IaC/ansible/roles/aur_repo/tasks/main.yaml

---

- name: Create the makepkg drop-in config file
  ansible.builtin.template:
    dest: /etc/makepkg.conf.d/makepkg.conf
    src: makepkg.conf.j2
    owner: root
    group: root
    mode: "0644"

- name: Create the build user group
  ansible.builtin.group:
    name: "{{ aur_repo_build_account }}"
    system: true
    state: present

- name: Create the build user
  ansible.builtin.user:
    name: "{{ aur_repo_build_account }}"
    password: '!'
    group: "{{ aur_repo_build_account }}"
    comment: "AUR Package Builder"
    shell: /sbin/nologin
    home: "{{ aur_repo_dir }}"
    createhome: true
    system: true
    state: present

- name: Create the parent build dir
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "{{ aur_repo_build_account }}"
    group: "{{ aur_repo_build_account }}"
    mode: "0755"
  loop:
    - "{{ aur_repo_dir }}"
    - "{{ aur_repo_dir }}/packages"
    - "{{ aur_repo_dir }}/sources"
    - "{{ aur_repo_dir }}/srcpackages"
    - /var/log/makepkg
    - /tmp/build

- name: Check if the singing key is in build user's keyring
  become: true
  become_user: "{{ aur_repo_build_account }}"
  ansible.builtin.command:
    cmd: gpg2 --list-secret-key --with-colons {{ aur_repo_key_thumbprint }}
  failed_when: key_result.rc not in [0, 2]
  changed_when: false
  register: key_result

- name: GPG key import block
  when: key_result.rc == 2
  block:

    - name: Template out the signing private key
      ansible.builtin.template:
        dest: "/tmp/build/signing_key.asc"
        src: signing_key.asc.j2
        owner: "{{ aur_repo_build_account }}"
        group: "{{ aur_repo_build_account }}"
        mode: "0600"

    - name: Import the signing key
      become: true
      become_user: "{{ aur_repo_build_account }}"
      ansible.builtin.command:
        cmd: gpg2 --import /tmp/build/signing_key.asc
      changed_when: true

    - name: Delete the signing key
      ansible.builtin.file:
        path: "/tmp/build/signing_key.asc"
        state: absent

- name: Check if aurutils is already installed
  ansible.builtin.stat:
    follow: true
    path: /usr/bin/aur
  register: aurutils_stat

- name: Aurutils install block
  when: not aurutils_stat.stat.exists
  block:

    - name: Install makepkg dependencies
      community.general.pacman:
        name:
          - git
          - base-devel
        state: present
        update_cache: true

    - name: Clone aurutils
      ansible.builtin.git:
        depth: 1
        dest: /tmp/aurutils
        repo: https://aur.archlinux.org/aurutils.git
        single_branch: true
        version: master

    - name: Slurp PKGBUILD contents
      ansible.builtin.slurp:
        path: /tmp/aurutils/PKGBUILD
      register: aurutils_pkgbuild

    - name: Parse PKGBUILD into facts
      ansible.builtin.set_fact:
        aurutils_dependencies: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^depends=\\().*(?=\\)$)', multiline=True) | replace(\"'\", '') | split(' ') }}" # noqa: yaml[line-length]
        aurutils_pkgver: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^pkgver=).*(?=$)', multiline=True) }}"
        aurutils_pkgrel: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^pkgrel=).*(?=$)', multiline=True) }}"
        aurutils_arch: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^arch=\\().*(?=\\)$)', multiline=True) | replace(\"'\", '') }}"

    - name: Debug aurutils dependencies
      ansible.builtin.debug:
        msg: "{{ aur_repo_dir }}/packages/aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar.lz4"

    - name: Install aurutils dependencies
      community.general.pacman:
        name: "{{ aurutils_dependencies }}"
        state: present
        reason: dependency
        update_cache: false

    - name: Build aurutils
      become: true
      become_user: "{{ aur_repo_build_account }}"
      ansible.builtin.command:
        cmd: makepkg
        chdir: /tmp/aurutils
        creates: "{{ aur_repo_dir }}/packages/aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar.lz4"

    - name: Check if the signing key is in pacman keyring
      ansible.builtin.command:
        argv:
          - pacman-key
          - -l
          - "{{ aur_repo_key_thumbprint }}"
      failed_when: pacman_key_result.rc not in [0, 2]
      changed_when: false
      register: pacman_key_result

    - name: Pacman key import block
      when: pacman_key_result.rc == 2
      block:

        - name: Import the signing public key to arch keyring
          ansible.builtin.command:
            argv:
              - pacman-key
              - -r
              - "{{ aur_repo_key_thumbprint }}"
              - --keyserver
              - hkps://keyserver.ubuntu.com
          changed_when: true

        - name: Locally sign the imported pacman key
          ansible.builtin.command:
            argv:
              - pacman-key
              - --lsign-key
              - "{{ aur_repo_key_thumbprint }}"
          changed_when: true

    - name: Install aurutils
      community.general.pacman:
        name: "{{ aur_repo_dir }}/packages/aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar.lz4"
        state: present
        update_cache: false