Add gpg configuration, key generation and password store

8 files changed, 95 insertions, 1 deletions

diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..8a151f4
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "password_store"]
+        path = password_store
+        url = gitolite@git.immae.eu:perso/Immae/Prive/Password_store
diff --git a/password_store b/password_store
new file mode 160000
+Subproject 7f7ce3b8f8092f76fa826ce6f81f36ffd052c59
diff --git a/roles/gnupg/handlers/main.yml b/roles/gnupg/handlers/main.yml
new file mode 100644
index 0000000..d32d321
--- /dev/null
+++ b/roles/gnupg/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+- name: restart gpg-agent
+  systemd:
+    state: restarted
+    name: gpg-agent.service
+    scope: user
+- name: notify add key to immae@immae.eu
+  pause:
+    prompt: "gpg key will be sent to immae.eu, please login to tmux and give passwords there."
+    seconds: 3
+- name: send key to immae@immae.eu
+  shell: "gpg --armor --export ismael@flony | ssh immae@immae.eu add_workstation_key | gpg --import -"
+- name: notify add key to password store
+  pause:
+    prompt: "Please add the key to the password store and push: pass init -p Folder/Folder <key> <key>. Press key when done"
diff --git a/roles/gnupg/tasks/main.yml b/roles/gnupg/tasks/main.yml
index 8adaf69..d1289f5 100644
--- a/roles/gnupg/tasks/main.yml
+++ b/roles/gnupg/tasks/main.yml
@@ -12,8 +12,64 @@
     state: directory
     mode: 0700
 - name: Get gnupg runtime folder name
-  shell: 'GNUPGHOME=$XDG_CONFIG_HOME/gnupg gpgconf --list-dirs socketdir | sed -e "s@$XDG_RUNTIME_DIR/gnupg/@@"'
+  shell: 'gpgconf --list-dirs socketdir | sed -e "s@$XDG_RUNTIME_DIR/gnupg/@@"'
   register: gnupg_runtime_dir_cmd
+  changed_when: false
+- name: check existing secret key
+  shell: "gpg --list-secret-keys | grep '{{ gpg_useremail }}'"
+  changed_when: false
+  ignore_errors: true
+  register: gpgkeys
+- name: ask for gpg password
+  pause:
+    prompt: "Chose gpg password"
+    echo: false
+  register: gpg_password
+  when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == ""
+- name: confirm gpg password
+  pause:
+    prompt: "Confirm gpg password"
+    echo: false
+  register: gpg_password_confirm
+  when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == ""
+- name: check gpg password
+  assert:
+    that: gpg_password_confirm.user_input == gpg_password.user_input
+  when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == ""
+- name: copy default template for gpg key generation
+  template:
+    src: gen-key-script.j2
+    dest: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
+    mode: 0600
+  no_log: true
+  when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == ""
+- name: generate gpg key
+  command: "gpg --batch --gen-key $XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
+  when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == ""
+  register: genkey
+- name: remove template file
+  file:
+    path: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
+    state: absent
+  when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == ""
+- name: get keygrip
+  shell: "gpg -K --with-colons {{ gpg_useremail }} | grep '^grp' | cut -d':' -f10"
+  register: keygrip
+  when: gpgkeys is defined and "stdout" in gpgkeys and gpgkeys.stdout == ""
+  notify:
+    - notify add key to immae@immae.eu
+    - send key to immae@immae.eu
+    - notify add key to password store
+- name: add keygrip to sshcontrol
+  lineinfile:
+    line: "{{ keygrip.stdout }}"
+    insertafter: EOF
+    dest: "$XDG_CONFIG_HOME/gnupg/sshcontrol"
+    create: true
+    state: present
+  when: keygrip is defined and "stdout" in keygrip and keygrip.stdout != ""
+  notify:
+    - restart gpg-agent
 - name: Add systemd overrides
   template:
     src: "systemd/{{ item }}.conf.j2"
@@ -32,3 +88,7 @@
     state: restarted
     name: "{{ item }}.socket"
   loop: "{{ results.results|selectattr('changed')|map(attribute='item')|list }}"
+- name: clone password store
+  register: clone_password_store
+  shell: "cd $(dirname $ANSIBLE_CONFIG ); git submodule update --init password_store"
+  changed_when: clone_password_store is defined and "stdout" in clone_password_store and clone_password_store.stdout != ""
diff --git a/roles/gnupg/templates/gen-key-script.j2 b/roles/gnupg/templates/gen-key-script.j2
new file mode 100644
index 0000000..0687068
--- /dev/null
+++ b/roles/gnupg/templates/gen-key-script.j2
@@ -0,0 +1,6 @@
+Key-Type: RSA
+Key-Length: 4096
+Key-Usage: cert encrypt auth
+Name-Real: {{ gpg_realname }}
+Name-Email: {{ gpg_useremail }}
+Passphrase: {{ gpg_password.user_input }}
diff --git a/roles/init/tasks/main.yml b/roles/init/tasks/main.yml
index 1baec91..edbd820 100644
--- a/roles/init/tasks/main.yml
+++ b/roles/init/tasks/main.yml
@@ -1,6 +1,7 @@
 ---
 - name: Get gnupg runtime folder name
   shell: 'GNUPGHOME=$XDG_CONFIG_HOME/gnupg gpgconf --list-dirs socketdir | sed -e "s@$XDG_RUNTIME_DIR/gnupg/@@"'
+  changed_when: false
   register: gnupg_runtime_dir_cmd
 - name: Add pam_environment
   register: pam_environment
diff --git a/roles/tools/tasks/main.yml b/roles/tools/tasks/main.yml
index aa61aab..fe5b023 100644
--- a/roles/tools/tasks/main.yml
+++ b/roles/tools/tasks/main.yml
@@ -46,3 +46,8 @@
     dest: $XDG_CONFIG_HOME/systemd/user/
   notify:
     - reload systemd
+- name: Link password store
+  file:
+    path: "$XDG_DATA_HOME/pass"
+    src: "$XDG_CONFIG_HOME/ansible/password_store"
+    state: link
diff --git a/site.yml b/site.yml
index 99cf119..a2bbe22 100644
--- a/site.yml
+++ b/site.yml
@@ -1,6 +1,9 @@
 ---
 - hosts: home
   vars:
+    gpg_useremail: "ismael@flony"
+    gpg_realname: "Ismaël Bouya"
+    gpg_user: "ismael"
     debug_gnupg_runtime_dir: "d.sa5ao9hmm8xbjif73e5hcsfs"
     profile: "flony"
     role:
@@ -19,3 +22,4 @@
     - lxde
     - tools
     - contexts/fretlink
+    - gnupg