From b424e9b55bf4b4767794106e1364a3c1543567e3 Mon Sep 17 00:00:00 2001 From: ilia Date: Thu, 11 Sep 2025 21:05:31 -0400 Subject: [PATCH] Add checks and conditional tasks for package management across roles - Introduce checks for existing GPG keys and repositories for Docker, NodeSource, and Tailscale to ensure correct configurations before installation. - Implement conditional removal of incorrect keys and repositories to maintain a clean setup. - Update Makefile to include a command for editing group vault variables. These changes enhance package management reliability and streamline the installation process across different roles. --- Makefile | 3 + playbooks/development.yml | 8 +++ roles/applications/tasks/main.yml | 50 ++++++++++++- roles/development/tasks/main.yml | 75 +++++++++++++++----- roles/docker/tasks/setup_gpg_key.yml | 31 +++++++- roles/docker/tasks/setup_repo_debian.yml | 24 ++++++- roles/docker/tasks/setup_repo_linux_mint.yml | 24 ++++++- roles/docker/tasks/setup_repo_ubuntu.yml | 24 ++++++- roles/tailscale/tasks/debian.yml | 68 +++++++++++++++++- 9 files changed, 280 insertions(+), 27 deletions(-) diff --git a/Makefile b/Makefile index 893d745..8f0ba75 100644 --- a/Makefile +++ b/Makefile @@ -456,6 +456,9 @@ ifndef HOST endif ansible-vault edit host_vars/$(HOST).yml +edit-group-vault: ## Edit encrypted group vars (usage: make edit-group-vault) + ansible-vault edit inventories/production/group_vars/all/vault.yml + test-connectivity: ## Test network connectivity and SSH access to all hosts @echo "$(BOLD)Connectivity Test$(RESET)" @if [ -n "$(CURRENT_HOST)" ]; then \ diff --git a/playbooks/development.yml b/playbooks/development.yml index fc84bbe..e293367 100644 --- a/playbooks/development.yml +++ b/playbooks/development.yml @@ -2,6 +2,7 @@ - name: Configure development environment hosts: dev become: true + strategy: free roles: - {role: maintenance, tags: ['maintenance']} 
@@ -20,6 +21,13 @@ - name: Update apt cache ansible.builtin.apt: update_cache: true + ignore_errors: true + register: apt_update_result + + - name: Display apt update status + ansible.builtin.debug: + msg: "Apt cache update: {{ 'Success' if apt_update_result is succeeded else 'Failed - continuing anyway' }}" + when: ansible_debug_output | default(false) | bool tasks: # Additional tasks can be added here if needed diff --git a/roles/applications/tasks/main.yml b/roles/applications/tasks/main.yml index bbe9a38..46a0776 100644 --- a/roles/applications/tasks/main.yml +++ b/roles/applications/tasks/main.yml @@ -16,6 +16,36 @@ applications_desktop_apps_needed: "{{ ['redshift', 'libreoffice', 'evince'] | difference(ansible_facts.packages.keys()) | length > 0 }}" applications_brave_needs_install: "{{ applications_brave_check.rc != 0 or 'brave-browser' not in ansible_facts.packages }}" +- name: Check if Brave GPG key exists and is correct + ansible.builtin.shell: | + if [ -f /usr/share/keyrings/brave-browser-archive-keyring.gpg ]; then + if file /usr/share/keyrings/brave-browser-archive-keyring.gpg | grep -q "PGP"; then + echo "correct_key" + else + echo "wrong_key" + fi + else + echo "not_exists" + fi + register: brave_key_check + failed_when: false + when: applications_brave_needs_install + +- name: Check if Brave repository exists and is correct + ansible.builtin.shell: | + if [ -f /etc/apt/sources.list.d/brave-browser.list ]; then + if grep -q "deb \[signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg\]" /etc/apt/sources.list.d/brave-browser.list; then + echo "correct_config" + else + echo "wrong_config" + fi + else + echo "not_exists" + fi + register: brave_repo_check + failed_when: false + when: applications_brave_needs_install + - name: Clean up duplicate Brave repository files ansible.builtin.file: path: "{{ item }}" 
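Review bot: `ignore_errors: true` on `Update apt cache` lets the play proceed into package installation with a stale index after a failed update, and it hides exactly the failure a defender wants to see at this point — an update that fails with a NO_PUBKEY/BADSIG verification error once a repository key has been removed or rotated by the roles this play runs; the task is still painted as failed in the output, it just no longer stops the host. If the intent is tolerance of transient mirror errors, prefer `retries: 3` / `delay: 10` / `until: apt_update_result is succeeded` on the task and let a persistent failure stop the host, or keep the registered result and fail before the install tasks with something like `failed_when: apt_update_result is failed and not (apt_allow_stale_cache | default(false) | bool)`. The debug task is only shown when `ansible_debug_output` is set, so in a normal run the failure is otherwise invisible.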
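Review bot: The key check in `Check if Brave GPG key exists and is correct` only asks `file` whether the keyring is PGP data, so any OpenPGP keyring at that path — stale, rotated or otherwise not the vendor's — is reported as `correct_key` and the download in the later hunk is then skipped; the same pattern is repeated for Docker in roles/docker/tasks/setup_gpg_key.yml, NodeSource in roles/development/tasks/main.yml and Tailscale in roles/tailscale/tasks/debian.yml. It also silently depends on the `file` binary being installed: on a host without it the pipeline matches nothing, the key is classed `wrong_key`, deleted and re-fetched on every run. A check that pins the identity would be `if gpg --show-keys --with-colons /usr/share/keyrings/brave-browser-archive-keyring.gpg 2>/dev/null | grep -q '^fpr:.*:<PINNED_FINGERPRINT>:'; then` (or drop the shell check and give `get_url` a `checksum:`). The repository check is prefix-only — `grep -q "deb \[signed-by=...\]"` accepts any URL or suite after the `signed-by` and also matches a commented-out line — so match the full expected entry with `grep -qxF`. Both check tasks are read-only and should carry `changed_when: false` so they stop reporting a change on every run.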
@@ -25,6 +55,18 @@ - /etc/apt/sources.list.d/brave-browser-release.sources become: true failed_when: false + when: + - applications_brave_needs_install + - brave_repo_check.stdout == "wrong_config" + +- name: Remove incorrect Brave GPG key + ansible.builtin.file: + path: /usr/share/keyrings/brave-browser-archive-keyring.gpg + state: absent + become: true + when: + - applications_brave_needs_install + - brave_key_check.stdout == "wrong_key" - name: Install desktop applications ansible.builtin.apt: @@ -38,17 +80,19 @@ - name: Brave browser installation when: applications_brave_needs_install block: - - name: Download Brave APT key + - name: Download Brave APT key only if needed ansible.builtin.get_url: url: https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg dest: /usr/share/keyrings/brave-browser-archive-keyring.gpg mode: '0644' + when: brave_key_check.stdout in ["not_exists", "wrong_key"] - - name: Add Brave repository + - name: Add Brave repository only if needed ansible.builtin.apt_repository: repo: "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main" filename: brave-browser state: present + when: brave_repo_check.stdout in ["not_exists", "wrong_config"] - name: Install Brave browser ansible.builtin.apt: @@ -64,4 +108,4 @@ - "LibreOffice: {{ 'Installed' if 'libreoffice' in ansible_facts.packages else 'Missing' }}" - "Evince: {{ 'Installed' if 'evince' in ansible_facts.packages else 'Missing' }}" - "Brave: {{ applications_brave_check.stdout if applications_brave_check.rc == 0 else 'Not installed' }}" - when: ansible_debug_output | default(false) | bool + when: ansible_debug_output | default(false) | bool \ No newline at end of file diff --git a/roles/development/tasks/main.yml b/roles/development/tasks/main.yml index bf8eb9a..95ff9f7 100644 --- a/roles/development/tasks/main.yml +++ b/roles/development/tasks/main.yml 
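Review bot: `Clean up duplicate Brave repository files` is now gated on `brave_repo_check.stdout == "wrong_config"`, but that variable describes `/etc/apt/sources.list.d/brave-browser.list`, while the loop removes different files (`brave-browser-release.sources` and the other items listed above the hunk); a stray `.sources` file next to a missing or correct `.list` is now left in place, which is the duplicate-source situation this task exists for. Keep the task on `when: applications_brave_needs_install` alone — `file` with `state: absent` is already a no-op when the path is missing — or check each path separately. The loop's first items and the task header are above the hunk.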
@@ -17,41 +17,84 @@ failed_when: false changed_when: false -- name: Remove existing NodeSource repository files - ansible.builtin.file: - path: "{{ item }}" - state: absent - loop: - - /etc/apt/sources.list.d/nodesource.list - - /etc/apt/sources.list.d/nodesource.list.save - become: true +- name: Check if NodeSource repository exists and is correct + ansible.builtin.shell: | + if [ -f /etc/apt/sources.list.d/nodesource.list ]; then + if grep -q "deb \[signed-by=/etc/apt/keyrings/nodesource.gpg\] https://deb.nodesource.com/node_22.x nodistro main" /etc/apt/sources.list.d/nodesource.list; then + echo "correct_config" + else + echo "wrong_config" + fi + else + echo "not_exists" + fi + register: nodesource_repo_check failed_when: false when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') +- name: Check if NodeSource GPG key exists and is correct + ansible.builtin.shell: | + if [ -f /etc/apt/keyrings/nodesource.gpg ]; then + if file /etc/apt/keyrings/nodesource.gpg | grep -q "PGP"; then + echo "correct_key" + else + echo "wrong_key" + fi + else + echo "not_exists" + fi + register: nodesource_key_check + failed_when: false + when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') + +- name: Remove incorrect NodeSource repository + ansible.builtin.file: + path: /etc/apt/sources.list.d/nodesource.list + state: absent + become: true + when: + - node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') + - nodesource_repo_check.stdout == "wrong_config" + +- name: Remove incorrect NodeSource key + ansible.builtin.file: + path: /etc/apt/keyrings/nodesource.gpg + state: absent + become: true + when: + - node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') + - nodesource_key_check.stdout == "wrong_key" + - name: Create keyrings directory ansible.builtin.file: path: /etc/apt/keyrings state: directory mode: '0755' become: true - when: node_version_check.rc != 0 or not 
node_version_check.stdout.startswith('v2') + when: + - node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') + - nodesource_key_check.stdout in ["not_exists", "wrong_key"] -- name: Add NodeSource GPG key +- name: Add NodeSource GPG key only if needed ansible.builtin.get_url: - url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key - dest: /etc/apt/keyrings/nodesource.asc + url: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key + dest: /etc/apt/keyrings/nodesource.gpg mode: '0644' force: true become: true - when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') + when: + - node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') + - nodesource_key_check.stdout in ["not_exists", "wrong_key"] -- name: Add NodeSource repository +- name: Add NodeSource repository only if needed ansible.builtin.apt_repository: - repo: "deb [signed-by=/etc/apt/keyrings/nodesource.asc] https://deb.nodesource.com/node_22.x nodistro main" + repo: "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" state: present update_cache: false become: true - when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') + when: + - node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') + - nodesource_repo_check.stdout in ["not_exists", "wrong_config"] - name: Install Node.js 22 from NodeSource ansible.builtin.apt: diff --git a/roles/docker/tasks/setup_gpg_key.yml b/roles/docker/tasks/setup_gpg_key.yml index 915a29b..693c72d 100644 --- a/roles/docker/tasks/setup_gpg_key.yml +++ b/roles/docker/tasks/setup_gpg_key.yml 
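Review bot: `Add NodeSource GPG key only if needed` writes the download straight to `/etc/apt/keyrings/nodesource.gpg`, and the repository line points `signed-by=` at that file, but there is no `gpg --dearmor` step like the one setup_gpg_key.yml runs for Docker's key; NodeSource publishes `nodesource-repo.gpg.key` ASCII-armored and its own instructions pipe it through `gpg --dearmor`, and whether apt accepts an armored file at a `.gpg` `signed-by` path depends on the apt release on the target — confirm, or convert it as below (the removed lines kept it under a `.asc` name, which is the other safe option). The `file ... | grep -q "PGP"` check would not catch the mismatch, since an armored block also reports as PGP. Separately, `node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2')` is now repeated in six tasks; computing it once with `set_fact` (`development_node_needs_install`) or wrapping the tasks in a `block:` with a single `when:` keeps them in step. The removed cleanup of `nodesource.list.save` is also gone, so that leftover file is no longer removed.
```yaml
- name: Download NodeSource GPG key only if needed
  ansible.builtin.get_url:
    url: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
    dest: /etc/apt/keyrings/nodesource.asc
    mode: '0644'
    force: true
  become: true
  when:
    - node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2')
    - nodesource_key_check.stdout in ["not_exists", "wrong_key"]

- name: Convert NodeSource key to a binary keyring
  ansible.builtin.shell: gpg --dearmor < /etc/apt/keyrings/nodesource.asc > /etc/apt/keyrings/nodesource.gpg
  become: true
  when:
    - node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2')
    - nodesource_key_check.stdout in ["not_exists", "wrong_key"]

- name: Remove the armored copy of the NodeSource key
  ansible.builtin.file:
    path: /etc/apt/keyrings/nodesource.asc
    state: absent
  become: true
  when:
    - node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2')
    - nodesource_key_check.stdout in ["not_exists", "wrong_key"]

# … unchanged: Add NodeSource repository only if needed …
```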
@@ -1,20 +1,45 @@ --- -- name: Download Docker's official GPG key +- name: Check if Docker GPG key exists and is correct + ansible.builtin.shell: | + if [ -f /etc/apt/keyrings/docker.gpg ]; then + if file /etc/apt/keyrings/docker.gpg | grep -q "PGP"; then + echo "correct_key" + else + echo "wrong_key" + fi + else + echo "not_exists" + fi + register: docker_key_check + failed_when: false + +- name: Remove incorrect Docker GPG key + ansible.builtin.file: + path: /etc/apt/keyrings/docker.gpg + state: absent + become: true + when: docker_key_check.stdout == "wrong_key" + +- name: Download Docker's official GPG key only if needed ansible.builtin.get_url: url: https://download.docker.com/linux/ubuntu/gpg dest: /tmp/docker.gpg mode: '0644' + when: docker_key_check.stdout in ["not_exists", "wrong_key"] -- name: Convert and install Docker GPG key +- name: Convert and install Docker GPG key only if needed ansible.builtin.shell: gpg --dearmor < /tmp/docker.gpg > /etc/apt/keyrings/docker.gpg changed_when: false + when: docker_key_check.stdout in ["not_exists", "wrong_key"] -- name: Set permissions on Docker GPG key +- name: Set permissions on Docker GPG key only if needed ansible.builtin.file: path: /etc/apt/keyrings/docker.gpg mode: '0644' + when: docker_key_check.stdout in ["not_exists", "wrong_key"] - name: Clean up temporary GPG key file ansible.builtin.file: path: /tmp/docker.gpg state: absent + when: docker_key_check.stdout in ["not_exists", "wrong_key"] \ No newline at end of file diff --git a/roles/docker/tasks/setup_repo_debian.yml b/roles/docker/tasks/setup_repo_debian.yml index 18b5f1c..438f05b 100644 --- a/roles/docker/tasks/setup_repo_debian.yml +++ b/roles/docker/tasks/setup_repo_debian.yml 
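Review bot: `Convert and install Docker GPG key only if needed` now runs only when the keyring is missing or rejected, yet it keeps `changed_when: false`, so the one run that actually writes `/etc/apt/keyrings/docker.gpg` reports no change; with the `when:` in place the honest setting is to drop `changed_when: false`. If `gpg --dearmor` fails, the shell redirection has already truncated `/etc/apt/keyrings/docker.gpg` before the task fails, which leaves an empty keyring behind until the next run's check classes it as `wrong_key`; writing to a temporary name and moving it into place (`gpg --dearmor < /tmp/docker.gpg > /etc/apt/keyrings/docker.gpg.tmp && mv /etc/apt/keyrings/docker.gpg.tmp /etc/apt/keyrings/docker.gpg`) avoids the window. The fixed `/tmp/docker.gpg` path in a world-writable directory is pre-existing and low risk because `get_url` replaces the destination atomically, but an `ansible.builtin.tempfile` task registered and used by the download, conversion and cleanup steps removes the question entirely.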
@@ -1,6 +1,28 @@ --- -- name: Add Docker repository for Debian +- name: Check if Docker repository exists and is correct + ansible.builtin.shell: | + if [ -f /etc/apt/sources.list.d/docker.list ]; then + if grep -q "deb \[arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg\] https://download.docker.com/linux/debian" /etc/apt/sources.list.d/docker.list; then + echo "correct_config" + else + echo "wrong_config" + fi + else + echo "not_exists" + fi + register: docker_repo_check + failed_when: false + +- name: Remove incorrect Docker repository + ansible.builtin.file: + path: /etc/apt/sources.list.d/docker.list + state: absent + become: true + when: docker_repo_check.stdout == "wrong_config" + +- name: Add Docker repository for Debian only if needed ansible.builtin.apt_repository: repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" state: present update_cache: true + when: docker_repo_check.stdout in ["not_exists", "wrong_config"] \ No newline at end of file diff --git a/roles/docker/tasks/setup_repo_linux_mint.yml b/roles/docker/tasks/setup_repo_linux_mint.yml index fb57c3f..a13031b 100644 --- a/roles/docker/tasks/setup_repo_linux_mint.yml +++ b/roles/docker/tasks/setup_repo_linux_mint.yml 
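Review bot: The `grep -q` in `Check if Docker repository exists and is correct` stops at `https://download.docker.com/linux/debian`, so the suite is never compared: a `docker.list` left from a previous release (for instance after a distribution upgrade) is reported as `correct_config` and `Add Docker repository for Debian only if needed` is skipped, whereas `apt_repository` on its own would have added the correct line. The pattern is also unanchored, so a commented-out `# deb ...` line satisfies it while the repository is effectively disabled. Match the whole expected entry literally instead, e.g. `grep -qxF "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" /etc/apt/sources.list.d/docker.list`, and add `changed_when: false` to the check. The same applies to setup_repo_linux_mint.yml (with `docker_ubuntu_codename`) and setup_repo_ubuntu.yml, which are otherwise line-for-line copies of this file; one shared task file taking the URL and codename as variables would keep the three checks in step.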
@@ -7,8 +7,30 @@ 'focal' if ansible_distribution_version is version('20', '>=') else 'bionic' }} -- name: Add Docker repository for Linux Mint (using Ubuntu base) +- name: Check if Docker repository exists and is correct + ansible.builtin.shell: | + if [ -f /etc/apt/sources.list.d/docker.list ]; then + if grep -q "deb \[arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg\] https://download.docker.com/linux/ubuntu" /etc/apt/sources.list.d/docker.list; then + echo "correct_config" + else + echo "wrong_config" + fi + else + echo "not_exists" + fi + register: docker_repo_check + failed_when: false + +- name: Remove incorrect Docker repository + ansible.builtin.file: + path: /etc/apt/sources.list.d/docker.list + state: absent + become: true + when: docker_repo_check.stdout == "wrong_config" + +- name: Add Docker repository for Linux Mint (using Ubuntu base) only if needed ansible.builtin.apt_repository: repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ docker_ubuntu_codename }} stable" state: present update_cache: true + when: docker_repo_check.stdout in ["not_exists", "wrong_config"] \ No newline at end of file diff --git a/roles/docker/tasks/setup_repo_ubuntu.yml b/roles/docker/tasks/setup_repo_ubuntu.yml index d223c78..0602dbf 100644 --- a/roles/docker/tasks/setup_repo_ubuntu.yml +++ b/roles/docker/tasks/setup_repo_ubuntu.yml 
@@ -1,6 +1,28 @@ --- -- name: Add Docker repository for Ubuntu +- name: Check if Docker repository exists and is correct + ansible.builtin.shell: | + if [ -f /etc/apt/sources.list.d/docker.list ]; then + if grep -q "deb \[arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg\] https://download.docker.com/linux/ubuntu" /etc/apt/sources.list.d/docker.list; then + echo "correct_config" + else + echo "wrong_config" + fi + else + echo "not_exists" + fi + register: docker_repo_check + failed_when: false + +- name: Remove incorrect Docker repository + ansible.builtin.file: + path: /etc/apt/sources.list.d/docker.list + state: absent + become: true + when: docker_repo_check.stdout == "wrong_config" + +- name: Add Docker repository for Ubuntu only if needed ansible.builtin.apt_repository: repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" state: present update_cache: true + when: docker_repo_check.stdout in ["not_exists", "wrong_config"] \ No newline at end of file diff --git a/roles/tailscale/tasks/debian.yml b/roles/tailscale/tasks/debian.yml index 1579f70..415fa36 100644 --- a/roles/tailscale/tasks/debian.yml +++ b/roles/tailscale/tasks/debian.yml 
@@ -1,16 +1,74 @@ --- -- name: Add Tailscale GPG key +- name: Check if Tailscale is already installed + ansible.builtin.command: tailscale version + register: tailscale_version_check + failed_when: false + changed_when: false + +- name: Check if Tailscale GPG key exists and is correct + ansible.builtin.shell: | + if [ -f /usr/share/keyrings/tailscale-archive-keyring.gpg ]; then + if file /usr/share/keyrings/tailscale-archive-keyring.gpg | grep -q "PGP"; then + echo "correct_key" + else + echo "wrong_key" + fi + else + echo "not_exists" + fi + register: tailscale_key_check + failed_when: false + when: tailscale_version_check.rc != 0 + +- name: Check if Tailscale repository exists and is correct + ansible.builtin.shell: | + if [ -f /etc/apt/sources.list.d/tailscale.list ]; then + if grep -q "deb \[signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg\]" /etc/apt/sources.list.d/tailscale.list; then + echo "correct_config" + else + echo "wrong_config" + fi + else + echo "not_exists" + fi + register: tailscale_repo_check + failed_when: false + when: tailscale_version_check.rc != 0 + +- name: Remove incorrect Tailscale GPG key + ansible.builtin.file: + path: /usr/share/keyrings/tailscale-archive-keyring.gpg + state: absent + become: true + when: + - tailscale_version_check.rc != 0 + - tailscale_key_check.stdout == "wrong_key" + +- name: Remove incorrect Tailscale repository + ansible.builtin.file: + path: /etc/apt/sources.list.d/tailscale.list + state: absent + become: true + when: + - tailscale_version_check.rc != 0 + - tailscale_repo_check.stdout == "wrong_config" + +- name: Add Tailscale GPG key only if needed ansible.builtin.get_url: url: https://pkgs.tailscale.com/stable/ubuntu/jammy.noarmor.gpg dest: /usr/share/keyrings/tailscale-archive-keyring.gpg mode: '0644' become: true + when: + - tailscale_version_check.rc != 0 + - tailscale_key_check.stdout in ["not_exists", "wrong_key"] - name: Determine repository codename ansible.builtin.set_fact: 
tailscale_repo_codename: "{{ 'jammy' if ansible_distribution == 'Ubuntu' else 'bookworm' }}" + when: tailscale_version_check.rc != 0 -- name: Add Tailscale repository +- name: Add Tailscale repository only if needed ansible.builtin.apt_repository: repo: >- deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] @@ -19,17 +77,22 @@ state: present filename: tailscale become: true + when: + - tailscale_version_check.rc != 0 + - tailscale_repo_check.stdout in ["not_exists", "wrong_config"] - name: Update apt cache ansible.builtin.apt: update_cache: true become: true + when: tailscale_version_check.rc != 0 - name: Install Tailscale ansible.builtin.apt: name: tailscale state: present become: true + when: tailscale_version_check.rc != 0 notify: Start tailscaled - name: Enable and start Tailscale daemon @@ -38,3 +101,4 @@ enabled: true state: started become: true + when: tailscale_version_check.rc != 0 \ No newline at end of file
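Review bot: Gating the key, repository and `Install Tailscale` tasks on `tailscale version` failing makes the role stop converging once the package is present: a removed or rotated key, a hand-edited repository file, or a keyring the check would otherwise repair are never revisited on an installed host, while `get_url`, `apt_repository` and `apt` with `state: present` were already no-ops when nothing needs doing, so the `when:` saves little. If the goal is to avoid the shell checks on every run, restrict the skip to the two check tasks (with `changed_when: false` on them) and leave the declarative key, repository and package tasks unconditional. The key is still fetched from `pkgs.tailscale.com/stable/ubuntu/jammy.noarmor.gpg` while the repository codename falls back to `bookworm` on non-Ubuntu hosts; that is pre-existing, but if the same key is published for every distribution it deserves a comment such as `# the noarmor key is the same for every distribution; only the repository codename differs` — confirm before adding it.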
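Review bot: `when: tailscale_version_check.rc != 0` on `Enable and start Tailscale daemon` means the service is only enabled on the run that installs the package; on a host where tailscale is installed but `tailscaled` has been stopped or disabled, this task is now skipped and the role no longer restores it. Drop the `when:` from this task — `enabled: true` / `state: started` is idempotent — so service state keeps converging independently of install state. The task header and module arguments are above the hunk.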