style: use deb822 format and remove deprecated apt_key (resolves #2233 / ND-2723)

.gitlab-ci.yml

@@ -16,24 +16,30 @@ default:
     - source /opt/molecule/bin/activate
     - molecule destroy --scenario-name default
 
+variables:
+  SCENARIO: "default"
+  ANSIBLE_VAULT_PASSWORD_FILE: "${CI_PROJECT_DIR}/molecule/${SCENARIO}/../../../lza_repair.pass"
+  ANSIBLE_FORCE_COLOR: 'true'
+  PY_COLORS: '1'
+
 test-job:
   stage: test
   tags:
     - "shell"
   script:
     # make sure that Ansible Vaults are present and can be decrypted
-    - echo "${VAULT_REPAIR}" > ../../../lza_repair.pass
-    - export ANSIBLE_VAULT_IDENTITY_LIST="../../../lza_repair.pass"
+    - echo "${VAULT_REPAIR}" > ${ANSIBLE_VAULT_PASSWORD_FILE}
+    - export ANSIBLE_VAULT_IDENTITY_LIST="${ANSIBLE_VAULT_PASSWORD_FILE}"
     - rm -rf ../ansible_vaults/
     - git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/; \
     # run Molecule tests
-    - molecule syntax --scenario-name default
+    - molecule syntax --scenario-name ${SCENARIO}
     # We cannot use `molecule lint` anymore because:
     # - https://github.com/ansible-community/molecule/pull/3802 "Remove lint command"
     # - https://github.com/ansible-community/molecule/discussions/3825#discussioncomment-4908366
     - yamllint --strict --format colored ./
     - ansible-lint --format full --profile production --strict --force-color ./
-    - molecule create --scenario-name default
-    - molecule converge --scenario-name default
-    - molecule idempotence --scenario-name default
-    # - molecule verify --scenario-name default
+    - molecule create --scenario-name ${SCENARIO}
+    - molecule converge --scenario-name ${SCENARIO}
+    - molecule idempotence --scenario-name ${SCENARIO}
+    # - molecule verify --scenario-name ${SCENARIO}

meta/main.yml

@@ -8,7 +8,7 @@ galaxy_info:
   # If the issue tracker for your role is not on github, uncomment the next line and provide a value issue_tracker_url: http://example.com/issue/tracker Some suggested licenses: - BSD
   # (default) - MIT - GPLv2 - GPLv3 - Apache - CC-BY
   license: public domain
-  min_ansible_version: "2.4"
+  min_ansible_version: "2.10"
   # If this a Container Enabled role, provide the minimum Ansible Container version. min_ansible_container_version: Optionally specify the branch Galaxy will use when accessing the GitHub repo
   # for this role. During role install, if no tags are available, Galaxy will use this branch. During import Galaxy will access files on this branch. If Travis integration is configured, only
   # notifications for this branch will be accepted. Otherwise, in all cases, the repo's default branch (usually master) will be used. github_branch:
@@ -23,6 +23,7 @@ galaxy_info:
       versions:
         - "buster"
         - "bullseye"
+        - "bookworm"
   galaxy_tags: []
     # List tags for your role here, one per line. A tag is a keyword that describes and categorizes the role. Users find roles by searching for tags. Be sure to remove the '[]' above, if you
     # add tags to this list.

molecule/resources/playbooks/prepare.yml

@@ -9,24 +9,24 @@
     - name: configure additional package repositories for Debian
       when: ansible_os_family == "Debian"
       block:
-        - name: install GPG
-          ansible.builtin.apt:
-            name: "gnupg"
-            state: latest
-            update_cache: true
-          become: true
-        - name: add GPG key for SLUB Debian repository
-          ansible.builtin.apt_key:
-            url: "https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key"
-            state: present
-          become: true
-        - name: add repo URL to sources.list
-          ansible.builtin.apt_repository:
-            repo: "deb https://sdvdebianrepo.slub-dresden.de/deb-repository bookworm main"
-            state: present
-            update_cache: true
-            mode: "0644"
-          become: true
+      - name: install GPG
+        ansible.builtin.apt:
+          name: "gnupg"
+          state: latest
+          update_cache: true
+        become: true
+      - name: add custom repo for SLUB's custom Debian repo
+        ansible.builtin.deb822_repository:
+          architectures: "amd64"
+          components: "main"
+          enabled: true
+          name: "slub"
+          pdiffs: true
+          signed_by: "https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key"
+          suites: "{{ ansible_lsb.codename }}"
+          uris: "https://sdvdebianrepo.slub-dresden.de/deb-repository"
+        notify: update package cache
+        become: true
     - name: install tooling before running the actual tests, so we're not bound by the fixed versions
       ansible.builtin.apt:
         name: [
@@ -38,25 +38,54 @@
       become: true
 
