diff --git a/ansible/roles/build/files/aurutils-purge b/ansible/roles/build/files/aurutils-purge new file mode 100755 index 0000000..4622310 --- /dev/null +++ b/ansible/roles/build/files/aurutils-purge @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +# +repo-remove --sign /var/cache/pacman/custom/custom.db.tar "$1" +sudo pacman -R "$1" +sudo paccache -r diff --git a/ansible/roles/build/files/aurutils-sync b/ansible/roles/build/files/aurutils-sync new file mode 100644 index 0000000..ba5fe44 --- /dev/null +++ b/ansible/roles/build/files/aurutils-sync @@ -0,0 +1,8 @@ +#!/usr/bin/env bash +# +# Wrapper script to `aur sync` +set -euo pipefail +IFS=$'\n\t' +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +GPGKEY=27DE40D9B8455C1B exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@" diff --git a/ansible/roles/build/files/aurutils.conf b/ansible/roles/build/files/aurutils.conf new file mode 100644 index 0000000..992ef60 --- /dev/null +++ b/ansible/roles/build/files/aurutils.conf @@ -0,0 +1,8 @@ +[options] +CacheDir = /var/cache/pacman/pkg +CacheDir = /var/cache/pacman/custom +CleanMethod = KeepCurrent + +[custom] +SigLevel = Required +Server = file:///var/cache/pacman/custom diff --git a/ansible/roles/build/files/gpg.asc b/ansible/roles/build/files/gpg.asc new file mode 100644 index 0000000..c6de310 --- /dev/null +++ b/ansible/roles/build/files/gpg.asc @@ -0,0 +1,34 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0 +0H+RsWG0HVRvbSBBbGV4YW5kZXIgPHRvbUBmaXp6LmJ1eno+iJAEExYIADgWIQS4 +SBWTY8KHeReVS+En3kDZuEVcGwUCXZwWGgIbAwULCQgHAgYVCAkKCwIEFgIDAQIe +AQIXgAAKCRAn3kDZuEVcG9glAQDX3Bzaz9sQpycc40LeLxSKQsWplfJigfr8wWOg +C15TywEAqkTtCrTNsltdZERLMre7qnv/6RSo54OW0C4pdN7UUAa0HlRvbSBBbGV4 +YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A +2bhFXBsFAl+w+R0CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQJ95A2bhF +XBt6fgD+NOYnw9gz5K/q3H5LE/JvqzCSHezJmeGgif0CuU4m1/MA+gPDKME7syEt +JsTpELEMrxWWpDW0tD/W1iJE7roGYPQPtB9Ub20gQWxleGFuZGVyIDx0b21AaGFy +bW9uaWMuYWk+iJAEExYIADgWIQS4SBWTY8KHeReVS+En3kDZuEVcGwUCX7D5RAIb +AwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAn3kDZuEVcGzjDAP9pM1ScstOk +ti+oRAsNSk8qsjIsCT9O5voDS0Q7plWlcwD/btKVFO9tPLsXhyvdB+NSwueVs7TA +kRVjlW3hktpefg24OARdnBYaEgorBgEEAZdVAQUBAQdArbTYQgDBMG7EBFTKA6+f +4CWgwl26Lf2b6cyCGfUw2j4DAQgHiHgEGBYIACAWIQS4SBWTY8KHeReVS+En3kDZ +uEVcGwUCXZwWGgIbDAAKCRAn3kDZuEVcG03MAQCrkjrE+MhtvbfGaHGHlwz9QnF0 +Z519YzK8Xr8m0O+09QEA9BFCfkAzBM4D4JKeWJh/tmN9U6UexzLrRdY+W9cugAm4 +MwRdnBbKFgkrBgEEAdpHDwEBB0A/IgvgQaDhPkk72raSlUPLZaMyJfPedlfBhbgY +uhNiSIj1BBgWCAAmAhsCFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w+hYFCQe4 +fcwAgXYgBBkWCAAdFiEEgeZEOZZ1UC6xJRa606F5yaU8Dt4FAl2cFsoACgkQ06F5 +yaU8Dt6MngD+Krs3aYyHH6i85ebVESgBI8XeXhgACM4exepw+0UcoYkBAKK4DvV3 +oJD6o1ku6Rr8pUH962SQm8PO9pO2JBBAb6ADCRAn3kDZuEVcG9uAAP43vUsbe24/ +6tjEezAW0a4L2E1u4HNU8t53lolngs1kswEAy1HBdYEMR9TovX/kMeBHLcz1J2pM +VRSV0JnJhj5eZwa4MwRdnBcBFgkrBgEEAdpHDwEBB0BrvpOZa4q6JHVuc1XUVQTq +hDgLwD5SJBvzHSTXPYOZMoh+BBgWCAAmAhsgFiEEuEgVk2PCh3kXlUvhJ95A2bhF +XBsFAl+w+hYFCQe4fZUACgkQJ95A2bhFXBs3NgEA3SFYTgRVstidfoEpEZV4DdSL +kXaOwN3Eyba4UniClyMA/2CCxQt24vu19TyvUtOXWCp9Zi8SyIqoeiXQ4ZmhhnQO +uDgEXZwXKBIKKwYBBAGXVQEFAQEHQA7S3cFTEu6iROopVyF4UBl3hQrEAbOc9CW+ +xXKFZYgSAwEIB4h+BBgWCAAmAhsMFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w ++hcFCQe4fW4ACgkQJ95A2bhFXBtUXAEAyEJCUNVSJ7qvQv5IXuwbYTX2Mh7JU3+F +GJHO7AWBXCQA/2aLAi9kYmz9ba770XYwTeBZIv9Y6UIwIwVmFdYHC/EM +=a/z4 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/ansible/roles/build/files/makepkg.conf b/ansible/roles/build/files/makepkg.conf new file mode 100644 index 0000000..f49f92d --- /dev/null +++ b/ansible/roles/build/files/makepkg.conf @@ -0,0 +1,158 @@ +#!