---
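# Merge the caller's repo_config over the role defaults. combine(recursive=True)
# deep-merges nested mappings but replaces list values wholesale, so a caller
# that sets keyrings / legacy_paths / entries must give each list in full.
- name: Normalize apt repo config
  ansible.builtin.set_fact:
    apt_repo_config: "{{ {
      'key_dir': '/etc/apt/keyrings',
      'enable_universe': false,
      'auto_update_cache': true,
      'keyrings': [],
      'legacy_paths': [],
      'entries': []
    } | combine(repo_config | default({}), recursive=True) }}"

# repo.name is interpolated into root-owned paths under key_dir (<name>.asc,
# <name>.gpg) and into the sources.list.d filename. Restrict it to a plain
# filename token (no '/', no leading '.', no whitespace) before anything is
# written, so a malformed or hostile entry cannot steer writes outside
# /etc/apt. Keyring entries use their own name/dest and are not checked here.
- name: Validate apt repo entry names
  ansible.builtin.assert:
    that:
      - repo.name is defined
      - (repo.name | string) is match('^[A-Za-z0-9][A-Za-z0-9._-]*$')
    fail_msg: "apt repo entry name must match ^[A-Za-z0-9][A-Za-z0-9._-]*$ (got: {{ repo.name | default('<undefined>') }})"
    quiet: true
  loop: "{{ apt_repo_config.entries | default([]) }}"
  loop_control:
    loop_var: repo
    label: "{{ repo.name | default('<unnamed>') }}"
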
# 0) One keyring location for every key this role manages
- name: Ensure keyring dir exists
  become: true
  ansible.builtin.file:
    path: "{{ apt_repo_config.key_dir }}"
    state: directory
    # root-owned, world-readable, not group/world-writable: apt reads the
    # keyrings unprivileged, only root may add or replace a trust anchor.
    owner: root
    group: root
    mode: "0755"

# 0.1) gpg is required by the --dearmor step below
- name: Ensure gnupg is present for dearmor
  become: true
  ansible.builtin.apt:
    name: gnupg
    state: present
    # No cache refresh on purpose: the repository set has not been cleaned up
    # yet at this point. NOTE(review): on an image whose apt lists are empty
    # this install fails until a cache update runs — confirm the base images
    # ship with a populated cache or move gnupg into the image build.
    update_cache: false

# 0.2) Declarative keyring management: one include of manage_keyring.yml per
#      declared keyring. An empty keyrings list simply yields no iterations.
- name: "Manage declared apt keyrings"
  ansible.builtin.include_tasks: manage_keyring.yml
  loop: "{{ apt_repo_config.keyrings | default([]) }}"
  loop_control:
    loop_var: apt_keyring
    label: "{{ apt_keyring.name | default(apt_keyring.dest | default('custom-keyring')) }}"
  vars:
    # Resolved defaults handed to the included file. dest and asc_path fall
    # back to <key_dir>/<name>.gpg and <key_dir>/<name>.asc, so a keyring
    # entry that sets neither name nor dest has no usable default path.
    keyring_state: "{{ apt_keyring.state | default('present') }}"
    keyring_dest: "{{ apt_keyring.dest | default(apt_repo_config.key_dir ~ '/' ~ apt_keyring.name ~ '.gpg') }}"
    keyring_ascii: "{{ apt_keyring.asc_path | default(apt_repo_config.key_dir ~ '/' ~ apt_keyring.name ~ '.asc') }}"
  tags: [repo, baseline]

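# 1) Remove leftovers from earlier layouts (old .list files, keys dropped into
#    trusted.gpg.d, ...). These paths are deleted recursively as root, so refuse
#    anything that is not an absolute path, and refuse '/' itself: a typo or an
#    empty string in repo_config must not wipe the filesystem or delete relative
#    to the remote user's working directory.
- name: Refuse unsafe legacy paths
  ansible.builtin.assert:
    that:
      - item is string
      - item is match('/')
      - item | regex_replace('/+$', '') | length > 0
    fail_msg: "legacy_paths entries must be absolute paths other than '/' (got: {{ item }})"
    quiet: true
  loop: "{{ apt_repo_config.legacy_paths | default([]) }}"

- name: Remove legacy repo/keyring paths
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop: "{{ apt_repo_config.legacy_paths | default([]) }}"
  become: true
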
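# 2) Optional Ubuntu 'universe' component
- name: Enable Ubuntu 'universe' component (Ubuntu only)
  ansible.builtin.apt_repository:
    # Plain http is what the Ubuntu archive itself uses; integrity comes from
    # the signed Release file (ubuntu-keyring in trusted.gpg.d), not from the
    # transport, which is why no signed-by is given here. Using
    # ansible_facts.distribution_release (not the injected
    # ansible_distribution_release alias) keeps this consistent with the
    # `when` below and works when inject_facts_as_vars is disabled.
    repo: "deb http://archive.ubuntu.com/ubuntu {{ ansible_facts.distribution_release }} main universe"
    state: present
    filename: "ubuntu-{{ ansible_facts.distribution_release }}-universe"
  # NOTE(review): releases that ship deb822 sources
  # (/etc/apt/sources.list.d/ubuntu.sources) usually have universe enabled
  # already; this adds a second, redundant source line there — verify on the
  # target release before enabling.
  when:
    - ansible_facts.distribution == 'Ubuntu'
    - apt_repo_config.enable_universe | default(false) | bool
  become: true
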
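# 3) Per repository: fetch key (optional) -> dearmor (optional) -> write .list with signed-by
- name: "Fetch ASCII key (if key_url provided)"
  ansible.builtin.get_url:
    url: "{{ repo.key_url }}"
    dest: "{{ apt_repo_config.key_dir }}/{{ repo.name }}.asc"
    mode: "0644"
    # The downloaded key becomes the trust anchor for every package from this
    # repo. Pin it: set repo.key_checksum (e.g. "sha256:<hex>") and get_url
    # rejects a download whose digest differs. Without it this is
    # trust-on-first-use over TLS (validate_certs defaults to true; keep
    # key_url on https).
    checksum: "{{ repo.key_checksum | default(omit) }}"
  # get_url does not re-download once dest exists (force defaults to false),
  # so a rotated upstream key is only picked up after the old .asc/.gpg are
  # removed via legacy_paths or repo.cleanup.
  when: repo.key_url is defined and repo.key_url | length > 0
  loop: "{{ apt_repo_config.entries | default([]) }}"
  loop_control:
    loop_var: repo
    label: "{{ repo.name }}"
  become: true
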
- name: "Dearmor key"
|
||
ansible.builtin.command:
|
||
cmd: "gpg --dearmor -o {{ apt_repo_config.key_dir }}/{{ repo.name }}.gpg {{ apt_repo_config.key_dir }}/{{ repo.name }}.asc"
|
||
creates: "{{ apt_repo_config.key_dir }}/{{ repo.name }}.gpg"
|
||
when: repo.key_url is defined and repo.key_url | length > 0
|
||
loop: "{{ apt_repo_config.entries | default([]) }}"
|
||
loop_control:
|
||
loop_var: repo
|
||
label: "{{ repo.name }}"
|
||
become: true
|
||
|
||
- name: "Ensure keyring permission"
|
||
ansible.builtin.file:
|
||
path: "{{ (repo.signed_by | default(apt_repo_config.key_dir ~ '/' ~ repo.name ~ '.gpg')) }}"
|
||
owner: root
|
||
group: root
|
||
mode: '0644'
|
||
state: file
|
||
when: (repo.key_url is defined and repo.key_url | length > 0) or (repo.signed_by is defined)
|
||
loop: "{{ apt_repo_config.entries | default([]) }}"
|
||
loop_control:
|
||
loop_var: repo
|
||
label: "{{ repo.name }}"
|
||
become: true
|
||
|
||
- name: "Cleanup repo specific paths"
|
||
when: repo.cleanup is defined and (repo.cleanup | length > 0)
|
||
become: true
|
||
loop: "{{ apt_repo_config.entries | default([]) }}"
|
||
loop_control:
|
||
loop_var: repo
|
||
label: "{{ repo.name }}"
|
||
block:
|
||
- name: "Cleanup repo specific path"
|
||
ansible.builtin.file:
|
||
path: "{{ item }}"
|
||
state: absent
|
||
loop: "{{ repo.cleanup }}"
|
||
loop_control:
|
||
label: "{{ repo.name }} -> {{ item }}"
|
||
|
||
- name: "Add classic .list repo with signed-by"
|
||
ansible.builtin.apt_repository:
|
||
repo: >-
|
||
deb [signed-by={{ repo.signed_by | default(apt_repo_config.key_dir ~ '/' ~ repo.name ~ '.gpg') }}]
|
||
{{ repo.uri }} {{ repo.suite }} {{ (repo.components | default(['main'])) | join(' ') }}
|
||
filename: "{{ repo.name }}"
|
||
state: "{{ (repo.enabled | default(false) | bool) | ternary('present','absent') }}"
|
||
when: repo.enabled | default(false) | bool
|
||
loop: "{{ apt_repo_config.entries | default([]) }}"
|
||
loop_control:
|
||
loop_var: repo
|
||
label: "{{ repo.name }}"
|
||
become: true
|
||
|
||
# 4) Single cache refresh once all sources are in place (controlled by
#    auto_update_cache, which defaults to true in the normalized config)
- name: Update apt cache after repo setup
  become: true
  ansible.builtin.apt:
    update_cache: true
  when: apt_repo_config.auto_update_cache | default(false) | bool