new apt_sources.yml ; systemd + command instead of service + shell

2024-03-28 16:08:08 -04:00 · 2024-03-28 16:08:08 -04:00 · 7b3d3764ce
parent 41e8f376ee
commit 7b3d3764ce
8 changed files with 89 additions and 38 deletions
--- a/webapps/jitsimeet/defaults/main.yml
+++ b/webapps/jitsimeet/defaults/main.yml
@ -1,5 +1,6 @@
 ---
 # defaults file for main vars
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"

 jitsimeet_system_dep: "['gnupg2', 'curl', 'apt-transport-https', 'default-jdk', 'lua5.2', 'lua-unbound', 'certbot', 'python3-certbot-nginx']"

--- a/webapps/jitsimeet/files/jitsimeet.gpg
+++ b/webapps/jitsimeet/files/jitsimeet.gpg
--- a/webapps/jitsimeet/files/prosody.gpg
+++ b/webapps/jitsimeet/files/prosody.gpg
--- a/webapps/jitsimeet/tasks/apt_sources.yml
+++ b/webapps/jitsimeet/tasks/apt_sources.yml
@ -0,0 +1,55 @@
+---
+
+- name: "Ensure {{ apt_keyring_dir }} directory exists"
+  file:
+    path: "{{ apt_keyring_dir }}"
+    state: directory
+    mode: "755"
+    owner: root
+    group: root
+
+- name: Prosody GPG key is installed
+  ansible.builtin.copy:
+    src: prosody.gpg
+    dest: "{{ apt_keyring_dir }}/prosody.gpg"
+    force: true
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Jitsi Meet GPG key is installed
+  ansible.builtin.copy:
+    src: jitsimeet.gpg
+    dest: "{{ apt_keyring_dir }}/jitsimeet.gpg"
+    force: true
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Add Prosody repository (Debian <12)
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by={{ apt_keyring_dir }}/prosody.gpg] https://packages.prosody.im/debian {{ ansible_distribution_release }} main"
+    filename: prosody
+    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
+
+- name: Add Prosody repository (Debian >=12)
+  ansible.builtin.template:
+    src: apt/prosody.sources.j2
+    dest: /etc/apt/sources.list.d/prosody.sources
+  when: ansible_distribution_major_version is version('12', '>=')
+
+- name: Add Jitsi Meet repository (Debian <12)
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by={{ apt_keyring_dir }}/jitsimeet.gpg] https://download.jitsi.org stable/"
+    filename: jitsimeet
+    state: present
+    update_cache: yes
+  when: ansible_distribution_major_version is version('12', '<')
+
+- name: Add Jitsi Meet repository (Debian >=12)
+  ansible.builtin.template:
+    src: apt/jitsimeet.sources.j2
+    dest: /etc/apt/sources.list.d/jitsimeet.sources
+  when: ansible_distribution_major_version is version('12', '>=')
--- a/webapps/jitsimeet/tasks/main.yml
+++ b/webapps/jitsimeet/tasks/main.yml
@ -1,33 +1,8 @@
 ---
 # tasks file for jitsimeet install

-#- name: Set FQDN
-#  ansible.builtin.command: "hostnamectl set-hostname {{ jitsimeet_domains | first }}"
-
- name: Add Prosody apt repository key
-  ansible.builtin.get_url:
-    url: https://prosody.im/files/prosody-debian-packages.key
-    dest: /etc/apt/trusted.gpg.d/prosody.gpg
-    mode: '0644'
-    force: true
-
- name: Add Jitsi Meet apt repository key + dearmor hack
-  ansible.builtin.shell: curl -sL https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /etc/apt/trusted.gpg.d/jitsimeet.gpg'
-
- name: Adjust permissions of gpg key
-  ansible.builtin.file:
-    path: /etc/apt/trusted.gpg.d/jitsimeet.gpg
-    mode: '0644'
-
- name: Add Prosody apt repository
-  ansible.builtin.apt_repository:
-    repo: "deb [signed-by=/etc/apt/trusted.gpg.d/prosody.gpg] https://packages.prosody.im/debian {{ ansible_distribution_release }} main"
-    state: present
-
- name: Add Jitsi Meet apt repository
-  ansible.builtin.apt_repository:
-    repo: "deb [signed-by=/etc/apt/trusted.gpg.d/jitsimeet.gpg] https://download.jitsi.org stable/"
-    state: present
+- name: APT sources
+  ansible.builtin.include_tasks: apt_sources.yml

