Install deb822 sources on Debian >=12

docker-host/tasks/main.yml

@@ -1,7 +1,7 @@
 # This role installs the docker daemon
 ---
 - name: Remove older docker packages
-  apt:
+  ansible.builtin.apt:
     name:
       - docker
       - docker-engine
@@ -9,21 +9,21 @@
     state: absent
 
 - name: Install source requirements
-  apt:
+  ansible.builtin.apt:
     name:
       - ca-certificates
       - gnupg2
     state: present
 
 - name: Install apt-transport-https (Debian <10)
-  apt:
+  ansible.builtin.apt:
     name:
       - apt-transport-https
     state: present
   when: ansible_distribution_major_version is version('10', '<')
 
 - name: Add Docker's official GPG key
-  copy:
+  ansible.builtin.copy:
     src: docker-debian.asc
     dest: "{{ apt_keyring_dir }}/docker-debian.asc"
     force: yes
@@ -32,10 +32,11 @@
     group: root
 
 - name: Add Docker repository (Debian <12)
-  apt_repository:
+  ansible.builtin.apt_repository:
     repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
-    filename: docker.list
+    filename: docker
     state: present
+    update_cache: yes
   when: ansible_distribution_major_version is version('12', '<')
 
 - name: Add Docker repository (Debian >=12)
@@ -43,43 +44,48 @@
     src: docker.sources.j2
     dest: /etc/apt/sources.list.d/docker.sources
     state: present
+  register: docker_sources
   when: ansible_distribution_major_version is version('12', '>=')
 
+- name: Update APT cache
+  ansible.builtin.apt:
+    update_cache: yes
+  when: docker_sources is changed
+
 - name: Install Docker
-  apt:
+  ansible.builtin.apt:
     name:
       - docker-ce
       - docker-ce-cli
       - containerd.io
-    update_cache: yes
 
 - name: python-docker is installed
-  apt:
+  ansible.builtin.apt:
     name: python-docker
     state: present
   when: ansible_python_version is version('3', '<')
 
 - name: python3-docker is installed
-  apt:
+  ansible.builtin.apt:
     name: python3-docker
     state: present
   when: ansible_python_version is version('3', '>=')
 
 - name: Copy Docker daemon configuration file
-  template:
+  ansible.builtin.template:
     src: daemon.json.j2
     dest: /etc/docker/daemon.json
   notify: restart docker
 
 - name: Creating Docker tmp directory
-  file:
+  ansible.builtin.file:
     path: "{{ docker_tmpdir }}"
     state: directory
     mode: "0644"
     owner: root
 
 - name: Creating Docker TLS directory
-  file:
+  ansible.builtin.file:
     path: "{{ docker_tls_path }}"
     state: directory
     mode: "0644"
@@ -87,7 +93,7 @@
   when: docker_tls_enabled | bool
 
 - name: Copy shellpki utility to Docker TLS directory
-  template:
+  ansible.builtin.template:
     src: "{{ item }}.j2"
     dest: "{{ docker_tls_path }}/{{ item }}"
     mode: "0744"
@@ -97,12 +103,13 @@
   when: docker_tls_enabled | bool
 
 - name: Check if certs are already created
-  stat:
+  ansible.builtin.stat:
     path: "{{ docker_tls_path }}/certs"
   register: tls_certs_stat
 
 - name: Creating a CA, server key
-  command: "{{ docker_tls_path }}/shellpki.sh init"
+  ansible.builtin.command:
+    cmd: "{{ docker_tls_path }}/shellpki.sh init"
   when:
     - docker_tls_enabled | bool
     - not tls_certs_stat.stat.isdir

elasticsearch/tasks/apt_sources.yml

@@ -0,0 +1,36 @@
+---
+- name: APT https transport is enabled (Debian <10)
+  ansible.builtin.apt:
+    name: apt-transport-https
+    state: present
+  when: ansible_distribution_major_version is version('10', '<')
+
+- name: Elastic GPG key is installed
+  ansible.builtin.copy:
+    src: elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Elastic repository (Debian <12)
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    filename: elastic
+    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
+
+- name: Add Elastic repository (Debian >=12)
+  ansible.builtin.template:
+    src: elastic.sources.j2
+    dest: /etc/apt/sources.list.d/elastic.sources
+    state: present
+  register: elastic_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  ansible.builtin.apt:
+    update_cache: yes
+  when: elastic_sources is changed

