feat(bootstrap): install vendor-matched hardware packages

2026-04-29 21:23:55 +02:00
parent 3880b8f41e
commit 7d45f25a7e
5 changed files with 388 additions and 1 deletions
--- a/roles/bootstrap/tasks/_hardware.yml
+++ b/roles/bootstrap/tasks/_hardware.yml
@@ -0,0 +1,187 @@
+---
+# Installs vendor-matched microcode/firmware/GPU/peripheral packages into /mnt
+# based on hardware_profile_active set by environment/_detect_hardware.yml.
+- name: Load hardware package definitions
+  ansible.builtin.include_vars:
+    file: hardware.yml
+
+- name: Validate hardware support for current os_family
+  ansible.builtin.assert:
+    that:
+      - os_family in bootstrap_hardware_packages
+      - hardware_profile_active is defined
+    fail_msg: >-
+      Hardware feature requested but no package map for os_family
+      '{{ os_family }}'. Extend roles/bootstrap/vars/hardware.yml.
+    quiet: true
+
+# nvidia_driver: auto → open (Turing+) → proprietary (older, if family ships it)
+#                → nouveau (fallback). Explicit value falls back to nouveau when
+#                the family lacks packages for it.
+- name: Resolve Nvidia driver flavor
+  vars:
+    _family: "{{ bootstrap_hardware_packages[os_family] }}"
+    _user_driver: "{{ system_cfg.features.gpu.nvidia_driver | default('auto') }}"
+    _has_nvidia: "{{ 'nvidia' in (hardware_profile_active.gpus | default([])) }}"
+    _supports_open: "{{ hardware_profile_active.nvidia_supports_open | default(true) | bool }}"
+    _open_pkgs: "{{ _family.gpu_nvidia.open | default([]) }}"
+    _prop_pkgs: "{{ _family.gpu_nvidia.proprietary | default([]) }}"
+    _auto_choice: >-
+      {{
+        ('open' if _supports_open and _open_pkgs | length > 0
+         else ('proprietary' if _prop_pkgs | length > 0
+               else 'nouveau'))
+      }}
+    _user_choice: >-
+      {{
+        _auto_choice if _user_driver == 'auto'
+        else (_user_driver
+              if (_family.gpu_nvidia[_user_driver] | default([]) | length > 0)
+              else 'nouveau')
+      }}
+  ansible.builtin.set_fact:
+    _nvidia_driver_resolved: "{{ _user_choice if _has_nvidia else 'nouveau' }}"
+
+# Fedora's akmod-nvidia* packages live in RPMFusion non-free, which is not
+# enabled out of the box; install the release RPM before the package step.
+- name: Enable RPMFusion non-free for Fedora Nvidia install
+  when:
+    - os_family == 'RedHat'
+    - os == 'fedora'
+    - system_cfg.features.gpu.enabled | bool
+    - _nvidia_driver_resolved in ['open', 'proprietary']
+  ansible.builtin.command: >-
+    {{ chroot_command }} dnf install -y
+    https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ os_version_major }}.noarch.rpm
+    https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-{{ os_version_major }}.noarch.rpm
+  register: _rpmfusion_result
+  changed_when: _rpmfusion_result.rc == 0
+
+- name: Resolve hardware package set
+  vars:
+    _family: "{{ bootstrap_hardware_packages[os_family] }}"
+    _cpu: "{{ hardware_profile_active.cpu | default('') | string }}"
+    _gpus: "{{ hardware_profile_active.gpus | default([]) | list }}"
+    _wifi: "{{ hardware_profile_active.wireless | default([]) | list }}"
+    _fp_detected: "{{ hardware_profile_active.fingerprint | default(false) | bool }}"
+    _firmware_on: "{{ system_cfg.features.firmware.enabled | bool }}"
+    _microcode_on: "{{ _firmware_on and (system_cfg.features.firmware.microcode | bool) }}"
+    _gpu_on: "{{ system_cfg.features.gpu.enabled | bool }}"
+    _peripherals_on: "{{ system_cfg.features.peripherals.enabled | bool }}"
+    _webcam_pref: "{{ system_cfg.features.peripherals.webcam | default('auto') }}"
+    _fp_pref: "{{ system_cfg.features.peripherals.fingerprint | default('auto') }}"
+    _dl_on: "{{ system_cfg.features.peripherals.displaylink | bool }}"
+    _webcam_on: >-
+      {{
+        _peripherals_on
+        and (_webcam_pref == 'true' or (_webcam_pref == 'auto' and _peripherals_on))
+      }}
+    _fp_on: >-
+      {{
+        _peripherals_on
+        and (_fp_pref == 'true' or (_fp_pref == 'auto' and _fp_detected))
+      }}
+    # Union of GPU/wireless/CPU vendors; CPU vendor is included so Intel-CPU
+    # systems pull i915/iwlwifi firmware via the same vendor split.
