+ 

+   - role: httpd/reverseproxy

+     website: awx.fedoraproject.org

+     destname: awx

+     balancer_name: app-ocp

+     balancer_members: "{{ ocp_nodes }}"

+     targettype: openshift

+     ocp4: true

+     keephost: true

+     tags:

+     - awx

+     when: env == "production"

+   - role: httpd/website

+     site_name: awx.fedoraproject.org

+     sslonly: true

+     cert_name: "{{wildcard_cert_name}}"

+     tags:

+     - awx

+ ---

+ - name: make the app be real

+   hosts: localhost

+   connection: local

+   user: root

+   gather_facts: False

+ 

+   vars_files:

+     - /srv/web/infra/ansible/vars/global.yml

+     - "/srv/private/ansible/vars.yml"

+     - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

+ 

+   module_defaults:

+     group/awx.awx.controller:

+       controller_host: awx.fedoraproject.org

+       controller_username: "{{ awx_admin_username }}"

+       controller_password: "{{ awx_admin_password }}"

+ 

+   roles:

+   - role: awx/controller

+ ---

+ collections:

+ - awx.awx

+ ---

+ - name: Create Fedora Ansible Execution Environment

+   execution_environment:

+     name: Fedora ansible EE

+     image: registry.gitlab.com/darknao/fedora-ansible-ee:latest

+     pull: always

+ ---

+ - name: Define batcave01 as execution node

+   instance:

+     hostname: batcave01.vpn.fedoraproject.org

+     node_type: execution

+ 

+ - name: Create batcave instance group

+   instance_group:

+     name: batcave

+     instances:

+     - batcave01.vpn.fedoraproject.org

+ ---

+ - include_tasks: saml2.yml

+ - include_tasks: execution_environment.yml

+ - include_tasks: org.yml

+ - include_tasks: execution_nodes.yml

+ - include_tasks: projects.yml

+ ---

+ - name: Create Fedora organization

+   organization:

+     name: Fedora

+     description: Fedora Project Org

+ ---

+ - name: Create Fedora Infra project

+   project:

+     name: Fedora Infra

+     description: ""

+     scm_type: git

+     scm_url: https://pagure.io/fedora-infra/ansible.git

+     scm_clean: true

+     organization: Fedora

+     scm_update_on_launch: true

+     default_environment: Fedora ansible EE

+ 

+ - name: Create Fedora Infra Inventory

+   inventory:

+     name: Fedora Infra

+     description: ""

+     organization: Fedora

+ 

+ - name: Set up Fedora Infra Inventory source

+   inventory_source:

+     source_project: Fedora Infra

+     inventory: Fedora Infra

+     name: Fedora Infra Git

+     source: scm

+     source_path: inventory

+     update_on_launch: true

+ 

+ - name: Trigger inventory update

+   inventory_source_update:

+     name: Fedora Infra Git

+     inventory: Fedora Infra

+ ---

+ - name: Configure SAML2 authentication

+   settings:

+     settings:

+       SAML_AUTO_CREATE_OBJECTS: true

+       SOCIAL_AUTH_SAML_SP_ENTITY_ID: https://awx.fedoraproject.org/

+       SOCIAL_AUTH_SAML_SP_PUBLIC_CERT:

+         "{{ lookup('file', '{{ private }}/files/awx/{{ env }}/awx-saml.crt') }}"

+       SOCIAL_AUTH_SAML_SP_PRIVATE_KEY:

+         "{{ lookup('file', '{{ private }}/files/awx/{{ env }}/awx-saml.key') }}"

+       SOCIAL_AUTH_SAML_ORG_INFO:

+         en-US:

+           url: https://awx.fedoraproject.org/

+           name: AWX

+           displayname: Ansible AWX

+       SOCIAL_AUTH_SAML_TECHNICAL_CONTACT:

+         emailAddress: infrastructure@lists.fedoraproject.org

+         givenName: Fedora Infrastructure

+       SOCIAL_AUTH_SAML_SUPPORT_CONTACT:

+         emailAddress: infrastructure@lists.fedoraproject.org

+         givenName: Fedora Infrastructure

+       SOCIAL_AUTH_SAML_ENABLED_IDPS:

+         fedora:

+           x509cert:

+             "{{ lookup(

+                   'file',

+                   '{{ private }}/files/saml2/{{ env }}/keys/idp.crt'

+                 )

