dotfiles/playbook.yml

---
- name: configure system
  hosts: localhost
  connection: local
  become: false
  tasks:
    - name: Read machine-specific variables
      ansible.builtin.include_vars:
        file: _machines/{{ ansible_hostname }}.yml
        name: machine
      tags:
        - always

    - ansible.builtin.set_fact:
        distro: "{{ ansible_distribution | lower }}"
      tags:
        - always

    - name: Check for valid distro
      ansible.builtin.assert:
        that: distro in ('archlinux')

    - block:
        - name: Install ansible requirements
          ansible.builtin.package:
            name: "{{ packages[distro] }}"
            state: present
          become: true
          vars:
            packages:
              archlinux:
                - python-jmespath

    - name: Pacman
      tags:
        - pacman
      block:
        - name: Enable multilib repository
          ansible.builtin.blockinfile:
            path: /etc/pacman.conf
            block: |
              [multilib]
              Include = /etc/pacman.d/mirrorlist
            marker: "# {mark} ANSIBLE MANAGED multilib"
          notify:
            - refresh package lists
          become: true

        - name: Make sure that package lists are refreshed if necessary
          ansible.builtin.meta: flush_handlers

        - name: Enable parallel download
          ansible.builtin.blockinfile:
            path: /etc/pacman.conf
            insertafter: "\\[options\\]"
            block: |
              ParallelDownloads = 5
            marker: "# {mark} ANSIBLE MANAGED parallel_download"
          become: true

        - name: Install pacman-contrib for paccache
          ansible.builtin.package:
            name: pacman-contrib
            state: present
          become: true

        - block:
            - name: Install pacman cache clean service
              ansible.builtin.copy:
                dest: /etc/systemd/system/pacman-cache-cleanup.service
                owner: root
                group: root
                mode: "0644"
                content: |
                  [Service]
                  Type=oneshot
                  ExecStart=/bin/sh -c '/usr/bin/paccache -rk1 && /usr/bin/paccache -ruk0'
                  RemainAfterExit=true
              become: true

            - name: Install pacman cache clean timer
              ansible.builtin.copy:
                dest: /etc/systemd/system/pacman-cache-cleanup.timer
                owner: root
                group: root
                mode: "0644"
                content: |
                  [Timer]
                  OnCalendar=daily

                  [Install]
                  WantedBy=multi-user.target
              become: true

            - ansible.builtin.systemd:
                name: pacman-cache-cleanup.timer
                enabled: true
                state: started
                daemon_reload: true
              become: true

              name: Enable pacman cache clean timer

    - name: dotfiles directory
      tags:
        - dotfiles-directory
      block:
        - name: create dotfiles group
          group:
            name: dotfiles
            state: present
          become: true
          become_user: root

        - name: create dotfiles user
          user:
            name: dotfiles
            group: dotfiles
            home: /var/lib/dotfiles
            create_home: false
            shell: /bin/bash
            system: true
          become: true
          become_user: root

        - name: create dotfiles directory
          file:
            state: directory
            path: /var/lib/dotfiles
            owner: dotfiles
            group: dotfiles
            mode: "0775" # group needs write access!
          become: true
          become_user: root

        - name: fix group for dotfiles directory
          shell: |
            chgrp --changes --recursive dotfiles . | grep -Ev "changed group of ('./.git/index'|'./.git/modules/)"
          args:
            executable: /bin/bash
            chdir: /var/lib/dotfiles
          register: dotfiles_group_change
          become: true
          become_user: root
          failed_when: dotfiles_group_change.rc not in (0, 1)
          changed_when: dotfiles_group_change.rc == 0 # == lines selected, i.e. some output

        - name: fix group permissions for dotfiles directory
          shell: |
            chmod --changes --recursive g+rwX . | grep -Ev "mode of ('./.git/index'|'./.git/modules/)"
          args:
            executable: /bin/bash
            chdir: /var/lib/dotfiles
          register: dotfiles_permission_change
          become: true
          become_user: root
          failed_when: dotfiles_permission_change.rc not in (0, 1)
          changed_when: dotfiles_permission_change.rc == 0 # == lines selected, i.e. some output

    - name: packages
      tags:
        - packages
      block:
        - name: load package list
          include_vars:
            file: packages.yml
            name: defined_packages

        - name: force-update iptables to iptables-nft on arch
          shell: |
            if ! pacman -Qi iptables | grep '^Name.*iptables-nft' ; then
              # --noconfirm does not cut it
              yes | pacman -S iptables-nft
              exit 100
            fi
            exit 0
          become: true
          register: force_install_iptables
          changed_when: force_install_iptables.rc == 100
          failed_when: force_install_iptables.rc not in (0, 100)

