secure_apt role was added

Signed-off-by: kogeler <[email protected]>

Author: kogeler

.gitignore

@@ -1,12 +1,9 @@
 .*.swp
-.terraform
-plan.out
-*.tfstate.backup
 /*json
 /*key
 *private.key
 *service-account-key.json
 *.private_key_encrypted
-.idea
 /ansible/collections
-venv
+venv
+.idea

README.md

@@ -1,4 +1,4 @@
-# Ansible Collection - paritytech.chain_operations
+# Ansible Collection - paritytech.chain
 
 ## Install Ansible collections
 
@@ -7,7 +7,15 @@ Create `requirements.yml` file in your playbook repository (or add to the existi
 collections:
   - name: https://github.com/paritytech/ansible-galaxy.git
     type: git
-    version: main
+    version: 1.6.2
+```
+
+or
+
+```yaml
+collections:
+  - name: paritytech.chain
+    version: 1.6.2
 ```
 
 If you want to install collections in the project space, you have to run:
@@ -24,4 +32,9 @@ ansible-galaxy collection install -f -r requirements.yml
 
 ## Roles
 
-Node role - [README](./roles/node/README.md) 
+* key_inject - [README](./roles/key_inject/README.md)
+* node - [README](./roles/node/README.md)
+* node_backup - [README](./roles/node_backup/README.md)
+* secure_apt - [README](./roles/secure_apt/README.md)
+* state_exporter - [README](./roles/state_exporter/README.md)
+* ws_health_exporter - [README](./roles/ws_health_exporter/README.md)

galaxy.yml

@@ -8,15 +8,15 @@ namespace: paritytech
 name: chain
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 1.6.0
+version: 1.6.2
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
 
 # A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
 # @nicks:irc/im.site#channel'
 authors:
-- Devops Team <[email protected]>
+  - Devops Team <[email protected]>
 
 ### OPTIONAL but strongly recommended
 # A short summary description of the collection
@@ -25,7 +25,7 @@ description: parity chain operations
 # Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
 # accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'
 license:
-- GPL-2.0-or-later
+  - GPL-2.0-or-later
 
 # The path to the license file for the collection. This path is relative to the root of the collection. This key is
 # mutually exclusive with 'license'
@@ -42,20 +42,19 @@ tags: []
 dependencies: {}
 
 # The URL of the originating SCM repository
-repository: "https://github.com/paritytech/ansible-galaxy.git"
+repository: https://github.com/paritytech/ansible-galaxy.git
 
 # The URL to any online docs
-documentation: http://docs.example.com
+documentation: https://github.com/paritytech/ansible-galaxy
 
 # The URL to the homepage of the collection/project
-homepage: http://example.com
+homepage: https://parity.io
 
 # The URL to the collection issue tracker
-issues: http://example.com/issue/tracker
+issues: https://github.com/paritytech/ansible-galaxy/issues
 
 # A list of file glob-like patterns used to filter any files or directories that should not be included in the build
 # artifact. A pattern is matched from the relative path of the file or directory of the collection directory. This
 # uses 'fnmatch' to match the files or directories. Some directories and files like 'galaxy.yml', '*.pyc', '*.retry',
 # and '.git' are always filtered
 build_ignore: []
-

roles/secure_apt/README.md

@@ -0,0 +1,20 @@
+Role Name
+=========
+
+A role to apply an APT repository + key securely as the apt_key Ansible module is deprecated
+
+Requirements
+--------------
+
+* You have to be able to use `become`
+
+Example Playbook
+----------------
+
+  - hosts: servers  
+    roles:
+      - paritytech.common.secure_apt  
+    vars:
+      secure_apt_key: B53DC80D13EDEF05  
+      secure_apt_repositories:
+        - https://packages.cloud.google.com/apt cloud-sdk-{{ ansible_distribution_release }} main

roles/secure_apt/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+secure_apt_keyserver: keyserver.ubuntu.com
+
+secure_apt_key: ""
+
+secure_apt_repositories: []
+
+secure_apt_update_cache: true

roles/secure_apt/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+
+- name: Create custom keyring directory
+  ansible.builtin.file:
+    path: "{{ _secure_apt_keyring_folder }}"
+    state: directory
+    mode: 0755
+
+- name: Add APT key
+  ansible.builtin.apt_key:
+    id: "{{ secure_apt_key }}"
+    keyring: "{{ _secure_apt_keyring_folder }}/{{ secure_apt_key }}.gpg"
+    keyserver: "{{ secure_apt_keyserver }}"
+  # Causes a fatal error in check mode due to apt-key + grep
+  # more info: https://github.com/ansible/ansible/issues/28820
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Set restrictive permissions for key file
+  ansible.builtin.file:
+    path: "{{ _secure_apt_keyring_folder }}/{{ secure_apt_key }}.gpg"
+    mode: 0444
+  # Causes a fatal error in check mode
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Add APT repository
+  ansible.builtin.apt_repository:
+    repo: "deb [arch=amd64 signed-by={{ _secure_apt_keyring_folder }}/{{ secure_apt_key }}.gpg] {{ item }}"
+    update_cache: "{{ secure_apt_update_cache }}"
+  loop: "{{ secure_apt_repositories }}"

roles/secure_apt/vars/main.yml

@@ -0,0 +1,2 @@
+---
+_secure_apt_keyring_folder: /usr/local/share/keyring