From c0ad22b6ec97ebc85abaf59dfe9255bf529ff0da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Thu, 7 Mar 2024 16:33:38 +0100
Subject: [PATCH] style: use deb822 format and remove deprecated apt_key
 (resolves #2233 / ND-2723)

---
 molecule/resources/playbooks/prepare.yml | 112 ++++++++++++++++++-----
 1 file changed, 88 insertions(+), 24 deletions(-)

diff --git a/molecule/resources/playbooks/prepare.yml b/molecule/resources/playbooks/prepare.yml
index 77c4fdf..0590c79 100644
--- a/molecule/resources/playbooks/prepare.yml
+++ b/molecule/resources/playbooks/prepare.yml
@@ -1,30 +1,94 @@
 ---
 - name: Prepare
   hosts: "*"
-  tasks:
-    - name: install GPG
-      ansible.builtin.apt:
-        name: "gnupg"
-        state: latest
-        update_cache: true
-      become: true
-    - name: add non-free repos to be able to install libmath-random-perl from Debian public repo
-      ansible.builtin.replace:
-        path: "/etc/apt/sources.list"
-        regexp: '^(.*) main$'
-        replace: '\g<1> main non-free'
-      become: true
-    - name: add GPG key for SLUB Debian repository
-      ansible.builtin.apt_key:
-        # url: "https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key"
-        url: "http://bdv141.slub-dresden.de/deb-repository/pub.gpg.key"
-        state: present
+  pre_tasks:
+    - name: configure additional package repositories for Debian
+      when: ansible_os_family == "Debian"
+      block:
+      - name: install GPG
+        ansible.builtin.apt:
+          name: "gnupg"
+          state: latest
+          update_cache: true
+        become: true
+      - name: modify package repo config
+        ansible.builtin.deb822_repository:
+          architectures: "amd64"
+          components: "{{ item.components | default('main') }}"
+          enabled: "{{ item.enabled | default(true) }}"
+          name: "{{ item.name }}"
+          pdiffs: true
+          signed_by: "{{ item.signed_by }}"
+          suites: "{{ item.suites | default(ansible_lsb.codename) }}"
+          uris: "{{ item.uris }}"
+        loop:
+          # PC @steidl with local Debian repo for SubAp tests
+          - name: "bdv141"
+            signed_by: "http://bdv141.slub-dresden.de/deb-repository/pub.gpg.key"
+            suites: "lza-testing"
+            uris: "http://bdv141.slub-dresden.de/deb-repository"
+          # on-prem Debian Repo
+          - name: "slub"
+            signed_by: "https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key"
+            uris: "https://sdvdebianrepo.slub-dresden.de/deb-repository"
+          # add non-free repos to be able to install libmath-random-perl from official Debian public repo
+          - name: "debian"
+            components: ["main", "non-free"]
+            signed_by: "/usr/share/keyrings/debian-archive-keyring.gpg"
+            suites: ["{{ ansible_lsb.codename }}", "{{ ansible_lsb.codename }}-updates"]
+            uris: "http://deb.debian.org/debian"
+        notify: update package cache
+        become: true
+
+    - name: configure additional package repositories for RedHat
+      when: ansible_os_family == "RedHat"
+      block:
+      - name: add custom repositories
+        ansible.builtin.yum_repository:
+          name: "{{ item.name }}"
+          description: "{{ item.description }}"
+          baseurl: "{{ item.baseurl }}"
+          gpgcheck: "{{ item.gpgcheck | default('true') }}"
+          gpgkey: "{{ item.gpgkey | default(omit) }}"
+        loop:
+          - name: "epel"
+            description: EPEL YUM repo
+            baseurl: "https://download.fedoraproject.org/pub/epel/{{ ansible_distribution_major_version }}/x86_64/"
+            gpgkey: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
+          - name: "slub"
+            description: SLUB YUM repo
+            baseurl: "https://sdvrhelrepo.slub-dresden.de/"
+            gpgcheck: "false"
+        notify: update package cache
+      - name: remove legacy repo configuration to avoid double configuration for SLUB repo
+        ansible.builtin.file:
+          path: "/etc/yum.repos.d/SLUB.repo"
+          state: absent
+        notify: update package cache
+
+    # Ansible roles can install a multitude of firewall rules, some of which
+    # will lock us out of our Molecule test VM if we don't take precautions.
+    # As Molecule itself uses SSH just like Ansible, we need to open port
+    # tcp/22 to the private /24 subnet that Vagrant uses when provisioning the
+    # VM. As we don't know for sure what the address for this subnet is and it
+    # can change across servers/platforms, we gather this information
+    # dynamically and filter it through `ipaddr` to get the address of the
+    # whole subnet. The rule is inserted right on top of the list to make sure
+    # we always get access.
+    - name: add firewall rule to allow access from Molecule host into testing VM
+      ansible.builtin.iptables:
+        action: insert
+        rule_num: 1
+        chain: INPUT
+        comment: "molecule access"
+        jump: "ACCEPT"
+        protocol: tcp
+        source: "{{ ansible_default_ipv4.address | ansible.utils.ipaddr('network') }}/24"
+        destination_port: "22"
       become: true
-    - name: add repo URL to sources.list
-      ansible.builtin.apt_repository:
-        # repo: "deb https://sdvdebianrepo.slub-dresden.de/deb-repository bullseye main"
-        repo: "deb http://bdv141.slub-dresden.de/deb-repository lza-testing main"
-        state: present
+
+  handlers:
+    - name: update package cache
+      ansible.builtin.package:
         update_cache: true
-        mode: "0644"
       become: true
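Review bot: The `bdv141` loop item under `modify package repo config` fetches both its `signed_by` key and its `uris` over plain `http://`, so the key meant to authenticate the repository is itself unauthenticated, and anyone on the network path can replace the key and the packages together. Serving that key over HTTPS, or committing it next to the playbook and pointing `signed_by` at the copied file, would close this gap. In the RedHat block the `slub` item sets `gpgcheck: "false"`, which leaves TLS as the only integrity check on those packages; adding a `gpgkey:` entry for that repo and dropping the override would match how `epel` is handled. The RedHat tasks also carry no `become: true`, while the Debian tasks and the handler do, and no play-level `become` is visible, so they presumably fail for a non-root connection user.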
-- 
GitLab