+    _cpu_vendor_list: "{{ ([_cpu] if (_cpu | length > 0) else []) | list }}"
+    _firmware_vendors: >-
+      {{
+        (_firmware_on | ternary(
+          (_gpus + _wifi + _cpu_vendor_list)
+          | reject('equalto', '') | unique | list,
+          []
+        ))
+      }}
+    _microcode_pkgs: >-
+      {{
+        ((_microcode_on and _cpu | length > 0) | ternary(
+          _family.cpu_microcode[_cpu] | default([]),
+          []
+        )) | list
+      }}
+    _firmware_pkgs: >-
+      {{
+        (_firmware_on | ternary(
+          (_family.firmware_base | default([]) | list)
+          + (_firmware_vendors
+             | map('extract', _family.firmware | default({}))
+             | select('truthy')
+             | list
+             | sum(start=[])),
+          []
+        )) | list
+      }}
+    _gpu_base_pkgs: "{{ (_gpu_on | ternary(_family.gpu_base | default([]), [])) | list }}"
+    _gpu_vendor_pkgs: >-
+      {{
+        (_gpu_on | ternary(
+          (_gpus | reject('equalto', 'nvidia') | list)
+          | map('extract', _family.gpu | default({}))
+          | select('truthy')
+          | list
+          | sum(start=[]),
+          []
+        )) | list
+      }}
+    _gpu_nvidia_pkgs: >-
+      {{
+        ((_gpu_on and ('nvidia' in _gpus)) | ternary(
+          _family.gpu_nvidia[_nvidia_driver_resolved] | default([]),
+          []
+        )) | list
+      }}
+    _peripherals_base_pkgs: >-
+      {{
+        (_webcam_on | ternary(_family.peripherals_base | default([]), [])) | list
+      }}
+    _peripherals_fingerprint_pkgs: >-
+      {{
+        (_fp_on | ternary(_family.peripherals_fingerprint | default([]), [])) | list
+      }}
+    _peripherals_displaylink_pkgs: >-
+      {{
+        (_dl_on | ternary(_family.peripherals_displaylink | default([]), [])) | list
+      }}
+  ansible.builtin.set_fact:
+    _hardware_packages: >-
+      {{
+        (_microcode_pkgs + _firmware_pkgs
+         + _gpu_base_pkgs + _gpu_vendor_pkgs + _gpu_nvidia_pkgs
+         + _peripherals_base_pkgs + _peripherals_fingerprint_pkgs
+         + _peripherals_displaylink_pkgs)
+        | reject('equalto', '')
+        | unique
+        | list
+      }}
+
+- name: Report hardware package selection
+  ansible.builtin.debug:
+    msg: >-
+      Hardware install ({{ os_family }}):
+      cpu={{ hardware_profile_active.cpu | default('-') }},
+      gpus={{ hardware_profile_active.gpus | default([]) | join(',') | default('-', true) }},
+      nvidia_driver={{ _nvidia_driver_resolved }},
+      wireless={{ hardware_profile_active.wireless | default([]) | join(',') | default('-', true) }},
+      fingerprint={{ hardware_profile_active.fingerprint | default(false) }}
+      → {{ _hardware_packages | length }} package(s)
+
+- name: Install hardware packages
+  when: _hardware_packages | length > 0
+  vars:
+    _install_commands:
+      RedHat: >-
+        {{ chroot_command }} dnf --releasever={{ os_version }}
+        --setopt=install_weak_deps=False install -y {{ _hardware_packages | join(' ') }}
+      Debian: >-
+        {{ chroot_command }} apt install -y {{ _hardware_packages | join(' ') }}
+      Archlinux: >-
+        pacstrap /mnt {{ _hardware_packages | join(' ') }}
+      Suse: >-
+        {{ chroot_command }} zypper install -y {{ _hardware_packages | join(' ') }}
+      Alpine: >-
+        {{ chroot_command }} apk add {{ _hardware_packages | join(' ') }}
+      Void: >-
+        {{ chroot_command }} xbps-install -Sy {{ _hardware_packages | join(' ') }}
+  ansible.builtin.command: "{{ _install_commands[os_family] }}"
+  register: _hardware_install_result
+  changed_when: _hardware_install_result.rc == 0
--- a/roles/bootstrap/tasks/main.yml