+                 | regex_replace('\n', '')

+             }}"

+           attr_email: "email"

+           attr_first_name: "givenname"

+           attr_last_name: "surname"

+           attr_user_permanent_id: "name_id"

+           attr_username: "name_id"

+           entity_id: "https://id.fedoraproject.org/idp/saml2/metadata"

+           url: "https://id.fedoraproject.org/idp/saml2/SSO/Redirect"

+       SOCIAL_AUTH_SAML_SECURITY_CONFIG:

+         authnRequestsSigned: true

+       SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR:

+         is_superuser_attr: groups

+         is_superuser_value:

+           - sysadmin-main

+       SOCIAL_AUTH_SAML_ORGANIZATION_MAP: {}

+       SOCIAL_AUTH_SAML_TEAM_ATTR:

+         saml_attr: groups

+         remove: true

+         team_org_map:

+           - organization: Fedora

+             team: fedora-websites

+ ---

+ - name: Create the awx user

+   user:

+     name: awx

+     shell: /bin/bash

+ 

+ - name: Enable Copr repo for Ansible Receptor (Fedora)

+   community.general.copr:

+     name: ansible-awx/receptor

+   when: ansible_distribution == 'Fedora'

+ 

+ - name: Enable Copr repo for Ansible Receptor (RHEL)

+   community.general.copr:

+     name: ansible-awx/receptor

+     chroot: epel-9-x86_64

+   when:

+   - ansible_distribution == 'RedHat'

+   - ansible_distribution_major_version|int == 9

+ 

+ - name: Deploy podman

+   include_role:

+     name: awx/podman

+   vars:

+     podman_user: awx

+     podman_group: awx

+ 

+ - name: Deploy Ansible Receptor

+   include_role:

+     name: awx/receptor

+   vars:

+     receptor_user: awx

+     receptor_group: awx

+     receptor_verify: true

+     receptor_tls: true

+     receptor_mintls13: false

+     receptor_work_commands:

+       ansible-runner:

+         command: ansible-runner

+         params: worker

+         allowruntimeparams: true

+         verifysignature: true

+     custom_worksign_public_keyfile:

+       "{{ private }}/files/awx/{{ inventory_hostname }}/work-public-key.pem"

+     custom_tls_certfile: "{{ private }}/files/awx/{{ inventory_hostname }}/tls/receptor.crt"

+     custom_tls_keyfile: "{{ private }}/files/awx/{{ inventory_hostname }}/tls/receptor.key"

+     custom_ca_certfile: "{{ private }}/files/awx/{{ inventory_hostname }}/tls/ca/receptor-ca.crt"

+     receptor_protocol: 'tcp'

+     receptor_listener: true

+     receptor_port: 27199

+     receptor_dependencies:

+       - python3-pip

+     ansible_host: "{{ inventory_hostname }}"

+ 

+ - name: Install ansible-runner

+   pip:

+     name: ansible-runner

+     executable: pip3

+ # Ansible Role: Podman

+ 

+ Installs and configures Podman on RHEL/CentOS/Fedora servers.

+ 

+ ## Role Variables

+ 

+ Available variables are listed below, along with default values.

+ 

+ ---

+ 

+     podman_user: 'podman'

+     podman_group: 'podman'

+ 

+ The user and group under which podman will be configured.

+ 

+ ---

+ 

+     default_runtime: 'crun'

+ 

+ The default container runtime to use for Podman. 

+ 

+ ---

+ 

+     default_cgroup_manager: 'cgroupfs'

+ 

+ The default cgroup manager to use for Podman.

+ 

+ ---

+ 

+ # License

+ 

+ Apache 2

+ ---

+ podman_user: 'podman'

+ podman_group: 'podman'

+ 

+ default_runtime: 'crun'

+ default_cgroup_manager: 'cgroupfs'

+ 

+ _hostname: "{{ routable_hostname | default(ansible_host) }}"

+ ---

+ # Variable configuration.

+ - include_tasks: variables.yml

+ 

+ # Setup/install tasks.

