IaC/ansible/roles/aur_repo_host/tasks/main.yaml

---

- name: Create the makepkg drop-in config file
  ansible.builtin.template:
    dest: /etc/makepkg.conf.d/makepkg.conf
    src: makepkg.conf.j2
    owner: root
    group: root
    mode: "0644"

- name: Create the build user group
  ansible.builtin.group:
    name: "{{ aur_repo_build_account }}"
    system: true
    state: present

- name: Create the build user
  ansible.builtin.user:
    name: "{{ aur_repo_build_account }}"
    password: '!'
    group: "{{ aur_repo_build_account }}"
    comment: "AUR Package Builder"
    shell: /sbin/nologin
    home: "{{ aur_repo_dir }}"
    createhome: true
    system: true
    state: present

- name: Create the build user sudoer file
  ansible.builtin.template:
    dest: /etc/sudoers.d/{{ aur_repo_build_account }}
    src: aur-sudoer.j2
    owner: root
    group: root
    mode: "0640"

- name: Create the build dirs
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "{{ aur_repo_build_account }}"
    group: "{{ aur_repo_build_account }}"
    mode: "0775"
  loop:
    - "{{ aur_repo_dir }}"
    - "{{ aur_repo_dir }}/packages"
    - "{{ aur_repo_dir }}/sources"
    - "{{ aur_repo_dir }}/srcpackages"
    - /var/log/makepkg
    - /tmp/build

- name: Check if the signing key is in build user's keyring
  become: true
  become_user: "{{ aur_repo_build_account }}"
  ansible.builtin.command:
    cmd: gpg2 --list-secret-key --with-colons {{ aur_repo_key_thumbprint }}
  failed_when: key_result.rc not in [0, 2]
  changed_when: false
  register: key_result

- name: GPG key import block
  when: key_result.rc == 2
  block:

    - name: Template out the signing private key
      ansible.builtin.template:
        dest: "/tmp/build/signing_key.asc"
        src: signing_key.asc.j2
        owner: "{{ aur_repo_build_account }}"
        group: "{{ aur_repo_build_account }}"
        mode: "0600"

    - name: Import the signing key
      become: true
      become_user: "{{ aur_repo_build_account }}"
      ansible.builtin.command:
        cmd: gpg2 --import /tmp/build/signing_key.asc
      changed_when: true

    - name: Delete the signing key
      ansible.builtin.file:
        path: "/tmp/build/signing_key.asc"
        state: absent

- name: Check if aurutils is already installed
  ansible.builtin.stat:
    follow: true
    path: /usr/bin/aur
  register: aurutils_stat

- name: Aurutils install block
  when: not aurutils_stat.stat.exists
  block:

    - name: Install makepkg dependencies
      community.general.pacman:
        name:
          - git
          - base-devel
        state: present
        update_cache: true

    - name: Clone aurutils
      ansible.builtin.git:
        depth: 1
        dest: /tmp/aurutils
        repo: https://aur.archlinux.org/aurutils.git
        single_branch: true
        version: master

    - name: Slurp PKGBUILD contents
      ansible.builtin.slurp:
        path: /tmp/aurutils/PKGBUILD
      register: aurutils_pkgbuild

    - name: Parse PKGBUILD into facts
      ansible.builtin.set_fact:
        aurutils_dependencies: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^depends=\\().*(?=\\)$)', multiline=True) | replace(\"'\", '') | split(' ') }}" # noqa: yaml[line-length]
        aurutils_pkgver: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^pkgver=).*(?=$)', multiline=True) }}"
        aurutils_pkgrel: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^pkgrel=).*(?=$)', multiline=True) }}"
        aurutils_arch: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^arch=\\().*(?=\\)$)', multiline=True) | replace(\"'\", '') }}"

    - name: Install aurutils dependencies
      community.general.pacman:
        name: "{{ aurutils_dependencies }}"
        state: present
        reason: dependency
        update_cache: false

    - name: Build aurutils
      become: true
      become_user: "{{ aur_repo_build_account }}"
      ansible.builtin.command:
        cmd: makepkg
        chdir: /tmp/aurutils
        creates: "{{ aur_repo_dir }}/packages/aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar"

    - name: Update repo database
      become: true
      become_user: "{{ aur_repo_build_account }}"
      ansible.builtin.command:
        argv:
          - repo-add
          - --prevent-downgrade
          - --remove
          - --sign
          - --key
          - "{{ aur_repo_key_thumbprint }}"
          - home.db.tar
          - aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar
        chdir: "{{ aur_repo_dir }}/packages"
      changed_when: true

