Vendor Galaxy Roles and Collections

ansible_collections/community/sops/roles/install/tasks/detect_source.yml

@@ -0,0 +1,26 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Check whether system packages are a valid source of SOPS {{ sops_version }}
+  when:
+    - _community_sops_install_system_has_system
+    - not (sops_version != 'latest' and _community_sops_install_system_has_system_latest_only)
+  ansible.builtin.set_fact:
+    _community_sops_install_effective_sops_source: system
+
+- name: Check whether GitHub is a valid source of SOPS
+  when:
+    - _community_sops_install_system_has_github
+    - _community_sops_install_effective_sops_source == 'auto'
+  ansible.builtin.set_fact:
+    _community_sops_install_effective_sops_source: github
+
+- name: Ensure that something was detected
+  ansible.builtin.fail:
+    msg: >-
+      Was not able to determine installation source for SOPS {{ sops_version }}
+      for {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_version }}.
+      Please open an issue in https://github.com/ansible-collections/community.sops/issues if you think this should work.
+  when: _community_sops_install_effective_sops_source == 'auto'

ansible_collections/community/sops/roles/install/tasks/github.yml

@@ -0,0 +1,50 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Make sure that SOPS can be installed from GitHub
+  ansible.builtin.fail:
+    msg: >-
+      SOPS cannot be installed from GitHub for
+      {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_version }}.
+  when: not _community_sops_install_system_has_github
+
+- name: Start determining SOPS version
+  ansible.builtin.set_fact:
+    _community_sops_install_effective_sops_version: '{{ "" if sops_version == "latest" else sops_version }}'
+
+# This method uses the GitHub API, which is rate-limited.
+- name: Determine latest version (fallback)
+  when:
+    - _community_sops_install_effective_sops_version == ''
+    - sops_github_latest_detection in ['auto', 'api']
+  ansible.builtin.include_tasks: github_api.yml
+
+# This method asks GitHub for the latest release, which depends on the release to be
+# correctly marked as "latest" in the GitHub UI. Fortunately this is not as aggressively
+# rate-limited as the API (used in the fallback).
+- name: Determine latest version
+  when:
+    - _community_sops_install_effective_sops_version == ''
+    - sops_github_latest_detection in ['auto', 'latest-release']
+  ansible.builtin.include_tasks: github_latest_release.yml
+
+- name: Fail when latest version could not be selected
+  ansible.builtin.fail:
+    msg: Could not determine the latest GitHub release
+  when: _community_sops_install_effective_sops_version == ''
+
+- name: Show selected version
+  ansible.builtin.debug:
+    msg: The latest SOPS version is SOPS {{ _community_sops_install_effective_sops_version }}.
+  when: sops_version == 'latest'
+
+- name: Set variables
+  ansible.builtin.set_fact:
+    _community_sops_install_system_packages_actual: >-
+      {{ _community_sops_install_system_packages + _community_sops_install_system_packages_github }}
+    _community_sops_install_system_packages_unsigned_actual: >-
+      {{ _community_sops_install_system_packages_unsigned + _community_sops_install_system_packages_unsigned_github }}
+    _community_sops_install_system_package_deb_actual: >-
+      {{ _community_sops_install_system_package_deb_github }}

ansible_collections/community/sops/roles/install/tasks/github_api.yml

@@ -0,0 +1,38 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Fetch list of releases from GitHub
+  ansible.builtin.uri:
+    headers:
+      Accept: application/vnd.github+json
+      Authorization: "{{ ('Bearer ' ~ sops_github_token) if sops_github_token is defined and sops_github_token else '' }}"
+    status_code:
+      - 200
+      - 403  # "HTTP Error 403: rate limit exceeded"
+    url: https://api.github.com/repos/getsops/sops/releases
+  register: _community_sops_install_github_releases
+  delegate_to: localhost
+  run_once: true
+
+- name: In case rate limit was exceeded, inform user
+  ansible.builtin.debug:
+    msg: >-
+      Rate limit exceeded! Make sure to provide a GitHub token
+      as `sops_github_token` to reduce the chance of this error.
+  when: _community_sops_install_github_releases.status == 403
+
+- name: Determine the latest release
+  ansible.builtin.set_fact:
+    _community_sops_install_effective_sops_version: >-
+      {{
+        (
+          _community_sops_install_github_releases.json
+          | rejectattr("prerelease")
+          | rejectattr("draft")
+          | map(attribute="tag_name")
+          | map("ansible.builtin.regex_replace", "^v", "")
+          | community.sops._latest_version
+        ) if _community_sops_install_github_releases.status == 200 else ''
+      }}

ansible_collections/community/sops/roles/install/tasks/github_latest_release.yml

@@ -0,0 +1,34 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Fetch the latest release from GitHub
+  ansible.builtin.uri:
+    follow_redirects: "none"
+    status_code:
+      - 302
+      - 307
+    url: https://github.com/getsops/sops/releases/latest/
+  register: _community_sops_install_github_latest_release
+  delegate_to: localhost
+  run_once: true
+
+- name: Determine the latest release
+  ansible.builtin.set_fact:
+    _community_sops_install_effective_sops_version: >-
+      {{
+        _community_sops_install_github_latest_release.location
+        | default("", true)
+        | ansible.builtin.regex_search("(?<=/releases/tag/)([0-9a-z._-]+)")
+        | default("", true)
+        | ansible.builtin.regex_replace("^v", "")
+      }}
+
+- name: In case this failed, inform user
+  ansible.builtin.debug:
+    msg: >-
+      Could not obtain latest version from https://github.com/getsops/sops/releases/latest/.
+      Please create an issue in https://github.com/ansible-collections/community.sops/issues/
+      if there is not already one.
+  when: _community_sops_install_effective_sops_version == ''

