Install deb822 sources on Debian >=12

2023-03-19 11:44:53 +01:00 · 2023-03-19 11:44:53 +01:00 · 45e8132d07
parent f1644ed138
commit 45e8132d07
43 changed files with 518 additions and 541 deletions
--- a/docker-host/tasks/main.yml
+++ b/docker-host/tasks/main.yml
@ -1,7 +1,7 @@
 # This role installs the docker daemon
 ---
 - name: Remove older docker packages
-  apt:
+  ansible.builtin.apt:
    name:
      - docker
      - docker-engine
@ -9,21 +9,21 @@
    state: absent

 - name: Install source requirements
-  apt:
+  ansible.builtin.apt:
    name:
      - ca-certificates
      - gnupg2
    state: present

 - name: Install apt-transport-https (Debian <10)
-  apt:
+  ansible.builtin.apt:
    name:
      - apt-transport-https
    state: present
  when: ansible_distribution_major_version is version('10', '<')

 - name: Add Docker's official GPG key
-  copy:
+  ansible.builtin.copy:
    src: docker-debian.asc
    dest: "{{ apt_keyring_dir }}/docker-debian.asc"
    force: yes
@ -32,10 +32,11 @@
    group: root

 - name: Add Docker repository (Debian <12)
-  apt_repository:
+  ansible.builtin.apt_repository:
    repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
-    filename: docker.list
+    filename: docker
    state: present
+    update_cache: yes
  when: ansible_distribution_major_version is version('12', '<')

 - name: Add Docker repository (Debian >=12)
@ -43,43 +44,48 @@
    src: docker.sources.j2
    dest: /etc/apt/sources.list.d/docker.sources
    state: present
+  register: docker_sources
  when: ansible_distribution_major_version is version('12', '>=')

+- name: Update APT cache
+  ansible.builtin.apt:
+    update_cache: yes
+  when: docker_sources is changed
+
 - name: Install Docker
-  apt:
+  ansible.builtin.apt:
    name:
      - docker-ce
      - docker-ce-cli
      - containerd.io
-    update_cache: yes

 - name: python-docker is installed
-  apt:
+  ansible.builtin.apt:
    name: python-docker
    state: present
  when: ansible_python_version is version('3', '<')

 - name: python3-docker is installed
-  apt:
+  ansible.builtin.apt:
    name: python3-docker
    state: present
  when: ansible_python_version is version('3', '>=')

 - name: Copy Docker daemon configuration file
-  template:
+  ansible.builtin.template:
    src: daemon.json.j2
    dest: /etc/docker/daemon.json
  notify: restart docker

 - name: Creating Docker tmp directory
-  file:
+  ansible.builtin.file:
    path: "{{ docker_tmpdir }}"
    state: directory
    mode: "0644"
    owner: root

 - name: Creating Docker TLS directory
-  file:
+  ansible.builtin.file:
    path: "{{ docker_tls_path }}"
    state: directory
    mode: "0644"
@ -87,7 +93,7 @@
  when: docker_tls_enabled | bool

 - name: Copy shellpki utility to Docker TLS directory
-  template:
+  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "{{ docker_tls_path }}/{{ item }}"
    mode: "0744"
@ -97,12 +103,13 @@
  when: docker_tls_enabled | bool

 - name: Check if certs are already created
-  stat:
+  ansible.builtin.stat:
    path: "{{ docker_tls_path }}/certs"
  register: tls_certs_stat

 - name: Creating a CA, server key
-  command: "{{ docker_tls_path }}/shellpki.sh init"
+  ansible.builtin.command:
+    cmd: "{{ docker_tls_path }}/shellpki.sh init"
  when:
    - docker_tls_enabled | bool
    - not tls_certs_stat.stat.isdir
--- a/elasticsearch/tasks/apt_sources.yml
+++ b/elasticsearch/tasks/apt_sources.yml
@ -0,0 +1,36 @@
+---
+- name: APT https transport is enabled (Debian <10)
+  ansible.builtin.apt:
+    name: apt-transport-https
+    state: present
+  when: ansible_distribution_major_version is version('10', '<')
+
+- name: Elastic GPG key is installed
+  ansible.builtin.copy:
+    src: elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Elastic repository (Debian <12)
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    filename: elastic
+    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
+
+- name: Add Elastic repository (Debian >=12)
+  ansible.builtin.template:
+    src: elastic.sources.j2
+    dest: /etc/apt/sources.list.d/elastic.sources
+    state: present
+  register: elastic_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  ansible.builtin.apt:
+    update_cache: yes
+  when: elastic_sources is changed
--- a/elasticsearch/tasks/packages.yml
+++ b/elasticsearch/tasks/packages.yml
@ -1,73 +1,23 @@
 ---
-
- name: APT https transport is enabled
-  apt:
-    name: apt-transport-https
-    state: present
-  tags:
-    - elasticsearch
-    - packages
-
- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - elasticsearch
-    - packages
-
- name: Elastic embedded GPG key is absent
-  apt_key:
-    id: "D88E42B4"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - elasticsearch
-    - packages
-
- name: Elastic GPG key is installed
-  copy:
-    src: elastic.asc
-    dest: "{{ apt_keyring_dir }}/elastic.asc"
-    force: yes
-    mode: "0644"
-    owner: root
-    group: root
-  tags:
-    - elasticsearch
-    - packages
-
- name: Elastic sources list is available
-  apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: present
-    update_cache: yes
-  tags:
-    - elasticsearch
-    - packages
-
- name: Unsigned Elastic sources list is not available
-  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: absent
-    update_cache: yes
-  tags:
-    - elasticsearch
-    - packages
+- name: APT sources
+  ansible.builtin.import_tasks: apt_sources.yml
+  args:
+    apply:
+      tags:
+        - elasticsearch
+        - packages

