-rw-r--r--chaos-at-home/ch-equinox-t450s.yml1
-rw-r--r--chaos-at-home/ch-equinox-ws.yml1
-rw-r--r--roles/ws/thunderbird-gpg-hack/handlers/main.yml3
-rw-r--r--roles/ws/thunderbird-gpg-hack/tasks/main.yml49
4 files changed, 54 insertions, 0 deletions
diff --git a/chaos-at-home/ch-equinox-t450s.yml b/chaos-at-home/ch-equinox-t450s.yml
index e4f57287..ea1aca7f 100644
--- a/chaos-at-home/ch-equinox-t450s.yml
+++ b/chaos-at-home/ch-equinox-t450s.yml
@@ -33,6 +33,7 @@
- role: network/wireguard/base
- role: ws/minet
- role: ws/flatpak
+ - role: ws/thunderbird-gpg-hack
post_tasks:
- name: make sure tlp is started and enabled
systemd:
diff --git a/chaos-at-home/ch-equinox-ws.yml b/chaos-at-home/ch-equinox-ws.yml
index b2dd76db..c3010e44 100644
--- a/chaos-at-home/ch-equinox-ws.yml
+++ b/chaos-at-home/ch-equinox-ws.yml
@@ -33,6 +33,7 @@
- role: ws/base
- role: core/users
- role: ws/flatpak
+ - role: ws/thunderbird-gpg-hack
post_tasks:
- name: disable caps-lock
lineinfile:
diff --git a/roles/ws/thunderbird-gpg-hack/handlers/main.yml b/roles/ws/thunderbird-gpg-hack/handlers/main.yml
new file mode 100644
index 00000000..d4967d21
--- /dev/null
+++ b/roles/ws/thunderbird-gpg-hack/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: replace apparmor profile snap.thunderbird.thunderbird
+ command: apparmor_parser -v -C -r /var/lib/snapd/apparmor/profiles/snap.thunderbird.thunderbird
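Review bot: The `-C` in the handler's `apparmor_parser -v -C -r …` is the parser's `--Complain` option, so every time this handler fires the entire snap.thunderbird.thunderbird profile is reloaded in complain mode, i.e. the Thunderbird snap's confinement becomes log-only instead of enforced — not just for the gnupg2 paths the role adds. If that is a deliberate part of the hack it deserves a comment on the handler saying so, because nothing else in the commit mentions it; if the goal is only to pick up the patched include, the enforcing form is `command: apparmor_parser -v -r /var/lib/snapd/apparmor/profiles/snap.thunderbird.thunderbird`. As far as I know snapd rewrites and reloads this profile itself on a snap refresh, so whichever mode is intended should be checked after the next refresh rather than assumed to persist.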
diff --git a/roles/ws/thunderbird-gpg-hack/tasks/main.yml b/roles/ws/thunderbird-gpg-hack/tasks/main.yml
new file mode 100644
index 00000000..8a6037e8
--- /dev/null
+++ b/roles/ws/thunderbird-gpg-hack/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+## workaround for: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/2009825
+## also see: https://forum.snapcraft.io/t/thunderbird-snap-and-external-gnupg-for-smart-cards/39553/1
+
+# manual config changes:
+## go to: Edit -> Settings -> (scroll to the end) -> Config Editor...
+## mail.openpgp.allow_external_gnupg = true
+## mail.openpgp.alternative_gpg_path = /home/equinox/gpg-wrapper-snap.sh
+
+- name: connect gpg-keys slot of thunderbird snap
+ command: snap connect thunderbird:gpg-keys :gpg-keys
+ changed_when: false
+
+## TODOM make home-dir configurable or find location for wrapper that is usable for all users...
+- name: generate gpg-wrapper to workaround HOME variable issue
+ copy:
+ content: |
+ #!/bin/sh
+ export HOME="$SNAP_REAL_HOME"
+ exec $SNAP/usr/bin/gpg "$@"
+ dest: /home/equinox/gpg-wrapper-snap.sh
+ mode: 0755
+
+- name: create apparmor abstraction for gnupg2
+ copy:
+ content: |
+ # vim:syntax=apparmor
+ # gnupg2 sub-process running permissions
+
+ abi <abi/4.0>,
+
+ # user configurations
+ owner @{HOME}/.gnupg/* r,
+ owner @{HOME}/.gnupg/random_seed rk,
+ owner @{HOME}/.gnupg/tofu.db rwk,
+ owner /{,var/}run/user/[0-9]*/gnupg/* rw,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/gnupg2.d>
+ dest: /etc/apparmor.d/abstractions/gnupg2
+ notify: replace apparmor profile snap.thunderbird.thunderbird
+
+- name: patch thunderbird apparmor profile
+ lineinfile:
+ line: " #include <abstractions/gnupg2>"
+ state: present
+ insertafter: " #include <abstractions/openssl>"
+ path: /var/lib/snapd/apparmor/profiles/snap.thunderbird.thunderbird
+ notify: replace apparmor profile snap.thunderbird.thunderbird
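Review bot: The "patch thunderbird apparmor profile" task has no protection against its `insertafter` anchor being absent: when the `#include <abstractions/openssl>` regex does not match, lineinfile appends the include at end of file, which in an AppArmor profile lands after the closing brace, and the notified `apparmor_parser -r` handler then fails on a syntax error with the profile left unloaded. A preceding check that the anchor line exists (failing the play with a clear message), or lineinfile's `validate` option run against a parse-only invocation of apparmor_parser, would turn that into a controlled failure. The edited file under /var/lib/snapd/apparmor/profiles/ is, as far as I can tell, generated by snapd and rewritten on a snap refresh, so a comment above the task noting that the role must be re-run after refreshes would save the next maintainer a debugging session. Minor: the wrapper's `mode: 0755` relies on YAML 1.1 octal parsing; `mode: "0755"` is the portable spelling.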