Merge pull request #31 from jooola/use_signed_by

Follow Debian third party repository best practices

.gitignore

@@ -0,0 +1 @@
+.venv

.pre-commit-config.yaml

@@ -55,15 +55,15 @@ repos:
         name: Run prettier with docker
         entry: tmknom/prettier:latest -l
         language: docker_image
-        files: "\\.(\
-          css|less|scss\
-          |graphql|gql\
-          |html\
-          |js|jsx\
-          |json\
-          |md|markdown|mdown|mkdn\
-          |mdx\
-          |ts|tsx\
-          |vue\
-          |yaml|yml\
-          )$"
+        files: |
+          (?x)\.(
+            css|less|scss
+            graphql|gql|
+            html|
+            js|jsx|ts|tsx|
+            json|
+            md|markdown|mdown|mkdn|
+            mdx|
+            vue|
+            yaml|yml
+          )$

README.md

@@ -92,6 +92,7 @@ Available variables are listed below, along with default values (see
 mariadb_use_official_repo: false
 mariadb_use_official_repo_url: https://deb.mariadb.org
 mariadb_use_official_repo_version: "10.10"
+mariadb_use_official_repo_format_deb822: false
 ```
 
 You may deploy the MariaDB Server version that comes with your distribution

defaults/main.yml

@@ -7,6 +7,8 @@ ansible_python_interpreter: /usr/bin/python3
 mariadb_use_official_repo: false
 mariadb_use_official_repo_url: https://deb.mariadb.org
 mariadb_use_official_repo_version: 10.6
+# see: https://manpages.debian.org/stable/apt/sources.list.5.en.html#DEB822-STYLE_FORMAT
+mariadb_use_official_repo_format_deb822: false
 
 mariadb_enabled_on_startup: true
 # The following is set to true by default but you may consider setting it to

molecule/default/verify.yml

@@ -77,14 +77,14 @@
       ansible.builtin.shell: |
         mariadb -Bse 'STATUS' | grep "^Server version:"
       register: version
-      when: "{{ lookup('env', 'MARIADB_VERSION') }}"
+      when: lookup('env', 'MARIADB_VERSION')
 
     - name: Check MariaDB version
       ansible.builtin.assert:
         that:
-          - "'{{ lookup('env', 'MARIADB_VERSION') }}' in version.stdout"
+          - lookup('env', 'MARIADB_VERSION') in version.stdout
         msg: "{{ version.stdout }}"
-      when: "{{ lookup('env', 'MARIADB_VERSION') }}"
+      when: lookup('env', 'MARIADB_VERSION')
 
     - name: Check that Innodb engine is enabled (and default)
       ansible.builtin.shell: |

molecule/vagrant/verify.yml

@@ -77,14 +77,14 @@
       ansible.builtin.shell: |
         sudo mariadb -Bse 'STATUS' | grep "^Server version:"
       register: version
-      when: "{{ lookup('env', 'MARIADB_VERSION') }}"
+      when: lookup('env', 'MARIADB_VERSION')
 
     - name: Check MariaDB version
       ansible.builtin.assert:
         that:
-          - "'{{ lookup('env', 'MARIADB_VERSION') }}' in version.stdout"
+          - lookup('env', 'MARIADB_VERSION') in version.stdout
         msg: "{{ version.stdout }}"
-      when: "{{ lookup('env', 'MARIADB_VERSION') }}"
+      when: lookup('env', 'MARIADB_VERSION')
 
     - name: Check that Innodb engine is enabled (and default)
       ansible.builtin.shell: |

tasks/setup_debian.yml

@@ -10,31 +10,65 @@
         state: present
         update_cache: true
 
-    - name: Install mariadb repository key
+    - name: Ensure keyrings dir exists
+      ansible.builtin.file:
+        path: /etc/apt/keyrings
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+
+    - name: Fetch mariadb repository key
       ansible.builtin.get_url:
-        url: "https://mariadb.org/mariadb_release_signing_key.asc"
-        dest: "/etc/apt/trusted.gpg.d/mariadb.asc"
+        url: https://mariadb.org/mariadb_release_signing_key.asc
+        dest: /etc/apt/keyrings/mariadb-keyring.asc
         # //TEMP todo
         # checksum: sha256:http://example.com/path/sha256sum.txt
         owner: root
         group: root
         mode: "0644"
+      register: fetch_repository_key
       # change is always triggered in check mode
       when: not ansible_check_mode
 
-    - name: Determine distribution name (Debian sid pb)
+    - name: Dearmor mariadb repository key
+      ansible.builtin.command: >
+        gpg --dearmor
+        -o /etc/apt/keyrings/mariadb-keyring.gpg
+        /etc/apt/keyrings/mariadb-keyring.asc
+      when: fetch_repository_key is changed
+
+    - name: Determine repo distribution release
       ansible.builtin.set_fact:
-        distribution: "{% if 'n/a' in ansible_distribution_release %}sid{% else %}{{ ansible_distribution_release }}{% endif %}"
+        repo_distribution_release: >-
+          {{ 'sid' if 'n/a' in ansible_distribution_version else ansible_distribution_release }}
 
     - name: Setup mariadb repository sourcelist entry
       ansible.builtin.copy:
         dest: /etc/apt/sources.list.d/mariadb.list
         content: |
           # Ansible managed
-          deb {{ mariadb_use_official_repo_url }}/{{ mariadb_use_official_repo_version }}/{{ ansible_distribution | lower() }} {{ distribution }} main
+          deb [signed-by=/etc/apt/keyrings/mariadb-keyring.gpg] {{ mariadb_use_official_repo_url }}/{{ mariadb_use_official_repo_version }}/{{ ansible_distribution | lower() }} {{ repo_distribution_release }} main
         owner: root
         group: root
         mode: "0644"
+      when: not mariadb_use_official_repo_format_deb822
+
+    - name: Setup mariadb repository sources entry
+      ansible.builtin.copy:
+        dest: /etc/apt/sources.list.d/mariadb.sources
+        content: |
+          # Ansible managed
+          X-Repolib-Name: MariaDB
+          Types: deb
+          URIs: {{ mariadb_use_official_repo_url }}/{{ mariadb_use_official_repo_version }}/{{ ansible_distribution | lower() }}
+          Suites: {{ repo_distribution_release }}
+          Components: main
+          Signed-By: /etc/apt/keyrings/mariadb-keyring.gpg
+        owner: root
+        group: root
+        mode: "0644"
+      when: mariadb_use_official_repo_format_deb822
 
     - name: Prefer MariaDB repo over Debian repo
       ansible.builtin.copy: