Revert "fix(roles/repo_grafana): only render basic-auth credentials when mirror URL is set"

danyalberchtoldlf · danyalberchtoldlf · commit 777ddcb2c0fd · 2026-04-28T09:35:56.000+02:00
This reverts commit 887d276.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -30,7 +30,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * **role:icinga2_master**: Fix `selinux` role failing on RHEL 10 with `SELinux boolean icinga2_can_connect_all is not defined in persistent policy` (and `[Errno 11]` for the other Icinga/Nagios booleans). The `icinga2-selinux` policy module references `nagios_*_plugin_t` types that were moved out of the EL10 base policy into the separate `nagios-selinux` package (EPEL), so without it the `icinga2-selinux` `%post` silently fails and the booleans never appear. The role now installs `nagios-selinux` as a separate pre-install task on RHEL 10 so its `%post` registers the required types before `icinga2-selinux`'s `%post` runs.
 * **role:infomaniak_vm**: Stop passing `security_groups` to `openstack.cloud.server`. Since the security group is already applied on the `ext-net1` port, setting it on the server made Neutron attempt the same on internal-network ports where `port_security_enabled` is `false`, failing with `Network requires port_security_enabled and subnet associated in order to apply security groups.`
 * **role:redis**: Fix `No package redis available.` on RHEL 10. Red Hat replaced Redis with Valkey (BSD-licensed, API/protocol/config-file compatible) in AppStream and the Remi repos no longer ship Redis for EL10 either. The role now installs `valkey` on EL10 via a new OS-specific `vars/RedHat10.yml`. Hardcoded paths (package name, `package_facts` lookup, `/etc/redis/`, `/var/lib/redis`, `/var/run/redis`, `/etc/redis/modules`) in `tasks/main.yml` and the `<v>-redis.conf.j2` templates are now driven by internal `__redis__*` variables, so EL8/9 keep installing Redis unchanged. User-facing variables (`redis__conf_*`, `redis__service_name`) stay backwards-compatible.
-* **role:repo_grafana**: Only render the `username`/`password` Basic-Auth fields in `grafana.repo` when `repo_grafana__mirror_url` is also set. Previously the credentials (typically inherited from `lfops__repo_basic_auth_login`) were sent to the public `https://rpm.grafana.com` server when no mirror was configured, causing dnf to fail with `Status code: 403 for https://rpm.grafana.com/repodata/repomd.xml`. Mirror credentials now only ever leave the host when there is also a mirror URL to send them to.
 * **role:redis**: Guard the four `loadmodule /usr/lib/redis/modules/{rejson,redisbloom,redistimeseries,redisearch}.so` directives in `8.0-redis.conf.j2` with an `{% if __redis__package == 'redis' %}` block. They reference Redis Stack bundle paths that don't exist on Valkey (the EL10 replacement), so loading them aborts the server. On RHEL 8/9 (Redis) the directives stay active.
 * **role:openvpn_server**: Fix `invalid selinux context: [Errno 22] Invalid argument` on RHEL 10 when deploying `server.p12` / `crl.pem`. The SELinux type `openvpn_etc_t` no longer exists in the RHEL 10 core policy (only `openvpn_port_t` and the packet types remain). The role now uses `etc_t` on RHEL 10 via a new OS-specific internal variable `__openvpn_server__selinux_etc_type`; other platforms keep `openvpn_etc_t`
 * **role:repo_epel**: Fix malformed RHEL 10 `epel.repo`: a missing newline in the `[epel-source]` section rendered `enabled=0username=<login>` when `repo_epel__basic_auth_login` was set, causing dnf to reject the file with `Invalid configuration value: enabled=0username=...`
diff --git a/roles/repo_grafana/templates/etc/yum.repos.d/grafana.repo.j2 b/roles/repo_grafana/templates/etc/yum.repos.d/grafana.repo.j2
@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-# 2026042801
+# 2024050901
 
 [grafana]
 name=grafana
@@ -16,7 +16,7 @@ sslverify=1
 sslcacert=/etc/pki/tls/certs/ca-bundle.crt
 # To prevent beta versions from being installed, add the following exclude line to your .repo file.
 exclude=*beta*
-{% if repo_grafana__mirror_url is defined and repo_grafana__mirror_url | length and repo_grafana__basic_auth_login is defined and repo_grafana__basic_auth_login | length %}
+{% if repo_grafana__basic_auth_login is defined and repo_grafana__basic_auth_login | length %}
 username={{ repo_grafana__basic_auth_login["username"] }}
 password={{ repo_grafana__basic_auth_login["password"] }}
 {% endif %}
