From: Michael Scherer misc@zarb.org
--- files/keyserver/css.css | 132 ---------------------- files/keyserver/index.html | 91 ---------------- files/keyserver/membership | 48 -------- files/keyserver/sks.conf | 83 -------------- files/keyserver/sksconf | 13 --- files/keyserver/ssl.conf | 224 -------------------------------------- handlers/restart_services.yml | 6 - playbooks/groups/keyserver.yml | 2 +- roles/keyserver/files/css.css | 132 ++++++++++++++++++++++ roles/keyserver/files/index.html | 91 ++++++++++++++++ roles/keyserver/files/membership | 48 ++++++++ roles/keyserver/files/sks.conf | 83 ++++++++++++++ roles/keyserver/files/sksconf | 13 +++ roles/keyserver/files/ssl.conf | 224 ++++++++++++++++++++++++++++++++++++++ roles/keyserver/handlers/main.yml | 6 + roles/keyserver/tasks/main.yml | 100 +++++++++++++++++ tasks/keyserver.yml | 100 ----------------- 17 files changed, 698 insertions(+), 698 deletions(-) delete mode 100644 files/keyserver/css.css delete mode 100644 files/keyserver/index.html delete mode 100644 files/keyserver/membership delete mode 100644 files/keyserver/sks.conf delete mode 100644 files/keyserver/sksconf delete mode 100644 files/keyserver/ssl.conf create mode 100644 roles/keyserver/files/css.css create mode 100644 roles/keyserver/files/index.html create mode 100644 roles/keyserver/files/membership create mode 100644 roles/keyserver/files/sks.conf create mode 100644 roles/keyserver/files/sksconf create mode 100644 roles/keyserver/files/ssl.conf create mode 100644 roles/keyserver/handlers/main.yml create mode 100644 roles/keyserver/tasks/main.yml delete mode 100644 tasks/keyserver.yml
diff --git a/files/keyserver/css.css b/files/keyserver/css.css
deleted file mode 100644
index 99443a0..0000000
--- a/files/keyserver/css.css
+++ /dev/null
@@ -1,132 +0,0 @@ - * { font-family: helvetica, sans-serif; } - - h1, - p { - margin: 0; /* Let's zero those margins */ - } - -h2 { color: #3c6eb4; margin: 0;} - - #container { - /* border: 1px solid #555; /* Nice transition from white background */ - width: 600px; /* Should be narrow enough for small screens */ - margin: 0 auto; /* Centering */ - font-size: 1.1em; /* Font big enough not to need to squint */ - line-height: 1.3em; - - } - - #title { - /* background-color:#e2e5e2; */ - padding: 10px; - } - - #title h1, #title h2 { - margin-top: 0.3em; - } - - #info { - /* background-color:#e2e5e2; */ - padding: 5px 10px; - } - - #main { - /* background : #FAFBEA; */ - padding: 0 10px 10px 10px; - } - - #main header { - padding-top: 1em; - } - - #main p { - margin: 0.5em 0; - } - - #keytext { - width: 100%; - height: 150px; - border: 1px solid #555; - background : #fff; - max-width: 100%; - display: block; - } - - ul { - width: 100%; - list-style-type: none; - padding-left: 0; - } - - li { - width: 99%; - } - - li label { - width: 57%; - display: inline-block; - } - - button { - border-radius: 3px; - -moz-border-radius: 3px; - background: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#ddd)); - background: -moz-linear-gradient(top, #fff, #ddd); - border: 1px solid #bbb; - } - - #info p {line-height: 1.1em; margin-bottom: 0.3em;} - - - -#bodyform { - margin-top: 20px; - color: #555; - font-weight: normal; - font-size: 16px; - -} - -#headcontent { - width: 700px; - margin: auto; - display: table; - -} - -#lefttop { - float: left; - text-align: left; -} - -#righttop { - float:right; - text-align: right; -} - -hr { - background: #3c6eb4; - height: 8px; - border: 0px; -} - -footer { - background: #3c6eb4; - margin: auto; - color: #fff; - -} - -footer p { width: 500px; margin: auto; text-align: center;} - -a {text-decoration: none; color: #B8C9FF; font-weight: bold;} - -fieldset { - border: 2px solid #4462C4; -} - -legend { - color: #3c6eb4; -} - - 
diff --git a/files/keyserver/index.html b/files/keyserver/index.html
deleted file mode 100644
index 12b7be5..0000000
--- a/files/keyserver/index.html
+++ /dev/null
@@ -1,91 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> -<head> - <link rel="stylesheet" type="text/css" media="all" href="css.css" /> - <title>Fedora Project GPG Key Server</title> -</head> - - <body> - -<div id=bodyform> - <div id=headcontent> - <div id=lefttop> - <a href="https://fedoraproject.org"> - <img src='https://fedoraproject.org/static/images/fedora-logo.png'> - </a> - </div> - <div id=righttop> - <h1>SKS OpenPGP Key server</h1> - <h2>keys.fedoraproject.org</h2> - </div> - </div> - <hr></hr> - - <div id="container"> - - <div id="main" role="main"> - <header> - <h2>Extract a key</h2> - </header> - <p>You can find a key by typing in some words that appear in the - userid (name, email, etc.) of the key you're looking for, or - by typing in the keyid in hex format ("0x…")</p> - <form id="lookup" action="/pks/lookup" method="get"> - <fieldset checked="true"> <legend>Search for a public key</legend> - <ul> - <li> <label for="search">String</label> <input id="search" - name="search" placeholder="0xDEADBEEF" required="" autofocus="" - type="text"> </li> - <li> <label for="fingerprint">Show PGP Fingerprints</label> - <input id="fingerprint" name="fingerprint" type="checkbox"> - </li> - <li> <label for="hash">Show SKS full-key hashes</label> <input - id="hash" name="hash" type="checkbox"> </li> - <li> <label for="matching">Get regular index of matching - keys</label> <input id="matching" name="op" value="index" - type="radio"> </li> - <li> <label for="verbose">Get verbose index of matching - keys</label> <input id="verbose" name="op" value="vindex" - checked="checked" type="radio"> </li> - <li> <label for="asciiarmored">Retrieve ascii-armored - keys</label> <input id="asciiarmored" name="op" value="get" - type="radio"> </li> - <li> <label for="fullkey">Retrieve keys by full-key hash</label> - <input 
id="fullkey" name="op" value="hget" type="radio"> - </li> - </ul> - <button type="reset">Reset</button> <button type="submit">Search - - - - - - - for a key</button> </fieldset> - </form> - <header> - <h2>Submit a key</h2> - </header> - <p>You can submit a key by simply pasting in the ASCII-armored - version of your key and clicking on submit.</p> - <form id="add" action="/pks/add" method="post"> - <fieldset> <textarea id="keytext" name="keytext" rows="5" cols="30"></textarea> - <button type="reset">Reset</button> <button checked="true" - type="submit">Submit this key</button></fieldset> - </form> - </div> - <!-- end of #main --> - </div> - <!--! end of #container --> - <footer id="info"> - <p><a href="https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home">SKS</a> is - a new <a href="http://www.openpgp.org/">OpenPGP</a> - keyserver. The main innovation of SKS is that it includes a - highly-efficient reconciliation algorithm for keeping the - keyservers synchronized.</p> - <p style="text-align: center;"><a href="/pks/lookup?op=stats">SKS statistics</a></p> - </footer> -</div> - </body> - -</html> diff --git a/files/keyserver/membership b/files/keyserver/membership deleted file mode 100644 index 42d57b3..0000000 --- a/files/keyserver/membership +++ /dev/null 
@@ -1,48 +0,0 @@ -a.sks.srv.scientia.net 11370 # root@sks.srv.scientia.net -key.adeti.org 11370 # Marco RODRIGUES marco@adeti.org 0x7CE697FC -key.ip6.li 11370 # Christian Felsing hostmaster@ip6.li 0x5386E2A0 -keys2.kfwebs.net 11370 # 0x0B7F8B60E3EDFAE3 -keys.andreas-puls.de 11370 # Andreas Puls appu@gmx.net 0xDAC73FA6 -#keys.christensenplace.us 11370 # Eric Christensen eric@christensenplace.us 0x024BB3D1 -keyserver.advmapper.com 11370 # Tyler Schwend tylerschwend@gmail.com 0xDB4B79F8 -keyserver.cns.vt.edu 11370 # Phil Benchoff benchoff@vt.edu keymaster@cns.vt.edu -#keyserver.computer42.org 11370 # H.-Dirk Schmitt dirk@computer42.org 0x6A017B17 -keyserver.dacr.hu 11370 # David Horvath dacr@dacr.hu 0x00CBC81A -keyserver.gingerbear.net 11370 # John P. Clizbe John@Gingerbear.net 0xD6569825 -keyserver.kim-minh.com 11370 # Kim Minh Kaplankaplan+sks@kim-minh.com 0xAF1E829C -keyserver.kjsl.org 11370 # Javier Henderson javier@kjsl.org 0x9BF88EE5 -keyserver.nausch.org 11370 # Michael Nausch michael@nausch.org 0x2384C849 -#key-server.nl 11370 # Wijnand Modderman-Lenstra maze@key-server.nl 0x294DF221 -keyserver.saol.no-ip.com 11370 # Peter peter@saol.no-ip.com 0x39E97290 -keyserver.secretresearchfacility.com 11370 # Stephan Seitz s.seitz@secretresearchfacility.com 0xAB83B1C3 -keyserver.serviz.fr 11370 # robert <sks(at)serviz(pt)fr> 0xEF333C7E -keyserver.sincer.us 11370 # Petru Ghita petrutz@venaver.info 0x7CF29D04 -keyserver.skoopsmedia.net 11370 # unknown -#keyservers.org 11370 # Rob Hansen rjh@sixdemonbag.org -keyserver.stack.nl 11370 # Johan van Selst johans@stack.nl 0xD3AE8D3A -keyserver.ut.mephi.ru 11370 # Dmitry Yu Okunev dyokunev@ut.mephi.ru 0x8E30679C, pks team pks@ut.mephi.ru -keyserver.vi-di.fr 11370 # Frank Villaro-Dixon keyserver@vi-di.fr016106A6AF223DBE -keys.exosphere.de 11370 # Christoph Gebhardt chris@exosphere.de 0xE1C2E92C -keys.jhcloos.com 11370 # James Cloos cloos@jhcloos.com 0xED7DAEA6 -keys.niif.hu 11370 # Gabor Kiss kissg@ssg.ki.iif.hu -keys.thoma.cc 
11370 # Maximilian Thoma keys@thoma.cc 0xB480AC4B -#keys.wuschelpuschel.org 11370 # 0x017D1C3D Peter Kornherr peter@wuschelpuschel.org -#openpgp1.claruscomms.net 11370 # unknown -pgp.circl.lu 11370 # CIRCL - info@circl.lu - 0x22BD4CD5 -#pgp.codelabs.ru 11370 # Eygene Ryabinkin rea@codelabs.ru 0x8152ECFB -pgp.jjim.de 11370 # Joel Garske admin@pgp.jjim.de 0xA921EB20 -pgpkeys.mallos.nl 11370 # Arnold Schekkerman arnold@mallos.nl 0xB66BBBAA -#pgp.megagod.net 11370 # Kullawat Chaowanawatee (0xC19EAE3A) -pgp.rediris.es 11370 # Francisco.monserrat francisco.monserrat@rediris.es 0xD3A42C61 -#pki.colliertech.org 11370 # C.J. Adams-Collier cjac@uw.edu 0x8E562765BA27A83C -ranger.ky9k.org 11370 # Brian D Heaton pgp-keymaster@ky9k.org 0x9A016118 -sks.alpha-labs.net 11370 # Christian Reiss email@christian-reiss.de 0x44e29126abcd43c5 -sks.disunitedstates.com 11370 # David Benfell benfell@disunitedstates.com 0x1236602B -sks.ecks.ca 11370 # Eric Benoit eric@ecks.ca 0x69E65D2C -sks.es.net 11370 # keymaster@es.net -sks.fidocon.de 11370 # unknown -sks.karotte.org 11370 # Sebastian Wiesinger sebastian@karotte.org 0x93A0B9CE -sks.keyservers.net 11370 # John P. Clizbe John@Gingerbear.net 0xD6569825 -sks-peer.spodhuis.org 11370 # Phil Pennock keyserver@spodhuis.org 0x3903637F -sks.pkqs.net 11370 # Stephan Beyer s-beyer@gmx.net 0xFCC5040F -zimmermann.mayfirst.org 11370 # Daniel Kahn Gillmor dkg@fifthhorseman.net 0xCCD2ED94D21739E9 diff --git a/files/keyserver/sks.conf b/files/keyserver/sks.conf deleted file mode 100644 index 2b87b46..0000000 --- a/files/keyserver/sks.conf +++ /dev/null 
@@ -1,83 +0,0 @@
-ServerName keys.fedoraproject.org
-Listen 80.239.156.219:11371
-NameVirtualHost *:443
-
-<ifModule !mod_proxy.c>
- LoadModule proxy_module modules/mod_proxy.so
-</IfModule>
-
-<IfModule !mod_proxy_http.c>
- LoadModule proxy_http_module modules/mod_proxy_http.so
-</IfModule>
-
-<IfModule !mod_proxy_balancer.c>
- LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
-</IfModule>
-
-<IfModule !mod_headers.c>
- LoadModule headers_module modules/mod_headers.so
-</IfModule>
-
-<IfModule !mod_authz_host.c>
- LoadModule authz_host_module modules/mod_authz_host.so
-</IfModule>
-
-<IfModule !mod_log_config.c>
- LoadModule log_config_module modules/mod_log_config.so
-</IfModule>
-
-<IfModule !mod_env.c>
- LoadModule env_module modules/mod_env.so
-</IfModule>
-
-<Directory />
- Options FollowSymLinks
- AllowOverride None
- Order deny,allow
- Deny from all
-</Directory>
-
-<VirtualHost *:80>
- ServerAdmin sysadmin-keys-members@fedoraproject.org
- ServerName keys.fedoraproject.org
- ProxyPass / http://127.0.0.1:11371/
- ProxyPassReverse / http://127.0.0.1:11371/
- SetEnv proxy-nokeepalive 1
- ProxyVia Full
-</VirtualHost>
-<VirtualHost *:443>
- ServerAdmin sysadmin-keys-members@fedoraproject.org
- ServerName keys.fedoraproject.org
- ServerAlias keys01.fedoraproject.org
-
- SSLEngine on
- SSLCertificateFile /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
- SSLCertificateChainFile /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
- SSLCertificateKeyFile /etc/pki/tls/wildcard-2013.fedoraproject.org.key
- ProxyPass / http://localhost:11371/
- ProxyPassReverse / http://localhost:11371/
- SetEnv proxy-nokeepalive 1
- ProxyVia Full
-</VirtualHost>
-<VirtualHost *:443>
- ServerAdmin sysadmin-keys-members@fedoraproject.org
- ServerName pool.sks-keyservers.net
- ServerAlias sks-keyservers.net
- ServerAlias *.sks-keyservers.net
-
- SSLEngine on
- SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
- SSLCertificateKeyFile 
/etc/pki/tls/keys_fedoraproject_org.key
- ProxyPass / http://localhost:11371/
- ProxyPassReverse / http://localhost:11371/
- SetEnv proxy-nokeepalive 1
- ProxyVia Full
-</VirtualHost>
-<VirtualHost *:11371>
- ServerAdmin sysadmin-keys-members@fedoraproject.org
- ServerName keys.fedoraproject.org
- ProxyPass / http://127.0.0.1:11371/
- ProxyPassReverse / http://127.0.0.1:11371/
- SetEnv proxy-nokeepalive 1
- ProxyVia Full
-</VirtualHost>
diff --git a/files/keyserver/sksconf b/files/keyserver/sksconf
deleted file mode 100644
index ae15003..0000000
--- a/files/keyserver/sksconf
+++ /dev/null
@@ -1,13 +0,0 @@
-basedir: /srv/sks
-#debuglevel: 10
-#debug:
-hostname: keys.fedoraproject.org
-hkp_address: 127.0.0.1
-hkp_port: 11371
-recon_port: 11370
-#gossip_interval: 1440
-stat_hour: 00
-initial_stat:
-membership_reload_interval: 1
-disable_mailsync:
-server_contact: 0x167B4A54236BBEAA37DCCD92ED14D5E7110810E9
diff --git a/files/keyserver/ssl.conf b/files/keyserver/ssl.conf
deleted file mode 100644
index c1ed750..0000000
--- a/files/keyserver/ssl.conf
+++ /dev/null
@@ -1,224 +0,0 @@ -# -# This is the Apache server configuration file providing SSL support. -# It contains the configuration directives to instruct the server how to -# serve pages over an https connection. For detailing information about these -# directives see URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# - -LoadModule ssl_module modules/mod_ssl.so - -# -# When we also provide SSL we have to listen to the -# the HTTPS port in addition. -# -Listen 443 - -## -## SSL Global Context -## -## All SSL configuration in this context applies both to -## the main server and all SSL-enabled virtual hosts. -## - -# Pass Phrase Dialog: -# Configure the pass phrase gathering process. -# The filtering dialog program (`builtin' is a internal -# terminal dialog) has to provide the pass phrase on stdout. -SSLPassPhraseDialog builtin - -# Inter-Process Session Cache: -# Configure the SSL Session Cache: First the mechanism -# to use and second the expiring timeout (in seconds). -SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) -SSLSessionCacheTimeout 300 - -# Semaphore: -# Configure the path to the mutual exclusion semaphore the -# SSL engine uses internally for inter-process synchronization. -SSLMutex default - -# Pseudo Random Number Generator (PRNG): -# Configure one or more sources to seed the PRNG of the -# SSL library. The seed data should be of good random quality. -# WARNING! On some platforms /dev/random blocks if not enough entropy -# is available. This means you then cannot use the /dev/random device -# because it would lead to very long connection times (as long as -# it requires to make more entropy available). But usually those -# platforms additionally provide a /dev/urandom device which doesn't -# block. So, if available, use this one instead. 
Read the mod_ssl User -# Manual for more details. -SSLRandomSeed startup file:/dev/urandom 256 -SSLRandomSeed connect builtin -#SSLRandomSeed startup file:/dev/random 512 -#SSLRandomSeed connect file:/dev/random 512 -#SSLRandomSeed connect file:/dev/urandom 512 - -# -# Use "SSLCryptoDevice" to enable any supported hardware -# accelerators. Use "openssl engine -v" to list supported -# engine names. NOTE: If you enable an accelerator and the -# server does not start, consult the error logs and ensure -# your accelerator is functioning properly. -# -SSLCryptoDevice builtin -#SSLCryptoDevice ubsec - -## -## SSL Virtual Host Context -## - -<VirtualHost _default_:443> - -# General setup for the virtual host, inherited from global configuration -#DocumentRoot "/var/www/html" - # ProxyPass / http://localhost:11371/ - # ProxyPassReverse / http://localhost:11371/ -#ServerName www.example.com:443 - -# Use separate log files for the SSL virtual host; note that LogLevel -# is not inherited from httpd.conf. -ErrorLog logs/ssl_error_log -TransferLog logs/ssl_access_log -LogLevel warn - -# SSL Engine Switch: -# Enable/Disable SSL for this virtual host. -SSLEngine on - -# SSL Protocol support: -# List the enable protocol levels with which clients will be able to -# connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 - -# SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. -# See the mod_ssl documentation for a complete list. -SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW - -# Server Certificate: -# Point SSLCertificateFile at a PEM encoded certificate. If -# the certificate is encrypted, then you will be prompted for a -# pass phrase. Note that a kill -HUP will prompt again. A new -# certificate can be generated using the genkey(1) command. 
-SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem - -# Server Private Key: -# If the key is not combined with the certificate, use this -# directive to point at the key file. Keep in mind that if -# you've both a RSA and a DSA private key you can configure -# both in parallel (to also allow the use of DSA ciphers, etc.) -SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key - -# Server Certificate Chain: -# Point SSLCertificateChainFile at a file containing the -# concatenation of PEM encoded CA certificates which form the -# certificate chain for the server certificate. Alternatively -# the referenced file can be the same as SSLCertificateFile -# when the CA certificates are directly appended to the server -# certificate for convinience. -#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt - -# Certificate Authority (CA): -# Set the CA certificate verification path where to find CA -# certificates for client authentication or alternatively one -# huge file containing all of them (file must be PEM encoded) -#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt - -# Client Authentication (Type): -# Client certificate verification type and depth. Types are -# none, optional, require and optional_no_ca. Depth is a -# number which specifies how deeply to verify the certificate -# issuer chain before deciding the certificate is not valid. -#SSLVerifyClient require -#SSLVerifyDepth 10 - -# Access Control: -# With SSLRequire you can do per-directory access control based -# on arbitrary complex boolean expressions containing server -# variable checks and other lookup directives. The syntax is a -# mixture between C and Perl. See the mod_ssl documentation -# for more details. -#<Location /> -#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ -# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
\ -# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ -# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ -# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ -# or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/ -#</Location> - -# SSL Engine Options: -# Set various options for the SSL engine. -# o FakeBasicAuth: -# Translate the client X.509 into a Basic Authorisation. This means that -# the standard Auth/DBMAuth methods can be used for access control. The -# user name is the `one line' version of the client's X.509 certificate. -# Note that no password is obtained from the user. Every entry in the user -# file needs this password: `xxj31ZMTZzkVA'. -# o ExportCertData: -# This exports two additional environment variables: SSL_CLIENT_CERT and -# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the -# server (always existing) and the client (only existing when client -# authentication is used). This can be used to import the certificates -# into CGI scripts. -# o StdEnvVars: -# This exports the standard SSL/TLS related `SSL_*' environment variables. -# Per default this exportation is switched off for performance reasons, -# because the extraction step is an expensive operation and is usually -# useless for serving static content. So one usually enables the -# exportation for CGI and SSI requests only. -# o StrictRequire: -# This denies access when "SSLRequireSSL" or "SSLRequire" applied even -# under a "Satisfy any" situation, i.e. when it applies access is denied -# and no other module can change it. -# o OptRenegotiate: -# This enables optimized SSL connection renegotiation handling when SSL -# directives are used in per-directory context. 
-#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire -<Files ~ ".(cgi|shtml|phtml|php3?)$"> - SSLOptions +StdEnvVars -</Files> -<Directory "/var/www/cgi-bin"> - SSLOptions +StdEnvVars -</Directory> - -# SSL Protocol Adjustments: -# The safe and default but still SSL/TLS standard compliant shutdown -# approach is that mod_ssl sends the close notify alert but doesn't wait for -# the close notify alert from client. When you need a different shutdown -# approach you can use one of the following variables: -# o ssl-unclean-shutdown: -# This forces an unclean shutdown when the connection is closed, i.e. no -# SSL close notify alert is send or allowed to received. This violates -# the SSL/TLS standard but is needed for some brain-dead browsers. Use -# this when you receive I/O errors because of the standard approach where -# mod_ssl sends the close notify alert. -# o ssl-accurate-shutdown: -# This forces an accurate shutdown when the connection is closed, i.e. a -# SSL close notify alert is send and mod_ssl waits for the close notify -# alert of the client. This is 100% SSL/TLS standard compliant, but in -# practice often causes hanging connections with brain-dead browsers. Use -# this only for browsers where you know that their SSL implementation -# works correctly. -# Notice: Most problems of broken clients are also related to the HTTP -# keep-alive facility, so you usually additionally want to disable -# keep-alive for those clients, too. Use variable "nokeepalive" for this. -# Similarly, one has to force some clients to use HTTP/1.0 to workaround -# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and -# "force-response-1.0" for this. -SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - -# Per-Server Logging: -# The home of a custom SSL log file. Use this when you want a -# compact non-error SSL logfile on a virtual host basis. 
-CustomLog logs/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
-
-</VirtualHost>
-
diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index 10fa661..90cfb67 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -80,12 +80,6 @@
 - name: restart rsyslog
 action: service name=rsyslog state=restarted
-- name: restart sks-db
- action: service name=sks-db state=restarted
-
-- name: restart sks-recon
- action: service name=sks-recon state=restarted
-
 - name: restart sshd
 action: service name=sshd state=restarted
diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml
index ef2fb9c..4bc06fc 100644
--- a/playbooks/groups/keyserver.yml
+++ b/playbooks/groups/keyserver.yml
@@ -38,6 +38,7 @@
 - nagios_client
 - fas_client
 - fedmsg/base
+ - keyserver
 tasks:
 - include: "{{ tasks }}/hosts.yml"
@@ -47,7 +48,6 @@
 - include: "{{ tasks }}/motd.yml"
 - include: "{{ tasks }}/sudo.yml"
 - include: "{{ tasks }}/apache.yml"
- - include: "{{ tasks }}/keyserver.yml"
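Review bot: Moving `keyserver` from a task include into the `roles:` list (first hunk) also moves it earlier in the play: Ansible runs roles before the `tasks:` section, whereas the removed `- include: "{{ tasks }}/keyserver.yml"` in the second hunk ran after `{{ tasks }}/apache.yml`. If roles/keyserver/tasks/main.yml (outside this view) installs sks.conf and ssl.conf into httpd's config directory or notifies an httpd restart, it will now execute before apache.yml has set httpd up, so either the role has to carry that dependency itself or the apache setup should move to `pre_tasks:`. The `restart sks-db` / `restart sks-recon` handlers likewise leave handlers/restart_services.yml for the role, so any `notify:` to them from outside the role would no longer resolve; worth a grep before merging.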
 handlers:
 - include: "{{ handlers }}/restart_services.yml"
diff --git a/roles/keyserver/files/css.css b/roles/keyserver/files/css.css
new file mode 100644
index 0000000..99443a0
--- /dev/null
+++ b/roles/keyserver/files/css.css
@@ -0,0 +1,132 @@ + * { font-family: helvetica, sans-serif; } + + h1, + p { + margin: 0; /* Let's zero those margins */ + } + +h2 { color: #3c6eb4; margin: 0;} + + #container { + /* border: 1px solid #555; /* Nice transition from white background */ + width: 600px; /* Should be narrow enough for small screens */ + margin: 0 auto; /* Centering */ + font-size: 1.1em; /* Font big enough not to need to squint */ + line-height: 1.3em; + + } + + #title { + /* background-color:#e2e5e2; */ + padding: 10px; + } + + #title h1, #title h2 { + margin-top: 0.3em; + } + + #info { + /* background-color:#e2e5e2; */ + padding: 5px 10px; + } + + #main { + /* background : #FAFBEA; */ + padding: 0 10px 10px 10px; + } + + #main header { + padding-top: 1em; + } + + #main p { + margin: 0.5em 0; + } + + #keytext { + width: 100%; + height: 150px; + border: 1px solid #555; + background : #fff; + max-width: 100%; + display: block; + } + + ul { + width: 100%; + list-style-type: none; + padding-left: 0; + } + + li { + width: 99%; + } + + li label { + width: 57%; + display: inline-block; + } + + button { + border-radius: 3px; + -moz-border-radius: 3px; + background: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#ddd)); + background: -moz-linear-gradient(top, #fff, #ddd); + border: 1px solid #bbb; + } + + #info p {line-height: 1.1em; margin-bottom: 0.3em;} + + + +#bodyform { + margin-top: 20px; + color: #555; + font-weight: normal; + font-size: 16px; + +} + +#headcontent { + width: 700px; + margin: auto; + display: table; + +} + +#lefttop { + float: left; + text-align: left; +} + +#righttop { + float:right; + text-align: right; +} + +hr { + background: #3c6eb4; + height: 8px; + border: 0px; +} + +footer { + background: #3c6eb4; + margin: auto; + color: #fff; + +} + +footer p { width: 500px; margin: auto; text-align: center;} + +a {text-decoration: none; color: #B8C9FF; font-weight: bold;} + +fieldset { + border: 2px solid #4462C4; +} + +legend { + color: #3c6eb4; +} + + 
diff --git a/roles/keyserver/files/index.html b/roles/keyserver/files/index.html
new file mode 100644
index 0000000..12b7be5
--- /dev/null
+++ b/roles/keyserver/files/index.html
@@ -0,0 +1,91 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> +<head> + <link rel="stylesheet" type="text/css" media="all" href="css.css" /> + <title>Fedora Project GPG Key Server</title> +</head> + + <body> + +<div id=bodyform> + <div id=headcontent> + <div id=lefttop> + <a href="https://fedoraproject.org"> + <img src='https://fedoraproject.org/static/images/fedora-logo.png'> + </a> + </div> + <div id=righttop> + <h1>SKS OpenPGP Key server</h1> + <h2>keys.fedoraproject.org</h2> + </div> + </div> + <hr></hr> + + <div id="container"> + + <div id="main" role="main"> + <header> + <h2>Extract a key</h2> + </header> + <p>You can find a key by typing in some words that appear in the + userid (name, email, etc.) of the key you're looking for, or + by typing in the keyid in hex format ("0x…")</p> + <form id="lookup" action="/pks/lookup" method="get"> + <fieldset checked="true"> <legend>Search for a public key</legend> + <ul> + <li> <label for="search">String</label> <input id="search" + name="search" placeholder="0xDEADBEEF" required="" autofocus="" + type="text"> </li> + <li> <label for="fingerprint">Show PGP Fingerprints</label> + <input id="fingerprint" name="fingerprint" type="checkbox"> + </li> + <li> <label for="hash">Show SKS full-key hashes</label> <input + id="hash" name="hash" type="checkbox"> </li> + <li> <label for="matching">Get regular index of matching + keys</label> <input id="matching" name="op" value="index" + type="radio"> </li> + <li> <label for="verbose">Get verbose index of matching + keys</label> <input id="verbose" name="op" value="vindex" + checked="checked" type="radio"> </li> + <li> <label for="asciiarmored">Retrieve ascii-armored + keys</label> <input id="asciiarmored" name="op" value="get" + type="radio"> </li> + <li> <label for="fullkey">Retrieve keys by full-key hash</label> + <input 
id="fullkey" name="op" value="hget" type="radio"> + </li> + </ul> + <button type="reset">Reset</button> <button type="submit">Search + + + + + + + for a key</button> </fieldset> + </form> + <header> + <h2>Submit a key</h2> + </header> + <p>You can submit a key by simply pasting in the ASCII-armored + version of your key and clicking on submit.</p> + <form id="add" action="/pks/add" method="post"> + <fieldset> <textarea id="keytext" name="keytext" rows="5" cols="30"></textarea> + <button type="reset">Reset</button> <button checked="true" + type="submit">Submit this key</button></fieldset> + </form> + </div> + <!-- end of #main --> + </div> + <!--! end of #container --> + <footer id="info"> + <p><a href="https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home">SKS</a> is + a new <a href="http://www.openpgp.org/">OpenPGP</a> + keyserver. The main innovation of SKS is that it includes a + highly-efficient reconciliation algorithm for keeping the + keyservers synchronized.</p> + <p style="text-align: center;"><a href="/pks/lookup?op=stats">SKS statistics</a></p> + </footer> +</div> + </body> + +</html> diff --git a/roles/keyserver/files/membership b/roles/keyserver/files/membership new file mode 100644 index 0000000..42d57b3 --- /dev/null +++ b/roles/keyserver/files/membership 
@@ -0,0 +1,48 @@ +a.sks.srv.scientia.net 11370 # root@sks.srv.scientia.net +key.adeti.org 11370 # Marco RODRIGUES marco@adeti.org 0x7CE697FC +key.ip6.li 11370 # Christian Felsing hostmaster@ip6.li 0x5386E2A0 +keys2.kfwebs.net 11370 # 0x0B7F8B60E3EDFAE3 +keys.andreas-puls.de 11370 # Andreas Puls appu@gmx.net 0xDAC73FA6 +#keys.christensenplace.us 11370 # Eric Christensen eric@christensenplace.us 0x024BB3D1 +keyserver.advmapper.com 11370 # Tyler Schwend tylerschwend@gmail.com 0xDB4B79F8 +keyserver.cns.vt.edu 11370 # Phil Benchoff benchoff@vt.edu keymaster@cns.vt.edu +#keyserver.computer42.org 11370 # H.-Dirk Schmitt dirk@computer42.org 0x6A017B17 +keyserver.dacr.hu 11370 # David Horvath dacr@dacr.hu 0x00CBC81A +keyserver.gingerbear.net 11370 # John P. Clizbe John@Gingerbear.net 0xD6569825 +keyserver.kim-minh.com 11370 # Kim Minh Kaplankaplan+sks@kim-minh.com 0xAF1E829C +keyserver.kjsl.org 11370 # Javier Henderson javier@kjsl.org 0x9BF88EE5 +keyserver.nausch.org 11370 # Michael Nausch michael@nausch.org 0x2384C849 +#key-server.nl 11370 # Wijnand Modderman-Lenstra maze@key-server.nl 0x294DF221 +keyserver.saol.no-ip.com 11370 # Peter peter@saol.no-ip.com 0x39E97290 +keyserver.secretresearchfacility.com 11370 # Stephan Seitz s.seitz@secretresearchfacility.com 0xAB83B1C3 +keyserver.serviz.fr 11370 # robert <sks(at)serviz(pt)fr> 0xEF333C7E +keyserver.sincer.us 11370 # Petru Ghita petrutz@venaver.info 0x7CF29D04 +keyserver.skoopsmedia.net 11370 # unknown +#keyservers.org 11370 # Rob Hansen rjh@sixdemonbag.org +keyserver.stack.nl 11370 # Johan van Selst johans@stack.nl 0xD3AE8D3A +keyserver.ut.mephi.ru 11370 # Dmitry Yu Okunev dyokunev@ut.mephi.ru 0x8E30679C, pks team pks@ut.mephi.ru +keyserver.vi-di.fr 11370 # Frank Villaro-Dixon keyserver@vi-di.fr016106A6AF223DBE +keys.exosphere.de 11370 # Christoph Gebhardt chris@exosphere.de 0xE1C2E92C +keys.jhcloos.com 11370 # James Cloos cloos@jhcloos.com 0xED7DAEA6 +keys.niif.hu 11370 # Gabor Kiss kissg@ssg.ki.iif.hu +keys.thoma.cc 
11370 # Maximilian Thoma keys@thoma.cc 0xB480AC4B +#keys.wuschelpuschel.org 11370 # 0x017D1C3D Peter Kornherr peter@wuschelpuschel.org +#openpgp1.claruscomms.net 11370 # unknown +pgp.circl.lu 11370 # CIRCL - info@circl.lu - 0x22BD4CD5 +#pgp.codelabs.ru 11370 # Eygene Ryabinkin rea@codelabs.ru 0x8152ECFB +pgp.jjim.de 11370 # Joel Garske admin@pgp.jjim.de 0xA921EB20 +pgpkeys.mallos.nl 11370 # Arnold Schekkerman arnold@mallos.nl 0xB66BBBAA +#pgp.megagod.net 11370 # Kullawat Chaowanawatee (0xC19EAE3A) +pgp.rediris.es 11370 # Francisco.monserrat francisco.monserrat@rediris.es 0xD3A42C61 +#pki.colliertech.org 11370 # C.J. Adams-Collier cjac@uw.edu 0x8E562765BA27A83C +ranger.ky9k.org 11370 # Brian D Heaton pgp-keymaster@ky9k.org 0x9A016118 +sks.alpha-labs.net 11370 # Christian Reiss email@christian-reiss.de 0x44e29126abcd43c5 +sks.disunitedstates.com 11370 # David Benfell benfell@disunitedstates.com 0x1236602B +sks.ecks.ca 11370 # Eric Benoit eric@ecks.ca 0x69E65D2C +sks.es.net 11370 # keymaster@es.net +sks.fidocon.de 11370 # unknown +sks.karotte.org 11370 # Sebastian Wiesinger sebastian@karotte.org 0x93A0B9CE +sks.keyservers.net 11370 # John P. Clizbe John@Gingerbear.net 0xD6569825 +sks-peer.spodhuis.org 11370 # Phil Pennock keyserver@spodhuis.org 0x3903637F +sks.pkqs.net 11370 # Stephan Beyer s-beyer@gmx.net 0xFCC5040F +zimmermann.mayfirst.org 11370 # Daniel Kahn Gillmor dkg@fifthhorseman.net 0xCCD2ED94D21739E9 diff --git a/roles/keyserver/files/sks.conf b/roles/keyserver/files/sks.conf new file mode 100644 index 0000000..2b87b46 --- /dev/null +++ b/roles/keyserver/files/sks.conf 
@@ -0,0 +1,83 @@
+ServerName keys.fedoraproject.org
+Listen 80.239.156.219:11371
+NameVirtualHost *:443
+
+<ifModule !mod_proxy.c>
+ LoadModule proxy_module modules/mod_proxy.so
+</IfModule>
+
+<IfModule !mod_proxy_http.c>
+ LoadModule proxy_http_module modules/mod_proxy_http.so
+</IfModule>
+
+<IfModule !mod_proxy_balancer.c>
+ LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+</IfModule>
+
+<IfModule !mod_headers.c>
+ LoadModule headers_module modules/mod_headers.so
+</IfModule>
+
+<IfModule !mod_authz_host.c>
+ LoadModule authz_host_module modules/mod_authz_host.so
+</IfModule>
+
+<IfModule !mod_log_config.c>
+ LoadModule log_config_module modules/mod_log_config.so
+</IfModule>
+
+<IfModule !mod_env.c>
+ LoadModule env_module modules/mod_env.so
+</IfModule>
+
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+</Directory>
+
+<VirtualHost *:80>
+ ServerAdmin sysadmin-keys-members@fedoraproject.org
+ ServerName keys.fedoraproject.org
+ ProxyPass / http://127.0.0.1:11371/
+ ProxyPassReverse / http://127.0.0.1:11371/
+ SetEnv proxy-nokeepalive 1
+ ProxyVia Full
+</VirtualHost>
+<VirtualHost *:443>
+ ServerAdmin sysadmin-keys-members@fedoraproject.org
+ ServerName keys.fedoraproject.org
+ ServerAlias keys01.fedoraproject.org
+
+ SSLEngine on
+ SSLCertificateFile /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
+ SSLCertificateChainFile /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
+ SSLCertificateKeyFile /etc/pki/tls/wildcard-2013.fedoraproject.org.key
+ ProxyPass / http://localhost:11371/
+ ProxyPassReverse / http://localhost:11371/
+ SetEnv proxy-nokeepalive 1
+ ProxyVia Full
+</VirtualHost>
+<VirtualHost *:443>
+ ServerAdmin sysadmin-keys-members@fedoraproject.org
+ ServerName pool.sks-keyservers.net
+ ServerAlias sks-keyservers.net
+ ServerAlias *.sks-keyservers.net
+
+ SSLEngine on
+ SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
+ SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
+ ProxyPass / http://localhost:11371/
+ ProxyPassReverse / http://localhost:11371/
+ SetEnv proxy-nokeepalive 1
+ ProxyVia Full
+</VirtualHost>
+<VirtualHost *:11371>
+ ServerAdmin sysadmin-keys-members@fedoraproject.org
+ ServerName keys.fedoraproject.org
+ ProxyPass / http://127.0.0.1:11371/
+ ProxyPassReverse / http://127.0.0.1:11371/
+ SetEnv proxy-nokeepalive 1
+ ProxyVia Full
+</VirtualHost>
diff --git a/roles/keyserver/files/sksconf b/roles/keyserver/files/sksconf
new file mode 100644
index 0000000..ae15003
--- /dev/null
+++ b/roles/keyserver/files/sksconf
@@ -0,0 +1,13 @@
+basedir: /srv/sks
+#debuglevel: 10
+#debug:
+hostname: keys.fedoraproject.org
+hkp_address: 127.0.0.1
+hkp_port: 11371
+recon_port: 11370
+#gossip_interval: 1440
+stat_hour: 00
+initial_stat:
+membership_reload_interval: 1
+disable_mailsync:
+server_contact: 0x167B4A54236BBEAA37DCCD92ED14D5E7110810E9
diff --git a/roles/keyserver/files/ssl.conf b/roles/keyserver/files/ssl.conf
new file mode 100644
index 0000000..c1ed750
--- /dev/null
+++ b/roles/keyserver/files/ssl.conf
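Review bot: The `pool.sks-keyservers.net` vhost presents `keys_fedoraproject_org.crt.pem` with no `SSLCertificateChainFile`, while the `keys.fedoraproject.org` vhost just above it ships `wildcard-2013.fedoraproject.org.intermediate.cert`; unless that certificate is issued directly by a root clients already trust, chain validation will fail, so either add the intermediate or leave a comment saying none is needed. Every vhost also sets `ProxyVia Full`, which appends the Apache version to the outgoing `Via:` header; `ProxyVia On` keeps loop detection without the version disclosure. `Listen 80.239.156.219:11371` hard-codes a public address in a static role file, which is worth turning into a template fed from a host variable if the role is ever applied elsewhere.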
@@ -0,0 +1,224 @@
+#
+# This is the Apache server configuration file providing SSL support.
+# It contains the configuration directives to instruct the server how to
+# serve pages over an https connection. For detailing information about these
+# directives see URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+
+LoadModule ssl_module modules/mod_ssl.so
+
+#
+# When we also provide SSL we have to listen to the
+# the HTTPS port in addition.
+#
+Listen 443
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog builtin
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
+SSLSessionCacheTimeout 300
+
+# Semaphore:
+# Configure the path to the mutual exclusion semaphore the
+# SSL engine uses internally for inter-process synchronization.
+SSLMutex default
+
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the
+# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+ # ProxyPass / http://localhost:11371/
+ # ProxyPassReverse / http://localhost:11371/
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# SSL Protocol support:
+# List the enable protocol levels with which clients will be able to
+# connect. Disable SSLv2 access by default:
+SSLProtocol all -SSLv2
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+
+# Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that a kill -HUP will prompt again. A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convinience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<Files ~ ".(cgi|shtml|phtml|php3?)$">
+ SSLOptions +StdEnvVars
+</Files>
+<Directory "/var/www/cgi-bin">
+ SSLOptions +StdEnvVars
+</Directory>
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is send or allowed to received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is send and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+SetEnvIf User-Agent ".*MSIE.*" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
+
+</VirtualHost>
+
diff --git a/roles/keyserver/handlers/main.yml b/roles/keyserver/handlers/main.yml
new file mode 100644
index 0000000..eee9214
--- /dev/null
+++ b/roles/keyserver/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: restart sks-db
+ action: service name=sks-db state=restarted
+
+- name: restart sks-recon
+ action: service name=sks-recon state=restarted
+
diff --git a/roles/keyserver/tasks/main.yml b/roles/keyserver/tasks/main.yml
new file mode 100644
index 0000000..af7c672
--- /dev/null
+++ b/roles/keyserver/tasks/main.yml
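Review bot: `SSLProtocol all -SSLv2` and `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW` still allow SSLv3 and LOW/MEDIUM ciphers such as RC4 and single DES, and because both sit inside `<VirtualHost _default_:443>` they are not inherited by the named `*:443` vhosts in sks.conf, which therefore fall back to mod_ssl's compiled-in defaults. Move them into the global SSL context above the vhost and tighten them to `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4` and `SSLHonorCipherOrder on`, so every TLS vhost on the host gets the same policy. The `_default_:443` vhost also loads the keys_fedoraproject_org key and certificate while its `ProxyPass` lines are commented out, so it is unclear what it is meant to serve; a one-line comment stating its role (catch-all for clients without SNI, presumably) would help the next person who edits this file.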
@@ -0,0 +1,100 @@
+---
+- name: install sks
+ yum: name=sks state=installed
+ tags:
+ - packages
+
+- name: install mod_ssl
+ yum: name=mod_ssl state=installed
+ tags:
+ - packages
+
+- name: /srv/sks
+ file: >
+ path=/srv/sks
+ state=directory
+ owner=sks group=sks mode=0755
+
+- name: /srv/sks/membership
+ copy: src="membership" dest=/srv/sks/membership owner=sks group=sks mode=0644
+ tags:
+ - config
+
+- name: /srv/sks/sksconf
+ copy: src="sksconf" dest=/srv/sks/sksconf owner=sks group=sks mode=0644
+ tags:
+ - config
+
+- name: /srv/sks/web
+ file: >
+ path=/srv/sks/web
+ state=directory
+ owner=sks group=sks mode=0755
+
+- name: /srv/sks/web/index.html
+ copy: src="index.html" dest=/srv/sks/web/index.html owner=sks group=sks mode=0644
+ tags:
+ - config
+ with_items:
+- name: /srv/sks/web/css.css
+ copy: src="css.css" dest=/srv/sks/web/css.css owner=sks group=sks mode=0644
+ tags:
+ - config
+
+- name: /etc/httpd/conf.d/sks.conf
+ copy: src="sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644
+ tags:
+ - config
+
+- name: /etc/httpd/conf.d/ssl.conf
+ copy: src="ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644
+ tags:
+ - config
+
+- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
+ copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.cert owner=root group=root mode=0600
+ tags:
+ - config
+
+- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.key
+ copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.key" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.key owner=root group=root mode=0600
+ tags:
+ - config
+
+- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
+ copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert owner=root group=root mode=0600
+ tags:
+ - config
+
+- name: /etc/pki/tls/keys_fedoraproject_org.crt.pem
+ copy: src="{{ puppet_private }}/keys_fedoraproject_org.crt.pem" dest=/etc/pki/tls/keys_fedoraproject_org.crt.pem owner=root group=root mode=0600
+ tags:
+ - config
+
+- name: /etc/pki/tls/keys_fedoraproject_org.key
+ copy: src="{{ puppet_private }}/keys_fedoraproject_org.key" dest=/etc/pki/tls/keys_fedoraproject_org.key owner=root group=root mode=0600
+ tags:
+ - config
+
+- cron: name="regenerate stats hourly"
+ hour="*"
+ minute="5"
+ job="killall -SIGUSR2 sks-db"
+ state=present
+
+- name: Set sks-db to run on boot
+ service: name=sks-db enabled=yes
+ ignore_errors: true
+ notify:
+ - restart sks-db
+ tags:
+ - service
+
+- name: Set sks-recon to run on boot
+ service: name=sks-recon enabled=yes
+ ignore_errors: true
+ notify:
+ - restart sks-recon
+ tags:
+ - service
+
diff --git a/tasks/keyserver.yml b/tasks/keyserver.yml
deleted file mode 100644
index 9cf3e2c..0000000
--- a/tasks/keyserver.yml
+++ /dev/null
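Review bot: The `/srv/sks/web/index.html` task carries a stray `with_items:` with no value that the deleted tasks/keyserver.yml did not have; a bare `with_items:` is YAML null, so depending on the Ansible version the task either fails to parse or iterates zero times and never installs index.html. Drop that line. Both service tasks also set `ignore_errors: true`, so a failure to enable sks-db or sks-recon on boot is swallowed and the restart handler is still notified; if the enable is known to fail on some hosts that reason belongs in a comment, otherwise the flag should go.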
@@ -1,100 +0,0 @@
----
-- name: install sks
- yum: name=sks state=installed
- tags:
- - packages
-
-- name: install mod_ssl
- yum: name=mod_ssl state=installed
- tags:
- - packages
-
-- name: /srv/sks
- file: >
- path=/srv/sks
- state=directory
- owner=sks group=sks mode=0755
-
-- name: /srv/sks/membership
- copy: src="{{ files }}/keyserver/membership" dest=/srv/sks/membership owner=sks group=sks mode=0644
- tags:
- - config
-
-- name: /srv/sks/sksconf
- copy: src="{{ files }}/keyserver/sksconf" dest=/srv/sks/sksconf owner=sks group=sks mode=0644
- tags:
- - config
-
-- name: /srv/sks/web
- file: >
- path=/srv/sks/web
- state=directory
- owner=sks group=sks mode=0755
-
-- name: /srv/sks/web/index.html
- copy: src="{{ files }}/keyserver/index.html" dest=/srv/sks/web/index.html owner=sks group=sks mode=0644
- tags:
- - config
-
-- name: /srv/sks/web/css.css
- copy: src="{{ files }}/keyserver/css.css" dest=/srv/sks/web/css.css owner=sks group=sks mode=0644
- tags:
- - config
-
-- name: /etc/httpd/conf.d/sks.conf
- copy: src="{{ files }}/keyserver/sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644
- tags:
- - config
-
-- name: /etc/httpd/conf.d/ssl.conf
- copy: src="{{ files }}/keyserver/ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644
- tags:
- - config
-
-- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
- copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.cert owner=root group=root mode=0600
- tags:
- - config
-
-- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.key
- copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.key" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.key owner=root group=root mode=0600
- tags:
- - config
-
-- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
- copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert owner=root group=root mode=0600
- tags:
- - config
-
-- name: /etc/pki/tls/keys_fedoraproject_org.crt.pem
- copy: src="{{ puppet_private }}/keys_fedoraproject_org.crt.pem" dest=/etc/pki/tls/keys_fedoraproject_org.crt.pem owner=root group=root mode=0600
- tags:
- - config
-
-- name: /etc/pki/tls/keys_fedoraproject_org.key
- copy: src="{{ puppet_private }}/keys_fedoraproject_org.key" dest=/etc/pki/tls/keys_fedoraproject_org.key owner=root group=root mode=0600
- tags:
- - config
-
-- cron: name="regenerate stats hourly"
- hour="*"
- minute="5"
- job="killall -SIGUSR2 sks-db"
- state=present
-
-- name: Set sks-db to run on boot
- service: name=sks-db enabled=yes
- ignore_errors: true
- notify:
- - restart sks-db
- tags:
- - service
-
-- name: Set sks-recon to run on boot
- service: name=sks-recon enabled=yes
- ignore_errors: true
- notify:
- - restart sks-recon
- tags:
- - service
-