feat(roles/repo_remi): Add RHEL 10 / Rocky 10 support

CHANGELOG.md

@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+* **role:repo_remi**: Drop support for RHEL 7 and Fedora 35. Both are EOL (RHEL 7: June 2024, Fedora 35: December 2022). The per-platform `tasks/RedHat7.yml`, `vars/{RedHat7,Fedora}.yml` and `templates/{RedHat7,Fedora}/` trees are removed.
 * **tool:particle**: Remove the `tools/particle` Vagrant-based role test runner, its sample inventories under `tests/`, and the bundled `linuxfabrik/lib` git submodule (whose only consumer was `particle`). The runner and the submodule were tightly wired together, and Dependabot did not have a `gitsubmodule` config for this repo, so the bundled lib was silently drifting behind upstream. Since role testing is moving to Molecule anyway, dropping the whole stack is cleaner than keeping the wiring around. Older revisions remain accessible through git history.
 
 ### Breaking Changes
@@ -32,6 +33,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+* **role:repo_remi**: Add RHEL 10 / Rocky 10 support (new GPG key, repo templates, and module-stream tasks for EL 10).
+* **role:repo_remi**: Add `meta/argument_specs.yml` declaring the four user-facing variables (`repo_remi__basic_auth_login`, `repo_remi__enabled_php_version`, `repo_remi__enabled_redis_version`, `repo_remi__mirror_url`) so role-entry validation catches type mismatches and unknown variables. `repo_remi__basic_auth_login` is declared as `type: 'raw'` because its default in `defaults/main.yml` resolves to an empty string when no Bitwarden lookup is configured.
 * **role:monitoring_plugins, role:repo_monitoring_plugins**: Add SLES 15 and SLES 16 support. The roles now install the Linuxfabrik Monitoring Plugins from the SUSE channel of `repo.linuxfabrik.ch` and apply the SUSE-specific package version lock ([#245](https://github.com/Linuxfabrik/lfops/issues/245)).
 * **role:alternatives, role:elastic_agent, role:elastic_agent_fleet_server, role:icinga_kubernetes_web, role:lvm, role:mailto_root, role:motd, role:proxysql**: (Re-)introduce `meta/argument_specs.yml` so role-entry validation catches type mismatches and missing required variables. The originally proposed specs were correct for these roles (no strict-options login dicts, no `__dependent_var` injections from `setup_*` playbooks), so they are restored unchanged.
 * **role:apps, role:example, role:kernel_settings**: (Re-)introduce `meta/argument_specs.yml`, with the `__dependent_var` slot declared so `setup_*` playbooks that inject these via `vars:` (e.g. `setup_icinga2_master`, `setup_moodle`, `setup_nextcloud`) pass validation.

COMPATIBILITY.md

@@ -142,7 +142,7 @@ Which Ansible role is proven to run on which OS?
 | repo_postgresql                       |        |        |  (x)   |   x    |   (x)   |           |           |           |                                              |
 | repo_proxysql                         |  (x)   |  (x)   |   x    |   x    |   (x)   |    (x)    |    (x)    |    (x)    |                                              |
 | repo_redis                            |   x    |   x    |        |        |         |    (x)    |    (x)    |    (x)    |                                              |
-| repo_remi                             |        |        |   x    |   x    |         |           |           |           | Fedora 35                                    |
+| repo_remi                             |        |        |   x    |   x    |    x    |           |           |           |                                              |
 | repo_rpmfusion                        |        |        |   x    |  (x)   |   (x)   |           |           |           |                                              |
 | repo_sury                             |   x    |   x    |   -    |   -    |         |    (x)    |    (x)    |    (x)    |                                              |
 | rocketchat                            |        |        |   x    |  (x)   |   (x)   |           |           |           | Fedora 35                                    |

roles/repo_remi/README.md

@@ -6,11 +6,6 @@ This role deploys the [Remi's RPM repository](https://rpms.remirepo.net/).
 *Available since LFOps `2.0.0`.*
 
 
-## Mandatory Requirements
-
-* For RHEL7, install `yum-utils`. This can be done using the [linuxfabrik.lfops.yum_utils](https://github.com/Linuxfabrik/lfops/tree/main/roles/yum_utils) role.
-
-
 ## Tags
 
