
automatic signature verification

master
Parent
révision
f4b12d01e9
5 fichiers modifiés avec 69 ajouts et 22 suppressions
  1. +6
    -4
      defaults/main.yml
  2. +1
    -17
      tasks/deploy.yml
  3. +50
    -0
      tasks/download.yaml
  4. +3
    -1
      tasks/main.yml
  5. +9
    -0
      tasks/setup.yaml

+ 6
- 4
defaults/main.yml

@@ -3,10 +3,12 @@ gitea_http_port: 3000

gitea_server_name: "{{ inventory_hostname }}"

gitea_download_version: 1.5.1
gitea_download_url: https://dl.gitea.io/gitea/{{gitea_download_version}}/gitea-{{gitea_download_version}}-linux-amd64
#gitea_download_url: https://github.com/go-gitea/gitea/releases/download/v{{gitea_download_version}}/gitea-{{gitea_download_version}}-linux-amd64
gitea_download_checksum: sha256:ae4f43f73acbd0b61fbca78385a017d7aaed6f7d50f2bff5c3f057acfb46c71a
gitea_download_platform: linux
gitea_download_arch: amd64
gitea_download_version: 1.9.2
gitea_download_filename: gitea-{{gitea_download_version}}-{{gitea_download_platform}}-{{gitea_download_arch}}
gitea_download_url: https://dl.gitea.io/gitea/{{gitea_download_version}}/{{gitea_download_filename}}
#gitea_download_url: https://github.com/go-gitea/gitea/releases/download/v{{gitea_download_version}}/{{gitea_download_filename}}

gitea_admin_username: testadmin
gitea_admin_password: testadmin
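Review bot: The pinned `gitea_download_checksum` default appears to be dropped here, so an inventory that still overrides that variable would silently lose its pin. The page does not mark line sides, so this is inferred from the 4-deletion count and from tasks/download.yaml no longer reading the variable. The signature check added in tasks/download.yaml proves who signed the binary, not that it is the exact artifact an operator reviewed, so the two controls are not interchangeable. I would keep an optional pin, for example `gitea_download_checksum: ''` with the comment `# optional sha256:<hex> pin, enforced in addition to the signature when set`, and have the download task honour it when non-empty.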


+ 1
- 17
tasks/deploy.yml

@@ -1,23 +1,7 @@
---
- name: debian packages
apt:
pkg:
- ca-certificates
- git
- golang

- name: download gitea
get_url:
url: "{{ gitea_download_url }}"
dest: /usr/local/bin/gitea
checksum: "{{ gitea_download_checksum }}"
notify:
- restart gitea

- name: gitea executable
file:
path: /usr/local/bin/gitea
mode: u=rwx,g=rx,o=rx


# - name: allow gitea executable to bind on privileged port
# capabilities:


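--- a/tasks/download.yaml
+++ b/tasks/download.yaml
@@ -0,0 +1,50 @@
+---
+
+- name: gitea download dir
+file:
+path: /opt/gitea
+state: directory
+
+- name: gitea keyring
+command: gpg --no-default-keyring --keyring /opt/gitea/keyring.gpg
+--keyserver pool.sks-keyservers.net
+--recv 7C9E68152594688862D62AF62D9AE806EC1592E2
+register: _gitea_keyring_recv
+changed_when: '"import" in _gitea_keyring_recv.stderr'
+
+- name: gitea checksum
+uri:
+url: "{{ gitea_download_url }}.sha256"
+return_content: true
+register: _gitea_checksum
+
+- name: download gitea signature
+get_url:
+url: "{{ gitea_download_url }}.asc"
+dest: "/opt/gitea/{{ gitea_download_filename }}.asc"
+force: true
+register: _gitea_download_signature
+
+
+- name: download gitea
+get_url:
+url: "{{ gitea_download_url }}"
+dest: "/opt/gitea/{{ gitea_download_filename }}"
+checksum: "sha256:{{_gitea_checksum.content.split(' ')|first}}"
+
+- name: verify gitea signature
+command: gpg --no-default-keyring --keyring /opt/gitea/keyring.gpg
+--verify "/opt/gitea/{{ gitea_download_filename }}.asc"
+"/opt/gitea/{{ gitea_download_filename }}"
+changed_when: false
+
+- name: gitea executable
+file:
+path: /opt/gitea/{{ gitea_download_filename }}
+mode: u=rwx,g=rx,o=rx
+
+- name: make gitea binary available on system
+file:
+src: /opt/gitea/{{ gitea_download_filename }}
+dest: /usr/local/bin/gitea
+state: link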
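Review bot: The `gitea keyring` task fetches the signing key from `pool.sks-keyservers.net` on every run, so the trust anchor for the whole verification depends on a third-party keyserver being reachable at deploy time; that pool has since been taken out of service, so the task will fail on current hosts. Because the full fingerprint is already fixed in the role, shipping the exported public key with the role and importing it locally gives the same pin without the network dependency. The `gitea download dir` task also sets no `owner` or `mode` on `/opt/gitea`, which holds the keyring; making it root-owned and not group- or world-writable keeps the key that gates the install from being replaced. `_gitea_download_signature` is registered but never read and could be dropped.

```yaml
- name: gitea download dir
  file:
    path: /opt/gitea
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx

# gitea-signing-key.asc is a placeholder name: the exported public key for the
# fingerprint already pinned in this role, committed under the role's files/
- name: gitea signing key
  copy:
    src: gitea-signing-key.asc
    dest: /opt/gitea/gitea-signing-key.asc
    owner: root
    group: root
    mode: u=rw,g=r,o=r

- name: gitea keyring
  command: gpg --no-default-keyring --keyring /opt/gitea/keyring.gpg
    --import /opt/gitea/gitea-signing-key.asc
  register: _gitea_keyring_recv
  changed_when: '"import" in _gitea_keyring_recv.stderr'

# … unchanged: checksum fetch, signature and binary download, gpg --verify, mode, link …
```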

+ 3
- 1
tasks/main.yml

@@ -1,11 +1,13 @@
---

- import_tasks: setup.yaml
- import_tasks: download.yaml

- import_tasks: deploy.yml

- name: flush handlers
meta: flush_handlers


- include_role:
name: certificate
vars:
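Review bot: Nothing in the newly imported `download.yaml` notifies `restart gitea`, so the `flush handlers` step after `import_tasks: deploy.yml` no longer has a restart queued when the binary changes. The old download task in deploy.yml carried `notify:` / `- restart gitea`; unless a task outside this view still notifies that handler, a version bump relinks `/usr/local/bin/gitea` while the service keeps running the previous binary. For a role that rolls out a verified release, that leaves security fixes inactive until someone restarts the service by hand. I would add `notify:` / `- restart gitea` to the `make gitea binary available on system` task in download.yaml. The `include_role` block at the end of this hunk continues outside it.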


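--- a/tasks/setup.yaml
+++ b/tasks/setup.yaml
@@ -0,0 +1,9 @@
+---
+
+- name: debian packages
+apt:
+pkg:
+- ca-certificates
+- git
+- golang
+- gnupg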