    - name: Check if the signing key is in pacman keyring
      ansible.builtin.command:
        argv:
          - pacman-key
          - -l
          - "{{ aur_repo_key_thumbprint }}"
      failed_when: pacman_key_result.rc not in [0, 1]
      changed_when: false
      register: pacman_key_result

    - name: Pacman key import block
      when: pacman_key_result.rc == 1
      block:

        - name: Import the signing public key to arch keyring
          ansible.builtin.command:
            argv:
              - pacman-key
              - -r
              - "{{ aur_repo_key_thumbprint }}"
              - --keyserver
              - hkps://keyserver.ubuntu.com
          changed_when: true

        - name: Locally sign the imported pacman key
          ansible.builtin.command:
            argv:
              - pacman-key
              - --lsign-key
              - "{{ aur_repo_key_thumbprint }}"
          changed_when: true

    - name: Add custom repo block to pacman.conf
      ansible.builtin.blockinfile:
        path: /etc/pacman.conf
        block: |
          [home]
          SigLevel = Required TrustedOnly
          Server = file://{{ aur_repo_dir }}/packages
        create: false
        state: present
        insertafter: EOF

    - name: Install aurutils
      community.general.pacman:
        name: aurutils
        state: present
        update_cache: true

- name: Enable the multilib repository
  ansible.builtin.replace:
    path: /etc/pacman.conf
    backup: true
    regexp: '^[#]?\[multilib\]\n[#]?Include = \/etc\/pacman.d\/mirrorlist$'
    replace: '[multilib]\nInclude = /etc/pacman.d/mirrorlist'
  register: multilib_enable

- name: Update the package database # noqa: no-handler
  when: multilib_enable.changed
  community.general.pacman:
    update_cache: true

- name: Sync AUR packages
  become: true
  become_user: "{{ aur_repo_build_account }}"
  ansible.builtin.command:
    cmd: aur sync --no-view -CnrS {{ item }}
  loop: "{{ aur_repo_host_packages }}"
  register: aur_sync_result
  changed_when: (aur_sync_result.stderr_lines | last | replace(':','')) != "sync there is nothing to do"
  failed_when: aur_sync_result.rc != 0

- name: Add the root www folder if it doesn't exist
  ansible.builtin.file:
    path: /var/www
    state: directory
    owner: http
    group: http
    mode: "0775"

- name: Link the aur repo to the web root
  ansible.builtin.file:
    src: "{{ aur_repo_dir }}/packages"
    path: /var/www{{ aur_repo_dir }}
    state: link

- name: Add the aur-sync systemd unit files
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: /usr/lib/systemd/system/
    owner: root
    group: root
    mode: "0644"
  loop:
    - aur-sync.service
    - aur-sync.timer
  register: aur_sync_unit_files

- name: Enable and start the aur-sync systemd timer # noqa: no-handler
  when: aur_sync_unit_files.changed
  ansible.builtin.systemd:
    name: aur-sync.timer
    enabled: true
    state: started
    daemon_reload: true
aurutils install working 2024-04-22 05:46:14 -04:00			`---`

			`- name: Create the makepkg drop-in config file`
			`ansible.builtin.template:`
			`dest: /etc/makepkg.conf.d/makepkg.conf`
			`src: makepkg.conf.j2`
			`owner: root`
			`group: root`
			`mode: "0644"`

			`- name: Create the build user group`
			`ansible.builtin.group:`
			`name: "{{ aur_repo_build_account }}"`
			`system: true`
			`state: present`

			`- name: Create the build user`
			`ansible.builtin.user:`
			`name: "{{ aur_repo_build_account }}"`
			`password: '!'`
			`group: "{{ aur_repo_build_account }}"`
			`comment: "AUR Package Builder"`
			`shell: /sbin/nologin`
			`home: "{{ aur_repo_dir }}"`
			`createhome: true`
			`system: true`
			`state: present`

aur repo host complete 2024-04-22 23:47:14 -04:00			`- name: Create the build user sudoer file`
			`ansible.builtin.template:`
			`dest: /etc/sudoers.d/{{ aur_repo_build_account }}`
			`src: aur-sudoer.j2`
			`owner: root`
			`group: root`
			`mode: "0640"`

