The need for UEFI booting originates from dedicated server and it does
not benefit cloud servers. It therefore makes sense to skip it on them.

There is no need to split up partitioning into per-partition tasks.
Use long options for readability.

Use an uppercase LABEL to avoid a warning from mkfs.fat:

    mkfs.fat: Warning: lowercase labels might not work properly on some systems

Use something other than "efi" as the label since some firmware do not
like it. While this is not really an issue for Arch infrastructure, since
there is zero change that this will be run on any MSI hardware with its
broken firmware, it is best to simply folow the wiki anyway. See
https://wiki.archlinux.org/title/EFI_system_partition#Firmware_does_not_see_the_EFI_directory

sgdisk does not align the partition size/end by default. The
`-I`/`--align-end` option needs to be used to enable alignment. See
https://wiki.archlinux.org/title/Advanced_Format#Partition_alignment

Additionally use the partition names (PARTLABELs) that gdisk and cgdisk
set (but sgdisk doesn't) and follow the Discoverable Partitions
Specification by useing the appropriate partition for the root partition.
See https://wiki.archlinux.org/title/Partitioning#Single_root_partition

2024.05.01 and later images are using Zstandard compression.

In the Hetzner rescue environment, they have begun setting
TMPDIR=/tmp/hwc which breaks mkinitcpio, so remove the ~/.bashrc file so
that is not set.

Since Linux 6.2, Btrfs enables asynchronous trimming in its mount flags.

[1] https://github.com/archlinux/archinstall/issues/1837
[2] https://github.com/torvalds/linux/commit/63a7cb130718

Commit 8e6d5474 ("sshd: use drop-in for basic sshd configuration")
changed the sshd_config.j2 template to contain only overridden bits of
sshd_config. However, it did not account for the install_arch role use
of the same template which was still installed to /etc/ssh/sshd_config.

Fix install_arch to install to etc/ssh/sshd_config.d/override.conf too.

Fixes: 8e6d5474 ("sshd: use drop-in for basic sshd configuration")

This is meant to be used in the Hetzner cloud sandbox project, so SSH
keys can be injected when a new VM is created from e.g. a CI pipeline,
so that the CI pipeline can SSH to the newly created VM.

The EC2 metadata service is used over the Hetzner metadata service, as
it is supported by more providers (including Hetzner).

Liberally add "noqa no-changed-when" tags to the problematic tasks,
except for two "systemd-tmpfiles --create" calls. For these we can
simply include the creates= parameter in the command module's call.

Leonidas Spyropoulos authored 2 years ago and Evangelos Foutras committed 2 years ago

Convert the permissions to strings to avoid octal interpretation.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Pass --target=i386-pc to grub-install to stick with legacy BIOS boot.

Our partitioning scheme is not suitable for EFI boot.

/etc/motd now contains "OS Rescue Environment" when in rescue mode.

C.UTF-8 is installed by default, so we can avoid messing with locale-gen
by using that.

All the postgres servers (excluding matrix due to[1]) have been migrated
with the following commands:
# sudo -u postgres pg_dumpall > d
# sed "s/LOCALE = 'C'/LOCALE = 'C.UTF-8'/" -i d
# systemctl stop postgresql.service
# mv /var/lib/postgres/data{,.old}
$ ansible-playbook --diff -t postgres playbooks/<host>.yml
# sudo -u postgres psql < d

[1] https://github.com/matrix-org/synapse/blob/19a57f4a3710d6c3f7cc9d031e0e59bc2ed3b052/docs/postgres.md#fixing-incorrect-collate-or-ctype

Fix #470

- common: for deciding when to install/configure smartmontools
- install_arch: installing ucode update only on physical hosts

Wiki says "Do not download it from a mirror" and it sounds more secure.

Fixes: 503b08db ("install_arch: verify bootstrap image signature")

Matt Nelson authored 2 years ago and Evangelos Foutras committed 2 years ago

Fixes #458.

Ordering "when:" before "block:" makes it more readable I suppose.

This avoid having extra-long lines and works fine for task-based rules.

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

Microcode updates are not applicable to cloud servers.

The glibc 2.35-6 package ships with the C.UTF-8 locale included which
means there is now a usable UTF-8 locale available by default.

en_US.UTF-8 will still be generated because PostgreSQL clusters are
created with that locale. Migrating the clusters to C.UTF-8 is
possible, but that requires dumping and recreating them.

Also tweak the documentation on rebuilderd workers and add runner1.

Since release 2022.07.01, there is a versionless bootstrap tarball file (archlinux-bootstrap-x86_64.tar.gz). See https://github.com/pierres/archiso-manager/pull/12.

"latest" is a valid version, so there is no need to check for the exact version number anymore.

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.

Addresses the following ansible-lint warning:

risky-file-permissions: File permissions unset or incorrect.
roles/install_arch/tasks/main.yml:50

Amin Vakil authored 3 years ago and Kristian Klausen committed 2 years ago

Creates a systemd service which executes these commands on first boot:

pacman-key --init

pacman-key --populate archlinux

Also it makes sure /etc/pacman.d/gnupg is not absent.

At last it removes /etc/machine-id to make sure systemd launches first
boot services.

- Create packer builder in FSN1 and change image to ubuntu-20.04
- Add "use_proxy: false" to provisioner config to work around [1]
- Reduce the size of the BIOS boot partition to 1M (from 10M) [2]
- Update bootstrap_version to 2022.03.01

[1] https://github.com/hashicorp/packer-plugin-ansible/issues/69
[2] https://www.gnu.org/software/grub/manual/grub/html_node/BIOS-installation.html

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

shell is like command but runs the command through a shell, so that
piping will work.

Leonidas Spyropoulos authored 3 years ago and Kristian Klausen committed 3 years ago

This is shared between common and install_arch roles

Closed: #288

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

noconfirm does not work because the default answer to the first check is
`No`.

Kristian Klausen authored 3 years ago and Jelle van der Waa committed 3 years ago

The root_ssh_keys variable was changed in:
ea9f114d ("root_ssh: Support giving root access to only some hosts")
so let's just use the root_ssh role instead of maintaining the logic in
two places.