Merge branch 'stretch' of https://github.com/bashrc/freedombone

doc/EN/app_keyserver.org

+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, keyserver
+#+DESCRIPTION: How to use KEYSERVER
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+
+#+BEGIN_EXPORT html
+<center>
+<h1>OpenPGP Key Server</h1>
+</center>
+#+END_EXPORT
+
+The /web of trust/ is a nice idea, but how trustable is it? If you take a look at how many OpenPGP key servers are out there then there are a two or three main ones and not much else. Can you trust those servers? Who is maintaining them and how often? Is any censorship going on? How hard would it be for adversaries to get implants onto them? In terms of technology this infrastructure is quite old and it could have been neglected for a long time. Once vigilant maintainers might have turned lazy and gotten lax with server security, or been recruited over to the dark side.
+
+For these kinds of reasons you might prefer to run your own web of trust infrastructure. In simple terms it's a database of GPG public keys which provides a way for users to /find out how to communicate with others securely via email/. You can meet in person and exchange public keys via sneakernet on USB drives, but most users of GPG don't do that. Instead they just download the public key for a given email address from one of the key servers.
+
+#+BEGIN_CENTER
+[[file:images/keyserver.jpg]]
+#+END_CENTER
+
+* Installation
+
+ssh into the system with:
+
+#+BEGIN_SRC bash
+ssh myusername@mydomain.com -p 2222
+#+END_SRC
+
+Select *Add/Remove Apps* then *keyserver*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /keys.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
+
+After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for the Key server. If the certificate is obtained successfully then you will see a congratulations message.
+
+* How to use it
+Interaction with the web user interface is pretty minimal and obvious, but most likely you will also want to be able to use your keyserver from the commandline. To do that use the *--keyserver* option. For example to search for a key on your server:
+
+#+begin_src bash
+gpg --keyserver [your keyserver domain] --search-keys [email address]
+#+end_src
+
+
+Or to send a key to it:
+
+#+begin_src bash
+gpg --keyserver [your keyserver domain] --send-keys [email address or key ID]
+#+end_src
+
+Or to get a key:
+
+#+begin_src bash
+gpg --keyserver [your keyserver domain] --recv-keys [email address or key ID]
+#+end_src
+* Sync with other keyservers
+Key servers avoid censorship or errors by gossiping between each other and cross referencing the data. You can define which other servers your key server will gossip with by going to the *Administrator control panel*, selecting *App Settings* then *keyserver* then *Sync with other keyserver*.
+
+It's a good idea not to try to sync with the popular OpenPGP key servers, because those have gigantic databases which may make your server unstable and certainly would make it hard to create backups within a tractable amount of time. This option is mainly intended to sync with other Freedombone systems or small home servers within a particular community.
+* Possible problems
+OpenPGP key servers are not very well defended from flooding attacks. This means that an adversary could just upload a billion keys to destabilize the server and fill it with nonsense to make it unusable. Since key servers are /fully open to the public/ there isn't anything to prevent that from happening.
+
+Within the Freedombone system there is a watchdog script which keeps track of the key server database size, and disables the key server if that gets too large. Apart from the usual firewall and web server traffic rate limits, this is a crude but probably practical way of defending against flooding.
+
+If a flood attack does happen then really the only way to recover is to restore from the last known good backup, which can be done from the *Administrator control panel*.

doc/EN/apps.org

 A simple kanban system for managing projects or TODO lists.
 
 [[./app_kanboard.html][How to use it]]
+* Key Server
+An OpenPGP key server for storing and retrieving GPG public keys.
+
+[[./app_keyserver.html][How to use it]]
 * Koel
 Access your music collection from any internet connected device.
 

src/freedombone-app-keyserver

                      KEYSERVER_DOMAIN_NAME
                      KEYSERVER_CODE)
 
+function check_keyserver_directory_size {
+    dirsize=$(du /var/lib/sks/DB | awk -F ' ' '{print $1}')
+    # 500M
+    if [ $dirsize -gt 500000 ]; then
+        echo "1"
+        return
+    fi
+    echo "0"
+}
+
+function keyserver_watchdog {
+    ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}')
+    ADMIN_EMAIL_ADDRESS=${ADMIN_USERNAME}@${HOSTNAME}
+    keyserver_size_warning=$"The SKS keyserver database is getting large. Check that you aren't being spammed"
+    keyserver_disabled_warning=$"The SKS keyserver has been disabled because it is getting too large. This is to prevent flooding attacks from crashing the server. You may need to restore the keyserver from backup."
+    keyserver_mail_subject_line=$"${PROJECT_NAME} keyserver warning"
+    keyserver_mail_subject_line_disabled=$"${PROJECT_NAME} keyserver disabled"
+    read_config_param KEYSERVER_DOMAIN_NAME
+    keyserver_watchdog_script=/etc/cron.hourly/keyserver-watchdog
+    echo '#!/bin/bash' > $keyserver_watchdog_script
+    echo "dirsize=\$(du /var/lib/sks/DB | awk -F ' ' '{print \$1}')" >> $keyserver_watchdog_script
+    echo 'if [ $dirsize -gt 450000 ]; then' >> $keyserver_watchdog_script
+
+    echo "  echo \"$keyserver_size_warning\" | mail -s \"$keyserver_mail_subject_line\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script
+
+    echo '  if [ $dirsize -gt 500000 ]; then' >> $keyserver_watchdog_script
+    echo "    nginx_dissite $KEYSERVER_DOMAIN_NAME" >> $keyserver_watchdog_script
+    echo '    systemctl stop sks' >> $keyserver_watchdog_script
+    echo '    systemctl disable sks' >> $keyserver_watchdog_script
+    echo "    echo \"$keyserver_disabled_warning\" | mail -s \"$keyserver_mail_subject_line_disabled\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script
+    echo '  fi' >> $keyserver_watchdog_script
+    echo 'fi' >> $keyserver_watchdog_script
+
+    chmod +x $keyserver_watchdog_script
+}
+
+
+function configure_firewall_for_keyserver {
+    if [[ $ONION_ONLY != "no" ]]; then
+        return
+    fi
+    firewall_add keyserver 11370 tcp
+    firewall_add keyserver 11371 tcp
+    firewall_add keyserver 11372 tcp
+    mark_completed $FUNCNAME
+}
+
+function keyserver_reset_database {
+    if [ -d /var/lib/sks/DB ]; then
+        rm -rf /var/lib/sks/DB
+    fi
+    sks build
+    chown -Rc debian-sks: /var/lib/sks
+    systemctl restart sks
+}
+
 function logging_on_keyserver {
     echo -n ''
 }
 }
 
 function upgrade_keyserver {
+    keyserver_watchdog
+
     CURR_KEYSERVER_WEB_COMMIT=$(get_completion_param "keyserver web commit")
     if [[ "$CURR_KEYSERVER_WEB_COMMIT" == "$KEYSERVER_WEB_COMMIT" ]]; then
         return
 }
 
 function backup_local_keyserver {
-    echo -n ''
+    # remove any unused log files
+    cd /var/lib/sks/DB
+    db_archive -d
+
+    source_directory=/etc/sks
+    if [ -d $source_directory ]; then
+        systemctl stop sks
+        dest_directory=keyserverconfig
+        function_check backup_directory_to_usb
+        backup_directory_to_usb $source_directory $dest_directory
+        systemctl start sks
+    fi
+    if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
+        echo $'WARNING: Keyserver database size is too large to backup'
+        return
+    fi
+    source_directory=/var/lib/sks/DB
+    if [ -d $source_directory ]; then
+        systemctl stop sks
+        dest_directory=keyserver
+        function_check backup_directory_to_usb
+        backup_directory_to_usb $source_directory $dest_directory
+        systemctl start sks
+    fi
 }
 
