website-build: Use rsync for deploying the website.

The website and documentation originally comes from Libreboot and Libreboot didn't have separate website and documentation. And we need to reuse it because without it, GNU Boot would be almost useless as without documentation most users would not be able to install it. The website is about 900 files and consist in about 27 MiB of pictures. Given that the website is not ready yet and that we are looking for contributions to help us fixing it, we will end up having to update it often, and ideally in a timely manner as well not to discourage contributions. So we needed some way to deployment the website with very few commands. GNU typically use CVS for deploying the website, but it is harder to use than rsync for automatizing the deployment of a website. To do that someone would have to write or adapt code to do the deployment automatically, but that can potentially be time consuming to do, especially if it needs to be done efficiently (for instance by only adding files that changed since the last time) not to load too much the CVS server. Because of all that, an rsync access was temporarily setup for us, to enable us to publish the website now and to be able to fixing this deployment issue later and/or ask for help on the website to fix it. Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> Acked-by: Adrien 'neox' Bourmault <neox@gnu.org>
2023-10-15 16:38:44 +02:00 · 2023-10-15 16:38:44 +02:00 · be72474aa0
parent 19a26051d1
commit be72474aa0
3 changed files with 106 additions and 28 deletions
--- a/website-build/Makefile.am
+++ b/website-build/Makefile.am
@ -108,18 +108,23 @@ test:
 endif
 endif

+# The rsync options are hardcoded here because some options are known
+# not to work. For instance --delete results in rsync hanging. Also
+# note that it's possible to rsync some files to gnu.org but not from
+# gnu.org.
+RSYNC_OPTIONS := -av --progress
 deploy: website.tar.gz
-	curl \
-		--oauth2-bearer `cat id_oauth2_bearer` \
-		-Fcontent=@website.tar.gz \
-		https://pages.sr.ht/publish/$(DOMAIN)
+	rm -rf deploy
+	mkdir -p deploy
+	tar xf website.tar.gz -C deploy
+	rsync $(RSYNC_OPTIONS) \
+		deploy/ \
+		$(RSYNC_DESTINATION)/

-# See https://reproducible-builds.org/docs/archives/ for more details
 website.tar.gz: build
 	tar \
 		--exclude-vcs \
 		--format=gnu \
-		--mtime='1970-01-01 00:00Z' \
 		--owner=0 --group=0 --numeric-owner \
 		--sort=name \
 		-czf \
--- a/website-build/README
+++ b/website-build/README
@ -1,5 +1,5 @@
 == Introduction ==
-This project enables to easily build and deploy the Libreboot website.
+This project enables to easily build and deploy the GNU Boot website.

 == Local deployments ==
 Here's how to deploy the website in a local webserver:
@ -9,26 +9,87 @@ $ make test

 Then you can point a browser to http://localhost:8080/software/gnuboot/test/web/

-== Deployment on Sourcehut ==
-Sourcehut has a way to setup a static website by uploading a tarball
-of the content. Users that want to deploy a website there are expected
-to follow the official documentation[1] to generate a token and add
-this token to the id_oauth2_bearer file in the current directory.
+== Deployment on https://gnu.org/software/gnuboot/ ==

-To generate the token, you need to log in and then go on the
-https://meta.sr.ht/oauth2/personal-token page. Once there you need to
-go in "Limit scope of access grant" and to select at least SITES,
-otherwise it won't work (it would fail with the "The specified key
-does not exist." message).
+The deployment to https://gnu.org/software/gnuboot/ uses rsync. As
+gnu.org machine is behind a firewall, so you need to workaround
+that.

-[1]https://srht.site/quickstart
+A way to do that is to get a shell account on fencepost.gnu.org, and
+use SSH to forward the connection to gnu.org. This can be done with
+something like that in your SSH configuration:
+
+    Host gnu.org
+      User wwwcvs
+      Port 2224
+      HostName 127.0.0.1
+    Host fencepost.gnu.org
+      LocalForward 127.0.0.1:2224 gnu.org:22
+      User gnutoo
+
+In the example above you will need to adjust the fencepost username,
+and modify it to suit your SSH setup if needed (for instance if you
+use keys in different locations, or if the port 2224 is already taken,
+etc).
+
+See https://www.gnu.org/software/README.accounts.html for more details
+about Fencepost accounts, the SSH fingerprints, etc.
+
+For gnu.org, it's easier if you use an ED25519 key for gnu.org as I
+have the fingerprints below. See [1] for other options.
+
+Once everything is setup you can then SSH into fencepost:
+    $ ssh fencepost.gnu.org
+    [...]
+    gnutoo@fencepost:~$
+
+Once this is done you can then open a new shell and add the SSH
+fingerprint. Here's the ED25519 SSH fingerprints:
+    $ ssh gnu.org
+    The authenticity of host '[127.0.0.1]:2224 ([127.0.0.1]:2224)' can't be established.
+    ED25519 key fingerprint is SHA256:pmCf0NrBzSSYfg6DdgmlMzPWZzGpXXcPEz6LP1+o5Jc.
+    This host key is known by the following other names/addresses:
+        ~/.ssh/known_hosts:306: [127.0.0.1]:4444
+    Are you sure you want to continue connecting (yes/no/[fingerprint])?
+
+You can then confirm by pasting the fingerprint like that[2]:
+    Are you sure you want to continue connecting (yes/no/[fingerprint])? SHA256:pmCf0NrBzSSYfg6DdgmlMzPWZzGpXXcPEz6LP1+o5Jc
+    Warning: Permanently added '[127.0.0.1]:2224' (ED25519) to the list of known hosts.
+
+Note that it is normal for the connection to gnu.org to block at this
+point. You can exit it with the Ctrl+D or Ctrl+C key combinations.
+
+At this point everything is setup.
+
+To deploy the website you then need to make sure that you still have
+an SSH connection to fencepost.gnu.org and you can then deploy the
+website with the following commands:
+    $ ./autogen.sh
+    $ ./configure
+    $ make deploy
+
+Then you can point a browser to https://gnu.org/software/gnuboot/test/web/
+
+References:
+-----------
+[1]If you want to use RSA the easiest way is probably to contact the
+   FSF system administrator that will install your key on #fsfsys and
+   also ask that person for the server fingerprint. In that case it
+   would be a good idea to also contribute a patch to add the
+   fingerprint here.
+[2]The 'SHA256:pmCf0NrBzSSYfg6DdgmlMzPWZzGpXXcPEz6LP1+o5Jc'
+   fingerprint was confirmed to me the 24 October 2023 on the #fsfsys
+   IRC channel on liberachat by Ian Kelling, a system administrator
+   that has access to the gnu.org machine: "18:07 < iank> i see that
+   SHA256:pmCf0NrBzSSYfg6DdgmlMzPWZzGpXXcPEz6LP1+o5Jc exists on the
+   server".

