Verified Commit 3a585892 authored by anarcat

git: review the mirror procedure before converting tor-puppet (team#41971)

parent 7a893892
+21 −14
@@ -566,35 +566,42 @@ This procedure is kept for historical purposes only.


If a repository is, for some reason (typically security), not hosted
If a repository is, for some reason (typically security), not hosted
on GitLab, it can still be mirrored there. A typical example is the
on GitLab, it can still be mirrored there. A typical example is the
Puppet repository (see [TPA-RFC-76](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-76-puppet-merge-request-workflow)). To mirror the repository, you
Puppet repository (see [TPA-RFC-76](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-76-puppet-merge-request-workflow)). 
need (make sure to run this as the user which hosts the repository,
typically `git`):


 1. create the repository in GitLab, possibly private itself (but
The following instructions assume you are mirroring a *private
    sometimes it's fine if it's public as well)
repository* from a host (`alberti.torproject.org` in this case) where
users typically push in a sandbox user (`git` in this case). We also
assume you have a local clone of the repository you can operate from.


 1. add the GitLab remote on the private repository:
 1. Create the repository in GitLab, possibly private itself, this can
    be done by adding a remote and pushing *from the local clone*:
        
        git remote add gitlab ssh://git@gitlab.torproject.org/tpo/tpa/account-keyring.git
        git push gitlab --mirror

 1. Add the GitLab remote on the *private repository* (in this case on
    `alberti`, running as `git`:


        git remote add origin ssh://git@gitlab.torproject.org/tpo/tpa/account-keyring.git
        git remote add origin ssh://git@gitlab.torproject.org/tpo/tpa/account-keyring.git


 2. create a deploy key on the server:
 2. Create a deploy key on the server (again, as `git@alberti`):


        ssh-keygen -t ed25519
        ssh-keygen -t ed25519


 4. add the deploy key to the repository, in Settings, Repository,
 4. Add the deploy key to the [GitLab repository](https://gitlab.torproject.org/tpo/tpa/account-keyring), in Settings,
    Deploy keys, make sure it has write access, and name it after the
    Repository, Deploy keys, make sure it has write access, and name
    user on the mirrored host (e.g. `git@alberti.torproject.org` in
    it after the user on the mirrored host
    this case)
    (e.g. `git@alberti.torproject.org` in this case)


 5. protect the branch, in Settings, Repository, Protected branches:
 5. Protect the branch, in Settings, Repository, Protected branches:


    - Allowed to merge: no one
    - Allowed to merge: no one
    - Allowed to push and merge: no one, and add the deploy key
    - Allowed to push and merge: no one, and add the deploy key


 6. disable merge requests (in Settings, General) or set them to be
 6. Disable merge requests (in Settings, General) or set them to be
    "fast-forward only" (in Settings, Merge requests)
    "fast-forward only" (in Settings, Merge requests)


 7. on the mirrored repository, add a `post-receive` hook like:
 7. On the mirrored repository, add a `post-receive` hook like:


```
```
#!/bin/sh
#!/bin/sh
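
Review bot: `git push gitlab --mirror` in the new first step is run *from the local clone*, and `--mirror` pushes every ref under `refs/`, so the clone's `refs/remotes/*` tracking refs end up on GitLab and only the branches that happen to exist locally are sent. Consider `git push gitlab --all` followed by `git push gitlab --tags`, or doing the initial mirror push from the bare repository on `alberti` once its remote and deploy key are in place. The next step opens a parenthesis it never closes ("(in this case on `alberti`, running as `git`:"), and the list markers now read 1, 1, 2, 4, which is worth renumbering while this section is being touched. Because the deploy key is given write access and is the only identity allowed to push to the protected branch, the `ssh-keygen -t ed25519` step could also say which file the key should be written to and that the key should be dedicated to this mirror.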