Use proper keyrings directory for APT version

Debian 9 → 11 : /etc/apt/trusted.gpg.d Debian 12 : /etc/apt/keyrings
2022-11-02 23:15:17 +01:00 · 2022-11-02 23:15:17 +01:00 · f531460f49
parent 7f3f7b3e04
commit f531460f49
38 changed files with 61 additions and 27 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m

 ### Added

+* Use proper keyrings directory for APT version
 * evolinux-base: replace regular kernel by cloud kernel on virtual servers
 * nagios-nrpe: check_haproxy_stats supports DRAIN status
 * lxc-php: set php-fpm umask to 007
--- a/apt/defaults/main.yml
+++ b/apt/defaults/main.yml
@ -25,3 +25,5 @@ apt_check_hold_cron_hour: "*/4"
 apt_check_hold_cron_weekday: "*"
 apt_check_hold_cron_day: "*"
 apt_check_hold_cron_month: "*"
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/apt/tasks/evolix_public.yml
+++ b/apt/tasks/evolix_public.yml
@ -19,7 +19,7 @@
 - name: Add Evolix GPG key
  copy:
    src: reg.asc
-    dest: /etc/apt/trusted.gpg.d/reg.asc
+    dest: "{{ apt_keyring_dir }}/reg.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/docker-host/defaults/main.yml
+++ b/docker-host/defaults/main.yml
@ -28,3 +28,5 @@ docker_tls_ca_key: ca/ca-key.pem
 docker_tls_cert: server/cert.pem
 docker_tls_key: server/key.pem
 docker_tls_csr: server/server.csr
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/docker-host/tasks/main.yml
+++ b/docker-host/tasks/main.yml
@ -19,7 +19,7 @@
 - name: Add Docker's official GPG key
  copy:
    src: docker-debian.asc
-    dest: /etc/apt/trusted.gpg.d/docker-debian.asc
+    dest: "{{ apt_keyring_dir }}/docker-debian.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/elasticsearch/defaults/main.yml
+++ b/elasticsearch/defaults/main.yml
@ -29,3 +29,5 @@ elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www"
 elasticsearch_plugin_head_tmp_dir: "{{ elasticsearch_plugin_head_home }}/tmp"

 elasticsearch_additional_scripts_dir: /usr/share/scripts
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/elasticsearch/tasks/packages.yml
+++ b/elasticsearch/tasks/packages.yml
@ -29,7 +29,7 @@
 - name: Elastic GPG key is installed
  copy:
    src: elastic.asc
-    dest: /etc/apt/trusted.gpg.d/elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@ -21,6 +21,8 @@ evolinux_apt_public_sources: True
 evolinux_apt_upgrade: True
 evolinux_apt_remove_aptitude: True

+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
+
 # etc-evolinux

 evolinux_etcevolinux_include: True
--- a/evolinux-base/tasks/hardware.yml
+++ b/evolinux-base/tasks/hardware.yml
@ -81,7 +81,7 @@
    - name: HPE GPG key is installed
      copy:
        src: hpePublicKey2048_key1.asc
-        dest: /etc/apt/trusted.gpg.d/hpePublicKey2048_key1.asc
+        dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc"
        force: yes
        mode: "0644"
        owner: root
@ -208,7 +208,7 @@
    - name: HWRaid GPG key is installed
      copy:
        src: hwraid.le-vert.net.asc
-        dest: /etc/apt/trusted.gpg.d/hwraid.le-vert.net.asc
+        dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc"
        force: yes
        mode: "0644"
        owner: root
--- a/filebeat/defaults/main.yml
+++ b/filebeat/defaults/main.yml
@ -22,3 +22,5 @@ filebeat_use_config_template: False
 filebeat_update_config: True
 filebeat_force_config: True
 filebeat_upgrade_package: False
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/filebeat/tasks/main.yml
+++ b/filebeat/tasks/main.yml
@ -29,7 +29,7 @@
 - name: Elastic GPG key is installed
  copy:
    src: elastic.asc
-    dest: /etc/apt/trusted.gpg.d/elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/fluentd/defaults/main.yml
+++ b/fluentd/defaults/main.yml
@ -10,3 +10,5 @@ fluentd_host_port:

 fluentd_flush_interval:
 fluentd_heartbeat_type:
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/fluentd/tasks/main.yml
+++ b/fluentd/tasks/main.yml
@ -21,7 +21,7 @@
 - name: Add Fluentd GPG key
  copy:
    src: fluentd.asc
-    dest: /etc/apt/trusted.gpg.d/fluentd.asc
+    dest: "{{ apt_keyring_dir }}/fluentd.asc"
    force: yes
    mode: "0644"
    owner: root
@ -32,7 +32,7 @@

