update gpg role

now equivalent to gpg task files from deb_packages
2026-02-11 18:16:24 +05:00 · 2025-03-19 20:38:05 +02:00
parent 11e9d523d6
commit 806d4ea4af
4 changed files with 87 additions and 36 deletions
--- a/data/ansible/roles/gpg/defaults/main.yaml
+++ b/data/ansible/roles/gpg/defaults/main.yaml
@@ -5,4 +5,4 @@ gpg_useremail: "cgrates@itsyscom.com"
 gpg_pubkeyfileexport: "apt.cgrates.org.gpg.key"
 gpg_keylength: 2048
 gpg_subkeylength: 2048
-gpg_expire: 360
+gpg_expire: 360
--- a/data/ansible/roles/gpg/tasks/gpg-gen-key.yaml
+++ b/data/ansible/roles/gpg/tasks/gpg-gen-key.yaml
@@ -1,20 +1,51 @@
 ---
- name: set default gpg options
-  template:
+- name: Set defaut gpg options
+  become: true
+  ansible.builtin.template:
    src: gpg.conf.j2
    dest: "{{ gpg_home }}/.gnupg/gpg.conf"
-    mode: '0600'
+    mode: "0600"
    owner: root

- name: copy default template for gpg
-  template:
+- name: Copy default template for gpg key generation
+  become: true
+  ansible.builtin.template:
    src: gen-key-script.j2
-    dest: "{{ gpg_home }}/gen-key-script"
-    mode: '0700'
+    dest: "{{ gpg_home }}/.gnupg/gen-key-script-root"
+    mode: "0600"
    owner: root

- name: generate gpg keys
-  command: gpg --batch --gen-key gen-key-script
-  args:
-    chdir: "{{ gpg_home }}"
-  notify: Restart gpg-agent
+# Not sure what this task does, or if it's needed.
+- name: List available GPG secret keys
+  become: true
+  ansible.builtin.command: "gpg --list-secret-keys --keyid-format LONG"
+
+# rng-tools might not be needed on newer kernel versions
+- name: Install rng-tools-debian
+  become: true
+  ansible.builtin.apt:
+    name: rng-tools-debian
+    state: present
+  ignore_errors: true
+
+- name: Make sure /etc/default/rng-tools-debian exist
+  become: true
+  ansible.builtin.file:
+    path: /etc/default/rng-tools-debian
+    state: touch
+
+- name: Add HRNGDEVICE=/dev/urandom so we can execute rngd
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/default/rng-tools-debian
+    line: HRNGDEVICE=/dev/urandom
+    insertafter: last
+
+- name: Generate randomness
+  become: true
+  ansible.builtin.command: "sudo /etc/init.d/rng-tools-debian restart"
+  ignore_errors: true
+
+- name: Generate gpg key
+  become: true
+  ansible.builtin.command: "sudo gpg --batch --gen-key {{ gpg_home }}/.gnupg/gen-key-script-root"
--- a/data/ansible/roles/gpg/tasks/main.yaml
+++ b/data/ansible/roles/gpg/tasks/main.yaml
@@ -1,36 +1,56 @@
 ---
-# tasks file for gpg
+- name: Ensure GnuPG is installed
+  become: true
+  ansible.builtin.apt:
+    name: gnupg
+    state: present
+
+- name: Restart gpg-agent
+  become: true
+  ansible.builtin.command: "gpgconf --kill all"
+  # TODO: Make it execute only when GPG config changes or keys are updated
+  changed_when: false
+
 - name: Ensure .gnupg config directory exists with right permissions
-  file: 
-    dest: "{{ gpg_home }}/.gnupg" 
-    state: directory 
-    mode: 0700 
+  become: true
+  ansible.builtin.file:
+    dest: "{{ gpg_home }}/.gnupg"
+    state: directory
+    mode: "0700"
    owner: root

- name: check existing secret key
-  shell: "gpg --list-secret-keys | grep '{{ gpg_realname }}'"
-  register: gpgkeys
+# Note: matching on realname or email doesn't allow to create multiple keys. alternative?
+- name: Check existing secret key
+  ansible.builtin.shell: "gpg --list-secret-keys | grep '{{ gpg_realname }}'"
  changed_when: false
-  failed_when: false
+  ignore_errors: true
+  become: true
+  become_user: root
+  register: gpgkeys

 - name: Check expired keys
-  shell: "gpg --list-keys {{ gpg_realname }} | grep 'expired'"
-  register: gpgExpKeys
-  changed_when: false
+  become: true
+  ansible.builtin.shell: "gpg --list-keys {{ gpg_realname }} | grep 'expired'"
+  ignore_errors: true
  failed_when: false
-  when:  gpgkeys.stdout_lines|length > 0
+  changed_when: false
+  register: gpgExpKeys
+  when: gpgkeys.stdout_lines|length > 0

 - name: Update expired
-  shell: 'printf "expire\n{{ gpg_expire }}\nsave\n" | gpg --batch --command-fd 0 --status-fd=2 --edit-key {{ gpg_realname }}'
+  become: true
+  ansible.builtin.shell: 'printf "expire\n{{ gpg_expire }}\nsave\n" | gpg --batch --command-fd 0 --status-fd=2 --edit-key {{ gpg_realname }}'
  when: gpgkeys.stdout_lines|length > 0 and gpgExpKeys.stdout_lines|length > 0

- include_tasks: gpg-gen-key.yaml
+- ansible.builtin.include_tasks: gpg-gen-key.yaml
  when: gpgkeys.stdout_lines|length < 1

- name: get user armored public key
-  shell: "sudo gpg --armor --output {{ gpg_pubkeyfileexport }} --export {{ gpg_useremail }}"
+- name: Get user armored public key
+  become: true
+  ansible.builtin.command: "sudo gpg --armor --output {{ gpg_pubkeyfileexport }} --export {{ gpg_useremail }}"
  when: gpgkeys.stdout_lines|length < 1 or (gpgkeys.stdout_lines|length > 0 and gpgExpKeys.stdout_lines|length > 0)

 - name: After export move the key to /var/packages
-  shell: "sudo mv {{ gpg_pubkeyfileexport }} /var/packages"
+  become: true
+  ansible.builtin.command: "sudo mv {{ gpg_pubkeyfileexport }} /var/packages"
  when: gpgkeys.stdout_lines|length < 1 or (gpgkeys.stdout_lines|length > 0 and gpgExpKeys.stdout_lines|length > 0)
--- a/data/ansible/roles/gpg/templates/gen-key-script.j2
+++ b/data/ansible/roles/gpg/templates/gen-key-script.j2
@@ -1,13 +1,13 @@
+{{ ansible_managed | comment }}
 %echo Generating a basic OpenPGP key
-Key-Type: default
+%no-protection
+Key-Type: RSA
 Key-Length: {{ gpg_keylength }}
-Subkey-Type: default
+Subkey-Type: RSA
 Subkey-Length: {{ gpg_subkeylength }}
 Name-Real: {{ gpg_realname }}
 Name-Email: {{ gpg_useremail }}
 Expire-Date: {{ gpg_expire }}
-Passphrase: 
-%pubring {{ gpg_home }}/.gnupg/pubring.kbx
-%secring {{ gpg_home }}/.gnupg/private-keys-v1.d
+%no-ask-passphrase
 %commit
 %echo done