Diffstat (limited to 'ansible_collections/community/sops/roles')
-rw-r--r--ansible_collections/community/sops/roles/_install_age/README.md7
-rw-r--r--ansible_collections/community/sops/roles/_install_age/defaults/main.yml7
-rw-r--r--ansible_collections/community/sops/roles/_install_age/meta/main.yml11
-rw-r--r--ansible_collections/community/sops/roles/_install_age/tasks/main.yml64
-rw-r--r--ansible_collections/community/sops/roles/_install_age/vars/D-Alpine.yml9
-rw-r--r--ansible_collections/community/sops/roles/_install_age/vars/D-Archlinux.yml9
-rw-r--r--ansible_collections/community/sops/roles/_install_age/vars/D-Debian-10.yml8
-rw-r--r--ansible_collections/community/sops/roles/_install_age/vars/D-Fedora.yml9
-rw-r--r--ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-16.yml8
-rw-r--r--ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-18.yml8
-rw-r--r--ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-20.yml8
-rw-r--r--ansible_collections/community/sops/roles/_install_age/vars/OS-Debian.yml9
-rw-r--r--ansible_collections/community/sops/roles/_install_age/vars/default.yml8
-rw-r--r--ansible_collections/community/sops/roles/install/README.md7
-rw-r--r--ansible_collections/community/sops/roles/install/defaults/main.yml10
-rw-r--r--ansible_collections/community/sops/roles/install/meta/argument_specs.yml72
-rw-r--r--ansible_collections/community/sops/roles/install/meta/main.yml11
-rw-r--r--ansible_collections/community/sops/roles/install/tasks/detect_source.yml26
-rw-r--r--ansible_collections/community/sops/roles/install/tasks/github.yml50
-rw-r--r--ansible_collections/community/sops/roles/install/tasks/github_api.yml38
-rw-r--r--ansible_collections/community/sops/roles/install/tasks/github_latest_release.yml34
-rw-r--r--ansible_collections/community/sops/roles/install/tasks/main.yml100
-rw-r--r--ansible_collections/community/sops/roles/install/tasks/system.yml26
-rw-r--r--ansible_collections/community/sops/roles/install/vars/D-Alpine.yml23
-rw-r--r--ansible_collections/community/sops/roles/install/vars/D-Archlinux.yml23
-rw-r--r--ansible_collections/community/sops/roles/install/vars/OS-Debian.yml31
-rw-r--r--ansible_collections/community/sops/roles/install/vars/OS-RedHat.yml32
-rw-r--r--ansible_collections/community/sops/roles/install/vars/default.yml21
28 files changed, 669 insertions, 0 deletions
diff --git a/ansible_collections/community/sops/roles/_install_age/README.md b/ansible_collections/community/sops/roles/_install_age/README.md
new file mode 100644
index 00000000..a8541545
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/README.md
@@ -0,0 +1,7 @@
+<!--
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: 2022, Felix Fontein
+-->
+
+See [the documentation](https://docs.ansible.com/ansible/devel/collections/community/sops/).
diff --git a/ansible_collections/community/sops/roles/_install_age/defaults/main.yml b/ansible_collections/community/sops/roles/_install_age/defaults/main.yml
new file mode 100644
index 00000000..83e6bea5
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+sops_install_on_localhost: false
+sops_become_on_install: true
diff --git a/ansible_collections/community/sops/roles/_install_age/meta/main.yml b/ansible_collections/community/sops/roles/_install_age/meta/main.yml
new file mode 100644
index 00000000..6e671781
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/meta/main.yml
@@ -0,0 +1,11 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+galaxy_info:
+ standalone: false
+ description: >
+ [INTERNAL] Install age (https://github.com/FiloSottile/age/).
+
+dependencies: []
diff --git a/ansible_collections/community/sops/roles/_install_age/tasks/main.yml b/ansible_collections/community/sops/roles/_install_age/tasks/main.yml
new file mode 100644
index 00000000..6bdfa445
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Gather required information on localhost
+ when: sops_install_on_localhost
+ ansible.builtin.setup:
+ gather_subset:
+ - '!all'
+ - '!min'
+ - architecture
+ - distribution
+ - distribution_major_version
+ - distribution_version
+ - os_family
+ delegate_to: localhost
+ delegate_facts: true
+ run_once: true
+
+- vars:
+ _community_sops_install_age_facts: >-
+ {{ hostvars['localhost' if sops_install_on_localhost else inventory_hostname].ansible_facts }}
+ block:
+ - name: Show system information
+ ansible.builtin.debug:
+ msg: |-
+ Architecture: {{ _community_sops_install_age_facts.architecture }}
+ Distribution: {{ _community_sops_install_age_facts.distribution }} {{ _community_sops_install_age_facts.distribution_major_version }}
+ Distribution version: {{ _community_sops_install_age_facts.distribution_version }}
+ OS family: {{ _community_sops_install_age_facts.os_family }}
+
+ - name: Include distribution specific variables
+ ansible.builtin.include_vars: '{{ lookup("ansible.builtin.first_found", params) }}'
+ vars:
+ params:
+ files:
+ - >-
+ D-{{ _community_sops_install_age_facts.distribution }}-{{ _community_sops_install_age_facts.distribution_version }}.yml
+ - >-
+ D-{{ _community_sops_install_age_facts.distribution }}-{{ _community_sops_install_age_facts.distribution_major_version }}.yml
+ - >-
+ D-{{ _community_sops_install_age_facts.distribution }}.yml
+ - >-
+ OS-{{ _community_sops_install_age_facts.os_family }}-{{ _community_sops_install_age_facts.distribution_major_version }}.yml
+ - >-
+ OS-{{ _community_sops_install_age_facts.os_family }}.yml
+ - default.yml
+ paths:
+ - '{{ role_path }}/vars'
+
+ - name: Install system packages
+ ansible.builtin.package:
+ name: '{{ _community_sops_install_age_system_packages }}'
+ become: '{{ sops_become_on_install }}'
+ delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+ run_once: '{{ sops_install_on_localhost or omit }}'
+ when: _community_sops_install_age_system_packages | length > 0
+
+ - name: Set results
+ ansible.builtin.set_fact:
+ age_installed: "{{ _community_sops_install_age_has_age }}"
+ delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+ delegate_facts: '{{ true if sops_install_on_localhost else omit }}'
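Review bot: The `- vars:` block that wraps every task after fact gathering has no `name`, and nothing states what a false `age_installed` result means. Going by the vars files in this commit, false appears to mean that no age package is known for the platform, not that an installation failed, and a caller checking the fact could misread it. I would add `name: Install age` to the block and a comment above `Set results` such as `# age_installed is false when no system package for age is known for this platform; nothing was installed`. The same unnamed block appears in roles/install/tasks/main.yml.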
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Alpine.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Alpine.yml
new file mode 100644
index 00000000..002c8136
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Alpine.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages:
+ - age
+
+_community_sops_install_age_has_age: true
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Archlinux.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Archlinux.yml
new file mode 100644
index 00000000..002c8136
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Archlinux.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages:
+ - age
+
+_community_sops_install_age_has_age: true
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Debian-10.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Debian-10.yml
new file mode 100644
index 00000000..5ee19d4c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Debian-10.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages: []
+
+_community_sops_install_age_has_age: false
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Fedora.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Fedora.yml
new file mode 100644
index 00000000..002c8136
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Fedora.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages:
+ - age
+
+_community_sops_install_age_has_age: true
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-16.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-16.yml
new file mode 100644
index 00000000..5ee19d4c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-16.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages: []
+
+_community_sops_install_age_has_age: false
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-18.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-18.yml
new file mode 100644
index 00000000..5ee19d4c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-18.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages: []
+
+_community_sops_install_age_has_age: false
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-20.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-20.yml
new file mode 100644
index 00000000..5ee19d4c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-20.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages: []
+
+_community_sops_install_age_has_age: false
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/OS-Debian.yml b/ansible_collections/community/sops/roles/_install_age/vars/OS-Debian.yml
new file mode 100644
index 00000000..002c8136
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/OS-Debian.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages:
+ - age
+
+_community_sops_install_age_has_age: true
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/default.yml b/ansible_collections/community/sops/roles/_install_age/vars/default.yml
new file mode 100644
index 00000000..5ee19d4c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/default.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages: []
+
+_community_sops_install_age_has_age: false
diff --git a/ansible_collections/community/sops/roles/install/README.md b/ansible_collections/community/sops/roles/install/README.md
new file mode 100644
index 00000000..a8541545
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/README.md
@@ -0,0 +1,7 @@
+<!--
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: 2022, Felix Fontein
+-->
+
+See [the documentation](https://docs.ansible.com/ansible/devel/collections/community/sops/).
diff --git a/ansible_collections/community/sops/roles/install/defaults/main.yml b/ansible_collections/community/sops/roles/install/defaults/main.yml
new file mode 100644
index 00000000..7e793f13
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+sops_version: latest
+sops_source: auto
+sops_install_on_localhost: false
+sops_become_on_install: true
+sops_github_latest_detection: auto
diff --git a/ansible_collections/community/sops/roles/install/meta/argument_specs.yml b/ansible_collections/community/sops/roles/install/meta/argument_specs.yml
new file mode 100644
index 00000000..e6f3e874
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/meta/argument_specs.yml
@@ -0,0 +1,72 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+argument_specs:
+ main:
+ short_description: Install Mozilla sops
+ version_added: 1.5.0
+ description:
+ - This role installs L(Mozilla sops,https://github.com/mozilla/sops) and Gnu Privacy Guard (GPG).
+ - >-
+ This role supports the following operating systems:
+ Alpine (new enough),
+ Arch Linux,
+ CentOS 7, Stream 8, or newer,
+ Debian 10 (Buster) or newer,
+ Fedora (new enough),
+ RHEL 7 or newer,
+ Ubuntu 16.04 or newer LTS versions
+ - The Ansible facts C(ansible_facts.architecture), C(ansible_facts.distribution), C(ansible_facts.distribution_major_version),
+ C(ansible_facts.distribution_version), and C(ansible_facts.os_family) are expected to be present if I(sops_install_on_localhost) is C(false).
+ author:
+ - Felix Fontein (@felixfontein)
+ options:
+ sops_version:
+ default: latest
+ description:
+ - The version of sops to install.
+ - Should be a version like C(3.7.2). The special value C(latest) will select the latest version available form the given source.
+ type: str
+ sops_source:
+ default: auto
+ description:
+ - Determines the source from where sops is installed.
+ - The value C(github) will install sops from the Mozilla sops releases on GitHub (U(https://github.com/mozilla/sops/releases/)).
+ - The value C(system) will install sops from the system packages. Note that not all system package repositories support sops.
+ - The value C(auto) will determine the best source to install sops from. Here, system package repositories are preferred over GitHub.
+ type: str
+ choices:
+ - auto
+ - github
+ - system
+ sops_install_on_localhost:
+ default: false
+ description:
+ - Installs sops on the Ansible controller (C(localhost)) instead of the remote host.
+ type: bool
+ sops_become_on_install:
+ default: true
+ description:
+ - 'Whether the role should use C(become: true) when installing packages.'
+ type: bool
+ sops_github_latest_detection:
+ description:
+ - When installing the latest sops version from GitHub, configures how the latest release is detected.
+ - C(auto) tries C(api) first and then uses C(latest-release).
+ - C(api) asks the GitHub API for a list of recent releases and picks the highest version.
+ - C(latest-release) uses a not fully documented URL to retrieve the release marked as "latest" by the repository maintainers.
+ type: str
+ choices:
+ - auto
+ - api
+ - latest-release
+ version_added: 1.6.0
+ sops_github_token:
+ description:
+ - Token to provide when querying the GitHub API for the latest release. Without the token
+ there are rather strict rate limits.
+ - Should mainly be used in GitHub Actions.
+ type: str
+ version_added: 1.6.0
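Review bot: `sops_github_latest_detection` declares no `default`, although roles/install/defaults/main.yml in this commit sets it to `auto`, so the rendered documentation will not show the effective default; add `default: auto` under that option. The `sops_github_token` description should also say that the value is a credential, for example `- This is a secret; supply it from Ansible Vault or the CI secret store instead of writing it into a playbook.` Separately, `available form the given source` in the `sops_version` description should read `from`.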
diff --git a/ansible_collections/community/sops/roles/install/meta/main.yml b/ansible_collections/community/sops/roles/install/meta/main.yml
new file mode 100644
index 00000000..f6dc6814
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/meta/main.yml
@@ -0,0 +1,11 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+galaxy_info:
+ standalone: false
+ description: >
+ Install Mozilla sops (https://github.com/mozilla/sops).
+
+dependencies: []
diff --git a/ansible_collections/community/sops/roles/install/tasks/detect_source.yml b/ansible_collections/community/sops/roles/install/tasks/detect_source.yml
new file mode 100644
index 00000000..e31c0fa9
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/detect_source.yml
@@ -0,0 +1,26 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Check whether system packages are a valid source of sops {{ sops_version }}
+ when:
+ - _community_sops_install_system_has_system
+ - not (sops_version != 'latest' and _community_sops_install_system_has_system_latest_only)
+ ansible.builtin.set_fact:
+ _community_sops_install_effective_sops_source: system
+
+- name: Check whether GitHub is a valid source of sops
+ when:
+ - _community_sops_install_system_has_github
+ - _community_sops_install_effective_sops_source == 'auto'
+ ansible.builtin.set_fact:
+ _community_sops_install_effective_sops_source: github
+
+- name: Ensure that something was detected
+ ansible.builtin.fail:
+ msg: >-
+ Was not able to determine installation source for sops {{ sops_version }}
+ for {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_version }}.
+ Please open an issue in https://github.com/ansible-collections/community.sops/issues if you think this should work.
+ when: _community_sops_install_effective_sops_source == 'auto'
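Review bot: Nothing in this file reports which source auto-detection chose, and the two outcomes differ in trust: `system` uses the distribution's repositories, while `github` leads to the URL-based install in tasks/main.yml. After the two `set_fact` tasks I would add an `ansible.builtin.debug` task with `msg: 'Selected source for sops is {{ _community_sops_install_effective_sops_source }}'` so the run log records where the binary came from.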
diff --git a/ansible_collections/community/sops/roles/install/tasks/github.yml b/ansible_collections/community/sops/roles/install/tasks/github.yml
new file mode 100644
index 00000000..f5719220
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/github.yml
@@ -0,0 +1,50 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Make sure that sops can be installed from GitHub
+ ansible.builtin.fail:
+ msg: >-
+ Sops cannot be installed from GitHub for
+ {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_version }}.
+ when: not _community_sops_install_system_has_github
+
+- name: Start determining sops version
+ ansible.builtin.set_fact:
+ _community_sops_install_effective_sops_version: '{{ "" if sops_version == "latest" else sops_version }}'
+
+# This method uses the GitHub API, which is rate-limited.
+- name: Determine latest version (fallback)
+ when:
+ - _community_sops_install_effective_sops_version == ''
+ - sops_github_latest_detection in ['auto', 'api']
+ ansible.builtin.include_tasks: github_api.yml
+
+# This method asks GitHub for the latest release, which depends on the release to be
+# correctly marked as "latest" in the GitHub UI. Fortunately this is not as aggressively
+# rate-limited as the API (used in the fallback).
+- name: Determine latest version
+ when:
+ - _community_sops_install_effective_sops_version == ''
+ - sops_github_latest_detection in ['auto', 'latest-release']
+ ansible.builtin.include_tasks: github_latest_release.yml
+
+- name: Fail when latest version could not be selected
+ ansible.builtin.fail:
+ msg: Could not determine the latest GitHub release
+ when: _community_sops_install_effective_sops_version == ''
+
+- name: Show selected version
+ ansible.builtin.debug:
+ msg: The latest sops version is sops {{ _community_sops_install_effective_sops_version }}.
+ when: sops_version == 'latest'
+
+- name: Set variables
+ ansible.builtin.set_fact:
+ _community_sops_install_system_packages_actual: >-
+ {{ _community_sops_install_system_packages + _community_sops_install_system_packages_github }}
+ _community_sops_install_system_packages_unsigned_actual: >-
+ {{ _community_sops_install_system_packages_unsigned + _community_sops_install_system_packages_unsigned_github }}
+ _community_sops_install_system_package_deb_actual: >-
+ {{ _community_sops_install_system_package_deb_github }}
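Review bot: `Start determining sops version` copies `sops_version` into `_community_sops_install_effective_sops_version` without checking its form, and that value is later interpolated into the release download URL (see `_community_sops_install_system_package_deb_github` in vars/OS-Debian.yml). The latest-release lookup already restricts the tag to `[0-9a-z._-]+`; an explicitly supplied version should get the same check before it reaches a URL, as in the assert sketched below. Separately, the task named `Determine latest version (fallback)` is the API lookup, which runs first, so the `(fallback)` label and the `used in the fallback` comment are on the wrong method relative to the `auto` order documented in argument_specs.yml.

```yaml
- name: Validate the requested sops version
  ansible.builtin.assert:
    that:
      - sops_version == 'latest' or (sops_version | string) is match('^[0-9a-z._-]+$')
    fail_msg: "sops_version must be 'latest' or a version such as 3.7.2"

# … unchanged: "Start determining sops version" and the remaining tasks …
```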
diff --git a/ansible_collections/community/sops/roles/install/tasks/github_api.yml b/ansible_collections/community/sops/roles/install/tasks/github_api.yml
new file mode 100644
index 00000000..01d9b77b
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/github_api.yml
@@ -0,0 +1,38 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Fetch list of releases from GitHub
+ ansible.builtin.uri:
+ headers:
+ Accept: application/vnd.github+json
+ Authorization: "{{ ('Bearer ' ~ sops_github_token) if sops_github_token is defined and sops_github_token else '' }}"
+ status_code:
+ - 200
+ - 403 # "HTTP Error 403: rate limit exceeded"
+ url: https://api.github.com/repos/mozilla/sops/releases
+ register: _community_sops_install_github_releases
+ delegate_to: localhost
+ run_once: true
+
+- name: In case rate limit was exceeded, inform user
+ ansible.builtin.debug:
+ msg: >-
+ Rate limit exceeded! Make sure to provide a GitHub token
+ as `sops_github_token` to reduce the chance of this error.
+ when: _community_sops_install_github_releases.status == 403
+
+- name: Determine the latest release
+ ansible.builtin.set_fact:
+ _community_sops_install_effective_sops_version: >-
+ {{
+ (
+ _community_sops_install_github_releases.json
+ | rejectattr("prerelease")
+ | rejectattr("draft")
+ | map(attribute="tag_name")
+ | map("ansible.builtin.regex_replace", "^v", "")
+ | community.sops._latest_version
+ ) if _community_sops_install_github_releases.status == 200 else ''
+ }}
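Review bot: `Fetch list of releases from GitHub` puts `sops_github_token` into the `Authorization` header but sets no `no_log`, so at higher verbosity the task arguments, including the bearer token, may end up in the controller's output or logs. I would add `no_log: "{{ sops_github_token | default('', true) | length > 0 }}"` to that task, so that output is suppressed only when a token is actually in use. When no token is given the task still sends an empty `Authorization` header. `403` is also treated as a rate limit unconditionally, so the debug message may mislead if GitHub returns 403 for another reason.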
diff --git a/ansible_collections/community/sops/roles/install/tasks/github_latest_release.yml b/ansible_collections/community/sops/roles/install/tasks/github_latest_release.yml
new file mode 100644
index 00000000..ca67b3cd
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/github_latest_release.yml
@@ -0,0 +1,34 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Fetch the latest release from GitHub
+ ansible.builtin.uri:
+ follow_redirects: false
+ status_code:
+ - 302
+ - 307
+ url: https://github.com/mozilla/sops/releases/latest/
+ register: _community_sops_install_github_latest_release
+ delegate_to: localhost
+ run_once: true
+
+- name: Determine the latest release
+ ansible.builtin.set_fact:
+ _community_sops_install_effective_sops_version: >-
+ {{
+ _community_sops_install_github_latest_release.location
+ | default("", true)
+ | ansible.builtin.regex_search("(?<=/releases/tag/)([0-9a-z._-]+)")
+ | default("", true)
+ | ansible.builtin.regex_replace("^v", "")
+ }}
+
+- name: In case this failed, inform user
+ ansible.builtin.debug:
+ msg: >-
+ Could not obtain latest version from https://github.com/mozilla/sops/releases/latest/.
+ Please create an issue in https://github.com/ansible-collections/community.sops/issues/
+ if there is not already one.
+ when: _community_sops_install_effective_sops_version == ''
diff --git a/ansible_collections/community/sops/roles/install/tasks/main.yml b/ansible_collections/community/sops/roles/install/tasks/main.yml
new file mode 100644
index 00000000..548c8201
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/main.yml
@@ -0,0 +1,100 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Gather required information on localhost
+ when: sops_install_on_localhost
+ ansible.builtin.setup:
+ gather_subset:
+ - '!all'
+ - '!min'
+ - architecture
+ - distribution
+ - distribution_major_version
+ - distribution_version
+ - os_family
+ delegate_to: localhost
+ delegate_facts: true
+ run_once: true
+
+- vars:
+ _community_sops_install_facts: >-
+ {{ hostvars['localhost' if sops_install_on_localhost else inventory_hostname].ansible_facts }}
+ block:
+ - name: Show system information
+ ansible.builtin.debug:
+ msg: |-
+ Architecture: {{ _community_sops_install_facts.architecture }}
+ Distribution: {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_major_version }}
+ Distribution version: {{ _community_sops_install_facts.distribution_version }}
+ OS family: {{ _community_sops_install_facts.os_family }}
+
+ - name: Include distribution specific variables
+ ansible.builtin.include_vars: '{{ lookup("ansible.builtin.first_found", params) }}'
+ vars:
+ params:
+ files:
+ - >-
+ D-{{ _community_sops_install_facts.distribution }}-{{ _community_sops_install_facts.distribution_version }}.yml
+ - >-
+ D-{{ _community_sops_install_facts.distribution }}-{{ _community_sops_install_facts.distribution_major_version }}.yml
+ - >-
+ D-{{ _community_sops_install_facts.distribution }}.yml
+ - >-
+ OS-{{ _community_sops_install_facts.os_family }}-{{ _community_sops_install_facts.distribution_major_version }}.yml
+ - >-
+ OS-{{ _community_sops_install_facts.os_family }}.yml
+ - default.yml
+ paths:
+ - '{{ role_path }}/vars'
+
+ - name: Start determining source
+ ansible.builtin.set_fact:
+ _community_sops_install_effective_sops_source: '{{ sops_source }}'
+
+ - name: Auto-detect source to install sops from
+ ansible.builtin.include_tasks: detect_source.yml
+ when: _community_sops_install_effective_sops_source == 'auto'
+
+ - name: Install Mozilla sops from GitHub
+ ansible.builtin.include_tasks: github.yml
+ when: _community_sops_install_effective_sops_source == 'github'
+
+ - name: Install Mozilla sops from system package repositories
+ ansible.builtin.include_tasks: system.yml
+ when: _community_sops_install_effective_sops_source == 'system'
+
+ - name: Install system packages
+ ansible.builtin.package:
+ name: '{{ _community_sops_install_system_packages_actual }}'
+ allow_downgrade: '{{ true if _community_sops_install_allow_downgrade and sops_version != "latest" else omit }}'
+ become: '{{ sops_become_on_install }}'
+ delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+ run_once: '{{ sops_install_on_localhost or omit }}'
+ when: _community_sops_install_system_packages_actual | length > 0
+
+ - name: Install unsigned system packages
+ ansible.builtin.package:
+ name: '{{ _community_sops_install_system_packages_unsigned_actual }}'
+ allow_downgrade: '{{ true if _community_sops_install_allow_downgrade and sops_version != "latest" else omit }}'
+ disable_gpg_check: true
+ become: '{{ sops_become_on_install }}'
+ delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+ run_once: '{{ sops_install_on_localhost or omit }}'
+ when: _community_sops_install_system_packages_unsigned_actual | length > 0
+
+ - name: Install packages from URL/path (Debian)
+ ansible.builtin.apt:
+ deb: '{{ _community_sops_install_system_package_deb_actual }}'
+ allow_downgrade: '{{ true if _community_sops_install_allow_downgrade and sops_version != "latest" else omit }}'
+ become: '{{ sops_become_on_install }}'
+ delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+ run_once: '{{ sops_install_on_localhost or omit }}'
+ when: _community_sops_install_system_package_deb_actual is string
+
+ - name: Set results
+ ansible.builtin.set_fact:
+ sops_installed: true
+ delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+ delegate_facts: '{{ true if sops_install_on_localhost else omit }}'
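Review bot: Nothing in this file verifies a digest or signature for the packages installed by `Install unsigned system packages` (`disable_gpg_check: true`) and `Install packages from URL/path (Debian)`. When the source is GitHub, their integrity therefore appears to rest on the HTTPS fetch alone, and the install runs with `become`. For the Debian path I would download first with `ansible.builtin.get_url` and its `checksum` option, then pass the local file to `deb:`; the unsigned-package path needs an equivalent check. The digest and download-path variables in the sketch below are placeholders, since this commit defines neither.

```yaml
    # … unchanged: the two package install tasks above …
    - name: Download sops package (Debian)
      ansible.builtin.get_url:
        url: '{{ _community_sops_install_system_package_deb_actual }}'
        dest: '{{ sops_deb_download_path }}'        # placeholder variable
        checksum: 'sha256:{{ sops_deb_sha256 }}'    # placeholder variable
        mode: '0644'
      delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
      run_once: '{{ sops_install_on_localhost or omit }}'
      when:
        - _community_sops_install_system_package_deb_actual is string
        - _community_sops_install_system_package_deb_actual is match('^https?://')

    - name: Install packages from URL/path (Debian)
      ansible.builtin.apt:
        deb: '{{ sops_deb_download_path }}'         # placeholder variable
      # … unchanged: allow_downgrade, become, delegate_to, run_once, when …
```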
diff --git a/ansible_collections/community/sops/roles/install/tasks/system.yml b/ansible_collections/community/sops/roles/install/tasks/system.yml
new file mode 100644
index 00000000..bc82176c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/system.yml
@@ -0,0 +1,26 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Make sure that sops can be installed from system packages
+ ansible.builtin.fail:
+ msg: >-
+ Sops cannot be installed from system packages for
+ {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_version }}.
+ when: not _community_sops_install_system_has_system
+
+- name: Make sure that systems only supporting 'latest' are not told to install another version
+ ansible.builtin.fail:
+ msg: >-
+ Sops version {{ sops_version }} was requested, but we can only install latest sops from system packages.
+ when: sops_version != 'latest' and _community_sops_install_system_has_system_latest_only
+
+- name: Set variables
+ ansible.builtin.set_fact:
+ _community_sops_install_system_packages_actual: >-
+ {{ _community_sops_install_system_packages + _community_sops_install_system_packages_system }}
+ _community_sops_install_system_packages_unsigned_actual: >-
+ {{ _community_sops_install_system_packages_unsigned + _community_sops_install_system_packages_unsigned_system }}
+ _community_sops_install_system_package_deb_actual: >-
+ {{ _community_sops_install_system_package_deb_system }}
diff --git a/ansible_collections/community/sops/roles/install/vars/D-Alpine.yml b/ansible_collections/community/sops/roles/install/vars/D-Alpine.yml
new file mode 100644
index 00000000..27577c48
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/D-Alpine.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: true
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: false
+
+_community_sops_install_allow_downgrade: false
+
+_community_sops_install_system_packages:
+ - gpg
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_system_package_deb_github: false
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github: []
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system:
+ - sops
+_community_sops_install_system_packages_unsigned_system: []
diff --git a/ansible_collections/community/sops/roles/install/vars/D-Archlinux.yml b/ansible_collections/community/sops/roles/install/vars/D-Archlinux.yml
new file mode 100644
index 00000000..51e34a8d
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/D-Archlinux.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: true
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: false
+
+_community_sops_install_allow_downgrade: false
+
+_community_sops_install_system_packages:
+ - gnupg
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_system_package_deb_github: false
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github: []
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system:
+ - sops
+_community_sops_install_system_packages_unsigned_system: []
diff --git a/ansible_collections/community/sops/roles/install/vars/OS-Debian.yml b/ansible_collections/community/sops/roles/install/vars/OS-Debian.yml
new file mode 100644
index 00000000..5f9cf260
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/OS-Debian.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: false
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: true
+
+_community_sops_install_allow_downgrade: '{{ ansible_version.full is version("2.12", ">=") }}'
+
+_community_sops_install_system_packages:
+ - gnupg
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_arch_transform:
+ x86_64: amd64
+_community_sops_install_system_package_deb_github: >-
+ https://github.com/mozilla/sops/releases/download/v{{
+ _community_sops_install_effective_sops_version
+ }}/sops_{{
+ _community_sops_install_effective_sops_version
+ }}_{{
+ _community_sops_install_arch_transform.get(ansible_facts.architecture, ansible_facts.architecture)
+ }}.deb
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github: []
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system: []
+_community_sops_install_system_packages_unsigned_system: []
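Review bot: The `.deb` URL in `_community_sops_install_system_package_deb_github` is fetched from a GitHub release with no checksum or signature pinned in these vars, so as far as this hunk shows, package integrity rests on HTTPS to github.com alone. OS-RedHat.yml has the same gap, and there the RPM URL sits in the explicitly named `_community_sops_install_system_packages_unsigned_github` list. The installing tasks are outside this hunk, so confirm whether they verify anything. If they do not, downloading with `ansible.builtin.get_url` and its `checksum:` parameter, then installing from the local file, would close it. At minimum I would add `# Installed from a release URL without signature verification; integrity depends on TLS to github.com` above the variable.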
diff --git a/ansible_collections/community/sops/roles/install/vars/OS-RedHat.yml b/ansible_collections/community/sops/roles/install/vars/OS-RedHat.yml
new file mode 100644
index 00000000..95f7d2ab
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/OS-RedHat.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: false
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: true
+
+_community_sops_install_allow_downgrade: true
+
+_community_sops_install_system_packages:
+ - gnupg2
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_system_package_deb_github: false
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github:
+ - >-
+ https://github.com/mozilla/sops/releases/download/v{{
+ _community_sops_install_effective_sops_version
+ }}/sops-{{
+ (_community_sops_install_effective_sops_version is version('3.6.0', '<')) | ternary('v', '')
+ }}{{
+ _community_sops_install_effective_sops_version
+ }}-1.{{
+ ansible_facts.architecture
+ }}.rpm
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system: []
+_community_sops_install_system_packages_unsigned_system: []
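Review bot: The `ternary('v', '')` keyed on the version comparison with `3.6.0` is unexplained. From the template it looks as if RPM assets before 3.6.0 were named `sops-vX.Y.Z-1.<arch>.rpm` and later ones dropped the `v`, but nothing in the file says so. I would put `# RPM asset names carried a 'v' prefix before 3.6.0` above the list item so that a later cleanup does not simplify the expression away and break installs of older versions.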
diff --git a/ansible_collections/community/sops/roles/install/vars/default.yml b/ansible_collections/community/sops/roles/install/vars/default.yml
new file mode 100644
index 00000000..24d14b18
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/default.yml
@@ -0,0 +1,21 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: false
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: false
+
+_community_sops_install_allow_downgrade: false
+
+_community_sops_install_system_packages: []
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_system_package_deb_github: false
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github: []
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system: []
+_community_sops_install_system_packages_unsigned_system: []