---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
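- name: pull prerequisites from upstream
  # Run the upstream.yml step of the etckeeper.inc role with the commit
  # message given in 'msg'; allow_duplicates lets the same role be included
  # again further down this file.  Written as block YAML rather than the
  # free-form "key=value" string so each argument is typed by the parser.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: 'arch-install-scripts'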
### ⇐ UPSTREAM BEGIN ###
- name: install arch-install-scripts
  # Provides pacstrap and arch-chroot, both used by the container tasks below.
  package:
    state: present
    name: arch-install-scripts
### UPSTREAM END ⇒ ###
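- name: merge upstream
  # Run the merge.yml step of the etckeeper.inc role with the same commit
  # message as the matching UPSTREAM BEGIN task above.  Block YAML instead of
  # the free-form "key=value" string, so the arguments are parsed as typed
  # values rather than split out of a string.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: 'arch-install-scripts'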
### ⇐ UPSTREAM END ###
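- name: send a remote-exec script to the host
  # Render the per-environment helper (templates/DMZ.<env>.j2) into
  # /usr/local/bin under the container's name, executable by everyone.
  # The mode is quoted so the YAML parser cannot read the leading-zero
  # octal as a decimal integer (ansible-lint 'risky-octal').
  template:
    src: "templates/DMZ.{{ env }}.j2"
    dest: "/usr/local/bin/{{ DMZ }}"
    mode: "0755"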
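- name: create the DMZ container directory and needed paths
  # The container root must exist before pacstrap is pointed at it.
  # Mode quoted to keep the octal value a string for the parser.
  file:
    path: "{{ item }}"
    state: directory
    mode: "0755"
  with_items:
    - "{{ front_dir }}"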
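- name: install an Archlinux container
  # Bootstrap the container root with pacstrap (-c: use the host's package
  # cache; -d: target a plain directory rather than a mountpoint).  Instead
  # of the whole 'base' meta-package, its dependency list is read from
  # `pacman -Si base` (sed turns the "Depends On" line into one name per
  # line) and grep -vxE drops kernel, boot and storage tooling a container
  # does not need; busybox, openssh, python and etckeeper are added on top.
  # `creates` makes the task idempotent once {{ front_dir }}/usr exists, and
  # the registered result drives the follow-up tasks below.
  # `| quote` shell-escapes the directory so an unusual path cannot break
  # the command line apart.  The folded scalar must keep every line at the
  # same indent: a preserved newline in front of a `|` would be a shell
  # syntax error.
  shell: >
    pacstrap -c -d {{ front_dir | quote }}
    $(
    LANG=C pacman -Si base
    | sed -nr 's/^Depends[^:]*: *//;t ok;b;: ok;s/ +/\n/g;p;q'
    | grep -vxE
    'bzip2|dhcpcd|gzip|licenses|linux|lvm2|mdadm|pciutils|reiserfsprogs|systemd-sysvcompat|texinfo|usbutils|xfsprogs'
    )
    busybox openssh python etckeeper
  args:
    creates: "{{ front_dir }}/usr"
  register: arch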
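- name: enable BusyBox…
  # Create the BusyBox applet links inside the container, only in production
  # and only right after pacstrap populated the root.  The `creates` guard
  # keys on the 'ash' applet so that a re-run is a no-op.  `| quote` keeps
  # the directory as a single argument when the command is split.
  command: "arch-chroot {{ front_dir | quote }} /usr/bin/busybox --install"
  args:
    creates: "{{ front_dir }}/usr/bin/ash"
  when:
    - env == 'prod'
    - arch.changed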
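- name: … but not for some binaries
  # Remove the BusyBox applet entries whose names are owned by packages
  # that get installed later — presumably so those packages can be
  # installed without file conflicts; the inline comments record which
  # package owns each name.
  # NOTE(review): this task runs whenever `arch.changed`, while the BusyBox
  # install above additionally requires `env == 'prod'`; outside prod any of
  # these paths that exist belong to real packages, not to BusyBox — confirm
  # the intended condition before relying on it.
  file:
    path: "{{ front_dir }}/usr/bin/{{ item }}"
    state: absent
  when: arch.changed
  with_items:
    # base-devel needs patch, gawk (owns awk), which
    - patch
    - gawk
    - awk
    - which
    # exim owns sendmail
    - sendmail
    # spamassassin needs gcc needs binutils owns ar + strings
    - ar
    - strings
    # make needs guile needs texinfo needs gzip + less, own: less, gunzip, gzip, uncompress, zcat
    - less
    - gunzip
    - gzip
    - uncompress
    - zcat
    # util-linux owns setpriv, rfkill
    - setpriv
    - rfkill
    # net-tools owns arp, ifconfig, iptunnel, nameif, netstat, route, slattach
    - arp
    - ifconfig
    - iptunnel
    - nameif
    - netstat
    - route
    - slattach
    # vim owns xxd
    - xxd
    # php-imagick needs imagemagick needs libtool needs tar
    - tar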
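- name: copy some files from host to container
  # Seed the freshly bootstrapped root with the host's pacman.conf and
  # resolv.conf (remote_src: both ends are on the managed host) — presumably
  # so that package management and name resolution work inside the chroot.
  # Only after pacstrap actually ran; mode quoted to stay an octal string.
  copy:
    remote_src: true
    src: "{{ item }}"
    dest: "{{ front_dir }}{{ item }}"
    mode: "0644"
  with_items:
    - /etc/pacman.conf
    - /etc/resolv.conf
  when: arch.changed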
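- name: create .ssh in the container
  # root's SSH directory inside the container, owner-only (0700) so that the
  # key material the ssh role places there is not world-readable.
  file:
    path: "{{ front_dir }}/root/.ssh"
    state: directory
    mode: "0700"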
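- name: init the container
  # Apply the 'init' role inside the chroot with the per-environment
  # variable file; the templated file name is quoted so the parser sees
  # one plain string whatever 'env' expands to.
  include_role:
    name: init
    vars_from: "front_chroot.{{ env }}.yaml"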
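- name: init SSH in the container
  # Apply the 'ssh' role with the same per-environment variable file as the
  # 'init' role above; templated file name quoted for the parser.
  include_role:
    name: ssh
    vars_from: "front_chroot.{{ env }}.yaml"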
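- name: ensure systemd-nspawn@.service.d exists
  # Drop-in directory for the template unit, used by the override below.
  # Mode quoted to keep the leading-zero octal a string.
  file:
    path: /etc/systemd/system/systemd-nspawn@.service.d
    state: directory
    mode: "0755"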
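- name: override nspawn default settings for journald
  # Install the role's drop-in into the template unit's .d directory; it
  # applies to every systemd-nspawn@<machine>.service instance.
  # Mode quoted to keep the leading-zero octal a string.
  copy:
    src: files/nspawn_override.conf
    dest: /etc/systemd/system/systemd-nspawn@.service.d/override.conf
    mode: "0644"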
- name: enable machines.target
  # Reload unit files (the drop-in above is new), then start and enable the
  # target that pulls in the container units.
  systemd:
    name: machines.target
    enabled: true
    state: started
    daemon_reload: true
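- name: ensure /etc/systemd/nspawn exists
  # Directory where per-container .nspawn settings files live.
  # Mode quoted to keep the leading-zero octal a string.
  file:
    path: /etc/systemd/nspawn
    state: directory
    mode: "0755"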
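- name: create a unit file for the container
  # Install the role's DMZ.nspawn settings under the container's name.
  # Mode quoted to keep the leading-zero octal a string.
  copy:
    src: files/DMZ.nspawn
    dest: "/etc/systemd/nspawn/{{ DMZ }}.nspawn"
    mode: "0644"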
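- name: "enable systemd-nspawn@{{ DMZ }}.service"
  # Production only: enable the container's service instance after a daemon
  # reload.  Only `enabled` is set — no `state` — so the container is not
  # started by this play; presumably it is meant to come up with
  # machines.target at boot.  Templated names quoted for the parser.
  systemd:
    daemon_reload: true
    name: "systemd-nspawn@{{ DMZ }}.service"
    enabled: true
  when: env == 'prod'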
### LOCAL COMMIT ⇒ ###
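- name: commit local changes
  # Run the local.yml step of the etckeeper.inc role to record everything
  # this file changed, with the given commit message.  Block YAML instead
  # of the free-form "key=value" string, so arguments are parsed as typed
  # values.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: 'DMZ init+SSH'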
### ⇐ LOCAL COMMIT ###