dotfiles/config/automatrop/roles/gnupg/tasks/main.yml

---
- name: Create GnuPG directory
  ansible.builtin.file:
    path: "{{ gnupghome }}"
    state: directory
    mode: u=rwx

- name: Create GnuPG configuration files
  ansible.builtin.file:
    path: "{{ gnupghome }}/{{ item }}"
    state: file
    mode: u=rw,g=r,o=r
  loop:
    - gpg-agent.conf
    - gpg.conf

- name: Configure GnuPG
  ansible.builtin.lineinfile:
    path: "{{ gnupghome }}/gpg.conf"
    regex: ^#?\s*{{ item.key }}\s
    line: "{{ item.key }}{% if item.value is defined %} {{ item.value }}{% endif %}"
  loop:
    # Remove fluff
    - key: no-greeting
    - key: no-emit-version
    - key: no-comments
    # Output format that I prefer
    - key: keyid-format
      value: "0xlong"
    # Show fingerprints
    - key: with-fingerprint
    # Make sure to show if key is invalid
    # (should be default on most platform,
    # but just to be sure)
    - key: list-options
      value: show-uid-validity
    - key: verify-options
      value: show-uid-validity
    # Stronger algorithm (https://wiki.archlinux.org/title/GnuPG#Different_algorithm)
    - key: personal-digest-preferences
      value: SHA512
    - key: cert-digest-algo
      value: SHA512
    - key: default-preference-list
      value: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
    - key: personal-cipher-preferences
      value: TWOFISH CAMELLIA256 AES 3DES

- name: Install Geoffrey Frogeye's key
  gpg_key:
    fpr: 4FBA930D314A03215E2CDB0A8312C8CAC1BAC289
    trust: 5