/hint/bash +# +# /etc/makepkg.conf +# + +######################################################################### +# SOURCE ACQUISITION +######################################################################### +# +#-- The download utilities that makepkg should use to acquire sources +# Format: 'protocol::agent' +DLAGENTS=('file::/usr/bin/curl -gqC - -o %o %u' + 'ftp::/usr/bin/curl -gqfC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u' + 'http::/usr/bin/curl -gqb "" -fLC - --retry 3 --retry-delay 3 -o %o %u' + 'https::/usr/bin/curl -gqb "" -fLC - --retry 3 --retry-delay 3 -o %o %u' + 'rsync::/usr/bin/rsync --no-motd -z %u %o' + 'scp::/usr/bin/scp -C %u %o') + +# Other common tools: +# /usr/bin/snarf +# /usr/bin/lftpget -c +# /usr/bin/wget + +#-- The package required by makepkg to download VCS sources +# Format: 'protocol::package' +VCSCLIENTS=('bzr::bzr' + 'fossil::fossil' + 'git::git' + 'hg::mercurial' + 'svn::subversion') + +######################################################################### +# ARCHITECTURE, COMPILE FLAGS +######################################################################### +# +CARCH="x86_64" +CHOST="x86_64-pc-linux-gnu" + +#-- Compiler and Linker Flags +#CPPFLAGS="" +CFLAGS="-march=native -mtune=native -O2 -pipe -fno-plt -fexceptions \ + -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security \ + -fstack-clash-protection -fcf-protection" +CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS" +LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now" +RUSTFLAGS="-C opt-level=2 -C target-cpu=native" +#-- Make Flags: change this for DistCC/SMP systems +MAKEFLAGS="-j$(nproc)" +#-- Debugging flags +DEBUG_CFLAGS="-g -fvar-tracking-assignments" +DEBUG_CXXFLAGS="-g -fvar-tracking-assignments" +#DEBUG_RUSTFLAGS="-C debuginfo=2" + +######################################################################### +# BUILD ENVIRONMENT +######################################################################### +# +# Makepkg defaults: BUILDENV=(!distcc !color !ccache check !sign) +# A negated environment option will do the opposite of the comments below. +# +#-- distcc: Use the Distributed C/C++/ObjC compiler +#-- color: Colorize output messages +#-- ccache: Use ccache to cache compilation +#-- check: Run the check() function if present in the PKGBUILD +#-- sign: Generate PGP signature file +# +BUILDENV=(!distcc color !ccache check !sign) +# +#-- If using DistCC, your MAKEFLAGS will also need modification. In addition, +#-- specify a space-delimited list of hosts running in the DistCC cluster. +#DISTCC_HOSTS="" +# +#-- Specify a directory for package building. +#BUILDDIR=/tmp/makepkg + +######################################################################### +# GLOBAL PACKAGE OPTIONS +# These are default values for the options=() settings +######################################################################### +# +# Makepkg defaults: OPTIONS=(!strip docs libtool staticlibs emptydirs !zipman !purge !debug !lto) +# A negated option will do the opposite of the comments below. +# +#-- strip: Strip symbols from binaries/libraries +#-- docs: Save doc directories specified