[Git][reproducible-builds/debian-rebuilder-setup][ansible] Automatically generate gpg key
kpcyrd
gitlab at salsa.debian.org
Mon Nov 5 18:39:50 CET 2018
kpcyrd pushed to branch ansible at Reproducible Builds / debian-rebuilder-setup
Commits:
a70d2eea by kpcyrd at 2018-11-05T17:40:33Z
Automatically generate gpg key
- - - - -
7 changed files:
- external_vars.yml
- playbook.yml
- requirements.yml
- roles/builders/tasks/main.yml
- + roles/gpg/defaults/main.yml
- + roles/gpg/tasks/main.yml
- + roles/gpg/templates/gpg-keygen.j2
Changes:
=====================================
external_vars.yml
=====================================
@@ -1,5 +1,5 @@
---
-build_gpg_user: foo
+build_gpg_user: root
build_gpg_realname: "foo bar"
build_gpg_email: "foo at localhost"
main_template_enable: true
=====================================
playbook.yml
=====================================
@@ -15,7 +15,7 @@
roles:
- builders
# The gpgkey generation role had to be disabled because it was taking a lot of time. I'm not sure we are supposed to do this.
- # - { role: juju4.gpgkey_generate, gpg_user: "{{ build_gpg_user }}", gpg_realname: "{{ build_gpg_realname }}", gpg_useremail: "{{ build_gpg_email }}" , gpg_generator_user: "root" }
+ - { role: gpg, gpg_user: "{{ build_gpg_user }}", gpg_realname: "{{ build_gpg_realname }}", gpg_useremail: "{{ build_gpg_email }}" , gpg_generator_user: "root", gpg_home: "/root" }
- name: Setup Scheduler
hosts: schedulers
=====================================
requirements.yml
=====================================
@@ -1,3 +1 @@
-- src: juju4.gpgkey_generate
-
- src: nginxinc.nginx
=====================================
roles/builders/tasks/main.yml
=====================================
@@ -8,6 +8,7 @@
- gnupg2
- curl
- python-pip
+ - haveged
- name: Install in-toto
pip:
=====================================
roles/gpg/defaults/main.yml
=====================================
@@ -0,0 +1,11 @@
+---
+#gpg_generator_user: "{{ ansible_ssh_user }}"
+gpg_generator_user: "myuser"
+## Note: gpg_home is the path of user generating keys, it could be gpg_user or different.
+## it's both keys destination and home path for .gnupg dir
+gpg_home: "/home/{{ gpg_generator_user }}"
+
+gpg_user: "{{ ansible_ssh_user }}"
+gpg_realname: "GPG Ansible user"
+#gpg_userhome:
+gpg_useremail: "{{ gpg_user }}@localhost"
=====================================
roles/gpg/tasks/main.yml
=====================================
@@ -0,0 +1,11 @@
+- name: Copy gpg keygen config
+ template:
+ src: gpg-keygen.j2
+ dest: "{{ gpg_home }}/gpg-keygen"
+
+- name: Generate gpg key
+ shell: "gpg --no-tty --batch --gen-key < ~/gpg-keygen"
+ args:
+ creates: "{{ gpg_home }}/.gnupg/pubring.kbx"
+ become: yes
+ become_user: "{{ gpg_generator_user }}"
=====================================
roles/gpg/templates/gpg-keygen.j2
=====================================
@@ -0,0 +1,9 @@
+Key-Type: RSA
+Key-Length: 4096
+Key-Usage: sign
+Name-Real: {{ ansible_hostname }}
+Name-Comment: Automatically generated key for signing .buildinfo files
+Expire-Date: 0
+%no-ask-passphrase
+%no-protection
+%commit
View it on GitLab: https://salsa.debian.org/reproducible-builds/debian-rebuilder-setup/commit/a70d2eea24e2729d2611b38be701e31338974d12
--
View it on GitLab: https://salsa.debian.org/reproducible-builds/debian-rebuilder-setup/commit/a70d2eea24e2729d2611b38be701e31338974d12
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20181105/4664bbe7/attachment.html>
More information about the rb-commits
mailing list