From 5f3c13ab68df846ddc3bc9e9906b37a67aab2a05 Mon Sep 17 00:00:00 2001
From: jtekuelve <153301222+jtekuelve@users.noreply.github.com>
Date: Thu, 7 Mar 2024 14:20:46 +0100
Subject: [PATCH] Make Zabbix repository gpg key URL customizable (#1186)

---
 changelogs/fragments/1186-custom_gpg_key_url.yml | 7 +++++++
 docs/ZABBIX_AGENT_ROLE.md                        | 2 ++
 docs/ZABBIX_JAVAGATEWAY_ROLE.md                  | 2 ++
 docs/ZABBIX_PROXY_ROLE.md                        | 3 +++
 docs/ZABBIX_SERVER_ROLE.md                       | 2 ++
 docs/ZABBIX_WEB_ROLE.md                          | 2 ++
 roles/zabbix_agent/defaults/main.yml             | 3 +++
 roles/zabbix_agent/tasks/Debian.yml              | 4 ++--
 roles/zabbix_agent/vars/Debian.yml               | 2 +-
 roles/zabbix_javagateway/defaults/main.yml       | 3 +++
 roles/zabbix_javagateway/tasks/Debian.yml        | 7 +++++--
 roles/zabbix_javagateway/vars/Debian.yml         | 2 +-
 roles/zabbix_proxy/defaults/main.yml             | 2 ++
 roles/zabbix_proxy/tasks/Debian.yml              | 7 +++++--
 roles/zabbix_proxy/vars/Debian.yml               | 2 +-
 roles/zabbix_server/defaults/main.yml            | 2 ++
 roles/zabbix_server/tasks/Debian.yml             | 7 +++++--
 roles/zabbix_server/vars/Debian.yml              | 2 +-
 roles/zabbix_web/defaults/main.yml               | 3 +++
 roles/zabbix_web/tasks/Debian.yml                | 7 +++++--
 roles/zabbix_web/vars/Debian.yml                 | 2 +-
 21 files changed, 58 insertions(+), 15 deletions(-)
 create mode 100644 changelogs/fragments/1186-custom_gpg_key_url.yml

diff --git a/changelogs/fragments/1186-custom_gpg_key_url.yml b/changelogs/fragments/1186-custom_gpg_key_url.yml
new file mode 100644
index 000000000..03c414298
--- /dev/null
+++ b/changelogs/fragments/1186-custom_gpg_key_url.yml
@@ -0,0 +1,7 @@
+minor_changes:
+  - agent, javagateway, proxy, server, and web role - introduced default variable zabbix_repo_deb_gpg_key_url with value http://repo.zabbix.com/zabbix-official-repo.key
+  - agent, javagateway, proxy, server, and web role - used zabbix_repo_deb_gpg_key_url in "Debian | Download gpg key" instead of hardcoded url
+  - agent, javagateway, proxy, server, and web role - added the http_proxy and https_proxy environment variables to "Debian | Download gpg key" analog to other tasks
+  - agent, javagateway, proxy, server, and web role - introduced default variable zabbix_repo_deb_include_deb_src with value true
+  - agent, javagateway, proxy, server, and web role - used variable zabbix_repo_deb_include_deb_src in "Debian | Installing repository" to determine whether deb-src should be added to /etc/apt/sources.list.d/zabbix.sources
+  - agent, javagateway, proxy, server, and web role - removed superfluous slash in zabbix_gpg_key of the Debian vars and renamed key to zabbix-repo instead of zabbix-official-repo
diff --git a/docs/ZABBIX_AGENT_ROLE.md b/docs/ZABBIX_AGENT_ROLE.md
index 0ad0f7747..5efe7c9c7 100644
--- a/docs/ZABBIX_AGENT_ROLE.md
+++ b/docs/ZABBIX_AGENT_ROLE.md
@@ -136,6 +136,8 @@ The following is an overview of all available configuration default for this rol
 * `zabbix_agent_disable_repo`: A list of repos to disable during install.  Default `epel`.
 * `zabbix_repo_deb_url`: The URL to the Zabbix repository.  Default `http://repo.zabbix.com/zabbix/{{ zabbix_agent_version }}/{{ ansible_distribution.lower() }}`
 * `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`.
+* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`.
+* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`.
 
