dotfiles/playbook.yml

- name: configure system
  hosts: localhost
  connection: local
  become: false
  tasks:
    - name: read machine-specific variables
      include_vars:
        file: _machines/{{ ansible_hostname }}.yml
        name: machine
      tags:
        - always

    - set_fact:
        distro: "{{ ansible_distribution|lower }}"
      tags:
        - always

    - name: check for valid distro
      assert:
        that: distro in ('archlinux')

    - block:
      - name: install ansible requirements
        package:
          name: "{{ packages[distro] }}"
          state: present
        become: true
        vars:
          packages:
            archlinux:
              - python-jmespath

    - name: pacman
      tags:
        - pacman
      block:
        - name: enable multilib repository
          blockinfile:
            path: /etc/pacman.conf
            block: |
              [multilib]
              Include = /etc/pacman.d/mirrorlist
            marker: "# {mark} ANSIBLE MANAGED multilib"
          become: true

        - name: enable parallel download
          blockinfile:
            path: /etc/pacman.conf
            insertafter: '\[options\]'
            block: |
              ParallelDownloads = 5
            marker: "# {mark} ANSIBLE MANAGED parallel_download"
          become: true

        - block:
          - name: upgrade system
            pacman:
              upgrade: true
              update_cache: true
            become: true
            changed_when: false

          tags: [system-update]

        - name: install pacman-contrib for paccache
          package:
            name: pacman-contrib
            state: present
          become: true

        - block:
          - name: install pacman cache clean service
            copy:
              dest: /etc/systemd/system/pacman-cache-cleanup.service
              owner: root
              group: root
              mode: '0644'
              content: |
                [Service]
                Type=oneshot
                ExecStart=/bin/sh -c '/usr/bin/paccache -rk1 && /usr/bin/paccache -ruk0'
                RemainAfterExit=true
            become: true

          - name: install pacman cache clean timer
            copy:
              dest: /etc/systemd/system/pacman-cache-cleanup.timer
              owner: root
              group: root
              mode: '0644'
              content: |
                [Timer]
                OnCalendar=daily

                [Install]
                WantedBy=multi-user.target
            become: true

          - name: enable pacman cache clean timer
            systemd:
              name: pacman-cache-cleanup.timer
              enabled: true
              state: started
              daemon_reload: true
            become: true

    - name: dotfiles directory
      tags:
        - dotfiles-directory
      block:
        - name: create dotfiles group
          group:
            name: dotfiles
            state: present
          become: true
          become_user: root

        - name: create dotfiles user
          user:
            name: dotfiles
            group: dotfiles
            home: /var/lib/dotfiles
            create_home: false
            shell: /bin/bash
            system: true
          become: true
          become_user: root

        - name: create dotfiles directory
          file:
            state: directory
            path: /var/lib/dotfiles
            owner: dotfiles
            group: dotfiles
            mode: '0775' # group needs write access!
          become: true
          become_user: root

        - name: fix permissions for dotfiles directory
          shell: |
            chown --changes --recursive dotfiles:dotfiles .
            chmod --changes --recursive g+rwX .
          args:
            executable: /bin/bash
            chdir: /var/lib/dotfiles
          register: dotfiles_permission_change
          become: true
          become_user: root
          changed_when: dotfiles_permission_change.stdout_lines|length > 0

    - name: packages
      tags:
        - packages
      block:
        - name: load package list
          include_vars:
            file: packages.yml
            name: defined_packages

        - name: force-update iptables to iptables-nft on arch
          shell: |
            if ! pacman -Qi iptables | grep '^Name.*iptables-nft' ; then
              # --noconfirm does not cut it
              yes | pacman -S iptables-nft
              exit 100
            fi
            exit 0
          become: true
          register: force_install_iptables
          changed_when: force_install_iptables.rc == 100
          failed_when: force_install_iptables.rc not in (0, 100)

        - set_fact:
            distro_packages: "{{ defined_packages|json_query('*.%s'|format(distro)) }}"

        - name: check list
          assert:
            that: "defined_packages|length == distro_packages|length"

        - name: install packages
          package:
            name: "{{ defined_packages|json_query(query) }}"
            state: present
          become: true
          vars:
            query: "{{ '*.%s[]'|format(distro) }}"

        - name: remove unconfigured packages
          script:
            cmd: ./remove-unconfigured-packages.sh --noconfirm
          register: unconfigured_packages_cmd
          failed_when: unconfigured_packages_cmd.rc not in (0, 123)
          changed_when: unconfigured_packages_cmd.rc == 123
          become: true

