diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml
index e9320f9..ca250b7 100644
--- a/molecule/default/requirements.yml
+++ b/molecule/default/requirements.yml
@@ -1,3 +1,4 @@
 ---
 # requirements file for molecule
-roles: []
+roles:
+ - name: ednxzu.manage_apt_packages
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index 0433fa6..03f484f 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
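Review bot: The new role dependency `ednxzu.manage_apt_packages` is added without a `version:`, so every molecule run resolves whatever Galaxy currently serves and the test matrix is not reproducible; the same applies to molecule/with_custom_repo/requirements.yml. Pin it, e.g. `- name: ednxzu.manage_apt_packages` followed by `version: "<pinned-tag>"` (placeholder), and bump it deliberately. Since tasks/prerequisites.yml now runs this role inside the role itself, the same pin should be declared in the role's own dependency metadata so consumers get the version that was tested.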
@@ -40,19 +40,49 @@ - stat_etc_apt_sources_list.stat.mode == '0644' - name: "Verify file /etc/apt/sources.list" + vars: + expected_source_list_content: | + # See /etc/apt/sources.list.d/{{ ansible_distribution|lower }}.sources ansible.builtin.assert: that: - - "('deb http://fr.archive.ubuntu.com/ubuntu ' + ansible_distribution_release + ' main restricted universe multiverse') in (slurp_etc_apt_sources_list.content|b64decode)" - - "('deb http://fr.archive.ubuntu.com/ubuntu ' + ansible_distribution_release + '-updates main restricted universe multiverse') in (slurp_etc_apt_sources_list.content|b64decode)" - - "('deb http://fr.archive.ubuntu.com/ubuntu ' + ansible_distribution_release + '-security main restricted universe multiverse') in (slurp_etc_apt_sources_list.content|b64decode)" - - "('deb http://fr.archive.ubuntu.com/ubuntu ' + ansible_distribution_release + '-backports main restricted universe multiverse') in (slurp_etc_apt_sources_list.content|b64decode)" - when: (ansible_distribution|lower) == 'ubuntu' + - "(slurp_etc_apt_sources_list.content|b64decode) == expected_source_list_content" - - name: "Verify file /etc/apt/sources.list" + - name: "Test: file /etc/apt/sources.list.d/{{ ansible_distribution|lower }}" + block: + - name: "Stat /etc/apt/sources.list.d/{{ ansible_distribution|lower }}" + ansible.builtin.stat: + path: "/etc/apt/sources.list.d/{{ ansible_distribution|lower }}.sources" + register: stat_etc_apt_sources_list_d + + - name: "Slurp file /etc/apt/sources.list.d/{{ ansible_distribution|lower }}" + ansible.builtin.slurp: + src: "/etc/apt/sources.list.d/{{ ansible_distribution|lower }}.sources" + register: slurp_etc_apt_sources_list_d + + - name: "Verify file /etc/apt/sources.list.d/{{ ansible_distribution|lower }}" ansible.builtin.assert: that: - - "('deb http://deb.debian.org/debian ' + ansible_distribution_release + ' main contrib') in (slurp_etc_apt_sources_list.content|b64decode)" - - "('deb http://deb.debian.org/debian ' + 
ansible_distribution_release + '-updates main contrib') in (slurp_etc_apt_sources_list.content|b64decode)" - - "('deb http://deb.debian.org/debian-security ' + ansible_distribution_release + '-security main contrib') in (slurp_etc_apt_sources_list.content|b64decode)" - - "('deb http://deb.debian.org/debian ' + ansible_distribution_release + '-backports main') in (slurp_etc_apt_sources_list.content|b64decode)" - when: (ansible_distribution|lower) == 'debian' + - stat_etc_apt_sources_list_d.stat.exists + - stat_etc_apt_sources_list_d.stat.isreg + - stat_etc_apt_sources_list_d.stat.pw_name == 'root' + - stat_etc_apt_sources_list_d.stat.gr_name == 'root' + - stat_etc_apt_sources_list_d.stat.mode == '0644' + + - name: "Verify file /etc/apt/sources.list.d/{{ ansible_distribution|lower }}" + vars: + expected_source_list_content: + ubuntu: | + X-Repolib-Name: ubuntu + Types: deb + URIs: http://fr.archive.ubuntu.com/ubuntu + Suites: {{ ansible_distribution_release }} {{ ansible_distribution_release }}-security {{ ansible_distribution_release }}-updates {{ ansible_distribution_release }}-backports + Components: main restricted universe multiverse + debian: | + X-Repolib-Name: debian + Types: deb + URIs: http://deb.debian.org/debian + Suites: {{ ansible_distribution_release }} {{ ansible_distribution_release }}-updates {{ ansible_distribution_release }}-backports + Components: main + ansible.builtin.assert: + that: + - "(slurp_etc_apt_sources_list_d.content|b64decode) == expected_source_list_content[ansible_distribution|lower]" diff --git a/molecule/with_custom_repo/group_vars/all.yml b/molecule/with_custom_repo/group_vars/all.yml index b2c1c21..8137599 100644 --- a/molecule/with_custom_repo/group_vars/all.yml +++ b/molecule/with_custom_repo/group_vars/all.yml 
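Review bot: The new whole-file equality assertions (`(slurp_etc_apt_sources_list.content|b64decode) == expected_source_list_content` and the `.sources` one at the end of the hunk) report only "Assertion failed" on mismatch, which hides the actual file content that the replaced `in` checks at least narrowed down; add a `fail_msg` on each assert, e.g. `fail_msg: "{{ slurp_etc_apt_sources_list_d.content | b64decode }}"`. The same hunk is repeated in molecule/with_custom_repo/verify.yml and should get the same treatment. Note also that the expected `sources.list` content is a `|` block scalar and therefore ends with a newline, so the test only passes if the role really writes a trailing newline; keep that in mind when `manage_repositories_sources_list_message` in vars/main.yml is touched.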
@@ -2,17 +2,25 @@ manage_repositories_enable_default_repo: true manage_repositories_enable_custom_repo: true manage_repositories_custom_repo: - - uri: "https://apt.releases.hashicorp.com" - gpg_key: "https://apt.releases.hashicorp.com/gpg" - comments: "hashicorp repository" - type: "deb" - suites: "{{ ansible_distribution_release }}" - components: "main" - filename: "hashicorp" - - uri: "https://download.docker.com/linux/{{ ansible_distribution|lower }}" - gpg_key: "https://download.docker.com/linux/{{ ansible_distribution|lower }}/gpg" + - name: docker + uri: "https://download.docker.com/linux/{{ ansible_distribution|lower }}" comments: "{{ ansible_distribution|lower }} docker repository" - type: "deb" - suites: "{{ ansible_distribution_release }}" - components: "stable" - filename: "docker" + types: + - deb + suites: + - "{{ ansible_distribution_release }}" + components: + - stable + options: + Signed-By: "https://download.docker.com/linux/{{ ansible_distribution|lower }}/gpg" + - name: hashicorp + uri: "https://apt.releases.hashicorp.com" + comments: "hashicorp repository" + types: + - deb + suites: + - "{{ ansible_distribution_release }}" + components: + - main + options: + Signed-By: "https://apt.releases.hashicorp.com/gpg" diff --git a/molecule/with_custom_repo/requirements.yml b/molecule/with_custom_repo/requirements.yml index e9320f9..ca250b7 100644 --- a/molecule/with_custom_repo/requirements.yml +++ b/molecule/with_custom_repo/requirements.yml @@ -1,3 +1,4 @@ --- # requirements file for molecule -roles: [] +roles: + - name: ednxzu.manage_apt_packages diff --git a/molecule/with_custom_repo/verify.yml b/molecule/with_custom_repo/verify.yml index 947aa4e..8418cb9 100644 --- a/molecule/with_custom_repo/verify.yml +++ b/molecule/with_custom_repo/verify.yml 
@@ -40,22 +40,52 @@ - stat_etc_apt_sources_list.stat.mode == '0644' - name: "Verify file /etc/apt/sources.list" + vars: + expected_source_list_content: | + # See /etc/apt/sources.list.d/{{ ansible_distribution|lower }}.sources ansible.builtin.assert: that: - - "('deb http://fr.archive.ubuntu.com/ubuntu ' + ansible_distribution_release + ' main restricted universe multiverse') in (slurp_etc_apt_sources_list.content|b64decode)" - - "('deb http://fr.archive.ubuntu.com/ubuntu ' + ansible_distribution_release + '-updates main restricted universe multiverse') in (slurp_etc_apt_sources_list.content|b64decode)" - - "('deb http://fr.archive.ubuntu.com/ubuntu ' + ansible_distribution_release + '-security main restricted universe multiverse') in (slurp_etc_apt_sources_list.content|b64decode)" - - "('deb http://fr.archive.ubuntu.com/ubuntu ' + ansible_distribution_release + '-backports main restricted universe multiverse') in (slurp_etc_apt_sources_list.content|b64decode)" - when: (ansible_distribution|lower) == 'ubuntu' + - "(slurp_etc_apt_sources_list.content|b64decode) == expected_source_list_content" - - name: "Verify file /etc/apt/sources.list" + - name: "Test: file /etc/apt/sources.list.d/{{ ansible_distribution|lower }}" + block: + - name: "Stat /etc/apt/sources.list.d/{{ ansible_distribution|lower }}" + ansible.builtin.stat: + path: "/etc/apt/sources.list.d/{{ ansible_distribution|lower }}.sources" + register: stat_etc_apt_sources_list_d + + - name: "Slurp file /etc/apt/sources.list.d/{{ ansible_distribution|lower }}" + ansible.builtin.slurp: + src: "/etc/apt/sources.list.d/{{ ansible_distribution|lower }}.sources" + register: slurp_etc_apt_sources_list_d + + - name: "Verify file /etc/apt/sources.list.d/{{ ansible_distribution|lower }}" ansible.builtin.assert: that: - - "('deb http://deb.debian.org/debian ' + ansible_distribution_release + ' main contrib') in (slurp_etc_apt_sources_list.content|b64decode)" - - "('deb http://deb.debian.org/debian ' + 
ansible_distribution_release + '-updates main contrib') in (slurp_etc_apt_sources_list.content|b64decode)" - - "('deb http://deb.debian.org/debian-security ' + ansible_distribution_release + '-security main contrib') in (slurp_etc_apt_sources_list.content|b64decode)" - - "('deb http://deb.debian.org/debian ' + ansible_distribution_release + '-backports main') in (slurp_etc_apt_sources_list.content|b64decode)" - when: (ansible_distribution|lower) == 'debian' + - stat_etc_apt_sources_list_d.stat.exists + - stat_etc_apt_sources_list_d.stat.isreg + - stat_etc_apt_sources_list_d.stat.pw_name == 'root' + - stat_etc_apt_sources_list_d.stat.gr_name == 'root' + - stat_etc_apt_sources_list_d.stat.mode == '0644' + + - name: "Verify file /etc/apt/sources.list.d/{{ ansible_distribution|lower }}" + vars: + expected_source_list_content: + ubuntu: | + X-Repolib-Name: ubuntu + Types: deb + URIs: http://fr.archive.ubuntu.com/ubuntu + Suites: {{ ansible_distribution_release }} {{ ansible_distribution_release }}-security {{ ansible_distribution_release }}-updates {{ ansible_distribution_release }}-backports + Components: main restricted universe multiverse + debian: | + X-Repolib-Name: debian + Types: deb + URIs: http://deb.debian.org/debian + Suites: {{ ansible_distribution_release }} {{ ansible_distribution_release }}-updates {{ ansible_distribution_release }}-backports + Components: main + ansible.builtin.assert: + that: + - "(slurp_etc_apt_sources_list_d.content|b64decode) == expected_source_list_content[ansible_distribution|lower]" - name: "Test: directory /etc/apt/sources.list.d" block: 
@@ -78,23 +108,45 @@ register: slurp_etc_apt_sources_list_d - name: "Verify file /etc/apt/sources.list.d/docker.list" + vars: + expected_source_list_docker_content: | + # Ansible managed: Do NOT edit this file manually! + + # {{ ansible_distribution|lower }} docker repository + X-Repolib-Name: docker + Types: deb + URIs: https://download.docker.com/linux/{{ ansible_distribution|lower }} + Suites: {{ ansible_distribution_release }} + Components: stable + Signed-By: /usr/share/keyrings/docker-archive-keyring.asc ansible.builtin.assert: that: - item.item.isreg - item.item.pw_name == 'root' - item.item.gr_name == 'root' - item.item.mode == '0644' - - "(item.content|b64decode) == ('deb [signed-by=/usr/share/keyrings/docker-archive-keyring.asc] https://download.docker.com/linux/' + (ansible_distribution|lower) + ' ' + ansible_distribution_release + ' stable\\n')" + - "(item.content|b64decode) == expected_source_list_docker_content" loop: "{{ slurp_etc_apt_sources_list_d.results }}" when: (item.item.path | basename | splitext | first) == 'docker' - name: "Verify file /etc/apt/sources.list.d/hashicorp.list" + vars: + expected_source_list_hashicorp_content: | + # Ansible managed: Do NOT edit this file manually! + + # hashicorp repository + X-Repolib-Name: hashicorp + Types: deb + URIs: https://apt.releases.hashicorp.com + Suites: {{ ansible_distribution_release }} + Components: main + Signed-By: /usr/share/keyrings/hashicorp-archive-keyring.asc ansible.builtin.assert: that: - item.item.isreg - item.item.pw_name == 'root' - item.item.gr_name == 'root' - item.item.mode == '0644' - - "(item.content|b64decode) == ('deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.asc] https://apt.releases.hashicorp.com ' + ansible_distribution_release + ' main\\n')" + - "(item.content|b64decode) == expected_source_list_hashicorp_content" loop: "{{ slurp_etc_apt_sources_list_d.results }}" when: (item.item.path | basename | splitext | first) == 'hashicorp' 
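Review bot: The task names `Verify file /etc/apt/sources.list.d/docker.list` and `.../hashicorp.list` are stale now that the expected content is a deb822 `.sources` file; rename them to `docker.sources` / `hashicorp.sources` so a failure points at the right file. The `when` filter `(item.item.path | basename | splitext | first) == 'docker'` matches both `docker.list` and `docker.sources`, so if the directory listing that feeds the loop (built outside this hunk) picks up a leftover `.list` from an earlier role version, that file would be compared against the deb822 content and fail with a misleading message; an explicit assertion that the old `.list` files are absent would make the migration expectation visible. The expected `Signed-By:` path hard-codes `/usr/share/keyrings` rather than deriving it from the role variable, which is acceptable for a fixture but must move together with vars/main.yml.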
diff --git a/tasks/custom_repositories.yml b/tasks/custom_repositories.yml index 5edd07f..2d4995a 100644 --- a/tasks/custom_repositories.yml +++ b/tasks/custom_repositories.yml @@ -2,17 +2,23 @@ # task/custom_repositories file for manage_repositories - name: "Download gpg key for custom repositories" ansible.builtin.get_url: - url: "{{ item.gpg_key }}" - dest: "/usr/share/keyrings/{{ item.filename }}-archive-keyring.asc" + url: "{{ item.options['Signed-By'] }}" + dest: "{{ manage_repositories_signing_keys_location }}/{{ item.name }}-archive-keyring.asc" mode: '0644' loop: "{{ manage_repositories_custom_repo }}" - when: item.gpg_key not in [None, ''] + when: item.options is defined + and item.options['Signed-By'] is defined + and item.options['Signed-By'] not in [None, ''] -- name: "Add custom repository into source.list.d/.list" +- name: "Configure custom repositories" vars: - signed_by: "{% if item.gpg_key not in [None, ''] %}[signed-by=/usr/share/keyrings/{{ item.filename }}-archive-keyring.asc]{% endif %}" - ansible.builtin.apt_repository: - repo: "{{ item.type }} {% if signed_by != '' %}{{ signed_by }} {% endif %}{{ item.uri }} {{ item.suites }} {{ item.components }}" - state: "present" - filename: "{{ item.filename }}" + repository: "{{ item }}" + ansible.builtin.template: + src: "repo.sources.j2" + dest: "{{ manage_repositories_repo_location }}/{{ item.name }}.sources" + mode: '0644' + owner: root + group: root loop: "{{ manage_repositories_custom_repo }}" + notify: + - "debian-based-cache-update" diff --git a/tasks/debian.yml b/tasks/debian.yml deleted file mode 100644 index 858d672..0000000 --- a/tasks/debian.yml +++ /dev/null 
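Review bot: Switching the custom repositories from `apt_repository` (which wrote `<filename>.list`) to a templated `<name>.sources` leaves the previously generated `.list` files in place on hosts that ran an earlier version of the role, so apt would see each custom repository twice until someone removes them by hand; add a cleanup task before the template loop. The cleanup below assumes the old `filename` equalled the new `name`, which holds for the molecule fixtures on this page but should be stated in the changelog. The `get_url` download of the signing key still has no `checksum:`, so whatever the URL serves is installed as a trusted keyring without verification; consider an optional per-repository checksum entry under `options` (key name is a suggestion) passed through as `checksum: "{{ ... | default(omit) }}"`, and set `owner: root` / `group: root` on the key as the template task already does for the `.sources` file.
```yaml
- name: "Remove legacy .list files for custom repositories"
  ansible.builtin.file:
    path: "{{ manage_repositories_repo_location }}/{{ item.name }}.list"
    state: absent
  loop: "{{ manage_repositories_custom_repo }}"
  notify:
    - "debian-based-cache-update"

# … unchanged: "Configure custom repositories" template loop …
```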
@@ -1,13 +0,0 @@ ---- -# task/debian file for manage_repositories -- name: "Configure ubuntu main repositories into sources.list" - vars: - repositories: "{{ manage_repositories_default_repo }}" - ansible.builtin.template: - src: "sources.list.j2" - dest: "{{ manage_repositories_default_repo_location }}" - mode: '0644' - owner: root - group: root - notify: - - "debian-based-cache-update" diff --git a/tasks/main.yml b/tasks/main.yml index 9707fa8..a21273d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -4,16 +4,12 @@ ansible.builtin.include_vars: file: "{{ ansible_distribution|lower }}.yml" -- name: "Import main repositories" - when: manage_repositories_enable_default_repo - block: - - name: "Import ubuntu.yml" - ansible.builtin.include_tasks: ubuntu.yml - when: ansible_distribution == 'Ubuntu' +- name: "Import prerequisites.yml" + ansible.builtin.include_tasks: prerequisites.yml - - name: "Import debian.yml" - ansible.builtin.include_tasks: debian.yml - when: ansible_distribution == 'Debian' +- name: "Import main repositories for {{ ansible_distribution|lower }}" + ansible.builtin.include_tasks: "main_repositories.yml" + when: manage_repositories_enable_default_repo - name: "Import custom_repositories.yml" ansible.builtin.include_tasks: custom_repositories.yml diff --git a/tasks/main_repositories.yml b/tasks/main_repositories.yml new file mode 100644 index 0000000..57f9bf6 --- /dev/null +++ b/tasks/main_repositories.yml 
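Review bot: `Import prerequisites.yml` runs unconditionally, but the only consumer of the package it installs (`python3-debian`, which `ansible.builtin.deb822_repository` in tasks/main_repositories.yml requires) is itself behind `when: manage_repositories_enable_default_repo`; the custom-repository path uses `ansible.builtin.template` and needs nothing extra. Gate the include with the same condition, `when: manage_repositories_enable_default_repo`, so a host that only wants custom repositories does not pull in a third-party role and an additional package.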
@@ -0,0 +1,44 @@ +--- +# task/debian file for manage_repositories +- name: "Emtpy /etc/apt/sources.list" + block: + - name: "Read the current content of source.list" + ansible.builtin.slurp: + src: "{{ manage_repositories_sources_list_location }}" + register: sources_list_current_content + ignore_errors: true + + - name: "Convert sources.list current content to string" + ansible.builtin.set_fact: + sources_list_current_content_str: "{{ (sources_list_current_content.content | default('')) | b64decode }}" + + - name: "Define sources.list new content" + ansible.builtin.set_fact: + sources_list_new_content: "{{ manage_repositories_sources_list_message }}" + + - name: "Create file /etc/apt/sources.list" + ansible.builtin.file: + path: "{{ manage_repositories_sources_list_location }}" + state: touch + owner: root + group: root + mode: '0644' + when: sources_list_current_content_str == '' + + - name: "Replace content of /etc/apt/sources.list" + ansible.builtin.replace: + path: "{{ manage_repositories_sources_list_location }}" + regexp: "{{ sources_list_current_content_str | regex_escape }}" + replace: "{{ sources_list_new_content }}" + when: sources_list_current_content_str != sources_list_new_content + +- name: "Configure main repositories into sources.list.d for {{ ansible_distribution|lower }} " + ansible.builtin.deb822_repository: + name: "{{ item.name }}" + types: "{{item.types}}" + uris: "{{ item.uri }}" + suites: "{{ item.suites | join(' ') }}" + components: "{{ item.components }}" + loop: "{{ manage_repositories_default_repo }}" + notify: + - "debian-based-cache-update" diff --git a/tasks/prerequisites.yml b/tasks/prerequisites.yml new file mode 100644 index 0000000..6e851f1 --- /dev/null +++ b/tasks/prerequisites.yml 
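Review bot: The five-task `Emtpy /etc/apt/sources.list` block (slurp with `ignore_errors: true`, two `set_fact`, `touch`, then `ansible.builtin.replace` using the whole current file as an escaped regexp) re-implements what `ansible.builtin.copy` with `content:` does idempotently in one task, and as far as I can tell the `replace` step only produces a real newline because Python's re.sub interprets the `\n` in the replacement — `manage_repositories_sources_list_message` in vars/main.yml is written as `"...\\n"`, which inside a double-quoted YAML scalar is a literal backslash-n unless the diff rendering doubled the backslash. That also means `when: sources_list_current_content_str != sources_list_new_content` compares decoded file content against the literal and never short-circuits. A single copy task, with the message turned into a `|` block scalar, removes the regexp, the `ignore_errors` (which masks permission errors as well as a missing file) and the trailing-newline ambiguity. While here: `Emtpy` → `Empty` in the task name, the header `# task/debian file for manage_repositories` belongs to the deleted file, and the trailing space in `"Configure main repositories into sources.list.d for {{ ansible_distribution|lower }} "` should go.
```yaml
- name: "Empty /etc/apt/sources.list"
  ansible.builtin.copy:
    content: "{{ manage_repositories_sources_list_message }}"
    dest: "{{ manage_repositories_sources_list_location }}"
    owner: root
    group: root
    mode: '0644'

# … unchanged: "Configure main repositories into sources.list.d" deb822_repository loop …
```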
@@ -0,0 +1,7 @@
+---
+# task/prerequisites file for manage_repositories
+- name: "Install python dependencies"
+ ansible.builtin.include_role:
+ name: ednxzu.manage_apt_packages
+ vars:
+ manage_apt_packages_list: "{{ manage_repositories_required_packages }}"
diff --git a/tasks/ubuntu.yml b/tasks/ubuntu.yml
deleted file mode 100644
index ca2eebf..0000000
--- a/tasks/ubuntu.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-# task/ubuntu file for manage_repositories
-- name: "Configure ubuntu main repositories into sources.list"
- vars:
- repositories: "{{ manage_repositories_default_repo }}"
- ansible.builtin.template:
- src: "sources.list.j2"
- dest: "{{ manage_repositories_default_repo_location }}"
- mode: '0644'
- owner: root
- group: root
- notify:
- "debian-based-cache-update"
diff --git a/templates/repo.sources.j2 b/templates/repo.sources.j2
new file mode 100644
index 0000000..79dae38
--- /dev/null
+++ b/templates/repo.sources.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+# {{ repository.comments}}
+X-Repolib-Name: {{ repository.name }}
+Types: {{ repository.types | join(' ') }}
+URIs: {{ repository.uri }}
+Suites: {{ repository.suites | join(' ') }}
+Components: {{ repository.components | join(' ') }}
+{% if (repository.options is defined) and repository.options %}
+{% for option in repository.options %}
+{% if option == "Signed-By" %}
+{{ option }}: {{ manage_repositories_signing_keys_location + "/" + item.name + "-archive-keyring.asc" }}
+{% else %}
+{{ option }}: {{ repository.options[option] }}
+{% endif %}
+{% endfor %}
+{% endif %}
diff --git a/templates/sources.list.j2 b/templates/sources.list.j2
deleted file mode 100644
index c8ca4dd..0000000
--- a/templates/sources.list.j2
+++ /dev/null
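Review bot: The `Signed-By` branch of templates/repo.sources.j2 builds the keyring path from `item.name` while every other line reads the repository from the `repository` variable the task passes in via `vars:`; it only works because the loop variable `item` leaks into the template scope, and it breaks for any caller that renders the template with a `repository` that is not the current loop item. Use the same variable there: `{{ option }}: {{ manage_repositories_signing_keys_location ~ "/" ~ repository.name ~ "-archive-keyring.asc" }}` (`~` also avoids a type error if a value is not a string). Separately, `# {{ repository.comments}}` hard-fails when `comments` is omitted from a repository entry; `{{ repository.comments | default('') }}` makes it optional, matching the `is defined` guard already used for `options`.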
@@ -1,6 +0,0 @@
-# {{ ansible_managed }}
-
-{% for repository in repositories %}
-# {{ repository.comments}}
-{{ repository.type }} {% if repository.gpg_key is not none %}[signed-by=/usr/share/keyrings/{{ repository.filename }}-archive-keyring.asc] {% endif %}{{ repository.uri }} {{ repository.suites }} {{ repository.components }}
-{% endfor %}
\ No newline at end of file
diff --git a/vars/debian.yml b/vars/debian.yml
index 73b7639..aa099c6 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -1,31 +1,23 @@
 ---
 # vars file for manage_repositories
 manage_repositories_default_repo:
- # debian main repository
- - uri: "{{ manage_repositories_main_repo_uri[ansible_distribution|lower] }}"
- gpg_key:
+ - name: debian
+ uri: "{{ manage_repositories_main_repo_uri[ansible_distribution|lower] }}"
 comments: "debian main repository"
- type: "deb"
- suites: "{{ ansible_distribution_release }}"
- components: "main contrib"
- # debian updates repository
- - uri: "{{ manage_repositories_main_repo_uri[ansible_distribution|lower] }}"
- gpg_key:
- comments: "debian updates repository"
- type: "deb"
- suites: "{{ ansible_distribution_release }}-updates"
- components: "main contrib"
- # debian security repository
- - uri: "{{ manage_repositories_main_repo_uri[ansible_distribution|lower] }}-security"
- gpg_key:
- comments: "debian security repository"
- type: "deb"
- suites: "{{ ansible_distribution_release }}-security"
- components: "main contrib"
- # debian backports repository
- - uri: "{{ manage_repositories_main_repo_uri[ansible_distribution|lower] }}"
- gpg_key:
- comments: "debian backports repository"
- type: "deb"
- suites: "{{ ansible_distribution_release }}-backports"
- components: "main"
+ types:
+ - deb
+ suites:
+ - "{{ ansible_distribution_release }}"
+ - "{{ ansible_distribution_release }}-updates"
+ - "{{ ansible_distribution_release }}-backports"
+ components:
+ - main
+ - name: debian-security
+ uri: "{{ manage_repositories_main_repo_uri[ansible_distribution|lower] }}-security"
+ comments: "debian main repository"
+ types:
+ - deb
+ suites:
+ - "{{ ansible_distribution_release }}-security"
+ components:
+ - main
diff --git a/vars/main.yml b/vars/main.yml
index 4b126a0..d6c9648 100644
--- a/vars/main.yml
+++ b/vars/main.yml
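Review bot: The new `debian-security` entry carries `comments: "debian main repository"`, copied from the first entry; the removed lines called it `debian security repository`, so this is a copy-paste slip — change it to `comments: "debian security repository"`. It is currently invisible because the `deb822_repository` task in tasks/main_repositories.yml does not consume `comments`, but the value is wrong and will surface as soon as it is rendered anywhere. Separately, the Debian default components shrink from `main contrib` to `main` while vars/ubuntu.yml keeps its full set; if that is intentional it deserves a changelog note, otherwise add `- contrib` under both `components` lists.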
@@ -1,3 +1,10 @@
 ---
 # vars file for manage_repositories
-manage_repositories_default_repo_location: /etc/apt/sources.list
+manage_repositories_sources_list_location: /etc/apt/sources.list
+manage_repositories_repo_location: /etc/apt/sources.list.d
+manage_repositories_signing_keys_location: /usr/share/keyrings
+manage_repositories_sources_list_message: "# See /etc/apt/sources.list.d/{{ ansible_distribution|lower }}.sources\\n"
+manage_repositories_required_packages:
+ - name: python3-debian
+ version: latest
+ state: present
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
index 10f2c7d..8bb0bf8 100644
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@@ -1,31 +1,18 @@
 ---
 # vars file for manage_repositories
 manage_repositories_default_repo:
- # ubuntu main repository
- - uri: "{{ manage_repositories_main_repo_uri[ansible_distribution|lower] }}"
- gpg_key:
+ - name: ubuntu
+ uri: "{{ manage_repositories_main_repo_uri[ansible_distribution|lower] }}"
 comments: "ubuntu main repository"
- type: "deb"
- suites: "{{ ansible_distribution_release }}"
- components: "main restricted universe multiverse"
- # ubuntu updates repository
- - uri: "{{ manage_repositories_main_repo_uri[ansible_distribution|lower] }}"
- gpg_key:
- comments: "ubuntu updates repository"
- type: "deb"
- suites: "{{ ansible_distribution_release }}-updates"
- components: "main restricted universe multiverse"
- # ubuntu security repository
- - uri: "{{ manage_repositories_main_repo_uri[ansible_distribution|lower] }}"
- gpg_key:
- comments: "ubuntu security repository"
- type: "deb"
- suites: "{{ ansible_distribution_release }}-security"
- components: "main restricted universe multiverse"
- # ubuntu backports repository
- - uri: "{{ manage_repositories_main_repo_uri[ansible_distribution|lower] }}"
- gpg_key:
- comments: "ubuntu backports repository"
- type: "deb"
- suites: "{{ ansible_distribution_release }}-backports"
- components: "main restricted universe multiverse"
+ types:
+ - deb
+ suites:
+ - "{{ ansible_distribution_release }}"
+ - "{{ ansible_distribution_release }}-security"
+ - "{{ ansible_distribution_release }}-updates"
+ - "{{ ansible_distribution_release }}-backports"
+ components:
+ - main
+ - restricted
+ - universe
+ - multiverse