elasticsearch/tasks/packages.yml

@@ -1,73 +1,23 @@
 ---
-
-- name: APT https transport is enabled
-  apt:
-    name: apt-transport-https
-    state: present
-  tags:
-    - elasticsearch
-    - packages
-
-- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - elasticsearch
-    - packages
-
-- name: Elastic embedded GPG key is absent
-  apt_key:
-    id: "D88E42B4"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - elasticsearch
-    - packages
-
-- name: Elastic GPG key is installed
-  copy:
-    src: elastic.asc
-    dest: "{{ apt_keyring_dir }}/elastic.asc"
-    force: yes
-    mode: "0644"
-    owner: root
-    group: root
-  tags:
-    - elasticsearch
-    - packages
-
-- name: Elastic sources list is available
-  apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: present
-    update_cache: yes
-  tags:
-    - elasticsearch
-    - packages
-
-- name: Unsigned Elastic sources list is not available
-  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: absent
-    update_cache: yes
-  tags:
-    - elasticsearch
-    - packages
+- name: APT sources
+  ansible.builtin.import_tasks: apt_sources.yml
+  args:
+    apply:
+      tags:
+        - elasticsearch
+        - packages
 
 - name: Elasticsearch is installed
-  apt:
+  ansible.builtin.apt:
     name: elasticsearch
     state: present
+    update_cache: yes
   tags:
     - elasticsearch
     - packages
 
 - name: Elasticsearch service is enabled
-  service:
+  ansible.builtin.systemd:
     name: elasticsearch
     enabled: yes
   tags:

elasticsearch/templates/elastic.sources.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/elastic.asc
+Enabled: yes

evolinux-base/tasks/hardware.dell.yml

@@ -55,6 +55,7 @@
       ansible.builtin.apt_repository:
         repo: 'deb [signed-by={{ apt_keyring_dir }}/hwraid.le-vert.net.asc] http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main'
         state: present
+        update_cache: yes
       tags:
         - packages
       when:
@@ -66,8 +67,13 @@
         dest: /etc/apt/sources.list.d/hwraid.le-vert.net.sources
       tags:
         - packages
-      when:
-        - ansible_distribution_major_version is version('12', '>=')
+      register: hwraid_sources
+      when: ansible_distribution_major_version is version('12', '>=')
+
+    - name: Update APT cache
+      apt:
+        update_cache: yes
+      when: hwraid_sources is changed
 
     - name: Install packages for DELL/LSI hardware
       ansible.builtin.apt:

filebeat/tasks/apt_sources.yml

@@ -0,0 +1,36 @@
+---
+- name: APT https transport is enabled (Debian <10)
+  ansible.builtin.apt:
+    name: apt-transport-https
+    state: present
+  when: ansible_distribution_major_version is version('10', '<')
+
+- name: Elastic GPG key is installed
+  ansible.builtin.copy:
+    src: elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Elastic repository (Debian <12)
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    filename: elastic
+    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
+
+- name: Add Elastic repository (Debian >=12)
+  ansible.builtin.template:
+    src: elastic.sources.j2
+    dest: /etc/apt/sources.list.d/elastic.sources
+    state: present
+  register: elastic_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  apt:
+    update_cache: yes
+  when: elastic_sources is changed

filebeat/tasks/main.yml

@@ -1,62 +1,11 @@
 ---
-
-- name: APT https transport is enabled
-  apt:
-    name: apt-transport-https
-    state: present
-  tags:
-    - filebeat
-    - packages
-
-- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - filebeat
-    - packages
-
-- name: Elastic embedded GPG key is absent
-  apt_key:
-    id: "D88E42B4"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - filebeat
-    - packages
-
-- name: Elastic GPG key is installed
-  copy:
-    src: elastic.asc
-    dest: "{{ apt_keyring_dir }}/elastic.asc"
-    force: yes
-    mode: "0644"
-    owner: root
-    group: root
-  tags:
-    - filebeat
-    - packages
-
-- name: Elastic sources list is available
-  apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: present
-    update_cache: yes
-  tags:
-    - filebeat
-    - packages
-
-- name: Unsigned Elastic sources list is not available
-  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: absent
-    update_cache: yes
-  tags:
-    - filebeat
-    - packages
+- name: APT sources
+  import_tasks: apt_sources.yml
+  args:
+    apply:
+      tags:
+        - filebeat
+        - packages
 
