Getting started

Default remote keyserver

By default the debops.keyring role uses the Ubuntu keyserver to retrieve GPG keys by their fingerprints. The keyserver is configured with the keyring__keyserver variable. For increased security, or if your infrastructure is behind a firewall that blocks connections to the OpenPGP keyserver, you can use the debops.sks Ansible role to set up a local SKS keyserver instance and import the GPG keys into it for easy retrieval.

The previously used SKS Keyserver pool has been deprecated and is no longer maintained. Thanks to the maintainers for years of great service!

Local key store on the Ansible Controller

The role supports a local key store on the Ansible Controller: set the keyring__local_path variable to the absolute path of a directory containing the GPG key files. For example, to store the GPG keys in the ansible/keyring/ subdirectory of the DebOps project directory, define in the ansible/inventory/group_vars/all/keyring.yml file:

keyring__local_path: '{{ inventory_dir | realpath + "/../keyring" }}'

This tells the role to look for the key files in the ansible/keyring/ directory, relative to the Ansible inventory.

Each key file in the directory should be ASCII-armored and named using the following format:

0xFINGERPRINT.asc

At runtime the role checks the specified directory for GPG key files and builds a list of them, which is used to determine whether a GPG key with a given ID is available locally. If a key is found, installation from the local key store takes precedence over the network-based methods.
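The lookup rule described above (scan the directory, recognise the 0xFINGERPRINT.asc naming, prefer the local store over the keyserver) as an added illustrative example in Python; this is not the role's own code. The keyserver URL default, the fingerprint value and the armor-header check are assumptions constructed for the demo.

```python
import os
import re
import tempfile

FILE_RE = re.compile(r"^0x([0-9A-Fa-f]{40})\.asc$")   # 0xFINGERPRINT.asc
ARMOR_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"

def index_local_keys(local_path):
    """Map full fingerprints to paths for well-formed files in the store.
    Files with a malformed name or no ASCII-armor header are skipped, so a
    stray or truncated file cannot silently take precedence over a fetch."""
    index = {}
    for name in sorted(os.listdir(local_path)):
        m = FILE_RE.match(name)
        if not m:
            continue
        path = os.path.join(local_path, name)
        with open(path, encoding="ascii", errors="replace") as fh:
            if fh.readline().strip() == ARMOR_HEADER:
                index[m.group(1).upper()] = path
    return index

def resolve_key(key_id, index, keyserver="hkp://keyserver.ubuntu.com"):
    """Return ('local', path) if the ID matches a stored key, else
    ('keyserver', url).  Accepts a full fingerprint or a long (16 hex) key
    ID, with or without 0x; an ambiguous suffix match is an error."""
    wanted = key_id.upper().removeprefix("0X")
    if not re.fullmatch(r"[0-9A-F]{16}|[0-9A-F]{40}", wanted):
        raise ValueError(f"not a long key ID or fingerprint: {key_id!r}")
    matches = [fpr for fpr in index if fpr.endswith(wanted)]
    if len(matches) > 1:
        raise ValueError(f"ambiguous key ID {key_id!r}: {matches}")
    if matches:
        return ("local", index[matches[0]])
    return ("keyserver", keyserver)

def demo():
    """Populate a constructed store and resolve three IDs against it."""
    fpr = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed value
    with tempfile.TemporaryDirectory() as store:
        with open(os.path.join(store, f"0x{fpr}.asc"), "w") as fh:
            fh.write(ARMOR_HEADER + "\n\n(constructed placeholder body)\n")
        # Wrong name (no 0x prefix): must not be picked up as a key.
        open(os.path.join(store, f"{fpr}.asc"), "w").close()
        index = index_local_keys(store)
        return (len(index),
                resolve_key("0x" + fpr, index)[0],      # full fingerprint
                resolve_key(fpr[-16:], index)[0],       # long key ID
                resolve_key("0xFFFFFFFFFFFFFFFF", index)[0])  # not stored
```

Running demo() returns (1, 'local', 'local', 'keyserver'): the misnamed file is ignored, both the full fingerprint and the long key ID resolve to the local file, and an unknown ID falls back to the keyserver.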

Example inventory

The role is included by default in the bootstrap-ldap.yml and common.yml playbooks, therefore you don't need to do anything to enable it.

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.keyring role:

---

- name: Manage APT and GPG keyrings
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_keyring' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  roles:

    - role: keyring
      tags: [ 'role::keyring', 'skip::keyring' ]

Ansible tags

You can use the Ansible --tags or --skip-tags parameters to limit which tasks are performed during an Ansible run. This can be used after a host has been configured for the first time, to speed up playbook execution when you are sure that most of the configuration is already in the desired state.

Available role tags:

role::keyring
Main role tag; it should be used in the playbook to execute all of the role's tasks as well as its role dependencies.

Other resources

List of other useful resources related to the debops.keyring Ansible role: