sebix.hockeypuck

Hockeypuck

This role sets up hockeypuck using the available version of Go.

Hockeypuck is a modern OpenPGP key server written in Go.

This role also installs PostgreSQL and configures it as the backend for Hockeypuck. Hockeypuck is cloned to the server and built there. Systemd is used to manage the server.

Requirements

Role Variables

Here’s a list of variables with their default values:

hockeypuck_home: /var/lib/hockeypuck
hockeypuck_directory: "{{ hockeypuck_home }}/hockeypuck/"
hockeypuck_hostname: "{{ hostname|d(ansible_hostname)|d(inventory_hostname) }}"
hockeypuck_templates: "{{ hockeypuck_directory }}/contrib/templates"
hockeypuck_index_template: "{{ hockeypuck_templates }}/index.html.tmpl"
hockeypuck_vindex_template: "{{ hockeypuck_templates }}/index.html.tmpl"
hockeypuck_stats_template: "{{ hockeypuck_templates }}/stats.html.tmpl"
hockeypuck_webroot: "{{ hockeypuck_directory }}/contrib/webroot/"
hockeypuck_logfile: /var/log/hockeypuck/hockeypuck.log
hockeypuck_loglevel: INFO
hockeypuck_recondb: "{{ hockeypuck_home }}/recon.db"
hockeypuck_log_request_details: "true"
hockeypuck_peers: []
hockeypuck_blacklist: []
hockeypuck_conflux_recon_allowCIDRs: []
hockeypuck_conflux_recon_seenCacheSize: 72000
hockeypuck_hkp_bind: :11371
hockeypuck_git_version: branch-2.1
hockeypuck_contact: # no default
hockeypuck_hkp_ssl_enabled: false
hockeypuck_hkp_ssl_certificate: # no default
hockeypuck_hkp_ssl_key: # no default

Hostname

The hostname is used to name the host of the Hockeypuck instance in its configuration file.

If the variable hockeypuck_hostname isn't set:

  • The variable hostname is used. If that's not set,
  • ansible_hostname is used, which needs gathered facts. If facts aren't gathered,
  • inventory_hostname is used as a backup, which is always defined.

HKPS/SSL/TLS

To turn on HKPS, set the parameters like this:

hockeypuck_hkp_ssl_enabled: true
hockeypuck_hkp_ssl_certificate: "/path/to/certificate"
hockeypuck_hkp_ssl_key: "/path/to/private/key"

Peers

hockeypuck_peers can be a simple list:

- example.com
- example.net

This assumes the same address for HTTP and recon, with the default ports: 11371 for HTTP and 11370 for recon. The peer name will be peer$index.

Or, hockeypuck_peers can be a detailed map:

- name: full example
  http_addr: example.net
  http_addr_port: 11371
  recon_addr: example.net
  recon_addr_port: 11370

The ports are optional.
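The following Python function is an added example, not code from the sebix.hockeypuck role. It expands a hockeypuck_peers value written in either of the two forms above (plain hostnames, or maps with optional ports) into the fully populated map form, and rejects unknown keys and bad ports so that a typo such as recon_port does not silently fall back to a default. It assumes the $index in the generated peer name is 0-based.

```python
# Added example for the sebix.hockeypuck README; not code from the role itself.
# It accepts both shapes of hockeypuck_peers described above (a plain hostname,
# or a map with name/http_addr/recon_addr and optional ports) and expands every
# entry into the detailed form. Assumption: the "peer$index" name for a plain
# hostname uses a 0-based index, so the first entry becomes "peer0".

HTTP_PORT_DEFAULT = 11371   # HKP (HTTP) port, as stated in the README
RECON_PORT_DEFAULT = 11370  # recon port, as stated in the README

_ALLOWED_KEYS = {"name", "http_addr", "http_addr_port", "recon_addr", "recon_addr_port"}


def _port(value, index):
    """Coerce a port value to int and reject anything outside 1..65535."""
    try:
        port = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"peer {index}: port {value!r} is not an integer") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"peer {index}: port {port} is out of range")
    return port


def normalize_peers(peers):
    """Expand a hockeypuck_peers value into a list of fully populated peer maps.

    Strings become a peer with the same address for HTTP and recon and the
    default ports; maps are checked for required addresses, unknown keys and
    port ranges so that a typo does not silently fall back to a default.
    """
    result = []
    for index, entry in enumerate(peers):
        if isinstance(entry, str):
            addr = entry.strip()
            if not addr:
                raise ValueError(f"peer {index}: empty hostname")
            result.append({
                "name": f"peer{index}",  # assumption: 0-based $index
                "http_addr": addr,
                "http_addr_port": HTTP_PORT_DEFAULT,
                "recon_addr": addr,
                "recon_addr_port": RECON_PORT_DEFAULT,
            })
            continue

        if not isinstance(entry, dict):
            raise ValueError(f"peer {index}: expected a hostname or a map, got {type(entry).__name__}")
        unknown = set(entry) - _ALLOWED_KEYS
        if unknown:
            raise ValueError(f"peer {index}: unknown keys {sorted(unknown)}")
        for required in ("http_addr", "recon_addr"):
            if not entry.get(required):
                raise ValueError(f"peer {index}: {required} is required in the map form")

        result.append({
            "name": str(entry.get("name") or f"peer{index}"),
            "http_addr": entry["http_addr"],
            "http_addr_port": _port(entry.get("http_addr_port", HTTP_PORT_DEFAULT), index),
            "recon_addr": entry["recon_addr"],
            "recon_addr_port": _port(entry.get("recon_addr_port", RECON_PORT_DEFAULT), index),
        })
    return result


if __name__ == "__main__":
    # Constructed sample mirroring the README's two forms.
    sample = ["example.com", {"name": "full example", "http_addr": "example.net",
                              "recon_addr": "example.net", "recon_addr_port": 11370}]
    for peer in normalize_peers(sample):
        print(peer)
```

Run it as a script to see the expanded entries, or drop the function into a filter plugin so the same checks run before the configuration file is templated.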

If the Hockeypuck server is behind a reverse proxy, set hockeypuck_conflux_recon_allowCIDRs to the proxy's IP address. Hockeypuck allows incoming recon only from configured peers and the specified network ranges.

hockeypuck_conflux_recon_allowCIDRs:
  - 10.0.0.1/8
  - 192.168.0.1/32

Key Blacklisting

You can blacklist keys using the hockeypuck_blacklist option with one fingerprint per item:

hockeypuck_blacklist:
  - B4530375102C9EB270909C9C006694EB
  - a490d0f4d311a4153e2bb7cadbb802b258acd84f

For an existing useful blacklist, check out CIRCL's openpgp-keys-filterlists.
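The following Python check is an added example, not code from the sebix.hockeypuck role. A blacklist entry that is not actually a fingerprint (a short key ID, a stray "0x" prefix, a typo) ends up in the rendered config without blocking anything, so it is worth validating the list before templating. The check accepts the two fingerprint lengths the sample entries above use (40 hex digits for v4 keys, 32 for v3 keys), strips spaces and colons from pasted fingerprints, and de-duplicates case-insensitively; it makes no claim about how Hockeypuck itself matches case.

```python
import re

# Added example for the sebix.hockeypuck README; not code from the role itself.
# OpenPGP fingerprints are hexadecimal: 40 digits for v4 keys (SHA-1) and
# 32 digits for v3 keys (MD5), which are the two lengths the README's sample
# entries use. Hockeypuck's own matching rules (e.g. case handling) are not
# asserted here; the check only rejects values that cannot be a fingerprint,
# which would otherwise sit in the rendered config without blocking anything.

FINGERPRINT_LENGTHS = (32, 40)
_HEX = re.compile(r"[0-9A-Fa-f]+")


def normalize_fingerprint(entry):
    """Strip spaces and colons (common in pasted fingerprints); return None
    if the remainder is not 32 or 40 hex digits. Case is left untouched."""
    cleaned = re.sub(r"[\s:]", "", str(entry))
    if len(cleaned) not in FINGERPRINT_LENGTHS or not _HEX.fullmatch(cleaned):
        return None
    return cleaned


def validate_blacklist(entries):
    """Split a hockeypuck_blacklist value into (accepted, rejected).

    accepted: cleaned fingerprints in input order, de-duplicated case-insensitively.
    rejected: list of (original_entry, reason) tuples.
    """
    accepted, rejected, seen = [], [], set()
    for entry in entries:
        fp = normalize_fingerprint(entry)
        if fp is None:
            rejected.append((entry, "not a 32- or 40-digit hex fingerprint"))
            continue
        key = fp.lower()
        if key in seen:
            rejected.append((entry, "duplicate of an earlier entry"))
            continue
        seen.add(key)
        accepted.append(fp)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: the README's two entries plus typical mistakes.
    sample = [
        "B4530375102C9EB270909C9C006694EB",
        "a490d0f4d311a4153e2bb7cadbb802b258acd84f",
        "A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F",  # same key, spaced
        "006694EB",    # a short key ID, not a fingerprint
        "0xDEADBEEF",  # prefix and wrong length
    ]
    ok, bad = validate_blacklist(sample)
    print("accepted:", ok)
    for entry, reason in bad:
        print(f"rejected {entry!r}: {reason}")
```

Feed the accepted list into hockeypuck_blacklist and treat any rejected entry as a configuration error rather than a warning, since a silently ignored entry is the failure mode you are trying to avoid.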

Dependencies

This installs Go on the server using gantsign.golang.

Example Playbook

Here’s an example of a playbook:

- hosts: servers
  roles:
    - sebix.hockeypuck
  vars:
    # optional variables, see above for a complete list, including default values
    golang_version: "1.19"   # quoted so YAML keeps it a string (1.20 would otherwise parse as 1.2)
    hockeypuck_contact: "YOUR_KEY_FINGERPRINT"

License

BSD-3-Clause

Author Information

Visit Intevation for more information.

Project information

Installing and setting up the Hockeypuck OpenPGP key server

Install
ansible-galaxy install sebix.hockeypuck