 - name: Filebeat is installed
   apt:

filebeat/templates/elastic.sources.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/elastic.asc
+Enabled: yes

fluentd/tasks/main.yml

@@ -1,27 +1,9 @@
 ---
 
-- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - packages
-    - fluentd
-
-- name: Fluentd embedded GPG key is absent
-  apt_key:
-    id: "AB97ACBE"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - packages
-    - fluentd
-
 - name: Add Fluentd GPG key
   copy:
-    src: fluentd.asc
-    dest: "{{ apt_keyring_dir }}/fluentd.asc"
+    src: treasuredata.asc
+    dest: "{{ apt_keyring_dir }}/treasuredata.asc"
     force: yes
     mode: "0644"
     owner: root
@@ -30,30 +12,31 @@
     - packages
     - fluentd
 
-- name: Fluentd sources list is available
+- name: Add Treasuredata repository (Debian <12)
   apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/fluentd.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib"
-    filename: treasuredata
-    update_cache: yes
+    repo: "deb [signed-by={{ apt_keyring_dir }}/treasuredata.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib"
+    filename: treasuredata.list
     state: present
   tags:
     - packages
     - fluentd
+  when: ansible_distribution_major_version is version('12', '<')
 
-- name: Unsigned Fluentd sources list is not available
-  apt_repository:
-    repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib"
-    filename: treasuredata
-    update_cache: yes
-    state: absent
+- name: Add Treasuredata repository (Debian >=12)
+  ansible.builtin.template:
+    src: treasuredata.sources.j2
+    dest: /etc/apt/sources.list.d/treasuredata.sources
+    state: present
   tags:
     - packages
     - fluentd
+  when: ansible_distribution_major_version is version('12', '>=')
 
 - name: Fluentd is installed.
   apt:
     name: td-agent
     state: present
+    update_cache: yes
   tags:
     - fluentd
     - packages

fluentd/templates/treasuredata.sources.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/
+Suites: {{ ansible_distribution_release }}
+Components: contrib
+Signed-by: {{ apt_keyring_dir }}/treasuredata.asc
+Enabled: yes

jenkins/tasks/main.yml

@@ -5,18 +5,6 @@
 # http://mirrors.jenkins.io/.*
 # http://jenkins.mirror.isppower.de/.*
 
-- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-
-- name: Jenkins embedded GPG key is absent
-  apt_key:
-    id: "D50582E6"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-
 - name: Add Jenkins GPG key
   copy:
     src: jenkins.asc
@@ -26,22 +14,30 @@
     owner: root
     group: root
 
-- name: Add jenkins APT repository
+- name: Add Jenkins APT repository (Debian <12)
   apt_repository:
     repo: deb [signed-by={{ apt_keyring_dir }}/jenkins.asc] http://pkg.jenkins-ci.org/debian-stable binary/
     filename: jenkins
     update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
 
-- name: Remove unsigned jenkins APT repository
-  apt_repository:
-    repo: deb http://pkg.jenkins-ci.org/debian-stable binary/
-    filename: jenkins
+- name: Add Jenkins repository (Debian >=12)
+  ansible.builtin.template:
+    src: jenkins.sources.j2
+    dest: /etc/apt/sources.list.d/jenkins.sources
+    state: present
+  register: jenkins_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  apt:
     update_cache: yes
-    state: absent
+  when: jenkins_sources is changed
 