+ - include_tasks: setup-RedHat.yml

+   when: ansible_os_family == 'RedHat'

+ 

+ - name: Create directory for podman runtime config

+   ansible.builtin.file:

+     path: "~{{ podman_user }}/.config/containers"

+     state: directory

+     mode: 0700

+     owner: "{{ podman_user }}"

+     group: "{{ podman_group }}"

+ 

+ - name: Configure podman default runtime

+   ansible.builtin.copy:

+     content: |

+       [engine]

+       runtime = "{{ default_runtime }}"

+       cgroup_manager = "{{ default_cgroup_manager }}"

+     dest: "~{{ podman_user }}/.config/containers/containers.conf"

+     owner: "{{ podman_user }}"

+     group: "{{ podman_group }}"

+     mode: 0600

+ 

+ - name: Create empty mounts config file to avoid permissions error message

+   ansible.builtin.copy:

+     content: ""

+     dest: "~{{ podman_user }}/.config/containers/mounts.conf"

+     force: false

+     owner: "{{ podman_user }}"

+     group: "{{ podman_group }}"

+     mode: 0600

+ 

+ - name: Ensure registries.conf.d exists

+   ansible.builtin.file:

+     path: /etc/containers/registries.conf.d/

+     state: directory

+     mode: 0755

+ 

+ - name: Force fully qualified image names to be provided to podman pull

+   ansible.builtin.copy:

+     content: |

+       unqualified-search-registries = []

+     dest: /etc/containers/registries.conf.d/force-fully-qualified-images.conf

+     mode: 0644

+ ---

+ - name: Install podman packages

+   ansible.builtin.dnf:

+     name: "{{ podman_packages }}"

+     state: present

+ ---

+ - name: Include OS-specific variables (RedHat)

+   ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"

+   when:

+     - ansible_os_family == 'RedHat'

+ 

+ - name: Define podman_packages

+   ansible.builtin.set_fact:

+     podman_packages: "{{ __podman_packages | list }}"

+   when: podman_packages is not defined

+ ---

+ __podman_packages:

+   - podman

+   - crun

+ # Ansible Role: Setup

+ 

+ Installs and configures a Receptor node on RHEL/CentOS/Fedora servers.

+ 

+ 

+ ## Role Variables

+ 

+ Available variables are listed below, along with default values.

+ 

+ ---

+ 

+     receptor_packages:

+       - receptor

+ 

+ Set the names of the packages needed to install Receptor.

+ 

+ ---

+ 

+     receptor_dependencies: []

+ 

+ Specify other packages needed, probably on a per-node-type basis using

+ groupvars or hostvars.

+ 

+ ---

+ 

+     receptor_user: 'receptor'

+     receptor_group: 'receptor'

+ 

+ The user and group under which Receptor will run.

+ 

+ ---

+ 

+     receptor_socket_dir: '/var/run/receptor'

+ 

+ The directory that Receptor will place its control socket into.

+ 

+ ---

+ 

+     receptor_control_filename: 'receptor.sock'

+ 

+ The name of the control socket file.

+ 

+ ---

+ 

+     receptor_config_path: '/etc/receptor'

+ 

+ Path to the Receptor config file.

+ 

+ ---

+ 

+     routable_hostname: # defaults to not set

+ 

+ Hostvar for the routable address to this node.  If this is unset

+ `ansible_host` will be used instead.  Must be unique.

+ 

+ ---

+ 

+     receptor_peers: # defaults to not set

+ 

+ Hostvar for the Ansible hosts that this node is peering outwards to.

+ This is expected to be a list of dicts.

+ 

+ In the dicts, the `'host'` key is required, `'port'` and `'protocol'`

+ are optional and will default to the overall defaults for

+ `receptor_port` and `receptor_protocol`.

+ 

+ ---

+ 

+     receptor_tls: false

+ 

+ Enables the TLS protocol to be used for communication between nodes.

+ If enabled, appropriate certificates will have to be provided or

+ generated.

+ 

+ ---

+ 

+     receptor_mintls13: false

+ 

+ If set to true, this forces the minimum TLS version used to be 1.3.

+ Otherwise, the minimum version will be 1.2.  This variable has no

+ effect unless `receptor_tls` is enabled.

+ 

+ ---

+ 

+     receptor_tls_dir: '/etc/receptor/tls'

+     receptor_tls_ca_dir: '{{ receptor_tls_dir }}/ca'

+ 

+ Directories on the server where the TLS keys and CA keys would be located.

+ 

+ ---

+ 

+     receptor_tls_certfile: "{{ receptor_tls_dir }}/{{ receptor_host_identifier }}.crt"

+     receptor_tls_keyfile: "{{ receptor_tls_dir }}/{{ receptor_host_identifier }}.key"

+ 

+ Path on the server to the public and private TLS key files.