 function restore_local_keyserver {
-    echo -n ''
+    if [ ! -d /var/lib/sks/DB ]; then
+        return
+    fi
+    echo $"Restoring SKS Keyserver"
+    systemctl stop sks
+
+    temp_restore_dir=/root/tempkeyserverconfig
+    function_check restore_directory_from_usb
+    restore_directory_from_usb $temp_restore_dir keyserverconfig
+    cp -r $temp_restore_dir/etc/sks/* /etc/sks/
+    rm -rf $temp_restore_dir
+    chown -Rc debian-sks: /etc/sks/sksconf
+    chown -Rc debian-sks: /etc/sks/mailsync
+
+    temp_restore_dir=/root/tempkeyserver
+    function_check restore_directory_from_usb
+    restore_directory_from_usb $temp_restore_dir keyserver
+    mv /var/lib/sks/DB /var/lib/sks/DB_prev
+    cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB
+    if [ ! "$?" = "0" ]; then
+        # restore the old database
+        rm -rf /var/lib/sks/DB
+        mv /var/lib/sks/DB_prev /var/lib/sks/DB
+
+        rm -rf $temp_restore_dir
+        function_check set_user_permissions
+        set_user_permissions
+        function_check backup_unmount_drive
+        backup_unmount_drive
+        exit 5627294
+    fi
+    rm -rf $temp_restore_dir
+    chown -Rc debian-sks: /var/lib/sks
+
+    # remove the old database
+    rm -rf /var/lib/sks/DB_prev
+
+    systemctl enable sks
+    systemctl start sks
+    nginx_ensite $KEYSERVER_DOMAIN_NAME
 }
 
 function backup_remote_keyserver {
-    echo -n ''
+    # remove any unused log files
+    cd /var/lib/sks/DB
+    db_archive -d
+
+    source_directory=/etc/sks
+    if [ -d $source_directory ]; then
+        systemctl stop sks
+        dest_directory=keyserverconfig
+        function_check backup_directory_to_friend
+        backup_directory_to_friend $source_directory $dest_directory
+        systemctl start sks
+    fi
+    if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
+        echo $'WARNING: Keyserver database size is too large to backup'
+        return
+    fi
+    source_directory=/var/lib/sks/DB
+    if [ -d $source_directory ]; then
+        systemctl stop sks
+        dest_directory=keyserver
+        function_check backup_directory_to_friend
+        backup_directory_to_friend $source_directory $dest_directory
+        systemctl start sks
+    fi
 }
 
 function restore_remote_keyserver {
-    echo -n ''
+    if [ ! -d /var/lib/sks/DB ]; then
+        return
+    fi
+    echo $"Restoring SKS Keyserver"
+    systemctl stop sks
+
+    temp_restore_dir=/root/tempkeyserverconfig
+    function_check restore_directory_from_friend
+    restore_directory_from_friend $temp_restore_dir keyserverconfig
+    cp -r $temp_restore_dir/etc/sks/* /etc/sks/
+    rm -rf $temp_restore_dir
+    chown -Rc debian-sks: /etc/sks/sksconf
+    chown -Rc debian-sks: /etc/sks/mailsync
+
+    temp_restore_dir=/root/tempkeyserver
+    function_check restore_directory_from_friend
+    restore_directory_from_friend $temp_restore_dir keyserver
+    mv /var/lib/sks/DB /var/lib/sks/DB_prev
+    cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB
+    if [ ! "$?" = "0" ]; then
+        # restore the old database
+        rm -rf /var/lib/sks/DB
+        mv /var/lib/sks/DB_prev /var/lib/sks/DB
+
+        rm -rf $temp_restore_dir
+        function_check set_user_permissions
+        set_user_permissions
+        return
+    fi
+    rm -rf $temp_restore_dir
+    chown -Rc debian-sks: /var/lib/sks
+
+    # remove the old database
+    rm -rf /var/lib/sks/DB_prev
+
+    systemctl enable sks
+    systemctl start sks
+    nginx_ensite $KEYSERVER_DOMAIN_NAME
 }
 
 function remove_keyserver {
     systemctl stop sks
-    apt-get -qy remove sks
+    if [ -f /etc/cron.hourly/keyserver-watchdog ]; then
+        rm /etc/cron.hourly/keyserver-watchdog
+    fi
+    apt-get -qy remove sks dirmngr
 
     read_config_param "KEYSERVER_DOMAIN_NAME"
     nginx_dissite $KEYSERVER_DOMAIN_NAME
     remove_config_param KEYSERVER_CODE
     function_check remove_onion_service
     remove_onion_service keyserver ${KEYSERVER_ONION_PORT}
+    remove_onion_service sks 11370 11371 11372
     remove_completion_param "install_keyserver"
 
+    firewall_remove 11370 tcp
+    firewall_remove 11371 tcp
+    firewall_remove 11372 tcp
+
     sed -i '/keyserver/d' $COMPLETION_FILE
+    sed -i '/sks onion/d' $COMPLETION_FILE
     if [ -d /var/lib/sks ]; then
         rm -rf /var/lib/sks
     fi
     APP_INSTALLED=1
 }
 
+function keyserver_create_mailsync {
+    echo $"# List of email addresses which submitted keys will be forwarded to" > /etc/sks/mailsync
+    echo '' >> /etc/sks/mailsync
+    chown -Rc debian-sks: /etc/sks/mailsync
+}
+
+function keyserver_create_membership {
+    if [ -f /etc/sks/membership ]; then
+        return
+    fi
+    systemctl stop sks
+    echo $"# List of other $PROJECT_NAME SKS Keyservers to sync with." > /etc/sks/membership
+    echo '#' >> /etc/sks/membership
+    echo $"# Don't add major keyservers here, because it will take an" >> /etc/sks/membership
+    echo $'# Infeasible amount of time to sync and backups will become' >> /etc/sks/membership
+    echo $'# absurdly long and probably break your system. You have been warned.' >> /etc/sks/membership
+    echo '' >> /etc/sks/membership
+    chown -Rc debian-sks: /etc/sks/membership
+    systemctl start sks
+}
+
 function keyserver_import_keys {
+    # NOTE: this function isn't used, but kept for reference
     dialog --title $"Import public keys database" \
            --backtitle $"Freedombone Control Panel" \
            --defaultno \
 