 ### SElinux
 
diff --git a/docs/ZABBIX_JAVAGATEWAY_ROLE.md b/docs/ZABBIX_JAVAGATEWAY_ROLE.md
index 1761c7f8b..c83e4279f 100644
--- a/docs/ZABBIX_JAVAGATEWAY_ROLE.md
+++ b/docs/ZABBIX_JAVAGATEWAY_ROLE.md
@@ -62,6 +62,8 @@ The `zabbix_javagateway_version` is optional. The latest available major.minor v
 * `zabbix_javagateway_conf_mode`: Default: `0644`. The "mode" for the Zabbix configuration file.
 * `zabbix_repo_deb_url`: The URL to the Zabbix repository.  Default `http://repo.zabbix.com/zabbix/{{ zabbix_agent_version }}/{{ ansible_distribution.lower() }}`
 * `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`.
+* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`.
+* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`.
 
 ### Java Gatewaty
 
diff --git a/docs/ZABBIX_PROXY_ROLE.md b/docs/ZABBIX_PROXY_ROLE.md
index baec42155..f4c9922be 100644
--- a/docs/ZABBIX_PROXY_ROLE.md
+++ b/docs/ZABBIX_PROXY_ROLE.md
@@ -133,6 +133,9 @@ The following is an overview of all available configuration default for this rol
 * `*zabbix_proxy_package_state`: Default: `present`. Can be overridden to `latest` to update packages
 * `zabbix_repo_deb_url`: The URL to the Zabbix repository.  Default `http://repo.zabbix.com/zabbix/{{ zabbix_proxy_version }}/{{ ansible_distribution.lower() }}`
 * `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`.
+* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`.
+* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`.
+
 ### SElinux
 
 * `zabbix_proxy_selinux`: Default: `False`. Enables an SELinux policy so that the Proxy will run.
diff --git a/docs/ZABBIX_SERVER_ROLE.md b/docs/ZABBIX_SERVER_ROLE.md
index f154f4951..9c3139480 100644
--- a/docs/ZABBIX_SERVER_ROLE.md
+++ b/docs/ZABBIX_SERVER_ROLE.md
@@ -109,6 +109,8 @@ The following is an overview of all available configuration default for this rol
 * `zabbix_service_enabled`: Default: `True` Can be overridden to `False` if needed
 * `zabbix_repo_deb_url`: The URL to the Zabbix repository.  Default `http://repo.zabbix.com/zabbix/{{ zabbix_server_version }}/{{ ansible_distribution.lower() }}`
 * `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`.
+* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`.
+* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`.
 
 ### SElinux
 
diff --git a/docs/ZABBIX_WEB_ROLE.md b/docs/ZABBIX_WEB_ROLE.md
index 5904f8288..91ef7e236 100644
--- a/docs/ZABBIX_WEB_ROLE.md
+++ b/docs/ZABBIX_WEB_ROLE.md
@@ -94,6 +94,8 @@ The following is an overview of all available configuration defaults for this ro
 * `zabbix_web_conf_mode`: Default: `0644`. The "mode" for the Zabbix configuration file.
 * `zabbix_repo_deb_url`: The URL to the Zabbix repository.  Default `http://repo.zabbix.com/zabbix/{{ zabbix_web_version }}/{{ ansible_distribution.lower() }}`
 * `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`.
+* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`.
+* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`.
 
