
@suominen
Created October 20, 2023 14:17
Ansible role for installing software on Debian
---
#
# Copyright (c) 2022 Kimmo Suominen
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Variables:
#
# - debsig_id Key fingerprint for debsig key
#
# - keyring.dir Keyring directory for APT repo keyrings
# - keyring.file Keyring filename for APT repo
# - keyring.type Keyring type to download (asc or gpg)
# - keyring.url Keyring download URL
#
# - sw.arch Enable arch option for APT source
# - sw.component Component for APT source
# - sw.id Name of the APT source (list file)
# - sw.packages List of packages to install
# - sw.suite Suite for APT source
# - sw.url Base URL for APT source
# - sw.url_path Additional path for APT source URL
# - sw.url_path_arch Append arch to path for APT source
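# Adds a third-party APT repository (keyring + sources list entry),
# optionally configures debsig-verify for it, and installs sw.packages.
#
# Security notes:
# - The keyring downloaded here is the trust anchor APT uses for this
#   repository (it is passed as signed-by= below). By default it is
#   fetched from sw.url itself, i.e. from the same origin as the packages
#   it authenticates, so use an https:// URL and, where possible, pin the
#   file with the optional keyring.checksum variable.
# - keyring.checksum (optional, "<algorithm>:<hex digest>") is only
#   applied to the binary (gpg) download; the armored (asc) path is not
#   checksum-verified.
- name: Install from a third-party Debian repository
  become: true
  vars:
    apt_keyring_dir: "{{ keyring.dir | default('/usr/share/keyrings') }}"
    apt_keyring_file: "{{ keyring.file | default(sw.id + '-archive-keyring.gpg') }}"
    apt_keyring_type: "{{ keyring.type | default('gpg') }}"
    apt_keyring_url: "{{ keyring.url | default([sw.url, apt_keyring_file] | join('/')) }}"
  block:
    - name: Install curl
      ansible.builtin.apt:
        name: curl
      tags: always

    # Keyring retrieval runs for every tag that later needs the keyring.
    - tags:
        - debsig
        - keyring
        - list
        - sw
      block:
        - name: Retrieve keyring file (asc)
          ansible.builtin.shell:
            # pipefail + curl -f: an HTTP error or failed download fails
            # the task instead of handing an error page to gpg.  The URL
            # and output path are shell-quoted because they are templated
            # into a command line.
            cmd: >-
              set -o pipefail;
              umask 022;
              curl -fsS {{ apt_keyring_url | quote }}
              | gpg --dearmor --output {{ (apt_keyring_dir + '/' + apt_keyring_file) | quote }}
            # pipefail is not guaranteed in /bin/sh, so run under bash.
            executable: /bin/bash
            creates: "{{ apt_keyring_dir }}/{{ apt_keyring_file }}"
          when:
            - apt_keyring_type in ["asc"]

        - name: Retrieve keyring file (gpg)
          ansible.builtin.get_url:
            url: "{{ apt_keyring_url }}"
            dest: "{{ apt_keyring_dir }}/{{ apt_keyring_file }}"
            # Omitted unless the caller supplies keyring.checksum.
            checksum: "{{ keyring.checksum | default(omit) }}"
            mode: "0644"
          when:
            - apt_keyring_type not in ["asc"]

    # debsig-verify setup, keyed by the debsig key fingerprint.
    # NOTE(review): the policy file is fetched from sw.url without an
    # integrity check; it and the keyring share one origin with the
    # packages they are meant to verify.
    - when: debsig_id is defined
      vars:
        debsig_keyring_dir: "/usr/share/debsig/keyrings/{{ debsig_id }}"
        debsig_policy_dir: "/etc/debsig/policies/{{ debsig_id }}"
      tags:
        - debsig
        - sw
      block:
        - name: Create debsig-verify policy directories
          ansible.builtin.file:
            path: "{{ item }}"
            state: directory
            mode: "0755"
          loop:
            - "{{ debsig_keyring_dir }}"
            - "{{ debsig_policy_dir }}"

        - name: Retrieve debsig-verify policy
          ansible.builtin.get_url:
            url: "{{ sw.url }}/debian/debsig/{{ sw.id }}.pol"
            dest: "{{ debsig_policy_dir }}/{{ sw.id }}.pol"
            mode: "0644"

        - name: Install debsig-verify keyring
          ansible.builtin.copy:
            src: "{{ apt_keyring_dir }}/{{ apt_keyring_file }}"
            dest: "{{ debsig_keyring_dir }}/debsig.gpg"
            mode: preserve
            remote_src: true
            unsafe_writes: "{{ ansible_check_mode }}"

    - tags:
        - list
        - sw
      block:
        # set_fact values persist per host for the rest of the run and
        # take precedence over block vars.  Reset both facts here so a
        # second use of this role on the same host does not inherit the
        # previous repository's options or URL path.
        - name: Initialise APT source facts
          ansible.builtin.set_fact:
            apt_options: []
            apt_url: "{{ [sw.url + (sw.url_path | default(''))] }}"

        - when: >-
            sw.arch | default(false)
            or sw.url_path_arch | default(false)
          block:
            - name: Obtain architecture
              ansible.builtin.command: dpkg --print-architecture
              register: dpkg_architecture
              changed_when: false
              # Read-only query; run it in check mode too.
              check_mode: false

            - name: Add architecture to APT options
              ansible.builtin.set_fact:
                apt_options: "{{ apt_options + ['arch=' + dpkg_architecture.stdout] }}"
              when: sw.arch | default(false)

            - name: Append architecture to APT URL path
              ansible.builtin.set_fact:
                apt_url: "{{ apt_url + [dpkg_architecture.stdout] }}"
              when: sw.url_path_arch | default(false)

        # signed-by restricts this source to the keyring retrieved above.
        - name: Add keyring to APT options
          ansible.builtin.set_fact:
            apt_options: "{{ apt_options + ['signed-by=' + apt_keyring_dir + '/' + apt_keyring_file] }}"

        - name: Create APT source
          ansible.builtin.apt_repository:
            filename: "{{ sw.id }}"
            repo: >-
              deb [{{ apt_options | join(' ') }}]
              {{ apt_url | join('/') }}
              {{ sw.suite | default(ansible_facts.distribution_release) }}
              {{ sw.component | default('main') }}
            mode: "0644"

    - name: Install requested packages
      ansible.builtin.apt:
        name: "{{ sw.packages }}"
      tags: sw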