[perso/Immae/Config/Ansible.git] / roles / gnupg / tasks / main.yml

---
- name: Config files
  synchronize:
    recursive: yes
    archive: no
    checksum: yes
    src: gnupg
    dest: /$XDG_CONFIG_HOME/
- name: Protect directory
  file:
    path: $XDG_CONFIG_HOME/gnupg
    state: directory
    mode: 0700
- name: Get gnupg runtime folder name
  shell: 'gpgconf --list-dirs socketdir | sed -e "s@$XDG_RUNTIME_DIR/gnupg/@@"'
  register: gnupg_runtime_dir_cmd
  changed_when: false
  check_mode: no
- name: check existing secret key
  shell: "gpg --list-secret-keys | grep '{{ gpg_useremail }}'"
  changed_when: false
  ignore_errors: true
  register: gpgkeys
  check_mode: no
- name: Ask for gpg password
  when: gpgkeys.stdout == ""
  block:
    - name: Ask for gpg password
      pause:
        prompt: "Chose gpg password"
        echo: false
      register: gpg_password
    - name: Confirm gpg password
      pause:
        prompt: "Confirm gpg password"
        echo: false
      register: gpg_password_confirm
    - name: check gpg password
      assert:
        that: gpg_password_confirm.user_input == gpg_password.user_input
- name: Generate gpg key
  when: gpgkeys.stdout == ""
  block:
    - name: Copy default template for gpg key generation
      template:
        src: gen-key-script.j2
        dest: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
        mode: 0600
      no_log: true
    - name: Generate gpg key
      command: "gpg --batch --gen-key $XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
      register: genkey
  always:
    - name: Remove template file
      file:
        path: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
        state: absent
- name: get keygrip
  shell: "gpg -K --with-colons {{ gpg_useremail }} | grep '^grp' | cut -d':' -f10"
  register: keygrip
  when: gpgkeys.stdout == ""
  notify:
    - notify add key to immae@immae.eu
    - send key to immae@immae.eu
    - notify add key to password store
- name: add keygrip to sshcontrol
  lineinfile:
    line: "{{ keygrip.stdout }}"
    insertafter: EOF
    dest: "$XDG_CONFIG_HOME/gnupg/sshcontrol"
    create: true
    state: present
  when: keygrip is defined and "stdout" in keygrip and keygrip.stdout != ""
  notify:
    - restart gpg-agent
- name: Override the gpg socket directory
  block:
    - name: Add systemd overrides
      template:
        src: "systemd/{{ item }}.conf.j2"
        dest: "$XDG_CONFIG_HOME/systemd/user/{{ item }}.socket.d/override.conf"
      register: results
      loop:
        - dirmngr
        - gpg-agent
        - gpg-agent-browser
        - gpg-agent-extra
        - gpg-agent-ssh
    - name: Restart systemd units
      systemd:
        daemon_reload: true
        scope: user
        state: restarted
        name: "{{ item }}.socket"
      loop: "{{ results.results|selectattr('changed')|map(attribute='item')|list }}"
- name: clone password store
  register: clone_password_store
  shell: "cd $(dirname $ANSIBLE_CONFIG ); git submodule update --init password_store"
  changed_when: clone_password_store is defined and "stdout" in clone_password_store and clone_password_store.stdout != ""
Commit	Line	Data
397c4fed IB	1	---
	2	- name: Config files
	3	synchronize:
	4	recursive: yes
	5	archive: no
	6	checksum: yes
	7	src: gnupg
	8	dest: /$XDG_CONFIG_HOME/
	9	- name: Protect directory
	10	file:
	11	path: $XDG_CONFIG_HOME/gnupg
	12	state: directory
	13	mode: 0700
	14	- name: Get gnupg runtime folder name
b6984948	15	shell: 'gpgconf --list-dirs socketdir \| sed -e "s@$XDG_RUNTIME_DIR/gnupg/@@"'
397c4fed	16	register: gnupg_runtime_dir_cmd
b6984948	17	changed_when: false
d03cede6	18	check_mode: no
b6984948 IB	19	- name: check existing secret key
	20	shell: "gpg --list-secret-keys \| grep '{{ gpg_useremail }}'"
	21	changed_when: false
	22	ignore_errors: true
	23	register: gpgkeys
d03cede6	24	check_mode: no
cf86d448 IB	25	- name: Ask for gpg password
	26	when: gpgkeys.stdout == ""
	27	block:
	28	- name: Ask for gpg password
	29	pause:
	30	prompt: "Chose gpg password"
	31	echo: false
	32	register: gpg_password
	33	- name: Confirm gpg password
	34	pause:
	35	prompt: "Confirm gpg password"
	36	echo: false
	37	register: gpg_password_confirm
	38	- name: check gpg password
	39	assert:
	40	that: gpg_password_confirm.user_input == gpg_password.user_input
	41	- name: Generate gpg key
	42	when: gpgkeys.stdout == ""
	43	block:
	44	- name: Copy default template for gpg key generation
	45	template:
	46	src: gen-key-script.j2
	47	dest: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
	48	mode: 0600
	49	no_log: true
	50	- name: Generate gpg key
	51	command: "gpg --batch --gen-key $XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
	52	register: genkey
	53	always:
	54	- name: Remove template file
	55	file:
	56	path: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
	57	state: absent
b6984948 IB	58	- name: get keygrip
	59	shell: "gpg -K --with-colons {{ gpg_useremail }} \| grep '^grp' \| cut -d':' -f10"
	60	register: keygrip
cf86d448	61	when: gpgkeys.stdout == ""
b6984948 IB	62	notify:
	63	- notify add key to immae@immae.eu
	64	- send key to immae@immae.eu
	65	- notify add key to password store
	66	- name: add keygrip to sshcontrol
	67	lineinfile:
	68	line: "{{ keygrip.stdout }}"
	69	insertafter: EOF
	70	dest: "$XDG_CONFIG_HOME/gnupg/sshcontrol"
	71	create: true
	72	state: present
	73	when: keygrip is defined and "stdout" in keygrip and keygrip.stdout != ""
	74	notify:
	75	- restart gpg-agent
cf86d448 IB	76	- name: Override the gpg socket directory
	77	block:
	78	- name: Add systemd overrides
	79	template:
	80	src: "systemd/{{ item }}.conf.j2"
	81	dest: "$XDG_CONFIG_HOME/systemd/user/{{ item }}.socket.d/override.conf"
	82	register: results
	83	loop:
	84	- dirmngr
	85	- gpg-agent
	86	- gpg-agent-browser
	87	- gpg-agent-extra
	88	- gpg-agent-ssh
	89	- name: Restart systemd units
	90	systemd:
	91	daemon_reload: true
	92	scope: user
	93	state: restarted
	94	name: "{{ item }}.socket"
	95	loop: "{{ results.results\|selectattr('changed')\|map(attribute='item')\|list }}"
b6984948 IB	96	- name: clone password store
	97	register: clone_password_store
	98	shell: "cd $(dirname $ANSIBLE_CONFIG ); git submodule update --init password_store"
	99	changed_when: clone_password_store is defined and "stdout" in clone_password_store and clone_password_store.stdout != ""