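---
# Copy the role's "gnupg" file tree into the user's config directory.
# archive is off (ownership/permissions are left to the target) and
# checksum forces a content comparison instead of size/mtime.
- name: Config files
  synchronize:
    recursive: true
    archive: false
    checksum: true
    src: gnupg
    # NOTE(review): the leading "/" in front of the variable looks odd;
    # confirm it expands to the intended path on the target.
    dest: /$XDG_CONFIG_HOME/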
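# Private keys live here; only the owner may enter or list the directory.
# The mode is quoted so YAML does not reinterpret the leading zero.
- name: Protect directory
  file:
    path: $XDG_CONFIG_HOME/gnupg
    state: directory
    mode: "0700"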
# Read-only query of the gpg socket directory, relative to $XDG_RUNTIME_DIR/gnupg/.
# The registered value is not consumed in this file; presumably the role's
# templates use it — verify.
- name: Get gnupg runtime folder name
  changed_when: false
  register: gnupg_runtime_dir_cmd
  shell: >-
    gpgconf --list-dirs socketdir
    | sed -e "s@$XDG_RUNTIME_DIR/gnupg/@@"
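# Detect whether a secret key for gpg_useremail already exists. grep exits
# non-zero when nothing matches, which is the expected "no key" outcome, so
# that exit status is not treated as a failure; the later tasks only look at
# stdout being empty. The variable goes through the quote filter so it cannot
# break out of the shell command, and -F keeps the match literal.
# NOTE(review): this is a substring match over the whole listing; an address
# that is a suffix of another uid would also match — confirm that is acceptable.
- name: check existing secret key
  shell: "gpg --list-secret-keys | grep -F -- {{ gpg_useremail | quote }}"
  changed_when: false
  failed_when: false
  register: gpgkeys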
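# Key generation, run only when the secret-key check above found nothing.
# The condition is applied once at block level instead of being repeated on
# every task. The rendered gen-key script is removed in "always" so it does
# not stay on disk if gpg --gen-key fails part-way (the template task is
# no_log, i.e. its rendered content is treated as sensitive).
- name: generate a gpg key when none exists
  when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == ""
  block:
    - name: ask for gpg password
      pause:
        prompt: "Chose gpg password"
        echo: false
      register: gpg_password
      # the registered result carries the passphrase; keep it out of -v output and logs
      no_log: true

    - name: confirm gpg password
      pause:
        prompt: "Confirm gpg password"
        echo: false
      register: gpg_password_confirm
      no_log: true

    # Fails the play on a typo before anything is written to disk.
    - name: check gpg password
      assert:
        that: gpg_password_confirm.user_input == gpg_password.user_input

    - name: copy default template for gpg key generation
      template:
        src: gen-key-script.j2
        dest: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
        mode: "0600"
      no_log: true

    - name: generate gpg key
      command: "gpg --batch --gen-key $XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
      register: genkey

    # Field 10 of the "grp" record is the keygrip. One line per key or subkey
    # that has a grp record, so stdout may hold several lines — the consumer
    # (the sshcontrol task) should be checked against that.
    - name: get keygrip
      shell: "gpg -K --with-colons {{ gpg_useremail | quote }} | grep '^grp' | cut -d':' -f10"
      register: keygrip
      notify:
        - notify add key to immae@immae.eu
        - send key to immae@immae.eu
        - notify add key to password store
  always:
    - name: remove template file
      file:
        path: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
        state: absent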
# Register the freshly generated key's keygrip with gpg-agent's ssh support.
# Only runs when the "get keygrip" task actually produced output.
# NOTE(review): keygrip.stdout is inserted as one "line"; if gpg reported
# several grp records this value contains embedded newlines — confirm that is
# the intended content of sshcontrol.
- name: add keygrip to sshcontrol
  when:
    - keygrip is defined
    - '"stdout" in keygrip'
    - keygrip.stdout != ""
  lineinfile:
    path: "$XDG_CONFIG_HOME/gnupg/sshcontrol"
    line: "{{ keygrip.stdout }}"
    state: present
    create: true
    insertafter: EOF
  notify:
    - restart gpg-agent
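# The template module does not create missing parent directories, so make
# sure each socket's drop-in directory exists before rendering into it.
- name: Create systemd override directories
  file:
    path: "$XDG_CONFIG_HOME/systemd/user/{{ item }}.socket.d"
    state: directory
  loop:
    - dirmngr
    - gpg-agent
    - gpg-agent-browser
    - gpg-agent-extra
    - gpg-agent-ssh

# One drop-in per gpg socket unit; "results" records which files changed so
# the next task restarts only those units.
- name: Add systemd overrides
  template:
    src: "systemd/{{ item }}.conf.j2"
    dest: "$XDG_CONFIG_HOME/systemd/user/{{ item }}.socket.d/override.conf"
  register: results
  loop:
    - dirmngr
    - gpg-agent
    - gpg-agent-browser
    - gpg-agent-extra
    - gpg-agent-ssh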
# Restart (user scope) only the socket units whose override changed in the
# previous task; the daemon is reloaded first so the new drop-in is read.
- name: Restart systemd units
  loop: "{{ results.results | selectattr('changed') | map(attribute='item') | list }}"
  systemd:
    name: "{{ item }}.socket"
    scope: user
    daemon_reload: true
    state: restarted
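# Initialise the password_store submodule next to the ansible config file.
# Reports "changed" only when git printed something (it is silent when the
# submodule is already up to date).
# NOTE(review): $ANSIBLE_CONFIG is read from the target's environment, which
# only makes sense for a local connection — confirm.
- name: clone password store
  register: clone_password_store
  # both expansions quoted so a path containing spaces cannot split the cd
  shell: 'cd "$(dirname "$ANSIBLE_CONFIG")"; git submodule update --init password_store'
  changed_when: clone_password_store.stdout != ""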