    - name: aur
      tags:
        - aur
      block:
        - name: create build user on arch
          user:
            name: makepkg
            home: /var/lib/makepkg
            create_home: true
            shell: /bin/bash
            system: true
          become: true

        - set_fact:
            aur_packages:
              - name: portfolio-performance-bin
                preexec: |
                  #!/usr/bin/env bash
                  source ./env
                  curl -sSf --proto '=https' https://keys.openpgp.org/vks/v1/by-fingerprint/E46E6F8FF02E4C83569084589239277F560C95AC | gpg --import -

              - name: spotify
                preexec: |
                  #!/usr/bin/env bash
                  source ./env
                  curl -sSf --proto '=https' https://download.spotify.com/debian/pubkey_6224F9941A8AA6D1.gpg | gpg --import -

              - name: nodejs-intelephense
              - name: vim-plug
              - name: terraform-ls-bin
              - name: grm-git
              - name: screencfg-git

        - set_fact:
            aur_packages: "{{ aur_packages|map(attribute='dependencies', default=[]) | flatten + aur_packages }}"

        - name: install dependencies
          shell: |
            aur_packages=({{ aur_packages | map(attribute='name') | join(' ') }})

            source pkgbuilds/{{ item.name }}/PKGBUILD

            installed=0

            dependencies=(${depends[@]} ${makedepends[@]})
            for dep in "${dependencies[@]}" ; do
              aur=0
              for aur_pkg in "${aur_packages[@]}" ; do
                if [[ "${aur_pkg}" == "${dep}" ]] ; then
                  aur=1
                  break
                fi
              done

              if (( aur )) ; then
                continue
              fi

              if ! pacman -Qq "${dep}" >/dev/null 2>&1 ; then
                installed=1
                pacman -S --noconfirm --needed "${dep}"
              fi
            done

            if (( installed )) ; then
              exit 123
            else
              exit 0
            fi
          args:
            executable: /bin/bash
          register: install_deps
          failed_when: install_deps.rc not in (0, 123)
          changed_when: install_deps.rc == 123
          become: true
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: create build root directory
          file:
            path: "/var/lib/makepkg/{{ item.name }}/"
            state: directory
            mode: '0700'
            owner: makepkg
            group: makepkg
          become_user: makepkg
          become: true
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: create build gpg directory
          file:
            path: "/var/lib/makepkg/{{ item.name }}/gnupg"
            state: directory
            mode: '0700'
            owner: makepkg
            group: makepkg
          become_user: makepkg
          become: true
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: create env file
          copy:
            dest: /var/lib/makepkg/{{ item.name }}/env
            owner: makepkg
            group: makepkg
            mode: "0600"
            content: |
              export GNUPGHOME="/var/lib/makepkg/{{ item.name }}/gnupg"
          become_user: makepkg
          become: true
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: check preexec script
          stat:
            path: /var/lib/makepkg/{{ item.name }}/preexec
          become_user: makepkg
          become: true
          when: item.preexec is defined
          loop: "{{ aur_packages }}"
          register: preexec_before
          loop_control:
            label: "{{ item.name }}"

        - name: install preexec script
          copy:
            dest: /var/lib/makepkg/{{ item.name }}/preexec
            owner: makepkg
            group: makepkg
            mode: "0700"
            content: "{{ item.preexec }}"
          become_user: makepkg
          become: true
          when: item.preexec is defined
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: check preexec script
          stat:
            path: /var/lib/makepkg/{{ item.name }}/preexec
          become_user: makepkg
          become: true
          when: item.preexec is defined
          loop: "{{ aur_packages }}"
          register: preexec_after
          loop_control:
            label: "{{ item.name }}"

        - name: run preexec script
          command:
            cmd: "{{ item.1.stat.path }}"
            chdir: "{{ item.1.stat.path | dirname }}"
          become_user: makepkg
          become: true
          when:
            - not item[0].stat.exists
            - item[0].stat.checksum|default('') != item[1].stat.checksum
          loop: "{{ preexec_before.results| reject('skipped')|zip(preexec_after.results| reject('skipped')) }}"
          loop_control:
            label: "{{ item.1.stat.path }}"