by DOC_DIRS +#-- libtool: Leave libtool (.la) files in packages +#-- staticlibs: Leave static library (.a) files in packages +#-- emptydirs: Leave empty directories in packages +#-- zipman: Compress manual (man and info) pages in MAN_DIRS with gzip +#-- purge: Remove files specified by PURGE_TARGETS +#-- debug: Add debugging flags as specified in DEBUG_* variables +#-- lto: Add compile flags for building with link time optimization +# +OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug !lto) + +#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2 +INTEGRITY_CHECK=(sha256) +#-- Options to be used when stripping binaries. See `man strip' for details. +STRIP_BINARIES="--strip-all" +#-- Options to be used when stripping shared libraries. See `man strip' for details. +STRIP_SHARED="--strip-unneeded" +#-- Options to be used when stripping static libraries. See `man strip' for details. +STRIP_STATIC="--strip-debug" +#-- Manual (man and info) directories to compress (if zipman is specified) +MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info}) +#-- Doc directories to remove (if !docs is specified) +DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc}) +#-- Files to be removed from all packages (if purge is specified) +PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod) +#-- Directory to store source code in for debug packages +DBGSRCDIR="/usr/src/debug" + +######################################################################### +# PACKAGE OUTPUT +######################################################################### +# +# Default: put built package and cached source in build directory +# +#-- Destination: specify a fixed directory where all packages will be placed +#PKGDEST=/home/packages +#-- Source cache: specify a fixed directory where source files will be cached +#SRCDEST=/home/sources +#-- Source packages: specify a fixed directory where all src packages will be placed +#SRCPKGDEST=/home/srcpackages +#-- Log files: specify a fixed directory where all log files will be placed +#LOGDEST=/home/makepkglogs +#-- Packager: name/email of the person or organization building packages +#PACKAGER="John Doe " +#-- Specify a key to use for package signing +#GPGKEY="" + +######################################################################### +# COMPRESSION DEFAULTS +######################################################################### +# +COMPRESSGZ=(gzip -c -f -n) +COMPRESSBZ2=(bzip2 -c -f) +COMPRESSXZ=(xz -c -z -) +COMPRESSZST=(zstd -c -z -q --threads=0 -) +COMPRESSLRZ=(lrzip -q) +COMPRESSLZO=(lzop -q) +COMPRESSZ=(compress -c -f) +COMPRESSLZ4=(lz4 -q) +COMPRESSLZ=(lzip -c -f) + +######################################################################### +# EXTENSION DEFAULTS +######################################################################### +# +PKGEXT='.pkg.tar.zst' +SRCEXT='.src.tar.gz' + +######################################################################### +# OTHER +######################################################################### +# +#-- Command used to run pacman as root, instead of trying sudo and su +#PACMAN_AUTH=() diff --git a/ansible/roles/build/files/pacman-custom.conf b/ansible/roles/build/files/pacman-custom.conf new file mode 100644 index 0000000..55b5cf4 --- /dev/null +++ b/ansible/roles/build/files/pacman-custom.conf @@ -0,0 +1,100 @@ +# +# /etc/pacman.conf +# +# See the pacman.conf(5) manpage for