This is a custom installation of OpenPGP CA for the FSFE.
OpenPGP CA (certificate authority) is a tool for managing OpenPGP keys within groups or organizations. In the FSFE case, it allows FSFE users to import their public keys into our key store, have them signed by the FSFE CA, and make them available via WKD (Web Key Directory).
This project consists of four parts:

openpgp-ca
: the base service, managing the CA and exporting the WKD. Not running permanently.

openpgp-ca-restd
: the REST API that allows fsfe-cd (our user interface on my.fsfe.org) to interact with the OpenPGP CA database.

openpgp-ca-wkd
: a simple webserver, exposing the WKD directory to the public.

openpgp-ca-keys
: a simple webserver, serving keys.fsfe.org and providing the plain-text ASCII keys.

The openpgp-ca-restd container is connected to the fsfe-cd Docker network.
The WKD has to be exported from openpgp-ca. Because this service does not run permanently, the following command has to be issued on the server's CLI (with `--rm`, so the one-off container is removed afterwards, as in the cron jobs):

```sh
docker run --rm -v "/srv/openpgp-ca/data:/var/run/openpgp-ca/" -v "/srv/openpgp-ca/wkd:/tmp/wkd" openpgp-ca:latest wkd export /tmp/wkd/
```

Note that we have to mount the volumes explicitly: the CA database lives in `/srv/openpgp-ca/data` on the host, and the exported WKD tree is written to `/srv/openpgp-ca/wkd`, which openpgp-ca-wkd serves.
In summary, we have the following cronjobs running:

```crontab
# Export OpenPGP-CA WKD and ASCII keys, and once per day delete all keys to catch stale ones
2 2 * * * rm /srv/openpgp-ca/wkd/.well-known/openpgpkey/fsfe.org/hu/* > /dev/null 2>&1
3 2 * * * rm /srv/openpgp-ca/keys/* > /dev/null 2>&1
* * * * * docker run --rm -v "/srv/openpgp-ca/data:/var/run/openpgp-ca/" -v "/srv/openpgp-ca/wkd:/tmp/wkd" openpgp-ca:latest wkd export /tmp/wkd > /dev/null 2>&1
* * * * * docker run --rm -v "/srv/openpgp-ca/data:/var/run/openpgp-ca/" -v "/srv/openpgp-ca/keys:/tmp/keys" openpgp-ca:latest user export -p /tmp/keys > /dev/null 2>&1
```

The daily `rm` lines exist because `wkd export` and `user export` only add and update files; a key whose user was removed from the CA database would otherwise stay published forever. The price is a short window every night: between the 02:02 wipe and the next per-minute export (about a minute at most), WKD lookups for fsfe.org return nothing, and the same holds for the ASCII keys after 02:03.
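The nightly wipe above catches stale keys by deleting everything and re-exporting. An alternative is to compare the exported WKD tree against the list of users who should be published, which also serves as a check that an export actually produced the file a client will look up. The following is an added example for this README, not code from OpenPGP CA or the FSFE setup. It implements the WKD file-name mapping (z-base-32 of the SHA-1 of the lowercased local part) as specified for the Web Key Directory, assumes the layout `wkd export` writes (`.well-known/openpgpkey/<domain>/hu/<hash>` plus the `policy` file), and audits a constructed sample tree; the addresses and the key bytes in it are placeholders, not real FSFE users or keys.

```python
"""Audit an exported WKD tree against the addresses that should be in it.

Added example; not part of OpenPGP CA or the FSFE deployment. The expected
address list and the sample tree built by demo() are constructed.
"""
import hashlib
import os
import tempfile

# z-base-32 alphabet, as used by the Web Key Directory specification
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, MSB first, no padding (20 bytes -> 32 chars)."""
    total_bits = len(data) * 8
    nchars = (total_bits + 4) // 5
    # right-pad to a whole number of 5-bit groups, then emit from the top
    value = int.from_bytes(data, "big") << (nchars * 5 - total_bits)
    return "".join(
        ZBASE32_ALPHABET[(value >> ((nchars - 1 - i) * 5)) & 0x1F]
        for i in range(nchars)
    )


def wkd_hash(address: str) -> str:
    """WKD file name for an address: z-base-32(SHA-1(lowercased local part))."""
    local_part = address.rsplit("@", 1)[0].lower()
    return zbase32_encode(hashlib.sha1(local_part.encode("utf-8")).digest())


def wkd_domain_dir(root: str, domain: str) -> str:
    """Directory for one domain inside an exported tree (advanced method layout)."""
    return os.path.join(root, ".well-known", "openpgpkey", domain.lower())


def audit_wkd(root: str, domain: str, expected_addresses):
    """Compare hu/ with the addresses that should be published.

    Returns (missing, stale, policy_present):
      missing        - expected addresses with no key file under hu/
      stale          - file names under hu/ that belong to no expected address
      policy_present - whether the mandatory (empty) `policy` file exists
    """
    domain_dir = wkd_domain_dir(root, domain)
    hu_dir = os.path.join(domain_dir, "hu")
    present = set(os.listdir(hu_dir)) if os.path.isdir(hu_dir) else set()
    expected = {
        wkd_hash(a): a
        for a in expected_addresses
        if a.rsplit("@", 1)[1].lower() == domain.lower()
    }
    missing = sorted(a for h, a in expected.items() if h not in present)
    stale = sorted(present - set(expected))
    policy_present = os.path.isfile(os.path.join(domain_dir, "policy"))
    return missing, stale, policy_present


def build_sample_wkd(root: str, domain: str, addresses, stale_names):
    """Construct a fake export tree; file contents are placeholders, not keys."""
    domain_dir = wkd_domain_dir(root, domain)
    hu_dir = os.path.join(domain_dir, "hu")
    os.makedirs(hu_dir, exist_ok=True)
    open(os.path.join(domain_dir, "policy"), "wb").close()
    for a in addresses:
        with open(os.path.join(hu_dir, wkd_hash(a)), "wb") as f:
            f.write(b"placeholder binary OpenPGP certificate for " + a.encode())
    for name in stale_names:
        with open(os.path.join(hu_dir, name), "wb") as f:
            f.write(b"placeholder for a key whose user was removed")


def demo():
    """Build a constructed tree and audit it; returns (missing, stale, policy_present)."""
    root = tempfile.mkdtemp(prefix="wkd-audit-")
    domain = "fsfe.org"
    published = ["Alice@fsfe.org", "bob@fsfe.org"]            # assumed, exported earlier
    expected = ["alice@fsfe.org", "bob@fsfe.org", "carol@fsfe.org"]  # assumed CA user list
    leftover = wkd_hash("olduser@fsfe.org")                   # user since removed from the CA
    build_sample_wkd(root, domain, published, [leftover])
    return audit_wkd(root, domain, expected)


if __name__ == "__main__":
    missing, stale, policy_ok = demo()
    print("missing:", missing)
    print("stale:", stale)
    print("policy file present:", policy_ok)
```

Run against the real tree with `audit_wkd("/srv/openpgp-ca/wkd", "fsfe.org", addresses)`, where the address list comes from the CA database (for example via openpgp-ca-restd); anything reported as stale can then be removed individually instead of wiping `hu/` and waiting for the next export. Addresses are lowercased before hashing because WKD clients do the same, so `Alice@fsfe.org` and `alice@fsfe.org` resolve to one file.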