+++ b/roles/bootstrap/tasks/main.yml
@@ -34,6 +34,13 @@
    bootstrap_var_key: "{{ 'bootstrap_' + (os | replace('-lts', '') | replace('-', '_')) }}"
  ansible.builtin.include_tasks: "{{ bootstrap_os_task_map[os] }}"

+- name: Install hardware-matched firmware/microcode/GPU/peripheral packages
+  when: >-
+    (system_cfg.features.firmware.enabled | bool)
+    or (system_cfg.features.gpu.enabled | bool)
+    or (system_cfg.features.peripherals.enabled | bool)
+  ansible.builtin.include_tasks: _hardware.yml
+
 - name: Install desktop environment packages
  when: system_cfg.features.desktop.enabled | bool
  ansible.builtin.include_tasks: _desktop.yml
--- a/roles/bootstrap/vars/hardware.yml
+++ b/roles/bootstrap/vars/hardware.yml
@@ -0,0 +1,183 @@
+---
+# Hardware-aware package definitions keyed by os_family. Schema:
+#   cpu_microcode[intel|amd]       CPU vendor microcode
+#   firmware_base                  unconditional firmware packages
+#   firmware[<vendor>]             vendor-split firmware (intel|amd|nvidia|
+#                                  atheros|broadcom|mediatek|marvell|realtek|
+#                                  qcom|cirrus|other)
+#   gpu_base                       mesa + vulkan loader
+#   gpu[intel|amd]                 per-GPU userspace
+#   gpu_nvidia[open|proprietary|nouveau]   nvidia driver flavor
+#   peripherals_base               webcam/scanner stack
+#   peripherals_fingerprint        fprintd + libfprint
+#   peripherals_displaylink        evdi kernel module + DisplayLink helpers
+# Only packages matching detected hardware are installed; families without
+# vendor splits collapse to a single firmware meta package.
+bootstrap_hardware_packages:
+  Archlinux:
+    cpu_microcode:
+      intel: [intel-ucode]
+      amd: [amd-ucode]
+    firmware_base: []
+    firmware:
+      intel: [linux-firmware-other]      # iwlwifi + i915 firmware live here
+      amd: [linux-firmware-amdgpu]
+      nvidia: [linux-firmware-nvidia]
+      atheros: [linux-firmware-atheros]
+      broadcom: [linux-firmware-broadcom]
+      mediatek: [linux-firmware-mediatek]
+      marvell: [linux-firmware-marvell]
+      realtek: [linux-firmware-realtek]
+      qcom: [linux-firmware-qcom]
+      cirrus: [linux-firmware-cirrus]
+      other: [linux-firmware-other]
+    gpu_base: [mesa, vulkan-icd-loader]
+    gpu:
+      intel: [vulkan-intel, intel-media-driver]
+      amd: [vulkan-radeon, libva-mesa-driver]
+    gpu_nvidia:
+      open: [nvidia-open-dkms, nvidia-utils]
+      proprietary: [nvidia-dkms, nvidia-utils]
+      nouveau: [xf86-video-nouveau, vulkan-nouveau]
+    peripherals_base: [v4l-utils]
+    peripherals_fingerprint: [fprintd, libfprint]
+    peripherals_displaylink: []          # AUR only; user must wire in AUR helper
+
+  Debian:
+    cpu_microcode:
+      intel: [intel-microcode]
+      amd: [amd64-microcode]
+    firmware_base: [firmware-linux-free]
+    firmware:
+      intel: [firmware-iwlwifi, firmware-misc-nonfree]
+      amd: [firmware-amd-graphics, firmware-misc-nonfree]
+      nvidia: [firmware-misc-nonfree]
+      atheros: [firmware-atheros]
+      broadcom: [firmware-brcm80211]
+      mediatek: [firmware-misc-nonfree]
+      marvell: [firmware-misc-nonfree]
+      realtek: [firmware-realtek]
+      qcom: [firmware-misc-nonfree]
+      cirrus: [firmware-misc-nonfree]
+      other: [firmware-misc-nonfree]
+    gpu_base: [mesa-vulkan-drivers, libgl1-mesa-dri]
+    gpu:
+      intel: [intel-media-va-driver, i965-va-driver]
+      amd: [libva-glx2, mesa-va-drivers]
+    gpu_nvidia:
+      # Debian trixie+ ships nvidia-open-kernel-dkms; older releases only have
+      # the proprietary nvidia-driver. Both come from the non-free component.