option and repository directives + +# +# GENERAL OPTIONS +# +[options] +# The following paths are commented out with their default values listed. +# If you wish to use different paths, uncomment and update the paths. +#RootDir = / +#DBPath = /var/lib/pacman/ +#CacheDir = /var/cache/pacman/pkg/ +#LogFile = /var/log/pacman.log +#GPGDir = /etc/pacman.d/gnupg/ +#HookDir = /etc/pacman.d/hooks/ +HoldPkg = pacman glibc +#XferCommand = /usr/bin/curl -L -C - -f -o %o %u +#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u +#CleanMethod = KeepInstalled +Architecture = auto + +# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup +#IgnorePkg = +#IgnoreGroup = + +#NoUpgrade = +#NoExtract = + +# Misc options +#UseSyslog +#Color +#TotalDownload +# We cannot check disk space from within a chroot environment +#CheckSpace +#VerbosePkgLists + +# By default, pacman accepts packages signed by keys that its local keyring +# trusts (see pacman-key and its man page), as well as unsigned packages. +SigLevel = Required DatabaseOptional +LocalFileSigLevel = Optional +#RemoteFileSigLevel = Required + +# NOTE: You must run `pacman-key --init` before first using pacman; the local +# keyring can then be populated with the keys of all official Arch Linux +# packagers with `pacman-key --populate archlinux`. + +# +# REPOSITORIES +# - can be defined here or included from another file +# - pacman will search repositories in the order defined here +# - local/custom mirrors can be added here or in separate files +# - repositories listed first will take precedence when packages +# have identical names, regardless of version number +# - URLs will have $repo replaced by the name of the current repo +# - URLs will have $arch replaced by the name of the architecture +# +# Repository entries are of the format: +# [repo-name] +# Server = ServerName +# Include = IncludePath +# +# The header [repo-name] is crucial - it must be present and +# uncommented to enable the repo. +# + +# The testing repositories are disabled by default. To enable, uncomment the +# repo name header and Include lines. You can add preferred servers immediately +# after the header, and they will be used before the default mirrors. + +#[testing] +#Include = /etc/pacman.d/mirrorlist + +[core] +Include = /etc/pacman.d/mirrorlist + +[extra] +Include = /etc/pacman.d/mirrorlist + +#[community-testing] +#Include = /etc/pacman.d/mirrorlist + +[community] +Include = /etc/pacman.d/mirrorlist + +# If you want to run 32 bit applications on your x86_64 system, +# enable the multilib repositories as required here. + +#[multilib-testing] +#Include = /etc/pacman.d/mirrorlist + +[multilib] +Include = /etc/pacman.d/mirrorlist + +# An example of a custom package repository. See the pacman manpage for +# tips on creating your own repositories. +#[custom] +#SigLevel = Optional TrustAll +#Server = file:///home/custompkgs diff --git a/ansible/roles/build/tasks/linux.yaml b/ansible/roles/build/tasks/linux.yaml index e1835f0..5e7a341 100644 --- a/ansible/roles/build/tasks/linux.yaml +++ b/ansible/roles/build/tasks/linux.yaml @@ -1,6 +1,132 @@ -# - name: Install packages -# pacman: -# name: -# - foo -# state: present -# update_cache: true +- include_role: + name: per_user + apply: + become: yes + become_user: "{{ build_user.name }}" + +- name: Install packages + pacman: + name: + - gnupg + - devtools + - base-devel + - vifm + - vim + state: present + update_cache: true + +- name: Extract aurutils aur entry + become_user: "{{ build_user.name }}" + unarchive: + src: https://aur.archlinux.org/cgit/aur.git/snapshot/aurutils.tar.gz + dest: "/home/{{ build_user.name }}/.config/ansible_deploy/" + remote_src: yes + creates: "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils" + +- name: Check trusted gpg keys + command: pacman-key -l + register: pacmankeys + changed_when: false + check_mode: no + no_log: true + +- name: Trust the signing key for the aurutils package + command: pacman-key --recv-keys DBE7D3DD8C81D58D0A13D0E76BC26A17B9B7018A + when: '"DBE7D3DD8C81D58D0A13D0E76BC26A17B9B7018A" not in pacmankeys.stdout' + +- name: Trust my signing key + command: pacman-key -a - + args: + stdin: "{{ lookup('file', 'gpg.asc') }}" + when: '"B848159363C2877917954BE127DE40D9B8455C1B" not in pacmankeys.stdout' + register: my_key_imported + +- name: Sign my signing key + command: pacman-key --lsign-key "B848159363C2877917954BE127DE40D9B8455C1B" + when: my_key_imported.changed + +- name: Build the aurutils package + become_user: "{{ build_user.name }}" + command: makepkg -s --noconfirm + args: + chdir: "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils" + creates: "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*" + +- name: Install aurutils + shell: "pacman --noconfirm -U /home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*" + args: + creates: /usr/bin/aur + +- name: Create owned directories + file: + name: "{{ item }}" + state: directory + owner: "{{ build_user.name }}" + group: "{{ build_user.group }}" + mode: 0755 + loop: + - /var/cache/pacman/custom + +- name: Create directories + file: + name: "{{ item }}" + state: directory + owner: root + group: root + mode: 0755 + loop: + - /etc/aurutils + +- name: Install configs + copy: + src: "files/{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0644 + owner: root + group: root + loop: + - src: aurutils.conf + dest: /etc/pacman.d/conf.d/ + - src: pacman-custom.conf + dest: /etc/aurutils/ + - src: makepkg.conf + dest: /etc/aurutils/ + +- name: Create custom repo db + command: repo-add --sign /var/cache/pacman/custom/custom.db.tar + become: true + become_user: "{{ build_user.name }}" + args: + creates: /var/cache/pacman/custom/custom.db.tar + +- name: Install scripts + copy: + src: "files/{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0755 + owner: root + group: root + loop: + - src: aurutils-purge + dest: /usr/local/bin/aurutils-purge + - src: aurutils-sync + dest: /usr/local/bin/aurutils-sync + +- name: build aurutils inside aurutils + become_user: "{{ build_user.name }}" + command: aurutils-sync --no-view aurutils + args: + creates: "/var/cache/pacman/custom/aurutils-*-any.pkg.tar.*" + register: buildaurutils + +- name: Install aurutils + command: pacman -Syy aurutils + when: buildaurutils.changed + +- name: chown the custom package db + file: + path: "{{ item }}" + owner: "{{ build_user.name }}" + state: file + loop: + - /var/cache/pacman/custom/custom.db diff --git a/ansible/roles/gpg/tasks/peruser.yaml b/ansible/roles/gpg/tasks/peruser.yaml index 01000bc..3855611 100644 --- a/ansible/roles/gpg/tasks/peruser.yaml +++ b/ansible/roles/gpg/tasks/peruser.yaml @@ -16,7 +16,7 @@ mode: 0600 owner: "{{ account_name.stdout }}" group: "{{ group_name.stdout }}" - with_items: + loop: - src: gpg.conf dest: .gnupg/gpg.conf - src: gpg-agent.conf