Replace deprecated apt_key (3)

arBmind · arBmind · commit ebbda6c4a42c · 2025-08-05T13:03:33.000+02:00
diff --git a/.devcontainer/docker-compose.override.yml b/.devcontainer/docker-compose.override.yml
@@ -2,3 +2,5 @@
 services:
   ansible:
     image: "ghcr.io/ansible/community-ansible-dev-tools:latest"
+  app_vm:
+    image: ghcr.io/hicknhack-software/ansible-target:jammy
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 *.retry
 tests/docker-sshkey*
+.ansible
diff --git a/apache/passenger/defaults/main.yml b/apache/passenger/defaults/main.yml
@@ -1,9 +1,10 @@
 ---
 apache_passenger_install: apt # or gem
 apache_passenger_state: "latest"
-apache_passenger_key_id: "16378A33A6EF16762922526E561F9B9CAC40B2F7"
-apache_passenger_key_server: "keyserver.ubuntu.com"
-apache_passenger_apt_repo: "deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ ansible_lsb.codename }} main"
+# apache_passenger_key_id: "16378A33A6EF16762922526E561F9B9CAC40B2F7"
+# apache_passenger_key_server: "keyserver.ubuntu.com"
+apache_passenger_key_url: "https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt"
+apache_passenger_apt_uri: "https://oss-binaries.phusionpassenger.com/apt/passenger"
 
 # apache_passenger_install: gem
 apache_passenger_gem_version: ">1"
diff --git a/apache/passenger/tasks/apt_install.yml b/apache/passenger/tasks/apt_install.yml
@@ -5,25 +5,37 @@
       - "gpg"
       - "apt-transport-https"
       - "ca-certificates"
+      - "python3-debian"
     state: latest
     update_cache: true
     cache_valid_time: 3600
 
-- name: Install | add key
-  ansible.builtin.apt_key:
-    keyserver: "{{ apache_passenger_key_server }}"
-    id: "{{ apache_passenger_key_id }}"
+# note: old keychain is no longer supported!
+# - name: Install | add key
+#   ansible.builtin.apt_key:
+#     keyserver: "{{ apache_passenger_key_server }}"
+#     id: "{{ apache_passenger_key_id }}"
 
-- name: Install | add repo
-  ansible.builtin.apt_repository:
-    repo: "{{ apache_passenger_apt_repo }}"
+# - name: Install | add repo
+#   ansible.builtin.apt_repository:
+#     repo: "{{ apache_passenger_apt_repo }}"
+
+- name: Install | Add repo
+  ansible.builtin.deb822_repository:
+    name: Phusion Passenger
+    types: deb
+    uris: ["{{ apache_passenger_apt_uri }}"]
+    suites: ["{{ ansible_lsb.codename }}"]
+    components: [main]
+    architectures: [amd64]
+    signed_by: "{{ apache_passenger_key_url }}"
+  register: repo_result
 
 - name: Install | packages
   ansible.builtin.apt:
     pkg: "{{ apache_passenger_package }}"
     state: "{{ apache_passenger_state }}"
-    update_cache: true
-    cache_valid_time: 3600
+    update_cache: "{{ repo_result.changed | bool }}"
   notify: Restart apache
 
 - name: Install | enable module
diff --git a/nginx/passenger/defaults/main.yml b/nginx/passenger/defaults/main.yml
@@ -11,6 +11,9 @@ passenger_cloak_headers: true
 # app_hosts: "www.example.com example.com en.example.com de.example.de"
 app_hosts: "{{ app_domain }}"
 
+apache_passenger_key_url: "https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt"
+apache_passenger_apt_uri: "https://oss-binaries.phusionpassenger.com/apt/passenger"
+
 passenger_variables:
   passenger_enabled: "on"
   passenger_ruby: "/home/{{ app_user }}/.rvm/wrappers/ruby-{{ ruby_version }}/ruby"
diff --git a/nginx/passenger/tasks/main.yml b/nginx/passenger/tasks/main.yml
@@ -5,28 +5,42 @@
       - "gpg"
       - "apt-transport-https"
       - "ca-certificates"
+      - "python3-debian"
     state: latest
     update_cache: true
     cache_valid_time: 3600
 
