aur_builder FTW

roles/05_packages/tasks/aur.yml

@@ -1,9 +1,25 @@
 ---
+- name: Create the `aur_builder` user
+  become: true
+  ansible.builtin.user:
+    name: aur_builder
+    create_home: yes
+    group: wheel
+
+- name: Allow the `aur_builder` user to run `sudo pacman` without a password
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/sudoers.d/11-install-aur_builder
+    line: 'aur_builder ALL=(ALL) NOPASSWD: /usr/bin/pacman'
+    create: yes
+    mode: 0644
+    validate: 'visudo -cf %s'
+
 - name: Installing AUR helper
   kewlfft.aur.aur:
     name: "{{ aur_helper }}"
   become: true
-  become_user: "{{ user.name }}"
+  become_user: aur_builder
 
 - name: Install AUR packages
   kewlfft.aur.aur:
@@ -11,4 +27,4 @@
     state: present
     use: "{{ aur_helper }}"
   become: true
-  become_user: "{{ user.name }}"    
+  become_user: aur_builder  

roles/07_user/tasks/main.yml

@@ -22,6 +22,6 @@
 - name: Setup sudo
   ansible.builtin.copy:
     dest: /etc/sudoers.d/{{ user.name }}
-    content: "{{ user.name }} ALL=(ALL:ALL) NOPASSWD: ALL"
+    content: "{{ user.name }} ALL=(ALL:ALL) ALL"
     mode: 0440
     validate: /usr/sbin/visudo -cf %s