 - name: Elasticsearch is installed
-  apt:
+  ansible.builtin.apt:
    name: elasticsearch
    state: present
+    update_cache: yes
  tags:
    - elasticsearch
    - packages

 - name: Elasticsearch service is enabled
-  service:
+  ansible.builtin.systemd:
    name: elasticsearch
    enabled: yes
  tags:
--- a/elasticsearch/templates/elastic.sources.j2
+++ b/elasticsearch/templates/elastic.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/elastic.asc
+Enabled: yes
--- a/evolinux-base/tasks/hardware.dell.yml
+++ b/evolinux-base/tasks/hardware.dell.yml
@ -55,6 +55,7 @@
      ansible.builtin.apt_repository:
        repo: 'deb [signed-by={{ apt_keyring_dir }}/hwraid.le-vert.net.asc] http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main'
        state: present
+        update_cache: yes
      tags:
        - packages
      when:
@ -66,8 +67,13 @@
        dest: /etc/apt/sources.list.d/hwraid.le-vert.net.sources
      tags:
        - packages
-      when:
-        - ansible_distribution_major_version is version('12', '>=')
+      register: hwraid_sources
+      when: ansible_distribution_major_version is version('12', '>=')
+
+    - name: Update APT cache
+      apt:
+        update_cache: yes
+      when: hwraid_sources is changed

    - name: Install packages for DELL/LSI hardware
      ansible.builtin.apt:
--- a/filebeat/tasks/apt_sources.yml
+++ b/filebeat/tasks/apt_sources.yml
@ -0,0 +1,36 @@
+---
+- name: APT https transport is enabled (Debian <10)
+  ansible.builtin.apt:
+    name: apt-transport-https
+    state: present
+  when: ansible_distribution_major_version is version('10', '<')
+
+- name: Elastic GPG key is installed
+  ansible.builtin.copy:
+    src: elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Elastic repository (Debian <12)
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    filename: elastic
+    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
+
+- name: Add Elastic repository (Debian >=12)
+  ansible.builtin.template:
+    src: elastic.sources.j2
+    dest: /etc/apt/sources.list.d/elastic.sources
+    state: present
+  register: elastic_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  apt:
+    update_cache: yes
+  when: elastic_sources is changed
--- a/filebeat/tasks/main.yml
+++ b/filebeat/tasks/main.yml
@ -1,62 +1,11 @@
 ---
-
- name: APT https transport is enabled
-  apt:
-    name: apt-transport-https
-    state: present
-  tags:
-    - filebeat
-    - packages
-
- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - filebeat
-    - packages
-
- name: Elastic embedded GPG key is absent
-  apt_key:
-    id: "D88E42B4"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - filebeat
-    - packages
-
- name: Elastic GPG key is installed
-  copy:
-    src: elastic.asc
-    dest: "{{ apt_keyring_dir }}/elastic.asc"
-    force: yes
-    mode: "0644"
-    owner: root
-    group: root
-  tags:
-    - filebeat
-    - packages
-
- name: Elastic sources list is available
-  apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: present
-    update_cache: yes
-  tags:
-    - filebeat
-    - packages
-
- name: Unsigned Elastic sources list is not available
-  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: absent
-    update_cache: yes
-  tags:
-    - filebeat
-    - packages
+- name: APT sources
+  import_tasks: apt_sources.yml
+  args:
+    apply:
+      tags:
+        - filebeat
+        - packages

 - name: Filebeat is installed
  apt:
--- a/filebeat/templates/elastic.sources.j2
+++ b/filebeat/templates/elastic.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/elastic.asc
+Enabled: yes
--- a/fluentd/files/treasuredata.asc
+++ b/fluentd/files/treasuredata.asc
--- a/fluentd/tasks/main.yml
+++ b/fluentd/tasks/main.yml
@ -1,27 +1,9 @@
 ---

- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - packages
-    - fluentd
-
- name: Fluentd embedded GPG key is absent
-  apt_key:
-    id: "AB97ACBE"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - packages
-    - fluentd
-
 - name: Add Fluentd GPG key
  copy:
-    src: fluentd.asc
-    dest: "{{ apt_keyring_dir }}/fluentd.asc"
+    src: treasuredata.asc
+    dest: "{{ apt_keyring_dir }}/treasuredata.asc"
    force: yes
    mode: "0644"
    owner: root
@ -30,30 +12,31 @@
    - packages
    - fluentd

- name: Fluentd sources list is available
+- name: Add Treasuredata repository (Debian <12)
  apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/fluentd.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib"
-    filename: treasuredata
-    update_cache: yes
+    repo: "deb [signed-by={{ apt_keyring_dir }}/treasuredata.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib"
+    filename: treasuredata.list
    state: present
  tags:
    - packages
    - fluentd
+  when: ansible_distribution_major_version is version('12', '<')

- name: Unsigned Fluentd sources list is not available
-  apt_repository:
-    repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib"
-    filename: treasuredata
-    update_cache: yes
-    state: absent
+- name: Add Treasuredata repository (Debian >=12)
+  ansible.builtin.template:
+    src: treasuredata.sources.j2
+    dest: /etc/apt/sources.list.d/treasuredata.sources
+    state: present
  tags:
    - packages
    - fluentd
+  when: ansible_distribution_major_version is version('12', '>=')

 - name: Fluentd is installed.
  apt:
    name: td-agent
    state: present
+    update_cache: yes
  tags:
    - fluentd
    - packages
--- a/fluentd/templates/treasuredata.sources.j2
+++ b/fluentd/templates/treasuredata.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/
+Suites: {{ ansible_distribution_release }}
+Components: contrib
+Signed-by: {{ apt_keyring_dir }}/treasuredata.asc
+Enabled: yes
--- a/jenkins/tasks/main.yml
+++ b/jenkins/tasks/main.yml
@ -5,18 +5,6 @@
 # http://mirrors.jenkins.io/.*
 # http://jenkins.mirror.isppower.de/.*

- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-
- name: Jenkins embedded GPG key is absent
-  apt_key:
-    id: "D50582E6"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-
 - name: Add Jenkins GPG key
  copy:
    src: jenkins.asc
@ -26,22 +14,30 @@
    owner: root
    group: root

- name: Add jenkins APT repository
+- name: Add Jenkins APT repository (Debian <12)
  apt_repository:
    repo: deb [signed-by={{ apt_keyring_dir }}/jenkins.asc] http://pkg.jenkins-ci.org/debian-stable binary/
    filename: jenkins
    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')

- name: Remove unsigned jenkins APT repository
-  apt_repository:
-    repo: deb http://pkg.jenkins-ci.org/debian-stable binary/
-    filename: jenkins
+- name: Add Jenkins repository (Debian >=12)
+  ansible.builtin.template:
+    src: jenkins.sources.j2
+    dest: /etc/apt/sources.list.d/jenkins.sources
+    state: present
+  register: jenkins_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  apt:
    update_cache: yes
-    state: absent
+  when: jenkins_sources is changed

 - name: Install Jenkins
  apt:
    name: jenkins
+    state: present

 - name: Change Jenkins port
  replace:
--- a/jenkins/templates/jenkins.sources.j2
+++ b/jenkins/templates/jenkins.sources.j2
@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: http://pkg.jenkins-ci.org/debian-stable
+Suites: binary/
+Signed-by: {{ apt_keyring_dir }}/jenkins.asc
+Enabled: yes
--- a/kibana/tasks/apt_sources.yml
+++ b/kibana/tasks/apt_sources.yml
@ -0,0 +1,36 @@
+---
+- name: APT https transport is enabled (Debian <10)
+  ansible.builtin.apt:
+    name: apt-transport-https
+    state: present
+  when: ansible_distribution_major_version is version('10', '<')
+
+- name: Elastic GPG key is installed
+  ansible.builtin.copy:
+    src: elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Elastic repository (Debian <12)
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    filename: elastic
+    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
+
+- name: Add Elastic repository (Debian >=12)
+  ansible.builtin.template:
+    src: elastic.sources.j2
+    dest: /etc/apt/sources.list.d/elastic.sources
+    state: present
+  register: elastic_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  apt:
+    update_cache: yes
+  when: elastic_sources is changed
--- a/kibana/tasks/main.yml
+++ b/kibana/tasks/main.yml
@ -1,67 +1,17 @@
 ---
-
- name: APT https transport is enabled
-  apt:
-    name: apt-transport-https
-    state: present
-  tags:
-    - kibana
-    - packages
-
- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - kibana
-    - packages
-
- name: Elastic embedded GPG key is absent
-  apt_key:
-    id: "D88E42B4"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - kibana
-    - packages
-
- name: Elastic GPG key is installed
-  copy:
-    src: elastic.asc
-    dest: "{{ apt_keyring_dir }}/elastic.asc"
-    force: yes
-    mode: "0644"
-    owner: root
-    group: root
-  tags:
-    - kibana
-    - packages
-
- name: Elastic sources list is available
-  apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: present
-    update_cache: yes
-  tags:
-    - kibana
-    - packages
-
- name: Unsigned Elastic sources list is not available
-  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: absent
-    update_cache: yes
-  tags:
-    - kibana
-    - packages
+- name: APT sources
+  import_tasks: apt_sources.yml
+  args:
+    apply:
+      tags:
+        - kibana
+        - packages