 - name: Install Jenkins
   apt:
     name: jenkins
+    state: present
 
 - name: Change Jenkins port
   replace:

jenkins/templates/jenkins.sources.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: http://pkg.jenkins-ci.org/debian-stable
+Suites: binary/
+Signed-by: {{ apt_keyring_dir }}/jenkins.asc
+Enabled: yes

kibana/tasks/apt_sources.yml

@@ -0,0 +1,36 @@
+---
+- name: APT https transport is enabled (Debian <10)
+  ansible.builtin.apt:
+    name: apt-transport-https
+    state: present
+  when: ansible_distribution_major_version is version('10', '<')
+
+- name: Elastic GPG key is installed
+  ansible.builtin.copy:
+    src: elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Elastic repository (Debian <12)
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    filename: elastic
+    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
+
+- name: Add Elastic repository (Debian >=12)
+  ansible.builtin.template:
+    src: elastic.sources.j2
+    dest: /etc/apt/sources.list.d/elastic.sources
+    state: present
+  register: elastic_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  apt:
+    update_cache: yes
+  when: elastic_sources is changed

kibana/tasks/main.yml

@@ -1,67 +1,17 @@
 ---
-
-- name: APT https transport is enabled
-  apt:
-    name: apt-transport-https
-    state: present
-  tags:
-    - kibana
-    - packages
-
-- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - kibana
-    - packages
-
-- name: Elastic embedded GPG key is absent
-  apt_key:
-    id: "D88E42B4"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - kibana
-    - packages
-
-- name: Elastic GPG key is installed
-  copy:
-    src: elastic.asc
-    dest: "{{ apt_keyring_dir }}/elastic.asc"
-    force: yes
-    mode: "0644"
-    owner: root
-    group: root
-  tags:
-    - kibana
-    - packages
-
-- name: Elastic sources list is available
-  apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: present
-    update_cache: yes
-  tags:
-    - kibana
-    - packages
-
-- name: Unsigned Elastic sources list is not available
-  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: absent
-    update_cache: yes
-  tags:
-    - kibana
-    - packages
+- name: APT sources
+  import_tasks: apt_sources.yml
+  args:
+    apply:
+      tags:
+        - kibana
+        - packages
 
 - name: Kibana is installed
   apt:
     name: kibana
     state: present
+    update_cache: yes
   tags:
     - kibana
     - packages

kibana/templates/elastic.sources.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/elastic.asc
+Enabled: yes

logstash/tasks/apt_sources.yml

@@ -0,0 +1,36 @@
+---
+- name: APT https transport is enabled (Debian <10)
+  ansible.builtin.apt:
+    name: apt-transport-https
+    state: present
+  when: ansible_distribution_major_version is version('10', '<')
+
+- name: Elastic GPG key is installed
+  ansible.builtin.copy:
+    src: elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Elastic repository (Debian <12)
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    filename: elastic
+    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
+
+- name: Add Elastic repository (Debian >=12)
+  ansible.builtin.template:
+    src: elastic.sources.j2
+    dest: /etc/apt/sources.list.d/elastic.sources
+    state: present
+  register: elastic_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  apt:
+    update_cache: yes
+  when: elastic_sources is changed

logstash/tasks/main.yml

@@ -1,62 +1,11 @@
 ---
-
-- name: APT https transport is enabled
-  apt:
-    name: apt-transport-https
-    state: present
-  tags:
-    - logstash
-    - packages
-
-- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - logstash
-    - packages
-
-- name: Elastic embedded GPG key is absent
-  apt_key:
-    id: "D88E42B4"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - logstash
-    - packages
-
-- name: Elastic GPG key is installed
-  copy:
-    src: elastic.asc
-    dest: "{{ apt_keyring_dir }}/elastic.asc"
-    force: yes
-    mode: "0644"
-    owner: root
-    group: root
-  tags:
-    - logstash
-    - packages
-
-- name: Elastic sources list is available
-  apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: present
-    update_cache: yes
-  tags:
-    - logstash
-    - packages
-
-- name: Unsigned Elastic sources list is not available
-  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: absent
-    update_cache: yes
-  tags:
-    - logstash
-    - packages
+- name: APT sources
+  import_tasks: apt_sources.yml
+  args:
+    apply:
+      tags:
+        - logstash
+        - packages
 
