diff --git a/CHANGELOG.md b/CHANGELOG.md
index e6f1831d..024c0c50 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
+* apt: add move-apt-keyrings script/tasks
 * nagios-nrpe: Print pool config path in check_phpfpm_multi output
 * nagios-nrpe: add tasks/files for a wrapper
 * fail2ban: add "Internal login failure" to Dovecot filter
diff --git a/apt/files/move-apt-keyrings.sh b/apt/files/move-apt-keyrings.sh
new file mode 100644
index 00000000..3283c4ee
--- /dev/null
+++ b/apt/files/move-apt-keyrings.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+ # Move apt repository key from /etc/apt/trusted.gpg.d/ to /etc/apt/keyrings/ and add "signed-by" tag in source list
+ #
+ # Example: move-apt-keyrings.sh http://repo.mongodb.org/apt/debian mongodb-server-[0-9\\.]+.asc
+
+ repository_pattern=$1
+ key=$2
+
+ found_files=$(grep --files-with-matches --recursive --extended-regexp "${repository_pattern}" "/etc/apt/sources.list.d/")
+
+ old_key_file="/etc/apt/trusted.gpg.d/${key}"
+ new_key_file="/etc/apt/keyrings/${key}"
+
+ for file in ${found_files}; do
+ if ! grep --quiet "signed-by" "${file}"; then
+ signed_by="signed-by=${new_key_file}"
+ if grep --quiet "deb(-src)? \[" "${file}"; then
+ sed -i "s@deb\(-src\)\? \[\([^]]\+\)\]@deb\1 [\2 ${signed_by}]@" "${file}"
+ else
+ sed -i "s@deb\(-src\)\? @deb\1 [${signed_by}] @" "${file}"
+ fi
+ fi
+ done
+
+ if [ -f "${old_key_file}" ] && [ ! -f "${new_key_file}" ]; then
+ mv "${old_key_file}" "${new_key_file}"
+ fi
+ if [ -f "${new_key_file}" ]; then
+ chmod 644 "${new_key_file}"
+ chown root: "${new_key_file}"
+ fi
diff --git a/apt/tasks/move-apt-keyring.yml b/apt/tasks/move-apt-keyring.yml
new file mode 100644
index 00000000..cf74c53e
--- /dev/null
+++ b/apt/tasks/move-apt-keyring.yml
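Review bot: The `deb(-src)? \[` test in the inner `grep --quiet` never matches, because without `--extended-regexp` the parentheses and `?` are literal in grep's basic regex, so the branch that merges `signed-by` into an existing `[...]` option block is dead and a `deb [arch=amd64] https://...` line ends up as `deb [signed-by=...] [arch=amd64] https://...`, which apt does not parse; the one-line fix is `if grep --quiet --extended-regexp "deb(-src)? \[" "${file}"; then`. The `key` argument is also used as a literal file name in `old_key_file`/`new_key_file`, while the header example and the mongodb entry in apt/tasks/move-apt-keyring.yml pass a regex (`mongodb-server-[0-9\\.]+.asc`), so for that entry no key is moved but the sources list is still rewritten with a `signed-by=` path that does not exist, and apt will then refuse the repository as unsigned. Resolving the key argument to a real file before any sources file is edited, and leaving the sources alone when nothing matches, avoids that (sketched below; it exits 0 so hosts that do not use a given repository keep passing the calling task's loop). `for file in ${found_files}` also relies on word-splitting of grep's output, and the script has neither `set -e` nor an argument check — `: "${1:?repository pattern}" "${2:?key file name}"` near the top would make a bad invocation fail loudly instead of matching every sources file with an empty pattern and rewriting it with an empty `signed-by`.
```sh
# … unchanged: argument assignment and found_files …
# Resolve the key argument (a literal name or, as in the header example,
# a regex) to one existing file before any sources list is touched.
old_key_file=$(find /etc/apt/trusted.gpg.d/ /etc/apt/keyrings/ -maxdepth 1 -type f 2>/dev/null \
  | grep --extended-regexp "/${key}\$" | head -n 1)
if [ -z "${old_key_file}" ]; then
  printf 'no key file matching %s, sources left untouched\n' "${key}" >&2
  exit 0
fi
new_key_file="/etc/apt/keyrings/${old_key_file##*/}"
# … unchanged: sources.list.d loop (with --extended-regexp on the deb(-src)? test), mv, chmod, chown …
```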
@@ -0,0 +1,36 @@
+---
+- name: New APT keyrings directory is present
+ file:
+ path: /etc/apt/keyrings
+ state: directory
+ mode: "0755"
+ owner: root
+ group: root
+
+- name: migration script is present
+ copy:
+ src: move-apt-keyrings.sh
+ dest: /root/move-apt-keyrings.sh
+ mode: "0755"
+ owner: root
+ group: root
+
+- name: Move repository signing key
+ command: "/root/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
+ loop:
+ - { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
+ - { repository_pattern: "https://artifacts.elastic.co/packages/[^/]+/apt", key: "elastics.asc" }
+ - { repository_pattern: "https://download.docker.com/linux/debian", key: "docker-debian.asc" }
+ - { repository_pattern: "https://downloads.linux.hpe.com/SDR/repo/mcp", key: "hpePublicKey2048_key1.asc" }
+ - { repository_pattern: "http://pkg.jenkins-ci.org/debian-stable", key: "jenkins.asc" }
+ - { repository_pattern: "https://packages.sury.org/php/", key: "sury.gpg" }
+ - { repository_pattern: "http://repo.mongodb.org/apt/debian", key: "mongodb-server-[0-9\\.]+.asc" }
+ - { repository_pattern: "http://apt.newrelic.com/debian/", key: "newrelic.asc" }
+ - { repository_pattern: "https://deb.nodesource.com/", key: "nodesource.asc" }
+ - { repository_pattern: "https://dl.yarnpkg.com/debian/", key: "yarn.asc" }
+ - { repository_pattern: "http://apt.postgresql.org/pub/repos/apt/", key: "postgresql.asc" }
+ register: _cmd
+
+- name: Debug command
+ debug:
+ var: _cmd
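Review bot: The `Move repository signing key` task runs the script for all eleven loop items on every play and the script prints nothing, so the task reports `changed` each time and the following `debug: var: _cmd` dumps every result unconditionally. Once the script prints what it actually moved or rewrote, `changed_when: _cmd.stdout | length > 0` (inside a loop the registered name refers to the current item's result) keeps repeated runs honest, and `verbosity: 1` on the debug task keeps it quiet in normal runs. The regex-valued arguments (`[^/]+`, `[0-9\\.]+`) are only protected by the escaped double quotes inside the `command` string; the module's `argv:` list form passes `{{ item.repository_pattern }}` and `{{ item.key }}` as whole arguments without relying on that quoting. The copy of the script left at `/root/move-apt-keyrings.sh` after the migration is presumably intentional, but a comment on the copy task saying so would help the next reader.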