 - name: Kibana is installed
  apt:
    name: kibana
    state: present
+    update_cache: yes
  tags:
    - kibana
    - packages
--- a/kibana/templates/elastic.sources.j2
+++ b/kibana/templates/elastic.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/elastic.asc
+Enabled: yes
--- a/logstash/tasks/apt_sources.yml
+++ b/logstash/tasks/apt_sources.yml
@ -0,0 +1,36 @@
+---
+- name: APT https transport is enabled (Debian <10)
+  ansible.builtin.apt:
+    name: apt-transport-https
+    state: present
+  when: ansible_distribution_major_version is version('10', '<')
+
+- name: Elastic GPG key is installed
+  ansible.builtin.copy:
+    src: elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Elastic repository (Debian <12)
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    filename: elastic
+    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
+
+- name: Add Elastic repository (Debian >=12)
+  ansible.builtin.template:
+    src: elastic.sources.j2
+    dest: /etc/apt/sources.list.d/elastic.sources
+    state: present
+  register: elastic_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  apt:
+    update_cache: yes
+  when: elastic_sources is changed
--- a/logstash/tasks/main.yml
+++ b/logstash/tasks/main.yml
@ -1,62 +1,11 @@
 ---
-
- name: APT https transport is enabled
-  apt:
-    name: apt-transport-https
-    state: present
-  tags:
-    - logstash
-    - packages
-
- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - logstash
-    - packages
-
- name: Elastic embedded GPG key is absent
-  apt_key:
-    id: "D88E42B4"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - logstash
-    - packages
-
- name: Elastic GPG key is installed
-  copy:
-    src: elastic.asc
-    dest: "{{ apt_keyring_dir }}/elastic.asc"
-    force: yes
-    mode: "0644"
-    owner: root
-    group: root
-  tags:
-    - logstash
-    - packages
-
- name: Elastic sources list is available
-  apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: present
-    update_cache: yes
-  tags:
-    - logstash
-    - packages
-
- name: Unsigned Elastic sources list is not available
-  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: absent
-    update_cache: yes
-  tags:
-    - logstash
-    - packages
+- name: APT sources
+  import_tasks: apt_sources.yml
+  args:
+    apply:
+      tags:
+        - logstash
+        - packages

 - name: Logstash is installed
  apt:
--- a/logstash/templates/elastic.sources.j2
+++ b/logstash/templates/elastic.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/elastic.asc
+Enabled: yes
--- a/metricbeat/tasks/apt_sources.yml
+++ b/metricbeat/tasks/apt_sources.yml
@ -0,0 +1,36 @@
+---
+- name: APT https transport is enabled (Debian <10)
+  ansible.builtin.apt:
+    name: apt-transport-https
+    state: present
+  when: ansible_distribution_major_version is version('10', '<')
+
+- name: Elastic GPG key is installed
+  ansible.builtin.copy:
+    src: elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Elastic repository (Debian <12)
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    filename: elastic
+    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
+
+- name: Add Elastic repository (Debian >=12)
+  ansible.builtin.template:
+    src: elastic.sources.j2
+    dest: /etc/apt/sources.list.d/elastic.sources
+    state: present
+  register: elastic_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  apt:
+    update_cache: yes
+  when: elastic_sources is changed
--- a/metricbeat/tasks/main.yml
+++ b/metricbeat/tasks/main.yml
@ -1,62 +1,11 @@
 ---
-
- name: APT https transport is enabled
-  apt:
-    name: apt-transport-https
-    state: present
-  tags:
-    - metricbeat
-    - packages
-
- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - metricbeat
-    - packages
-
- name: Elastic embedded GPG key is absent
-  apt_key:
-    id: "D88E42B4"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - metricbeat
-    - packages
-
- name: Elastic GPG key is installed
-  copy:
-    src: elastic.asc
-    dest: "{{ apt_keyring_dir }}/elastic.asc"
-    force: yes
-    mode: "0644"
-    owner: root
-    group: root
-  tags:
-    - metricbeat
-    - packages
-
- name: Elastic sources list is available
-  apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: present
-    update_cache: yes
-  tags:
-    - metricbeat
-    - packages
-
- name: Elastic sources list is available
-  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
-    filename: elastic
-    state: absent
-    update_cache: yes
-  tags:
-    - metricbeat
-    - packages
+- name: APT sources
+  import_tasks: apt_sources.yml
+  args:
+    apply:
+      tags:
+        - metricbeat
+        - packages