 - name: Logstash is installed
   apt:

logstash/templates/elastic.sources.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/elastic.asc
+Enabled: yes

metricbeat/tasks/apt_sources.yml

@@ -0,0 +1,36 @@
+---
+- name: APT https transport is enabled (Debian <10)
+  ansible.builtin.apt:
+    name: apt-transport-https
+    state: present
+  when: ansible_distribution_major_version is version('10', '<')
+
+- name: Elastic GPG key is installed
+  ansible.builtin.copy:
+    src: elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Elastic repository (Debian <12)
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    filename: elastic
+    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
+
+- name: Add Elastic repository (Debian >=12)
+  ansible.builtin.template:
+    src: elastic.sources.j2
+    dest: /etc/apt/sources.list.d/elastic.sources
+    state: present
+  register: elastic_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  apt:
+    update_cache: yes
+  when: elastic_sources is changed

metricbeat/tasks/main.yml

@@ -1,62 +1,11 @@
 ---
-
-- name: APT https transport is enabled
-  apt:
-    name: apt-transport-https
-    state: present
-  tags:
-    - metricbeat
-    - packages
-
-- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - metricbeat
-    - packages
-
-- name: Elastic embedded GPG key is absent
-  apt_key:
-    id: "D88E42B4"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - metricbeat
-    - packages
-
-- name: Elastic GPG key is installed
-  copy:
-    src: elastic.asc
-    dest: "{{ apt_keyring_dir }}/elastic.asc"
-    force: yes
-    mode: "0644"
-    owner: root
-    group: root
-  tags:
-    - metricbeat
-    - packages
-
-- name: Elastic sources list is available
-  apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: present
-    update_cache: yes
-  tags:
-    - metricbeat
-    - packages
-
-- name: Elastic sources list is available
-  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: absent
-    update_cache: yes
-  tags:
-    - metricbeat
-    - packages
+- name: APT sources
+  import_tasks: apt_sources.yml
+  args:
+    apply:
+      tags:
+        - metricbeat
+        - packages
 
 - name: Metricbeat is installed
   apt:

metricbeat/templates/elastic.sources.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/elastic.asc
+Enabled: yes

mongodb/tasks/main.yml

@@ -1,13 +1,14 @@
 ---
 
-- include: main_jessie.yml
+- ansible.builtin.import_tasks: main_jessie.yml
   when: ansible_distribution_release == "jessie"
 
-- include: main_stretch.yml
+- ansible.builtin.import_tasks: main_stretch.yml
   when: ansible_distribution_release == "stretch"
 
-- include: main_buster.yml
+- ansible.builtin.import_tasks: main_buster.yml
   when: ansible_distribution_release == "buster"
 
-- include: main_bullseye.yml
-  when: ansible_distribution_major_version is version('11', '>=')
+- ansible.builtin.import_tasks: main_bullseye.yml
+  when: ansible_distribution_release == "bullseye"
+

mongodb/tasks/main_bullseye.yml

@@ -1,22 +1,10 @@
 ---
 
 - fail:
-    msg: Not compatible with Debian 11 (Bullseye)
+    msg: MongoDB versions <4.2 are not compatible with Debian 11 (Bullseye)
   when:
   - ansible_distribution_release == "bullseye"
-  - mongodb_version is version('5.0', '<')
-
-- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-
-- name: MongoDB embedded GPG key is absent
-  apt_key:
-    id: "B8612B5D"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
+  - mongodb_version is version('5.2', '<')
 
 - name: Add MongoDB GPG key
   copy:
@@ -27,19 +15,11 @@
     owner: root
     group: root
 
-- name: Enable APT sources list
+- name: Add MongoDB repository
   apt_repository:
     repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main"
     state: present
     filename: "mongodb-org-{{ mongodb_version }}"
-    update_cache: yes
-
-- name: Disable unsigned APT sources list
-  apt_repository:
-    repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main"
-    state: absent
-    filename: "mongodb-org-{{ mongodb_version }}"
-    update_cache: yes
 
