xenobyte/sukaato-ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added git configuration, including acquisition/creation of SSH keys; to be moved/refactored later

Browse Source
This commit is contained in:
Alex Tavarez
2025-09-25 15:06:40 -04:00
parent c551192d2c
commit 97802668da
1 changed files with 148 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

146
playbooks/init_login.yml
View File

@@ -22,6 +22,24 @@
prompt: Enter space-wrapped colon -separated list of GPG private key passwords prompt: Enter space-wrapped colon -separated list of GPG private key passwords
unsafe: yes unsafe: yes
private: yes private: yes
- name: gpg_or_ssh_git_signing
prompt: Enter preferred signing key type (e.g., ssh or gpg)
unsafe: yes
private: no
default: "ssh"
- name: gpg_preferred_signing
prompt: Enter index or number of preferred signing key (negative number for random)
unsafe: yes
private: no
default: -1
- name: git_config_name
prompt: Enter name for your git configuration
unsafe: yes
private: no
- name: git_config_email
prompt: Enter email for your git configuration
unsafe: yes
private: no
tasks: tasks:
- name: Disable shell access for root - name: Disable shell access for root
ansible.builtin.include_role: ansible.builtin.include_role:
@@ -179,5 +197,133 @@
tags: tags:
- default - default
- import_gpg_privkeys - import_gpg_privkeys
# @TODO separate below task as lockdown role task, and maybe associated variables to lockdown role defaults/vars dirs
# @NOTE below depends on variable 'gpg_signing_key' and 'gpg_or_ssh_git_signing' from 'vars_prompt' playbook field
# @NOTE below depends on variable 'gpg_origin_private_keyids' and 'files_mode' found in lockdown role defaults/vars dirs
- name: Install and configure git
block:
- name: Install git package
ansible.builtin.package:
name: git
state: latest
- name: Configure git installation
block:
- name: Configure git name
community.general.git_config:
name: user.name
scope: global
state: present
value: "{{ git_config_name }}"
- name: Configure git email
community.general.git_config:
name: user.email
scope: global
state: present
value: "{{ git_config_email }}"
- name: Configure git signing key
block:
- name: Configure git signing GPG key
when: gpg_or_ssh_git_signing == "gpg"
block:
- name: Configure specified git signing GPG key
when: gpg_preferred_signing > -1
community.general.git_config:
name: user.signingkey
scope: global
state: present
value: "{{ gpg_origin_private_keyids[gpg_preferred_signing] }}"
- name: Configure random git signing GPG key
when: gpg_preferred_signing <= -1
community.general.git_config:
name: user.signingkey
scope: global
state: present
value: "{{ gpg_origin_private_keyids | random }}"
register: randomized_gpg_key_preference
- name: Configure git signing SSH key
when: gpg_or_ssh_git_signing == "ssh"
block:
- name: Acquire SSH key-pairs from other system
when: not files_mode
block:
- name: Acquire private SSH keys from other system
delegate_to: "{{ ssh_keypairs_origin_host }}" # @TODO variable needs declaration/definition
ansible.builtin.command:
argv:
- cat
- ~/.ssh/"{{ item }}.ppk"
loop: "{{ ssh_origin_keypairs_paths }}" # @TODO variable needs declaration/definition--should have max 2 items each without file extension, with private and then public keys having same basename
register: ssh_secrets
- name: Find SSH public keys in other system
delegate_to: "{{ ssh_keypairs_origin_host }}" # @TODO variable needs declaration/definition
ansible.builtin.command:
argv:
- cat
- ~/.ssh/"{{ item }}.pub"
loop: "{{ ssh_origin_keypairs_paths }}" # @TODO variable needs declaration/definition--should have max 2 items each without file extension, with private and then public keys having same basename
register: ssh_nonsecrets
- name: Create private SSH keys
ansible.builtin.copy:
content: "{{ item }}"
dest: "{{ ansible_facts['user_dir'] }}/.ssh/id_ed25519_git.ppk"
force: yes
backup: yes
mode: "0600"
state: present
loop: "{{ ssh_secrets.results }}"
register: created_ssh_private_keys
- name: Create public SSH keys
ansible.builtin.copy:
content: "{{ item }}"
dest: "{{ ansible_facts['user_dir'] }}/.ssh/id_ed25519_git.pub"
force: yes
backup: yes
mode: "0644"
state: present
loop: "{{ ssh_nonsecrets.results }}"
register: created_ssh_public_keys
- name: Acquire SSH key-pairs
when: files_mode
block:
- name: Transfer private SSH keys
ansible.builtin.copy:
src: files/all/ssh/id_ed25519_git.ppk # @TODO change path if and when moved into lockdown role task file and create corresponding file in lockdown role files dir
dest: "{{ ansible_facts['user_dir'] }}/.ssh/id_ed25519_git.ppk"
force: yes
backup: yes
mode: "0600"
state: present
register: created_ssh_private_key
- name: Transfer public SSH keys
ansible.builtin.copy:
src: files/all/ssh/id_ed25519_git.pub # @TODO change path if and when moved into lockdown role task file and create corresponding file in lockdown role files dir
dest: "{{ ansible_facts['user_dir'] }}/.ssh/id_ed25519_git.pub"
force: yes
backup: yes
mode: "0644"
state: present
register: created_ssh_public_key
- name: Configure acquired, specified SSH public key as git signing key
when: ssh_preferred_signing > -1 and not files_mode
community.general.git_config:
name: user.signingkey
scope: global
state: present
value: "{{ created_ssh_public_keys.results[ssh_preferred_signing] }}" # @TODO this variable needs declaration/definition
- name: Configure acquired, random SSH public key as git signing key
when: ssh_preferred_signing <= -1 and not files_mode
community.general.git_config:
name: user.signingkey
scope: global
state: present
value: "{{ created_ssh_public_keys.results | random }}" # @TODO this variable needs declaration/definition
register: randomized_ssh_pubkey_preference
- name: Configure transferred SSH public key as git signing key
when: ssh_preferred_signing <= -1 and files_mode
community.general.git_config:
name: user.signingkey
scope: global
state: present
value: "{{ created_ssh_public_key.dest }}"