Currently for theyvoteforyou, openaustralia and planningalerts they're being sent to seperate slack channels by project. So, for example openaustralia staging and production cron output goes to the same slack channel. This makes things less useful because every time you look at a log you have to figure out whether it's production or staging.

So, handle cron output differently for production and staging:

• We could send them to different channels
• We could only send them to slack for production (I think this is my preferred choice)

Right now it's openaustraliafoundation.org.au. It should stay that way until after the migration is complete. After that's done it would be good to change it to oaf.org.au to be consistent with the dominant form of the email address that we use.

Also, openaustraliafoundation should then redirect to oaf.org.au.

Right now it's being installed from an openaustralia fork of righttoknow. There's really very little reason now to maintain that fork as we haven't been doing active development on alavetelli for a good few years.

So, it would make more sense to use more of a default setup as mysociety maintains it.

Before we had everything going out via email. Do we still want to do this?

After migrating to RDS:

DB Instance main-database contains MyISAM tables that have not been migrated to InnoDB. These
tables can impact your ability to perform point-in-time restores. Consider converting these tables to
InnoDB. Please refer to
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.BackingUpAndRestoringAmazonRDSInstances.html#Overview.BackupDeviceRestrictions"

We've currently missed that in the openaustralia migration

Unfortunately free hosting, so generously donated by Octopus Computing for many years, is coming to an end. We need to migrate all of our services off of Octopus by the end of February.

This doesn't give us a huge amount of time. So, there's clearly a limited amount of re-architecting that we can do. It makes sense to revive this project which was to split out the different websites on to different VMs, which will loosen some of the dependencies between the sites and also hopefully make it easier for volunteers to potentially help maintain the infrastructure. We won't then need to give them access to everything for the volunteer to be only helping out with one project. There's also less to learn and less that can go wrong, in theory at least.

Some principles on how we could do this:

• Unless there's a very specific and clear reason keep all changes to the minimum (e.g. don't change versions of support software unless it's needed. Don't change the architecture just because we can)
• Separate each site on to its own VM
• Centralise the databases - this is different than the approach originally taken in this repo - this is so that the architecture is closer to using a managed database (which would be great if we could because running databases is no fun). Alternatively if we don't go for a managed solution in the long wrong it's easier to set up a replicated database in a leader/follower setup.
• Manage servers using Ansible
• Migrate each service off one by one (to spread out the load of any downtime) and get feedback on our decisions as quickly as possible.

This should be there for all the sites so that during migration we can disable the cron jobs on the new server, migrate the database, disable cron jobs on the old server and then enable cron jobs on the new server.

We're moving to boxes built using Ansible and one thing @mlandauer hasn't quite worked out is how to deal with package updates effectively.

Ansible is kind of hacky (even more than usual) when it comes to setting up EC2 instances and the associated bits and bobs.

Would it make more sense to investigate whether something like Terraform is a more appropriate tool?

Basically setup the default site for nginx

Currently we're generating them by hand, encrypting them and checking them into the repository.

This works but won't allow someone who doesn't have the ansible vault password to do local development which is less than ideal.

We don't want to check in the private key for the CA as that would allow anyone to sign a certificate for any domain, effectively allowing someone to man-in-the-middle any of my traffic (or anyone else who trusts that CA root certificate).

So, a much better solution would be for every individual developer to have their own unique root CA. So, let's write a script to do all the hard work.

We need to update the SSL certificates (self-signed) for this so we might as well might things a little bit better. If we create a certificate authority and sign SSL certificates with it for development domains then we only need to install the CA certificate and all domains signed the CA certificate will be trusted which makes things much less hassly.

See here for some information on how to do this:
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

See this snippet from the apache setup on Kedumba:

# Turn off any php handling for this so that urls ending in .php get passed to Rails
    RemoveHandler .php
    php_flag engine off

We need to do something similar for nginx

See the output of running the cron job morningupdate:

PHP Warning: Module 'newrelic' already loaded in Unknown on line 0
PHP Warning: Module 'newrelic' already loaded in Unknown on line 0
Start time: 2018-03-05 09:05:01 AEDT
Parsing from APH to XML and loading into the database
[DEPRECATION] requiring "RMagick" is deprecated. Use "rmagick" instead
PHP Warning: Module 'newrelic' already loaded in Unknown on line 0