        - set_fact:
            distro_packages: "{{ defined_packages|json_query('*.%s'|format(distro)) }}"

        - name: check list
          assert:
            that: "defined_packages|length == distro_packages|length"

        - name: install packages
          package:
            name: "{{ defined_packages|json_query(pkg_query) }}"
            state: present
          become: true
          vars:
            pkg_query: "{{ '*.%s[]'|format(distro) }}"

        - name: install additional packages
          package:
            name: "{{ machine.additional_packages|default([]) }}"
            state: present
          become: true

        - name: remove unconfigured packages
          script:
            cmd: ./remove-unconfigured-packages.sh --noconfirm
          register: unconfigured_packages_cmd
          failed_when: unconfigured_packages_cmd.rc not in (0, 123)
          changed_when: unconfigured_packages_cmd.rc == 123
          become: true

    - name: Enable reflector timer
      ansible.builtin.systemd:
        name: reflector.timer
        enabled: true
        state: started
        daemon_reload: true
      become: true

    - name: aur
      tags:
        - aur
      block:
        - name: create build user on arch
          user:
            name: makepkg
            home: /var/lib/makepkg
            create_home: true
            shell: /bin/bash
            system: true
          become: true

        - set_fact:
            aur_packages:
              # local packages:
              - name: workstation-mgr

              - name: portfolio-performance-bin
                preexec: |
                  #!/usr/bin/env bash
                  source ./env
                  curl -sSf --proto '=https' https://keys.openpgp.org/vks/v1/by-fingerprint/E46E6F8FF02E4C83569084589239277F560C95AC | gpg --import -

              - name: spotify
                preexec: |
                  #!/usr/bin/env bash
                  source ./env
                  echo lel
                  curl -sSf --proto '=https' https://download.spotify.com/debian/pubkey_C85668DF69375001.gpg | gpg --import -

              - name: nodejs-intelephense
              - name: terraform-ls-bin
              - name: grm-git
              - name: screencfg-git
              - name: google-earth-pro

              # ===
              - name: python-botocore-stubs
              # dependency of
              - name: python-boto3-stubs

              - name: python-chevron
              - name: python-aws-lambda-builders
              # === dependencies of
              - name: aws-sam-cli

              # ===
              - name: python-vdf
              # dependency of
              - name: protontricks

              # ===
              - name: slack-desktop

              # ===
              - name: python-class-registry
              - name: python-rst2ansi
              # dependency of
              - name: backblaze-b2

              # ===
              - name: claude-code

        - set_fact:
            aur_packages: "{{ aur_packages|map(attribute='dependencies', default=[]) | flatten + aur_packages }}"

        - name: install dependencies
          shell: |
            aur_packages=({{ aur_packages | map(attribute='name') | join(' ') }})

            source pkgbuilds/{{ item.name }}/PKGBUILD

            installed=0

            dependencies=(${depends[@]} ${makedepends[@]} ${checkdepends[@]})
            for dep in "${dependencies[@]}" ; do
              aur=0
              for aur_pkg in "${aur_packages[@]}" ; do
                if [[ "${aur_pkg}" == "${dep}" ]] ; then
                  aur=1
                  break
                fi
              done

              if (( aur )) ; then
                continue
              fi

              if ! pacman -Qq "${dep}" >/dev/null 2>&1 ; then
                installed=1
                pacman -S --noconfirm --needed "${dep}"
              fi
            done

            if (( installed )) ; then
              exit 123
            else
              exit 0
            fi
          args:
            executable: /bin/bash
          register: install_deps
          failed_when: install_deps.rc not in (0, 123)
          changed_when: install_deps.rc == 123
          become: true
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: create build root directory
          file:
            path: "/var/lib/makepkg/{{ item.name }}/"
            state: directory
            mode: "0700"
            owner: makepkg
            group: makepkg
          become_user: makepkg
          become: true
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: create build gpg directory
          file:
            path: "/var/lib/makepkg/{{ item.name }}/gnupg"
            state: directory
            mode: "0700"
            owner: makepkg
            group: makepkg
          become_user: makepkg
          become: true
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: create env file
          copy:
            dest: /var/lib/makepkg/{{ item.name }}/env
            owner: makepkg
            group: makepkg
            mode: "0600"
            content: |
              export GNUPGHOME="/var/lib/makepkg/{{ item.name }}/gnupg"
          become_user: makepkg
          become: true
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: check preexec script
          stat:
            path: /var/lib/makepkg/{{ item.name }}/preexec
          become_user: makepkg
          become: true
          when: item.preexec is defined
          loop: "{{ aur_packages }}"
          register: preexec_before
          loop_control:
            label: "{{ item.name }}"