 - name: Metricbeat is installed
  apt:
--- a/metricbeat/templates/elastic.sources.j2
+++ b/metricbeat/templates/elastic.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/elastic.asc
+Enabled: yes
--- a/mongodb/tasks/main.yml
+++ b/mongodb/tasks/main.yml
@ -1,13 +1,14 @@
 ---

- include: main_jessie.yml
+- ansible.builtin.import_tasks: main_jessie.yml
  when: ansible_distribution_release == "jessie"

- include: main_stretch.yml
+- ansible.builtin.import_tasks: main_stretch.yml
  when: ansible_distribution_release == "stretch"

- include: main_buster.yml
+- ansible.builtin.import_tasks: main_buster.yml
  when: ansible_distribution_release == "buster"

- include: main_bullseye.yml
-  when: ansible_distribution_major_version is version('11', '>=')
+- ansible.builtin.import_tasks: main_bullseye.yml
+  when: ansible_distribution_release == "bullseye"
+
--- a/mongodb/tasks/main_bullseye.yml
+++ b/mongodb/tasks/main_bullseye.yml
@ -1,22 +1,10 @@
 ---

 - fail:
-    msg: Not compatible with Debian 11 (Bullseye)
+    msg: MongoDB versions <4.2 are not compatible with Debian 11 (Bullseye)
  when:
  - ansible_distribution_release == "bullseye"
-  - mongodb_version is version('5.0', '<')
-
- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-
- name: MongoDB embedded GPG key is absent
-  apt_key:
-    id: "B8612B5D"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
+  - mongodb_version is version('5.2', '<')

 - name: Add MongoDB GPG key
  copy:
@ -27,19 +15,11 @@
    owner: root
    group: root

- name: Enable APT sources list
+- name: Add MongoDB repository
  apt_repository:
    repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main"
    state: present
    filename: "mongodb-org-{{ mongodb_version }}"
-    update_cache: yes
-
- name: Disable unsigned APT sources list
-  apt_repository:
-    repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main"
-    state: absent
-    filename: "mongodb-org-{{ mongodb_version }}"
-    update_cache: yes

 - name: Install packages
  apt:
--- a/newrelic/tasks/php.yml
+++ b/newrelic/tasks/php.yml
@ -1,7 +1,7 @@
 ---

 - name: Pre-seed package configuration with app name
-  debconf:
+  ansible.builtin.debconf:
    name: newrelic-php5
    question: "newrelic-php5/application-name"
    value: "{{ newrelic_appname }}"
@ -9,7 +9,7 @@
  when: newrelic_appname | length > 0

 - name: Pre-seed package configuration with license
-  debconf:
+  ansible.builtin.debconf:
    name: newrelic-php5
    question: "newrelic-php5/license-key"
    value: "{{ newrelic_license }}"
@ -17,26 +17,27 @@
  when: newrelic_license | length > 0

 - name: list newrelic config files
-  shell: "find /etc/php* -type f -name newrelic.ini"
+  ansible.builtin.shell:
+    cmd: "find /etc/php* -type f -name newrelic.ini"
  changed_when: False
  check_mode: no
  register: find_newrelic_ini

 - name: Disable AWS detection
-  lineinfile:
+  ansible.builtin.lineinfile:
    dest: "{{ item }}"
    regexp: '^;?newrelic.daemon.utilization.detect_aws'
    line: 'newrelic.daemon.utilization.detect_aws = false'
  loop: "{{ find_newrelic_ini.stdout_lines }}"

 - name: Disable Docker detection
-  lineinfile:
+  ansible.builtin.lineinfile:
    dest: "{{ item }}"
    regexp: '^;?newrelic.daemon.utilization.detect_docker'
    line: 'newrelic.daemon.utilization.detect_docker = false'
  loop: "{{ find_newrelic_ini.stdout_lines }}"

 - name: Install package for PHP
-  apt:
+  ansible.builtin.apt:
    name: newrelic-php5
    state: present
--- a/newrelic/tasks/sources.yml
+++ b/newrelic/tasks/sources.yml
@ -1,19 +1,7 @@
 ---

- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-
- name: NewRelic embedded GPG key is absent
-  apt_key:
-    id: "548C16BF"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-
 - name: Add NewRelic GPG key
-  copy:
+  ansible.builtin.copy:
    src: newrelic.asc
    dest: "{{ apt_keyring_dir }}/newrelic.asc"
    force: yes
@ -21,16 +9,23 @@
    owner: root
    group: root

