About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible on Arch Linux Automation Complete Guide

By Luca Berton · Published 2024-01-01 · Category: installation

Automate Arch Linux (rolling) with Ansible: pacman, AUR via paru, systemd, nftables, snapshot-based safety, Wayland, developer environments.

Arch Linux is a rolling-release distribution favored by developers, enthusiasts, and lab operators. It always ships the latest stable kernel (typically 6.16+), Python 3.13/3.14, OpenSSH 10.0, Podman 5, and a minimal base install. Ansible's job on Arch is to make the otherwise hands-on system reproducible — pinning packages, dropping config, and keeping AUR builds idempotent. This guide is the master Ansible reference for Arch Linux workstations and lab servers.

Arch Linux release facts

| Item | Value |
|---|---|
| Type | Rolling release |
| Default kernel | latest mainline / LTS |
| Default Python | 3.13/3.14 |
| Package manager | pacman |
| AUR helpers | paru, yay |
| Init | systemd |

Ansible-core compatibility

Use ansible-core 2.20.

Baseline playbook

```yaml
- name: Arch Linux baseline
  hosts: arch
  become: true
  tasks:
    - name: Sync and upgrade
      community.general.pacman:
        update_cache: true
        upgrade: true

    - name: Install baseline tools
      community.general.pacman:
        name:
          - vim
          - htop
          - curl
          - chrony
          - nftables
          - openssh
          - podman
          - cockpit
          - reflector
        state: present

    # reflector rewrites the mirrorlist on every run, so the task always reports "changed".
    - name: Best mirrors via reflector
      ansible.builtin.command: >-
        reflector --latest 20 --protocol https --country DE,FR,US
        --sort rate --save /etc/pacman.d/mirrorlist
      changed_when: true

    - name: Enable services
      ansible.builtin.service:
        name: "{{ item }}"
        enabled: true
        state: started
      loop: [chronyd, nftables, sshd, cockpit.socket]
```

AUR packages via paru (run as non-root)

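```yaml
- name: Install AUR packages idempotently
  hosts: arch
  become: true
  tasks:
    # paru is itself distributed through the AUR; this task assumes a pacman
    # repository that provides a paru package is already configured.
    - name: Ensure paru is installed
      community.general.pacman:
        name: paru
        state: present

    # Builds run as the unprivileged "builder" user, which must already exist.
    - name: Install AUR packages
      become: true
      become_user: builder
      ansible.builtin.command: paru -S --noconfirm --needed {{ item }}
      register: paru_out
      changed_when: "'reinstalling' not in paru_out.stdout and 'is up to date' not in paru_out.stdout"
      loop:
        - visual-studio-code-bin
        - 1password
```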
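The play above switches to a `builder` account but never creates it. The following is an added example, not part of the original guide, that provisions the account; the sudoers file name and the single-command sudo rule are assumptions.

```yaml
- name: Provision the unprivileged AUR build user
  hosts: arch
  become: true
  tasks:
    - name: Install sudo and the build toolchain paru needs
      community.general.pacman:
        name:
          - sudo
          - base-devel
          - git
        state: present

    - name: Create the builder account with a locked password
      ansible.builtin.user:
        name: builder
        comment: AUR build user
        shell: /bin/bash
        create_home: true
        password_lock: true     # no password login for this account
        state: present

    - name: Allow builder to run pacman, and nothing else, through sudo
      ansible.builtin.copy:
        dest: /etc/sudoers.d/10-builder   # assumed file name
        owner: root
        group: root
        mode: "0440"
        # visudo rejects a broken file before it can lock sudo for everyone.
        validate: /usr/bin/visudo -cf %s
        content: |
          # Managed by Ansible. paru calls "sudo pacman" to install what it built.
          builder ALL=(root) NOPASSWD: /usr/bin/pacman
```

Passwordless `pacman` can install any package, so `builder` is root-equivalent in practice. Keep the account locked, give it no SSH keys, and use it only for builds.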

nftables firewall

```yaml
- name: Configure nftables on Arch
  hosts: arch
  become: true
  handlers:
    - name: reload nftables
      ansible.builtin.service: { name: nftables, state: reloaded }
  tasks:
    - name: Drop ruleset
      ansible.builtin.copy:
        dest: /etc/nftables.conf
        owner: root
        mode: "0644"
        content: |
          flush ruleset
          table inet filter {
            chain input {
              type filter hook input priority 0; policy drop;
              ct state established,related accept
              iif "lo" accept
              tcp dport 22 accept
              icmp type echo-request accept
            }
          }
      notify: reload nftables
```
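A variant of the play above that has `nft` check the ruleset before it replaces `/etc/nftables.conf` and that lets IPv6 neighbor discovery through the `policy drop` chain. This is an added example, not the original author's playbook; the ICMPv6 types chosen and the `backup` setting are assumptions about what a host needs.

```yaml
- name: Configure nftables with a syntax check and IPv6 control traffic
  hosts: arch
  become: true
  handlers:
    - name: reload nftables
      ansible.builtin.service:
        name: nftables
        state: reloaded
  tasks:
    - name: Install the ruleset only if nft accepts it
      ansible.builtin.copy:
        dest: /etc/nftables.conf
        owner: root
        group: root
        mode: "0644"
        backup: true                      # keep the previous ruleset next to the new one
        validate: /usr/bin/nft -c -f %s   # -c parses and checks without applying
        content: |
          flush ruleset
          table inet filter {
            chain input {
              type filter hook input priority 0; policy drop;
              ct state established,related accept
              ct state invalid drop
              iif "lo" accept
              tcp dport 22 accept
              icmp type echo-request accept
              # An inet table also filters IPv6; without this rule the drop
              # policy blocks neighbor discovery and router advertisements.
              icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
            }
          }
      notify: reload nftables
```

If the check fails, the task fails and the existing file stays in place, so the handler never reloads a broken ruleset.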

Pre-upgrade snapshots (Btrfs/Snapper)

```yaml
- name: Snapshot before pacman -Syu
  hosts: arch
  become: true
  tasks:
    - name: Create pre snapshot
      ansible.builtin.command: snapper create --type pre --description "ansible pre-syu" --print-number
      register: pre

    - name: Sync and upgrade
      community.general.pacman: { update_cache: true, upgrade: true }

    - name: Post snapshot
      ansible.builtin.command: snapper create --type post --pre-number {{ pre.stdout }} --description "ansible post-syu"
```

Best practices

• Never run paru as root — use a dedicated builder user.
• Pin critical packages with IgnorePkg in /etc/pacman.conf and lift the pin only via Ansible.
• Couple Arch with Btrfs + Snapper for deterministic rollback.
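One way to manage the IgnorePkg pin from a playbook, as an added example that is not part of the original guide. The variable `pacman_pinned_packages` and the packages listed in it are hypothetical.

```yaml
- name: Manage pacman package pins
  hosts: arch
  become: true
  vars:
    # Hypothetical variable: packages held back from upgrades.
    # Set it to [] to lift every pin on the next run.
    pacman_pinned_packages:
      - linux
      - linux-headers
  tasks:
    - name: Set IgnorePkg in the [options] section
      ansible.builtin.lineinfile:
        path: /etc/pacman.conf
        # Matches the active line or the commented default "#IgnorePkg   =".
        regexp: '^\s*#?\s*IgnorePkg\s*='
        line: "IgnorePkg = {{ pacman_pinned_packages | join(' ') }}"
        insertafter: '^\[options\]'
        backup: true
      when: pacman_pinned_packages | length > 0

    - name: Remove the active IgnorePkg line when nothing is pinned
      ansible.builtin.lineinfile:
        path: /etc/pacman.conf
        regexp: '^\s*IgnorePkg\s*='
        state: absent
        backup: true
      when: pacman_pinned_packages | length == 0

    - name: Sync and upgrade (pinned packages are skipped)
      community.general.pacman:
        update_cache: true
        upgrade: true
```

Because the pin lives in a variable, lifting it is a reviewed change to inventory or group vars rather than a manual edit on the host. Arch does not support partial upgrades, so pins should be short-lived and tracked.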

Conclusion

Ansible turns Arch Linux from a hand-tuned developer system into a reproducible, snapshot-safe workstation. Combine community.general.pacman, paru for AUR, and Snapper to ship a fleet of identical Arch boxes from a single playbook.