        - name: install preexec script
          copy:
            dest: /var/lib/makepkg/{{ item.name }}/preexec
            owner: makepkg
            group: makepkg
            mode: "0700"
            content: "{{ item.preexec }}"
          become_user: makepkg
          become: true
          when: item.preexec is defined
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: check preexec script
          stat:
            path: /var/lib/makepkg/{{ item.name }}/preexec
          become_user: makepkg
          become: true
          when: item.preexec is defined
          loop: "{{ aur_packages }}"
          register: preexec_after
          loop_control:
            label: "{{ item.name }}"

        - name: run preexec script
          command:
            cmd: "{{ item.1.stat.path }}"
            chdir: "{{ item.1.stat.path | dirname }}"
          become_user: makepkg
          become: true
          when: not item[0].stat.exists or (item[0].stat.checksum|default('') != item[1].stat.checksum)
          loop: "{{ preexec_before.results| reject('skipped')|zip(preexec_after.results| reject('skipped')) }}"
          loop_control:
            label: "{{ item.1.stat.path }}"

        - name: create build script
          copy:
            owner: makepkg
            group: makepkg
            mode: "0700"
            dest: /var/lib/makepkg/{{ item.name }}/build.sh
            content: |
              #!/usr/bin/env bash

              source /var/lib/makepkg/{{ item.name }}/env

              export PKGEXT='.pkg.tar'
              export BUILDDIR=/var/lib/makepkg/{{ item.name }}/build/
              export SRCDEST=/var/lib/makepkg/{{ item.name }}/src/
              export PKGDEST=/var/lib/makepkg/{{ item.name }}/

              cd /var/lib/dotfiles/pkgbuilds/{{ item.name }}/

              source ./PKGBUILD

              for arch in "${arch[@]}" ; do
                if [[ "${arch}" == "any" ]] ; then
                  arch="any"
                  break
                fi
                if [[ "${arch}" == "x86_64" ]] ; then
                  arch="x86_64"
                fi
              done

              if [[ ! "${arch}" ]] ; then
                printf 'unsupported arch\n' >&2
                exit 1
              fi

              if [[ "${epoch}" ]] ; then
                version="${epoch}:${pkgver}-${pkgrel}"
              else
                version="${pkgver}-${pkgrel}"
              fi

              filename="${PKGDEST%/}/${pkgname}-${version}-${arch}${PKGEXT}"

              if [[ ! -e "${filename}" ]] ; then
                makepkg \
                  --clean \
                  --nosign || exit 1
              fi

              printf '%s' "${filename}" > /var/lib/makepkg/{{ item.name }}/pkgname
          become: true
          become_user: makepkg
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: create install script
          copy:
            owner: root
            group: root
            mode: "0700"
            dest: /var/lib/makepkg/{{ item.name }}/install.sh
            content: |
              #!/usr/bin/env bash

              sudo -u makepkg -g makepkg /var/lib/makepkg/{{ item.name }}/build.sh || exit 1

              filename="$(</var/lib/makepkg/{{ item.name }}/pkgname)"

              name=$(pacman -Qi --file "${filename}" | grep '^Name' | awk '{print $3}')
              version=$(pacman -Qi --file "${filename}" | grep '^Version' | awk '{print $3}')

              if [[ "$(pacman -Q "${name}")" == "${name} ${version}" ]] ; then
                exit 0
              else
                pacman --upgrade --needed --noconfirm "$filename" || exit 1
                exit 123
              fi
          become: true
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: build and install aur package
          command: /var/lib/makepkg/{{ item.name }}/install.sh
          register: aur_install
          changed_when: aur_install.rc == 123
          failed_when: aur_install.rc not in (0, 123)
          become: true
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: clean up build leftovers
          file:
            path: /var/lib/makepkg/{{ item[0].name }}/{{ item[1] }}/
            state: absent
          become_user: makepkg
          become: true
          with_nested:
            - "{{ aur_packages }}"
            - - build
              - src
          loop_control:
            label: "{{ item[0].name }}/{{ item[1] }}"

