refactor: copy external files to role, copy containers to quay.io linux-system-roles

[richm]

Copy quadlet files and configs into the role
Copy container images to quay.io/linux-system-roles

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by Sourcery

Inline quadlet and configuration assets into the trustee_server role and adjust service management behavior.

New Features:

• Add bundled quadlet unit files and configuration files under the role's files directory for trustee components.

Enhancements:

• Refactor trustee_quadlet tasks to copy quadlet and config files from the role instead of cloning an external Git repository at runtime.
• Ensure trustee configuration directory is created with appropriate permissions before deploying configs.
• Adjust secret registration server task notifications so service restarts are triggered by template changes and avoid redundant restarts when the service is already tracked.

Chores:

• Remove unused git dependency and quadlet repository variables from role defaults.

[sourcery-ai]

Reviewer's Guide

Refactors the trustee_server role to vendor quadlet and config assets into the role instead of cloning them from an external Git repo, adjusts secret registration server task notifications and restart logic, and adds static config/quadlet files plus minor vars cleanup.

Sequence diagram for secret registration server deployment and restart logic

sequenceDiagram
    actor AnsibleUser
    participant AnsibleController
    participant TaskDeployScript
    participant TaskDeployService
    participant TaskSetFact
    participant HandlerRestartServices
    participant Systemd

    AnsibleUser->>AnsibleController: run trustee_server role

    AnsibleController->>TaskDeployScript: template secret_registration_server.py
    TaskDeployScript-->>AnsibleController: result __trustee_server_secret_reg_script (changed or not)
    alt script changed
        AnsibleController->>HandlerRestartServices: notify restart_trustee_services
    end

    AnsibleController->>TaskDeployService: template secret_registration_server.service
    TaskDeployService-->>AnsibleController: result __trustee_server_secret_reg_service (changed or not)
    alt service unit changed
        AnsibleController->>HandlerRestartServices: notify restart_trustee_services
    end

    AnsibleController->>TaskSetFact: update __trustee_server_services list
    alt secret_registration_server not in __trustee_server_services
        TaskSetFact-->>AnsibleController: __trustee_server_services += secret_registration_server
    else already present
        TaskSetFact-->>AnsibleController: no change to __trustee_server_services
    end

    AnsibleController->>HandlerRestartServices: run handler if notified
    HandlerRestartServices->>Systemd: restart all services in __trustee_server_services
    Systemd-->>HandlerRestartServices: services restarted
    HandlerRestartServices-->>AnsibleController: handler completed
    AnsibleController-->>AnsibleUser: role completed

Loading

Flow diagram for quadlet and config deployment from vendored files

flowchart TD
    A_start["Start trustee_quadlet tasks"] --> B_dir["Ensure quadlet install directory exists (__trustee_server_quadlet_install_dir)"]
    B_dir --> C_copy_quadlet["Copy files from files/quadlet/ to __trustee_server_quadlet_install_dir"]
    C_copy_quadlet --> D_cfg_dir["Ensure config directory exists (__trustee_server_config_dir)"]
    D_cfg_dir --> E_loop_as["Copy files/configs/as to __trustee_server_config_dir"]
    D_cfg_dir --> F_loop_kbs["Copy files/configs/kbs to __trustee_server_config_dir"]
    D_cfg_dir --> G_loop_rvps["Copy files/configs/rvps to __trustee_server_config_dir"]
    E_loop_as --> H_done["Quadlet and config deployment complete"]
    F_loop_kbs --> H_done
    G_loop_rvps --> H_done

Loading

File-Level Changes

Change	Details	Files
Stop cloning quadlet/config files from an external Git repository and instead ship and install them from role-local files.	Remove tempfile, git clone, find, fail-if-missing, and cleanup tasks that fetched quadlet files from a remote Git repository at runtime. Change the quadlet installation task to copy all files from the role’s files/quadlet directory into the configured quadlet install directory. Add a task to ensure the Trustee Server config directory exists with correct permissions. Change config copy logic to pull specific subdirectories (as, kbs, rvps) from role-local files/configs into the Trustee Server config directory with directory_mode set.	tasks/trustee_quadlet.yml
Adjust secret registration server deployment to rely on handler notifications instead of always flagging changes and re-adding the service to the restart list.	Add notify: restart trustee services to the secret registration server script and systemd unit template tasks so handler is triggered when either changes. Update the fact-setting task that tracks services to restart so it only appends secret_registration_server if not already present and remove its explicit notify, avoiding duplicate entries and unnecessary restarts. Slightly normalize Jinja expression formatting in the set_fact task.	tasks/secret_registration_server.yml
Clean up variables to reflect vendored quadlet/config assets and remove unused Git-related settings.	Remove git from the internal trustee package list since quadlet files are no longer fetched via git. Delete variables that described the external quadlet Git repository URL, path, and branch, because they are no longer used. Retain only the quadlet install and config directory variables needed by the new copy-based approach.	vars/main.yml
Add static configuration and quadlet asset files to the role to support the new copy-based deployment model.	Introduce files/configs/kbs configuration assets, including a KBS config.toml and policy.rego for authorization policy. Add placeholder or initial config.json files for as and rvps components and a version.env file under files/configs. Add quadlet units and volume definitions (containers, volumes, pod) for trustee components under files/quadlet, to be installed directly by the role. Add a test-role files path under tests/roles/linux-system-roles.trustee_server/files to align tests with the new on-disk asset layout.	files/configs/kbs/config.toml files/configs/kbs/policy.rego files/configs/as/config.json files/configs/rvps/config.json files/configs/version.env files/quadlet/as-data.volume files/quadlet/kbs-data.volume files/quadlet/rvps-data.volume files/quadlet/trustee-as.container files/quadlet/trustee-kbs.container files/quadlet/trustee-rvps.container files/quadlet/trustee.pod tests/roles/linux-system-roles.trustee_server/files
Minor housekeeping to keep task structure aligned with the new model.	Remove an outdated comment in tasks/main.yml that referenced example tasks, keeping the playbook concise and focused.	tasks/main.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 3 issues, and left some high level feedback:

