Diffstat (limited to 'roles/pacman/tasks/main.yml')
-rw-r--r--roles/pacman/tasks/main.yml55
1 files changed, 55 insertions, 0 deletions
diff --git a/roles/pacman/tasks/main.yml b/roles/pacman/tasks/main.yml
new file mode 100644
index 0000000..df7fac7
--- /dev/null
+++ b/roles/pacman/tasks/main.yml
@@ -0,0 +1,55 @@
+- name: Upgrade packages or fail gracefully
+ become: true
+ block:
+ - name: Upgrade packages
+ community.general.pacman:
+ update_cache: true
+ upgrade: true
+ register: pacman_result
+ notify: pacman_upgraded
+
+ - name: Reboot if necessary
+ ansible.builtin.meta: flush_handlers
+ rescue:
+ - name: Fail if /etc is not versioned
+ ansible.builtin.fail:
+ msg: Upgrading packages failed for an unknown reason!
+ when: not etc_versioned
+
+ - name: Check for changes in /etc
+ ansible.builtin.command: git status --porcelain=v1
+ args:
+ chdir: /etc
+ register: git_status
+ changed_when: false
+
+ - name: Fail if there're no unstaged changes in /etc
+ ansible.builtin.fail:
+ msg: Upgrading packages failed for an unknown reason!
+ when: not git_status.stdout
+
+ - name: All changes in /etc are in pacman.d/gnupg?
+ ansible.builtin.shell: |
+ set -o pipefail && \
+ git status --porcelain=v1 \
+ | cut -c 4- \
+ | grep -G -v '^pacman.d/gnupg/'
+ args:
+ chdir: /etc
+ register: only_gnupg
+ changed_when: false
+
+ - name: Commit changes in /etc
+ ansible.builtin.command: |
+ etckeeper commit 'pacman: GPG keys'
+ when: git_status.stdout and only_gnupg.rc != 0
+
+ - name: Retry upgrading packages
+ community.general.pacman:
+ update_cache: true
+ upgrade: true
+ register: pacman_result
+ notify: pacman_upgraded
+
+ - name: Reboot if necessary
+ ansible.builtin.meta: flush_handlers
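Review bot: The `All changes in /etc are in pacman.d/gnupg?` shell task shows no `failed_when`, so the exit status it is meant to report fails the task and aborts the rescue. `grep -v` exits 1 when every changed path is under `pacman.d/gnupg/`, and with `set -o pipefail` that becomes the task's rc, so `Commit changes in /etc` (gated on `only_gnupg.rc != 0`) is never reached in exactly the case it targets. Adding `failed_when: only_gnupg.rc > 1` to that task lets rc 1 through while keeping real grep errors fatal. That gate is also the only thing that keeps `etckeeper commit` from recording unrelated /etc edits under the `pacman: GPG keys` message, so it is worth a comment. When other paths are dirty (rc 0) the commit is skipped but the retry still runs; an explicit `ansible.builtin.fail` naming the uncommitted paths would be clearer than a second unexplained pacman failure.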