     cd /var/lib/sks
     echo $'Building the keyserver database from the downloaded dump'
-    sks build
+    keyserver_reset_database
+}
+
+function keyserver_sync {
+    data=$(tempfile 2>/dev/null)
+    trap "rm -f $data" 0 1 2 5 15
+    dialog --backtitle $"Freedombone Control Panel" \
+           --title $"Sync with other keyserver" \
+           --form $"\nEnter details for the other server. Please be aware that it's not a good idea to sync with major keyservers which have exceptionally large databases. This is intended to sync with other $PROJECT_NAME systems each having a small database for a particular community." 16 60 3 \
+           $"Domain:" 1 1 "" 1 25 32 64 \
+           $"Port:" 2 1 "11370" 2 25 6 6 \
+           $"Sync Email (optional):" 3 1 "pgp-public-keys@" 3 25 32 64 \
+           2> $data
+    sel=$?
+    case $sel in
+        1) return;;
+        255) return;;
+    esac
+    other_keyserver_domain=$(cat $data | sed -n 1p)
+    other_keyserver_port=$(cat $data | sed -n 2p)
+    other_keyserver_email=$(cat $data | sed -n 3p)
+    if [[ "$other_keyserver_domain" != *'.'* ]]; then
+        return
+    fi
+    if [[ "$other_keyserver_domain" == *' '* ]]; then
+        return
+    fi
+    if [[ "$other_keyserver_port" == *'.'* ]]; then
+        return
+    fi
+    if [[ "$other_keyserver_port" == *' '* ]]; then
+        return
+    fi
+    if [ ${#other_keyserver_domain} -lt 4 ]; then
+        return
+    fi
+    if [ ${#other_keyserver_port} -lt 4 ]; then
+        return
+    fi
+
+    # Warn if trying to sync
+    if [[ "$other_keyserver_domain" == *"sks-keyservers.net" || "$other_keyserver_domain" == *"gnupg.net" || "$other_keyserver_domain" == *"pgp.com" || "$other_keyserver_domain" == *"pgp.mit.edu" || "$other_keyserver_domain" == *"the.earth.li" || "$other_keyserver_domain" == *"mayfirst.org" || "$other_keyserver_domain" == *"ubuntu.com" ]]; then
+        dialog --title $"Sync with other keyserver" \
+               --msgbox $"\nDon't try to sync with the major keyservers. Your system will be overloaded with an infeasible database size." 8 60
+        return
+    fi
+
+    if [[ "$other_keyserver_email" != "pgp-public-keys@" ]]; then
+        if [[ "$other_keyserver_email" == *"@"* ]]; then
+            if [[ "$other_keyserver_email" == *"."* ]]; then
+                keyserver_create_mailsync
+                if ! grep -q "$other_keyserver_email" /etc/sks/mailsync; then
+                    echo "$other_keyserver_email" >> /etc/sks/mailsync
+                    chown -Rc debian-sks: /etc/sks/mailsync
+                fi
+            else
+                dialog --title $"Sync with other keyserver" \
+                       --msgbox $"Email doesn't look right: $other_keyserver_email" 6 60
+                return
+            fi
+        fi
+    fi
+    keyserver_create_membership
+    if grep -q "$other_keyserver_domain $other_keyserver_port" /etc/sks/membership; then
+        return
+    fi
+    if grep -q "$other_keyserver_domain " /etc/sks/membership; then
+        sed -i "s|$other_keyserver_domain .*|$other_keyserver_domain $other_keyserver_port|g" /etc/sks/membership
+    else
+        echo "$other_keyserver_domain $other_keyserver_port" >> /etc/sks/membership
+    fi
+    chown -Rc debian-sks: /etc/sks/membership
+    systemctl restart sks
+    dialog --title $"Sync with other keyserver" \
+           --msgbox $"Keyserver added" 6 40
+}
+
+function keyserver_edit {
+    if [ ! -f /etc/sks/membership ]; then
+        return
+    fi
+    editor /etc/sks/membership
+    chown -Rc debian-sks: /etc/sks/membership
+    systemctl restart sks
+}
+
+function keyserver_remove_key {
+    data=$(tempfile 2>/dev/null)
+    trap "rm -f $data" 0 1 2 5 15
+    dialog --title $"Remove a key" \
+           --backtitle $"Freedombone Control Panel" \
+           --inputbox $"Enter the ID of the key which you wish to remove:" 12 60 2>$data
+    sel=$?
+    case $sel in
+        0)
+            remove_key_id=$(<$data)
+            if [ ${#remove_key_id} -gt 8 ]; then
+                sks drop $remove_key_id
+                dialog --title $"Remove a key" \
+                       --msgbox $"The key was removed" 6 40
+            fi
+            ;;
+    esac
 }
 
 function configure_interactive_keyserver {
         trap "rm -f $data" 0 1 2 5 15
         dialog --backtitle $"Freedombone Control Panel" \
                --title $"SKS Keyserver" \
-               --radiolist $"Choose an operation:" 10 70 2 \
-               1 $"Import public keys database" off \
-               2 $"Exit" on 2> $data
+               --radiolist $"Choose an operation:" 12 70 4 \
+               1 $"Remove a key" off \
+               2 $"Sync with other keyserver" off \
+               3 $"Edit sync keyservers" off \
+               4 $"Exit" on 2> $data
         sel=$?
         case $sel in
             1) return;;
             255) return;;
         esac
         case $(cat $data) in
-            1) keyserver_import_keys;;
-            2) break;;
+            1) keyserver_remove_key;;
+            2) keyserver_sync;;
+            3) keyserver_edit;;
+            4) break;;
         esac
     done
 }
 
 function install_keyserver {
     apt-get -qy install build-essential gcc ocaml libdb-dev wget sks
-    sks build
-    chown -Rc debian-sks: /var/lib/sks/DB
+    keyserver_reset_database
     sed -i 's|initstart=.*|initstart=yes|g' /etc/default/sks
+    apt-get -qy install dirmngr
     systemctl restart sks
 
     if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then
     sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
     sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
 
-    sksconf_file=/var/lib/sks/sksconf
-    echo 'debuglevel: 3' > $sksconf_file
-    echo '' >> $sksconf_file
-    echo "hostname:                       $KEYSERVER_DOMAIN_NAME" >> $sksconf_file
-    echo '' >> $sksconf_file
-    echo 'hkp_address:                    127.0.0.1' >> $sksconf_file
-    echo "hkp_port:                       $KEYSERVER_PORT" >> $sksconf_file
-    echo 'recon_port:                     11370' >> $sksconf_file
-    echo '' >> $sksconf_file
-    echo "server_contact:                 $GPG_ID" >> $sksconf_file
-    echo '' >> $sksconf_file
-    echo 'initial_stat:' >> $sksconf_file
-    echo 'disable_mailsync:' >> $sksconf_file
-    echo 'membership_reload_interval:     1' >> $sksconf_file
-    echo 'stat_hour:                      12' >> $sksconf_file
-    echo '' >> $sksconf_file
-    echo 'max_matches:                    500' >> $sksconf_file
+    sksconf_file=/etc/sks/sksconf
+    sed -i "s|#hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file
+    sed -i "s|hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file
+    sed -i "s|#hkp_port:.*|hkp_port: 11373|g" $sksconf_file
+    sed -i "s|hkp_port:.*|hkp_port: 11373|g" $sksconf_file
+    sed -i "s|#recon_port:.*|recon_port: 11370|g" $sksconf_file
+    sed -i "s|recon_port:.*|recon_port: 11370|g" $sksconf_file
+    sed -i "s|#recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file
+    sed -i "s|recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file
+    sed -i 's|#hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file
+    sed -i 's|hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file
+    sed -i "s|#from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file
+    sed -i "s|from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file
+    sed -i 's|#sendmail_cmd:|sendmail_cmd:|g' $sksconf_file
+
+    if ! grep -q "#disable_mailsync" $sksconf_file; then
+        echo '#disable_mailsync:' >> $sksconf_file
+    else
+        sed -i 's|disable_mailsync:|#disable_mailsync:|g' $sksconf_file
+    fi
+    if ! grep -q "membership_reload_interval:" $sksconf_file; then
+        echo 'membership_reload_interval:     1' >> $sksconf_file
+    else
+        sed -i 's|#membership_reload_interval:.*|membership_reload_interval:     1|g' $sksconf_file
+        sed -i 's|membership_reload_interval:.*|membership_reload_interval:     1|g' $sksconf_file
+    fi
+    if ! grep -q "max_matches:" $sksconf_file; then
+        echo 'max_matches: 50' >> $sksconf_file
+    else
+        sed -i 's|#max_matches:.*|max_matches: 50|g' $sksconf_file
+        sed -i 's|max_matches:.*|max_matches: 50|g' $sksconf_file
+    fi
+    if ! grep -q "stat_hour:" $sksconf_file; then
+        echo "stat_hour: $((1 + RANDOM % 8))" >> $sksconf_file
+    else
+        sed -i "s|#stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file
+        sed -i "s|stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file
+    fi
+    if ! grep -q "disable_log_diffs:" $sksconf_file; then
+        echo "disable_log_diffs:" >> $sksconf_file
+    else
+        sed -i "s|#disable_log_diffs:.*|disable_log_diffs:|g" $sksconf_file
+        sed -i "s|disable_log_diffs:.*|disable_log_diffs:|g" $sksconf_file
+    fi
+    if ! grep -q "debuglevel:" $sksconf_file; then
+        echo "debuglevel: 0" >> $sksconf_file
+    else
+        sed -i "s|#debuglevel:.*|debuglevel: 0|g" $sksconf_file
+        sed -i "s|debuglevel:.*|debuglevel: 0|g" $sksconf_file
+    fi
+
     chown debian-sks: $sksconf_file
 