+ 

+ ---

+ 

+     receptor_ca_certfile: "{{ receptor_tls_ca_dir }}/mesh-CA.crt"

+     receptor_ca_keyfile: "{{ receptor_tls_ca_dir }}/mesh-CA.key"

+ 

+ Path on the server where the public and private Certificate Authority

+ key files would be located.

+ 

+ ---

+ 

+     custom_ca_certfile: # defaults to not set

+     custom_ca_keyfile: # defaults to not set

+ 

+ Path on the local filesystem to user-provided Certificate Authority

+ files.

+ 

+ ---

+ 

+     custom_tls_certfile: # defaults to not set

+     custom_tls_keyfile: # defaults to not set

+ 

+ Hostvar that is the path on the local filesystem to user-provided

+ per-node certificate files.  If used, both must be provided in

+ combination with a `custom_ca_certfile` that was used to sign them.

+ 

+ ---

+ 

+     receptor_sign: false

+ 

+ Hostvar designating that this host will sign any work that it sends

+ over the Receptor mesh.

+ 

+ ---

+ 

+     receptor_verify: false

+ 

+ Hostvar designating that this host will verify any work that it

+ receives using a public key.

+ 

+ ---

+ 

+     receptor_worksign_key_dir: "/etc/receptor"

+     receptor_worksign_private_keyfile: "{{ receptor_worksign_key_dir }}/work_private_key.pem"

+     receptor_worksign_public_keyfile: "{{ receptor_worksign_key_dir }}/work_public_key.pem"

+ 

+ Path on the server to the public and private OpenSSL work signing key files.

+ 

+ ---

+ 

+     custom_worksign_private_keyfile: # defaults to not set

+     custom_worksign_public_keyfile: # defaults to not set

+ 

+ Path on the local filesystem to user-provided OpenSSL work signing key

+ files.

+ 

+ ---

+ 

+     receptor_fd_limit_soft: 4096

+     receptor_fd_limit_hard: 8192

+ 

+ The file descriptor limits in PAM for Receptor.

+ 

+ ---

+ 

+     receptor_app_service: # defaults to not set

+ 

+ Optional variable to tie Receptor together with some other service in systemd.

+ 

+ ---

+ 

+     receptor_log_level: 'info'

+ 

+ The level at which Receptor should write logs.  Allowable options are 'error', 'warning', 'info', and 'debug'.

+ 

+ ---

+ 

+     receptor_listener: true

+ 

+ Hostvar to enable Receptor to listen for incoming remote connections.

+ 

+ ---

+ 

+     receptor_local_only: false

+ 

+ Hostvar to make this instance of Receptor listen for local-only

+ connections.  If set to true, this will take precedence over the value

+ of `receptor_listener`.

+ 

+ ---

+ 

+     receptor_protocol: 'tcp'

+     receptor_port: 27199

+ 

+ Override with hostvars for the protocol this instance of Receptor will

+ use (allowable options are 'tcp', 'udp', and 'ws' for websockets), and

+ the port number it will listen for those connections on.

+ 

+ ---

+ 

+     receptor_work_commands: # defaults to not set

+ 

+ The definition of the Receptor work commands.  This variable is

+ expected to be a dictionary, with keys the unique worktype name, and

+ values a dict of the rest of the key-value pairs of the work

+ definition.  See

+ <https://receptor.readthedocs.io/en/latest/workceptor.html> for more

+ information.

+ 

+ ---

+ 

+     receptor_kubernetes_commands: # defaults to not set

+ 

+ The definition of the Receptor work-kubernetes commands.  This

+ variable is expected to be a dictionary, with keys the unique worktype

+ name, and values a dict of the rest of the key-value pairs of the work

+ definition.  See <https://receptor.readthedocs.io/en/latest/k8s.html>

+ for more information.

