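---
# Role: gnupg — copies the user's gnupg configuration into place, generates
# a key when none exists for gpg_useremail, and hooks gpg-agent into the
# user's systemd socket units. Paths are built from $XDG_CONFIG_HOME and
# $XDG_RUNTIME_DIR, so both are assumed to be set in the remote user's
# environment — verify on hosts where the role misbehaves.
- name: Config files
  synchronize:
    recursive: true
    # No archive mode: ownership/permissions are set explicitly afterwards.
    archive: false
    checksum: true
    src: gnupg
    # NOTE(review): the leading "/" yields "//…" when $XDG_CONFIG_HOME is
    # absolute; kept as written, confirm it is intentional.
    dest: /$XDG_CONFIG_HOME/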
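- name: Protect directory
  # Secret key material lives here, so the directory must not be readable
  # by other users. The mode is quoted: an unquoted 0700 is retyped as an
  # integer by the YAML parser and is a classic source of wrong modes.
  file:
    path: $XDG_CONFIG_HOME/gnupg
    state: directory
    mode: "0700"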
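- name: Get gnupg runtime folder name
  # gpgconf prints the agent socket directory; sed strips the
  # "$XDG_RUNTIME_DIR/gnupg/" prefix ("@" is the sed delimiter, so the
  # slashes need no escaping). The result is only registered here —
  # presumably consumed by a template elsewhere in the role; verify.
  shell: 'gpgconf --list-dirs socketdir | sed -e "s@$XDG_RUNTIME_DIR/gnupg/@@"'
  register: gnupg_runtime_dir_cmd
  # Read-only query: never reports a change and must also run in check mode
  # so later tasks can use the registered value.
  changed_when: false
  check_mode: false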
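- name: check existing secret key
  # Empty stdout means "no secret key for this address" and drives the key
  # generation tasks below. The address is shell-quoted and matched as a
  # fixed string, so a value containing quotes or regex metacharacters can
  # neither alter the command nor match unrelated keys.
  shell: "gpg --list-secret-keys | grep -F -- {{ gpg_useremail | quote }}"
  changed_when: false
  # grep exits 1 for "no match" (the expected no-key case); any other
  # non-zero status (rc 2, missing binary) is a real error and must not be
  # mistaken for "no key", which would trigger key generation.
  # NOTE(review): without pipefail a failing gpg still surfaces as rc 1 from
  # grep — consider "set -o pipefail" with a bash executable if that matters.
  failed_when: gpgkeys.rc not in [0, 1]
  register: gpgkeys
  check_mode: false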
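# Everything in this block only runs when "check existing secret key"
# found no secret key for gpg_useremail.
- name: generate gpg key when none exists
  when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == ""
  block:
    # The passphrase is asked twice with echo disabled and compared before
    # anything is written to disk.
    - name: ask for gpg password
      pause:
        prompt: "Chose gpg password"
        echo: false
      register: gpg_password

    - name: confirm gpg password
      pause:
        prompt: "Confirm gpg password"
        echo: false
      register: gpg_password_confirm

    - name: check gpg password
      assert:
        that: gpg_password_confirm.user_input == gpg_password.user_input

    # The batch script contains the passphrase in clear text. It is removed
    # in "always" so it does not stay on disk when gpg fails part-way.
    - name: generate key from a temporary batch script
      block:
        - name: copy default template for gpg key generation
          template:
            src: gen-key-script.j2
            dest: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
            mode: "0600"
          # Keeps the rendered passphrase out of logs and callback output.
          no_log: true

        - name: generate gpg key
          # Relies on the command module expanding $XDG_CONFIG_HOME in its
          # arguments (no shell is involved).
          command: "gpg --batch --gen-key $XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
          register: genkey
      always:
        - name: remove template file
          file:
            path: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
            state: absent

    - name: get keygrip
      # One "grp" record is printed for the primary key and each subkey, so
      # stdout may hold several lines; consumers should use stdout_lines.
      shell: "gpg -K --with-colons {{ gpg_useremail | quote }} | grep '^grp' | cut -d':' -f10"
      register: keygrip
      notify:
        - notify add key to immae@immae.eu
        - send key to immae@immae.eu
        - notify add key to password store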
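- name: add keygrip to sshcontrol
  lineinfile:
    line: "{{ item }}"
    insertafter: EOF
    dest: "$XDG_CONFIG_HOME/gnupg/sshcontrol"
    create: true
    state: present
  # One sshcontrol line per keygrip: "get keygrip" emits a "grp" record for
  # the primary key and every subkey, so its stdout can span several lines.
  # default([]) keeps the loop valid when "get keygrip" was skipped.
  loop: "{{ keygrip.stdout_lines | default([]) }}"
  when: keygrip is defined and "stdout" in keygrip and keygrip.stdout != ""
  notify:
    - restart gpg-agent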
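- name: Configure systemd socket overrides
  vars:
    gnupg_socket_units:
      - dirmngr
      - gpg-agent
      - gpg-agent-browser
      - gpg-agent-extra
      - gpg-agent-ssh
  block:
    # The template module does not create missing parent directories, so
    # the drop-in directories are ensured first.
    - name: Create systemd drop-in directories
      file:
        path: "$XDG_CONFIG_HOME/systemd/user/{{ item }}.socket.d"
        state: directory
      loop: "{{ gnupg_socket_units }}"

    - name: Add systemd overrides
      template:
        src: "systemd/{{ item }}.conf.j2"
        dest: "$XDG_CONFIG_HOME/systemd/user/{{ item }}.socket.d/override.conf"
      # Per-item results are used below to restart only the changed units.
      register: results
      loop: "{{ gnupg_socket_units }}"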
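# A single daemon-reload when any override changed, instead of one per
# restarted unit.
- name: Reload systemd user units
  systemd:
    daemon_reload: true
    scope: user
  when: results is changed

- name: Restart systemd units
  systemd:
    scope: user
    state: restarted
    name: "{{ item }}.socket"
  # Only the units whose override.conf was (re)written above.
  loop: "{{ results.results | selectattr('changed') | map(attribute='item') | list }}"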
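- name: clone password store
  register: clone_password_store
  # "cd" and the submodule update are chained with "&&" so an unset or wrong
  # $ANSIBLE_CONFIG fails the task instead of running git in whatever the
  # current directory happens to be; the path is quoted for spaces.
  # NOTE(review): $ANSIBLE_CONFIG is a control-host setting, yet the task is
  # not delegated — confirm where this is meant to run.
  shell: 'cd "$(dirname "$ANSIBLE_CONFIG")" && git submodule update --init password_store'
  # git prints nothing when the submodule is already up to date.
  changed_when: clone_password_store.stdout != ""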