Starting to convert to playbook: Added gnupg role

2019-03-16 08:44:22 +01:00 · 2019-03-16 08:44:22 +01:00 · 35e5df830f
parent 8d40aa6e63
commit 35e5df830f
8 changed files with 85 additions and 0 deletions
--- a/group_vars/gnupg.yml
+++ b/group_vars/gnupg.yml
@ -0,0 +1,3 @@
+# List of all keygrips to be templated into the sshcontrol
+gpg_keygrips: ["468CB012C93D96E3C67F2CBCFB112400050023B6"]
+
--- a/roles/gnupg/defaults/main.yml
+++ b/roles/gnupg/defaults/main.yml
@ -0,0 +1,7 @@
+# How long the PIN gets cached (max)
+gpg_cache_ttl: 300
+gpg_cache_ttl_ssh: 300
+
+# Array of all keygrips to pass to sshcontrol
+gpg_keygrips: []
+
--- a/roles/gnupg/files/gnupg_agent
+++ b/roles/gnupg/files/gnupg_agent
@ -0,0 +1,14 @@
+#!/bin/bash
+
+rc=$(pgrep gpg-agent)
+if [ "$rc" != 0 ]; then
+  export GPG_AGENT_INFO
+  export SSH_AUTH_SOCK
+  export SSH_AGENT_PID
+else
+  eval $(gpg-agent --daemon)
+fi
+
+gpg-connect-agent /bye
+export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+
--- a/roles/gnupg/tasks/main.yml
+++ b/roles/gnupg/tasks/main.yml
@ -0,0 +1,28 @@
+---
+# Installs GnuPG2 and templates the configs
+
+- name: Install gnupg (RedHat*)
+  yum: name=gnupg2 state=latest
+  when: ansible_os_family == "RedHat"
+
+- name: Install gnupg (Arch)
+  pacman:
+    name: gnupg
+    state: latest
+  when: ansible_os_family == "Archlinux"
+
+- name: Configure gpg.conf (behaviour of gpg)
+  template: src=gpg.conf.j2 ~/.gnupg/gpg.conf
+
+- name: Configure gpg-agent.conf (agent configuration)
+  template: src=gpg-agent.conf.j2 ~/.gnupg/gpg-agent.conf
+
+- name: Configure ssh-control (in order for gpg-agent to act as ssh-agent)
+  template: src=sshcontrol.j2 ~/.gnupg/sshcontrol
+
+- name: Copy gnupg_agent script, which makes gpg-agent responsible for ssh-auth
+  copy:
+    src: "{{ role_path }}/files/gpg_agent"
+    dest: ~/.gnupg/gpg_agent
+    mode: 0700
+
--- a/roles/gnupg/templates/gnupg_agent.j2
+++ b/roles/gnupg/templates/gnupg_agent.j2
--- a/roles/gnupg/templates/gpg-agent.conf.j2
+++ b/roles/gnupg/templates/gpg-agent.conf.j2
@ -0,0 +1,7 @@
+default-cache-ttl {{ gpg_cache_ttl }}
+default-cache-ttl-ssh {{ gpg_cache_ttl_ssh }}
+max-cache-ttl {{ gpg_cache_ttl }}
+max-cache-ttl-ssh {{ gpg_cache_ttl_ssh }}
+no-allow-external-cache
+enable-ssh-support
+ignore-cache-for-signing
--- a/roles/gnupg/templates/gpg.conf.j2
+++ b/roles/gnupg/templates/gpg.conf.j2
@ -0,0 +1,12 @@
+cert-digest-algo SHA256
+no-emit-version 
+no-comments 
+personal-cipher-preferences AES AES256 AES192 CAST5
+personal-digest-preferences SHA256 SHA512 SHA384 SHA224
+ignore-time-conflict 
+allow-freeform-uid 
+with-fingerprint
+keyid-format 0xlong
+keyserver hkps://hkps.pool.sks-keyservers.net
+#keyserver-options ca-cert-file=/home/electron/.gnupg/sks-keyservers_ca.pem
+keyserver-options no-honor-keyserver-url
--- a/roles/gnupg/templates/sshcontrol.j2
+++ b/roles/gnupg/templates/sshcontrol.j2
@ -0,0 +1,14 @@
+# List of allowed ssh keys.  Only keys present in this file are used
+# in the SSH protocol.  The ssh-add tool may add new entries to this
+# file to enable them; you may also add them manually.  Comment
+# lines, like this one, as well as empty lines are ignored.  Lines do
+# have a certain length limit but this is not serious limitation as
+# the format of the entries is fixed and checked by gpg-agent. A
+# non-comment line starts with optional white spaces, followed by the
+# keygrip of the key given as 40 hex digits, optionally followed by a
+# caching TTL in seconds, and another optional field for arbitrary
+# flags.   Prepend the keygrip with an '!' mark to disable it.
+
+{% for keygrip in gpg_keygrips %}
+{{ gpg_keygrips.keygrip }}
+{% endfor %}