Blog of Raivo Laanemets

Stories about web development, freelancing and personal computers.

More infdot.com upgrade progress


The big upgrade process is pretty much finished. I managed to get the minor services migrated too and have shut down the old machine. I also improved the configuration of various things.

Gitolite

I was about to find out how to upgrade to version 3.x but discovered I was already running it. As it is mostly just script files, I did not do a full re-install.

To make Redmine see gitolite repos, UMASK in ~/.gitolite.rc has to be changed to 0027 and the user running Redmine (redmine in my case) has to be added to the gitolite user's main group (gitolite in my case). Here is a related StackOverflow thread.

Subversion

I had a single large repository but I decided to not cut it up into smaller git repos. Now I'm serving it over SSH as Nginx+svn is a no-go. I used a good tutorial from here.

As with gitolite, the Redmine user must be added to the svn user's main group.

Sitecheck

A script checking lots of sites for status code 200. During the upgrade I implemented an option to log failures only. The log file of the script is watched by a real-time third-party logging service.

Firewall

Decided to go with ufw. My configuration (http, https, smtp, ssh, ntp) looks like this:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
25                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
123                        ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere (v6)
80                         ALLOW IN    Anywhere (v6)
25                         ALLOW IN    Anywhere (v6)
443                        ALLOW IN    Anywhere (v6)
123                        ALLOW IN    Anywhere (v6)

One minor annoyance about ufw is that it stores configuration under /lib not under /etc. I use etckeeper which unfortunately does not version /lib (not that it should at all). There is a bug filed on it too.
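
An added example (not from the original post): a small Python check that parses `ufw status verbose` output like the listing above, compares the open ports with the intended service list, and flags rules given without a protocol, which ufw opens for both tcp and udp. The port-to-protocol mapping and the 8080/tcp sample rule are assumptions of this example.

```python
import re

# Services the post intends to expose. The protocol per port is an
# assumption of this example (ssh/http/smtp/https over tcp, ntp over udp).
EXPECTED = {22: "tcp", 80: "tcp", 25: "tcp", 443: "tcp", 123: "udp"}

# Constructed sample: the IPv4 rules from the post plus one stray rule
# (8080/tcp) that is not in the post, added to show drift detection.
SAMPLE = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
25                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
123                        ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
"""

# Matches "<port>[/proto][ (v6)]  ALLOW IN  <source>"
RULE = re.compile(r"^(\d+)(?:/(tcp|udp))?(?: \(v6\))?\s+ALLOW IN\s+(.+?)\s*$")

def audit(status_text):
    """Return a list of findings for `ufw status verbose` output."""
    findings = []
    if not re.search(r"^Status: active\s*$", status_text, re.M):
        findings.append("firewall is not active")
    if not re.search(r"^Default: deny \(incoming\)", status_text, re.M):
        findings.append("default incoming policy is not deny")
    for line in status_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, separator or non-rule line
        port, proto, source = int(m.group(1)), m.group(2), m.group(3)
        want = EXPECTED.get(port)
        if want is None:
            findings.append(f"{port} from {source}: not an intended service")
        elif proto is None:
            findings.append(f"{port} from {source}: tcp and udp both open, {want} needed")
        elif proto != want:
            findings.append(f"{port}/{proto} from {source}: expected {want}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the live firewall by passing the output of `ufw status verbose` to `audit()`; an empty list means the rules match the intended list and each is narrowed to one protocol.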

Init scripts

On my old server I did not put much effort into init scripts. This time I created one for each service that is not started by other means. Thin server for Redmine uses this. The feeds app uses this and the blog uses this.

Nginx conf improvements

Had to configure proper redirects from http to https and www to non-www. Added expire headers for static files. Configuration for the feeds app is here and for the blog is here.

Also configured the default server for Nginx. It can be accessed from http://109.74.197.220/ and the source is here. This is shown whenever someone asks the server for a domain for which the server has not been configured.

Missing favicons and robots.txts

I created some of these but I'm not entirely sure whether it's better to serve empty robots.txt or send status 404. 404's on robots.txt can be easily removed from error logs but every site should have a favicon. It's easier to navigate browser tabs with them.

Finishing up

By now I have everything running on the new machine. I will set up proper backups in the next week and keep an eye on the logs to iron out the last possible quirks.