 == Dependencies ==
 * autoconf
 * automake
 * coreutils
-* curl: for uploading the website to sourcehut
 * guix
+* lighttpd: optional: for testing the website if you don't have Guix.
 * make
 * tar

--- a/website-build/configure.ac
+++ b/website-build/configure.ac
@ -13,12 +13,13 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

-AC_INIT([lbwww-build],[0.1],[GNUtoo@cyberdimension.org])
+AC_INIT([gnuboot],[0.1],[gnuboot@gnu.org])
 AM_INIT_AUTOMAKE([foreign])
 AC_CONFIG_FILES([Makefile])

 AC_SUBST([LBWWW_PATH], [])
 AC_SUBST([LBWWW_GIT_FOUND], [])
+AC_SUBST([RSYNC_DESTINATION], [])
 AC_SUBST([UNTITLED_PATH], [])
 AC_SUBST([UNTITLED_GIT_FOUND], [])

@ -33,7 +34,8 @@ AM_CONDITIONAL( [WANT_GUIX], [test x"$guix" = x"yes"])
 AC_ARG_WITH([lbwww-path],
  [AS_HELP_STRING([--with-lbwww-path=PATH],
                  [Use a local lbwww directory from PATH instead of downloading
-		   the latest version from https://git.sr.ht/~libreboot/lbwww])],
+		   the latest version from
+		   https://git.savannah.gnu.org/git/gnuboot.git])],
  [LBWWW_PATH=$withval],
  [])

@ -47,18 +49,30 @@ AC_ARG_ENABLE(lighttpd,
  [lighttpd="yes"])
 AM_CONDITIONAL( [WANT_LIGHTTPD], [test x"$lighttpd" = x"yes"])

+# --with-rsync-destination
+AC_ARG_WITH([rsync-destination],
+  [AS_HELP_STRING([--with-rsync-destination=DESTINATION],
+                  [Use a custom rsync destination (DEST in rsync manual)
+		   instead of the default one
+		   (wwwcvs@gnu.org:/var/www/software/gnuboot).])],
+  [RSYNC_DESTINATION=$withval],
+  [RSYNC_DESTINATION=wwwcvs@gnu.org:/var/www/software/gnuboot])
+
+AM_CONDITIONAL( [WANT_UNTITLED_PATH], [test x"$UNTITLED_PATH" != x""])
+
+
 # --with-untitled-path
 AC_ARG_WITH([untitled-path],
  [AS_HELP_STRING([--with-untitled-path=PATH],
                  [Use a local untitled directory from PATH instead of downloading
-		   the latest version from https://git.sr.ht/~libreboot/untitled])],
+		   a specific version from
+		   https://git.sr.ht/~libreboot/untitled .])],
  [UNTITLED_PATH=$withval],
  [])

 AM_CONDITIONAL( [WANT_UNTITLED_PATH], [test x"$UNTITLED_PATH" != x""])

 # Check dependencies
-AC_CHECK_PROG([CURL], [curl], [curl])
 AC_CHECK_PROG([REALPATH], [realpath], [realpath])
 AC_CHECK_PROG([TAR], [tar], [tar])

@ -154,14 +168,12 @@ AS_IF([test x"$guix" = x"yes"],
              [test was not found in PATH ($PATH)])])])

 AC_OUTPUT
-
-AS_IF([test x"$LBWWW_PATH" != x"" ||
-       test x"$UNTITLED_PATH" != x""],
-      [AS_ECHO(["Configuration options:"])
-       AS_ECHO([])])
+AS_ECHO(["Configuration options:"])

 AS_IF([test x"$LBWWW_PATH" != x""],
      [AS_ECHO(["    LBWWW_PATH: $LBWWW_PATH"])])

+AS_ECHO(["    RSYNC_DESTINATION: $RSYNC_DESTINATION"])
+
 AS_IF([test x"$UNTITLED_PATH" != x""],
      [AS_ECHO(["    UNTITLED_PATH: $UNTITLED_PATH"])])