feat: uniform system.content source schema across installers and repositories

2026-05-27 05:15:32 +02:00
parent 939c5c741f
commit d922efd2e4
25 changed files with 419 additions and 50 deletions
--- a/roles/configuration/tasks/fstab.yml
+++ b/roles/configuration/tasks/fstab.yml
@@ -26,7 +26,7 @@
 - name: Remove RHEL ISO fstab entry when not using local repo
  when:
    - os == "rhel"
-    - system_cfg.features.rhel_repo.source != "iso"
+    - system_cfg.content.source != "dvd"
  ansible.builtin.lineinfile:
    path: /mnt/etc/fstab
    regexp: "^.*\\/dvd.*$"
@@ -35,7 +35,7 @@
 - name: Replace ISO UUID entry with /dev/sr0 in fstab
  when:
    - os == "rhel"
-    - system_cfg.features.rhel_repo.source == "iso"
+    - system_cfg.content.source == "dvd"
  vars:
    configuration_fstab_dvd_line: >-
      {{
@@ -53,7 +53,7 @@
  when:
    - os == "rhel"
    - hypervisor_type == "vmware"
-    - system_cfg.features.rhel_repo.source == "iso"
+    - system_cfg.content.source == "dvd"
  ansible.builtin.command:
    argv:
      - dd
--- a/roles/configuration/tasks/main.yml
+++ b/roles/configuration/tasks/main.yml
@@ -7,7 +7,6 @@
  ansible.builtin.include_tasks: "{{ configuration_task.file }}"
  loop:
    - file: repositories.yml
-      when: "{{ os_family == 'Debian' }}"
    - file: banner.yml
    - file: fstab.yml
    - file: locales.yml
--- a/roles/configuration/tasks/repositories.yml
+++ b/roles/configuration/tasks/repositories.yml
@@ -1,5 +1,8 @@
 ---
- name: Write final sources.list
+# Config runs against the chroot, so these write /mnt directly via templates
+# rather than apt_repository/yum_repository, which would touch the live host.
+- name: Write the apt sources.list
+  when: os_family == 'Debian'
  vars:
    _debian_release_map:
      "12": bookworm
@@ -13,11 +16,69 @@
    dest: /mnt/etc/apt/sources.list
    mode: "0644"

