From 19a65cb742170b829e8dc2e9eefa811debf124c0 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Wed, 25 Feb 2026 22:36:37 -0500
Subject: [PATCH] Add zrepl role
---
roles/zrepl/defaults/main.yml | 1 +
roles/zrepl/tasks/install.yml | 40 +++++++++++++++++++++++++++++++++++
roles/zrepl/tasks/main.yml | 24 +++++++++++++++++++++
3 files changed, 65 insertions(+)
create mode 100644 roles/zrepl/defaults/main.yml
create mode 100644 roles/zrepl/tasks/install.yml
create mode 100644 roles/zrepl/tasks/main.yml
diff --git a/roles/zrepl/defaults/main.yml b/roles/zrepl/defaults/main.yml
new file mode 100644
index 0000000..afff420
--- /dev/null
+++ b/roles/zrepl/defaults/main.yml
@@ -0,0 +1 @@
+zrepl_pkg_hold: true
diff --git a/roles/zrepl/tasks/install.yml b/roles/zrepl/tasks/install.yml
new file mode 100644
index 0000000..d61e06f
--- /dev/null
+++ b/roles/zrepl/tasks/install.yml
@@ -0,0 +1,40 @@
+- name: Download zrepl APT signing key
+ ansible.builtin.get_url:
+ url: https://zrepl.cschwarz.com/apt/apt-key.asc
+ dest: /tmp/zrepl-apt-key.asc
+ mode: "600"
+ force: true
+
+- name: Get fingerprint of downloaded key
+ ansible.builtin.shell: |
+ set -euo pipefail
+ gpg --with-colons --import-options show-only \
+ --import /tmp/zrepl-apt-key.asc | awk -F: '$1=="fpr"{print $10; exit}'
+ args:
+ executable: /bin/bash
+ changed_when: false
+ register: gpg_key_info
+
+- name: Verify key fingerprint matches expected value
+ ansible.builtin.assert:
+ that: gpg_key_info.stdout == expected_fingerprint
+ vars:
+ expected_fingerprint: "E101418FD3D6FBCB9D65A62D708699FC5F2EBF16"
+
+- name: Dearmor zrepl key into APT keyring
+ ansible.builtin.command:
+ cmd: >-
+ gpg --dearmor --yes --output /usr/share/keyrings/zrepl-archive-keyring.gpg
+ /tmp/zrepl-apt-key.asc
+ args:
+ creates: /usr/share/keyrings/zrepl-archive-keyring.gpg
+
+- name: Add zrepl apt repository
+ ansible.builtin.apt_repository:
+ repo: "deb [signed-by={{ zrepl_keyring_path }}] {{ zrepl_url }} {{ zrepl_suite }} main"
+ filename: zrepl
+ state: present
+ vars:
+ zrepl_keyring_path: /usr/share/keyrings/zrepl-archive-keyring.gpg
+ zrepl_url: "https://zrepl.cschwarz.com/apt/debian"
+ zrepl_suite: "{{ ansible_distribution_release }}"
diff --git a/roles/zrepl/tasks/main.yml b/roles/zrepl/tasks/main.yml
new file mode 100644
index 0000000..8cf7d41
--- /dev/null
+++ b/roles/zrepl/tasks/main.yml
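Review bot: The fingerprint check in "Get fingerprint of downloaded key" stops at the first `fpr` record (the `exit` in the awk program), so it pins only the first key in /tmp/zrepl-apt-key.asc, while the later `gpg --dearmor` writes every key in that file into the keyring that `signed-by` trusts. A file holding the expected key plus an additional one would still pass the assert. Print one fingerprint per primary key, `awk -F: '$1=="pub"{p=1} $1=="fpr"&&p{print $10; p=0}'`, and compare the whole list, `that: gpg_key_info.stdout_lines == [expected_fingerprint]`. Dropping the early `exit` also removes a possible SIGPIPE failure of gpg under `pipefail`. Separately, the downloaded file is never removed from /tmp, and `creates:` on the dearmor task keeps an existing keyring untouched, so a changed pin would not replace an old key.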
@@ -0,0 +1,24 @@
+- name: Install GnuPG
+ ansible.builtin.apt:
+ name: gnupg
+ state: present
+ update_cache: true
+
+- name: Check if zrepl repo exists
+ ansible.builtin.stat:
+ path: /etc/apt/sources.list.d/zrepl.list
+ register: zrepl_repo_file
+
+- name: Install zrepl repo
+ ansible.builtin.include_tasks: install.yml
+ when: not zrepl_repo_file.stat.exists
+
+- name: Install zrepl
+ ansible.builtin.apt:
+ name: zrepl
+ state: present
+
+- name: Set zrepl package hold state
+ ansible.builtin.dpkg_selections:
+ name: zrepl
+ selection: "{{ 'hold' if zrepl_pkg_hold else 'install' }}"
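Review bot: The `when: not zrepl_repo_file.stat.exists` gate on "Install zrepl repo" keys the whole trust setup on zrepl.list alone, so a host where that file exists but /usr/share/keyrings/zrepl-archive-keyring.gpg is missing never re-runs the key download and fingerprint check. Stat the keyring as well and include install.yml when either file is absent, as below. This covers only a missing keyring; picking up a changed fingerprint pin on already-provisioned hosts would need a comparison against the installed key, which the role does not do. Separately, `zrepl_pkg_hold` defaults to true in defaults/main.yml, so held hosts skip zrepl upgrades, security fixes included, and that deserves a comment next to the default.

```yaml
# … unchanged: Install GnuPG, Check if zrepl repo exists …
- name: Check if zrepl keyring exists
  ansible.builtin.stat:
    path: /usr/share/keyrings/zrepl-archive-keyring.gpg
  register: zrepl_keyring_file

- name: Install zrepl repo
  ansible.builtin.include_tasks: install.yml
  when: not zrepl_repo_file.stat.exists or not zrepl_keyring_file.stat.exists
# … unchanged: Install zrepl, Set zrepl package hold state …
```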