Diffstat (limited to 'ansible_collections/community/sops/roles')
28 files changed, 669 insertions, 0 deletions
diff --git a/ansible_collections/community/sops/roles/_install_age/README.md b/ansible_collections/community/sops/roles/_install_age/README.md
new file mode 100644
index 00000000..a8541545
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/README.md
@@ -0,0 +1,7 @@
+<!--
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: 2022, Felix Fontein
+-->
+
+See [the documentation](https://docs.ansible.com/ansible/devel/collections/community/sops/).
diff --git a/ansible_collections/community/sops/roles/_install_age/defaults/main.yml b/ansible_collections/community/sops/roles/_install_age/defaults/main.yml
new file mode 100644
index 00000000..83e6bea5
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+sops_install_on_localhost: false
+sops_become_on_install: true
diff --git a/ansible_collections/community/sops/roles/_install_age/meta/main.yml b/ansible_collections/community/sops/roles/_install_age/meta/main.yml
new file mode 100644
index 00000000..6e671781
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/meta/main.yml
@@ -0,0 +1,11 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+galaxy_info:
+ standalone: false
+ description: >
+ [INTERNAL] Install age (https://github.com/FiloSottile/age/).
+
+dependencies: []
diff --git a/ansible_collections/community/sops/roles/_install_age/tasks/main.yml b/ansible_collections/community/sops/roles/_install_age/tasks/main.yml
new file mode 100644
index 00000000..6bdfa445
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Gather required information on localhost
+ when: sops_install_on_localhost
+ ansible.builtin.setup:
+ gather_subset:
+ - '!all'
+ - '!min'
+ - architecture
+ - distribution
+ - distribution_major_version
+ - distribution_version
+ - os_family
+ delegate_to: localhost
+ delegate_facts: true
+ run_once: true
+
+- vars:
+ _community_sops_install_age_facts: >-
+ {{ hostvars['localhost' if sops_install_on_localhost else inventory_hostname].ansible_facts }}
+ block:
+ - name: Show system information
+ ansible.builtin.debug:
+ msg: |-
+ Architecture: {{ _community_sops_install_age_facts.architecture }}
+ Distribution: {{ _community_sops_install_age_facts.distribution }} {{ _community_sops_install_age_facts.distribution_major_version }}
+ Distribution version: {{ _community_sops_install_age_facts.distribution_version }}
+ OS family: {{ _community_sops_install_age_facts.os_family }}
+
+ - name: Include distribution specific variables
+ ansible.builtin.include_vars: '{{ lookup("ansible.builtin.first_found", params) }}'
+ vars:
+ params:
+ files:
+ - >-
+ D-{{ _community_sops_install_age_facts.distribution }}-{{ _community_sops_install_age_facts.distribution_version }}.yml
+ - >-
+ D-{{ _community_sops_install_age_facts.distribution }}-{{ _community_sops_install_age_facts.distribution_major_version }}.yml
+ - >-
+ D-{{ _community_sops_install_age_facts.distribution }}.yml
+ - >-
+ OS-{{ _community_sops_install_age_facts.os_family }}-{{ _community_sops_install_age_facts.distribution_major_version }}.yml
+ - >-
+ OS-{{ _community_sops_install_age_facts.os_family }}.yml
+ - default.yml
+ paths:
+ - '{{ role_path }}/vars'
+
+ - name: Install system packages
+ ansible.builtin.package:
+ name: '{{ _community_sops_install_age_system_packages }}'
+ become: '{{ sops_become_on_install }}'
+ delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+ run_once: '{{ sops_install_on_localhost or omit }}'
+ when: _community_sops_install_age_system_packages | length > 0
+
+ - name: Set results
+ ansible.builtin.set_fact:
+ age_installed: "{{ _community_sops_install_age_has_age }}"
+ delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+ delegate_facts: '{{ true if sops_install_on_localhost else omit }}'
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Alpine.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Alpine.yml
new file mode 100644
index 00000000..002c8136
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Alpine.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages:
+ - age
+
+_community_sops_install_age_has_age: true
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Archlinux.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Archlinux.yml
new file mode 100644
index 00000000..002c8136
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Archlinux.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages:
+ - age
+
+_community_sops_install_age_has_age: true
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Debian-10.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Debian-10.yml
new file mode 100644
index 00000000..5ee19d4c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Debian-10.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages: []
+
+_community_sops_install_age_has_age: false
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Fedora.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Fedora.yml
new file mode 100644
index 00000000..002c8136
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Fedora.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages:
+ - age
+
+_community_sops_install_age_has_age: true
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-16.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-16.yml
new file mode 100644
index 00000000..5ee19d4c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-16.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages: []
+
+_community_sops_install_age_has_age: false
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-18.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-18.yml
new file mode 100644
index 00000000..5ee19d4c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-18.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages: []
+
+_community_sops_install_age_has_age: false
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-20.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-20.yml
new file mode 100644
index 00000000..5ee19d4c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-20.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages: []
+
+_community_sops_install_age_has_age: false
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/OS-Debian.yml b/ansible_collections/community/sops/roles/_install_age/vars/OS-Debian.yml
new file mode 100644
index 00000000..002c8136
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/OS-Debian.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages:
+ - age
+
+_community_sops_install_age_has_age: true
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/default.yml b/ansible_collections/community/sops/roles/_install_age/vars/default.yml
new file mode 100644
index 00000000..5ee19d4c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/default.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages: []
+
+_community_sops_install_age_has_age: false
diff --git a/ansible_collections/community/sops/roles/install/README.md b/ansible_collections/community/sops/roles/install/README.md
new file mode 100644
index 00000000..a8541545
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/README.md
@@ -0,0 +1,7 @@
+<!--
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: 2022, Felix Fontein
+-->
+
+See [the documentation](https://docs.ansible.com/ansible/devel/collections/community/sops/).
diff --git a/ansible_collections/community/sops/roles/install/defaults/main.yml b/ansible_collections/community/sops/roles/install/defaults/main.yml
new file mode 100644
index 00000000..7e793f13
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+sops_version: latest
+sops_source: auto
+sops_install_on_localhost: false
+sops_become_on_install: true
+sops_github_latest_detection: auto
diff --git a/ansible_collections/community/sops/roles/install/meta/argument_specs.yml b/ansible_collections/community/sops/roles/install/meta/argument_specs.yml
new file mode 100644
index 00000000..e6f3e874
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/meta/argument_specs.yml
@@ -0,0 +1,72 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+argument_specs:
+ main:
+ short_description: Install Mozilla sops
+ version_added: 1.5.0
+ description:
+ - This role installs L(Mozilla sops,https://github.com/mozilla/sops) and Gnu Privacy Guard (GPG).
+ - >-
+ This role supports the following operating systems:
+ Alpine (new enough),
+ Arch Linux,
+ CentOS 7, Stream 8, or newer,
+ Debian 10 (Buster) or newer,
+ Fedora (new enough),
+ RHEL 7 or newer,
+ Ubuntu 16.04 or newer LTS versions
+ - The Ansible facts C(ansible_facts.architecture), C(ansible_facts.distribution), C(ansible_facts.distribution_major_version),
+ C(ansible_facts.distribution_version), and C(ansible_facts.os_family) are expected to be present if I(sops_install_on_localhost) is C(false).
+ author:
+ - Felix Fontein (@felixfontein)
+ options:
+ sops_version:
+ default: latest
+ description:
+ - The version of sops to install.
+ - Should be a version like C(3.7.2). The special value C(latest) will select the latest version available form the given source.
+ type: str
+ sops_source:
+ default: auto
+ description:
+ - Determines the source from where sops is installed.
+ - The value C(github) will install sops from the Mozilla sops releases on GitHub (U(https://github.com/mozilla/sops/releases/)).
+ - The value C(system) will install sops from the system packages. Note that not all system package repositories support sops.
+ - The value C(auto) will determine the best source to install sops from. Here, system package repositories are preferred over GitHub.
+ type: str
+ choices:
+ - auto
+ - github
+ - system
+ sops_install_on_localhost:
+ default: false
+ description:
+ - Installs sops on the Ansible controller (C(localhost)) instead of the remote host.
+ type: bool
+ sops_become_on_install:
+ default: true
+ description:
+ - 'Whether the role should use C(become: true) when installing packages.'
+ type: bool
+ sops_github_latest_detection:
+ description:
+ - When installing the latest sops version from GitHub, configures how the latest release is detected.
+ - C(auto) tries C(api) first and then uses C(latest-release).
+ - C(api) asks the GitHub API for a list of recent releases and picks the highest version.
+ - C(latest-release) uses a not fully documented URL to retrieve the release marked as "latest" by the repository maintainers.
+ type: str
+ choices:
+ - auto
+ - api
+ - latest-release
+ version_added: 1.6.0
+ sops_github_token:
+ description:
+ - Token to provide when querying the GitHub API for the latest release. Without the token
+ there are rather strict rate limits.
+ - Should mainly be used in GitHub Actions.
+ type: str
+ version_added: 1.6.0
diff --git a/ansible_collections/community/sops/roles/install/meta/main.yml b/ansible_collections/community/sops/roles/install/meta/main.yml
new file mode 100644
index 00000000..f6dc6814
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/meta/main.yml
@@ -0,0 +1,11 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+galaxy_info:
+ standalone: false
+ description: >
+ Install Mozilla sops (https://github.com/mozilla/sops).
+
+dependencies: []
diff --git a/ansible_collections/community/sops/roles/install/tasks/detect_source.yml b/ansible_collections/community/sops/roles/install/tasks/detect_source.yml
new file mode 100644
index 00000000..e31c0fa9
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/detect_source.yml
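Review bot: `sops_github_latest_detection` is the only option in this spec that has a role default but no `default:` entry; defaults/main.yml in this commit sets it to `auto`, so add `default: auto` under the option to keep the generated documentation consistent with the other options. The `sops_version` description has a typo, "available form the given source" should read "available from the given source". The `sops_source` description would also benefit from one more sentence saying that the `github` source downloads a package from the release URL and, judging from tasks/main.yml in this commit, installs RPMs with the GPG check disabled, since that is a trust decision the user should make knowingly.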
@@ -0,0 +1,26 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Check whether system packages are a valid source of sops {{ sops_version }}
+ when:
+ - _community_sops_install_system_has_system
+ - not (sops_version != 'latest' and _community_sops_install_system_has_system_latest_only)
+ ansible.builtin.set_fact:
+ _community_sops_install_effective_sops_source: system
+
+- name: Check whether GitHub is a valid source of sops
+ when:
+ - _community_sops_install_system_has_github
+ - _community_sops_install_effective_sops_source == 'auto'
+ ansible.builtin.set_fact:
+ _community_sops_install_effective_sops_source: github
+
+- name: Ensure that something was detected
+ ansible.builtin.fail:
+ msg: >-
+ Was not able to determine installation source for sops {{ sops_version }}
+ for {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_version }}.
+ Please open an issue in https://github.com/ansible-collections/community.sops/issues if you think this should work.
+ when: _community_sops_install_effective_sops_source == 'auto'
diff --git a/ansible_collections/community/sops/roles/install/tasks/github.yml b/ansible_collections/community/sops/roles/install/tasks/github.yml
new file mode 100644
index 00000000..f5719220
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/github.yml
@@ -0,0 +1,50 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Make sure that sops can be installed from GitHub
+ ansible.builtin.fail:
+ msg: >-
+ Sops cannot be installed from GitHub for
+ {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_version }}.
+ when: not _community_sops_install_system_has_github
+
+- name: Start determining sops version
+ ansible.builtin.set_fact:
+ _community_sops_install_effective_sops_version: '{{ "" if sops_version == "latest" else sops_version }}'
+
+# This method uses the GitHub API, which is rate-limited.
+- name: Determine latest version (fallback)
+ when:
+ - _community_sops_install_effective_sops_version == ''
+ - sops_github_latest_detection in ['auto', 'api']
+ ansible.builtin.include_tasks: github_api.yml
+
+# This method asks GitHub for the latest release, which depends on the release to be
+# correctly marked as "latest" in the GitHub UI. Fortunately this is not as aggressively
+# rate-limited as the API (used in the fallback).
+- name: Determine latest version
+ when:
+ - _community_sops_install_effective_sops_version == ''
+ - sops_github_latest_detection in ['auto', 'latest-release']
+ ansible.builtin.include_tasks: github_latest_release.yml
+
+- name: Fail when latest version could not be selected
+ ansible.builtin.fail:
+ msg: Could not determine the latest GitHub release
+ when: _community_sops_install_effective_sops_version == ''
+
+- name: Show selected version
+ ansible.builtin.debug:
+ msg: The latest sops version is sops {{ _community_sops_install_effective_sops_version }}.
+ when: sops_version == 'latest'
+
+- name: Set variables
+ ansible.builtin.set_fact:
+ _community_sops_install_system_packages_actual: >-
+ {{ _community_sops_install_system_packages + _community_sops_install_system_packages_github }}
+ _community_sops_install_system_packages_unsigned_actual: >-
+ {{ _community_sops_install_system_packages_unsigned + _community_sops_install_system_packages_unsigned_github }}
+ _community_sops_install_system_package_deb_actual: >-
+ {{ _community_sops_install_system_package_deb_github }}
diff --git a/ansible_collections/community/sops/roles/install/tasks/github_api.yml b/ansible_collections/community/sops/roles/install/tasks/github_api.yml
new file mode 100644
index 00000000..01d9b77b
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/github_api.yml
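Review bot: In `Start determining sops version`, a non-`latest` `sops_version` is copied unchecked into `_community_sops_install_effective_sops_version`, which the vars files in this commit interpolate into the package download URL; only the latest-release path (github_latest_release.yml) restricts the value to `[0-9a-z._-]+`. An `ansible.builtin.assert` ahead of that task with `that: sops_version == 'latest' or sops_version is match('^[0-9a-z._-]+$')` would keep a malformed value from changing the URL path of a package that is later installed with `become`. Separately, the task named `Determine latest version (fallback)` is the one that runs first under `auto`, and the comment on the second task also calls the API "the fallback"; rename the first task to something like `Determine latest version (GitHub API)` and say in the comment that latest-release is tried when the API did not yield a version.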
@@ -0,0 +1,38 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Fetch list of releases from GitHub
+ ansible.builtin.uri:
+ headers:
+ Accept: application/vnd.github+json
+ Authorization: "{{ ('Bearer ' ~ sops_github_token) if sops_github_token is defined and sops_github_token else '' }}"
+ status_code:
+ - 200
+ - 403 # "HTTP Error 403: rate limit exceeded"
+ url: https://api.github.com/repos/mozilla/sops/releases
+ register: _community_sops_install_github_releases
+ delegate_to: localhost
+ run_once: true
+
+- name: In case rate limit was exceeded, inform user
+ ansible.builtin.debug:
+ msg: >-
+ Rate limit exceeded! Make sure to provide a GitHub token
+ as `sops_github_token` to reduce the chance of this error.
+ when: _community_sops_install_github_releases.status == 403
+
+- name: Determine the latest release
+ ansible.builtin.set_fact:
+ _community_sops_install_effective_sops_version: >-
+ {{
+ (
+ _community_sops_install_github_releases.json
+ | rejectattr("prerelease")
+ | rejectattr("draft")
+ | map(attribute="tag_name")
+ | map("ansible.builtin.regex_replace", "^v", "")
+ | community.sops._latest_version
+ ) if _community_sops_install_github_releases.status == 200 else ''
+ }}
diff --git a/ansible_collections/community/sops/roles/install/tasks/github_latest_release.yml b/ansible_collections/community/sops/roles/install/tasks/github_latest_release.yml
new file mode 100644
index 00000000..ca67b3cd
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/github_latest_release.yml
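Review bot: `Fetch list of releases from GitHub` places `sops_github_token` in the `Authorization` header of a task that has no `no_log`, so the bearer token can end up in the module arguments Ansible prints at higher verbosity or stores through callback plugins. Adding `no_log: true` to that task keeps the registered `status` and `json` usable by the following tasks while keeping the header out of the output. When no token is given the task still sends an empty `Authorization: ''` header; building the header only when a token is set (for example with `else omit`, if the supported ansible-core versions strip `omit` inside nested dicts, which should be confirmed) avoids that. The 403 branch also reports every 403 as a rate-limit problem, so a rejected or under-scoped token would be misreported; wording the message as "possibly rate limited" would be more accurate.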
@@ -0,0 +1,34 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Fetch the latest release from GitHub
+ ansible.builtin.uri:
+ follow_redirects: false
+ status_code:
+ - 302
+ - 307
+ url: https://github.com/mozilla/sops/releases/latest/
+ register: _community_sops_install_github_latest_release
+ delegate_to: localhost
+ run_once: true
+
+- name: Determine the latest release
+ ansible.builtin.set_fact:
+ _community_sops_install_effective_sops_version: >-
+ {{
+ _community_sops_install_github_latest_release.location
+ | default("", true)
+ | ansible.builtin.regex_search("(?<=/releases/tag/)([0-9a-z._-]+)")
+ | default("", true)
+ | ansible.builtin.regex_replace("^v", "")
+ }}
+
+- name: In case this failed, inform user
+ ansible.builtin.debug:
+ msg: >-
+ Could not obtain latest version from https://github.com/mozilla/sops/releases/latest/.
+ Please create an issue in https://github.com/ansible-collections/community.sops/issues/
+ if there is not already one.
+ when: _community_sops_install_effective_sops_version == ''
diff --git a/ansible_collections/community/sops/roles/install/tasks/main.yml b/ansible_collections/community/sops/roles/install/tasks/main.yml
new file mode 100644
index 00000000..548c8201
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/main.yml
@@ -0,0 +1,100 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Gather required information on localhost
+ when: sops_install_on_localhost
+ ansible.builtin.setup:
+ gather_subset:
+ - '!all'
+ - '!min'
+ - architecture
+ - distribution
+ - distribution_major_version
+ - distribution_version
+ - os_family
+ delegate_to: localhost
+ delegate_facts: true
+ run_once: true
+
+- vars:
+ _community_sops_install_facts: >-
+ {{ hostvars['localhost' if sops_install_on_localhost else inventory_hostname].ansible_facts }}
+ block:
+ - name: Show system information
+ ansible.builtin.debug:
+ msg: |-
+ Architecture: {{ _community_sops_install_facts.architecture }}
+ Distribution: {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_major_version }}
+ Distribution version: {{ _community_sops_install_facts.distribution_version }}
+ OS family: {{ _community_sops_install_facts.os_family }}
+
+ - name: Include distribution specific variables
+ ansible.builtin.include_vars: '{{ lookup("ansible.builtin.first_found", params) }}'
+ vars:
+ params:
+ files:
+ - >-
+ D-{{ _community_sops_install_facts.distribution }}-{{ _community_sops_install_facts.distribution_version }}.yml
+ - >-
+ D-{{ _community_sops_install_facts.distribution }}-{{ _community_sops_install_facts.distribution_major_version }}.yml
+ - >-
+ D-{{ _community_sops_install_facts.distribution }}.yml
+ - >-
+ OS-{{ _community_sops_install_facts.os_family }}-{{ _community_sops_install_facts.distribution_major_version }}.yml
+ - >-
+ OS-{{ _community_sops_install_facts.os_family }}.yml
+ - default.yml
+ paths:
+ - '{{ role_path }}/vars'
+
+ - name: Start determining source
+ ansible.builtin.set_fact:
+ _community_sops_install_effective_sops_source: '{{ sops_source }}'
+
+ - name: Auto-detect source to install sops from
+ ansible.builtin.include_tasks: detect_source.yml
+ when: _community_sops_install_effective_sops_source == 'auto'
+
+ - name: Install Mozilla sops from GitHub
+ ansible.builtin.include_tasks: github.yml
+ when: _community_sops_install_effective_sops_source == 'github'
+
+ - name: Install Mozilla sops from system package repositories
+ ansible.builtin.include_tasks: system.yml
+ when: _community_sops_install_effective_sops_source == 'system'
+
+ - name: Install system packages
+ ansible.builtin.package:
+ name: '{{ _community_sops_install_system_packages_actual }}'
+ allow_downgrade: '{{ true if _community_sops_install_allow_downgrade and sops_version != "latest" else omit }}'
+ become: '{{ sops_become_on_install }}'
+ delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+ run_once: '{{ sops_install_on_localhost or omit }}'
+ when: _community_sops_install_system_packages_actual | length > 0
+
+ - name: Install unsigned system packages
+ ansible.builtin.package:
+ name: '{{ _community_sops_install_system_packages_unsigned_actual }}'
+ allow_downgrade: '{{ true if _community_sops_install_allow_downgrade and sops_version != "latest" else omit }}'
+ disable_gpg_check: true
+ become: '{{ sops_become_on_install }}'
+ delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+ run_once: '{{ sops_install_on_localhost or omit }}'
+ when: _community_sops_install_system_packages_unsigned_actual | length > 0
+
+ - name: Install packages from URL/path (Debian)
+ ansible.builtin.apt:
+ deb: '{{ _community_sops_install_system_package_deb_actual }}'
+ allow_downgrade: '{{ true if _community_sops_install_allow_downgrade and sops_version != "latest" else omit }}'
+ become: '{{ sops_become_on_install }}'
+ delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+ run_once: '{{ sops_install_on_localhost or omit }}'
+ when: _community_sops_install_system_package_deb_actual is string
+
+ - name: Set results
+ ansible.builtin.set_fact:
+ sops_installed: true
+ delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+ delegate_facts: '{{ true if sops_install_on_localhost else omit }}'
diff --git a/ansible_collections/community/sops/roles/install/tasks/system.yml b/ansible_collections/community/sops/roles/install/tasks/system.yml
new file mode 100644
index 00000000..bc82176c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/system.yml
@@ -0,0 +1,26 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Make sure that sops can be installed from system packages
+ ansible.builtin.fail:
+ msg: >-
+ Sops cannot be installed from system packages for
+ {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_version }}.
+ when: not _community_sops_install_system_has_system
+
+- name: Make sure that systems only supporting 'latest' are not told to install another version
+ ansible.builtin.fail:
+ msg: >-
+ Sops version {{ sops_version }} was requested, but we can only install latest sops from system packages.
+ when: sops_version != 'latest' and _community_sops_install_system_has_system_latest_only
+
+- name: Set variables
+ ansible.builtin.set_fact:
+ _community_sops_install_system_packages_actual: >-
+ {{ _community_sops_install_system_packages + _community_sops_install_system_packages_system }}
+ _community_sops_install_system_packages_unsigned_actual: >-
+ {{ _community_sops_install_system_packages_unsigned + _community_sops_install_system_packages_unsigned_system }}
+ _community_sops_install_system_package_deb_actual: >-
+ {{ _community_sops_install_system_package_deb_system }}
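Review bot: In tasks/main.yml, `Install unsigned system packages` sets `disable_gpg_check: true` and `Install packages from URL/path (Debian)` passes a URL straight to `apt: deb:`, so a package fetched over the network is installed with `become` and the only integrity protection is the TLS connection to the download host. Consider downloading the file first with `ansible.builtin.get_url` and a `checksum:` value for the selected version (a digest pinned in the vars files, or a checksum file if the release publishes one) and then installing from the local path. If that is out of scope for this commit, a comment above both tasks such as `# NOTE: package is not signature- or checksum-verified; trust rests on HTTPS to the release host` makes the trust decision visible to whoever maintains the role.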
diff --git a/ansible_collections/community/sops/roles/install/vars/D-Alpine.yml b/ansible_collections/community/sops/roles/install/vars/D-Alpine.yml
new file mode 100644
index 00000000..27577c48
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/D-Alpine.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: true
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: false
+
+_community_sops_install_allow_downgrade: false
+
+_community_sops_install_system_packages:
+ - gpg
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_system_package_deb_github: false
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github: []
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system:
+ - sops
+_community_sops_install_system_packages_unsigned_system: []
diff --git a/ansible_collections/community/sops/roles/install/vars/D-Archlinux.yml b/ansible_collections/community/sops/roles/install/vars/D-Archlinux.yml
new file mode 100644
index 00000000..51e34a8d
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/D-Archlinux.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: true
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: false
+
+_community_sops_install_allow_downgrade: false
+
+_community_sops_install_system_packages:
+ - gnupg
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_system_package_deb_github: false
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github: []
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system:
+ - sops
+_community_sops_install_system_packages_unsigned_system: []
diff --git a/ansible_collections/community/sops/roles/install/vars/OS-Debian.yml b/ansible_collections/community/sops/roles/install/vars/OS-Debian.yml
new file mode 100644
index 00000000..5f9cf260
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/OS-Debian.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: false
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: true
+
+_community_sops_install_allow_downgrade: '{{ ansible_version.full is version("2.12", ">=") }}'
+
+_community_sops_install_system_packages:
+ - gnupg
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_arch_transform:
+ x86_64: amd64
+_community_sops_install_system_package_deb_github: >-
+ https://github.com/mozilla/sops/releases/download/v{{
+ _community_sops_install_effective_sops_version
+ }}/sops_{{
+ _community_sops_install_effective_sops_version
+ }}_{{
+ _community_sops_install_arch_transform.get(ansible_facts.architecture, ansible_facts.architecture)
+ }}.deb
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github: []
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system: []
+_community_sops_install_system_packages_unsigned_system: []
diff --git a/ansible_collections/community/sops/roles/install/vars/OS-RedHat.yml b/ansible_collections/community/sops/roles/install/vars/OS-RedHat.yml
new file mode 100644
index 00000000..95f7d2ab
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/OS-RedHat.yml
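Review bot: The `.deb` URL in `_community_sops_install_system_package_deb_github` reads `ansible_facts.architecture`, which belongs to the inventory host, while tasks/main.yml picks this vars file from `_community_sops_install_facts`, which is localhost's delegated facts when `sops_install_on_localhost` is true. In that mode the URL is built from the wrong machine's architecture, or fails on an undefined fact if the inventory host was never gathered (argument_specs.yml only requires the facts when the option is false). Using `_community_sops_install_facts.architecture` for both arguments of the `.get(...)` call should fix it, assuming the block variable is in scope where these vars are templated, which looks to be the case since every consumer runs inside that block. The RPM URL in OS-RedHat.yml has the same `ansible_facts.architecture` reference and needs the same change.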
@@ -0,0 +1,32 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: false
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: true
+
+_community_sops_install_allow_downgrade: true
+
+_community_sops_install_system_packages:
+ - gnupg2
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_system_package_deb_github: false
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github:
+ - >-
+ https://github.com/mozilla/sops/releases/download/v{{
+ _community_sops_install_effective_sops_version
+ }}/sops-{{
+ (_community_sops_install_effective_sops_version is version('3.6.0', '<')) | ternary('v', '')
+ }}{{
+ _community_sops_install_effective_sops_version
+ }}-1.{{
+ ansible_facts.architecture
+ }}.rpm
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system: []
+_community_sops_install_system_packages_unsigned_system: []
diff --git a/ansible_collections/community/sops/roles/install/vars/default.yml b/ansible_collections/community/sops/roles/install/vars/default.yml
new file mode 100644
index 00000000..24d14b18
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/default.yml
@@ -0,0 +1,21 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: false
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: false
+
+_community_sops_install_allow_downgrade: false
+
+_community_sops_install_system_packages: []
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_system_package_deb_github: false
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github: []
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system: []
+_community_sops_install_system_packages_unsigned_system: [] |