+ 

+ ---

+ 

+ # License

+ 

+ Apache 2

+ ---

+ receptor_user: receptor

+ receptor_group: receptor

+ 

+ receptor_config_path: '/etc/receptor'

+ receptor_socket_dir: '/var/run/receptor'

+ receptor_control_filename: 'receptor.sock'

+ 

+ receptor_tls: false

+ receptor_mintls13: false

+ 

+ receptor_tls_dir: '/etc/receptor/tls'

+ receptor_tls_ca_dir: '{{ receptor_tls_dir }}/ca'

+ receptor_tls_certfile: "{{ receptor_tls_dir }}/{{ receptor_host_identifier }}.crt"

+ receptor_tls_keyfile: "{{ receptor_tls_dir }}/{{ receptor_host_identifier }}.key"

+ receptor_ca_certfile: "{{ receptor_tls_ca_dir }}/mesh-CA.crt"

+ receptor_ca_keyfile: "{{ receptor_tls_ca_dir }}/mesh-CA.key"

+ 

+ receptor_worksign_key_dir: "/etc/receptor"

+ receptor_worksign_private_keyfile: "{{ receptor_worksign_key_dir }}/work_private_key.pem"

+ receptor_worksign_public_keyfile: "{{ receptor_worksign_key_dir }}/work_public_key.pem"

+ 

+ receptor_fd_limit_soft: 4096

+ receptor_fd_limit_hard: 8192

+ 

+ receptor_listener: true

+ receptor_local_only: false

+ 

+ receptor_protocol: 'tcp'

+ receptor_port: 27199

+ receptor_sign: false

+ receptor_verify: false

+ 

+ receptor_log_level: 'info'

+ 

+ _hostname: "{{ routable_hostname | default(ansible_host) }}"

+ receptor_host_identifier:

+   "{{ (_hostname == 'localhost') | ternary('localhost.localdomain', _hostname) }}"

+ ---

+ - name: Ensure soft/hard file descriptors limits

+   ansible.builtin.template:

+     src: templates/pam_limits.conf.j2

+     dest: /etc/security/limits.d/receptor.conf

+     mode: '0600'

+     owner: root

+     group: root

+ 

+ - name: Ensure systemd override directory exists

+   ansible.builtin.file:

+     dest: /etc/systemd/system/receptor.service.d

+     state: directory

+     owner: root

+     group: root

+     mode: '0755'

+ 

+ - name: Override receptor's systemd service runuser

+   ansible.builtin.template:

+     src: templates/systemd_receptor_override.conf.j2

+     dest: /etc/systemd/system/receptor.service.d/override.conf

+     mode: '0644'

+     owner: root

+     group: root

+ #  notify: Restart Receptor

+ 

+ - name: Configure the receptor socket directory

+   ansible.builtin.file:

+     path: "{{ receptor_socket_dir }}"

+     state: directory

+     owner: "{{ receptor_user }}"

+     group: "{{ receptor_group }}"

+     mode: '0750'

+ 

+ - name: Create tmpfiles.d entry for receptor socket directory

+   ansible.builtin.template:

+     src: templates/receptor_tmpd.conf.j2

+     dest: /etc/tmpfiles.d/receptor.conf

+     mode: '0640'

+     owner: root

+     group: root

+ ---

+ # Variable configuration.

+ - include_tasks: variables.yml

+ 

+ # Setup/install tasks.

+ - include_tasks: setup-RedHat.yml

+   when: ansible_os_family == 'RedHat'

+ 

+ - include_tasks: configure.yml

+ 

+ - include_tasks: tls.yml

+   when: receptor_tls

+ 

+ - include_tasks: worksign.yml

+   when: receptor_sign or receptor_verify

+ 

+ - name: Deploy receptor config

+   ansible.builtin.template:

+     src: templates/receptor.conf.j2

+     dest: "{{ receptor_config_path }}/receptor.conf"

+     mode: '0644'

+     owner: "{{ receptor_user }}"

+     group: "{{ receptor_group }}"

+ #   notify:

+ #   - "Receptor Reload"

+ 

+ - name: Start Receptor service

+   ansible.builtin.systemd:

+     name: receptor

+     state: started

+     daemon_reload: true

+     enabled: true

+ ---

+ - name: Install receptor packages

+   ansible.builtin.dnf:

+     name: "{{ receptor_packages }}"

+     state: present

+ 

+ - name: Install dependencies specific to the node type

+   ansible.builtin.dnf:

+     name: "{{ receptor_dependencies | default([]) }}"

+     state: present

+ ---

+ - name: Create Receptor cert directories

+   ansible.builtin.file:

+     dest: "{{ item }}"

+     state: directory

+     mode: '0750'

+     owner: "{{ receptor_user }}"

+     group: "{{ receptor_group }}"

+     recurse: true

+   with_items:

+     - "{{ receptor_tls_dir }}"