- name: Install NewRelic repository
-  apt_repository:
+- name: Install NewRelic repository (Debian <12)
+  ansible.builtin.apt_repository:
    repo: "deb [signed-by={{ apt_keyring_dir }}/newrelic.asc] http://apt.newrelic.com/debian/ newrelic non-free"
    state: present
    filename: newrelic
    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')

- name: Desinstall unsigned NewRelic repository
-  apt_repository:
-    repo: "deb http://apt.newrelic.com/debian/ newrelic non-free"
-    state: absent
-    filename: newrelic
+- name: Add NewRelic repository (Debian >=12)
+  ansible.builtin.template:
+    src: newrelic.sources.j2
+    dest: /etc/apt/sources.list.d/newrelic.sources
+    state: present
+  register: newrelic_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  ansible.builtin.apt:
    update_cache: yes
+  when: newrelic_sources is changed
--- a/newrelic/tasks/sysmond.yml
+++ b/newrelic/tasks/sysmond.yml
@ -1,11 +1,11 @@
 ---

 - name: Install system monitor daemon
-  apt:
+  ansible.builtin.apt:
    name: newrelic-sysmond

 - name: Set license key for newrelic-sysmond
-  replace:
+  ansible.builtin.replace:
    dest: /etc/newrelic/nrsysmond.cfg
    regexp: "license_key=REPLACE_WITH_REAL_KEY"
    replace: "license_key={{ newrelic_license }}"
--- a/newrelic/templates/newrelic.sources.j2
+++ b/newrelic/templates/newrelic.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: http://apt.newrelic.com/debian/
+Suites: newrelic
+Components: non-free
+Signed-by: {{ apt_keyring_dir }}/newrelic.asc
+Enabled: yes
--- a/nodejs/tasks/main.yml
+++ b/nodejs/tasks/main.yml
@ -1,36 +1,17 @@
 ---

- name: APT https transport is enabled
-  apt:
+- name: APT https transport is enabled (Debian <10)
+  ansible.builtin.apt:
    name: apt-transport-https
    state: present
  tags:
    - system
    - packages
    - nodejs
-
- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - system
-    - packages
-    - nodejs
-
- name: NodeJS embedded GPG key is absent
-  apt_key:
-    id: "68576280"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - system
-    - packages
-    - nodejs
+  when: ansible_distribution_major_version is version('10', '<')

 - name: NodeJS GPG key is installed
-  copy:
+  ansible.builtin.copy:
    src: nodesource.asc
    dest: "{{ apt_keyring_dir }}/nodesource.asc"
    mode: "0644"
@ -41,8 +22,8 @@
    - packages
    - nodejs

- name: NodeJS sources list ({{ nodejs_apt_version }}) is available
-  apt_repository:
+- name: Add NodeJS repository (Debian <12)
+  ansible.builtin.apt_repository:
    repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main"
    filename: nodesource
    update_cache: yes
@ -51,26 +32,32 @@
    - system
    - packages
    - nodejs
+  when: ansible_distribution_major_version is version('12', '<')

- name: Unsigned NodeJS sources list ({{ nodejs_apt_version }}) is not available
-  apt_repository:
-    repo: "deb https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main"
-    filename: nodesource
-    update_cache: yes
-    state: absent
+- name: Add NodeJS repository (Debian >=12)
+  ansible.builtin.template:
+    src: nodesource.sources.j2
+    dest: /etc/apt/sources.list.d/nodesource.sources
+    state: present
+  register: nodesource_sources
  tags:
    - system
    - packages
    - nodejs
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  ansible.builtin.apt:
+    update_cache: yes
+  when: nodesource_sources is changed

 - name: NodeJS is installed
-  apt:
+  ansible.builtin.apt:
    name: nodejs
    state: present
-    update_cache: yes
  tags:
    - packages
    - nodejs

- include: yarn.yml
+- ansible.builtin.import_tasks: yarn.yml
  when: nodejs_install_yarn | bool
--- a/nodejs/tasks/yarn.yml
+++ b/nodejs/tasks/yarn.yml
@ -1,29 +1,7 @@
 ---

- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-  tags:
-    - system
-    - packages
-    - nodejs
-    - yarn
-
- name: Yarn embedded GPG key is absent
-  apt_key:
-    id: "86E50310"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-  tags:
-    - system
-    - packages
-    - nodejs
-    - yarn
-
 - name: Yarn GPG key is installed
-  copy:
+  ansible.builtin.copy:
    src: yarn.asc
    dest: "{{ apt_keyring_dir }}/yarn.asc"
    mode: "0644"
@ -35,32 +13,39 @@
    - nodejs
    - yarn

