GnuPG configuration start

2021-06-29 20:54:25 +02:00 · 2021-06-29 20:54:25 +02:00 · 48031d8df7
parent 121f629bdb
commit 48031d8df7
6 changed files with 60 additions and 0 deletions
--- a/config/automatrop/playbooks/default.yml
+++ b/config/automatrop/playbooks/default.yml
@ -16,6 +16,8 @@
      when: encrypt_home_stacked_fs
    - role: dotfiles
      tags: dotfiles
+    - role: gnupg
+      tags: gnupg
    - role: mnussbaum.base16-builder-ansible # Required for desktop_environment
      tags:
        - color
--- a/config/automatrop/roles/gnupg/tasks/main.yml
+++ b/config/automatrop/roles/gnupg/tasks/main.yml
@ -0,0 +1,51 @@
+- name: Create GnuPG directory
+  file:
+    path: "{{ gnupghome }}"
+    state: directory
+    mode: "u=rwx"
+
+- name: Create GnuPG configuration files
+  file:
+    path: "{{ gnupghome }}/{{ item }}"
+    state: file
+    mode: "u=rw,g=r,o=r"
+  loop:
+    - gpg-agent.conf
+    - gpg.conf
+
+- name: Configure GnuPG
+  lineinfile:
+    path: "{{ gnupghome }}/gpg.conf"
+    regex: "^#?\\s*{{ item.key }}\\s"
+    line: "{{ item.key }}{% if item.value is defined %} {{ item.value }}{% endif %}"
+  loop:
+    # Remove fluff
+    - key: no-greeting
+    - key: no-emit-version
+    - key: no-comments
+    # Output format that I prefer
+    - key: keyid-format
+      value: 0xlong
+    # Show fingerprints
+    - key: with-fingerprint
+    # Make sure to show if key is invalid
+    # (should be default on most platform,
+    # but just to be sure)
+    - key: list-options
+      value: show-uid-validity
+    - key: verify-options
+      value: show-uid-validity
+    # Stronger algorithm (https://wiki.archlinux.org/title/GnuPG#Different_algorithm)
+    - key: personal-digest-preferences
+      value: SHA512
+    - key: cert-digest-algo
+      value: SHA512
+    - key: default-preference-list
+      value: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+    - key: personal-cipher-preferences
+      value: TWOFISH CAMELLIA256 AES 3DES
+# TODO Set default-key in extensions depending on which ones are available
+# TODO Add enable-ssh-support to gpg-agent.conf in extensions to signal shenv that we should not use the SSH agent
+
+# TODO Import 0x8312C8CAC1BAC289 with https://github.com/netson/ansible-gpg-key,
+# think about the source
--- a/config/automatrop/roles/gnupg/vars/main.yml
+++ b/config/automatrop/roles/gnupg/vars/main.yml
@ -0,0 +1 @@
+gnupghome: "{{ ansible_user_dir }}/.config/gnupg"
--- a/config/automatrop/roles/software/templates/snippets/pm_terminal_essentials.j2
+++ b/config/automatrop/roles/software/templates/snippets/pm_terminal_essentials.j2
@ -3,6 +3,7 @@ man
 visidata
 insect
 translate-shell
+gnupg
 {# Editor #}
 {% if termux %}
 nvim
--- a/config/shell/shenv
+++ b/config/shell/shenv
@ -108,6 +108,7 @@ prependpath "$HOME/.config/scripts"

 # SSH Agent

+
 # If GPG agent is configured for SSH
 if grep -q ^enable-ssh-support$ $GNUPGHOME/gpg-agent.conf 2> /dev/null
 then
@ -138,3 +139,6 @@ else
        start_agent
    fi
 fi
+
+# TODO Service sytem that works without systemd,
+# and can stop processes on logout
--- a/config/vim/pluginlist.vim
+++ b/config/vim/pluginlist.vim
@ -19,6 +19,7 @@ call plug#begin('~/.cache/vim/plugged')
 Plug 'chriskempson/base16-vim'
 Plug 'tpope/vim-surround'
 Plug 'tpope/vim-fugitive'
+Plug 'shumphrey/fugitive-gitlab.vim'
 " Plug 'tpope/vim-repeat'

 " Regex for words, with case in mind
				`@ -0,0 +1 @@`
				`gnupghome: "{{ ansible_user_dir }}/.config/gnupg"`