parse-speeche: 0% | | ETA: --:--:--
parse-speeche: 50% |ooooooooooooooooooooo | ETA: 00:00:02
parse-speeche: 100% |oooooooooooooooooooooooooooooooooooooooooo| ETA: 00:00:00
parse-speeche: 100% |oooooooooooooooooooooooooooooooooooooooooo| Time: 00:00:05
PHP Warning: Module 'newrelic' already loaded in Unknown on line 0
Xapian indexing
PHP Warning: Module 'newrelic' already loaded in Unknown on line 0
xapian indexing debate 2018-02-05
xapian indexing lords 2018-02-05
xapian indexing debate 2018-02-06
xapian indexing lords 2018-02-06
xapian indexing debate 2018-02-07
xapian indexing lords 2018-02-07
xapian indexing debate 2018-02-08
xapian indexing lords 2018-02-08
xapian indexing debate 2018-02-12
xapian indexing lords 2018-02-12
xapian indexing debate 2018-02-13
xapian indexing lords 2018-02-13
xapian indexing debate 2018-02-14
xapian indexing lords 2018-02-14
xapian indexing debate 2018-02-15
xapian indexing lords 2018-02-15
xapian indexing debate 2018-02-26
xapian indexing debate 2018-02-27
xapian indexing debate 2018-02-28
xapian indexing debate 2018-03-01

Running rssgenerate
Can't locate XML/RSS.pm in @INC (you may need to install the XML::RSS module) (@INC contains: /srv/www/staging/releases/20180304001345/twfy/scripts/../../perllib /srv/www/staging/releases/20180304001345/twfy/scripts /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.1 /usr/local/share/perl/5.22.1 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base .) at ./make_rss.pl line 9.
BEGIN failed--compilation aborted at ./make_rss.pl line 9.
PHP Warning: Module 'newrelic' already loaded in Unknown on line 0
PHP Notice: Undefined variable: returl in /srv/www/staging/releases/20180304001345/twfy/www/includes/easyparliament/page.php on line 889
PHP Notice: Undefined variable: returl in /srv/www/staging/releases/20180304001345/twfy/www/includes/easyparliament/page.php on line 911
...

And we can see in the apache logs that the RSS feed files are missing

Something for the backlog. It would be good to update all rails projects to use rbenv rather than a mixture of rbenv and rvm.

Because it's the right thing to do...

You need to configure the site address in the application configuration so we can't set it up transparently like PA or TVFY.

Currently on kedumba it's a rather tortuous setup: SSL requests get served by apache which in turn makes plain http requests to varnish which in turn requests things from apache.

This is very horrible. Do we really need this?

It's certainly not security - just might reduce noise of random people knocking loudly on our door

For some reason it's not there

Chances are we're going to not be able to use newrelic for all our server monitoring because we'll have too many servers. So, we'll probably have to setup our own monitoring infrastructure. That will be fun.

By default it does something unhelpful

This is a companion to #32

These should be disabled by default in development and test (with the exception of backups - see #12) because otherwise bad things will happen

Right now we've got the DNS setup in a way that is dependent on the instances being around for a long time and maintaining their IP address.

As far as I'm aware there are two approaches we could take:

• Use the Elastic Load Balancer
• or use Elastic IP Addresses

I'm guessing (without looking) that having a seperate IP address for each site is going to be too expensive and as far as I'm aware we can have several domains go through a single load balancer.

Hi,

Ansible n00b here trying to setup nuvasuparati.info with your Ansible + Alaveteli config. Now I am setting up the dev environment and I have an error. I made a clone and removed all non-foi stuff but I think I might be missing some local encrypted variables.

What am I doing wrong?

$ cat ~/.infrastructure_ansible_vault_pass.txt
secret
$ vagrant up righttoknow.org.au.dev
......
Cleaning up downloaded VirtualBox Guest Additions ISO...
==> righttoknow.org.au.dev: Checking for guest additions in VM...
==> righttoknow.org.au.dev: Checking for host entries
==> righttoknow.org.au.dev: adding to (/etc/hosts) : 192.168.10.10
righttoknow.org.au.dev  # VAGRANT: d92aac01fdc0306fab4d852efb4544a7
(righttoknow.org.au.dev) / ade91b15-c094-4d57-b495-c4cfc98c3a8b
[sudo] password for andrei:
==> righttoknow.org.au.dev: Setting hostname...
==> righttoknow.org.au.dev: Configuring and enabling network interfaces...
==> righttoknow.org.au.dev: Mounting shared folders...
    righttoknow.org.au.dev: /vagrant => ~/infrastructure
==> righttoknow.org.au.dev: Running provisioner: ansible...
PYTHONUNBUFFERED=1 ANSIBLE_FORCE_COLOR=true
ANSIBLE_HOST_KEY_CHECKING=false ANSIBLE_SSH_ARGS='-o
UserKnownHostsFile=/dev/null -o ControlMaster=auto -o
ControlPersist=60s' ansible-playbook
--private-key=~/infrastructure/.vagrant/machines/righttoknow.org.au.dev/virtualbox/private_key
--user=vagrant --connection=ssh --limit='righttoknow.org.au.dev'
--inventory-file=~/infrastructure/.vagrant/provisioners/ansible/inventory
--sudo -vv --skip-tags=dns site.yml
ERROR: Decryption failed
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

Thank you for publishing your infrastructure!

