proxy_role/tasks/dirmngr.yml
2024-01-06 03:08:22 +00:00

173 lines
4.4 KiB
YAML

# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: proxy dirmngr.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy dirmngr.yml"
- name: /etc/gnupg/
shell: |
[ -d "/etc/gnupg" ] || mkdir -p "{{USR_LOCAL}}/etc/gnupg"
- name: /etc/dirmngr/dirmngr.conf
lineinfile:
dest: "/etc/dirmngr/dirmngr.conf"
insertbefore: BOF
mode: 0755
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
regexp: "# -.- mode: conf; tab-width: 0; coding: utf-8-unix -.-"
line: "# -*- mode: conf; tab-width: 0; coding: utf-8-unix -*-"
when:
- not ansible_check_mode
# FixMe:
ignore_errors: true
- name: /etc/gnupg/gpgconf.conf
lineinfile:
dest: "/etc/gnupg/gpgconf.conf"
# insertbefore: BOF
mode: 0755
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
state: "{{item.state}}"
regexp: "^#*{{item.key}} .*"
line: "{{item.key}} {{item.val}}"
when:
- not ansible_check_mode
with_items:
- key: keyserver-options
val: no-try-dns-srv
# Debian! gpg: keyserver option 'no-try-dns-srv' is unknown
# gentoo unknown - dirmngr ?
state: absent
- key: debug-level
val: "4"
# not on gentoo
state: "{{ 'present' if ansible_distribution != 'Gentoo' else 'absent' }}"
# - key: connect-timeout
# val: "20"
# value: ""
# state: present
- name: /etc/dirmngr/dirmngr.conf
blockinfile:
dest: "/etc/dirmngr/dirmngr.conf"
create: false
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml head"
block: |
verbose
debug-all
standard-resolver
disable-ldap
when:
- not ansible_check_mode
- name: /etc/dirmngr/dirmngr.conf
blockinfile:
dest: /etc/dirmngr/dirmngr.conf
create: true
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml ipv6"
block: |
disable-ipv6
when:
- not ansible_check_mode
- BASE_IPV6_DISABLE == 1
- name: /etc/dirmngr/dirmngr.conf
blockinfile:
dest: "/etc/dirmngr/dirmngr.conf"
create: false
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml head"
block: |
{% for elt in PROXY_GNUPG_SERVERS %}
keyserver hkp://{{ elt }}
{% endfor %}
{% for elt in PROXY_GNUPG_CERTS %}
hkp-cacert {{ elt }}
{% endfor %}
when:
- not ansible_check_mode
- name: /var/log/dirmngr.log
shell: |
[ -f /var/log/dirmngr.log ] || touch /var/log/dirmngr.log
chown root /var/log/dirmngr.log
args:
creates: /var/log/dirmngr.log
- name: /etc/dirmngr/dirmngr.conf.tor
shell: |
[ -e /etc/dirmngr/dirmngr.conf.tor ] || \
cp -p /etc/dirmngr/dirmngr.conf /etc/dirmngr/dirmngr.conf.tor
when:
- PROXY_MODE == 'tor'
- name: /etc/dirmngr/dirmngr.conf use-tor
blockinfile:
dest: "/etc/dirmngr/dirmngr.conf"
create: true
marker: "# {mark} ANSIBLE MANAGED BLOCK tor"
block: |
use-tor
# https://keys.openpgp.org/about/usage
keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
when:
- not ansible_check_mode
- PROXY_MODE == 'tor'
- name: /etc/dirmngr/dirmngr.conf.whonix
shell: |
[ -e /etc/dirmngr/dirmngr.conf.whonix ] || \
cp -p /etc/dirmngr/dirmngr.conf /etc/dirmngr/dirmngr.conf.whonix
when:
- PROXY_MODE == 'whonix'
# This is not enough:
- name: /usr/bin/dirmngr.bin
# FixMe: blockinfile
shell: |
# /usr/bin/dirmngr.bin --dump-options >> /tmp/$$.out
[ -d /etc/dirmngr ] || mkdir /etc/dirmngr
[ -f /etc/dirmngr/dirmngr.conf ] || touch /etc/dirmngr/dirmngr.conf
grep -q disable-ipv6 /etc/dirmngr/dirmngr.conf ] || \
echo disable-ipv6 >> /etc/dirmngr/dirmngr.conf
args:
creates: /etc/dirmngr/dirmngr.conf
when:
- not ansible_check_mode
- BASE_IPV6_DISABLE == 1
- block:
- name: /usr/bin/dirmngr.bin
shell: |
[ -f /usr/local/bin/proxy_dirmngr.bash ] || exit 1
# This is recent
cd /usr/bin/
if [ ! -f dirmngr.bin ] ; then
mv dirmngr dirmngr.bin
elif file dirmngr | grep -q ELF ; then
mv dirmngr dirmngr.bin
fi
[ -h dirmngr ] || ln -s /usr/local/bin/proxy_dirmngr.bash dirmngr
chmod 755 dirmngr /usr/local/bin/proxy_dirmngr.bash
[ -x /usr/local/bin/proxy_dirmngr.bash ] || exit 2
when:
# the --keyserver may be required even with ipv6
- true or BASE_IPV6_DISABLE == 1
- not ansible_check_mode