roles/common: update tarsnap task

Update tarsnap task to use apt signed-by for package signing keys instead of adding keys directly to apt-key.
2023-08-23 21:18:27 +03:00 · 2023-08-23 21:18:27 +03:00 · 51c95e5d4c
commit 51c95e5d4c
parent 8dbec29d2a
1 changed files with 24 additions and 8 deletions
--- a/roles/common/tasks/tarsnap.yml
+++ b/roles/common/tasks/tarsnap.yml
@ -1,18 +1,34 @@
 ---
- name: Add Tarsnap apt mirror
-  ansible.builtin.template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644
+- name: Check tarsnap apt signing key
+  ansible.builtin.stat:
+    path: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
+  register: tarsnap_signing_key_stat
+
+- name: Download tarsnap apt signing key
+  ansible.builtin.get_url:
+    url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
+    dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
+    owner: root
+    group: root
+    mode: 0644
+  register: download_tarsnap_signing_key
+  when: not tarsnap_signing_key_stat.stat.exists
+
+- name: Add tarsnap.org repo
+  ansible.builtin.template:
+    src: tarsnap_sources.list.j2
+    dest: /etc/apt/sources.list.d/tarsnap.list
+    owner: root
+    group: root
+    mode: 0644
  register: add_tarsnap_apt_repository
  when: ansible_architecture != 'armv7l'

- name: Add GPG key for Tarsnap
-  ansible.builtin.apt_key: id=0xF608BA1BFB5CE8F8CAB088359F084BEE7F938A76 url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
-  register: add_tarsnap_apt_key
-
 - name: Update apt cache
-  ansible.builtin.apt:
+  ansible.builtin.apt: # noqa no-handler
    update_cache: true
  when:
-    add_tarsnap_apt_key is changed or
+    (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or
    add_tarsnap_apt_repository is changed

 - name: Install tarsnap