-- name: Apt | Add key for passenger repos
-  ansible.builtin.apt_key:
-    url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x561F9B9CAC40B2F7
-    id: AC40B2F7
-    state: present
-
 - name: Apt | Add passenger repo
-  ansible.builtin.apt_repository:
-    repo: "deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ ansible_lsb.codename }} main"
-    state: present
-    update_cache: true
+  ansible.builtin.deb822_repository:
+    name: Phusion Passenger
+    types: deb
+    uris: ["{{ apache_passenger_apt_uri }}"]
+    suites: ["{{ ansible_lsb.codename }}"]
+    components: [main]
+    architectures: [amd64]
+    signed_by: "{{ apache_passenger_key_url }}"
+  register: repo_result
+
+# old apt_key no longer works!
+# - name: Apt | Add key for passenger repos
+#   ansible.builtin.apt_key:
+#     url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x561F9B9CAC40B2F7
+#     id: AC40B2F7
+#     state: present
+
+# - name: Apt | Add passenger repo
+#   ansible.builtin.apt_repository:
+#     repo: "deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ ansible_lsb.codename }} main"
+#     state: present
+#     update_cache: true
 
 - name: Pkg | Install nginx passenger packages
   ansible.builtin.apt:
     state: present
     pkg:
       - "nginx-extras"
       - "passenger"
+    update_cache: "{{ repo_result.changed | bool }}"
   notify: Nginx restart
 
 - name: Service | Ensure nginx is running
diff --git a/nginx/server/defaults/main.yml b/nginx/server/defaults/main.yml
@@ -1,10 +1,11 @@
 ---
 nginx_install: official # or "apt" or "ppa"
-nginx_official_key_id: "573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62"
-nginx_official_key_servers:
-  - keyserver.ubuntu.com
-  - pgp.mit.edu
-nginx_official_repo: "deb http://nginx.org/packages/ubuntu {{ ansible_lsb.codename }} nginx"
+# nginx_official_key_id: "573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62"
+# nginx_official_key_servers:
+#   - keyserver.ubuntu.com
+#   - pgp.mit.edu
+nginx_official_key_url: "https://nginx.org/keys/nginx_signing.key"
+nginx_official_repo_uri: "https://nginx.org/packages/ubuntu"
 
 # name of the system user that runs nginx
 nginx_user: "www-data"
diff --git a/nginx/server/tasks/Debian.yml b/nginx/server/tasks/Debian.yml
@@ -15,21 +15,20 @@
           - "gpg"
           - "apt-transport-https"
           - "ca-certificates"
+          - "python3-debian"
         state: latest
         update_cache: true
         cache_valid_time: 3600
 
-    - name: Debian | Add official key
-      ansible.builtin.apt_key:
-        keyserver: "{{ item }}"
-        id: "{{ nginx_official_key_id }}"
-      loop: "{{ nginx_official_key_servers }}"
-      retries: 2
-      delay: 1
-
-    - name: Install | Add repo
-      ansible.builtin.apt_repository:
-        repo: "{{ nginx_official_repo }}"
+    - name: Debian | Add repo
+      ansible.builtin.deb822_repository:
+        name: NGINX
+        types: deb
+        uris: ["{{ nginx_official_repo_uri }}"]
+        suites: ["{{ ansible_lsb.codename }}"]
+        components: [nginx]
+        architectures: [amd64]
+        signed_by: "{{ nginx_official_key_url }}"
 
