Install drone CLI

They will be installed by ansible, and are not required for the
ansible run.

.gitmodules

@@ -1,15 +1,15 @@
-[submodule "contrib/vim-plug"]
-	path = contrib/vim-plug
-	url = https://github.com/junegunn/vim-plug
 [submodule "ansible_roles/firefox"]
 	path = ansible_roles/firefox
 	url = https://github.com/staticdev/ansible-role-firefox
 [submodule "pkgbuilds/spotify"]
 	path = pkgbuilds/spotify
 	url = https://aur.archlinux.org/spotify.git
-[submodule "pkgbuilds/archlinux-java-run"]
+[submodule "pkgbuilds/nodejs-intelephense"]
-	path = pkgbuilds/archlinux-java-run
+	path = pkgbuilds/nodejs-intelephense
-	url = https://aur.archlinux.org/archlinux-java-run.git
+	url = https://aur.archlinux.org/nodejs-intelephense.git
-[submodule "pkgbuilds/portfolio"]
+[submodule "pkgbuilds/portfolio-performance-bin"]
-	path = pkgbuilds/portfolio
+	path = pkgbuilds/portfolio-performance-bin
-	url = https://aur.archlinux.org/portfolio.git
+	url = https://aur.archlinux.org/portfolio-performance-bin.git
+[submodule "pkgbuilds/vim-plug"]
+	path = pkgbuilds/vim-plug
+	url = https://aur.archlinux.org/vim-plug.git

_machines/neptune.yml

@@ -59,12 +59,12 @@ users:
     - personal_projects
 
 screen:
-  1: DP-3
+  1: DP-4-1-6
-  2: DP-3
+  2: DP-4-1-6
-  3: DP-4
+  3: DP-4-1-6
-  4: DP-4
+  4: DP-4-1-6
-  5: DP-4
+  5: DP-4-1-6
-  6: DP-4
+  6: DP-4-1-6
   7: eDP-1
   8: eDP-1
   9: eDP-1
@@ -72,9 +72,9 @@ screen:
 
 workspace:
   1: ""
-  2: ""
+  2: ""
-  3: " local"
+  3: ""
-  4: " remote"
+  4: ""
   7: ""
   8: ""
   9: ""

autostart/autostart.target.j2

@@ -2,7 +2,6 @@
 BindsTo=windowmanager.target
 After=windowmanager.target
 
-Wants=blueman.service
 Wants=dpms.service
 Wants=dunst.service
 {% for profile, config in (user.firefox_profiles|default({})).items() %}

autostart/services/blueman.service

@@ -1,8 +0,0 @@
-[Unit]
-BindsTo=autostart.target
-After=windowmanager.target
-
-[Service]
-ExecStart=/usr/bin/env blueman-applet
-PassEnvironment=DISPLAY
-Restart=always

autostart/services/gpg-agent.service

@@ -5,7 +5,7 @@ ConditionPathExists=%t/features/gpg_agent
 
 [Service]
 Type=forking
-ExecStart=/usr/bin/env gpg-agent --no-detach --daemon
+ExecStart=/usr/bin/env gpg-agent --daemon
 PassEnvironment=DISPLAY GNUPGHOME
 
 Restart=always

autostart/services/laptop-lid.service

@@ -5,6 +5,6 @@ ConditionPathExists=%t/features/machine_is_laptop
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/env bash -c 'grep "^${ACPI_LID_NAME}.*enabled" /proc/acpi/wakeup && echo " ${ACPI_LID_NAME}" | sudo tee /proc/acpi/wakeup'
+ExecStart=/usr/bin/env bash -c 'grep "^${ACPI_LID_NAME}.*enabled" /proc/acpi/wakeup && echo " ${ACPI_LID_NAME}" | sudo tee /proc/acpi/wakeup || true'
 RemainAfterExit=true
 PassEnvironment=DISPLAY

autostart/services/yubikey-touch-detector.service

@@ -3,6 +3,7 @@ BindsTo=autostart.target
 PartOf=gpg-agent.service
 After=windowmanager.target
 After=gpg-agent.service
+ConditionPathExists=%t/features/gpg_agent
 
 [Service]
 ExecStart=/usr/bin/env yubikey-touch-detector -libnotify

bin/qr

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+qrencode "$*" -o - | imv -

check-aur-updates.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+git submodule update --remote pkgbuilds/*

git/gitconfig.j2

@@ -71,6 +71,9 @@
     fileMode = true
     whitespace = "blank-at-eol,space-before-tab,blank-at-eof"
     abbrev = 8
+    pager = delta
+[interactive]
+    diffFilter = delta --color-only
 [color]
     ui = true
 [column]
@@ -78,7 +81,7 @@
 [push]
     default = simple
 [merge]
-    tool = vimdiff
+    conflictstyle = diff3
 [gc]
     auto = 0
 [advice]
@@ -105,7 +108,6 @@
     autoStash = true
 [diff]
     submodule = log
-    mnemonicPrefix = true
     renameLimit = 1199
 [branch]
     autoSetupMerge = true
@@ -124,3 +126,9 @@
 	directory = /var/lib/dotfiles
 [includeIf "gitdir:/var/lib/dotfiles"]
     path = /var/lib/dotfiles/gitcfg
+[delta]
+    navigate = true    # use n and N to move between diff sections
+
+    # delta detects terminal colors automatically; set one of these to disable auto-detection
+    # dark = true
+    # light = true

i3/config.j2

@@ -329,6 +329,7 @@ bindsym XF86MonBrightnessDown exec --no-startup-id xbacklight -dec 8 ; exec --no
 
 bindsym $mod+m exec     --no-startup-id pactl set-source-mute '@DEFAULT_SOURCE@' toggle
 bindsym $mod+space exec --no-startup-id pactl set-source-mute '@DEFAULT_SOURCE@' toggle
+bindsym KP_Enter   exec --no-startup-id pactl set-source-mute '@DEFAULT_SOURCE@' toggle
 
 ##############################################################################
 ### BARS #######################################################################
@@ -338,7 +339,6 @@ bar {
     mode dock
     position bottom
 
-    tray_output primary
     tray_padding 2
 
     strip_workspace_numbers no

i3/i3status-rust/config.toml.j2

@@ -68,6 +68,7 @@ interval = 1
 block = "battery"
 interval = 10
 format = " $icon $percentage $time "
+charging_format = " $icon $percentage "
 missing_format = ""
 
 [[block]]
@@ -101,7 +102,7 @@ command = "ping -n -q -w 2 -c 1 8.8.8.8 >/dev/null 2>/dev/null && printf '{\"tex
 [[block]]
 block = "custom"
 command = "curl -s 'https://wttr.in/Stockholm?m&T&format=%c%t' | sed 's/  / /g'"
-interval = 1800
+interval = 3600
 
 [[block]]
 block = "time"

install.sh

@@ -9,27 +9,6 @@ set -o errexit
 set -o nounset
 
 DOTDIR="/var/lib/dotfiles"
-_SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-
-[[ -e './.git' ]] && git submodule update --init
-
-if [[ "$(readlink "${_SCRIPT_DIR}")" != "${DOTDIR}" ]] && [[ "${_SCRIPT_DIR}" != "${DOTDIR}" ]] ; then
-    if [[ -e "${DOTDIR}" ]] ; then
-        2>&1 printf "${DOTDIR} already exists. This seems unsafe.\n"
-        exit 1
-    fi
-    printf "Moving directory to $DOTDIR ...\n"
-    sudo=""
-    if (( $(id -u ) != 0 )) ; then
-        sudo=sudo
-    fi
-    $sudo mv --no-target-directory "${_SCRIPT_DIR}" "${DOTDIR}"
-    printf "Done\n"
-else
-    printf "Already working in ${DOTDIR}, nothing to do\n"
-fi
-
-cd "${DOTDIR}"
 
 os_release_file=/etc/os-release
 if [[ ! -e "${os_release_file}" ]] ; then
@@ -37,7 +16,7 @@ if [[ ! -e "${os_release_file}" ]] ; then
     exit 1
 fi
 