        - name: create build script
          copy:
            owner: makepkg
            group: makepkg
            mode: "0700"
            dest: /var/lib/makepkg/{{ item.name }}/build.sh
            content: |
              #!/usr/bin/env bash

              source /var/lib/makepkg/{{ item.name }}/env

              export PKGEXT='.pkg.tar'
              export BUILDDIR=/var/lib/makepkg/{{ item.name }}/build/
              export SRCDEST=/var/lib/makepkg/{{ item.name }}/src/
              export PKGDEST=/var/lib/makepkg/{{ item.name }}/

              cd /var/lib/dotfiles/pkgbuilds/{{ item.name }}/

              source ./PKGBUILD

              for arch in "${arch[@]}" ; do
                if [[ "${arch}" == "any" ]] ; then
                  arch="any"
                  break
                fi
                if [[ "${arch}" == "x86_64" ]] ; then
                  arch="x86_64"
                fi
              done

              if [[ ! "${arch}" ]] ; then
                printf 'unsupported arch\n' >&2
                exit 1
              fi

              if [[ "${epoch}" ]] ; then
                version="${epoch}:${pkgver}-${pkgrel}"
              else
                version="${pkgver}-${pkgrel}"
              fi

              filename="${PKGDEST%/}/${pkgname}-${version}-${arch}${PKGEXT}"

              needed_build=0
              if [[ ! -e "${filename}" ]] ; then
                needed_build=1
                makepkg \
                  --clean \
                  --nosign || exit 1
              fi

              printf '%s' "${filename}" > /var/lib/makepkg/{{ item.name }}/pkgname
          become: true
          become_user: makepkg
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: create install script
          copy:
            owner: root
            group: root
            mode: "0700"
            dest: /var/lib/makepkg/{{ item.name }}/install.sh
            content: |
              #!/usr/bin/env bash

              sudo -u makepkg -g makepkg /var/lib/makepkg/{{ item.name }}/build.sh || exit 1

              filename="$(</var/lib/makepkg/{{ item.name }}/pkgname)"

              name=$(pacman -Qi --file "${filename}"  | grep '^Name' | awk '{print $3}')
              version=$(pacman -Qi --file "${filename}"  | grep '^Version' | awk '{print $3}')

              if [[ "$(pacman -Q "${name}")" == "${name} ${version}" ]] ; then
                exit 0
              else
                pacman --upgrade --needed --noconfirm "$filename" || exit 1
                exit 123
              fi
          become: true
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: build and install aur package
          command: /var/lib/makepkg/{{ item.name }}/install.sh
          register: aur_install
          changed_when: aur_install.rc == 123
          failed_when: aur_install.rc not in (0, 123)
          become: true
          loop: "{{ aur_packages }}"
          loop_control:
            label: "{{ item.name }}"

        - name: clean up build leftovers
          file:
            path: /var/lib/makepkg/{{ item[0].name }}/{{ item[1] }}/
            state: absent
          become_user: makepkg
          become: true
          with_nested:
            - "{{ aur_packages }}"
            -
              - build
              - src
          loop_control:
            label: "{{ item[0].name }}/{{ item[1] }}"

    - name: configure timesyncd on arch
      copy:
        owner: root
        group: root
        mode: "0644"
        dest: /etc/systemd/timesyncd.conf
        content: |
          [Time]
          NTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org
          FallbackNTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
      become: true

    - name: install lz4
      package:
        name: lz4
        state: present
      become: true

    - name: use vz4 for mkinitcpio compression
      lineinfile:
        path: /etc/mkinitcpio.conf
        regexp: '^#?COMPRESSION=.*$'
        line: 'COMPRESSION="lz4"'
      become: true
      notify:
        - rebuild initrd

    - name: services
      tags:
        - services
      block:
        - set_fact:
            disable_services:
              - sshd.service

        - name: disable services
          service:
            state: stopped
            enabled: false
            name: "{{ item }}"
          with_items: "{{ disable_services }}"
          become: true
          when: manage_services|default(true)|bool

        - set_fact:
            enable_services:
              - NetworkManager
              - docker
              - libvirtd
              - systemd-timesyncd
              - pcscd

        - name: enable services
          service:
            state: started
            enabled: true
            name: "{{ item }}"
          with_items: "{{ enable_services }}"
          become: true
          when: manage_services|default(true)|bool

    - name: get systemd boot target
      command: systemctl get-default
      register: systemd_target
      changed_when: false
      check_mode: false

    - set_fact:
        default_target: multi-user.target

    - name: set systemd boot target
      command: systemctl set-default {{ default_target }}
      when: systemd_target.stdout != default_target
      become: true

    - name: handle lid switch
      lineinfile:
        path: /etc/systemd/logind.conf
        regexp: '^HandleLidSwitch='
        line: 'HandleLidSwitch=ignore'
      become: true

    - name: handle power key
      lineinfile:
        path: /etc/systemd/logind.conf
        regexp: '^HandlePowerKey='
        line: 'HandlePowerKey=suspend'
      become: true

