Move keyserver to a role. Thanks misc!

This commit is contained in:
Kevin Fenzi 2014-04-24 20:37:51 +00:00
parent 0982cd46a9
commit 52c9e9a08d
10 changed files with 103 additions and 20 deletions


@ -1,132 +0,0 @@
* { font-family: helvetica, sans-serif; }
h1,
p {
margin: 0; /* Let's zero those margins */
}
h2 { color: #3c6eb4; margin: 0;}
#container {
/* border: 1px solid #555; /* Nice transition from white background */
width: 600px; /* Should be narrow enough for small screens */
margin: 0 auto; /* Centering */
font-size: 1.1em; /* Font big enough not to need to squint */
line-height: 1.3em;
}
#title {
/* background-color:#e2e5e2; */
padding: 10px;
}
#title h1, #title h2 {
margin-top: 0.3em;
}
#info {
/* background-color:#e2e5e2; */
padding: 5px 10px;
}
#main {
/* background : #FAFBEA; */
padding: 0 10px 10px 10px;
}
#main header {
padding-top: 1em;
}
#main p {
margin: 0.5em 0;
}
#keytext {
width: 100%;
height: 150px;
border: 1px solid #555;
background : #fff;
max-width: 100%;
display: block;
}
ul {
width: 100%;
list-style-type: none;
padding-left: 0;
}
li {
width: 99%;
}
li label {
width: 57%;
display: inline-block;
}
button {
border-radius: 3px;
-moz-border-radius: 3px;
background: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#ddd));
background: -moz-linear-gradient(top, #fff, #ddd);
border: 1px solid #bbb;
}
#info p {line-height: 1.1em; margin-bottom: 0.3em;}
#bodyform {
margin-top: 20px;
color: #555;
font-weight: normal;
font-size: 16px;
}
#headcontent {
width: 700px;
margin: auto;
display: table;
}
#lefttop {
float: left;
text-align: left;
}
#righttop {
float:right;
text-align: right;
}
hr {
background: #3c6eb4;
height: 8px;
border: 0px;
}
footer {
background: #3c6eb4;
margin: auto;
color: #fff;
}
footer p { width: 500px; margin: auto; text-align: center;}
a {text-decoration: none; color: #B8C9FF; font-weight: bold;}
fieldset {
border: 2px solid #4462C4;
}
legend {
color: #3c6eb4;
}


@ -1,91 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<link rel="stylesheet" type="text/css" media="all" href="css.css" />
<title>Fedora Project GPG Key Server</title>
</head>
<body>
<div id=bodyform>
<div id=headcontent>
<div id=lefttop>
<a href="https://fedoraproject.org">
<img src='https://fedoraproject.org/static/images/fedora-logo.png'>
</a>
</div>
<div id=righttop>
<h1>SKS OpenPGP Key server</h1>
<h2>keys.fedoraproject.org</h2>
</div>
</div>
<hr></hr>
<div id="container">
<div id="main" role="main">
<header>
<h2>Extract a key</h2>
</header>
<p>You can find a key by typing in some words that appear in the
userid (name, email, etc.) of the key you're looking for, or
by typing in the keyid in hex format ("0x&#8230;")</p>
<form id="lookup" action="/pks/lookup" method="get">
<fieldset checked="true"> <legend>Search for a public key</legend>
<ul>
<li> <label for="search">String</label> <input id="search"
name="search" placeholder="0xDEADBEEF" required="" autofocus=""
type="text"> </li>
<li> <label for="fingerprint">Show PGP Fingerprints</label>
<input id="fingerprint" name="fingerprint" type="checkbox">
</li>
<li> <label for="hash">Show SKS full-key hashes</label> <input
id="hash" name="hash" type="checkbox"> </li>
<li> <label for="matching">Get regular index of matching
keys</label> <input id="matching" name="op" value="index"
type="radio"> </li>
<li> <label for="verbose">Get verbose index of matching
keys</label> <input id="verbose" name="op" value="vindex"
checked="checked" type="radio"> </li>
<li> <label for="asciiarmored">Retrieve ascii-armored
keys</label> <input id="asciiarmored" name="op" value="get"
type="radio"> </li>
<li> <label for="fullkey">Retrieve keys by full-key hash</label>
<input id="fullkey" name="op" value="hget" type="radio">
</li>
</ul>
<button type="reset">Reset</button> <button type="submit">Search
for a key</button> </fieldset>
</form>
<header>
<h2>Submit a key</h2>
</header>
<p>You can submit a key by simply pasting in the ASCII-armored
version of your key and clicking on submit.</p>
<form id="add" action="/pks/add" method="post">
<fieldset> <textarea id="keytext" name="keytext" rows="5" cols="30"></textarea>
<button type="reset">Reset</button> <button checked="true"
type="submit">Submit this key</button></fieldset>
</form>
</div>
<!-- end of #main -->
</div>
<!--! end of #container -->
<footer id="info">
<p><a href="https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home">SKS</a> is
a new <a href="http://www.openpgp.org/">OpenPGP</a>
keyserver. The main innovation of SKS is that it includes a
highly-efficient reconciliation algorithm for keeping the
keyservers synchronized.</p>
<p style="text-align: center;"><a href="/pks/lookup?op=stats">SKS statistics</a></p>
</footer>
</div>
</body>
</html>