-source /etc/os-release
+source "${os_release_file}"
 
 sudowrap() {
     if (( $(id -u) != 0 )) ; then
@@ -48,31 +27,22 @@ sudowrap() {
 }
 
 cache_updated=0
-_install() {
+install() {
-    _package="$1" ; shift
+    local package="$1" ; shift
+
     if [[ $NAME == "Arch Linux" ]] ; then
-        sudowrap pacman -S --noconfirm "${_package}"
+        if (( ! cache_updated )) ; then
+            sudowrap pacman -Sy
+            cache_updated=1
+        fi
+        sudowrap pacman -S --needed --noconfirm "${package}"
     else
         2>&1 printf "Unsupported distro $NAME, exiting"
         exit 1
     fi
 }
 
+command -v make    >/dev/null || install "make"
+command -v ansible >/dev/null || install "ansible"
 
-if ! command -v python3 >/dev/null ; then
+cd "${DOTDIR}" && make
-    printf 'Python3 not installed, installing ...\n'
-    _install "python3"
-    printf 'Done\n'
-fi
-
-if ! command -v make >/dev/null ; then
-    printf 'Make not installed, installing ...\n'
-    _install "make"
-    printf 'Done\n'
-fi
-
-if [[ $NAME == "Arch Linux" ]] ; then
-    _install "ansible"
-fi
-
-cd "$DOTDIR" && make

install_scripts/ares.sh

@@ -1,14 +1,10 @@
 #!/usr/bin/env bash
 
-# Parameters:
-#
-# $1: Device
-
 set -o xtrace
 set -o nounset
 set -o errexit
 
-DEVICE="${1:?}"
+DEVICE="/dev/sda"
 
 if [[ ! -b "${DEVICE}" ]] ; then
     printf '%s does not look like a device' "${DEVICE}"
@@ -106,6 +102,28 @@ grub-mkconfig -o /boot/grub/grub.cfg
 systemctl enable NetworkManager
 
 passwd
+
+# enable root autologin on first boot
+
+mkdir /etc/systemd/system/getty@tty1.service.d/
+cat << EOF > /etc/systemd/system/getty@tty1.service.d/autologin.conf
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty -o '-p -f -- \\u' --noclear --autologin root %I $TERM
+EOF
+# ExecStartPost=/bin/rm /etc/systemd/system/getty@tty1.service.d/autologin.conf
+# ExecStartPost=/bin/rmdir /etc/systemd/system/getty@tty1.service.d/
+
+# Run
+cat << 'EOF' > /root/.bash_profile
+    if [[ "\$(tty)" == "/dev/tty1" ]] ; then
+        rm -rf /etc/systemd/system/getty@tty1.service.d/
+        if /var/lib/dotfiles/install.sh ; then
+            rm -f /root/.bash_profile
+            reboot
+        fi
+    fi
+EOF
 CHROOTSCRIPT
 
 chmod +x /mnt/chroot-script.sh

install_scripts/bootstrap.sh

@@ -3,22 +3,17 @@
 set -o nounset
 set -o errexit
 
+host="${1}"   ; shift
+
 pacman -Sy --noconfirm git # yes its a partial upgrade, but thats just the live cd
 
 cd /root
 git clone --recursive https://code.hkoerber.de/hannes/dotfiles.git
 
-./dotfiles/install_scripts/ares.sh /dev/sda
+./dotfiles/install_scripts/${host}.sh
 
-mv /root/dotfiles /mnt/root/dotfiles
+mv /root/dotfiles /mnt/var/lib/dotfiles
-cat << EOF > /mnt/root/.bash_profile
-if /root/dotfiles/install.sh ; then
-    rm -f /root/.bash_profile
-    reboot
-fi
-EOF
-
-umount -R /mnt
 
 read -p "> Ready for reboot. Press enter for shutdown, then remove the installation media and boot again "
+
 poweroff

install_scripts/neptune.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+
+set -o xtrace
+set -o nounset
+set -o errexit
+
+DEVICE="/dev/nvme0n1"
+
+if [[ ! -b "${DEVICE}" ]] ; then
+    printf '%s does not look like a device' "${DEVICE}"
+    exit 1
+fi
+
+if [[ ! -d /sys/firmware/efi/efivars ]] ; then
+    printf 'efivars does not exist, looks like the system is not booted in EFI mode'
+    exit 1
+fi
+
+loadkeys de-latin1
+
+timedatectl set-ntp true
+
+sed -e 's/\s*\([^#]*\).*/\1/' << EOF | sfdisk ${DEVICE}
+    label: gpt
+    device: ${DEVICE}
+
+    ${DEVICE}p1 : name=uefi      , size=512M , type=uefi
+    ${DEVICE}p2 : name=boot      , size=512M , type=linux
+    ${DEVICE}p3 : name=cryptpart ,             type=linux
+EOF
+
+# might take a bit for the new partion table to be updated in-kernel
+sleep 1
+
+cryptsetup --batch-mode luksFormat --iter-time 1000 ${DEVICE}p3
+cryptsetup --batch-mode open ${DEVICE}p3 cryptpart
+
+pvcreate /dev/mapper/cryptpart
+vgcreate vgbase /dev/mapper/cryptpart
+
+lvcreate -L 32G vgbase -n swap
+lvcreate -l 100%FREE vgbase -n root
+
+yes | mkfs.fat -F32 ${DEVICE}p1
+yes | mkfs.ext4 ${DEVICE}p2
+yes | mkfs.ext4 /dev/vgbase/swap
+yes | mkfs.ext4 /dev/vgbase/root
+
+mount /dev/vgbase/root /mnt
+
+mkdir /mnt/efi
+mount ${DEVICE}p1 /mnt/efi
+
+mkdir /mnt/boot
+mount ${DEVICE}p2 /mnt/boot
+
+mkswap /dev/vgbase/swap
+swapon /dev/vgbase/swap
+
+pacstrap /mnt base linux-zen linux-firmware networkmanager intel-ucode lvm2 grub efibootmgr
+
+genfstab -U /mnt >> /mnt/etc/fstab
+
+cat << CHROOTSCRIPT > /mnt/chroot-script.sh
+
+set -o xtrace
+set -o errexit
+set -o nounset
+
+ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
+hwclock --systohc
+
+sed -i 's/^#de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/' /etc/locale.gen
+sed -i 's/^#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
+
+locale-gen
+
+printf 'LANG=en_US.UTF-8\n' > /etc/locale.conf
+
+printf 'KEYMAP=de-latin1\nFONT=lat2-16\n' > /etc/vconsole.conf
+
+printf 'neptune\n' > /etc/hostname
+
+cat <<EOF > /etc/hosts
+127.0.0.1 localhost
+::1       localhost
+127.0.1.1 neptune
+EOF
+
+sed -i 's/^HOOKS=.*$/HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems resume fsck)/' /etc/mkinitcpio.conf
+
+mkinitcpio -P
+
+grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
+
+sed -i "s/^GRUB_CMDLINE_LINUX=.*$/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=\$(blkid -s UUID -o value ${DEVICE}p3):cryptpart root=UUID=\$(blkid -s UUID -o value /dev/vgbase/root)\"/" /etc/default/grub
+sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=.*$/GRUB_CMDLINE_LINUX_DEFAULT=\"resume=UUID=\$(blkid -s UUID -o value /dev/vgbase/swap)\"/" /etc/default/grub
+sed -i 's/^GRUB_DISABLE_RECOVERY=.*$/GRUB_DISABLE_RECOVERY=/' /etc/default/grub
+
+grub-mkconfig -o /boot/grub/grub.cfg
+
+systemctl enable NetworkManager
+
+passwd
+
+# enable root autologin on first boot
+
+mkdir /etc/systemd/system/getty@tty1.service.d/
+cat << EOF > /etc/systemd/system/getty@tty1.service.d/autologin.conf
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty -o '-p -f -- \\u' --noclear --autologin root %I $TERM
+EOF
+# ExecStartPost=/bin/rm /etc/systemd/system/getty@tty1.service.d/autologin.conf
+# ExecStartPost=/bin/rmdir /etc/systemd/system/getty@tty1.service.d/
+
+# Run
+cat << 'EOF' > /root/.bash_profile
+    if [[ "\$(tty)" == "/dev/tty1" ]] ; then
+        rm -rf /etc/systemd/system/getty@tty1.service.d/
+        if /var/lib/dotfiles/install.sh ; then
+            rm -f /root/.bash_profile
+            reboot
+        fi
+    fi
+EOF
+CHROOTSCRIPT
+
+chmod +x /mnt/chroot-script.sh
+arch-chroot /mnt /chroot-script.sh
+rm -f /mnt/chroot-script.sh

