From ce1640151c1bb01ae5e89bb216ff7fc28330d074 Mon Sep 17 00:00:00 2001
From: ionutboangiu
Date: Wed, 19 Mar 2025 20:38:05 +0200
Subject: [PATCH] update gpg role now equivalent to gpg task files from deb_packages
---
 data/ansible/roles/gpg/defaults/main.yaml | 2 +-
 data/ansible/roles/gpg/tasks/gpg-gen-key.yaml | 58 ++++++++++++++-----
 data/ansible/roles/gpg/tasks/main.yaml | 56 ++++++++++++------
 .../roles/gpg/templates/gen-key-script.j2 | 8 +--
 4 files changed, 86 insertions(+), 38 deletions(-)
diff --git a/data/ansible/roles/gpg/defaults/main.yaml b/data/ansible/roles/gpg/defaults/main.yaml
index a7d12f77d..7a2e3e400 100644
--- a/data/ansible/roles/gpg/defaults/main.yaml
+++ b/data/ansible/roles/gpg/defaults/main.yaml
@@ -5,4 +5,4 @@ gpg_useremail: "cgrates@itsyscom.com"
 gpg_pubkeyfileexport: "apt.cgrates.org.gpg.key"
 gpg_keylength: 2048
 gpg_subkeylength: 2048
-gpg_expire: 360
\ No newline at end of file
+gpg_expire: 360
diff --git a/data/ansible/roles/gpg/tasks/gpg-gen-key.yaml b/data/ansible/roles/gpg/tasks/gpg-gen-key.yaml
index a1ed0cd58..cc5c1ec13 100644
--- a/data/ansible/roles/gpg/tasks/gpg-gen-key.yaml
+++ b/data/ansible/roles/gpg/tasks/gpg-gen-key.yaml
@@ -1,23 +1,51 @@
 ---
-- name: set default gpg options
- become: yes
- template:
+- name: Set defaut gpg options
+ become: true
+ ansible.builtin.template:
 src: gpg.conf.j2
 dest: "{{ gpg_home }}/.gnupg/gpg.conf"
- mode: '0600'
+ mode: "0600"
 owner: root
-- name: copy default template for gpg
- become: yes
- template:
+- name: Copy default template for gpg key generation
+ become: true
+ ansible.builtin.template:
 src: gen-key-script.j2
- dest: "{{ gpg_home }}/gen-key-script"
- mode: '0700'
+ dest: "{{ gpg_home }}/.gnupg/gen-key-script-root"
+ mode: "0600"
 owner: root
-- name: generate gpg keys
- become: yes
- command: gpg --batch --gen-key gen-key-script
- args:
- chdir: "{{ gpg_home }}"
- notify: Restart gpg-agent
+# Not sure what this task does, or if it's needed.
+- name: List available GPG secret keys
+ become: true
+ ansible.builtin.command: "gpg --list-secret-keys --keyid-format LONG"
+
+# rng-tools might not be needed on newer kernel versions
+- name: Install rng-tools-debian
+ become: true
+ ansible.builtin.apt:
+ name: rng-tools-debian
+ state: present
+ ignore_errors: true
+
+- name: Make sure /etc/default/rng-tools-debian exist
+ become: true
+ ansible.builtin.file:
+ path: /etc/default/rng-tools-debian
+ state: touch
+
+- name: Add HRNGDEVICE=/dev/urandom so we can execute rngd
+ become: true
+ ansible.builtin.lineinfile:
+ path: /etc/default/rng-tools-debian
+ line: HRNGDEVICE=/dev/urandom
+ insertafter: last
+
+- name: Generate randomness
+ become: true
+ ansible.builtin.command: "sudo /etc/init.d/rng-tools-debian restart"
+ ignore_errors: true
+
+- name: Generate gpg key
+ become: true
+ ansible.builtin.command: "sudo gpg --batch --gen-key {{ gpg_home }}/.gnupg/gen-key-script-root"
diff --git a/data/ansible/roles/gpg/tasks/main.yaml b/data/ansible/roles/gpg/tasks/main.yaml
index fdd4e237b..7cb3139cc 100644
--- a/data/ansible/roles/gpg/tasks/main.yaml
+++ b/data/ansible/roles/gpg/tasks/main.yaml
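Review bot: The `Add HRNGDEVICE=/dev/urandom` and `Generate randomness` tasks point rngd at the kernel's own PRNG output, so they raise the kernel's entropy estimate without contributing any entropy; their only purpose is to keep `gpg --gen-key` from blocking on `/dev/random`, which since Linux 5.6 blocks only until the pool is initialized, as the `# rng-tools might not be needed` comment already suspects. Guard the four rng-tools tasks with `when: ansible_kernel is version('5.6', '<')` or drop them, and replace the `/etc/init.d/rng-tools-debian restart` command with `ansible.builtin.service`. `Generate randomness` and `Generate gpg key` prefix their command with `sudo` although the task already runs with `become: true`; the same redundancy appears in `Get user armored public key` and `After export move the key to /var/packages` in tasks/main.yaml. `List available GPG secret keys` registers nothing and will report changed on every run, so either add `changed_when: false` or remove the task.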
@@ -1,36 +1,56 @@
 ---
-# tasks file for gpg
+- name: Ensure GnuPG is installed
+ become: true
+ ansible.builtin.apt:
+ name: gnupg
+ state: present
+
+- name: Restart gpg-agent
+ become: true
+ ansible.builtin.command: "gpgconf --kill all"
+ # TODO: Make it execute only when GPG config changes or keys are updated
+ changed_when: false
+
 - name: Ensure .gnupg config directory exists with right permissions
- file:
- dest: "{{ gpg_home }}/.gnupg"
- state: directory
- mode: 0700
+ become: true
+ ansible.builtin.file:
+ dest: "{{ gpg_home }}/.gnupg"
+ state: directory
+ mode: "0700"
 owner: root
-- name: check existing secret key
- shell: "gpg --list-secret-keys | grep '{{ gpg_realname }}'"
- register: gpgkeys
+# Note: matching on realname or email doesn't allow to create multiple keys. alternative?
+- name: Check existing secret key
+ ansible.builtin.shell: "gpg --list-secret-keys | grep '{{ gpg_realname }}'"
 changed_when: false
- failed_when: false
+ ignore_errors: true
+ become: true
+ become_user: root
+ register: gpgkeys
 - name: Check expired keys
- shell: "gpg --list-keys {{ gpg_realname }} | grep 'expired'"
- register: gpgExpKeys
- changed_when: false
+ become: true
+ ansible.builtin.shell: "gpg --list-keys {{ gpg_realname }} | grep 'expired'"
+ ignore_errors: true
 failed_when: false
- when: gpgkeys.stdout_lines|length > 0
+ changed_when: false
+ register: gpgExpKeys
+ when: gpgkeys.stdout_lines|length > 0
 - name: Update expired
- shell: 'printf "expire\n{{ gpg_expire }}\nsave\n" | gpg --batch --command-fd 0 --status-fd=2 --edit-key {{ gpg_realname }}'
+ become: true
+ ansible.builtin.shell: 'printf "expire\n{{ gpg_expire }}\nsave\n" | gpg --batch --command-fd 0 --status-fd=2 --edit-key {{ gpg_realname }}'
 when: gpgkeys.stdout_lines|length > 0 and gpgExpKeys.stdout_lines|length > 0
-- include_tasks: gpg-gen-key.yaml
+- ansible.builtin.include_tasks: gpg-gen-key.yaml
 when: gpgkeys.stdout_lines|length < 1
-- name: get user armored public key
- shell: "sudo gpg --armor --output {{ gpg_pubkeyfileexport }} --export {{ gpg_useremail }}"
+- name: Get user armored public key
+ become: true
+ ansible.builtin.command: "sudo gpg --armor --output {{ gpg_pubkeyfileexport }} --export {{ gpg_useremail }}"
 when: gpgkeys.stdout_lines|length < 1 or (gpgkeys.stdout_lines|length > 0 and gpgExpKeys.stdout_lines|length > 0)
 - name: After export move the key to /var/packages
- shell: "sudo mv {{ gpg_pubkeyfileexport }} /var/packages"
+ become: true
+ ansible.builtin.command: "sudo mv {{ gpg_pubkeyfileexport }} /var/packages"
 when: gpgkeys.stdout_lines|length < 1 or (gpgkeys.stdout_lines|length > 0 and gpgExpKeys.stdout_lines|length > 0)
diff --git a/data/ansible/roles/gpg/templates/gen-key-script.j2 b/data/ansible/roles/gpg/templates/gen-key-script.j2
index 55ca3262c..fdeb7ee64 100644
--- a/data/ansible/roles/gpg/templates/gen-key-script.j2
+++ b/data/ansible/roles/gpg/templates/gen-key-script.j2
@@ -1,13 +1,13 @@
+{{ ansible_managed | comment }}
 %echo Generating a basic OpenPGP key
-Key-Type: default
+%no-protection
+Key-Type: RSA
 Key-Length: {{ gpg_keylength }}
-Subkey-Type: default
+Subkey-Type: RSA
 Subkey-Length: {{ gpg_subkeylength }}
 Name-Real: {{ gpg_realname }}
 Name-Email: {{ gpg_useremail }}
 Expire-Date: {{ gpg_expire }}
 %no-ask-passphrase
-%pubring {{ gpg_home }}/.gnupg/pubring.kbx
-%secring {{ gpg_home }}/.gnupg/private-keys-v1.d
 %commit
 %echo done
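Review bot: `Check existing secret key` swaps `failed_when: false` for `ignore_errors: true`, so a genuine gpg error (unreadable `{{ gpg_home }}/.gnupg`, missing binary) now surfaces as a failed-but-ignored task and, because `gpgkeys.stdout_lines` is then empty, is read as "no key exists" and triggers `gpg-gen-key.yaml`; the pipeline also returns grep's status, so gpg's own exit code is never seen. Prefer `failed_when: gpgkeys.rc not in [0, 1]` with `set -o pipefail;` in front of the command (under `args: executable: /bin/bash`) so only a grep miss is tolerated, and drop the `ignore_errors: true` that now sits next to `failed_when: false` in `Check expired keys`. `Restart gpg-agent` runs `gpgconf --kill all` unconditionally on every run in place of the removed handler, which the TODO acknowledges; making it a handler again, notified by the template and key tasks, would restore that. `--list-keys {{ gpg_realname }}` and `--edit-key {{ gpg_realname }}` pass the realname to the shell unquoted, so `{{ gpg_realname | quote }}` is needed for a value containing spaces to reach gpg as one argument.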
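Review bot: `%no-protection` leaves the generated key in `{{ gpg_home }}/.gnupg` with no passphrase, so the `0700`/`0600` modes set by the task files are its only protection; that is the usual trade-off for unattended generation, but it should be stated in the template, e.g. `# No passphrase (%no-protection): key is used unattended; .gnupg permissions are the only safeguard.`. With `%no-protection` present the kept `%no-ask-passphrase` line is redundant, since GnuPG 2.1 and later treat it as a no-op, and can be removed. `Key-Type: RSA` and `Subkey-Type: RSA` hard-code the algorithm while the lengths stay templated; exposing the type through a role default alongside `gpg_keylength` would let the role change algorithm without editing the template.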