=======================
 More maintenance news
=======================

Today I replaced the light fixture, mentioned in the previous
post. Now there's light in the hall once again, and it's attached to
the wall better than the previous one was (drywall anchors, instead of
simply screws), as well as connected better (screw terminals, instead
of twisted wires). The previous one was installed by a contractor. Oh,
and the light produced by those 6500 K Philips light bulbs looks fine
to me: closer to white/sunlight than the 4000 K versions, I think.

On 2023-01-01 I received a mail notification from cron, about a
failure to renew the certificate via ACME (from Let's Encrypt); as
happened before, turns out that it was caused by the secondary
nameserver's (provided by gandi.net) laggy renewal, and apparently
that nameserver rejected update notifications for a few weeks before
that, so the lags became notable -- it only updates the records daily
now. It's still nice to have a secondary nameserver though, so I
finally delegated the _acme-challenge subdomain to a separate zone,
handled only by the primary nameserver -- so that even if Let's
Encrypt's DNS server goes to secondary at first, it's then redirected
to the primary nameserver for that subdomain, and reads the freshly
updated records. Thought of setting it that way before, but it seemed
not quite necessary, while complicating the overall configuration;
turned out to be rather important, and it's not that much of a
complication.
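A small model of the lookup described above, added here as an illustration and not taken from the author's setup: example.org, the nameserver names and the token values are constructed assumptions. It shows that once the parent zone holds only a static NS cut for _acme-challenge, a query that lands on the lagging secondary is referred to the primary and gets the fresh TXT record.

```python
"""Model of a DNS-01 lookup with a lagging secondary, before and after
delegating _acme-challenge to a zone served only by the primary."""

PRIMARY, SECONDARY = "ns1.example.org.", "ns2.example.net."  # assumed names
CHALLENGE = "_acme-challenge.example.org."                   # assumed domain

def in_zone(name, apex):
    """True if `name` is the apex itself or a name below it."""
    return name == apex or name.endswith("." + apex)

def build(delegated, fresh, stale):
    """Return {server: {zone_apex: {(owner, rtype): [rdata]}}}.
    The secondary always holds an older copy of example.org."""
    if delegated:
        # The parent zone carries only a static NS cut, so it is identical
        # on both servers even when the secondary lags on other changes.
        parent = {(CHALLENGE, "NS"): [PRIMARY]}
        return {
            PRIMARY: {"example.org.": parent,
                      CHALLENGE: {(CHALLENGE, "TXT"): [fresh]}},
            SECONDARY: {"example.org.": dict(parent)},
        }
    return {
        PRIMARY: {"example.org.": {(CHALLENGE, "TXT"): [fresh]}},
        SECONDARY: {"example.org.": {(CHALLENGE, "TXT"): [stale]}},
    }

def query(servers, server, qname, rtype):
    """Answer from the closest enclosing zone, or refer at a zone cut."""
    zones = servers[server]
    apex = max((z for z in zones if in_zone(qname, z)), key=len)
    records = zones[apex]
    for (owner, t), rdata in records.items():
        if t == "NS" and owner != apex and in_zone(qname, owner):
            return "referral", rdata
    return "answer", records.get((qname, rtype), [])

def resolve(servers, first, qname, rtype="TXT"):
    """Follow referrals starting at `first`, as an iterative resolver would."""
    server = first
    for _ in range(4):  # bounded referral chain
        kind, data = query(servers, server, qname, rtype)
        if kind == "answer":
            return data
        server = data[0]
    raise RuntimeError("referral loop")

if __name__ == "__main__":
    for delegated in (False, True):
        s = build(delegated, fresh="token-new", stale="token-old")
        print("delegated:", delegated, resolve(s, SECONDARY, CHALLENGE))
```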

Another thing I have set that I kept postponing is a custom XMPP
blocklist, with Prosody's mod_firewall: hoped that
JabberSPAM/blacklist would suffice, but apparently it takes years to
add new entries there, and the spam can be annoying in the meantime. Recently
ran into a server administrator refusing to sort out the spam (well,
saying it's not spam; reminds me of occasional software maintainers
refusing to fix bugs, saying they aren't bugs -- though perhaps
network service administrators should be a bit more responsible),
though there were cases with just unresponsive administrators and
hosters in the past, so figured it's time to finally set it. Could
have used nftables instead, but I think it's more appropriate to block
this way: for debugging from blocked servers (properly bouncing with
the reason provided, not just refusing connections or dropping
packets), as well as to keep the configuration specific to XMPP in the
relevant files, not in more general ones. As I do with email, too.

Also have set a system on a new work server, used LVM + ext4 instead
of btrfs this time. Had some issues with btrfs on other servers,
particularly after running out of space. And disabling its prominent
features on partitions used for databases anyway (mounting with
"nodatasum,nodatacow"). Next going to migrate a few large-ish
PostgreSQL databases there, likely setting streaming replication at
once, and then turning this new server into a primary/master, turning
the old one into standby/backup.

Oh, recalling recent maintenance work, I guess shoveling quite a lot
of snow from the country house entrance counts as well. Maybe will
have to figure something out with the fence door's lock there, too, since
it's prone to freezing, and maybe plan and order a small roof on top
of the entrance (but need to ensure that the snow won't collect on top
and break it). But those are amounts and kinds of maintenance I'm not
quite comfortable with, unfortunately. Computer and apartment ones are
easier -- at least if you're spending much time in front of a
computer, inside an apartment.


----

:Date: 2023-01-14