/base_release_\${VERSION_MINOR}", signature_type: "pubkey", pubkey: "/usr/local/etc/pkg/repos/repo.crt" } diff --git a/files/usr/local/etc/pkg/repos/onprem.conf.pkg_repository b/files/usr/local/etc/pkg/repos/onprem.conf.pkg_repository index ec75151..5a26375 100644 --- a/files/usr/local/etc/pkg/repos/onprem.conf.pkg_repository +++ b/files/usr/local/etc/pkg/repos/onprem.conf.pkg_repository 
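Review bot: The client repo definitions hard-code `base_release_\${VERSION_MINOR}` and `kmods_latest_\${VERSION_MINOR}`, but scripts/hostclass/pkg_repository (hunk at L25–L26) publishes those names only when the configured branch is `releng`; for a `stable/…` entry it publishes `base_latest`/`kmods_latest` instead, so clients would fail to fetch — either document that only releng branches are supported for pkgbase or publish the release-style links in both cases. The same URLs appear in onprem.conf.idm_server (next hunk) and onprem.conf.pkg_repository (L14). The `${site}-base` entry requires a `pubkey` signature, so it is worth confirming that the pkgbase repository poudriere writes under data/images is signed with the same `PKG_REPO_SIGNING_KEY` as the ports repos; nothing in this diff shows that.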
@@ -1,5 +1,17 @@ -${site}: { +${site}-ports: { enabled: yes, - url: "file://${poudriere_data_dir}/data/packages/\${ABI}/latest", + url: "file://${poudriere_webroot}/\${ABI}/latest", + signature_type: "none", +} + +${site}-kmods: { + enabled: yes, + url: "file://${poudriere_webroot}/\${ABI}/kmods_latest_\${VERSION_MINOR}", + signature_type: "none", +} + +${site}-base: { + enabled: yes, + url: "file://${poudriere_webroot}/\${ABI}/base_release_\${VERSION_MINOR}", signature_type: "none", } diff --git a/files/usr/local/etc/pkg/repos/repo.crt.readme b/files/usr/local/etc/pkg/repos/repo.crt.readme index 1c1ad53..95428c3 100644 --- a/files/usr/local/etc/pkg/repos/repo.crt.readme +++ b/files/usr/local/etc/pkg/repos/repo.crt.readme @@ -1,3 +1,3 @@ Generate this file using: - openssl rsa -in site/files/usr/local/etc/ssl/repo.key.pkg_repository -pubout -out site/files/usr/local/etc/ssl/repo.crt.freebsd + openssl rsa -in site/files/usr/local/etc/poudriere.d/repo.key.pkg_repository -pubout -out site/files/usr/local/etc/pkg/repos/repo.crt.freebsd diff --git a/files/usr/local/etc/poudriere.conf.pkg_repository b/files/usr/local/etc/poudriere.conf.pkg_repository index bc9ca75..dad233c 100644 --- a/files/usr/local/etc/poudriere.conf.pkg_repository +++ b/files/usr/local/etc/poudriere.conf.pkg_repository @@ -8,7 +8,7 @@ PARALLEL_JOBS=${poudriere_jobs} USE_PORTLINT=no USE_TMPFS=yes DISTFILES_CACHE=/usr/ports/distfiles -PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/repo.key +PKG_REPO_SIGNING_KEY=${poudriere_conf_dir}/repo.key URL_BASE=http://${fqdn}/poudriere/ ALLOW_MAKE_JOBS_PACKAGES='${poudriere_allow_make_jobs_packages:-}' PRIORITY_BOOST='${poudriere_priority_boost:-}' diff --git a/files/usr/local/etc/poudriere.d/kmods-pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/kmods-pkglist.pkg_repository new file mode 100644 index 0000000..a2cedff --- /dev/null +++ b/files/usr/local/etc/poudriere.d/kmods-pkglist.pkg_repository 
@@ -0,0 +1,2 @@
+graphics/drm-kmod
+net/wifi-firmware-iwlwifi-kmod@all
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index 24f2faf..b13cc24 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -29,6 +29,7 @@ deskutils/py-vdirsyncer
 devel/android-tools
 devel/ccache
 devel/cgit
+devel/gdb
 devel/git@lite
 devel/gitolite
 devel/php${php_version}-gettext
@@ -54,7 +55,6 @@ finance/gnucash
 ftp/php${php_version}-curl
 graphics/ImageMagick7
 graphics/digikam
-graphics/drm-kmod
 graphics/gimp
 graphics/kdegraphics
 graphics/p5-Image-ExifTool
@@ -126,10 +126,10 @@ net/rsync
 net/socat
 net/syncthing
 net/turnserver
-net/wifi-firmware-iwlwifi-kmod@all
 net/wireguard-tools
 ports-mgmt/pkg
 ports-mgmt/poudriere
+ports-mgmt/poudriere-devel
 print/cups
 print/cups-filters
 print/pdftk
diff --git a/files/usr/local/etc/poudriere.d/src-env.conf.pkg_repository b/files/usr/local/etc/poudriere.d/src-env.conf.pkg_repository
new file mode 100644
index 0000000..ee9fc6f
--- /dev/null
+++ b/files/usr/local/etc/poudriere.d/src-env.conf.pkg_repository
@@ -0,0 +1 @@
+WITH_META_MODE="YES"
diff --git a/files/usr/local/etc/poudriere.d/src.conf.pkg_repository b/files/usr/local/etc/poudriere.d/src.conf.pkg_repository
new file mode 100644
index 0000000..6b524a2
--- /dev/null
+++ b/files/usr/local/etc/poudriere.d/src.conf.pkg_repository
@@ -0,0 +1,6 @@
+WITHOUT_ASSERT_DEBUG="YES"
+WITHOUT_LLVM_ASSERTIONS="YES"
+WITHOUT_TESTS="YES"
+WITHOUT_CLEAN="YES"
+WITH_MALLOC_PRODUCTION="YES"
+WITH_REPRODUCIBLE_BUILD="YES"
diff --git a/files/usr/local/etc/ssl/repo.key.readme b/files/usr/local/etc/ssl/repo.key.readme
index 3b14bc6..fbb13cb 100644
--- a/files/usr/local/etc/ssl/repo.key.readme
+++ b/files/usr/local/etc/ssl/repo.key.readme
@@ -1,4 +1,4 @@ Generate this file using: - openssl genrsa -out site/files/usr/local/etc/ssl/repo.key.pkg_repository 4096 - ./vault encrypt site/files/usr/local/etc/ssl/repo.key.pkg_repository + openssl genrsa -out site/files/usr/local/etc/poudriere.d/repo.key.pkg_repository 4096 + ./vault encrypt site/files/usr/local/etc/poudriere.d/repo.key.pkg_repository diff --git a/files/usr/local/lib/firefox/distribution/policies.json.desktop b/files/usr/local/lib/firefox/distribution/policies.json.desktop index f03055b..daa5b70 100644 --- a/files/usr/local/lib/firefox/distribution/policies.json.desktop +++ b/files/usr/local/lib/firefox/distribution/policies.json.desktop @@ -125,6 +125,12 @@ "SponsoredPocket": false, "Snippets": false }, + "AIControls": { + "Default": { + "Value": "blocked", + "Locked": true + } + }, "ManagedBookmarks": [ { "toplevel_name": "Intranet" @@ -219,6 +225,34 @@ "browser.newtabpage.activity-stream.feeds.section.topstories": { "Value": false, "Status": "locked" + }, + "browser.newtabpage.activity-stream.showSponsoredCheckboxes": { + "Value": false, + "Status": "locked" + }, + "browser.newtabpage.activity-stream.widgets.system.weather.enabled": { + "Value": false, + "Status": "default" + }, + "browser.urlbar.suggest.quicksuggest.all": { + "Value": false, + "Status": "locked" + }, + "browser.tabs.groups.smart.userEnabled": { + "Value": false, + "Status": "default" + }, + "signon.management.page.breach-alerts.enabled": { + "Value": false, + "Status": "locked" + }, + "privacy.fingerprintingProtection.pbmode": { + "Value": false, + "Status": "default" + }, + "signon.firefoxRelay.feature": { + "Value": "disabled", + "Status": "locked" } } } diff --git a/files/usr/local/libexec/poudriere-cron.pkg_repository b/files/usr/local/libexec/poudriere-cron.pkg_repository index aa5ebbb..fca251d 100644 --- a/files/usr/local/libexec/poudriere-cron.pkg_repository +++ b/files/usr/local/libexec/poudriere-cron.pkg_repository 
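Review bot: The new prefs in policies.json lock `signon.management.page.breach-alerts.enabled` and `browser.urlbar.suggest.quicksuggest.all` off and set `privacy.fingerprintingProtection.pbmode` to false, which is a deliberate reduction of a privacy protection in private windows, and JSON cannot carry a comment explaining why. Record the rationale where the file is installed (the desktop hostclass script) or in the commit message, e.g. `# policies.json: <why breach alerts / quicksuggest are locked off and fingerprintingProtection.pbmode is disabled>`, so the next reader can tell a policy decision from an accident.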
@@ -14,22 +14,37 @@ for patch in /usr/local/etc/poudriere.d/patches/*.patch; do patch -s -d /usr/local/poudriere/ports/latest -u < "$patch" done -idm=false -for jail in "$@"; do - if [ "$jail" = idm ]; then - idm=true - continue - fi +target='?' +for arg in "$@"; do + case $arg in + base|ports) target=$arg ; continue ;; + *) version=$arg ;; + esac - poudriere jail -u -j "$jail" > /dev/null + jail=$(echo "$version" | tr /. _) - if [ "$idm" = true ]; then - poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/idm-pkglist -p "$ports_tree" -z idm - poudriere pkgclean -j "$jail" -f /usr/local/etc/poudriere.d/idm-pkglist -p "$ports_tree" -z idm -y > /dev/null 2>&1 - else - poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" - poudriere pkgclean -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" -y > /dev/null 2>&1 - fi + case $target in + base) + srcdir="/usr/local/poudriere/jails/${jail}/usr/src" + git -C "$srcdir" fetch + local_rev=$(git -C "$srcdir" rev-parse HEAD) + upstream_rev=$(git -C "$srcdir" rev-parse '@{u}') + + if [ "$localrev" != "$upstream_rev" ]; then + poudriere jail -u -j "$jail" + fi + + poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/kmods-pkglist -p latest -z kmods + poudriere pkgclean -j "$jail" -f /usr/local/etc/poudriere.d/kmods-pkglist -p latest -z kmods -y > /dev/null 2>&1 + ;; + ports) + poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p latest + poudriere pkgclean -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p latest -y > /dev/null 2>&1 + + poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/idm-pkglist -p latest -z idm + poudriere pkgclean -j "$jail" -f /usr/local/etc/poudriere.d/idm-pkglist -p latest -z idm -y > /dev/null 2>&1 + ;; + esac done poudriere distclean -p "$ports_tree" -a -y > /dev/null diff --git a/files/usr/local/sbin/jailctl.freebsd_hypervisor b/files/usr/local/sbin/jailctl.freebsd_hypervisor index a855445..686f97c 100644 
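Review bot: `if [ "$localrev" != "$upstream_rev" ]` tests `$localrev`, but the variable assigned two lines earlier is `local_rev`, so the comparison is always true and `poudriere jail -u` runs on every weekly run even when the src tree is unchanged; the fix is `if [ "$local_rev" != "$upstream_rev" ]; then` (the equivalent loop in scripts/hostclass/pkg_repository spells it correctly). The `target='?'` sentinel means a version given before the first `base`/`ports` keyword is silently skipped; a `*) echo "unknown target for ${version}" >&2 ;;` arm in the inner `case` would surface that. The trailing `poudriere distclean -p "$ports_tree"` still uses `$ports_tree` while every bulk call now hard-codes `-p latest`; the script continues outside the hunk, so whether that variable is still set can't be seen here.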
--- a/files/usr/local/sbin/jailctl.freebsd_hypervisor +++ b/files/usr/local/sbin/jailctl.freebsd_hypervisor @@ -755,6 +755,12 @@ cmd::reprovision(){ jail::stop "$jail" fi + # umount all jailed filesystems + zfs list -Ho mountpoint,mounted -r "${JAIL_DATASET}/${jail}/data" \ + | awk '$2 == "yes" {print $1}' \ + | sort -r \ + | xargs -t -n1 -I{} umount "${JAIL_HOME}/${jail}/os{}" + local snapshot old_quota old_ifconfig old_defaultrouter old_hostname old_resolvconf # Get the latest snapshot for the template (if not specified). @@ -892,7 +898,7 @@ cmd::status(){ | rs -c= -C' ' -T \ | column -t printf -- '\n----------------------------- PROCESSES ------------------------------\n' - ps -auxdr -J "$jail" + ps -uxdr -J "$jail" } cmd::update_release(){ 
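Review bot: The result of the new umount pipeline in cmd::reprovision is never checked: `xargs` exits non-zero when any `umount` fails (a busy filesystem, for instance), but the function carries on to the snapshot/reprovision steps regardless, unless the script runs under `set -e`, which isn't visible here. Appending `|| die "failed to unmount jailed filesystems for ${jail}"` to the pipeline uses the `die` helper this file already has. The `os{}` concatenation also assumes every listed mountpoint is absolute — `legacy`/`none` are excluded by the `mounted` column, but a relative value would produce a bad path — and `-n1` is redundant with `-I{}`. cmd::reprovision continues outside the hunk.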
@@ -1052,18 +1058,59 @@ template::exists(){ template::download_release(){ # Download a given FreeBSD release and create a template jail. - local release=$1 arch base_tarball template + local release=$1 arch major minor key repo_url repo_name pkg_config template arch=$(uname -p) - base_tarball="https://download.freebsd.org/releases/${arch}/${release}/base.txz" + major=${release%.*} + minor=${release#*.} + repo_name="FreeBSD-base-release-${minor}" + repo_url="https://pkg.freebsd.org/FreeBSD:${major}:${arch}/base_release_${minor}" + + repo_dir=$(mktemp -d /tmp/repoctl-pkg.XXXXXX) + chmod 755 "$repo_dir" + mkdir "${repo_dir}/trusted" + + fetch -o "${repo_dir}/trusted" "https://cgit.freebsd.org/src/plain/share/keys/pkgbase-${major}/trusted/awskms-${major}" + fetch -o "${repo_dir}/trusted" "https://cgit.freebsd.org/src/plain/share/keys/pkgbase-${major}/trusted/backup-signing-${major}" + + cat <<EOF > "${repo_dir}/FreeBSD-base.conf" +${repo_name}: { + url: "pkg+https://pkg.FreeBSD.org/FreeBSD:${major}:${arch}/base_release_${minor}", + mirror_type: "srv", + signature_type: "fingerprints", + fingerprints: "/usr/share/keys/pkgbase-${major}", + enabled: yes +} +EOF template::release2name template "$release" zfs create -v -p $ZFS_OPTS "${JAIL_DATASET}/templates/${template}" + mkdir -p "${JAIL_HOME}/templates/${template}/usr/share/keys/pkgbase-${major}" + cp -a "${repo_dir}/trusted" "${JAIL_HOME}/templates/${template}/usr/share/keys/pkgbase-${major}" - if ! fetch "$base_tarball" -o - | tar xzf - -C "${JAIL_HOME}/templates/${template}"; then + if ! pkg --rootdir "${JAIL_HOME}/templates/${template}" \ + --repo-conf-dir="$repo_dir" \ + -o IGNORE_OSVERSION=yes \ + -o ASSUME_ALWAYS_YES=yes \ + update -r "$repo_name" + then zfs destroy -v "${JAIL_DATASET}/templates/${template}" - die "failed to extract base tarball for ${release}" + rm -rf "$repo_dir" + die "failed to update pkgbase repo for ${release}" + fi + + if ! 
pkg --rootdir "${JAIL_HOME}/templates/${template}" \ + --repo-conf-dir="$repo_dir" \ + -o IGNORE_OSVERSION=yes \ + -o ASSUME_ALWAYS_YES=yes \ + install \ + -r "$repo_name" \ + FreeBSD-set-base-jail + then + zfs destroy -v "${JAIL_DATASET}/templates/${template}" + rm -rf "$repo_dir" + die "failed to bootstrap pkgbase for ${release}" fi template::update_release "$template" @@ -1071,17 +1118,37 @@ template::download_release(){ template::release2name(){ # Convert a FreeBSD release version to a template name. - # e.g. for "13.2-RELEASE", return "freebsd13.2". - setvar "$1" "freebsd${2%-*}" + # e.g. for "13.2", return "freebsd13.2". + setvar "$1" "freebsd${2}" } template::update_release(){ # Run freebsd-update within a the given template and take a fresh snapshot. - local template=$1 snapshot release + local template=$1 snapshot release major minor arch abi + + arch=$(uname -p) + release=${template#freebsd} + major=${release%.*} + minor=${release#*.} + abi="FreeBSD:${major}:${arch}" - release=$("${JAIL_HOME}/templates/${template}/bin/freebsd-version" -u | sed 's/-p[0-9]*$//') + pkg --rootdir "${JAIL_HOME}/templates/${template}" \ + --repo-conf-dir="${JAIL_HOME}/templates/${template}/etc/pkg" \ + -o IGNORE_OSVERSION=yes \ + -o ASSUME_ALWAYS_YES=yes \ + -o VERSION_MAJOR="$major" \ + -o VERSION_MINOR="$minor" \ + -o ABI="$abi" \ + update -r FreeBSD-base - PAGER=/bin/cat freebsd-update -b "${JAIL_HOME}/templates/${template}" --not-running-from-cron --currently-running "$release" fetch install + pkg --rootdir "${JAIL_HOME}/templates/${template}" \ + --repo-conf-dir="${JAIL_HOME}/templates/${template}/etc/pkg" \ + -o IGNORE_OSVERSION=yes \ + -o ASSUME_ALWAYS_YES=yes \ + -o VERSION_MAJOR="$major" \ + -o VERSION_MINOR="$minor" \ + -o ABI="$abi" \ + upgrade -r FreeBSD-base snapshot=$("${JAIL_HOME}/templates/${template}/bin/freebsd-version") template::exists "${template}@${snapshot}" || zfs snapshot "${JAIL_DATASET}/templates/${template}@${snapshot}" 
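Review bot: In template::download_release `repo_dir` is created with `mktemp -d` but removed only on the two failure paths; on success the function falls through to `template::update_release` and leaves the directory in /tmp, and `repo_dir` is missing from the `local` list while `key`, `repo_url` and `pkg_config` are declared but never used (the heredoc hard-codes its own URL). Add `repo_dir` to `local` and `rm -rf "$repo_dir"` after the successful install. On the trust side, the pkgbase fingerprints are fetched from cgit.freebsd.org at template-creation time, so the trust root for the base system is that TLS connection; if the hypervisor host is itself on 15.1 (the commit message suggests that is now the minimum), copying the host's own `/usr/share/keys/pkgbase-${major}` into the template, or pinning the expected fingerprint, would remove a network trust step. Whether pkg resolves `fingerprints: "/usr/share/keys/pkgbase-${major}"` inside `--rootdir` or on the host isn't visible here and is worth confirming, since the key directory is populated in both places.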
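Review bot: The header comment of template::update_release still says `# Run freebsd-update within a the given template and take a fresh snapshot.`, but the body now runs `pkg update`/`pkg upgrade -r FreeBSD-base`; replace it with `# Upgrade the template from its FreeBSD-base pkgbase repo and take a fresh snapshot.`. The two `pkg` invocations repeat the same seven `--rootdir`/`--repo-conf-dir`/`-o` lines; a small local helper (e.g. `template_pkg(){ pkg --rootdir "$root" ... "$@"; }`) would keep the two from drifting apart. This call also trusts the template's own `/etc/pkg` repo definitions and the keys copied into it by template::download_release; a one-line comment saying so would make the trust anchor visible in this function.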
diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop index f783000..e105004 100644 --- a/scripts/hostclass/desktop +++ b/scripts/hostclass/desktop @@ -106,7 +106,7 @@ install_file -m 0644 \ set_sysctl \ net.local.stream.recvspace=65536 \ net.local.stream.sendspace=65536 \ - kern.sched.preempt_thresh=224 \ + kern.sched.ule.preempt_thresh=224 \ vfs.usermount=1 set_loader_conf \ diff --git a/scripts/hostclass/freebsd_hypervisor b/scripts/hostclass/freebsd_hypervisor index fcf46ba..5f6082e 100644 --- a/scripts/hostclass/freebsd_hypervisor +++ b/scripts/hostclass/freebsd_hypervisor @@ -20,12 +20,13 @@ : ${hypervisor_jail_default_zfs_opts:='-o compress=lz4'} hypervisor_jail_bpf_ruleset=1000 +hypervisor_jail_filemon_ruleset=1001 # Required for vnet jails. set_sysctl net.link.tap.up_on_open=1 # Required to for kerberized NFS within jails. -sysrc -v kld_list+='kgssapi kgssapi_krb5' +sysrc -v kld_list+='kgssapi kgssapi_krb5 filemon' # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262189 set_sysctl vfs.zfs.vol.mode=2 diff --git a/scripts/hostclass/idm_server/10-slapd b/scripts/hostclass/idm_server/10-slapd index dcce783..1e565d0 100644 --- a/scripts/hostclass/idm_server/10-slapd +++ b/scripts/hostclass/idm_server/10-slapd @@ -1,15 +1,5 @@ #!/bin/sh -case $BOXCONF_OS_VERSION in - 14.*) - : # ok - ;; - *) - # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291828 - die "Only FreeBSD versions < 15 are supported for hostclass idm_server!" - ;; -esac - : ${slapd_root_dn:='cn=admin'} : ${slapd_replicator_dn:="cn=replicator,${basedn}"} : ${slapd_result_size_limit:='10000'} 
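Review bot: In scripts/hostclass/freebsd_hypervisor the comment above the changed `sysrc` line, `# Required to for kerberized NFS within jails.`, now also covers `filemon`, which has nothing to do with NFS (presumably it is there for the `WITH_META_MODE` builds enabled in src-env.conf). Keep the kgssapi modules under the existing comment and add filemon on its own line, e.g. `# Required for meta-mode (filemon) builds inside the pkg_repository jail.` followed by `sysrc -v kld_list+=filemon`. The "to for" typo in the existing comment could be fixed at the same time.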
@@ -52,17 +42,6 @@ zfs set \ com.sun:auto-snapshot:weekly=true \ "${state_dataset}/openldap-data" -# To prevent a circular dependency in poudriere, we have to make a special "set" -# of packages for the IDM hosts in which cyrus-sasl-gssapi is built with the -# Heimdal libraries in base, rather than MIT. -# -# Heimdal does not support the KRB5_KTNAME environment variable with slapd. -# However, you *can* specify a keytab by creating a ~/.krb5/config file in -# the slapd user's home directory. -pw user mod "$slapd_user" -d "$slapd_conf_dir" -install_directory -m 0755 "${slapd_conf_dir}/.krb5" -install_template -m 0644 "${slapd_conf_dir}/.krb5/config" - # Copy TLS certificate for LDAP server. install_certificate -o "$slapd_user" -g "$slapd_user" slapd "$slapd_tls_cert" install_certificate_key -o "$slapd_user" -g "$slapd_user" slapd "$slapd_tls_key" diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm index 26e673b..3296c82 100644 --- a/scripts/hostclass/idm_server/90-idm +++ b/scripts/hostclass/idm_server/90-idm 
@@ -50,13 +50,26 @@ EOF # Create state dataset to persist keytabs across OS rebuilds. create_dataset -o "mountpoint=${keytab_dir}" "${state_dataset}/keytabs" +install_directory -m 0755 \ + /var/krb5 \ + /var/krb5/user + # Export host keytab. [ -f "${keytab_dir}/host.keytab" ] || /usr/local/sbin/kadmin.local ktadd -k "${keytab_dir}/host.keytab" -q "host/${fqdn}" ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab +install_directory -o root -m 0700 /var/krb5/user/0 +ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/keytab +ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/client.keytab + # Export slapd keytab. [ -f "$slapd_keytab" ] || /usr/local/sbin/kadmin.local ktadd -k "$slapd_keytab" -q "ldap/${fqdn}" -chown "$slapd_user" "$slapd_keytab" +chgrp "$slapd_user" "$slapd_keytab" +chmod 640 "$slapd_keytab" + +slapd_uid=$(id -u "$slapd_user") +install_directory -o "$slapd_user" -m 0700 "/var/krb5/user/${slapd_uid}" +ln -snfv "$slapd_keytab" "/var/krb5/user/${slapd_uid}/keytab" # Install PAM/NSS integration packages. pkg install -y \ diff --git a/scripts/hostclass/imap_server/10-solr b/scripts/hostclass/imap_server/10-solr index c7bd080..5b6a792 100644 --- a/scripts/hostclass/imap_server/10-solr +++ b/scripts/hostclass/imap_server/10-solr @@ -79,4 +79,6 @@ install_file -m 0644 -o "$solr_user" -g "$solr_user" \ rm -f "${solr_data_dir}/dovecot/conf/managed-schema.xml" # Restart solr. -service solr restart +service solr stop +sleep 1 +service solr start diff --git a/scripts/hostclass/imap_server/20-tika b/scripts/hostclass/imap_server/20-tika index 1491461..65774fb 100644 --- a/scripts/hostclass/imap_server/20-tika +++ b/scripts/hostclass/imap_server/20-tika @@ -1,6 +1,6 @@ #!/bin/sh -: ${tika_version:='3.3.0'} +: ${tika_version:='3.3.1'} : ${tika_uid:='787'} tika_user=tika diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository index 2094552..1cfe707 100644 --- a/scripts/hostclass/pkg_repository +++ b/scripts/hostclass/pkg_repository 
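Review bot: In 90-idm slapd gets only `/var/krb5/user/${slapd_uid}/keytab`, whereas root gets both `keytab` and `client.keytab`, and krb5.conf (hunk at L12) now points `default_client_keytab_name` at the per-euid `client.keytab`; if slapd also acts as a GSSAPI initiator (a syncrepl consumer binding to its provider, for instance), MIT's initiator path consults the client keytab, so either add `ln -snfv "$slapd_keytab" "/var/krb5/user/${slapd_uid}/client.keytab"` or confirm that it falls back to `default_keytab_name` in that configuration. The move from `chown "$slapd_user"` to a root-owned, group-readable `640` keytab is a good tightening; a comment such as `# root-owned, group-readable: slapd only needs to read the keytab` would record the intent.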
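Review bot: In 10-solr the reason `service solr restart` was replaced by `stop`, a fixed `sleep 1` and `start` is not recorded, and a fixed sleep is a timing guess rather than a check. A comment above the stop, `# <why restart was unreliable here — fill in>`, would save the next reader a bisect, and if the stop returns before the process has exited, polling `service solr status` until it reports stopped is more robust than `sleep 1`.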
@@ -1,7 +1,7 @@ #!/bin/sh -: ${poudriere_versions:='15.0-RELEASE'} -: ${poudriere_idm_versions:='14.4-RELEASE'} +: ${poudriere_base_versions:='releng/15.1'} +: ${poudriere_port_versions:='releng/15.1'} : ${poudriere_jobs:="$nproc"} : ${poudriere_dataset:="${state_dataset:-zroot}"} : ${poudriere_make_jobs_number:='4'} @@ -15,6 +15,7 @@ poudriere_https_key="${nginx_conf_dir}/poudriere.key" poudriere_data_dir=/usr/local/poudriere poudriere_conf_dir=/usr/local/etc/poudriere.d poudriere_patch_dir="${poudriere_conf_dir}/patches" +poudriere_webroot=/usr/local/www/packages # Create poudriere datasets. create_dataset -o "mountpoint=${poudriere_data_dir}" "${state_dataset}/poudriere" @@ -31,7 +32,7 @@ zfs set sync=disabled "${poudriere_dataset}/poudriere" # These packages are needed to bootstrap poudriere. On the first run, they'll # be installed from the public FreeBSD repos. pkg install -y \ - poudriere \ + poudriere-devel \ git-lite \ nginx \ ccache @@ -40,13 +41,17 @@ pkg install -y \ install_template -m 0644 \ /usr/local/etc/poudriere.conf \ "${poudriere_conf_dir}/make.conf" \ + "${poudriere_conf_dir}/src.conf" \ + "${poudriere_conf_dir}/src-env.conf" \ "${poudriere_conf_dir}/idm-make.conf" \ "${poudriere_conf_dir}/pkglist" \ + "${poudriere_conf_dir}/kmods-pkglist" \ "${poudriere_conf_dir}/idm-pkglist" -install_file -m 0400 /usr/local/etc/ssl/repo.key +install_file -m 0400 "${poudriere_conf_dir}/repo.key" install_directory -m 0755 /usr/ports/distfiles install_directory -m 0755 -o nobody -g nobody "${poudriere_data_dir}/ccache" install_template -m 0644 -o nobody -g nobody "${poudriere_data_dir}/ccache/ccache.conf" +install_directory -m 0755 "$poudriere_webroot" # Copy TLS certificate for nginx. install_certificate nginx "$poudriere_https_cert" 
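Review bot: The new defaults `releng/15.1` are parsed further down (hunk at L25) with `branch=${version%/*}`, `major=${version#*/}` and `minor=${version##*.}`, so a value without a slash or without a minor number yields nonsense (`branch` equal to the whole string, an empty `major`) with no error. A comment on the defaults, `# Format: <branch>/<major>.<minor>, e.g. releng/15.1`, plus a `case $version in */*.*) ;; *) die "bad poudriere version: ${version}" ;; esac` at the top of each loop would catch that early; `die` is already used by hostclass scripts (e.g. the check removed from 10-slapd).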
@@ -79,33 +84,60 @@ for patch in "${poudriere_patch_dir}/"*.patch; do patch -d "${poudriere_data_dir}/ports/latest" -u < "$patch" done -# For each specified FreeBSD version, build all packages. -for version in $poudriere_versions; do - jail=$(echo "$version" | tr . _) - abi="FreeBSD:${version%%.*}:$(uname -p)" +for version in $poudriere_base_versions; do + jail=$(echo "$version" | tr /. _) + branch=${version%/*} + major=${version#*/} + major=${major%.*} + minor=${version##*.} + abi="FreeBSD:${major}:amd64" + + if [ -d "${poudriere_data_dir}/jails/${jail}" ]; then + srcdir="${poudriere_data_dir}/jails/${jail}/usr/src" + git -C "$srcdir" fetch + local_rev=$(git -C "$srcdir" rev-parse HEAD) + upstream_rev=$(git -C "$srcdir" rev-parse '@{u}') - [ -d "${poudriere_data_dir}/jails/${jail}" ] || poudriere jail -c -j "$jail" -v "$version" + if [ "$local_rev" = "$upstream_rev" ]; then + log "pkgbase jail ${jail} is already up to date" + else + log "updating pkgbase jail ${jail}" + poudriere jail -u -j "$jail" + fi + else + poudriere jail -c -b -B -j "$jail" -v "$version" -m git+https -K GENERIC + fi - poudriere jail -u -j "$jail" - poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest ||: - poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest -y ||: + poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/kmods-pkglist" -p latest -z kmods ||: + poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/kmods-pkglist" -p latest -z kmods -y ||: - install_directory -m 0755 "${poudriere_data_dir}/data/packages/${abi}" - ln -snfv "../${jail}-latest" "${poudriere_data_dir}/data/packages/${abi}/latest" + install_directory -m 0755 "${poudriere_webroot}/${abi}" + if [ "$branch" = releng ]; then + ln -snfv "${poudriere_data_dir}/data/images/${jail}-repo/${abi}/latest" "${poudriere_webroot}/${abi}/base_release_${minor}" + ln -snfv "${poudriere_data_dir}/data/packages/${jail}-latest-kmods" "${poudriere_webroot}/${abi}/kmods_latest_${minor}" + elif 
[ "$branch" = stable ]; then + ln -snfv "${poudriere_data_dir}/data/images/${jail}-repo/${abi}/latest" "${poudriere_webroot}/${abi}/base_latest" + ln -snfv "${poudriere_data_dir}/data/packages/${jail}-latest-kmods" "${poudriere_webroot}/${abi}/kmods_latest" + fi done -for version in $poudriere_idm_versions; do - jail=$(echo "$version" | tr . _) - abi="FreeBSD:${version%%.*}:$(uname -p)" +# For each specified FreeBSD version, build all packages. +for version in $poudriere_port_versions; do + jail=$(echo "$version" | tr /. _) + branch=${version%/*} + major=${version#*/} + major=${major%.*} + minor=${version##*.} + abi="FreeBSD:${major}:amd64" - [ -d "${poudriere_data_dir}/jails/${jail}" ] || poudriere jail -c -j "$jail" -v "$version" + poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest ||: + poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest -y ||: - poudriere jail -u -j "$jail" poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm ||: poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm -y ||: - install_directory -m 0755 "${poudriere_data_dir}/data/packages/${abi}" - ln -snfv "../${jail}-latest-idm" "${poudriere_data_dir}/data/packages/${abi}/latest-idm" + ln -snfv "${poudriere_data_dir}/data/packages/${jail}-latest" "${poudriere_webroot}/${abi}/latest" + ln -snfv "${poudriere_data_dir}/data/packages/${jail}-latest-idm" "${poudriere_webroot}/${abi}/idm_latest" done # Clean stale distfiles and logs. @@ -118,7 +150,7 @@ install_directory -m 0555 "${poudriere_data_dir}/data/packages/poudriere" # Create cron job to update packages automatically. install_file -m 0555 /usr/local/libexec/poudriere-cron -install_template -m 0644 /etc/cron.d/poudriere +install_file -m 0644 /etc/cron.d/poudriere # Now that we have a valid repo, switch the pkg repo to the local filesystem. install_directory -m 0755 \ 
diff --git a/scripts/hostname/desktop1 b/scripts/hostname/desktop1 index 3fb96db..085dee4 100644 --- a/scripts/hostname/desktop1 +++ b/scripts/hostname/desktop1 @@ -22,3 +22,6 @@ service virtual_oss restart set_loader_conf "hint.pcm.${recording_device}.mic=${microphone_gain}" set_loader_conf "hint.pcm.${playback_device}.pcm=100" + +set_loader_conf "exec=copy_staging enable" + diff --git a/scripts/os/freebsd/10-sysctls b/scripts/os/freebsd/10-sysctls index c8eae77..3e269c4 100644 --- a/scripts/os/freebsd/10-sysctls +++ b/scripts/os/freebsd/10-sysctls @@ -1,17 +1,5 @@ #!/bin/sh -case $BOXCONF_OS_VERSION in - 13.*) - set_sysctl \ - net.inet.ip.check_interface=1 \ - net.inet.tcp.rfc6675_pipe=1 - ;; - *) - set_sysctl \ - net.inet.ip.rfc1122_strong_es=1 - ;; -esac - load_kernel_module cc_htcp set_sysctl \ @@ -19,6 +7,7 @@ set_sysctl \ net.inet.ip.process_options=0 \ net.inet.ip.random_id=1 \ net.inet.ip.redirect=0 \ + net.inet.ip.rfc1122_strong_es=1 \ net.inet.tcp.abc_l_var=44 \ net.inet.tcp.always_keepalive=0 \ net.inet.tcp.cc.abe=1 \ diff --git a/site b/site -Subproject cf9380d9ed1b2f58d48a2a75d0ef4fd4f29c568 +Subproject d1def1e1ed2dfbde73297bec83dbd01d02334a3 |
