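# Tasks that prepare a GnuPG home directory and its configuration.
# `gnupghome` is expected to be defined by the caller (role defaults/vars).

- name: Create GnuPG directory
  file:
    path: "{{ gnupghome }}"
    state: directory
    # GnuPG expects its homedir to be private to the owner (it warns about
    # "unsafe permissions on homedir" otherwise).  A symbolic mode only
    # changes the classes it names, so a bare `u=rwx` would leave the
    # umask-derived group/other bits of a freshly created directory in place;
    # clear them explicitly (equivalent to 0700).
    mode: "u=rwx,g=,o="

- name: Create GnuPG configuration files
  file:
    path: "{{ gnupghome }}/{{ item }}"
    # `state: file` only adjusts attributes of an existing path and fails
    # when the file is missing; `touch` creates it when absent.
    state: touch
    # Keep timestamps so that re-runs do not report a change on every play.
    access_time: preserve
    modification_time: preserve
    # Not secret, but must not be group/other-writable: GnuPG warns about
    # unsafe permissions on its configuration files.
    mode: "u=rw,g=r,o=r"
  loop:
    - gpg-agent.conf
    - gpg.conf

- name: Configure GnuPG
  lineinfile:
    path: "{{ gnupghome }}/gpg.conf"
    # Match the option whether it is active or commented out, so an existing
    # line is replaced rather than duplicated.  `(\s|$)` instead of `\s`
    # also matches a value-less option on the last line of a file that has
    # no trailing newline, which would otherwise be appended again on each
    # run (lineinfile only de-duplicates via the regex).
    regex: "^#?\\s*{{ item.key }}(\\s|$)"
    # Options without a value are written as the bare key.
    line: "{{ item.key }}{% if item.value is defined %} {{ item.value }}{% endif %}"
  loop:
    # Remove fluff
    - key: no-greeting
    - key: no-emit-version
    - key: no-comments
    # Output format that I prefer
    - key: keyid-format
      value: 0xlong
    # Show fingerprints
    - key: with-fingerprint
    # Make sure to show if key is invalid
    # (should be default on most platforms,
    # but just to be sure)
    - key: list-options
      value: show-uid-validity
    - key: verify-options
      value: show-uid-validity
    # Stronger algorithm (https://wiki.archlinux.org/title/GnuPG#Different_algorithm)
    - key: personal-digest-preferences
      value: SHA512
    - key: cert-digest-algo
      value: SHA512
    # Ordered strongest-first; the trailing legacy entries (CAST5, ZIP,
    # Uncompressed) are kept for interoperability with older recipients.
    - key: default-preference-list
      value: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
    - key: personal-cipher-preferences
      value: TWOFISH CAMELLIA256 AES 3DES

# TODO Set default-key in extensions depending on which ones are available
# TODO Add enable-ssh-support to gpg-agent.conf in extensions to signal shenv that we should not use the SSH agent
# TODO Import 0x8312C8CAC1BAC289 with https://github.com/netson/ansible-gpg-key,
# think about the source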