packages.yml

@@ -1,5 +1,9 @@
 packages:
   list:
+    kernel:
+      archlinux:
+        - linux-zen-headers
+        - linux-zen-docs
     build-essentials:
       archlinux:
         - gcc
@@ -7,6 +11,9 @@ packages:
         - cmake
         - maven
         - base-devel
+    posix:
+      archlinux:
+        - posix
     make:
       archlinux: ["make"]
     gdb:
@@ -15,6 +22,8 @@ packages:
       archlinux: ["strace"]
     sudo:
       archlinux: ["sudo"]
+    doas:
+      archlinux: ["opendoas"]
     apt:
       archlinux: [""]
     xorg:
@@ -53,7 +62,7 @@ packages:
       archlinux: ["noto-fonts-emoji"]
     git:
       # tk required for gitk
-      archlinux: ["git", "tk"]
+      archlinux: ["git", "tk", "git-delta"]
     htop:
       archlinux: ["htop"]
     feh:
@@ -97,7 +106,7 @@ packages:
     pandoc:
       archlinux: ["pandoc", "texlive-core", "texlive-fontsextra", "texlive-latexextra"]
     libvirt:
-      archlinux: ["virt-manager", "libvirt", "dnsmasq", "ebtables", "dmidecode", "virt-install", "virt-viewer"]
+      archlinux: ["virt-manager", "libvirt", "dnsmasq", "ebtables", "dmidecode", "virt-install", "virt-viewer", "libguestfs", "edk2-ovmf"]
     firefox:
       archlinux: ["firefox"]
     ranger:
@@ -131,8 +140,6 @@ packages:
       archlinux: ["wireshark-cli", "wireshark-qt"]
     nmap:
       archlinux: ["nmap"]
-    openvpn:
-      archlinux: ["openvpn"]
     curl:
       archlinux: ["curl"]
     wget:
@@ -180,8 +187,6 @@ packages:
       archlinux: ["cowsay"]
     ruby:
       archlinux: ["ruby"]
-    lxc:
-      archlinux: ["lxc"]
     acpi:
       archlinux: ["acpi", "acpid"]
     nodejs:
@@ -192,10 +197,6 @@ packages:
       archlinux: ["dunst"]
     cloc:
       archlinux: ["cloc"]
-    bluetooth:
-      archlinux: ["bluez", "bluez-tools", "blueman"]
-    autorandr:
-      archlinux: ["autorandr"]
     bwm-ng:
       archlinux: ["bwm-ng"]
     virtualbox:
@@ -212,8 +213,14 @@ packages:
       archlinux: ["rclone"]
     dnf:
       archlinux: ["dnf"]
-    rustup:
+    rust:
-      archlinux: ["rustup"]
+      archlinux:
+        - rustup
+        - cargo-edit
+        - cargo-msrv
+        - cargo-watch
+        - cargo-release
+        - cargo-sort
     musescore:
       archlinux: ["musescore"]
     sipcalc:
@@ -256,6 +263,8 @@ packages:
       archlinux: ["xf86-input-synaptics"]
     ncdu:
       archlinux: ["ncdu"]
+    dust:
+      archlinux: ["dust"]
     font-utils:
       archlinux: ["woff2"]
     jq:
@@ -306,6 +315,8 @@ packages:
       archlinux:
         - bash
         - bash-language-server
+        - shellcheck
+        - shfmt
     packer:
       archlinux: ["packer"]
     c:
@@ -328,6 +339,7 @@ packages:
     json:
       archlinux:
         - vscode-json-languageserver
+        - gron
     markdown:
       archlinux:
         - marksman
@@ -351,6 +363,63 @@ packages:
     telnet:
       archlinux:
         - inetutils
+    cloudformation-tools:
+      archlinux:
+        - python-cfn-lint
+    johntheripper:
+      archlinux:
+        - john
+    age:
+      archlinux:
+        - age
+    httpie:
+      archlinux:
+        - httpie
+    yt-dlp:
+      archlinux:
+        - yt-dlp
+    ytfzf:
+      archlinux:
+        - ytfzf
+        - ueberzug
+    ffmpeg:
+      archlinux:
+        - ffmpeg
+    zeal:
+      archlinux:
+        - zeal
+    kcharselect:
+      archlinux:
+        - kcharselect
+    bottom:
+      archlinux:
+        - bottom
+    # for iotop
+    sysstat:
+      archlinux:
+        - sysstat
+    qrencode:
+      archlinux:
+        - qrencode
+    iotop:
+      archlinux:
+        - iotop
+    w3m:
+      archlinux:
+        - w3m
+    ruff:
+      archlinux:
+        - ruff
+    mold:
+      archlinux:
+        - mold
+    arch-packaging:
+      archlinux:
+        - namcap
+        - devtools
+    dron:
+      archlinux:
+        - drone-cli
 
   remove:
     mousepad:
@@ -361,3 +430,11 @@ packages:
       archlinux: ["rust"]
     screen:
       archlinux: ["screen"]
+    lxc:
+      archlinux: ["lxc"]
+    autorandr:
+      archlinux: ["autorandr"]
+    openvpn:
+      archlinux: ["openvpn"]
+    bluetooth:
+      archlinux: ["bluez", "bluez-tools", "blueman"]

playbook.yml

@@ -36,7 +36,10 @@
             archlinux:
               - python-jmespath
 
-    - block:
+    - name: pacman
+      tags:
+        - pacman
+      block:
         - name: enable multilib repository
           blockinfile:
             path: /etc/pacman.conf
@@ -103,11 +106,11 @@
               state: started
               daemon_reload: true
             become: true
-        tags: [pacman_cache_cleanup]
 
-      when: distro == 'archlinux'
+    - name: dotfiles directory
-
+      tags:
-    - block:
+        - dotfiles-directory
+      block:
         - name: create dotfiles group
           group:
             name: dotfiles
@@ -138,256 +141,20 @@
 
