proxy_role/tasks/dirmngr.yml

# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-

---

- name: "DEBUG: proxy dirmngr.yml"
  debug:
    verbosity: 1
    msg: "DEBUG: Including proxy dirmngr.yml"

- name: /etc/gnupg/
  shell: |
   [ -d "/etc/gnupg" ] || mkdir -p "{{USR_LOCAL}}/etc/gnupg"


- name: /etc/dirmngr/dirmngr.conf
  lineinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    insertbefore: BOF
    mode:  0755
    owner: "{{BOX_ROOT_USER}}"
    group: "{{BOX_ROOT_GROUP}}"
    create: yes
    regexp: "# -.- mode: conf; tab-width: 0; coding: utf-8-unix -.-"
    line: "# -*- mode: conf; tab-width: 0; coding: utf-8-unix -*-"
  when:
    - not ansible_check_mode
  # FixMe:
  ignore_errors: true

- name: /etc/gnupg/gpgconf.conf
  lineinfile:
    dest: "/etc/gnupg/gpgconf.conf"
    # insertbefore: BOF
    mode:  0755
    owner: "{{BOX_ROOT_USER}}"
    group: "{{BOX_ROOT_GROUP}}"
    create: yes
    state: "{{item.state}}"
    regexp: "^#*{{item.key}} .*"
    line: "{{item.key}} {{item.val}}"
  when:
    - not ansible_check_mode
  with_items:
    - key: keyserver-options
      val: no-try-dns-srv
      # Debian! gpg: keyserver option 'no-try-dns-srv' is unknown
      # gentoo unknown - dirmngr ?
      state: absent
    - key: debug-level
      val: "4"
      # not on gentoo
      state: "{{ 'present' if ansible_distribution != 'Gentoo' else 'absent' }}"
#    - key: connect-timeout
#      val: "20"
#      value: ""
#      state: present


- name: /etc/dirmngr/dirmngr.conf
  blockinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    create: false
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml head"
    block: |
      verbose
      debug-all
      standard-resolver
      disable-ldap
  when:
    - not ansible_check_mode

- name: /etc/dirmngr/dirmngr.conf
  blockinfile:
    dest: /etc/dirmngr/dirmngr.conf
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml ipv6"
    block: |
      disable-ipv6
  when:
    - not ansible_check_mode
    - BASE_IPV6_DISABLE == 1

- name: /etc/dirmngr/dirmngr.conf
  blockinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    create: false
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml head"
    block: |
      {% for elt in PROXY_GNUPG_SERVERS %}
      keyserver hkp://{{ elt }}
      {% endfor %}
      {% for elt in PROXY_GNUPG_CERTS %}
      hkp-cacert {{ elt }}
      {% endfor %}
  when:
    - not ansible_check_mode


- name: /var/log/dirmngr.log
  shell: |
    [ -f /var/log/dirmngr.log ] || touch /var/log/dirmngr.log
    chown root /var/log/dirmngr.log
  args:
    creates: /var/log/dirmngr.log

- name: /etc/dirmngr/dirmngr.conf.tor
  shell: |
    [ -e /etc/dirmngr/dirmngr.conf.tor ] || \
      cp -p /etc/dirmngr/dirmngr.conf /etc/dirmngr/dirmngr.conf.tor
  when:
    - PROXY_MODE == 'tor'

- name: /etc/dirmngr/dirmngr.conf use-tor
  blockinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK tor"
    block: |
      use-tor
      # https://keys.openpgp.org/about/usage
      keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion

  when:
    - not ansible_check_mode
    - PROXY_MODE == 'tor'

- name: /etc/dirmngr/dirmngr.conf.whonix
  shell: |
    [ -e /etc/dirmngr/dirmngr.conf.whonix ] || \
      cp -p /etc/dirmngr/dirmngr.conf /etc/dirmngr/dirmngr.conf.whonix
  when:
    - PROXY_MODE == 'whonix'

