git: review the mirror procedure before converting tor-puppet (team#41971)

3a585892 · anarcat · 7a893892 · 3a585892
Verified Commit 3a585892 authored 2 months ago by anarcat
--- a/howto/git.md
+++ b/howto/git.md
@@ -566,35 +566,42 @@ This procedure is kept for historical purposes only.

 If a repository is, for some reason (typically security), not hosted
 on GitLab, it can still be mirrored there. A typical example is the
-Puppet repository (see [TPA-RFC-76](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-76-puppet-merge-request-workflow)). To mirror the repository, you
-need (make sure to run this as the user which hosts the repository,
-typically `git`):
+Puppet repository (see [TPA-RFC-76](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-76-puppet-merge-request-workflow)). 

- 1. create the repository in GitLab, possibly private itself (but
-    sometimes it's fine if it's public as well)
+The following instructions assume you are mirroring a *private
+repository* from a host (`alberti.torproject.org` in this case) where
+users typically push in a sandbox user (`git` in this case). We also
+assume you have a local clone of the repository you can operate from.

- 1. add the GitLab remote on the private repository:
+ 1. Create the repository in GitLab, possibly private itself, this can
+    be done by adding a remote and pushing *from the local clone*:
+        
+        git remote add gitlab ssh://git@gitlab.torproject.org/tpo/tpa/account-keyring.git
+        git push gitlab --mirror
+
+ 1. Add the GitLab remote on the *private repository* (in this case on
+    `alberti`, running as `git`:

        git remote add origin ssh://git@gitlab.torproject.org/tpo/tpa/account-keyring.git

- 2. create a deploy key on the server:
+ 2. Create a deploy key on the server (again, as `git@alberti`):

        ssh-keygen -t ed25519

- 4. add the deploy key to the repository, in Settings, Repository,
-    Deploy keys, make sure it has write access, and name it after the
-    user on the mirrored host (e.g. `git@alberti.torproject.org` in
-    this case)
+ 4. Add the deploy key to the [GitLab repository](https://gitlab.torproject.org/tpo/tpa/account-keyring), in Settings,
+    Repository, Deploy keys, make sure it has write access, and name
+    it after the user on the mirrored host
+    (e.g. `git@alberti.torproject.org` in this case)

- 5. protect the branch, in Settings, Repository, Protected branches:
+ 5. Protect the branch, in Settings, Repository, Protected branches:

    - Allowed to merge: no one
    - Allowed to push and merge: no one, and add the deploy key

- 6. disable merge requests (in Settings, General) or set them to be
+ 6. Disable merge requests (in Settings, General) or set them to be
    "fast-forward only" (in Settings, Merge requests)

- 7. on the mirrored repository, add a `post-receive` hook like:
+ 7. On the mirrored repository, add a `post-receive` hook like:

 ```
 #!/bin/sh