Default variable details
Some of debops.keyring default variables have more extensive configuration
than simple strings or lists, here you can find documentation and examples for
them.
keyring__dependent_apt_auth_files
The keyring__dependent_apt_auth_files list can be used to create and
manage /etc/apt/auth.conf.d/ configuration files which caontain
authentication credentials required by specific APT repositories. The format
and more details about these files can be found in apt_auth.conf(5)
manual page. The debops.reprepro role can be used to create APT
repositories that require authentication.
This functionality is also available in the debops.apt role for use via the Ansible inventory. See apt__auth_files for more details.
Examples
Provide credentials for a private APT repository, with password stored in the
secret/ directory managed by the debops.secret role. The APT
repository is managed by the debops.reprepro role which uses the
debops.nginx role to manage the authentication credentials.
keyring__dependent_apt_auth_files:
- name: 'private_repo'
machine: 'https://repo.example.org/debian'
login: 'username'
password: '{{ lookup("password", secret + "/credentials/repo"
+ "/nginx/htpasswd"
+ "/apt_access/username") }}'
Syntax
THe variables are defined as a list of YAML dictionaries .Each configuration
entry defines a separate file in the /etc/apt/auth.conf.d/ directory.
The state and contents of the file are specified using specific parameters:
nameRequired. Name of the configuration file with authentication credentials, can contain
.confsuffix which will be stripped. Entries with the samenameparameter are merged together using Universal Configuration and can affect each other in order of appearance.machineRequired. The URL of the APT repository that requires the following credentials.
loginRequired. The username expected by the APT repository during HTTP Basic Authentication.
passwordRequired. The password expected by the APT repository during HTTP Basic Authentication. It can be stored in the
secret/directory and retrieved from there if needed.stateOptional. If not defined or
present, a given configuration file will created on the host. Ifabsent, a given configuration file will be removed from the host. Ifignore, a given entry will not be evaluated during role execution.commentOptional. String or YAML text block with additional comments included in the generated configuration file.
keyring__dependent_apt_keys
This variable defines a list of GPG keys which should be present (or absent) in the host's APT keyring, used to verify signatures of the Debian/Ubuntu package lists. It is meant to be used by other Ansible roles via the role-dependent variables.
Examples
Using the debops.nginx role, ensure that the nginx.org upstream APT
key is present in the APT keyring. If the key is not available in the local
key store, it will be downloaded from the keyserver specified in the
keyring__keyserver variable:
# Role: debops.nginx/defaults/main.yml
nginx__keyring__dependent_apt_keys:
- id: '573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62'
keyring: 'nginx.asc'
# Playbook: nginx.yml
- hosts: [ 'debops_service_nginx' ]
roles:
- role: debops.keyring
keyring__dependent_apt_keys:
- '{{ nginx__keyring__dependent_apt_keys }}'
- role: debops.nginx
Using the debops.nginx role, ensure that the nginx.org upstream APT
key is present in the APT keyring, if support for upstream version of
nginx is enabled. If the key is not available in the local key
store, it will be downloaded from the specified URL. Additionally, ensure that
the APT repository configuration is present and the cache is updated. The
playbook is the same as in the previous example:
# Role: debops.nginx/defaults/main.yml
nginx__upstream: True
nginx__keyring__dependent_apt_keys:
- id: '573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62'
keyring: 'nginx.asc'
url: 'https://nginx.org/keys/nginx_signing.key'
repo: 'deb http://nginx.org/packages/debian {{ ansible_distribution_release }} nginx'
state: '{{ "present" if nginx__upstream | bool else "absent" }}'
Also with the debops.nginx role, install the APT GPG key in a separate
keyring and tell APT to use this key only for Nginx official packages. The APT
repository configuration will be stored in the
/etc/apt/sources.list.d/nginx-upstream.list' configuration file (note
the `>`` YAML block marker, which will fold the repository string to a single
line):
nginx__keyring__dependent_apt_keys:
- id: '573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62'
url: 'https://nginx.org/keys/nginx_signing.key'
keyring: '/usr/share/keyring/nginx-archive-keyring.gpg'
repo: >
deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg]
http://nginx.org/packages/debian {{ ansible_distribution_release }} nginx
filename: 'nginx-upstream'
state: '{{ "present" if nginx__upstream | bool else "absent" }}'
There are many more real-world examples available in various DebOps roles. To find them, you can run the command in the DebOps monorepo root directory:
git grep '__keyring__dependent_apt_keys:' ansible/roles
Syntax
The value of the keyring__dependent_apt_keys variable is a YAML list.