+    if ! grep -q "hidden_service_sks" /etc/tor/torrc; then
+        echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/' >> /etc/tor/torrc
+        echo "HiddenServicePort 11370 127.0.0.1:11370" >> /etc/tor/torrc
+        echo "HiddenServicePort 11373 127.0.0.1:11371" >> /etc/tor/torrc
+        echo "HiddenServicePort 11372 127.0.0.1:11372" >> /etc/tor/torrc
+        echo $'Added onion site for sks'
+    fi
+
+    onion_update
+    wait_for_onion_service 'sks'
+
+    if [ ! -f /var/lib/tor/hidden_service_sks/hostname ]; then
+        echo $'sks onion site hostname not found'
+        exit 8352982
+    fi
+    SKS_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_sks/hostname)
+
     KEYSERVER_ONION_HOSTNAME=$(add_onion_service keyserver 80 ${KEYSERVER_ONION_PORT})
 
     keyserver_nginx_site=/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME
     if [[ $ONION_ONLY == "no" ]]; then
-        function_check nginx_http_redirect
-        nginx_http_redirect $KEYSERVER_DOMAIN_NAME
+        # NOTE: without http active on port 80 the keyserver doesn't work
+        #       from the commandline
+        echo 'server {' > $keyserver_nginx_site
+        echo '  listen 80;' >> $keyserver_nginx_site
+        echo '  listen 0.0.0.0:11371;' >> $keyserver_nginx_site
+        echo '  listen [::]:80;' >> $keyserver_nginx_site
+        echo "  server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site
+        echo '' >> $keyserver_nginx_site
+        echo '  # Logs' >> $keyserver_nginx_site
+        echo '  access_log /dev/null;' >> $keyserver_nginx_site
+        echo '  error_log /dev/null;' >> $keyserver_nginx_site
+        echo '' >> $keyserver_nginx_site
+        echo '  # Root' >> $keyserver_nginx_site
+        echo "  root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site
+        echo '' >> $keyserver_nginx_site
+        echo '  rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
+        echo '  rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
+        echo '  rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
+        echo '  rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
+        echo '  rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
+        echo '  rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
+        echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
+        echo '' >> $keyserver_nginx_site
+        echo '  location /pks {' >> $keyserver_nginx_site
+        echo '    proxy_pass         http://127.0.0.1:11373;' >> $keyserver_nginx_site
+        echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site
+        echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:11371 (nginx)\";" >> $keyserver_nginx_site
+        echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site
+        echo '    client_max_body_size 8m;' >> $keyserver_nginx_site
+        echo '  }' >> $keyserver_nginx_site
+        echo '}' >> $keyserver_nginx_site
+        echo '' >> $keyserver_nginx_site
         echo 'server {' >> $keyserver_nginx_site
         echo '  listen 443 ssl;' >> $keyserver_nginx_site
+        echo '  listen 0.0.0.0:11372 ssl;' >> $keyserver_nginx_site
         echo '  listen [::]:443 ssl;' >> $keyserver_nginx_site
         echo "  server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site
         echo '' >> $keyserver_nginx_site
+        echo '  error_page 404 /404.html;' >> $keyserver_nginx_site
+        echo '' >> $keyserver_nginx_site
+        echo '  location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site
+        echo '    deny all;' >> $keyserver_nginx_site
+        echo '    return 404;' >> $keyserver_nginx_site
+        echo '  }' >> $keyserver_nginx_site
+        echo '' >> $keyserver_nginx_site
         echo '  # Security' >> $keyserver_nginx_site
         function_check nginx_ssl
         nginx_ssl $KEYSERVER_DOMAIN_NAME
         echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
         echo '' >> $keyserver_nginx_site
         echo '  location /pks {' >> $keyserver_nginx_site
-        echo "    proxy_pass         http://127.0.0.1:$KEYSERVER_PORT;" >> $keyserver_nginx_site
+        echo "    proxy_pass         http://127.0.0.1:11373;" >> $keyserver_nginx_site
         echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site
-        echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_PORT (nginx)\";" >> $keyserver_nginx_site
+        echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:11372 (nginx)\";" >> $keyserver_nginx_site
         echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site
         echo '    client_max_body_size 8m;' >> $keyserver_nginx_site
         echo '  }' >> $keyserver_nginx_site
         echo -n '' > $keyserver_nginx_site
     fi
     echo 'server {' >> $keyserver_nginx_site
-    echo "    listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;" >> $keyserver_nginx_site
-    echo "    server_name $KEYSERVER_ONION_HOSTNAME;" >> $keyserver_nginx_site
+    echo "  listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;" >> $keyserver_nginx_site
+    echo "  server_name $KEYSERVER_ONION_HOSTNAME;" >> $keyserver_nginx_site
+    echo '' >> $keyserver_nginx_site
+    echo '  error_page 404 /404.html;' >> $keyserver_nginx_site
+    echo '' >> $keyserver_nginx_site
+    echo '  location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site
+    echo '    deny all;' >> $keyserver_nginx_site
+    echo '    return 404;' >> $keyserver_nginx_site
+    echo '  }' >> $keyserver_nginx_site
     echo '' >> $keyserver_nginx_site
     function_check nginx_disable_sniffing
     nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME
     echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
     echo '' >> $keyserver_nginx_site
     echo '  location /pks {' >> $keyserver_nginx_site
-    echo "    proxy_pass         http://127.0.0.1:$KEYSERVER_PORT;" >> $keyserver_nginx_site
+    echo "    proxy_pass         http://127.0.0.1:11373;" >> $keyserver_nginx_site
     echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site
-    echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_PORT (nginx)\";" >> $keyserver_nginx_site
+    echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_ONION_PORT (nginx)\";" >> $keyserver_nginx_site
     echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site
     echo '    client_max_body_size 8m;' >> $keyserver_nginx_site
     echo '  }' >> $keyserver_nginx_site
     function_check nginx_ensite
     nginx_ensite $KEYSERVER_DOMAIN_NAME
 
+    configure_firewall_for_keyserver
+
+    # remove membership file - don't try to sync with other keyservers
+    if [ -f /etc/sks/membership ]; then
+        rm /etc/sks/membership
+    fi
+
+    if ! grep -q "pgp-public-keys" /etc/aliases; then
+        echo 'pgp-public-keys:      "|/usr/lib/sks/sks_add_mail /etc/sks"' >> /etc/aliases
+    fi
+    chown -Rc debian-sks: /etc/sks/mailsync
+
+    systemctl enable sks
+    systemctl restart sks
     systemctl restart nginx
 
     set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME"
     set_completion_param "keyserver onion domain" "$KEYSERVER_ONION_HOSTNAME"
+    set_completion_param "sks onion domain" "$SKS_ONION_HOSTNAME"
+
+    keyserver_watchdog
 
     APP_INSTALLED=1
 }

src/freedombone-controlpanel

         echo -n -e "$(pad_string ${DEFAULT_DOMAIN_NAME})"
         echo "$(cat ${COMPLETION_FILE} | grep 'email onion domain' | awk -F ':' '{print $2}')"
     fi
+    if grep -q "sks onion domain" $COMPLETION_FILE; then
+        read_config_param "KEYSERVER_DOMAIN_NAME"
+        echo -n -e "$(pad_string 'SKS')"
+        echo -n -e "$(pad_string ${KEYSERVER_DOMAIN_NAME})"
+        echo "$(cat ${COMPLETION_FILE} | grep 'sks onion domain' | awk -F ':' '{print $2}')"
+    fi
 
     for app_name in "${APPS_INSTALLED_NAMES[@]}"
     do

src/freedombone-upgrade

 
 update-ca-certificates
 
+# remove any keyserver log files
+if [ -d /var/lib/sks/DB ]; then
+    cd /var/lib/sks/DB
+    db_archive -d
+fi
+
 if [ ! -d $PROJECT_DIR ]; then
     git_clone $PROJECT_REPO $PROJECT_DIR
 fi