 ### Zabbix Web specific
 
diff --git a/roles/zabbix_agent/defaults/main.yml b/roles/zabbix_agent/defaults/main.yml
index 71fa98178..9c5d1c81d 100644
--- a/roles/zabbix_agent/defaults/main.yml
+++ b/roles/zabbix_agent/defaults/main.yml
@@ -26,6 +26,9 @@ zabbix_agent2_deny_key: "{{ zabbix_agent_deny_key }}"
 # Selinux related vars
 selinux_allow_zabbix_run_sudo: false
 
+zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key
+zabbix_repo_deb_include_deb_src: true
+
 zabbix_agent_install_agent_only: false
 zabbix_agent_packages:
   - "{{ zabbix_agent_package }}"
diff --git a/roles/zabbix_agent/tasks/Debian.yml b/roles/zabbix_agent/tasks/Debian.yml
index 014e490b2..ca4b73b61 100644
--- a/roles/zabbix_agent/tasks/Debian.yml
+++ b/roles/zabbix_agent/tasks/Debian.yml
@@ -67,7 +67,7 @@
 - name: "Debian | Download gpg key"
   when: not ansible_check_mode  # Because get_url always has changed status in check_mode.
   ansible.builtin.get_url:
-    url: http://repo.zabbix.com/zabbix-official-repo.key
+    url: "{{ zabbix_repo_deb_gpg_key_url }}"
     dest: "{{ zabbix_gpg_key }}"
     mode: "0644"
     force: true
@@ -85,7 +85,7 @@
     group: root
     mode: 0644
     content: |
-      Types: deb deb-src
+      Types: deb{{ ' deb-src' if zabbix_repo_deb_include_deb_src }}
       Enabled: yes
       URIs: {{ zabbix_repo_deb_url }}
       Suites: {{ ansible_distribution_release }}
diff --git a/roles/zabbix_agent/vars/Debian.yml b/roles/zabbix_agent/vars/Debian.yml
index 4a65dfbeb..be6a10441 100644
--- a/roles/zabbix_agent/vars/Debian.yml
+++ b/roles/zabbix_agent/vars/Debian.yml
@@ -44,5 +44,5 @@ zabbix_valid_agent_versions:
     - 6.0
 
 debian_keyring_path: /etc/apt/keyrings/
-zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc"
+zabbix_gpg_key: "{{ debian_keyring_path }}zabbix-repo.asc"
 _zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_agent_version }}"
diff --git a/roles/zabbix_javagateway/defaults/main.yml b/roles/zabbix_javagateway/defaults/main.yml
index 4356f61a4..2998423f1 100644
--- a/roles/zabbix_javagateway/defaults/main.yml
+++ b/roles/zabbix_javagateway/defaults/main.yml
@@ -31,3 +31,6 @@ zabbix_javagateway_pidfile: /run/zabbix/zabbix_java_gateway.pid
 zabbix_javagateway_listenip: 0.0.0.0
 zabbix_javagateway_listenport: 10052
 zabbix_javagateway_startpollers: 5
+
+zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key
+zabbix_repo_deb_include_deb_src: true
diff --git a/roles/zabbix_javagateway/tasks/Debian.yml b/roles/zabbix_javagateway/tasks/Debian.yml
index 74ad4cf75..743055407 100644
--- a/roles/zabbix_javagateway/tasks/Debian.yml
+++ b/roles/zabbix_javagateway/tasks/Debian.yml
@@ -48,10 +48,13 @@
 - name: "Debian | Download gpg key"
   when: not ansible_check_mode  # Because get_url always has changed status in check_mode.
   ansible.builtin.get_url:
-    url: http://repo.zabbix.com/zabbix-official-repo.key
+    url: "{{ zabbix_repo_deb_gpg_key_url }}"
     dest: "{{ zabbix_gpg_key }}"
     mode: "0644"
     force: true
+  environment:
+    http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}"
+    https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}"
   become: true
   tags:
     - install
@@ -63,7 +66,7 @@
     group: root
     mode: 0644
     content: |
-      Types: deb deb-src
+      Types: deb{{ ' deb-src' if zabbix_repo_deb_include_deb_src }}
       Enabled: yes
       URIs: {{ zabbix_repo_deb_url }}
       Suites: {{ ansible_distribution_release }}
diff --git a/roles/zabbix_javagateway/vars/Debian.yml b/roles/zabbix_javagateway/vars/Debian.yml
index 2253f5b7b..7eacbf909 100644
--- a/roles/zabbix_javagateway/vars/Debian.yml
+++ b/roles/zabbix_javagateway/vars/Debian.yml
@@ -26,5 +26,5 @@ zabbix_valid_javagateway_versions:
     - 6.0
 
