diff --git a/README.md b/README.md index 545c0af..a49e081 100644 --- a/README.md +++ b/README.md @@ -1,24 +1,16 @@ # jake's keyserver This program pokes gpg when it receives a key. Then it does stuff to the output gpg produces and stores it in a postgres database. -This program is exceedingly fragile; thanks to it's reliance on GnuPG. - -On gpg-2.2.x and on gpg-2.4.x --with-colons flag on a file has differing outputs, 2.2.x omitting signature records but 2.4.x not omitting signature records. - -To show the signature records for 2.2.x gpg, one must import the key then run 'gpg --with-colons --list-sigs john@domain'. -On 2.4.x, --with-colons will show them without having to import the key. - -Due to this, I've opted to always import key, plug that output to a bunch of regexs, then delete them. Meaning, if you upload your own key while the program is running as your user, it will delete your own key. ## Features * 'Secret' upload path. * Disable upload for secret, normal path, or both. For when you don't want people to upload keys. ## Requirements -* Relevant Mojo/Mojolicious modules +* Perl v5.38.0 or greater +* Relevant Mojo/Mojolicious modules and other Perl modules * Postgresql server -* GnuPG -* A dedicated user (DO NOT RUN AS YOUR DAILY USER) +* A dedicated user would be nice ### Install on your distro Maybe it is packaged by your distro maintainers? 
@@ -27,27 +19,51 @@ Maybe it is packaged by your distro maintainers? ``` apt install libmojolicious-perl libmojo-pg-perl ``` -(Not sure if you'll need to cpan Mojo::File and/or Mojo::Util) +Note: the latest Perl at the time of writing on Debian stable is v5.36.x which doesn't have class support... I really wanted to use class(). Sorry! +So, you're likely better off installing perlbrew and having the dedicated user that will run this program compile and install v5.38.x. + +### perlbrew (with Debian 12.8) +``` +% sudo apt install perlbrew +% sudo -u jjakkekeyserver perlbrew init +% echo 'source ~/perl5/perlbrew/etc/bashrc' | sudo -u jjakkekeyserver tee -a /var/jjakkekeyserver/.profile +% sudo -u jjakkekeyserver perlbrew available # pick at least v5.38.x. Here I pick 5.40.x +% sudo -u jjakkekeyserver perlbrew install perl-5.40.0 # this *will* take a while +% sudo -u jjakkekeyserver perlbrew install-cpanm +% sudo chsh jjakkekeyserver -s /bin/bash # we will set this back to /bin/nologin later +% sudo -u jjakkekeyserver -i +jjakkekeyserver% PERL_CPANM_HOME=/tmp cpanm DBD::Pg # needs postgresql-server-dev-xx (on debian) +jjakkekeyserver% cpanm Mojolicious Mojo::Pg # AND postgres itself must be running + # DBD::Pg test wants to poke stuff, fails otherwise +jjakkekeyserver% perl ./keyserver # see whats broken or not. +# after you've made sure it works... +jjakkekeyserver% exit +% sudo chsh jjakkekeyserver -s /bin/nologin +``` + +#### postgres +``` +% sudo apt install postgresql postgresql-server-dev-xx +% sudo -u postgres psql # test if 'active' so to speak. +``` +Follow instructions from 'Create relevent details for the database.' 
### Install via cpan (or cpan-minus, considered way better by most) ``` cpanm Mojolicious Mojo::Pg Mojo::File Mojo::Util ``` -Installing via cpan(m) will work because the Mojolicious devs are competent (to be more specific, they opt to recreate everything, that way if a dependancy breaks because the author is ignoring issues or fucking DEAD there won't be permanently broken cpan repos that mojolicious depends on) +Installing via cpan(m) will work because the Mojolicious devs are competent (to be more specific, they opt to recreate everything, that way if a dependency breaks because the author is ignoring issues or fucking DEAD there won't be permanently broken cpan repos that mojolicious depends on) ## To use ### Create a dedicated user to run this program ``` -sudo useradd --system -m /var/jjakkekeyserver --shell /bin/nologin jjakkekeyserver -sudo chmod 700 /var/jjakkekeyserver -sudo -u jjakkekeyserver --set-home gpg # gpg needs to create some files or it won't work right. press Ctrl + D to exit it. +sudo useradd --system --create-home --home-dir /var/jjakkekeyserver --shell /bin/nologin jjakkekeyserver ``` ### Create the config file ``` cp keyserver.conf.example keyserver.conf ``` -Note that hypnotoad/morbo looks for the config file in the same directory as it was called from. I have no idea how to change this as there isn't a --config-file option one can use with hypnotoad or morbo. ### Create relevant details for the database. An example that you may follow: 
@@ -57,12 +73,13 @@ postgres=# create database jjakkekeyserverdb; postgres=# create user jjakkekeyserver with encrypted password 'password'; postgres=# grant all privileges on database jjakkekeyserverdb to jjakkekeyserver; postgres=# \c jjakkekeyserverdb; -postgres=# grant all privileges on schema public to jjakkekeyserver; +jjakkekeyserverdb=# grant all privileges on schema public to jjakkekeyserver; +jjakkekeyserverdb=# exit ``` ### Start Program ``` -sudo -u jjakkekeyserver hypnotoad -f keyserver; # -f = starts in foreground +sudo -u jjakkekeyserver hypnotoad -f keyserver ./keyserver.conf; # -f = starts in foreground ``` ### Proxy @@ -71,11 +88,21 @@ It's a good idea to proxy this program behind another dedicated program that lis ## Usage ### GnuPG examples ``` -gpg --keyserver hkp://hostname --send-keys -gpg --keyserver hkp://hostname --search-keys -gpg --keyserver hkp://hostname --recv-keys +gpg --keyserver hkp(s)://hostname --send-keys +gpg --keyserver hkp(s)://hostname --search-keys +gpg --keyserver hkp(s)://hostname --recv-keys ``` ### Web browser -http://hostname +http(s)://hostname + +## SystemD + +Make sure the service file actually makes sense for your use case; unless you've followed the guide in this README, it most certainly does not. +``` +vim jjakkekeyserver.service +sudo cp jjakkekeyserver.service /etc/systemd/system +sudo systemctl daemon-reload +sudo systemctl start jjakkekeyserver.service +``` diff --git a/keyserver.conf.example b/keyserver.conf.example index 11cc410..6204c3c 100644 --- a/keyserver.conf.example +++ b/keyserver.conf.example @@ -1,9 +1,9 @@ { hypnotoad => { listen => [ - 'http://127.0.0.55:8080' # .55 not .1 + 'http://127.0.0.1:8080' ], - pid_file => '/var/run/jjakkekeyserver.pid', + pid_file => './jjakkekeyserver.pid', workers => 6 }, pguser => 'jjakkekeyserver',
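Review bot: in the first README hunk (`@@ -1,24 +1,16 @@`) GnuPG is removed from Requirements together with the 2.2.x/2.4.x `--with-colons` caveats, but the opening paragraph that the hunk keeps still says the program "pokes gpg when it receives a key" and stores "the output gpg produces"; either that description is stale and should be rewritten, or gpg is still a runtime dependency and belongs back in the list, and the hunk should say which. In the same hunk `* A dedicated user (DO NOT RUN AS YOUR DAILY USER)` becomes `* A dedicated user would be nice`, yet every later step (useradd, perlbrew installed as that account, the systemd unit) still assumes a dedicated account and the service accepts uploads from the network; keep the requirement firm, for example `* A dedicated user (do not run this as your daily user)`, and if the "it will delete your own key" hazard is really gone, state that instead of leaving it to be inferred from the deletion.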
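Review bot: the perlbrew hunk (`@@ -27,27 +19,51 @@`) removes `sudo chmod 700 /var/jjakkekeyserver` from the dedicated-user step without a replacement, while the same hunk now puts the perlbrew tree, `.profile`, and (via the relative pid_file and `./keyserver.conf` later in the patch) the pid file and the config holding the database password in that home directory; restore the chmod, or set `--home-dir` with a restrictive mode at useradd time. Also in this hunk, `PERL_CPANM_HOME=/tmp cpanm DBD::Pg` points cpanm's work and build directory at a shared world-writable location; leave it at the default under the account's home, or use a `mktemp -d` directory, and explain why the override is there at all. The ordering is backwards for the reader: the comments say DBD::Pg needs `postgresql-server-dev-xx` and a running server, but the `#### postgres` subsection that installs and checks them comes after the cpanm lines, so move it above the cpanm step. The chsh round trip (`sudo chsh jjakkekeyserver -s /bin/bash`, later back to `/bin/nologin`) can be avoided with `sudo -u jjakkekeyserver -H -s` or `sudo -u jjakkekeyserver -H bash -l`, which gives an interactive shell without ever granting the service account a login shell; whichever way, confirm the nologin path exists on the target (`command -v nologin`, Debian installs it under /usr/sbin), since useradd in the same hunk uses `/bin/nologin` too. Finally, appending `source ~/perl5/perlbrew/etc/bashrc` to `.profile` only affects login shells; the systemd unit added later in the patch will not source it, so the README needs a sentence that the unit's ExecStart (or Environment=PATH) must point at the perlbrew perl, otherwise hypnotoad runs under the system 5.36 that the note above says lacks `class`. Minor: the cross-reference reads 'Create relevent details' while the heading is 'Create relevant details'.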
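Review bot: in the database/start hunk (`@@ -57,12 +73,13 @@`) the new start line `sudo -u jjakkekeyserver hypnotoad -f keyserver ./keyserver.conf;` passes a config file as a second positional argument, but hypnotoad itself only takes the application script (`hypnotoad [OPTIONS] [APPLICATION]`), which is what the note deleted in the previous hunk ("there isn't a --config-file option") correctly said. If the keyserver script now reads its config path from `@ARGV`, document that under 'Create the config file' (the deleted note about where the file is looked up has no replacement), and say what happens when the argument is omitted; if it does not, the argument is silently ignored and the reader should be pointed at the Mojolicious default (`keyserver.conf` next to the script, or the `MOJO_CONFIG` environment variable) instead. The `jjakkekeyserverdb=#` prompt fix and the `exit` line are good. Two small additions would help: say that the `'password'` in `create user ... with encrypted password 'password'` is a placeholder that must be generated and copied into `pguser`/the password field of `keyserver.conf`, and note that `grant all privileges on schema public` is needed only if the application creates its own tables; otherwise grant only the table privileges it uses.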
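Review bot: in the usage/systemd hunk (`@@ -71,11 +88,21 @@`) `gpg --keyserver hkp(s)://hostname --send-keys` is not a URL gpg will accept as written; show the two schemes on their own lines, `hkps://hostname` for the TLS endpoint behind the proxy described in the Proxy section and `hkp://hostname` for plain HTTP, and the same for `http(s)://hostname` under 'Web browser'. The SystemD section tells the reader to `vim jjakkekeyserver.service` and that the shipped unit "most certainly does not" fit unless this README was followed, but does not say what it assumes; list the settings that must match the steps above: `User=jjakkekeyserver`, `WorkingDirectory=/var/jjakkekeyserver` (the config file and the relative pid_file from the conf hunk are resolved against the working directory), and an ExecStart that uses the perlbrew hypnotoad rather than the system one. `systemctl start` alone does not survive a reboot; add `sudo systemctl enable jjakkekeyserver.service` if that is intended.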
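Review bot: in the keyserver.conf.example hunk, `pid_file => './jjakkekeyserver.pid'` is resolved relative to wherever hypnotoad was started, so a later `hypnotoad keyserver` for a hot deploy or `hypnotoad -s` run from another directory will not find the running instance, and under systemd without `WorkingDirectory=` the file lands in `/`. An absolute path inside the dedicated account's home, e.g. `pid_file => '/var/jjakkekeyserver/jjakkekeyserver.pid'`, keeps the benefit of the change (no root-owned `/var/run` to write into) without the cwd dependency. The move from `127.0.0.55:8080` to `127.0.0.1:8080` is fine given the Proxy section, but the deleted `# .55 not .1` comment suggests the old address was deliberate; a one-line comment that the listener is loopback-only because a reverse proxy in front terminates TLS would stop the next reader from changing it to `0.0.0.0`.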