Issue with custom apt sources created by deb822_repository

I try to get a grip on managing debian repositories with Ansible.

Playbook

    ---

    - name: deploy java-react example
      hosts: all
      become: true

      vars:
        node_major: '20'
        java_version: 8
        java_type: jdk

      tasks:
        - name: install python3-debian
          ansible.builtin.apt:
            name: python3-debian
            state: present
            update_cache: true
          become: true
          become_user: root

        - name: Add adoptium repo using key from URL
          ansible.builtin.deb822_repository:
            name: adoptium
          # types: deb
            uris: https://packages.adoptium.net/artifactory/deb
            suites: '{{ ansible_distribution_release }}'
            components: main
            architectures: amd64
            signed_by: https://packages.adoptium.net/artifactory/api/gpg/key/public

        - name: Add node repo using key from URL
          ansible.builtin.deb822_repository:
            name: node
            uris: https://deb.nodesource.com/node_{{ node_major }}.x
           suites: '{{ ansible_distribution_release }}'
            components: main
            architectures: amd64
            signed_by: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key

        - name: Install packages
          ansible.builtin.apt:  # package:
            name: "{{ item }}"
            state: present
            update_cache: true
          loop:
            - temurin-{{ java_version }}-{{java_type}}   # temurin-8-jdk
            - nodejs

Now the install packages TASK fails, apparently while updating apt:

    "msg": "E:Malformed entry 1 in sources file /etc/apt/sources.list.d/node.sources (Suite), E:The list of sources could not be read."

The node.sources file created looks like this:

    sysop@nexus:/etc/apt/sources.list.d$ cat node.sources
    X-Repolib-Name: node
    URIs: https://deb.nodesource.com/node_20.x
    Components: main
    Architectures: amd64
    Signed-By: /etc/apt/keyrings/node.asc
    Types: deb

Any idea, what I am doing wrong here?

A whitespace issue for the suites, try adding one additional space to the start of this line?

This is what I have for Node.js and this is the generated node.sources file:

    Allow-Downgrade-To-Insecure: no
    Allow-Insecure: no
    Allow-Weak: no
    Architectures: amd64
    Check-Date: yes
    Check-Valid-Until: yes
    Components: main
    Enabled: yes
    X-Repolib-Name: node
    Signed-By: /etc/apt/keyrings/nodejs.gpg
    Suites: bookworm
    Types: deb
    URIs: https://deb.nodesource.com/node_20.x

Sorry, my bad. I just made an error in the post. The task with such a wrong indentation would also just fail and not produce a keyfile that would not work, I guess. Weirdly, I cannot edit my own post. So this is what it actually is.

    - name: Add node repo using key from URL
      ansible.builtin.deb822_repository:
        name: node
        uris: https://deb.nodesource.com/node_{{ node_major }}.x
        suites: '{{ ansible_distribution_release }}'
        components: main
        architectures: amd64
        signed_by: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key

thx for that webarch / nodejs · GitLab link though.


The issue is that the Suites line is missing from your node.sources?

This is a guess but perhaps ansible_distribution_release is not defined and you need to add an explicit gather facts directive somewhere?

No problem, I’ve tried to work around the fact that the deb822_repository module doesn’t support diff mode and doesn’t have the option to produce backups.

Another shortcoming is that it only allows one set of sources per file, which is not the default for the file in Ubuntu 24.04 or Debian Trixie, so separate files have to be generated, eg ubuntu.sources and ubuntu-security.sources etc.

this is how I figured out to make it work now

    - name: Add node repo with key from URL
      ansible.builtin.deb822_repository:
        name: node
        uris: https://deb.nodesource.com/node_{{ node_major }}.x
        suites: '{{ ansible_distribution_release }}'
        components: main
        architectures: amd64
        signed_by: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
        trusted: true
      register: node_repo

where …

trusted: true

brings the solution.


Actually, as I am writing this, I believe there is some sort of mixup: trusted: true solves an error equivalent to "signatures couldn't be verified".


It’s odd that I don’t need trusted: true, the only other difference that perhaps has an effect here is the signed_by, I’m using a path to a local file rather than a URL :person_shrugging: .

actually I do not see through that role entirely, so it’s difficult to compare. But it would be probably beneficial not to need to use trusted I guess.

All the Webarchitects stuff looks pretty cool and sophisticated. Probably a good go-to place for various stuff.
