Install root@core's public key in /etc/root-pub.pem.
authorMatt Birkholz <matt@birchwood-abbey.net>
Thu, 20 Nov 2025 23:36:13 +0000 (16:36 -0700)
committerMatt Birkholz <matt@birchwood-abbey.net>
Thu, 20 Nov 2025 23:36:13 +0000 (16:36 -0700)
Thus anyone can send encrypted email to root with the --recipient-file
option to gpg.

This might have simplified the hacked passwd command if it did not
have to run as sysadm anyway, for /etc/shadow access.

README.org
roles_t/core/handlers/main.yml
roles_t/core/tasks/main.yml
roles_t/core/templates/passwd

index 49b204431c2cf8f7453929bd6971aeae140375f7..6993612dffaadbaa3dede6d017ba7b4d277d35f3 100644 (file)
@@ -6383,7 +6383,7 @@ close $TMP;
 
 my $O = new IO::File;
 open $O, ("| gpg --encrypt --armor"
-         ." --trust-model always --recipient root\@core"
+         ." --recipient-file /etc/root-pub.pem"
          ." > $tmp") or die "Error running gpg > $tmp: $!\n";
 print $O <<EOD;
 username: $username
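Review bot: The changed `--recipient-file` line belongs to an `open $O, ("| gpg ..." ." > $tmp")` call that is still a two-argument pipe open, so the whole command string goes through a shell and `$tmp` (assigned before `close $TMP;`, outside this hunk) is interpolated into it unquoted, where any shell metacharacter in that path would be interpreted. The list form avoids the shell entirely: `open my $O, '|-', 'gpg', '--encrypt', '--armor', '--recipient-file', '/etc/root-pub.pem', '--output', $tmp or die "Error running gpg > $tmp: $!\n";` and makes the `my $O = new IO::File;` indirect-object line unnecessary. Dropping `--trust-model always` is consistent with `--recipient-file`, which gpg documents as treating the key in the named file as fully valid. The same statement appears in the roles_t/core/templates/passwd hunk, and the check that a gpg failure is actually noticed (`close $O or die ...`) would sit after the heredoc, outside both hunks.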
@@ -6538,10 +6538,10 @@ configuration so that the email to root can be encrypted.
     group: root
 
 - name: Install root PGP key file.
-  become: no
+  become: yes
   copy:
     src: ../Secret/root-pub.pem
-    dest: ~/.gnupg-root-pub.pem
+    dest: /etc/root-pub.pem
     mode: u=r,g=r,o=r
   notify: Import root PGP key.
 #+END_SRC
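Review bot: Now that the copy runs with `become: yes`, the task pins only `mode: u=r,g=r,o=r` and leaves `owner`/`group` to whatever the become user is, while the task just above it (its `group: root` line opens this hunk) sets the group explicitly; adding `owner: root` and `group: root` to the copy would make the intended ownership of /etc/root-pub.pem explicit rather than inherited. The world-readable mode matches the stated goal of letting any local user pass the file to `--recipient-file`. The tangled copy of this task in roles_t/core/tasks/main.yml has the same shape.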
@@ -6551,7 +6551,7 @@ configuration so that the email to root can be encrypted.
 
 - name: Import root PGP key.
   become: no
-  command: gpg --import ~/.gnupg-root-pub.pem
+  command: gpg --import /etc/root-pub.pem
 #+END_SRC
 
 ** The Old Command
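Review bot: The handler still runs `gpg --import /etc/root-pub.pem` with `become: no`, importing the key into the connecting user's keyring (presumably sysadm, per the commit description), but the passwd template in this same commit switches to `--recipient-file /etc/root-pub.pem`, which reads the key from the file and does not consult that keyring. If nothing else on the host relies on the imported copy, the handler and the `notify: Import root PGP key.` in the copy task look vestigial and could be removed; if the import is kept for other gpg use, a comment such as `# Keyring import kept for interactive gpg use; passwd reads the file directly.` would record why. The same handler is mirrored in roles_t/core/handlers/main.yml.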
index 891fd894bbf2fef9c5677f619c1f0a700864e772..71d259b1ca59be8f49ef9c9b67802327865df57b 100644 (file)
@@ -86,4 +86,4 @@
 
 - name: Import root PGP key.
   become: no
-  command: gpg --import ~/.gnupg-root-pub.pem
+  command: gpg --import /etc/root-pub.pem
index 096092ceee3106fa02bf4bcd3941a92ba519f9fc..879fd0c3c5f3775362d96f1f4a95dc4a0cd89a6d 100644 (file)
     group: root
 
 - name: Install root PGP key file.
-  become: no
+  become: yes
   copy:
     src: ../Secret/root-pub.pem
-    dest: ~/.gnupg-root-pub.pem
+    dest: /etc/root-pub.pem
     mode: u=r,g=r,o=r
   notify: Import root PGP key.
index e8e511d5d92184309a409ba472cba20c63f21f46..584204d770717b4dfa2d62cebf08e3b2e26eee8d 100644 (file)
@@ -51,7 +51,7 @@ close $TMP;
 
 my $O = new IO::File;
 open $O, ("| gpg --encrypt --armor"
-         ." --trust-model always --recipient root\@core"
+         ." --recipient-file /etc/root-pub.pem"
          ." > $tmp") or die "Error running gpg > $tmp: $!\n";
 print $O <<EOD;
 username: $username