 debian_keyring_path: /etc/apt/keyrings/
-zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc"
+zabbix_gpg_key: "{{ debian_keyring_path }}zabbix-repo.asc"
 _zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_javagateway_version }}"
diff --git a/roles/zabbix_proxy/defaults/main.yml b/roles/zabbix_proxy/defaults/main.yml
index f46c9c64e..07d14eda0 100644
--- a/roles/zabbix_proxy/defaults/main.yml
+++ b/roles/zabbix_proxy/defaults/main.yml
@@ -61,6 +61,8 @@ zabbix_repo_yum:
     state: present
 zabbix_proxy_apt_priority:
 zabbix_proxy_package_state: present
+zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key
+zabbix_repo_deb_include_deb_src: true
 
 # Proxy Configuration Variables (Only ones with role provided defaults)
 zabbix_proxy_allowroot: 0
diff --git a/roles/zabbix_proxy/tasks/Debian.yml b/roles/zabbix_proxy/tasks/Debian.yml
index 31029ee18..83a38c24a 100644
--- a/roles/zabbix_proxy/tasks/Debian.yml
+++ b/roles/zabbix_proxy/tasks/Debian.yml
@@ -73,10 +73,13 @@
 - name: "Debian | Download gpg key"
   when: not ansible_check_mode  # Because get_url always has changed status in check_mode.
   ansible.builtin.get_url:
-    url: http://repo.zabbix.com/zabbix-official-repo.key
+    url: "{{ zabbix_repo_deb_gpg_key_url }}"
     dest: "{{ zabbix_gpg_key }}"
     mode: "0644"
     force: true
+  environment:
+    http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}"
+    https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}"
   register: are_zabbix_proxy_dependency_packages_installed
   until: are_zabbix_proxy_dependency_packages_installed is succeeded
   become: true
@@ -90,7 +93,7 @@
     group: root
     mode: 0644
     content: |
-      Types: deb deb-src
+      Types: deb{{ ' deb-src' if zabbix_repo_deb_include_deb_src }}
       Enabled: yes
       URIs: {{ zabbix_repo_deb_url }}
       Suites: {{ ansible_distribution_release }}
diff --git a/roles/zabbix_proxy/vars/Debian.yml b/roles/zabbix_proxy/vars/Debian.yml
index cd9527eb2..a6d1e810b 100644
--- a/roles/zabbix_proxy/vars/Debian.yml
+++ b/roles/zabbix_proxy/vars/Debian.yml
@@ -51,7 +51,7 @@ mysql_plugin:
   "10": mysql_native_password
 
 debian_keyring_path: /etc/apt/keyrings/
-zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc"
+zabbix_gpg_key: "{{ debian_keyring_path }}zabbix-repo.asc"
 _zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_proxy_version }}"
 _zabbix_proxy_fping6location: /usr/bin/fping6
 _zabbix_proxy_fpinglocation: /usr/bin/fping
diff --git a/roles/zabbix_server/defaults/main.yml b/roles/zabbix_server/defaults/main.yml
index 6aec202dd..2455d4205 100644
--- a/roles/zabbix_server/defaults/main.yml
+++ b/roles/zabbix_server/defaults/main.yml
@@ -61,6 +61,8 @@ zabbix_repo_yum:
 zabbix_server_apt_priority:
 zabbix_server_install_recommends: true
 zabbix_server_conf_mode: 0640
+zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key
+zabbix_repo_deb_include_deb_src: true
 
