authorChristian Pointner <equinox@spreadspace.org>2021-08-12 23:23:04 +0200
committerChristian Pointner <equinox@spreadspace.org>2021-08-12 23:23:04 +0200
commitf73c8ff53d234c8a0d855cc9bdd6e9575d3e355a (patch)
tree6205d52cb9d89a7414dbe0d1faa01e1f61822937 /roles
parentlinux/ipv4: disable log_martians by default (diff)
use signed-by= option for source list entries of external repos
Diffstat (limited to 'roles')
-rw-r--r--roles/apt-repo/aptly/tasks/main.yml10
-rw-r--r--roles/apt-repo/base/tasks/main.yml5
-rw-r--r--roles/apt-repo/blackmagic/tasks/main.yml10
-rw-r--r--roles/apt-repo/docker-com/tasks/main.yml10
-rw-r--r--roles/apt-repo/grafana/tasks/main.yml10
-rw-r--r--roles/apt-repo/helsinki/tasks/main.yml10
-rw-r--r--roles/apt-repo/kodi/tasks/main.yml10
-rw-r--r--roles/apt-repo/kubernetes/tasks/main.yml10
-rw-r--r--roles/apt-repo/kubic-project/tasks/main.yml10
-rw-r--r--roles/apt-repo/nodejs/tasks/main.yml10
-rw-r--r--roles/apt-repo/nordvpn/tasks/main.yml10
-rw-r--r--roles/apt-repo/obs-studio/tasks/main.yml10
-rw-r--r--roles/apt-repo/percona/tasks/main.yml10
-rw-r--r--roles/apt-repo/riot/tasks/main.yml10
-rw-r--r--roles/apt-repo/spreadspace/tasks/main.yml10
-rw-r--r--roles/apt-repo/tor-project/tasks/main.yml10
16 files changed, 125 insertions, 30 deletions
diff --git a/roles/apt-repo/aptly/tasks/main.yml b/roles/apt-repo/aptly/tasks/main.yml
index f0d7ca97..5d487397 100644
--- a/roles/apt-repo/aptly/tasks/main.yml
+++ b/roles/apt-repo/aptly/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/aptly.gpg
+ dest: /etc/apt/keyrings/aptly.gpg
register: apt_repo_aptly_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/aptly.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb http://repo.aptly.info/ squeeze main
+ deb [signed-by=/etc/apt/keyrings/aptly.gpg] http://repo.aptly.info/ squeeze main
dest: /etc/apt/sources.list.d/aptly.list
register: apt_repo_aptly_sources
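Review bot: The comment `## TODO: remove once all servers have been converted` does not say why the cleanup task matters. A key left in /etc/apt/trusted.gpg.d stays trusted for every configured source, so `signed-by=` alone does not confine it to this repository. I would spell that out, e.g. `## a key in trusted.gpg.d is trusted for all sources; keep this task until every host has run it`. The same comment and task appear in the hunks for the other repo roles in this commit. A key that was ever imported into /etc/apt/trusted.gpg itself would not be touched by this task; whether any host has one is not visible here.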
diff --git a/roles/apt-repo/base/tasks/main.yml b/roles/apt-repo/base/tasks/main.yml
index 7abd5800..12b94301 100644
--- a/roles/apt-repo/base/tasks/main.yml
+++ b/roles/apt-repo/base/tasks/main.yml
@@ -11,6 +11,11 @@
args:
warn: false
+- name: create keyring directory for external repos
+ file:
+ path: /etc/apt/keyrings
+ state: directory
+
## aptitude is needed for package upgrade roles
- name: install aptitude and https transport
apt:
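Review bot: The new `create keyring directory for external repos` task sets no owner or mode, so /etc/apt/keyrings gets whatever the remote umask yields; under a restrictive umask apt's unprivileged `_apt` user may be unable to read the keyrings, and signature checks would then fail. Adding `owner: root`, `group: root` and `mode: '0755'` here, and `mode: '0644'` on the key `copy` tasks in the other role hunks, pins that down. The other roles also need this directory to exist before they copy their key; whether they declare a dependency on apt-repo/base is not visible in this diff. The `install aptitude and https transport` task that follows continues outside the hunk.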
diff --git a/roles/apt-repo/blackmagic/tasks/main.yml b/roles/apt-repo/blackmagic/tasks/main.yml
index 0e14d8fa..0a63a094 100644
--- a/roles/apt-repo/blackmagic/tasks/main.yml
+++ b/roles/apt-repo/blackmagic/tasks/main.yml
@@ -2,9 +2,15 @@
- name: install repo key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/blackmagic.gpg
+ dest: /etc/apt/keyrings/blackmagic.gpg
register: apt_repo_blackmagic_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/blackmagic.gpg
+ state: absent
+
- name: configure repo authentication
when:
@@ -43,7 +49,7 @@
- name: add repository entry
copy:
content: |
- deb https://build.spreadspace.org/ {{ ansible_distribution_release }} blackmagic
+ deb [signed-by=/etc/apt/keyrings/blackmagic.gpg] https://build.spreadspace.org/ {{ ansible_distribution_release }} blackmagic
dest: /etc/apt/sources.list.d/blackmagic.list
register: apt_repo_blackmagic_sources
diff --git a/roles/apt-repo/docker-com/tasks/main.yml b/roles/apt-repo/docker-com/tasks/main.yml
index 3ebfa87f..7b34c3d4 100644
--- a/roles/apt-repo/docker-com/tasks/main.yml
+++ b/roles/apt-repo/docker-com/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/docker-com.gpg
+ dest: /etc/apt/keyrings/docker-com.gpg
register: apt_repo_docker_com_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/docker-com.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
+ deb [signed-by=/etc/apt/keyrings/docker-com.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
dest: /etc/apt/sources.list.d/docker-com.list
register: apt_repo_docker_com_sources
diff --git a/roles/apt-repo/grafana/tasks/main.yml b/roles/apt-repo/grafana/tasks/main.yml
index c7ab2c58..bf54554d 100644
--- a/roles/apt-repo/grafana/tasks/main.yml
+++ b/roles/apt-repo/grafana/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/grafana.gpg
+ dest: /etc/apt/keyrings/grafana.gpg
register: apt_repo_grafana_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/grafana.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb https://packages.grafana.com/oss/deb stable main
+ deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://packages.grafana.com/oss/deb stable main
dest: /etc/apt/sources.list.d/grafana.list
register: apt_repo_grafana_sources
diff --git a/roles/apt-repo/helsinki/tasks/main.yml b/roles/apt-repo/helsinki/tasks/main.yml
index 3f20640c..7820d3f4 100644
--- a/roles/apt-repo/helsinki/tasks/main.yml
+++ b/roles/apt-repo/helsinki/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/helsinki.gpg
+ dest: /etc/apt/keyrings/helsinki.gpg
register: apt_repo_helsinki_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/helsinki.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb http://build.helsinki.at/ {{ ansible_distribution_release }} main
+ deb [signed-by=/etc/apt/keyrings/helsinki.gpg] http://build.helsinki.at/ {{ ansible_distribution_release }} main
dest: /etc/apt/sources.list.d/helsinki.list
register: apt_repo_helsinki_sources
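Review bot: The rewritten `deb` line keeps the `http://` scheme, as do the aptly, kodi, kubic-project, obs-studio, percona and tor-project entries in this commit. With `signed-by=` the repository signature still protects package integrity, but over plain HTTP an on-path party can see which packages a host fetches and can serve stale metadata for as long as the repository's validity window allows. Where the upstream serves the repository over HTTPS, I would change the scheme in the same line; which of these hosts do so needs checking.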
diff --git a/roles/apt-repo/kodi/tasks/main.yml b/roles/apt-repo/kodi/tasks/main.yml
index 30bd07b5..3a320977 100644
--- a/roles/apt-repo/kodi/tasks/main.yml
+++ b/roles/apt-repo/kodi/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/kodi.gpg
+ dest: /etc/apt/keyrings/kodi.gpg
register: apt_repo_kodi_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/kodi.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb http://ppa.launchpad.net/team-xbmc/ppa/ubuntu {{ ansible_distribution_release }} main
+ deb [signed-by=/etc/apt/keyrings/kodi.gpg] http://ppa.launchpad.net/team-xbmc/ppa/ubuntu {{ ansible_distribution_release }} main
dest: /etc/apt/sources.list.d/kodi.list
register: apt_repo_kodi_sources
diff --git a/roles/apt-repo/kubernetes/tasks/main.yml b/roles/apt-repo/kubernetes/tasks/main.yml
index 5a6e9a7a..61b6000f 100644
--- a/roles/apt-repo/kubernetes/tasks/main.yml
+++ b/roles/apt-repo/kubernetes/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/kubernetes.gpg
+ dest: /etc/apt/keyrings/kubernetes.gpg
register: apt_repo_kubernetes_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/kubernetes.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb https://apt.kubernetes.io/ kubernetes-xenial main
+ deb [signed-by=/etc/apt/keyrings/kubernetes.gpg] https://apt.kubernetes.io/ kubernetes-xenial main
dest: /etc/apt/sources.list.d/kubernetes.list
register: apt_repo_kubernetes_sources
diff --git a/roles/apt-repo/kubic-project/tasks/main.yml b/roles/apt-repo/kubic-project/tasks/main.yml
index 115d4060..6f9e2d78 100644
--- a/roles/apt-repo/kubic-project/tasks/main.yml
+++ b/roles/apt-repo/kubic-project/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/kubic-project.gpg
+ dest: /etc/apt/keyrings/kubic-project.gpg
register: apt_repo_kubic_project_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/kubic-project.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ (ansible_distribution == 'Ubuntu') | ternary('xUbuntu', ansible_distribution) }}_{{ ansible_distribution_version }}/ /
+ deb [signed-by=/etc/apt/keyrings/kubic-project.gpg] http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ (ansible_distribution == 'Ubuntu') | ternary('xUbuntu', ansible_distribution) }}_{{ ansible_distribution_version }}/ /
dest: /etc/apt/sources.list.d/kubic-project.list
register: apt_repo_kubic_project_sources
diff --git a/roles/apt-repo/nodejs/tasks/main.yml b/roles/apt-repo/nodejs/tasks/main.yml
index 01c72041..c7d13df7 100644
--- a/roles/apt-repo/nodejs/tasks/main.yml
+++ b/roles/apt-repo/nodejs/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/nodejs.gpg
+ dest: /etc/apt/keyrings/nodejs.gpg
register: apt_repo_nodejs_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/nodejs.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb https://deb.nodesource.com/node_10.x {{ ansible_distribution_release }} main
+ deb [signed-by=/etc/apt/keyrings/nodejs.gpg] https://deb.nodesource.com/node_10.x {{ ansible_distribution_release }} main
dest: /etc/apt/sources.list.d/nodejs.list
register: apt_repo_nodejs_sources
diff --git a/roles/apt-repo/nordvpn/tasks/main.yml b/roles/apt-repo/nordvpn/tasks/main.yml
index d63da994..f22aaff2 100644
--- a/roles/apt-repo/nordvpn/tasks/main.yml
+++ b/roles/apt-repo/nordvpn/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/nordvpn.gpg
+ dest: /etc/apt/keyrings/nordvpn.gpg
register: apt_repo_nordvpn_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/nordvpn.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb https://repo.nordvpn.com/deb/nordvpn/debian stable main
+ deb [signed-by=/etc/apt/keyrings/nordvpn.gpg] https://repo.nordvpn.com/deb/nordvpn/debian stable main
dest: /etc/apt/sources.list.d/nordvpn.list
register: apt_repo_nordvpn_sources
diff --git a/roles/apt-repo/obs-studio/tasks/main.yml b/roles/apt-repo/obs-studio/tasks/main.yml
index c16dbb5d..15d8a286 100644
--- a/roles/apt-repo/obs-studio/tasks/main.yml
+++ b/roles/apt-repo/obs-studio/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/obs-studio.gpg
+ dest: /etc/apt/keyrings/obs-studio.gpg
register: apt_repo_obs_studio_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/obs-studio.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb http://ppa.launchpad.net/obsproject/obs-studio/ubuntu {{ ansible_distribution_release }} main
+ deb [signed-by=/etc/apt/keyrings/obs-studio.gpg] http://ppa.launchpad.net/obsproject/obs-studio/ubuntu {{ ansible_distribution_release }} main
dest: /etc/apt/sources.list.d/obs-studio.list
register: apt_repo_obs_studio_sources
diff --git a/roles/apt-repo/percona/tasks/main.yml b/roles/apt-repo/percona/tasks/main.yml
index 4b82b2b4..4158a912 100644
--- a/roles/apt-repo/percona/tasks/main.yml
+++ b/roles/apt-repo/percona/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/percona.gpg
+ dest: /etc/apt/keyrings/percona.gpg
register: apt_repo_percona_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/percona.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb http://repo.percona.com/apt {{ ansible_distribution_release }} main
+ deb [signed-by=/etc/apt/keyrings/percona.gpg] http://repo.percona.com/apt {{ ansible_distribution_release }} main
dest: /etc/apt/sources.list.d/percona.list
register: apt_repo_percona_sources
diff --git a/roles/apt-repo/riot/tasks/main.yml b/roles/apt-repo/riot/tasks/main.yml
index ea2c93f9..c27d9e34 100644
--- a/roles/apt-repo/riot/tasks/main.yml
+++ b/roles/apt-repo/riot/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/riot.gpg
+ dest: /etc/apt/keyrings/riot.gpg
register: apt_repo_riot_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/riot.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb https://riot.im/packages/debian/ default main
+ deb [signed-by=/etc/apt/keyrings/riot.gpg] https://riot.im/packages/debian/ default main
dest: /etc/apt/sources.list.d/riot.list
register: apt_repo_riot_sources
diff --git a/roles/apt-repo/spreadspace/tasks/main.yml b/roles/apt-repo/spreadspace/tasks/main.yml
index 6fe9eeea..52bfe61b 100644
--- a/roles/apt-repo/spreadspace/tasks/main.yml
+++ b/roles/apt-repo/spreadspace/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/spreadspace.gpg
+ dest: /etc/apt/keyrings/spreadspace.gpg
register: apt_repo_spreadspace_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/spreadspace.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb https://build.spreadspace.org/ {{ ansible_distribution_release }} {{ spreadspace_apt_repo_components | join(' ') }}
+ deb [signed-by=/etc/apt/keyrings/spreadspace.gpg] https://build.spreadspace.org/ {{ ansible_distribution_release }} {{ spreadspace_apt_repo_components | join(' ') }}
dest: /etc/apt/sources.list.d/spreadspace.list
register: apt_repo_spreadspace_sources
diff --git a/roles/apt-repo/tor-project/tasks/main.yml b/roles/apt-repo/tor-project/tasks/main.yml
index 5571be8f..0b79ff91 100644
--- a/roles/apt-repo/tor-project/tasks/main.yml
+++ b/roles/apt-repo/tor-project/tasks/main.yml
@@ -2,13 +2,19 @@
- name: add repository key
copy:
src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/tor-project.gpg
+ dest: /etc/apt/keyrings/tor-project.gpg
register: apt_repo_tor_project_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/tor-project.gpg
+ state: absent
+
- name: add repository entry
copy:
content: |
- deb [arch=amd64] http://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main
+ deb [signed-by=/etc/apt/keyrings/tor-project.gpg arch=amd64] http://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main
dest: /etc/apt/sources.list.d/tor-poject.list
register: apt_repo_tor_project_sources
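Review bot: The destination in the context line is spelled `/etc/apt/sources.list.d/tor-poject.list`, and this commit leaves it unchanged. apt reads the file regardless, but anyone auditing sources.list.d for `tor-project.list` will miss it. If the name is corrected to `dest: /etc/apt/sources.list.d/tor-project.list`, add a `file:` task with `state: absent` for the old path; otherwise both files would define the same source.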