mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
Code Issues
disable-oom-alert-on-build-machines
infrastructure/roles/install_arch/tasks/main.yml
Robin Candau 701c1d01ef Migrate 'with_X' to 'loop'
2024-12-23 17:43:01 +00:00

240 lines
9.5 KiB
YAML
Raw Permalink Blame History

- name: Read /etc/motd
command: cat /etc/motd
register: motd_contents
changed_when: motd_contents.stdout | length > 0
- name: Check whether we're running in Hetzner or Equinix Metal rescue environment
fail: msg="Not running in rescue system!"
when:
- "'Hetzner Rescue' not in motd_contents.stdout"
- "'Rescue environment based on Alpine Linux' not in motd_contents.stdout"
- "'OS Rescue Environment' not in motd_contents.stdout"
# It sources some files which sets TMPDIR=/tmp/hwc which breaks mkinitcpio
- name: Remove problematic ~/.bashrc
file: path=/root/.bashrc state=absent
when: "'Hetzner Rescue' in motd_contents.stdout"
- name: Prepare Equinix Metal rescue system
when: ansible_facts['os_family'] == "Alpine"
block:
- name: Make sure all required packages are installed in the rescue system
apk: name=sgdisk,btrfs-progs,tar,gnupg update_cache=yes
- name: Create the GnuPG home directory for the root user
file: path=/root/.gnupg state=directory owner=root group=root mode=0700
# Need to set no-use-tor otherwise dirmngr hangs at startup checking if
# 127.0.0.1:9050 works and remains in SYN-SENT state for about a minute
- name: Set the no-use-tor option in dirmngr.conf
lineinfile: name=/root/.gnupg/dirmngr.conf create=yes line=no-use-tor owner=root group=root mode=0644
- name: Create partitions
command: >
sgdisk
--align-end
--clear
--new=0:0:+1M --change-name=0:'BIOS boot partition' --typecode=0:ef02
{% if ansible_virtualization_role == 'host' %}
--new=0:0:+512M --change-name=0:'EFI system partition' --typecode=0:ef00
{% endif %}
--new=0:0:0 --change-name=0:root --typecode=0:8304
{{ item }}
loop:
- "{{ system_disks }}"
register: sgdisk
changed_when: "sgdisk.rc == 0"
- name: Store root partition number for later steps
set_fact:
root_partno: "{{ '3' if ansible_virtualization_role == 'host' else '2' }}"
- name: Partition and format the disks (btrfs RAID) # noqa no-changed-when
command: mkfs.btrfs -f -L root -d {{ raid_level | default('raid1') }} -m {{ raid_level | default('raid1') }} -O no-holes {{ system_disks | map('regex_replace', '^(.*)$', '\g<1>p' ~ root_partno if 'nvme' in system_disks[0] else '\g<1>' ~ root_partno) | join(' ') }}
when: filesystem == "btrfs" and system_disks | length >= 2
- name: Partition and format the disks (btrfs single) # noqa no-changed-when
command: mkfs.btrfs -f -L root -d single -m single -O no-holes {{ system_disks[0] }}{{ 'p' if 'nvme' in system_disks[0] }}{{ root_partno }}
when: filesystem == "btrfs" and system_disks | length == 1
- name: Mount the filesystem (btrfs)
mount: src="{{ system_disks[0] }}{{ 'p' if 'nvme' in system_disks[0] }}{{ root_partno }}" path=/mnt state=mounted fstype=btrfs opts="compress-force=zstd,space_cache=v2"
when: filesystem == "btrfs"
- name: Format and mount the EFI system partition
when: ansible_virtualization_role == 'host'
block:
- name: Format the EFI system partition # noqa no-changed-when
command: mkfs.fat -F 32 -S 4096 -n ESP {{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }}
- name: Create the efi mountpoint
file: path=/mnt/efi state=directory mode='0755'
- name: Mount the efi filesystem
mount: src="{{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }}" path=/mnt/efi state=mounted fstype=vfat
- name: Touch LOCK file on mountpoint
file: path=/mnt/LOCK state=touch owner=root group=root mode=0644
- name: Download bootstrap image
get_url:
url: "{{ item }}"
dest: /tmp/
mode: '0644'
loop:
- https://geo.mirror.pkgbuild.com/iso/{{ bootstrap_version }}/archlinux-bootstrap-x86_64.tar.zst
- https://archlinux.org/iso/{{ bootstrap_version }}/archlinux-bootstrap-x86_64.tar.zst.sig
- name: Get pierre's key
command: gpg --locate-keys pierre@archlinux.org
changed_when: false
- name: Verify bootstrap image signature
command: gpg --verify /tmp/archlinux-bootstrap-x86_64.tar.zst.sig
changed_when: false
- name: Extract boostrap image # noqa risky-file-permissions
unarchive:
src: /tmp/archlinux-bootstrap-x86_64.tar.zst
dest: /tmp
remote_src: true
creates: /tmp/root.x86_64
- name: Copy resolv.conf to bootstrap chroot
copy: remote_src=true src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf owner=root group=root mode=0644
- name: Mount /proc to bootstrap chroot # noqa command-instead-of-module
command: mount --rbind /proc /tmp/root.x86_64/proc creates=/tmp/root.x86_64/proc/uptime
- name: Mount /sys to bootstrap chroot # noqa command-instead-of-module
command: mount --rbind /sys /tmp/root.x86_64/sys creates=/tmp/root.x86_64/sys/dev