Each list entry can be a string which represents the GPG key ID which will be
imported either from the local storage, or from the configured GPG keyserver.
Alternatively, list entry can be a YAML dictionary which allows a more
fine-grained control over the state of the GPG key and its source.
The role can manage repository keys directly (default) in the
/etc/apt/keyrings/ directory, or using the deprecated
ansible.builtin.apt_key module (disabled by default).
The YAML dictionaries are defined using specific parameters:
idThe GPG key fingerprint which is defined by this entry. It can be specified with spaces, which will be automatically removed when necessary. This parameter is not required if the
repoparameter is specified.apt_keyOptional, boolean. If not specified or
False, the role will manage the specified keys itself directly. IfTrue, the Ansible module will be used instead.dataOptional. The contents of the GPG key specified as a YAML text block (the key should be armored). If not specified, and the GPG key is found in the configured local key store, the role will try to lookup the key data from the file. If the key is not available in the local key store, the role will try to use the configured GPG keyserver to retrieve it, unless
urlorkeybaseparameters are specified.urlOptional. The URL where a given GPG key can be found. The
idparameter still needs to be specified for theapt_keyAnsible module to work as expected. If theurlparameter is not specified, and the key has not been found in a local keyring or is not specified directly, the role will try and download the specified GPG key from the Ubuntu keyserver (https://keyserver.ubuntu.com/) using its API.keybaseOptional. The name of the Keybase profile which should be used to lookup the key using the Keybase API. If the
urlparameter is specified, it will override thekeybaseparameter.keyringOptional. Absolute path for the keyring where the GPG key should be stored. If omitted, the key will be stored in the system-wide keyring (
/etc/apt/trusted.gpg).keyserverOptional. Override the default GPG keyserver URL specified in the
keyring__keyservervariable.stateOptional. If not specified or
present, the GPG key will be added to the APT keyring. Ifabsent, the key will be removed from the APT keyring. The same state will be applied to the APT repository, if therepoparameter is specified.repoThe sources.list(5) entry which defines an APT repository. This parameter can be specified with the GPG key id of the APT repository, or as standalone, to more efficiently configure APT (for example if multiple GPG keys are configured at once).
extrepoOptional. Specify the name of the APT source configured by the extrepo external repository manager (see debops.extrepo for more details). If the specified APT source is already enabled, the debops.keyring role will skip APT-related tasks (GPG key managemnt, APT repository configuration) to avoid creating duplicate entries.
filenameOptional. The name of the configuration file in the
/etc/sources.list.d/directory which will be used to store the APT repository configuration.
keyring__dependent_gpg_keys
The keyring__dependent_gpg_keys variable can be used to manage GPG
keys on the UNIX accounts. If an account is not defined, the root account
GPG keyring will be used by default. The GPG keys are useful to verify
signatures of the git commits or tags, or other files downloaded
over the network with external GPG signatures.
Examples
Using the debops.yadm Ansible role, prepare the GPG key of the
yadm upstream author to verify his GPG signature on the specific
git tag checked out from the repository, but only when the
installation from upstream is enabled. The GPG key will be added to the
root UNIX account GPG keyring:
# Role: debops.yadm/defaults/main.yml
yadm__upstream_enabled: True
yadm__upstream_gpg_id: '31B9 62F7 CC57...'
yadm__keyring__dependent_gpg_keys:
- id: '{{ yadm__upstream_gpg_id }}'
state: '{{ "present" if yadm__upstream_enabled | bool else "absent" }}'
# Playbook: yadm.yml
- hosts: [ 'debops_service_yadm' ]
roles:
- role: debops.keyring
keyring__dependent_gpg_keys:
- '{{ yadm__keyring__dependent_gpg_keys }}'
- role: debops.yadm
Note
The functionality below will be implemented at a later date.