 - name: Install packages
   apt:

newrelic/tasks/php.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Pre-seed package configuration with app name
-  debconf:
+  ansible.builtin.debconf:
     name: newrelic-php5
     question: "newrelic-php5/application-name"
     value: "{{ newrelic_appname }}"
@@ -9,7 +9,7 @@
   when: newrelic_appname | length > 0
 
 - name: Pre-seed package configuration with license
-  debconf:
+  ansible.builtin.debconf:
     name: newrelic-php5
     question: "newrelic-php5/license-key"
     value: "{{ newrelic_license }}"
@@ -17,26 +17,27 @@
   when: newrelic_license | length > 0
 
 - name: list newrelic config files
-  shell: "find /etc/php* -type f -name newrelic.ini"
+  ansible.builtin.shell:
+    cmd: "find /etc/php* -type f -name newrelic.ini"
   changed_when: False
   check_mode: no
   register: find_newrelic_ini
 
 - name: Disable AWS detection
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "{{ item }}"
     regexp: '^;?newrelic.daemon.utilization.detect_aws'
     line: 'newrelic.daemon.utilization.detect_aws = false'
   loop: "{{ find_newrelic_ini.stdout_lines }}"
 
 - name: Disable Docker detection
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "{{ item }}"
     regexp: '^;?newrelic.daemon.utilization.detect_docker'
     line: 'newrelic.daemon.utilization.detect_docker = false'
   loop: "{{ find_newrelic_ini.stdout_lines }}"
 
 - name: Install package for PHP
-  apt:
+  ansible.builtin.apt:
     name: newrelic-php5
     state: present

newrelic/tasks/sources.yml

@@ -1,19 +1,7 @@
 ---
 
-- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-
-- name: NewRelic embedded GPG key is absent
-  apt_key:
-    id: "548C16BF"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-
 - name: Add NewRelic GPG key
-  copy:
+  ansible.builtin.copy:
     src: newrelic.asc
     dest: "{{ apt_keyring_dir }}/newrelic.asc"
     force: yes
@@ -21,16 +9,23 @@
     owner: root
     group: root
 
-- name: Install NewRelic repository
-  apt_repository:
+- name: Install NewRelic repository (Debian <12)
+  ansible.builtin.apt_repository:
     repo: "deb [signed-by={{ apt_keyring_dir }}/newrelic.asc] http://apt.newrelic.com/debian/ newrelic non-free"
     state: present
     filename: newrelic
     update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
 
-- name: Desinstall unsigned NewRelic repository
-  apt_repository:
-    repo: "deb http://apt.newrelic.com/debian/ newrelic non-free"
-    state: absent
-    filename: newrelic
+- name: Add NewRelic repository (Debian >=12)
+  ansible.builtin.template:
+    src: newrelic.sources.j2
+    dest: /etc/apt/sources.list.d/newrelic.sources
+    state: present
+  register: newrelic_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  ansible.builtin.apt:
     update_cache: yes
+  when: newrelic_sources is changed

newrelic/tasks/sysmond.yml

@@ -1,11 +1,11 @@
 ---
 
 - name: Install system monitor daemon
-  apt:
+  ansible.builtin.apt:
     name: newrelic-sysmond
 
 - name: Set license key for newrelic-sysmond
-  replace:
+  ansible.builtin.replace:
     dest: /etc/newrelic/nrsysmond.cfg
     regexp: "license_key=REPLACE_WITH_REAL_KEY"
     replace: "license_key={{ newrelic_license }}"

newrelic/templates/newrelic.sources.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: http://apt.newrelic.com/debian/
+Suites: newrelic
+Components: non-free
+Signed-by: {{ apt_keyring_dir }}/newrelic.asc
+Enabled: yes

nodejs/tasks/main.yml

@@ -1,36 +1,17 @@
 ---
 
-- name: APT https transport is enabled
-  apt:
+- name: APT https transport is enabled (Debian <10)
+  ansible.builtin.apt:
     name: apt-transport-https
     state: present
   tags:
     - system
     - packages
     - nodejs
-
-- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - system
-    - packages
-    - nodejs
-
-- name: NodeJS embedded GPG key is absent
-  apt_key:
-    id: "68576280"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - system
-    - packages
-    - nodejs
+  when: ansible_distribution_major_version is version('10', '<')
 
