From b6984948ccd39e4aba15f02822703edebecb6bb7 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 6 Nov 2018 12:09:50 +0100 Subject: [PATCH] Add gpg configuration, key generation and password store --- .gitmodules | 3 ++ password_store | 1 + roles/gnupg/handlers/main.yml | 15 ++++++ roles/gnupg/tasks/main.yml | 62 ++++++++++++++++++++++++- roles/gnupg/templates/gen-key-script.j2 | 6 +++ roles/init/tasks/main.yml | 1 + roles/tools/tasks/main.yml | 5 ++ site.yml | 4 ++ 8 files changed, 96 insertions(+), 1 deletion(-) create mode 100644 .gitmodules create mode 160000 password_store create mode 100644 roles/gnupg/handlers/main.yml create mode 100644 roles/gnupg/templates/gen-key-script.j2 diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..8a151f4 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "password_store"] + path = password_store + url = gitolite@git.immae.eu:perso/Immae/Prive/Password_store diff --git a/password_store b/password_store new file mode 160000 index 0000000..7f7ce3b --- /dev/null +++ b/password_store @@ -0,0 +1 @@ +Subproject commit 7f7ce3b8f8092f76fa826ce6f81f36ffd052c591 diff --git a/roles/gnupg/handlers/main.yml b/roles/gnupg/handlers/main.yml new file mode 100644 index 0000000..d32d321 --- /dev/null +++ b/roles/gnupg/handlers/main.yml @@ -0,0 +1,15 @@ +--- +- name: restart gpg-agent + systemd: + state: restarted + name: gpg-agent.service + scope: user +- name: notify add key to immae@immae.eu + pause: + prompt: "gpg key will be sent to immae.eu, please login to tmux and give passwords there." + seconds: 3 +- name: send key to immae@immae.eu + shell: "gpg --armor --export ismael@flony | ssh immae@immae.eu add_workstation_key | gpg --import -" +- name: notify add key to password store + pause: + prompt: "Please add the key to the password store and push: pass init -p Folder/Folder . Press key when done" diff --git a/roles/gnupg/tasks/main.yml b/roles/gnupg/tasks/main.yml index 8adaf69..d1289f5 100644 --- a/roles/gnupg/tasks/main.yml +++ b/roles/gnupg/tasks/main.yml @@ -12,8 +12,64 @@ state: directory mode: 0700 - name: Get gnupg runtime folder name - shell: 'GNUPGHOME=$XDG_CONFIG_HOME/gnupg gpgconf --list-dirs socketdir | sed -e "s@$XDG_RUNTIME_DIR/gnupg/@@"' + shell: 'gpgconf --list-dirs socketdir | sed -e "s@$XDG_RUNTIME_DIR/gnupg/@@"' register: gnupg_runtime_dir_cmd + changed_when: false +- name: check existing secret key + shell: "gpg --list-secret-keys | grep '{{ gpg_useremail }}'" + changed_when: false + ignore_errors: true + register: gpgkeys +- name: ask for gpg password + pause: + prompt: "Chose gpg password" + echo: false + register: gpg_password + when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == "" +- name: confirm gpg password + pause: + prompt: "Confirm gpg password" + echo: false + register: gpg_password_confirm + when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == "" +- name: check gpg password + assert: + that: gpg_password_confirm.user_input == gpg_password.user_input + when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == "" +- name: copy default template for gpg key generation + template: + src: gen-key-script.j2 + dest: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}" + mode: 0600 + no_log: true + when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == "" +- name: generate gpg key + command: "gpg --batch --gen-key $XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}" + when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == "" + register: genkey +- name: remove template file + file: + path: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}" + state: absent + when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == "" +- name: get keygrip + shell: "gpg -K --with-colons {{ gpg_useremail }} | grep '^grp' | cut -d':' -f10" + register: keygrip + when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == "" + notify: + - notify add key to immae@immae.eu + - send key to immae@immae.eu + - notify add key to password store +- name: add keygrip to sshcontrol + lineinfile: + line: "{{ keygrip.stdout }}" + insertafter: EOF + dest: "$XDG_CONFIG_HOME/gnupg/sshcontrol" + create: true + state: present + when: keygrip is defined and "stdout" in keygrip and keygrip.stdout != "" + notify: + - restart gpg-agent - name: Add systemd overrides template: src: "systemd/{{ item }}.conf.j2" @@ -32,3 +88,7 @@ state: restarted name: "{{ item }}.socket" loop: "{{ results.results|selectattr('changed')|map(attribute='item')|list }}" +- name: clone password store + register: clone_password_store + shell: "cd $(dirname $ANSIBLE_CONFIG ); git submodule update --init password_store" + changed_when: clone_password_store is defined and "stdout" in clone_password_store and clone_password_store.stdout != "" diff --git a/roles/gnupg/templates/gen-key-script.j2 b/roles/gnupg/templates/gen-key-script.j2 new file mode 100644 index 0000000..0687068 --- /dev/null +++ b/roles/gnupg/templates/gen-key-script.j2 @@ -0,0 +1,6 @@ +Key-Type: RSA +Key-Length: 4096 +Key-Usage: cert encrypt auth +Name-Real: {{ gpg_realname }} +Name-Email: {{ gpg_useremail }} +Passphrase: {{ gpg_password.user_input }} diff --git a/roles/init/tasks/main.yml b/roles/init/tasks/main.yml index 1baec91..edbd820 100644 --- a/roles/init/tasks/main.yml +++ b/roles/init/tasks/main.yml @@ -1,6 +1,7 @@ --- - name: Get gnupg runtime folder name shell: 'GNUPGHOME=$XDG_CONFIG_HOME/gnupg gpgconf --list-dirs socketdir | sed -e "s@$XDG_RUNTIME_DIR/gnupg/@@"' + changed_when: false register: gnupg_runtime_dir_cmd - name: Add pam_environment register: pam_environment diff --git a/roles/tools/tasks/main.yml b/roles/tools/tasks/main.yml index aa61aab..fe5b023 100644 --- a/roles/tools/tasks/main.yml +++ b/roles/tools/tasks/main.yml @@ -46,3 +46,8 @@ dest: $XDG_CONFIG_HOME/systemd/user/ notify: - reload systemd +- name: Link password store + file: + path: "$XDG_DATA_HOME/pass" + src: "$XDG_CONFIG_HOME/ansible/password_store" + state: link diff --git a/site.yml b/site.yml index 99cf119..a2bbe22 100644 --- a/site.yml +++ b/site.yml @@ -1,6 +1,9 @@ --- - hosts: home vars: + gpg_useremail: "ismael@flony" + gpg_realname: "Ismaël Bouya" + gpg_user: "ismael" debug_gnupg_runtime_dir: "d.sa5ao9hmm8xbjif73e5hcsfs" profile: "flony" role: @@ -19,3 +22,4 @@ - lxde - tools - contexts/fretlink + - gnupg -- 2.41.0