Allow Custom Repository when Installing Modules (#16)

* Adding ability to set repo for module install, rename apt key variables, task updates

* Resolving lint failures

* Fixing old signing key name

* Updating dependancy versions.

Author: jswongF5

.github/workflows/requirements/requirements_molecule.txt

@@ -1,7 +1,7 @@
 ansible-core==2.14.3
 jinja2==3.1.2
-ansible-lint==6.14.1
-yamllint==1.29.0
+ansible-lint==6.14.3
+yamllint==1.30.0
 molecule==4.0.4
 molecule-plugins[docker]==23.0.0
 docker==6.0.1

defaults/main.yml

@@ -30,12 +30,22 @@ nms_clickhouse_release_kind: lts
 nms_remove_certs: true
 
 ## By default, no NMS modules are installed.
-## If version is not set or is absent, the latest version is installed.
-## If setup is not set or is absent, the value from the nms_setup is used.
+## If 'version' is not set or is absent, the latest version is installed.
+## If 'setup' is not set or is absent, the value from the nms_setup is used.
+## If modules need to be installed from a different repository, set 'yum_repo' or 'apt_repo'.
+## 'yum_gpgcheck' and 'apt_verify' are additional apt and yum options that can also be set.
+##   Valid inputs are 'true' or 'false'. If these aren't defined, it will use the default values
+##   from the 'ansible.builtin.yum_repository' or 'ansible.builtin.apt_repository' modules.
 nms_modules: []
   # - name: acm
   #   version: ''
   #   setup: install
   # - name: sm
   #   version: ''
   #   setup: install
+  # - name: acm
+  #   yum_repo: install
+  #   yum_gpgcheck: false
+  # - name: acm
+  #   apt_repo: install
+  #   apt_validate: false

molecule/modules/converge.yml

@@ -16,4 +16,4 @@
           key: license/nginx-repo.key
         nms_modules:
           - name: acm
-          - name: sm
+          - name: sm

molecule/modules/verify.yml

@@ -44,7 +44,7 @@
         url: https://localhost/modules
         status_code: 200
         validate_certs: false
-        return_content: yes
+        return_content: true
         body_format: json
       register: response
       failed_when: '("API Connectivity Manager" and "Security Monitoring") not in (response.json | map(attribute="name") | list)'

molecule/plus-count-upgrade/converge.yml

@@ -29,7 +29,7 @@
       ansible.builtin.systemd:
         name: nginx-agent
         state: stopped
-  
+
     - name: (RedHat) Upgrading nginx-agent
       ansible.builtin.yum:
         name: nginx-agent

tasks/nms/install-debian.yml

@@ -1,20 +1,34 @@
 ---
-- name: (Debian/Ubuntu) {{ (nms_cleanup_status is defined) | ternary('Remove', 'Configure') }} NGINX Management Suite Apt repository
+- name: (Debian/Ubuntu) {{ 'Remove' if nms_cleanup_status is defined or nms_state == 'absent' else 'Configure' }} NGINX Management Suite Apt repository
   ansible.builtin.apt_repository:
-    repo: "{{ nms_debian_signing_key_repo }}"
+    repo: "{{ nms_repository_debian | default(nms_default_repository_debian) }}"
     state: "{{ nms_cleanup_status | default((nms_setup == 'uninstall') | ternary('absent', 'present')) }}"
     update_cache: false
     filename: nms
 
+- name: (Debian/Ubuntu) {{ 'Remove' if nms_cleanup_status is defined or nms_state == 'absent' else 'Configure' }} NMS Module Apt repository
+  ansible.builtin.apt_repository:
+    repo: "{{ item.apt_repo }}"
+    state: "{{ nms_cleanup_status | default(nms_state if item.setup is not defined else nms_state_vals[item.setup]) }}"
+    update_cache: false
+    validate_certs: "{{ omit if item.apt_validate is not defined else item.apt_validate }}"
+    filename: "nms-{{ item.name }}"
+  loop: "{{ nms_modules }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when:
+    - nms_modules is defined
+    - item.apt_repo is defined
+
 - name: (Debian/Ubuntu) {{ nms_cleanup_status is defined | ternary('Remove', 'Configure') }} NGINX Plus license verification
   ansible.builtin.blockinfile:
     path: /etc/apt/apt.conf.d/90nginx
     create: true
     block: |
-      Acquire::https::{{ (nginx_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::Verify-Peer "true";
-      Acquire::https::{{ (nginx_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::Verify-Host "true";
-      Acquire::https::{{ (nginx_repositorynsibl | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslCert     "/etc/ssl/nginx/nginx-repo.crt";
-      Acquire::https::{{ (nginx_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslKey      "/etc/ssl/nginx/nginx-repo.key";
+      Acquire::https::{{ (nms_repository_debian | default(nms_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::Verify-Peer "true";
+      Acquire::https::{{ (nms_repository_debian | default(nms_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::Verify-Host "true";
+      Acquire::https::{{ (nms_repository_debian | default(nms_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslCert     "/etc/ssl/nginx/nginx-repo.crt";
+      Acquire::https::{{ (nms_repository_debian | default(nms_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslKey      "/etc/ssl/nginx/nginx-repo.key";
     state: "{{ nms_cleanup_status | default((nms_setup == 'uninstall') | ternary('absent', 'present')) }}"
     mode: "0444"
 
@@ -26,8 +40,11 @@
     state: "{{ nms_state }}"
   register: nms_install_state
   when: nms_cleanup_status is not defined
+  notify:
+    - Restart NGINX Management Suite
+    - Restart NGINX
 
