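---
# Tasks: create a gocryptfs vault under the remote user's home, mount its
# plaintext view, copy the user's GPG keypair files into it and import them,
# then tear the mount and the password file down again.
#
# `gcfs_password` is read from stdin by gocryptfs and written to a temporary
# passfile for the mount; supply it from an encrypted source (ansible-vault,
# a secret store) and never from plain vars files.  Every task that touches
# the password carries `no_log: true` so neither its arguments nor its
# registered result end up in the play output.

- name: Copy and import GPG keypairs to remote host
  block:
    - name: Create cipher directory for gocryptfs
      file:
        path: "{{ ansible_facts['user_dir'] }}/.ciphers"
        state: directory
        # owner-only: the directory will hold the ciphertext tree
        mode: "0700"

    - name: Create a gocryptfs vault
      # The password is passed on stdin rather than on the command line so it
      # never shows up in the process list.  gocryptfs prints the generated
      # master key during -init, so the registered result is sensitive too —
      # no_log keeps both out of the log.
      command:
        argv: [/usr/bin/gocryptfs, -init, "{{ ansible_facts['user_dir'] }}/.ciphers"]
        stdin: "{{ gcfs_password }}"
      register: gcfs_masterkey_created
      no_log: true

    - name: Create temporary file for password
      tempfile:
        prefix: gcfs_passfile
        state: file
      register: tempfile_created

    - name: Put password in temporary file
      # Plaintext password on disk is unavoidable for `passfile=`; it is
      # removed again in the `always:` section below.
      lineinfile:
        path: "{{ tempfile_created.path }}"
        line: "{{ gcfs_password }}"
        state: present
        mode: "0600"
      no_log: true
      when: tempfile_created is succeeded

    - name: Create directory for storing gocryptfs decryption configuration files
      file:
        path: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers"
        state: directory
        # holds gocryptfs.conf (the wrapped master key): owner-only
        mode: "0700"

    - name: Get gocryptfs decryption configuration file metadata
      stat:
        path: "{{ ansible_facts['user_dir'] }}/.ciphers"
      when: gcfs_masterkey_created.rc == 0
      register: gcfs_vault

    - name: Copy gocryptfs decryption configuration to another directory
      # `remote_src` is a boolean switch; the file to copy belongs in `src`.
      copy:
        src: "{{ ansible_facts['user_dir'] }}/.ciphers/gocryptfs.conf"
        remote_src: true
        dest: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers/gocryptfs.conf"
        force: true
        backup: true
      register: gocryptfs_conf_copied
      when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0

    - name: Remove gocryptfs decryption configuration from source directory
      # A registered result is a mapping and therefore always truthy, even
      # when the task was skipped; test the `skipped` state explicitly so the
      # only copy of gocryptfs.conf is never deleted before it was copied.
      file:
        path: "{{ ansible_facts['user_dir'] }}/.ciphers/gocryptfs.conf"
        state: absent
      register: gocryptfs_orig_conf_removed
      when: gocryptfs_conf_copied is not skipped

    - name: Mount the gocryptfs vault
      ansible.posix.mount:
        src: "{{ ansible_facts['user_dir'] }}/.ciphers"
        path: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain"
        state: ephemeral
        fstype: fuse./usr/bin/gocryptfs
        opts: "nofail,passfile={{ tempfile_created.path }},config={{ ansible_facts['user_dir'] }}/.fskeys/ciphers/gocryptfs.conf"
      register: gcfs_mounted
      when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0

    # Everything below writes plaintext key material into the mount point, so
    # it must only run when the mount task actually ran (not when it was
    # skipped) — otherwise the keys would land in an unencrypted directory.
    - name: Create directory in decrypted gocryptfs vault
      file:
        path: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg"
        state: directory
        mode: "0700"
      when: gcfs_mounted is not skipped

    - name: Copy GPG keypair
      # `fileglob` yields absolute paths, so `item` is used as-is for the
      # source and reduced to its basename for the destination file name.
      copy:
        src: "{{ item }}"
        dest: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg/{{ item | basename }}"
        force: true
        backup: true
      loop: "{{ query('fileglob', roles_path ~ 'bootstrap/files/gpg/' ~ ansible_facts['user_id'] ~ '/*') }}"
      register: gpgkeys_copied
      when: gcfs_mounted is not skipped

    - name: Import GPG keypair
      # NOTE(review): with `become` this imports into root's keyring rather
      # than the remote user's — confirm that is the intended keyring.
      become: true
      become_method: sudo
      command:
        argv: [gpg, --import, "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg/{{ item | basename }}"]
      loop: "{{ query('fileglob', roles_path ~ 'bootstrap/files/gpg/' ~ ansible_facts['user_id'] ~ '/*') }}"
      register: gpgkeys_imported
      when: gpgkeys_copied is not skipped and gcfs_mounted is not skipped

  # @TODO create handler that sends copy of gcfs_masterkey_created somehow

  # Cleanup runs even when a task in the block fails, so neither the
  # plaintext passfile nor the decrypted view outlives the play.
  always:
    - name: Remove temporary password file
      file:
        path: "{{ tempfile_created.path }}"
        state: absent
      when: tempfile_created is defined and tempfile_created is succeeded

    - name: Unmount the gocryptfs vault
      # Must match the `path` used when mounting (`.mnt/ciphers.plain`).
      ansible.posix.mount:
        path: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain"
        state: unmounted
      register: gcfs_unmounted
      when: gcfs_mounted is defined and gcfs_mounted is not skipped

    # - name: Unmount the gocryptfs vault
    #   command:
    #     argv: [fusermount, -u, "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain"]
    #   when: gcfs_mounted is defined and gcfs_mounted is not skipped
    #   register: gpg_keypair_copy
    # (`register` is not a valid attribute on a block itself, so the original
    # trailing `register: gpg_keypair_copy` is kept here with the commented
    # task it appears to belong to.)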