Hockeypuck is an OpenPGP public keyserver, implementing the HKP draft
protocol specification, as well as several extensions to the protocol supported
by SKS. Project homepage: https://hockeypuck.github.io/

Project Docs

Refer to the Hockeypuck project website for general information about the workload deployed by this charm.

Deploying Hockeypuck with Juju

Prerequisites

Juju 1.23.2 or later is recommended to make full use of this charm's juju actions. Install a recent version of juju with:

sudo apt-add-repository ppa:juju/stable

Deploying Hockeypuck

Deploy a Hockeypuck service:

juju deploy cs:~hockeypuck/trusty/hockeypuck

Deploy MongoDB and relate it:

juju deploy mongodb

juju add-relation mongodb hockeypuck

HTTP reverse-proxy

Expose Hockeypuck on port 80 behind haproxy.

juju deploy haproxy

juju add-relation hockeypuck:website haproxy:reverseproxy

juju expose haproxy

Or behind squid for caching.

juju deploy squid-reverseproxy

juju add-relation hockeypuck:website squid-reverseproxy

juju set squid-reverseproxy port=11371

juju expose squid-reverseproxy

Actions

This charm provides several useful actions for managing your new keyserver.

fetch-keyfiles

fetch-keyfiles downloads OpenPGP binary keyfiles from a remote location to a local directory on the keyserver.

Parameters

src

Required. The remote location to fetch keyfiles from. This is expected to be a
directory containing concatenated OpenPGP public keys in RFC 4880 binary
format. These are the files typically produced by an SKS dump, and should have
a *.pgp file extension.

rsync://, http:// and ftp:// protocols are supported.

Please be mindful of the network activity that this action can place on the
remote server hosting the files. Use sparingly on global pool dumps; otherwise
mirror the files.

dest

Local directory where the files will be stored. /srv/hockeypuck/import is the
default if not specified.

load-keyfiles

Stops the hockeypuck service and loads keyfiles into Hockeypuck.

Parameters

path

Local directory where files will be loaded from. /srv/hockeypuck/import is the
default.
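As an added example (not part of the charm or of Hockeypuck itself), the following Python script checks a local import directory before load-keyfiles stops the service. A dump of concatenated binary public keys should begin with an RFC 4880 packet header whose tag is 6 (a Public-Key packet), so an ASCII-armored file or a file that starts with some other packet type is flagged. The directory name, file names and sample bytes it creates are constructed for the demonstration; point it at a real directory with a command-line argument.

```python
"""Sanity-check a keyfile directory before running the load-keyfiles action.

Added example, not part of the charm: it checks that every *.pgp file in the
import directory begins with an RFC 4880 packet header whose tag is 6
(Public-Key packet), which is how a dump of concatenated binary public keys
starts. Bad files are reported before the service is stopped for the load.
"""
import os
import tempfile

PUBLIC_KEY_TAG = 6  # RFC 4880 packet tag for a Public-Key packet


def packet_tag(first_octet):
    """Return the packet tag encoded in the first octet of an OpenPGP packet,
    or None if the octet is not a packet header (bit 7 must always be set)."""
    if not first_octet & 0x80:
        return None
    if first_octet & 0x40:                # new-format header: tag in bits 0-5
        return first_octet & 0x3F
    return (first_octet >> 2) & 0x0F      # old-format header: tag in bits 2-5


def check_keyfile(path):
    """Return (ok, reason) for one file."""
    with open(path, "rb") as fh:
        head = fh.read(1)
    if not head:
        return False, "empty file"
    tag = packet_tag(head[0])
    if tag is None:
        return False, "first octet is not an OpenPGP packet header (ASCII-armored?)"
    if tag != PUBLIC_KEY_TAG:
        return False, "first packet has tag %d, expected %d" % (tag, PUBLIC_KEY_TAG)
    return True, "ok"


def check_import_dir(directory):
    """Check every *.pgp file in directory; return {filename: (ok, reason)}.
    Other files are ignored, since the action expects the *.pgp extension."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".pgp"):
            results[name] = check_keyfile(os.path.join(directory, name))
    return results


def make_sample_dir():
    """Create a temporary directory with constructed sample files (not real
    dump data) and return its path."""
    directory = tempfile.mkdtemp(prefix="hkp-import-")
    samples = {
        # old-format Public-Key packet header (0x99) followed by a fake body
        "good.pgp": b"\x99\x01\x0d\x04" + b"\x00" * 16,
        # ASCII armor is not binary RFC 4880 data and must be dearmored first
        "armored.pgp": b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n",
        # new-format Signature packet (tag 2) where a key was expected
        "sig.pgp": b"\xc2\x10" + b"\x00" * 16,
        # not a .pgp file, so the action would not load it
        "README.txt": b"not a keyfile",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    for name, (ok, reason) in check_import_dir(target).items():
        print(("OK   " if ok else "FAIL ") + name + ": " + reason)
```

Run it as `python3 check_keyfiles.py /srv/hockeypuck/import` after fetch-keyfiles and before load-keyfiles; only the first packet of each file is inspected, which is enough to catch armored or mis-typed files without reading whole dumps.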

Peering

Peering with Relations

Assuming two Hockeypucks:

juju deploy cs:~hockeypuck/trusty/hockeypuck hkp1
juju deploy cs:~hockeypuck/trusty/hockeypuck hkp2

Enable gossip between them with:

juju add-relation hkp1:keymaster hkp2:gatekeeper

Destroy the relation to stop syncing keys:

juju destroy-relation hkp1:keymaster hkp2:gatekeeper

Regardless of which service is keymaster or gatekeeper, both services will
initiate and serve connections.

Peering with Configuration

To peer with other keyservers (Hockeypuck or SKS servers) that aren't in your
Juju environment, set the config option recon_partners. The format of this
option is a space-delimited list of partners, where each partner is a
comma-separated pair of HTTP and recon addresses. Like this:

juju set hockeypuck recon_partners="peer1:http,peer1:recon peer2:http,peer2:recon"

Note that you can specify a different host for the HTTP and recon addresses.
This supports connecting to peers that expose these ports on different host
addresses.

Configuration

app_path (string)
    Base directory location for service configuration & log files.
    Default: /srv

log_level (string)
    Log level, one of: debug, info, warning, error, fatal, panic
    Default: INFO

recon_port (int)
    Listen port for recon gossip protocol.
    Default: 11370

source_repo (string)
    PPA repository to install Hockeypuck from.
    Default: ppa:hockeypuck/unstable

hkp_port (int)
    Listen port for HTTP Keyserver Protocol (HKP) requests.
    Default: 11371

deployment (string)
    development, staging or production
    Default: production

recon_gossip_interval (int)
    Maximum time to wait between gossip connection attempts to peers. The actual delay is randomized.
    Default: 60

recon_allow_cidrs (string)
    Comma-separated list of CIDRs to allow gossip peers to connect from. For example, 10.0.0.0/8,192.168.0.0/16,163.15.34.10/32

recon_partners (string)
    Space-separated list of extra gossip peers, each defined by a comma-separated pair of <http host:port>,<recon host:port> addresses. For example, "10.0.0.2:11371,10.0.0.2:11370 keys.load-balanced.org:11371,163.71.23.24:11370"