From f531460f49b662c35d0db82a67c775cdc53f6ccd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 2 Nov 2022 23:15:17 +0100 Subject: [PATCH] Use proper keyrings directory for APT version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Debian 9 → 11 : /etc/apt/trusted.gpg.d Debian 12 : /etc/apt/keyrings --- CHANGELOG.md | 1 + apt/defaults/main.yml | 2 ++ apt/tasks/evolix_public.yml | 2 +- docker-host/defaults/main.yml | 2 ++ docker-host/tasks/main.yml | 2 +- elasticsearch/defaults/main.yml | 2 ++ elasticsearch/tasks/packages.yml | 2 +- evolinux-base/defaults/main.yml | 2 ++ evolinux-base/tasks/hardware.yml | 4 ++-- filebeat/defaults/main.yml | 2 ++ filebeat/tasks/main.yml | 2 +- fluentd/defaults/main.yml | 2 ++ fluentd/tasks/main.yml | 4 ++-- jenkins/defaults/main.yml | 3 +++ jenkins/tasks/main.yml | 2 +- kibana/defaults/main.yml | 2 ++ kibana/tasks/main.yml | 2 +- logstash/defaults/main.yml | 4 +++- logstash/tasks/main.yml | 2 +- lxc-php/defaults/main.yml | 2 +- lxc-php/tasks/php80.yml | 4 ++-- lxc-php/tasks/php81.yml | 4 ++-- metricbeat/defaults/main.yml | 2 ++ metricbeat/tasks/main.yml | 2 +- mongodb/defaults/main.yml | 4 +++- mongodb/tasks/main_bullseye.yml | 2 +- mongodb/tasks/main_buster.yml | 2 +- newrelic/defaults/main.yml | 2 ++ newrelic/tasks/sources.yml | 2 +- nodejs/defaults/main.yml | 2 ++ nodejs/tasks/main.yml | 2 +- nodejs/tasks/yarn.yml | 2 +- percona/defaults/main.yml | 2 ++ percona/tasks/main.yml | 2 +- php/defaults/main.yml | 2 ++ php/tasks/sury_pre.yml | 2 +- postgresql/defaults/main.yml | 2 ++ postgresql/tasks/pgdg-repo.yml | 2 +- 38 files changed, 61 insertions(+), 27 deletions(-) create mode 100644 jenkins/defaults/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 4546d4da..0a9a7496 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* Use proper keyrings directory for APT version * evolinux-base: replace regular kernel by cloud kernel on virtual servers * nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml index e5093c6e..681f1d14 100644 --- a/apt/defaults/main.yml +++ b/apt/defaults/main.yml @@ -25,3 +25,5 @@ apt_check_hold_cron_hour: "*/4" apt_check_hold_cron_weekday: "*" apt_check_hold_cron_day: "*" apt_check_hold_cron_month: "*" + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index 8352e666..21062a32 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -19,7 +19,7 @@ - name: Add Evolix GPG key copy: src: reg.asc - dest: /etc/apt/trusted.gpg.d/reg.asc + dest: "{{ apt_keyring_dir }}/reg.asc" force: yes mode: "0644" owner: root diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index 3f713930..44496203 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml @@ -28,3 +28,5 @@ docker_tls_ca_key: ca/ca-key.pem docker_tls_cert: server/cert.pem docker_tls_key: server/key.pem docker_tls_csr: server/server.csr + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index b430de6f..861a352d 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml 
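Review bot: The `apt_keyring_dir` default added at the end of `apt/defaults/main.yml` is repeated verbatim in the defaults of every other role this patch touches, under a shared, unprefixed name, so a later edit to one copy can leave roles disagreeing about where repository keys are installed. The two directories also have different trust semantics and the line does not say so; I would put a comment above it such as `# Debian < 12: keys in trusted.gpg.d are trusted for every source; Debian >= 12: keys in keyrings are only used through signed-by`. The `version('12', '<')` test presumably errors out when `ansible_distribution_major_version` is not numeric (testing/sid hosts), which is worth confirming before relying on it. The added line also ends without a trailing newline in each of these files.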
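Review bot: Only the `dest:` of the key file changes in `apt/tasks/evolix_public.yml`, but on Debian 12 apt does not read `/etc/apt/keyrings` on its own: a key placed there is used only when the source entry names it with `signed-by`. The task that writes the Evolix source entry lies outside this hunk, so I cannot confirm it carries the option; the same applies to every other key-copy hunk in this patch, since only the fluentd `repo:` line gains `signed-by`. Each matching source entry should carry `[signed-by={{ apt_keyring_dir }}/reg.asc]` (with that role's own key file), otherwise verification fails on Debian 12. Separately, nothing visible here removes the old copy from `/etc/apt/trusted.gpg.d` on a host upgraded to Debian 12, so the key would stay trusted for all sources there.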
@@ -19,7 +19,7 @@ - name: Add Docker's official GPG key copy: src: docker-debian.asc - dest: /etc/apt/trusted.gpg.d/docker-debian.asc + dest: "{{ apt_keyring_dir }}/docker-debian.asc" force: yes mode: "0644" owner: root diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index 2b891953..98b1a646 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -29,3 +29,5 @@ elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www" elasticsearch_plugin_head_tmp_dir: "{{ elasticsearch_plugin_head_home }}/tmp" elasticsearch_additional_scripts_dir: /usr/share/scripts + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 826fee1e..5070d554 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index d75a23bf..497a3d2b 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -21,6 +21,8 @@ evolinux_apt_public_sources: True evolinux_apt_upgrade: True evolinux_apt_remove_aptitude: True +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" + # etc-evolinux evolinux_etcevolinux_include: True diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index fefb8177..9762825b 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml 
@@ -81,7 +81,7 @@ - name: HPE GPG key is installed copy: src: hpePublicKey2048_key1.asc - dest: /etc/apt/trusted.gpg.d/hpePublicKey2048_key1.asc + dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc" force: yes mode: "0644" owner: root @@ -208,7 +208,7 @@ - name: HWRaid GPG key is installed copy: src: hwraid.le-vert.net.asc - dest: /etc/apt/trusted.gpg.d/hwraid.le-vert.net.asc + dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc" force: yes mode: "0644" owner: root diff --git a/filebeat/defaults/main.yml b/filebeat/defaults/main.yml index deed1508..6538aab5 100644 --- a/filebeat/defaults/main.yml +++ b/filebeat/defaults/main.yml @@ -22,3 +22,5 @@ filebeat_use_config_template: False filebeat_update_config: True filebeat_force_config: True filebeat_upgrade_package: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index dd326cc8..d312a3fb 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/fluentd/defaults/main.yml b/fluentd/defaults/main.yml index 86475f51..18d9b0c7 100644 --- a/fluentd/defaults/main.yml +++ b/fluentd/defaults/main.yml @@ -10,3 +10,5 @@ fluentd_host_port: fluentd_flush_interval: fluentd_heartbeat_type: + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 282accf2..9248db97 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml 
@@ -21,7 +21,7 @@ - name: Add Fluentd GPG key copy: src: fluentd.asc - dest: /etc/apt/trusted.gpg.d/fluentd.asc + dest: "{{ apt_keyring_dir }}/fluentd.asc" force: yes mode: "0644" owner: root @@ -32,7 +32,7 @@ - name: Fluentd sources list is available apt_repository: - repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" + repo: "deb [signed-by={{ apt_keyring_dir }}/fluentd.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" filename: treasuredata update_cache: yes state: present diff --git a/jenkins/defaults/main.yml b/jenkins/defaults/main.yml new file mode 100644 index 00000000..bf1296d7 --- /dev/null +++ b/jenkins/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 8ed3d38c..54f1987e 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -20,7 +20,7 @@ - name: Add Jenkins GPG key copy: src: jenkins.asc - dest: /etc/apt/trusted.gpg.d/jenkins.asc + dest: "{{ apt_keyring_dir }}/jenkins.asc" force: yes mode: "0644" owner: root diff --git a/kibana/defaults/main.yml b/kibana/defaults/main.yml index 7107398c..900e579c 100644 --- a/kibana/defaults/main.yml +++ b/kibana/defaults/main.yml @@ -9,3 +9,5 @@ kibana_proxy_nginx: False kibana_proxy_domain: "kibana.{{ ansible_fqdn }}" kibana_proxy_ssl_cert: "/etc/ssl/certs/{{ ansible_fqdn }}.crt" kibana_proxy_ssl_key: "/etc/ssl/private/{{ ansible_fqdn }}.key" + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index d0694094..1978e90e 100644 --- a/kibana/tasks/main.yml 
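Review bot: The `signed-by` added to the `repo:` line pins this source to the Fluentd key, but on Debian 9–11 `apt_keyring_dir` still resolves to `/etc/apt/trusted.gpg.d`, where apt accepts the same key for every other configured source, so the key is only scoped to this repository on Debian 12. Because the entry now names the key file explicitly, the key could be installed outside `trusted.gpg.d` on all releases, provided the target directory is created on the older ones. The repository URL on the same line is still plain `http://`; the signature protects package integrity, but `https://` would be preferable if the vendor serves this repository over TLS.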
+++ b/kibana/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/logstash/defaults/main.yml b/logstash/defaults/main.yml index 7cc40e49..b42fc347 100644 --- a/logstash/defaults/main.yml +++ b/logstash/defaults/main.yml @@ -7,4 +7,6 @@ logstash_log_rotate_days: 365 logstash_custom_tmpdir: Null logstash_default_tmpdir: /var/lib/logstash/tmp logstash_log_syslog_enabled: True -logstash_config_force: True \ No newline at end of file +logstash_config_force: True + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 856ceba1..ccb2a1bc 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 5567c4d0..9b501b6c 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -30,4 +30,4 @@ lxc_php_services: php80: 'php8.0-fpm.service' php81: 'php8.1-fpm.service' - +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index 47039fe7..a6539bff 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml 
@@ -25,7 +25,7 @@ - name: copy pub.evolix.net GPG key copy: src: reg.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc mode: "0644" owner: root group: root @@ -33,7 +33,7 @@ - name: copy packages.sury.org GPG Key copy: src: sury.gpg - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg mode: "0644" owner: root group: root diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 8883cbcc..057f15fc 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -25,7 +25,7 @@ - name: copy pub.evolix.net GPG key copy: src: reg.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc mode: "0644" owner: root group: root @@ -33,7 +33,7 @@ - name: copy packages.sury.org GPG Key copy: src: sury.gpg - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg mode: "0644" owner: root group: root diff --git a/metricbeat/defaults/main.yml b/metricbeat/defaults/main.yml index 780a4ffd..f6eb2a3e 100644 --- a/metricbeat/defaults/main.yml +++ b/metricbeat/defaults/main.yml @@ -28,3 +28,5 @@ metricbeat_tags: Null # metricbeat_fields: # - "env: staging" metricbeat_fields: Null + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 8a009f7f..9f432ffe 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml 
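Review bot: In both key-copy tasks of `lxc-php/tasks/php80.yml`, `apt_keyring_dir` in `dest:` is computed from the host's `ansible_distribution_major_version`, while the file is written into the container's rootfs, whose Debian release may differ from the host's. On a Debian 12 host with an older container the key would be written to `rootfs/etc/apt/keyrings`, which apt inside the container does not consult by default and which may not exist, so the copy or the later package verification could fail. The two hunks in `lxc-php/tasks/php81.yml` have the same issue. A variable chosen from the container's release would avoid it, for example `dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs{{ lxc_php_keyring_dir }}/reg.asc"` (the variable name is only a suggestion), and quoting the whole value keeps it consistent with the other roles.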
@@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/mongodb/defaults/main.yml b/mongodb/defaults/main.yml index c118f588..667d68d5 100644 --- a/mongodb/defaults/main.yml +++ b/mongodb/defaults/main.yml @@ -7,4 +7,6 @@ mongodb_bind: 127.0.0.1 # otherwise it can disable important settings, like authorization :/ mongodb_force_config: False -mongodb_version: 4.4 \ No newline at end of file +mongodb_version: 4.4 + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index f97016ec..2a9a1c3a 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -21,7 +21,7 @@ - name: Add MongoDB GPG key copy: src: "server-{{mongodb_version}}.asc" - dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc" + dest: "{{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc" force: yes mode: "0644" owner: root diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index cf5ce2ae..8de5e447 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml @@ -15,7 +15,7 @@ - name: Add MongoDB GPG key copy: src: "server-{{mongodb_version}}.asc" - dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc" + dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc" force: yes mode: "0644" owner: root diff --git a/newrelic/defaults/main.yml b/newrelic/defaults/main.yml index cddbcb0b..3205e53b 100644 --- a/newrelic/defaults/main.yml +++ b/newrelic/defaults/main.yml 
@@ -5,3 +5,5 @@ newrelic_php: False newrelic_license: "" newrelic_appname: "" + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index c27de24d..bd674f11 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -15,7 +15,7 @@ - name: Add NewRelic GPG key copy: src: newrelic.asc - dest: /etc/apt/trusted.gpg.d/newrelic.asc + dest: "{{ apt_keyring_dir }}/newrelic.asc" force: yes mode: "0644" owner: root diff --git a/nodejs/defaults/main.yml b/nodejs/defaults/main.yml index 8f36de49..a8adbb47 100644 --- a/nodejs/defaults/main.yml +++ b/nodejs/defaults/main.yml @@ -4,3 +4,5 @@ nodejs_apt_version: 'node_16.x' nodejs_install_yarn: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index 5ab49e70..d127f44f 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml @@ -32,7 +32,7 @@ - name: NodeJS GPG key is installed copy: src: nodesource.asc - dest: /etc/apt/trusted.gpg.d/nodesource.asc + dest: "{{ apt_keyring_dir }}/nodesource.asc" mode: "0644" owner: root group: root diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index e3dfe1da..6e38f019 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml @@ -25,7 +25,7 @@ - name: Yarn GPG key is installed copy: src: yarn.asc - dest: /etc/apt/trusted.gpg.d/yarn.asc + dest: "{{ apt_keyring_dir }}/yarn.asc" mode: "0644" owner: root group: root diff --git a/percona/defaults/main.yml b/percona/defaults/main.yml index 46a86904..316eccc9 100644 --- a/percona/defaults/main.yml +++ b/percona/defaults/main.yml 
@@ -2,3 +2,5 @@ percona__install_xtrabackup: True percona__xtrabackup_package_name: percona-xtrabackup-24 + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/percona/tasks/main.yml b/percona/tasks/main.yml index 27544252..6dc319ff 100644 --- a/percona/tasks/main.yml +++ b/percona/tasks/main.yml @@ -18,7 +18,7 @@ - name: Add Percona GPG key copy: src: percona.asc - dest: /etc/apt/trusted.gpg.d/percona.asc + dest: "{{ apt_keyring_dir }}/percona.asc" force: yes mode: "0644" owner: root diff --git a/php/defaults/main.yml b/php/defaults/main.yml index 19040baf..2e633d0f 100644 --- a/php/defaults/main.yml +++ b/php/defaults/main.yml @@ -8,3 +8,5 @@ php_symfony_requirements: False php_modules_mysqlnd: False php_fpm_remove_default_pool: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index 13dcc4ec..b528268a 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -3,7 +3,7 @@ - name: Setup deb.sury.org repository - Add GPG key copy: src: sury.gpg - dest: /etc/apt/trusted.gpg.d/sury.gpg + dest: "{{ apt_keyring_dir }}/sury.gpg" mode: "0644" owner: root group: root diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index dcdffb05..ffc3007c 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml @@ -20,3 +20,5 @@ locales_default: fr_FR.UTF-8 # PostGIS postgresql_install_postgis: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index 38f21079..b6315f37 100644 --- a/postgresql/tasks/pgdg-repo.yml 
+++ b/postgresql/tasks/pgdg-repo.yml @@ -23,7 +23,7 @@ - name: Add PGDG GPG key copy: src: postgresql.asc - dest: /etc/apt/trusted.gpg.d/postgresql.asc + dest: "{{ apt_keyring_dir }}/postgresql.asc" force: yes mode: "0644" owner: root