Add checks and conditional tasks for package management across roles

- Introduce checks for existing GPG keys and repositories for Docker, NodeSource, and Tailscale to ensure correct configurations before installation.
- Implement conditional removal of incorrect keys and repositories to maintain a clean setup.
- Update Makefile to include a command for editing group vault variables.

These changes enhance package management reliability and streamline the installation process across different roles.
ilia 2025-09-11 21:05:31 -04:00
parent c5ae3af9ac
commit b424e9b55b
9 changed files with 280 additions and 27 deletions


@ -456,6 +456,9 @@ ifndef HOST
endif endif
ansible-vault edit host_vars/$(HOST).yml ansible-vault edit host_vars/$(HOST).yml
edit-group-vault: ## Edit encrypted group vars (usage: make edit-group-vault)
ansible-vault edit inventories/production/group_vars/all/vault.yml
test-connectivity: ## Test network connectivity and SSH access to all hosts test-connectivity: ## Test network connectivity and SSH access to all hosts
@echo "$(BOLD)Connectivity Test$(RESET)" @echo "$(BOLD)Connectivity Test$(RESET)"
@if [ -n "$(CURRENT_HOST)" ]; then \ @if [ -n "$(CURRENT_HOST)" ]; then \
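Review bot: The new `edit-group-vault` recipe hard-codes `inventories/production/group_vars/all/vault.yml`, so the only inventory whose encrypted group vars can be edited through the Makefile is production. A variable with a safe default keeps today's behaviour while allowing others: `INVENTORY ?= production` near the top and `ansible-vault edit inventories/$(INVENTORY)/group_vars/all/vault.yml` in the recipe. If the Makefile keeps a `.PHONY` list (not visible in this hunk), the new target belongs in it so a stray file named `edit-group-vault` can never shadow it.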


@ -2,6 +2,7 @@
- name: Configure development environment - name: Configure development environment
hosts: dev hosts: dev
become: true become: true
strategy: free
roles: roles:
- {role: maintenance, tags: ['maintenance']} - {role: maintenance, tags: ['maintenance']}
@ -20,6 +21,13 @@
- name: Update apt cache - name: Update apt cache
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true update_cache: true
ignore_errors: true
register: apt_update_result
- name: Display apt update status
ansible.builtin.debug:
msg: "Apt cache update: {{ 'Success' if apt_update_result is succeeded else 'Failed - continuing anyway' }}"
when: ansible_debug_output | default(false) | bool
tasks: tasks:
# Additional tasks can be added here if needed # Additional tasks can be added here if needed
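Review bot: `ignore_errors: true` on the pre-task apt cache update (second hunk) also swallows signature failures — an expired or missing repository key or a rejected `Release` file ends in a non-zero `apt-get update` just like a network blip — and the only follow-up is a debug message shown solely when `ansible_debug_output` is set, so a host can carry on installing from whatever index it has cached with nothing in a normal run pointing at the cause. If continuing is intended, make the failure visible unconditionally: keep `register`, switch to `failed_when: false`, and add an `ansible.builtin.debug` (or `fail`) with `when: apt_update_result is failed` whose `msg` includes `{{ apt_update_result.msg | default('') }}`. Alternatively inspect `apt_update_result.msg` for the benign causes you want to tolerate and fail on anything else, which is the safer default for a step whose job is to authenticate repository metadata.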


@ -16,6 +16,36 @@
applications_desktop_apps_needed: "{{ ['redshift', 'libreoffice', 'evince'] | difference(ansible_facts.packages.keys()) | length > 0 }}" applications_desktop_apps_needed: "{{ ['redshift', 'libreoffice', 'evince'] | difference(ansible_facts.packages.keys()) | length > 0 }}"
applications_brave_needs_install: "{{ applications_brave_check.rc != 0 or 'brave-browser' not in ansible_facts.packages }}" applications_brave_needs_install: "{{ applications_brave_check.rc != 0 or 'brave-browser' not in ansible_facts.packages }}"
- name: Check if Brave GPG key exists and is correct
ansible.builtin.shell: |
if [ -f /usr/share/keyrings/brave-browser-archive-keyring.gpg ]; then
if file /usr/share/keyrings/brave-browser-archive-keyring.gpg | grep -q "PGP"; then
echo "correct_key"
else
echo "wrong_key"
fi
else
echo "not_exists"
fi
register: brave_key_check
failed_when: false
when: applications_brave_needs_install
- name: Check if Brave repository exists and is correct
ansible.builtin.shell: |
if [ -f /etc/apt/sources.list.d/brave-browser.list ]; then
if grep -q "deb \[signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg\]" /etc/apt/sources.list.d/brave-browser.list; then
echo "correct_config"
else
echo "wrong_config"
fi
else
echo "not_exists"
fi
register: brave_repo_check
failed_when: false
when: applications_brave_needs_install
- name: Clean up duplicate Brave repository files - name: Clean up duplicate Brave repository files
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
@ -25,6 +55,18 @@
- /etc/apt/sources.list.d/brave-browser-release.sources - /etc/apt/sources.list.d/brave-browser-release.sources
become: true become: true
failed_when: false failed_when: false
when:
- applications_brave_needs_install
- brave_repo_check.stdout == "wrong_config"
- name: Remove incorrect Brave GPG key
ansible.builtin.file:
path: /usr/share/keyrings/brave-browser-archive-keyring.gpg
state: absent
become: true
when:
- applications_brave_needs_install
- brave_key_check.stdout == "wrong_key"
- name: Install desktop applications - name: Install desktop applications
ansible.builtin.apt: ansible.builtin.apt:
@ -38,17 +80,19 @@
- name: Brave browser installation - name: Brave browser installation
when: applications_brave_needs_install when: applications_brave_needs_install
block: block:
- name: Download Brave APT key - name: Download Brave APT key only if needed
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg url: https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
dest: /usr/share/keyrings/brave-browser-archive-keyring.gpg dest: /usr/share/keyrings/brave-browser-archive-keyring.gpg
mode: '0644' mode: '0644'
when: brave_key_check.stdout in ["not_exists", "wrong_key"]
- name: Add Brave repository - name: Add Brave repository only if needed
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main" repo: "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main"
filename: brave-browser filename: brave-browser
state: present state: present
when: brave_repo_check.stdout in ["not_exists", "wrong_config"]
- name: Install Brave browser - name: Install Brave browser
ansible.builtin.apt: ansible.builtin.apt:
@ -64,4 +108,4 @@
- "LibreOffice: {{ 'Installed' if 'libreoffice' in ansible_facts.packages else 'Missing' }}" - "LibreOffice: {{ 'Installed' if 'libreoffice' in ansible_facts.packages else 'Missing' }}"
- "Evince: {{ 'Installed' if 'evince' in ansible_facts.packages else 'Missing' }}" - "Evince: {{ 'Installed' if 'evince' in ansible_facts.packages else 'Missing' }}"
- "Brave: {{ applications_brave_check.stdout if applications_brave_check.rc == 0 else 'Not installed' }}" - "Brave: {{ applications_brave_check.stdout if applications_brave_check.rc == 0 else 'Not installed' }}"
when: ansible_debug_output | default(false) | bool when: ansible_debug_output | default(false) | bool
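Review bot: The `file … | grep -q "PGP"` test in `Check if Brave GPG key exists and is correct` only establishes that the file is some OpenPGP keyring, not that it contains Brave's key, so a keyring planted or replaced with a different key is reported as `correct_key`, the download is skipped, and the repository line that trusts that file is then verified against whatever it holds. Compare the fingerprint instead, e.g. `gpg --show-keys --with-colons /usr/share/keyrings/brave-browser-archive-keyring.gpg | grep -q '^fpr:.*:<EXPECTED_FPR>:$'` with the expected fingerprint kept in role defaults, and give the `get_url` a `checksum:` so a first install is pinned as well. The check also depends on the `file` binary: on a minimal image where it is absent the command fails, the result becomes `wrong_key`, and the key is deleted and re-fetched on every run. Both new shell checks are read-only and should carry `changed_when: false`, otherwise every run reports two spurious changes.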


@ -17,41 +17,84 @@
failed_when: false failed_when: false
changed_when: false changed_when: false
- name: Remove existing NodeSource repository files - name: Check if NodeSource repository exists and is correct
ansible.builtin.file: ansible.builtin.shell: |
path: "{{ item }}" if [ -f /etc/apt/sources.list.d/nodesource.list ]; then
state: absent if grep -q "deb \[signed-by=/etc/apt/keyrings/nodesource.gpg\] https://deb.nodesource.com/node_22.x nodistro main" /etc/apt/sources.list.d/nodesource.list; then
loop: echo "correct_config"
- /etc/apt/sources.list.d/nodesource.list else
- /etc/apt/sources.list.d/nodesource.list.save echo "wrong_config"
become: true fi
else
echo "not_exists"
fi
register: nodesource_repo_check
failed_when: false failed_when: false
when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2')
- name: Check if NodeSource GPG key exists and is correct
ansible.builtin.shell: |
if [ -f /etc/apt/keyrings/nodesource.gpg ]; then
if file /etc/apt/keyrings/nodesource.gpg | grep -q "PGP"; then
echo "correct_key"
else
echo "wrong_key"
fi
else
echo "not_exists"
fi
register: nodesource_key_check
failed_when: false
when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2')
- name: Remove incorrect NodeSource repository
ansible.builtin.file:
path: /etc/apt/sources.list.d/nodesource.list
state: absent
become: true
when:
- node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2')
- nodesource_repo_check.stdout == "wrong_config"
- name: Remove incorrect NodeSource key
ansible.builtin.file:
path: /etc/apt/keyrings/nodesource.gpg
state: absent
become: true
when:
- node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2')
- nodesource_key_check.stdout == "wrong_key"
- name: Create keyrings directory - name: Create keyrings directory
ansible.builtin.file: ansible.builtin.file:
path: /etc/apt/keyrings path: /etc/apt/keyrings
state: directory state: directory
mode: '0755' mode: '0755'
become: true become: true
when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') when:
- node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2')
- nodesource_key_check.stdout in ["not_exists", "wrong_key"]
- name: Add NodeSource GPG key - name: Add NodeSource GPG key only if needed
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key url: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
dest: /etc/apt/keyrings/nodesource.asc dest: /etc/apt/keyrings/nodesource.gpg
mode: '0644' mode: '0644'
force: true force: true
become: true become: true
when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') when:
- node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2')
- nodesource_key_check.stdout in ["not_exists", "wrong_key"]
- name: Add NodeSource repository - name: Add NodeSource repository only if needed
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: "deb [signed-by=/etc/apt/keyrings/nodesource.asc] https://deb.nodesource.com/node_22.x nodistro main" repo: "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main"
state: present state: present
update_cache: false update_cache: false
become: true become: true
when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2') when:
- node_version_check.rc != 0 or not node_version_check.stdout.startswith('v2')
- nodesource_repo_check.stdout in ["not_exists", "wrong_config"]
- name: Install Node.js 22 from NodeSource - name: Install Node.js 22 from NodeSource
ansible.builtin.apt: ansible.builtin.apt:
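Review bot: `Add NodeSource GPG key only if needed` now saves `https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key` straight to `/etc/apt/keyrings/nodesource.gpg`, but as far as I recall NodeSource's own instructions pipe that URL through `gpg --dearmor`, which indicates it is ASCII-armored; apt chooses the parser by file extension and ignores an armored key stored as `.gpg`, so signature verification for the new repository line would fail. Either keep the `.asc` destination the removed lines used and point `signed-by` at it, or dearmor into `nodesource.gpg` the way the Docker key task does. The `file | grep -q "PGP"` check cannot catch this (an armored key reports as a PGP public key block and still passes) and it also does not verify which key it is; compare the fingerprint from `gpg --show-keys --with-colons` against one kept in defaults. Note too that the old `/etc/apt/keyrings/nodesource.asc` and the `nodesource.list.save` file the removed tasks cleaned up are no longer removed, and the two new check tasks need `changed_when: false` like the version check above them.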


@ -1,20 +1,45 @@
--- ---
- name: Download Docker's official GPG key - name: Check if Docker GPG key exists and is correct
ansible.builtin.shell: |
if [ -f /etc/apt/keyrings/docker.gpg ]; then
if file /etc/apt/keyrings/docker.gpg | grep -q "PGP"; then
echo "correct_key"
else
echo "wrong_key"
fi
else
echo "not_exists"
fi
register: docker_key_check
failed_when: false
- name: Remove incorrect Docker GPG key
ansible.builtin.file:
path: /etc/apt/keyrings/docker.gpg
state: absent
become: true
when: docker_key_check.stdout == "wrong_key"
- name: Download Docker's official GPG key only if needed
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://download.docker.com/linux/ubuntu/gpg url: https://download.docker.com/linux/ubuntu/gpg
dest: /tmp/docker.gpg dest: /tmp/docker.gpg
mode: '0644' mode: '0644'
when: docker_key_check.stdout in ["not_exists", "wrong_key"]
- name: Convert and install Docker GPG key - name: Convert and install Docker GPG key only if needed
ansible.builtin.shell: gpg --dearmor < /tmp/docker.gpg > /etc/apt/keyrings/docker.gpg ansible.builtin.shell: gpg --dearmor < /tmp/docker.gpg > /etc/apt/keyrings/docker.gpg
changed_when: false changed_when: false
when: docker_key_check.stdout in ["not_exists", "wrong_key"]
- name: Set permissions on Docker GPG key - name: Set permissions on Docker GPG key only if needed
ansible.builtin.file: ansible.builtin.file:
path: /etc/apt/keyrings/docker.gpg path: /etc/apt/keyrings/docker.gpg
mode: '0644' mode: '0644'
when: docker_key_check.stdout in ["not_exists", "wrong_key"]
- name: Clean up temporary GPG key file - name: Clean up temporary GPG key file
ansible.builtin.file: ansible.builtin.file:
path: /tmp/docker.gpg path: /tmp/docker.gpg
state: absent state: absent
when: docker_key_check.stdout in ["not_exists", "wrong_key"]
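Review bot: The first task accepts any OpenPGP keyring at `/etc/apt/keyrings/docker.gpg` as `correct_key`, so a wrong or planted key is never replaced, and neither the `get_url` nor the dearmor step pins the result to the fingerprint Docker publishes for its repository; add a fingerprint comparison to the check (`gpg --show-keys --with-colons /etc/apt/keyrings/docker.gpg | grep -q '^fpr:.*:<EXPECTED_FPR>:$'`) or at minimum a `checksum:` on the download. `gpg --dearmor < /tmp/docker.gpg > /etc/apt/keyrings/docker.gpg` runs privileged against a predictable path in a world-writable directory; `/tmp`'s sticky bit limits what another local user can do, but `ansible.builtin.tempfile` or a root-owned staging directory removes the question entirely. The redirect also creates `docker.gpg` before gpg runs, so a failing gpg leaves an empty keyring behind; dearmor to a temporary path and move it into place on success. These tasks rely on play-level `become` where the sibling roles set it per task, and the check task needs `changed_when: false`.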


@ -1,6 +1,28 @@
--- ---
- name: Add Docker repository for Debian - name: Check if Docker repository exists and is correct
ansible.builtin.shell: |
if [ -f /etc/apt/sources.list.d/docker.list ]; then
if grep -q "deb \[arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg\] https://download.docker.com/linux/debian" /etc/apt/sources.list.d/docker.list; then
echo "correct_config"
else
echo "wrong_config"
fi
else
echo "not_exists"
fi
register: docker_repo_check
failed_when: false
- name: Remove incorrect Docker repository
ansible.builtin.file:
path: /etc/apt/sources.list.d/docker.list
state: absent
become: true
when: docker_repo_check.stdout == "wrong_config"
- name: Add Docker repository for Debian only if needed
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
state: present state: present
update_cache: true update_cache: true
when: docker_repo_check.stdout in ["not_exists", "wrong_config"]
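Review bot: The `grep -q "deb \[arch=amd64 signed-by=…\] https://download.docker.com/linux/debian"` check matches a prefix only, so a `docker.list` left from an earlier release is reported `correct_config` after a dist-upgrade, the `apt_repository` task is skipped, and the host keeps installing Docker packages built for the previous suite; include `{{ ansible_distribution_release }} stable` in the pattern and use `grep -qxF` with the unescaped line so it must match exactly rather than as a substring. `apt_repository` with `state: present` is already idempotent, so the pre-check only buys the removal step; computing the expected line once in a `set_fact` and using it for both the check and `repo:` keeps the two from drifting. The check task should also have `changed_when: false`.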


@ -7,8 +7,30 @@
'focal' if ansible_distribution_version is version('20', '>=') else 'focal' if ansible_distribution_version is version('20', '>=') else
'bionic' }} 'bionic' }}
- name: Add Docker repository for Linux Mint (using Ubuntu base) - name: Check if Docker repository exists and is correct
ansible.builtin.shell: |
if [ -f /etc/apt/sources.list.d/docker.list ]; then
if grep -q "deb \[arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg\] https://download.docker.com/linux/ubuntu" /etc/apt/sources.list.d/docker.list; then
echo "correct_config"
else
echo "wrong_config"
fi
else
echo "not_exists"
fi
register: docker_repo_check
failed_when: false
- name: Remove incorrect Docker repository
ansible.builtin.file:
path: /etc/apt/sources.list.d/docker.list
state: absent
become: true
when: docker_repo_check.stdout == "wrong_config"
- name: Add Docker repository for Linux Mint (using Ubuntu base) only if needed
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ docker_ubuntu_codename }} stable" repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ docker_ubuntu_codename }} stable"
state: present state: present
update_cache: true update_cache: true
when: docker_repo_check.stdout in ["not_exists", "wrong_config"]
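Review bot: The check greps only up to `https://download.docker.com/linux/ubuntu`, so a `docker.list` whose codename no longer matches `docker_ubuntu_codename` (for example after a Mint upgrade changes the mapping above) is still `correct_config` and never rewritten; append `{{ docker_ubuntu_codename }} stable` to the pattern and match the whole line with `grep -qxF`. As in the Debian and Ubuntu variants, the read-only check needs `changed_when: false`.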


@ -1,6 +1,28 @@
--- ---
- name: Add Docker repository for Ubuntu - name: Check if Docker repository exists and is correct
ansible.builtin.shell: |
if [ -f /etc/apt/sources.list.d/docker.list ]; then
if grep -q "deb \[arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg\] https://download.docker.com/linux/ubuntu" /etc/apt/sources.list.d/docker.list; then
echo "correct_config"
else
echo "wrong_config"
fi
else
echo "not_exists"
fi
register: docker_repo_check
failed_when: false
- name: Remove incorrect Docker repository
ansible.builtin.file:
path: /etc/apt/sources.list.d/docker.list
state: absent
become: true
when: docker_repo_check.stdout == "wrong_config"
- name: Add Docker repository for Ubuntu only if needed
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
state: present state: present
update_cache: true update_cache: true
when: docker_repo_check.stdout in ["not_exists", "wrong_config"]
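Review bot: This file is now the third near-verbatim copy of the same check/remove/add sequence, differing from the Debian and Mint variants only in the URL path and codename, which is how the missing-codename bug in the grep pattern got copied three times. Collapse them into one task file parameterised by two facts (say `docker_repo_distro` and `docker_repo_codename`) set by the distribution-specific includes, and build the expected line once: `docker_repo_line: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ docker_repo_distro }} {{ docker_repo_codename }} stable"` used by both the `grep -qxF` check and `repo:`. The check task also needs `changed_when: false`.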


@ -1,16 +1,74 @@
--- ---
- name: Add Tailscale GPG key - name: Check if Tailscale is already installed
ansible.builtin.command: tailscale version
register: tailscale_version_check
failed_when: false
changed_when: false
- name: Check if Tailscale GPG key exists and is correct
ansible.builtin.shell: |
if [ -f /usr/share/keyrings/tailscale-archive-keyring.gpg ]; then
if file /usr/share/keyrings/tailscale-archive-keyring.gpg | grep -q "PGP"; then
echo "correct_key"
else
echo "wrong_key"
fi
else
echo "not_exists"
fi
register: tailscale_key_check
failed_when: false
when: tailscale_version_check.rc != 0
- name: Check if Tailscale repository exists and is correct
ansible.builtin.shell: |
if [ -f /etc/apt/sources.list.d/tailscale.list ]; then
if grep -q "deb \[signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg\]" /etc/apt/sources.list.d/tailscale.list; then
echo "correct_config"
else
echo "wrong_config"
fi
else
echo "not_exists"
fi
register: tailscale_repo_check
failed_when: false
when: tailscale_version_check.rc != 0
- name: Remove incorrect Tailscale GPG key
ansible.builtin.file:
path: /usr/share/keyrings/tailscale-archive-keyring.gpg
state: absent
become: true
when:
- tailscale_version_check.rc != 0
- tailscale_key_check.stdout == "wrong_key"
- name: Remove incorrect Tailscale repository
ansible.builtin.file:
path: /etc/apt/sources.list.d/tailscale.list
state: absent
become: true
when:
- tailscale_version_check.rc != 0
- tailscale_repo_check.stdout == "wrong_config"
- name: Add Tailscale GPG key only if needed
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://pkgs.tailscale.com/stable/ubuntu/jammy.noarmor.gpg url: https://pkgs.tailscale.com/stable/ubuntu/jammy.noarmor.gpg
dest: /usr/share/keyrings/tailscale-archive-keyring.gpg dest: /usr/share/keyrings/tailscale-archive-keyring.gpg
mode: '0644' mode: '0644'
become: true become: true
when:
- tailscale_version_check.rc != 0
- tailscale_key_check.stdout in ["not_exists", "wrong_key"]
- name: Determine repository codename - name: Determine repository codename
ansible.builtin.set_fact: ansible.builtin.set_fact:
tailscale_repo_codename: "{{ 'jammy' if ansible_distribution == 'Ubuntu' else 'bookworm' }}" tailscale_repo_codename: "{{ 'jammy' if ansible_distribution == 'Ubuntu' else 'bookworm' }}"
when: tailscale_version_check.rc != 0
- name: Add Tailscale repository - name: Add Tailscale repository only if needed
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: >- repo: >-
deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg]
@ -19,17 +77,22 @@
state: present state: present
filename: tailscale filename: tailscale
become: true become: true
when:
- tailscale_version_check.rc != 0
- tailscale_repo_check.stdout in ["not_exists", "wrong_config"]
- name: Update apt cache - name: Update apt cache
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true update_cache: true
become: true become: true
when: tailscale_version_check.rc != 0
- name: Install Tailscale - name: Install Tailscale
ansible.builtin.apt: ansible.builtin.apt:
name: tailscale name: tailscale
state: present state: present
become: true become: true
when: tailscale_version_check.rc != 0
notify: Start tailscaled notify: Start tailscaled
- name: Enable and start Tailscale daemon - name: Enable and start Tailscale daemon
@ -38,3 +101,4 @@
enabled: true enabled: true
state: started state: started
become: true become: true
when: tailscale_version_check.rc != 0
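Review bot: Gating `Enable and start Tailscale daemon` (last hunk) on `tailscale_version_check.rc != 0` means `enabled: true`/`state: started` is enforced only on the run that installs the package; on a host where Tailscale is already present and someone has stopped or disabled `tailscaled`, the role now leaves it that way and the host silently drops off the tailnet. Remove that `when:` so the service task stays unconditional — the `notify: Start tailscaled` on the install task only covers fresh installs. The key check shares the weakness of the other roles in this commit: `file | grep -q "PGP"` confirms the file is an OpenPGP keyring, not that it is Tailscale's, so a wrong key is kept; compare the fingerprint and pin the `get_url` with `checksum:`. Both new check tasks need `changed_when: false`, as the version check above them already does.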