Extract GPG key ids from the debops.golang configuration and install
them on the UNIX account used by the role to build the docker-registry Go
binary, which is then used by the debops.docker_registry role. The GPG
keys will be used to verify the git tags of the downloaded
repositories:
# Role: debops.docker_registry/defaults/main.yml
docker_registry__golang__dependent_packages:
- name: 'docker-registry'
apt_packages: [ 'docker-registry' ]
upstream: True
gpg: '8C7A 111C 2110 5794 B0E8 A27B F58C 5D0A 4405 ACDB'
git:
- repo: 'https://github.com/docker/distribution'
version: 'v2.7.1'
build_script: |
make clean binaries
binaries:
- src: 'github.com/docker/distribution/bin/registry'
dest: 'docker-registry'
notify: [ 'Restart docker-registry' ]
# Role: debops.golang/defaults/main.yml
golang__user: '_golang'
golang__group: '_golang'
golang__home: '/var/local/_golang'
golang__combined_packages: '{{ golang__dependent_packages | d([]) }}'
golang__keyring__dependent_gpg_user: '{{ golang__user }}'
golang__keyring__dependent_gpg_keys:
- user: '{{ golang__user }}'
group: '{{ golang__group }}'
home: '{{ golang__home }}'
- '{{ golang__combined_packages | debops.debops.parse_kv_items
| selectattr("gpg", "defined") | selectattr("state", "equalto", "present")
| map(attribute="gpg") | list }}'
# Playbook: docker_registry.yml
- hosts: [ 'debops_service_docker_registry' ]
roles:
- role: debops.keyring
keyring__dependent_gpg_user: '{{ golang__keyring__dependent_gpg_user }}'
keyring__dependent_gpg_keys:
- '{{ golang__keyring__dependent_gpg_keys }}'
- role: debops.golang
golang__dependent_packages:
- '{{ docker_registry__golang__dependent_packages }}'
- role: debops.docker_registry
There are many more real-world examples available in various DebOps roles. To find them, you can run the command in the DebOps monorepo root directory:
git grep '__keyring__dependent_gpg_keys:' ansible/roles
Syntax
The value of the keyring__dependent_gpg_keys variable is a YAML list.
Each list entry can be a string which represents the GPG key ID which will be
imported either from the local storage, or from the configured GPG keyserver.
Alternatively, list entry can be a YAML dictionary which allows a more
fine-grained control over the state of the GPG key and its source.
The YAML dictionaries are defined using specific parameters:
idThe GPG key fingerprint which is defined by this entry. It can be specified with spaces, which will be automatically removed when necessary. This parameter is not required if the
userparameter is specified.dataOptional. The contents of the GPG key specified as a YAML text block (the key should be armored). If not specified, and the GPG key is found in the configured local key store, the role will try to lookup the key data from the file. If the key is not available in the local key store, the role will try to use the configured GPG keyserver to retrieve it, unless
urlorkeybaseparameters are specified.urlOptional. The URL where a given GPG key can be found.
keybaseOptional. The name of the Keybase profile which should be used to lookup the key using the Keybase API. If the
urlparameter is specified, it will override thekeybaseparameter.keyserverOptional. Override the default GPG keyserver URL specified in the
keyring__keyservervariable.stateOptional. If not specified or
present, the GPG key will be added to the GPG keyring of a specified UNIX account, or therootaccount. Ifabsent, the key will be removed from the GPG keyring. Ifignore, a given configuration entry will not be evaluated by the role.create_userOptional, boolean. If not specified or
True, and theuserparameter is present, the configured UNIX account will be created to allow GPG keyring management. IfFalse, the role will not try to create an UNIX account; this might be useful if the account is already created in non-local user database, like LDAP.userA name of the UNIX account to create by the debops.keyring role, so that its GPG keyring can be correctly created and accessed. If this parameter is specified, you can omit the
idparameter to only create the UNIX account.groupOptional. A name of the primary UNIX group of the created UNIX account. If not specified, the UNIX group will have the same name as the UNIX account.
homeOptional. The absolute path of the home directory of the created UNIX account. If not specified, a home directory will be created in the
/home/directory by default.systemOptional, boolean. If not specified or
True, the created UNIX account and group will be "system" account and group, with UID/GID < 1000. IfFalse, the UNIX account and group will be "normal" account and group, with UID/GID > 1000.