 - name: NodeJS GPG key is installed
-  copy:
+  ansible.builtin.copy:
     src: nodesource.asc
     dest: "{{ apt_keyring_dir }}/nodesource.asc"
     mode: "0644"
@@ -41,8 +22,8 @@
     - packages
     - nodejs
 
-- name: NodeJS sources list ({{ nodejs_apt_version }}) is available
-  apt_repository:
+- name: Add NodeJS repository (Debian <12)
+  ansible.builtin.apt_repository:
     repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main"
     filename: nodesource
     update_cache: yes
@@ -51,26 +32,32 @@
     - system
     - packages
     - nodejs
+  when: ansible_distribution_major_version is version('12', '<')
 
-- name: Unsigned NodeJS sources list ({{ nodejs_apt_version }}) is not available
-  apt_repository:
-    repo: "deb https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main"
-    filename: nodesource
-    update_cache: yes
-    state: absent
+- name: Add NodeJS repository (Debian >=12)
+  ansible.builtin.template:
+    src: nodesource.sources.j2
+    dest: /etc/apt/sources.list.d/nodesource.sources
+    state: present
+  register: nodesource_sources
   tags:
     - system
     - packages
     - nodejs
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  ansible.builtin.apt:
+    update_cache: yes
+  when: nodesource_sources is changed
 
 - name: NodeJS is installed
-  apt:
+  ansible.builtin.apt:
     name: nodejs
     state: present
-    update_cache: yes
   tags:
     - packages
     - nodejs
 
-- include: yarn.yml
+- ansible.builtin.import_tasks: yarn.yml
   when: nodejs_install_yarn | bool

nodejs/tasks/yarn.yml

@@ -1,29 +1,7 @@
 ---
 
-- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - system
-    - packages
-    - nodejs
-    - yarn
-
-- name: Yarn embedded GPG key is absent
-  apt_key:
-    id: "86E50310"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - system
-    - packages
-    - nodejs
-    - yarn
-
 - name: Yarn GPG key is installed
-  copy:
+  ansible.builtin.copy:
     src: yarn.asc
     dest: "{{ apt_keyring_dir }}/yarn.asc"
     mode: "0644"
@@ -35,32 +13,39 @@
     - nodejs
     - yarn
 
-- name: Yarn sources list is available
-  apt_repository:
+- name: Add Yarn repository (Debian <12)
+  ansible.builtin.apt_repository:
     repo: "deb [signed-by={{ apt_keyring_dir }}/yarn.asc] https://dl.yarnpkg.com/debian/ stable main"
     filename: yarn
-    update_cache: yes
     state: present
   tags:
     - system
     - packages
     - nodejs
     - yarn
+  when: ansible_distribution_major_version is version('12', '<')
 
-- name: Unsigned Yarn sources list is not available
-  apt_repository:
-    repo: "deb https://dl.yarnpkg.com/debian/ stable main"
-    filename: yarn
+- name: Add Yarn repository (Debian >=12)
+  ansible.builtin.template:
+    src: yarn.sources.j2
+    dest: /etc/apt/sources.list.d/yarn.sources
+    state: present
     update_cache: yes
-    state: absent
+  register: yarn_sources
   tags:
     - system
     - packages
     - nodejs
     - yarn
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  ansible.builtin.apt:
+    update_cache: yes
+  when: yarn_sources is changed
 
 - name: Yarn is installed
-  apt:
+  ansible.builtin.apt:
     name: yarn
     state: present
   tags:

nodejs/templates/nodesource.sources.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://deb.nodesource.com/{{ nodejs_apt_version }}
+Suites: {{ ansible_distribution_release }}
+Components: main
+Signed-by: {{ apt_keyring_dir }}/nodesource.asc
+Enabled: yes

nodejs/templates/yarn.sources.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://dl.yarnpkg.com/debian/
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/yarn.asc
+Enabled: yes

php/tasks/sury_pre.yml

@@ -1,12 +1,10 @@
 ---
 
-- name: Setup deb.sury.org repository - Add GPG key
-  copy:
-    src: sury.gpg
-    dest: "{{ apt_keyring_dir }}/sury.gpg"
-    mode: "0644"
-    owner: root
-    group: root
+- name: Setup deb.sury.org repository - Install apt-transport-https
+  apt:
+    name: apt-transport-https
+    state: present
+  when: ansible_distribution_major_version is version('10', '<')
 
