Allow `remi_repo_gpg_key_url` and `remi_repo_gpg_key_url` to pass to remi role

[indytechcook]

It doesn't appear there is a way to pass the remi_repo_gpg_key_url or remi_repo_gpg_key_url to your repo-remi role. This would allow for the selection of the closest mirror.

If this is already possible, I'm sorry I couldn't figure it out.

cc @ElijahLynn

[ElijahLynn]

Hrm, I wonder if the gpg keys are even on the mirrors.

[geerlingguy]

@indytechcook - You can override both variables in your playbook:

remi_repo_url: "https://rpms.remirepo.net/enterprise/remi-release-{{ ansible_distribution_major_version }}.rpm"
remi_repo_gpg_key_url: "https://rpms.remirepo.net/RPM-GPG-KEY-remi2018"

Those are defined as defaults in the repo-remi role: https://github.com/geerlingguy/ansible-role-repo-remi/blob/master/defaults/main.yml

But as @ElijahLynn mentions, they may not be mirrored on the official mirrors...

[indytechcook]

@geerlingguy can we pass them to the PHP playbook?

[indytechcook]

Sorry, I withdraw my comment, @ElijahLynn is teaching me more about how this works in ansible. I need to finish your book :)

[ElijahLynn]

But as @ElijahLynn mentions, they may not be mirrored on the official mirrors...

It doesn't appear the GPG Keys are mirrored (https://forum.remirepo.net/viewtopic.php?pid=11935#p11935 and https://twitter.com/RemiRepository/status/1420625963419947009).

Hosting the key elsewhere, e.g. S3 (as Neil suggested outside this thread) and overriding the default remi_repo_gpg_key_url in the playbook where we call the role would work. The GPG Key endpoint appears to be stable again now but this will likely happen again in the future (not if but when).

[remicollet]

Install the distribution-gpg-keys package (from EPEL) which provides lot of 3rd party repo keys ;)

[remicollet]

And you can also use the cdn for this

• EL-7: http://cdn.remirepo.net/RPM-GPG-KEY-remi
• EL-8: http://cdn.remirepo.net/RPM-GPG-KEY-remi2018

the cdn is a small set of servers (2 for now), only used for small "critical" traffic, usually the mirrorlist (no https available)

[geerlingguy]

@remicollet - Oh, nice! Thanks for the updates, and again thanks for your work keeping the PHP world going 'round in RHEL land. I've created a follow-up issue for implementation: https://github.com/geerlingguy/ansible-role-repo-remi/issues/27

[Lusitaniae]

And you can also use the cdn for this

• EL-7: http://cdn.remirepo.net/RPM-GPG-KEY-remi
• EL-8: http://cdn.remirepo.net/RPM-GPG-KEY-remi2018

the cdn is a small set of servers (2 for now), only used for small "critical" traffic, usually the mirrorlist (no https available)

Wonder if the keys could be served from an actual CDN? e.g. http://keys.remirepo.net/ just for serving those files from a CDN

I made a Cloudflare endpoint from my domain with a Page Rule to force caching of the keys

(The Host override rule (required) seems to be available from enterprise plan only)

But people would be more trustworthy if you would do it, and it would be a good default value to this repo, which I'm sure would reduce thousands of requests per day to your origin.