This will be of interest only to admins who run a Libravatar master server using the libravatar-master package and who want to add a new slave.

Initial setup

Do this on the slave:

  1. install the apt-transport-https package
  2. add the Libravatar apt repository:

    echo "deb https://apt.libravatar.org/ jessie main" >> /etc/apt/sources.list
    gpg --keyserver pgp.net.nz --recv 007c98d1
    gpg -a --export 007c98d1 | apt-key add -
    
  3. install the required packages on the slave:

    apt update
    apt install libravatar-{common,cdn-common,cdn,seccdn,slave}
    
  4. put the following global TLS config in /etc/apache2/conf-available/tls.conf:

    SSLHonorCipherOrder On
    SSLCompression Off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
    
  5. enable the newly-added TLS config:

    a2enconf tls
    
  6. reduce apache log retention to 10 days in /etc/logrotate.d/apache and enable the removeip apache module:

    a2enmod removeip
    systemctl restart apache2
    
  7. make sure cron errors go somewhere by adding this to /etc/aliases:

    libravatar-slave: mirrors@libravatar.org
    
  8. update the postfix config:

    newaliases
    /etc/init.d/postfix reload
    
  9. if running fcheck on the slave, add this to /etc/fcheck/fcheck.local.cfg:

    Exclusion      = /etc/libravatar/seccdn-chain.pem
    Exclusion      = /etc/libravatar/seccdn.crt
    Exclusion      = /etc/libravatar/seccdn.pem
    

Do this on the master:

  1. add the slave's ssh pubkey (in /var/lib/libravatar/slave/.ssh/id_rsa.pub) to /var/lib/libravatar/master/.ssh/authorized_keys using an entry that looks like this:

    from="1.2.3.4",no-X11-forwarding,no-user-rc,no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3Nza...quq5x root@cdn3
    
  2. ensure that the sshuser user can connect via ssh:

    adduser libravatar-master sshuser
    

Within about 15 minutes, you should see these files pop up on the slave:

  • /var/lib/libravatar/slave/cert/chain.pem
  • /var/lib/libravatar/slave/cert/seccdn.pem
  • /var/lib/libravatar/slave/cert/seccdn.crt

Testing the new mirror

Given a new slave with an IP address of 192.0.2.10, then you can put this in your local /etc/hosts:

192.0.2.10    cdn.libravatar.org seccdn.libravatar.org

and then lookup images using the test tool.

Adding the new mirror to the DNS load-balancer

  1. Add these two DNS records in the libravatar.org zone:

    cdn      A    10   123.123.123.123
    seccdn   A    10   123.123.123.123
    cdn      AAAA 10   dead::beef
    seccdn   AAAA 10   dead::beef
    
  2. Add the same records to the JSON zone file and then use namecoind to update the libravatar.bit zone:

    namecoind name_update d/libravatar "`xargs echo < config/dns.json`"
    

SSL testing

Once the DNS zone has been updated, use the SSL Labs tool to make sure that the SSL config for the new mirror matches the other ones. In particular, it is important that the new mirror does not require the use of SNI since it's not supported on old operating systems.

If there are any problems, simply take the new mirror out of the seccdn CNAME group. The bandwidth requirements for HTTP are much bigger, so it's fine to have fewer mirrors doing HTTPS.

Basic monitoring

At the very least, add something like http://ismyblogworking.com/1.cdn.libravatar.org/working.html to your feed reader.

Enabling stats on the slave (optional)

  1. install awstats:

    apt-get install awstats
    
  2. add this to /etc/awstats/awstats.conf.local:

    SiteDomain="libravatar.org"
    LogType=W
    LogFormat=1
    
  3. make the reports available:

    ln -s /usr/share/awstats/icon/ /var/www/html/awstats-icon
    ln -s /var/cache/awstats/ /var/www/html/stats
    
  4. serve that directory using Apache by putting the following in /etc/apache/sites-enabled/000-default.conf:

    <Directory />
           Options FollowSymLinks
           AllowOverride None
    </Directory>
    <Directory /var/www/html/>
           Options Indexes FollowSymLinks MultiViews
           AllowOverride None
           Require all granted
    </Directory>
    

Enable automated deployments (optional)

  1. install the deployment package:

    apt-get install libravatar-deployment
    
  2. add your ssh user to the libravatar-deployment group:

    adduser francois libravatar-deployment