Starting to convert to playbook: Added gnupg role

This commit is contained in:
Johanna Dorothea Reichmann 2019-03-16 08:44:22 +01:00
parent 8d40aa6e63
commit 35e5df830f
Signed by: transcaffeine
GPG Key ID: 03624C433676E465
8 changed files with 85 additions and 0 deletions

3
group_vars/gnupg.yml Normal file
View File

@ -0,0 +1,3 @@
# List of all keygrips to be templated into the sshcontrol
gpg_keygrips: ["468CB012C93D96E3C67F2CBCFB112400050023B6"]

View File

@ -0,0 +1,7 @@
# How long the PIN gets cached (max)
gpg_cache_ttl: 300
gpg_cache_ttl_ssh: 300
# Array of all keygrips to pass to sshcontrol
gpg_keygrips: []

14
roles/gnupg/files/gnupg_agent Executable file
View File

@ -0,0 +1,14 @@
#!/bin/bash
rc=$(pgrep gpg-agent)
if [ "$rc" != 0 ]; then
export GPG_AGENT_INFO
export SSH_AUTH_SOCK
export SSH_AGENT_PID
else
eval $(gpg-agent --daemon)
fi
gpg-connect-agent /bye
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

View File

@ -0,0 +1,28 @@
---
# Installs GnuPG2 and templates the configs
- name: Install gnupg (RedHat*)
yum: name=gnupg2 state=latest
when: ansible_os_family == "RedHat"
- name: Install gnupg (Arch)
pacman:
name: gnupg
state: latest
when: ansible_os_family == "Archlinux"
- name: Configure gpg.conf (behaviour of gpg)
template: src=gpg.conf.j2 ~/.gnupg/gpg.conf
- name: Configure gpg-agent.conf (agent configuration)
template: src=gpg-agent.conf.j2 ~/.gnupg/gpg-agent.conf
- name: Configure ssh-control (in order for gpg-agent to act as ssh-agent)
template: src=sshcontrol.j2 ~/.gnupg/sshcontrol
- name: Copy gnupg_agent script, which makes gpg-agent responsible for ssh-auth
copy:
src: "{{ role_path }}/files/gpg_agent"
dest: ~/.gnupg/gpg_agent
mode: 0700

View File

View File

@ -0,0 +1,7 @@
default-cache-ttl {{ gpg_cache_ttl }}
default-cache-ttl-ssh {{ gpg_cache_ttl_ssh }}
max-cache-ttl {{ gpg_cache_ttl }}
max-cache-ttl-ssh {{ gpg_cache_ttl_ssh }}
no-allow-external-cache
enable-ssh-support
ignore-cache-for-signing

View File

@ -0,0 +1,12 @@
cert-digest-algo SHA256
no-emit-version
no-comments
personal-cipher-preferences AES AES256 AES192 CAST5
personal-digest-preferences SHA256 SHA512 SHA384 SHA224
ignore-time-conflict
allow-freeform-uid
with-fingerprint
keyid-format 0xlong
keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver-options ca-cert-file=/home/electron/.gnupg/sks-keyservers_ca.pem
keyserver-options no-honor-keyserver-url

View File

@ -0,0 +1,14 @@
# List of allowed ssh keys. Only keys present in this file are used
# in the SSH protocol. The ssh-add tool may add new entries to this
# file to enable them; you may also add them manually. Comment
# lines, like this one, as well as empty lines are ignored. Lines do
# have a certain length limit but this is not serious limitation as
# the format of the entries is fixed and checked by gpg-agent. A
# non-comment line starts with optional white spaces, followed by the
# keygrip of the key given as 40 hex digits, optionally followed by a
# caching TTL in seconds, and another optional field for arbitrary
# flags. Prepend the keygrip with an '!' mark to disable it.
{% for keygrip in gpg_keygrips %}
{{ gpg_keygrips.keygrip }}
{% endfor %}