 - name: Debian | Packages
   ansible.builtin.apt:
diff --git a/postgresql/tasks/Debian.yml b/postgresql/tasks/Debian.yml
@@ -5,21 +5,33 @@
       - "gpg"
       - "apt-transport-https"
       - "ca-certificates"
+      - "python3-debian"
     state: latest
     update_cache: true
     cache_valid_time: 86400
 
-- name: Debian | Add repo key
-  ansible.builtin.apt_key:
-    url: "{{ postgresql_apt_key }}"
+- name: Install | Add repo
+  ansible.builtin.deb822_repository:
+    name: Postgresql
+    types: deb
+    uris: ["{{ postgresql_apt_url }}"]
+    suites: ["{{ ansible_lsb.codename }}-pgdg"]
+    components: [main]
+    architectures: [amd64]
+    signed_by: "{{ postgresql_apt_key }}"
+  register: repo_result
 
-- name: Debian | Add repo
-  ansible.builtin.apt_repository:
-    repo: "{{ postgresql_apt_repo }}"
+# note: apt_key no longer works
+# - name: Debian | Add repo key
+#   ansible.builtin.apt_key:
+#     url: "{{ postgresql_apt_key }}"
+
+# - name: Debian | Add repo
+#   ansible.builtin.apt_repository:
+#     repo: "{{ postgresql_apt_repo }}"
 
 - name: Debian | Packages
   ansible.builtin.apt:
     name: "{{ postgresql_packages + postgresql_python_packages | flatten }}"
     state: latest
-    update_cache: true
-    cache_valid_time: 86400
+    update_cache: "{{ repo_result.changed | bool }}"
diff --git a/postgresql/vars/Debian.yml b/postgresql/vars/Debian.yml
@@ -6,7 +6,7 @@ postgresql_python_packages:
 
 postgresql_apt_url: "https://apt.postgresql.org/pub/repos/apt"
 postgresql_apt_key: "{{ postgresql_apt_url }}/ACCC4CF8.asc"
-postgresql_apt_repo: "deb {{ postgresql_apt_url }}/ {{ ansible_lsb.codename }}-pgdg main"
+# postgresql_apt_repo: "deb {{ postgresql_apt_url }}/ {{ ansible_lsb.codename }}-pgdg main"
 
 postgresql_config_basepath: "/etc/postgresql"
 postgresql_data_basepath: "/var/lib/postgresql"
diff --git a/yarn/tasks/yarn.yml b/yarn/tasks/yarn.yml
@@ -5,20 +5,34 @@
       - "gpg"
       - "apt-transport-https"
       - "ca-certificates"
+      - "python3-debian"
     state: latest
     update_cache: true
     cache_valid_time: 3600
 
-- name: Configure the Yarn APT key
-  ansible.builtin.apt_key:
-    url: https://dl.yarnpkg.com/debian/pubkey.gpg
+- name: Install | Add repo
+  ansible.builtin.deb822_repository:
+    name: Yarn
+    types: deb
+    uris: ["https://dl.yarnpkg.com/debian/"]
+    suites: [stable]
+    components: [main]
+    architectures: [amd64]
+    signed_by: "https://dl.yarnpkg.com/debian/pubkey.gpg"
+  register: repo_result
 
-- name: Add Yarn repository
-  ansible.builtin.apt_repository:
-    repo: "deb https://dl.yarnpkg.com/debian/ stable main"
-    state: present
+# note: apt_key no longer works!
+# - name: Configure the Yarn APT key
+#   ansible.builtin.apt_key:
+#     url: https://dl.yarnpkg.com/debian/pubkey.gpg
+
+# - name: Add Yarn repository
+#   ansible.builtin.apt_repository:
+#     repo: "deb https://dl.yarnpkg.com/debian/ stable main"
+#     state: present
 
 - name: Install Yarn
   ansible.builtin.apt:
     name: yarn
     state: present
+    update_cache: "{{ repo_result.changed | bool }}"

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`*.retry`
`2`	`2`	`tests/docker-sshkey*`
	`3`	`+.ansible`