         - name: fix permissions for dotfiles directory
           shell: |
-          cd /var/lib/dotfiles
-          if [[ -e .git ]] ; then
-              # There is no sane way to specify the global .gitconfig to use, so we
-              # actually have to override HOME so git looks into ~/.gitconfig
-              export HOME="$(mktemp -d)"
-              set -o pipefail
-              set -o errexit
-              git config --global --add safe.directory /var/lib/dotfiles
-              git ls-tree -z --name-only HEAD | xargs --null chown --changes --recursive dotfiles:dotfiles
-              git ls-tree -z --name-only HEAD | xargs --null chmod --changes --recursive g+wX
-          else
             chown --changes --recursive dotfiles:dotfiles .
-              chmod --changes --recursive g+wX .
+            chmod --changes --recursive g+rwX .
-          fi
           args:
             executable: /bin/bash
+            chdir: /var/lib/dotfiles
           register: dotfiles_permission_change
           become: true
           become_user: root
           changed_when: dotfiles_permission_change.stdout_lines|length > 0
-      tags: [dotfiles-directory]
 
-    - block:
+    - name: packages
-      - name: create build user on arch
+      tags:
-        user:
+        - packages
-          name: makepkg
+      block:
-          home: /var/lib/makepkg
-          create_home: true
-          shell: /bin/bash
-          system: true
-        become: true
-
-      - set_fact:
-          aur_packages:
-            - name: portfolio
-              dependencies:
-                - name: archlinux-java-run
-
-            - name: spotify
-              preexec: |
-                #!/usr/bin/env bash
-                curl -sS https://download.spotify.com/debian/pubkey_6224F9941A8AA6D1.gpg | gpg --import -
-
-      - set_fact:
-          aur_packages: "{{ aur_packages + aur_packages|map(attribute='dependencies', default=[]) | flatten }}"
-
-      - name: install dependencies
-        shell: |
-          aur_packages=({{ aur_packages | map(attribute='name') | join(' ') }})
-
-          source pkgbuilds/{{ item.name }}/PKGBUILD
-
-          installed=0
-
-          dependencies=(${depends[@]} ${makedepends[@]})
-          for dep in "${dependencies[@]}" ; do
-            aur=0
-            for aur_pkg in "${aur_packages[@]}" ; do
-              if [[ "${aur_pkg}" == "${dep}" ]] ; then
-                aur=1
-                break
-              fi
-            done
-
-            if (( aur )) ; then
-              continue
-            fi
-
-            if ! pacman -Qq "${dep}" >/dev/null 2>&1 ; then
-              installed=1
-              sudo pacman -S --noconfirm --needed "${dep}"
-            fi
-          done
-
-          if (( installed )) ; then
-            exit 1
-          else
-            exit 0
-          fi
-        args:
-          executable: /bin/bash
-        register: install_deps
-        failed_when: install_deps.rc > 1
-        changed_when: install_deps.rc == 1
-        become: true
-        loop: "{{ aur_packages }}"
-        loop_control:
-          label: "{{ item.name }}"
-
-      - name: check preexec script
-        stat:
-          path: /var/lib/makepkg/{{ item.name }}/preexec
-        become_user: makepkg
-        become: true
-        when: item.preexec is defined
-        loop: "{{ aur_packages }}"
-        register: preexec_before
-        loop_control:
-          label: "{{ item.name }}"
-
-      - name: create build root directory
-        file:
-          path: "/var/lib/makepkg/{{ item.name }}/"
-          state: directory
-          mode: '0700'
-          owner: makepkg
-          group: makepkg
-        become_user: makepkg
-        become: true
-        loop: "{{ aur_packages }}"
-        loop_control:
-          label: "{{ item.name }}"
-
-      - name: install preexec script
-        copy:
-          dest: /var/lib/makepkg/{{ item.name }}/preexec
-          owner: makepkg
-          group: makepkg
-          mode: "0700"
-          content: "{{ item.preexec }}"
-        become_user: makepkg
-        become: true
-        when: item.preexec is defined
-        loop: "{{ aur_packages }}"
-        loop_control:
-          label: "{{ item.name }}"
-
-      - name: check preexec script
-        stat:
-          path: /var/lib/makepkg/{{ item.name }}/preexec
-        become_user: makepkg
-        become: true
-        when: item.preexec is defined
-        loop: "{{ aur_packages }}"
-        register: preexec_after
-        loop_control:
-          label: "{{ item.name }}"
-
-      - name: run preexec script
-        command: "{{ item.1.stat.path }}"
-        become_user: makepkg
-        become: true
-        when:
-          - not item[0].stat.exists
-          - item[0].stat.checksum|default('') != item[1].stat.checksum
-        loop: "{{ preexec_before.results| reject('skipped')|zip(preexec_after.results| reject('skipped')) }}"
-        loop_control:
-          label: "{{ item.1.stat.path }}"
-
-      - name: build AUR packages
-        shell:
-          cmd: |
-            export PKGEXT='.pkg.tar.zst'
-            export BUILDDIR=/var/lib/makepkg/{{ item.name }}/build/
-            export SRCDEST=/var/lib/makepkg/{{ item.name }}/src/
-            export PKGDEST=/var/lib/makepkg/{{ item.name }}/
-
-            source ./PKGBUILD
-
-            for arch in "${arch[@]}" ; do
-              if [[ "${arch}" == "any" ]] ; then
-                arch="any"
-                break
-              fi
-              if [[ "${arch}" == "x86_64" ]] ; then
-                arch="x86_64"
-              fi
-            done
-
-            if [[ ! "${arch}" ]] ; then
-              printf 'unsupported arch' >&2
-              exit 1
-            fi
-
-            if [[ "${epoch}" ]] ; then
-              version="${epoch}:${pkgver}-${pkgrel}"
-            else
-              version="${pkgver}-${pkgrel}"
-            fi
-
-            filename="${PKGDEST%/}/${pkgname}-${version}-${arch}${PKGEXT}"
-
-            needs_build=0
-            if [[ ! -e "${filename}" ]] ; then
-              needs_build=1
-              makepkg \
-                --clean \
-                --nodeps \
-                --nosign || exit 2
-            fi
-
-            printf '%s\n' "${filename}"
-
-            if (( needs_build )) ; then
-              exit 1
-            else
-              exit 0
-            fi
-        args:
-          executable: /bin/bash
-          chdir: "pkgbuilds/{{ item.name }}"
-        register: aur_build
-        failed_when: aur_build.rc > 1
-        changed_when: aur_build.rc == 1
-        become_user: makepkg
-        become: true
-        loop: "{{ aur_packages }}"
-        loop_control:
-          label: "{{ item.name }}"
-
-      - name: clean up build leftovers
-        file:
-          path: /var/lib/makepkg/{{ item[0].name }}/{{ item[1] }}/
-          state: absent
-        become_user: makepkg
-        become: true
-        with_nested:
-          - "{{ aur_packages }}"
-          -
-            - build
-            - src
-        loop_control:
-          label: "{{ item[0].name }}/{{ item[1] }}"
-
-      - name: install AUR packages
-        shell:
-          cmd: |
-            set -x
-            filename="{{ item }}"
-
-            name=$(pacman -Qi --file "${filename}"  | grep '^Name' | awk '{print $3}')
-            version=$(pacman -Qi --file "${filename}"  | grep '^Version' | awk '{print $3}')
-
-            if [[ "$(pacman -Q "${name}")" == "${name} ${version}" ]] ; then
-              exit 0
-            else
-              pacman --upgrade --needed --noconfirm "$filename"
-              exit 1
-            fi
-        args:
-          executable: /bin/bash
-        become: true
-        register: aur_install
-        changed_when: aur_install.rc == 1
-        failed_when: aur_install.rc > 1
-        loop: "{{ aur_build.results|map(attribute='stdout') }}"
-      tags: ["aur"]
-      when: distro == 'archlinux'
-
-    - block:
         - name: load package list
           include_vars:
             file: packages.yml
@@ -396,7 +163,6 @@
           shell: pacman -Q iptables && yes | pacman -S iptables-nft
           changed_when: false
           become: true
-        when: distro == 'archlinux'
 
