Diffstat (limited to 'roles/sane_debian_system/tasks/apt.yml')
-rw-r--r-- | roles/sane_debian_system/tasks/apt.yml | 55 |
1 files changed, 37 insertions, 18 deletions
diff --git a/roles/sane_debian_system/tasks/apt.yml b/roles/sane_debian_system/tasks/apt.yml index 84c6420..0da3332 100644 --- a/roles/sane_debian_system/tasks/apt.yml +++ b/roles/sane_debian_system/tasks/apt.yml @@ -1,9 +1,9 @@ # Safety check: make sure debian_codename is set. -- name: check that debian_codename is set +- name: check that sane_debian_system_codename is set shell: | - if [ "{{ debian_codename }}" = "" ] + if [ "{{ sane_debian_system_codename }}" = "" ] then - echo "You MUST set debian_codename" 1>&2 + echo "You MUST set sane_debian_system_codename" 1>&2 exit 1 fi @@ -11,8 +11,12 @@ # First update package lists. The ones that come with the image may be # badly out of date. # -# Ignore any error here so that later tasks can fix things such as a badly -# formed sources.list. +# Use shell to run apt-get, rather than the Ansible apt module, so +# that we can pass in the --allow-releaseinfo--change option. +- name: update package lists + shell: | + apt-get update --allow-releaseinfo-change + - name: update package lists ignore_errors: yes apt: @@ -24,11 +28,7 @@ # will still work. apt-transport-https is in the main Debian archive, # and we assume those are in the sources.list that come with the # image. -# -# Ignore any error here so that later tasks can fix things such as a badly -# formed sources.list. - name: install apt-transport-https - ignore_errors: yes apt: name: apt-transport-https 
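Review bot: The added `apt-get update --allow-releaseinfo-change` task accepts any change to a repository's Release metadata without confirmation, which turns off the check apt uses to flag a repository whose identity has changed. The same option is added again in the last hunk of this file. If only one field is expected to change, a field-specific form such as `apt-get update --allow-releaseinfo-change-suite` keeps the check for the other fields. The new task also has no `ignore_errors`, while the existing task of the same name right after it still does, so a malformed shipped sources.list would now appear to stop the play before the role rewrites that file. The added comment spells the option `--allow-releaseinfo--change` with a doubled dash, here and in the last hunk.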
@@ -37,26 +37,45 @@ src: sources.list.j2 dest: /etc/apt/sources.list +- name: "update package lists" + apt: + update_cache: yes + +- name: install necessary tools + apt: + name: + - sudo + +- name: "allow root to use sudo" + copy: + content: | + root ALL=(ALL:ALL) NOPASSWD: ALL + dest: /etc/sudoers.d/root + mode: 0600 + - name: additional sources.list.d/* - with_items: "{{ sources_lists }}" + with_items: "{{ sane_debian_system_sources_lists }}" apt_repository: repo: "{{ item.repo }}" update_cache: no - name: add archive signing keys - with_items: "{{ sources_lists }}" - apt_key: - data: "{{ item.signing_key }}" - state: present + with_items: "{{ sane_debian_system_sources_lists }}" + shell: | + key="{{ item.signing_key }}" + sum="$(echo -n "$key" | sha1sum | awk '{ print $1 }')" + echo "$key" > "/etc/apt/trusted.gpg.d/$sum.asc" when: item.signing_key is defined +# Use shell to run apt-get to update package lists so that we can pass +# in the --allow-releaseinfo--change option. - name: update package lists - apt: - update_cache: yes - cache_valid_time: 0 + shell: | + apt-get update --allow-releaseinfo-change + - name: add archive keyrings - with_items: "{{ sources_lists }}" + with_items: "{{ sane_debian_system_sources_lists }}" apt: name: "{{ item.keyring_package }}" when: item.keyring_package is defined |
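Review bot: In `add archive signing keys`, `key="{{ item.signing_key }}"` pastes the templated key into a double-quoted shell string, so any `"`, `$` or backtick in the key text (an armor `Comment:` header, for example) is interpreted by the shell instead of being written to the file. The `copy` module with `content:` and a `hash('sha1')`-derived `dest` writes the same file without a shell, is idempotent, and pins an explicit mode; the file name should match the current one for ordinary armored keys. Keys dropped into `/etc/apt/trusted.gpg.d` are trusted for every configured repository, so scoping each key to its own source with `signed-by` would be tighter, though that depends on how `item.repo` is written, which is not visible here. Separately, in the sudoers task `mode: 0600` is better quoted as `mode: "0600"`, and the `copy` could carry `validate: 'visudo -cf %s'`.

```yaml
- name: add archive signing keys
  # … unchanged: with_items …
  copy:
    content: "{{ item.signing_key }}\n"
    dest: "/etc/apt/trusted.gpg.d/{{ item.signing_key | hash('sha1') }}.asc"
    mode: "0644"
  # … unchanged: when: item.signing_key is defined …
```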