• In the trustee_quadlet.yml copy tasks, src paths like files/quadlet/ and files/configs/{{ item }} are likely incorrect for a role (they are resolved relative to the role's files/ directory), and should probably be updated to quadlet/ and configs/{{ item }} respectively to avoid looking under files/files/....
• The when condition "'secret_registration_server' not in __trustee_server_services" in secret_registration_server.yml will fail if __trustee_server_services is undefined; consider using (__trustee_server_services | default([])) in the condition as well to match the set_fact expression.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In the `trustee_quadlet.yml` copy tasks, `src` paths like `files/quadlet/` and `files/configs/{{ item }}` are likely incorrect for a role (they are resolved relative to the role's `files/` directory), and should probably be updated to `quadlet/` and `configs/{{ item }}` respectively to avoid looking under `files/files/...`.
- The `when` condition `"'secret_registration_server' not in __trustee_server_services"` in `secret_registration_server.yml` will fail if `__trustee_server_services` is undefined; consider using `(__trustee_server_services | default([]))` in the condition as well to match the `set_fact` expression.

## Individual Comments

### Comment 1
<location path="tasks/trustee_quadlet.yml" line_range="16-19" />
<code_context>
-    msg: "No quadlet files found in {{ __trustee_server_quadlet_repo_url }}/{{ __trustee_server_quadlet_repo_path }}"
-  when: quadlet_files_found.files | length == 0
-
 - name: Copy Trustee Server quadlet files to install directory
   ansible.builtin.copy:
-    src: "{{ item.path }}"
-    dest: "{{ __trustee_server_quadlet_install_dir }}/{{ item.path | basename }}"
+    src: files/quadlet/
+    dest: "{{ __trustee_server_quadlet_install_dir }}/"
     mode: "0644"
-    remote_src: true
</code_context>
<issue_to_address>
**issue (bug_risk):** Role-relative `src` path for quadlet files is likely incorrect (`files/...` will be resolved twice).

In roles, `copy.src` is already relative to the role’s `files/` directory, so `src: files/quadlet/` will be resolved as `roles/<role_name>/files/files/quadlet/`. Update this to `src: quadlet/` so Ansible correctly uses `roles/<role_name>/files/quadlet/`.
</issue_to_address>

### Comment 2
<location path="tasks/trustee_quadlet.yml" line_range="28-34" />
<code_context>
+    state: directory
+    mode: "0755"

 - name: Copy Trustee Server config files to config directory
   ansible.builtin.copy:
-    src: "{{ __trustee_server_quadlet_repo_dir.path }}/configs/"
-    dest: "{{ __trustee_server_config_dir }}/"
+    src: "files/configs/{{ item }}"
+    dest: "{{ __trustee_server_config_dir }}"
     mode: "0644"
-    remote_src: true
-    force: true
-  when: __repo_configs_dir.stat.exists
+    directory_mode: "0755"
+  loop: [as, kbs, rvps]

 - name: Generate certificates for all components
</code_context>
<issue_to_address>
**issue (bug_risk):** Config copy task probably needs role-relative `src` without the `files/` prefix.

Using `src: "files/configs/{{ item }}"` will resolve to `.../files/files/configs/<item>`, which likely doesn’t exist. For role-relative lookup, use `src: "configs/{{ item }}"` so Ansible maps it to `roles/<role_name>/files/configs/<item>` correctly.
</issue_to_address>

### Comment 3
<location path="files/configs/kbs/config.toml" line_range="15-18" />
<code_context>
+insecure_api = false
+auth_public_key = "/etc/kbs/auth.pub"
+
+[attestation_token]
+insecure_key = false
+attestataion_token_type = "CoCo"
+trusted_certs_paths = ["/etc/kbs/trusted_certs/token0.crt"]
+
+[attestation_service]
</code_context>
<issue_to_address>
**issue (bug_risk):** The `attestataion_token_type` key appears to be misspelled and may not be recognized by KBS.

`attestataion_token_type = "CoCo"` should likely be `attestation_token_type`. If KBS relies on this exact key, the typo could cause the setting to be ignored or misparsed, potentially resulting in runtime errors or unintended (possibly insecure) defaults.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[richm]

[citest]

[richm]

[citest]