Blog update

November 14, 2020

I recently updated the server where this blog is hosted, so I thought I'd do an update on the original post explaining the tech stack used to run it. Once in seven years shouldn't be too meta.

The design

First of all, kudos to Pascal Navière, a very talented polymath who did the design of this site (CSS, DOM structure, etc.), which I then modified. All bugs are therefore my own additions.

Since launch, Pascal has found a career in software engineering. He has so many tricks up his sleeve, you would be surprised. But it's not my place to tell his story.

What I failed to mention initially was that all the icons are done in CSS art, which was pretty rare at the time and a secret superpower of Pascal's. The icons are on the left (or at the bottom for lower resolutions) and in the share bar at the bottom of every article; some of them might be blocked by uBlock lists, and I decided not to work around that. Despite being very careful not to load any external resource (other than the font), it's not my place to decide whether someone finds the share bar an annoyance or not.

There's no use for the Google+ icon anymore now that Google+ has shut down, so it has been retired. But if you look into the CSS, you can still find it with the others.

At the beginning there wasn't any pagination either: I did not deem it necessary with only one article, despite it being in Pascal's original design. I added it to the templates later.

The tech

The DNS for this website is still hosted by Gandi. The website itself resides on a Scaleway Stardust instance, more than sufficient for my needs and currently the cheapest virtual private server in the world. The TLS certificate has been provided by Let's Encrypt for many years now.

The VPS runs Ubuntu 20.04 LTS, with nginx serving the actual pages.

The pages are all old-school static HTML, generated by the venerable Pelican, currently at version 4.5.0. I've thought multiple times about moving to another engine like Hugo or Zola, but none has all the features I need (like Pelican's webassets plugin, which compiles the CSS into a single bundle), and I'm too lazy to port the templates anyway.

On my machine Pelican runs under Python 3.8.6, in a venv where it was installed with pip. The content is edited with vim on Fedora 32.

Over the years I did some experiments, like compiling nginx with the PageSpeed module, but I've moved back to distro builds since maintaining a custom build wasn't worth the hassle. The website is still served over HTTP/2, and supports IPv6.

Many years ago, I moved to Let's Encrypt instead of StartSSL. The latter isn't trusted by browsers anymore, after the browser vendors distrusted it. I initially settled on simp_le as an ACME client, and deployed it with ansible using L-P's role. It has served me well over the last (almost four) years, but the role isn't maintained anymore, and simp_le doesn't support the latest version of the protocol, ACMEv2.

As I moved to a new server, I wanted all software to be automatically deployed with ansible.

I had a look at acmetool. There is no official acmetool build of the latest version, and I did not want to install Go on the server, however trivial that might seem, and handle the updates myself. Ditto for trusting a third-party repo. The acmetool version in the distro repos does not support ACMEv2, so I wouldn't be able to get a new certificate, and renewal would stop working in 2021 when Let's Encrypt retires ACMEv1. Therefore I chose certbot, the original ACME client.

I initially wanted to use third-party ansible roles to simplify deployment, so I settled on both the nginx and certbot roles from Jeff Geerling. I successfully used those to deploy a test site, but was unsatisfied with how complex it was. I had to patch the vendored nginx role to add IPv6 support, and it deployed the redirects using separate files. It all seemed too complex for only one website, a task that can be done with a single ansible template and an apt task. In addition, the certbot role did not support the nginx plugin, so I rewrote it all and removed the vendored roles.

The recommended way to install certbot on all Linux distros is to use snapd; and while I understand why they chose this approach (the software is always up-to-date, and they control the deployment), snapd is a resource hog which I had already disabled. So I decided to install certbot and certbot-nginx via pip, and keep them up-to-date automatically with a cron job. That makes a compromised PyPI (or a compromised certbot release) a point of failure for this server, since the upgrade runs as root, but I already trust them anyway.
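To make the "single template and an apt task" approach concrete, here is an added example of what such a playbook can look like. It is not the playbook this blog actually uses, and the inventory group, domain, contact address and document root are placeholders. It installs nginx from the Ubuntu repos, certbot and certbot-nginx from PyPI into a dedicated venv (so pip never touches the distro's own Python packages), writes one nginx site config with IPv6 and HTTP/2, obtains the certificate through the nginx plugin, and adds cron entries for renewal and for upgrading certbot:

```yaml
# Added example, not the blog's own playbook. Placeholders: the "blog"
# inventory group, blog_domain, acme_email and the document root.
- name: deploy a static blog behind nginx with a Let's Encrypt certificate
  hosts: blog
  become: true
  vars:
    blog_domain: blog.example.org        # placeholder
    acme_email: webmaster@example.org    # placeholder
    certbot_venv: /opt/certbot
    cert_dir: "/etc/letsencrypt/live/{{ blog_domain }}"
    # Templated lazily when referenced below: the HTTPS block is only
    # emitted once the certificate exists, otherwise nginx refuses to start.
    site_config: |
      server {
          listen 80;
          listen [::]:80;
          server_name {{ blog_domain }};
      {% if cert.stat.exists %}
          return 301 https://$host$request_uri;
      }
      server {
          listen 443 ssl http2;
          listen [::]:443 ssl http2;
          server_name {{ blog_domain }};
          ssl_certificate {{ cert_dir }}/fullchain.pem;
          ssl_certificate_key {{ cert_dir }}/privkey.pem;
          ssl_protocols TLSv1.2 TLSv1.3;
      {% endif %}
          root /var/www/{{ blog_domain }};
          index index.html;
      }
  handlers:
    # Handlers run in the order defined here: test the config before reloading.
    - name: validate nginx config
      ansible.builtin.command: nginx -t
    - name: reload nginx
      ansible.builtin.systemd: { name: nginx, state: reloaded }
  tasks:
    - name: install nginx and the venv module from the distro
      ansible.builtin.apt: { name: [nginx, python3-venv], state: present, update_cache: true }
    - name: install certbot and its nginx plugin from PyPI into a dedicated venv
      ansible.builtin.pip:
        name: [certbot, certbot-nginx]
        state: latest
        virtualenv: "{{ certbot_venv }}"
        virtualenv_command: python3 -m venv
    - name: check whether a certificate already exists
      ansible.builtin.stat: { path: "{{ cert_dir }}/fullchain.pem" }
      register: cert
    - name: write the site config (HTTP only on a fresh host)
      ansible.builtin.copy:
        content: "{{ site_config }}"
        dest: "/etc/nginx/sites-available/{{ blog_domain }}"
      notify: [validate nginx config, reload nginx]
    - name: enable the site
      ansible.builtin.file:
        src: "/etc/nginx/sites-available/{{ blog_domain }}"
        dest: "/etc/nginx/sites-enabled/{{ blog_domain }}"
        state: link
      notify: [validate nginx config, reload nginx]
    - name: drop the distro default site
      ansible.builtin.file: { path: /etc/nginx/sites-enabled/default, state: absent }
      notify: [validate nginx config, reload nginx]
    # nginx must serve the domain over HTTP before the nginx plugin can
    # answer the ACME HTTP-01 challenge, so apply the config now.
    - ansible.builtin.meta: flush_handlers
    - name: obtain the certificate through the nginx plugin (first run only)
      ansible.builtin.command: >
        {{ certbot_venv }}/bin/certbot certonly --nginx --non-interactive
        --agree-tos -m {{ acme_email }} -d {{ blog_domain }}
      when: not cert.stat.exists
    - name: re-check for the certificate
      ansible.builtin.stat: { path: "{{ cert_dir }}/fullchain.pem" }
      register: cert
    - name: rewrite the site config, now with the HTTPS block
      ansible.builtin.copy:
        content: "{{ site_config }}"
        dest: "/etc/nginx/sites-available/{{ blog_domain }}"
      notify: [validate nginx config, reload nginx]
    - name: renew twice a day and reload nginx when a new certificate lands
      ansible.builtin.cron:
        name: certbot renew
        minute: "17"
        hour: "3,15"
        job: "{{ certbot_venv }}/bin/certbot renew -q --deploy-hook 'systemctl reload nginx'"
    - name: keep certbot itself current from PyPI (monthly)
      ansible.builtin.cron:
        name: certbot upgrade
        minute: "42"
        hour: "4"
        day: "1"
        job: "{{ certbot_venv }}/bin/pip install -q --upgrade certbot certbot-nginx"
```

Two things worth noting. The config is written twice on purpose: on a fresh host the first write is HTTP-only so nginx starts without certificate files, the flushed handlers put it in front of the ACME challenge, and the second write adds the HTTPS block; on every later run both writes are no-ops. And the monthly `pip install --upgrade` is exactly the PyPI trust relationship described above, running as root: if you want to close it, pin `certbot` and `certbot-nginx` in a requirements file with `--require-hashes`, at the price of bumping the pins by hand.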

In the end, nginx 1.18.0 (from Ubuntu) and certbot 1.9.0 (from PyPI) are both deployed with ansible 2.10.3, against Python 3.8.5 (also from Ubuntu) on the server.