-- name: (Debian/Ubuntu) NMS Modules
+- name: (Debian/Ubuntu) {{ nms_setup if item.setup is not defined else item.setup | capitalize }} NMS Modules
   ansible.builtin.apt:
     name: "{{ nms_module_vals[item.name]['package_name'] }}{{ '' if (item.version is not defined or item.version == '') else '=' + item.version }}"
     update_cache: true

tasks/nms/install-redhat.yml

@@ -1,27 +1,31 @@
 ---
-- name: (CentOS/Oracle Linux/RHEL) {{ (nms_cleanup_status is defined) | ternary('Remove', 'Configure') }} NGINX Management Suite Yum repository
+- name: (Amazon/CentOS/Oracle Linux/RHEL) {{ 'Remove' if nms_cleanup_status is defined or nms_state == 'absent' else 'Configure' }} NGINX Management Suite Yum repository
   ansible.builtin.yum_repository:
     name: nms
     description: NGINX Management Suite
-    baseurl: "{{ nms_centos_yum_repo }}"
+    baseurl: "{{ nms_repository_redhat | default(lookup('vars', 'nms_default_repository_' + ((ansible_facts['distribution'] == 'Amazon') | ternary('amazon', 'centos')))) }}"
     enabled: true
     gpgcheck: "{{ omit if nms_gpgcheck is not defined else nms_gpgcheck }}"
     sslclientcert: "/etc/ssl/nginx/nginx-repo.crt"
     sslclientkey: "/etc/ssl/nginx/nginx-repo.key"
     state: "{{ nms_cleanup_status | default('present') }}"
-  when: ansible_facts['distribution'] != "Amazon"
 
-- name: (Amazon) {{ (nms_cleanup_status is defined) | ternary('Remove', 'Configure') }} NGINX Management Suite Yum repository
+- name: (Amazon/CentOS/Oracle Linux/RHEL) {{ 'Remove' if nms_cleanup_status is defined or nms_state == 'absent' else 'Configure' }} NMS Module Yum repository
   ansible.builtin.yum_repository:
-    name: nms
-    description: NGINX Management Suite
-    baseurl: "{{ nms_amazon_yum_repo }}"
+    name: "nms-{{ item.name }}"
+    description: "NGINX Management Suite - {{ item.name }}"
+    baseurl: "{{ item.yum_repo }}"
     enabled: true
-    gpgcheck: "{{ omit if nms_gpgcheck is not defined else nms_gpgcheck }}"
+    gpgcheck: "{{ omit if item.yum_gpgcheck is not defined else item.yum_gpgcheck }}"
     sslclientcert: "/etc/ssl/nginx/nginx-repo.crt"
     sslclientkey: "/etc/ssl/nginx/nginx-repo.key"
-    state: "{{ nms_cleanup_status | default('present') }}"
-  when: ansible_facts['distribution'] == "Amazon"
+    state: "{{ nms_cleanup_status | default(nms_state if item.setup is not defined else nms_state_vals[item.setup]) }}"
+  loop: "{{ nms_modules }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when:
+    - nms_modules is defined
+    - item.yum_repo is defined
 
 - name: (Amazon Linux/CentOS/Oracle Linux/RHEL) {{ nms_setup | capitalize }} NGINX Instance Manager
   ansible.builtin.yum:
@@ -32,8 +36,11 @@
     update_only: "{{ nms_setup | lower == 'upgrade' }}"
   register: nms_install_state
   when: nms_cleanup_status is not defined
+  notify:
+    - Restart NGINX Management Suite
+    - Restart NGINX
 
-- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) NMS Modules
+- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) {{ nms_setup if item.setup is not defined else item.setup | capitalize }} NMS Modules
   ansible.builtin.yum:
     name: "{{ nms_module_vals[item.name]['package_name'] }}{{ '' if (item.version is not defined or item.version == '') else '-' + item.version }}"
     update_cache: true

tasks/prerequisites/prereq-debian.yml

@@ -6,6 +6,6 @@
 
 - name: (Debian) Import NGINX signing key from url
   ansible.builtin.apt_key:
-    id: "{{ nms_debian_signing_key_id }}"
-    keyring: "{{ nms_debian_signing_key_keyring_path }}"
+    id: "{{ nms_key_id | default(nms_default_key_id) }}"
+    keyring: "{{ nms_keyring_path | default(nms_default_keyring_path) }}"
     url: "https://nginx.org/keys/nginx_signing.key"

vars/main.yml

@@ -43,14 +43,15 @@ nms_supported_distributions:
     versions: [18.04, 20.04, 22.04]
     architectures: [x86_64]
 
-# Debian specific repo for NMS install
-nms_debian_signing_key_id: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
-nms_debian_signing_key_keyring_path: /usr/share/keyrings/nginx-archive-keyring.gpg
-nms_debian_signing_key_repo: deb [signed-by={{ nms_debian_signing_key_keyring_path }}] https://pkgs.nginx.com/nms/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus
+# Default NMS apt signing key
+nms_default_key_id: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+nms_default_keyring_path: /usr/share/keyrings/nginx-archive-keyring.gpg
+
+# Default NMS repositories
+nms_default_repository_debian: deb [signed-by={{ nms_keyring_path | default(nms_default_keyring_path) }}] https://pkgs.nginx.com/nms/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus
+nms_default_repository_centos: https://pkgs.nginx.com/nms/centos/$releasever/$basearch/
+nms_default_repository_amazon: https://pkgs.nginx.com/nms/amzn2/$releasever/$basearch/
 
-# RPM specific repo for NMS install
-nms_centos_yum_repo: https://pkgs.nginx.com/nms/centos/$releasever/$basearch/
-nms_amazon_yum_repo: https://pkgs.nginx.com/nms/amzn2/$releasever/$basearch/
 # # For development purposes for disabling gpg check when installing on OS with RPM repo.
 # nms_gpgcheck: false