From 3b7ba8532f31d221c0708e2d6733bccdd3935f91 Mon Sep 17 00:00:00 2001
From: Egor Tensin <Egor.Tensin@gmail.com>
Date: Mon, 11 Sep 2023 18:01:37 +0200
Subject: etckeeper: manage the ignore list

---
 roles/etckeeper/defaults/main.yml        | 15 +++++++
 roles/etckeeper/handlers/commit.yml      | 24 +++++++++++
 roles/etckeeper/handlers/commit_conf.yml | 24 -----------
 roles/etckeeper/handlers/main.yml        | 12 +++++-
 roles/etckeeper/tasks/ignore.yml         | 18 ++++++++
 roles/etckeeper/tasks/main.yml           | 12 ++++++
 roles/pacman/tasks/main.yml              | 70 ++++----------------------------
 roles/rate_mirrors/tasks/main.yml        | 52 ------------------------
 8 files changed, 89 insertions(+), 138 deletions(-)
 create mode 100644 roles/etckeeper/handlers/commit.yml
 delete mode 100644 roles/etckeeper/handlers/commit_conf.yml
 create mode 100644 roles/etckeeper/tasks/ignore.yml

diff --git a/roles/etckeeper/defaults/main.yml b/roles/etckeeper/defaults/main.yml
index 176453c..e783002 100644
--- a/roles/etckeeper/defaults/main.yml
+++ b/roles/etckeeper/defaults/main.yml
@@ -3,3 +3,18 @@ git_email: Egor.Tensin@gmail.com
 
