summaryrefslogtreecommitdiff
path: root/roles/gnupg/tasks/main.yml
blob: 183dd7dd243d5b406c047fb1fed1df43be9fb6f1 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
---
- name: Config files
  copy:
    src: "gnupg/{{ gnupg_config_item }}"
    dest: "$XDG_CONFIG_HOME/gnupg/{{ gnupg_config_item }}"
  loop:
    - gpg-agent.conf
    - gpg.conf
  loop_control:
    loop_var: gnupg_config_item
- name: Protect directory
  file:
    path: $XDG_CONFIG_HOME/gnupg
    state: directory
    mode: 0700
- name: Get gnupg runtime folder name
  shell: 'gpgconf --list-dirs socketdir | sed -e "s@$XDG_RUNTIME_DIR/gnupg/@@"'
  register: gnupg_runtime_dir_cmd
  changed_when: false
  check_mode: no
- name: check existing secret key
  shell: "gpg --list-secret-keys | grep '{{ gpg_useremail }}'"
  changed_when: false
  ignore_errors: true
  register: gpgkeys
  check_mode: no
- name: Ask for gpg password
  when: gpgkeys.stdout == ""
  block:
    - name: Ask for gpg password
      pause:
        prompt: "Chose gpg password"
        echo: false
      register: gpg_password
    - name: Confirm gpg password
      pause:
        prompt: "Confirm gpg password"
        echo: false
      register: gpg_password_confirm
    - name: check gpg password
      assert:
        that: gpg_password_confirm.user_input == gpg_password.user_input
- name: Generate gpg key
  when: gpgkeys.stdout == ""
  block:
    - name: Copy default template for gpg key generation
      template:
        src: gen-key-script.j2
        dest: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
        mode: 0600
      no_log: true
    - name: Generate gpg key
      command: "gpg --batch --gen-key $XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
      register: genkey
  always:
    - name: Remove template file
      file:
        path: "$XDG_CONFIG_HOME/gnupg/gen-key-script-{{ gpg_user }}"
        state: absent
- name: get keygrip
  shell: "gpg -K --with-colons {{ gpg_useremail }} | grep '^grp' | cut -d':' -f10"
  register: keygrip
  when: gpgkeys.stdout == ""
  notify:
    - notify add key to immae@immae.eu
    - send key to immae@immae.eu
    - notify add key to password store
- meta: flush_handlers
- name: add keygrip to sshcontrol
  lineinfile:
    line: "{{ keygrip.stdout }}"
    insertafter: EOF
    dest: "$XDG_CONFIG_HOME/gnupg/sshcontrol"
    create: true
    state: present
  when: keygrip is defined and "stdout" in keygrip and keygrip.stdout != ""
  notify:
    - restart gpg-agent
- meta: flush_handlers
- name: Override the gpg socket directory
  block:
    - name: Add systemd overrides
      template:
        src: "systemd/{{ systemd_item }}.conf.j2"
        dest: "$XDG_CONFIG_HOME/systemd/user/{{ systemd_item }}.socket.d/override.conf"
      register: results
      loop:
        - dirmngr
        - gpg-agent
        - gpg-agent-browser
        - gpg-agent-extra
        - gpg-agent-ssh
      loop_control:
        loop_var: systemd_item
    - name: Restart systemd units
      systemd:
        daemon_reload: true
        scope: user
        state: restarted
        name: "{{ restart_systemd_item }}.socket"
      loop: "{{ results.results|selectattr('changed')|map(attribute='item')|list }}"
      loop_control:
        loop_var: restart_systemd_item