[Git][reproducible-builds/debian-rebuilder-setup][ansible] Automatically generate gpg key

kpcyrd gitlab at salsa.debian.org
Mon Nov 5 18:39:50 CET 2018


kpcyrd pushed to branch ansible at Reproducible Builds / debian-rebuilder-setup


Commits:
a70d2eea by kpcyrd at 2018-11-05T17:40:33Z
Automatically generate gpg key

- - - - -


7 changed files:

- external_vars.yml
- playbook.yml
- requirements.yml
- roles/builders/tasks/main.yml
- + roles/gpg/defaults/main.yml
- + roles/gpg/tasks/main.yml
- + roles/gpg/templates/gpg-keygen.j2


Changes:

=====================================
external_vars.yml
=====================================
@@ -1,5 +1,5 @@
 ---
-build_gpg_user: foo
+build_gpg_user: root
 build_gpg_realname: "foo bar"
 build_gpg_email: "foo at localhost"
 main_template_enable: true


=====================================
playbook.yml
=====================================
@@ -15,7 +15,7 @@
   roles:
   - builders
   # The gpgkey generation role had to be disabled because it was taking a lot of time. I'm not sure we are supposed to do this.
-  # - { role: juju4.gpgkey_generate, gpg_user: "{{ build_gpg_user }}", gpg_realname: "{{ build_gpg_realname }}", gpg_useremail: "{{ build_gpg_email }}" , gpg_generator_user: "root" }
+  - { role: gpg, gpg_user: "{{ build_gpg_user }}", gpg_realname: "{{ build_gpg_realname }}", gpg_useremail: "{{ build_gpg_email }}" , gpg_generator_user: "root", gpg_home: "/root" }
 
 - name: Setup Scheduler
   hosts: schedulers
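Review bot: The comment two lines above the new role entry still says the gpgkey generation role had to be disabled, which no longer describes the now-enabled `gpg` role; drop it or replace it with `# Generates an unattended signing key for .buildinfo files (see roles/gpg)`. The entry also passes `gpg_user`, `gpg_realname` and `gpg_useremail`, but the new role's template only substitutes `ansible_hostname` and emits no Name-Email line, so those parameters (and `build_gpg_realname`/`build_gpg_email` in external_vars.yml, plus the matching defaults in roles/gpg/defaults/main.yml) are currently dead — either consume them in gpg-keygen.j2 (`Name-Real: {{ gpg_realname }}` and `Name-Email: {{ gpg_useremail }}`) or drop them. Writing the role entry in block style instead of a one-line flow mapping would also make individual parameters easier to review and diff. The play that owns this roles list starts before the hunk.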


=====================================
requirements.yml
=====================================
@@ -1,3 +1 @@
-- src: juju4.gpgkey_generate
-
 - src: nginxinc.nginx


=====================================
roles/builders/tasks/main.yml
=====================================
@@ -8,6 +8,7 @@
     - gnupg2
     - curl
     - python-pip
+    - haveged
 
 - name: Install in-toto
   pip:


=====================================
roles/gpg/defaults/main.yml
=====================================
@@ -0,0 +1,11 @@
+---
+#gpg_generator_user: "{{ ansible_ssh_user }}"
+gpg_generator_user: "myuser"
+## Note: gpg_home is the path of user generating keys, it could be gpg_user or different.
+##	it's both keys destination and home path for .gnupg dir
+gpg_home: "/home/{{ gpg_generator_user }}"
+
+gpg_user: "{{ ansible_ssh_user }}"
+gpg_realname: "GPG Ansible user"
+#gpg_userhome:
+gpg_useremail: "{{ gpg_user }}@localhost"
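Review bot: The `gpg_home` default `/home/{{ gpg_generator_user }}` does not hold for the one value this commit actually uses — with `gpg_generator_user: "root"` it yields `/home/root`, which is why playbook.yml has to pass `gpg_home: "/root"` explicitly; either document that callers must override it, e.g. `# gpg_home must be overridden when the generator user's home is not under /home`, or resolve the home directory in a task instead of guessing it. The second comment line under `## Note:` is indented with a tab character; plain spaces keep the file tab-free for yamllint and editors that render tabs differently.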


=====================================
roles/gpg/tasks/main.yml
=====================================
@@ -0,0 +1,11 @@
+- name: Copy gpg keygen config
+  template:
+    src: gpg-keygen.j2
+    dest: "{{ gpg_home }}/gpg-keygen"
+
+- name: Generate gpg key
+  shell: "gpg --no-tty --batch --gen-key < ~/gpg-keygen"
+  args:
+    creates: "{{ gpg_home }}/.gnupg/pubring.kbx"
+  become: yes
+  become_user: "{{ gpg_generator_user }}"
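Review bot: The two tasks disagree on where the keygen file lives and who owns it: the template task runs as the connecting user with no `become`, `owner` or `mode`, so unless that user already is `gpg_generator_user` the write to `{{ gpg_home }}` may fail or leave the file owned by the wrong account, while the shell task reads `~/gpg-keygen` — the become user's home, not `{{ gpg_home }}` — so the two only line up when `gpg_home` happens to equal that home. Run both tasks under the same `become_user`, write the file with a restrictive `mode`, and reference `{{ gpg_home }}/gpg-keygen` in both places; `become: yes` should also be the canonical `become: true`. The `creates:` guard assumes a GnuPG 2.1+ keybox (`pubring.kbx`); on a host whose `gnupg2` still writes `pubring.gpg` the generation would re-run on every play, so confirm the GnuPG version shipped by the targeted release.
```yaml
- name: Copy gpg keygen config
  template:
    src: gpg-keygen.j2
    dest: "{{ gpg_home }}/gpg-keygen"
    owner: "{{ gpg_generator_user }}"
    mode: "0600"
  become: true
  become_user: "{{ gpg_generator_user }}"

- name: Generate gpg key
  shell: "gpg --no-tty --batch --gen-key < {{ gpg_home }}/gpg-keygen"
  args:
    creates: "{{ gpg_home }}/.gnupg/pubring.kbx"
  become: true
  become_user: "{{ gpg_generator_user }}"
```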


=====================================
roles/gpg/templates/gpg-keygen.j2
=====================================
@@ -0,0 +1,9 @@
+Key-Type: RSA
+Key-Length: 4096
+Key-Usage: sign
+Name-Real: {{ ansible_hostname }}
+Name-Comment: Automatically generated key for signing .buildinfo files
+Expire-Date: 0
+%no-ask-passphrase
+%no-protection
+%commit
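Review bot: `Expire-Date: 0` together with `%no-protection` produces a non-expiring signing key whose private half is protected only by the filesystem permissions on `{{ gpg_home }}/.gnupg`, and the role sets none of its own; if that is the intended trade-off for unattended .buildinfo signing, state it at the top of the file with a Jinja comment that gpg never sees, e.g. `{# Unattended key: no passphrase, no expiry; relies on gpg_home permissions and host access control #}`. Making the expiry a role variable (e.g. `Expire-Date: {{ gpg_expire_date | default('0') }}`, a new default to add in roles/gpg/defaults/main.yml) would let deployments rotate the key without editing the template. The only UID is the bare `ansible_hostname`, so the `Name-Comment` text is currently the sole hint of the key's purpose to anyone verifying a signature.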