 etckeeper_remote_name: origin
 #etckeeper_remote_url:
+
+etckeeper_ignored_paths:
+  # My resolv.conf is typically managed, by either systemd or NetworkManager.
+  - /resolv.conf
+  # This is just a stupid systemd file.
+  - /.updated
+  # I really don't need all the Wi-Fi networks.
+  - /NetworkManager/system-connections/
+  # I'm unsure about this; but it does make pacman upgrades much easier - I
+  # don't need to account for /etc/pacman.d/gnupg suddenly having changes.
+  - /pacman.d/gnupg/
+  # I run rate-mirrors before every upgrade pretty much.
+  - /pacman.d/mirrorlist
+
+etckeeper_extra_ignored_paths: []
diff --git a/roles/etckeeper/handlers/commit.yml b/roles/etckeeper/handlers/commit.yml
new file mode 100644
index 0000000..f48db8f
--- /dev/null
+++ b/roles/etckeeper/handlers/commit.yml
@@ -0,0 +1,24 @@
+- name: Get list of modified files
+  become: true
+  ansible.builtin.shell: |
+    set -o pipefail && \
+    git status --porcelain=v1 \
+        | cut -c 4- \
+        | grep -G -v '^{{ paths | map("regex_replace", "^/", "") | list | join("\|^") }}'
+  args:
+    chdir: /etc
+  register: git_status
+  changed_when: false
+  failed_when: git_status.rc not in [0, 1]
+
+- name: Fail if unexpected files were modified
+  ansible.builtin.fail:
+    msg: |
+      Unexpected files were modified:
+      {{ git_status.stdout }}
+  when: git_status.rc == 0
+
+- name: etckeeper commit
+  become: true
+  ansible.builtin.command: |
+    etckeeper commit '{{ commit_msg }}'
diff --git a/roles/etckeeper/handlers/commit_conf.yml b/roles/etckeeper/handlers/commit_conf.yml
deleted file mode 100644
index 134e264..0000000
--- a/roles/etckeeper/handlers/commit_conf.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-- name: Get list of modified files
-  become: true
-  ansible.builtin.shell: |
-    set -o pipefail && \
-    git status --porcelain=v1 \
-        | cut -c 4- \
-        | grep -G -v '^etckeeper/etckeeper.conf'
-  args:
-    chdir: /etc
-  register: git_status
-  changed_when: false
-  failed_when: git_status.rc not in [0, 1]
-
-- name: Fail if unexpected files were modified
-  ansible.builtin.fail:
-    msg: |
-      Unexpected files were modified:
-      {{ git_status.stdout }}
-  when: git_status.rc == 0
-
-- name: etckeeper commit
-  become: true
-  ansible.builtin.command: |
-    etckeeper commit 'configure etckeeper'
diff --git a/roles/etckeeper/handlers/main.yml b/roles/etckeeper/handlers/main.yml
index 9993ed5..ca6beaa 100644
--- a/roles/etckeeper/handlers/main.yml
+++ b/roles/etckeeper/handlers/main.yml
@@ -1,3 +1,13 @@
 - name: Commit etckeeper.conf
-  ansible.builtin.include_tasks: commit_conf.yml
+  ansible.builtin.include_tasks: commit.yml
+  vars:
+    paths: [etckeeper/etckeeper.conf]
+    commit_msg: configure etckeeper
   listen: etckeeper_commit_conf
+
+- name: Commit .gitignore
+  ansible.builtin.include_tasks: commit.yml
+  vars:
+    paths: '{{ [".gitignore"] + etckeeper_ignored_paths + etckeeper_extra_ignored_paths }}'
+    commit_msg: configure ignored files
+  listen: etckeeper_commit_gitignore
diff --git a/roles/etckeeper/tasks/ignore.yml b/roles/etckeeper/tasks/ignore.yml
new file mode 100644
index 0000000..a798368
--- /dev/null
+++ b/roles/etckeeper/tasks/ignore.yml
@@ -0,0 +1,18 @@
+- name: Add line to .gitignore
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/.gitignore
+    line: '{{ ignore_path }}'
+    state: present
+    owner: root
+    group: root
+    mode: '644'
+  register: gitignore
+  notify: etckeeper_commit_gitignore
+
+- name: Remove path from cache
+  when: gitignore.changed
+  become: true
+  ansible.builtin.command: # noqa: command-instead-of-module
+    cmd: git rm -r --ignore-unmatch --cached -- '{{ ignore_path | regex_replace("^/", "") }}'
+    chdir: /etc
diff --git a/roles/etckeeper/tasks/main.yml b/roles/etckeeper/tasks/main.yml
index 431a378..f609ce7 100644
--- a/roles/etckeeper/tasks/main.yml
+++ b/roles/etckeeper/tasks/main.yml
@@ -74,3 +74,15 @@
         option: PUSH_REMOTE
         value: '{{ etckeeper_remote_name }}'
       notify: etckeeper_commit_conf
+
+- name: Commit etckeeper.conf if necessary
+  ansible.builtin.meta: flush_handlers
+
+- name: Configure ignored paths
+  ansible.builtin.include_tasks: ignore.yml
+  loop: '{{ etckeeper_ignored_paths + etckeeper_extra_ignored_paths }}'
+  loop_control:
+    loop_var: ignore_path
+
+- name: Commit .gitignore if necessary
+  ansible.builtin.meta: flush_handlers
diff --git a/roles/pacman/tasks/main.yml b/roles/pacman/tasks/main.yml
index 5ed782f..a235d7d 100644
--- a/roles/pacman/tasks/main.yml
+++ b/roles/pacman/tasks/main.yml
@@ -1,62 +1,10 @@
-- name: Upgrade packages or fail gracefully
+- name: Upgrade packages
   become: true
-  block:
-    - name: Upgrade packages
-      community.general.pacman:
-        update_cache: true
-        upgrade: true
-      register: pacman_result
-      notify: pacman_upgraded
-
-    - name: Reboot if necessary
-      ansible.builtin.meta: flush_handlers
-  rescue:
-    - name: Check if /etc is versioned
-      ansible.builtin.file:
-        path: /etc/.git/config
-        state: file
-      register: etc_versioned
-
-    - name: Fail if /etc is not versioned
-      ansible.builtin.fail:
-        msg: Upgrading packages failed for an unknown reason!
-      when: not etc_versioned
-
-    - name: Check for changes in /etc
-      ansible.builtin.command: # noqa: command-instead-of-module
-        cmd: git status --porcelain=v1
-        chdir: /etc
-      register: git_status
-      changed_when: false
-
-    - name: Fail if there're no uncommitted changes in /etc
-      ansible.builtin.fail:
-        msg: Upgrading packages failed for an unknown reason!
-      when: not git_status.stdout
-
-    - name: All changes in /etc are in pacman.d/gnupg?
-      ansible.builtin.shell: |
-        set -o pipefail && \
-        git status --porcelain=v1 \
-            | cut -c 4- \
-            | grep -G -v '^pacman.d/gnupg/'
-      args:
-        chdir: /etc
-      register: only_gnupg
-      changed_when: false
-      failed_when: only_gnupg.rc not in [0, 1]
-
-    - name: Commit changes in /etc/pacman.d/gnupg
-      ansible.builtin.command: |
-        etckeeper commit 'pacman: GPG keys'
-      when: only_gnupg.rc == 1
-
-    - name: Retry upgrading packages
-      community.general.pacman:
-        update_cache: true
-        upgrade: true
-      register: pacman_result
-      notify: pacman_upgraded
-
-    - name: Reboot if necessary
-      ansible.builtin.meta: flush_handlers
+  community.general.pacman:
+    update_cache: true
+    upgrade: true
+  register: pacman_result
+  notify: pacman_upgraded
+
+- name: Reboot if necessary
+  ansible.builtin.meta: flush_handlers
diff --git a/roles/rate_mirrors/tasks/main.yml b/roles/rate_mirrors/tasks/main.yml
index 9d40fa2..4d72a41 100644
--- a/roles/rate_mirrors/tasks/main.yml
+++ b/roles/rate_mirrors/tasks/main.yml
@@ -1,28 +1,3 @@
-- name: Check if /etc is versioned
-  become: true
-  ansible.builtin.file:
-    path: /etc/.git/config
-    state: file
-  register: etc_versioned
-
-- name: Fail if there're uncommitted changes in /etc
-  when: etc_versioned
-  become: true
-  block:
-    - name: Check for changes in /etc
-      ansible.builtin.command: # noqa: command-instead-of-module
-        cmd: git status --porcelain=v1
-        chdir: /etc
-      register: git_status
-      changed_when: false
-
-    - name: Fail
-      ansible.builtin.fail:
-        msg: |
-          There are uncommitted changes in /etc:
-          {{ git_status.stdout }}
-      when: git_status.stdout
-
 - name: Rate pacman mirrors
   become: true
   ansible.builtin.shell: |
@@ -31,30 +6,3 @@
         --disable-comments \
         --save /etc/pacman.d/mirrorlist \
         "$ID"
-
-- name: Commit pacman.d/mirrorlist
-  when: etc_versioned
-  become: true
-  block:
-    - name: Check for changes in /etc
-      ansible.builtin.shell: |
-        set -o pipefail && \
-        git status --porcelain=v1 \
-            | cut -c 4- \
-            | grep -G -v '^pacman.d/mirrorlist'
-      args:
-        chdir: /etc
-      register: git_status
-      changed_when: false
-      failed_when: git_status.rc not in [0, 1]
-
-    - name: Fail if there're other uncommitted changes
-      ansible.builtin.fail:
-        msg: |
-          How did this happen? Other files have been modified:
-          {{ git_status.stdout }}
-      when: git_status.rc == 0
-
-    - name: etckeeper commit
-      ansible.builtin.command: |
-        etckeeper commit 'rate-mirrors'
-- 
cgit v1.2.3