 - name: copy pub.evolix.org GPG key
   copy:
@@ -16,18 +14,6 @@
     owner: root
     group: root
 
-- name: Setup deb.sury.org repository - Install apt-transport-https
-  apt:
-    state: present
-    name: apt-transport-https
-
-- name: Setup deb.sury.org repository - Add preferences file
-  copy:
-    src: sury.preferences
-    dest: /etc/apt/preferences.d/z-sury
-  when:
-    - ansible_distribution_release != "bullseye"
-
 - name: Setup pub.evolix.org repository - Add source list
   apt_repository:
     repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-php81 main"
@@ -36,17 +22,41 @@
   when:
     - ansible_distribution_release == "bullseye"
 
-- name: Setup deb.sury.org repository - Add source list
+- name: Setup deb.sury.org repository - Add preferences file
+  copy:
+    src: sury.preferences
+    dest: /etc/apt/preferences.d/z-sury
+  when:
+    - ansible_distribution_release != "bullseye"
+
+- name: Setup deb.sury.org repository - Add GPG key
+  copy:
+    src: sury.gpg
+    dest: "{{ apt_keyring_dir }}/sury.gpg"
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Sury repository (Debian <12)
   apt_repository:
     repo: "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
     filename: sury
     state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
 
-- name: Setup deb.sury.org repository - Remove unsigned source list
-  apt_repository:
-    repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
-    filename: sury
-    state: absent
+- name: Add Sury repository (Debian >=12)
+  ansible.builtin.template:
+    src: sury.sources.j2
+    dest: /etc/apt/sources.list.d/sury.sources
+    state: present
+  register: sury_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  apt:
+    update_cache: yes
+  when: sury_sources is changed
 
 - name: "Override package list for Sury (Debian 9 or later)"
   set_fact:

php/templates/sury.sources.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://packages.sury.org/php/
+Suites: {{ ansible_distribution_release }}
+Components: main
+Signed-by: {{ apt_keyring_dir }}/sury.gpg
+Enabled: yes

postgresql/tasks/main.yml

@@ -1,25 +1,28 @@
 ---
-- include: locales.yml
+- ansible.builtin.import_tasks: locales.yml
 
-- include: packages_jessie.yml
+- ansible.builtin.import_tasks: packages_jessie.yml
   when: ansible_distribution_release == "jessie"
 
-- include: packages_stretch.yml
+- ansible.builtin.import_tasks: packages_stretch.yml
   when: ansible_distribution_release == "stretch"
 
-- include: packages_buster.yml
+- ansible.builtin.import_tasks: packages_buster.yml
   when: ansible_distribution_release == "buster"
 
-- include: packages_bullseye.yml
-  when: ansible_distribution_major_version is version('11', '>=')
+- ansible.builtin.import_tasks: packages_bullseye.yml
+  when: ansible_distribution_release == "bullseye"
 
-- include: config.yml
+- ansible.builtin.import_tasks: packages_bookworm.yml
+  when: ansible_distribution_release == "bookworm"
 
-- include: nrpe.yml
+- ansible.builtin.import_tasks: config.yml
 
-- include: munin.yml
+- ansible.builtin.import_tasks: nrpe.yml
 
-- include: logrotate.yml
+- ansible.builtin.import_tasks: munin.yml
 
-- include: postgis.yml
+- ansible.builtin.import_tasks: logrotate.yml
+
+- ansible.builtin.import_tasks: postgis.yml
   when: postgresql_install_postgis | bool

postgresql/tasks/packages_bookworm.yml

@@ -1,15 +1,15 @@
 ---