website/EN/app_keyserver.html

+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
+<head>
+<!-- 2017-07-30 Sun 18:18 -->
+<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title></title>
+<meta name="generator" content="Org mode" />
+<meta name="author" content="Bob Mottram" />
+<meta name="description" content="How to use KEYSERVER"
+ />
+<meta name="keywords" content="freedombone, keyserver" />
+<style type="text/css">
+ <!--/*--><![CDATA[/*><!--*/
+  .title  { text-align: center;
+             margin-bottom: .2em; }
+  .subtitle { text-align: center;
+              font-size: medium;
+              font-weight: bold;
+              margin-top:0; }
+  .todo   { font-family: monospace; color: red; }
+  .done   { font-family: monospace; color: green; }
+  .priority { font-family: monospace; color: orange; }
+  .tag    { background-color: #eee; font-family: monospace;
+            padding: 2px; font-size: 80%; font-weight: normal; }
+  .timestamp { color: #bebebe; }
+  .timestamp-kwd { color: #5f9ea0; }
+  .org-right  { margin-left: auto; margin-right: 0px;  text-align: right; }
+  .org-left   { margin-left: 0px;  margin-right: auto; text-align: left; }
+  .org-center { margin-left: auto; margin-right: auto; text-align: center; }
+  .underline { text-decoration: underline; }
+  #postamble p, #preamble p { font-size: 90%; margin: .2em; }
+  p.verse { margin-left: 3%; }
+  pre {
+    border: 1px solid #ccc;
+    box-shadow: 3px 3px 3px #eee;
+    padding: 8pt;
+    font-family: monospace;
+    overflow: auto;
+    margin: 1.2em;
+  }
+  pre.src {
+    position: relative;
+    overflow: visible;
+    padding-top: 1.2em;
+  }
+  pre.src:before {
+    display: none;
+    position: absolute;
+    background-color: white;
+    top: -10px;
+    right: 10px;
+    padding: 3px;
+    border: 1px solid black;
+  }
+  pre.src:hover:before { display: inline;}
+  /* Languages per Org manual */
+  pre.src-asymptote:before { content: 'Asymptote'; }
+  pre.src-awk:before { content: 'Awk'; }
+  pre.src-C:before { content: 'C'; }
+  /* pre.src-C++ doesn't work in CSS */
+  pre.src-clojure:before { content: 'Clojure'; }
+  pre.src-css:before { content: 'CSS'; }
+  pre.src-D:before { content: 'D'; }
+  pre.src-ditaa:before { content: 'ditaa'; }
+  pre.src-dot:before { content: 'Graphviz'; }
+  pre.src-calc:before { content: 'Emacs Calc'; }
+  pre.src-emacs-lisp:before { content: 'Emacs Lisp'; }
+  pre.src-fortran:before { content: 'Fortran'; }
+  pre.src-gnuplot:before { content: 'gnuplot'; }
+  pre.src-haskell:before { content: 'Haskell'; }
+  pre.src-hledger:before { content: 'hledger'; }
+  pre.src-java:before { content: 'Java'; }
+  pre.src-js:before { content: 'Javascript'; }
+  pre.src-latex:before { content: 'LaTeX'; }
+  pre.src-ledger:before { content: 'Ledger'; }
+  pre.src-lisp:before { content: 'Lisp'; }
+  pre.src-lilypond:before { content: 'Lilypond'; }
+  pre.src-lua:before { content: 'Lua'; }
+  pre.src-matlab:before { content: 'MATLAB'; }
+  pre.src-mscgen:before { content: 'Mscgen'; }
+  pre.src-ocaml:before { content: 'Objective Caml'; }
+  pre.src-octave:before { content: 'Octave'; }
+  pre.src-org:before { content: 'Org mode'; }
+  pre.src-oz:before { content: 'OZ'; }
+  pre.src-plantuml:before { content: 'Plantuml'; }
+  pre.src-processing:before { content: 'Processing.js'; }
+  pre.src-python:before { content: 'Python'; }
+  pre.src-R:before { content: 'R'; }
+  pre.src-ruby:before { content: 'Ruby'; }
+  pre.src-sass:before { content: 'Sass'; }
+  pre.src-scheme:before { content: 'Scheme'; }
+  pre.src-screen:before { content: 'Gnu Screen'; }
+  pre.src-sed:before { content: 'Sed'; }
+  pre.src-sh:before { content: 'shell'; }
+  pre.src-sql:before { content: 'SQL'; }
+  pre.src-sqlite:before { content: 'SQLite'; }
+  /* additional languages in org.el's org-babel-load-languages alist */
+  pre.src-forth:before { content: 'Forth'; }
+  pre.src-io:before { content: 'IO'; }
+  pre.src-J:before { content: 'J'; }
+  pre.src-makefile:before { content: 'Makefile'; }
+  pre.src-maxima:before { content: 'Maxima'; }
+  pre.src-perl:before { content: 'Perl'; }
+  pre.src-picolisp:before { content: 'Pico Lisp'; }
+  pre.src-scala:before { content: 'Scala'; }
+  pre.src-shell:before { content: 'Shell Script'; }
+  pre.src-ebnf2ps:before { content: 'ebfn2ps'; }
+  /* additional language identifiers per "defun org-babel-execute"
+       in ob-*.el */
+  pre.src-cpp:before  { content: 'C++'; }
+  pre.src-abc:before  { content: 'ABC'; }
+  pre.src-coq:before  { content: 'Coq'; }
+  pre.src-groovy:before  { content: 'Groovy'; }
+  /* additional language identifiers from org-babel-shell-names in
+     ob-shell.el: ob-shell is the only babel language using a lambda to put
+     the execution function name together. */
+  pre.src-bash:before  { content: 'bash'; }
+  pre.src-csh:before  { content: 'csh'; }
+  pre.src-ash:before  { content: 'ash'; }
+  pre.src-dash:before  { content: 'dash'; }
+  pre.src-ksh:before  { content: 'ksh'; }
+  pre.src-mksh:before  { content: 'mksh'; }
+  pre.src-posh:before  { content: 'posh'; }
+  /* Additional Emacs modes also supported by the LaTeX listings package */
+  pre.src-ada:before { content: 'Ada'; }
+  pre.src-asm:before { content: 'Assembler'; }
+  pre.src-caml:before { content: 'Caml'; }
+  pre.src-delphi:before { content: 'Delphi'; }
+  pre.src-html:before { content: 'HTML'; }
+  pre.src-idl:before { content: 'IDL'; }
+  pre.src-mercury:before { content: 'Mercury'; }
+  pre.src-metapost:before { content: 'MetaPost'; }
+  pre.src-modula-2:before { content: 'Modula-2'; }
+  pre.src-pascal:before { content: 'Pascal'; }
+  pre.src-ps:before { content: 'PostScript'; }
+  pre.src-prolog:before { content: 'Prolog'; }
+  pre.src-simula:before { content: 'Simula'; }
+  pre.src-tcl:before { content: 'tcl'; }
+  pre.src-tex:before { content: 'TeX'; }
+  pre.src-plain-tex:before { content: 'Plain TeX'; }
+  pre.src-verilog:before { content: 'Verilog'; }
+  pre.src-vhdl:before { content: 'VHDL'; }
+  pre.src-xml:before { content: 'XML'; }
+  pre.src-nxml:before { content: 'XML'; }
+  /* add a generic configuration mode; LaTeX export needs an additional
+     (add-to-list 'org-latex-listings-langs '(conf " ")) in .emacs */
+  pre.src-conf:before { content: 'Configuration File'; }
+
+  table { border-collapse:collapse; }
+  caption.t-above { caption-side: top; }
+  caption.t-bottom { caption-side: bottom; }
+  td, th { vertical-align:top;  }
+  th.org-right  { text-align: center;  }
+  th.org-left   { text-align: center;   }
+  th.org-center { text-align: center; }
+  td.org-right  { text-align: right;  }
+  td.org-left   { text-align: left;   }
+  td.org-center { text-align: center; }
+  dt { font-weight: bold; }
+  .footpara { display: inline; }
+  .footdef  { margin-bottom: 1em; }
+  .figure { padding: 1em; }
+  .figure p { text-align: center; }
+  .inlinetask {
+    padding: 10px;
+    border: 2px solid gray;
+    margin: 10px;
+    background: #ffffcc;
+  }
+  #org-div-home-and-up
+   { text-align: right; font-size: 70%; white-space: nowrap; }
+  textarea { overflow-x: auto; }
+  .linenr { font-size: smaller }
+  .code-highlighted { background-color: #ffff00; }
+  .org-info-js_info-navigation { border-style: none; }
+  #org-info-js_console-label
+    { font-size: 10px; font-weight: bold; white-space: nowrap; }
+  .org-info-js_search-highlight
+    { background-color: #ffff00; color: #000000; font-weight: bold; }
+  .org-svg { width: 90%; }
+  /*]]>*/-->
+</style>
+<link rel="stylesheet" type="text/css" href="freedombone.css" />
+<script type="text/javascript">
+/*
+@licstart  The following is the entire license notice for the
+JavaScript code in this tag.
+
