Description

Context

Ysul was our main FreeBSD server before we add an hypervisor with a Docker engine and specialized VMs on it.

As such, it still hosts both legacy development and production services.

Ysul is now superseded by WindRiver as devserver. But to move all Ysul content as is to WindRiver isn't welcome, as we'd prefer a better separation between devserver and production.

A plan is so needed to split Ysul services into prod and dev, and move them accordingly.

Ysul services to move

Service	Role	Content for this service
MySQL	dbserver-mysql	A lot of unmanaged databases, some from Grip, mix of dev, archives and prod
Eggdrops	viperserv	Dæghrefn and Wearg, and code for Æschere (test one) and TC2 (still needed?)
nginx / php-fpm	webserver-legacy	All PHP and static sites, excepted the ones we deploy through Docker
MediaWiki	saas-mediawiki	/srv/saas and /srv/mediawiki to serve MediaWiki sites

Plan

Plan is:

Sort web services
- Update DNS for *51.* to use www2.nasqueron.org, keep that one for dev
- Keep production sites on www1.nasqueron.org
Split or templatize nginx definitions: some sites has their 51 experimental counterpart defined in the same vhost file
Start a MySQL cluster
- Provision db-B-001.nasqueron.org for MySQL hosting
- Move every db there, without any dev/archive/test/prod sorting
- Create somewhere in 172.27.27. a VIP (managed like IPFO outside IntraNought block or an IntraNought to ease routing?)
- Update EVERY website to use credentials in Vault to access that one BEFORE moving it to web-001
Provision web-001.nasqueron.org for nginx and php-fpm
- Move production sites to web-001.nasqueron.org
- Update DNS for www1.nasqueron.org to point to web-001 (or a VIP)
Move dev sites to WindRiver
Currently keep ViperServ on Ysul: the only issue seems youtube-dl is too slow, but nobody is currently complaining about that one, so can be moved later during Ysul decom to irc-001 or Eglide.

Expected disruptions

Any rogue MySQL use will break. If so, just open a task to get rOPS create and deploy credentials where it's needed.

Revisions and Commits

rOPS Nasqueron Operations
	D3212	rOPS717d6ffb69f5 Provision .env credentials per environment
	D3190	rOPS8effa7c1f156 Align nginx configuration to production for webserver-alkane
	D3100	rOPS0162d25c7590 Update MOTD to advertise Ysul EOL status
	D3080	rOPS3473a6e0e693 Serve WordPress site for dereckson.be
	D3075	rOPS38859c4c695f Import .zshrc configuration from Ysul
	D3074	rOPS5a74f793b47c Serve Dereckson database on db-B-001
	D3069	rOPS2a336c8a4f92 Provision other Dæghrefn databases
	D3049	rOPS1f112d7a5c99 Deploy MediaWiki SaaS on Alkane PaaS
	D3044	rOPS4f50c6de258b Don't build PHP 5.6 anymore
	D3032	rOPS6817329915b7 Provide the "deploy" account for roles needing it
	D3019	rOPS7a388e2d4c9f Enable latest FreeBSD repository on dbserver-mysql
	D2989	rOPS26f5c937b673 Use db-B-001 for eggdrop MariaDB database
	D2987	rOPSb44705d1eca1 Provision users and databases on devserver-mysql role
	D2986	rOPS2ce580561ae1 Listen to external connections on dbserver-mysql role
	D2981	rOPS3b116e84b821 Provision web-001
	D2980	rOPSfb84d4ec0b7a Provision db-B-001 MariaDB server
	D2979	rOPS4b3d3e3fef25 Create /usr/local/share/grc directory on devserver role
	D2978	rOPS1791923adb6b Bootstrap FreeBSD server with Salt

Related Objects
Search...

