How to build the web site

You need hugo to build the website. On Debian, install it from the 'hugo' package:

# apt install hugo

Furthermore, you need to checkout the submodules:

website-content $ git submodule init
website-content $ git submodule update

Now you can build the site using 'make', it will be put into 'public'. 'make server' will launch a local server that is useful while editing the web site.

Server setup

On the server, the website is built using gitlab's ci runner, see .gitlab-ci.yml. To deploy the site, the ci job rsyncs it to the host. For this purpose, a restricted user is created:

# adduser --system --home /var/www/www-data-rsync --shell /bin/sh --disabled-password --ingroup www-data www-data-rsync

Create a key and restrict it to invoke the restricted-rsync script:

# mkdir /var/www/www-data-rsync/.ssh
# chmod 700 /var/www/www-data-rsync/.ssh
# ssh-keygen -t ed25519 -C 'Used for website deployment.' -f www-data-rsync-id_ed25519
# echo 'command="/usr/local/bin/rrsync /var/www/html --safe-links",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBBpthbSQ3HgOkhoBwsrZCA9VMX7hRftB5t6LePqtr3 Used for website deployment.' > /var/www/www-data-rsync/.ssh/authorized_keys
# chmod 400 /var/www/www-data-rsync/.ssh/authorized_keys
# chown -R www-data-rsync:www-data /var/www/www-data-rsync/.ssh

Copy the restricted-rsync script from the docs and make it executable:

# cp /usr/share/doc/rsync/scripts/rrsync /usr/local/bin/
# chmod +x /usr/local/bin/rrsync

Finally, allow www-data-rsync to write to the document root:

# chown root:www-data /var/www/html
# chmod g+w /var/www/html

The last bit is to supply the generated secret to gitlab's ci runner via RSYNC_TARGET_SECRET_KEY. Other information that needs to be provided are RSYNC_TARGET_HOST, RSYNC_TARGET_PORT, RSYNC_TARGET_HOST_KEY, and RSYNC_TARGET_USER.