fedora-infra_ansible/roles/sigul/server/tasks/main.yml
Patrick Uiterwijk e9f0047575 Also sync out the keys for vault 05 and 06
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2018-11-09 23:44:06 +01:00


# Drop the rhel7ah yum repo definition in place. Runs only where
# ansible_distribution is 'RedHat'.
# NOTE(review): no owner/mode is given, so the file keeps whatever the copy
# module defaults to on the target; packages are later installed from the
# repos enabled on the host.
- name: put rhel AH repos on rhel systems
  copy:
    src: "{{ files }}/common/rhel7ah.repo"
    dest: /etc/yum.repos.d/rhel7ah.repo
  when: ansible_distribution == 'RedHat'
  tags:
    - config
    - packages
    - yumrepos
# Install the sigul server and the packages listed below, one loop item per
# package. state=present only ensures each package is installed: nothing here
# pins a version, so the result depends on the repos enabled on the host.
- name: Install sigul server
  package:
    name: "{{ item }}"
    state: present
  with_items:
    - sigul-server
    - rpm-sign
    - bzip2
    - p11-kit
    - openssl-pkcs11
    - gnutls-utils
    - ykpers
    - yubico-piv-tool
    - pcsc-lite
    - opensc
    - tar
  tags:
    - packages
# Start the pcscd service now and enable it at boot.
# This task carries no tags, unlike its neighbours.
- name: Enable pcscd
  service:
    name: pcscd
    state: started
    enabled: true
# Install gnupg1 on hosts whose distribution major version is exactly 7.
# The condition tests the version number only, not the distribution name.
- name: install rhel7 only packages
  package:
    name: "{{ item }}"
    state: present
  with_items:
    - gnupg1
  when: ansible_distribution_major_version|int == 7
  tags:
    - packages
# Install gnupg on hosts whose distribution major version is above 23.
# As with the rhel7 task, only the version number is checked, so "fedora only"
# holds as long as no other distribution in the inventory reports a major
# version greater than 23.
- name: install fedora only packages
  package:
    name: "{{ item }}"
    state: present
  with_items:
    - gnupg
  when: ansible_distribution_major_version|int > 23
  tags:
    - packages
# Render server.conf.j2 to /etc/sigul/server.conf.
# Owner and group sigul with mode 0640 leave the file unreadable to other
# local accounts.
# NOTE(review): presumably the rendered config holds sensitive settings;
# confirm against server.conf.j2 that 0640 is tight enough.
- name: Setup sigul server.conf
  template:
    src: server.conf.j2
    dest: /etc/sigul/server.conf
    owner: sigul
    group: sigul
    # Quoted so the YAML parser keeps the mode as a string, not a number.
    mode: "0640"
  tags:
    - config
# On major version 7, make /usr/bin/gpg a symlink to /usr/bin/gpg1 (the
# gnupg1 package is installed by an earlier task under the same condition).
# The condition checks the version number only, not the distribution name.
- name: Setup gpg link on rhel7
  file:
    dest: /usr/bin/gpg
    src: /usr/bin/gpg1
    state: link
  when: ansible_distribution_major_version|int == 7
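# Install the polkit rule file that, per the task name, lets the sigul user
# reach the smart card / YubiKey.
# This file is authorization policy, so ownership and mode are stated
# explicitly rather than inherited from the remote umask or from an earlier
# manual change. Root owns the file and nobody else can write to it; it stays
# world-readable so the polkit daemon can load it.
# NOTE(review): confirm that 00-sigul.rules grants only the actions the
# signing service needs.
- name: add polkit rules to allow sigul user to access the smartcard/yubikey
  copy:
    src: 00-sigul.rules
    dest: /etc/polkit-1/rules.d/00-sigul.rules
    owner: root
    group: root
    # Quoted so the YAML parser keeps the mode as a string, not a number.
    mode: "0644"
  tags:
    - config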
# Copy the YubiKey certificate for each listed vault into /etc/sigul.
# The task name calls these public certs, which fits the world-readable,
# root-owned 0644 mode.
# NOTE(review): the sources come from the {{ private }} tree; verify that each
# .pem holds a certificate only and no private key material.
- name: Deploy public yubikey certs
  copy:
    src: "{{ private }}/files/sigul/{{ item }}"
    dest: "/etc/sigul/{{ item }}"
    owner: root
    group: root
    # Quoted so the YAML parser keeps the mode as a string, not a number.
    mode: "0644"
  with_items:
    - yubikey_sv03.pem
    - yubikey_sv04.pem
    - yubikey_sv05.pem
    - yubikey_sv06.pem
  tags:
    - config
# Mask the tmp.mount systemd unit so that it cannot be started.
# NOTE(review): the file gives no reason for this; presumably /tmp should not
# be a tmpfs on the signing host. Confirm the intent and document it.
- name: mask tmpfs tmp
  systemd:
    name: tmp.mount
    masked: true
  tags:
    - config