As I mentioned in my last post, I have been working on the migration of my blog; well, it is now complete. This is my first post powered by Jekyll. So far everything appears to be working as expected, but I'm sure I'll find niggles that need fixing as time goes on.
So I have been working away in the background on the migration of my blog away from the Apache Roller platform that I currently use. One of the issues that annoyed me, and that I never got around to fixing (although it would probably have been easy to fix), is that all my posts appear at a URL that includes the word "blog" twice. It was redundant and irritated me, and because I never fixed it, removing it means that when I migrate the blog I'll need to set up redirects for the old links to keep working. That also annoys me, but it is the cost of this migration, I suppose. So I am going to do a review of the process: what I wanted to do, how far I have got, how I did it, and what is left to do.
I said I was going to migrate my blog some time ago, off Apache Roller, which it currently runs on, and onto Jekyll (probably). Well, since then I've basically not done a lot, but I have now hit a minor milestone: I have managed to migrate my blog content to a new Jekyll site. It's not ready for me to publish yet; I still have a lot to learn about how to use and set up Jekyll, and I either want to match the URL layout of my current blog as closely as possible, or at the very least map out the URL rewrites I'm going to need so that any existing links continue to work. But for this milestone I needed to get the content out of the Roller database and into Jekyll, and for that I found the RSS importer not quite up to what I wanted. So, in the true spirit of open source, I took the available tools, hacked around with them until I got something that worked for me, and then, as I may not be the only one that needs this, I raised a pull request.
I normally shy away from giving a set of instructions for how to do something. There are two reasons for this: often there are already better instructions on the internet than I could write, and it is very easy to give incomplete or incorrect instructions that, when blindly followed, leave people in a bad situation that they don't know is bad. However, I need to have faith in my own knowledge, and I need to stretch myself.
So with this in mind, following Microsoft's purchase of GitHub, I have finally got around to building my own git server. This is something I have wanted to do for some time, but have always shied away from. Well, now I have done it, and I have also written a guide for others to follow on how to do the same.
I have started to look into rebuilding my blog based on Jekyll. Part of this will mean changing code, which will need version control. As I mentioned when talking about my new hosted website, this can be done in git. That git repository is just a local repository though (not counting the copies pushed up to the server). It's probably about time I had some public code repositories (not including the professional ones I have worked on; those have always been kept separate from my personal identity). However, it looks like Microsoft are buying GitHub. The timing isn't great, but I'm a resourceful sysadmin; maybe it's time to host my own. Also, the timing could be worse: I could be invested in hosting the repositories with GitHub. So I'm going to look into Gitea as an option for hosting my own code repository. I'll let you know how it goes.
So I mentioned that I had registered a new domain recently. I also mentioned that I was going to host a website for this on the virtual private servers I have for my mail servers. I had a couple of prerequisites that needed meeting before setting this up.
I have always been sceptical of the new generic top level domains, I saw them as ICANN shamelessly cashing in on something it had the power to control. Because of this I have until now avoided them. However my current domain name is quite long, and I have for a long time wanted something shorter, but the good ones that may be applicable to me have all been taken.
But the time has come to admit that the new generic top level domains are here to stay, so I have swallowed my pride, and found that most of the good names are gone already anyway. But one was available that was suitable, so I have registered stewart.zone. I'm going to use it to set up a website that isn't hosted on my home connection. For this I'm going to use the hosted virtual servers I already have for my mail servers. That is going to need me to set up a backup process for them, as they will no longer just be mail servers; rather than trust my ability to reconfigure a new server from scratch, I'm going to trust in my ability to back up the configurations in a sensible way, and save myself the trouble of having to manually rebuild them if they go wrong.
Also this will give me an opportunity to build a website that isn't quite so ugly, and also isn't lumbered with some of the "features" of my current site that I haven't had the heart to do away with, but are a bit rubbish. Once this is done successfully I'll look at migrating my current site over to the new hosts, and the new design, and then I won't need to open up firewall rules on my router any more.
So I've had my mail servers set up and working for a month now, and there are a few things I haven't done. My old mail server is still set to send from a domain of craig-james-stewart.co.uk by default, and it is no longer in the SPF record as a sender for that domain, so I have had to fix that so that I can continue to receive emails from it seamlessly. I've also had to alter the contact form on my website for the same reason. As well as these minor tweaks, I have come to the realisation that I ignored time drift when setting up the mail servers. That is easily corrected by installing ntpd in its default configuration on Debian, apart from having to let NTP through my rather strict iptables rules. Having fixed that, the only thing left to do is configure certbot to auto-renew my SSL certificates, which is as simple as adding a couple of cron entries. So now I have two mail servers that will continue to work with little maintenance effort. I still need to look at DKIM and DMARC, but those can wait.
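As an added example (not the post's own configuration), here is what those two remaining fixes look like on a Debian host whose iptables INPUT and OUTPUT chains both default to DROP: a rule pair that lets ntpd reach its upstream servers and receive the replies, and a cron.d entry that has certbot renew certificates and reload the daemons holding them. The chain layout, the hook command, the schedule and the file name /etc/cron.d/certbot-renew are assumptions; set IPT=echo to preview the firewall rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): firewall rules for ntpd and a
# cron.d entry for certbot on a Debian mail server whose iptables INPUT and
# OUTPUT chains both default to DROP.  Assumes iptables, ntpd and certbot
# are installed.  Set IPT=echo to print the rules instead of applying them;
# run with the argument "apply" to actually install everything.
set -u
IPT="${IPT:-iptables}"
CRON_FILE="${CRON_FILE:-/etc/cron.d/certbot-renew}"   # assumed file name

# Debian's default ntpd polls the pool servers from UDP/123 to UDP/123.
# Only the outbound request needs opening; the reply is let back in by the
# conntrack ESTABLISHED match, so port 123 is never open to the world.
allow_ntp_client() {
    "$IPT" -A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A INPUT -p udp --sport 123 -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# "certbot renew" does nothing until a cert is within 30 days of expiry, so
# running it twice a day is cheap.  --deploy-hook runs only when a cert was
# actually renewed (older certbot releases have only --post-hook) and
# reloads the daemons that still have the old certificate loaded.  The odd
# minute keeps the run off the top of the hour, where everyone else's is.
certbot_cron_lines() {
    cat <<'EOF'
# m  h     dom mon dow user command
17   3,15  *   *   *   root certbot renew --quiet --deploy-hook "systemctl reload postfix dovecot apache2"
EOF
}

install_certbot_cron() {
    certbot_cron_lines > "$CRON_FILE"
    chmod 0644 "$CRON_FILE"
}

# Running without arguments only defines the functions.
if [ "${1:-}" = "apply" ]; then
    allow_ntp_client
    install_certbot_cron
fi
```

A few minutes after applying, `ntpq -p` should show a `*` against one peer, meaning the clock is now disciplined by it. Note that Debian's certbot package already ships /etc/cron.d/certbot, which runs `certbot -q renew` twice a day; if that file is present, add the hook there rather than maintaining a second entry.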
In my last blog post I set up apache and certbot and got the SSL certificates I needed for my new mail server. So this post was going to be about postfix, but as I found a handy guide online I followed some of it to get what I wanted. That is to say, I followed the steps that made sense, skipped the ones that conflicted with my requirements, and altered the ones that didn't apply because of changes I had made. This gave me a reasonable set up, on two servers, that could each act independently, but lacked the mailbox sync to allow me to use them as a single mail infrastructure. To be fair, the only things that really needed changing in any great detail were the dovecot userdb settings, to allow doveadm to enumerate the users and get the correct settings; most of the remaining changes were trivial (SSL cert locations, for example). I also skipped all of the optional extras (like roundcube and phpmyadmin). After this I had to configure dovecot mailbox sync as per their guide, and tweak the SSL settings to harden them, and now I have new mail servers. It took longer than I would like, and I have less to say than I have for the previous steps. But all is now working. I have however decided to look into DKIM and DMARC settings, as I have already configured SPF and there is a nice guide to follow linked from the comments on the guide I followed to get postfix installed and working.
So after my last blog post I decided that this one should be less rushed, and more practised and tested, which turns out to be a good thing. After my last blog post the hosted servers I have didn't work over IPv6. This was due to the hosting firm's use of SLAAC to configure the external IPv6 address and routing, combined with my use of iptables to block all traffic that wasn't otherwise allowed. I had allowed ICMP echo requests on IPv4, but those commands raised an error when I transposed them to IPv6, so I left them out. That broke SLAAC, which depends on ICMPv6 (router advertisements and neighbour discovery) to work at all. That has been rectified now. So onto apache, and SSL certs. One of the requirements I had for these servers was the ability to swap between them via DNS, and as I do not know how to configure postfix to use multiple SSL certs based upon the domain that is being connected to, I decided the easiest way to do that would be to get, for each server, a cert that also covers the shared domain name, which is a CNAME to whichever server is live. With HTTP validation at Let's Encrypt, you put a file on disk and they request that file from the domain they are validating. This would be a problem for the server that is not currently being pointed at for the shared domain.
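The SLAAC failure above comes down to ICMPv6: router solicitation/advertisement and neighbour discovery are all ICMPv6 messages, so a default-DROP ip6tables INPUT chain with no ICMPv6 rule leaves the host unable to learn its address or its default route, and a conntrack ESTABLISHED rule does not help because router advertisements arrive unsolicited. A likely reason the IPv4 echo rules errored out when transposed is that the protocol and match names differ under ip6tables (`-p icmpv6 --icmpv6-type` rather than `-p icmp --icmp-type`). The script below is an added example, not from the original post, of the rules such a chain needs; it assumes a Debian host with ip6tables and an INPUT policy of DROP, and setting IP6T=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): the ICMPv6 rules a default-DROP
# ip6tables INPUT chain needs for SLAAC and neighbour discovery to work.
# Assumes a Debian host with ip6tables installed.  Set IP6T=echo to print
# the rules instead of applying them; run with the argument "apply" to
# actually insert them.
set -u
IP6T="${IP6T:-ip6tables}"

# Neighbour Discovery (RFC 4861) types that SLAAC depends on:
# 133 router solicitation, 134 router advertisement,
# 135 neighbour solicitation, 136 neighbour advertisement.
# NDP is link-local and always sent with hop limit 255, so matching on
# that drops anything that has been routed in from off-link.
NDP_TYPES="133 134 135 136"

# Error and diagnostic types RFC 4890 says not to filter: 1 destination
# unreachable, 2 packet too big (path MTU discovery), 3 time exceeded,
# 4 parameter problem, 128/129 echo request/reply.
ERROR_TYPES="1 2 3 4 128 129"

allow_icmpv6() {
    for t in $NDP_TYPES; do
        "$IP6T" -A INPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    for t in $ERROR_TYPES; do
        "$IP6T" -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
}

# Running without arguments only defines the function.
if [ "${1:-}" = "apply" ]; then
    allow_icmpv6
fi
```

Run it as root with `apply` before (or as part of) setting the DROP policy, then check with `ip -6 addr` and `ip -6 route` that the SLAAC address and the default route via the router's link-local address come back. On a host that is not a router, type 133 could be dropped as well, but RFC 4890 allows all four and it does no harm here.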