From 2c9845db4bc00221bc3c2343a020208f7f532166 Mon Sep 17 00:00:00 2001 
From: Cullum Smith Date: Thu, 31 Oct 2024 21:36:39 -0400 Subject: many fixes --- files/etc/auto_master.common | 1 - files/etc/cron.d/freeradius.radius_server | 2 +- files/etc/cron.d/prosody.xmpp_server | 4 +- files/etc/devfs.rules.desktop | 1 + files/etc/login.access.freebsd | 5 +- files/etc/pam.d/login.freebsd | 5 ++ files/etc/pam.d/sshd.freebsd | 5 ++ .../local/etc/asterisk/queues.conf.asterisk_server | 20 +++++--- .../policies/managed/policies.json.desktop | 60 +++++++++++++++------- .../dovecot-ldap-userdb.conf.ext.imap_server | 10 ++-- .../etc/icinga2/conf.d/services.conf.icinga_server | 29 +++++++---- .../icinga2/conf.d/templates.conf.icinga_server | 4 +- files/usr/local/etc/postfix/main.cf.smtp_server | 3 +- files/usr/local/etc/postfix/master.cf.smtp_server | 3 +- .../local/etc/poudriere.d/make.conf.pkg_repository | 4 +- .../local/etc/poudriere.d/pkglist.pkg_repository | 8 ++- .../local/etc/prosody/prosody.cfg.lua.xmpp_server | 2 + .../etc/rspamd/local.d/logging.inc.smtp_server | 2 +- files/usr/local/etc/xdg/kdeglobals.desktop | 5 ++ files/usr/local/etc/xdg/kdeglobals.laptop | 1 + .../local/etc/xdg/kdeglobals.roadwarrior_laptop | 1 + .../lib/firefox/distribution/policies.json.desktop | 55 ++++++++++++++++---- .../lib/libreoffice/program/sofficerc.desktop | 4 +- .../local/libexec/poudriere-cron.pkg_repository | 8 +-- .../local/libexec/prosody-acme-proxy.xmpp_server | 2 +- .../libexec/prosody-update-roster.xmpp_server | 12 +++-- files/usr/local/sbin/jailctl.freebsd_hypervisor | 14 ++--- .../local/share/applications/gajim.desktop.desktop | 20 ++++++++ .../local/share/applications/gajim.desktop.laptop | 1 + .../applications/gajim.desktop.roadwarrior_laptop | 1 + pki | 34 +++++++++++- scripts/hostclass/asterisk_server | 7 +++ scripts/hostclass/bitwarden_server | 1 + scripts/hostclass/dav_server | 12 +++++ scripts/hostclass/desktop | 17 ++++-- scripts/hostclass/idm_server/90-idm | 5 +- scripts/hostclass/nfs_server/10-nfs | 1 + scripts/hostclass/pkg_repository | 10 
++-- scripts/hostclass/public_webserver | 6 +-- scripts/hostclass/smtp_server/20-postfix | 5 +- scripts/hostclass/unifi_controller | 4 ++ scripts/hostclass/xmpp_server | 28 +++++----- scripts/hostname/desktop2 | 24 +++++++++ scripts/hostname/nfs1/10-homedirs | 6 ++- scripts/hostname/nfs1/20-shares | 34 +++++++----- scripts/hostname/nfs1/30-autofs | 10 ++-- scripts/os/freebsd/10-bootloader | 2 +- scripts/os/freebsd/50-idm | 8 ++- scripts/os/freebsd/80-microcode | 12 +++-- vars/hostclass/desktop | 14 +++-- vars/hostclass/xmpp_server | 6 ++- vars/hostname/alcatraz1 | 4 ++ vars/hostname/xmpp1 | 1 - 53 files changed, 399 insertions(+), 144 deletions(-) create mode 100644 files/usr/local/etc/xdg/kdeglobals.desktop create mode 120000 files/usr/local/etc/xdg/kdeglobals.laptop create mode 120000 files/usr/local/etc/xdg/kdeglobals.roadwarrior_laptop create mode 100644 files/usr/local/share/applications/gajim.desktop.desktop create mode 120000 files/usr/local/share/applications/gajim.desktop.laptop create mode 120000 files/usr/local/share/applications/gajim.desktop.roadwarrior_laptop create mode 100644 scripts/hostname/desktop2 create mode 100644 vars/hostname/alcatraz1 diff --git a/files/etc/auto_master.common b/files/etc/auto_master.common index 37f3e34..d82114c 100644 --- a/files/etc/auto_master.common +++ b/files/etc/auto_master.common @@ -1,2 +1 @@ -/net -hosts -nobrowse,nosuid,intr +auto_master diff --git a/files/etc/cron.d/freeradius.radius_server b/files/etc/cron.d/freeradius.radius_server index 20f3ada..2081fbd 100644 --- a/files/etc/cron.d/freeradius.radius_server +++ b/files/etc/cron.d/freeradius.radius_server @@ -1,2 +1,2 @@ MAILTO=root -@daily ${freeradius_user} find ${freeradius_tlscache_dir} -mindepth 1 -mtime +2 -exec rm -vf {} + +@daily ${freeradius_user} find ${freeradius_tlscache_dir} -mindepth 1 -mtime +2 -exec rm -f {} + diff --git a/files/etc/cron.d/prosody.xmpp_server b/files/etc/cron.d/prosody.xmpp_server index b95f010..a73153a 100644 
--- a/files/etc/cron.d/prosody.xmpp_server +++ b/files/etc/cron.d/prosody.xmpp_server @@ -1,3 +1,3 @@ MAILTO=root -0 0 * * * * ${prosody_local_user} /usr/local/libexec/prosody-acme-proxy -q ${prosody_user}@${prosody_acme_host} ${prosody_domains} -0 0 * * * * ${prosody_local_user} /usr/local/libexec/prosody-update-roster ${prosody_access_role} > ${prosody_roster_path} +0 0 * * * * ${prosody_local_user} /usr/local/libexec/prosody-acme-proxy -q ${prosody_username}@${prosody_acme_host} ${prosody_domains} +0 0 * * * * ${prosody_local_user} /usr/local/libexec/prosody-update-roster ${prosody_access_role} ${prosody_roster_path} diff --git a/files/etc/devfs.rules.desktop b/files/etc/devfs.rules.desktop index 4c10d43..ec38210 100644 --- a/files/etc/devfs.rules.desktop +++ b/files/etc/devfs.rules.desktop @@ -2,3 +2,4 @@ add path 'drm/*' mode 0660 group ${desktop_access_role} add path 'backlight/*' mode 0660 group ${desktop_access_role} add path 'video*' mode 0660 group ${desktop_access_role} +add path 'usb/*' mode 0660 group ${desktop_access_role} diff --git a/files/etc/login.access.freebsd b/files/etc/login.access.freebsd index c2d6fc1..ee83dd5 100644 --- a/files/etc/login.access.freebsd +++ b/files/etc/login.access.freebsd @@ -2,7 +2,10 @@ +:root:ALL +:${icinga_local_user}:ALL -$(if [ -n "${login_access_groups:-}" ] || [ -n "${login_access_users:-}" ]; then +$(if [ -n "${acmeproxy_client_group:-}" ]; then + echo "+:(${acmeproxy_client_group}):ALL" +fi +if [ -n "${login_access_groups:-}" ] || [ -n "${login_access_users:-}" ]; then printf -- '-:ALL EXCEPT ' if [ -n "${login_access_groups:-}" ]; then printf '(%s) ' ${login_access_groups} diff --git a/files/etc/pam.d/login.freebsd b/files/etc/pam.d/login.freebsd index ae50bbe..bb215ec 100644 --- a/files/etc/pam.d/login.freebsd +++ b/files/etc/pam.d/login.freebsd 
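Review bot: Both rewritten entries still carry six time fields (`0 0 * * * *`) ahead of `${prosody_local_user}`, but a system crontab line has five, so unless this cron accepts a seconds column the sixth `*` is parsed as the user name, the entry is rejected, and neither the ACME certificate fetch nor the roster refresh ever runs. Change both lines to `0 0 * * * ${prosody_local_user} …`, keeping the five-field layout that the freeradius crontab already uses. A rejected entry fails silently from the job's point of view, so it is worth checking cron's log once after deploying.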
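Review bot: The new `+:(${acmeproxy_client_group}):ALL` rule grants members of the ACME proxy client group login from any origin, and because login.access is first-match it sits ahead of the `-:ALL EXCEPT` deny that `login_access_groups` produces, so these accounts can never be narrowed by the existing variables. If the proxy clients are known hosts, name them in the origin field rather than `ALL`, e.g. `+:(${acmeproxy_client_group}):client1 client2`, or at least record why an unrestricted origin is needed with a comment such as `# acmeproxy clients fetch certificates over sftp; restrict the origin here if the client set is static`. The generated rule set continues past the end of this hunk.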
@@ -12,6 +12,11 @@ session required pam_lastlog.so no_fail session required pam_xdg.so session required /usr/local/lib/security/pam_krb5.so session optional /usr/local/lib/pam_mkhomedir.so mode=0700 +$(if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ] && [ "${enable_autofs:-}" != false ]; then +cat < PJSIP/${member},0,${member_name},PJSIP/${member}" -done; done) +timeoutrestart = yes +EOF + for member in $queue_members; do + eval "member_name=\${asterisk_ext_${member}_cid_name}" + cat < PJSIP/${member},0,${member_name},PJSIP/${member} +EOF + done +done) diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.desktop b/files/usr/local/etc/chromium/policies/managed/policies.json.desktop index 93544cf..1391d09 100644 --- a/files/usr/local/etc/chromium/policies/managed/policies.json.desktop +++ b/files/usr/local/etc/chromium/policies/managed/policies.json.desktop @@ -14,15 +14,6 @@ "CloudReportingEnabled": false, "DefaultBrowserSettingEnabled": false, "DefaultCookiesSetting": 1, - "DefaultSearchProviderEnabled": true, - "DefaultSearchProviderName": "DuckDuckGo", - "DefaultSearchProviderIconURL": "https://duckduckgo.com/favicon.ico", - "DefaultSearchProviderEncodings": [ - "UTF-8" - ], - "DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q={searchTerms}", - "DefaultSearchProviderSuggestURL":"https://duckduckgo.com/ac/?q={searchTerms}&type=list", - "DefaultSearchProviderNewTabURL":"https://duckduckgo.com/chrome_newtab", "DnsOverHttpsMode": "off", "EnableAuthNegotiatePort": true, "EnableMediaRouter": false, 
@@ -44,9 +35,45 @@ { "toplevel_name": "Internal" }, + { + "name": "Bitwarden", + "url": "https://bitwarden.${domain}/" + }, + { + "name": "CUPS", + "url": "https://cups.${domain}/" + }, + { + "name": "DAViCal", + "url": "https://dav.${domain}/" + }, + { + "name": "Icinga", + "url": "https://icinga.${domain}/" + }, + { + "name": "Invidious", + "url": "https://invidious.${domain}/" + }, { "name": "Poudriere", "url": "http://pkg.${domain}/poudriere" + }, + { + "name": "Rspamd", + "url": "https://smtp.${domain}/" + }, + { + "name": "Tiny Tiny RSS", + "url": "https://ttrss.${domain}/" + }, + { + "name": "UniFi Controller", + "url": "https://unifi.${domain}/" + }, + { + "name": "ZNC", + "url": "https://znc.${domain}/" } ], "ExtensionSettings": { @@ -67,25 +94,22 @@ "extensions": { "cjpalhdlnbpafiamejdnhcphjbkeiagm": { "toOverwrite": { - "selectedFilterLists": [ + "filterLists": [ "user-filters", "ublock-filters", "ublock-badware", "ublock-privacy", - "ublock-abuse", + "ublock-quick-fixes", "ublock-unbreak", - "ublock-annoyances", - "ublock-cookies-easylist", - "fanboy-cookiemonster", "easylist", "easyprivacy", + "adguard-spyware-url", "urlhaus-1", "plowe-0", - "fanboy-annoyance", - "fanboy-social", + "fanboy-cookiemonster", + "ublock-cookies-easylist", "fanboy-thirdparty_social", - "adguard-spyware-url", - "ublock-quick-fixes" + "ublock-annoyances" ] }, "toAdd": { diff --git a/files/usr/local/etc/dovecot/dovecot-ldap-userdb.conf.ext.imap_server b/files/usr/local/etc/dovecot/dovecot-ldap-userdb.conf.ext.imap_server index fc939a6..6a7ce4e 100644 --- a/files/usr/local/etc/dovecot/dovecot-ldap-userdb.conf.ext.imap_server +++ b/files/usr/local/etc/dovecot/dovecot-ldap-userdb.conf.ext.imap_server 
@@ -6,11 +6,11 @@ sasl_realm = ${realm} base = ${users_basedn} user_filter = (|(mailAddress=%u)(uid=%u)) -user_attrs = \ - =user=%{ldap:uid}, \ - =uid=${dovecot_vmail_uid}, \ - =gid=${dovecot_vmail_uid}, \ - =home=${dovecot_vmail_dir}/%{ldap:uid} \ +user_attrs = \\ + =user=%{ldap:uid}, \\ + =uid=${dovecot_vmail_uid}, \\ + =gid=${dovecot_vmail_uid}, \\ + =home=${dovecot_vmail_dir}/%{ldap:uid}, \\ mailQuota=quota_rule=\*:storage=%{ldap:mailQuota} iterate_attrs = uid=user diff --git a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server index 4340192..116fe44 100644 --- a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server +++ b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server 
@@ -219,6 +219,20 @@ apply Service "cups-cert" { assign where ("cups-servers" in host.groups) } +apply Service for (vhost in host.vars.xmpp_vhosts) { + check_command = "tcp" + name = vhost + "-xmpp" + display_name = vhost + " xmpp" + vars.tcp_port = 5223 + vars.tcp_ssl = true + vars.tcp_sni = vhost + vars.tcp_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} + vars.tcp_wtime = ${icinga_response_time_warn} + vars.tcp_ctime = ${icinga_response_time_crit} + vars.tcp_send = "" + vars.tcp_expect = " /dev/null - poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/idm-pkglist -p "$ports_tree" -z idm > /dev/null - poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" > /dev/null + poudriere jail -u -j "$jail" > /dev/null + poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/idm-pkglist -p "$ports_tree" -z idm > /dev/null + poudriere pkgclean -j "$jail" -f /usr/local/etc/poudriere.d/idm-pkglist -p "$ports_tree" -z idm -y > /dev/null + poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" > /dev/null + poudriere pkgclean -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" -y > /dev/null done poudriere distclean -p "$ports_tree" -a -y > /dev/null diff --git a/files/usr/local/libexec/prosody-acme-proxy.xmpp_server b/files/usr/local/libexec/prosody-acme-proxy.xmpp_server index d69017b..70faddd 100644 --- a/files/usr/local/libexec/prosody-acme-proxy.xmpp_server +++ b/files/usr/local/libexec/prosody-acme-proxy.xmpp_server @@ -37,7 +37,7 @@ md5_old=$(cat "$CHECKSUM_FILE") printf 'get certs/%s.crt\n' "$@" printf 'get certs/%s.key\n' "$@" printf 'quit\n' -} | sftp -b - "$acmeproxy_target" +} | /usr/local/bin/sftp -b - "$acmeproxy_target" # Get md5 of the new certificates. md5_new=$(md5sum "$CERT_DIR"/*.crt "$CERT_DIR"/*.key | tee "$CHECKSUM_FILE") 
diff --git a/files/usr/local/libexec/prosody-update-roster.xmpp_server b/files/usr/local/libexec/prosody-update-roster.xmpp_server index 1b79747..84c0c6e 100644 --- a/files/usr/local/libexec/prosody-update-roster.xmpp_server +++ b/files/usr/local/libexec/prosody-update-roster.xmpp_server @@ -6,8 +6,9 @@ use warnings; use Net::LDAP; use Authen::SASL; -@ARGV == 1 or die "usage: $0 ROLE_NAME\n"; +@ARGV == 2 or die "usage: $0 ROLE_NAME ROSTER_FILE\n"; my $role = $ARGV[0]; +my $roster = $ARGV[1]; open my $fh, '<', '/usr/local/etc/openldap/ldap.conf' or quit($!); my %config; @@ -25,7 +26,7 @@ my $uri = $config{URI} // die("URI not specified\n"); my $users_basedn = $config{USERS_BASE} // die("USERS_BASE not specified\n"); my $roles_basedn = $config{ROLES_BASE} // die("ROLES_BASE not specified\n"); -my $conn = Net::LDAP->new($ldap_uris, version => '3') or die "$@"; +my $conn = Net::LDAP->new($uri, version => '3') or die "$@"; my $sasl = Authen::SASL->new($mech); my $status = $conn->bind(sasl => $sasl); $status->code and die $status->error; @@ -36,12 +37,13 @@ my $search = $conn->search( filter => "(&(memberOf=cn=$role,$roles_basedn)(mailAddress=*))", attrs => ['mailAddress', 'cn']); -print "[Internal]\n"; - +open $fh, '>', $roster or die "failed to open file for writing: $roster\n"; +print $fh "[Internal]\n"; foreach my $entry ($search->entries) { my $jid = ($entry->get_value('mailAddress'))[0]; my $cn = ($entry->get_value('cn'))[0] // $jid; - print "$jid=$cn\n"; + print $fh "$jid=$cn\n"; } +close $fh; system('prosodyctl reload'); diff --git a/files/usr/local/sbin/jailctl.freebsd_hypervisor b/files/usr/local/sbin/jailctl.freebsd_hypervisor index df48f57..8719297 100644 --- a/files/usr/local/sbin/jailctl.freebsd_hypervisor +++ b/files/usr/local/sbin/jailctl.freebsd_hypervisor 
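Review bot: The roster is rewritten in place and `prosodyctl reload` runs unconditionally, so if the script dies after the `open` (for instance an LDAP error surfacing from `$search->entries`) Prosody is left reloading an empty or truncated `[Internal]` roster, and the `system` exit status is never checked. Write to a temporary file next to `$roster` and `rename` it over the real file only after a successful `close`, then fail on a non-zero `system` result. The `cn` from LDAP is also interpolated unescaped into the INI line `$jid=$cn`; a cn containing a newline would inject extra roster entries, so strip line breaks (and presumably `=`, depending on how Prosody parses the file) before printing. The rest of the script, including the LDAP search setup, lies outside this hunk.
```perl
my $tmp = "$roster.tmp";
open my $out, '>', $tmp or die "failed to open file for writing: $tmp\n";
print $out "[Internal]\n";
foreach my $entry ($search->entries) {
  my $jid = ($entry->get_value('mailAddress'))[0];
  my $cn = ($entry->get_value('cn'))[0] // $jid;
  $cn =~ s/[\r\n]+/ /g;   # a newline in cn would start a new roster entry
  print $out "$jid=$cn\n";
}
close $out or die "failed to write $tmp: $!\n";
rename $tmp, $roster or die "failed to replace $roster: $!\n";
system('prosodyctl', 'reload') == 0 or die "prosodyctl reload failed\n";
```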
@@ -193,14 +193,14 @@ Options: zfs create -v "${JAIL_DATASET}/${name}" zfs clone \ $ZFS_OPTS \ - -o quota="$os_quota" \ + -o refquota="$os_quota" \ "$snapshot" "${JAIL_DATASET}/${name}/os" # Create delegated 'data' dataset. zfs create -v \ $ZFS_OPTS \ -o mountpoint=none \ - -o quota="$data_quota" \ + -o refquota="$data_quota" \ "${JAIL_DATASET}/${name}/data" # Copy timezone configuration from host. @@ -761,7 +761,7 @@ cmd::reprovision(){ zfs::ensure_snapshot snapshot "${JAIL_DATASET}/templates/${template}" # Stash old configuration data. - old_quota=$(zfs get -Hp -o value quota "${JAIL_DATASET}/${jail}/os") + old_quota=$(zfs get -Hp -o value refquota "${JAIL_DATASET}/${jail}/os") old_hostname=$(sysrc -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" -qn hostname) old_ifconfig=$(sysrc -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" -qn ifconfig_jail0) old_defaultrouter=$(sysrc -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" -qn defaultrouter) ||: @@ -773,7 +773,7 @@ cmd::reprovision(){ zfs destroy -v -f -r "${JAIL_DATASET}/${jail}/os" zfs clone \ $ZFS_OPTS \ - -o quota="$old_quota" \ + -o refquota="$old_quota" \ "$snapshot" "${JAIL_DATASET}/${jail}/os" # Copy timezone configuration from host. @@ -839,7 +839,7 @@ cmd::shell(){ jail::exists "$jail" || die "no such jail: ${jail}" jail::running "$jail" || die "jail not running: ${jail}" - jail::exec "$jail" /bin/csh + jail::exec "$jail" /bin/sh } cmd::show(){ @@ -857,7 +857,7 @@ cmd::show(){ printf -- '------------------------- JAIL CONFIGURATION -------------------------\n' cat "${JAIL_HOME}/${jail}/jail.conf" printf -- '\n---------------------------- ZFS DATASET -----------------------------\n' - zfs list -o name,quota,used,avail,mountpoint -S name \ + zfs list -o name,refquota,used,avail,mountpoint -S name \ "${JAIL_DATASET}/${jail}/os" \ "${JAIL_DATASET}/${jail}/data" } 
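Review bot: `cmd::reprovision` now reads `refquota` from the old `os` dataset, but jails created before this commit carry their limit in `quota` and have no `refquota` (printed as `0` with `-Hp`), so reprovisioning such a jail destroys the dataset that held the quota and clones the replacement with `refquota=0`, i.e. unlimited. Fall back to the legacy property when `refquota` is unset: keep `old_quota=$(zfs get -Hp -o value refquota "${JAIL_DATASET}/${jail}/os")` and add `[ "$old_quota" != 0 ] || old_quota=$(zfs get -Hp -o value quota "${JAIL_DATASET}/${jail}/os")`. A short comment on the property choice would also help, since the two differ exactly in snapshot accounting: `# refquota limits the dataset's own data, not its snapshots or descendants`. `cmd::reprovision` begins and ends outside these hunks.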
@@ -878,7 +878,7 @@ cmd::status(){ printf -- '---------------------------- JAIL STATUS -----------------------------\n' jls -j "$jail" -h jid name path osrelease host.hostname 2>/dev/null | column -t printf -- '\n---------------------------- ZFS DATASET -----------------------------\n' - zfs list -o name,quota,used,avail,mountpoint -S name \ + zfs list -o name,refquota,used,avail,mountpoint -S name \ "${JAIL_DATASET}/${jail}/os" \ "${JAIL_DATASET}/${jail}/data" \ | sed "s|^${JAIL_DATASET}/${jail}/||" \ diff --git a/files/usr/local/share/applications/gajim.desktop.desktop b/files/usr/local/share/applications/gajim.desktop.desktop new file mode 100644 index 0000000..ef5a3c9 --- /dev/null +++ b/files/usr/local/share/applications/gajim.desktop.desktop @@ -0,0 +1,20 @@ +[Desktop Entry] +Categories=Network;InstantMessaging;GTK;Chat; +Name=Gajim +GenericName=XMPP Chat Client +Comment=A fully-featured XMPP chat client +Keywords=chat;messaging;im;xmpp;voip; +Exec=gajim %u +Icon=org.gajim.Gajim +StartupNotify=false +X-GNOME-SingleWindow=true +X-GNOME-UsesNotifications=true +Terminal=false +Type=Application +MimeType=x-scheme-handler/xmpp; +Actions=StartChat; + +[Desktop Action StartChat] +Exec=gajim --start-chat +Name=Start a new chat +Icon=org.gajim.Gajim diff --git a/files/usr/local/share/applications/gajim.desktop.laptop b/files/usr/local/share/applications/gajim.desktop.laptop new file mode 120000 index 0000000..f1edc09 --- /dev/null +++ b/files/usr/local/share/applications/gajim.desktop.laptop @@ -0,0 +1 @@ +gajim.desktop.desktop \ No newline at end of file diff --git a/files/usr/local/share/applications/gajim.desktop.roadwarrior_laptop b/files/usr/local/share/applications/gajim.desktop.roadwarrior_laptop new file mode 120000 index 0000000..f1edc09 --- /dev/null +++ b/files/usr/local/share/applications/gajim.desktop.roadwarrior_laptop @@ -0,0 +1 @@ +gajim.desktop.desktop \ No newline at end of file diff --git a/pki b/pki index 96e8a87..4e10151 100755 --- a/pki +++ b/pki 
@@ -5,7 +5,7 @@ set -eu PROGNAME=pki -USAGE="" +USAGE="" BOXCONF_ROOT=$(dirname "$(readlink -f "$0")") BOXCONF_CA_PASSWORD_FILE="${BOXCONF_ROOT}/.ca_password" @@ -342,6 +342,36 @@ pki_renew(){ _pki_renew "${1}/${2}" "${days:-}" } +pki_pkcs12(){ + # Generate a pkcs12 bundle. + USAGE='pkcs12 HOSTNAME CERTNAME PATH' + [ $# -eq 3 ] || usage + + [ -f "${BOXCONF_CA_DIR}/${1}/${2}.crt" ] || die "certificate does not exist: ${1}/${2}.crt" + [ -f "${BOXCONF_CA_DIR}/${1}/${2}.key" ] || die "key does not exist: ${1}/${2}.key" + + _boxconf_get_vault_password + + PASS="$BOXCONF_VAULT_PASSWORD" openssl pkcs12 -legacy -export \ + -out "$3" \ + -inkey "${BOXCONF_CA_DIR}/${1}/${2}.key" \ + -in "${BOXCONF_CA_DIR}/${1}/${2}.crt" \ + -name "$2" \ + -passin env:PASS +} + +pki_show(){ + # Show a certificate and decrypted private key. + USAGE='show HOSTNAME CERTNAME' + [ -f "${BOXCONF_CA_DIR}/${1}/${2}.crt" ] || die "certificate does not exist: ${1}/${2}.crt" + [ -f "${BOXCONF_CA_DIR}/${1}/${2}.key" ] || die "key does not exist: ${1}/${2}.key" + + _boxconf_get_vault_password + + cat "${BOXCONF_CA_DIR}/${1}/${2}.crt" + _boxconf_decrypt_key "${BOXCONF_CA_DIR}/${1}/${2}.key" +} + [ $# -ge 1 ] || usage action=$1; shift @@ -354,5 +384,7 @@ case $action in server-cert|server|cert) pki_server "$@" ;; client-cert|client) pki_client "$@" ;; renew) pki_renew "$@" ;; + pkcs12) pki_pkcs12 "$@" ;; + show) pki_show "$@" ;; *) usage ;; esac diff --git a/scripts/hostclass/asterisk_server b/scripts/hostclass/asterisk_server index dcd2675..30699d8 100644 --- a/scripts/hostclass/asterisk_server +++ b/scripts/hostclass/asterisk_server 
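Review bot: `pki_show` sets USAGE but, unlike `pki_pkcs12`, never validates its argument count, so `pki show HOSTNAME` trips `set -u` on `$2` with a bare shell error instead of printing usage; add `[ $# -eq 2 ] || usage` right after the USAGE assignment. In `pki_pkcs12` the bundle written to `$3` contains the private key yet is created under the caller's umask, so run the export with `umask 077` (or `chmod 600 "$3"` afterwards). `-legacy` selects the old RC2-40/3DES PKCS#12 encryption, which deserves a comment naming the importer that requires it, e.g. `# -legacy: weak RC2/3DES PKCS#12 encryption for importers that cannot read AES bundles; drop once unneeded`. With no `-passout`, openssl prompts for the export password, which is fine interactively but will hang if this is ever scripted.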
@@ -34,6 +34,8 @@ asterisk_public_tls_cert="${acme_cert_dir}/asterisk.crt" asterisk_public_tls_key="${acme_cert_dir}/asterisk.key" asterisk_conf_dir=/usr/local/etc/asterisk +asterisk_sound_dir=/usr/local/share/asterisk/sounds/en +asterisk_g722_tarball=https://downloads.asterisk.org/pub/telephony/sounds/asterisk-core-sounds-en-g722-current.tar.gz asterisk_db_dir=/var/db/asterisk asterisk_user=asterisk @@ -50,6 +52,11 @@ zfs set \ "${state_dataset}/asterisk" install_directory -o "$asterisk_user" -g "$asterisk_user" -m 0755 "$asterisk_db_dir" +# Download G722 sounds. +if ! [ -f "${asterisk_sound_dir}/hello-world.g722" ]; then + curl -fL "$asterisk_g722_tarball" | tar xf - -C "$asterisk_sound_dir" +fi + # Generate asterisk configuration. install_file -m 0644 \ "${asterisk_conf_dir}/extensions.conf" \ diff --git a/scripts/hostclass/bitwarden_server b/scripts/hostclass/bitwarden_server index ff67c3e..f300b0d 100644 --- a/scripts/hostclass/bitwarden_server +++ b/scripts/hostclass/bitwarden_server @@ -15,6 +15,7 @@ vaultwarden_client_keytab="${keytab_dir}/vaultwarden.client.keytab" pkg install -y \ vaultwarden \ + ca_root_nss \ nginx # Create vaultwarden principal and keytab. diff --git a/scripts/hostclass/dav_server b/scripts/hostclass/dav_server index a69c072..e39b08c 100644 --- a/scripts/hostclass/dav_server +++ b/scripts/hostclass/dav_server @@ -9,6 +9,7 @@ : ${davical_branch:='master'} : ${davical_awl_repo:='https://gitlab.com/davical-project/awl.git'} : ${davical_awl_branch:='master'} +: ${davical_admins:=''} davical_dn="uid=${davical_username},${robots_basedn}" davical_repo_dir=/usr/local/www/davical 
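Review bot: The sound pack is fetched from an unpinned `-current` URL and piped straight into `tar` with no checksum or signature check, and since only `tar`'s status is visible to `set -e` a truncated download can leave a partial extraction whose `hello-world.g722` sentinel then makes every later run skip the step. Download to a temporary file first, verify it against a checksum file published next to the tarball (if one is available) or a pinned value in vars, and only then extract. Whether `asterisk_sound_dir` exists before this point is not visible here, so `tar -C` may also need an `install_directory` beforehand.
```sh
# Download G722 sounds.
if ! [ -f "${asterisk_sound_dir}/hello-world.g722" ]; then
  sounds_tmp=$(mktemp -t asterisk-sounds)
  curl -fsSL -o "$sounds_tmp" "$asterisk_g722_tarball"
  # TODO: verify "$sounds_tmp" against the published checksum before extracting.
  tar xf "$sounds_tmp" -C "$asterisk_sound_dir"
  rm -f "$sounds_tmp"
fi
```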
@@ -105,6 +106,17 @@ if ! davical_psql -c 'SELECT 1 FROM awl_db_revision'; then davical_psql -c "delete from usr where username = 'admin'" fi +if [ -n "$davical_admins" ]; then + # Note: This won't work until each admin in $davical_admins has logged in + # at least once. + davical_psql -c \ + "INSERT INTO role_member (user_no, role_no) + SELECT user_no, (SELECT role_no FROM roles WHERE role_name = 'Admin') + FROM usr + WHERE username in ('$(join "','" $davical_admins)') + ON CONFLICT DO NOTHING" +fi + # Copy TLS certificate for nginx. install_certificate nginx "$davical_https_cert" install_certificate_key nginx "$davical_https_key" diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop index bddce05..629ebc0 100644 --- a/scripts/hostclass/desktop +++ b/scripts/hostclass/desktop @@ -27,13 +27,14 @@ set_loader_conf \ linux_load=YES \ linux64_load=YES +# Enable FUSE. +set_loader_conf fusefs_load=YES + # Install packages common to all DEs. pkg install -y $desktop_common_packages -# Install scripts for creating local (non-NFS) home directories. -install_file -m 0555 \ - /usr/local/libexec/pam-create-local-homedir \ - /etc/profile.d/local-homedir.sh +# Install profile script for improving experience on NFS homedirs. +install_file -m 0555 /etc/profile.d/local-homedir.sh # Create ZFS dataset for local homedirs. create_dataset -o mountpoint=/usr/local/home "${state_dataset}/home" @@ -66,6 +67,9 @@ service webcamd status || service webcamd start install_file -m 0644 /usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop install_file -m 0555 /usr/local/libexec/nss-trust-root-ca +# Install gajim desktop file. +install_file -m 0644 /usr/local/share/applications/gajim.desktop + case $desktop_type in i3) pkg install -y $desktop_i3_packages 
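Review bot: The admin list is spliced into the SQL text via `'$(join "','" $davical_admins)'`, so a name containing a quote breaks the statement, and a crafted vars entry would run arbitrary SQL as the DAViCal database user; these values come from operator vars files rather than end users, but a guard is cheap. Validate each name against the character set usernames may contain before building the query, which also rejects empty or glob-like entries produced by the word split. `die` is assumed to be the boxconf helper used elsewhere in this tree; substitute whatever the hostclass scripts have in scope if it is not.
```sh
if [ -n "$davical_admins" ]; then
  for admin in $davical_admins; do
    case $admin in
      *[!A-Za-z0-9._@-]*) die "invalid davical admin username: ${admin}" ;;
    esac
  done
  # … unchanged: INSERT INTO role_member … ON CONFLICT DO NOTHING …
fi
```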
@@ -97,6 +101,11 @@ case $desktop_type in /usr/local/etc/xdg/plasma-workspace/shutdown install_file -m 0555 /usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh + # Disable user switching + # Broken with consolekit: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221452 + # VT switch causes loss of graphics acceleration: https://github.com/freebsd/drm-kmod/issues/175 + install_file -m 0644 /usr/local/etc/xdg/kdeglobals + # Enable sddm. sysrc -v sddm_enable=YES ;; diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm index eadd621..260e52b 100644 --- a/scripts/hostclass/idm_server/90-idm +++ b/scripts/hostclass/idm_server/90-idm @@ -68,11 +68,12 @@ pkg install -y \ pam_mkhomedir # Configure PAM/NSS integration. +install_template -m 0644 \ + /etc/pam.d/login \ + /etc/pam.d/sshd install_file -m 0644 \ /etc/nsswitch.conf \ /etc/pam.d/system \ - /etc/pam.d/login \ - /etc/pam.d/sshd \ /etc/pam.d/sudo \ /etc/pam.d/su \ /etc/pam.d/other diff --git a/scripts/hostclass/nfs_server/10-nfs b/scripts/hostclass/nfs_server/10-nfs index a775859..6ab8436 100644 --- a/scripts/hostclass/nfs_server/10-nfs +++ b/scripts/hostclass/nfs_server/10-nfs @@ -48,3 +48,4 @@ install_template -m 0644 /etc/exports for service in gssd nfsuserd mountd nfsd; do service "$service" status || service "$service" start done +service mountd reload diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository index 7044f96..86e6b2c 100644 --- a/scripts/hostclass/pkg_repository +++ b/scripts/hostclass/pkg_repository 
@@ -83,9 +83,11 @@ for version in $poudriere_versions; do abi="FreeBSD:${version%%.*}:$(uname -p)" [ -d "${poudriere_data_dir}/jails/${jail}" ] || poudriere jail -c -j "$jail" -v "$version" - poudriere jail -u -j "$jail" - poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm - poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest + poudriere jail -u -j "$jail" + poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm + poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm -y + poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest + poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest -y install_directory -m 0755 "${poudriere_data_dir}/data/packages/${abi}" ln -snfv "../${jail}-latest" "${poudriere_data_dir}/data/packages/${abi}/latest" @@ -102,7 +104,7 @@ install_directory -m 0555 "${poudriere_data_dir}/data/packages/poudriere" # Create cron job to update packages automatically. install_file -m 0555 /usr/local/libexec/poudriere-cron -install_file -m 0644 /etc/cron.d/poudriere +install_template -m 0644 /etc/cron.d/poudriere # Now that we have a valid repo, switch the pkg repo to the local filesystem. install_directory -m 0755 \ diff --git a/scripts/hostclass/public_webserver b/scripts/hostclass/public_webserver index 3877313..e92149f 100644 --- a/scripts/hostclass/public_webserver +++ b/scripts/hostclass/public_webserver @@ -20,8 +20,8 @@ zfs set \ "${state_dataset}/vhosts" # Configure nginx. -install_template -m 0644 /usr/local/etc/nginx/nginx.conf -install -Cv -m 0644 /dev/null /usr/local/etc/nginx/vhosts.conf +install_template -m 0644 "${nginx_conf_dir}/nginx.conf" +[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf" sysrc -v nginx_enable=YES service nginx restart 
@@ -37,7 +37,7 @@ for certname in $acme_certs; do done # Now that we have the ACME certs, add the vhosts. -install_template -m 0644 /usr/local/etc/nginx/vhosts.conf +install_template -m 0644 "${nginx_conf_dir}/vhosts.conf" service nginx restart # If any acmeproxy_domains were specified, setup the SFTP proxy. diff --git a/scripts/hostclass/smtp_server/20-postfix b/scripts/hostclass/smtp_server/20-postfix index 68ac474..795e574 100644 --- a/scripts/hostclass/smtp_server/20-postfix +++ b/scripts/hostclass/smtp_server/20-postfix @@ -38,10 +38,10 @@ ln -snfv "$postfix_keytab" "/var/krb5/user/${postfix_uid}/client.keytab" # Generate postfix configuration. install_template -m 0644 \ "${postfix_conf_dir}/main.cf" \ + "${postfix_conf_dir}/master.cf" \ "${postfix_conf_dir}/virtual_mailboxes.cf" \ "${postfix_conf_dir}/virtual_aliases.cf" \ /usr/local/lib/sasl2/smtpd.conf -install_file -m 0644 "${postfix_conf_dir}/master.cf" # Allow postfix to read the saslauthd socket. install_directory -m 0750 -o "$saslauthd_user" -g "$postfix_user" "$saslauthd_runtime_dir" @@ -54,10 +54,9 @@ if [ "$postfix_public_fqdn" != "$fqdn" ]; then # Acquire public TLS certificate. install_template -m 0600 /usr/local/etc/sudoers.d/acme acme_install_certificate \ - -c "$postfix_public_tls_cert" \ - -k "$postfix_public_tls_key" \ -g "$postfix_user" \ -r 'sudo service postfix reload' \ + postfix \ "$postfix_public_fqdn" fi diff --git a/scripts/hostclass/unifi_controller b/scripts/hostclass/unifi_controller index 9fd161e..96558e1 100644 --- a/scripts/hostclass/unifi_controller +++ b/scripts/hostclass/unifi_controller 
@@ -33,6 +33,10 @@ service unifi status && service unifi stop [ -f "${unifi_home}/data/keystore" ] || install -Cv -o "$unifi_user" -g "$unifi_user" -m 0600 /dev/null "${unifi_home}/data/keystore" su -m "$unifi_user" -c "java -jar ${unifi_home}/lib/ace.jar import_key_cert ${unifi_https_key} ${unifi_https_cert} ${site_cacert_path}" +# Add root CA to java keystore. +keytool -list -cacerts -storepass changeit -alias "$site" \ + || keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias "$site" -file "$site_cacert_path" + # Disable analytics. install_directory -m 0640 -o "$unifi_user" -g "$unifi_user" \ "${unifi_home}/data/sites" \ diff --git a/scripts/hostclass/xmpp_server b/scripts/hostclass/xmpp_server index 1889447..667014f 100644 --- a/scripts/hostclass/xmpp_server +++ b/scripts/hostclass/xmpp_server @@ -7,7 +7,7 @@ : ${prosody_admins:=''} : ${prosody_public_fqdn:="$fqdn"} : ${prosody_domains:="$email_domain"} -: ${prosody_ldap_passwd:='changeme'} +: ${prosody_ldap_password:='changeme'} : ${prosody_dbname:='prosody'} : ${prosody_dbhost:="$postgres_host"} : ${prosody_access_role:='xmpp-access'} @@ -24,10 +24,11 @@ prosody_dn="uid=${prosody_username},${robots_basedn}" prosody_local_user=prosody prosody_conf_dir=/usr/local/etc/prosody prosody_certs_dir="${prosody_conf_dir}/certs" -prosody_keytab="${keytab_dir}/prosody.keytab" +prosody_keytab="${keytab_dir}/prosody.client.keytab" prosody_roster_path="${prosody_conf_dir}/roster.ini" prosody_http_port=8080 -prosody_upload_dir=/var/db/prosody/http_upload +prosody_db_dir=/var/db/prosody +prosody_upload_dir="${prosody_db_dir}/http_upload" prosody_https_cacert="${acme_cert_dir}/nginx.ca.crt" prosody_https_cert="${acme_cert_dir}/nginx.crt" 
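Review bot: The site root CA is imported into the JVM-wide `cacerts` store with the well-known `changeit` password, which makes every Java program on the host trust the CA and, if that file is package-managed, may be reverted by the next openjdk upgrade until boxconf runs again. If only UniFi needs it, a dedicated truststore handed to the JVM via `-Djavax.net.ssl.trustStore` would be more contained. The `keytool -list … ||` guard also fires when `-list` fails for a reason other than a missing alias (unreadable store, wrong password), after which `-import` fails too and the script aborts with a misleading error; at minimum redirect the expected "does not exist" output with `>/dev/null 2>&1` and state the intent in the comment, e.g. `# Add the site root CA to the system-wide Java truststore (presumably so UniFi trusts internal TLS endpoints)`.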
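Review bot: `: ${prosody_ldap_password:='changeme'}` keeps a literal default password for the LDAP bind while renaming the variable, so any vars file still setting the old `prosody_ldap_passwd` is now silently ignored and the robot account is provisioned with `changeme`. Fail fast instead, `: ${prosody_ldap_password:?must be set in vars}`, or at least abort when the value is still the placeholder. The diffstat lists vars/hostclass/xmpp_server and vars/hostname/xmpp1 as changed, presumably for this rename, but those changes are not visible here.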
@@ -42,10 +43,8 @@ pkg install -y \ nginx # Create ZFS dataset for HTTP upload files. -create_dataset -o "mountpoint=${prosody_upload_dir}" "${state_dataset}/http_upload" - -# Set ownership on http_upload directory. -install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_upload_dir" +create_dataset -o "mountpoint=${prosody_db_dir}" "${state_dataset}/prosody" +install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_db_dir" # Create prosody user private group. ldap_add "cn=${prosody_username},${private_groups_basedn}" < ${prosody_roster_path}" +su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} ${prosody_roster_path}" # Copy prosody crontab. install_template -m 0644 /etc/cron.d/prosody # Configure nginx. -install_template -m 0644 /usr/local/etc/nginx/nginx.conf +install_template -m 0644 "${nginx_conf_dir}/nginx.conf" +[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf" sysrc -v nginx_enable=YES service nginx restart +# Retrieve webserver certificate via ACME. install_template -m 0600 /usr/local/etc/sudoers.d/acme acme_install_certificate \ - -C "$prosody_https_cacert" \ - -c "$prosody_https_cert" \ - -k "$prosody_https_key" \ -g "$nginx_user" \ -r 'sudo service nginx reload' \ + nginx \ "$prosody_public_fqdn" -# Now that we have the ACME certs, add the nginx vhost. -install_template -m 0644 /usr/local/etc/nginx/vhosts.conf +# Now that we have the ACME certs, add the vhosts. +install_template -m 0644 "${nginx_conf_dir}/vhosts.conf" +service nginx restart # Enable and start daemons. sysrc -v prosody_enable=YES diff --git a/scripts/hostname/desktop2 b/scripts/hostname/desktop2 new file mode 100644 index 0000000..0e6e551 --- /dev/null +++ b/scripts/hostname/desktop2 
@@ -0,0 +1,24 @@ +#!/bin/sh + +# This desktop has USB speakers and webcam USB microphone, so sndio can't +# use both at the same time. This creates a virtual device combining both +# of them into one virutal sound card. +# +# Because the virtual soundcard is installed to /dev/dsp, it will +# automatically be used as the default. + +playback_device=1 +recording_device=0 +samplerate=48000 +bits=16 +buffer_ms=25 +microphone_gain=50 + +pkg install -y virtual_oss +sysrc -v \ + virtual_oss_enable=YES \ + virtual_oss_dsp="-T /dev/sndstat -C 2 -c 2 -S -r ${samplerate} -b ${bits} -s ${buffer_ms}ms -O /dev/dsp${playback_device} -R /dev/dsp${recording_device} -d dsp -t vsdp.ctl" +service virtual_oss restart + +set_loader_conf "hint.pcm.${recording_device}.mic=${microphone_gain}" +set_loader_conf "hint.pcm.${playback_device}.pcm=100" diff --git a/scripts/hostname/nfs1/10-homedirs b/scripts/hostname/nfs1/10-homedirs index 3a6d923..db0c1e0 100644 --- a/scripts/hostname/nfs1/10-homedirs +++ b/scripts/hostname/nfs1/10-homedirs @@ -1,8 +1,12 @@ #!/bin/sh -default_priv_quota=250G +default_priv_quota=50G default_pub_quota=10G +# Format: username:privquota:pubquota. For example: +# nfs_homedirs='joe:250G:10G jane:250G' +# nfs_groupdirs='sysadmins:250G doefamily:100G:10G' + # Create user home directories. for userquota in ${nfs_homedirs:-}; do user=$(echo "$userquota" | awk -F: '{print $1}') diff --git a/scripts/hostname/nfs1/20-shares b/scripts/hostname/nfs1/20-shares index beb3b11..0dd6ddb 100644 --- a/scripts/hostname/nfs1/20-shares +++ b/scripts/hostname/nfs1/20-shares 
@@ -1,16 +1,22 @@ #!/bin/sh -# media/music -create_dataset -p "${nfs_dataset}/media/music" -zfs set \ - compression=off \ - com.sun:auto-snapshot:daily=true \ - com.sun:auto-snapshot:weekly=true \ - "${nfs_dataset}/media/music" -chgrp media-admin "${nfs_root}/media/music" -chmod 2770 "${nfs_root}/media/music" -set_facl "${nfs_root}/media/music" \ - group:media-admin:rwpDdaARWcs:fd:allow \ - group:media-admin:x:d:allow \ - group:media-access:raRcs:fd:allow \ - group:media-access:x:d:allow +media_access_group='media-access' +media_admin_group='media-admin' +media_shares='music shows movies audiobooks roms books scores isos' + +# media shares +for share in $media_shares; do + create_dataset -p "${nfs_dataset}/media/${share}" + zfs set \ + compression=off \ + com.sun:auto-snapshot:daily=true \ + com.sun:auto-snapshot:weekly=true \ + "${nfs_dataset}/media/${share}" + chgrp "$media_admin_group" "${nfs_root}/media/${share}" + chmod 2770 "${nfs_root}/media/${share}" + set_facl "${nfs_root}/media/${share}" \ + "group:${media_admin_group}:rwpDdaARWcs:fd:allow" \ + "group:${media_admin_group}:x:d:allow" \ + "group:${media_access_group}:raRcs:fd:allow" \ + "group:${media_access_group}:x:d:allow" +done diff --git a/scripts/hostname/nfs1/30-autofs b/scripts/hostname/nfs1/30-autofs index fe3a468..a7153d4 100644 --- a/scripts/hostname/nfs1/30-autofs +++ b/scripts/hostname/nfs1/30-autofs @@ -72,9 +72,11 @@ automountKey: /nfs/media automountInformation: auto_media ${nfs_mount_opts} EOF -# auto_media: music -ldap_add "automountKey=music,automountMapName=auto_media,${automount_basedn}" <