         - set_fact:
             defined_packages: "{{ packages|json_query('keys(list)') }}"
@@ -441,9 +207,281 @@
           when: machine.packages is defined
           become: true
 
-      tags: [packages]
+    - name: aur
+      tags:
+        - aur
+      block:
+        - name: create build user on arch
+          user:
+            name: makepkg
+            home: /var/lib/makepkg
+            create_home: true
+            shell: /bin/bash
+            system: true
+          become: true
+
+        - set_fact:
+            aur_packages:
+              - name: portfolio-performance-bin
+                preexec: |
+                  #!/usr/bin/env bash
+                  source ./env
+                  curl -sSf --proto '=https' https://keys.openpgp.org/vks/v1/by-fingerprint/E46E6F8FF02E4C83569084589239277F560C95AC | gpg --import -
+
+              - name: nodejs-intelephense
+
+              - name: spotify
+                preexec: |
+                  #!/usr/bin/env bash
+                  source ./env
+                  curl -sSf --proto '=https' https://download.spotify.com/debian/pubkey_6224F9941A8AA6D1.gpg | gpg --import -
+
+              - name: vim-plug
+
+        - set_fact:
+            aur_packages: "{{ aur_packages|map(attribute='dependencies', default=[]) | flatten + aur_packages }}"
+
+        - name: install dependencies
+          shell: |
+            aur_packages=({{ aur_packages | map(attribute='name') | join(' ') }})
+
+            source pkgbuilds/{{ item.name }}/PKGBUILD
+
+            installed=0
+
+            dependencies=(${depends[@]} ${makedepends[@]})
+            for dep in "${dependencies[@]}" ; do
+              aur=0
+              for aur_pkg in "${aur_packages[@]}" ; do
+                if [[ "${aur_pkg}" == "${dep}" ]] ; then
+                  aur=1
+                  break
+                fi
+              done
+
+              if (( aur )) ; then
+                continue
+              fi
+
+              if ! pacman -Qq "${dep}" >/dev/null 2>&1 ; then
+                installed=1
+                pacman -S --noconfirm --needed "${dep}"
+              fi
+            done
+
+            if (( installed )) ; then
+              exit 123
+            else
+              exit 0
+            fi
+          args:
+            executable: /bin/bash
+          register: install_deps
+          failed_when: install_deps.rc not in (0, 123)
+          changed_when: install_deps.rc == 123
+          become: true
+          loop: "{{ aur_packages }}"
+          loop_control:
+            label: "{{ item.name }}"
+
+        - name: create build root directory
+          file:
+            path: "/var/lib/makepkg/{{ item.name }}/"
+            state: directory
+            mode: '0700'
+            owner: makepkg
+            group: makepkg
+          become_user: makepkg
+          become: true
+          loop: "{{ aur_packages }}"
+          loop_control:
+            label: "{{ item.name }}"
+
+        - name: create build gpg directory
+          file:
+            path: "/var/lib/makepkg/{{ item.name }}/gnupg"
+            state: directory
+            mode: '0700'
+            owner: makepkg
+            group: makepkg
+          become_user: makepkg
+          become: true
+          loop: "{{ aur_packages }}"
+          loop_control:
+            label: "{{ item.name }}"
+
+        - name: create env file
+          copy:
+            dest: /var/lib/makepkg/{{ item.name }}/env
+            owner: makepkg
+            group: makepkg
+            mode: "0600"
+            content: |
+              export GNUPGHOME="/var/lib/makepkg/{{ item.name }}/gnupg"
+          become_user: makepkg
+          become: true
+          loop: "{{ aur_packages }}"
+          loop_control:
+            label: "{{ item.name }}"
+
+        - name: check preexec script
+          stat:
+            path: /var/lib/makepkg/{{ item.name }}/preexec
+          become_user: makepkg
+          become: true
+          when: item.preexec is defined
+          loop: "{{ aur_packages }}"
+          register: preexec_before
+          loop_control:
+            label: "{{ item.name }}"
+
+        - name: install preexec script
+          copy:
+            dest: /var/lib/makepkg/{{ item.name }}/preexec
+            owner: makepkg
+            group: makepkg
+            mode: "0700"
+            content: "{{ item.preexec }}"
+          become_user: makepkg
+          become: true
+          when: item.preexec is defined
+          loop: "{{ aur_packages }}"
+          loop_control:
+            label: "{{ item.name }}"
+
+        - name: check preexec script
+          stat:
+            path: /var/lib/makepkg/{{ item.name }}/preexec
+          become_user: makepkg
+          become: true
+          when: item.preexec is defined
+          loop: "{{ aur_packages }}"
+          register: preexec_after
+          loop_control:
+            label: "{{ item.name }}"
+
+        - name: run preexec script
+          command:
+            cmd: "{{ item.1.stat.path }}"
+            chdir: "{{ item.1.stat.path | dirname }}"
+          become_user: makepkg
+          become: true
+          when:
+            - not item[0].stat.exists
+            - item[0].stat.checksum|default('') != item[1].stat.checksum
+          loop: "{{ preexec_before.results| reject('skipped')|zip(preexec_after.results| reject('skipped')) }}"
+          loop_control:
+            label: "{{ item.1.stat.path }}"
+
+        - name: create build script
+          copy:
+            owner: makepkg
+            group: makepkg
+            mode: "0700"
+            dest: /var/lib/makepkg/{{ item.name }}/build.sh
+            content: |
+              #!/usr/bin/env bash
+
+              source /var/lib/makepkg/{{ item.name }}/env
+
+              export PKGEXT='.pkg.tar'
+              export BUILDDIR=/var/lib/makepkg/{{ item.name }}/build/
+              export SRCDEST=/var/lib/makepkg/{{ item.name }}/src/
+              export PKGDEST=/var/lib/makepkg/{{ item.name }}/
+
+              cd /var/lib/dotfiles/pkgbuilds/{{ item.name }}/
+
+              source ./PKGBUILD
+
+              for arch in "${arch[@]}" ; do
+                if [[ "${arch}" == "any" ]] ; then
+                  arch="any"
+                  break
+                fi
+                if [[ "${arch}" == "x86_64" ]] ; then
+                  arch="x86_64"
+                fi
+              done
+
+              if [[ ! "${arch}" ]] ; then
+                printf 'unsupported arch' >&2
+                exit 1
+              fi
+
+              if [[ "${epoch}" ]] ; then
+                version="${epoch}:${pkgver}-${pkgrel}"
+              else
+                version="${pkgver}-${pkgrel}"
+              fi
+
+              filename="${PKGDEST%/}/${pkgname}-${version}-${arch}${PKGEXT}"
+
+              needed_build=0
+              if [[ ! -e "${filename}" ]] ; then
+                needed_build=1
+                makepkg \
+                  --clean \
+                  --nosign || exit 1
+              fi
+
+              printf '%s' "${filename}" > /var/lib/makepkg/{{ item.name }}/pkgname
+          become: true
+          become_user: makepkg
+          loop: "{{ aur_packages }}"
+          loop_control:
+            label: "{{ item.name }}"
+
+        - name: create install script
+          copy:
+            owner: root
+            group: root
+            mode: "0700"
+            dest: /var/lib/makepkg/{{ item.name }}/install.sh
+            content: |
+              #!/usr/bin/env bash
+
+              sudo -u makepkg -g makepkg /var/lib/makepkg/{{ item.name }}/build.sh || exit 1
+
+              filename="$(</var/lib/makepkg/{{ item.name }}/pkgname)"
+
+              name=$(pacman -Qi --file "${filename}"  | grep '^Name' | awk '{print $3}')
+              version=$(pacman -Qi --file "${filename}"  | grep '^Version' | awk '{print $3}')
+
+              if [[ "$(pacman -Q "${name}")" == "${name} ${version}" ]] ; then
+                exit 0
+              else
+                pacman --upgrade --needed --noconfirm "$filename" || exit 1
+                exit 123
+              fi
+          become: true
+          loop: "{{ aur_packages }}"
+          loop_control:
+            label: "{{ item.name }}"
+
+        - name: build and install aur package
+          command: /var/lib/makepkg/{{ item.name }}/install.sh
+          register: aur_install
+          changed_when: aur_install.rc == 123
+          failed_when: aur_install.rc not in (0, 123)
+          become: true
+          loop: "{{ aur_packages }}"
+          loop_control:
+            label: "{{ item.name }}"
+
+        - name: clean up build leftovers
+          file:
+            path: /var/lib/makepkg/{{ item[0].name }}/{{ item[1] }}/
+            state: absent
+          become_user: makepkg
+          become: true
+          with_nested:
+            - "{{ aur_packages }}"
+            -
+              - build
+              - src
+          loop_control:
+            label: "{{ item[0].name }}/{{ item[1] }}"
 