    - name: configure timesyncd on arch
      copy:
        owner: root
        group: root
        mode: "0644"
        dest: /etc/systemd/timesyncd.conf
        content: |
          [Time]
          NTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org
          FallbackNTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
      become: true

    - name: install lz4
      package:
        name: lz4
        state: present
      become: true

    - name: set mkinitcpio hooks
      set_fact:
        mkinitcpio_hooks: "base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems resume fsck"
      when: machine.encrypted_root|bool

    - name: set mkinitcpio hooks
      set_fact:
        mkinitcpio_hooks: "base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems resume fsck"
      when: not machine.encrypted_root|bool

    - name: configure mkinitcpio hooks
      lineinfile:
        path: /etc/mkinitcpio.conf
        regexp: "^#?HOOKS=.*$"
        line: 'HOOKS=({{ mkinitcpio_hooks }})'
      become: true
      notify:
        - rebuild initrd

    - name: use vz4 for mkinitcpio compression
      lineinfile:
        path: /etc/mkinitcpio.conf
        regexp: "^#?COMPRESSION=.*$"
        line: 'COMPRESSION="lz4"'
      become: true
      notify:
        - rebuild initrd

    - name: libvirtd
      tags:
        - libvirtd
      # Arch defaults to systemd socket activation. Hate that stuff, just run the
      # damn daemon (so I notice early when something is wrong, not just when I
      # want to use it).
      block:
        - name: mask sockets
          service:
            state: stopped
            enabled: false
            masked: true
            name: "{{ item }}"
          loop:
            - libvirtd.socket
            - libvirtd-tls.socket
            - libvirtd-tcp.socket
            - libvirtd-ro.socket
            - libvirtd-admin.socket
          become: true

        # the libvirtd unit file contains the following setting:
        #
        # Environment=LIBVIRTD_ARGS="--timeout 120"
        #
        # This will make libvirtd stop after 120 seconds without connections or running
        # domains. To convince the daemon to just keep being a daemon, this needs to be
        # removed. Fortunately, the unit also contains the following:
        #
        # EnvironmentFile=-/etc/conf.d/libvirtd
        #
        # And `EnvironmentFile` trumps `Environment`. Otherwise we'd need to do some
        # damn systemd override shenanigans.
        - name: configure libvirtd env variable override
          copy:
            owner: root
            group: root
            mode: "0600"
            dest: /etc/conf.d/libvirtd
            content: |
              LIBVIRTD_ARGS=
          become: true
          notify:
            - restart libvirtd

        - name: enable libvirtd
          service:
            state: started
            enabled: true
            name: libvirtd.service
          become: true

    - name: services
      tags:
        - services
      block:
        - set_fact:
            disable_services:
              - sshd

        - name: disable services
          service:
            state: stopped
            enabled: false
            name: "{{ item }}.service"
          with_items: "{{ disable_services }}"
          become: true

        - set_fact:
            enable_services:
              - NetworkManager
              - docker
              - systemd-timesyncd

        - name: enable services
          service:
            state: started
            enabled: true
            name: "{{ item }}.service"
          with_items: "{{ enable_services }}"
          become: true

        - name: enable sockets
          service:
            state: started
            enabled: true
            name: "{{ item }}.socket"
          loop:
            - pcscd
          become: true

    - name: get systemd boot target
      command: systemctl get-default
      register: systemd_target
      changed_when: false
      check_mode: false

    - name: define systemd default target
      set_fact:
        default_target: "{{ machine.system_default_target|default('multi-user.target') }}"

    - name: set systemd boot target
      command: systemctl set-default {{ default_target }}
      when: systemd_target.stdout != default_target
      become: true

    - name: handle lid switch
      lineinfile:
        path: /etc/systemd/logind.conf
        regexp: "^HandleLidSwitch="
        line: "HandleLidSwitch=ignore"
      become: true

    - name: handle power key
      lineinfile:
        path: /etc/systemd/logind.conf
        regexp: "^HandlePowerKey="
        line: "HandlePowerKey=suspend"
      become: true

    - name: limit journald size
      lineinfile:
        path: /etc/systemd/journald.conf
        regexp: "^#?SystemMaxUse=.*$"
        line: "SystemMaxUse=50M"
      become: true
      notify:
        - restart journald

    - name: create sudonopw group
      group:
        name: sudonopw
        system: true

    - name: configure passwordless sudo
      copy:
        owner: root
        group: root
        mode: "0600"
        dest: /etc/sudoers.d/sudonopw
        content: |
          %sudonopw ALL=(ALL) NOPASSWD: ALL
      become: true