 `repo_remi`

roles/repo_remi/files/RedHat10/etc/pki/rpm-gpg/RPM-GPG-KEY-remi.el10

@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGWdEG0BEADV9c8aSIITQmoWKN0ac4c8AEhZcdzpWSRPwHIS8syVRw/gj30W
+Mn1OoxqFn2UECh2jjqYaQFECXNrM2/lzO4GhvcuoPn6p0rXFMvYvwtiOJ+rmDvTe
+UOwRxkZhYehpvsRPFoVhlYJh3U1BM0UHm2iE/TIqVusY9FHQuCMZVl0BHk81YGDa
+qE3cyu+9zOs8z1bYlsYBgLIbtb4+loQTRexFTfZkUcCWgAaNyur8Wy7Msdm5LOqN
+ZZu6bNKBOv0Cr+BOwGNoFRbi4IM+5H+0eI1n7V5if4CuXfdYHp+Pm+PQvftm/nqB
+jRLKqioRKzHjk7xNMsi5lM+SU4WyfU77pr3RXuJR6fkymLVAeu5sy2U6ySj0SXIO
+/I3oPp4/zJ8/e94jG5iDqh92b5IWyXSE+EGw4kkpUvZLrK8vyyEfk8h9Gf8qA5uL
+yGfw0vnSVjYb+RdnfZFVdPaIEmeY8tnobS87duj8JESZiSWo5sU4filkciW5e+MJ
+w9wohgl+Cqm2J5Ljqus6DRm4ptKbZD8QZRnmGcSk6O2VopBKt2XLat4eIJLr/EiN
+0CJ1EH/oJmEeZbYtUjxjsGsbPXicwDH6ZIeIMSaiDgqRxPm1LTGVLjSHAk+k0e5l
+ulEmaoA7t/p3U2peGc7ONvozXiyNHZdGiRkqFC1mA9/JpeWw4KFH6JSgmQARAQAB
+tEtSZW1pJ3MgUlBNIHJlcG9zaXRvcnkgMjAyNCAoaHR0cHM6Ly9ycG1zLnJlbWly
+ZXBvLm5ldC8pIDxyZW1pQHJlbWlyZXBvLm5ldD6JAlEEEwEIADsWIQTPHfAFfOhd
+/1svKjfC/TssKglI5AUCZZ0QbQIbAwULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIX
+gAAKCRDC/TssKglI5Na7EACDTGjTcuTyudfuu/JC41BSurclCcwZyPsGaClyc0qx
+Tk8Rs4rbyVw1u494fiFG/yEVl7LGGja84UJOlMdw82KgVUmr4fGLaBBFWm+KnZ4W
+4vvFcCIxUshENOaDrkhby9F5P379gVOK9I3n9l4Q2xt+sWUNwE74CNfCTUeYMIm/
+/AHbb1DTM9FuIT6FssgvILMTlksiyrw8U8bj+QUzPZrFCpvv+PnFA7ZDMEyCf2Tz
+/zawxoP3a3b+3/g61U9SVIkfToonnorqh9lkQYhsdKTFHW6eESqe7zcqMBZv/sSc
+3kFzl22KczSdU8eYxdujv9BmlW2SOrQsnuMYxvoD1LzhwSB/nOapNrWU+djhJCof
+ueZ+rBW4QWysmG0dEp5Wpz85TstAnQ+j5aCOMSAkiAVsrJ0Ff3JXakIiL7rEtccS
+dhgBT06LJtJy1NGIC0Sotn45n6dtfi6IuI8LnELCKeHxhdFSJcAPB8y95u0uHymy
+sqMfzjq1VcYtzC5II6Yd5Gtb2+QzyQwORslwXhUdXwZKUc5i6X5xFMSxU523fH9n
+i+kQlUTPkOUr66v4fmYDj+ZlJQSFoPylcHCke/vOo/rH5nj+YMPa6LdohsdzHKpd
+DkKrk+Udj5aDXtXGIFYwoNKO4BnCsz/ImZfB4CQ+ekJsY1pFill3+MRTM6IvSA+P
+7LkCDQRlnRBtARAAq8k4FM9euMMsXz0buxxyr0ew0ecWNhZGy24a6DXORVTEJbgI
+T3HpV/C2PWkwgEBswYzREm+en61jhWr5unCiytO2klT+K2WNcIUNW+z2ciL/JNaJ
+OcKwjkiY/A+KtDStzllCQ/XnpgAXGvFZjMjhHrNGQoAwNnPE/cMtYwcuVdW3Ipm3
+cOOtzxRmfnhP8YUEyHxdos/7AZowaiLIUkaL5RUaygGrfPGyUXPl1aXS1oiOm37W
+RiKCGUxCHSlpBqeh1WQPOaps8y+ME9jMzF9SLvqiXlKPllJIx9i8tHUOnX6Y2U2x
+5sXsCEiA+zNVMU3YQ04++Yx2Rp6sDhNEnAbTCqqequqIzaXHZWwszAeG6pj1G90m
+8PwDeHy641ySgDMwVPpnH5rHWmmT96XvF9QNg07OBtW9/phryzwAuHogrBY4DyFD
+pUxDkTv9TxfBaS/s1uJxEGknIgnKzQo79mRy206waGKRA2AV36ORSfU12sK8pl3r
+N95iIDh/OIuMl2STaXilhwb1hRpGFvwRlq3Hvvan4SY1aO219Q+VxMGXeqC5F/rm
+Anh7mRVMP2qu0rj7L8xJ/OD/bPfuWL72/PvviBr/jdRM9I+Vj8dPGjhUwhK1dpEG
+Q6yvoVXLHXucVHfIVR+ALLBmK8oHXNIFeIXhiUbgmRAilPHRz6Rf5pgbrC0AEQEA
+AYkCNgQYAQgAIBYhBM8d8AV86F3/Wy8qN8L9OywqCUjkBQJlnRBtAhsMAAoJEML9
+OywqCUjkQ2kP/iwqvt1sX85KM4OSE9ftqemwnvh19NizMKHMYGgikMAvy2CndEOI
+wzKVeE1iK9/ivZQQIbD5l0G9hzVZjIxbgu9dAcxM+jdmaPyUj7yn6AX2yeGAeHyA
+qzNKZaTLJPieRzdXk/uKPVyWUuzbR0vwR7n8N5N0pe/FEfO9O0uX5iz2kf5+b10c
+WqvzLmO+czuyCjTHnjhKfE73iIktYE3MnM8qFHPiKwm+jeTkUnmInoR3qIKR/SCV
+u2vk/q5uvpNaUSPSDKji6wh3/hbNbPocLSGIjugfWNm/4LhlSHPNnRJ2dIvSxeiI
+qtSWxhULEyHGBPMLDriVumCV7Rb/byJwiMbmCIpxB5XLtbgt7nIqWQTko+6ci71S
+4rDXolM3bytYbpqq4b/Xc1bhBuTX3omwrd0kxmGqad8eia6O6iBsP7GAl4QkySm4
+MfKQfohjXTnT60wqEzQwLGI4NKN9bHRSsGINHX5p+Kz9HLf87fTY4uglbFxg0/II
+Y3nko5KBw/gfe0WpwZY0sWjK20cXJn3xLQjoG8OjUNUCUYTRsiAvn4AiDRt++qtl
+bvJjJqOU1k4GrGoCVpEUiOc9Cw1YZREcFe8H2at3pGnxJ1DFlYA916kNAxYANp2s
+r3N3agwevgIzP78hynxjm6a5H2w0vkg189pZn2RR9zX9gmrvlqg1o0P1
+=meaU
+-----END PGP PUBLIC KEY BLOCK-----