+      open: [nvidia-open-kernel-dkms, nvidia-driver, nvidia-vulkan-icd]
+      proprietary: [nvidia-driver, nvidia-vulkan-icd]
+      nouveau: [xserver-xorg-video-nouveau]
+    peripherals_base: [v4l-utils]
+    peripherals_fingerprint: [fprintd, libpam-fprintd]
+    peripherals_displaylink: [evdi-dkms]  # userspace driver still needs vendor .run
+
+  RedHat:
+    cpu_microcode:
+      intel: [microcode_ctl]
+      amd: [microcode_ctl]
+    firmware_base: [linux-firmware]
+    firmware:
+      intel: []
+      amd: []
+      nvidia: []
+      atheros: []
+      broadcom: []
+      mediatek: []
+      marvell: []
+      realtek: []
+      qcom: []
+      cirrus: []
+      other: []
+    gpu_base: [mesa-dri-drivers, mesa-vulkan-drivers, vulkan-loader]
+    gpu:
+      intel: [intel-media-driver, libva-intel-driver]
+      amd: [mesa-va-drivers]
+    gpu_nvidia:
+      # akmod packages from RPMFusion non-free; repo enabled by _hardware.yml.
+      open: [akmod-nvidia-open, xorg-x11-drv-nvidia, xorg-x11-drv-nvidia-cuda]
+      proprietary: [akmod-nvidia, xorg-x11-drv-nvidia, xorg-x11-drv-nvidia-cuda]
+      nouveau: [xorg-x11-drv-nouveau]
+    peripherals_base: [v4l-utils]
+    peripherals_fingerprint: [fprintd, fprintd-pam]
+    peripherals_displaylink: [evdi]      # COPR-supplied; repo enablement deferred
+
+  Suse:
+    cpu_microcode:
+      intel: [ucode-intel]
+      amd: [ucode-amd]
+    firmware_base: [kernel-firmware-all]
+    firmware: {}
+    gpu_base: [Mesa, Mesa-libGL1, libvulkan1]
+    gpu:
+      intel: [libvulkan_intel]
+      amd: [libvulkan_radeon]
+    gpu_nvidia:
+      # NVIDIA SUSE repo packages; repo enablement out of scope for v1.
+      open: [nvidia-open-driver-G06-signed-kmp-default]
+      proprietary: [x11-video-nvidiaG06]
+      nouveau: [xf86-video-nouveau]
+    peripherals_base: [v4l-utils]
+    peripherals_fingerprint: [fprintd, libfprint-2-2]
+    peripherals_displaylink: []
+
+  Alpine:
+    cpu_microcode:
+      intel: [intel-ucode]
+      amd: [amd-ucode]
+    firmware_base: []
+    firmware:
+      intel: [linux-firmware-other, linux-firmware-i915]
+      amd: [linux-firmware-amdgpu]
+      nvidia: [linux-firmware-nvidia]
+      atheros: [linux-firmware-ath10k_pci, linux-firmware-ath11k]
+      broadcom: [linux-firmware-brcm]
+      mediatek: [linux-firmware-mediatek]
+      marvell: [linux-firmware-mrvl]
+      realtek: [linux-firmware-rtl_nic, linux-firmware-rtlwifi]
+      qcom: [linux-firmware-qcom]
+      cirrus: [linux-firmware-cirrus]
+      other: [linux-firmware-other]
+    gpu_base: [mesa, mesa-dri-gallium]
+    gpu:
+      intel: [mesa-vulkan-intel, intel-media-driver]
+      amd: [mesa-vulkan-ati, mesa-va-gallium]
+    gpu_nvidia:
+      # Alpine ships only the open-kernel-modules variant in community.
+      open: [nvidia-open-gpu-kernel-modules]
+      proprietary: []                    # not packaged on Alpine
+      nouveau: [mesa-vulkan-nouveau]
+    peripherals_base: [v4l-utils]
+    peripherals_fingerprint: [fprintd, libfprint]
+    peripherals_displaylink: []
+
+  Void:
+    cpu_microcode:
+      intel: [intel-ucode]
+      amd: [linux-firmware-amd]
+    firmware_base: [linux-firmware]
+    firmware:
+      intel: [linux-firmware-intel, linux-firmware-network]
+      amd: [linux-firmware-amd]
+      nvidia: [linux-firmware-nvidia]
+      atheros: [linux-firmware-network]
+      broadcom: [linux-firmware-broadcom]
+      mediatek: [linux-firmware-network]
+      marvell: [linux-firmware-network]
+      realtek: [linux-firmware-network]
+      qcom: [linux-firmware-network]
+      cirrus: [linux-firmware]
+      other: [linux-firmware]
+    gpu_base: [mesa, mesa-dri]
+    gpu:
+      intel: [mesa-vulkan-intel, intel-video-accel]
+      amd: [mesa-vulkan-radeon, mesa-vaapi]
+    gpu_nvidia:
+      open: [nvidia-open]                # in nonfree repo
+      proprietary: [nvidia]              # in nonfree repo
+      nouveau: [xf86-video-nouveau]
+    peripherals_base: [v4l-utils]
+    peripherals_fingerprint: [fprintd, libfprint]
+    peripherals_displaylink: []