IaC/ansible/roles/aur_repo_host/tasks/main.yaml

---

- name: Create the makepkg drop-in config file
  ansible.builtin.template:
    dest: /etc/makepkg.conf.d/makepkg.conf
    src: makepkg.conf.j2
    owner: root
    group: root
    mode: "0644"

- name: Create the build user group
  ansible.builtin.group:
    name: "{{ aur_repo_build_account }}"
    system: true
    state: present

- name: Create the build user
  ansible.builtin.user:
    name: "{{ aur_repo_build_account }}"
    password: '!'
    group: "{{ aur_repo_build_account }}"
    comment: "AUR Package Builder"
    shell: /sbin/nologin
    home: "{{ aur_repo_dir }}"
    createhome: true
    system: true
    state: present

- name: Create the build user sudoer file
  ansible.builtin.template:
    dest: /etc/sudoers.d/{{ aur_repo_build_account }}
    src: aur-sudoer.j2
    owner: root
    group: root
    mode: "0640"

- name: Create the build dirs
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "{{ aur_repo_build_account }}"
    group: "{{ aur_repo_build_account }}"
    mode: "0775"
  loop:
    - "{{ aur_repo_dir }}"
    - "{{ aur_repo_dir }}/packages"
    - "{{ aur_repo_dir }}/sources"
    - "{{ aur_repo_dir }}/srcpackages"
    - /var/log/makepkg
    - /tmp/build

- name: Check if the signing key is in build user's keyring
  become: true
  become_user: "{{ aur_repo_build_account }}"
  ansible.builtin.command:
    cmd: gpg2 --list-secret-key --with-colons {{ aur_repo_key_thumbprint }}
  failed_when: key_result.rc not in [0, 2]
  changed_when: false
  register: key_result

- name: GPG key import block
  when: key_result.rc == 2
  block:

    - name: Template out the signing private key
      ansible.builtin.template:
        dest: "/tmp/build/signing_key.asc"
        src: signing_key.asc.j2
        owner: "{{ aur_repo_build_account }}"
        group: "{{ aur_repo_build_account }}"
        mode: "0600"

    - name: Import the signing key
      become: true
      become_user: "{{ aur_repo_build_account }}"
      ansible.builtin.command:
        cmd: gpg2 --import /tmp/build/signing_key.asc
      changed_when: true

    - name: Delete the signing key
      ansible.builtin.file:
        path: "/tmp/build/signing_key.asc"
        state: absent

- name: Check if aurutils is already installed
  ansible.builtin.stat:
    follow: true
    path: /usr/bin/aur
  register: aurutils_stat

- name: Aurutils install block
  when: not aurutils_stat.stat.exists
  block:

    - name: Install makepkg dependencies
      community.general.pacman:
        name:
          - git
          - base-devel
        state: present
        update_cache: true

    - name: Clone aurutils
      ansible.builtin.git:
        depth: 1
        dest: /tmp/aurutils
        repo: https://aur.archlinux.org/aurutils.git
        single_branch: true
        version: master

    - name: Slurp PKGBUILD contents
      ansible.builtin.slurp:
        path: /tmp/aurutils/PKGBUILD
      register: aurutils_pkgbuild

    - name: Parse PKGBUILD into facts
      ansible.builtin.set_fact:
        aurutils_dependencies: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^depends=\\().*(?=\\)$)', multiline=True) | replace(\"'\", '') | split(' ') }}" # noqa: yaml[line-length]
        aurutils_pkgver: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^pkgver=).*(?=$)', multiline=True) }}"
        aurutils_pkgrel: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^pkgrel=).*(?=$)', multiline=True) }}"
        aurutils_arch: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^arch=\\().*(?=\\)$)', multiline=True) | replace(\"'\", '') }}"

    - name: Install aurutils dependencies
      community.general.pacman:
        name: "{{ aurutils_dependencies }}"
        state: present
        reason: dependency
        update_cache: false

    - name: Build aurutils
      become: true
      become_user: "{{ aur_repo_build_account }}"
      ansible.builtin.command:
        cmd: makepkg
        chdir: /tmp/aurutils
        creates: "{{ aur_repo_dir }}/packages/aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar"

    - name: Update repo database
      become: true
      become_user: "{{ aur_repo_build_account }}"
      ansible.builtin.command:
        argv:
          - repo-add
          - --prevent-downgrade
          - --remove
          - --sign
          - --key
          - "{{ aur_repo_key_thumbprint }}"
          - home.db.tar
          - aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar
        chdir: "{{ aur_repo_dir }}/packages"
      changed_when: true

    - name: Check if the signing key is in pacman keyring
      ansible.builtin.command:
        argv:
          - pacman-key
          - -l
          - "{{ aur_repo_key_thumbprint }}"
      failed_when: pacman_key_result.rc not in [0, 1]
      changed_when: false
      register: pacman_key_result

    - name: Pacman key import block
      when: pacman_key_result.rc == 1
      block:

        - name: Import the signing public key to arch keyring
          ansible.builtin.command:
            argv:
              - pacman-key
              - -r
              - "{{ aur_repo_key_thumbprint }}"
              - --keyserver
              - hkps://keyserver.ubuntu.com
          changed_when: true

        - name: Locally sign the imported pacman key
          ansible.builtin.command:
            argv:
              - pacman-key
              - --lsign-key
              - "{{ aur_repo_key_thumbprint }}"
          changed_when: true

    - name: Add custom repo block to pacman.conf
      ansible.builtin.blockinfile:
        path: /etc/pacman.conf
        block: |
          [home]
          SigLevel = Required TrustedOnly
          Server = file://{{ aur_repo_dir }}/packages          
        create: false
        state: present
        insertafter: EOF

    - name: Install aurutils
      community.general.pacman:
        name: aurutils
        state: present
        update_cache: true

- name: Enable the multilib repository
  ansible.builtin.replace:
    path: /etc/pacman.conf
    backup: true
    regexp: '^[#]?\[multilib\]\n[#]?Include = \/etc\/pacman.d\/mirrorlist$'
    replace: '[multilib]\nInclude = /etc/pacman.d/mirrorlist'
  register: multilib_enable

- name: Update the package database # noqa: no-handler
  when: multilib_enable.changed
  community.general.pacman:
    update_cache: true

- name: Sync AUR packages
  become: true
  become_user: "{{ aur_repo_build_account }}"
  ansible.builtin.command:
    cmd: aur sync --no-view -CnrS {{ item }}
  loop: "{{ aur_repo_host_packages }}"
  register: aur_sync_result
  changed_when: (aur_sync_result.stderr_lines | last | replace(':','')) != "sync there is nothing to do"
  failed_when: aur_sync_result.rc != 0

- name: Add the root www folder if it doesn't exist
  ansible.builtin.file:
    path: /var/www
    state: directory
    owner: http
    group: http
    mode: "0775"

- name: Link the aur repo to the web root
  ansible.builtin.file:
    src: "{{ aur_repo_dir }}/packages"
    path: /var/www{{ aur_repo_dir }}
    state: link

- name: Add the aur-sync systemd unit files
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: /usr/lib/systemd/system/
    owner: root
    group: root
    mode: "0644"
  loop:
    - aur-sync.service
    - aur-sync.timer
  register: aur_sync_unit_files

- name: Enable and start the aur-sync systemd timer # noqa: no-handler
  when: aur_sync_unit_files.changed
  ansible.builtin.systemd:
    name: aur-sync.timer
    enabled: true
    state: started
    daemon_reload: true