     - name: configure additional package repositories for RedHat
-      when: ansible_os_family == "RedHat"
       block:
-        - name: add custom repositories
-          ansible.builtin.yum_repository:
-            name: "{{ item.name }}"
-            description: "{{ item.description }}"
-            baseurl: "{{ item.baseurl }}"
-            gpgcheck: "{{ item.gpgcheck | default('true') }}"
-            gpgkey: "{{ item.gpgkey | default(omit) }}"
-          loop:
-            - name: "epel"
-              description: EPEL YUM repo
-              baseurl: "https://download.fedoraproject.org/pub/epel/{{ ansible_distribution_major_version }}/x86_64/"
-              gpgkey: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
-            - name: "slub"
-              description: SLUB YUM repo
-              baseurl: "http://sdvrhelrepo.slub-dresden.de/"
-              gpgcheck: "false"
-        - name: remove legacy repo configuration to avoid double configuration for SLUB repo
-          ansible.builtin.file:
-            path: "/etc/yum.repos.d/SLUB.repo"
-            state: absent
+      - name: add custom repositories
+        ansible.builtin.yum_repository:
+          name: "{{ item.name }}"
+          description: "{{ item.description }}"
+          baseurl: "{{ item.baseurl }}"
+          gpgcheck: "{{ item.gpgcheck | default('true') }}"
+          gpgkey: "{{ item.gpgkey | default(omit) }}"
+        loop:
+          - name: "epel"
+            description: EPEL YUM repo
+            baseurl: "https://download.fedoraproject.org/pub/epel/{{ ansible_distribution_major_version }}/x86_64/"
+            gpgkey: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
+          - name: "slub"
+            description: SLUB YUM repo
+            baseurl: "https://sdvrhelrepo.slub-dresden.de/"
+            gpgcheck: "false"
+        notify: update package cache
+      - name: remove legacy repo configuration to avoid double configuration for SLUB repo
+        ansible.builtin.file:
+          path: "/etc/yum.repos.d/SLUB.repo"
+          state: absent
+        notify: update package cache
+      when: ansible_os_family == "RedHat"
+
+    # Ansible roles can install a multitude of firewall rules, some of which
+    # will lock us out of our Molecule test VM if we don't take precautions.
+    # As Molecule itself uses SSH just like Ansible, we need to open port
+    # tcp/22 to the private /24 subnet that Vagrant uses when provisioning the
+    # VM. As we don't know for sure what the address for this subnet is and it
+    # can change across servers/platforms, we gather this information
+    # dynamically and filter it through `ipaddr` to get the address of the
+    # whole subnet. The rule is inserted right on top of the list to make sure
+    # we always get access.
+    - name: add firewall rule to allow access from Molecule host into testing VM
+      ansible.builtin.iptables:
+        action: insert
+        rule_num: 1
+        chain: INPUT
+        comment: "molecule access"
+        jump: "ACCEPT"
+        protocol: tcp
+        source: "{{ ansible_default_ipv4.address | ansible.utils.ipaddr('network') }}/24"
+        destination_port: "22"
+      become: true
+
+  handlers:
+    - name: update package cache
+      ansible.builtin.package:
+        update_cache: true
+      become: true

site.yml

@@ -4,9 +4,9 @@
   pre_tasks:
     - name: Verify that the installed version of Ansible meets this playbook's version requirements.
       ansible.builtin.assert:
-        that: "ansible_version.full is version_compare('2.5', '>=')"
+        that: "ansible_version.full is version_compare('2.10', '>=')"
         msg: >
-          "You must update Ansible to at least 2.5 to use this playbook."
+          "You must update Ansible to at least 2.10 to use this playbook."
   # Collect facts from remote system? Possible values: true, false
   gather_facts: true
   # Gather only certain subsects of facts. Ansible supports network, hardware, virtual, facter, ohai as subset.

tasks/install-packages.yml

@@ -3,6 +3,7 @@
   ansible.builtin.apt:
     state: present
     name: [
+      'gpg',
       'logrotate',
       'lsb-release',
       'nfs-common',
@@ -15,5 +16,5 @@
       'tar',
       'unzip'
     ]
-    update_cache: "yes"
+    update_cache: true
     autoremove: true

tasks/install-repair-tools.yml

 ---
-- name: configure Debian repositories
-  when: "ansible_facts['distribution'] == 'Debian'"
+- name: add custom repo for SLUB's custom Debian repo
+  ansible.builtin.deb822_repository:
+    architectures: "amd64"
+    components: "main"
+    enabled: true
+    name: "slub"
+    pdiffs: true
+    signed_by: "{{ vault_debrepo_url }}deb-repository/pub.gpg.key"
+    suites: "{{ ansible_lsb.codename }}"
+    uris: "{{ vault_debrepo_url }}deb-repository"
+  when: "ansible_os_family == 'Debian'"
+
+- name: remove legacy apt-keys/sources
+  when: "ansible_os_family == 'Debian'"
   block:
     - name: öffentlichen Schlüssel hinzufügen (sonst muss bei jeder Installation eine Warnmeldung bestätigt werden)
       ansible.builtin.apt_key:
         url: "{{ vault_debrepo_url }}deb-repository/pub.gpg.key"
-        state: present
-      when: ansible_distribution_major_version == '11'
+        state: absent
       tags: [apt, aptkey]
     - name: SLUB-lokales Debian-Repository für Installation der SubApp in /etc/apt/sources.list.d/ eintragen
       ansible.builtin.apt_repository:
         repo: "deb {{ vault_debrepo_url }}deb-repository bullseye main"
-        state: present
-        update_cache: "yes"
-        mode: "0644"
-      when: ansible_distribution_major_version == '11'
+        state: absent
       tags: [apt]
 
 - name: install repairtool dependencies from local Debian repo server (if we're running in prod)