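---
# Task list: install the user's gnupg configuration, generate a secret key
# for gpg_useremail when none exists, register its keygrip with gpg-agent's
# sshcontrol, and lay down per-socket systemd user overrides.
# Relies on gpg_user / gpg_useremail being supplied by the caller and on
# XDG_CONFIG_HOME / XDG_RUNTIME_DIR being set in the target environment.

- name: Config files
  synchronize:
    recursive: true
    archive: false
    checksum: true
    src: gnupg
    dest: /$XDG_CONFIG_HOME/

- name: Protect directory
  file:
    path: $XDG_CONFIG_HOME/gnupg
    state: directory
    # Quoted so the octal mode is passed through as written; an unquoted
    # 0700 is read as an integer by the YAML parser (decimal 700 in YAML 1.2).
    mode: "0700"

- name: Get gnupg runtime folder name
  shell: 'gpgconf --list-dirs socketdir | sed -e "s@$XDG_RUNTIME_DIR/gnupg/@@"'
  register: gnupg_runtime_dir_cmd
  changed_when: false

# A missing key shows up as an empty stdout (grep matches nothing); the
# generation steps below branch on that, not on the exit status, so a
# non-zero grep is not treated as a failure.
- name: check existing secret key
  shell: "gpg --list-secret-keys | grep {{ gpg_useremail | quote }}"
  changed_when: false
  failed_when: false
  register: gpgkeys

# Everything needed to create a key runs only when no secret key was found;
# the condition is shared by the block instead of being repeated per task.
# NOTE(review): the entered password stays in gpg_password.user_input and
# gpg_password_confirm.user_input for the rest of the play and would appear
# in verbose (-v) task output — confirm that is acceptable.
- name: generate a secret key when none exists
  when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == ""
  block:
    - name: ask for gpg password
      pause:
        prompt: "Chose gpg password"
        echo: false
      register: gpg_password

    - name: confirm gpg password
      pause:
        prompt: "Confirm gpg password"
        echo: false
      register: gpg_password_confirm

    - name: check gpg password
      assert:
        that: gpg_password_confirm.user_input == gpg_password.user_input

    # The rendered script carries the password, hence the restrictive mode,
    # no_log, and the removal right after key generation.
    - name: copy default template for gpg key generation
      template:
        src: gen-key-script.j2
        dest: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
        mode: "0600"
      no_log: true

    - name: generate gpg key
      command: "gpg --batch --gen-key $XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
      register: genkey

    - name: remove template file
      file:
        path: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
        state: absent

    # NOTE(review): gpg emits one grp line per key and subkey, so stdout may
    # hold several keygrips; the sshcontrol task below writes the whole
    # stdout as a single entry — confirm that is intended.
    - name: get keygrip
      shell: "gpg -K --with-colons {{ gpg_useremail | quote }} | grep '^grp' | cut -d':' -f10"
      register: keygrip
      notify:
        - notify add key to immae@immae.eu
        - send key to immae@immae.eu
        - notify add key to password store

- name: add keygrip to sshcontrol
  lineinfile:
    line: "{{ keygrip.stdout }}"
    insertafter: EOF
    dest: "$XDG_CONFIG_HOME/gnupg/sshcontrol"
    create: true
    state: present
  when: keygrip is defined and "stdout" in keygrip and keygrip.stdout != ""
  notify:
    - restart gpg-agent

# NOTE(review): template does not create parent directories; the
# <unit>.socket.d directories are presumably provided by the synchronized
# config tree — verify.
- name: Add systemd overrides
  template:
    src: "systemd/{{ item }}.conf.j2"
    dest: "$XDG_CONFIG_HOME/systemd/user/{{ item }}.socket.d/override.conf"
  register: results
  loop:
    - dirmngr
    - gpg-agent
    - gpg-agent-browser
    - gpg-agent-extra
    - gpg-agent-ssh

# Only the sockets whose override actually changed are restarted.
- name: Restart systemd units
  systemd:
    daemon_reload: true
    scope: user
    state: restarted
    name: "{{ item }}.socket"
  loop: "{{ results.results|selectattr('changed')|map(attribute='item')|list }}"

# Runs on the directory holding ansible.cfg; assumes ANSIBLE_CONFIG is set
# in the environment the shell task sees.
- name: clone password store
  register: clone_password_store
  shell: "cd $(dirname $ANSIBLE_CONFIG ); git submodule update --init password_store"
  changed_when: clone_password_store is defined and "stdout" in clone_password_store and clone_password_store.stdout != ""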