+Copyright (C) 2012-2017 Free Software Foundation, Inc.
+
+The JavaScript code in this tag is free software: you can
+redistribute it and/or modify it under the terms of the GNU
+General Public License (GNU GPL) as published by the Free Software
+Foundation, either version 3 of the License, or (at your option)
+any later version.  The code is distributed WITHOUT ANY WARRANTY;
+without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU GPL for more details.
+
+As additional permission under GNU GPL version 3 section 7, you
+may distribute non-source (e.g., minimized or compacted) forms of
+that code without the copy of the GNU GPL normally required by
+section 4, provided you include this license notice and a URL
+through which recipients can access the Corresponding Source.
+
+
+@licend  The above is the entire license notice
+for the JavaScript code in this tag.
+*/
+<!--/*--><![CDATA[/*><!--*/
+ function CodeHighlightOn(elem, id)
+ {
+   var target = document.getElementById(id);
+   if(null != target) {
+     elem.cacheClassElem = elem.className;
+     elem.cacheClassTarget = target.className;
+     target.className = "code-highlighted";
+     elem.className   = "code-highlighted";
+   }
+ }
+ function CodeHighlightOff(elem, id)
+ {
+   var target = document.getElementById(id);
+   if(elem.cacheClassElem)
+     elem.className = elem.cacheClassElem;
+   if(elem.cacheClassTarget)
+     target.className = elem.cacheClassTarget;
+ }
+/*]]>*///-->
+</script>
+</head>
+<body>
+<div id="preamble" class="status">
+<a name="top" id="top"></a>
+</div>
+<div id="content">
+<div class="org-center">
+
+<div class="figure">
+<p><img src="images/logo.png" alt="logo.png" />
+</p>
+</div>
+</div>
+
+<center>
+<h1>OpenPGP Key Server</h1>
+</center>
+
+<p>
+The <i>web of trust</i> is a nice idea, but how trustable is it? If you take a look at how many OpenPGP key servers are out there then there are a two or three main ones and not much else. Can you trust those servers? Who is maintaining them and how often? Is any censorship going on? How hard would it be for adversaries to get implants onto them? In terms of technology this infrastructure is quite old and it could have been neglected for a long time. Once vigilant maintainers might have turned lazy and gotten lax with server security, or been recruited over to the dark side.
+</p>
+
+<p>
+For these kinds of reasons you might prefer to run your own web of trust infrastructure. In simple terms it's a database of GPG public keys which provides a way for users to <i>find out how to communicate with others securely via email</i>. You can meet in person and exchange public keys via sneakernet on USB drives, but most users of GPG don't do that. Instead they just download the public key for a given email address from one of the key servers.
+</p>
+
+<div class="org-center">
+
+<div class="figure">
+<p><img src="images/keyserver.jpg" alt="keyserver.jpg" />
+</p>
+</div>
+</div>
+
+<div id="outline-container-orgfcf6c32" class="outline-2">
+<h2 id="orgfcf6c32">Installation</h2>
+<div class="outline-text-2" id="text-orgfcf6c32">
+<p>
+ssh into the system with:
+</p>
+
+<div class="org-src-container">
+<pre><code class="src src-bash">ssh myusername@mydomain.com -p 2222
+</code></pre>
+</div>
+
+<p>
+Select <b>Add/Remove Apps</b> then <b>keyserver</b>. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under <b>Dynamic DNS</b> on the FreeDNS site (the random string from "<i>quick cron example</i>" which appears after <i>update.php?</i> and before <i>&gt;&gt;</i>). For more details on obtaining a domain and making it accessible via dynamic DNS see the <a href="./faq.html">FAQ</a>. Typically the domain name you use will be a subdomain, such as <i>keys.mydomainname.net</i>. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
+</p>
+
+<p>
+After the install has completed go to <b>Security settings</b> and select <b>Create a new Let's Encrypt certificate</b> and enter the domain name that you are using for the Key server. If the certificate is obtained successfully then you will see a congratulations message.
+</p>
+</div>
+</div>
+
+<div id="outline-container-org8e2baf7" class="outline-2">
+<h2 id="org8e2baf7">How to use it</h2>
+<div class="outline-text-2" id="text-org8e2baf7">
+<p>
+Interaction with the web user interface is pretty minimal and obvious, but most likely you will also want to be able to use your keyserver from the commandline. To do that use the <b>&#x2013;keyserver</b> option. For example to search for a key on your server:
+</p>
+
+<div class="org-src-container">
+<pre><code class="src src-bash">gpg --keyserver [your keyserver domain] --search-keys [email address]
+</code></pre>
+</div>
+
+
+<p>
+Or to send a key to it:
+</p>
+
+<div class="org-src-container">
+<pre><code class="src src-bash">gpg --keyserver [your keyserver domain] --send-keys [email address or key ID]
+</code></pre>
+</div>
+
+<p>
+Or to get a key:
+</p>
+
+<div class="org-src-container">
+<pre><code class="src src-bash">gpg --keyserver [your keyserver domain] --recv-keys [email address or key ID]
+</code></pre>
+</div>
+</div>
+</div>
+<div id="outline-container-orgf7e93ae" class="outline-2">
+<h2 id="orgf7e93ae">Sync with other keyservers</h2>
+<div class="outline-text-2" id="text-orgf7e93ae">
+<p>
+Key servers avoid censorship or errors by gossiping between each other and cross referencing the data. You can define which other servers your key server will gossip with by going to the <b>Administrator control panel</b>, selecting <b>App Settings</b> then <b>keyserver</b> then <b>Sync with other keyserver</b>.
+</p>
+
+<p>
+It's a good idea not to try to sync with the popular OpenPGP key servers, because those have gigantic databases which may make your server unstable and certainly would make it hard to create backups within a tractable amount of time. This option is mainly intended to sync with other Freedombone systems or small home servers within a particular community.
+</p>
+</div>
+</div>
+<div id="outline-container-org7be3c82" class="outline-2">
+<h2 id="org7be3c82">Possible problems</h2>
+<div class="outline-text-2" id="text-org7be3c82">
+<p>
+OpenPGP key servers are not very well defended from flooding attacks. This means that an adversary could just upload a billion keys to destabilize the server and fill it with nonsense to make it unusable. Since key servers are <i>fully open to the public</i> there isn't anything to prevent that from happening.
+</p>
+
+<p>
+Within the Freedombone system there is a watchdog script which keeps track of the key server database size, and disables the key server if that gets too large. Apart from the usual firewall and web server traffic rate limits, this is a crude but probably practical way of defending against flooding.
+</p>
+
+<p>
+If a flood attack does happen then really the only way to recover is to restore from the last known good backup, which can be done from the <b>Administrator control panel</b>.
+</p>
+</div>
+</div>
+</div>
+<div id="postamble" class="status">
+
+<style type="text/css">
+.back-to-top {
+    position: fixed;
+    bottom: 2em;
+    right: 0px;
+    text-decoration: none;
+    color: #000000;
+    background-color: rgba(235, 235, 235, 0.80);
+    font-size: 12px;
+    padding: 1em;
+    display: none;
+}
+
+.back-to-top:hover {
+    background-color: rgba(135, 135, 135, 0.50);
+}
+</style>
+
+<div class="back-to-top">
+<a href="#top">Back to top</a> | <a href="mailto:bob@freedombone.net">E-mail me</a>
+</div>
+</div>
+</body>
+</html>

website/EN/apps.html

 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2017-07-25 Tue 23:25 -->
+<!-- 2017-07-28 Fri 22:42 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title></title>
 </div>
 </div>
 
