How I am upgrading this server

Fri 09 June 2017 // posts

The time has come for me to upgrade the server where I run this blog. It's not that Debian 6 (squeeze) wouldn't serve me well for another 6 years; however, I'm taking this chance to start from scratch by reviewing every service configuration and starting to use adequate tools for deploying changes.

Changes, changes...

I'm making this post now that I'm able to manage anything on the server, with confidence, just by running an Ansible playbook...or I can simply rebuild the whole server from scratch the same way :)

In fact, this is how I test before triggering live changes.

After making changes and before pushing them to master:
1) I use Vagrant to test the playbook locally, on a clean state VM.
2) If everything looks fine, I push the change to master.
3) A Jenkins pipeline is triggered, which in turn makes some tests using Vagrant as well.
4) If tests pass, the playbook is executed against the live environment.
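
One way the test stage in steps 3 and 4 could gate the live run, as an added example that is not the pipeline used for this server. The names site.yml and inventory/live are assumptions, as is a Vagrantfile in the repository root that uses the ansible provisioner; the second provisioning run checks that a re-run changes nothing.

```shell
#!/bin/sh
# Added example, not the author's pipeline. Assumed names: site.yml,
# inventory/live, and a Vagrantfile that provisions the VM with Ansible.

# recap_clean MODE: read Ansible output on stdin and judge its PLAY RECAP lines.
#   first  -> no host may report failed or unreachable tasks
#   second -> additionally no host may report changed tasks (idempotence)
# Also fails when no recap line is present, e.g. the run aborted early.
recap_clean() {
    awk -v mode="$1" '
        /ok=[0-9]+/ && /changed=[0-9]+/ && /unreachable=[0-9]+/ && /failed=[0-9]+/ {
            seen = 1
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if ((kv[1] == "failed" || kv[1] == "unreachable") && kv[2] + 0 > 0) bad = 1
                if (mode == "second" && kv[1] == "changed" && kv[2] + 0 > 0) bad = 1
            }
        }
        END { exit !(seen && !bad) }
    '
}

# gate PLAYBOOK: syntax check, provision a clean VM, provision again, clean up.
gate() {
    playbook=${1:-site.yml}
    ansible-playbook --syntax-check "$playbook" || return 1
    vagrant destroy -f                          # always start from a clean state
    vagrant up --provision 2>&1 | tee first.log
    recap_clean first < first.log || { vagrant destroy -f; return 1; }
    vagrant provision 2>&1 | tee second.log
    rc=0
    recap_clean second < second.log || rc=$?
    vagrant destroy -f
    return "$rc"
}

# Only touch the live host when asked to, and only if the gate passed.
if [ "${1:-}" = "live" ]; then
    gate site.yml && ansible-playbook -i inventory/live site.yml
fi
```

Saved under a name of your choice and called with the argument `live` from a Jenkins `sh` step, it returns non-zero (failing the stage) whenever the VM run fails or is not idempotent.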

What I am managing

  • Reverse proxy
  • Network bits
  • Multiple domains
    • DNS SOA
    • HTTP servers
    • email services

I could (and should) be using existing Ansible roles by now. Instead I decided to build them all (mostly) so I can get familiar with Ansible internals. This is what I came up with so far:

  • jubaldo.bind: install bind9 and create zone dbs
  • jubaldo.certbot: install certbot and request / renew certificates for multiple domains
  • create a filesystem structure for users and domains
  • jubaldo.dovecot: install and configure dovecot imap service
  • jubaldo.exim4: install and configure exim4 smtp service and spamassassin
  • jubaldo.fail2ban: install and configure fail2ban
  • jubaldo.firewall: set up iptables
  • jubaldo.isso: install and configure Isso
  • jubaldo.openvpn: install and configure openvpn

So long, WordPress

I waved goodbye to WordPress and its very close friends (PHP, MySQL, Apache) but welcomed Pelican, a static blog site generator, plus Isso, a commenting service for static sites. I'm loving this combo! :)
In terms of the new deployment process, every time I make a new post or a change and push it to master, a Jenkins pipeline is triggered: the blog is built and deployed, using the Ansible synchronize and file modules.
This is what the blog's Jenkinsfile looks like:

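stage('Build') {
    // Build the site inside a throwaway virtualenv in the workspace
    sh "virtualenv _py"
    withEnv(["PATH=${env.WORKSPACE}/_py/bin:${env.PATH}"]) {
        sh "pip install -r requirements.txt"
        sh "make clean publish"
    }
}

stage('Deploy') {
    // deploy_host, deploy_path and the user/group variables are defined outside this excerpt
    // Copy the generated site to the target host
    sh "/usr/bin/ansible -b -i \"${deploy_host},\" ${deploy_host} -u ${ansible_remote_user} -m synchronize -a \"src=output/ dest=${deploy_path}\""
    // Set owner, group and mode; recurse=True applies them to every file below deploy_path too
    sh "/usr/bin/ansible -b -i \"${deploy_host},\" ${deploy_host} -u ${ansible_remote_user} -m file -a \"name=${deploy_path} state=directory recurse=True owner=${remote_user} group=${remote_group} mode='0750'\""
}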

All of this has been a fun and motivating process so far :)