diff --git a/whisperpine/ansitofu/roles/consul/defaults/main.yml b/whisperpine/ansitofu/roles/consul/defaults/main.yml
index 5c8963f..f2c97a9 100644
--- a/whisperpine/ansitofu/roles/consul/defaults/main.yml
+++ b/whisperpine/ansitofu/roles/consul/defaults/main.yml
@@ -3,13 +3,14 @@ consul_user: "consul"
 consul_group: "consul"
 consul_dependencies:
- - ca-certificates # required by the "ansible.builtin.apt_key" module
- - gnupg # required by the "ansible.builtin.apt_key" module
+ - gnupg
+ - ca-certificates # required by the "ansible.builtin.get_url" module
 - iproute2 # make the "hostvars[inventory_hostname].ansible_default_ipv4.address" fact be gathered
 # Variables used when installing consul.
 consul_gpg_url: https://apt.releases.hashicorp.com/gpg
 consul_repo_url: https://apt.releases.hashicorp.com
+consul_key_file: /etc/apt/keyrings/consul.gpg
 consul_data_dir: "/opt/consul/data"
 consul_config_dir: "/etc/consul.d"
diff --git a/whisperpine/ansitofu/roles/consul/tasks/install.yml b/whisperpine/ansitofu/roles/consul/tasks/install.yml
index 881cbad..5c588a8 100644
--- a/whisperpine/ansitofu/roles/consul/tasks/install.yml
+++ b/whisperpine/ansitofu/roles/consul/tasks/install.yml
@@ -22,14 +22,22 @@
 shell: /usr/sbin/nologin
 system: true
-- name: Add consul gpg key
- ansible.builtin.apt_key:
+- name: Download consul gpg key
+ ansible.builtin.get_url:
 url: "{{ consul_gpg_url }}"
- state: present
+ dest: /tmp/consul.asc
+ mode: "0644"
+
+- name: Convert consul gpg key to binary
+ ansible.builtin.command:
+ cmd: gpg --dearmor -o "{{ consul_key_file }}" /tmp/consul.asc
+ creates: "{{ consul_key_file }}"
 - name: Add HashiCorp apt repository
 ansible.builtin.apt_repository:
- repo: "deb [arch=amd64] {{ consul_repo_url }} {{ ansible_facts['distribution_release'] }} main"
+ repo: >-
+ deb [arch=amd64 signed-by={{ consul_key_file }}]
+ {{ consul_repo_url }} {{ ansible_facts['distribution_release'] }} main
 state: present
 - name: Install consul
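Review bot: The repository signing key in roles/consul/tasks/install.yml is fetched with no integrity pin and staged at the fixed path `/tmp/consul.asc` before `gpg --dearmor`, so whatever the URL serves at provisioning time becomes the trust anchor for every package installed from this repository. apt accepts an ASCII-armored key in `signed-by` when the file name ends in `.asc` (the mongodb role in this commit already relies on that), so the download can go straight to the keyring with `dest: "{{ consul_key_file }}"`, `consul_key_file` ending in `.asc`, and `checksum: "sha256:<expected-digest-of-key>"`. That removes the `/tmp` staging file, the `command` task and the `gnupg` dependency, and it avoids the `creates:` guard that would keep a stale or partially written keyring in place. The same applies to `/tmp/docker.asc` in roles/install_docker/tasks/main.yml, and the mongodb download would benefit from the same `checksum:`.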
diff --git a/whisperpine/ansitofu/roles/install_docker/defaults/main.yml b/whisperpine/ansitofu/roles/install_docker/defaults/main.yml
index 441cea7..4b3a428 100644
--- a/whisperpine/ansitofu/roles/install_docker/defaults/main.yml
+++ b/whisperpine/ansitofu/roles/install_docker/defaults/main.yml
@@ -4,6 +4,7 @@ install_docker_arch: amd64
 # Repository URLs.
 install_docker_gpg_url: https://download.docker.com/linux/ubuntu/gpg
 install_docker_repo_url: https://download.docker.com/linux/ubuntu
+install_docker_key_file: /etc/apt/keyrings/docker.gpg
 # Users to add to the docker group.
 install_docker_users:
@@ -11,11 +12,11 @@ install_docker_users:
 # Dependencies required for installation.
 install_docker_dependencies:
- - apt-transport-https
+ - gnupg
 - ca-certificates
- - curl
+ - apt-transport-https
 - software-properties-common
- - gnupg
+ - curl
 # Docker packages to install.
 install_docker_packages:
diff --git a/whisperpine/ansitofu/roles/install_docker/tasks/main.yml b/whisperpine/ansitofu/roles/install_docker/tasks/main.yml
index 2bcffbd..a49dc3f 100644
--- a/whisperpine/ansitofu/roles/install_docker/tasks/main.yml
+++ b/whisperpine/ansitofu/roles/install_docker/tasks/main.yml
@@ -1,23 +1,28 @@
-- name: Update apt package cache
- ansible.builtin.apt:
- update_cache: true
- cache_valid_time: 3600
- no_log: true
-
 - name: Install required dependencies
 ansible.builtin.apt:
 name: "{{ install_docker_dependencies }}"
 state: present
+ update_cache: true
 no_log: true
-- name: Add Docker GPG key
- ansible.builtin.apt_key:
+- name: Download Docker GPG key
+ ansible.builtin.get_url:
 url: "{{ install_docker_gpg_url }}"
- state: present
+ dest: /tmp/docker.asc
+ mode: "0644"
+
+- name: Convert Docker GPG key to binary
+ ansible.builtin.command:
+ cmd: gpg --dearmor -o "{{ install_docker_key_file }}" /tmp/docker.asc
+ creates: "{{ install_docker_key_file }}"
 - name: Add Docker repository
 ansible.builtin.apt_repository:
- repo: "deb [arch={{ install_docker_arch }}] {{ install_docker_repo_url }} {{ ansible_facts['distribution_release'] }} stable"
+ repo: >-
+ deb [arch={{ install_docker_arch }} signed-by={{ install_docker_key_file }}]
+ {{ install_docker_repo_url }}
+ {{ ansible_facts['distribution_release'] }}
+ stable
 state: present
 filename: docker
diff --git a/whisperpine/ansitofu/roles/mongodb/defaults/main.yml b/whisperpine/ansitofu/roles/mongodb/defaults/main.yml
index 2769960..6ae2e29 100644
--- a/whisperpine/ansitofu/roles/mongodb/defaults/main.yml
+++ b/whisperpine/ansitofu/roles/mongodb/defaults/main.yml
@@ -1,11 +1,11 @@
 mongodb_dependencies:
- - ca-certificates # required by the "ansible.builtin.apt_key" module
- - gnupg # required by the "ansible.builtin.apt_key" module
+ - ca-certificates # required by the "ansible.builtin.get_url" module
 - iproute2 # make the "hostvars[inventory_hostname].ansible_default_ipv4.address" fact be gathered
 - cron # required by the "ansible.builtin.cron" module
 mongodb_version: "8.0"
 mongodb_repo_url: https://repo.mongodb.org/apt/ubuntu
+mongodb_key_file: /etc/apt/keyrings/mongodb.asc
 mongodb_port: 27017
 mongodb_repl_set: rs0
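Review bot: Hosts already provisioned by the previous version of roles/install_docker/tasks/main.yml keep the old `deb [arch=…] …` entry, because `apt_repository` with `state: present` would add the new `signed-by` line next to it rather than replace it. apt can then reject the source for conflicting Signed-By values, and the key that `apt_key` imported earlier stays in the global trusted keyring, where it is accepted for every repository, so the scoping this change introduces has no effect on those hosts. A cleanup task ahead of "Add Docker repository" that declares the previous repo string with `state: absent` closes the first gap; removing the old key needs its key id, which is not visible in this diff. The consul and mongodb roles changed in this commit look to have the same migration gap.

```yaml
- name: Remove legacy Docker repository entry without signed-by
  ansible.builtin.apt_repository:
    repo: "deb [arch={{ install_docker_arch }}] {{ install_docker_repo_url }} {{ ansible_facts['distribution_release'] }} stable"
    state: absent
    filename: docker

# … unchanged: "Add Docker repository" task with the signed-by entry …
```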
diff --git a/whisperpine/ansitofu/roles/mongodb/tasks/install.yml b/whisperpine/ansitofu/roles/mongodb/tasks/install.yml
index e114c28..573fce6 100644
--- a/whisperpine/ansitofu/roles/mongodb/tasks/install.yml
+++ b/whisperpine/ansitofu/roles/mongodb/tasks/install.yml
@@ -5,15 +5,19 @@
 update_cache: true
 no_log: true
-- name: Add mongodb gpg key
- ansible.builtin.apt_key:
+- name: Download mongodb gpg key
+ ansible.builtin.get_url:
 url: https://pgp.mongodb.com/server-{{ mongodb_version }}.asc
- state: present
- no_log: true
+ dest: "{{ mongodb_key_file }}"
+ mode: "0644"
 - name: Add mongodb repository
 ansible.builtin.apt_repository:
- repo: "deb [arch=amd64] {{ mongodb_repo_url }} {{ ansible_facts['distribution_release'] }}/mongodb-org/{{ mongodb_version }} multiverse"
+ repo: >-
+ deb [arch=amd64 signed-by={{ mongodb_key_file }}]
+ {{ mongodb_repo_url }}
+ {{ ansible_facts['distribution_release'] }}/mongodb-org/{{ mongodb_version }}
+ multiverse
 state: present
 - name: Install mongodb
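Review bot: Nothing visible in this hunk creates `/etc/apt/keyrings` before `get_url` writes `{{ mongodb_key_file }}` into it, and `get_url` does not create missing parent directories, so the download fails on releases that do not ship that directory. A directory task before the download makes this explicit and also pins the owner and mode of the directory that holds the repository's trust anchor. The consul and install_docker roles write to the same directory through `gpg --dearmor -o` and need the same guard. The task list starts before this hunk, so the directory may already be handled there.

```yaml
- name: Ensure apt keyrings directory exists
  ansible.builtin.file:
    path: "{{ mongodb_key_file | dirname }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

# … unchanged: "Download mongodb gpg key" task …
```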