From f73c8ff53d234c8a0d855cc9bdd6e9575d3e355a Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 12 Aug 2021 23:23:04 +0200
Subject: use singed-by= option for source list entries of external repos
---
 roles/apt-repo/aptly/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/base/tasks/main.yml | 5 +++++
 roles/apt-repo/blackmagic/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/docker-com/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/grafana/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/helsinki/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/kodi/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/kubernetes/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/kubic-project/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/nodejs/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/nordvpn/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/obs-studio/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/percona/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/riot/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/spreadspace/tasks/main.yml | 10 ++++++++--
 roles/apt-repo/tor-project/tasks/main.yml | 10 ++++++++--
 16 files changed, 125 insertions(+), 30 deletions(-)
(limited to 'roles')
diff --git a/roles/apt-repo/aptly/tasks/main.yml b/roles/apt-repo/aptly/tasks/main.yml
index f0d7ca97..5d487397 100644
--- a/roles/apt-repo/aptly/tasks/main.yml
+++ b/roles/apt-repo/aptly/tasks/main.yml
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/aptly.gpg
+ dest: /etc/apt/keyrings/aptly.gpg
 register: apt_repo_aptly_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/aptly.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb http://repo.aptly.info/ squeeze main
+ deb [signed-by=/etc/apt/keyrings/aptly.gpg] http://repo.aptly.info/ squeeze main
 dest: /etc/apt/sources.list.d/aptly.list
 register: apt_repo_aptly_sources
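Review bot: The rewritten `deb` line in roles/apt-repo/aptly/tasks/main.yml still uses plain `http://repo.aptly.info/`, so the key pinned with `signed-by=` is the only control left on that channel. Signature checking stops forged packages, but an on-path party can still observe what is fetched and can hold back updates by replaying older, validly signed metadata for as long as the repository's Release file is accepted. Where the upstream serves TLS, change the scheme while touching the line, e.g. `deb [signed-by=/etc/apt/keyrings/aptly.gpg] https://repo.aptly.info/ squeeze main`; I have not verified that this host offers https, so confirm before switching. The same applies to the helsinki, kodi, kubic-project, obs-studio, percona and tor-project entries in this commit.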
diff --git a/roles/apt-repo/base/tasks/main.yml b/roles/apt-repo/base/tasks/main.yml
index 7abd5800..12b94301 100644
--- a/roles/apt-repo/base/tasks/main.yml
+++ b/roles/apt-repo/base/tasks/main.yml
@@ -11,6 +11,11 @@
 args:
 warn: false
+- name: create keyring directory for external repos
+ file:
+ path: /etc/apt/keyrings
+ state: directory
+
 ## aptitude is needed for package upgrade roles
 - name: install aptitude and https transport
 apt:
diff --git a/roles/apt-repo/blackmagic/tasks/main.yml b/roles/apt-repo/blackmagic/tasks/main.yml
index 0e14d8fa..0a63a094 100644
--- a/roles/apt-repo/blackmagic/tasks/main.yml
+++ b/roles/apt-repo/blackmagic/tasks/main.yml
@@ -2,9 +2,15 @@
 - name: install repo key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/blackmagic.gpg
+ dest: /etc/apt/keyrings/blackmagic.gpg
 register: apt_repo_blackmagic_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/blackmagic.gpg
+ state: absent
+
 - name: configure repo authentication
 when:
@@ -43,7 +49,7 @@
 - name: add repository entry
 copy:
 content: |
- deb https://build.spreadspace.org/ {{ ansible_distribution_release }} blackmagic
+ deb [signed-by=/etc/apt/keyrings/blackmagic.gpg] https://build.spreadspace.org/ {{ ansible_distribution_release }} blackmagic
 dest: /etc/apt/sources.list.d/blackmagic.list
 register: apt_repo_blackmagic_sources
diff --git a/roles/apt-repo/docker-com/tasks/main.yml b/roles/apt-repo/docker-com/tasks/main.yml
index 3ebfa87f..7b34c3d4 100644
--- a/roles/apt-repo/docker-com/tasks/main.yml
+++ b/roles/apt-repo/docker-com/tasks/main.yml
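Review bot: In roles/apt-repo/base/tasks/main.yml the new `/etc/apt/keyrings` directory is created without `owner`, `group` or `mode`, and the `copy` tasks that place `repo.gpg` into it in every repo role of this commit set none either. Every file in that directory becomes a trust anchor for the source that names it, so it should be writable by root only, and it has to stay readable by apt's unprivileged `_apt` user; with a restrictive umask on the target a newly created key can end up unreadable and signature verification then fails. I would add `owner: root`, `group: root` and `mode: "0755"` to the directory task, and the same owner and group with `mode: "0644"` to each key `copy` task. Whether the repo roles are guaranteed to run after base, so that the directory exists before the first `copy`, is not visible in these hunks and is worth confirming.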
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/docker-com.gpg
+ dest: /etc/apt/keyrings/docker-com.gpg
 register: apt_repo_docker_com_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/docker-com.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
+ deb [signed-by=/etc/apt/keyrings/docker-com.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
 dest: /etc/apt/sources.list.d/docker-com.list
 register: apt_repo_docker_com_sources
diff --git a/roles/apt-repo/grafana/tasks/main.yml b/roles/apt-repo/grafana/tasks/main.yml
index c7ab2c58..bf54554d 100644
--- a/roles/apt-repo/grafana/tasks/main.yml
+++ b/roles/apt-repo/grafana/tasks/main.yml
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/grafana.gpg
+ dest: /etc/apt/keyrings/grafana.gpg
 register: apt_repo_grafana_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/grafana.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb https://packages.grafana.com/oss/deb stable main
+ deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://packages.grafana.com/oss/deb stable main
 dest: /etc/apt/sources.list.d/grafana.list
 register: apt_repo_grafana_sources
diff --git a/roles/apt-repo/helsinki/tasks/main.yml b/roles/apt-repo/helsinki/tasks/main.yml
index 3f20640c..7820d3f4 100644
--- a/roles/apt-repo/helsinki/tasks/main.yml
+++ b/roles/apt-repo/helsinki/tasks/main.yml
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/helsinki.gpg
+ dest: /etc/apt/keyrings/helsinki.gpg
 register: apt_repo_helsinki_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/helsinki.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb http://build.helsinki.at/ {{ ansible_distribution_release }} main
+ deb [signed-by=/etc/apt/keyrings/helsinki.gpg] http://build.helsinki.at/ {{ ansible_distribution_release }} main
 dest: /etc/apt/sources.list.d/helsinki.list
 register: apt_repo_helsinki_sources
diff --git a/roles/apt-repo/kodi/tasks/main.yml b/roles/apt-repo/kodi/tasks/main.yml
index 30bd07b5..3a320977 100644
--- a/roles/apt-repo/kodi/tasks/main.yml
+++ b/roles/apt-repo/kodi/tasks/main.yml
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/kodi.gpg
+ dest: /etc/apt/keyrings/kodi.gpg
 register: apt_repo_kodi_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/kodi.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb http://ppa.launchpad.net/team-xbmc/ppa/ubuntu {{ ansible_distribution_release }} main
+ deb [signed-by=/etc/apt/keyrings/kodi.gpg] http://ppa.launchpad.net/team-xbmc/ppa/ubuntu {{ ansible_distribution_release }} main
 dest: /etc/apt/sources.list.d/kodi.list
 register: apt_repo_kodi_sources
diff --git a/roles/apt-repo/kubernetes/tasks/main.yml b/roles/apt-repo/kubernetes/tasks/main.yml
index 5a6e9a7a..61b6000f 100644
--- a/roles/apt-repo/kubernetes/tasks/main.yml
+++ b/roles/apt-repo/kubernetes/tasks/main.yml
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/kubernetes.gpg
+ dest: /etc/apt/keyrings/kubernetes.gpg
 register: apt_repo_kubernetes_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/kubernetes.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb https://apt.kubernetes.io/ kubernetes-xenial main
+ deb [signed-by=/etc/apt/keyrings/kubernetes.gpg] https://apt.kubernetes.io/ kubernetes-xenial main
 dest: /etc/apt/sources.list.d/kubernetes.list
 register: apt_repo_kubernetes_sources
diff --git a/roles/apt-repo/kubic-project/tasks/main.yml b/roles/apt-repo/kubic-project/tasks/main.yml
index 115d4060..6f9e2d78 100644
--- a/roles/apt-repo/kubic-project/tasks/main.yml
+++ b/roles/apt-repo/kubic-project/tasks/main.yml
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/kubic-project.gpg
+ dest: /etc/apt/keyrings/kubic-project.gpg
 register: apt_repo_kubic_project_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/kubic-project.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ (ansible_distribution == 'Ubuntu') | ternary('xUbuntu', ansible_distribution) }}_{{ ansible_distribution_version }}/ /
+ deb [signed-by=/etc/apt/keyrings/kubic-project.gpg] http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ (ansible_distribution == 'Ubuntu') | ternary('xUbuntu', ansible_distribution) }}_{{ ansible_distribution_version }}/ /
 dest: /etc/apt/sources.list.d/kubic-project.list
 register: apt_repo_kubic_project_sources
diff --git a/roles/apt-repo/nodejs/tasks/main.yml b/roles/apt-repo/nodejs/tasks/main.yml
index 01c72041..c7d13df7 100644
--- a/roles/apt-repo/nodejs/tasks/main.yml
+++ b/roles/apt-repo/nodejs/tasks/main.yml
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/nodejs.gpg
+ dest: /etc/apt/keyrings/nodejs.gpg
 register: apt_repo_nodejs_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/nodejs.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb https://deb.nodesource.com/node_10.x {{ ansible_distribution_release }} main
+ deb [signed-by=/etc/apt/keyrings/nodejs.gpg] https://deb.nodesource.com/node_10.x {{ ansible_distribution_release }} main
 dest: /etc/apt/sources.list.d/nodejs.list
 register: apt_repo_nodejs_sources
diff --git a/roles/apt-repo/nordvpn/tasks/main.yml b/roles/apt-repo/nordvpn/tasks/main.yml
index d63da994..f22aaff2 100644
--- a/roles/apt-repo/nordvpn/tasks/main.yml
+++ b/roles/apt-repo/nordvpn/tasks/main.yml
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/nordvpn.gpg
+ dest: /etc/apt/keyrings/nordvpn.gpg
 register: apt_repo_nordvpn_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/nordvpn.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb https://repo.nordvpn.com/deb/nordvpn/debian stable main
+ deb [signed-by=/etc/apt/keyrings/nordvpn.gpg] https://repo.nordvpn.com/deb/nordvpn/debian stable main
 dest: /etc/apt/sources.list.d/nordvpn.list
 register: apt_repo_nordvpn_sources
diff --git a/roles/apt-repo/obs-studio/tasks/main.yml b/roles/apt-repo/obs-studio/tasks/main.yml
index c16dbb5d..15d8a286 100644
--- a/roles/apt-repo/obs-studio/tasks/main.yml
+++ b/roles/apt-repo/obs-studio/tasks/main.yml
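Review bot: In roles/apt-repo/nodejs/tasks/main.yml the rewritten entry keeps the release line hard-coded as `node_10.x`; Node.js 10 reached end-of-life in April 2021, so hosts using this role are pinned, now with a freshly scoped key, to a channel that no longer receives security fixes. Since the line is being rewritten anyway, consider taking the release line from a role variable with a currently supported default instead of a literal, for example `https://deb.nodesource.com/node_{{ apt_repo_nodejs_version }}.x` (the variable name is only a suggestion and does not exist in the visible code). If some hosts really need 10.x, a comment next to the entry saying so would help the next reader.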
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/obs-studio.gpg
+ dest: /etc/apt/keyrings/obs-studio.gpg
 register: apt_repo_obs_studio_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/obs-studio.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb http://ppa.launchpad.net/obsproject/obs-studio/ubuntu {{ ansible_distribution_release }} main
+ deb [signed-by=/etc/apt/keyrings/obs-studio.gpg] http://ppa.launchpad.net/obsproject/obs-studio/ubuntu {{ ansible_distribution_release }} main
 dest: /etc/apt/sources.list.d/obs-studio.list
 register: apt_repo_obs_studio_sources
diff --git a/roles/apt-repo/percona/tasks/main.yml b/roles/apt-repo/percona/tasks/main.yml
index 4b82b2b4..4158a912 100644
--- a/roles/apt-repo/percona/tasks/main.yml
+++ b/roles/apt-repo/percona/tasks/main.yml
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/percona.gpg
+ dest: /etc/apt/keyrings/percona.gpg
 register: apt_repo_percona_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/percona.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb http://repo.percona.com/apt {{ ansible_distribution_release }} main
+ deb [signed-by=/etc/apt/keyrings/percona.gpg] http://repo.percona.com/apt {{ ansible_distribution_release }} main
 dest: /etc/apt/sources.list.d/percona.list
 register: apt_repo_percona_sources
diff --git a/roles/apt-repo/riot/tasks/main.yml b/roles/apt-repo/riot/tasks/main.yml
index ea2c93f9..c27d9e34 100644
--- a/roles/apt-repo/riot/tasks/main.yml
+++ b/roles/apt-repo/riot/tasks/main.yml
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/riot.gpg
+ dest: /etc/apt/keyrings/riot.gpg
 register: apt_repo_riot_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/riot.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb https://riot.im/packages/debian/ default main
+ deb [signed-by=/etc/apt/keyrings/riot.gpg] https://riot.im/packages/debian/ default main
 dest: /etc/apt/sources.list.d/riot.list
 register: apt_repo_riot_sources
diff --git a/roles/apt-repo/spreadspace/tasks/main.yml b/roles/apt-repo/spreadspace/tasks/main.yml
index 6fe9eeea..52bfe61b 100644
--- a/roles/apt-repo/spreadspace/tasks/main.yml
+++ b/roles/apt-repo/spreadspace/tasks/main.yml
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/spreadspace.gpg
+ dest: /etc/apt/keyrings/spreadspace.gpg
 register: apt_repo_spreadspace_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/spreadspace.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb https://build.spreadspace.org/ {{ ansible_distribution_release }} {{ spreadspace_apt_repo_components | join(' ') }}
+ deb [signed-by=/etc/apt/keyrings/spreadspace.gpg] https://build.spreadspace.org/ {{ ansible_distribution_release }} {{ spreadspace_apt_repo_components | join(' ') }}
 dest: /etc/apt/sources.list.d/spreadspace.list
 register: apt_repo_spreadspace_sources
diff --git a/roles/apt-repo/tor-project/tasks/main.yml b/roles/apt-repo/tor-project/tasks/main.yml
index 5571be8f..0b79ff91 100644
--- a/roles/apt-repo/tor-project/tasks/main.yml
+++ b/roles/apt-repo/tor-project/tasks/main.yml
@@ -2,13 +2,19 @@
 - name: add repository key
 copy:
 src: repo.gpg
- dest: /etc/apt/trusted.gpg.d/tor-project.gpg
+ dest: /etc/apt/keyrings/tor-project.gpg
 register: apt_repo_tor_project_key
+## TODO: remove once all servers have been converted
+- name: remove repository key from old location
+ file:
+ path: /etc/apt/trusted.gpg.d/tor-project.gpg
+ state: absent
+
 - name: add repository entry
 copy:
 content: |
- deb [arch=amd64] http://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main
+ deb [signed-by=/etc/apt/keyrings/tor-project.gpg arch=amd64] http://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main
 dest: /etc/apt/sources.list.d/tor-poject.list
 register: apt_repo_tor_project_sources
--
cgit v1.2.3
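Review bot: The `dest` of the tor-project source entry is spelled `/etc/apt/sources.list.d/tor-poject.list`, while the key file and the registered variables use `tor-project`; the line is unchanged context in this hunk, but this commit is a natural place to fix it. Anyone auditing a host for third-party sources by file name will miss this one. Renaming needs the same two-step pattern the commit already uses for the keys: write `dest: /etc/apt/sources.list.d/tor-project.list` and add a `file` task with `state: absent` for the old name, otherwise apt will see the same repository configured twice.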