Loading howto/static-component.md +39 −12 Original line number Diff line number Diff line Loading @@ -91,25 +91,27 @@ from a sysadmin perspective. User documentation lives in [doc/static-sites](doc/ ## Removing a component 1. remove the component to Puppet, in `modules/roles/misc/static-components.yaml` This procedure can be followed if we remove a static component. We should, however, generally keep a redirection to another place to avoid breaking links, so the instructions also include notes on how to keep a "vanity site" around. 2. remove the host to DNS, if not already present, see [howto/dns](howto/dns). this can be either in `dns/domains.git` or `dns/auto-dns.git` This procedure is common to all cases: 1. remove the component to Puppet, in `modules/roles/misc/static-components.yaml` 3. remove the Apache virtual host, by removing a line like this in 2. remove the Apache virtual host, by removing a line like this in [howto/puppet](howto/puppet) to `modules/roles/templates/static-mirroring/vhost/static-vhosts.erb`: vhost(lines, 'onionperf.torproject.org') 4. remove an SSL service, by removing a line in [howto/puppet](howto/puppet) to 3. remove an SSL service, by removing a line in [howto/puppet](howto/puppet) to `modules/roles/manifests/static_mirror_web.pp`: ssl::service { onionperf.torproject.org': ensure => 'ifstatic', notify => Exec['service apache2 reload'], key => true, } 5. remove the Let's encrypt certificate, see [howto/letsencrypt](howto/letsencrypt) for details 6. remove onion service, by removing another `onion::service` line in 4. remove onion service, by removing another `onion::service` line in [howto/puppet](howto/puppet) to `modules/roles/manifests/static_mirror_onion.pp`: onion::service { Loading 
@@ -118,19 +120,19 @@ from a sysadmin perspective. User documentation lives in [doc/static-sites](doc/ [...] } 7. remove the `sudo` rules for the role user 5. remove the `sudo` rules for the role user 8. remove the home directory specified on the server (often 6. remove the home directory specified on the server (often `staticiforme`, but can be elsewhere) and mirrors, for example: ssh staticiforme "mv /home/ooni /home/ooni-OLD ; echo rm -rf /home/ooni-OLD | at now + 7 days" cumin -o txt 'C:roles::static_mirror_web' 'mv /srv/static.torproject.org/mirrors/ooni.torproject.org /srv/static.torproject.org/mirrors/ooni.torproject.org-OLD' cumin -o txt 'C:roles::static_mirror_web' 'echo rm -rf /srv/static.torproject.org/mirrors/ooni.torproject.org-OLD | at now + 7 days' 9. consider removing the role user and group in LDAP, if there are no 7. consider removing the role user and group in LDAP, if there are no files left owned by that user 10. remove from Nagios, e.g.: 8. remove from Nagios, e.g.: - name: mirror static sync - atlas Loading 
@@ -138,6 +140,31 @@ from a sysadmin perspective. User documentation lives in [doc/static-sites](doc/ hosts: global servicegroups: mirror If we *do* want to keep a vanity site for the redirection, we should also do this: 1. add an entry to `roles::static_mirror_web_vanity`, in the `ssl::service` block of `modules/roles/manifests/static_mirror_web_vanity.pp` 2. add a redirect in the template (`modules/roles/templates/static-mirroring/vhost/vanity-vhosts.erb`), for example: Use vanity-host onionperf.torproject.org ^/(.*)$ https://gitlab.torproject.org/tpo/metrics/team/-/wikis/onionperf If we do *not* want to keep a vanity site, we should also do this: 2. remove the host to DNS, if not already present, see [howto/dns](howto/dns). this can be either in `dns/domains.git` or `dns/auto-dns.git` 3. remove the Let's encrypt certificate, see [howto/letsencrypt](howto/letsencrypt) for details To deploy the changes globally immediately, run this: ssh staticiforme puppet agent -t cumin 'C:roles::static_mirror_web or C:roles::static_mirror_web_vanity' 'puppet agent -t' ## Pager playbook TODO: add a pager playbook. Loading Loading
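Review bot: in the first hunk (`@@ -91,25 +91,27 @@`), the `ssl::service { onionperf.torproject.org':` example in the renumbered step 3 is missing the opening quote on the resource title, so it is not valid Puppet as written and does not match the line an operator will be searching for; it should read `ssl::service { 'onionperf.torproject.org':`. The step wording also still reads like the add procedure ("remove the component to Puppet", "by removing a line ... to `modules/...`"); since these lines are being renumbered anyway, change "to" to "from" so the direction of the change is unambiguous.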
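Review bot: in the second hunk (`@@ -118,19 +120,19 @@`), the renumbered step 5, "remove the `sudo` rules for the role user", names no file or howto page, unlike the Puppet steps before it, which each give a path. A sudo rule left behind for a retired role user is easy to overlook, so say where those rules are kept. In step 6, the `ssh staticiforme "mv ... ; echo rm -rf ... | at now + 7 days"` example queues the delayed delete even when the `mv` fails; joining the two commands with `&&` instead of `;` would avoid that.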
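Review bot: in the third hunk (`@@ -138,6 +140,31 @@`), the "If we do *not* want to keep a vanity site" list starts at "2." and has no step 1, and its first item still reads "remove the host to DNS, if not already present", which is the add procedure's condition and makes no sense for a removal. Renumber the list from 1 and reword the item to "remove the host from DNS", dropping "if not already present". It would also help to state in this branch that the DNS removal should land together with the vhost and `ssl::service` removal from the common steps, so the name is not left resolving to the mirrors with no matching virtual host in between.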