roles/repo_remi/meta/argument_specs.yml

@@ -0,0 +1,39 @@
+argument_specs:
+  main:
+    options:
+
+      repo_remi__basic_auth_login:
+        # 'raw' rather than 'dict', because the default in defaults/main.yml
+        # resolves to '' (empty string) when lfops__repo_basic_auth_login is
+        # not set; a strict 'dict' spec would reject the empty default.
+        type: 'raw'
+        required: false
+        description: >-
+          HTTP basic auth credentials for the Remi repository. Expected as
+          a dict with `username` and `password` keys. Typically fed by
+          `linuxfabrik.lfops.bitwarden_item`, which returns the full
+          Bitwarden item with additional keys.
+
+      repo_remi__enabled_php_version:
+        type: 'str'
+        required: false
+        description: >-
+          Major and minor version of PHP for which the repository should
+          be enabled (e.g. `8.1`). If unset, no PHP module stream is
+          enabled.
+
+      repo_remi__enabled_redis_version:
+        type: 'str'
+        required: false
+        description: >-
+          Major and minor version of Redis for which the repository should
+          be enabled (e.g. `7.2`). If unset, no Redis module stream is
+          enabled.
+
+      repo_remi__mirror_url:
+        type: 'str'
+        required: false
+        description: >-
+          URL of a custom mirror server providing the repository. Defaults
+          to `lfops__repo_mirror_url`; if that is also unset, the default
+          upstream mirrors are used.

