From 20898c310a04951ff584ce3896d268d5203e35db Mon Sep 17 00:00:00 2001
From: rene
Date: Thu, 21 Apr 2022 14:57:47 +0200
Subject: [PATCH] use signed repos

---
 .../tasks/system_setup/prepare_packagemanager.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/roles/mastodon/tasks/system_setup/prepare_packagemanager.yml b/roles/mastodon/tasks/system_setup/prepare_packagemanager.yml
index 745ef82..7ee4a80 100644
--- a/roles/mastodon/tasks/system_setup/prepare_packagemanager.yml
+++ b/roles/mastodon/tasks/system_setup/prepare_packagemanager.yml
@@ -7,6 +7,14 @@
 - { id: "72ECF46A56B4AD39C907BBB71646B01B86E50310", url: "https://dl.yarnpkg.com/debian/pubkey.gpg" }
 - { id: "9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280", url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key" }
 
+- name: mastodon | package manager | download gpg keys
+ get_url:
+ url: "{{ item.url }}"
+ dest: "/usr/share/keyrings/{{ item.localkey }}"
+ loop:
+ - { url: "https://dl.yarnpkg.com/debian/pubkey.gpg", localkey: "yarnkey.gpg" }
+ - { url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key", localkey: "nodesource.gpg.key" }
+
 - name: mastodon | package manager | add repos
 apt_repository:
 repo: "{{ item.repo }}"
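Review bot: The new `get_url` task stores whatever the two URLs return under `/usr/share/keyrings/` without pinning it, so the fingerprints listed in the loop just above are never compared with the downloaded files. Add a per-item `checksum: "sha256:<digest of the vetted key file>"` (placeholder) and an explicit `mode: "0644"`. The unchanged loop above belongs to a task that starts outside the hunk, presumably `apt_key`. If it still imports the same keys into the global trusted keyring, they stay trusted for every repository and the scoping that `signed-by` gives is lost, so consider dropping it in this change. Both upstream files are probably ASCII-armored, and apt expects armored keys under a `.asc` name and binary keyrings under `.gpg`, so confirm that `yarnkey.gpg` and `nodesource.gpg.key` are not ignored as an unsupported file type, or dearmor them first.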
@@ -16,6 +24,6 @@
 validate_certs: yes # not required. If C(no), SSL certificates for the target repo will not be validated. This should only be used on personally controlled sites using self-signed certificates.
 filename: "{{ item.filename }}"
 loop:
- - { repo: "deb https://dl.yarnpkg.com/debian/ stable main", filename: "yarn"}
- - { repo: "deb https://deb.nodesource.com/node_{{ node_major_version }}.x {{ ansible_lsb.codename }} main", filename: "nodejs"}
- - { repo: "deb-src https://deb.nodesource.com/{{ node_major_version }}.x {{ ansible_lsb.codename }} main", filename: "nodejs"}
\ No newline at end of file
+ - { repo: "deb [signed-by="/usr/share/keyrings/yarnkey.gpg"] https://dl.yarnpkg.com/debian/ stable main", filename: "yarn"}
+ - { repo: "deb [signed-by="/usr/share/keyrings/nodesource.gpg.key"] https://deb.nodesource.com/node_{{ node_major_version }}.x {{ ansible_lsb.codename }} main", filename: "nodejs"}
+ - { repo: "deb-src [signed-by="/usr/share/keyrings/nodesource.gpg.key"] https://deb.nodesource.com/{{ node_major_version }}.x {{ ansible_lsb.codename }} main", filename: "nodejs"}
\ No newline at end of file
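Review bot: The inner double quotes in `[signed-by="/usr/share/keyrings/yarnkey.gpg"]` end the surrounding double-quoted YAML scalar, so all three new loop items should fail to parse and the role would stop before any repo is added. apt does not need the path quoted, so write `- { repo: "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian/ stable main", filename: "yarn" }` and do the same for the two nodesource entries. On hosts provisioned before this change the old entries without `signed-by` will probably remain in the `yarn` and `nodejs` list files, and apt refuses a source that appears with conflicting Signed-By values, so a cleanup task using `state: absent` for the old lines may be needed. The `deb-src` URL still lacks the `node_` prefix that the `deb` line has, which looks like a carried-over typo worth checking.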