 - name: Fluentd sources list is available
  apt_repository:
-    repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/fluentd.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib"
    filename: treasuredata
    update_cache: yes
    state: present
--- a/jenkins/defaults/main.yml
+++ b/jenkins/defaults/main.yml
@ -0,0 +1,3 @@
+---
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/jenkins/tasks/main.yml
+++ b/jenkins/tasks/main.yml
@ -20,7 +20,7 @@
 - name: Add Jenkins GPG key
  copy:
    src: jenkins.asc
-    dest: /etc/apt/trusted.gpg.d/jenkins.asc
+    dest: "{{ apt_keyring_dir }}/jenkins.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/kibana/defaults/main.yml
+++ b/kibana/defaults/main.yml
@ -9,3 +9,5 @@ kibana_proxy_nginx: False
 kibana_proxy_domain: "kibana.{{ ansible_fqdn }}"
 kibana_proxy_ssl_cert: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
 kibana_proxy_ssl_key: "/etc/ssl/private/{{ ansible_fqdn }}.key"
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/kibana/tasks/main.yml
+++ b/kibana/tasks/main.yml
@ -29,7 +29,7 @@
 - name: Elastic GPG key is installed
  copy:
    src: elastic.asc
-    dest: /etc/apt/trusted.gpg.d/elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/logstash/defaults/main.yml
+++ b/logstash/defaults/main.yml
@ -7,4 +7,6 @@ logstash_log_rotate_days: 365
 logstash_custom_tmpdir: Null
 logstash_default_tmpdir: /var/lib/logstash/tmp
 logstash_log_syslog_enabled: True
-logstash_config_force: True
+logstash_config_force: True
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/logstash/tasks/main.yml
+++ b/logstash/tasks/main.yml
@ -29,7 +29,7 @@
 - name: Elastic GPG key is installed
  copy:
    src: elastic.asc
-    dest: /etc/apt/trusted.gpg.d/elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/lxc-php/defaults/main.yml
+++ b/lxc-php/defaults/main.yml
@ -30,4 +30,4 @@ lxc_php_services:
  php80: 'php8.0-fpm.service'
  php81: 'php8.1-fpm.service'

-
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/lxc-php/tasks/php80.yml
+++ b/lxc-php/tasks/php80.yml
@ -25,7 +25,7 @@
 - name: copy pub.evolix.net GPG key
  copy:
    src: reg.asc
-    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc
+    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc
    mode: "0644"
    owner: root
    group: root
@ -33,7 +33,7 @@
 - name: copy packages.sury.org GPG Key
  copy:
    src: sury.gpg
-    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg
+    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg
    mode: "0644"
    owner: root
    group: root
--- a/lxc-php/tasks/php81.yml
+++ b/lxc-php/tasks/php81.yml
@ -25,7 +25,7 @@
 - name: copy pub.evolix.net GPG key
  copy:
    src: reg.asc
-    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc
+    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc
    mode: "0644"
    owner: root
    group: root
@ -33,7 +33,7 @@
 - name: copy packages.sury.org GPG Key
  copy:
    src: sury.gpg
-    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg
+    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg
    mode: "0644"
    owner: root
    group: root
--- a/metricbeat/defaults/main.yml
+++ b/metricbeat/defaults/main.yml
@ -28,3 +28,5 @@ metricbeat_tags: Null
 # metricbeat_fields:
 #   - "env: staging"
 metricbeat_fields: Null
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/metricbeat/tasks/main.yml
+++ b/metricbeat/tasks/main.yml
@ -29,7 +29,7 @@
 - name: Elastic GPG key is installed
  copy:
    src: elastic.asc
-    dest: /etc/apt/trusted.gpg.d/elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/mongodb/defaults/main.yml
+++ b/mongodb/defaults/main.yml
@ -7,4 +7,6 @@ mongodb_bind: 127.0.0.1
 # otherwise it can disable important settings, like authorization :/
 mongodb_force_config: False