			`- name: Create the build dirs`
aurutils install working 2024-04-22 05:46:14 -04:00			`ansible.builtin.file:`
			`path: "{{ item }}"`
			`state: directory`
			`owner: "{{ aur_repo_build_account }}"`
			`group: "{{ aur_repo_build_account }}"`
aur repo host complete 2024-04-22 23:47:14 -04:00			`mode: "0775"`
aurutils install working 2024-04-22 05:46:14 -04:00			`loop:`
			`- "{{ aur_repo_dir }}"`
			`- "{{ aur_repo_dir }}/packages"`
			`- "{{ aur_repo_dir }}/sources"`
			`- "{{ aur_repo_dir }}/srcpackages"`
			`- /var/log/makepkg`
			`- /tmp/build`

aur repo host complete 2024-04-22 23:47:14 -04:00			`- name: Check if the signing key is in build user's keyring`
aurutils install working 2024-04-22 05:46:14 -04:00			`become: true`
			`become_user: "{{ aur_repo_build_account }}"`
			`ansible.builtin.command:`
			`cmd: gpg2 --list-secret-key --with-colons {{ aur_repo_key_thumbprint }}`
			`failed_when: key_result.rc not in [0, 2]`
			`changed_when: false`
			`register: key_result`

			`- name: GPG key import block`
			`when: key_result.rc == 2`
			`block:`

			`- name: Template out the signing private key`
			`ansible.builtin.template:`
			`dest: "/tmp/build/signing_key.asc"`
			`src: signing_key.asc.j2`
			`owner: "{{ aur_repo_build_account }}"`
			`group: "{{ aur_repo_build_account }}"`
			`mode: "0600"`

			`- name: Import the signing key`
			`become: true`
			`become_user: "{{ aur_repo_build_account }}"`
			`ansible.builtin.command:`
			`cmd: gpg2 --import /tmp/build/signing_key.asc`
			`changed_when: true`

			`- name: Delete the signing key`
			`ansible.builtin.file:`
			`path: "/tmp/build/signing_key.asc"`
			`state: absent`

			`- name: Check if aurutils is already installed`
			`ansible.builtin.stat:`
			`follow: true`
			`path: /usr/bin/aur`
			`register: aurutils_stat`

			`- name: Aurutils install block`
			`when: not aurutils_stat.stat.exists`
			`block:`

			`- name: Install makepkg dependencies`
			`community.general.pacman:`
			`name:`
			`- git`
			`- base-devel`
			`state: present`
			`update_cache: true`

			`- name: Clone aurutils`
			`ansible.builtin.git:`
			`depth: 1`
			`dest: /tmp/aurutils`
			`repo: https://aur.archlinux.org/aurutils.git`
			`single_branch: true`
			`version: master`

			`- name: Slurp PKGBUILD contents`
			`ansible.builtin.slurp:`
			`path: /tmp/aurutils/PKGBUILD`
			`register: aurutils_pkgbuild`

			`- name: Parse PKGBUILD into facts`
			`ansible.builtin.set_fact:`
			`aurutils_dependencies: "{{ aurutils_pkgbuild['content'] \| b64decode \| regex_search('(?<=^depends=\\().*(?=\\)$)', multiline=True) \| replace(\"'\", '') \| split(' ') }}" # noqa: yaml[line-length]`
			`aurutils_pkgver: "{{ aurutils_pkgbuild['content'] \| b64decode \| regex_search('(?<=^pkgver=).*(?=$)', multiline=True) }}"`
			`aurutils_pkgrel: "{{ aurutils_pkgbuild['content'] \| b64decode \| regex_search('(?<=^pkgrel=).*(?=$)', multiline=True) }}"`
			`aurutils_arch: "{{ aurutils_pkgbuild['content'] \| b64decode \| regex_search('(?<=^arch=\\().*(?=\\)$)', multiline=True) \| replace(\"'\", '') }}"`

			`- name: Install aurutils dependencies`
			`community.general.pacman:`
			`name: "{{ aurutils_dependencies }}"`
			`state: present`
			`reason: dependency`
			`update_cache: false`

			`- name: Build aurutils`
			`become: true`
			`become_user: "{{ aur_repo_build_account }}"`
			`ansible.builtin.command:`
			`cmd: makepkg`
			`chdir: /tmp/aurutils`
aur repo wip 2024-04-22 08:49:49 -04:00			`creates: "{{ aur_repo_dir }}/packages/aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar"`

			`- name: Update repo database`
			`become: true`
			`become_user: "{{ aur_repo_build_account }}"`
			`ansible.builtin.command:`
			`argv:`
			`- repo-add`
			`- --prevent-downgrade`
			`- --remove`
			`- --sign`
			`- --key`
			`- "{{ aur_repo_key_thumbprint }}"`
custom remote repo working 2024-04-22 10:14:39 -04:00			`- home.db.tar`
aur repo wip 2024-04-22 08:49:49 -04:00			`- aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar`
			`chdir: "{{ aur_repo_dir }}/packages"`
			`changed_when: true`
aurutils install working 2024-04-22 05:46:14 -04:00
			`- name: Check if the signing key is in pacman keyring`
			`ansible.builtin.command:`
			`argv:`
			`- pacman-key`
			`- -l`
			`- "{{ aur_repo_key_thumbprint }}"`
aur repo host complete 2024-04-22 23:47:14 -04:00			`failed_when: pacman_key_result.rc not in [0, 1]`
aurutils install working 2024-04-22 05:46:14 -04:00			`changed_when: false`
			`register: pacman_key_result`

