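---
# Install tasks for caddy: refresh the package cache, install dependencies,
# then download the release archive together with its cosign-signed checksum
# file, verify the signature and unpack the binary into /usr/local/bin.

- block:
    # Only meaningful on apt-based hosts; other package managers skip it.
    - name: Update apt cache
      apt:
        cache_valid_time: 3600
        update_cache: true
      register: _pre_update_apt_cache
      until: _pre_update_apt_cache is succeeded
      when:
        - ansible_pkg_mgr == "apt"

    - name: Install dependencies
      package:
        name: "{{ caddy_dependencies }}"
        state: present
      register: _install_dep_packages
      until: _install_dep_packages is succeeded
      retries: 5
      delay: 2

# Everything in this block is skipped when the version check is enabled and
# the running caddy already reports the requested version (see `when` below).
#
# NOTE(review): all artifacts use fixed, predictable names in world-writable
# /tmp and are later unpacked as root. Consider a private working directory
# (e.g. one created with the tempfile module) so another local user cannot
# pre-create or swap these files between download, verification and unpack.
- block:
    - name: Download caddy archive
      get_url:
        url: "{{ caddy_dl_url }}.tar.gz"
        dest: "/tmp/caddy-{{ caddy_version }}-linux-{{ caddy_arch }}.tar.gz"
      register: _download_archive
      until: _download_archive is succeeded
      retries: 5
      delay: 2

    - name: Download caddy checksum.txt
      get_url:
        url: "{{ caddy_dl_url_checksum }}"
        dest: "/tmp/caddy_{{ caddy_version }}_checksums.txt"
      register: _download_checksums_txt
      until: _download_checksums_txt is succeeded
      retries: 5
      delay: 2

    - name: Download caddy checksum.txt.pem
      get_url:
        url: "{{ caddy_dl_url_checksum }}.pem"
        dest: "/tmp/caddy_{{ caddy_version }}_checksums.txt.pem"
      register: _download_checksums_txt_pem
      until: _download_checksums_txt_pem is succeeded
      retries: 5
      delay: 2

    - name: Download caddy checksum.txt.sig
      get_url:
        url: "{{ caddy_dl_url_checksum }}.sig"
        dest: "/tmp/caddy_{{ caddy_version }}_checksums.txt.sig"
      register: _download_checksums_txt_sig
      # Retry on this task's own result; polling the .pem result would stop
      # retrying after the first attempt even if the .sig download failed.
      until: _download_checksums_txt_sig is succeeded
      retries: 5
      delay: 2

    # Verifies the signature over the checksum file with the downloaded
    # certificate.
    #
    # The command module does not run through a shell, so a leading
    # `VAR=value` would be taken as the program name; the variable is passed
    # via `environment` instead.
    #
    # NOTE(review): without --certificate-identity and
    # --certificate-oidc-issuer this only shows the file was signed with
    # *some* certificate cosign trusts, not specifically by the caddy release
    # process. Pin both once the expected values are confirmed (newer cosign
    # releases require them).
    - name: Verify Certificate
      command:
        argv:
          - cosign
          - verify-blob
          - --certificate
          - "/tmp/caddy_{{ caddy_version }}_checksums.txt.pem"
          - --signature
          - "/tmp/caddy_{{ caddy_version }}_checksums.txt.sig"
          - "/tmp/caddy_{{ caddy_version }}_checksums.txt"
      environment:
        COSIGN_EXPERIMENTAL: "1"
      register: _caddy_cosign_key_status
      changed_when: false
      # Any non-zero exit must stop the play: a tolerated failure code here
      # would let an unverified checksum file through.
      failed_when: _caddy_cosign_key_status.rc != 0

    # NOTE(review): nothing in this block compares the archive's digest with
    # the verified checksums file, so the signature check above does not yet
    # cover the binary that is unpacked here. Add a digest comparison against
    # /tmp/caddy_{{ caddy_version }}_checksums.txt before this task.
    - name: Unpack caddy binary
      unarchive:
        remote_src: true
        src: "/tmp/caddy-{{ caddy_version }}-linux-{{ caddy_arch }}.tar.gz"
        dest: "/usr/local/bin"
        # Quoted so the mode is not reinterpreted as a decimal integer.
        mode: "0755"
        owner: root
        group: root
      notify: "Restart caddy"
  when: (not caddy_version_check|bool) or (caddy_active_version.stdout != caddy_version)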