87 lines
3.1 KiB
YAML
87 lines
3.1 KiB
YAML
---
|
|
- name: Copy and import GPG keypairs to remote host
|
|
block:
|
|
- name: Create cipher directory for gocryptfs
|
|
file:
|
|
path: "{{ homedir }}/.ciphers"
|
|
state: directory
|
|
- name: Create a gocryptfs vault
|
|
command:
|
|
argv: [/usr/bin/gocryptfs, -init, "{{ homedir }}/.ciphers"]
|
|
stdin: "{{ gcfs_password }}"
|
|
register: gcfs_masterkey_created
|
|
- name: Create temporary file for password
|
|
tempfile:
|
|
prefix: gcfs_passfile
|
|
state: file
|
|
register: tempfile_created
|
|
- name: Put password in temporary file
|
|
lineinfile:
|
|
path: "{{ tempfile_created.path }}"
|
|
line: "{{ gcfs_password }}"
|
|
state: present
|
|
- name: Create directory for storing gocryptfs decryption configuration files
|
|
file:
|
|
path: "{{ homedir }}/.fskeys/ciphers"
|
|
state: directory
|
|
- name: Get gocryptfs decryption configuration file metadata
|
|
stat:
|
|
path: "{{ homedir }}/.ciphers"
|
|
when: gcfs_masterkey_created.rc == 0
|
|
register: gcfs_vault
|
|
- name: Copy gocryptfs decryption configuration to this directory
|
|
copy:
|
|
remote_src: "{{ homedir }}/.ciphers/gocryptfs.conf"
|
|
dest: "{{ homedir }}/.fskeys/ciphers/gocryptfs.conf"
|
|
force: yes
|
|
backup: yes
|
|
when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0
|
|
- name: Create directory in which to mount decrypted gocryptfs vault
|
|
file:
|
|
path: "{{ homedir }}/.mnt/plains"
|
|
state: directory
|
|
- name: Mount the gocryptfs vault
|
|
ansible.posix.mount:
|
|
src: "{{ homedir }}/.ciphers"
|
|
path: "{{ homedir }}/.mnt/plains"
|
|
state: mounted
|
|
fstype: fuse./usr/bin/gocryptfs
|
|
opts: "nofail,passfile={{ tempfile_created.path }},config={{ homedir }}/.fskeys/ciphers/gocryptfs.conf"
|
|
register: gcfs_mounted
|
|
when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0
|
|
- name: Create directory in decrypted gocryptfs vault
|
|
file:
|
|
path: "{{ homedir }}/.mnt/plains/gpg"
|
|
state: directory
|
|
when: gcfs_mounted
|
|
- name: Copy GPG keypair
|
|
copy:
|
|
src: "gpg/{{ accts.username }}/main.priv.asc"
|
|
dest: "{{ homedir }}/.mnt/secrets/gpg/main.priv.asc"
|
|
force: yes
|
|
backup: yes
|
|
register: gpgkeys_copied
|
|
when: gcfs_mounted
|
|
#@TODO: Create handler that copies gcfs_masterkey_created text into decrypted vault in-between here
|
|
- name: Import GPG keypair
|
|
become: yes
|
|
become_method: sudo
|
|
command:
|
|
argv: [gpg, --import, "{{ homedir }}/.mnt/secrets/gpg/main.priv.asc"]
|
|
register: gpgkeys_imported
|
|
when: gpgkeys_copied and gcfs_mounted
|
|
# - name: Unmount the gocryptfs vault
|
|
# ansible.posix.mount:
|
|
# path: "{{ homedir }}/.mnt/plains"
|
|
# state: unmounted
|
|
# fstype: fuse
|
|
# opts: "u"
|
|
# register: gcfs_unmounted
|
|
# when: gpg_keys_copied and gcfs_mounted
|
|
- name: Unmount the gocryptfs vault
|
|
command:
|
|
argv: [fusermount, -u, "{{ homedir }}/.mnt/plains"]
|
|
when: gpgkeys_copied and gcfs_mounted
|
|
register: gpg_keypair_copy
|
|
tags: ['copy_gpg']
|