diff --git a/files/icinga.gpg b/files/icinga.gpg
index 4f744c5ef879b141e4e7fd74b1f34505edcd12a9..69c2df4ed81a94ad60a85eeb9f3c82b50554a3d3 100644
Binary files a/files/icinga.gpg and b/files/icinga.gpg differ
diff --git a/meta/argument_specs.yml b/meta/argument_specs.yml
index b3e8fe6423fb8ad896a6797547f9b9b3663774b7..8016159aab101300ce21420c5bc79156022a5bec 100644
--- a/meta/argument_specs.yml
+++ b/meta/argument_specs.yml
@@ -66,19 +66,6 @@ argument_specs:
 elements: str
 required: true
 description: A list of Icinga features that are enabled.
- icinga_gpg_checksum:
- type: str
- required: true
- description: Icinga ASCII armored GPG public key SHA256 checksum.
- icinga_gpg_fingerprints:
- type: list
- elements: str
- required: true
- description: List of GPG fingerprints for the Icinga GPG public key.
- icinga_gpg_url:
- type: str
- required: true
- description: Icinga ASCII armored GPG public key URL.
 icinga_hosts_dir:
 type: str
 required: true
@@ -103,6 +90,10 @@ argument_specs:
 type: str
 required: true
 description: Iptables rule.
+ icinga_legacy_files:
+ type: list
+ required: false
+ description: A list of legacy files that should be absent.
 icinga_local_tmp:
 type: str
 required: true
diff --git a/tasks/apt.yml b/tasks/apt.yml
index 545f62b0c464a814790f800e86750d08ab4d3929..d230d2125c05af5c152dfa55936e84b8c1063b58 100644
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
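Review bot: The new `icinga_legacy_files` spec is declared `type: list` with no `elements: str`, unlike the `icinga_gpg_fingerprints` entry it replaces and `icinga_features` a few lines above, so a malformed item would only surface when `tasks/apt.yml` hands it to `ansible.builtin.file` with `state: absent`. Add `elements: str` under `type: list`, and make the description say what the role does with the entries, since they are removed from the target host: `description: Absolute paths of legacy Icinga apt keyring and sources files that the role removes (state absent).` That wording also tells a caller that overriding the list is a destructive operation rather than a passive setting.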
@@ -17,98 +17,65 @@ pkg: python3-debian state: present - - name: Apt GPG configuration for supported Debian and Ubuntu distros - block: - - - name: "Icinga GPG package present {{ icinga_archive_keyring_deb_url | ansible.builtin.urlsplit('path') | ansible.builtin.regex_replace('^[/]') }}" - ansible.builtin.apt: - deb: "{{ icinga_archive_keyring_deb_url }}" - state: present - - - name: Stat /usr/share/keyrings/icinga-archive-keyring.gpg - ansible.builtin.stat: - path: /usr/share/keyrings/icinga-archive-keyring.gpg - register: icinga_archive_keyring_pub_key - - - name: "The GPG key provided by the Icinga GPG package is required {{ icinga_archive_keyring_deb_url | ansible.builtin.urlsplit('path') | ansible.builtin.regex_replace('^[/]') }}" - ansible.builtin.assert: - that: - - icinga_archive_keyring_pub_key.stat.exists | bool - quiet: "{% if ansible_check_mode or ansible_verbosity >= 1 %}false{% else %}true{% endif %}" - fail_msg: >- - The GPG key provided by {{ icinga_archive_keyring_deb_url }} is required to configure the Icinga apt repo. 
- - - name: Configure the Icinga apt repo when the GPG public key is present - block: + - name: "Icinga GPG package present {{ icinga_archive_keyring_deb_url | ansible.builtin.urlsplit('path') | ansible.builtin.regex_replace('^[/]') }}" + ansible.builtin.apt: + deb: "{{ icinga_archive_keyring_deb_url }}" + state: present + when: ansible_facts.distribution_release in icinga_distros - - name: Stat Icinga repository sources file - ansible.builtin.stat: - path: /etc/apt/sources.list.d/icinga.sources - register: icinga_sources_path + - name: Icinga gpg key present + ansible.builtin.copy: + src: icinga.gpg + dest: /usr/share/keyrings/icinga-archive-keyring.gpg + mode: "0644" + owner: root + group: root + when: ansible_facts.distribution_release not in icinga_distros - - name: Read and backup Icinga repository sources file - block: + - name: Stat /usr/share/keyrings/icinga-archive-keyring.gpg + ansible.builtin.stat: + path: /usr/share/keyrings/icinga-archive-keyring.gpg + register: icinga_archive_keyring_pub_key - - name: Slurp /etc/apt/sources.list.d/icinga.sources - ansible.builtin.slurp: - src: /etc/apt/sources.list.d/icinga.sources - register: icinga_sources_contents_b64encoded + - name: "The GPG key provided by the Icinga GPG package is required {{ icinga_archive_keyring_deb_url | ansible.builtin.urlsplit('path') | ansible.builtin.regex_replace('^[/]') }}" + ansible.builtin.assert: + that: + - icinga_archive_keyring_pub_key.stat.exists | bool + quiet: "{% if ansible_check_mode or ansible_verbosity >= 1 %}false{% else %}true{% endif %}" + fail_msg: >- + The GPG key provided by {{ icinga_archive_keyring_deb_url }} is required to configure the Icinga apt repo. 
- - name: Decode the base64 encoded version of /etc/apt/sources.list.d/icinga.sources - ansible.builtin.set_fact: - icinga_sources_contents: "{{ icinga_sources_contents_b64encoded['content'] | ansible.builtin.b64decode | community.general.jc('ini') }}" + - name: Configure the Icinga apt repo when the GPG public key is present + block: - - name: Print the contents of /etc/apt/sources.list.d/icinga.sources - ansible.builtin.debug: - var: icinga_sources_contents - verbosity: "{% if ansible_check_mode | bool %}0{% else %}1{% endif %}" + - name: Stat Icinga repository sources file + ansible.builtin.stat: + path: /etc/apt/sources.list.d/icinga.sources + register: icinga_sources_path - - name: Set a fact for the prior Icinga repository sources file contents - ansible.builtin.set_fact: - icinga_sources_contents_prior: "{{ icinga_sources_contents }}" - when: icinga_sources_contents is defined + - name: Read and backup Icinga repository sources file + block: - - name: Check Icinga repository sources file present - ansible.builtin.deb822_repository: - allow_downgrade_to_insecure: false - allow_insecure: false - allow_weak: false - architectures: "{{ ansible_facts.ansible_local.dpkg.arch }}" - check_date: true - check_valid_until: true - components: main - enabled: true - name: icinga - pdiffs: true - signed_by: /usr/share/keyrings/icinga-archive-keyring.gpg - suites: "icinga-{{ ansible_facts.distribution_release }}" - types: deb - uris: "https://packages.icinga.com/{{ ansible_facts.distribution | lower }}" - check_mode: true - changed_when: false - register: icinga_sources_check + - name: Slurp /etc/apt/sources.list.d/icinga.sources + ansible.builtin.slurp: + src: /etc/apt/sources.list.d/icinga.sources + register: icinga_sources_contents_b64encoded - - name: Debug proposed icinga_sources_check.repo - ansible.builtin.debug: - var: icinga_sources_check.repo - verbosity: "{% if ansible_check_mode | bool or ansible_diff_mode | bool %}1{% else %}2{% endif %}" + - name: Decode the 
base64 encoded version of /etc/apt/sources.list.d/icinga.sources + ansible.builtin.set_fact: + icinga_sources_contents: "{{ icinga_sources_contents_b64encoded['content'] | ansible.builtin.b64decode | community.general.jc('ini') }}" - - name: Backup old Icinga sources file - ansible.builtin.command: - cmd: >- - mv - /etc/apt/sources.list.d/icinga.sources - /etc/apt/sources.list.d/.icinga.sources.{{ icinga_date_timestamp }}.ansible.save - args: - creates: "/etc/apt/sources.list.d/.icinga.sources.{{ icinga_date_timestamp }}.ansible.save" - removes: /etc/apt/sources.list.d/icinga.sources - vars: - icinga_date_timestamp: "{{ ansible_facts.date_time.iso8601_basic_short }}" - when: icinga_sources_contents_prior != icinga_sources_check.repo | string | community.general.jc('ini') + - name: Print the contents of /etc/apt/sources.list.d/icinga.sources + ansible.builtin.debug: + var: icinga_sources_contents + verbosity: "{% if ansible_check_mode | bool %}0{% else %}1{% endif %}" - when: icinga_sources_path.stat.exists | bool + - name: Set a fact for the prior Icinga repository sources file contents + ansible.builtin.set_fact: + icinga_sources_contents_prior: "{{ icinga_sources_contents }}" + when: icinga_sources_contents is defined - - name: Icinga repository sources file present + - name: Check Icinga repository sources file present ansible.builtin.deb822_repository: allow_downgrade_to_insecure: false allow_insecure: false 
@@ -124,163 +91,61 @@ suites: "icinga-{{ ansible_facts.distribution_release }}" types: deb uris: "https://packages.icinga.com/{{ ansible_facts.distribution | lower }}" - register: icinga_sources - - when: icinga_archive_keyring_pub_key.stat.exists | bool - - - name: Legacy Icinga apt configuration absent - ansible.builtin.file: - path: "{{ icinga_legacy_apt_path }}" - state: absent - loop: - - /etc/apt/keyrings/icinga.gpg - - /etc/apt/sources.list.d/icinga.list - - /usr/local/share/keyrings/icinga-archive-keyring.gpg - - /usr/share/keyrings/icinga.gpg - loop_control: - loop_var: icinga_legacy_apt_path - - when: ansible_facts.distribution_release in icinga_distros - - - name: Apt GPG configuration for unsupported Debian and Ubuntu distros - block: - - - name: EOL Distribution Versions - ansible.builtin.fail: - msg: "TODO see Required Actions for Users of EOL Distribution Versions https://icinga.com/blog/2024/08/26/icinga-package-repository-key-rotation-2024/" - - - name: Legacy Icinga apt configuration absent - ansible.builtin.file: - path: "{{ icinga_legacy_apt_path }}" - state: absent - loop: - - /etc/apt/sources.list.d/icinga.list - - /usr/share/keyrings/icinga.gpg - - /usr/local/share/keyrings/icinga-archive-keyring.gpg - loop_control: - loop_var: icinga_legacy_apt_path - - - name: Apt Keyrings directory present - ansible.builtin.file: - path: /etc/apt/keyrings - state: directory - mode: "0755" - owner: root - group: root - - - name: Icinga gpg ascii armored key present - ansible.builtin.get_url: - url: "{{ icinga_gpg_url }}" - checksum: "{{ icinga_gpg_checksum }}" - dest: /root/icinga.asc - mode: "0644" - owner: root - group: root - register: icinga_tmp_asc_file - - - name: Stat Icinga2 gpg ascii armored file - ansible.builtin.stat: - path: /root/icinga.asc - register: icinga_asc_file - - - name: Check gpg key when it exists - block: - - - name: Stat Icinga gpg dearmored file - ansible.builtin.stat: - path: /etc/apt/keyrings/icinga.gpg - register: 
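Review bot: The new copy path for releases not in `icinga_distros` installs the checked-in `files/icinga.gpg` as `/usr/share/keyrings/icinga-archive-keyring.gpg` without any check of which key it contains, whereas the code it replaces verified `icinga_gpg_checksum` on download and asserted every `icinga_gpg_fingerprints` entry before the key was trusted; the following `stat` and `assert` only prove that some file exists, and the `fail_msg` still names the `.deb` URL even when the key came from `copy`. A binary keyring committed to the role (and changed in this same commit) is exactly the artefact a supply-chain change would target, so I would keep the fingerprint list in `vars/main.yml` and, after the copy task, read the installed keyring and assert the expected fingerprints are present, gated on the same `not in icinga_distros` condition. Because EOL releases are the ones likely to ship a gpg older than 2.2.12, the removed `--with-fingerprint --with-subkey-fingerprint` fallback keyed on `ansible_facts.ansible_local.gpg.version` should come back with it. At minimum the `fail_msg` should say the key can come from either the keyring package or `files/icinga.gpg`.

```yaml
- name: Icinga gpg key present
  ansible.builtin.copy:
    # … unchanged: src/dest/mode/owner/group …
  when: ansible_facts.distribution_release not in icinga_distros

- name: Read the fingerprints in the installed Icinga keyring
  ansible.builtin.command: >
    gpg --with-colons
    {% if ansible_facts.ansible_local.gpg.version is version('2.2.12', '<') %}
    --with-fingerprint --with-subkey-fingerprint
    {% else %}
    --show-keys
    {% endif %}
    /usr/share/keyrings/icinga-archive-keyring.gpg
  check_mode: false
  changed_when: false
  register: icinga_installed_keyring
  when: ansible_facts.distribution_release not in icinga_distros

- name: Installed Icinga keyring carries the expected fingerprints
  ansible.builtin.assert:
    that:
      - icinga_fpr in icinga_installed_keyring.stdout
    fail_msg: "Fingerprint {{ icinga_fpr }} not found in /usr/share/keyrings/icinga-archive-keyring.gpg copied from files/icinga.gpg"
  loop: "{{ icinga_gpg_fingerprints }}"
  loop_control:
    loop_var: icinga_fpr
  when: ansible_facts.distribution_release not in icinga_distros

# … unchanged: stat of the keyring and the existing assert …
```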
icinga_gpg_file - - - name: Icinga gpg key dearmored - ansible.builtin.shell: |- - set -e -o pipefail - gpg --dearmor < /root/icinga.asc > /etc/apt/keyrings/icinga.gpg - chmod 644 /etc/apt/keyrings/icinga.gpg - args: - executable: "{{ ansible_facts.ansible_local.bash.path }}" - when: ( icinga_tmp_asc_file.changed | bool ) or ( not icinga_gpg_file.stat.exists | bool ) - - - name: Stat Icinga gpg dearmored file - ansible.builtin.stat: - path: /etc/apt/keyrings/icinga.gpg - register: icinga_gpg_file - - - name: Debug disto - ansible.builtin.debug: - var: ansible_facts.distribution - verbosity: 2 - - - name: Debug disto version - ansible.builtin.debug: - var: ansible_facts.distribution_version - verbosity: 2 - - - name: Icinga gpg key check command - ansible.builtin.command: > - gpg --with-colons - {% if ansible_facts.ansible_local.gpg.version is version('2.2.12', '<') %} - --with-fingerprint --with-subkey-fingerprint - {% else %} - --show-keys - {% endif %} - /etc/apt/keyrings/icinga.gpg - when: ( icinga_gpg_file.stat.exists | bool ) - check_mode: false + check_mode: true changed_when: false - register: icinga_gpg - - - name: Icinga gpg key check first fingerprint on Debian 10 and older - ansible.builtin.assert: - that: - - icinga_fpr in icinga_gpg.stdout - quiet: "{% if ansible_verbosity == 0 %}true{% else %}false{% endif %}" - when: - - ansible_loop.first | bool - - ansible_facts.distribution == "Debian" - - ansible_facts.distribution_version is version('10', '<') - loop: "{{ icinga_gpg_fingerprints }}" - loop_control: - extended: true - loop_var: icinga_fpr + register: icinga_sources_check - - name: Icinga gpg key check first fingerprint on Ubuntu 18.04 and older - ansible.builtin.assert: - that: - - icinga_fpr in icinga_gpg.stdout - quiet: "{% if ansible_verbosity == 0 %}true{% else %}false{% endif %}" - when: - - ansible_loop.first | bool - - ansible_facts.distribution == "Ubuntu" - - ansible_facts.distribution_version is version('18.04', '<=') - loop: "{{ 
icinga_gpg_fingerprints }}" - loop_control: - extended: true - loop_var: icinga_fpr - - - name: Icinga gpg key check all fingerprints - ansible.builtin.assert: - that: - - icinga_fpr in icinga_gpg.stdout - quiet: "{% if ansible_verbosity == 0 %}true{% else %}false{% endif %}" - when: > - ( ( ansible_facts.distribution == "Debian" ) and ( ansible_facts.distribution_version is version('10', '>=') ) ) or - ( ( ansible_facts.distribution == "Ubuntu" ) and ( ansible_facts.distribution_version is version('18.04', '>') ) ) - loop: "{{ icinga_gpg_fingerprints }}" - loop_control: - loop_var: icinga_fpr - - when: icinga_asc_file.stat.exists | bool - - - name: Icinga repo apt sources file present - ansible.builtin.template: - src: icinga.sources.j2 - dest: /etc/apt/sources.list.d/icinga.sources - mode: "0644" - owner: root - group: root + - name: Debug proposed icinga_sources_check.repo + ansible.builtin.debug: + var: icinga_sources_check.repo + verbosity: "{% if ansible_check_mode | bool or ansible_diff_mode | bool %}1{% else %}2{% endif %}" + + - name: Backup old Icinga sources file + ansible.builtin.command: + cmd: >- + mv + /etc/apt/sources.list.d/icinga.sources + /etc/apt/sources.list.d/.icinga.sources.{{ icinga_date_timestamp }}.ansible.save + args: + creates: "/etc/apt/sources.list.d/.icinga.sources.{{ icinga_date_timestamp }}.ansible.save" + removes: /etc/apt/sources.list.d/icinga.sources + vars: + icinga_date_timestamp: "{{ ansible_facts.date_time.iso8601_basic_short }}" + when: icinga_sources_contents_prior != icinga_sources_check.repo | string | community.general.jc('ini') + + when: icinga_sources_path.stat.exists | bool + + - name: Icinga repository sources file present + ansible.builtin.deb822_repository: + allow_downgrade_to_insecure: false + allow_insecure: false + allow_weak: false + architectures: "{{ ansible_facts.ansible_local.dpkg.arch }}" + check_date: true + check_valid_until: true + components: main + enabled: true + name: icinga + pdiffs: true + 
signed_by: /usr/share/keyrings/icinga-archive-keyring.gpg + suites: "icinga-{{ ansible_facts.distribution_release }}" + types: deb + uris: "https://packages.icinga.com/{{ ansible_facts.distribution | lower }}" register: icinga_sources - when: ansible_facts.distribution_release not in icinga_distros + when: icinga_archive_keyring_pub_key.stat.exists | bool + + - name: Legacy Icinga apt configuration absent + ansible.builtin.file: + path: "{{ icinga_legacy_file }}" + state: absent + loop: "{{ icinga_legacy_files }}" + loop_control: + loop_var: icinga_legacy_file + label: "{{ icinga_legacy_file | ansible.builtin.basename }}" + when: + - icinga_legacy_files is defined + - icinga_legacy_files != [] - name: Icinga apt prefs file present ansible.builtin.template: diff --git a/templates/icinga.sources.j2 b/templates/icinga.sources.j2 deleted file mode 100644 index 047c2aa4ee020f69276f8fdc45fc555eb381f0ec..0000000000000000000000000000000000000000 --- a/templates/icinga.sources.j2 +++ /dev/null @@ -1,10 +0,0 @@ -# {{ ansible_managed }} - -Types: deb -URIs: https://packages.icinga.com/{{ ansible_facts.distribution | lower }} -Suites: icinga-{{ ansible_facts.distribution_release }} -Architectures: {{ ansible_facts.ansible_local.dpkg.arch }} -Components: main -Signed-By: /etc/apt/keyrings/icinga.gpg - -# vim: syntax=debsources diff --git a/vars/main.yml b/vars/main.yml index c8ae682513c54348f028236f90cd2a8b98476a52..114cec6fafcf0bc78aa1314b596eb0a3ce9e3b46 100644 --- a/vars/main.yml +++ b/vars/main.yml 
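Review bot: The hard stop for releases outside `icinga_distros` (`ansible.builtin.fail` with the "EOL Distribution Versions" message pointing at the 2024 key-rotation post) is removed with nothing in its place, so an EOL host now silently gets the Icinga repo configured against a bundled key, and the only remaining gate is `when: icinga_archive_keyring_pub_key.stat.exists | bool`, which checks that a file exists rather than that the release is supported. If the intent is to keep EOL hosts working, make that explicit to the operator with a task before the repo block such as `- name: Warn that this release is not in icinga_distros` / `ansible.builtin.debug:` / `msg: "{{ ansible_facts.distribution_release }} is not a supported Icinga repo target, using the keyring bundled with this role"` gated on `not in icinga_distros`, or document the decision in a comment above the copy task. Separately, the merged `Legacy Icinga apt configuration absent` task now runs for every release, which is fine for the fixed list in `vars/main.yml`, but the `is defined` guard suggests the list is meant to be overridable; if it is, note in a comment that entries are removed unconditionally with `state: absent`. The enclosing block of this hunk starts before the hunk.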
@@ -24,22 +24,16 @@ icinga_distros: # https://packages.icinga.com/ubuntu/README.html icinga_archive_keyring_deb_url: "https://packages.icinga.com/icinga-archive-keyring_latest+{{ ansible_facts.distribution | lower }}{{ ansible_facts.distribution_major_version }}.deb" +# Legacy files to delete +icinga_legacy_files: + - /etc/apt/keyrings/icinga.gpg + - /etc/apt/sources.list.d/icinga.list + - /usr/local/share/keyrings/icinga-archive-keyring.gpg + - /usr/share/keyrings/icinga.gpg + # JMESPath query to check existing IPv4 rule icinga_iptables_ipv4_query: "[?chain == 'INPUT'].rules | [0] | [?source == '{{ icinga_master_node }}'] | [0] | options" -# ASCII armored GPG public key URL linked from -# https://packages.icinga.com/ubuntu/ -icinga_gpg_url: https://packages.icinga.com/icinga.key - -# Get the sha256 checksum using the following command -# wget -q https://packages.icinga.com/icinga.key -O - | sha256sum - | awk '{ print $1 }' | sed 's/^/"sha256:/' | sed 's/$/"/' -icinga_gpg_checksum: "sha256:e2b9301181fcc3cd555323cafbecfcd8764f47e06e14e0128f172c544bbb619f" - -# Get the gpg fingerprints using the following command -# wget -q https://packages.icinga.com/icinga.key -O - | gpg --with-colons --show-keys - | grep ^fpr | sed 's/^fpr//' | sed 's/://g' | sed 's/^/ - /' -icinga_gpg_fingerprints: - - DD3AF6198ED000B4C0B73956CC116F55AA7F2382 - # Packages available will vary between distros, you can get the packages installed from this repo using # aptitude search "?origin (icinga) ?installed" #
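Review bot: With `icinga_gpg_checksum`, `icinga_gpg_fingerprints` and their "how to regenerate" comments removed, nothing in the role records which key `files/icinga.gpg` is expected to contain or how the blob was produced, even though the binary changes in this same commit; the removed comment block was the only such documentation. I would keep a short provenance note next to the new list, e.g. `# files/icinga.gpg is a dearmored copy of https://packages.icinga.com/icinga.key,` / `# regenerate with: wget -q https://packages.icinga.com/icinga.key -O - | gpg --dearmor > files/icinga.gpg`, and retain an `icinga_gpg_fingerprints:` list with the fingerprint(s) of the checked-in keyring so a reviewer can compare the blob against upstream and the apt tasks can assert it. I cannot tell from the diff what the new keyring's fingerprints are, so the values need to come from the key file itself rather than from the removed `DD3AF619…` entry.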