From 915b2fa5d755ecfa1dbcaa1541eaa3a75deafc93 Mon Sep 17 00:00:00 2001 From: ionutboangiu Date: Wed, 28 Jun 2023 10:56:04 -0400 Subject: [PATCH] Implement gpg role --- data/ansible/roles/gpg/defaults/main.yaml | 8 +++++ data/ansible/roles/gpg/tasks/gpg-gen-key.yaml | 20 +++++++++++ data/ansible/roles/gpg/tasks/main.yaml | 36 +++++++++++++++++++ .../roles/gpg/templates/gen-key-script.j2 | 13 +++++++ data/ansible/roles/gpg/templates/gpg.conf.j2 | 5 +++ 5 files changed, 82 insertions(+) create mode 100644 data/ansible/roles/gpg/defaults/main.yaml create mode 100644 data/ansible/roles/gpg/tasks/gpg-gen-key.yaml create mode 100644 data/ansible/roles/gpg/tasks/main.yaml create mode 100644 data/ansible/roles/gpg/templates/gen-key-script.j2 create mode 100644 data/ansible/roles/gpg/templates/gpg.conf.j2
diff --git a/data/ansible/roles/gpg/defaults/main.yaml b/data/ansible/roles/gpg/defaults/main.yaml
new file mode 100644
index 000000000..a7d12f77d
--- /dev/null
+++ b/data/ansible/roles/gpg/defaults/main.yaml
@@ -0,0 +1,8 @@
+---
+gpg_home: "/root"
+gpg_realname: "CGRateS"
+gpg_useremail: "cgrates@itsyscom.com"
+gpg_pubkeyfileexport: "apt.cgrates.org.gpg.key"
+gpg_keylength: 2048
+gpg_subkeylength: 2048
+gpg_expire: 360
\ No newline at end of file
diff --git a/data/ansible/roles/gpg/tasks/gpg-gen-key.yaml b/data/ansible/roles/gpg/tasks/gpg-gen-key.yaml
new file mode 100644
index 000000000..bc8c33ad0
--- /dev/null
+++ b/data/ansible/roles/gpg/tasks/gpg-gen-key.yaml
@@ -0,0 +1,20 @@
+---
+- name: set default gpg options
+ template:
+ src: gpg.conf.j2
+ dest: "{{ gpg_home }}/.gnupg/gpg.conf"
+ mode: '0600'
+ owner: root
+
+- name: copy default template for gpg
+ template:
+ src: gen-key-script.j2
+ dest: "{{ gpg_home }}/gen-key-script"
+ mode: '0700'
+ owner: root
+
+- name: generate gpg keys
+ command: gpg --batch --gen-key gen-key-script
+ args:
+ chdir: "{{ gpg_home }}"
+ notify: Restart gpg-agent
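Review bot: `gpg_expire: 360` is fed both to `Expire-Date:` in the batch script and to the edit-key `expire` prompt, where a bare number is interpreted as days, but nothing in the defaults says so; I'd annotate it as `gpg_expire: 360  # days (bare number in Expire-Date / edit-key 'expire' means days)`. The 2048-bit `gpg_keylength`/`gpg_subkeylength` defaults are GnuPG's RSA default and the lowest size most current guidance still accepts, and `gpg_pubkeyfileexport: "apt.cgrates.org.gpg.key"` suggests this is a long-lived repository signing key, so I'd either default to 4096 or leave a comment explaining why 2048 was chosen. The file also lacks a trailing newline (`\ No newline at end of file`).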
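Review bot: `notify: Restart gpg-agent` on the "generate gpg keys" task references a handler that nothing in this patch defines (the diffstat lists no `handlers/main.yaml`), so the one run that actually generates a key will abort with a missing-handler error unless the playbook or another role supplies it; either add the handler file or drop the `notify`, since gpg 2.x normally starts gpg-agent on demand. The rendered `{{ gpg_home }}/gen-key-script` is also left behind after `gpg --batch --gen-key` succeeds; a follow-up `file: { path: "{{ gpg_home }}/gen-key-script", state: absent }` keeps the key-generation parameters from lingering in root's home. A one-line comment on the `command` task noting that idempotence comes from the caller's `when:` in main.yaml would help the next reader, because the task itself has no `creates:` guard.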
diff --git a/data/ansible/roles/gpg/tasks/main.yaml b/data/ansible/roles/gpg/tasks/main.yaml
new file mode 100644
index 000000000..fdd4e237b
--- /dev/null
+++ b/data/ansible/roles/gpg/tasks/main.yaml
@@ -0,0 +1,36 @@
+---
+# tasks file for gpg
+- name: Ensure .gnupg config directory exists with right permissions
+ file:
+ dest: "{{ gpg_home }}/.gnupg"
+ state: directory
+ mode: 0700
+ owner: root
+
+- name: check existing secret key
+ shell: "gpg --list-secret-keys | grep '{{ gpg_realname }}'"
+ register: gpgkeys
+ changed_when: false
+ failed_when: false
+
+- name: Check expired keys
+ shell: "gpg --list-keys {{ gpg_realname }} | grep 'expired'"
+ register: gpgExpKeys
+ changed_when: false
+ failed_when: false
+ when: gpgkeys.stdout_lines|length > 0
+
+- name: Update expired
+ shell: 'printf "expire\n{{ gpg_expire }}\nsave\n" | gpg --batch --command-fd 0 --status-fd=2 --edit-key {{ gpg_realname }}'
+ when: gpgkeys.stdout_lines|length > 0 and gpgExpKeys.stdout_lines|length > 0
+
+- include_tasks: gpg-gen-key.yaml
+ when: gpgkeys.stdout_lines|length < 1
+
+- name: get user armored public key
+ shell: "sudo gpg --armor --output {{ gpg_pubkeyfileexport }} --export {{ gpg_useremail }}"
+ when: gpgkeys.stdout_lines|length < 1 or (gpgkeys.stdout_lines|length > 0 and gpgExpKeys.stdout_lines|length > 0)
+
+- name: After export move the key to /var/packages
+ shell: "sudo mv {{ gpg_pubkeyfileexport }} /var/packages"
+ when: gpgkeys.stdout_lines|length < 1 or (gpgkeys.stdout_lines|length > 0 and gpgExpKeys.stdout_lines|length > 0)
diff --git a/data/ansible/roles/gpg/templates/gen-key-script.j2 b/data/ansible/roles/gpg/templates/gen-key-script.j2
new file mode 100644
index 000000000..228615366
--- /dev/null
+++ b/data/ansible/roles/gpg/templates/gen-key-script.j2
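Review bot: The `sudo` baked into the `shell` lines of the export and `mv` tasks is inconsistent with the unprivileged `gpg --list-secret-keys` and `gpg --list-keys` checks above them: if the play already runs as root (which `gpg_home: "/root"` and `owner: root` imply) the `sudo` is redundant, and if it does not, the presence/expiry checks and the export consult different keyrings, so the role can export a key it never checked — use `become: true` on those tasks with plain `gpg`/`mv`. The detection itself is a substring grep for `gpg_realname` over human-readable, locale-dependent output; `gpg --list-secret-keys --with-colons {{ gpg_useremail }}` (and the `e` validity flag in `--with-colons` output instead of `grep 'expired'`) is exact and script-safe. `mode: 0700` is an unquoted octal that YAML 1.1 reads as an integer and should be `mode: "0700"`, matching the quoted `'0600'`/`'0700'` used in gpg-gen-key.yaml. Note also that the "Update expired" path only fires after the key has already expired, so apt clients see an expired signing key until the next play run; renewing when expiry is within some window would avoid that gap.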
@@ -0,0 +1,13 @@
+%echo Generating a basic OpenPGP key
+Key-Type: default
+Key-Length: {{ gpg_keylength }}
+Subkey-Type: default
+Subkey-Length: {{ gpg_subkeylength }}
+Name-Real: {{ gpg_realname }}
+Name-Email: {{ gpg_useremail }}
+Expire-Date: {{ gpg_expire }}
+Passphrase:
+%pubring {{ gpg_home }}/.gnupg/pubring.kbx
+%secring {{ gpg_home }}/.gnupg/private-keys-v1.d
+%commit
+%echo done
diff --git a/data/ansible/roles/gpg/templates/gpg.conf.j2 b/data/ansible/roles/gpg/templates/gpg.conf.j2
new file mode 100644
index 000000000..38d375f03
--- /dev/null
+++ b/data/ansible/roles/gpg/templates/gpg.conf.j2
@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+# Prioritize stronger algorithms for new keys.
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
+# Use a stronger digest than the default SHA1 for certifications.
+cert-digest-algo SHA512
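Review bot: An empty `Passphrase:` leaves the signing key unprotected at rest under `{{ gpg_home }}/.gnupg`; if unattended signing is the intent, the documented batch directive for that is `%no-protection` (I am not confident every GnuPG 2.x release treats an empty `Passphrase:` the same way rather than falling back to pinentry, which hangs a `--batch` run), and a comment such as `%echo NOTE: key is deliberately unprotected for unattended signing; relies on 0700 {{ gpg_home }}` should record the decision. `%secring` is a pre-2.1 directive that, as far as I recall, GnuPG 2.1+ ignores, and here it points at `private-keys-v1.d`, which is a directory; `%pubring` aimed at the default `pubring.kbx` is at best a no-op, so I'd drop both lines and let gpg use its home directory. `Key-Type: default`/`Subkey-Type: default` selects whatever the installed GnuPG considers default — RSA on 2.2, but I believe ed25519/cv25519 on 2.3+, where `Key-Length`/`Subkey-Length` are ignored — so if the 2048-bit knobs are meant to matter, pin `Key-Type: RSA` and `Subkey-Type: RSA` explicitly.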
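Review bot: `cert-digest-algo SHA512` only governs key certifications; the data signatures this key is presumably made for (the `apt.cgrates.org.gpg.key` export name elsewhere in the patch points at repository `Release`/`InRelease` signing) are chosen via `digest-algo`/`personal-digest-preferences`, so add `personal-digest-preferences SHA512 SHA384 SHA256` to make the signature digest explicit as well. The comment `# Use a stronger digest than the default SHA1 for certifications.` is stale on GnuPG 2.1+, where, as far as I know, the default certification digest is already SHA-256; I'd reword it to `# Pin the certification digest to SHA-512 (GnuPG's default varies by version).` `default-preference-list` only shapes the preferences written into newly generated keys, which the existing `for new keys` comment states correctly; SHA-1 and 3DES remain implicitly available as mandatory OpenPGP algorithms regardless, which is expected and worth a brief note so nobody assumes they are disabled.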