			`- name: Pacman key import block`
aur repo host complete 2024-04-22 23:47:14 -04:00			`when: pacman_key_result.rc == 1`
aurutils install working 2024-04-22 05:46:14 -04:00			`block:`

			`- name: Import the signing public key to arch keyring`
			`ansible.builtin.command:`
			`argv:`
			`- pacman-key`
			`- -r`
			`- "{{ aur_repo_key_thumbprint }}"`
			`- --keyserver`
			`- hkps://keyserver.ubuntu.com`
			`changed_when: true`

			`- name: Locally sign the imported pacman key`
			`ansible.builtin.command:`
			`argv:`
			`- pacman-key`
			`- --lsign-key`
			`- "{{ aur_repo_key_thumbprint }}"`
			`changed_when: true`

aur repo wip 2024-04-22 08:49:49 -04:00			`- name: Add custom repo block to pacman.conf`
			`ansible.builtin.blockinfile:`
			`path: /etc/pacman.conf`
			`block: \|`
custom remote repo working 2024-04-22 10:14:39 -04:00			`[home]`
aur repo wip 2024-04-22 08:49:49 -04:00			`SigLevel = Required TrustedOnly`
			`Server = file://{{ aur_repo_dir }}/packages`
			`create: false`
			`state: present`
			`insertafter: EOF`

aurutils install working 2024-04-22 05:46:14 -04:00			`- name: Install aurutils`
			`community.general.pacman:`
aur repo wip 2024-04-22 08:49:49 -04:00			`name: aurutils`
aurutils install working 2024-04-22 05:46:14 -04:00			`state: present`
aur repo wip 2024-04-22 08:49:49 -04:00			`update_cache: true`

aur repo host complete 2024-04-22 23:47:14 -04:00			`- name: Enable the multilib repository`
			`ansible.builtin.replace:`
			`path: /etc/pacman.conf`
			`backup: true`
			`regexp: '^[#]?\[multilib\]\n[#]?Include = \/etc\/pacman.d\/mirrorlist$'`
			`replace: '[multilib]\nInclude = /etc/pacman.d/mirrorlist'`
			`register: multilib_enable`

			`- name: Update the package database # noqa: no-handler`
			`when: multilib_enable.changed`
			`community.general.pacman:`
			`update_cache: true`

			`- name: Sync AUR packages`
			`become: true`
			`become_user: "{{ aur_repo_build_account }}"`
			`ansible.builtin.command:`
			`cmd: aur sync --no-view -CnrS {{ item }}`
			`loop: "{{ aur_repo_host_packages }}"`
			`register: aur_sync_result`
			`changed_when: (aur_sync_result.stderr_lines \| last \| replace(':','')) != "sync there is nothing to do"`
			`failed_when: aur_sync_result.rc != 0`

aur repo wip 2024-04-22 08:49:49 -04:00			`- name: Add the root www folder if it doesn't exist`
			`ansible.builtin.file:`
			`path: /var/www`
			`state: directory`
			`owner: http`
			`group: http`
			`mode: "0775"`

			`- name: Link the aur repo to the web root`
			`ansible.builtin.file:`
			`src: "{{ aur_repo_dir }}/packages"`
custom remote repo working 2024-04-22 10:14:39 -04:00			`path: /var/www{{ aur_repo_dir }}`
aur repo wip 2024-04-22 08:49:49 -04:00			`state: link`
aur repo host complete 2024-04-22 23:47:14 -04:00
			`- name: Add the aur-sync systemd unit files`
			`ansible.builtin.copy:`
			`src: "{{ item }}"`
			`dest: /usr/lib/systemd/system/`
			`owner: root`
			`group: root`
			`mode: "0644"`
			`loop:`
			`- aur-sync.service`
			`- aur-sync.timer`
			`register: aur_sync_unit_files`

			`- name: Enable and start the aur-sync systemd timer # noqa: no-handler`
			`when: aur_sync_unit_files.changed`
			`ansible.builtin.systemd:`
			`name: aur-sync.timer`
			`enabled: true`
			`state: started`
			`daemon_reload: true`