... | ... | @@ -91,25 +91,27 @@ from a sysadmin perspective. User documentation lives in [doc/static-sites](doc/ |
|
|
|
|
|
## Removing a component
|
|
|
|
|
|
1. remove the component to Puppet, in `modules/roles/misc/static-components.yaml`
|
|
|
This procedure can be followed if we remove a static component. We
|
|
|
should, however, generally keep a redirection to another place to
|
|
|
avoid breaking links, so the instructions also include notes on how to
|
|
|
keep a "vanity site" around.
|
|
|
|
|
|
2. remove the host to DNS, if not already present, see [howto/dns](howto/dns). this
|
|
|
can be either in `dns/domains.git` or `dns/auto-dns.git`
|
|
|
This procedure is common to all cases:
|
|
|
|
|
|
1. remove the component to Puppet, in `modules/roles/misc/static-components.yaml`
|
|
|
|
|
|
3. remove the Apache virtual host, by removing a line like this in
|
|
|
2. remove the Apache virtual host, by removing a line like this in
|
|
|
[howto/puppet](howto/puppet) to
|
|
|
`modules/roles/templates/static-mirroring/vhost/static-vhosts.erb`:
|
|
|
|
|
|
vhost(lines, 'onionperf.torproject.org')
|
|
|
|
|
|
4. remove an SSL service, by removing a line in [howto/puppet](howto/puppet) to
|
|
|
3. remove an SSL service, by removing a line in [howto/puppet](howto/puppet) to
|
|
|
`modules/roles/manifests/static_mirror_web.pp`:
|
|
|
|
|
|
ssl::service { onionperf.torproject.org': ensure => 'ifstatic', notify => Exec['service apache2 reload'], key => true, }
|
|
|
|
|
|
5. remove the Let's encrypt certificate, see [howto/letsencrypt](howto/letsencrypt) for details
|
|
|
|
|
|
6. remove onion service, by removing another `onion::service` line in
|
|
|
4. remove onion service, by removing another `onion::service` line in
|
|
|
[howto/puppet](howto/puppet) to `modules/roles/manifests/static_mirror_onion.pp`:
|
|
|
|
|
|
onion::service {
|
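Review bot: the new step 1 still says "remove the component to Puppet", and steps 2 to 4 keep "by removing a line in [howto/puppet](howto/puppet) to `modules/...`", wording that reads as carried over from the procedure for adding a component. Suggest "remove the component from Puppet, in `modules/roles/misc/static-components.yaml`" and "by removing a line ... from" the named file, so the removal steps cannot be misread as additions. As rendered here, the `ssl::service` example also lacks the opening quote before `onionperf.torproject.org'`, which is worth checking in the source file.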
... | ... | @@ -118,19 +120,19 @@ from a sysadmin perspective. User documentation lives in [doc/static-sites](doc/ |
|
|
[...]
|
|
|
}
|
|
|
|
|
|
7. remove the `sudo` rules for the role user
|
|
|
5. remove the `sudo` rules for the role user
|
|
|
|
|
|
8. remove the home directory specified on the server (often
|
|
|
6. remove the home directory specified on the server (often
|
|
|
`staticiforme`, but can be elsewhere) and mirrors, for example:
|
|
|
|
|
|
ssh staticiforme "mv /home/ooni /home/ooni-OLD ; echo rm -rf /home/ooni-OLD | at now + 7 days"
|
|
|
cumin -o txt 'C:roles::static_mirror_web' 'mv /srv/static.torproject.org/mirrors/ooni.torproject.org /srv/static.torproject.org/mirrors/ooni.torproject.org-OLD'
|
|
|
cumin -o txt 'C:roles::static_mirror_web' 'echo rm -rf /srv/static.torproject.org/mirrors/ooni.torproject.org-OLD | at now + 7 days'
|
|
|
|
|
|
9. consider removing the role user and group in LDAP, if there are no
|
|
|
7. consider removing the role user and group in LDAP, if there are no
|
|
|
files left owned by that user
|
|
|
|
|
|
10. remove from Nagios, e.g.:
|
|
|
8. remove from Nagios, e.g.:
|
|
|
|
|
|
-
|
|
|
name: mirror static sync - atlas
|
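Review bot: step 7 (formerly 9) makes the LDAP removal conditional on "no files left owned by that user", but step 6 only renames the home and mirror directories to `-OLD` and defers the `rm -rf` by 7 days through `at`, so files owned by the role user still exist when the reader reaches step 7. Suggest stating that the LDAP user and group are removed only after the `at` jobs have run, or adding a check for remaining files to the step. In the step 6 example, the `;` in `mv /home/ooni /home/ooni-OLD ; echo rm -rf /home/ooni-OLD | at now + 7 days` also queues the deletion even when the `mv` fails, which `&&` would avoid.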
... | ... | @@ -138,6 +140,31 @@ from a sysadmin perspective. User documentation lives in [doc/static-sites](doc/ |
|
|
hosts: global
|
|
|
servicegroups: mirror
|
|
|
|
|
|
If we *do* want to keep a vanity site for the redirection, we should
|
|
|
also do this:
|
|
|
|
|
|
1. add an entry to `roles::static_mirror_web_vanity`, in the
|
|
|
`ssl::service` block of
|
|
|
`modules/roles/manifests/static_mirror_web_vanity.pp`
|
|
|
|
|
|
2. add a redirect in the template
|
|
|
(`modules/roles/templates/static-mirroring/vhost/vanity-vhosts.erb`),
|
|
|
for example:
|
|
|
|
|
|
Use vanity-host onionperf.torproject.org ^/(.*)$ https://gitlab.torproject.org/tpo/metrics/team/-/wikis/onionperf
|
|
|
|
|
|
If we do *not* want to keep a vanity site, we should also do this:
|
|
|
|
|
|
2. remove the host to DNS, if not already present, see [howto/dns](howto/dns). this
|
|
|
can be either in `dns/domains.git` or `dns/auto-dns.git`
|
|
|
|
|
|
3. remove the Let's encrypt certificate, see [howto/letsencrypt](howto/letsencrypt) for details
|
|
|
|
|
|
To deploy the changes globally immediately, run this:
|
|
|
|
|
|
ssh staticiforme puppet agent -t
|
|
|
cumin 'C:roles::static_mirror_web or C:roles::static_mirror_web_vanity' 'puppet agent -t'
|
|
|
|
|
|
## Pager playbook
|
|
|
|
|
|
TODO: add a pager playbook.
|
... | ... | |
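Review bot: the list under "If we do *not* want to keep a vanity site" starts at 2 and 3, and its DNS item still reads "remove the host to DNS, if not already present", a condition that only makes sense when adding a host. Suggest renumbering the two items to 1 and 2 and wording the first as "remove the host from DNS, see [howto/dns](howto/dns)". It would also help to say in the vanity branch that the DNS record and the Let's Encrypt certificate are kept on purpose, since those removals now appear only in the no-vanity branch.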