- name: Mount /dev to bootstrap chroot # noqa command-instead-of-module
command: mount --rbind /dev /tmp/root.x86_64/dev creates=/tmp/root.x86_64/dev/zero
- name: Mount /mnt to bootstrap chroot # noqa command-instead-of-module
command: mount --rbind /mnt /tmp/root.x86_64/mnt creates=/tmp/root.x86_64/mnt/LOCK
- name: Configure pacman mirror
template: src=mirrorlist.j2 dest=/tmp/root.x86_64/etc/pacman.d/mirrorlist owner=root group=root mode=0644
- name: Initialize pacman keyring inside bootstrap chroot
command: chroot /tmp/root.x86_64 pacman-key --init
register: chroot_pacman_key_init
changed_when: "chroot_pacman_key_init.rc == 0"
- name: Populate pacman keyring inside bootstrap chroot
command: chroot /tmp/root.x86_64 pacman-key --populate archlinux
register: chroot_pacman_key_populate
changed_when: "chroot_pacman_key_populate.rc == 0"
- name: Install ucode update
when: ansible_virtualization_role == 'host'
block:
- name: Install ucode update for Intel
set_fact: ucode="intel-ucode"
when: "'GenuineIntel' in ansible_facts['processor']"
- name: Install ucode update for AMD
set_fact: ucode="amd-ucode"
when: "'AuthenticAMD' in ansible_facts['processor']"
- name: Install arch base from bootstrap chroot
command: chroot /tmp/root.x86_64 pacstrap /mnt base linux btrfs-progs grub openssh python-requests python-yaml inetutils {{ ucode | default('') }}
args:
creates: /tmp/root.x86_64/mnt/bin
- name: Mount /proc to new chroot # noqa command-instead-of-module
command: mount --rbind /proc /mnt/proc creates=/mnt/proc/uptime
- name: Mount /sys to new chroot # noqa command-instead-of-module
command: mount --rbind /sys /mnt/sys creates=/mnt/sys/dev
- name: Mount /dev to new chroot # noqa command-instead-of-module
command: mount --rbind /dev /mnt/dev creates=/mnt/dev/zero
- name: Run systemd-firstboot
command: chroot /mnt systemd-firstboot --locale=C.UTF-8 --timezone=UTC --hostname={{ hostname }}
register: chroot_systemd_firstboot
changed_when: "chroot_systemd_firstboot.rc == 0"
- name: Run mkinitcpio
command: chroot /mnt mkinitcpio -p linux
register: chroot_mkinitcpio
changed_when: "chroot_mkinitcpio.rc == 0"
- name: Configure networking
include_role:
name: networking
vars:
chroot_path: "/mnt"
- name: Provide default mount options (btrfs)
lineinfile:
path: /mnt/etc/default/grub
owner: root
group: root
mode: '0644'
regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
line: "GRUB_CMDLINE_LINUX_DEFAULT=\"rootflags=compress-force=zstd\""
when: filesystem == "btrfs"
- name: Install grub (legacy mode)
command: chroot /mnt grub-install --target=i386-pc --recheck {{ item }}
loop:
- "{{ system_disks }}"
register: chroot_grub_install_legacy
changed_when: "chroot_grub_install_legacy.rc == 0"
- name: Install grub (uefi mode)
command: chroot /mnt grub-install --target=x86_64-efi --efi-directory=/efi --removable --recheck {{ item }}
loop:
- "{{ system_disks }}"
register: chroot_grub_install_uefi
changed_when: "chroot_grub_install_uefi.rc == 0"
when: ansible_virtualization_role == 'host'
- name: Configure grub
command: chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
register: chroot_grub_mkconfig
changed_when: "chroot_grub_mkconfig.rc == 0"
- name: Setup pacman-init.service on first boot
copy: src=pacman-init.service dest=/mnt/etc/systemd/system/ owner=root group=root mode=0644
- name: Setup ec2-public-keys on first boot
copy: src={{ item.src }} dest=/mnt/{{ item.dest }} owner=root group=root mode={{ item.mode }}
loop:
- {src: ec2-public-keys, dest: /usr/local/bin/, mode: 755}
- {src: ec2-public-keys.service, dest: /etc/systemd/system/, mode: 644}
when: install_ec2_public_keys_service | default(false)
- name: Remove generated keyring in the installation process
file: path=/mnt/etc/pacman.d/gnupg state=absent
- name: Make sure /etc/machine-id is absent
file: path=/mnt/etc/machine-id state=absent
- name: Enable services inside chroot
command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved pacman-init {{ 'ec2-public-keys' if install_ec2_public_keys_service | default(false) }}
register: chroot_systemd_services
changed_when: "chroot_systemd_services.rc == 0"
- name: Add authorized key for root
include_role:
name: root_ssh
vars:
root_ssh_directory: /tmp/root.x86_64/mnt/root/.ssh
when: not install_ec2_public_keys_service | default(false)
- name: Configure sshd via drop-in
template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config.d/override.conf owner=root group=root mode=0644
- name: Clean pacman cache # noqa risky-shell-pipe ("Illegal option -o pipefail" in Hetzner's recovery environment (dash?))
shell: yes | chroot /mnt pacman -Scc
register: chroot_pacman_clean_cache
changed_when: "chroot_pacman_clean_cache.rc == 0"
- name: Remove LOCK file on mountpoint
file: path=/mnt/LOCK state=absent
View Git Blame Copy Permalink