-    - block:
     - name: configure timesyncd on arch
       copy:
         owner: root
@@ -462,7 +500,7 @@
         state: present
       become: true
 
-      - name: use lz4 for mkinitcpio compression
+    - name: use vz4 for mkinitcpio compression
       lineinfile:
         path: /etc/mkinitcpio.conf
         regexp: '^#?COMPRESSION=.*$'
@@ -470,12 +508,14 @@
       become: true
       notify:
         - rebuild initrd
-      when: distro == 'archlinux'
 
+    - name: services
+      tags:
+        - services
+      block:
         - set_fact:
             disable_services:
-          - sshd
+              - sshd.service
-      when: distro == 'archlinux'
 
         - name: disable services
           service:
@@ -555,6 +595,16 @@
           %sudonopw ALL=(ALL) NOPASSWD: ALL
       become: true
 
+    - name: configure passwordless doas
+      copy:
+        owner: root
+        group: root
+        mode: "0400"
+        dest: /etc/doas.conf
+        content: |
+          permit nopass nolog setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin} :sudonopw
+      become: true
+
     - block:
       - name: install AMDGPU packages
         package:
@@ -587,7 +637,6 @@
         become: true
 
       when:
-        - distro == 'archlinux'
         - machine.gpu is defined and machine.gpu == 'amd'
 
     - set_fact:
@@ -595,11 +644,30 @@
       tags:
         - always
 
+    # See https://bbs.archlinux.org/viewtopic.php?id=259764
+    - block:
+      - name: configure pacman to skip installing nextcloud dbus file
+        blockinfile:
+          path: /etc/pacman.conf
+          insertafter: '^#NoExtract'
+          block: |
+            NoExtract = usr/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service
+          marker: "# {mark} ANSIBLE MANAGED noextract nextcloud"
+        become: true
+
+      - name: remove nextcloud dbus file
+        file:
+          path: /usr/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service
+          state: absent
+        become: true
+
     - include_tasks: user.yml
       args:
         apply:
           become: true
           become_user: "{{ user.name }}"
+          tags:
+            - user
       with_items: "{{ users }}"
       no_log: True # less spam
       loop_control:

test.sh

@@ -0,0 +1,266 @@
+#!/usr/bin/env bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+tmpdir="$(mktemp -d --tmpdir=/var/tmp)"
+
+trap cleanup EXIT
+
+ISO_MIRROR="https://ftp.fau.de/archlinux/iso/latest/"
+ISO_MIRROR="https://ftp.acc.umu.se/mirror/archlinux/iso/latest/"
+
+iso_dir="${XDG_DATA_HOME}/arch-iso/"
+iso_path="${iso_dir}/archlinux-x86_64.iso"
+
+cleanup() {
+    rm -rf "${tmpdir}"
+    pids=()
+    jobs -p | while IFS="" read -r line; do pids+=("$line"); done
+    kill "${pids[@]}"
+}
+
+download_iso() {
+    mkdir -p "${iso_dir}"
+    (
+        cd "${iso_dir}"
+        wget \
+            --timestamping \
+            --no-hsts \
+            "${ISO_MIRROR}sha256sums.txt"
+
+        if [[ ! -e "${iso_path}" ]] || ! sha256sum --ignore-missing --check ./sha256sums.txt; then
+            wget \
+                --no-hsts \
+                --output-document "${iso_path}" \
+                "${ISO_MIRROR}archlinux-x86_64.iso"
+        fi
+    )
+}
+
+disk="${tmpdir}/disk.qcow2"
+
+mon_sock="${tmpdir}/mon.sock"
+
+sshopts=(
+    -o StrictHostKeyChecking=no
+    -o UserKnownHostsFile=/dev/null
+    -o PreferredAuthentications=publickey
+    -o ConnectTimeout=1s
+    -i "${tmpdir}/ssh.key"
+    -l root
+    -p 60022
+    127.0.0.1
+)
+
+wait_for_ssh() {
+    echo "waiting for ssh"
+    set +o errexit
+    maxtries=60
+    tries=0
+    while ! ssh -q "${sshopts[@]}" true; do
+        ((tries++))
+        if ((tries > maxtries)); then
+            echo "ssh did not become available"
+            exit 3
+        fi
+        sleep 1
+    done
+    echo "ssh available"
+    set -o errexit
+}
+
+qemuopts=(
+    "-m" "size=8G"
+    "-drive" "file=${disk},format=qcow2,if=none,id=root"
+
+    "-accel" "kvm"
+
+    "-drive" "if=pflash,format=raw,readonly=true,file=/usr/share/ovmf/x64/OVMF_CODE.fd"
+    "-drive" "if=pflash,format=raw,file=${tmpdir}/efivars.fd"
+    "-machine" "q35,smm=on,acpi=on"
+    "-smp" "cpus=8,sockets=1,cores=8,threads=1"
+    "-cpu" "host"
+
+    "-netdev" "user,id=net0,hostfwd=tcp::60022-:22"
+    "-device" "virtio-net-pci,netdev=net0"
+
+    "-nodefaults"
+
+    "-vga" "virtio"
+    "-display" "spice-app"
+)
+
+send_mon() {
+    local socket="${1}"
+    patterns=(
+        -e 's/ /spc/'
+        -e 's/\./dot/'
+        -e 's/,/comma/' -e 's/-/slash/'
+        -e 's/\//shift-7/'
+        -e 's/\([A-Z]\)/shift-\L\1/'
+        -e 's/=/shift-0/'
+        -e 's/"/shift-2/'
+        -e "s/'/shift-0x2b/"
+        # ^ is a dead key, we would have to send a space to be precise. but it's
+        # going to work out as long as the following char does not combine
+        -e 's/\^/0x29/'
+        -e 's/#/0x2b/'
+        -e 's/\?/shift-0x0c/'
+        -e 's/\\/alt_r-0x0c/' # altgr is alt_r
+        -e 's/\*/shift-0x1b/'
+        -e 's/(/shift-0x09/'
+        -e 's/)/shift-0x0a/'
+        -e 's/^/sendkey /'
+    )
+
+    cat \
+        <(fold -w 1 |
+            sed "${patterns[@]}") \
+        <(echo "sendkey ret") |
+        nc -N -U "${socket}"
+
+    echo "sendkey ret" | nc -N -U "${socket}"
+}
+
+install_from_iso() {
+    local hostname="${1}"
+    shift
+    local hostqemuopts=("$@")
+    rm -rf "${tmpdir:?}"/*
+
+    ssh-keygen -f "${tmpdir}"/ssh.key -N '' -t ed25519 -C 'archiso-tmp'
+
+    cloud-localds "${tmpdir}/userdata.img" <(
+        cat <<EOF
+    #cloud-config
+    users:
+      - name: root
+        ssh_authorized_keys:
+          - $(cat "${tmpdir}"/ssh.key.pub)
+
+EOF
+    )
+
+    cp /usr/share/ovmf/x64/OVMF_VARS.fd "${tmpdir}/efivars.fd"
+    mkisofs \
+        -uid 0 \
+        -gid 0 \
+        -J \
+        -R \
+        -T \
+        -V REPO \
+        -o "${tmpdir}/repo.iso" \
+        .
+
+    qemu-img create \
+        -f qcow2 \
+        "${disk}" \
+        1000G
+
+    opts=(
+        "-cdrom" "${iso_path}"
+        "-boot" "order=d"
+
+        "-drive" "file=${tmpdir}/repo.iso,format=raw,if=virtio,media=cdrom"
+        "-drive" "file=${tmpdir}/userdata.img,format=raw,if=virtio,media=cdrom"
+
+        "-fsdev" "local,id=pacman-cache,path=share,path=/var/cache/pacman/pkg/,readonly=on,security_model=none"
+        "-device" "virtio-9p-pci,fsdev=pacman-cache,mount_tag=pacman-cache"
+    )
+
+    qemu-system-x86_64 -name "${hostname}" "${qemuopts[@]}" "${hostqemuopts[@]}" "${opts[@]}" &
+    wait_for_ssh
+
+    # shellcheck disable=SC2087
+    ssh -tt "${sshopts[@]}" <<EOF || true
+      mkdir /var/cache/pacman-cache-host
+      mount -t 9p -o trans=virtio,version=9p2000.L,ro pacman-cache /var/cache/pacman-cache-host
+
+      # Uncomment CacheDir and prepend the host pacman cache as cachedir
+      # At worst, the cache directory will be ignored if it does not exist
+      # Pacman will always use the first directory with write access for downloads
+      sed -i 's/^#\?\(CacheDir.*\)/\1\nCacheDir = \/var\/cache\/pacman-cache-host\//' /etc/pacman.conf
+
+      mkdir /repo/
+      mount /dev/disk/by-label/REPO /repo/
+
+      printf 'lukspw\nlukspw\nrootpw\nrootpw\n' | \
+        /repo/install_scripts/"${hostname}".sh
+
+      mount /dev/mapper/vgbase-root /mnt
+
+      cat << SPECIALS > /tmp/specials.sh
+        if [[ "\\\$(tty)" == "/dev/tty1" ]] ; then
+          mkdir /var/cache/pacman-cache-host
+          mount -t 9p -o trans=virtio,version=9p2000.L,ro pacman-cache /var/cache/pacman-cache-host
+
+          # Uncomment CacheDir and prepend the host pacman cache as cachedir
+          # At worst, the cache directory will be ignored if it does not exist
+          # Pacman will always use the first directory with write access for downloads
+          sed -i 's/^#\?\(CacheDir.*\)/\1\nCacheDir = \/var\/cache\/pacman-cache-host\//' /etc/pacman.conf
+        fi
+SPECIALS
+
+      mv /mnt/root/.bash_profile /tmp/rest.sh
+
+      cat /tmp/specials.sh /tmp/rest.sh > /mnt/root/.bash_profile
+
+      rsync -rl /repo/ /mnt/var/lib/dotfiles/
+
+      umount /mnt
+
+      poweroff
+EOF
+
+    wait
+}
+
+configure_new_system() {
+    local hostname="${1}"
+    shift
+    local hostqemuopts=("${@}")
+
+    opts=(
+        "-fsdev" "local,id=pacman-cache,path=share,path=/var/cache/pacman/pkg/,readonly=on,security_model=none"
+        "-device" "virtio-9p-pci,fsdev=pacman-cache,mount_tag=pacman-cache"
+
+        "-monitor" "unix:${mon_sock},server=on,wait=off"
+    )
+
+    qemu-system-x86_64 -name "${hostname}" "${qemuopts[@]}" "${hostqemuopts[@]}" "${opts[@]}" &
+
+    # 5s for grub timeout, 5s for kernel boot
+    echo waiting for luks password prompt ...
+    sleep 10s
+    echo 'lukspw' | send_mon "${mon_sock}"
+
+    echo waiting for boot ...
+    sleep 10s
+    wait
+}
+
+machines=(ares neptune)
+if (($# > 0)); then
+    machines=("${@}")
+fi
+
+download_iso
+
+for hostname in "${machines[@]}"; do
+    case "${hostname}" in
+    ares)
+        hostqemuopts=("-device" "ide-hd,drive=root")
+        ;;
+    neptune)
+        hostqemuopts=("-device" "nvme,serial=rootnvme,drive=root")
+        ;;
+    *)
+        exit 1
+        ;;
+    esac
+    [[ ! "${hostqemuopts[*]}" ]] && exit 1
+    install_from_iso "${hostname}" "${hostqemuopts[@]}"
+    configure_new_system "${hostname}" "${hostqemuopts[@]}"
+done

user.yml

@@ -8,7 +8,6 @@
       - sudonopw
       - games
       - kvm
-  tags: [always]
 
 - name: create user group
   group:
@@ -25,15 +24,7 @@
     create_home: true
     groups: "{{ [user.name, 'dotfiles'] + user_groups }}"
     shell: /usr/bin/zsh
-
+    skeleton: /dev/null
-  become: true
-  become_user: root
-
-- name: configure sudoers
-  lineinfile:
-    path: /etc/sudoers
-    line: "{{ user.name }} ALL=(ALL) NOPASSWD:ALL"
-    regexp: "^{{ user.name }}\\s+"
   become: true
   become_user: root
 
@@ -48,29 +39,28 @@
     - "/home/{{ user.name }}/.config/systemd/"
     - "/home/{{ user.name }}/.config/systemd/user/"
 
+- name: disable undesired services
+  tags:
+    - undesired-services
+  block:
     - set_fact:
         undesired_user_services:
           - gpg-agent.socket
+          - gpg-agent.sock.service
           - gpg-agent-browser.socket
           - gpg-agent-ssh.socket
           - gpg-agent-extra.socket
           - xdg-user-dirs-update.service
           - gnome-keyring-daemon.service
 