- name: Ensure apt performance configuration persists
+- name: Ensure apt performance and content-proxy configuration
+  when: os_family == 'Debian'
  ansible.builtin.copy:
    dest: /mnt/etc/apt/apt.conf.d/99performance
    content: |
      Acquire::Retries "3";
      Acquire::http::Pipeline-Depth "10";
      APT::Install-Recommends "false";
+      {% if system_cfg.content.proxy | length > 0 %}
+      Acquire::http::Proxy "{{ system_cfg.content.proxy }}";
+      Acquire::https::Proxy "{{ system_cfg.content.proxy }}";
+      {% endif %}
    mode: "0644"
+
+- name: Drop the install-time DVD repo from the target on non-dvd sources
+  when:
+    - os_family == 'RedHat'
+    - system_cfg.content.source != 'dvd'
+  ansible.builtin.file:
+    path: /mnt/etc/yum.repos.d/redhat.repo
+    state: absent
+
+- name: Write the EL mirror repo on the target
+  when:
+    - os_family == 'RedHat'
+    - system_cfg.content.source == 'mirror'
+    - system_cfg.content.url | length > 0
+  ansible.builtin.template:
+    src: el_mirror.repo.j2
+    dest: "/mnt/etc/yum.repos.d/{{ os }}.repo"
+    mode: "0644"
+
+- name: Find the stock vendor repos shipped by the release package
+  when:
+    - os_family == 'RedHat'
+    - system_cfg.content.source == 'mirror'
+    - system_cfg.content.url | length > 0
+  ansible.builtin.find:
+    paths: /mnt/etc/yum.repos.d
+    patterns: "*.repo"
+    excludes: "{{ os }}.repo"
+  register: el_stock_repos
+
+- name: Remove the stock vendor repos so only the custom mirror is reachable
+  when:
+    - os_family == 'RedHat'
+    - system_cfg.content.source == 'mirror'
+    - system_cfg.content.url | length > 0
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: absent
+  loop: "{{ el_stock_repos.files | default([]) }}"
+  loop_control:
+    label: "{{ item.path }}"
+
+- name: Configure the dnf content proxy on the target
+  when:
+    - os_family == 'RedHat'
+    - system_cfg.content.proxy | length > 0
+  ansible.builtin.lineinfile:
+    path: /mnt/etc/dnf/dnf.conf
+    line: "proxy={{ system_cfg.content.proxy }}"
+    regexp: "^proxy="
+    create: true
+    mode: "0644"
+    state: present
--- a/roles/configuration/tasks/satellite_register.yml
+++ b/roles/configuration/tasks/satellite_register.yml
@@ -0,0 +1,46 @@
+---
+# Invoked post-reboot on the booted host, not in the chroot: subscription-manager
+# needs a running systemd and the live network.
+- name: Add the Satellite host to /etc/hosts
+  when: system_cfg.content.satellite.ip | length > 0
+  ansible.builtin.lineinfile:
+    path: /etc/hosts
+    line: "{{ system_cfg.content.satellite.ip }} {{ system_cfg.content.satellite.host }}"
+    regexp: "[[:space:]]{{ system_cfg.content.satellite.host | regex_escape }}([[:space:]]|$)"
+    state: present
+
+- name: Fetch the Katello CA consumer RPM
+  ansible.builtin.get_url:
+    url: >-
+      {{ system_cfg.content.satellite.ca_url
+         if (system_cfg.content.satellite.ca_url | length > 0)
+         else 'https://' ~ system_cfg.content.satellite.host ~ '/pub/katello-ca-consumer-latest.noarch.rpm' }}
+    dest: /tmp/katello-ca-consumer-latest.noarch.rpm
+    validate_certs: false
+    mode: "0644"
+
+- name: Install the Katello CA consumer RPM
+  ansible.builtin.dnf:
+    name: /tmp/katello-ca-consumer-latest.noarch.rpm
+    state: present
+    disable_gpg_check: true
+
+- name: Clean any stale subscription identity
+  ansible.builtin.command: subscription-manager clean
+  changed_when: true
+
+- name: Register with Satellite via activation key
+  no_log: true
+  community.general.redhat_subscription:
+    state: present
+    server_hostname: "{{ system_cfg.content.satellite.host }}"
+    org_id: "{{ system_cfg.content.satellite.org }}"
+    activationkey: "{{ system_cfg.content.satellite.activation_key }}"
+    environment: "{{ system_cfg.content.satellite.environment | default(omit, true) }}"
+    auto_attach: true
+    force_register: true
+    server_proxy_hostname: "{{ (system_cfg.content.proxy | urlsplit('hostname')) | default(omit, true) }}"
+    server_proxy_port: "{{ (system_cfg.content.proxy | urlsplit('port')) | default(omit, true) }}"
+    syspurpose:
+      service_level_agreement: "{{ system_cfg.content.satellite.service_level | default(omit, true) }}"
+      sync: true
--- a/roles/configuration/templates/debian.sources.list.j2
+++ b/roles/configuration/templates/debian.sources.list.j2
@@ -1,6 +1,6 @@
 # Managed by Ansible.
 {% set release = _debian_release_map[os_version | string] | default('trixie') %}
-{% set mirror = system_cfg.mirror | default('http://deb.debian.org/debian', true) %}
+{% set mirror = system_cfg.content.url | default('http://deb.debian.org/debian', true) %}
 {% set components = 'main contrib non-free non-free-firmware' %}

 deb {{ mirror }} {{ release }} {{ components }}
--- a/roles/configuration/templates/el_mirror.repo.j2
+++ b/roles/configuration/templates/el_mirror.repo.j2
@@ -0,0 +1,17 @@
+[{{ os }}{{ os_version_major }}-baseos]
+name={{ os }} {{ os_version_major }} BaseOS
+baseurl={{ system_cfg.content.url }}/BaseOS
+enabled=1
+gpgcheck={{ 1 if system_cfg.content.gpgcheck | bool else 0 }}
+{% if system_cfg.content.proxy | length > 0 %}
+proxy={{ system_cfg.content.proxy }}
+{% endif %}
+
+[{{ os }}{{ os_version_major }}-appstream]
+name={{ os }} {{ os_version_major }} AppStream
+baseurl={{ system_cfg.content.url }}/AppStream
+enabled=1
+gpgcheck={{ 1 if system_cfg.content.gpgcheck | bool else 0 }}
+{% if system_cfg.content.proxy | length > 0 %}
+proxy={{ system_cfg.content.proxy }}
+{% endif %}
--- a/roles/configuration/templates/ubuntu.sources.list.j2
+++ b/roles/configuration/templates/ubuntu.sources.list.j2
@@ -1,6 +1,6 @@
 # Managed by Ansible.
 {% set release = _ubuntu_release_map[os] | default('resolute') %}
-{% set mirror = system_cfg.mirror %}
+{% set mirror = system_cfg.content.url %}
 {% set components = 'main restricted universe multiverse' %}

 deb {{ mirror }} {{ release }} {{ components }}