    - name: configure passwordless doas
      copy:
        owner: root
        group: root
        mode: "0400"
        dest: /etc/doas.conf
        content: |
          permit nopass nolog setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin} :sudonopw
      become: true

    - name: hardware-specific configuration
      tags:
        - hardware
      block:
        - name: read driver variables
          include_vars:
            file: drivers.yml
            name: drivers
          tags:
            - always

        - name: gpu configuration
          tags:
            - hardware:gpu
          block:
            - name: install AMD cpu packages
              package:
                name: "{{ drivers.cpu.amd }}"
                state: present
              become: true
              when: machine.cpu == 'amd'

            - name: install Intel cpu packages
              package:
                name: "{{ drivers.cpu.intel }}"
                state: present
              become: true
              when: machine.cpu == 'intel'

          when:
            - machine.cpu is defined

        - name: gpu configuration
          tags:
            - hardware:gpu
          block:
            - name: AMD configuration
              when: machine.gpu == 'amd'
              block:
                - name: install AMDGPU packages
                  package:
                    name: "{{ drivers.gpu.amd }}"
                    state: present
                  become: true

                - name: set AMDGPU options
                  copy:
                    owner: root
                    group: root
                    mode: "0600"
                    dest: /etc/X11/xorg.conf.d/20-amdgpu.conf
                    content: |
                      Section "Device"
                          Identifier "AMD"
                          Driver "amdgpu"
                          Option "VariableRefresh" "true"
                          Option "TearFree" "true"
                      EndSection
                  become: true

            - name: Nvidia configuration
              when: machine.gpu == 'nvidia'
              block:
                - name: install nouveau packages
                  package:
                    name: "{{ drivers.gpu.nvidia }}"
                    state: present
                  become: true

            - name: Intel configuration
              when: machine.gpu == 'intel'
              block:
                - name: install intel packages
                  package:
                    name: "{{ drivers.gpu.intel }}"
                    state: present
                  become: true
          when:
            - machine.gpu is defined

    # See https://bbs.archlinux.org/viewtopic.php?id=259764
    - block:
        - name: configure pacman to skip installing nextcloud dbus file
          blockinfile:
            path: /etc/pacman.conf
            insertafter: "^#NoExtract"
            block: |
              NoExtract = usr/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service
            marker: "# {mark} ANSIBLE MANAGED noextract nextcloud"
          become: true

        - name: remove nextcloud dbus file
          file:
            path: /usr/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service
            state: absent
          become: true

    - name: try to make gpg agent behave
      block:
        - name: configure pacman to skip installing gpg user units
          blockinfile:
            path: /etc/pacman.conf
            insertafter: "^#NoExtract"
            block: |
              NoExtract = usr/lib/systemd/user/gpg-agent*
            marker: "# {mark} ANSIBLE MANAGED noextract gpg-agent"
          become: true

    - name: backlight configuration
      tags:
        - backlight
      block:
        # See https://wiki.archlinux.org/title/backlight#ACPI
        - name: create udev rule to allow video group backlight access
          copy:
            dest: /etc/udev/rules.d/backlight.rules
            owner: root
            group: root
            mode: "0644"
            content: |
              ACTION=="add", SUBSYSTEM=="backlight", RUN+="/bin/chgrp video $sys$devpath/brightness", RUN+="/bin/chmod g+w $sys$devpath/brightness"
          become: true

    - set_fact:
        users: "{{ machine.users }}"
      tags:
        - always

    - include_tasks: user.yml
      args:
        apply:
          become: true
          become_user: "{{ user.name }}"
          tags:
            - user
      with_items: "{{ users }}"
      no_log: true # less spam
      loop_control:
        loop_var: user
      tags:
        - always

    - include_tasks: "{{ item }}"
      with_first_found:
        - files:
            - "_machines/{{ ansible_hostname }}-tasks.yml"
          skip: true
      tags:
        - always

  handlers:
    - name: refresh package lists
      community.general.pacman:
        update_cache: true
      become: true

    - name: rebuild initrd
      command: mkinitcpio -P
      become: true
      register: mkinitcpio_cmd
      failed_when: >
        mkinitcpio_cmd.rc != 0
        and
        not (mkinitcpio_cmd.rc == 1 and "file not found: `fsck.overlay'" in mkinitcpio_cmd.stderr)

    - name: restart journald
      service:
        name: systemd-journald
        state: restarted
      become: true

    - name: restart libvirtd
      service:
        name: libvirtd
        state: restarted
      become: true