    - name: limit journald size
      lineinfile:
        path: /etc/systemd/journald.conf
        regexp: '^#?SystemMaxUse=.*$'
        line: 'SystemMaxUse=50M'
      become: true
      notify:
        - restart journald

    - name: create sudonopw group
      group:
        name: sudonopw
        system: true

    - name: configure passwordless sudo
      copy:
        owner: root
        group: root
        mode: "0600"
        dest: /etc/sudoers.d/sudonopw
        content: |
          %sudonopw ALL=(ALL) NOPASSWD: ALL
      become: true

    - name: configure passwordless doas
      copy:
        owner: root
        group: root
        mode: "0400"
        dest: /etc/doas.conf
        content: |
          permit nopass nolog setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin} :sudonopw
      become: true

    - name: hardware-specific configuration
      tags:
        - hardware
      block:
        - name: read driver variables
          include_vars:
            file: drivers.yml
            name: drivers
          tags:
            - always

        - name: gpu configuration
          tags:
            - hardware:gpu
          block:
            - name: install AMD cpu packages
              package:
                name: "{{ drivers.cpu.amd }}"
                state: present
              become: true
              when: machine.cpu == 'amd'

            - name: install Intel cpu packages
              package:
                name: "{{ drivers.cpu.intel }}"
                state: present
              become: true
              when: machine.cpu == 'intel'
              
          when:
            - machine.cpu is defined

        - name: gpu configuration
          tags:
            - hardware:gpu
          block:
            - name: AMD configuration
              when: machine.gpu == 'amd'
              block:
                - name: install AMDGPU packages
                  package:
                    name: "{{ drivers.gpu.amd }}"
                    state: present
                  become: true

                - name: set AMDGPU options
                  copy:
                    owner: root
                    group: root
                    mode: "0600"
                    dest: /etc/X11/xorg.conf.d/20-amdgpu.conf
                    content: |
                      Section "Device"
                          Identifier "AMD"
                          Driver "amdgpu"
                          Option "VariableRefresh" "true"
                          Option "TearFree" "true"
                      EndSection
                  become: true

            - name: Nvidia configuration
              when: machine.gpu == 'nvidia'
              block:
                - name: install nouveau packages
                  package:
                    name: "{{ drivers.gpu.nvidia }}"
                    state: present
                  become: true
          when:
            - machine.gpu is defined

    - set_fact:
        users: "{{ machine.users }}"
      tags:
        - always

    # See https://bbs.archlinux.org/viewtopic.php?id=259764
    - block:
      - name: configure pacman to skip installing nextcloud dbus file
        blockinfile:
          path: /etc/pacman.conf
          insertafter: '^#NoExtract'
          block: |
            NoExtract = usr/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service
          marker: "# {mark} ANSIBLE MANAGED noextract nextcloud"
        become: true

      - name: remove nextcloud dbus file
        file:
          path: /usr/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service
          state: absent
        become: true

    - name: try to make gpg agent behave
      block:
      - name: configure pacman to skip installing gpg user units
        blockinfile:
          path: /etc/pacman.conf
          insertafter: '^#NoExtract'
          block: |
            NoExtract = usr/lib/systemd/user/gpg-agent*
          marker: "# {mark} ANSIBLE MANAGED noextract gpg-agent"
        become: true

    - name: backlight configuration
      tags:
        - backlight
      block:
        # See https://wiki.archlinux.org/title/backlight#ACPI
        - name: create udev rule to allow video group backlight access
          copy:
            dest: /etc/udev/rules.d/backlight.rules
            owner: root
            group: root
            mode: '0644'
            content: |
              ACTION=="add", SUBSYSTEM=="backlight", RUN+="/bin/chgrp video $sys$devpath/brightness", RUN+="/bin/chmod g+w $sys$devpath/brightness"
          become: true

    - include_tasks: user.yml
      args:
        apply:
          become: true
          become_user: "{{ user.name }}"
          tags:
            - user
      with_items: "{{ users }}"
      no_log: True # less spam
      loop_control:
        loop_var: user
      tags:
        - always

  handlers:
    - name: rebuild initrd
      command: mkinitcpio -P
      become: true
      register: mkinitcpio_cmd
      failed_when: >
        mkinitcpio_cmd.rc != 0
        and
        not (mkinitcpio_cmd.rc == 1 and "file not found: `fsck.overlay'" in mkinitcpio_cmd.stderr)

    - name: restart journald
      service:
        name: systemd-journald
        state: restarted
      become: true