Status	Subtype	Assigned	Task
Open	Epic	None	T1898 Decommission Ysul
Open		dereckson	T1803 Move and migrate Ysul production services elsewhere
Open		dereckson	T1828 Provide Alkane, Nasqueron PaaS to serve PHP and static sites
Open		dereckson	T1826 Create Alkane utility
Resolved		dereckson	T1827 Don't read body as String
Open		dereckson	T1825 Documentation for Alkane
Resolved		dereckson	T1829 Don't listen to world SSH for IntraNought servers
Resolved		dereckson	T1853 Setup IPv6 connectivity on web-001
Open		dereckson	T1849 Cover page for autoconfig.nasqueron.org
Open		dereckson	T1850 Move packages from Ysul to WindRiver
Open		dereckson	T1851 Migrate servers log API
Open		dereckson	T1852 Migrate ftp.nasqueron.org and FTP service
Open		dereckson	T1863 Restore api.wolfplex.org

Event Timeline

dereckson triaged this task as Normal priority.Mar 25 2023, 11:02

dereckson created this task.

DNS part done, at least for .nasqueron.org domain, Wolfplex should be checked too I guess.

dereckson moved this task from Backlog to Working on on the Servers board.Apr 6 2023, 18:32

dereckson mentioned this in T1823: Create new domain..Apr 6 2023, 23:18

dereckson added a revision: D2978: Bootstrap FreeBSD server with Salt.Apr 6 2023, 23:20

dereckson added a commit: rOPS1791923adb6b: Bootstrap FreeBSD server with Salt.Apr 6 2023, 23:24

dereckson added a revision: D2979: Create /usr/local/share/grc directory on devserver role.Apr 7 2023, 00:58

dereckson added a commit: rOPS4b3d3e3fef25: Create /usr/local/share/grc directory on devserver role.Apr 7 2023, 00:59

db-B-001 provisioned successfully

dereckson added a revision: D2980: Provision db-B-001 MariaDB server.Apr 7 2023, 01:09

dereckson added a commit: rOPSfb84d4ec0b7a: Provision db-B-001 MariaDB server.Apr 7 2023, 01:11

web-001 has the core role

Next steps:

Check https://devcentral.nasqueron.org/source/operations/browse/main/roles/webserver-core/nginx/files/includes/tls before apply the webserver-core role
Refactor webserver-legacy into webserver-alkane

Alkane is the name of our PaaS platform to host PHP sites through php-fpm pools and static websites. The legacy term chosen before implied we intended to migrate everything to Docker.

New strategy will instead use 4 volets:

A. Static sites

Host static sites on Alkane
Build static sites on Jenkins CD, publish them to Alkane

B. Applications in Python, Java, Rust, Go, Node.JS, etc.

Host them on Docker PaaS exclusively

C. Applications in PHP

Encourage new applications to use the Docker PaaS if suitable
Offer up-to-date shared hosting on Alkane PaaS the usual way: separate users, separate pools, up-to-date PHP version (ie PHP 8.2.4 right now)

D. SaaS

Maintain our MediaWiki SaaS on Alkane
Continue to implement a WordPress SaaS on Alkane too
If needed, phpBB SaaS work belongs to Docker too
Build from scratch the next PaaS on Docker PaaS as proof of concept

dereckson added a revision: D2981: Provision web-001.Apr 7 2023, 01:46

dereckson added a commit: rOPS3b116e84b821: Provision web-001.Apr 7 2023, 01:49

Idea: when a server uses router-001 as gateway, make the card with public IP a secondary one, and tell /etc/ssh/sshd_config to only bind to private address, e.g. ListenAddress 172.27.27.10

Idea: Alkane can got strict firewall config with only some ports open for its public IP, like 80 and 433. Other traffic will use private network.

dereckson added a project: Alkane.Apr 8 2023, 01:58

dereckson added a revision: D2986: Listen to external connections on dbserver-mysql role.Apr 9 2023, 22:25

dereckson added a commit: rOPS2ce580561ae1: Listen to external connections on dbserver-mysql role.Apr 9 2023, 22:57