Obsolete: this page refers to the pre-2019 Libravatar service.

This will be of interest only to admins who run a Libravatar master server using the libravatar-master package and who want to add a new slave.

Initial setup

Do this on the slave:

1. install the apt-transport-https package

2. add the Libravatar apt repository:

   echo "deb https://apt.libravatar.org/ jessie main" >> /etc/apt/sources.list
   gpg --keyserver pgp.net.nz --recv 007c98d1
   gpg -a --export 007c98d1 | apt-key add -
   

3. install the required packages on the slave:

   apt update
   apt install libravatar-{common,cdn-common,cdn,seccdn,slave}
   

4. put the following global TLS config in /etc/apache2/conf-available/tls.conf:

   SSLHonorCipherOrder On
   SSLCompression Off
   SSLUseStapling on
   SSLStaplingResponderTimeout 5
   SSLStaplingReturnResponderErrors off
   SSLStaplingCache shmcb:/var/run/ocsp(128000)
   

5. enable the newly-added TLS config:

   a2enconf tls
   

6. reduce apache log retention to 10 days in /etc/logrotate.d/apache and enable the removeip apache module:

   a2enmod removeip
   systemctl restart apache2
   

7. make sure cron errors go somewhere by adding this to /etc/aliases:

   libravatar-slave: mirrors@libravatar.org
   

8. update the postfix config:

   newaliases
   /etc/init.d/postfix reload
   

9. if running fcheck on the slave, add this to /etc/fcheck/fcheck.local.cfg:

   Exclusion      = /etc/libravatar/seccdn-chain.pem
   Exclusion      = /etc/libravatar/seccdn.crt
   Exclusion      = /etc/libravatar/seccdn.pem
   

Do this on the master:

1. add the slave's ssh pubkey (in /var/lib/libravatar/slave/.ssh/id_rsa.pub) to /var/lib/libravatar/master/.ssh/authorized_keys using an entry that looks like this:

   from="1.2.3.4",no-X11-forwarding,no-user-rc,no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3Nza...quq5x root@cdn3
   

2. ensure that the sshuser user can connect via ssh:

   adduser libravatar-master sshuser
   

Within about 15 minutes, you should see these files pop up on the slave:

• /var/lib/libravatar/slave/cert/chain.pem
• /var/lib/libravatar/slave/cert/seccdn.pem
• /var/lib/libravatar/slave/cert/seccdn.crt

Testing the new mirror

Given a new slave with an IP address of 192.0.2.10, then you can put this in your local /etc/hosts:

192.0.2.10    cdn.libravatar.org seccdn.libravatar.org

and then lookup images using the test tool.

Adding the new mirror to the DNS load-balancer

Add these two DNS records in the libravatar.org zone:

cdn      A    10   123.123.123.123
seccdn   A    10   123.123.123.123
cdn      AAAA 10   dead::beef
seccdn   AAAA 10   dead::beef

SSL testing

Once the DNS zone has been updated, use the SSL Labs tool to make sure that the SSL config for the new mirror matches the other ones.

If there are any problems, simply take the new mirror out of the seccdn CNAME group.

Basic monitoring

At the very least, add something like http://ismyblogworking.com/1.cdn.libravatar.org/working.html to your feed reader.

Enabling stats on the slave (optional)

1. install awstats:

   apt-get install awstats
   

2. add this to /etc/awstats/awstats.conf.local:

   SiteDomain="libravatar.org"
   LogType=W
   LogFormat=1
   

3. make the reports available:

   ln -s /usr/share/awstats/icon/ /var/www/html/awstats-icon
   ln -s /var/cache/awstats/ /var/www/html/stats
   

4. serve that directory using Apache by putting the following in /etc/apache/sites-enabled/000-default.conf:

   <Directory />
          Options FollowSymLinks
          AllowOverride None
   </Directory>
   <Directory /var/www/html/>
          Options Indexes FollowSymLinks MultiViews
          AllowOverride None
          Require all granted
   </Directory>
   

Enable automated deployments (optional)

1. install the deployment package:

   apt-get install libravatar-deployment
   

2. add your ssh user to the libravatar-deployment group:

   adduser francois libravatar-deployment