GnuPG: install my key

Tried something fancy with ansible-galaxy but meh

.gitmodules

@@ -4,3 +4,6 @@
 [submodule "config/automatrop/plugins/modules/aur"]
 	path = config/automatrop/plugins/modules/aur
 	url = https://github.com/kewlfft/ansible-aur.git
+[submodule "config/automatrop/plugins/modules/gpg_key"]
+	path = config/automatrop/plugins/modules/gpg_key
+	url = https://github.com/netson/ansible-gpg-key.git

config/automatrop/ansible.cfg

@@ -6,3 +6,4 @@ library=plugins/modules
 
 [ssh_connection]
 pipelining = True # does not work with requiretty in /etc/sudoers
+ssh_args=-o ForwardAgent=yes # no need for installing/configuring/unlocking SSH/GPG keys on the host to be able to git clone extensions

config/automatrop/playbooks/default.yml

@@ -16,6 +16,8 @@
       when: encrypt_home_stacked_fs
     - role: dotfiles
       tags: dotfiles
+    - role: gnupg
+      tags: gnupg
     - role: mnussbaum.base16-builder-ansible # Required for desktop_environment
       tags:
         - color

config/automatrop/plugins/modules/gpg_key

@@ -0,0 +1 @@
+Subproject commit 435f8e6aea0ba9be482c4409db380868a23fea9c

config/automatrop/roles/dotfiles/handlers/main.yml

@@ -1,2 +1,3 @@
 - name: install dotfiles
   command: "{{ ansible_user_dir }}/.dotfiles/config/scripts/dotfiles install"
+# TODO A python module to do that, so without an handler

config/automatrop/roles/dotfiles/tasks/main.yml

@@ -16,6 +16,7 @@
     dest: "{{ ansible_user_dir }}/.dotfiles"
     update: "{{ not has_forge_access }}"
   notify: install dotfiles
+# TODO Put actual dotfiles in a subdirectory of the repo, so we don't have to put everything in config
 
 - name: Register as Ansible collection
   file:

config/automatrop/roles/extensions/tasks/main.yml

@@ -1,6 +1,8 @@
-- include_role:
+- name: Load extensions
+  include_role:
     name: "geoffreyfrogeye.{{ item }}automatrop.entry"
   loop: "{{ extensions }}"
+  tags: always
 
 - name: Configure extensions rc sourcing
   template:

config/automatrop/roles/gnupg/tasks/main.yml

@@ -0,0 +1,52 @@
+- name: Create GnuPG directory
+  file:
+    path: "{{ gnupghome }}"
+    state: directory
+    mode: "u=rwx"
+
+- name: Create GnuPG configuration files
+  file:
+    path: "{{ gnupghome }}/{{ item }}"
+    state: file
+    mode: "u=rw,g=r,o=r"
+  loop:
+    - gpg-agent.conf
+    - gpg.conf
+
+- name: Configure GnuPG
+  lineinfile:
+    path: "{{ gnupghome }}/gpg.conf"
+    regex: "^#?\\s*{{ item.key }}\\s"
+    line: "{{ item.key }}{% if item.value is defined %} {{ item.value }}{% endif %}"
+  loop:
+    # Remove fluff
+    - key: no-greeting
+    - key: no-emit-version
+    - key: no-comments
+    # Output format that I prefer
+    - key: keyid-format
+      value: 0xlong
+    # Show fingerprints
+    - key: with-fingerprint
+    # Make sure to show if key is invalid
+    # (should be default on most platform,
+    # but just to be sure)
+    - key: list-options
+      value: show-uid-validity
+    - key: verify-options
+      value: show-uid-validity
+    # Stronger algorithm (https://wiki.archlinux.org/title/GnuPG#Different_algorithm)
+    - key: personal-digest-preferences
+      value: SHA512
+    - key: cert-digest-algo
+      value: SHA512
+    - key: default-preference-list
+      value: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+    - key: personal-cipher-preferences
+      value: TWOFISH CAMELLIA256 AES 3DES
+# TODO Set default-key in extensions depending on which ones are available
+# TODO Add enable-ssh-support to gpg-agent.conf in extensions to signal shenv that we should not use the SSH agent
+
+- name: Install Geoffrey Frogeye's key
+  gpg_key:
+    fpr: 4FBA930D314A03215E2CDB0A8312C8CAC1BAC289

config/automatrop/roles/gnupg/vars/main.yml

@@ -0,0 +1 @@
+gnupghome: "{{ ansible_user_dir }}/.config/gnupg"