@ -1,48 +0,0 @@
a.sks.srv.scientia.net 11370 # root@sks.srv.scientia.net
key.adeti.org 11370 # Marco RODRIGUES <marco@adeti.org> 0x7CE697FC
key.ip6.li 11370 # Christian Felsing <hostmaster@ip6.li> 0x5386E2A0
keys2.kfwebs.net 11370 # 0x0B7F8B60E3EDFAE3
keys.andreas-puls.de 11370 # Andreas Puls <appu@gmx.net> 0xDAC73FA6
#keys.christensenplace.us 11370 # Eric Christensen <eric@christensenplace.us> 0x024BB3D1
keyserver.advmapper.com 11370 # Tyler Schwend <tylerschwend@gmail.com> 0xDB4B79F8
keyserver.cns.vt.edu 11370 # Phil Benchoff <benchoff@vt.edu> <keymaster@cns.vt.edu>
#keyserver.computer42.org 11370 # H.-Dirk Schmitt <dirk@computer42.org> 0x6A017B17
keyserver.dacr.hu 11370 # David Horvath <dacr@dacr.hu> 0x00CBC81A
keyserver.gingerbear.net 11370 # John P. Clizbe <John@Gingerbear.net> 0xD6569825
keyserver.kim-minh.com 11370 # Kim Minh Kaplan<kaplan+sks@kim-minh.com> 0xAF1E829C
keyserver.kjsl.org 11370 # Javier Henderson <javier@kjsl.org> 0x9BF88EE5
keyserver.nausch.org 11370 # Michael Nausch <michael@nausch.org> 0x2384C849
#key-server.nl 11370 # Wijnand Modderman-Lenstra <maze@key-server.nl> 0x294DF221
keyserver.saol.no-ip.com 11370 # Peter <peter@saol.no-ip.com> 0x39E97290
keyserver.secretresearchfacility.com 11370 # Stephan Seitz <s.seitz@secretresearchfacility.com> 0xAB83B1C3
keyserver.serviz.fr 11370 # robert <sks(at)serviz(pt)fr> 0xEF333C7E
keyserver.sincer.us 11370 # Petru Ghita <petrutz@venaver.info> 0x7CF29D04
keyserver.skoopsmedia.net 11370 # unknown
#keyservers.org 11370 # Rob Hansen <rjh@sixdemonbag.org>
keyserver.stack.nl 11370 # Johan van Selst <johans@stack.nl> 0xD3AE8D3A
keyserver.ut.mephi.ru 11370 # Dmitry Yu Okunev <dyokunev@ut.mephi.ru> 0x8E30679C, pks team <pks@ut.mephi.ru>
keyserver.vi-di.fr 11370 # Frank Villaro-Dixon <keyserver@vi-di.fr>016106A6AF223DBE
keys.exosphere.de 11370 # Christoph Gebhardt <chris@exosphere.de> 0xE1C2E92C
keys.jhcloos.com 11370 # James Cloos <cloos@jhcloos.com> 0xED7DAEA6
keys.niif.hu 11370 # Gabor Kiss <kissg@ssg.ki.iif.hu>
keys.thoma.cc 11370 # Maximilian Thoma <keys@thoma.cc> 0xB480AC4B
#keys.wuschelpuschel.org 11370 # 0x017D1C3D Peter Kornherr <peter@wuschelpuschel.org>
#openpgp1.claruscomms.net 11370 # unknown
pgp.circl.lu 11370 # CIRCL - info@circl.lu - 0x22BD4CD5
#pgp.codelabs.ru 11370 # Eygene Ryabinkin <rea@codelabs.ru> 0x8152ECFB
pgp.jjim.de 11370 # Joel Garske <admin@pgp.jjim.de> 0xA921EB20
pgpkeys.mallos.nl 11370 # Arnold Schekkerman <arnold@mallos.nl> 0xB66BBBAA
#pgp.megagod.net 11370 # Kullawat Chaowanawatee (0xC19EAE3A)
pgp.rediris.es 11370 # Francisco.monserrat <francisco.monserrat@rediris.es> 0xD3A42C61
#pki.colliertech.org 11370 # C.J. Adams-Collier <cjac@uw.edu> 0x8E562765BA27A83C
ranger.ky9k.org 11370 # Brian D Heaton <pgp-keymaster@ky9k.org> 0x9A016118
sks.alpha-labs.net 11370 # Christian Reiss <email@christian-reiss.de> 0x44e29126abcd43c5
sks.disunitedstates.com 11370 # David Benfell <benfell@disunitedstates.com> 0x1236602B
sks.ecks.ca 11370 # Eric Benoit <eric@ecks.ca> 0x69E65D2C
sks.es.net 11370 # keymaster@es.net
sks.fidocon.de 11370 # unknown
sks.karotte.org 11370 # Sebastian Wiesinger <sebastian@karotte.org> 0x93A0B9CE
sks.keyservers.net 11370 # John P. Clizbe <John@Gingerbear.net> 0xD6569825
sks-peer.spodhuis.org 11370 # Phil Pennock <keyserver@spodhuis.org> 0x3903637F
sks.pkqs.net 11370 # Stephan Beyer <s-beyer@gmx.net> 0xFCC5040F
zimmermann.mayfirst.org 11370 # Daniel Kahn Gillmor <dkg@fifthhorseman.net> 0xCCD2ED94D21739E9


@ -1,13 +0,0 @@
basedir: /srv/sks
#debuglevel: 10
#debug:
hostname: keys.fedoraproject.org
hkp_address: 127.0.0.1
hkp_port: 11371
recon_port: 11370
#gossip_interval: 1440
stat_hour: 00
initial_stat:
membership_reload_interval: 1
disable_mailsync:
server_contact: 0x167B4A54236BBEAA37DCCD92ED14D5E7110810E9


@ -1,224 +0,0 @@
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
LoadModule ssl_module modules/mod_ssl.so
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
# ProxyPass / http://localhost:11371/
# ProxyPassReverse / http://localhost:11371/
#ServerName www.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>