I've started looking at Ansible to manage all the laptops, VMs, SBCs that I have running Arch.
Got the ol' pacman installs / updates working fine, but I'm having some problems understanding how to set up AUR to install some of those packages.
Main issue is where Ansible is basically doing everything as root, and AUR helpers don't want to run as root, so ok, create a 2nd non-root user first...
But even installing an AUR helper (yay) brings problems:
I can set up a folder in /tmp/aur , I can git clone the yay package, but then I have no idea how to run makepkg or then yay as that non-root user.
Sounds like you have configured your Ansible to run as root by default. You should remove that from your ansible.cfg. For the tasks you do need root for, you use the keyword 'become: true' to use sudo for that task alone (or use 'become' for a block if several tasks).
I may be wrong, but if you did ssh as root then it seems like your ssh configuration leaves a bit to be desired. If you can ssh in as root, you may want to disallow that in your ssh configuration... don't remember the setting now, 'AllowRoot no' maybe? Then it also should be that you have your pub key in root's .ssh/authorized_keys, you may want to remove that. Allowing anyone to ssh in as root is probably not a good idea. For example 'root' is a very common username used in bruteforce attacks on exposed ssh ports, so locking down any possibility to get in as root directly is probably a good idea.
Edit: I missed part of the question. The repository below only references installing yay. Could you have the become_password as a vault secret in ansible and respond to the password prompt with expect?
I literally stumbled upon this a few hours ago, maybe it will help.
I did something similar with Puppet a while ago, it also runs as root so I had the same problem.
My solution was to set up my own package repo for the AUR packages I needed and just build them periodically. This way I only have to build them once for all the machines.
If your non-root user has sudo access, then it should be as easy as making your Ansible playbook log in as the non-root user by default, and then use Ansible's become for anything that needs to run with sudo.
Can't you change to a normal user with become? We do lots of stuff with Ansible as normal user. You should be able to create tasks that get executed as normal user and install yay and run makepkg, and then run yay to install packages.
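A playbook sketching the approach these replies describe (connect as a sudo-capable user, `become` root only for the tasks that need it, `become_user` for the unprivileged build steps, and a sudoers rule that lets the build user run nothing but pacman), as an added example rather than code posted by anyone in this thread; the host group `arch_hosts`, the user name `aur_builder` and the package list are assumptions:

```yaml
# Added example, not from the thread. Assumes Ansible connects as a
# non-root admin user with sudo rights; "arch_hosts" and "aur_builder"
# are placeholder names.
- hosts: arch_hosts
  become: true                      # escalate to root only where needed
  vars:
    aur_user: aur_builder
    aur_packages: [yay-bin]         # placeholder list, replace with your own
  tasks:
    - name: Install build prerequisites from the official repos
      community.general.pacman:
        name: [base-devel, git]
        state: present
        update_cache: true

    - name: Create an unprivileged user whose only job is building packages
      ansible.builtin.user:
        name: "{{ aur_user }}"
        system: true
        create_home: true

    - name: Allow the build user to run pacman (and nothing else) via sudo
      ansible.builtin.lineinfile:
        path: /etc/sudoers.d/11-aur_builder
        line: "{{ aur_user }} ALL=(root) NOPASSWD: /usr/bin/pacman"
        create: true
        mode: "0440"
        validate: visudo -cf %s     # refuse to write a broken sudoers file

    - name: Clone the yay PKGBUILD as the build user
      become_user: "{{ aur_user }}"
      ansible.builtin.git:
        repo: https://aur.archlinux.org/yay.git
        dest: "/home/{{ aur_user }}/yay"

    - name: Build and install yay as the build user (makepkg refuses root)
      become_user: "{{ aur_user }}"
      ansible.builtin.command:
        cmd: makepkg -si --noconfirm   # -i calls sudo pacman -U, allowed above
        chdir: "/home/{{ aur_user }}/yay"
        creates: /usr/bin/yay          # idempotent: skipped once yay exists

    - name: Install AUR packages with yay, still as the build user
      become_user: "{{ aur_user }}"
      ansible.builtin.command:
        cmd: "yay -S --noconfirm --needed {{ aur_packages | join(' ') }}"
      register: yay_result
      changed_when: "'there is nothing to do' not in yay_result.stdout"
```

Because the connection user is not root, the build user's sudo rule is the only root access the AUR steps ever get, and `visudo -cf` keeps a typo in that rule from locking everyone out of sudo.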