This will be of interest only to admins who run a Libravatar master server using the libravatar-master package and who want to add a new slave.

Initial setup

Do this on the slave:

  1. make sure NTP is installed and running
  2. add the Libravatar apt repository:

    echo "deb jessie main" >> /etc/apt/sources.list
    gpg --keyserver --recv 007c98d1
    gpg -a --export 007c98d1 | apt-key add -
  3. install the required packages on the slave:

    apt-get update
    apt-get install libravatar-{common,cdn-common,cdn,seccdn,slave}
  4. create SSL certificate placeholders:

    touch /etc/libravatar/seccdn-chain.pem
    touch /etc/libravatar/seccdn.pem
    touch /etc/libravatar/seccdn.crt
  5. make sure cron errors go somewhere by adding this to /etc/aliases:

  6. update the postfix config:

    /etc/init.d/postfix reload
  7. if running fcheck on the slave, add this to /etc/fcheck/fcheck.local.cfg:

    Exclusion      = /etc/libravatar/seccdn-chain.pem
    Exclusion      = /etc/libravatar/seccdn.crt
    Exclusion      = /etc/libravatar/seccdn.pem

Do this on the master:

  1. add the slave's ssh pubkey (in /var/lib/libravatar/slave/.ssh/) to /var/lib/libravatar/master/.ssh/authorized_keys using an entry that looks like this:

    from="",no-X11-forwarding,no-user-rc,no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3Nza...quq5x root@cdn3

Within about 15 minutes, you should see these files pop up on the slave:

  • /var/lib/libravatar/slave/cert/chain.pem
  • /var/lib/libravatar/slave/cert/seccdn.pem
  • /var/lib/libravatar/slave/cert/seccdn.crt
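
An added example (not from the original page or the Libravatar project): a small audit for the master's authorized_keys that checks each slave key carries a non-empty from= restriction and the no-* options used in the entry above. The sample file, its addresses and key blobs are constructed, and accepting `restrict` in place of the individual options is an assumption for newer OpenSSH versions.

```python
import re

# Restrictions carried by the page's entry for the slave key (names lowercased).
REQUIRED = {"no-x11-forwarding", "no-user-rc", "no-pty",
            "no-agent-forwarding", "no-port-forwarding"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# One option: name, optional ="quoted value" (backslash escapes allowed), separator.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(,|\s+|$)')

def audit_entry(line):
    """Return the findings for one authorized_keys line ([] means it passes)."""
    opts, pos = {}, 0
    if not line.startswith(KEY_TYPES):        # line begins with an option list
        while True:
            m = OPTION.match(line, pos)
            if not m:
                return ["option list could not be parsed"]
            opts[m.group(1).lower()], pos = m.group(2), m.end()
            if m.group(3) != ",":
                break
    if not line.startswith(KEY_TYPES, pos):
        return ["no key type after the option list"]
    findings = []
    patterns = [p for p in (opts.get("from") or "").split(",") if p]
    if not patterns:
        findings.append("from= missing or empty")
    elif "*" in patterns:
        findings.append("from= matches every host")
    # 'restrict' enables all of the no-* restrictions in a single option.
    missing = set() if "restrict" in opts else REQUIRED - set(opts)
    if missing:
        findings.append("missing: " + ", ".join(sorted(missing)))
    return findings

def audit_file(text):
    """Map line number -> findings for each key entry that fails the audit."""
    lines = enumerate((l.strip() for l in text.splitlines()), 1)
    checked = {n: audit_entry(l) for n, l in lines if l and not l.startswith("#")}
    return {n: f for n, f in checked.items() if f}

# Constructed sample: documentation-range addresses, fake key blobs.
SAMPLE = '''\
from="192.0.2.10",no-X11-forwarding,no-user-rc,no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaFAKE1 root@cdn1
from="",no-X11-forwarding,no-user-rc,no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaFAKE2 root@cdn2
from="2001:db8::3",no-pty ssh-ed25519 AAAAC3NzaFAKE3 root@cdn3
ssh-rsa AAAAB3NzaFAKE4 root@cdn4
'''

if __name__ == "__main__":
    print(audit_file(SAMPLE))
```

To audit the real file, pass the contents of /var/lib/libravatar/master/.ssh/authorized_keys to audit_file(); an empty result means every entry passed.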

Testing the new mirror

Given a new slave with an IP address of, then you can put this in your local /etc/hosts:

and then look up images using the test tool.

Adding the new mirror to the DNS load-balancer

  1. Add these two DNS records in the zone:

    cdn      A    10
    seccdn   A    10
    cdn      AAAA 10   dead::beef
    seccdn   AAAA 10   dead::beef
  2. Add the same records to the JSON zone file and then use namecoind to update the libravatar.bit zone:

    namecoind name_update d/libravatar "`xargs echo < config/dns.json`"

SSL testing

Once the DNS zone has been updated, use the SSL Labs tool to make sure that the SSL config for the new mirror matches the other ones. In particular, it is important that the new mirror does not require the use of SNI since it's not supported on old operating systems.

If there are any problems, simply take the new mirror out of the seccdn CNAME group. The bandwidth requirements for HTTP are much bigger, so it's fine to have fewer mirrors doing HTTPS.

Basic monitoring

At the very least, add something like to your feed reader.

Enabling stats on the slave (optional)

  1. install awstats:

    apt-get install awstats
  2. add this to /etc/awstats/awstats.conf.local:

  3. make the reports available:

    ln -s /usr/share/awstats/icon/ /var/www/html/awstats-icon
    ln -s /var/cache/awstats/ /var/www/html/stats
  4. serve that directory using Apache by putting the following in /etc/apache/sites-enabled/000-default.conf:

    <Directory />
           Options FollowSymLinks
           AllowOverride None
    </Directory>
    <Directory /var/www/html/>
           Options Indexes FollowSymLinks MultiViews
           AllowOverride None
           Require all granted
    </Directory>

Enable automated deployments (optional)

  1. install the deployment package:

    apt-get install libravatar-deployment
  2. add your ssh user to the libravatar-deployment group:

    adduser francois libravatar-deployment