From 251a7c0dd5532a6c3e5073cb0eca3b8e5dda2d42 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Thu, 19 Oct 2023 02:56:36 -0400
Subject: [PATCH] Import PGP key and verify git commits
---
dev/host_vars/docker.yml | 14 ++++++++------
roles/base/tasks/system.yml | 13 +++++++++++++
2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/dev/host_vars/docker.yml b/dev/host_vars/docker.yml
index a6ca476..3eb0987 100644
--- a/dev/host_vars/docker.yml
+++ b/dev/host_vars/docker.yml
@@ -2,6 +2,10 @@ allow_reboot: false manage_network: false +root_gpgkeys: # kris@lamoureux.io - id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925 + # docker docker_users: - vagrant
@@ -17,9 +21,8 @@ docker_compose_deploy: version: 31ee724feebc1d5f91cb17ffd6892c352537f194 enabled: true accept_newhostkey: true # Consider verifying manually instead - # Must manually add my public GPG key to root's keyring -#trusted_keys: - # - FBF673CEEC030F8AECA814E73EDA9C3441EDA925 + trusted_keys: - FBF673CEEC030F8AECA814E73EDA9C3441EDA925 env: ENABLE: true
@@ -29,9 +32,8 @@ docker_compose_deploy: version: 31ee724feebc1d5f91cb17ffd6892c352537f194 enabled: true accept_newhostkey: true # Consider verifying manually instead - # Must manually add my public GPG key to root's keyring -#trusted_keys: - # - FBF673CEEC030F8AECA814E73EDA9C3441EDA925 + trusted_keys: - FBF673CEEC030F8AECA814E73EDA9C3441EDA925 env: ENABLE: true VERSION: "2.10"
diff --git a/roles/base/tasks/system.yml b/roles/base/tasks/system.yml
index 393289a..4ddeef1 100644
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
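Review bot: The fingerprint `FBF673CEEC030F8AECA814E73EDA9C3441EDA925` is now written out three times in this host file (once under the new `root_gpgkeys` entry and once in each `trusted_keys` list), so a typo or a future key rotation in one place silently desynchronises what gets imported from what the deploys trust. A single variable such as `kris_gpg_fingerprint: FBF673CEEC030F8AECA814E73EDA9C3441EDA925`, referenced as `- id: "{{ kris_gpg_fingerprint }}"` and `- "{{ kris_gpg_fingerprint }}"`, keeps import and trust tied to the same value. The `# kris@lamoureux.io` comment is the only provenance recorded; noting how the fingerprint was verified out of band (e.g. compared against the author's published key card) would document the root of trust for the commit verification this patch turns on, since a keyserver lookup by itself only proves that some key with that fingerprint exists. How `trusted_keys` is consumed by the deploy role is not visible here, so whether it is compared by full fingerprint or by short key ID cannot be confirmed from this hunk.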
@@ -9,6 +9,19 @@ name: gpg state: present +- name: Check for existing GPG keys + command: "gpg --list-keys {{ item.id }} 2>/dev/null" + register: gpg_check + loop: "{{ root_gpgkeys }}" + failed_when: false + changed_when: false + when: root_gpgkeys is defined + +- name: Import GPG keys + command: "gpg --keyserver {{ item.server | default('keys.openpgp.org') }} --recv-key {{ item.id }}" + loop: "{{ root_gpgkeys }}" + when: root_gpgkeys is defined and gpg_check.results | map(attribute='rc') | list != [0] + - name: Install NTPsec ansible.builtin.apt: name: ntpsec
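Review bot: The `command` module does not run through a shell, so the `2>/dev/null` in the check task is passed to gpg as a second key pattern rather than as a redirection; it is also unnecessary, since stderr is captured in `gpg_check` and `failed_when: false` already masks the exit code, so it should simply be dropped. `loop` is evaluated before `when`, so on a host without `root_gpgkeys` the loop fails on the undefined variable before the guard is consulted; `loop: "{{ root_gpgkeys | default([]) }}"` makes the task safe and the guard redundant. The import condition compares the whole list of return codes with `[0]`, which is only right for exactly one key: with two or more keys every key is re-fetched from the keyserver on every run, so iterate over `gpg_check.results` and test `item.rc` per entry instead. Spelling the default server as `hkps://keys.openpgp.org` pins TLS rather than relying on dirmngr's scheme default, and although recent GnuPG rejects a fetched key whose fingerprint differs from the one requested, an explicit `gpg --list-keys` after import (or a `failed_when` on the import) would make that guarantee visible in the playbook. Unless `become` is set at play level, which is outside this hunk, these tasks populate the connecting user's keyring rather than root's, which the variable name suggests is the intent.

```yaml
- name: Check for existing GPG keys
  # command runs without a shell: no redirection; stderr lands in gpg_check anyway
  command: "gpg --list-keys {{ item.id }}"
  register: gpg_check
  loop: "{{ root_gpgkeys | default([]) }}"
  failed_when: false
  changed_when: false

- name: Import GPG keys
  # fetch only the keys the check above could not find, one per missing entry
  command: "gpg --keyserver {{ item.item.server | default('hkps://keys.openpgp.org') }} --recv-key {{ item.item.id }}"
  loop: "{{ gpg_check.results | default([]) }}"
  when: item.rc != 0
```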