[PATCH] migrate keyserver to be a role

misc at zarb.org misc at zarb.org
Tue Apr 15 14:35:04 UTC 2014


From: Michael Scherer <misc at zarb.org>

---
 files/keyserver/css.css           | 132 ----------------------
 files/keyserver/index.html        |  91 ----------------
 files/keyserver/membership        |  48 --------
 files/keyserver/sks.conf          |  83 --------------
 files/keyserver/sksconf           |  13 ---
 files/keyserver/ssl.conf          | 224 --------------------------------------
 handlers/restart_services.yml     |   6 -
 playbooks/groups/keyserver.yml    |   2 +-
 roles/keyserver/files/css.css     | 132 ++++++++++++++++++++++
 roles/keyserver/files/index.html  |  91 ++++++++++++++++
 roles/keyserver/files/membership  |  48 ++++++++
 roles/keyserver/files/sks.conf    |  83 ++++++++++++++
 roles/keyserver/files/sksconf     |  13 +++
 roles/keyserver/files/ssl.conf    | 224 ++++++++++++++++++++++++++++++++++++++
 roles/keyserver/handlers/main.yml |   6 +
 roles/keyserver/tasks/main.yml    | 100 +++++++++++++++++
 tasks/keyserver.yml               | 100 -----------------
 17 files changed, 698 insertions(+), 698 deletions(-)
 delete mode 100644 files/keyserver/css.css
 delete mode 100644 files/keyserver/index.html
 delete mode 100644 files/keyserver/membership
 delete mode 100644 files/keyserver/sks.conf
 delete mode 100644 files/keyserver/sksconf
 delete mode 100644 files/keyserver/ssl.conf
 create mode 100644 roles/keyserver/files/css.css
 create mode 100644 roles/keyserver/files/index.html
 create mode 100644 roles/keyserver/files/membership
 create mode 100644 roles/keyserver/files/sks.conf
 create mode 100644 roles/keyserver/files/sksconf
 create mode 100644 roles/keyserver/files/ssl.conf
 create mode 100644 roles/keyserver/handlers/main.yml
 create mode 100644 roles/keyserver/tasks/main.yml
 delete mode 100644 tasks/keyserver.yml

diff --git a/files/keyserver/css.css b/files/keyserver/css.css
deleted file mode 100644
index 99443a0..0000000
--- a/files/keyserver/css.css
+++ /dev/null
@@ -1,132 +0,0 @@
-    * { font-family: helvetica, sans-serif; }
- 
-    h1,
-    p {
-      margin: 0; /* Let's zero those margins */
-    }
-
-h2 {	color: #3c6eb4; margin: 0;}
- 
-    #container {
- /*     border: 1px solid #555; /* Nice transition from white background */
-      width: 600px; /* Should be narrow enough for small screens */
-      margin: 0 auto; /* Centering */
-      font-size: 1.1em; /* Font big enough not to need to squint */
-      line-height: 1.3em;
-
-    }
- 
-    #title {
- /*     background-color:#e2e5e2; */
-      padding: 10px;
-    }
-   
-    #title h1, #title h2 {
-      margin-top: 0.3em;
-    }
- 
-    #info {
-      /* background-color:#e2e5e2; */
-      padding: 5px 10px;
-    }
- 
-    #main {
-     /* background : #FAFBEA; */
-      padding: 0 10px 10px 10px;
-    }
- 
-    #main header {
-      padding-top: 1em;
-    }
- 
-    #main p {
-      margin: 0.5em 0;
-    }
- 
-    #keytext {
-      width: 100%;
-      height: 150px;
-      border: 1px solid #555;
-      background : #fff;
-      max-width: 100%;
-      display: block;
-    }
- 
-    ul {
-      width: 100%;
-      list-style-type: none;
-      padding-left: 0;
-    }
- 
-    li {
-      width: 99%;
-    }
- 
-    li label {
-      width: 57%;
-      display: inline-block;
-    }
-   
-    button {
-      border-radius: 3px;
-      -moz-border-radius: 3px;
-      background: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#ddd));
-      background: -moz-linear-gradient(top, #fff, #ddd);  
-      border: 1px solid #bbb;
-    }
- 
-    #info p {line-height: 1.1em; margin-bottom: 0.3em;}
-
-
-
-#bodyform {
-	margin-top: 20px;
-	color: #555;
-	font-weight: normal;
-	font-size: 16px;
-
-}
-
-#headcontent {
-	width: 700px;
-	margin: auto;
-	display: table;
-
-}
-
-#lefttop {
-	float: left;
-	text-align: left;
-}
-
-#righttop {
-	float:right;
-	text-align: right;
-}
-
-hr {
-	background: #3c6eb4;
-	height: 8px;
-	border: 0px;
-}
-
-footer {
-	background: #3c6eb4;
-	margin: auto;
-	color: #fff;
-
-}
-
-footer p { width: 500px; margin: auto; text-align: center;}
-
-a {text-decoration: none; color: #B8C9FF; font-weight: bold;}
-
-fieldset {
-	border: 2px solid #4462C4;
-}
-
-legend {
-	color: #3c6eb4;
-}
-
-
diff --git a/files/keyserver/index.html b/files/keyserver/index.html
deleted file mode 100644
index 12b7be5..0000000
--- a/files/keyserver/index.html
+++ /dev/null
@@ -1,91 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> 
-<head>
-  <link rel="stylesheet" type="text/css" media="all" href="css.css" /> 
-  <title>Fedora Project GPG Key Server</title>
-</head>
-
-  <body> 
-
-<div id=bodyform>
-	<div id=headcontent>
-		<div id=lefttop>
-			<a href="https://fedoraproject.org">
-				<img src='https://fedoraproject.org/static/images/fedora-logo.png'>
-			</a>
-		</div>
-		<div id=righttop>
-			<h1>SKS OpenPGP Key server</h1> 
-			<h2>keys.fedoraproject.org</h2> 
-		</div>
-	</div>
-	<hr></hr>
-
-    <div id="container"> 
- 
-      <div id="main" role="main"> 
-        <header> 
-          <h2>Extract a key</h2> 
-        </header> 
-        <p>You can find a key by typing in some words that appear in the
-          userid (name, email, etc.) of the key you're looking for, or
-          by typing in the keyid in hex format ("0x&#8230;")</p> 
-        <form id="lookup" action="/pks/lookup" method="get"> 
-          <fieldset checked="true"> <legend>Search for a public key</legend> 
-            <ul> 
-              <li> <label for="search">String</label> <input id="search"
-                  name="search" placeholder="0xDEADBEEF" required="" autofocus=""
-                  type="text"> </li> 
-              <li> <label for="fingerprint">Show PGP Fingerprints</label> 
-                <input id="fingerprint" name="fingerprint" type="checkbox"> 
-              </li> 
-              <li> <label for="hash">Show SKS full-key hashes</label> <input
-                  id="hash" name="hash" type="checkbox"> </li> 
-              <li> <label for="matching">Get regular index of matching
-                  keys</label> <input id="matching" name="op" value="index"
-                  type="radio"> </li> 
-              <li> <label for="verbose">Get verbose index of matching
-                  keys</label> <input id="verbose" name="op" value="vindex"
-                  checked="checked" type="radio"> </li> 
-              <li> <label for="asciiarmored">Retrieve ascii-armored
-                  keys</label> <input id="asciiarmored" name="op" value="get"
-                  type="radio"> </li> 
-              <li> <label for="fullkey">Retrieve keys by full-key hash</label> 
-                <input id="fullkey" name="op" value="hget" type="radio"> 
-              </li> 
-            </ul> 
-            <button type="reset">Reset</button> <button type="submit">Search
- 
- 
- 
- 
- 
- 
-              for a key</button> </fieldset> 
-        </form> 
-        <header> 
-          <h2>Submit a key</h2> 
-        </header> 
-        <p>You can submit a key by simply pasting in the ASCII-armored
-          version of your key and clicking on submit.</p> 
-        <form id="add" action="/pks/add" method="post"> 
-          <fieldset> <textarea id="keytext" name="keytext" rows="5" cols="30"></textarea> 
-            <button type="reset">Reset</button> <button checked="true"
-              type="submit">Submit this key</button></fieldset> 
-        </form> 
-      </div> 
-      <!-- end of #main -->  
-    </div> 
-    <!--! end of #container --> 
-      <footer id="info"> 
-        <p><a href="https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home">SKS</a> is
-          a new <a href="http://www.openpgp.org/">OpenPGP</a> 
-          keyserver. The main innovation of SKS is that it includes a
-          highly-efficient reconciliation algorithm for keeping the
-          keyservers synchronized.</p> 
-        <p style="text-align: center;"><a href="/pks/lookup?op=stats">SKS statistics</a></p> 
-      </footer>
-</div>
-  </body> 
-
-</html>
diff --git a/files/keyserver/membership b/files/keyserver/membership
deleted file mode 100644
index 42d57b3..0000000
--- a/files/keyserver/membership
+++ /dev/null
@@ -1,48 +0,0 @@
-a.sks.srv.scientia.net		11370 # root at sks.srv.scientia.net
-key.adeti.org			11370 # Marco RODRIGUES <marco at adeti.org> 0x7CE697FC
-key.ip6.li			11370 # Christian Felsing <hostmaster at ip6.li> 0x5386E2A0
-keys2.kfwebs.net		11370 # 0x0B7F8B60E3EDFAE3
-keys.andreas-puls.de 		11370 # Andreas Puls <appu at gmx.net> 0xDAC73FA6
-#keys.christensenplace.us	11370 # Eric Christensen <eric at christensenplace.us> 0x024BB3D1
-keyserver.advmapper.com		11370 # Tyler Schwend <tylerschwend at gmail.com> 0xDB4B79F8
-keyserver.cns.vt.edu		11370 # Phil Benchoff <benchoff at vt.edu> <keymaster at cns.vt.edu>
-#keyserver.computer42.org	11370 # H.-Dirk Schmitt <dirk at computer42.org> 0x6A017B17
-keyserver.dacr.hu  		11370 # David Horvath <dacr at dacr.hu> 0x00CBC81A
-keyserver.gingerbear.net	11370 # John P. Clizbe <John at Gingerbear.net> 0xD6569825
-keyserver.kim-minh.com		11370 # Kim Minh Kaplan<kaplan+sks at kim-minh.com> 0xAF1E829C
-keyserver.kjsl.org		11370 # Javier Henderson <javier at kjsl.org> 0x9BF88EE5
-keyserver.nausch.org		11370 # Michael Nausch <michael at nausch.org> 0x2384C849 
-#key-server.nl			11370 # Wijnand Modderman-Lenstra <maze at key-server.nl> 0x294DF221
-keyserver.saol.no-ip.com	11370 # Peter <peter at saol.no-ip.com> 0x39E97290
-keyserver.secretresearchfacility.com 11370 # Stephan Seitz <s.seitz at secretresearchfacility.com> 0xAB83B1C3
-keyserver.serviz.fr		11370 # robert <sks(at)serviz(pt)fr> 0xEF333C7E
-keyserver.sincer.us 		11370 # Petru Ghita <petrutz at venaver.info> 0x7CF29D04
-keyserver.skoopsmedia.net	11370 # unknown
-#keyservers.org			11370 # Rob Hansen <rjh at sixdemonbag.org>
-keyserver.stack.nl		11370 # Johan van Selst <johans at stack.nl> 0xD3AE8D3A
-keyserver.ut.mephi.ru		11370 # Dmitry Yu Okunev <dyokunev at ut.mephi.ru> 0x8E30679C, pks team <pks at ut.mephi.ru>
-keyserver.vi-di.fr 		11370 # Frank Villaro-Dixon <keyserver at vi-di.fr>016106A6AF223DBE
-keys.exosphere.de		11370 # Christoph Gebhardt <chris at exosphere.de> 0xE1C2E92C
-keys.jhcloos.com  		11370 # James Cloos <cloos at jhcloos.com>  0xED7DAEA6
-keys.niif.hu			11370 # Gabor Kiss <kissg at ssg.ki.iif.hu>
-keys.thoma.cc			11370 # Maximilian Thoma <keys at thoma.cc> 0xB480AC4B
-#keys.wuschelpuschel.org		11370 # 0x017D1C3D Peter Kornherr <peter at wuschelpuschel.org>
-#openpgp1.claruscomms.net	11370 # unknown
-pgp.circl.lu			11370 # CIRCL - info at circl.lu - 0x22BD4CD5
-#pgp.codelabs.ru		11370 # Eygene Ryabinkin <rea at codelabs.ru> 0x8152ECFB
-pgp.jjim.de			11370 # Joel Garske <admin at pgp.jjim.de> 0xA921EB20
-pgpkeys.mallos.nl		11370 # Arnold Schekkerman <arnold at mallos.nl> 0xB66BBBAA
-#pgp.megagod.net			11370 # Kullawat Chaowanawatee (0xC19EAE3A)
-pgp.rediris.es			11370 # Francisco.monserrat <francisco.monserrat at rediris.es> 0xD3A42C61
-#pki.colliertech.org		11370 # C.J. Adams-Collier <cjac at uw.edu> 0x8E562765BA27A83C
-ranger.ky9k.org			11370 # Brian D Heaton <pgp-keymaster at ky9k.org>       0x9A016118
-sks.alpha-labs.net 		11370 # Christian Reiss <email at christian-reiss.de> 0x44e29126abcd43c5
-sks.disunitedstates.com 	11370 # David Benfell <benfell at disunitedstates.com> 0x1236602B
-sks.ecks.ca			11370 # Eric Benoit <eric at ecks.ca> 0x69E65D2C
-sks.es.net			11370 # keymaster at es.net
-sks.fidocon.de			11370 # unknown
-sks.karotte.org			11370 # Sebastian Wiesinger <sebastian at karotte.org> 0x93A0B9CE
-sks.keyservers.net		11370 # John P. Clizbe <John at Gingerbear.net> 0xD6569825
-sks-peer.spodhuis.org		11370 # Phil Pennock <keyserver at spodhuis.org> 0x3903637F
-sks.pkqs.net			11370 # Stephan Beyer <s-beyer at gmx.net> 0xFCC5040F
-zimmermann.mayfirst.org		11370 # Daniel Kahn Gillmor <dkg at fifthhorseman.net> 0xCCD2ED94D21739E9
diff --git a/files/keyserver/sks.conf b/files/keyserver/sks.conf
deleted file mode 100644
index 2b87b46..0000000
--- a/files/keyserver/sks.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-ServerName keys.fedoraproject.org
-Listen 80.239.156.219:11371
-NameVirtualHost *:443
-
-<ifModule !mod_proxy.c>
-    LoadModule proxy_module modules/mod_proxy.so
-</IfModule>
-
-<IfModule !mod_proxy_http.c>
-    LoadModule proxy_http_module modules/mod_proxy_http.so
-</IfModule>
-
-<IfModule !mod_proxy_balancer.c>
-    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
-</IfModule>
-
-<IfModule !mod_headers.c>
-    LoadModule headers_module modules/mod_headers.so
-</IfModule>
-
-<IfModule !mod_authz_host.c>
-    LoadModule authz_host_module modules/mod_authz_host.so
-</IfModule>
-
-<IfModule !mod_log_config.c>
-    LoadModule log_config_module modules/mod_log_config.so
-</IfModule>
-
-<IfModule !mod_env.c>
-    LoadModule env_module modules/mod_env.so
-</IfModule>
-
-<Directory />
-    Options FollowSymLinks
-    AllowOverride None
-    Order deny,allow
-    Deny from all
-</Directory>
-
-<VirtualHost *:80>
-        ServerAdmin sysadmin-keys-members at fedoraproject.org
-        ServerName keys.fedoraproject.org
-        ProxyPass / http://127.0.0.1:11371/
-        ProxyPassReverse / http://127.0.0.1:11371/
-        SetEnv proxy-nokeepalive 1
-	ProxyVia Full
-</VirtualHost>
-<VirtualHost *:443>
-        ServerAdmin sysadmin-keys-members at fedoraproject.org
-        ServerName keys.fedoraproject.org
-	ServerAlias keys01.fedoraproject.org
-
-        SSLEngine on
-        SSLCertificateFile /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
-	SSLCertificateChainFile /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
-        SSLCertificateKeyFile /etc/pki/tls/wildcard-2013.fedoraproject.org.key
-	ProxyPass / http://localhost:11371/
-	ProxyPassReverse / http://localhost:11371/
-        SetEnv proxy-nokeepalive 1
-	ProxyVia Full
-</VirtualHost>
-<VirtualHost *:443>
-        ServerAdmin sysadmin-keys-members at fedoraproject.org
-        ServerName pool.sks-keyservers.net
-        ServerAlias sks-keyservers.net
-	ServerAlias *.sks-keyservers.net
-
-        SSLEngine on
-        SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
-        SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
-        ProxyPass / http://localhost:11371/
-        ProxyPassReverse / http://localhost:11371/
-        SetEnv proxy-nokeepalive 1
-	ProxyVia Full
-</VirtualHost>
-<VirtualHost *:11371>
-	ServerAdmin sysadmin-keys-members at fedoraproject.org
-	ServerName keys.fedoraproject.org
-	ProxyPass / http://127.0.0.1:11371/
-	ProxyPassReverse / http://127.0.0.1:11371/
-	SetEnv proxy-nokeepalive 1
-	ProxyVia Full
-</VirtualHost>
diff --git a/files/keyserver/sksconf b/files/keyserver/sksconf
deleted file mode 100644
index ae15003..0000000
--- a/files/keyserver/sksconf
+++ /dev/null
@@ -1,13 +0,0 @@
-basedir: /srv/sks
-#debuglevel: 10
-#debug:
-hostname: keys.fedoraproject.org
-hkp_address: 127.0.0.1
-hkp_port: 11371
-recon_port: 11370
-#gossip_interval: 1440
-stat_hour: 00
-initial_stat:
-membership_reload_interval: 1
-disable_mailsync:
-server_contact: 0x167B4A54236BBEAA37DCCD92ED14D5E7110810E9
diff --git a/files/keyserver/ssl.conf b/files/keyserver/ssl.conf
deleted file mode 100644
index c1ed750..0000000
--- a/files/keyserver/ssl.conf
+++ /dev/null
@@ -1,224 +0,0 @@
-#
-# This is the Apache server configuration file providing SSL support.
-# It contains the configuration directives to instruct the server how to
-# serve pages over an https connection. For detailing information about these 
-# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
-# 
-# Do NOT simply read the instructions in here without understanding
-# what they do.  They're here only as hints or reminders.  If you are unsure
-# consult the online docs. You have been warned.  
-#
-
-LoadModule ssl_module modules/mod_ssl.so
-
-#
-# When we also provide SSL we have to listen to the 
-# the HTTPS port in addition.
-#
-Listen 443
-
-##
-##  SSL Global Context
-##
-##  All SSL configuration in this context applies both to
-##  the main server and all SSL-enabled virtual hosts.
-##
-
-#   Pass Phrase Dialog:
-#   Configure the pass phrase gathering process.
-#   The filtering dialog program (`builtin' is a internal
-#   terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog  builtin
-
-#   Inter-Process Session Cache:
-#   Configure the SSL Session Cache: First the mechanism 
-#   to use and second the expiring timeout (in seconds).
-SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
-SSLSessionCacheTimeout  300
-
-#   Semaphore:
-#   Configure the path to the mutual exclusion semaphore the
-#   SSL engine uses internally for inter-process synchronization. 
-SSLMutex default
-
-#   Pseudo Random Number Generator (PRNG):
-#   Configure one or more sources to seed the PRNG of the 
-#   SSL library. The seed data should be of good random quality.
-#   WARNING! On some platforms /dev/random blocks if not enough entropy
-#   is available. This means you then cannot use the /dev/random device
-#   because it would lead to very long connection times (as long as
-#   it requires to make more entropy available). But usually those
-#   platforms additionally provide a /dev/urandom device which doesn't
-#   block. So, if available, use this one instead. Read the mod_ssl User
-#   Manual for more details.
-SSLRandomSeed startup file:/dev/urandom  256
-SSLRandomSeed connect builtin
-#SSLRandomSeed startup file:/dev/random  512
-#SSLRandomSeed connect file:/dev/random  512
-#SSLRandomSeed connect file:/dev/urandom 512
-
-#
-# Use "SSLCryptoDevice" to enable any supported hardware
-# accelerators. Use "openssl engine -v" to list supported
-# engine names.  NOTE: If you enable an accelerator and the
-# server does not start, consult the error logs and ensure
-# your accelerator is functioning properly. 
-#
-SSLCryptoDevice builtin
-#SSLCryptoDevice ubsec
-
-##
-## SSL Virtual Host Context
-##
-
-<VirtualHost _default_:443>
-
-# General setup for the virtual host, inherited from global configuration
-#DocumentRoot "/var/www/html"
-    #    ProxyPass / http://localhost:11371/
-     #   ProxyPassReverse / http://localhost:11371/
-#ServerName www.example.com:443
-
-# Use separate log files for the SSL virtual host; note that LogLevel
-# is not inherited from httpd.conf.
-ErrorLog logs/ssl_error_log
-TransferLog logs/ssl_access_log
-LogLevel warn
-
-#   SSL Engine Switch:
-#   Enable/Disable SSL for this virtual host.
-SSLEngine on
-
-#   SSL Protocol support:
-# List the enable protocol levels with which clients will be able to
-# connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
-
-#   SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
-
-#   Server Certificate:
-# Point SSLCertificateFile at a PEM encoded certificate.  If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase.  Note that a kill -HUP will prompt again.  A new
-# certificate can be generated using the genkey(1) command.
-SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
-
-#   Server Private Key:
-#   If the key is not combined with the certificate, use this
-#   directive to point at the key file.  Keep in mind that if
-#   you've both a RSA and a DSA private key you can configure
-#   both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
-
-#   Server Certificate Chain:
-#   Point SSLCertificateChainFile at a file containing the
-#   concatenation of PEM encoded CA certificates which form the
-#   certificate chain for the server certificate. Alternatively
-#   the referenced file can be the same as SSLCertificateFile
-#   when the CA certificates are directly appended to the server
-#   certificate for convinience.
-#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
-
-#   Certificate Authority (CA):
-#   Set the CA certificate verification path where to find CA
-#   certificates for client authentication or alternatively one
-#   huge file containing all of them (file must be PEM encoded)
-#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
-
-#   Client Authentication (Type):
-#   Client certificate verification type and depth.  Types are
-#   none, optional, require and optional_no_ca.  Depth is a
-#   number which specifies how deeply to verify the certificate
-#   issuer chain before deciding the certificate is not valid.
-#SSLVerifyClient require
-#SSLVerifyDepth  10
-
-#   Access Control:
-#   With SSLRequire you can do per-directory access control based
-#   on arbitrary complex boolean expressions containing server
-#   variable checks and other lookup directives.  The syntax is a
-#   mixture between C and Perl.  See the mod_ssl documentation
-#   for more details.
-#<Location />
-#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
-#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-#</Location>
-
-#   SSL Engine Options:
-#   Set various options for the SSL engine.
-#   o FakeBasicAuth:
-#     Translate the client X.509 into a Basic Authorisation.  This means that
-#     the standard Auth/DBMAuth methods can be used for access control.  The
-#     user name is the `one line' version of the client's X.509 certificate.
-#     Note that no password is obtained from the user. Every entry in the user
-#     file needs this password: `xxj31ZMTZzkVA'.
-#   o ExportCertData:
-#     This exports two additional environment variables: SSL_CLIENT_CERT and
-#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-#     server (always existing) and the client (only existing when client
-#     authentication is used). This can be used to import the certificates
-#     into CGI scripts.
-#   o StdEnvVars:
-#     This exports the standard SSL/TLS related `SSL_*' environment variables.
-#     Per default this exportation is switched off for performance reasons,
-#     because the extraction step is an expensive operation and is usually
-#     useless for serving static content. So one usually enables the
-#     exportation for CGI and SSI requests only.
-#   o StrictRequire:
-#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-#     under a "Satisfy any" situation, i.e. when it applies access is denied
-#     and no other module can change it.
-#   o OptRenegotiate:
-#     This enables optimized SSL connection renegotiation handling when SSL
-#     directives are used in per-directory context. 
-#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-<Files ~ "\.(cgi|shtml|phtml|php3?)$">
-    SSLOptions +StdEnvVars
-</Files>
-<Directory "/var/www/cgi-bin">
-    SSLOptions +StdEnvVars
-</Directory>
-
-#   SSL Protocol Adjustments:
-#   The safe and default but still SSL/TLS standard compliant shutdown
-#   approach is that mod_ssl sends the close notify alert but doesn't wait for
-#   the close notify alert from client. When you need a different shutdown
-#   approach you can use one of the following variables:
-#   o ssl-unclean-shutdown:
-#     This forces an unclean shutdown when the connection is closed, i.e. no
-#     SSL close notify alert is send or allowed to received.  This violates
-#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
-#     this when you receive I/O errors because of the standard approach where
-#     mod_ssl sends the close notify alert.
-#   o ssl-accurate-shutdown:
-#     This forces an accurate shutdown when the connection is closed, i.e. a
-#     SSL close notify alert is send and mod_ssl waits for the close notify
-#     alert of the client. This is 100% SSL/TLS standard compliant, but in
-#     practice often causes hanging connections with brain-dead browsers. Use
-#     this only for browsers where you know that their SSL implementation
-#     works correctly. 
-#   Notice: Most problems of broken clients are also related to the HTTP
-#   keep-alive facility, so you usually additionally want to disable
-#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
-#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
-#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-#   "force-response-1.0" for this.
-SetEnvIf User-Agent ".*MSIE.*" \
-         nokeepalive ssl-unclean-shutdown \
-         downgrade-1.0 force-response-1.0
-
-#   Per-Server Logging:
-#   The home of a custom SSL log file. Use this when you want a
-#   compact non-error SSL logfile on a virtual host basis.
-CustomLog logs/ssl_request_log \
-          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-</VirtualHost>                                  
-
diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index 10fa661..90cfb67 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -80,12 +80,6 @@
 - name: restart rsyslog
   action: service name=rsyslog state=restarted
 
-- name: restart sks-db
-  action: service name=sks-db state=restarted
-
-- name: restart sks-recon
-  action: service name=sks-recon state=restarted
-
 - name: restart sshd
   action: service name=sshd state=restarted
 
diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml
index ef2fb9c..4bc06fc 100644
--- a/playbooks/groups/keyserver.yml
+++ b/playbooks/groups/keyserver.yml
@@ -38,6 +38,7 @@
   - nagios_client
   - fas_client
   - fedmsg/base
+  - keyserver  
 
   tasks:
   - include: "{{ tasks }}/hosts.yml"
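Review bot: The added roles entry carries trailing whitespace (`  - keyserver  `); write it as `  - keyserver` so yamllint's trailing-spaces check and diffs stay clean. Ansible also runs every role in `roles:` before the play's `tasks:` list, so the keyserver role now executes ahead of `{{ tasks }}/apache.yml`, whereas the removed `tasks/keyserver.yml` include ran after it; if the role drops the httpd vhost config under conf.d or notifies an httpd restart (its tasks/main.yml is not in this excerpt), confirm that ordering is still correct or express the dependency explicitly in `roles/keyserver/meta/main.yml`. The play still includes `{{ handlers }}/restart_services.yml`, from which the sks-db/sks-recon handlers were removed, which is fine only because the diffstat shows the role shipping its own handlers/main.yml.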
@@ -47,7 +48,6 @@
   - include: "{{ tasks }}/motd.yml"
   - include: "{{ tasks }}/sudo.yml"
   - include: "{{ tasks }}/apache.yml"
-  - include: "{{ tasks }}/keyserver.yml"
 
   handlers:
   - include: "{{ handlers }}/restart_services.yml"
diff --git a/roles/keyserver/files/css.css b/roles/keyserver/files/css.css
new file mode 100644
index 0000000..99443a0
--- /dev/null
+++ b/roles/keyserver/files/css.css
@@ -0,0 +1,132 @@
+    * { font-family: helvetica, sans-serif; }
+ 
+    h1,
+    p {
+      margin: 0; /* Let's zero those margins */
+    }
+
+h2 {	color: #3c6eb4; margin: 0;}
+ 
+    #container {
+ /*     border: 1px solid #555; /* Nice transition from white background */
+      width: 600px; /* Should be narrow enough for small screens */
+      margin: 0 auto; /* Centering */
+      font-size: 1.1em; /* Font big enough not to need to squint */
+      line-height: 1.3em;
+
+    }
+ 
+    #title {
+ /*     background-color:#e2e5e2; */
+      padding: 10px;
+    }
+   
+    #title h1, #title h2 {
+      margin-top: 0.3em;
+    }
+ 
+    #info {
+      /* background-color:#e2e5e2; */
+      padding: 5px 10px;
+    }
+ 
+    #main {
+     /* background : #FAFBEA; */
+      padding: 0 10px 10px 10px;
+    }
+ 
+    #main header {
+      padding-top: 1em;
+    }
+ 
+    #main p {
+      margin: 0.5em 0;
+    }
+ 
+    #keytext {
+      width: 100%;
+      height: 150px;
+      border: 1px solid #555;
+      background : #fff;
+      max-width: 100%;
+      display: block;
+    }
+ 
+    ul {
+      width: 100%;
+      list-style-type: none;
+      padding-left: 0;
+    }
+ 
+    li {
+      width: 99%;
+    }
+ 
+    li label {
+      width: 57%;
+      display: inline-block;
+    }
+   
+    button {
+      border-radius: 3px;
+      -moz-border-radius: 3px;
+      background: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#ddd));
+      background: -moz-linear-gradient(top, #fff, #ddd);  
+      border: 1px solid #bbb;
+    }
+ 
+    #info p {line-height: 1.1em; margin-bottom: 0.3em;}
+
+
+
+#bodyform {
+	margin-top: 20px;
+	color: #555;
+	font-weight: normal;
+	font-size: 16px;
+
+}
+
+#headcontent {
+	width: 700px;
+	margin: auto;
+	display: table;
+
+}
+
+#lefttop {
+	float: left;
+	text-align: left;
+}
+
+#righttop {
+	float:right;
+	text-align: right;
+}
+
+hr {
+	background: #3c6eb4;
+	height: 8px;
+	border: 0px;
+}
+
+footer {
+	background: #3c6eb4;
+	margin: auto;
+	color: #fff;
+
+}
+
+footer p { width: 500px; margin: auto; text-align: center;}
+
+a {text-decoration: none; color: #B8C9FF; font-weight: bold;}
+
+fieldset {
+	border: 2px solid #4462C4;
+}
+
+legend {
+	color: #3c6eb4;
+}
+
+
diff --git a/roles/keyserver/files/index.html b/roles/keyserver/files/index.html
new file mode 100644
index 0000000..12b7be5
--- /dev/null
+++ b/roles/keyserver/files/index.html
@@ -0,0 +1,91 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> 
+<head>
+  <link rel="stylesheet" type="text/css" media="all" href="css.css" /> 
+  <title>Fedora Project GPG Key Server</title>
+</head>
+
+  <body> 
+
+<div id=bodyform>
+	<div id=headcontent>
+		<div id=lefttop>
+			<a href="https://fedoraproject.org">
+				<img src='https://fedoraproject.org/static/images/fedora-logo.png'>
+			</a>
+		</div>
+		<div id=righttop>
+			<h1>SKS OpenPGP Key server</h1> 
+			<h2>keys.fedoraproject.org</h2> 
+		</div>
+	</div>
+	<hr></hr>
+
+    <div id="container"> 
+ 
+      <div id="main" role="main"> 
+        <header> 
+          <h2>Extract a key</h2> 
+        </header> 
+        <p>You can find a key by typing in some words that appear in the
+          userid (name, email, etc.) of the key you're looking for, or
+          by typing in the keyid in hex format ("0x&#8230;")</p> 
+        <form id="lookup" action="/pks/lookup" method="get"> 
+          <fieldset checked="true"> <legend>Search for a public key</legend> 
+            <ul> 
+              <li> <label for="search">String</label> <input id="search"
+                  name="search" placeholder="0xDEADBEEF" required="" autofocus=""
+                  type="text"> </li> 
+              <li> <label for="fingerprint">Show PGP Fingerprints</label> 
+                <input id="fingerprint" name="fingerprint" type="checkbox"> 
+              </li> 
+              <li> <label for="hash">Show SKS full-key hashes</label> <input
+                  id="hash" name="hash" type="checkbox"> </li> 
+              <li> <label for="matching">Get regular index of matching
+                  keys</label> <input id="matching" name="op" value="index"
+                  type="radio"> </li> 
+              <li> <label for="verbose">Get verbose index of matching
+                  keys</label> <input id="verbose" name="op" value="vindex"
+                  checked="checked" type="radio"> </li> 
+              <li> <label for="asciiarmored">Retrieve ascii-armored
+                  keys</label> <input id="asciiarmored" name="op" value="get"
+                  type="radio"> </li> 
+              <li> <label for="fullkey">Retrieve keys by full-key hash</label> 
+                <input id="fullkey" name="op" value="hget" type="radio"> 
+              </li> 
+            </ul> 
+            <button type="reset">Reset</button> <button type="submit">Search
+ 
+ 
+ 
+ 
+ 
+ 
+              for a key</button> </fieldset> 
+        </form> 
+        <header> 
+          <h2>Submit a key</h2> 
+        </header> 
+        <p>You can submit a key by simply pasting in the ASCII-armored
+          version of your key and clicking on submit.</p> 
+        <form id="add" action="/pks/add" method="post"> 
+          <fieldset> <textarea id="keytext" name="keytext" rows="5" cols="30"></textarea> 
+            <button type="reset">Reset</button> <button checked="true"
+              type="submit">Submit this key</button></fieldset> 
+        </form> 
+      </div> 
+      <!-- end of #main -->  
+    </div> 
+    <!--! end of #container --> 
+      <footer id="info"> 
+        <p><a href="https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home">SKS</a> is
+          a new <a href="http://www.openpgp.org/">OpenPGP</a> 
+          keyserver. The main innovation of SKS is that it includes a
+          highly-efficient reconciliation algorithm for keeping the
+          keyservers synchronized.</p> 
+        <p style="text-align: center;"><a href="/pks/lookup?op=stats">SKS statistics</a></p> 
+      </footer>
+</div>
+  </body> 
+
+</html>
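Review bot: The page declares an XHTML 1.0 Transitional doctype on its first line but relies on HTML5-only elements and attributes (`<header>`, `<footer>`, `placeholder`, `required`, `autofocus`, `role`) and unquoted `id=` values, so validators and strict parsers will not agree on what the document is; `<!DOCTYPE html>` matches what the markup actually uses. The `checked="true"` attributes on the lookup form's `<fieldset>` and on the `Submit this key` `<button>` are not valid for those elements and have no effect, and `<hr></hr>` plus the run of blank lines inside the `Search for a key` button text are stray markup that can be dropped. Since the blob is moved unchanged (same index hash), this is equally suited to a follow-up commit rather than this migration.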
diff --git a/roles/keyserver/files/membership b/roles/keyserver/files/membership
new file mode 100644
index 0000000..42d57b3
--- /dev/null
+++ b/roles/keyserver/files/membership
@@ -0,0 +1,48 @@
+a.sks.srv.scientia.net		11370 # root at sks.srv.scientia.net
+key.adeti.org			11370 # Marco RODRIGUES <marco at adeti.org> 0x7CE697FC
+key.ip6.li			11370 # Christian Felsing <hostmaster at ip6.li> 0x5386E2A0
+keys2.kfwebs.net		11370 # 0x0B7F8B60E3EDFAE3
+keys.andreas-puls.de 		11370 # Andreas Puls <appu at gmx.net> 0xDAC73FA6
+#keys.christensenplace.us	11370 # Eric Christensen <eric at christensenplace.us> 0x024BB3D1
+keyserver.advmapper.com		11370 # Tyler Schwend <tylerschwend at gmail.com> 0xDB4B79F8
+keyserver.cns.vt.edu		11370 # Phil Benchoff <benchoff at vt.edu> <keymaster at cns.vt.edu>
+#keyserver.computer42.org	11370 # H.-Dirk Schmitt <dirk at computer42.org> 0x6A017B17
+keyserver.dacr.hu  		11370 # David Horvath <dacr at dacr.hu> 0x00CBC81A
+keyserver.gingerbear.net	11370 # John P. Clizbe <John at Gingerbear.net> 0xD6569825
+keyserver.kim-minh.com		11370 # Kim Minh Kaplan<kaplan+sks at kim-minh.com> 0xAF1E829C
+keyserver.kjsl.org		11370 # Javier Henderson <javier at kjsl.org> 0x9BF88EE5
+keyserver.nausch.org		11370 # Michael Nausch <michael at nausch.org> 0x2384C849 
+#key-server.nl			11370 # Wijnand Modderman-Lenstra <maze at key-server.nl> 0x294DF221
+keyserver.saol.no-ip.com	11370 # Peter <peter at saol.no-ip.com> 0x39E97290
+keyserver.secretresearchfacility.com 11370 # Stephan Seitz <s.seitz at secretresearchfacility.com> 0xAB83B1C3
+keyserver.serviz.fr		11370 # robert <sks(at)serviz(pt)fr> 0xEF333C7E
+keyserver.sincer.us 		11370 # Petru Ghita <petrutz at venaver.info> 0x7CF29D04
+keyserver.skoopsmedia.net	11370 # unknown
+#keyservers.org			11370 # Rob Hansen <rjh at sixdemonbag.org>
+keyserver.stack.nl		11370 # Johan van Selst <johans at stack.nl> 0xD3AE8D3A
+keyserver.ut.mephi.ru		11370 # Dmitry Yu Okunev <dyokunev at ut.mephi.ru> 0x8E30679C, pks team <pks at ut.mephi.ru>
+keyserver.vi-di.fr 		11370 # Frank Villaro-Dixon <keyserver at vi-di.fr>016106A6AF223DBE
+keys.exosphere.de		11370 # Christoph Gebhardt <chris at exosphere.de> 0xE1C2E92C
+keys.jhcloos.com  		11370 # James Cloos <cloos at jhcloos.com>  0xED7DAEA6
+keys.niif.hu			11370 # Gabor Kiss <kissg at ssg.ki.iif.hu>
+keys.thoma.cc			11370 # Maximilian Thoma <keys at thoma.cc> 0xB480AC4B
+#keys.wuschelpuschel.org		11370 # 0x017D1C3D Peter Kornherr <peter at wuschelpuschel.org>
+#openpgp1.claruscomms.net	11370 # unknown
+pgp.circl.lu			11370 # CIRCL - info at circl.lu - 0x22BD4CD5
+#pgp.codelabs.ru		11370 # Eygene Ryabinkin <rea at codelabs.ru> 0x8152ECFB
+pgp.jjim.de			11370 # Joel Garske <admin at pgp.jjim.de> 0xA921EB20
+pgpkeys.mallos.nl		11370 # Arnold Schekkerman <arnold at mallos.nl> 0xB66BBBAA
+#pgp.megagod.net			11370 # Kullawat Chaowanawatee (0xC19EAE3A)
+pgp.rediris.es			11370 # Francisco.monserrat <francisco.monserrat at rediris.es> 0xD3A42C61
+#pki.colliertech.org		11370 # C.J. Adams-Collier <cjac at uw.edu> 0x8E562765BA27A83C
+ranger.ky9k.org			11370 # Brian D Heaton <pgp-keymaster at ky9k.org>       0x9A016118
+sks.alpha-labs.net 		11370 # Christian Reiss <email at christian-reiss.de> 0x44e29126abcd43c5
+sks.disunitedstates.com 	11370 # David Benfell <benfell at disunitedstates.com> 0x1236602B
+sks.ecks.ca			11370 # Eric Benoit <eric at ecks.ca> 0x69E65D2C
+sks.es.net			11370 # keymaster at es.net
+sks.fidocon.de			11370 # unknown
+sks.karotte.org			11370 # Sebastian Wiesinger <sebastian at karotte.org> 0x93A0B9CE
+sks.keyservers.net		11370 # John P. Clizbe <John at Gingerbear.net> 0xD6569825
+sks-peer.spodhuis.org		11370 # Phil Pennock <keyserver at spodhuis.org> 0x3903637F
+sks.pkqs.net			11370 # Stephan Beyer <s-beyer at gmx.net> 0xFCC5040F
+zimmermann.mayfirst.org		11370 # Daniel Kahn Gillmor <dkg at fifthhorseman.net> 0xCCD2ED94D21739E9
diff --git a/roles/keyserver/files/sks.conf b/roles/keyserver/files/sks.conf
new file mode 100644
index 0000000..2b87b46
--- /dev/null
+++ b/roles/keyserver/files/sks.conf
@@ -0,0 +1,83 @@
+ServerName keys.fedoraproject.org
+Listen 80.239.156.219:11371
+NameVirtualHost *:443
+
+<ifModule !mod_proxy.c>
+    LoadModule proxy_module modules/mod_proxy.so
+</IfModule>
+
+<IfModule !mod_proxy_http.c>
+    LoadModule proxy_http_module modules/mod_proxy_http.so
+</IfModule>
+
+<IfModule !mod_proxy_balancer.c>
+    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+</IfModule>
+
+<IfModule !mod_headers.c>
+    LoadModule headers_module modules/mod_headers.so
+</IfModule>
+
+<IfModule !mod_authz_host.c>
+    LoadModule authz_host_module modules/mod_authz_host.so
+</IfModule>
+
+<IfModule !mod_log_config.c>
+    LoadModule log_config_module modules/mod_log_config.so
+</IfModule>
+
+<IfModule !mod_env.c>
+    LoadModule env_module modules/mod_env.so
+</IfModule>
+
+<Directory />
+    Options FollowSymLinks
+    AllowOverride None
+    Order deny,allow
+    Deny from all
+</Directory>
+
+<VirtualHost *:80>
+        ServerAdmin sysadmin-keys-members at fedoraproject.org
+        ServerName keys.fedoraproject.org
+        ProxyPass / http://127.0.0.1:11371/
+        ProxyPassReverse / http://127.0.0.1:11371/
+        SetEnv proxy-nokeepalive 1
+	ProxyVia Full
+</VirtualHost>
+<VirtualHost *:443>
+        ServerAdmin sysadmin-keys-members at fedoraproject.org
+        ServerName keys.fedoraproject.org
+	ServerAlias keys01.fedoraproject.org
+
+        SSLEngine on
+        SSLCertificateFile /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
+	SSLCertificateChainFile /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
+        SSLCertificateKeyFile /etc/pki/tls/wildcard-2013.fedoraproject.org.key
+	ProxyPass / http://localhost:11371/
+	ProxyPassReverse / http://localhost:11371/
+        SetEnv proxy-nokeepalive 1
+	ProxyVia Full
+</VirtualHost>
+<VirtualHost *:443>
+        ServerAdmin sysadmin-keys-members at fedoraproject.org
+        ServerName pool.sks-keyservers.net
+        ServerAlias sks-keyservers.net
+	ServerAlias *.sks-keyservers.net
+
+        SSLEngine on
+        SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
+        SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
+        ProxyPass / http://localhost:11371/
+        ProxyPassReverse / http://localhost:11371/
+        SetEnv proxy-nokeepalive 1
+	ProxyVia Full
+</VirtualHost>
+<VirtualHost *:11371>
+	ServerAdmin sysadmin-keys-members at fedoraproject.org
+	ServerName keys.fedoraproject.org
+	ProxyPass / http://127.0.0.1:11371/
+	ProxyPassReverse / http://127.0.0.1:11371/
+	SetEnv proxy-nokeepalive 1
+	ProxyVia Full
+</VirtualHost>
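Review bot: The three `<VirtualHost *:443>` blocks turn on `SSLEngine` and point at certificates but set no `SSLProtocol` or `SSLCipherSuite`, and because the hardening in ssl.conf (shipped by the same role) sits inside `<VirtualHost _default_:443>` rather than in the server context, these vhosts do not inherit it and run on mod_ssl's built-in defaults. Placing `SSLProtocol` and `SSLCipherSuite` in the global context of ssl.conf, or repeating them in each vhost here, would make one policy cover keys.fedoraproject.org and the pool.sks-keyservers.net vhost. Separately, `Listen 80.239.156.219:11371` hard-codes a single host's address into a role file that is otherwise host-independent; a template that takes the address from inventory would keep the role reusable. The file is moved verbatim, so both points predate this commit.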
diff --git a/roles/keyserver/files/sksconf b/roles/keyserver/files/sksconf
new file mode 100644
index 0000000..ae15003
--- /dev/null
+++ b/roles/keyserver/files/sksconf
@@ -0,0 +1,13 @@
+basedir: /srv/sks
+#debuglevel: 10
+#debug:
+hostname: keys.fedoraproject.org
+hkp_address: 127.0.0.1
+hkp_port: 11371
+recon_port: 11370
+#gossip_interval: 1440
+stat_hour: 00
+initial_stat:
+membership_reload_interval: 1
+disable_mailsync:
+server_contact: 0x167B4A54236BBEAA37DCCD92ED14D5E7110810E9
diff --git a/roles/keyserver/files/ssl.conf b/roles/keyserver/files/ssl.conf
new file mode 100644
index 0000000..c1ed750
--- /dev/null
+++ b/roles/keyserver/files/ssl.conf
@@ -0,0 +1,224 @@
+#
+# This is the Apache server configuration file providing SSL support.
+# It contains the configuration directives to instruct the server how to
+# serve pages over an https connection. For detailing information about these 
+# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
+# 
+# Do NOT simply read the instructions in here without understanding
+# what they do.  They're here only as hints or reminders.  If you are unsure
+# consult the online docs. You have been warned.  
+#
+
+LoadModule ssl_module modules/mod_ssl.so
+
+#
+# When we also provide SSL we have to listen to the 
+# the HTTPS port in addition.
+#
+Listen 443
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog  builtin
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
+SSLSessionCacheTimeout  300
+
+#   Semaphore:
+#   Configure the path to the mutual exclusion semaphore the
+#   SSL engine uses internally for inter-process synchronization. 
+SSLMutex default
+
+#   Pseudo Random Number Generator (PRNG):
+#   Configure one or more sources to seed the PRNG of the 
+#   SSL library. The seed data should be of good random quality.
+#   WARNING! On some platforms /dev/random blocks if not enough entropy
+#   is available. This means you then cannot use the /dev/random device
+#   because it would lead to very long connection times (as long as
+#   it requires to make more entropy available). But usually those
+#   platforms additionally provide a /dev/urandom device which doesn't
+#   block. So, if available, use this one instead. Read the mod_ssl User
+#   Manual for more details.
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random  512
+#SSLRandomSeed connect file:/dev/random  512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+    #    ProxyPass / http://localhost:11371/
+     #   ProxyPassReverse / http://localhost:11371/
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   SSL Protocol support:
+# List the enable protocol levels with which clients will be able to
+# connect.  Disable SSLv2 access by default:
+SSLProtocol all -SSLv2
+
+#   SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+
+#   Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate.  If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase.  Note that a kill -HUP will prompt again.  A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
+
+#   Server Private Key:
+#   If the key is not combined with the certificate, use this
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
+
+#   Server Certificate Chain:
+#   Point SSLCertificateChainFile at a file containing the
+#   concatenation of PEM encoded CA certificates which form the
+#   certificate chain for the server certificate. Alternatively
+#   the referenced file can be the same as SSLCertificateFile
+#   when the CA certificates are directly appended to the server
+#   certificate for convinience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+#   Certificate Authority (CA):
+#   Set the CA certificate verification path where to find CA
+#   certificates for client authentication or alternatively one
+#   huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+#   Client Authentication (Type):
+#   Client certificate verification type and depth.  Types are
+#   none, optional, require and optional_no_ca.  Depth is a
+#   number which specifies how deeply to verify the certificate
+#   issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth  10
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_ssl documentation
+#   for more details.
+#<Location />
+#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+    SSLOptions +StdEnvVars
+</Files>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+#   SSL Protocol Adjustments:
+#   The safe and default but still SSL/TLS standard compliant shutdown
+#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+#   the close notify alert from client. When you need a different shutdown
+#   approach you can use one of the following variables:
+#   o ssl-unclean-shutdown:
+#     This forces an unclean shutdown when the connection is closed, i.e. no
+#     SSL close notify alert is send or allowed to received.  This violates
+#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+#     this when you receive I/O errors because of the standard approach where
+#     mod_ssl sends the close notify alert.
+#   o ssl-accurate-shutdown:
+#     This forces an accurate shutdown when the connection is closed, i.e. a
+#     SSL close notify alert is send and mod_ssl waits for the close notify
+#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+#     practice often causes hanging connections with brain-dead browsers. Use
+#     this only for browsers where you know that their SSL implementation
+#     works correctly. 
+#   Notice: Most problems of broken clients are also related to the HTTP
+#   keep-alive facility, so you usually additionally want to disable
+#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+#   "force-response-1.0" for this.
+SetEnvIf User-Agent ".*MSIE.*" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+#   Per-Server Logging:
+#   The home of a custom SSL log file. Use this when you want a
+#   compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>                                  
+
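Review bot: `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW` in the `_default_:443` vhost still admits RC4, MEDIUM and LOW-strength ciphers, and `SSLProtocol all -SSLv2` leaves SSLv3 enabled. A stricter baseline such as `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4` and `SSLHonorCipherOrder on` is worth testing against the peers in the membership file; gpg and other SKS nodes are unlikely to need the weak suites. Putting these directives in the global context rather than inside this vhost would also let the vhosts in sks.conf pick them up. This file is a verbatim move, so the issue predates the commit.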
diff --git a/roles/keyserver/handlers/main.yml b/roles/keyserver/handlers/main.yml
new file mode 100644
index 0000000..eee9214
--- /dev/null
+++ b/roles/keyserver/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: restart sks-db
+  action: service name=sks-db state=restarted
+
+- name: restart sks-recon
+  action: service name=sks-recon state=restarted
+
diff --git a/roles/keyserver/tasks/main.yml b/roles/keyserver/tasks/main.yml
new file mode 100644
index 0000000..af7c672
--- /dev/null
+++ b/roles/keyserver/tasks/main.yml
@@ -0,0 +1,100 @@
+---
+- name: install sks
+  yum: name=sks state=installed
+  tags:
+  - packages
+
+- name: install mod_ssl
+  yum: name=mod_ssl state=installed
+  tags:
+  - packages
+
+- name: /srv/sks
+  file: >
+    path=/srv/sks
+    state=directory
+    owner=sks group=sks mode=0755
+
+- name: /srv/sks/membership
+  copy: src="membership" dest=/srv/sks/membership owner=sks group=sks mode=0644
+  tags:
+  - config
+
+- name: /srv/sks/sksconf
+  copy: src="sksconf" dest=/srv/sks/sksconf owner=sks group=sks mode=0644
+  tags:
+  - config
+
+- name: /srv/sks/web
+  file: >
+    path=/srv/sks/web
+    state=directory
+    owner=sks group=sks mode=0755
+
+- name: /srv/sks/web/index.html
+  copy: src="index.html" dest=/srv/sks/web/index.html owner=sks group=sks mode=0644
+  tags:
+  - config
+  with_items:
+- name: /srv/sks/web/css.css
+  copy: src="css.css" dest=/srv/sks/web/css.css owner=sks group=sks mode=0644
+  tags:
+  - config
+
+- name: /etc/httpd/conf.d/sks.conf
+  copy: src="sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644
+  tags:
+  - config
+
+- name: /etc/httpd/conf.d/ssl.conf
+  copy: src="ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644
+  tags:
+  - config
+
+- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
+  copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.cert owner=root group=root mode=0600
+  tags:
+  - config
+
+- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.key
+  copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.key" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.key owner=root group=root mode=0600
+  tags:
+  - config
+
+- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
+  copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert owner=root group=root mode=0600
+  tags:
+  - config
+
+- name: /etc/pki/tls/keys_fedoraproject_org.crt.pem
+  copy: src="{{ puppet_private }}/keys_fedoraproject_org.crt.pem" dest=/etc/pki/tls/keys_fedoraproject_org.crt.pem owner=root group=root mode=0600
+  tags:
+  - config
+
+- name: /etc/pki/tls/keys_fedoraproject_org.key
+  copy: src="{{ puppet_private }}/keys_fedoraproject_org.key" dest=/etc/pki/tls/keys_fedoraproject_org.key owner=root group=root mode=0600
+  tags:
+  - config
+
+- cron: name="regenerate stats hourly"
+        hour="*"
+        minute="5"
+        job="killall -SIGUSR2 sks-db"
+        state=present
+
+- name: Set sks-db to run on boot
+  service: name=sks-db enabled=yes
+  ignore_errors: true
+  notify:
+  - restart sks-db
+  tags:
+  - service
+
+- name: Set sks-recon to run on boot
+  service: name=sks-recon enabled=yes
+  ignore_errors: true
+  notify:
+  - restart sks-recon
+  tags:
+  - service
+
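Review bot: The `/srv/sks/web/index.html` task gained a bare `with_items:` line directly under its `- config` tag (the removed tasks/keyserver.yml had no such line), which YAML reads as `with_items: null`; depending on the Ansible version that either errors out or loops zero times, so as written index.html is not deployed. Deleting that line and restoring the blank line before `- name: /srv/sks/web/css.css` fixes it. None of the httpd-facing tasks (sks.conf, ssl.conf, the certificate and key copies) carries a `notify`, and the handlers added in this commit cover only sks-db and sks-recon, so a changed Apache config or certificate is not picked up until httpd is restarted by hand; a `restart httpd` handler with `notify` on those tasks would close that gap. `ignore_errors: true` on the two `service ... enabled=yes` tasks also hides a failure to enable the services at boot — if that is deliberate, a one-line comment saying why would help the next reader.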
diff --git a/tasks/keyserver.yml b/tasks/keyserver.yml
deleted file mode 100644
index 9cf3e2c..0000000
--- a/tasks/keyserver.yml
+++ /dev/null
@@ -1,100 +0,0 @@
----
-- name: install sks
-  yum: name=sks state=installed
-  tags:
-  - packages
-
-- name: install mod_ssl
-  yum: name=mod_ssl state=installed
-  tags:
-  - packages
-
-- name: /srv/sks
-  file: >
-    path=/srv/sks
-    state=directory
-    owner=sks group=sks mode=0755
-
-- name: /srv/sks/membership
-  copy: src="{{ files }}/keyserver/membership" dest=/srv/sks/membership owner=sks group=sks mode=0644
-  tags:
-  - config
-
-- name: /srv/sks/sksconf
-  copy: src="{{ files }}/keyserver/sksconf" dest=/srv/sks/sksconf owner=sks group=sks mode=0644
-  tags:
-  - config
-
-- name: /srv/sks/web
-  file: >
-    path=/srv/sks/web
-    state=directory
-    owner=sks group=sks mode=0755
-
-- name: /srv/sks/web/index.html
-  copy: src="{{ files }}/keyserver/index.html" dest=/srv/sks/web/index.html owner=sks group=sks mode=0644
-  tags:
-  - config
-
-- name: /srv/sks/web/css.css
-  copy: src="{{ files }}/keyserver/css.css" dest=/srv/sks/web/css.css owner=sks group=sks mode=0644
-  tags:
-  - config
-
-- name: /etc/httpd/conf.d/sks.conf
-  copy: src="{{ files }}/keyserver/sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644
-  tags:
-  - config
-
-- name: /etc/httpd/conf.d/ssl.conf
-  copy: src="{{ files }}/keyserver/ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644
-  tags:
-  - config
-
-- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
-  copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.cert owner=root group=root mode=0600
-  tags:
-  - config
-
-- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.key
-  copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.key" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.key owner=root group=root mode=0600
-  tags:
-  - config
-
-- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
-  copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert owner=root group=root mode=0600
-  tags:
-  - config
-
-- name: /etc/pki/tls/keys_fedoraproject_org.crt.pem
-  copy: src="{{ puppet_private }}/keys_fedoraproject_org.crt.pem" dest=/etc/pki/tls/keys_fedoraproject_org.crt.pem owner=root group=root mode=0600
-  tags:
-  - config
-
-- name: /etc/pki/tls/keys_fedoraproject_org.key
-  copy: src="{{ puppet_private }}/keys_fedoraproject_org.key" dest=/etc/pki/tls/keys_fedoraproject_org.key owner=root group=root mode=0600
-  tags:
-  - config
-
-- cron: name="regenerate stats hourly"
-        hour="*"
-        minute="5"
-        job="killall -SIGUSR2 sks-db"
-        state=present
-
-- name: Set sks-db to run on boot
-  service: name=sks-db enabled=yes
-  ignore_errors: true
-  notify:
-  - restart sks-db
-  tags:
-  - service
-
-- name: Set sks-recon to run on boot
-  service: name=sks-recon enabled=yes
-  ignore_errors: true
-  notify:
-  - restart sks-recon
-  tags:
-  - service
-
-- 
1.9.0