- name: Yarn sources list is available
-  apt_repository:
+- name: Add Yarn repository (Debian <12)
+  ansible.builtin.apt_repository:
    repo: "deb [signed-by={{ apt_keyring_dir }}/yarn.asc] https://dl.yarnpkg.com/debian/ stable main"
    filename: yarn
-    update_cache: yes
    state: present
  tags:
    - system
    - packages
    - nodejs
    - yarn
+  when: ansible_distribution_major_version is version('12', '<')

- name: Unsigned Yarn sources list is not available
-  apt_repository:
-    repo: "deb https://dl.yarnpkg.com/debian/ stable main"
-    filename: yarn
+- name: Add Yarn repository (Debian >=12)
+  ansible.builtin.template:
+    src: yarn.sources.j2
+    dest: /etc/apt/sources.list.d/yarn.sources
+    state: present
    update_cache: yes
-    state: absent
+  register: yarn_sources
  tags:
    - system
    - packages
    - nodejs
    - yarn
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  ansible.builtin.apt:
+    update_cache: yes
+  when: yarn_sources is changed

 - name: Yarn is installed
-  apt:
+  ansible.builtin.apt:
    name: yarn
    state: present
  tags:
--- a/nodejs/templates/nodesource.sources.j2
+++ b/nodejs/templates/nodesource.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://deb.nodesource.com/{{ nodejs_apt_version }}
+Suites: {{ ansible_distribution_release }}
+Components: main
+Signed-by: {{ apt_keyring_dir }}/nodesource.asc
+Enabled: yes
--- a/nodejs/templates/yarn.sources.j2
+++ b/nodejs/templates/yarn.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://dl.yarnpkg.com/debian/
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/yarn.asc
+Enabled: yes
--- a/php/tasks/sury_pre.yml
+++ b/php/tasks/sury_pre.yml
@ -1,12 +1,10 @@
 ---

- name: Setup deb.sury.org repository - Add GPG key
-  copy:
-    src: sury.gpg
-    dest: "{{ apt_keyring_dir }}/sury.gpg"
-    mode: "0644"
-    owner: root
-    group: root
+- name: Setup deb.sury.org repository - Install apt-transport-https
+  apt:
+    name: apt-transport-https
+    state: present
+  when: ansible_distribution_major_version is version('10', '<')

 - name: copy pub.evolix.org GPG key
  copy:
@ -16,18 +14,6 @@
    owner: root
    group: root

- name: Setup deb.sury.org repository - Install apt-transport-https
-  apt:
-    state: present
-    name: apt-transport-https
-
- name: Setup deb.sury.org repository - Add preferences file
-  copy:
-    src: sury.preferences
-    dest: /etc/apt/preferences.d/z-sury
-  when:
-    - ansible_distribution_release != "bullseye"
-
 - name: Setup pub.evolix.org repository - Add source list
  apt_repository:
    repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-php81 main"
@ -36,17 +22,41 @@
  when:
    - ansible_distribution_release == "bullseye"

- name: Setup deb.sury.org repository - Add source list
+- name: Setup deb.sury.org repository - Add preferences file
+  copy:
+    src: sury.preferences
+    dest: /etc/apt/preferences.d/z-sury
+  when:
+    - ansible_distribution_release != "bullseye"
+
+- name: Setup deb.sury.org repository - Add GPG key
+  copy:
+    src: sury.gpg
+    dest: "{{ apt_keyring_dir }}/sury.gpg"
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Sury repository (Debian <12)
  apt_repository:
    repo: "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
    filename: sury
    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')

- name: Setup deb.sury.org repository - Remove unsigned source list
-  apt_repository:
-    repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
-    filename: sury
-    state: absent
+- name: Add Sury repository (Debian >=12)
+  ansible.builtin.template:
+    src: sury.sources.j2
+    dest: /etc/apt/sources.list.d/sury.sources
+    state: present
+  register: sury_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  apt:
+    update_cache: yes
+  when: sury_sources is changed

 - name: "Override package list for Sury (Debian 9 or later)"
  set_fact:
--- a/php/templates/sury.sources.j2
+++ b/php/templates/sury.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://packages.sury.org/php/
+Suites: {{ ansible_distribution_release }}
+Components: main
+Signed-by: {{ apt_keyring_dir }}/sury.gpg
+Enabled: yes
--- a/postgresql/tasks/main.yml
+++ b/postgresql/tasks/main.yml
@ -1,25 +1,28 @@
 ---
- include: locales.yml
+- ansible.builtin.import_tasks: locales.yml

- include: packages_jessie.yml
+- ansible.builtin.import_tasks: packages_jessie.yml
  when: ansible_distribution_release == "jessie"

- include: packages_stretch.yml
+- ansible.builtin.import_tasks: packages_stretch.yml
  when: ansible_distribution_release == "stretch"