-mongodb_version: 4.4
+mongodb_version: 4.4
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/mongodb/tasks/main_bullseye.yml
+++ b/mongodb/tasks/main_bullseye.yml
@ -21,7 +21,7 @@
 - name: Add MongoDB GPG key
  copy:
    src: "server-{{mongodb_version}}.asc"
-    dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc"
+    dest: "{{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/mongodb/tasks/main_buster.yml
+++ b/mongodb/tasks/main_buster.yml
@ -15,7 +15,7 @@
 - name: Add MongoDB GPG key
  copy:
    src: "server-{{mongodb_version}}.asc"
-    dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc"
+    dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/newrelic/defaults/main.yml
+++ b/newrelic/defaults/main.yml
@ -5,3 +5,5 @@ newrelic_php: False

 newrelic_license: ""
 newrelic_appname: ""
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/newrelic/tasks/sources.yml
+++ b/newrelic/tasks/sources.yml
@ -15,7 +15,7 @@
 - name: Add NewRelic GPG key
  copy:
    src: newrelic.asc
-    dest: /etc/apt/trusted.gpg.d/newrelic.asc
+    dest: "{{ apt_keyring_dir }}/newrelic.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/nodejs/defaults/main.yml
+++ b/nodejs/defaults/main.yml
@ -4,3 +4,5 @@
 nodejs_apt_version: 'node_16.x'

 nodejs_install_yarn: False
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/nodejs/tasks/main.yml
+++ b/nodejs/tasks/main.yml
@ -32,7 +32,7 @@
 - name: NodeJS GPG key is installed
  copy:
    src: nodesource.asc
-    dest: /etc/apt/trusted.gpg.d/nodesource.asc
+    dest: "{{ apt_keyring_dir }}/nodesource.asc"
    mode: "0644"
    owner: root
    group: root
--- a/nodejs/tasks/yarn.yml
+++ b/nodejs/tasks/yarn.yml
@ -25,7 +25,7 @@
 - name: Yarn GPG key is installed
  copy:
    src: yarn.asc
-    dest: /etc/apt/trusted.gpg.d/yarn.asc
+    dest: "{{ apt_keyring_dir }}/yarn.asc"
    mode: "0644"
    owner: root
    group: root
--- a/percona/defaults/main.yml
+++ b/percona/defaults/main.yml
@ -2,3 +2,5 @@

 percona__install_xtrabackup: True
 percona__xtrabackup_package_name: percona-xtrabackup-24
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/percona/tasks/main.yml
+++ b/percona/tasks/main.yml
@ -18,7 +18,7 @@
 - name: Add Percona GPG key
  copy:
    src: percona.asc
-    dest: /etc/apt/trusted.gpg.d/percona.asc
+    dest: "{{ apt_keyring_dir }}/percona.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/php/defaults/main.yml
+++ b/php/defaults/main.yml
@ -8,3 +8,5 @@ php_symfony_requirements: False
 php_modules_mysqlnd: False

 php_fpm_remove_default_pool: False
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/php/tasks/sury_pre.yml
+++ b/php/tasks/sury_pre.yml
@ -3,7 +3,7 @@
 - name: Setup deb.sury.org repository - Add GPG key
  copy:
    src: sury.gpg
-    dest: /etc/apt/trusted.gpg.d/sury.gpg
+    dest: "{{ apt_keyring_dir }}/sury.gpg"
    mode: "0644"
    owner: root
    group: root
--- a/postgresql/defaults/main.yml
+++ b/postgresql/defaults/main.yml
@ -20,3 +20,5 @@ locales_default: fr_FR.UTF-8

 # PostGIS
 postgresql_install_postgis: False
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/postgresql/tasks/pgdg-repo.yml
+++ b/postgresql/tasks/pgdg-repo.yml
@ -23,7 +23,7 @@
 - name: Add PGDG GPG key
  copy:
    src: postgresql.asc
-    dest: /etc/apt/trusted.gpg.d/postgresql.asc
+    dest: "{{ apt_keyring_dir }}/postgresql.asc"
    force: yes
    mode: "0644"
    owner: root