Hockeypuck is an OpenPGP public keyserver, implementing the HKP draft
protocol specification, as well as several extensions to the protocol supported
by SKS. Project homepage: https://hockeypuck.github.io/
Refer to the Hockeypuck project website for
general information about the workload deployed by this charm.
Deploying Hockeypuck with Juju
Juju 1.23.2 or later is recommended to make full use of this charm's juju
actions. Install a recent version of juju with:
sudo apt-add-repository ppa:juju/stable
Deploy a Hockeypuck service:
juju deploy cs:~hockeypuck/trusty/hockeypuck
Deploy MongoDB and relate it:
juju deploy mongodb
juju add-relation mongodb hockeypuck
Expose Hockeypuck on port 80 behind haproxy.
juju deploy haproxy
juju add-relation hockeypuck:website haproxy:reverseproxy
juju expose haproxy
Or behind squid for caching.
juju deploy squid-reverseproxy
juju add-relation hockeypuck:website squid-reverseproxy
juju set squid-reverseproxy port=11371
juju expose squid
This charm provides several useful actions for managing your new keyserver.
fetch-keyfiles downloads OpenPGP binary keyfiles from a remote location to a local directory on the keyserver.
Required. The remote location to fetch keyfiles from. This is expected to be a
directory containing concatenated OpenPGP public keys in RFC 4880 binary
format. These are the files typically produced by an SKS dump, and should have
*.pgp file extension.
ftp:// protocols are supported.
Please be mindful of the network activity that this action can place on the
remote server hosting the files. Use sparingly on global pool dumps; otherwise
mirror the files.
Local directory where the files will be stored.
/srv/hockeypuck/import is the
default if not specified.
Stops the hockeypuck service and loads keyfiles into Hockeypuck.
Local directory where files will be loaded from.
/srv/hockeypuck/import is the
Peering with Relations
Assuming two Hockeypucks:
juju deploy cs:~hockeypuck/trusty/hockeypuck hkp1 juju deploy cs:~hockeypuck/trusty/hockeypuck hkp2
Enable gossip between them with:
juju add-relation hkp1:keymaster hkp2:gatekeeper
Destroy the relation to stop syncing keys:
juju destroy-relation hkp1:keymaster hkp2:gatekeeper
Regardless of which service is
gatekeeper, both services will
initiate and serve connections.
Peering with Configuration
To peer with other keyservers (Hockeypuck or SKS servers) that aren't in your
Juju environment, set the config option
recon_partners. The format of this
option is a space-delimited list of partners, where each partner is a
comma-separated pair of HTTP and recon addresses. Like this:
juju set hockeypuck recon_partners="peer1:http,peer1:recon peer2:http,peer2:recon"
Note that you can specify a different host for the HTTP and recon addresses.
This supports connecting to peers that expose these ports on different host
- (string) Base directory location for service configuration & log files.
- (string) Log level, one of: debug, info, warning, error, fatal, panic
- (int) Listen port for recon gossip protocol.
- (string) PPA repository to install Hockeypuck from.
- (int) Listen port for HTTP Keyserver Protocol (HKP) requests.
- (string) development, staging or production
- (int) Maximum time to wait between gossip connection attempts to peers. The actual delay is randomized.
- (string) Comma-separated list of CIDRs to allow gossip peers to connect from. For example, 10.0.0.0/8,192.168.0.0/16,126.96.36.199/32
- (string) Space-separated list of extra gossip peers, each of which defined by a comma-separated pair of <http host:port>,<recon host:port> addresses. For example, "10.0.0.2:11371,10.0.0.2:11370 keys.load-balanced.org:11371,188.8.131.52:11370"