-<div id="outline-container-org9a19246" class="outline-2">
-<h2 id="org9a19246">CryptPad</h2>
-<div class="outline-text-2" id="text-org9a19246">
+<div id="outline-container-orgbe17d63" class="outline-2">
+<h2 id="orgbe17d63">CryptPad</h2>
+<div class="outline-text-2" id="text-orgbe17d63">
 <p>
 Collaborate on editing documents, presentations and source code, or vote on things. All with a good level of security.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgaf887a3" class="outline-2">
-<h2 id="orgaf887a3">DLNA</h2>
-<div class="outline-text-2" id="text-orgaf887a3">
+<div id="outline-container-orgeb85cd1" class="outline-2">
+<h2 id="orgeb85cd1">DLNA</h2>
+<div class="outline-text-2" id="text-orgeb85cd1">
 <p>
 Enables you to use the system as a music server which any DLNA compatible devices can connect to within your home network.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org24b3d95" class="outline-2">
-<h2 id="org24b3d95">Dokuwiki</h2>
-<div class="outline-text-2" id="text-org24b3d95">
+<div id="outline-container-orge7dce56" class="outline-2">
+<h2 id="orge7dce56">Dokuwiki</h2>
+<div class="outline-text-2" id="text-orge7dce56">
 <p>
 A databaseless wiki system.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orga7568ea" class="outline-2">
-<h2 id="orga7568ea">Emacs</h2>
-<div class="outline-text-2" id="text-orga7568ea">
+<div id="outline-container-org16980fe" class="outline-2">
+<h2 id="org16980fe">Emacs</h2>
+<div class="outline-text-2" id="text-org16980fe">
 <p>
 If you use the Mutt client to read your email then this will set it up to use emacs for composing new mail.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org3d4300f" class="outline-2">
-<h2 id="org3d4300f">Etherpad</h2>
-<div class="outline-text-2" id="text-org3d4300f">
+<div id="outline-container-orge6eede4" class="outline-2">
+<h2 id="orge6eede4">Etherpad</h2>
+<div class="outline-text-2" id="text-orge6eede4">
 <p>
 Collaborate on creating documents in real time. Maybe you're planning a holiday with other family members or creating documentation for a Free Software project along with other volunteers. Etherpad is hard to beat for simplicity and speed. Only users of the system will be able to access it.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org91f769f" class="outline-2">
-<h2 id="org91f769f">Friendica</h2>
-<div class="outline-text-2" id="text-org91f769f">
+<div id="outline-container-org72aea62" class="outline-2">
+<h2 id="org72aea62">Friendica</h2>
+<div class="outline-text-2" id="text-org72aea62">
 <p>
 Federated social network system.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org6266e6b" class="outline-2">
-<h2 id="org6266e6b">Ghost</h2>
-<div class="outline-text-2" id="text-org6266e6b">
+<div id="outline-container-org75bbd1d" class="outline-2">
+<h2 id="org75bbd1d">Ghost</h2>
+<div class="outline-text-2" id="text-org75bbd1d">
 <p>
 Modern looking blogging system.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orge7307c0" class="outline-2">
-<h2 id="orge7307c0">GNU Social</h2>
-<div class="outline-text-2" id="text-orge7307c0">
+<div id="outline-container-org879241a" class="outline-2">
+<h2 id="org879241a">GNU Social</h2>
+<div class="outline-text-2" id="text-org879241a">
 <p>
 Federated social network. You can "<i>remote follow</i>" other users within the GNU Social federation.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org42d8a6c" class="outline-2">
-<h2 id="org42d8a6c">Gogs</h2>
-<div class="outline-text-2" id="text-org42d8a6c">
+<div id="outline-container-org0c63c0d" class="outline-2">
+<h2 id="org0c63c0d">Gogs</h2>
+<div class="outline-text-2" id="text-org0c63c0d">
 <p>
 Lightweight git project hosting system. You can mirror projects from Github, or if Github turns evil then just host your own projects while retaining the familiar <i>fork-and-pull</i> workflow. If you can use Github then you can also use Gogs.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org21d5b80" class="outline-2">
-<h2 id="org21d5b80">HTMLy</h2>
-<div class="outline-text-2" id="text-org21d5b80">
+<div id="outline-container-org8d5a195" class="outline-2">
+<h2 id="org8d5a195">HTMLy</h2>
+<div class="outline-text-2" id="text-org8d5a195">
 <p>
 Databaseless blogging system. Quite simple and with a markdown-like format.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org47d8fc7" class="outline-2">
-<h2 id="org47d8fc7">Hubzilla</h2>
-<div class="outline-text-2" id="text-org47d8fc7">
+<div id="outline-container-orgbc0a684" class="outline-2">
+<h2 id="orgbc0a684">Hubzilla</h2>
+<div class="outline-text-2" id="text-orgbc0a684">
 <p>
 Web publishing platform with social network like features and good privacy controls so that it's possible to specify who can see which content. Includes photo albums, calendar, wiki and file storage.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org71113c6" class="outline-2">
-<h2 id="org71113c6">IRC Server (ngirc)</h2>
-<div class="outline-text-2" id="text-org71113c6">
+<div id="outline-container-org4f18360" class="outline-2">
+<h2 id="org4f18360">IRC Server (ngirc)</h2>
+<div class="outline-text-2" id="text-org4f18360">
 <p>
 Run your own IRC chat channel which can be secured with a password and accessible via an onion address. A bouncer is included so that you can receive messages sent while you were offline. Works with Hexchat and other popular clients.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org9f28087" class="outline-2">
-<h2 id="org9f28087">Jitsi Meet</h2>
-<div class="outline-text-2" id="text-org9f28087">
+<div id="outline-container-orgc105f39" class="outline-2">
+<h2 id="orgc105f39">Jitsi Meet</h2>
+<div class="outline-text-2" id="text-orgc105f39">
 <p>
 Experimental WebRTC video conferencing system, similar to Google Hangouts. This may not be fully functional, but is hoped to be in the near future.
 </p>
 </div>
 </div>
 