 - name: Install system dependencies
  ansible.builtin.apt:
@ -115,23 +90,25 @@
        }

 - name: Unregister default jvb account in prosody
-  ansible.builtin.command: prosodyctl unregister jvb auth.{{ jitsimeet_domains | first }}
+  ansible.builtin.command: 
+    cmd: prosodyctl unregister jvb auth.{{ jitsimeet_domains | first }}

 - name: Register jvb account in prosody (with proper secret)
-  ansible.builtin.command: prosodyctl register jvb auth.{{ jitsimeet_domains | first }} {{ jitsimeet_jvb_secret }}
+  ansible.builtin.command: 
+    cmd: prosodyctl register jvb auth.{{ jitsimeet_domains | first }} {{ jitsimeet_jvb_secret }}

 - name: Restart prosody
-  ansible.builtin.service:
+  ansible.builtin.systemd:
    name: prosody
    state: restarted

 - name: Restart jvb
-  ansible.builtin.service:
+  ansible.builtin.systemd:
    name: jitsi-videobridge2
    state: restarted

 - name: Restart jicofo
-  ansible.builtin.service:
+  ansible.builtin.systemd:
    name: jicofo
    state: restarted

@ -152,7 +129,7 @@
      dest: "/etc/nginx/sites-enabled/{{ jitsimeet_domains |first }}.conf"
      state: link
  - name: Reload nginx conf
-    ansible.builtin.service:
+    ansible.builtin.systemd:
      name: nginx
      state: reloaded
  - name: Make sure /var/lib/letsencrypt exists and has correct permissions
@ -161,7 +138,8 @@
      state: directory
      mode: '0755'
  - name: Generate certificate with certbot
-    ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ jitsimeet_certbot_admin_email }} -d {{ jitsimeet_domains |first }}
+    ansible.builtin.command: 
+      cmd: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ jitsimeet_certbot_admin_email }} -d {{ jitsimeet_domains |first }}
  when: ssl.stat.exists != true

 - name: (Re)check if SSL certificate is present and register result
@ -190,7 +168,7 @@
    state: link

 - name: Reload nginx conf
-  ansible.builtin.service:
+  ansible.builtin.systemd:
    name: nginx
    state: reloaded

--- a/webapps/jitsimeet/tasks/other_domains.yml
+++ b/webapps/jitsimeet/tasks/other_domains.yml
@ -29,7 +29,7 @@
      dest: "/etc/nginx/sites-enabled/{{ domain }}.conf"
      state: link
  - name: Reload nginx conf
-    ansible.builtin.service:
+    ansible.builtin.systemd:
      name: nginx
      state: reloaded
  - name: Make sure /var/lib/letsencrypt exists and has correct permissions
@ -38,7 +38,8 @@
      state: directory
      mode: '0755'
  - name: Generate certificate with certbot
-    ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ jitsimeet_certbot_admin_email }} -d {{ domain }}
+    ansible.builtin.command: 
+      cmd: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ jitsimeet_certbot_admin_email }} -d {{ domain }}
  when: ssl.stat.exists != true

 - name: (Re)check if SSL certificate is present and register result
@ -66,6 +67,6 @@
    state: link

 - name: Reload nginx conf
-  ansible.builtin.service:
+  ansible.builtin.systemd:
    name: nginx
    state: reloaded
--- a/webapps/jitsimeet/templates/apt/jitsimeet.sources.j2
+++ b/webapps/jitsimeet/templates/apt/jitsimeet.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://download.jitsi.org
+Suites: stable/
+#Components: main
+Signed-by: {{ apt_keyring_dir }}/jitsimeet.gpg
+Enabled: yes
--- a/webapps/jitsimeet/templates/apt/prosody.sources.j2
+++ b/webapps/jitsimeet/templates/apt/prosody.sources.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://packages.prosody.im/debian
+Suites: bookworm
+Components: main
+Signed-by: {{ apt_keyring_dir }}/prosody.gpg
+Enabled: yes