generated from alexcreasy/template-ansible-gpg
-
Notifications
You must be signed in to change notification settings - Fork 0
/
yubikey.yaml
80 lines (68 loc) · 2.66 KB
/
yubikey.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
---
- name: Setup GPG and SSH from YubiKey
hosts: localhost
vars:
gpg_home: "{{ ansible_env.HOME }}/.gnupg"
gpg_agent_conf: "{{ gpg_home }}/gpg-agent.conf"
homebrew_prefix: "{{ (ansible_machine == 'arm64') | ternary('/opt/homebrew', '/usr/local') }}"
keys_repo_dir: "{{ ansible_env.HOME }}/scm/keys"
gpg_key_id: 29D71BE27C8AF3CB839EE797F9BF59EA85435E26
gpg_public_key_filename: gpg.29D71BE27C8AF3CB839EE797F9BF59EA85435E26.pub.asc
tasks:
- name: Install necessary software for YubiKey
community.general.homebrew:
name:
- gnupg
- pinentry-mac
state: present
- name: Initialize GPG
ansible.builtin.command: gpg --update-trustdb
register: gpg_init_result
changed_when: "'trustdb created' in gpg_init_result.stderr"
- name: Setup default pinentry program for GPG
ansible.builtin.lineinfile:
dest: "{{ gpg_agent_conf }}"
insertafter: EOF
line: pinentry-program {{ homebrew_prefix }}/bin/pinentry-mac
create: true
mode: "0600"
- name: Checkout public keys repo
ansible.builtin.git:
repo: https://github.com/alexcreasy/keys.git
version: main
dest: "{{ keys_repo_dir }}"
update: false
- name: Import GPG public key
ansible.builtin.command: gpg --import {{ keys_repo_dir }}/{{ gpg_public_key_filename }}
register: gpg_result
changed_when: "'imported: 1' in gpg_result.stderr"
- name: Set key trust level to ultimate
ansible.builtin.command:
cmd: gpg --import-ownertrust
stdin: "{{ gpg_key_id }}:6:"
register: trust_result
changed_when: "'gpg: inserting ownertrust of 6' in trust_result.stderr"
- name: Import private key stubs from YubiKey
ansible.builtin.command:
cmd: gpg --card-status
creates: "{{ gpg_home }}/private-keys-v1.d/48E5E8A9B9F260817718B854B68F4C47833648DD.key"
- name: Create .ssh directory if not present
ansible.builtin.file:
path: "{{ ansible_env.HOME }}/.ssh"
state: directory
mode: "0700"
- name: Create SSH key stubs from YubiKey
ansible.builtin.command:
cmd: ssh-keygen -K
chdir: "{{ ansible_env.HOME }}/.ssh"
creates: id_ed25519_sk_rk_GitHub
- name: Rename public sk key
ansible.builtin.command:
cmd: mv id_ed25519_sk_rk_GitHub.pub id_ed25519_sk.pub
chdir: "{{ ansible_env.HOME }}/.ssh"
creates: id_ed25519_sk.pub
- name: Rename private sk key stub
ansible.builtin.command:
cmd: mv id_ed25519_sk_rk_GitHub id_ed25519_sk
chdir: "{{ ansible_env.HOME }}/.ssh"
creates: id_ed25519_sk