-- name: stop undesired service
+    # systemd needs a login session, machinectl handles that for us
-  systemd_service:
+    - name: stop and mask undesired services
-    name: "{{ item }}"
+      command:
-    scope: user
+        cmd: machinectl --quiet --uid {{ user.name }} shell -- .host /usr/bin/env systemctl --user mask --now "{{ item }}"
-    state: stopped
+      become: true
-  loop: "{{ undesired_user_services }}"
+      become_user: root
-
+      register: undesired_service_cmd
-# No way to use the `systemd` module here, as it needs a logind
+      changed_when: undesired_service_cmd.stderr != ""
-# session. So we have to handle the symlinks for masking ourselves.
-- name: disable and mask systemd user units
-  file:
-    state: link
-    dest: "/home/{{ user.name }}/.config/systemd/user/{{ item }}"
-    src: "/dev/null"
       loop: "{{ undesired_user_services }}"
 
 - name: create directory for getty autologin
@@ -96,7 +86,10 @@
   become: true
   become_user: root
 
-- block:
+- name: configure dotfiles
+  tags:
+    - dotfiles
+  block:
     - name: load dotfile list
       include_vars:
         file: dotfiles.yml
@@ -262,29 +255,11 @@
         src: /var/lib/dotfiles/bin
         owner: "{{ user.name }}"
         group: "{{ user.name }}"
+
+- name: vim
   tags:
-    - dotfiles
+    - vim
-
+  block:
-- block:
-  - name: create intermediate directories for vim-plug
-    file:
-      path: "{{ item }}"
-      state: directory
-    with_items:
-      - ~/.local/
-      - ~/.local/share/
-      - ~/.local/share/nvim/
-      - ~/.local/share/nvim/site/
-      - ~/.local/share/nvim/site/autoload/
-
-  - name: install vim-plug
-    copy:
-      src: contrib/vim-plug/plug.vim
-      dest: ~/.local/share/nvim/site/autoload/plug.vim
-      owner: "{{ user.name }}"
-      group: "{{ user.name }}"
-      mode: "0644"
-
     - name: install vim plugins
       command: nvim --headless +PlugInstall +qall
       register: vim_plugin_install
@@ -295,13 +270,15 @@
       register: vim_plugin_update
       changed_when: vim_plugin_update.stderr != ""
 
-  tags: [vim-plugins]
+- name: firefox
-
+  tags:
-- block:
+    - firefox
+  block:
     - name: create firefox directories
       firefox_profile:
         name: "{{ item.key }}"
       loop: "{{ user.firefox_profiles | dict2items }}"
+      check_mode: false
       register: firefox_profile_names
 
     - set_fact:
@@ -311,7 +288,6 @@
           toolkit.legacyUserProfileCustomizations.stylesheets: true
           browser.contentblocking.category: "strict"
           browser.newtabpage.enabled: false
-        browser.shell.checkDefaultBrowser: false
           browser.startup.homepage: "about:blank"
           privacy.trackingprotection.enabled: true
           privacy.trackingprotection.socialtracking.enabled: true
@@ -320,7 +296,6 @@
           # Restore last session on startup
           # https://support.mozilla.org/de/questions/1235263
           browser.startup.page: 3
-        browser.sessionstore.resume_from_crash: true
 
           # "Play DRM-controlled content"
           media.eme.enabled: true
@@ -387,10 +362,10 @@
       with_items: "{{ firefox_profile_names.results }}"
       loop_control:
         label: "{{ item.profile_path }}"
-  tags:
-    - firefox
 
 - name: handle autostart units
+  tags:
+    - autostart
   block:
     - name: create systemd user directory
       file:
@@ -434,10 +409,10 @@
         force: true
         follow: false
 
+- name: gpg
   tags:
-    - autostart
+    - gpg
-
+  block:
-- block:
     - name: import gpg key
       command: gpg --import ./gpgkeys/{{ user.gpg_key.email }}.gpg.asc
       register: gpg_import_output
@@ -451,4 +426,3 @@
       changed_when: gpg_trust_output.stderr_lines|length > 0
 
   when: user.gpg_key is defined
-  tags: [gpg]

zsh/zprofile.j2

@@ -1,5 +1,9 @@
 source /etc/profile
 
+if [[ "$(passwd --status $USER | awk '{print $2}')" =~ ^(NP|L)$ ]] ; then
+    while ! sudo passwd $USER ; do ; done
+fi
+
 _path=(
     "$HOME/bin"
     "$HOME/.cargo/bin"
@@ -17,16 +21,10 @@ export BROWSER="firefox"
 export PAGER="less"
 export LESS="FRX"
 
-export WINEPATH="$HOME/games/wine"
-
-export BINDIR="$HOME/bin"
-
 export LANG=en_US.UTF-8
 export LC_TIME=de_DE.UTF-8
 export LC_COLLATE=C
 
-export DOTFILES=~/dotfiles
-
 export GOPATH=~/.go
 export PATH=$PATH:$(go env GOPATH)/bin
 
@@ -52,23 +50,29 @@ umask 0022
 export {{ k }}="{{ v }}"
 {% endfor %}
 
-export FEATURE_DIR="${XDG_RUNTIME_DIR}/features/"
+feature_dir="${XDG_RUNTIME_DIR}/features/"
-rm -rf "${FEATURE_DIR}"/
+rm -rf "${feature_dir}"/
-mkdir -p "${FEATURE_DIR}"
+mkdir -p "${feature_dir}"
 
-[[ $MACHINE_HAS_NEXTCLOUD     == "true" ]] && touch "${FEATURE_DIR}"/nextcloud
+[[ $MACHINE_HAS_NEXTCLOUD     == "true" ]] && touch "${feature_dir}"/nextcloud
-[[ $MACHINE_HAS_KEEPASSX      == "true" ]] && touch "${FEATURE_DIR}"/keepassx
+[[ $MACHINE_HAS_KEEPASSX      == "true" ]] && touch "${feature_dir}"/keepassx
-[[ $MACHINE_HAS_STEAM         == "true" ]] && touch "${FEATURE_DIR}"/steam
+[[ $MACHINE_HAS_STEAM         == "true" ]] && touch "${feature_dir}"/steam
-[[ $MACHINE_HAS_RESTIC_BACKUP == "true" ]] && touch "${FEATURE_DIR}"/restic_backup
+[[ $MACHINE_HAS_RESTIC_BACKUP == "true" ]] && touch "${feature_dir}"/restic_backup
 
-[[ $MACHINE_TYPE == "laptop" ]] && touch "${FEATURE_DIR}"/machine_is_laptop
+[[ $MACHINE_TYPE == "laptop" ]] && touch "${feature_dir}"/machine_is_laptop
 
 {% if user.gpg_agent %}
-touch "${FEATURE_DIR}"/gpg_agent
+touch "${feature_dir}"/gpg_agent
 {% endif %}
 
-# Make all environment variables also usable in the systemd user instancee
+# Make important environment variables also usable in the systemd user instance
-systemctl --user import-environment
+systemd_envs=(
+    DISPLAY
+    GNUPGHOME
+    PATH
+    ACPI_LID_NAME
+)
+systemctl --user import-environment "${systemd_envs[@]}"
 
 # exec startx breaks some logind fuckery, without exec it works
 if [[ -z $DISPLAY ]] ; then

zsh/zshrc.j2

@@ -100,7 +100,7 @@ alias grep='grep --color=auto'
 alias fgrep='fgrep --color=auto'
 alias egrep='egrep --color=auto'
 
-alias rg='rg --hidden --glob "!.git/**"'
+alias rg='rg --hidden --glob "!.git/**" --glob "!.git"'
 
 alias rm='rm -v'
 alias cp='cp -vi'