ansible_collections/community/sops/roles/install/tasks/main.yml

@@ -0,0 +1,102 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Gather required information on localhost
+  when: sops_install_on_localhost
+  ansible.builtin.setup:
+    gather_subset:
+      - '!all'
+      - '!min'
+      - architecture
+      - distribution
+      - distribution_major_version
+      - distribution_version
+      - os_family
+      - pkg_mgr
+  delegate_to: localhost
+  delegate_facts: true
+  run_once: true
+
+- vars:
+    _community_sops_install_facts: >-
+      {{ hostvars['localhost' if sops_install_on_localhost else inventory_hostname].ansible_facts }}
+  block:
+    - name: Show system information
+      ansible.builtin.debug:
+        msg: |-
+          Architecture: {{ _community_sops_install_facts.architecture }}
+          Distribution: {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_major_version }}
+          Distribution version: {{ _community_sops_install_facts.distribution_version }}
+          OS family: {{ _community_sops_install_facts.os_family }}
+          System package manager: {{ _community_sops_install_facts.pkg_mgr }}
+
+    - name: Include distribution specific variables
+      ansible.builtin.include_vars: '{{ lookup("ansible.builtin.first_found", params) }}'
+      vars:
+        params:
+          files:
+            - >-
+              D-{{ _community_sops_install_facts.distribution }}-{{ _community_sops_install_facts.distribution_version }}.yml
+            - >-
+              D-{{ _community_sops_install_facts.distribution }}-{{ _community_sops_install_facts.distribution_major_version }}.yml
+            - >-
+              D-{{ _community_sops_install_facts.distribution }}.yml
+            - >-
+              OS-{{ _community_sops_install_facts.os_family }}-{{ _community_sops_install_facts.distribution_major_version }}.yml
+            - >-
+              OS-{{ _community_sops_install_facts.os_family }}.yml
+            - default.yml
+          paths:
+            - '{{ role_path }}/vars'
+
+    - name: Start determining source
+      ansible.builtin.set_fact:
+        _community_sops_install_effective_sops_source: '{{ sops_source }}'
+
+    - name: Auto-detect source to install SOPS from
+      ansible.builtin.include_tasks: detect_source.yml
+      when: _community_sops_install_effective_sops_source == 'auto'
+
+    - name: Install SOPS from GitHub
+      ansible.builtin.include_tasks: github.yml
+      when: _community_sops_install_effective_sops_source == 'github'
+
+    - name: Install SOPS from system package repositories
+      ansible.builtin.include_tasks: system.yml
+      when: _community_sops_install_effective_sops_source == 'system'
+
+    - name: Install system packages
+      ansible.builtin.package:
+        name: '{{ _community_sops_install_system_packages_actual }}'
+        allow_downgrade: '{{ true if _community_sops_install_allow_downgrade and sops_version != "latest" else omit }}'
+      become: '{{ sops_become_on_install }}'
+      delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+      run_once: '{{ sops_install_on_localhost }}'
+      when: _community_sops_install_system_packages_actual | length > 0
+
+    - name: Install unsigned system packages
+      ansible.builtin.package:
+        name: '{{ _community_sops_install_system_packages_unsigned_actual }}'
+        allow_downgrade: '{{ true if _community_sops_install_allow_downgrade and sops_version != "latest" else omit }}'
+        disable_gpg_check: true
+      become: '{{ sops_become_on_install }}'
+      delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+      run_once: '{{ sops_install_on_localhost }}'
+      when: _community_sops_install_system_packages_unsigned_actual | length > 0
+
+    - name: Install packages from URL/path (Debian)
+      ansible.builtin.apt:
+        deb: '{{ _community_sops_install_system_package_deb_actual }}'
+        allow_downgrade: '{{ true if _community_sops_install_allow_downgrade and sops_version != "latest" else omit }}'
+      become: '{{ sops_become_on_install }}'
+      delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+      run_once: '{{ sops_install_on_localhost }}'
+      when: _community_sops_install_system_package_deb_actual is string
+
+    - name: Set results
+      ansible.builtin.set_fact:
+        sops_installed: true
+      delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+      delegate_facts: '{{ true if sops_install_on_localhost else omit }}'

ansible_collections/community/sops/roles/install/tasks/system.yml

@@ -0,0 +1,26 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Make sure that SOPS can be installed from system packages
+  ansible.builtin.fail:
+    msg: >-
+      SOPS cannot be installed from system packages for
+      {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_version }}.
+  when: not _community_sops_install_system_has_system
+
+- name: Make sure that systems only supporting 'latest' are not told to install another version
+  ansible.builtin.fail:
+    msg: >-
+      SOPS version {{ sops_version }} was requested, but we can only install latest SOPS from system packages.
+  when: sops_version != 'latest' and _community_sops_install_system_has_system_latest_only
+
+- name: Set variables
+  ansible.builtin.set_fact:
+    _community_sops_install_system_packages_actual: >-
+      {{ _community_sops_install_system_packages + _community_sops_install_system_packages_system }}
+    _community_sops_install_system_packages_unsigned_actual: >-
+      {{ _community_sops_install_system_packages_unsigned + _community_sops_install_system_packages_unsigned_system }}
+    _community_sops_install_system_package_deb_actual: >-
+      {{ _community_sops_install_system_package_deb_system }}