From 0c02e1b46357062742d1f2e4c785df46307f6dc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denis=20Krienb=C3=BChl?= Date: Thu, 3 Apr 2025 16:09:14 +0200 Subject: [PATCH] [reprepro] Add ability to disable GPG snapshot creation Under some circumstances those are not desirable: - When the backup is done another way. - If one does not want them on the Ansible controller. - If the secret directory is not used. --- ansible/roles/reprepro/defaults/main.yml | 10 ++++++++++ ansible/roles/reprepro/tasks/configure_gnupg.yml | 5 ++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/ansible/roles/reprepro/defaults/main.yml b/ansible/roles/reprepro/defaults/main.yml index f8a44ecb7d..f0d68acb71 100644 --- a/ansible/roles/reprepro/defaults/main.yml +++ b/ansible/roles/reprepro/defaults/main.yml @@ -165,6 +165,16 @@ reprepro__gpg_snapshot_name: 'gnupg.tar' # be archived. reprepro__gpg_snapshot_path: '{{ secret + "/reprepro/snapshots/" + inventory_hostname }}' + +# .. envvar:: reprepro__gpg_snapshot_keep [[[ +# +# Wether gpg snapshots should be created and downloaded to the Ansible +# controller. This should only be disabled the backup is kept another way. +# +# When disabling the snapshot, after using them, the old gnupg.tar files should +# be removed, otherwise the role might revert to an old snapshot state. +reprepro__gpg_snapshot_keep: true + # ]]] # .. envvar:: reprepro__gpg_key_type [[[ # diff --git a/ansible/roles/reprepro/tasks/configure_gnupg.yml b/ansible/roles/reprepro/tasks/configure_gnupg.yml index adea0fe795..3dd5bb2faf 100644 --- a/ansible/roles/reprepro/tasks/configure_gnupg.yml +++ b/ansible/roles/reprepro/tasks/configure_gnupg.yml 
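Review bot: The doc comment added for `reprepro__gpg_snapshot_keep` in defaults/main.yml has two wording slips and leaves the cleanup step vague: "Wether" should be "Whether", and "should only be disabled the backup is kept another way" is missing an "if". The comment warns that leftover archives can make the role revert to an old snapshot state, so it should name both copies that have to be removed, for example `# Remove gnupg.tar from reprepro__gpg_snapshot_path on the controller and from reprepro__home on the host.` Those two locations are the `dest` and `src` of the fetch task in configure_gnupg.yml, and the archive presumably contains the repository signing key, so naming them also tells the operator what still needs protecting once the flag is off. The `_keep` suffix reads like a retention setting although the flag gates creation and download; one sentence saying that existing archives are neither deleted nor ignored would avoid the misreading.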
@@ -71,13 +71,16 @@ group: '{{ reprepro__group }}' mode: '0600' register: reprepro__register_gpg_archive + when: reprepro__gpg_snapshot_keep - name: Upload ~/.gnupg archive to Ansible Controller ansible.builtin.fetch: # noqa no-handler src: '{{ reprepro__home + "/" + reprepro__gpg_snapshot_name }}' dest: '{{ reprepro__gpg_snapshot_path + "/" + reprepro__gpg_snapshot_name }}' flat: True - when: reprepro__register_gpg_archive is changed + when: + - reprepro__gpg_snapshot_keep + - reprepro__register_gpg_archive is changed - name: Remove old automatic signing key ansible.builtin.file: # noqa no-handler
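Review bot: Both new conditions test `reprepro__gpg_snapshot_keep` as a bare variable, so a string value (for example `-e reprepro__gpg_snapshot_keep=false`, or a quoted value in inventory) is a non-empty string and is likely to evaluate as true on ansible-core releases that no longer re-evaluate bare variables; the ~/.gnupg archive would then still be created and fetched to the controller although the operator turned it off. Cast at both sites: `when: reprepro__gpg_snapshot_keep | bool` on the archive task and `- reprepro__gpg_snapshot_keep | bool` in the fetch task's list. Separately, nothing in this hunk removes an existing `gnupg.tar` from `reprepro__home` when the flag is false, so the key archive stays on the host until someone deletes it by hand; a cleanup task guarded by `not (reprepro__gpg_snapshot_keep | bool)` would close that gap, provided it fits the restore logic that lies outside this hunk. The archive task starts above the hunk and the "Remove old automatic signing key" task continues below it.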