- include: packages_buster.yml
+- ansible.builtin.import_tasks: packages_buster.yml
  when: ansible_distribution_release == "buster"

- include: packages_bullseye.yml
-  when: ansible_distribution_major_version is version('11', '>=')
+- ansible.builtin.import_tasks: packages_bullseye.yml
+  when: ansible_distribution_release == "bullseye"

- include: config.yml
+- ansible.builtin.import_tasks: packages_bookworm.yml
+  when: ansible_distribution_release == "bookworm"

- include: nrpe.yml
+- ansible.builtin.import_tasks: config.yml

- include: munin.yml
+- ansible.builtin.import_tasks: nrpe.yml

- include: logrotate.yml
+- ansible.builtin.import_tasks: munin.yml

- include: postgis.yml
+- ansible.builtin.import_tasks: logrotate.yml
+
+- ansible.builtin.import_tasks: postgis.yml
  when: postgresql_install_postgis | bool
--- a/postgresql/tasks/packages_bookworm.yml
+++ b/postgresql/tasks/packages_bookworm.yml
@ -1,15 +1,15 @@
 ---

 - name: "Set variables (Debian 12)"
-  set_fact:
+  ansible.builtin.set_fact:
    postgresql_version: '15'
  when: postgresql_version is none or postgresql_version | length == 0

- include: pgdg-repo.yml
+- ansible.builtin.import_tasks: pgdg-repo.yml
  when: postgresql_version != '15'

 - name: Install postgresql package
-  apt:
+  ansible.builtin.apt:
    name:
      - "postgresql-{{ postgresql_version }}"
      - pgtop
--- a/postgresql/tasks/packages_bullseye.yml
+++ b/postgresql/tasks/packages_bullseye.yml
@ -14,3 +14,4 @@
      - "postgresql-{{ postgresql_version }}"
      - pgtop
      - libdbd-pg-perl
+    update_cache: yes
--- a/postgresql/tasks/packages_buster.yml
+++ b/postgresql/tasks/packages_buster.yml
@ -14,3 +14,4 @@
      - "postgresql-{{ postgresql_version }}"
      - pgtop
      - libdbd-pg-perl
+    update_cache: yes
--- a/postgresql/tasks/packages_jessie.yml
+++ b/postgresql/tasks/packages_jessie.yml
@ -10,8 +10,8 @@

 - name: Install postgresql package
  apt:
-    name: '{{ item }}'
-  loop:
-    - "postgresql-{{ postgresql_version }}"
-    - ptop
-    - libdbd-pg-perl
+    name:
+      - "postgresql-{{ postgresql_version }}"
+      - ptop
+      - libdbd-pg-perl
+    update_cache: yes
--- a/postgresql/tasks/packages_stretch.yml
+++ b/postgresql/tasks/packages_stretch.yml
@ -14,3 +14,4 @@
      - "postgresql-{{ postgresql_version }}"
      - ptop
      - libdbd-pg-perl
+    update_cache: yes
--- a/postgresql/tasks/pgdg-repo.yml
+++ b/postgresql/tasks/pgdg-repo.yml
@ -8,18 +8,6 @@

 - meta: flush_handlers

- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
-
- name: PGDG embedded GPG key is absent
-  apt_key:
-    id: "ACCC4CF8"
-    keyring: /etc/apt/trusted.gpg
-    state: absent
-  when: _trusted_gpg_keyring.stat.exists
-
 - name: Add PGDG GPG key
  copy:
    src: postgresql.asc
@ -29,16 +17,25 @@
    owner: root
    group: root

- name: Add PGDG repository
+- name: Add PGDG repository (Debian <12)
  apt_repository:
    repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main"
+    filename: postgresql
    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')

- name: Remove unsigned PGDG repository
-  apt_repository:
-    repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main"
+- name: Add PGDG repository (Debian >=12)
+  ansible.builtin.template:
+    src: postgresql.sources.j2
+    dest: /etc/apt/sources.list.d/postgresql.sources
+    state: present
+  register: postgresql_sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Update APT cache
+  ansible.builtin.apt:
    update_cache: yes
-    state: absent
+  when: elastic_sources is changed

 - name: Add APT preference file
  template:
--- a/postgresql/tasks/postgis.yml
+++ b/postgresql/tasks/postgis.yml
@ -5,3 +5,4 @@
      - postgis
      - "postgresql-{{ postgresql_version }}-postgis-2.5"
      - "postgresql-{{ postgresql_version }}-postgis-2.5-scripts"
+    update_cache: yes
--- a/postgresql/templates/postgresql.sources.j2
+++ b/postgresql/templates/postgresql.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: http://apt.postgresql.org/pub/repos/apt/
+Suites: {{ ansible_distribution_release }}-pgdg
+Components: main
+Signed-by: {{ apt_keyring_dir }}/postgresql.asc
+Enabled: yes