-<div id="outline-container-orgbad5922" class="outline-2">
-<h2 id="orgbad5922">KanBoard</h2>
-<div class="outline-text-2" id="text-orgbad5922">
+<div id="outline-container-org10fbc88" class="outline-2">
+<h2 id="org10fbc88">KanBoard</h2>
+<div class="outline-text-2" id="text-org10fbc88">
 <p>
 A simple kanban system for managing projects or TODO lists.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org6529912" class="outline-2">
-<h2 id="org6529912">Koel</h2>
-<div class="outline-text-2" id="text-org6529912">
+<div id="outline-container-orgb3097e7" class="outline-2">
+<h2 id="orgb3097e7">Key Server</h2>
+<div class="outline-text-2" id="text-orgb3097e7">
+<p>
+An OpenPGP key server for storing and retrieving GPG public keys.
+</p>
+
+<p>
+<a href="./app_keyserver.html">How to use it</a>
+</p>
+</div>
+</div>
+<div id="outline-container-orga3542ee" class="outline-2">
+<h2 id="orga3542ee">Koel</h2>
+<div class="outline-text-2" id="text-orga3542ee">
 <p>
 Access your music collection from any internet connected device.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgc0eae1a" class="outline-2">
-<h2 id="orgc0eae1a">Lychee</h2>
-<div class="outline-text-2" id="text-orgc0eae1a">
+<div id="outline-container-orga662c8f" class="outline-2">
+<h2 id="orga662c8f">Lychee</h2>
+<div class="outline-text-2" id="text-orga662c8f">
 <p>
 Make your photo albums available on the web.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orga4bfc9d" class="outline-2">
-<h2 id="orga4bfc9d">Mailpile</h2>
-<div class="outline-text-2" id="text-orga4bfc9d">
+<div id="outline-container-orgccf23ee" class="outline-2">
+<h2 id="orgccf23ee">Mailpile</h2>
+<div class="outline-text-2" id="text-orgccf23ee">
 <p>
 Modern email client which supports GPG encryption.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org672b48e" class="outline-2">
-<h2 id="org672b48e">Matrix</h2>
-<div class="outline-text-2" id="text-org672b48e">
+<div id="outline-container-orgdee374a" class="outline-2">
+<h2 id="orgdee374a">Matrix</h2>
+<div class="outline-text-2" id="text-orgdee374a">
 <p>
 Multi-user chat with some security and moderation controls.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgce218ca" class="outline-2">
-<h2 id="orgce218ca">Mediagoblin</h2>
-<div class="outline-text-2" id="text-orgce218ca">
+<div id="outline-container-org7faaca0" class="outline-2">
+<h2 id="org7faaca0">Mediagoblin</h2>
+<div class="outline-text-2" id="text-org7faaca0">
 <p>
 Publicly host video and audio files so that you don't need to use YouTube/Vimeo/etc.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgb224245" class="outline-2">
-<h2 id="orgb224245">Mumble</h2>
-<div class="outline-text-2" id="text-orgb224245">
+<div id="outline-container-orgfa87291" class="outline-2">
+<h2 id="orgfa87291">Mumble</h2>
+<div class="outline-text-2" id="text-orgfa87291">
 <p>
 The popular VoIP and text chat system. Say goodbye to old-fashioned telephony conferences with silly dial codes. Also works well on mobile.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org2786fbb" class="outline-2">
-<h2 id="org2786fbb">NextCloud</h2>
-<div class="outline-text-2" id="text-org2786fbb">
+<div id="outline-container-org88bc444" class="outline-2">
+<h2 id="org88bc444">NextCloud</h2>
+<div class="outline-text-2" id="text-org88bc444">
 <p>
 Store files on your server and sync them with laptops or mobile devices. Includes many plugins including videoconferencing and collaborative document editing.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgaad15be" class="outline-2">
-<h2 id="orgaad15be">PI-Hole</h2>
-<div class="outline-text-2" id="text-orgaad15be">
+<div id="outline-container-orgd909087" class="outline-2">
+<h2 id="orgd909087">PI-Hole</h2>
+<div class="outline-text-2" id="text-orgd909087">
 <p>
 The black hole for web adverts. Block adverts at the domain name level within your local network. It can significantly reduce bandwidth, speed up page load times and protect your systems from being tracked by spyware.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org0cb789f" class="outline-2">
-<h2 id="org0cb789f">PostActiv</h2>
-<div class="outline-text-2" id="text-org0cb789f">
+<div id="outline-container-org54cc393" class="outline-2">
+<h2 id="org54cc393">PostActiv</h2>
+<div class="outline-text-2" id="text-org54cc393">
 <p>
 An alternative federated social networking system compatible with GNU Social. It includes some optimisations and fixes currently not available within the main GNU Social project.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org6b2db26" class="outline-2">
-<h2 id="org6b2db26">Profanity</h2>
-<div class="outline-text-2" id="text-org6b2db26">
+<div id="outline-container-orgbf4385b" class="outline-2">
+<h2 id="orgbf4385b">Profanity</h2>
+<div class="outline-text-2" id="text-orgbf4385b">
 <p>
 A shell based XMPP client which you can run on the Freedombone server via ssh.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org4dea572" class="outline-2">
-<h2 id="org4dea572">Riot Web</h2>
-<div class="outline-text-2" id="text-org4dea572">
+<div id="outline-container-orgda318c9" class="outline-2">
+<h2 id="orgda318c9">Riot Web</h2>
+<div class="outline-text-2" id="text-orgda318c9">
 <p>
 A browser based user interface for the Matrix federated communications system, including WebRTC audio and video chat.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org7e88433" class="outline-2">
-<h2 id="org7e88433">SearX</h2>
-<div class="outline-text-2" id="text-org7e88433">
+<div id="outline-container-org99449d0" class="outline-2">
+<h2 id="org99449d0">SearX</h2>
+<div class="outline-text-2" id="text-org99449d0">
 <p>
 A metasearch engine for customised and private web searches.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgcfc1af4" class="outline-2">
-<h2 id="orgcfc1af4">tt-rss</h2>
-<div class="outline-text-2" id="text-orgcfc1af4">
+<div id="outline-container-org761a652" class="outline-2">
+<h2 id="org761a652">tt-rss</h2>
+<div class="outline-text-2" id="text-org761a652">
 <p>
 Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via an onion address. Have "<i>the right to read</i>" without the Surveillance State knowing what you're reading. Also available with a user interface suitable for viewing on mobile devices via a browser such as OrFox.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org526d1e5" class="outline-2">
-<h2 id="org526d1e5">Syncthing</h2>
-<div class="outline-text-2" id="text-org526d1e5">
+<div id="outline-container-orga6e23d7" class="outline-2">
+<h2 id="orga6e23d7">Syncthing</h2>
+<div class="outline-text-2" id="text-orga6e23d7">
 <p>
 Possibly the best way to synchronise files across all of your devices. Once it has been set up it "just works" with no user intervention needed.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org43bcb4f" class="outline-2">
-<h2 id="org43bcb4f">Tahoe-LAFS</h2>
-<div class="outline-text-2" id="text-org43bcb4f">
+<div id="outline-container-org643b86b" class="outline-2">
+<h2 id="org643b86b">Tahoe-LAFS</h2>
+<div class="outline-text-2" id="text-org643b86b">
 <p>
 Robust and encrypted storage of files on one or more server.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org29d522e" class="outline-2">
-<h2 id="org29d522e">Tox</h2>
-<div class="outline-text-2" id="text-org29d522e">
+<div id="outline-container-org8eb9d12" class="outline-2">
+<h2 id="org8eb9d12">Tox</h2>
+<div class="outline-text-2" id="text-org8eb9d12">
 <p>
 Client and bootstrap node for the Tox chat/VoIP system.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org71eba9a" class="outline-2">
-<h2 id="org71eba9a">Turtl</h2>
-<div class="outline-text-2" id="text-org71eba9a">
+<div id="outline-container-org5a0e4e5" class="outline-2">
+<h2 id="org5a0e4e5">Turtl</h2>
+<div class="outline-text-2" id="text-org5a0e4e5">
 <p>
 A system for privately creating and sharing notes and images, similar to Evernote but without the spying.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org95cabfd" class="outline-2">
-<h2 id="org95cabfd">Vim</h2>
-<div class="outline-text-2" id="text-org95cabfd">
+<div id="outline-container-orgdeeab5b" class="outline-2">
+<h2 id="orgdeeab5b">Vim</h2>
+<div class="outline-text-2" id="text-orgdeeab5b">
 <p>
 If you use the Mutt client to read your email then this will set it up to use vim for composing new mail.
 </p>
 </div>
 </div>
 
-<div id="outline-container-org07897b8" class="outline-2">
-<h2 id="org07897b8">XMPP</h2>
-<div class="outline-text-2" id="text-org07897b8">
+<div id="outline-container-orgdbd802c" class="outline-2">
+<h2 id="orgdbd802c">XMPP</h2>
+<div class="outline-text-2" id="text-orgdbd802c">
 <p>
 Chat server which can be used together with client such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as <i>client state notification</i> to save battery power on your mobile devices, support for seamless roaming between networks and <i>message carbons</i> so that you can receive the same messages while being simultaneously logged in to your account on more than one device.
 </p>