Skip to main content

Raymii.org Logo (IEC resistor symbol)logo

Quis custodiet ipsos custodes?
Home | About | All pages | RSS Feed | Gopher

Ansible - Add an apt-repository on Debian and Ubuntu

Published: 15-05-2016 | Last update: 14-12-2018 | Author: Remy van Elst | Text only version of this article


Table of Contents


This is a guide that shows you how to add an apt repository to Debian and Ubuntuusing Ansible. It includes both the old way, when the apt modules only worked onUbuntu, and the new way, now that the apt-modules also support Debian, plus someother tricks.

If you like this article, consider sponsoring me by trying out a Digital OceanVPS. With this link you'll get $100 credit for 60 days). (referral link)

Introduction

Ansible allows you to add apt repositories and apt repository signing keyseasily using the two modules apt_repository and apt_key. You can use thiswhen you need to install packages from an external location, for example,nginx or goaccess. Both of these packages are in the repositories, but notthe latest version.

Using Ansible you can add the repository and the signing key, and then installthe package from the new repo. This guide will show you a few ways to do that inplaybooks.

The new way

The easy way is to first add the repository key, then add the repository andfinally install the package. Here's an example for nginx:

# always try to use HTTPS. I'm not sure why the nginx folks don't provide it.- name: add nginx apt-key  apt_key:     url: http://nginx.org/keys/nginx_signing.key     state: present - name: add nginx apt repository  apt_repository:     repo: 'deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx'     state: present     filename: nginx     update_cache: yes- name: install nginx  apt:     name: nginx    state: present    update_cache: yes

This is a three line playbook which will download and install the repositorykey, add the repository to a seperate file in /etc/apt/sources.list.d/ andinstall the package while also doing an apt-get update to refresh the aptcache with the new repository.

This is the recommended way to add a repo and install packages from there. Readon to find out the workarounds in ye olden days.

The old way

In the past the apt_key module and behaved wonky on Debian installations, butnot on Ubuntu. The apt_key module also did not support downloading keys fromexternal locations and was tailored more to PPA's, which are nonexistent onDebian. Here's the same NGINX example, using the older way, which still works bythe way.

- name: 'add nginx repository'  template:     src: nginx.list.j2    dest: /etc/apt/sources.list.d/nginx.list- name: make sure folder /var/keys exists  file:     path: /var/keys    state: directory     owner: root- name: 'get nginx package signing key'  get_url:     url: http://nginx.org/keys/nginx_signing.key    dest: /var/keys/nginx_signing.key  register: result- name: add nginx apt-key  command: apt-key add '/var/keys/nginx_signing.key'  when: result.changed- name: install nginx  apt:    name: nginx     state: latest    update_cache: yes

The nginx repository template contains the following:

# {{ ansible_managed }}deb http://nginx.org/packages/mainline/{{ ansible_lsb.id|lower }}/ {{ ansible_lsb.codename|lower }} nginxdeb-src http://nginx.org/packages/mainline/{{ ansible_lsb.id|lower }}/ {{ ansible_lsb.codename|lower }} nginx

This is quite a nice trick, because it works on both Debian and Ubuntu, allversions. On the latest Ubuntu 16.04 the resulting repository line is this:

deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx

But on an onder Debian installation, the result is this:

deb http://nginx.org/packages/mainline/debian/ wheezy nginx

You do need to make sure the upstream repository also follows this structure. Inthe nginx case, it does.

First a directory is created for the keyfile. The apt-key is downloaded manuallyto there, the result is registered. If the key already exists or is the same, wedon't do anything. If the key isn't there or has changed, we execute the apt-key add command manually to add the repository signing key. If that's all done,we update the apt-cache and install nginx.

That's quite a bit more steps and ways to break stuff, plus, less idempotent dueto the manual command. My playbook was so old, it still used the action: aptinstead of just apt:.

This is not the recommended way, but it still works just fine. If you addrepositories this way, no problem, but you might want to consider rewriting theplaybooks to the newer way.

More documentation

The official documentation for the two modules can be found on the Ansible docssite: apt_repository and apt_key.

You can also check out my other Ansible articles.

Tags: ansible, apt, deb, nginx, packages, python, repo, tutorials