From 35e5df830faffe27722fa7346167098fffa53dfb Mon Sep 17 00:00:00 2001
From: jreichmann
Date: Sat, 16 Mar 2019 08:44:22 +0100
Subject: [PATCH] Starting to convert to playbook: Added gnupg role

---
 group_vars/gnupg.yml | 3 +++
 roles/gnupg/defaults/main.yml | 7 +++++++
 roles/gnupg/files/gnupg_agent | 14 +++++++++++++
 roles/gnupg/tasks/main.yml | 28 +++++++++++++++++++++++++
 roles/gnupg/templates/gnupg_agent.j2 | 0
 roles/gnupg/templates/gpg-agent.conf.j2 | 7 +++++++
 roles/gnupg/templates/gpg.conf.j2 | 12 +++++++++++
 roles/gnupg/templates/sshcontrol.j2 | 14 +++++++++++++
 8 files changed, 85 insertions(+)
 create mode 100644 group_vars/gnupg.yml
 create mode 100644 roles/gnupg/defaults/main.yml
 create mode 100755 roles/gnupg/files/gnupg_agent
 create mode 100644 roles/gnupg/tasks/main.yml
 create mode 100644 roles/gnupg/templates/gnupg_agent.j2
 create mode 100644 roles/gnupg/templates/gpg-agent.conf.j2
 create mode 100644 roles/gnupg/templates/gpg.conf.j2
 create mode 100644 roles/gnupg/templates/sshcontrol.j2

diff --git a/group_vars/gnupg.yml b/group_vars/gnupg.yml
new file mode 100644
index 0000000..fee29df
--- /dev/null
+++ b/group_vars/gnupg.yml
@@ -0,0 +1,3 @@
+# List of all keygrips to be templated into the sshcontrol
+gpg_keygrips: ["468CB012C93D96E3C67F2CBCFB112400050023B6"]
+
diff --git a/roles/gnupg/defaults/main.yml b/roles/gnupg/defaults/main.yml
new file mode 100644
index 0000000..4687fc3
--- /dev/null
+++ b/roles/gnupg/defaults/main.yml
@@ -0,0 +1,7 @@
+# How long the PIN gets cached (max)
+gpg_cache_ttl: 300
+gpg_cache_ttl_ssh: 300
+
+# Array of all keygrips to pass to sshcontrol
+gpg_keygrips: []
+
diff --git a/roles/gnupg/files/gnupg_agent b/roles/gnupg/files/gnupg_agent
new file mode 100755
index 0000000..1de5761
--- /dev/null
+++ b/roles/gnupg/files/gnupg_agent
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+rc=$(pgrep gpg-agent)
+if [ "$rc" != 0 ]; then
+ export GPG_AGENT_INFO
+ export SSH_AUTH_SOCK
+ export SSH_AGENT_PID
+else
+ eval $(gpg-agent --daemon)
+fi
+
+gpg-connect-agent /bye
+export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+
diff --git a/roles/gnupg/tasks/main.yml b/roles/gnupg/tasks/main.yml
new file mode 100644
index 0000000..1ba4f4e
--- /dev/null
+++ b/roles/gnupg/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+# Installs GnuPG2 and templates the configs
+
+- name: Install gnupg (RedHat*)
+ yum: name=gnupg2 state=latest
+ when: ansible_os_family == "RedHat"
+
+- name: Install gnupg (Arch)
+ pacman:
+ name: gnupg
+ state: latest
+ when: ansible_os_family == "Archlinux"
+
+- name: Configure gpg.conf (behaviour of gpg)
+ template: src=gpg.conf.j2 ~/.gnupg/gpg.conf
+
+- name: Configure gpg-agent.conf (agent configuration)
+ template: src=gpg-agent.conf.j2 ~/.gnupg/gpg-agent.conf
+
+- name: Configure ssh-control (in order for gpg-agent to act as ssh-agent)
+ template: src=sshcontrol.j2 ~/.gnupg/sshcontrol
+
+- name: Copy gnupg_agent script, which makes gpg-agent responsible for ssh-auth
+ copy:
+ src: "{{ role_path }}/files/gpg_agent"
+ dest: ~/.gnupg/gpg_agent
+ mode: 0700
+
diff --git a/roles/gnupg/templates/gnupg_agent.j2 b/roles/gnupg/templates/gnupg_agent.j2
new file mode 100644
index 0000000..e69de29
diff --git a/roles/gnupg/templates/gpg-agent.conf.j2 b/roles/gnupg/templates/gpg-agent.conf.j2
new file mode 100644
index 0000000..463f088
--- /dev/null
+++ b/roles/gnupg/templates/gpg-agent.conf.j2
@@ -0,0 +1,7 @@
+default-cache-ttl {{ gpg_cache_ttl }}
+default-cache-ttl-ssh {{ gpg_cache_ttl_ssh }}
+max-cache-ttl {{ gpg_cache_ttl }}
+max-cache-ttl-ssh {{ gpg_cache_ttl_ssh }}
+no-allow-external-cache
+enable-ssh-support
+ignore-cache-for-signing
diff --git a/roles/gnupg/templates/gpg.conf.j2 b/roles/gnupg/templates/gpg.conf.j2
new file mode 100644
index 0000000..6f62bf6
--- /dev/null
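Review bot: The `if [ "$rc" != 0 ]` test on line 4 never reaches its else branch: `rc=$(pgrep gpg-agent)` captures pgrep's stdout (a PID list, or nothing), not its exit status, so `$rc` is either empty or a PID and is always `!= 0`; the `eval $(gpg-agent --daemon)` path is dead code and the then-branch only exports three variables nothing has set. With GnuPG 2.1+ the `gpg-connect-agent /bye` call on line 12 already starts the agent on demand, so the whole pgrep/eval block can go, and dropping the `eval` of command output is also the safer habit. `export SSH_AUTH_SOCK=$(...)` on line 13 masks a failing gpgconf; split the assignment from the export and check it. Since the script's only effect is exporting SSH_AUTH_SOCK it must be sourced, not executed (the shebang and 0755 mode suggest otherwise); a header comment should say so.
```bash
#!/bin/bash
# Source this file from your shell rc (`. ~/.gnupg/gnupg_agent`): its only
# effect is exporting SSH_AUTH_SOCK, so running it as a child process does nothing.
# gpg-connect-agent starts gpg-agent on demand (GnuPG >= 2.1); no pgrep/eval needed.
gpg-connect-agent /bye >/dev/null
if sock="$(gpgconf --list-dirs agent-ssh-socket)" && [[ -S "$sock" ]]; then
  SSH_AUTH_SOCK="$sock"
  export SSH_AUTH_SOCK
fi
unset sock
```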
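Review bot: The three `template:` tasks (lines 15, 18, 21) pass the destination as a bare token, `template: src=gpg.conf.j2 ~/.gnupg/gpg.conf`, with no `dest=`, so the module should fail with a missing-argument error before any config is written; the copy task on line 25 then references `files/gpg_agent` while the file this commit adds is `files/gnupg_agent`. Nothing creates `~/.gnupg` or pins its mode, and the rendered files inherit the default umask, yet `sshcontrol` and `gpg-agent.conf` decide which keys gpg-agent offers to SSH and gpg itself warns when its homedir is group/world accessible; create the directory with `0700` and write the configs with `0600`. `state: latest` on both package tasks upgrades gnupg on every run; `present` is the idempotent choice. The empty `templates/gnupg_agent.j2` added alongside is unused and can be dropped.
```yaml
- name: Install gnupg (RedHat*)
  yum:
    name: gnupg2
    state: present
  when: ansible_os_family == "RedHat"
# … unchanged: Arch install task, with state: present …

- name: Ensure ~/.gnupg exists and is private
  file:
    path: ~/.gnupg
    state: directory
    mode: "0700"

- name: Configure gpg.conf (behaviour of gpg)
  template:
    src: gpg.conf.j2
    dest: ~/.gnupg/gpg.conf
    mode: "0600"
# … same shape for gpg-agent.conf.j2 -> ~/.gnupg/gpg-agent.conf and sshcontrol.j2 -> ~/.gnupg/sshcontrol …

- name: Copy gnupg_agent script, which makes gpg-agent responsible for ssh-auth
  copy:
    src: gnupg_agent
    dest: ~/.gnupg/gnupg_agent
    mode: "0700"
```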
+++ b/roles/gnupg/templates/gpg.conf.j2
@@ -0,0 +1,12 @@
+cert-digest-algo SHA256
+no-emit-version
+no-comments
+personal-cipher-preferences AES AES256 AES192 CAST5
+personal-digest-preferences SHA256 SHA512 SHA384 SHA224
+ignore-time-conflict
+allow-freeform-uid
+with-fingerprint
+keyid-format 0xlong
+keyserver hkps://hkps.pool.sks-keyservers.net
+#keyserver-options ca-cert-file=/home/electron/.gnupg/sks-keyservers_ca.pem
+keyserver-options no-honor-keyserver-url
diff --git a/roles/gnupg/templates/sshcontrol.j2 b/roles/gnupg/templates/sshcontrol.j2
new file mode 100644
index 0000000..3c6a2c2
--- /dev/null
+++ b/roles/gnupg/templates/sshcontrol.j2
@@ -0,0 +1,14 @@
+# List of allowed ssh keys. Only keys present in this file are used
+# in the SSH protocol. The ssh-add tool may add new entries to this
+# file to enable them; you may also add them manually. Comment
+# lines, like this one, as well as empty lines are ignored. Lines do
+# have a certain length limit but this is not serious limitation as
+# the format of the entries is fixed and checked by gpg-agent. A
+# non-comment line starts with optional white spaces, followed by the
+# keygrip of the key given as 40 hex digits, optionally followed by a
+# caching TTL in seconds, and another optional field for arbitrary
+# flags. Prepend the keygrip with an '!' mark to disable it.
+
+{% for keygrip in gpg_keygrips %}
+{{ gpg_keygrips.keygrip }}
+{% endfor %}
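Review bot: `ignore-time-conflict` on line 6 makes gpg accept keys and signatures whose timestamps conflict (for example a signature dated before its key existed) and treat them as valid, which switches off a check that helps catch tampered or back-dated material; unless there is a known clock-skew reason on these hosts, drop the line. `personal-cipher-preferences AES AES256 AES192 CAST5` ranks AES-128 ahead of AES-256 and keeps the legacy CAST5 in the list; `personal-cipher-preferences AES256 AES192 AES` is the usual ordering. The commented-out `ca-cert-file=/home/electron/...` on line 11 is a hard-coded user path that can never be right on another host or user, so either template it from a variable or remove it. Note also that the hkps.pool.sks-keyservers.net pool has since been shut down, so `keyserver hkps://keys.openpgp.org` is the practical replacement, and in GnuPG 2.1+ the keyserver setting belongs in dirmngr.conf.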
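Review bot: The loop body on line 13 renders `{{ gpg_keygrips.keygrip }}` instead of the loop variable; `gpg_keygrips` is a list, so under Ansible's default undefined-variable handling the template task should fail with a "list object has no attribute keygrip" error, and under a permissive setting it would render blank lines, leaving an sshcontrol that allows no keys and an agent that silently offers nothing to SSH. Change it to `{{ keygrip }}`. The header copied from gpg-agent says `ssh-add` may append entries to this file, but re-templating on every run will discard them; either make the role own the file explicitly with a `# {{ ansible_managed }}` line at the top, or manage entries with `lineinfile` instead of a template.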