Created
October 20, 2023 14:17
-
-
Save suominen/4c840ebae302a0db02fc289c845ec42c to your computer and use it in GitHub Desktop.
Ansible role for installing software on Debian
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# | |
# Copyright (c) 2022 Kimmo Suominen | |
# All rights reserved. | |
# | |
# Redistribution and use in source and binary forms, with or without | |
# modification, are permitted provided that the following conditions | |
# are met: | |
# | |
# 1. Redistributions of source code must retain the above copyright | |
# notice, this list of conditions and the following disclaimer. | |
# | |
# 2. Redistributions in binary form must reproduce the above copyright | |
# notice, this list of conditions and the following disclaimer | |
# in the documentation and/or other materials provided with the | |
# distribution. | |
# | |
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | |
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | |
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | |
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | |
# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | |
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
# | |
# Variables: | |
# | |
# - debsig_id Key fingerprint for debsig key | |
# | |
# - keyring.dir Keyring directory for APT repo keyrings | |
# - keyring.file Keyring filename for APT repo | |
# - keyring.type Keyring type to download (asc or gpg) | |
# - keyring.url Keyring download URL | |
# | |
# - sw.arch Enable arch option for APT source | |
# - sw.component Component for APT source | |
# - sw.id Name of the APT source (list file) | |
# - sw.packages List of packages to install | |
# - sw.suite Suite for APT source | |
# - sw.url Base URL for APT source | |
# - sw.url_path Additional path for APT source URL | |
# - sw.url_path_arch Append arch to path for APT source | |
- name: Install from a third-party Debian repository | |
become: yes | |
vars: | |
apt_url: "{{ [ sw.url + sw.url_path | default('') ] }}" | |
apt_keyring_dir: "{{ keyring.dir | default('/usr/share/keyrings') }}" | |
apt_keyring_file: "{{ keyring.file | default(sw.id + '-archive-keyring.gpg') }}" | |
apt_keyring_type: "{{ keyring.type | default('gpg') }}" | |
apt_keyring_url: "{{ keyring.url | default([sw.url, apt_keyring_file] | join('/')) }}" | |
block: | |
- name: Install curl | |
ansible.builtin.apt: | |
name: curl | |
tags: always | |
- tags: | |
- debsig | |
- keyring | |
- list | |
- sw | |
block: | |
- name: Retrieve keyring file (asc) | |
ansible.builtin.shell: | |
cmd: >- | |
umask 022; | |
curl -sS {{ apt_keyring_url }} | |
| gpg --dearmor --output {{ apt_keyring_dir }}/{{ apt_keyring_file }} | |
creates: "{{ apt_keyring_dir }}/{{ apt_keyring_file }}" | |
when: | |
- apt_keyring_type in ["asc"] | |
- name: Retrieve keyring file (gpg) | |
ansible.builtin.get_url: | |
url: "{{ apt_keyring_url }}" | |
dest: "{{ apt_keyring_dir }}/{{ apt_keyring_file }}" | |
mode: 0644 | |
when: | |
- apt_keyring_type not in ["asc"] | |
- when: debsig_id is defined | |
vars: | |
debsig_keyring_dir: /usr/share/debsig/keyrings/{{ debsig_id }} | |
debsig_policy_dir: /etc/debsig/policies/{{ debsig_id }} | |
tags: | |
- debsig | |
- sw | |
block: | |
- name: Create debsig-verify policy directories | |
ansible.builtin.file: | |
path: "{{ item }}" | |
state: directory | |
mode: 0755 | |
loop: | |
- "{{ debsig_keyring_dir }}" | |
- "{{ debsig_policy_dir }}" | |
- name: Retrieve debsig-verify policy | |
ansible.builtin.get_url: | |
url: "{{ sw.url }}/debian/debsig/{{ sw.id }}.pol" | |
dest: "{{ debsig_policy_dir }}/{{ sw.id }}.pol" | |
mode: 0644 | |
- name: Install debsig-verify keyring | |
ansible.builtin.copy: | |
src: "{{ apt_keyring_dir }}/{{ apt_keyring_file }}" | |
dest: "{{ debsig_keyring_dir }}/debsig.gpg" | |
mode: preserve | |
remote_src: yes | |
unsafe_writes: "{{ ansible_check_mode }}" | |
- tags: | |
- list | |
- sw | |
block: | |
- when: >- | |
sw.arch | default(false) | |
or sw.url_path_arch | default(false) | |
block: | |
- name: Obtain architecture | |
ansible.builtin.command: dpkg --print-architecture | |
register: dpkg_architecture | |
changed_when: false | |
check_mode: false | |
- name: Add architecture to APT options | |
ansible.builtin.set_fact: | |
apt_options: "{{ | |
apt_options | default([]) | |
+ [ 'arch=' + dpkg_architecture.stdout ] | |
}}" | |
when: sw.arch | default(false) | |
- name: Append architecture to APT URL path | |
ansible.builtin.set_fact: | |
apt_url: "{{ apt_url + [ dpkg_architecture.stdout ] }}" | |
when: sw.url_path_arch | default(false) | |
- name: Add keyring to APT options | |
ansible.builtin.set_fact: | |
apt_options: "{{ | |
apt_options | default([]) | |
+ [ 'signed-by=' + apt_keyring_dir + '/' + apt_keyring_file ] | |
}}" | |
- name: Create APT source | |
ansible.builtin.apt_repository: | |
filename: "{{ sw.id }}" | |
repo: >- | |
deb [{{ apt_options | join(' ') }}] | |
{{ apt_url | join('/') }} | |
{{ sw.suite | default(ansible_facts.distribution_release) }} | |
{{ sw.component | default('main') }} | |
mode: 0644 | |
- name: Install requested packages | |
ansible.builtin.apt: | |
name: "{{ sw.packages }}" | |
tags: sw |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment