From 378cce9bc94ea943acd13b93871ab5ea7d72cfce Mon Sep 17 00:00:00 2001 From: transcaffeine Date: Thu, 5 Nov 2020 19:49:02 +0100 Subject: [PATCH] gnupg: ensure ssh uses gnupg-agent Loads the gnupg_agent-skript in the ~/.bashrc, which exports the needed variables (SSH_AUTH_SOCK, SSH_AGENT_PID, GPG_AGENT_INFO). Also downloads the pubkey of the user and sets ownertrust on the key. Fixes #3 --- roles/gnupg/defaults/main.yml | 1 + roles/gnupg/tasks/main.yml | 22 ++++++++++++++++++++-- roles/gnupg/templates/gpg.conf.j2 | 1 - 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/roles/gnupg/defaults/main.yml b/roles/gnupg/defaults/main.yml index 2ca58dc..c3e01c6 100644 --- a/roles/gnupg/defaults/main.yml +++ b/roles/gnupg/defaults/main.yml @@ -7,3 +7,4 @@ gpg_keygrips: [] gpg_folder: "~/.gnupg" +gpg_user: "{{ ansible_user }}" diff --git a/roles/gnupg/tasks/main.yml b/roles/gnupg/tasks/main.yml index 1fb1d1b..1b6e6eb 100644 --- a/roles/gnupg/tasks/main.yml +++ b/roles/gnupg/tasks/main.yml @@ -38,8 +38,26 @@ dest: "{{ gpg_folder }}/gnupg_agent" mode: 0700 +- name: Ensure gnupg_agent skript is included in .bashrc so SSH uses gpg-agent + blockinfile: + path: "~/.bashrc" + insertafter: "\[\[ \$- != \*i\* \]\] && return" + line: | + # load script telling SSH to use the gpg agent + source "{{ gpg_folder }}"/gnupg_agent + state: present +- name: Download own pubkey + get_url: + url: "https://git.finallycoffee.eu/{{ gpg_user }}/about/raw/branch/master/pubkey.asc" + dest: "~/{{ gpg_user }}.pub" - - +- name: Import own pubkey and set owner-trust + command: + cmd: | + gpg2 --no-tty --command-fd 0 --import ~/{{ gpg_user }}.pub << EOF + trust + 5 + quit + EOF diff --git a/roles/gnupg/templates/gpg.conf.j2 b/roles/gnupg/templates/gpg.conf.j2 index 6f62bf6..79a8906 100644 --- a/roles/gnupg/templates/gpg.conf.j2 +++ b/roles/gnupg/templates/gpg.conf.j2 
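Review bot: The `insertafter` value in the new blockinfile task is double-quoted, so `\[`, `\$` and `\*` are read as YAML escape sequences and the tasks file no longer parses; single-quote it, `insertafter: '\[\[ \$- != \*i\* \]\] && return'`, and rename `line:` to `block:`, since `line` is a lineinfile parameter that blockinfile rejects. The last task hands a shell heredoc to `command`, which runs without a shell, so `--command-fd 0` never receives `trust`/`5`/`quit`; as far as I know `gpg --import` has no trust prompt to answer in the first place, so the owner-trust would not be set even under `shell`. Whatever file the download URL serves for `gpg_user` is then marked ultimately trusted with no fingerprint or digest check, which lets a substituted key validate every signature it makes on that host. Pin the expected digest with `checksum:` on get_url and set owner-trust only for the known fingerprint through `--import-ownertrust` fed via the module's `stdin` parameter, as sketched below; the task that the first two context lines belong to begins above the hunk.
```yaml
- name: Download own pubkey
  get_url:
    url: "https://git.finallycoffee.eu/{{ gpg_user }}/about/raw/branch/master/pubkey.asc"
    dest: "~/{{ gpg_user }}.pub"
    checksum: "sha256:<EXPECTED_PUBKEY_SHA256>"  # placeholder: digest of the key you published
- name: Import own pubkey
  command:
    cmd: "gpg2 --no-tty --batch --import ~/{{ gpg_user }}.pub"
- name: Set owner-trust on the pinned fingerprint only
  command:
    cmd: "gpg2 --no-tty --batch --import-ownertrust"
    stdin: "<EXPECTED_FINGERPRINT>:6:\n"  # placeholder: 40-hex fingerprint; 6 = ultimate
```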
@@ -8,5 +8,4 @@ allow-freeform-uid
 with-fingerprint
 keyid-format 0xlong
 keyserver hkps://hkps.pool.sks-keyservers.net
-#keyserver-options ca-cert-file=/home/electron/.gnupg/sks-keyservers_ca.pem
 keyserver-options no-honor-keyserver-url