diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..2f75a95
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+---
+
+version: 2
+
+updates:
+
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ day: sunday
+ assignees:
+ - wookietreiber
+
+...
diff --git a/.github/workflows/ansible.yml b/.github/workflows/ansible.yml
new file mode 100644
index 0000000..8ad0439
--- /dev/null
+++ b/.github/workflows/ansible.yml
@@ -0,0 +1,20 @@
+---
+
+name: ansible
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - wip/next
+
+jobs:
+
+ ansible-lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ansible/ansible-lint-action@v6
+
+...
diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
new file mode 100644
index 0000000..a83c354
--- /dev/null
+++ b/.github/workflows/review.yml
@@ -0,0 +1,31 @@
+---
+
+name: review
+
+on: [pull_request]
+
+jobs:
+
+ yamllint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: reviewdog/action-yamllint@v1
+ with:
+ github_token: ${{ secrets.github_token }}
+ reporter: github-pr-review
+ yamllint_flags: '.'
+
+ ansible-lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: 3.x
+ - uses: reviewdog/action-ansiblelint@v1
+ with:
+ github_token: ${{ secrets.github_token }}
+ reporter: github-pr-review
+
+...
diff --git a/README.md b/README.md
index dfd93ba..a3a99ca 100644
--- a/README.md
+++ b/README.md
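Review bot: Neither `.github/workflows/ansible.yml` nor `.github/workflows/review.yml` declares a `permissions:` block, so each job token gets the repository's default scope, and every action is referenced by a mutable tag (`actions/checkout@v4`, `ansible/ansible-lint-action@v6`, `reviewdog/action-yamllint@v1`, `reviewdog/action-ansiblelint@v1`). For the lint-only job in `ansible.yml` a top-level `permissions:` with `contents: read` should be enough. `review.yml` passes `secrets.github_token` to the reviewdog actions and would likely need `contents: read` plus `pull-requests: write` for the `github-pr-review` reporter. Pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment prevents a retagged release from running with that token, and the `github-actions` Dependabot entry added in this commit can keep SHA pins current.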
@@ -3,5 +3,99 @@ Ansible Role: Archlinux An Ansible role that configures [Archlinux][] specifics. +Table of Contents +----------------- + + + +- [Requirements](#requirements) +- [Role Variables](#role-variables) +- [Dependencies](#dependencies) +- [Example Playbook](#example-playbook) + * [Top-Level Playbook](#top-level-playbook) + * [Role Dependency](#role-dependency) +- [License](#license) +- [Author Information](#author-information) + + + +Requirements +------------ + +- Ansible 2.9 + +Role Variables +-------------- + +For now, please check the templates. A more complete documentation will follow +later. + +Dependencies +------------ + +```yml +--- + +# requirements.yml + +roles: + + - name: idiv_biodiversity.archlinux + src: https://github.com/idiv-biodiversity/ansible-role-archlinux + version: vX.Y.Z + +... +``` + +Example Playbook +---------------- + +### Top-Level Playbook + +Write a top-level playbook: + +```yml +--- + +- name: head server + hosts: head + + roles: + - role: idiv_biodiversity.archlinux + tags: + - archlinux + +... +``` + +### Role Dependency + +Define the role dependency in `meta/main.yml`: + +```yml +--- + +dependencies: + + - role: idiv_biodiversity.archlinux + tags: + - archlinux + +... +``` + +License +------- + +MIT + +Author Information +------------------ + +This role was created in 2024 by [Christian Krause][author] aka [wookietreiber at GitHub][wookietreiber], HPC cluster systems administrator at the [German Centre for Integrative Biodiversity Research (iDiv)][idiv]. + [Archlinux]: https://archlinux.org/ +[author]: https://www.idiv.de/en/groups_and_people/employees/details/61.html +[idiv]: https://www.idiv.de/ +[wookietreiber]: https://github.com/wookietreiber diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..c84a23e --- /dev/null +++ b/meta/main.yml 
@@ -0,0 +1,22 @@
+---
+
+galaxy_info:
+ role_name: archlinux
+ namespace: idiv_biodiversity
+
+ author: Christian Krause
+ description: 'configure archlinux specifics'
+ company: German Centre for Integrative Biodiversity Research (iDiv)
+ license: MIT
+ min_ansible_version: '2.9'
+
+ platforms:
+
+ - name: ArchLinux
+ versions:
+ - all
+
+ galaxy_tags:
+ - archlinux
+
+...
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..83ea0f2
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+
+- name: configure pacman
+ ansible.builtin.template:
+ src: pacman.conf.j2
+ dest: /etc/pacman.conf
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - pacman
+ - pacman-conf
+
+- name: configure pacman mirrorlist
+ ansible.builtin.template:
+ src: mirrorlist.j2
+ dest: /etc/pacman.d/mirrorlist
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - pacman
+ - pacman-mirrorlist
+
+- name: configure makepkg
+ ansible.builtin.template:
+ src: makepkg.conf.j2
+ dest: /etc/makepkg.conf
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - makepkg-conf
+
+...
diff --git a/templates/makepkg.conf.j2 b/templates/makepkg.conf.j2
new file mode 100644
index 0000000..c3c3014
--- /dev/null
+++ b/templates/makepkg.conf.j2
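Review bot: The three `mode: 0644` values in `tasks/main.yml` are unquoted, so the resulting permission depends on the loader reading a leading-zero integer as octal; `mode: '0644'` states it as a string and removes that dependency. The tasks also replace `/etc/pacman.conf` and `/etc/pacman.d/mirrorlist` in place without `backup: true`, so a bad render (for example an empty mirror list) leaves no previous copy on the host to restore from. None of the tasks sets `become`, so the role presumably relies on the calling play to run as root; a line under Requirements in the README would make that explicit.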
@@ -0,0 +1,219 @@
+#!/hint/bash
+# shellcheck disable=2034
+
+#
+# /etc/makepkg.conf
+#
+
+#########################################################################
+# SOURCE ACQUISITION
+#########################################################################
+#
+#-- The download utilities that makepkg should use to acquire sources
+# Format: 'protocol::agent'
+DLAGENTS=('file::/usr/bin/curl -qgC - -o %o %u'
+ 'ftp::/usr/bin/curl -qgfC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
+ 'http::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
+ 'https::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
+ 'rsync::/usr/bin/rsync --no-motd -z %u %o'
+ 'scp::/usr/bin/scp -C %u %o')
+
+# Other common tools:
+# /usr/bin/snarf
+# /usr/bin/lftpget -c
+# /usr/bin/wget
+
+#-- The package required by makepkg to download VCS sources
+# Format: 'protocol::package'
+VCSCLIENTS=('bzr::breezy'
+ 'fossil::fossil'
+ 'git::git'
+ 'hg::mercurial'
+ 'svn::subversion')
+
+#########################################################################
+# ARCHITECTURE, COMPILE FLAGS
+#########################################################################
+#
+CARCH="x86_64"
+CHOST="x86_64-pc-linux-gnu"
+
+#-- Compiler and Linker Flags
+{% if archlinux_makepkg_cppflags is defined %}
+CPPFLAGS="{{ archlinux_makepkg_cppflags | join(' ') }}"
+{% else %}
+#CPPFLAGS=""
+{% endif %}
+{% if archlinux_makepkg_cflags is defined %}
+CFLAGS="{{ archlinux_makepkg_cflags | join(' ') }}"
+{% else %}
+CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
+ -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security \
+ -fstack-clash-protection -fcf-protection \
+ -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer"
+{% endif %}
+{% if archlinux_makepkg_cxxflags is defined %}
+CXXFLAGS="{{ archlinux_makepkg_cxxflags | join(' ') }}"
+{% else %}
+CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"
+{% endif %}
+{% if archlinux_makepkg_ldflags is defined %}
+LDFLAGS="{{
archlinux_makepkg_ldflags | join(' ') }}"
+{% else %}
+LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now \
+ -Wl,-z,pack-relative-relocs"
+{% endif %}
+LTOFLAGS="-flto=auto"
+RUSTFLAGS="-Cforce-frame-pointers=yes"
+#-- Make Flags: change this for DistCC/SMP systems
+{% if archlinux_makepkg_makeflags is defined %}
+MAKEFLAGS="{{ archlinux_makepkg_makeflags | join(' ') }}"
+{% else %}
+#MAKEFLAGS="-j2"
+{% endif %}
+#-- Debugging flags
+DEBUG_CFLAGS="-g"
+DEBUG_CXXFLAGS="$DEBUG_CFLAGS"
+DEBUG_RUSTFLAGS="-C debuginfo=2"
+
+#########################################################################
+# BUILD ENVIRONMENT
+#########################################################################
+#
+# Makepkg defaults: BUILDENV=(!distcc !color !ccache check !sign)
+# A negated environment option will do the opposite of the comments below.
+#
+#-- distcc: Use the Distributed C/C++/ObjC compiler
+#-- color: Colorize output messages
+#-- ccache: Use ccache to cache compilation
+#-- check: Run the check() function if present in the PKGBUILD
+#-- sign: Generate PGP signature file
+#
+BUILDENV=(!distcc color !ccache check !sign)
+#
+#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
+#-- specify a space-delimited list of hosts running in the DistCC cluster.
+#DISTCC_HOSTS=""
+#
+#-- Specify a directory for package building.
+{% if archlinux_makepkg_builddir is defined %}
+BUILDDIR={{ archlinux_makepkg_builddir }}
+{% else %}
+#BUILDDIR=/tmp/makepkg
+{% endif %}
+
+#########################################################################
+# GLOBAL PACKAGE OPTIONS
+# These are default values for the options=() settings
+#########################################################################
+#
+# Makepkg defaults: OPTIONS=(!strip docs libtool staticlibs emptydirs !zipman !purge !debug !lto !autodeps)
+# A negated option will do the opposite of the comments below.
+#
+#-- strip: Strip symbols from binaries/libraries
+#-- docs: Save doc directories specified by DOC_DIRS
+#-- libtool: Leave libtool (.la) files in packages
+#-- staticlibs: Leave static library (.a) files in packages
+#-- emptydirs: Leave empty directories in packages
+#-- zipman: Compress manual (man and info) pages in MAN_DIRS with gzip
+#-- purge: Remove files specified by PURGE_TARGETS
+#-- debug: Add debugging flags as specified in DEBUG_* variables
+#-- lto: Add compile flags for building with link time optimization
+#-- autodeps: Automatically add depends/provides
+#
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge debug lto)
+
+#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2
+INTEGRITY_CHECK=(sha256)
+#-- Options to be used when stripping binaries. See `man strip' for details.
+STRIP_BINARIES="--strip-all"
+#-- Options to be used when stripping shared libraries. See `man strip' for details.
+STRIP_SHARED="--strip-unneeded"
+#-- Options to be used when stripping static libraries. See `man strip' for details.
+STRIP_STATIC="--strip-debug"
+#-- Manual (man and info) directories to compress (if zipman is specified)
+MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
+#-- Doc directories to remove (if !docs is specified)
+DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
+#-- Files to be removed from all packages (if purge is specified)
+PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
+#-- Directory to store source code in for debug packages
+DBGSRCDIR="/usr/src/debug"
+#-- Prefix and directories for library autodeps
+LIB_DIRS=('lib:usr/lib' 'lib32:usr/lib32')
+
+#########################################################################
+# PACKAGE OUTPUT
+#########################################################################
+#
+# Default: put built package and cached source in build directory
+#
+#-- Destination: specify a fixed directory where all packages will be placed
+{% if archlinux_makepkg_pkgdest is defined %}
+PKGDEST={{ archlinux_makepkg_pkgdest }}
+{% else %}
+#PKGDEST=/home/packages
+{% endif %}
+#-- Source cache: specify a fixed directory where source files will be cached
+{% if archlinux_makepkg_srcdest is defined %}
+SRCDEST={{ archlinux_makepkg_srcdest }}
+{% else %}
+#SRCDEST=/home/sources
+{% endif %}
+#-- Source packages: specify a fixed directory where all src packages will be placed
+{% if archlinux_makepkg_srcpkgdest is defined %}
+SRCPKGDEST={{ archlinux_makepkg_srcpkgdest }}
+{% else %}
+#SRCPKGDEST=/home/srcpackages
+{% endif %}
+#-- Log files: specify a fixed directory where all log files will be placed
+{% if archlinux_makepkg_logdest is defined %}
+LOGDEST={{ archlinux_makepkg_logdest }}
+{% else %}
+#LOGDEST=/home/makepkglogs
+{% endif %}
+#-- Packager: name/email of the person or organization building packages
+{% if archlinux_makepkg_packager is defined %}
+PACKAGER="{{ archlinux_makepkg_packager }}"
+{% else %}
+#PACKAGER="John Doe "
+{% endif %}
+#-- Specify a key to use for package signing
+#GPGKEY=""
+
+#########################################################################
+# COMPRESSION DEFAULTS
+#########################################################################
+#
+COMPRESSGZ=(gzip -c -f -n)
+COMPRESSBZ2=(bzip2 -c -f)
+COMPRESSXZ=(xz -c -z -)
+COMPRESSZST=(zstd -c -T0 --ultra -20 -)
+COMPRESSLRZ=(lrzip -q)
+COMPRESSLZO=(lzop -q)
+COMPRESSZ=(compress -c -f)
+COMPRESSLZ4=(lz4 -q)
+COMPRESSLZ=(lzip -c -f)
+
+#########################################################################
+# EXTENSION DEFAULTS
+#########################################################################
+#
+{% if archlinux_makepkg_pkgext is defined %}
+PKGEXT='{{ archlinux_makepkg_pkgext }}'
+{% else %}
+PKGEXT='.pkg.tar.zst'
+{% endif %}
+{% if archlinux_makepkg_srcext is defined %}
+SRCEXT='{{ archlinux_makepkg_srcext }}'
+{% else %}
+SRCEXT='.src.tar.gz'
+{% endif %}
+
+#########################################################################
+# OTHER
+#########################################################################
+#
+#-- Command used to run pacman as root, instead of trying sudo and su
+#PACMAN_AUTH=()
+# vim: set ft=sh ts=2 sw=2 et:
diff --git a/templates/mirrorlist.j2 b/templates/mirrorlist.j2
new file mode 100644
index 0000000..7a18066
--- /dev/null
+++ b/templates/mirrorlist.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+{% for mirror in archlinux_pacman_mirrors %}
+Server = {{ mirror }}
+{% endfor %}
diff --git a/templates/pacman.conf.j2 b/templates/pacman.conf.j2
new file mode 100644
index 0000000..e014ad2
--- /dev/null
+++ b/templates/pacman.conf.j2
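Review bot: `makepkg.conf` is sourced by bash, yet the templated values in `templates/makepkg.conf.j2` are interpolated raw. `BUILDDIR`, `PKGDEST`, `SRCDEST`, `SRCPKGDEST` and `LOGDEST` are unquoted, and the flag lists and `PACKAGER` sit inside double quotes where `$` and backticks still expand. A value containing a space or a shell metacharacter therefore changes what the sourced file does on every makepkg run; rendering the paths as `BUILDDIR={{ archlinux_makepkg_builddir | quote }}` (likewise `PACKAGER={{ archlinux_makepkg_packager | quote }}`) keeps them literal. Separately, defining `archlinux_makepkg_cflags` or `archlinux_makepkg_ldflags` replaces the default line outright, which drops `-D_FORTIFY_SOURCE=3`, `-fstack-clash-protection`, `-fcf-protection` and `-Wl,-z,relro -Wl,-z,now`. The README's Role Variables section should say so, so that an override meant to add `-march=native` does not silently remove the hardening flags.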
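Review bot: `archlinux_pacman_mirrors` is used in `templates/mirrorlist.j2` without a default or any check, and no `defaults/main.yml` is part of this diff, so an undefined variable fails the render and an empty list writes a mirrorlist with no `Server` line. Because `pacman.conf.j2` in this commit sets `SigLevel = Required DatabaseOptional`, sync databases may be unsigned, which makes the transport of each mirror matter; the loop accepts any string, including plain `http://` URLs. An `ansible.builtin.assert` ahead of the template task, checking that the list is non-empty and that every entry starts with `https://`, would catch both cases before the file on the host is replaced.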
@@ -0,0 +1,110 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir = /
+#DBPath = /var/lib/pacman/
+#CacheDir = /var/cache/pacman/pkg/
+#LogFile = /var/log/pacman.log
+#GPGDir = /etc/pacman.d/gnupg/
+#HookDir = /etc/pacman.d/hooks/
+HoldPkg = pacman glibc
+#XferCommand = /usr/bin/curl -L -C - -f -o %o %u
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg =
+#IgnoreGroup =
+
+#NoUpgrade =
+#NoExtract =
+
+# Misc options
+{% if archlinux_pacman_use_syslog is defined and archlinux_pacman_use_syslog %}
+UseSyslog
+{% else %}
+#UseSyslog
+{% endif %}
+{% if archlinux_pacman_color is defined and archlinux_pacman_color %}
+Color
+{% else %}
+#Color
+{% endif %}
+#NoProgressBar
+CheckSpace
+#VerbosePkgLists
+#ParallelDownloads = 5
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+# - can be defined here or included from another file
+# - pacman will search repositories in the order defined here
+# - local/custom mirrors can be added here or in separate files
+# - repositories listed first will take precedence when packages
+# have identical names, regardless of version number
+# - URLs will have $repo replaced by the name of the current repo
+# - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+# [repo-name]
+# Server = ServerName
+# Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[core-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+#[extra-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+# If you want to run 32 bit applications on your x86_64 system,
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+{% if archlinux_pacman_multilib is defined and archlinux_pacman_multilib %}
+[multilib]
+Include = /etc/pacman.d/mirrorlist
+{% else %}
+#[multilib]
+#Include = /etc/pacman.d/mirrorlist
+{% endif %}
+
+# An example of a custom package repository. See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
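Review bot: The rendered `/etc/pacman.conf` carries no managed-file marker, unlike `mirrorlist.j2` in the same commit, which opens with `# {{ ansible_managed }}`. Adding that line at the top of `templates/pacman.conf.j2` (and of `makepkg.conf.j2`) tells an administrator that hand edits, including any change to `SigLevel`, are overwritten on the next run. The three toggles could also be written as `{% if archlinux_pacman_color | default(false) %}` instead of `is defined and ...`, which is shorter and behaves the same for an unset variable.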