2 files changed, 56 insertions, 0 deletions

diff --git a/roles/pacman/handlers/main.yml b/roles/pacman/handlers/main.yml
new file mode 100644
index 0000000..9dd7b9f
--- /dev/null
+++ b/roles/pacman/handlers/main.yml
@@ -0,0 +1,8 @@
+- name: Reboot
+  reboot:
+  when: 'ansible_env["SSH_CLIENT"].split()[0] not in ansible_all_ipv4_addresses'
+
+- name: Wait for connectivity
+  # One of the nodes is the VPN server connecting all the other nodes, wait
+  # until all of them are back up:
+  wait_for_connection:
diff --git a/roles/pacman/tasks/main.yml b/roles/pacman/tasks/main.yml
new file mode 100644
index 0000000..8e20aa5
--- /dev/null
+++ b/roles/pacman/tasks/main.yml
@@ -0,0 +1,48 @@
+- name: Check if pacman is installed
+  command: pacman --version
+  register: pacman_version
+  changed_when: no
+  ignore_errors: yes
+
+- when: pacman_version.rc == 0
+  become: yes
+  block:
+    - name: Upgrade packages
+      community.general.pacman:
+        update_cache: yes
+        upgrade: yes
+      notify:
+        - Reboot
+        - Wait for connectivity
+  rescue:
+    - fail:
+        msg: Upgrading packages failed for an unknown reason!
+      when: not etc_versioned
+
+    - name: There are uncommitted changes
+      shell: cd /etc && git status --porcelain=v1
+      register: git_status
+      changed_when: no
+
+    - fail:
+        msg: Upgrading packages failed for an unknown reason!
+      when: not git_status.stdout
+
+    - name: All changes are pacman.d/gnupg
+      shell: cd /etc && git status --porcelain=v1 | cut -c 4- | grep -G -v '^pacman.d/gnupg/'
+      register: only_gnupg
+      changed_when: no
+      ignore_errors: yes
+
+    - name: Commit pacman.d/gnupg
+      command: |
+        etckeeper commit 'pacman: GPG keys'
+      when: git_status.stdout and only_gnupg.rc != 0
+  
+    - name: Upgrade packages after GPG keys
+      community.general.pacman:
+        update_cache: yes
+        upgrade: yes
+      notify:
+        - Reboot
+        - Wait for connectivity