From 9b0347dc5b15a59a6fa56b60481846e7cdf4da30 Mon Sep 17 00:00:00 2001
From: ace
Date: Thu, 10 Aug 2023 18:39:24 +0300
Subject: [PATCH] fix rpm key import
---
 tasks/RedHat.yaml | 39 ++++++++++++++++++++++++++++++++++++++-
 vars/RedHat.yaml | 6 +++---
 2 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/tasks/RedHat.yaml b/tasks/RedHat.yaml
index e8f4816..b7b4fd2 100644
--- a/tasks/RedHat.yaml
+++ b/tasks/RedHat.yaml
@@ -11,7 +11,44 @@
 gpgkey: "{{ item.gpgkey | default('omit') }}"
 loop: "{{ postgres_exporter_rpm_repository }}"
-- name: Ensure {{ postgres_exporter_package }} version {{ postgres_exporter_version }} installed
+- name: Modify crypto policy for RHEL 9 before key import
+ when:
+ - ansible_facts['os_family'] == 'RedHat'
+ - ansible_facts['distribution_major_version'] == '9'
+ block:
+ - name: Get policy
+ shell: update-crypto-policies --show
+ register: cryptopolicy_before
+ changed_when: false
+
+ - name: Allow SHA1 keys
+ shell: update-crypto-policies --set {{ cryptopolicy_before.stdout }}:SHA1
+ when: "'SHA1' not in cryptopolicy_before.stdout"
+ changed_when: false
+
+- name: Import a key from a url
+ ansible.builtin.rpm_key:
+ key: "{{ item.1 | default('omit') }}"
+ state: present
+ loop: "{{ postgres_exporter_rpm_repository | subelements('gpgkey') }}"
+
+- name: Modify crypto policy for RHEL 9 after key import
+ when:
+ - ansible_facts['os_family'] == 'RedHat'
+ - ansible_facts['distribution_major_version'] == '9'
+ block:
+ - name: Get policy
+ shell: update-crypto-policies --show
+ register: cryptopolicy_after
+ changed_when: false
+
+ - name: Rollback policy after key import
+ shell: update-crypto-policies --set {{ cryptopolicy_before.stdout }}
+ when:
+ - cryptopolicy_before.stdout != cryptopolicy_after.stdout
+ changed_when: false
+
+- name: Ensure {{ postgres_exporter_package_name }} version {{ postgres_exporter_version }} installed
 dnf:
 name: "{{ postgres_exporter_package }}"
 state: present
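Review bot: The SHA1 relaxation is not guaranteed to be undone: if `Import a key from a url` fails, the play stops for that host before `Rollback policy after key import` runs, and the system-wide crypto policy stays at `<policy>:SHA1`. Putting the import in a `block` with the rollback under `always` closes that window; the RHEL 9 conditions then have to sit on the individual policy tasks, since a block-level `when` would also skip the import on other releases. Both `--set` tasks also carry `changed_when: false`, which hides a real change to host state from the play recap, and `default('omit')` passes the literal string rather than the `omit` sentinel (it is unnecessary here, as `subelements` always yields `item.1`). A sketch of the restructured tasks follows.

```yaml
- name: Import RPM keys, allowing SHA1 only for the duration on RHEL 9
  block:
    # … unchanged: "Get policy" and "Allow SHA1 keys", each now carrying the RHEL 9 `when` itself …

    - name: Import a key from a url
      ansible.builtin.rpm_key:
        key: "{{ item.1 }}"
        state: present
      loop: "{{ postgres_exporter_rpm_repository | subelements('gpgkey') }}"
  always:
    # Runs on success and on failure of the import, so the policy is always restored.
    - name: Rollback policy after key import
      ansible.builtin.command:
        argv:
          - update-crypto-policies
          - --set
          - "{{ cryptopolicy_before.stdout }}"
      when:
        - cryptopolicy_before.stdout | default('') | length > 0
        - "'SHA1' not in cryptopolicy_before.stdout"
```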
diff --git a/vars/RedHat.yaml b/vars/RedHat.yaml
index 197b479..866b75c 100644
--- a/vars/RedHat.yaml
+++ b/vars/RedHat.yaml
@@ -5,9 +5,9 @@ postgres_exporter_rpm_repository:
 baseurl: "https://packagecloud.io/prometheus-rpm/release/el/$releasever/$basearch"
 repo_gpgcheck: yes
 gpgcheck: yes
- gpgkey: >-
- https://packagecloud.io/prometheus-rpm/release/gpgkey
- https://raw.githubusercontent.com/lest/prometheus-rpm/master/RPM-GPG-KEY-prometheus-rpm
+ gpgkey:
+ - https://packagecloud.io/prometheus-rpm/release/gpgkey
+ - https://raw.githubusercontent.com/lest/prometheus-rpm/master/RPM-GPG-KEY-prometheus-rpm
 postgres_exporter_package_name: "postgres_exporter"
 postgres_exporter_package: "{{ postgres_exporter_package_name }}-{{ postgres_exporter_version }}"
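Review bot: Both key URLs are now imported straight into the RPM keyring by the new `rpm_key` task, yet nothing pins which key is expected, and the second URL follows the mutable `master` branch of a GitHub repository. Whoever can change that branch (or the packagecloud endpoint) decides which key the host trusts for package signatures. Consider pinning the raw URL to a commit, e.g. `https://raw.githubusercontent.com/lest/prometheus-rpm/<COMMIT_SHA>/RPM-GPG-KEY-prometheus-rpm`, and carrying each key's expected fingerprint in this variable so the task can pass it to `rpm_key`'s `fingerprint` option. The list entry this hunk edits starts above the hunk.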