fedora-infra_ansible/roles/sigul/server/tasks/main.yml

---
- name: Install sigul server
  ansible.builtin.package: state=present name={{ item }}
  with_items:
  - sigul-server
  - rpm-sign
  - bzip2
  - p11-kit
  - openssl-pkcs11
  - gnutls-utils
  - ykpers
  # - yubico-piv-tool
  - pcsc-lite
  - opensc
  - tar
  tags:
  - packages

- name: Enable pcscd
  service: name=pcscd state=started enabled=yes

- name: Install gnupg packages
  ansible.builtin.package: state=present name={{ item }}
  with_items:
  - gnupg
  tags:
  - packages

- name: Setup sigul server.conf
  ansible.builtin.template: src=server.conf.j2 dest=/etc/sigul/server.conf
            owner=sigul group=sigul mode=0640
  tags:
  - config

- name: Add polkit rules to allow sigul user to access the smartcard/yubikey
  ansible.builtin.copy: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules
  tags:
  - config

- name: Deploy public yubikey certs
  ansible.builtin.copy: src="{{private}}/files/sigul/{{item}}" dest=/etc/sigul/{{item}} mode=0644 owner=root group=root
  with_items:
  - yubikey_sv03.pem
  - yubikey_sv04.pem
  - yubikey_sv05.pem
  - yubikey_sv06.pem
  tags:
  - config

- name: Mask tmpfs tmp
  systemd: masked=yes name=tmp.mount
  tags:
  - config