From 35e5df830faffe27722fa7346167098fffa53dfb Mon Sep 17 00:00:00 2001
From: jreichmann <johanna.reichmann@delta-industries.de>
Date: Sat, 16 Mar 2019 08:44:22 +0100
Subject: [PATCH] Starting to convert to playbook: Added gnupg role

---
 group_vars/gnupg.yml                    |  3 +++
 roles/gnupg/defaults/main.yml           |  7 +++++++
 roles/gnupg/files/gnupg_agent           | 14 +++++++++++++
 roles/gnupg/tasks/main.yml              | 28 +++++++++++++++++++++++++
 roles/gnupg/templates/gnupg_agent.j2    |  0
 roles/gnupg/templates/gpg-agent.conf.j2 |  7 +++++++
 roles/gnupg/templates/gpg.conf.j2       | 12 +++++++++++
 roles/gnupg/templates/sshcontrol.j2     | 14 +++++++++++++
 8 files changed, 85 insertions(+)
 create mode 100644 group_vars/gnupg.yml
 create mode 100644 roles/gnupg/defaults/main.yml
 create mode 100755 roles/gnupg/files/gnupg_agent
 create mode 100644 roles/gnupg/tasks/main.yml
 create mode 100644 roles/gnupg/templates/gnupg_agent.j2
 create mode 100644 roles/gnupg/templates/gpg-agent.conf.j2
 create mode 100644 roles/gnupg/templates/gpg.conf.j2
 create mode 100644 roles/gnupg/templates/sshcontrol.j2

diff --git a/group_vars/gnupg.yml b/group_vars/gnupg.yml
new file mode 100644
index 0000000..fee29df
--- /dev/null
+++ b/group_vars/gnupg.yml
@@ -0,0 +1,3 @@
+# List of all keygrips to be templated into the sshcontrol
+gpg_keygrips: ["468CB012C93D96E3C67F2CBCFB112400050023B6"]
+
diff --git a/roles/gnupg/defaults/main.yml b/roles/gnupg/defaults/main.yml
new file mode 100644
index 0000000..4687fc3
--- /dev/null
+++ b/roles/gnupg/defaults/main.yml
@@ -0,0 +1,7 @@
+# How long the PIN gets cached (max)
+gpg_cache_ttl: 300
+gpg_cache_ttl_ssh: 300
+
+# Array of all keygrips to pass to sshcontrol
+gpg_keygrips: []
+
diff --git a/roles/gnupg/files/gnupg_agent b/roles/gnupg/files/gnupg_agent
new file mode 100755
index 0000000..1de5761
--- /dev/null
+++ b/roles/gnupg/files/gnupg_agent
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+rc=$(pgrep gpg-agent)
+if [ "$rc" != 0 ]; then
+  export GPG_AGENT_INFO
+  export SSH_AUTH_SOCK
+  export SSH_AGENT_PID
+else
+  eval $(gpg-agent --daemon)
+fi
+
+gpg-connect-agent /bye
+export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+
diff --git a/roles/gnupg/tasks/main.yml b/roles/gnupg/tasks/main.yml
new file mode 100644
index 0000000..1ba4f4e
--- /dev/null
+++ b/roles/gnupg/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+# Installs GnuPG2 and templates the configs
+
+- name: Install gnupg (RedHat*)
+  yum: name=gnupg2 state=latest
+  when: ansible_os_family == "RedHat"
+
+- name: Install gnupg (Arch)
+  pacman:
+    name: gnupg
+    state: latest
+  when: ansible_os_family == "Archlinux"
+
+- name: Configure gpg.conf (behaviour of gpg)
+  template: src=gpg.conf.j2 ~/.gnupg/gpg.conf
+
+- name: Configure gpg-agent.conf (agent configuration)
+  template: src=gpg-agent.conf.j2 ~/.gnupg/gpg-agent.conf
+
+- name: Configure ssh-control (in order for gpg-agent to act as ssh-agent)
+  template: src=sshcontrol.j2 ~/.gnupg/sshcontrol
+
+- name: Copy gnupg_agent script, which makes gpg-agent responsible for ssh-auth
+  copy:
+    src: "{{ role_path }}/files/gpg_agent"
+    dest: ~/.gnupg/gpg_agent
+    mode: 0700
+
diff --git a/roles/gnupg/templates/gnupg_agent.j2 b/roles/gnupg/templates/gnupg_agent.j2
new file mode 100644
index 0000000..e69de29
diff --git a/roles/gnupg/templates/gpg-agent.conf.j2 b/roles/gnupg/templates/gpg-agent.conf.j2
new file mode 100644
index 0000000..463f088
--- /dev/null
+++ b/roles/gnupg/templates/gpg-agent.conf.j2
@@ -0,0 +1,7 @@
+default-cache-ttl {{ gpg_cache_ttl }}
+default-cache-ttl-ssh {{ gpg_cache_ttl_ssh }}
+max-cache-ttl {{ gpg_cache_ttl }}
+max-cache-ttl-ssh {{ gpg_cache_ttl_ssh }}
+no-allow-external-cache
+enable-ssh-support
+ignore-cache-for-signing
diff --git a/roles/gnupg/templates/gpg.conf.j2 b/roles/gnupg/templates/gpg.conf.j2
new file mode 100644
index 0000000..6f62bf6
--- /dev/null
+++ b/roles/gnupg/templates/gpg.conf.j2
@@ -0,0 +1,12 @@
+cert-digest-algo SHA256
+no-emit-version 
+no-comments 
+personal-cipher-preferences AES AES256 AES192 CAST5
+personal-digest-preferences SHA256 SHA512 SHA384 SHA224
+ignore-time-conflict 
+allow-freeform-uid 
+with-fingerprint
+keyid-format 0xlong
+keyserver hkps://hkps.pool.sks-keyservers.net
+#keyserver-options ca-cert-file=/home/electron/.gnupg/sks-keyservers_ca.pem
+keyserver-options no-honor-keyserver-url
diff --git a/roles/gnupg/templates/sshcontrol.j2 b/roles/gnupg/templates/sshcontrol.j2
new file mode 100644
index 0000000..3c6a2c2
--- /dev/null
+++ b/roles/gnupg/templates/sshcontrol.j2
@@ -0,0 +1,14 @@
+# List of allowed ssh keys.  Only keys present in this file are used
+# in the SSH protocol.  The ssh-add tool may add new entries to this
+# file to enable them; you may also add them manually.  Comment
+# lines, like this one, as well as empty lines are ignored.  Lines do
+# have a certain length limit but this is not serious limitation as
+# the format of the entries is fixed and checked by gpg-agent. A
+# non-comment line starts with optional white spaces, followed by the
+# keygrip of the key given as 40 hex digits, optionally followed by a
+# caching TTL in seconds, and another optional field for arbitrary
+# flags.   Prepend the keygrip with an '!' mark to disable it.
+
+{% for keygrip in gpg_keygrips %}
+{{ gpg_keygrips.keygrip }}
+{% endfor %}