Meeting Agenda Item: Introduction Gabriel Diaz'
by Gabriel Diaz
Hello community!
My name is Gabriel Diaz, and I am very interested in starting to contribute
with my knowledge.
I'm from Colombia, so my time zone is GMT-5.
My basic skills and experience are quite simple.
I learned to program a few years ago and I have liked it since then. I know
different languages like C++, Python, Java, and Haskell, and I know different
paradigms like OOP or structured.
I'd like to improve my programming skills, learning from the great
developers that this community has.
I have made different projects in those languages, mostly for my
university assignments, but nothing too big.
I'm joining because I have loved free software since I learned about it, and got
really interested in developing free software.
I'm able to contribute about 6 hours per week; it depends on my workload.
I checked the outstanding issues but didn't feel comfortable picking one to
help with; I think it is better to first get more involved.
--
Gabriel Diaz.
[PATCH] migrate keyserver to be a role
by Michael Scherer
From: Michael Scherer <misc(a)zarb.org>
---
files/keyserver/css.css | 132 ----------------------
files/keyserver/index.html | 91 ----------------
files/keyserver/membership | 48 --------
files/keyserver/sks.conf | 83 --------------
files/keyserver/sksconf | 13 ---
files/keyserver/ssl.conf | 224 --------------------------------------
handlers/restart_services.yml | 6 -
playbooks/groups/keyserver.yml | 2 +-
roles/keyserver/files/css.css | 132 ++++++++++++++++++++++
roles/keyserver/files/index.html | 91 ++++++++++++++++
roles/keyserver/files/membership | 48 ++++++++
roles/keyserver/files/sks.conf | 83 ++++++++++++++
roles/keyserver/files/sksconf | 13 +++
roles/keyserver/files/ssl.conf | 224 ++++++++++++++++++++++++++++++++++++++
roles/keyserver/handlers/main.yml | 6 +
roles/keyserver/tasks/main.yml | 100 +++++++++++++++++
tasks/keyserver.yml | 100 -----------------
17 files changed, 698 insertions(+), 698 deletions(-)
delete mode 100644 files/keyserver/css.css
delete mode 100644 files/keyserver/index.html
delete mode 100644 files/keyserver/membership
delete mode 100644 files/keyserver/sks.conf
delete mode 100644 files/keyserver/sksconf
delete mode 100644 files/keyserver/ssl.conf
create mode 100644 roles/keyserver/files/css.css
create mode 100644 roles/keyserver/files/index.html
create mode 100644 roles/keyserver/files/membership
create mode 100644 roles/keyserver/files/sks.conf
create mode 100644 roles/keyserver/files/sksconf
create mode 100644 roles/keyserver/files/ssl.conf
create mode 100644 roles/keyserver/handlers/main.yml
create mode 100644 roles/keyserver/tasks/main.yml
delete mode 100644 tasks/keyserver.yml
diff --git a/files/keyserver/css.css b/files/keyserver/css.css
deleted file mode 100644
index 99443a0..0000000
--- a/files/keyserver/css.css
+++ /dev/null
@@ -1,132 +0,0 @@
- * { font-family: helvetica, sans-serif; }
-
- h1,
- p {
- margin: 0; /* Let's zero those margins */
- }
-
-h2 { color: #3c6eb4; margin: 0;}
-
- #container {
- /* border: 1px solid #555; /* Nice transition from white background */
- width: 600px; /* Should be narrow enough for small screens */
- margin: 0 auto; /* Centering */
- font-size: 1.1em; /* Font big enough not to need to squint */
- line-height: 1.3em;
-
- }
-
- #title {
- /* background-color:#e2e5e2; */
- padding: 10px;
- }
-
- #title h1, #title h2 {
- margin-top: 0.3em;
- }
-
- #info {
- /* background-color:#e2e5e2; */
- padding: 5px 10px;
- }
-
- #main {
- /* background : #FAFBEA; */
- padding: 0 10px 10px 10px;
- }
-
- #main header {
- padding-top: 1em;
- }
-
- #main p {
- margin: 0.5em 0;
- }
-
- #keytext {
- width: 100%;
- height: 150px;
- border: 1px solid #555;
- background : #fff;
- max-width: 100%;
- display: block;
- }
-
- ul {
- width: 100%;
- list-style-type: none;
- padding-left: 0;
- }
-
- li {
- width: 99%;
- }
-
- li label {
- width: 57%;
- display: inline-block;
- }
-
- button {
- border-radius: 3px;
- -moz-border-radius: 3px;
- background: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#ddd));
- background: -moz-linear-gradient(top, #fff, #ddd);
- border: 1px solid #bbb;
- }
-
- #info p {line-height: 1.1em; margin-bottom: 0.3em;}
-
-
-
-#bodyform {
- margin-top: 20px;
- color: #555;
- font-weight: normal;
- font-size: 16px;
-
-}
-
-#headcontent {
- width: 700px;
- margin: auto;
- display: table;
-
-}
-
-#lefttop {
- float: left;
- text-align: left;
-}
-
-#righttop {
- float:right;
- text-align: right;
-}
-
-hr {
- background: #3c6eb4;
- height: 8px;
- border: 0px;
-}
-
-footer {
- background: #3c6eb4;
- margin: auto;
- color: #fff;
-
-}
-
-footer p { width: 500px; margin: auto; text-align: center;}
-
-a {text-decoration: none; color: #B8C9FF; font-weight: bold;}
-
-fieldset {
- border: 2px solid #4462C4;
-}
-
-legend {
- color: #3c6eb4;
-}
-
-
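Review bot: this is a pure move, not a change: the deleted blob here (`index 99443a0..0000000`) reappears unchanged as `roles/keyserver/files/css.css` (`index 0000000..99443a0`), and the same holds for the other five files (698 insertions against 698 deletions). Regenerating the series with `git format-patch -M` would render these as renames, collapsing the patch to a few lines and making it self-evident that nothing was altered in transit, which is what a reviewer most wants to verify for a config move.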
diff --git a/files/keyserver/index.html b/files/keyserver/index.html
deleted file mode 100644
index 12b7be5..0000000
--- a/files/keyserver/index.html
+++ /dev/null
@@ -1,91 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
-<head>
- <link rel="stylesheet" type="text/css" media="all" href="css.css" />
- <title>Fedora Project GPG Key Server</title>
-</head>
-
- <body>
-
-<div id=bodyform>
- <div id=headcontent>
- <div id=lefttop>
- <a href="https://fedoraproject.org">
- <img src='https://fedoraproject.org/static/images/fedora-logo.png'>
- </a>
- </div>
- <div id=righttop>
- <h1>SKS OpenPGP Key server</h1>
- <h2>keys.fedoraproject.org</h2>
- </div>
- </div>
- <hr></hr>
-
- <div id="container">
-
- <div id="main" role="main">
- <header>
- <h2>Extract a key</h2>
- </header>
- <p>You can find a key by typing in some words that appear in the
- userid (name, email, etc.) of the key you're looking for, or
- by typing in the keyid in hex format ("0x…")</p>
- <form id="lookup" action="/pks/lookup" method="get">
- <fieldset checked="true"> <legend>Search for a public key</legend>
- <ul>
- <li> <label for="search">String</label> <input id="search"
- name="search" placeholder="0xDEADBEEF" required="" autofocus=""
- type="text"> </li>
- <li> <label for="fingerprint">Show PGP Fingerprints</label>
- <input id="fingerprint" name="fingerprint" type="checkbox">
- </li>
- <li> <label for="hash">Show SKS full-key hashes</label> <input
- id="hash" name="hash" type="checkbox"> </li>
- <li> <label for="matching">Get regular index of matching
- keys</label> <input id="matching" name="op" value="index"
- type="radio"> </li>
- <li> <label for="verbose">Get verbose index of matching
- keys</label> <input id="verbose" name="op" value="vindex"
- checked="checked" type="radio"> </li>
- <li> <label for="asciiarmored">Retrieve ascii-armored
- keys</label> <input id="asciiarmored" name="op" value="get"
- type="radio"> </li>
- <li> <label for="fullkey">Retrieve keys by full-key hash</label>
- <input id="fullkey" name="op" value="hget" type="radio">
- </li>
- </ul>
- <button type="reset">Reset</button> <button type="submit">Search
-
-
-
-
-
-
- for a key</button> </fieldset>
- </form>
- <header>
- <h2>Submit a key</h2>
- </header>
- <p>You can submit a key by simply pasting in the ASCII-armored
- version of your key and clicking on submit.</p>
- <form id="add" action="/pks/add" method="post">
- <fieldset> <textarea id="keytext" name="keytext" rows="5" cols="30"></textarea>
- <button type="reset">Reset</button> <button checked="true"
- type="submit">Submit this key</button></fieldset>
- </form>
- </div>
- <!-- end of #main -->
- </div>
- <!--! end of #container -->
- <footer id="info">
- <p><a href="https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home">SKS</a> is
- a new <a href="http://www.openpgp.org/">OpenPGP</a>
- keyserver. The main innovation of SKS is that it includes a
- highly-efficient reconciliation algorithm for keeping the
- keyservers synchronized.</p>
- <p style="text-align: center;"><a href="/pks/lookup?op=stats">SKS statistics</a></p>
- </footer>
-</div>
- </body>
-
-</html>
diff --git a/files/keyserver/membership b/files/keyserver/membership
deleted file mode 100644
index 42d57b3..0000000
--- a/files/keyserver/membership
+++ /dev/null
@@ -1,48 +0,0 @@
-a.sks.srv.scientia.net 11370 # root(a)sks.srv.scientia.net
-key.adeti.org 11370 # Marco RODRIGUES <marco(a)adeti.org> 0x7CE697FC
-key.ip6.li 11370 # Christian Felsing <hostmaster(a)ip6.li> 0x5386E2A0
-keys2.kfwebs.net 11370 # 0x0B7F8B60E3EDFAE3
-keys.andreas-puls.de 11370 # Andreas Puls <appu(a)gmx.net> 0xDAC73FA6
-#keys.christensenplace.us 11370 # Eric Christensen <eric(a)christensenplace.us> 0x024BB3D1
-keyserver.advmapper.com 11370 # Tyler Schwend <tylerschwend(a)gmail.com> 0xDB4B79F8
-keyserver.cns.vt.edu 11370 # Phil Benchoff <benchoff(a)vt.edu> <keymaster(a)cns.vt.edu>
-#keyserver.computer42.org 11370 # H.-Dirk Schmitt <dirk(a)computer42.org> 0x6A017B17
-keyserver.dacr.hu 11370 # David Horvath <dacr(a)dacr.hu> 0x00CBC81A
-keyserver.gingerbear.net 11370 # John P. Clizbe <John(a)Gingerbear.net> 0xD6569825
-keyserver.kim-minh.com 11370 # Kim Minh Kaplan<kaplan+sks(a)kim-minh.com> 0xAF1E829C
-keyserver.kjsl.org 11370 # Javier Henderson <javier(a)kjsl.org> 0x9BF88EE5
-keyserver.nausch.org 11370 # Michael Nausch <michael(a)nausch.org> 0x2384C849
-#key-server.nl 11370 # Wijnand Modderman-Lenstra <maze(a)key-server.nl> 0x294DF221
-keyserver.saol.no-ip.com 11370 # Peter <peter(a)saol.no-ip.com> 0x39E97290
-keyserver.secretresearchfacility.com 11370 # Stephan Seitz <s.seitz(a)secretresearchfacility.com> 0xAB83B1C3
-keyserver.serviz.fr 11370 # robert <sks(at)serviz(pt)fr> 0xEF333C7E
-keyserver.sincer.us 11370 # Petru Ghita <petrutz(a)venaver.info> 0x7CF29D04
-keyserver.skoopsmedia.net 11370 # unknown
-#keyservers.org 11370 # Rob Hansen <rjh(a)sixdemonbag.org>
-keyserver.stack.nl 11370 # Johan van Selst <johans(a)stack.nl> 0xD3AE8D3A
-keyserver.ut.mephi.ru 11370 # Dmitry Yu Okunev <dyokunev(a)ut.mephi.ru> 0x8E30679C, pks team <pks(a)ut.mephi.ru>
-keyserver.vi-di.fr 11370 # Frank Villaro-Dixon <keyserver(a)vi-di.fr>016106A6AF223DBE
-keys.exosphere.de 11370 # Christoph Gebhardt <chris(a)exosphere.de> 0xE1C2E92C
-keys.jhcloos.com 11370 # James Cloos <cloos(a)jhcloos.com> 0xED7DAEA6
-keys.niif.hu 11370 # Gabor Kiss <kissg(a)ssg.ki.iif.hu>
-keys.thoma.cc 11370 # Maximilian Thoma <keys(a)thoma.cc> 0xB480AC4B
-#keys.wuschelpuschel.org 11370 # 0x017D1C3D Peter Kornherr <peter(a)wuschelpuschel.org>
-#openpgp1.claruscomms.net 11370 # unknown
-pgp.circl.lu 11370 # CIRCL - info(a)circl.lu - 0x22BD4CD5
-#pgp.codelabs.ru 11370 # Eygene Ryabinkin <rea(a)codelabs.ru> 0x8152ECFB
-pgp.jjim.de 11370 # Joel Garske <admin(a)pgp.jjim.de> 0xA921EB20
-pgpkeys.mallos.nl 11370 # Arnold Schekkerman <arnold(a)mallos.nl> 0xB66BBBAA
-#pgp.megagod.net 11370 # Kullawat Chaowanawatee (0xC19EAE3A)
-pgp.rediris.es 11370 # Francisco.monserrat <francisco.monserrat(a)rediris.es> 0xD3A42C61
-#pki.colliertech.org 11370 # C.J. Adams-Collier <cjac(a)uw.edu> 0x8E562765BA27A83C
-ranger.ky9k.org 11370 # Brian D Heaton <pgp-keymaster(a)ky9k.org> 0x9A016118
-sks.alpha-labs.net 11370 # Christian Reiss <email(a)christian-reiss.de> 0x44e29126abcd43c5
-sks.disunitedstates.com 11370 # David Benfell <benfell(a)disunitedstates.com> 0x1236602B
-sks.ecks.ca 11370 # Eric Benoit <eric(a)ecks.ca> 0x69E65D2C
-sks.es.net 11370 # keymaster(a)es.net
-sks.fidocon.de 11370 # unknown
-sks.karotte.org 11370 # Sebastian Wiesinger <sebastian(a)karotte.org> 0x93A0B9CE
-sks.keyservers.net 11370 # John P. Clizbe <John(a)Gingerbear.net> 0xD6569825
-sks-peer.spodhuis.org 11370 # Phil Pennock <keyserver(a)spodhuis.org> 0x3903637F
-sks.pkqs.net 11370 # Stephan Beyer <s-beyer(a)gmx.net> 0xFCC5040F
-zimmermann.mayfirst.org 11370 # Daniel Kahn Gillmor <dkg(a)fifthhorseman.net> 0xCCD2ED94D21739E9
diff --git a/files/keyserver/sks.conf b/files/keyserver/sks.conf
deleted file mode 100644
index 2b87b46..0000000
--- a/files/keyserver/sks.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-ServerName keys.fedoraproject.org
-Listen 80.239.156.219:11371
-NameVirtualHost *:443
-
-<ifModule !mod_proxy.c>
- LoadModule proxy_module modules/mod_proxy.so
-</IfModule>
-
-<IfModule !mod_proxy_http.c>
- LoadModule proxy_http_module modules/mod_proxy_http.so
-</IfModule>
-
-<IfModule !mod_proxy_balancer.c>
- LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
-</IfModule>
-
-<IfModule !mod_headers.c>
- LoadModule headers_module modules/mod_headers.so
-</IfModule>
-
-<IfModule !mod_authz_host.c>
- LoadModule authz_host_module modules/mod_authz_host.so
-</IfModule>
-
-<IfModule !mod_log_config.c>
- LoadModule log_config_module modules/mod_log_config.so
-</IfModule>
-
-<IfModule !mod_env.c>
- LoadModule env_module modules/mod_env.so
-</IfModule>
-
-<Directory />
- Options FollowSymLinks
- AllowOverride None
- Order deny,allow
- Deny from all
-</Directory>
-
-<VirtualHost *:80>
- ServerAdmin sysadmin-keys-members(a)fedoraproject.org
- ServerName keys.fedoraproject.org
- ProxyPass / http://127.0.0.1:11371/
- ProxyPassReverse / http://127.0.0.1:11371/
- SetEnv proxy-nokeepalive 1
- ProxyVia Full
-</VirtualHost>
-<VirtualHost *:443>
- ServerAdmin sysadmin-keys-members(a)fedoraproject.org
- ServerName keys.fedoraproject.org
- ServerAlias keys01.fedoraproject.org
-
- SSLEngine on
- SSLCertificateFile /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
- SSLCertificateChainFile /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
- SSLCertificateKeyFile /etc/pki/tls/wildcard-2013.fedoraproject.org.key
- ProxyPass / http://localhost:11371/
- ProxyPassReverse / http://localhost:11371/
- SetEnv proxy-nokeepalive 1
- ProxyVia Full
-</VirtualHost>
-<VirtualHost *:443>
- ServerAdmin sysadmin-keys-members(a)fedoraproject.org
- ServerName pool.sks-keyservers.net
- ServerAlias sks-keyservers.net
- ServerAlias *.sks-keyservers.net
-
- SSLEngine on
- SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
- SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
- ProxyPass / http://localhost:11371/
- ProxyPassReverse / http://localhost:11371/
- SetEnv proxy-nokeepalive 1
- ProxyVia Full
-</VirtualHost>
-<VirtualHost *:11371>
- ServerAdmin sysadmin-keys-members(a)fedoraproject.org
- ServerName keys.fedoraproject.org
- ProxyPass / http://127.0.0.1:11371/
- ProxyPassReverse / http://127.0.0.1:11371/
- SetEnv proxy-nokeepalive 1
- ProxyVia Full
-</VirtualHost>
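Review bot: `Listen 80.239.156.219:11371` bakes the host's public address into a file that the diffstat now ships as a static `roles/keyserver/files/sks.conf`; moving it under `templates/` and taking the address from inventory would let the role apply to a replacement host without editing the role. Two smaller points in the same hunk: the `<ifModule !mod_proxy.c>` opener is lowercase while its close is `</IfModule>` (Apache parses directive names case-insensitively, so it works, but the pair should match), and the plain-HTTP `*:80` and `*:11371` vhosts proxy to `127.0.0.1:11371` while the `*:443` vhosts use `localhost:11371`; picking one spelling avoids a surprise if `localhost` ever resolves to `::1` first.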
diff --git a/files/keyserver/sksconf b/files/keyserver/sksconf
deleted file mode 100644
index ae15003..0000000
--- a/files/keyserver/sksconf
+++ /dev/null
@@ -1,13 +0,0 @@
-basedir: /srv/sks
-#debuglevel: 10
-#debug:
-hostname: keys.fedoraproject.org
-hkp_address: 127.0.0.1
-hkp_port: 11371
-recon_port: 11370
-#gossip_interval: 1440
-stat_hour: 00
-initial_stat:
-membership_reload_interval: 1
-disable_mailsync:
-server_contact: 0x167B4A54236BBEAA37DCCD92ED14D5E7110810E9
diff --git a/files/keyserver/ssl.conf b/files/keyserver/ssl.conf
deleted file mode 100644
index c1ed750..0000000
--- a/files/keyserver/ssl.conf
+++ /dev/null
@@ -1,224 +0,0 @@
-#
-# This is the Apache server configuration file providing SSL support.
-# It contains the configuration directives to instruct the server how to
-# serve pages over an https connection. For detailing information about these
-# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
-#
-# Do NOT simply read the instructions in here without understanding
-# what they do. They're here only as hints or reminders. If you are unsure
-# consult the online docs. You have been warned.
-#
-
-LoadModule ssl_module modules/mod_ssl.so
-
-#
-# When we also provide SSL we have to listen to the
-# the HTTPS port in addition.
-#
-Listen 443
-
-##
-## SSL Global Context
-##
-## All SSL configuration in this context applies both to
-## the main server and all SSL-enabled virtual hosts.
-##
-
-# Pass Phrase Dialog:
-# Configure the pass phrase gathering process.
-# The filtering dialog program (`builtin' is a internal
-# terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog builtin
-
-# Inter-Process Session Cache:
-# Configure the SSL Session Cache: First the mechanism
-# to use and second the expiring timeout (in seconds).
-SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
-SSLSessionCacheTimeout 300
-
-# Semaphore:
-# Configure the path to the mutual exclusion semaphore the
-# SSL engine uses internally for inter-process synchronization.
-SSLMutex default
-
-# Pseudo Random Number Generator (PRNG):
-# Configure one or more sources to seed the PRNG of the
-# SSL library. The seed data should be of good random quality.
-# WARNING! On some platforms /dev/random blocks if not enough entropy
-# is available. This means you then cannot use the /dev/random device
-# because it would lead to very long connection times (as long as
-# it requires to make more entropy available). But usually those
-# platforms additionally provide a /dev/urandom device which doesn't
-# block. So, if available, use this one instead. Read the mod_ssl User
-# Manual for more details.
-SSLRandomSeed startup file:/dev/urandom 256
-SSLRandomSeed connect builtin
-#SSLRandomSeed startup file:/dev/random 512
-#SSLRandomSeed connect file:/dev/random 512
-#SSLRandomSeed connect file:/dev/urandom 512
-
-#
-# Use "SSLCryptoDevice" to enable any supported hardware
-# accelerators. Use "openssl engine -v" to list supported
-# engine names. NOTE: If you enable an accelerator and the
-# server does not start, consult the error logs and ensure
-# your accelerator is functioning properly.
-#
-SSLCryptoDevice builtin
-#SSLCryptoDevice ubsec
-
-##
-## SSL Virtual Host Context
-##
-
-<VirtualHost _default_:443>
-
-# General setup for the virtual host, inherited from global configuration
-#DocumentRoot "/var/www/html"
- # ProxyPass / http://localhost:11371/
- # ProxyPassReverse / http://localhost:11371/
-#ServerName www.example.com:443
-
-# Use separate log files for the SSL virtual host; note that LogLevel
-# is not inherited from httpd.conf.
-ErrorLog logs/ssl_error_log
-TransferLog logs/ssl_access_log
-LogLevel warn
-
-# SSL Engine Switch:
-# Enable/Disable SSL for this virtual host.
-SSLEngine on
-
-# SSL Protocol support:
-# List the enable protocol levels with which clients will be able to
-# connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
-
-# SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
-
-# Server Certificate:
-# Point SSLCertificateFile at a PEM encoded certificate. If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that a kill -HUP will prompt again. A new
-# certificate can be generated using the genkey(1) command.
-SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
-
-# Server Private Key:
-# If the key is not combined with the certificate, use this
-# directive to point at the key file. Keep in mind that if
-# you've both a RSA and a DSA private key you can configure
-# both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
-
-# Server Certificate Chain:
-# Point SSLCertificateChainFile at a file containing the
-# concatenation of PEM encoded CA certificates which form the
-# certificate chain for the server certificate. Alternatively
-# the referenced file can be the same as SSLCertificateFile
-# when the CA certificates are directly appended to the server
-# certificate for convinience.
-#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
-
-# Certificate Authority (CA):
-# Set the CA certificate verification path where to find CA
-# certificates for client authentication or alternatively one
-# huge file containing all of them (file must be PEM encoded)
-#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
-
-# Client Authentication (Type):
-# Client certificate verification type and depth. Types are
-# none, optional, require and optional_no_ca. Depth is a
-# number which specifies how deeply to verify the certificate
-# issuer chain before deciding the certificate is not valid.
-#SSLVerifyClient require
-#SSLVerifyDepth 10
-
-# Access Control:
-# With SSLRequire you can do per-directory access control based
-# on arbitrary complex boolean expressions containing server
-# variable checks and other lookup directives. The syntax is a
-# mixture between C and Perl. See the mod_ssl documentation
-# for more details.
-#<Location />
-#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
-# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-#</Location>
-
-# SSL Engine Options:
-# Set various options for the SSL engine.
-# o FakeBasicAuth:
-# Translate the client X.509 into a Basic Authorisation. This means that
-# the standard Auth/DBMAuth methods can be used for access control. The
-# user name is the `one line' version of the client's X.509 certificate.
-# Note that no password is obtained from the user. Every entry in the user
-# file needs this password: `xxj31ZMTZzkVA'.
-# o ExportCertData:
-# This exports two additional environment variables: SSL_CLIENT_CERT and
-# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-# server (always existing) and the client (only existing when client
-# authentication is used). This can be used to import the certificates
-# into CGI scripts.
-# o StdEnvVars:
-# This exports the standard SSL/TLS related `SSL_*' environment variables.
-# Per default this exportation is switched off for performance reasons,
-# because the extraction step is an expensive operation and is usually
-# useless for serving static content. So one usually enables the
-# exportation for CGI and SSI requests only.
-# o StrictRequire:
-# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-# under a "Satisfy any" situation, i.e. when it applies access is denied
-# and no other module can change it.
-# o OptRenegotiate:
-# This enables optimized SSL connection renegotiation handling when SSL
-# directives are used in per-directory context.
-#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-<Files ~ "\.(cgi|shtml|phtml|php3?)$">
- SSLOptions +StdEnvVars
-</Files>
-<Directory "/var/www/cgi-bin">
- SSLOptions +StdEnvVars
-</Directory>
-
-# SSL Protocol Adjustments:
-# The safe and default but still SSL/TLS standard compliant shutdown
-# approach is that mod_ssl sends the close notify alert but doesn't wait for
-# the close notify alert from client. When you need a different shutdown
-# approach you can use one of the following variables:
-# o ssl-unclean-shutdown:
-# This forces an unclean shutdown when the connection is closed, i.e. no
-# SSL close notify alert is send or allowed to received. This violates
-# the SSL/TLS standard but is needed for some brain-dead browsers. Use
-# this when you receive I/O errors because of the standard approach where
-# mod_ssl sends the close notify alert.
-# o ssl-accurate-shutdown:
-# This forces an accurate shutdown when the connection is closed, i.e. a
-# SSL close notify alert is send and mod_ssl waits for the close notify
-# alert of the client. This is 100% SSL/TLS standard compliant, but in
-# practice often causes hanging connections with brain-dead browsers. Use
-# this only for browsers where you know that their SSL implementation
-# works correctly.
-# Notice: Most problems of broken clients are also related to the HTTP
-# keep-alive facility, so you usually additionally want to disable
-# keep-alive for those clients, too. Use variable "nokeepalive" for this.
-# Similarly, one has to force some clients to use HTTP/1.0 to workaround
-# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-# "force-response-1.0" for this.
-SetEnvIf User-Agent ".*MSIE.*" \
- nokeepalive ssl-unclean-shutdown \
- downgrade-1.0 force-response-1.0
-
-# Per-Server Logging:
-# The home of a custom SSL log file. Use this when you want a
-# compact non-error SSL logfile on a virtual host basis.
-CustomLog logs/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-</VirtualHost>
-
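Review bot: `SSLProtocol all -SSLv2` still permits SSLv3, and `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW` admits LOW-grade and RC4 suites; since the file is being copied verbatim into the role, this is a natural moment to tighten to `SSLProtocol all -SSLv2 -SSLv3` and drop `+LOW`, or to record a follow-up. Separately, the `_default_:443` vhost has both `ProxyPass` lines commented out and no `DocumentRoot`, so a TLS request that lands on it (no or unknown SNI name) is answered from the main server's document root rather than proxied to SKS; worth confirming that is the intended fallback alongside the `NameVirtualHost *:443` vhosts in sks.conf.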
diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index 10fa661..90cfb67 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -80,12 +80,6 @@
- name: restart rsyslog
action: service name=rsyslog state=restarted
-- name: restart sks-db
- action: service name=sks-db state=restarted
-
-- name: restart sks-recon
- action: service name=sks-recon state=restarted
-
- name: restart sshd
action: service name=sshd state=restarted
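Review bot: the two handlers removed here, `restart sks-db` and `restart sks-recon`, must be recreated under exactly those names in `roles/keyserver/handlers/main.yml` (6 insertions per the diffstat; that file is not shown on this page), because every `notify:` in the role's tasks resolves by handler name and a mismatch only surfaces at run time as an undefined-handler failure. A quick grep of the role's `tasks/main.yml` for `notify:` against the new handlers file before merging would catch it.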
diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml
index ef2fb9c..4bc06fc 100644
--- a/playbooks/groups/keyserver.yml
+++ b/playbooks/groups/keyserver.yml
@@ -38,6 +38,7 @@
- nagios_client
- fas_client
- fedmsg/base
+ - keyserver
tasks:
- include: "{{ tasks }}/hosts.yml"
@@ -47,7 +48,6 @@
- include: "{{ tasks }}/motd.yml"
- include: "{{ tasks }}/sudo.yml"
- include: "{{ tasks }}/apache.yml"
- - include: "{{ tasks }}/keyserver.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
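Review bot: this changes execution order, not just location. Roles run before a play's `tasks:` list, so the `keyserver` role now executes before `{{ tasks }}/hosts.yml` and `{{ tasks }}/apache.yml`, whereas the removed `include: "{{ tasks }}/keyserver.yml"` ran after `apache.yml`. If the role installs `sks.conf` and `ssl.conf` into httpd's configuration and notifies an httpd restart, confirm `apache.yml` neither overwrites those files nor is required to have run first (package install, base config); otherwise move the dependent steps into `pre_tasks:` or give the role an explicit dependency.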
diff --git a/roles/keyserver/files/css.css b/roles/keyserver/files/css.css
new file mode 100644
index 0000000..99443a0
--- /dev/null
+++ b/roles/keyserver/files/css.css
@@ -0,0 +1,132 @@
+ * { font-family: helvetica, sans-serif; }
+
+ h1,
+ p {
+ margin: 0; /* Let's zero those margins */
+ }
+
+h2 { color: #3c6eb4; margin: 0;}
+
+ #container {
+ /* border: 1px solid #555; /* Nice transition from white background */
+ width: 600px; /* Should be narrow enough for small screens */
+ margin: 0 auto; /* Centering */
+ font-size: 1.1em; /* Font big enough not to need to squint */
+ line-height: 1.3em;
+
+ }
+
+ #title {
+ /* background-color:#e2e5e2; */
+ padding: 10px;
+ }
+
+ #title h1, #title h2 {
+ margin-top: 0.3em;
+ }
+
+ #info {
+ /* background-color:#e2e5e2; */
+ padding: 5px 10px;
+ }
+
+ #main {
+ /* background : #FAFBEA; */
+ padding: 0 10px 10px 10px;
+ }
+
+ #main header {
+ padding-top: 1em;
+ }
+
+ #main p {
+ margin: 0.5em 0;
+ }
+
+ #keytext {
+ width: 100%;
+ height: 150px;
+ border: 1px solid #555;
+ background : #fff;
+ max-width: 100%;
+ display: block;
+ }
+
+ ul {
+ width: 100%;
+ list-style-type: none;
+ padding-left: 0;
+ }
+
+ li {
+ width: 99%;
+ }
+
+ li label {
+ width: 57%;
+ display: inline-block;
+ }
+
+ button {
+ border-radius: 3px;
+ -moz-border-radius: 3px;
+ background: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#ddd));
+ background: -moz-linear-gradient(top, #fff, #ddd);
+ border: 1px solid #bbb;
+ }
+
+ #info p {line-height: 1.1em; margin-bottom: 0.3em;}
+
+
+
+#bodyform {
+ margin-top: 20px;
+ color: #555;
+ font-weight: normal;
+ font-size: 16px;
+
+}
+
+#headcontent {
+ width: 700px;
+ margin: auto;
+ display: table;
+
+}
+
+#lefttop {
+ float: left;
+ text-align: left;
+}
+
+#righttop {
+ float:right;
+ text-align: right;
+}
+
+hr {
+ background: #3c6eb4;
+ height: 8px;
+ border: 0px;
+}
+
+footer {
+ background: #3c6eb4;
+ margin: auto;
+ color: #fff;
+
+}
+
+footer p { width: 500px; margin: auto; text-align: center;}
+
+a {text-decoration: none; color: #B8C9FF; font-weight: bold;}
+
+fieldset {
+ border: 2px solid #4462C4;
+}
+
+legend {
+ color: #3c6eb4;
+}
+
+
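Review bot: `/* border: 1px solid #555; /* Nice transition from white background */` opens a comment twice. CSS comments do not nest, so the whole line is one comment and the border is not applied, but it reads as though it were; since the file is otherwise moved untouched, either `/* border: 1px solid #555;  Nice transition from white background */` or deleting the line would remove the ambiguity in the copy that will be maintained from now on.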
diff --git a/roles/keyserver/files/index.html b/roles/keyserver/files/index.html
new file mode 100644
index 0000000..12b7be5
--- /dev/null
+++ b/roles/keyserver/files/index.html
@@ -0,0 +1,91 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
+<head>
+ <link rel="stylesheet" type="text/css" media="all" href="css.css" />
+ <title>Fedora Project GPG Key Server</title>
+</head>
+
+ <body>
+
+<div id=bodyform>
+ <div id=headcontent>
+ <div id=lefttop>
+ <a href="https://fedoraproject.org">
+ <img src='https://fedoraproject.org/static/images/fedora-logo.png'>
+ </a>
+ </div>
+ <div id=righttop>
+ <h1>SKS OpenPGP Key server</h1>
+ <h2>keys.fedoraproject.org</h2>
+ </div>
+ </div>
+ <hr></hr>
+
+ <div id="container">
+
+ <div id="main" role="main">
+ <header>
+ <h2>Extract a key</h2>
+ </header>
+ <p>You can find a key by typing in some words that appear in the
+ userid (name, email, etc.) of the key you're looking for, or
+ by typing in the keyid in hex format ("0x…")</p>
+ <form id="lookup" action="/pks/lookup" method="get">
+ <fieldset checked="true"> <legend>Search for a public key</legend>
+ <ul>
+ <li> <label for="search">String</label> <input id="search"
+ name="search" placeholder="0xDEADBEEF" required="" autofocus=""
+ type="text"> </li>
+ <li> <label for="fingerprint">Show PGP Fingerprints</label>
+ <input id="fingerprint" name="fingerprint" type="checkbox">
+ </li>
+ <li> <label for="hash">Show SKS full-key hashes</label> <input
+ id="hash" name="hash" type="checkbox"> </li>
+ <li> <label for="matching">Get regular index of matching
+ keys</label> <input id="matching" name="op" value="index"
+ type="radio"> </li>
+ <li> <label for="verbose">Get verbose index of matching
+ keys</label> <input id="verbose" name="op" value="vindex"
+ checked="checked" type="radio"> </li>
+ <li> <label for="asciiarmored">Retrieve ascii-armored
+ keys</label> <input id="asciiarmored" name="op" value="get"
+ type="radio"> </li>
+ <li> <label for="fullkey">Retrieve keys by full-key hash</label>
+ <input id="fullkey" name="op" value="hget" type="radio">
+ </li>
+ </ul>
+ <button type="reset">Reset</button> <button type="submit">Search
+
+
+
+
+
+
+ for a key</button> </fieldset>
+ </form>
+ <header>
+ <h2>Submit a key</h2>
+ </header>
+ <p>You can submit a key by simply pasting in the ASCII-armored
+ version of your key and clicking on submit.</p>
+ <form id="add" action="/pks/add" method="post">
+ <fieldset> <textarea id="keytext" name="keytext" rows="5" cols="30"></textarea>
+ <button type="reset">Reset</button> <button checked="true"
+ type="submit">Submit this key</button></fieldset>
+ </form>
+ </div>
+ <!-- end of #main -->
+ </div>
+ <!--! end of #container -->
+ <footer id="info">
+ <p><a href="https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home">SKS</a> is
+ a new <a href="http://www.openpgp.org/">OpenPGP</a>
+ keyserver. The main innovation of SKS is that it includes a
+ highly-efficient reconciliation algorithm for keeping the
+ keyservers synchronized.</p>
+ <p style="text-align: center;"><a href="/pks/lookup?op=stats">SKS statistics</a></p>
+ </footer>
+</div>
+ </body>
+
+</html>
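Review bot: the moved markup carries a few defects worth a follow-up in its new home: `checked="true"` is not a valid attribute on `<fieldset>` or `<button>` (it belongs to checkbox and radio `<input>`s), `<hr></hr>` and the unquoted `<div id=bodyform>`/`id=headcontent`/`id=lefttop`/`id=righttop` values do not match the XHTML 1.0 doctype declared at the top, and the logo `<img>` has no `alt` attribute. None of these affect the lookup or submit forms, which post to the relative `/pks/lookup` and `/pks/add` paths and therefore inherit whatever scheme the page was served on.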
diff --git a/roles/keyserver/files/membership b/roles/keyserver/files/membership
new file mode 100644
index 0000000..42d57b3
--- /dev/null
+++ b/roles/keyserver/files/membership
@@ -0,0 +1,48 @@
+a.sks.srv.scientia.net 11370 # root(a)sks.srv.scientia.net
+key.adeti.org 11370 # Marco RODRIGUES <marco(a)adeti.org> 0x7CE697FC
+key.ip6.li 11370 # Christian Felsing <hostmaster(a)ip6.li> 0x5386E2A0
+keys2.kfwebs.net 11370 # 0x0B7F8B60E3EDFAE3
+keys.andreas-puls.de 11370 # Andreas Puls <appu(a)gmx.net> 0xDAC73FA6
+#keys.christensenplace.us 11370 # Eric Christensen <eric(a)christensenplace.us> 0x024BB3D1
+keyserver.advmapper.com 11370 # Tyler Schwend <tylerschwend(a)gmail.com> 0xDB4B79F8
+keyserver.cns.vt.edu 11370 # Phil Benchoff <benchoff(a)vt.edu> <keymaster(a)cns.vt.edu>
+#keyserver.computer42.org 11370 # H.-Dirk Schmitt <dirk(a)computer42.org> 0x6A017B17
+keyserver.dacr.hu 11370 # David Horvath <dacr(a)dacr.hu> 0x00CBC81A
+keyserver.gingerbear.net 11370 # John P. Clizbe <John(a)Gingerbear.net> 0xD6569825
+keyserver.kim-minh.com 11370 # Kim Minh Kaplan<kaplan+sks(a)kim-minh.com> 0xAF1E829C
+keyserver.kjsl.org 11370 # Javier Henderson <javier(a)kjsl.org> 0x9BF88EE5
+keyserver.nausch.org 11370 # Michael Nausch <michael(a)nausch.org> 0x2384C849
+#key-server.nl 11370 # Wijnand Modderman-Lenstra <maze(a)key-server.nl> 0x294DF221
+keyserver.saol.no-ip.com 11370 # Peter <peter(a)saol.no-ip.com> 0x39E97290
+keyserver.secretresearchfacility.com 11370 # Stephan Seitz <s.seitz(a)secretresearchfacility.com> 0xAB83B1C3
+keyserver.serviz.fr 11370 # robert <sks(at)serviz(pt)fr> 0xEF333C7E
+keyserver.sincer.us 11370 # Petru Ghita <petrutz(a)venaver.info> 0x7CF29D04
+keyserver.skoopsmedia.net 11370 # unknown
+#keyservers.org 11370 # Rob Hansen <rjh(a)sixdemonbag.org>
+keyserver.stack.nl 11370 # Johan van Selst <johans(a)stack.nl> 0xD3AE8D3A
+keyserver.ut.mephi.ru 11370 # Dmitry Yu Okunev <dyokunev(a)ut.mephi.ru> 0x8E30679C, pks team <pks(a)ut.mephi.ru>
+keyserver.vi-di.fr 11370 # Frank Villaro-Dixon <keyserver(a)vi-di.fr>016106A6AF223DBE
+keys.exosphere.de 11370 # Christoph Gebhardt <chris(a)exosphere.de> 0xE1C2E92C
+keys.jhcloos.com 11370 # James Cloos <cloos(a)jhcloos.com> 0xED7DAEA6
+keys.niif.hu 11370 # Gabor Kiss <kissg(a)ssg.ki.iif.hu>
+keys.thoma.cc 11370 # Maximilian Thoma <keys(a)thoma.cc> 0xB480AC4B
+#keys.wuschelpuschel.org 11370 # 0x017D1C3D Peter Kornherr <peter(a)wuschelpuschel.org>
+#openpgp1.claruscomms.net 11370 # unknown
+pgp.circl.lu 11370 # CIRCL - info(a)circl.lu - 0x22BD4CD5
+#pgp.codelabs.ru 11370 # Eygene Ryabinkin <rea(a)codelabs.ru> 0x8152ECFB
+pgp.jjim.de 11370 # Joel Garske <admin(a)pgp.jjim.de> 0xA921EB20
+pgpkeys.mallos.nl 11370 # Arnold Schekkerman <arnold(a)mallos.nl> 0xB66BBBAA
+#pgp.megagod.net 11370 # Kullawat Chaowanawatee (0xC19EAE3A)
+pgp.rediris.es 11370 # Francisco.monserrat <francisco.monserrat(a)rediris.es> 0xD3A42C61
+#pki.colliertech.org 11370 # C.J. Adams-Collier <cjac(a)uw.edu> 0x8E562765BA27A83C
+ranger.ky9k.org 11370 # Brian D Heaton <pgp-keymaster(a)ky9k.org> 0x9A016118
+sks.alpha-labs.net 11370 # Christian Reiss <email(a)christian-reiss.de> 0x44e29126abcd43c5
+sks.disunitedstates.com 11370 # David Benfell <benfell(a)disunitedstates.com> 0x1236602B
+sks.ecks.ca 11370 # Eric Benoit <eric(a)ecks.ca> 0x69E65D2C
+sks.es.net 11370 # keymaster(a)es.net
+sks.fidocon.de 11370 # unknown
+sks.karotte.org 11370 # Sebastian Wiesinger <sebastian(a)karotte.org> 0x93A0B9CE
+sks.keyservers.net 11370 # John P. Clizbe <John(a)Gingerbear.net> 0xD6569825
+sks-peer.spodhuis.org 11370 # Phil Pennock <keyserver(a)spodhuis.org> 0x3903637F
+sks.pkqs.net 11370 # Stephan Beyer <s-beyer(a)gmx.net> 0xFCC5040F
+zimmermann.mayfirst.org 11370 # Daniel Kahn Gillmor <dkg(a)fifthhorseman.net> 0xCCD2ED94D21739E9
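Review bot: two peers in this membership list come over with no identified operator ('keyserver.skoopsmedia.net 11370 # unknown' and 'sks.fidocon.de 11370 # unknown'), and the keyserver.vi-di.fr line runs the contact and key id together ('<keyserver(a)vi-di.fr>016106A6AF223DBE', with no space or 0x prefix). Since these hosts are the reconciliation peers this server gossips with and the comment column is the only record of who runs each one, it is worth confirming the unknown contacts and fixing that line as part of the move rather than copying the file byte for byte; the commented-out peers are fine to keep as a record of dropped hosts.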
diff --git a/roles/keyserver/files/sks.conf b/roles/keyserver/files/sks.conf
new file mode 100644
index 0000000..2b87b46
--- /dev/null
+++ b/roles/keyserver/files/sks.conf
@@ -0,0 +1,83 @@
+ServerName keys.fedoraproject.org
+Listen 80.239.156.219:11371
+NameVirtualHost *:443
+
+<ifModule !mod_proxy.c>
+ LoadModule proxy_module modules/mod_proxy.so
+</IfModule>
+
+<IfModule !mod_proxy_http.c>
+ LoadModule proxy_http_module modules/mod_proxy_http.so
+</IfModule>
+
+<IfModule !mod_proxy_balancer.c>
+ LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+</IfModule>
+
+<IfModule !mod_headers.c>
+ LoadModule headers_module modules/mod_headers.so
+</IfModule>
+
+<IfModule !mod_authz_host.c>
+ LoadModule authz_host_module modules/mod_authz_host.so
+</IfModule>
+
+<IfModule !mod_log_config.c>
+ LoadModule log_config_module modules/mod_log_config.so
+</IfModule>
+
+<IfModule !mod_env.c>
+ LoadModule env_module modules/mod_env.so
+</IfModule>
+
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+</Directory>
+
+<VirtualHost *:80>
+ ServerAdmin sysadmin-keys-members(a)fedoraproject.org
+ ServerName keys.fedoraproject.org
+ ProxyPass / http://127.0.0.1:11371/
+ ProxyPassReverse / http://127.0.0.1:11371/
+ SetEnv proxy-nokeepalive 1
+ ProxyVia Full
+</VirtualHost>
+<VirtualHost *:443>
+ ServerAdmin sysadmin-keys-members(a)fedoraproject.org
+ ServerName keys.fedoraproject.org
+ ServerAlias keys01.fedoraproject.org
+
+ SSLEngine on
+ SSLCertificateFile /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
+ SSLCertificateChainFile /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
+ SSLCertificateKeyFile /etc/pki/tls/wildcard-2013.fedoraproject.org.key
+ ProxyPass / http://localhost:11371/
+ ProxyPassReverse / http://localhost:11371/
+ SetEnv proxy-nokeepalive 1
+ ProxyVia Full
+</VirtualHost>
+<VirtualHost *:443>
+ ServerAdmin sysadmin-keys-members(a)fedoraproject.org
+ ServerName pool.sks-keyservers.net
+ ServerAlias sks-keyservers.net
+ ServerAlias *.sks-keyservers.net
+
+ SSLEngine on
+ SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
+ SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
+ ProxyPass / http://localhost:11371/
+ ProxyPassReverse / http://localhost:11371/
+ SetEnv proxy-nokeepalive 1
+ ProxyVia Full
+</VirtualHost>
+<VirtualHost *:11371>
+ ServerAdmin sysadmin-keys-members(a)fedoraproject.org
+ ServerName keys.fedoraproject.org
+ ProxyPass / http://127.0.0.1:11371/
+ ProxyPassReverse / http://127.0.0.1:11371/
+ SetEnv proxy-nokeepalive 1
+ ProxyVia Full
+</VirtualHost>
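Review bot: neither *:443 virtual host here sets SSLProtocol or SSLCipherSuite, and the 'SSLProtocol all -SSLv2' and SSLCipherSuite lines in ssl.conf sit inside '<VirtualHost _default_:443>', where they apply to that host only, so keys.fedoraproject.org and pool.sks-keyservers.net on 443 run with mod_ssl's compiled-in defaults. Move those two directives (with a tightened cipher list) to the global context of ssl.conf, or repeat them in each vhost. Also, 'Listen 80.239.156.219:11371' bakes one host's public address into a file shipped with copy:, which makes the new role usable on exactly one machine; a template with the address as a variable would fit the move to a role better. Minor: '<ifModule !mod_proxy.c>' is lowercase where every other block uses IfModule, and the 80 and 11371 vhosts proxy to 127.0.0.1 while the 443 ones use localhost.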
diff --git a/roles/keyserver/files/sksconf b/roles/keyserver/files/sksconf
new file mode 100644
index 0000000..ae15003
--- /dev/null
+++ b/roles/keyserver/files/sksconf
@@ -0,0 +1,13 @@
+basedir: /srv/sks
+#debuglevel: 10
+#debug:
+hostname: keys.fedoraproject.org
+hkp_address: 127.0.0.1
+hkp_port: 11371
+recon_port: 11370
+#gossip_interval: 1440
+stat_hour: 00
+initial_stat:
+membership_reload_interval: 1
+disable_mailsync:
+server_contact: 0x167B4A54236BBEAA37DCCD92ED14D5E7110810E9
diff --git a/roles/keyserver/files/ssl.conf b/roles/keyserver/files/ssl.conf
new file mode 100644
index 0000000..c1ed750
--- /dev/null
+++ b/roles/keyserver/files/ssl.conf
@@ -0,0 +1,224 @@
+#
+# This is the Apache server configuration file providing SSL support.
+# It contains the configuration directives to instruct the server how to
+# serve pages over an https connection. For detailing information about these
+# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+
+LoadModule ssl_module modules/mod_ssl.so
+
+#
+# When we also provide SSL we have to listen to the
+# the HTTPS port in addition.
+#
+Listen 443
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog builtin
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
+SSLSessionCacheTimeout 300
+
+# Semaphore:
+# Configure the path to the mutual exclusion semaphore the
+# SSL engine uses internally for inter-process synchronization.
+SSLMutex default
+
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the
+# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+ # ProxyPass / http://localhost:11371/
+ # ProxyPassReverse / http://localhost:11371/
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# SSL Protocol support:
+# List the enable protocol levels with which clients will be able to
+# connect. Disable SSLv2 access by default:
+SSLProtocol all -SSLv2
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+
+# Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that a kill -HUP will prompt again. A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convinience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ SSLOptions +StdEnvVars
+</Files>
+<Directory "/var/www/cgi-bin">
+ SSLOptions +StdEnvVars
+</Directory>
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is send or allowed to received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is send and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+SetEnvIf User-Agent ".*MSIE.*" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+
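Review bot: 'SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW' is the stock distribution default; it still admits LOW-strength ciphers and puts RC4 first, and 'SSLProtocol all -SSLv2' still allows SSLv3. Now that this file is managed by the role, tighten both, for example 'SSLProtocol all -SSLv2 -SSLv3', 'SSLCipherSuite HIGH:!aNULL:!MD5:!RC4' and 'SSLHonorCipherOrder on'. Second, this vhost serves keys_fedoraproject_org.crt.pem but leaves '#SSLCertificateChainFile' commented out, whereas the wildcard vhost in sks.conf does ship its intermediate; unless the intermediate is appended to the .crt.pem, clients receive an incomplete chain. Third, the commented '# ProxyPass / http://localhost:11371/' lines in the _default_:443 host are dead config: as written this catch-all host falls through to the main server's DocumentRoot instead of the keyserver, so either proxy it like the hosts in sks.conf or drop the leftover comments.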
diff --git a/roles/keyserver/handlers/main.yml b/roles/keyserver/handlers/main.yml
new file mode 100644
index 0000000..eee9214
--- /dev/null
+++ b/roles/keyserver/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: restart sks-db
+ action: service name=sks-db state=restarted
+
+- name: restart sks-recon
+ action: service name=sks-recon state=restarted
+
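Review bot: both handlers use the legacy 'action: service name=sks-db state=restarted' form while tasks/main.yml in the same role already uses the module-name form ('service: name=sks-db enabled=yes'); write them as 'service: name=sks-db state=restarted' so the role is consistent. There is also no httpd handler here even though the role installs mod_ssl and drops sks.conf and ssl.conf into /etc/httpd/conf.d, so an Apache config change made through this role never triggers a restart.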
diff --git a/roles/keyserver/tasks/main.yml b/roles/keyserver/tasks/main.yml
new file mode 100644
index 0000000..af7c672
--- /dev/null
+++ b/roles/keyserver/tasks/main.yml
@@ -0,0 +1,100 @@
+---
+- name: install sks
+ yum: name=sks state=installed
+ tags:
+ - packages
+
+- name: install mod_ssl
+ yum: name=mod_ssl state=installed
+ tags:
+ - packages
+
+- name: /srv/sks
+ file: >
+ path=/srv/sks
+ state=directory
+ owner=sks group=sks mode=0755
+
+- name: /srv/sks/membership
+ copy: src="membership" dest=/srv/sks/membership owner=sks group=sks mode=0644
+ tags:
+ - config
+
+- name: /srv/sks/sksconf
+ copy: src="sksconf" dest=/srv/sks/sksconf owner=sks group=sks mode=0644
+ tags:
+ - config
+
+- name: /srv/sks/web
+ file: >
+ path=/srv/sks/web
+ state=directory
+ owner=sks group=sks mode=0755
+
+- name: /srv/sks/web/index.html
+ copy: src="index.html" dest=/srv/sks/web/index.html owner=sks group=sks mode=0644
+ tags:
+ - config
+ with_items:
+- name: /srv/sks/web/css.css
+ copy: src="css.css" dest=/srv/sks/web/css.css owner=sks group=sks mode=0644
+ tags:
+ - config
+
+- name: /etc/httpd/conf.d/sks.conf
+ copy: src="sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644
+ tags:
+ - config
+
+- name: /etc/httpd/conf.d/ssl.conf
+ copy: src="ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644
+ tags:
+ - config
+
+- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
+ copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.cert owner=root group=root mode=0600
+ tags:
+ - config
+
+- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.key
+ copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.key" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.key owner=root group=root mode=0600
+ tags:
+ - config
+
+- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
+ copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert owner=root group=root mode=0600
+ tags:
+ - config
+
+- name: /etc/pki/tls/keys_fedoraproject_org.crt.pem
+ copy: src="{{ puppet_private }}/keys_fedoraproject_org.crt.pem" dest=/etc/pki/tls/keys_fedoraproject_org.crt.pem owner=root group=root mode=0600
+ tags:
+ - config
+
+- name: /etc/pki/tls/keys_fedoraproject_org.key
+ copy: src="{{ puppet_private }}/keys_fedoraproject_org.key" dest=/etc/pki/tls/keys_fedoraproject_org.key owner=root group=root mode=0600
+ tags:
+ - config
+
+- cron: name="regenerate stats hourly"
+ hour="*"
+ minute="5"
+ job="killall -SIGUSR2 sks-db"
+ state=present
+
+- name: Set sks-db to run on boot
+ service: name=sks-db enabled=yes
+ ignore_errors: true
+ notify:
+ - restart sks-db
+ tags:
+ - service
+
+- name: Set sks-recon to run on boot
+ service: name=sks-recon enabled=yes
+ ignore_errors: true
+ notify:
+ - restart sks-recon
+ tags:
+ - service
+
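Review bot: the bare 'with_items:' closing the /srv/sks/web/index.html task is a stray line; the deleted tasks/keyserver.yml had a blank separator at that spot, and a loop with a null value will either error out or skip the task depending on the Ansible version, so remove it. Second, the copy tasks for /srv/sks/sksconf and /srv/sks/membership carry no notify; the only notifies in the file hang off the enable-on-boot tasks, which change state once, so a later edit to sksconf is deployed without restarting sks-db or sks-recon. Add 'notify: - restart sks-db' and 'notify: - restart sks-recon' to those copy tasks. Third, 'ignore_errors: true' on the two enable-on-boot tasks lets the play finish green with the services still disabled, a silent failure for a host whose whole job is to stay up.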
diff --git a/tasks/keyserver.yml b/tasks/keyserver.yml
deleted file mode 100644
index 9cf3e2c..0000000
--- a/tasks/keyserver.yml
+++ /dev/null
@@ -1,100 +0,0 @@
----
-- name: install sks
- yum: name=sks state=installed
- tags:
- - packages
-
-- name: install mod_ssl
- yum: name=mod_ssl state=installed
- tags:
- - packages
-
-- name: /srv/sks
- file: >
- path=/srv/sks
- state=directory
- owner=sks group=sks mode=0755
-
-- name: /srv/sks/membership
- copy: src="{{ files }}/keyserver/membership" dest=/srv/sks/membership owner=sks group=sks mode=0644
- tags:
- - config
-
-- name: /srv/sks/sksconf
- copy: src="{{ files }}/keyserver/sksconf" dest=/srv/sks/sksconf owner=sks group=sks mode=0644
- tags:
- - config
-
-- name: /srv/sks/web
- file: >
- path=/srv/sks/web
- state=directory
- owner=sks group=sks mode=0755
-
-- name: /srv/sks/web/index.html
- copy: src="{{ files }}/keyserver/index.html" dest=/srv/sks/web/index.html owner=sks group=sks mode=0644
- tags:
- - config
-
-- name: /srv/sks/web/css.css
- copy: src="{{ files }}/keyserver/css.css" dest=/srv/sks/web/css.css owner=sks group=sks mode=0644
- tags:
- - config
-
-- name: /etc/httpd/conf.d/sks.conf
- copy: src="{{ files }}/keyserver/sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644
- tags:
- - config
-
-- name: /etc/httpd/conf.d/ssl.conf
- copy: src="{{ files }}/keyserver/ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644
- tags:
- - config
-
-- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
- copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.cert owner=root group=root mode=0600
- tags:
- - config
-
-- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.key
- copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.key" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.key owner=root group=root mode=0600
- tags:
- - config
-
-- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
- copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert owner=root group=root mode=0600
- tags:
- - config
-
-- name: /etc/pki/tls/keys_fedoraproject_org.crt.pem
- copy: src="{{ puppet_private }}/keys_fedoraproject_org.crt.pem" dest=/etc/pki/tls/keys_fedoraproject_org.crt.pem owner=root group=root mode=0600
- tags:
- - config
-
-- name: /etc/pki/tls/keys_fedoraproject_org.key
- copy: src="{{ puppet_private }}/keys_fedoraproject_org.key" dest=/etc/pki/tls/keys_fedoraproject_org.key owner=root group=root mode=0600
- tags:
- - config
-
-- cron: name="regenerate stats hourly"
- hour="*"
- minute="5"
- job="killall -SIGUSR2 sks-db"
- state=present
-
-- name: Set sks-db to run on boot
- service: name=sks-db enabled=yes
- ignore_errors: true
- notify:
- - restart sks-db
- tags:
- - service
-
-- name: Set sks-recon to run on boot
- service: name=sks-recon enabled=yes
- ignore_errors: true
- notify:
- - restart sks-recon
- tags:
- - service
-
--
1.9.0
Plan for tomorrow's Fedora Infrastructure meeting (2014-04-24)
by Kevin Fenzi
The infrastructure team will be having its weekly meeting tomorrow,
2014-04-24 at 18:00 UTC in #fedora-meeting on the freenode network.
Suggested topics:
#topic New folks introductions and Apprentice tasks.
If any new folks want to give a quick one line bio or any apprentices
would like to ask general questions, they can do so in this part of the
meeting. Don't be shy!
#topic Applications status / discussion
Check in on status of our applications: pkgdb, fas, bodhi, koji,
community, voting, tagger, packager, dpsearch, etc.
If there are new releases, bugs we need to work around or things to note.
#topic Sysadmin status / discussion
Here we talk about sysadmin related happenings from the previous week,
or things that are upcoming.
#topic Upcoming Tasks/Items
https://apps.fedoraproject.org/calendar/list/infrastructure/
#topic Open Floor
Submit your agenda items, as tickets in the trac instance and send a
note replying to this thread.
More info here:
https://fedoraproject.org/wiki/Infrastructure/Meetings#Meetings
Thanks
kevin
New fedmsg certs
by Miroslav Suchý
Today I was notified that #fedora-fedmsg says:
[09:43] <fedmsg-bot> copr.build.end (invalid signature!) -- ...
I had to re-run the playbook because it seems that fedmsg got new certs and revoked the old ones.
I still see at least:
[09:56] <fedmsg-bot> buildsys.build.state.change (invalid signature!) -- karsten's libccp4-6.3.1-4.fc20 failed to build
(ppc) http://ppc.koji.fedoraproject.org/koji/buildinfo?buildID=186452
[09:43] <fedmsg-bot> fedbadges.badge.award (invalid signature!) -- albertone has been awarded the "Paranoid Panda" badge
https://badges.fedoraproject.org/user/albertone
[09:44] <fedmsg-bot> fedbadges.person.rank.advance (invalid signature!) -- albertone moved to position 6003 on the
badges leaderboard
[09:46] <fedmsg-bot> bodhi.update.request.testing (invalid signature!) -- jgrulich submitted
kde-plasma-networkmanagement-0.9.0.11-1.fc19 to testing
https://admin.fedoraproject.org/updates/kde-plasma-networkmanagement-0.9....
[10:00] <fedmsg-bot> fedocal.meeting.reminder (invalid signature!) -- Friendly reminder! The "ROS/RPM IRC workshop"
meeting from the "ambassadors" calendar starts in 11 hours https://apps.fedoraproject.org/calendar/meeting/365/
So at least those (and maybe others) need to redeploy fedmsg certs.
--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
Meeting Agenda Item: Introduction Kenneth McDowell
by Kenneth
Hello,
My name is Kenny. I have been eyeing contributing to something open source
for a long time. After reading the wiki on how to contribute, I believe I
would be able to best contribute to the Infrastructure group. I am
currently in the US (UTC -5). I have been working on RHEL based servers in
an enterprise environment since 2006, and I received my RHCE in 2010. Up
until a few years ago I was on the Operations side doing break-fix work. I
now work on the implementation side standing up servers and applications. My
philosophy is this: if there is a problem, was there a scriptable resolution?
If so, script it. Have I been tasked with doing something that can be
automated? If so, automate it. I have morphed into more of a DevOps type
person in the past year or so.
I am hoping I can help in maintaining any of the servers that support the
Fedora team. In addition to system administration I do a lot of programming,
both for work and hobbies. I tend to spend a lot of my time in Java and PHP.
I have scripting experience with Bash and Perl to cover the basics. Python
is definitely a weak link of mine, however I have not hesitated taking it
up. Being a self-starter I have already done some basic things with it to
get the general syntax and style down.
So I basically want to be a behind the scenes nut and bolt guy. Making sure
machines stay up or come back up when they have an issue. Helping make
things smoother once settled in would be a top priority as well. My
available time would be a roller coaster, but a minimum of 4-5 hours a week
would not be an issue. I have been idle in IRC for at least 3-4 hours, and
have only seen a SWAP alert come through. It just depends on the work
schedule. For example, tomorrow I will try to attend the weekly meeting, but
I have a meeting at work that may run over, not allowing me to make it.
The best troubleshooting is proactive thinking!
- Kenny
Meeting Agenda Item: Introduction - Bill Wood
by Bill Wood
Hello, everyone!
I'm Bill Wood. Fedora has been a huge part of my life since the Core 1
release (and I've been using RHL since version 5.2 up until Fedora
started up) and I want to devote my time while I'm not employed to
helping out the project.
My IRC handle is bwood09. You can already find me in the #fedora-admin
channel; I've been lurking for a while. I've got roughly ten years of
Linux administrative (user-end, not servers) experience, and five years
in actual Windows and Linux systems administrator work (this is where
the servers came in). I've gotten to the point where I can usually design
and implement an entire system in a day. I'm able to work with just
about any program after a day or so of looking it over, and I can code
in C++, Java, Python, BASH, and more. I'm also proficient in web
technologies; I've recently learned HTML5 and CSS3. I do have my own
mini-datacenter in my home office, and I've got it working a lot like
AWS where I can provision/delete VMs in a very short amount of time. I
am also a perfectionist.
I'd like to learn more about what makes Fedora great. I've always had a
great amount of respect for this project, and I want to help make it
even better. I can help with a lot of the tickets I've seen on the
infrastructure list (I'd love to help fix #1180), and I look forward to
helping you guys for years to come.
Meeting Agenda Item: Introduction Claudio Penasio Jr.
by Claudio Penasio Junior
Hi all,
I would like to introduce myself. My name is Claudio Penasio Junior, and
my personal page on Fedora is: https://fedoraproject.org/wiki/User:Penasio
When I participate in Fedora meetings I use Freenode on xchat with the
following information:
IRC Nick: penasio
Account System Name: penasio
Since 2000 my activity areas have been: I was a Linux instructor and Linux
consultant between 2000 and 2003; that year I got my RHCE. After that I
worked as a sysadmin with Red Hat Linux and Debian GNU/Linux until the end
of 2010. Since 2010 my main activity has been IT Support Manager with some
sysadmin jobs in IT infrastructure.
My main skills as a sysadmin are in Bind DNS, Apache httpd, LDAP
authentication, SAMBA, MySQL (MariaDB), PostgreSQL, SVN and Mantis BT, and
shell script and related sysadmin activities.
I know a little bit of the C language, Python and PHP.
I would like to learn more about the newest Linux Clusters technologies and
keep my Linux and Sysadmin knowledge alive in my mind.
My main difficulty will be at 18 UTC every Tuesday (3 pm São Paulo, Brasil);
I'm at the office at that time, but I will try.
So, that's all...
I hope I can help in the Infrastructure Team.
--
Claudio Penasio Jr.
Meeting Agenda Item: Introduction Henderb Rodriguez
by Henderbj .
Hello, admins and members of the Fedora Infrastructure Team.
My name is Henderb Rodriguez, Electronics Engineer, 36 years old, from
Venezuela.
I would like to join this team in order to collaborate on development,
documentation, and translation into Spanish (my native language) of the great
Fedora OS and the webpages/wikis related to it.
I have experience working on projects involving SQL programming,
application GUIs, web development, and even some drivers, for more than 15
years.
Among my skills (obtained from paid jobs) are:
C development.
SQL development (Sybase).
Object Oriented Programming (QNX AppBuilder).
GUI to DB applications (at SIDOR, iron processing company)
Shell script programming (I was the teacher of a course on "HP-UX Basic
Shell Scripting").
Datacenter Helpdesk Level 2 Unix/Linux Support (this was applied to
"Movistar de Venezuela" through Huawei Technologies).
Virtualization (primarily with Virtualbox)
OS installation, configuration and administration (Windows, Linux, Unix).
DNS management.
Firewall configuration.
I have worked on servers from various vendors and families, like HP
Proliant and BladeSystem, Sun SPARC and Blade, and MSC-S Ericsson servers,
running several Unix flavors, like HP-UX, Sun Solaris, RHEL, etc.
I would like to learn new programming languages and new technologies in
security, networking, and web development, and improve my English technical
writing and translation into Spanish.
This is the first time I have tried to get into an open source project and
community, and I want to work with the community that creates the
wonderful Fedora OS, which I have been using on my home workstations since
Fedora 18. I have one multiseat workstation with two seats (for my wife and
kids), and another workstation for my personal use; both are running Fedora 20.
I saw several tickets with the easyfix mark, such as Ticket #3536 - "Add place
for raw HTML content for fedorahosted project", that I could work on,
but of course you could suggest another that might better fit
my experience.
I think I can easily invest 6-10 hours/week to contribute to team
assignments. I am also trying to make a name as a freelancer on odesk in my
spare time.
With best regards,
Henderb Rodriguez
Freenode IRC handle: henderbj