From 1edcfd5114b4ba496cf36d031184c1ef83542f7e Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Fri, 13 Oct 2017 20:29:24 +0300
Subject: Add: install signing key, keyring package via sources_lists
---
 roles/sane_debian_system/defaults/main.yml | 5 ++++-
 roles/sane_debian_system/tasks/apt.yml | 11 +++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/roles/sane_debian_system/defaults/main.yml b/roles/sane_debian_system/defaults/main.yml
index b804181..44b2b2c 100644
--- a/roles/sane_debian_system/defaults/main.yml
+++ b/roles/sane_debian_system/defaults/main.yml
@@ -14,7 +14,10 @@ debian_mirror: ftp.fi.debian.org
 # A list of extra APT repositories to add. Each list entry should be a
 # dict with the key "repo", which is the sources.list line to add. If
-# list is empty (as it is by default), nothing extra is added.
+# list is empty (as it is by default), nothing extra is added. Other
+# keys are "signing_key", the public key of the archive signing key,
+# and "keyring_packge", which contains the .deb package with the
+# archive signing key.
 sources_lists: []
diff --git a/roles/sane_debian_system/tasks/apt.yml b/roles/sane_debian_system/tasks/apt.yml
index d6ef838..9cbeca6 100644
--- a/roles/sane_debian_system/tasks/apt.yml
+++ b/roles/sane_debian_system/tasks/apt.yml
@@ -25,11 +25,22 @@
 repo: "{{ item.repo }}"
 update_cache: no
+- name: add archive signing keys
+ with_items: "{{ sources_lists }}"
+ apt_key:
+ data: "{{ item.signing_key }}"
+ state: present
+
 - name: update package lists
 apt:
 update_cache: yes
 cache_valid_time: 0
+- name: add archive keyrings
+ with_items: "{{ sources_lists }}"
+ apt:
+ name: "{{ item.keyring_package }}"
+
 - name: dist-upgrade so everything is up to date
 apt:
 upgrade: dist
-- 
cgit v1.2.1
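Review bot: The added comment spells the key "keyring_packge", while the task added in roles/sane_debian_system/tasks/apt.yml reads `item.keyring_package`, so a name copied from this comment is one the role never looks up. The comment line should read `# and "keyring_package", which contains the .deb package with the`. It would also help to state whether the two new keys are optional. Since `signing_key` is passed to apt_key's `data` parameter, it presumably has to be the ASCII-armored public key text rather than a key ID or a URL, and the comment could say so.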
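Review bot: Both new tasks dereference their key for every entry of `sources_lists`, so an entry that has only `repo` (the shape the defaults file documented until now) would presumably stop the play with an undefined-variable error at `item.signing_key` or `item.keyring_package`. Each task should carry a guard: `when: item.signing_key is defined` on "add archive signing keys" and `when: item.keyring_package is defined` on "add archive keyrings". Separately, `apt_key` adds the key to APT's global trusted keyring, so as far as I can tell it is then accepted for every configured repository and not only the one in `item.repo`. A comment saying so, or a per-repository keyring referenced with `signed-by` in the sources line, would keep the trust scope explicit. The hunk starts inside the preceding task, whose `- name:` line is not shown.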