Hi,

For some reason this task fails. I cloned commonlib and ansible passed but what is the correct way to do it? I disabled non-alaveteli sites so this might be the cause.

#mkdir -p /srv/www/current/
#cd /srv/www/current/
#git clone https://github.com/mysociety/commonlib.git

I ran using my fork of infrastructure, the secret is.... well.... secret in ~/.infrastructure_ansible_vault_pass.txt :)

So that we'll actually have a server setup that we will use in production too.

I think we're currently using capistrano for deployments on kedumba for theyvoteforyou so we should use that for the new server setup too to make sure that we're not missing anything in the deployment.

This is again to match how things are now done on kedumba

Once we've moved over to RDS (see #32) we won't need any backups for the server itself because everything of permanent value is stored in the database.

See https://rpm.newrelic.com/accounts/154944/ssl_upgrade

We'll obviously need to ensure that the backups on S3 are namespaced by the machine name (as we've tending to do anyway).

By doing this we're more likely to ensure that the right thing is happening in production by being able to test everything in development.

I think this is already being managed on a seperate server by ansible. Need to check this and need to check that the DNS is being managed somewhere.

For some reason it's not there. The server is showing up though

Work out what specs we need for each of these new servers:

Production

OpenAustralia.org.au

• RAM: 2 GB
• Disk: 80 GB

Latest gzipped MySQL backup: 269 MB * (30 days + 12 months + 52 weeks) = 25 GB

The running database is about 1.5 GB.

henare@kedumba:~$ du -sh /srv/www/www.openaustralia.org/
11G     /srv/www/www.openaustralia.org/
henare@kedumba:~$

That's just over 45 GB. Plus system and growth: 80 GB

OpenAustraliaFoundation.org.au

(what jamison already has)

• RAM: 1 GB
• Disk: 10 GB

PlanningAlerts

• RAM: 3 GB
• Disk: 80 GB

Disk

henare@kedumba:~$ du -h /srv/www/www.planningalerts.org.au/
6.7G    /srv/www/www.planningalerts.org.au/
henare@kedumba:~$ du -h /var/lib/automysqlbackup/*/pa_prod
3.2G    /var/lib/automysqlbackup/daily/pa_prod
3.0G    /var/lib/automysqlbackup/monthly/pa_prod
15G     /var/lib/automysqlbackup/weekly/pa_prod
henare@kedumba:~$

Up to 30 files could normally be in /var/lib/automysqlbackup/daily/pa_prod so I think a truer number is 15GB for this directory too (latest backup is 508 MB gzipped * 30 = ~15GB). That also makes the monthly directory 6 GB on the current backup size.

Adding up all the sizes from MySQL show table status; shows the database uses around 3.5 GB.

That's about 45GB. Plus system and growth: 80GB

Election Leaflets

• RAM: 1 GB
• Disk: 20 GB

Based on the latest backup database size, 6.8 MB, total required for automysqlbackup is 658 MB.

henare@kedumba:~$ du -sh /srv/www/www.electionleaflets.org.au/
11G     /srv/www/www.electionleaflets.org.au/
henare@kedumba:~$ 

Plus system and given we're not planning to add much to this: 20 GB.

Right To Know

• RAM: 3 GB
• Disk: 30 GB

henare@kedumba:~$ sudo du -sh /srv/www/www.righttoknow.org.au/
13G     /srv/www/www.righttoknow.org.au/
henare@kedumba:~$ 

postgres=# SELECT pg_size_pretty(pg_database_size('alaveteli_production'));
 pg_size_pretty
----------------
 101 MB
(1 row)

postgres=#

On the new server we'll also have autopostgresbackup so that'll take some space.

This could have quite a bit of growth soon. Let's say 30GB.

They Vote For You

• RAM: 2 GB
• Disk: 10 GB

Latest gzipped MySQL backup 9.1 MB, automysqlbackup should need 855 MB.

henare@kedumba:~$ du -sh /srv/www/theyvoteforyou.org.au/
3.3G    /srv/www/theyvoteforyou.org.au/
henare@kedumba:~$

morph.io

(existing Linode)

• RAM: 4 GB
• Disk: 95 GB (62 used)

cuttlefish.oaf.org.au

(existing Linode)

• RAM: 2 GB
• Disk: 50 GB (7.5 used)

Staging

As above, 1x server per application. The memory and disk could potentially be lower for these machines (especially disk).

• OpenAustralia.org.au
• OpenAustraliaFoundation.org.au
• PlanningAlerts
• Election Leaflets
• Right To Know
• They Vote For You
• morph.io
• cuttlefish.oaf.org.au