# This is not enough:
- name: /usr/bin/dirmngr.bin
  # FixMe: blockinfile
  shell: |
    # /usr/bin/dirmngr.bin --dump-options >> /tmp/$$.out
    [ -d /etc/dirmngr ] || mkdir /etc/dirmngr
    [ -f /etc/dirmngr/dirmngr.conf ] || touch /etc/dirmngr/dirmngr.conf
    grep -q disable-ipv6 /etc/dirmngr/dirmngr.conf ] || \
      echo disable-ipv6 >> /etc/dirmngr/dirmngr.conf
  args:
    creates: /etc/dirmngr/dirmngr.conf
  when:
    - not ansible_check_mode
    - BASE_IPV6_DISABLE == 1

- block:

  - name: /usr/bin/dirmngr.bin
    shell: |
      [ -f /usr/local/bin/proxy_dirmngr.bash ] || exit 1

      # This is recent
      cd /usr/bin/
      if [ ! -f dirmngr.bin ] ; then
          mv dirmngr dirmngr.bin
        elif file dirmngr | grep -q ELF ; then
          mv dirmngr dirmngr.bin
        fi

      [ -h dirmngr ] || ln -s /usr/local/bin/proxy_dirmngr.bash dirmngr

      chmod 755 dirmngr /usr/local/bin/proxy_dirmngr.bash
      [ -x /usr/local/bin/proxy_dirmngr.bash ] || exit 2

  when:
    # the --keyserver may be required even with ipv6
    - true or BASE_IPV6_DISABLE == 1
    - not ansible_check_mode
second 2024-01-06 03:08:22 +00:00			`# -- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix --`

			`---`

			`- name: "DEBUG: proxy dirmngr.yml"`
			`debug:`
			`verbosity: 1`
			`msg: "DEBUG: Including proxy dirmngr.yml"`

			`- name: /etc/gnupg/`
			`shell: \|`
			`[ -d "/etc/gnupg" ] \|\| mkdir -p "{{USR_LOCAL}}/etc/gnupg"`


			`- name: /etc/dirmngr/dirmngr.conf`
			`lineinfile:`
			`dest: "/etc/dirmngr/dirmngr.conf"`
			`insertbefore: BOF`
			`mode: 0755`
			`owner: "{{BOX_ROOT_USER}}"`
			`group: "{{BOX_ROOT_GROUP}}"`
			`create: yes`
			`regexp: "# -.- mode: conf; tab-width: 0; coding: utf-8-unix -.-"`
			`line: "# -- mode: conf; tab-width: 0; coding: utf-8-unix --"`
			`when:`
			`- not ansible_check_mode`
			`# FixMe:`
			`ignore_errors: true`

			`- name: /etc/gnupg/gpgconf.conf`
			`lineinfile:`
			`dest: "/etc/gnupg/gpgconf.conf"`
			`# insertbefore: BOF`
			`mode: 0755`
			`owner: "{{BOX_ROOT_USER}}"`
			`group: "{{BOX_ROOT_GROUP}}"`
			`create: yes`
			`state: "{{item.state}}"`
			`regexp: "^#{{item.key}} ."`
			`line: "{{item.key}} {{item.val}}"`
			`when:`
			`- not ansible_check_mode`
			`with_items:`
			`- key: keyserver-options`
			`val: no-try-dns-srv`
			`# Debian! gpg: keyserver option 'no-try-dns-srv' is unknown`
			`# gentoo unknown - dirmngr ?`
			`state: absent`
			`- key: debug-level`
			`val: "4"`
			`# not on gentoo`
			`state: "{{ 'present' if ansible_distribution != 'Gentoo' else 'absent' }}"`
			`# - key: connect-timeout`
			`# val: "20"`
			`# value: ""`
			`# state: present`


			`- name: /etc/dirmngr/dirmngr.conf`
			`blockinfile:`
			`dest: "/etc/dirmngr/dirmngr.conf"`
			`create: false`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml head"`
			`block: \|`
			`verbose`
			`debug-all`
			`standard-resolver`
			`disable-ldap`
			`when:`
			`- not ansible_check_mode`