config/automatrop/roles/software/templates/snippets/pm_system.j2

@@ -1,5 +1,5 @@
 etckeeper
-{% if has_batttery %}
+{% if has_battery %}
 tlp
 {% endif %}
 dhcpcd
@@ -8,3 +8,9 @@ chrony
 {% if encrypt_home_stacked_fs %}
 ecryptfs-utils
 {% endif %}
+kexec-tools
+openvpn
+{% if arch_based %}
+openvpn-update-resolv-conf-git
+{# TODO Other distributions #}
+{% endif %}

config/automatrop/roles/software/templates/snippets/pm_terminal_essentials.j2

@@ -3,6 +3,7 @@ man
 visidata
 insect
 translate-shell
+gnupg
 {# Editor #}
 {% if termux %}
 nvim

config/automatrop/roles/system/files/openvpn-client.service

@@ -0,0 +1,11 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf
+# The part before --script-security 2 might need upgrading from
+# /usr/lib/systemd/system/openvpn-client@.service if it was upgraded
+Restart=on-failure
+User=
+AmbiantCapabilities=
+# It's not pretty, but other script only work with systemd or call resolvconf with -p,
+# which doesn't work without a local DNS resolver
+# TODO Local DNS resolver sounds nice anyway

config/automatrop/roles/system/tasks/main.yml

@@ -65,6 +65,27 @@
   become: yes
   when: extlinux.stat.exists
 
+- name: Remove bootsplash packages (Arch based)
+  pacman:
+    name:
+      - bootsplash-systemd
+      - bootsplash-theme-manjaro
+    state: absent
+  become: yes
+  when: arch_based
+
+
+# Display Manager
+
+- name: Remove display manager packages (Arch based)
+  pacman:
+    name:
+      - sddm
+      - sddm-breath2-theme
+    state: absent
+  become: yes
+  when: arch_based
+
 # Xorg configuration
 
 - name: Check if there is nvidia-xrun is installed
@@ -262,6 +283,15 @@
   notify:
     - wifi setup changed
 
+- name: Mask systemd-networkd
+  systemd:
+    name: systemd-networkd
+    state: stopped
+    enabled: no
+    masked: yes
+  become: yes
+  notify: etc changed
+
 # Time synchronisation
 
 - name: Mask systemd-timesyncd
@@ -272,7 +302,6 @@
     masked: yes
   become: yes
   notify: etc changed
-  when: arch_based
 
 - name: Configure chrony
   copy:
@@ -309,8 +338,28 @@
   notify:
     - etc changed
 
+# VPN configuration
+
+- name: Prepare directory for openvpn-client service override
+  file:
+    path: /etc/systemd/system/openvpn-client@.service.d
+    state: directory
+    mode: "u=rwx,g=rx,o=rx"
+  become: yes
+
+- name: Make openvpn use hooks for resolvconf
+  copy:
+    src: openvpn-client.service
+    dest: /etc/systemd/system/openvpn-client@.service.d/override.conf
+  become: yes
+  notify:
+    - etc changed
+    - systemd changed
+
 # TODO Hibernation, if that's relevant
 # $ sudo blkid | grep 'TYPE="swap"'
 # $ sudoedit /etc/default/grub
 # Add resume=UUID=<UUID-of-swap-partition> to GRUB_CMDLINE_LINUX_DEFAULT
 # $ sudo grub-mkconfig -o /boot/grub/grub.cfg
+
+# TODO udevil

config/shell/shenv

@@ -108,6 +108,7 @@ prependpath "$HOME/.config/scripts"
 
 # SSH Agent
 
+
 # If GPG agent is configured for SSH
 if grep -q ^enable-ssh-support$ $GNUPGHOME/gpg-agent.conf 2> /dev/null
 then
@@ -138,3 +139,6 @@ else
         start_agent
     fi
 fi
+
+# TODO Service sytem that works without systemd,
+# and can stop processes on logout

config/shell/shrc

@@ -101,7 +101,10 @@ unset _i_prefer
 # Needed because xterm/urxvt won't use the last color, needed for vim
 
 ## GPG
-# Update TTY
+# Makes the last open terminal the ones that receives the pinentry message (if
+# not run from a terminal with DESKTOP)
+# TODO Only run if gpg-agent is started?
+# TODO Make a command out of this for easy management (and maybe remove the below)
 export GPG_TTY=$(tty)
 gpg-connect-agent updatestartuptty /bye >/dev/null
 

config/vim/pluginlist.vim

@@ -19,6 +19,7 @@ call plug#begin('~/.cache/vim/plugged')
 Plug 'chriskempson/base16-vim'
 Plug 'tpope/vim-surround'
 Plug 'tpope/vim-fugitive'
+Plug 'shumphrey/fugitive-gitlab.vim'
 " Plug 'tpope/vim-repeat'
 
 " Regex for words, with case in mind