+     - "{{ receptor_tls_ca_dir }}"

+ 

+ - name: Process provided TLS files

+   include_tasks: tls_local.yml

+   when: custom_tls_certfile is defined or custom_tls_keyfile is defined

+ 

+ - name: Set TLS file permissions

+   ansible.builtin.file:

+     dest: "{{ item }}"

+     owner: "{{ receptor_user }}"

+     group: "{{ receptor_group }}"

+     mode: '0640'

+   with_items:

+     - "{{ receptor_tls_certfile }}"

+     - "{{ receptor_tls_keyfile }}"

+     - "{{ receptor_ca_certfile }}"

+ ---

+ - name: Ensure both TLS files are provided

+   ansible.builtin.assert:

+     quiet: true

+     that:

+       - custom_tls_certfile | default('') | length

+       - custom_tls_keyfile | default('') | length

+     fail_msg: >

+       "You must provide both 'custom_tls_certfile' and 'custom_tls_keyfile'."

+ 

+ - name: Ensure CA certfile is provided

+   ansible.builtin.assert:

+     quiet: true

+     that:

+       - custom_ca_certfile | default('') | length

+     fail_msg: >

+       "You must provide the public CA file when providing custom TLS certificates."

+ 

+ - name: Check TLS private key modulus

+   delegate_to: localhost

+   become: false

+   ansible.builtin.command: openssl rsa -modulus -noout -in "{{ custom_tls_keyfile }}"

+   register: _tls_keyfile_modulus

+   changed_when: false

+ 

+ - name: Check TLS x509 key modulus

+   delegate_to: localhost

+   become: false

+   ansible.builtin.command: openssl x509 -modulus -noout -in "{{ custom_tls_certfile }}"

+   register: _tls_certfile_modulus

+   changed_when: false

+ 

+ - name: Ensure TLS pair matches

+   ansible.builtin.assert:

+     quiet: true

+     that:

+       - _tls_keyfile_modulus.stdout == _tls_certfile_modulus.stdout

+     fail_msg: >

+       "TLS !modulus! for {{ custom_tls_keyfile }} and {{ custom_tls_certfile }} doesn't match."

+     success_msg: "TLS !modulus! for {{ custom_tls_keyfile }} and {{ custom_tls_certfile }} matches."

+ 

+ - name: Ensure x509 certificate was signed by the expected Certificate Authority

+   delegate_to: localhost

+   become: false

+   ansible.builtin.command:

+     openssl verify -CAfile "{{ custom_ca_certfile }}" "{{ custom_tls_certfile }}"

+   changed_when: false

+ 

+ - name: Upload TLS files

+   become: true

+   become_user: "{{ receptor_user }}"

+   ansible.builtin.copy:

+     src: "{{ item.src }}"

+     dest: "{{ item.dest }}"

+     owner: "{{ receptor_user }}"

+     group: "{{ receptor_group }}"

+     mode: '0640'

+   with_items:

+     - {src: '{{ custom_tls_certfile }}', dest: '{{ receptor_tls_certfile }}'}

+     - {src: '{{ custom_tls_keyfile }}', dest: '{{ receptor_tls_keyfile }}'}

+     - {src: '{{ custom_ca_certfile }}', dest: '{{ receptor_ca_certfile }}'}

+ ---

+ - name: Include OS-specific variables (RedHat)

+   ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"

+   when:

+     - ansible_os_family == 'RedHat'

+ 

+ - name: Define receptor_packages

+   ansible.builtin.set_fact:

+     receptor_packages: "{{ __receptor_packages | list }}"

+   when: receptor_packages is not defined

+ ---

+ - include_tasks: worksign_local.yml

+   when: custom_worksign_private_keyfile is defined or custom_worksign_public_keyfile is defined

+ ---

+ - name: Distribute private work signing key

+   ansible.builtin.copy:

+     src: "{{ custom_worksign_private_keyfile }}"

+     dest: "{{ receptor_worksign_private_keyfile }}"

+     owner: "{{ receptor_user }}"

+     group: "{{ receptor_group }}"

+     mode: '0640'

+   when: receptor_sign

+ 

+ - name: Distribute public work signing key

+   ansible.builtin.copy:

+     src: "{{ custom_worksign_public_keyfile }}"

+     dest: "{{ receptor_worksign_public_keyfile }}"

+     owner: "{{ receptor_user }}"

+     group: "{{ receptor_group }}"