mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2024-05-05 21:06:02 +02:00
infrastructure/roles/install_arch/tasks/main.yml
Kristian Klausen 4112bdf9fd Make ansible-lint happy
yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.
2021-02-14 14:22:05 +01:00

200 lines
7.8 KiB
YAML

---
# Safety gate: confirm the host is booted into a provider rescue system
# before any disk is touched.
- name: read /etc/motd
  command: cat /etc/motd
  register: motd_contents
  changed_when: motd_contents.stdout | length > 0

# The rescue check is a substring match on the motd banner text. The
# destructive tasks that follow in this file (sgdisk --clear, mkfs.btrfs -f)
# rely on this task aborting the play on any host that is not in rescue mode.
- name: check whether we're running in Hetzner or Packet.net rescue environment
  fail:
    msg: "Not running in rescue system!"
  when: >-
    'Hetzner Rescue' not in motd_contents.stdout
    and 'Rescue environment based on Alpine Linux' not in motd_contents.stdout

# Only hosts reporting an Alpine os_family install the tooling through apk.
- name: make sure all required packages are installed in the rescue system for installation
  apk:
    name: sgdisk,btrfs-progs,tar
    update_cache: true
  when: ansible_facts['os_family'] == "Alpine"
# Destructive: --clear discards the existing partition table on every disk in
# system_disks. Partition 1 is a 10M partition of type ef02, named "boot".
- name: create GRUB embed partitions
  command: sgdisk -g --clear -n 1:0:+10M {{ item }} -c 1:boot -t 1:ef02
  register: sgdisk
  changed_when: sgdisk.rc == 0
  with_items:
    - "{{ system_disks }}"

# Partition 2 takes the remaining space on each disk and is named "root".
# The result overwrites the "sgdisk" variable registered by the previous task.
- name: create root partitions
  command: sgdisk -n 2:0:0 {{ item }} -c 2:root
  register: sgdisk
  changed_when: sgdisk.rc == 0
  with_items:
    - "{{ system_disks }}"
# Two or more disks: one btrfs filesystem across partition 2 of every disk,
# with data and metadata at raid_level (raid1 unless overridden). -f overwrites
# any filesystem already present. The p2/2 suffix is chosen by looking at
# system_disks[0] only and is then applied to every disk in the list.
- name: partition and format the disks (btrfs RAID)
  command: mkfs.btrfs -f -L root -d {{ raid_level|default('raid1') }} -m {{ raid_level|default('raid1') }} -O no-holes {{ system_disks | map('regex_replace', '^(.*)$', '\g<1>p2' if 'nvme' in system_disks[0] else '\g<1>2') | join(' ') }}
  when: filesystem == "btrfs" and system_disks|length >= 2

# Exactly one disk: single-profile btrfs on its second partition.
- name: partition and format the disks (btrfs single)
  command: mkfs.btrfs -f -L root -d single -m single -O no-holes {{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }}
  when: filesystem == "btrfs" and system_disks|length == 1

# NOTE(review): only the btrfs branch mounts anything on /mnt. With any other
# value of "filesystem" the LOCK file below and the later install tasks would
# act on the rescue system's own /mnt; confirm btrfs is the only supported value.
- name: mount the filesystem (btrfs)
  mount:
    src: "{{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }}"
    path: /mnt
    state: mounted
    fstype: btrfs
    opts: compress-force=zstd,space_cache=v2
  when: filesystem == "btrfs"

# Marker file: a later task uses /tmp/root.x86_64/mnt/LOCK as the "creates"
# guard for the bind mount of /mnt into the bootstrap chroot.
- name: touch LOCK file on mountpoint
  file:
    path: /mnt/LOCK
    state: touch
    owner: root
    group: root
    mode: "0644"
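# The bootstrap tarball becomes the root filesystem of the chroot in which
# pacman-key and pacstrap later run as root, so its integrity anchors the trust
# in everything installed afterwards. HTTPS authenticates the mirror only; it
# does not prove the file is the one Arch Linux released.
# bootstrap_sha256 is a new, optional variable: pin it next to
# bootstrap_version, using a digest taken from a signature-verified release,
# so a tampered or corrupted download is rejected. When it is undefined the
# checksum argument is omitted and the task behaves exactly as before.
- name: download bootstrap image
  get_url:
    url: https://mirrors.kernel.org/archlinux/iso/{{ bootstrap_version }}/archlinux-bootstrap-{{ bootstrap_version }}-x86_64.tar.gz
    dest: /tmp/
    checksum: "{{ ('sha256:' ~ bootstrap_sha256) if bootstrap_sha256 is defined else omit }}"

# "creates" skips extraction whenever /tmp/root.x86_64 already exists, so a
# tree left over from an earlier run is reused as-is.
- name: extract boostrap image  # noqa 208
  unarchive:
    src: /tmp/archlinux-bootstrap-{{ bootstrap_version }}-x86_64.tar.gz
    dest: /tmp
    remote_src: true
    creates: /tmp/root.x86_64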
# Give the bootstrap chroot the rescue system's resolver configuration.
- name: copy resolv.conf to bootstrap chroot
  copy:
    remote_src: true
    src: /etc/resolv.conf
    dest: /tmp/root.x86_64/etc/resolv.conf
    owner: root
    group: root
    mode: "0644"

# Recursive bind mounts of the rescue system's /proc, /sys, /dev and /mnt into
# the bootstrap chroot. Each "creates" path only exists once the corresponding
# mount is in place, so a re-run does not stack a second mount on top.
- name: mount /proc to bootstrap chroot
  command: mount --rbind /proc /tmp/root.x86_64/proc  # noqa 303
  args:
    creates: /tmp/root.x86_64/proc/uptime

- name: mount /sys to bootstrap chroot
  command: mount --rbind /sys /tmp/root.x86_64/sys  # noqa 303
  args:
    creates: /tmp/root.x86_64/sys/dev

- name: mount /dev to bootstrap chroot
  command: mount --rbind /dev /tmp/root.x86_64/dev  # noqa 303
  args:
    creates: /tmp/root.x86_64/dev/zero

# /mnt/LOCK is the marker file touched earlier on the new root filesystem.
- name: mount /mnt to bootstrap chroot
  command: mount --rbind /mnt /tmp/root.x86_64/mnt  # noqa 303
  args:
    creates: /tmp/root.x86_64/mnt/LOCK

# The mirror list used by pacman inside the bootstrap chroot is rendered from
# the role's mirrorlist.j2 template (template content not shown here).
- name: configure pacman mirror
  template:
    src: mirrorlist.j2
    dest: /tmp/root.x86_64/etc/pacman.d/mirrorlist
    owner: root
    group: root
    mode: "0644"
# Create a fresh pacman keyring inside the bootstrap chroot.
- name: initialize pacman keyring inside bootstrap chroot
  command: chroot /tmp/root.x86_64 pacman-key --init
  register: chroot_pacman_key_init
  changed_when: chroot_pacman_key_init.rc == 0

# --populate runs inside the chroot, so the trusted packager keys come from the
# keyring files shipped in the extracted bootstrap image. Package signature
# checks done by pacstrap below are therefore only as trustworthy as that image.
- name: populate pacman keyring inside bootstrap chroot
  command: chroot /tmp/root.x86_64 pacman-key --populate archlinux
  register: chroot_pacman_key_populate
  changed_when: chroot_pacman_key_populate.rc == 0

# Pick the microcode package from the CPU vendor string in the gathered facts.
# NOTE(review): "ucode" stays undefined when neither vendor string matches,
# which would make the pacstrap task below fail on templating.
- name: install ucode update for Intel
  set_fact:
    ucode: intel-ucode
  when: "'GenuineIntel' in ansible_facts['processor']"

- name: install ucode update for AMD
  set_fact:
    ucode: amd-ucode
  when: "'AuthenticAMD' in ansible_facts['processor']"

# pacstrap installs into /mnt as seen from inside the bootstrap chroot, i.e.
# the bind-mounted new root filesystem. Skipped once /mnt/bin exists there.
- name: install arch base from bootstrap chroot
  command: chroot /tmp/root.x86_64 pacstrap /mnt base linux btrfs-progs grub openssh python-requests python-yaml {{ ucode }}
  args:
    creates: /tmp/root.x86_64/mnt/bin
# Recursive bind mounts of /proc, /sys and /dev into the freshly installed
# system at /mnt, guarded by a path that only exists once the mount is active.
- name: mount /proc to new chroot
  command: mount --rbind /proc /mnt/proc  # noqa 303
  args:
    creates: /mnt/proc/uptime

- name: mount /sys to new chroot
  command: mount --rbind /sys /mnt/sys  # noqa 303
  args:
    creates: /mnt/sys/dev

- name: mount /dev to new chroot
  command: mount --rbind /dev /mnt/dev  # noqa 303
  args:
    creates: /mnt/dev/zero

# Make sure the en_US.UTF-8 locale line is present, then generate it.
- name: configure locale.gen
  lineinfile:
    dest: /mnt/etc/locale.gen
    line: en_US.UTF-8 UTF-8
    owner: root
    group: root
    mode: "0644"

- name: run locale-gen inside chroot
  command: chroot /mnt locale-gen
  register: chroot_locale_gen
  changed_when: chroot_locale_gen.rc == 0

# Locale, timezone (UTC) and hostname of the new system; the hostname comes
# from the "hostname" variable.
- name: run systemd-firstboot
  command: chroot /mnt systemd-firstboot --locale=en_US.UTF-8 --timezone=UTC --hostname={{ hostname }}
  register: chroot_systemd_firstboot
  changed_when: chroot_systemd_firstboot.rc == 0

# Build the initramfs using the "linux" preset.
- name: run mkinitcpio
  command: chroot /mnt mkinitcpio -p linux
  register: chroot_mkinitcpio
  changed_when: chroot_mkinitcpio.rc == 0
# Exactly one of the two systemd-networkd units is written: the static one
# unless "dhcp" is set to a true value (it defaults to false).
- name: configure network (static)
  template:
    src: 10-static-ethernet.network.j2
    dest: /mnt/etc/systemd/network/10-static-ethernet.network
    owner: root
    group: root
    mode: "0644"
  when: not dhcp|default(false)

- name: configure network (dhcp)
  template:
    src: 10-dhcp-ethernet.network.j2
    dest: /mnt/etc/systemd/network/10-dhcp-ethernet.network
    owner: root
    group: root
    mode: "0644"
  when: dhcp|default(false)

# hcloud-init is installed and enabled only for hosts in the "hcloud" group or
# for the "packer-base-image" host. The script is root-owned and not writable
# by other users (0755).
- name: install hcloud-init
  copy:
    src: hcloud-init
    dest: /mnt/usr/local/bin/hcloud-init
    owner: root
    group: root
    mode: "0755"
  when: "'hcloud' in group_names or inventory_hostname == 'packer-base-image'"

- name: install hcloud-init.service
  copy:
    src: hcloud-init.service
    dest: /mnt/etc/systemd/system/hcloud-init.service
    owner: root
    group: root
    mode: "0644"
  when: "'hcloud' in group_names or inventory_hostname == 'packer-base-image'"

- name: enable hcloud-init inside chroot
  command: chroot /mnt systemctl enable hcloud-init
  register: chroot_systemd_services
  changed_when: chroot_systemd_services.rc == 0
  when: "'hcloud' in group_names or inventory_hostname == 'packer-base-image'"
# Replace the GRUB_CMDLINE_LINUX_DEFAULT line so the kernel mounts the root
# filesystem with compress-force=zstd. The mode is quoted so it is passed as
# the string "0644" and never depends on how the YAML parser reads a bare
# leading-zero number.
- name: provide default mount options (btrfs)
  lineinfile:
    path: /mnt/etc/default/grub
    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='
    line: 'GRUB_CMDLINE_LINUX_DEFAULT="rootflags=compress-force=zstd"'
    owner: root
    group: root
    mode: "0644"
  when: filesystem == "btrfs"

# Install the boot loader on every disk listed in system_disks.
- name: install grub
  command: chroot /mnt grub-install --recheck {{ item }}
  register: chroot_grub_install
  changed_when: chroot_grub_install.rc == 0
  with_items:
    - "{{ system_disks }}"

- name: configure grub
  command: chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
  register: chroot_grub_mkconfig
  changed_when: chroot_grub_mkconfig.rc == 0

# Services enabled for first boot: sshd is the remote entry point, alongside
# networking, name resolution and the periodic fstrim timer.
- name: enable services inside chroot
  command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer
  register: chroot_systemd_services
  changed_when: chroot_systemd_services.rc == 0
# Read one public-key file per entry of root_ssh_keys from the pubkeys
# directory two levels above playbook_dir. The file lookup runs on the Ansible
# controller, so the keys come from the repository checkout, not the target.
# The two set_fact lines are kept in their original key=value form.
- name: assign pubkey list to fact
  set_fact: pubkey_list="{{ lookup('file', playbook_dir + "/../../pubkeys/" + item) }}"
  vars:
    playbook_dir: "{{ playbook_dir }}"
  with_items: "{{ root_ssh_keys }}"
  register: pubkeys

# Join the per-file results into one newline-separated string.
- name: assign pubkey string to fact
  set_fact: pubkey_string={{ pubkeys.results | map(attribute='ansible_facts.pubkey_list') | join('\n') }}

# The path reaches the new system's /root through the bind mount of /mnt inside
# the bootstrap chroot. exclusive removes every key from the file that is not
# in pubkey_string, so root access is limited to the keys listed above.
- name: add authorized key for root
  authorized_key:
    user: root
    key: "{{ pubkey_string }}"
    path: /tmp/root.x86_64/mnt/root/.ssh/authorized_keys
    exclusive: true

# sshd policy for the new system is rendered from the role's sshd_config.j2
# template (template content not shown here).
- name: configure sshd
  template:
    src: sshd_config.j2
    dest: /mnt/etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"

# Point /etc/resolv.conf at the systemd-resolved stub file; force replaces
# whatever already exists at the destination.
- name: create symlink to resolv.conf
  file:
    src: /run/systemd/resolve/stub-resolv.conf
    dest: /mnt/etc/resolv.conf
    state: link
    force: true
    owner: root
    group: root
    mode: "0644"
# Empty the package cache of the installed system without prompting.
- name: clean pacman cache
  command: chroot /mnt pacman -Scc --noconfirm
  register: chroot_pacman_clean_cache
  changed_when: chroot_pacman_clean_cache.rc == 0

# Remove the marker file that was touched right after mounting /mnt.
- name: remove LOCK file on mountpoint
  file:
    path: /mnt/LOCK
    state: absent