Implement gpg role

data/ansible/roles/gpg/defaults/main.yaml

@@ -0,0 +1,8 @@
+---
+gpg_home: "/root"
+gpg_realname: "CGRateS"
+gpg_useremail: "cgrates@itsyscom.com"
+gpg_pubkeyfileexport: "apt.cgrates.org.gpg.key"
+gpg_keylength: 2048
+gpg_subkeylength: 2048
+gpg_expire: 360

data/ansible/roles/gpg/tasks/gpg-gen-key.yaml

@@ -0,0 +1,20 @@
+---
+- name: set default gpg options
+  template:
+    src: gpg.conf.j2
+    dest: "{{ gpg_home }}/.gnupg/gpg.conf"
+    mode: '0600'
+    owner: root
+
+- name: copy default template for gpg
+  template:
+    src: gen-key-script.j2
+    dest: "{{ gpg_home }}/gen-key-script"
+    mode: '0700'
+    owner: root
+
+- name: generate gpg keys
+  command: gpg --batch --gen-key gen-key-script
+  args:
+    chdir: "{{ gpg_home }}"
+  notify: Restart gpg-agent

data/ansible/roles/gpg/tasks/main.yaml

@@ -0,0 +1,36 @@
+---
+# tasks file for gpg
+- name: Ensure .gnupg config directory exists with right permissions
+  file: 
+    dest: "{{ gpg_home }}/.gnupg" 
+    state: directory 
+    mode: 0700 
+    owner: root
+
+- name: check existing secret key
+  shell: "gpg --list-secret-keys | grep '{{ gpg_realname }}'"
+  register: gpgkeys
+  changed_when: false
+  failed_when: false
+
+- name: Check expired keys
+  shell: "gpg --list-keys {{ gpg_realname }} | grep 'expired'"
+  register: gpgExpKeys
+  changed_when: false
+  failed_when: false
+  when:  gpgkeys.stdout_lines|length > 0
+
+- name: Update expired
+  shell: 'printf "expire\n{{ gpg_expire }}\nsave\n" | gpg --batch --command-fd 0 --status-fd=2 --edit-key {{ gpg_realname }}'
+  when: gpgkeys.stdout_lines|length > 0 and gpgExpKeys.stdout_lines|length > 0
+
+- include_tasks: gpg-gen-key.yaml
+  when: gpgkeys.stdout_lines|length < 1
+
+- name: get user armored public key
+  shell: "sudo gpg --armor --output {{ gpg_pubkeyfileexport }} --export {{ gpg_useremail }}"
+  when: gpgkeys.stdout_lines|length < 1 or (gpgkeys.stdout_lines|length > 0 and gpgExpKeys.stdout_lines|length > 0)
+
+- name: After export move the key to /var/packages
+  shell: "sudo mv {{ gpg_pubkeyfileexport }} /var/packages"
+  when: gpgkeys.stdout_lines|length < 1 or (gpgkeys.stdout_lines|length > 0 and gpgExpKeys.stdout_lines|length > 0)

data/ansible/roles/gpg/templates/gen-key-script.j2

@@ -0,0 +1,13 @@
+%echo Generating a basic OpenPGP key
+Key-Type: default
+Key-Length: {{ gpg_keylength }}
+Subkey-Type: default
+Subkey-Length: {{ gpg_subkeylength }}
+Name-Real: {{ gpg_realname }}
+Name-Email: {{ gpg_useremail }}
+Expire-Date: {{ gpg_expire }}
+Passphrase: 
+%pubring {{ gpg_home }}/.gnupg/pubring.kbx
+%secring {{ gpg_home }}/.gnupg/private-keys-v1.d
+%commit
+%echo done

data/ansible/roles/gpg/templates/gpg.conf.j2

@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+# Prioritize stronger algorithms for new keys.
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
+# Use a stronger digest than the default SHA1 for certifications.
+cert-digest-algo SHA512