Verified Commit 2bbb8ea0 authored by Chris Croome's avatar Chris Croome

updates for legacy distros

parent 9b415d7c
......@@ -66,19 +66,6 @@ argument_specs:
elements: str
required: true
description: A list of Icinga features that are enabled.
icinga_gpg_checksum:
type: str
required: true
description: Icinga ASCII armored GPG public key SHA256 checksum.
icinga_gpg_fingerprints:
type: list
elements: str
required: true
description: List of GPG fingerprints for the Icinga GPG public key.
icinga_gpg_url:
type: str
required: true
description: Icinga ASCII armored GPG public key URL.
icinga_hosts_dir:
type: str
required: true
......@@ -103,6 +90,10 @@ argument_specs:
type: str
required: true
description: Iptables rule.
icinga_legacy_files:
type: list
required: false
description: A list of legacy files that should be absent.
icinga_local_tmp:
type: str
required: true
......
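Review bot: The new `icinga_legacy_files` spec in the second hunk declares `type: list` with no `elements: str`, unlike the other list specs on this page (the spec that ends at the top of the first hunk and the removed `icinga_gpg_fingerprints`), so a non-string entry would only be caught at run time when the tasks hunk later on this page passes each entry to `ansible.builtin.file` with `state: absent`. Add `elements: str` under `type: list`. Since the role deletes whatever is listed, the description should say so plainly, e.g. `description: A list of absolute paths to legacy Icinga apt keyring and sources files that the role removes.`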
......@@ -17,98 +17,65 @@
pkg: python3-debian
state: present
- name: Apt GPG configuration for supported Debian and Ubuntu distros
block:
- name: "Icinga GPG package present {{ icinga_archive_keyring_deb_url | ansible.builtin.urlsplit('path') | ansible.builtin.regex_replace('^[/]') }}"
ansible.builtin.apt:
deb: "{{ icinga_archive_keyring_deb_url }}"
state: present
- name: Stat /usr/share/keyrings/icinga-archive-keyring.gpg
ansible.builtin.stat:
path: /usr/share/keyrings/icinga-archive-keyring.gpg
register: icinga_archive_keyring_pub_key
- name: "The GPG key provided by the Icinga GPG package is required {{ icinga_archive_keyring_deb_url | ansible.builtin.urlsplit('path') | ansible.builtin.regex_replace('^[/]') }}"
ansible.builtin.assert:
that:
- icinga_archive_keyring_pub_key.stat.exists | bool
quiet: "{% if ansible_check_mode or ansible_verbosity >= 1 %}false{% else %}true{% endif %}"
fail_msg: >-
The GPG key provided by {{ icinga_archive_keyring_deb_url }} is required to configure the Icinga apt repo.
- name: Configure the Icinga apt repo when the GPG public key is present
block:
- name: "Icinga GPG package present {{ icinga_archive_keyring_deb_url | ansible.builtin.urlsplit('path') | ansible.builtin.regex_replace('^[/]') }}"
ansible.builtin.apt:
deb: "{{ icinga_archive_keyring_deb_url }}"
state: present
when: ansible_facts.distribution_release in icinga_distros
- name: Stat Icinga repository sources file
ansible.builtin.stat:
path: /etc/apt/sources.list.d/icinga.sources
register: icinga_sources_path
- name: Icinga gpg key present
ansible.builtin.copy:
src: icinga.gpg
dest: /usr/share/keyrings/icinga-archive-keyring.gpg
mode: "0644"
owner: root
group: root
when: ansible_facts.distribution_release not in icinga_distros
- name: Read and backup Icinga repository sources file
block:
- name: Stat /usr/share/keyrings/icinga-archive-keyring.gpg
ansible.builtin.stat:
path: /usr/share/keyrings/icinga-archive-keyring.gpg
register: icinga_archive_keyring_pub_key
- name: Slurp /etc/apt/sources.list.d/icinga.sources
ansible.builtin.slurp:
src: /etc/apt/sources.list.d/icinga.sources
register: icinga_sources_contents_b64encoded
- name: "The GPG key provided by the Icinga GPG package is required {{ icinga_archive_keyring_deb_url | ansible.builtin.urlsplit('path') | ansible.builtin.regex_replace('^[/]') }}"
ansible.builtin.assert:
that:
- icinga_archive_keyring_pub_key.stat.exists | bool
quiet: "{% if ansible_check_mode or ansible_verbosity >= 1 %}false{% else %}true{% endif %}"
fail_msg: >-
The GPG key provided by {{ icinga_archive_keyring_deb_url }} is required to configure the Icinga apt repo.
- name: Decode the base64 encoded version of /etc/apt/sources.list.d/icinga.sources
ansible.builtin.set_fact:
icinga_sources_contents: "{{ icinga_sources_contents_b64encoded['content'] | ansible.builtin.b64decode | community.general.jc('ini') }}"
- name: Configure the Icinga apt repo when the GPG public key is present
block:
- name: Print the contents of /etc/apt/sources.list.d/icinga.sources
ansible.builtin.debug:
var: icinga_sources_contents
verbosity: "{% if ansible_check_mode | bool %}0{% else %}1{% endif %}"
- name: Stat Icinga repository sources file
ansible.builtin.stat:
path: /etc/apt/sources.list.d/icinga.sources
register: icinga_sources_path
- name: Set a fact for the prior Icinga repository sources file contents
ansible.builtin.set_fact:
icinga_sources_contents_prior: "{{ icinga_sources_contents }}"
when: icinga_sources_contents is defined
- name: Read and backup Icinga repository sources file
block:
- name: Check Icinga repository sources file present
ansible.builtin.deb822_repository:
allow_downgrade_to_insecure: false
allow_insecure: false
allow_weak: false
architectures: "{{ ansible_facts.ansible_local.dpkg.arch }}"
check_date: true
check_valid_until: true
components: main
enabled: true
name: icinga
pdiffs: true
signed_by: /usr/share/keyrings/icinga-archive-keyring.gpg
suites: "icinga-{{ ansible_facts.distribution_release }}"
types: deb
uris: "https://packages.icinga.com/{{ ansible_facts.distribution | lower }}"
check_mode: true
changed_when: false
register: icinga_sources_check
- name: Slurp /etc/apt/sources.list.d/icinga.sources
ansible.builtin.slurp:
src: /etc/apt/sources.list.d/icinga.sources
register: icinga_sources_contents_b64encoded
- name: Debug proposed icinga_sources_check.repo
ansible.builtin.debug:
var: icinga_sources_check.repo
verbosity: "{% if ansible_check_mode | bool or ansible_diff_mode | bool %}1{% else %}2{% endif %}"
- name: Decode the base64 encoded version of /etc/apt/sources.list.d/icinga.sources
ansible.builtin.set_fact:
icinga_sources_contents: "{{ icinga_sources_contents_b64encoded['content'] | ansible.builtin.b64decode | community.general.jc('ini') }}"
- name: Backup old Icinga sources file
ansible.builtin.command:
cmd: >-
mv
/etc/apt/sources.list.d/icinga.sources
/etc/apt/sources.list.d/.icinga.sources.{{ icinga_date_timestamp }}.ansible.save
args:
creates: "/etc/apt/sources.list.d/.icinga.sources.{{ icinga_date_timestamp }}.ansible.save"
removes: /etc/apt/sources.list.d/icinga.sources
vars:
icinga_date_timestamp: "{{ ansible_facts.date_time.iso8601_basic_short }}"
when: icinga_sources_contents_prior != icinga_sources_check.repo | string | community.general.jc('ini')
- name: Print the contents of /etc/apt/sources.list.d/icinga.sources
ansible.builtin.debug:
var: icinga_sources_contents
verbosity: "{% if ansible_check_mode | bool %}0{% else %}1{% endif %}"
when: icinga_sources_path.stat.exists | bool
- name: Set a fact for the prior Icinga repository sources file contents
ansible.builtin.set_fact:
icinga_sources_contents_prior: "{{ icinga_sources_contents }}"
when: icinga_sources_contents is defined
- name: Icinga repository sources file present
- name: Check Icinga repository sources file present
ansible.builtin.deb822_repository:
allow_downgrade_to_insecure: false
allow_insecure: false
......@@ -124,163 +91,61 @@
suites: "icinga-{{ ansible_facts.distribution_release }}"
types: deb
uris: "https://packages.icinga.com/{{ ansible_facts.distribution | lower }}"
register: icinga_sources
when: icinga_archive_keyring_pub_key.stat.exists | bool
- name: Legacy Icinga apt configuration absent
ansible.builtin.file:
path: "{{ icinga_legacy_apt_path }}"
state: absent
loop:
- /etc/apt/keyrings/icinga.gpg
- /etc/apt/sources.list.d/icinga.list
- /usr/local/share/keyrings/icinga-archive-keyring.gpg
- /usr/share/keyrings/icinga.gpg
loop_control:
loop_var: icinga_legacy_apt_path
when: ansible_facts.distribution_release in icinga_distros
- name: Apt GPG configuration for unsupported Debian and Ubuntu distros
block:
- name: EOL Distribution Versions
ansible.builtin.fail:
msg: "TODO see Required Actions for Users of EOL Distribution Versions https://icinga.com/blog/2024/08/26/icinga-package-repository-key-rotation-2024/"
- name: Legacy Icinga apt configuration absent
ansible.builtin.file:
path: "{{ icinga_legacy_apt_path }}"
state: absent
loop:
- /etc/apt/sources.list.d/icinga.list
- /usr/share/keyrings/icinga.gpg
- /usr/local/share/keyrings/icinga-archive-keyring.gpg
loop_control:
loop_var: icinga_legacy_apt_path
- name: Apt Keyrings directory present
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
mode: "0755"
owner: root
group: root
- name: Icinga gpg ascii armored key present
ansible.builtin.get_url:
url: "{{ icinga_gpg_url }}"
checksum: "{{ icinga_gpg_checksum }}"
dest: /root/icinga.asc
mode: "0644"
owner: root
group: root
register: icinga_tmp_asc_file
- name: Stat Icinga2 gpg ascii armored file
ansible.builtin.stat:
path: /root/icinga.asc
register: icinga_asc_file
- name: Check gpg key when it exists
block:
- name: Stat Icinga gpg dearmored file
ansible.builtin.stat:
path: /etc/apt/keyrings/icinga.gpg
register: icinga_gpg_file
- name: Icinga gpg key dearmored
ansible.builtin.shell: |-
set -e -o pipefail
gpg --dearmor < /root/icinga.asc > /etc/apt/keyrings/icinga.gpg
chmod 644 /etc/apt/keyrings/icinga.gpg
args:
executable: "{{ ansible_facts.ansible_local.bash.path }}"
when: ( icinga_tmp_asc_file.changed | bool ) or ( not icinga_gpg_file.stat.exists | bool )
- name: Stat Icinga gpg dearmored file
ansible.builtin.stat:
path: /etc/apt/keyrings/icinga.gpg
register: icinga_gpg_file
- name: Debug disto
ansible.builtin.debug:
var: ansible_facts.distribution
verbosity: 2
- name: Debug disto version
ansible.builtin.debug:
var: ansible_facts.distribution_version
verbosity: 2
- name: Icinga gpg key check command
ansible.builtin.command: >
gpg --with-colons
{% if ansible_facts.ansible_local.gpg.version is version('2.2.12', '<') %}
--with-fingerprint --with-subkey-fingerprint
{% else %}
--show-keys
{% endif %}
/etc/apt/keyrings/icinga.gpg
when: ( icinga_gpg_file.stat.exists | bool )
check_mode: false
check_mode: true
changed_when: false
register: icinga_gpg
- name: Icinga gpg key check first fingerprint on Debian 10 and older
ansible.builtin.assert:
that:
- icinga_fpr in icinga_gpg.stdout
quiet: "{% if ansible_verbosity == 0 %}true{% else %}false{% endif %}"
when:
- ansible_loop.first | bool
- ansible_facts.distribution == "Debian"
- ansible_facts.distribution_version is version('10', '<')
loop: "{{ icinga_gpg_fingerprints }}"
loop_control:
extended: true
loop_var: icinga_fpr
register: icinga_sources_check
- name: Icinga gpg key check first fingerprint on Ubuntu 18.04 and older
ansible.builtin.assert:
that:
- icinga_fpr in icinga_gpg.stdout
quiet: "{% if ansible_verbosity == 0 %}true{% else %}false{% endif %}"
when:
- ansible_loop.first | bool
- ansible_facts.distribution == "Ubuntu"
- ansible_facts.distribution_version is version('18.04', '<=')
loop: "{{ icinga_gpg_fingerprints }}"
loop_control:
extended: true
loop_var: icinga_fpr
- name: Icinga gpg key check all fingerprints
ansible.builtin.assert:
that:
- icinga_fpr in icinga_gpg.stdout
quiet: "{% if ansible_verbosity == 0 %}true{% else %}false{% endif %}"
when: >
( ( ansible_facts.distribution == "Debian" ) and ( ansible_facts.distribution_version is version('10', '>=') ) ) or
( ( ansible_facts.distribution == "Ubuntu" ) and ( ansible_facts.distribution_version is version('18.04', '>') ) )
loop: "{{ icinga_gpg_fingerprints }}"
loop_control:
loop_var: icinga_fpr
when: icinga_asc_file.stat.exists | bool
- name: Icinga repo apt sources file present
ansible.builtin.template:
src: icinga.sources.j2
dest: /etc/apt/sources.list.d/icinga.sources
mode: "0644"
owner: root
group: root
- name: Debug proposed icinga_sources_check.repo
ansible.builtin.debug:
var: icinga_sources_check.repo
verbosity: "{% if ansible_check_mode | bool or ansible_diff_mode | bool %}1{% else %}2{% endif %}"
- name: Backup old Icinga sources file
ansible.builtin.command:
cmd: >-
mv
/etc/apt/sources.list.d/icinga.sources
/etc/apt/sources.list.d/.icinga.sources.{{ icinga_date_timestamp }}.ansible.save
args:
creates: "/etc/apt/sources.list.d/.icinga.sources.{{ icinga_date_timestamp }}.ansible.save"
removes: /etc/apt/sources.list.d/icinga.sources
vars:
icinga_date_timestamp: "{{ ansible_facts.date_time.iso8601_basic_short }}"
when: icinga_sources_contents_prior != icinga_sources_check.repo | string | community.general.jc('ini')
when: icinga_sources_path.stat.exists | bool
- name: Icinga repository sources file present
ansible.builtin.deb822_repository:
allow_downgrade_to_insecure: false
allow_insecure: false
allow_weak: false
architectures: "{{ ansible_facts.ansible_local.dpkg.arch }}"
check_date: true
check_valid_until: true
components: main
enabled: true
name: icinga
pdiffs: true
signed_by: /usr/share/keyrings/icinga-archive-keyring.gpg
suites: "icinga-{{ ansible_facts.distribution_release }}"
types: deb
uris: "https://packages.icinga.com/{{ ansible_facts.distribution | lower }}"
register: icinga_sources
when: ansible_facts.distribution_release not in icinga_distros
when: icinga_archive_keyring_pub_key.stat.exists | bool
- name: Legacy Icinga apt configuration absent
ansible.builtin.file:
path: "{{ icinga_legacy_file }}"
state: absent
loop: "{{ icinga_legacy_files }}"
loop_control:
loop_var: icinga_legacy_file
label: "{{ icinga_legacy_file | ansible.builtin.basename }}"
when:
- icinga_legacy_files is defined
- icinga_legacy_files != []
- name: Icinga apt prefs file present
ansible.builtin.template:
......
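Review bot: The new "Icinga gpg key present" copy task in the first hunk (`src: icinga.gpg` to `/usr/share/keyrings/icinga-archive-keyring.gpg`, conditional on the release not being in `icinga_distros`) installs a role-bundled binary keyring for legacy distros with no runtime check, whereas the removed unsupported-distro block fetched the key with `checksum: "{{ icinga_gpg_checksum }}"` and then asserted every entry of `icinga_gpg_fingerprints` against `gpg --with-colons --show-keys` output. Nothing on the new side records where `icinga.gpg` came from or which fingerprint it is expected to carry, and the defaults hunk drops the comments that documented the download and fingerprint commands, so the key can no longer be audited against the vendor's published fingerprint without leaving the role. I would reinstate the fingerprint assertion against the copied file (keeping the gpg-version branch, since legacy releases are exactly where the older gpg is likely) and restore `icinga_gpg_fingerprints` in defaults and argument_specs with the bundled key's fingerprint — a value I cannot take from this page, and which presumably differs from the previous `DD3AF6198ED000B4C0B73956CC116F55AA7F2382` given the 2024 key rotation the removed fail task linked to. A comment above the copy task naming the source URL and the command used to dearmor it would also help, e.g. `# files/icinga.gpg: dearmored copy of <key URL>; verify with gpg --with-colons --show-keys files/icinga.gpg | grep ^fpr`. The enclosing task list continues past the end of the hunk.

```yaml
# … unchanged: "Icinga gpg key present" copy task …

- name: Icinga gpg key check command
  ansible.builtin.command: >
    gpg --with-colons
    {% if ansible_facts.ansible_local.gpg.version is version('2.2.12', '<') %}
    --with-fingerprint --with-subkey-fingerprint
    {% else %}
    --show-keys
    {% endif %}
    /usr/share/keyrings/icinga-archive-keyring.gpg
  check_mode: false
  changed_when: false
  register: icinga_gpg
  when: ansible_facts.distribution_release not in icinga_distros

- name: Icinga gpg key check all fingerprints
  ansible.builtin.assert:
    that:
      - icinga_fpr in icinga_gpg.stdout
    quiet: "{% if ansible_verbosity == 0 %}true{% else %}false{% endif %}"
  loop: "{{ icinga_gpg_fingerprints }}"
  loop_control:
    loop_var: icinga_fpr
  when: ansible_facts.distribution_release not in icinga_distros

# … unchanged: stat of the keyring, assert, deb822_repository tasks …
```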
# {{ ansible_managed }}
Types: deb
URIs: https://packages.icinga.com/{{ ansible_facts.distribution | lower }}
Suites: icinga-{{ ansible_facts.distribution_release }}
Architectures: {{ ansible_facts.ansible_local.dpkg.arch }}
Components: main
Signed-By: /etc/apt/keyrings/icinga.gpg
# vim: syntax=debsources
......@@ -24,22 +24,16 @@ icinga_distros:
# https://packages.icinga.com/ubuntu/README.html
icinga_archive_keyring_deb_url: "https://packages.icinga.com/icinga-archive-keyring_latest+{{ ansible_facts.distribution | lower }}{{ ansible_facts.distribution_major_version }}.deb"
# Legacy files to delete
icinga_legacy_files:
- /etc/apt/keyrings/icinga.gpg
- /etc/apt/sources.list.d/icinga.list
- /usr/local/share/keyrings/icinga-archive-keyring.gpg
- /usr/share/keyrings/icinga.gpg
# JMESPath query to check existing IPv4 rule
icinga_iptables_ipv4_query: "[?chain == 'INPUT'].rules | [0] | [?source == '{{ icinga_master_node }}'] | [0] | options"
# ASCII armored GPG public key URL linked from
# https://packages.icinga.com/ubuntu/
icinga_gpg_url: https://packages.icinga.com/icinga.key
# Get the sha256 checksum using the following command
# wget -q https://packages.icinga.com/icinga.key -O - | sha256sum - | awk '{ print $1 }' | sed 's/^/"sha256:/' | sed 's/$/"/'
icinga_gpg_checksum: "sha256:e2b9301181fcc3cd555323cafbecfcd8764f47e06e14e0128f172c544bbb619f"
# Get the gpg fingerprints using the following command
# wget -q https://packages.icinga.com/icinga.key -O - | gpg --with-colons --show-keys - | grep ^fpr | sed 's/^fpr//' | sed 's/://g' | sed 's/^/ - /'
icinga_gpg_fingerprints:
- DD3AF6198ED000B4C0B73956CC116F55AA7F2382
# Packages available will vary between distros, you can get the packages installed from this repo using
# aptitude search "?origin (icinga) ?installed"
#
......