Latest commit: Max Mehl, 2feae2620d (1 week ago)
This is a custom installation of OpenPGP CA for the FSFE.
OpenPGP CA (certificate authority) is a tool for managing OpenPGP keys within groups or organizations. In the FSFE case, it allows FSFE users to import their public keys into our key store, have them signed by the FSFE CA, and make them available via WKD (Web Key Directory).
This project consists of three parts:

- `openpgp-ca`: the base service, managing the CA and exporting the WKD. Not running permanently.
- `openpgp-ca-restd`: the REST API that allows fsfe-cd (our user interface on my.fsfe.org) to interact with the OpenPGP CA database.
- `openpgp-ca-wkd`: a simple webserver, exposing the WKD directory to the public.
- `openpgp-ca-keys`: a simple webserver, serving keys.fsfe.org and providing the plain-text ASCII-armored keys.
The `openpgp-ca-restd` container is connected to the fsfe-cd Docker
The WKD has to be exported from `openpgp-ca`. Because this service does not run permanently, the following command has to be issued on the

```sh
docker run -v "/srv/openpgp-ca/data:/var/run/openpgp-ca/" -v "/srv/openpgp-ca/wkd:/tmp/wkd" openpgp-ca:latest wkd export /tmp/wkd/
```
Note that we have to mount the volumes explicitly.
In summary, we have the following cronjobs running:
```
# Export OpenPGP-CA WKD and ASCII keys, and once per day delete all keys to catch stale ones
2 2 * * * rm /srv/openpgp-ca/wkd/.well-known/openpgpkey/fsfe.org/hu/* > /dev/null 2>&1
3 2 * * * rm /srv/openpgp-ca/keys/* > /dev/null 2>&1
* * * * * docker run --rm -v "/srv/openpgp-ca/data:/var/run/openpgp-ca/" -v "/srv/openpgp-ca/wkd:/tmp/wkd" openpgp-ca:latest wkd export /tmp/wkd > /dev/null 2>&1
* * * * * docker run --rm -v "/srv/openpgp-ca/data:/var/run/openpgp-ca/" -v "/srv/openpgp-ca/keys:/tmp/keys" openpgp-ca:latest user export -p /tmp/keys > /dev/null 2>&1
```
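Because the nightly job wipes the `hu/` directory and relies on the per-minute export to repopulate it, it is worth having a check that the exported WKD actually contains the expected key files. The script below is an added example, not part of OpenPGP CA or this deployment: it computes the WKD `hu/` file name (SHA-1 of the lowercased local part, z-base-32 encoded, as in the Web Key Directory draft) and reports addresses whose key file is missing or empty under an export root such as `/srv/openpgp-ca/wkd`. The address `Joe.Doe@Example.ORG` and the fixture built by `demo()` are constructed test data.

```python
"""Check that an exported WKD directory contains the key for each address."""
import hashlib
import tempfile
from pathlib import Path

# z-base-32 alphabet used by WKD for the hu/ file name
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding (5 bits per character)."""
    out, bits, value = [], 0, 0
    for byte in data:
        value = (value << 8) | byte
        bits += 8
        while bits >= 5:
            out.append(ZB32_ALPHABET[(value >> (bits - 5)) & 31])
            bits -= 5
    if bits:  # SHA-1 is 160 bits, so this branch is unused for WKD hashes
        out.append(ZB32_ALPHABET[(value << (5 - bits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD hu/ file name: z-base-32 of SHA-1 over the lowercased local part."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_key_path(export_root: Path, address: str) -> Path:
    """Path where the exported key for `address` must live under `export_root`."""
    local_part, _, domain = address.rpartition("@")
    return (export_root / ".well-known" / "openpgpkey" / domain.lower()
            / "hu" / wkd_hash(local_part))


def check_wkd_export(export_root, addresses):
    """Return the addresses whose key file is missing or empty in the export."""
    root = Path(export_root)
    return [a for a in addresses
            if not wkd_key_path(root, a).is_file()
            or wkd_key_path(root, a).stat().st_size == 0]


def demo():
    """Constructed fixture: an export with one key, checked for two addresses."""
    root = Path(tempfile.mkdtemp())
    present = wkd_key_path(root, "Joe.Doe@Example.ORG")
    present.parent.mkdir(parents=True)
    present.write_bytes(b"constructed placeholder, not a real OpenPGP key")
    return check_wkd_export(root, ["joe.doe@example.org", "jane@example.org"])
```

Run it against the real export root after the 02:02 cron job to confirm the per-minute export has repopulated `hu/` for every user you expect to be published.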