roles/repo_remi/tasks/RedHat.yml

@@ -0,0 +1,67 @@
+- block:
+
+  - name: 'Deploy /etc/pki/rpm-gpg/RPM-GPG-KEY-remi.el{{ ansible_facts["distribution_major_version"] }}'
+    ansible.builtin.copy:
+      src: '{{ ansible_facts["os_family"] }}{{ ansible_facts["distribution_major_version"] }}/etc/pki/rpm-gpg/RPM-GPG-KEY-remi.el{{ ansible_facts["distribution_major_version"] }}'
+      dest: '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi.el{{ ansible_facts["distribution_major_version"] }}'
+      owner: 'root'
+      group: 'root'
+      mode: 0o644
+
+  tags:
+    - 'repo_remi'
+
+
+# note: the remi repo still uses modularity with RHEL10 even though `modularity is deprecated, and functionality will be removed in a future release of DNF5.` have a look at https://github.com/remicollet/remirepo/issues/265#issuecomment-2298206332
+- block:
+
+  - name: 'dnf -y module reset php'
+    ansible.builtin.command: 'dnf -y module reset php'
+    register: '__repo_remi__dnf_module_reset_php_result'
+    changed_when: '"Nothing to do" not in __repo_remi__dnf_module_reset_php_result["stdout"]'
+
+  - name: 'dnf -y module enable php:remi-{{ repo_remi__enabled_php_version }}'
+    ansible.builtin.command: 'dnf -y module enable php:remi-{{ repo_remi__enabled_php_version }}'
+    register: '__repo_remi__dnf_module_enable_php_result'
+    changed_when: '"Nothing to do" not in __repo_remi__dnf_module_enable_php_result["stdout"]'
+
+  # block
+  when: 'repo_remi__enabled_php_version is defined and repo_remi__enabled_php_version | length > 0'
+  tags:
+    - 'repo_remi'
+
+
+- block:
+
+  - name: 'dnf -y module reset composer'
+    ansible.builtin.command: 'dnf -y module reset composer'
+    register: '__repo_remi__dnf_module_reset_composer_result'
+    changed_when: '"Nothing to do" not in __repo_remi__dnf_module_reset_composer_result["stdout"]'
+
+  - name: 'dnf -y module enable composer'
+    ansible.builtin.command: 'dnf -y module enable composer'
+    register: '__repo_remi__dnf_module_enable_composer_result'
+    changed_when: '"Nothing to do" not in __repo_remi__dnf_module_enable_composer_result["stdout"]'
+
+  # block
+  when: 'repo_remi__enabled_php_version is defined and repo_remi__enabled_php_version | length > 0'
+  tags:
+    - 'repo_remi'
+
+
+- block:
+
+  - name: 'dnf -y module reset redis'
+    ansible.builtin.command: 'dnf -y module reset redis'
+    register: '__repo_remi__dnf_module_reset_redis_result'
+    changed_when: '"Nothing to do" not in __repo_remi__dnf_module_reset_redis_result["stdout"]'
+
+  - name: 'dnf -y module enable redis:remi-{{ repo_remi__enabled_redis_version }}'
+    ansible.builtin.command: 'dnf -y module enable redis:remi-{{ repo_remi__enabled_redis_version }}'
+    register: '__repo_remi__dnf_module_enable_redis_result'
+    changed_when: '"Nothing to do" not in __repo_remi__dnf_module_enable_redis_result["stdout"]'
+
+  # block
+  when: 'repo_remi__enabled_redis_version is defined and repo_remi__enabled_redis_version | length > 0'
+  tags:
+    - 'repo_remi'

roles/repo_remi/tasks/main.yml

@@ -3,12 +3,12 @@
     name: 'shared'
     tasks_from: 'platform-variables.yml'
   tags:
-    - 'repo_remi'
+    - 'always'
 
 
 - block:
 
-  - name: 'Remi Repo Mirror URL:'
+  - name: 'Remi Repo Mirror URL'
     ansible.builtin.debug:
       var: 'repo_remi__mirror_url'
 
@@ -20,15 +20,15 @@
       owner: 'root'
       group: 'root'
       mode: 0o644
-    loop: '{{ repo_remi__repo_files }}'
+    loop: '{{ __repo_remi__repo_files }}'
 
   - name: 'Remove rpmnew / rpmsave (and Debian equivalents)'
     ansible.builtin.include_role:
       name: 'shared'
       tasks_from: 'remove-rpmnew-rpmsave.yml'
     vars:
       shared__remove_rpmnew_rpmsave_config_file: '/etc/yum.repos.d/{{ item | basename }}'
-    loop: '{{ repo_remi__repo_files }}'
+    loop: '{{ __repo_remi__repo_files }}'
 
   tags:
     - 'repo_remi'