 # Server Configuration Variables (Only ones with role provided defaults)
 zabbix_server_alertscriptspath: /usr/lib/zabbix/alertscripts
diff --git a/roles/zabbix_server/tasks/Debian.yml b/roles/zabbix_server/tasks/Debian.yml
index 5bd1be77f..0113db862 100644
--- a/roles/zabbix_server/tasks/Debian.yml
+++ b/roles/zabbix_server/tasks/Debian.yml
@@ -72,10 +72,13 @@
 - name: "Debian | Download gpg key"
   when: not ansible_check_mode  # Because get_url always has changed status in check_mode.
   ansible.builtin.get_url:
-    url: http://repo.zabbix.com/zabbix-official-repo.key
+    url: "{{ zabbix_repo_deb_gpg_key_url }}"
     dest: "{{ zabbix_gpg_key }}"
     mode: "0644"
     force: true
+  environment:
+    http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}"
+    https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}"
   register: zabbix_server_repo_files_installed
   until: zabbix_server_repo_files_installed is succeeded
   become: true
@@ -89,7 +92,7 @@
     group: root
     mode: 0644
     content: |
-      Types: deb deb-src
+      Types: deb{{ ' deb-src' if zabbix_repo_deb_include_deb_src }}
       Enabled: yes
       URIs: {{ zabbix_repo_deb_url }}
       Suites: {{ ansible_distribution_release }}
diff --git a/roles/zabbix_server/vars/Debian.yml b/roles/zabbix_server/vars/Debian.yml
index 4074869e6..d6c3aa384 100644
--- a/roles/zabbix_server/vars/Debian.yml
+++ b/roles/zabbix_server/vars/Debian.yml
@@ -29,7 +29,7 @@ zabbix_valid_server_versions:
     - 6.0
 
 debian_keyring_path: /etc/apt/keyrings/
-zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc"
+zabbix_gpg_key: "{{ debian_keyring_path }}zabbix-repo.asc"
 _zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_server_version }}"
 _zabbix_server_fping6location: /usr/bin/fping6
 _zabbix_server_fpinglocation: /usr/bin/fping
diff --git a/roles/zabbix_web/defaults/main.yml b/roles/zabbix_web/defaults/main.yml
index f37bb07da..c9a3d51df 100644
--- a/roles/zabbix_web/defaults/main.yml
+++ b/roles/zabbix_web/defaults/main.yml
@@ -87,6 +87,9 @@ zabbix_server_history_types:
   - "dbl"
 
 zabbix_selinux: false
+
+zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key
+zabbix_repo_deb_include_deb_src: true
 # selinux_allow_zabbix_can_network: false
 # zabbix_apache_can_connect_ldap: false
 
diff --git a/roles/zabbix_web/tasks/Debian.yml b/roles/zabbix_web/tasks/Debian.yml
index ffd12a367..08ec3fb12 100644
--- a/roles/zabbix_web/tasks/Debian.yml
+++ b/roles/zabbix_web/tasks/Debian.yml
@@ -90,10 +90,13 @@
 - name: "Debian | Download gpg key"
   when: not ansible_check_mode  # Because get_url always has changed status in check_mode.
   ansible.builtin.get_url:
-    url: http://repo.zabbix.com/zabbix-official-repo.key
+    url: "{{ zabbix_repo_deb_gpg_key_url }}"
     dest: "{{ zabbix_gpg_key }}"
     mode: "0644"
     force: true
+  environment:
+    http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}"
+    https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}"
   become: true
   tags:
     - install
@@ -105,7 +108,7 @@
     group: root
     mode: 0644
     content: |
-      Types: deb deb-src
+      Types: deb{{ ' deb-src' if zabbix_repo_deb_include_deb_src }}
       Enabled: yes
       URIs: {{ zabbix_repo_deb_url }}
       Suites: {{ ansible_distribution_release }}
diff --git a/roles/zabbix_web/vars/Debian.yml b/roles/zabbix_web/vars/Debian.yml
index 7b60c70bd..fcabaddc5 100644
--- a/roles/zabbix_web/vars/Debian.yml
+++ b/roles/zabbix_web/vars/Debian.yml
@@ -47,5 +47,5 @@ zabbix_valid_web_versions:
     - 6.0
 
 debian_keyring_path: /etc/apt/keyrings/
-zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc"
+zabbix_gpg_key: "{{ debian_keyring_path }}zabbix-repo.asc"
 _zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_web_version }}"