			`- name: /etc/dirmngr/dirmngr.conf`
			`blockinfile:`
			`dest: /etc/dirmngr/dirmngr.conf`
			`create: true`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml ipv6"`
			`block: \|`
			`disable-ipv6`
			`when:`
			`- not ansible_check_mode`
			`- BASE_IPV6_DISABLE == 1`

			`- name: /etc/dirmngr/dirmngr.conf`
			`blockinfile:`
			`dest: "/etc/dirmngr/dirmngr.conf"`
			`create: false`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml head"`
			`block: \|`
			`{% for elt in PROXY_GNUPG_SERVERS %}`
			`keyserver hkp://{{ elt }}`
			`{% endfor %}`
			`{% for elt in PROXY_GNUPG_CERTS %}`
			`hkp-cacert {{ elt }}`
			`{% endfor %}`
			`when:`
			`- not ansible_check_mode`


			`- name: /var/log/dirmngr.log`
			`shell: \|`
			`[ -f /var/log/dirmngr.log ] \|\| touch /var/log/dirmngr.log`
			`chown root /var/log/dirmngr.log`
			`args:`
			`creates: /var/log/dirmngr.log`

			`- name: /etc/dirmngr/dirmngr.conf.tor`
			`shell: \|`
			`[ -e /etc/dirmngr/dirmngr.conf.tor ] \|\| \`
			`cp -p /etc/dirmngr/dirmngr.conf /etc/dirmngr/dirmngr.conf.tor`
			`when:`
			`- PROXY_MODE == 'tor'`

			`- name: /etc/dirmngr/dirmngr.conf use-tor`
			`blockinfile:`
			`dest: "/etc/dirmngr/dirmngr.conf"`
			`create: true`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK tor"`
			`block: \|`
			`use-tor`
			`# https://keys.openpgp.org/about/usage`
			`keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion`

			`when:`
			`- not ansible_check_mode`
			`- PROXY_MODE == 'tor'`

			`- name: /etc/dirmngr/dirmngr.conf.whonix`
			`shell: \|`
			`[ -e /etc/dirmngr/dirmngr.conf.whonix ] \|\| \`
			`cp -p /etc/dirmngr/dirmngr.conf /etc/dirmngr/dirmngr.conf.whonix`
			`when:`
			`- PROXY_MODE == 'whonix'`

			`# This is not enough:`
			`- name: /usr/bin/dirmngr.bin`
			`# FixMe: blockinfile`
			`shell: \|`
			`# /usr/bin/dirmngr.bin --dump-options >> /tmp/$$.out`
			`[ -d /etc/dirmngr ] \|\| mkdir /etc/dirmngr`
			`[ -f /etc/dirmngr/dirmngr.conf ] \|\| touch /etc/dirmngr/dirmngr.conf`
			`grep -q disable-ipv6 /etc/dirmngr/dirmngr.conf ] \|\| \`
			`echo disable-ipv6 >> /etc/dirmngr/dirmngr.conf`
			`args:`
			`creates: /etc/dirmngr/dirmngr.conf`
			`when:`
			`- not ansible_check_mode`
			`- BASE_IPV6_DISABLE == 1`

			`- block:`

			`- name: /usr/bin/dirmngr.bin`
			`shell: \|`
			`[ -f /usr/local/bin/proxy_dirmngr.bash ] \|\| exit 1`

			`# This is recent`
			`cd /usr/bin/`
			`if [ ! -f dirmngr.bin ] ; then`
			`mv dirmngr dirmngr.bin`
			`elif file dirmngr \| grep -q ELF ; then`
			`mv dirmngr dirmngr.bin`
			`fi`

			`[ -h dirmngr ] \|\| ln -s /usr/local/bin/proxy_dirmngr.bash dirmngr`

			`chmod 755 dirmngr /usr/local/bin/proxy_dirmngr.bash`
			`[ -x /usr/local/bin/proxy_dirmngr.bash ] \|\| exit 2`

			`when:`
			`# the --keyserver may be required even with ipv6`
			`- true or BASE_IPV6_DISABLE == 1`
			`- not ansible_check_mode`