Commit 4fc5a3c9 authored by Joseph Weston

add nikola deploy configuration to prevent CI server blacklisting

We don't check the host key and just upload the docs. The worst that
can happen is that an "attacker" gets our docs, and the Kwant website
does not get updated. We enforce the use of public key authentication
only, so an attacker cannot get any credentials, and the docs are
public information, so there is no risk.
parent b4758aea
...@@ -369,10 +369,21 @@ REDIRECTIONS = [] ...@@ -369,10 +369,21 @@ REDIRECTIONS = []
# to `nikola deploy`. If no arguments are specified, a preset # to `nikola deploy`. If no arguments are specified, a preset
# named `default` will be executed. You can use as many presets # named `default` will be executed. You can use as many presets
# in a `nikola deploy` command as you like. # in a `nikola deploy` command as you like.
# rsync is used to send documentation to our web servers: we never send any
# secret information, and using 'ssh-keyscan' causes the CI server's IP to
# be blacklisted, so we specify "StrictHostKeyChecking=no".
SSH_OPTS = ["StrictHostKeyChecking=no", "UserKnownHostsFile=/dev/null",
"IdentitiesOnly=yes"]
SSH_OPTS = ' '.join('-o ' + opt for opt in SSH_OPTS)
DEPLOY_COMMANDS = { DEPLOY_COMMANDS = {
'default': [ 'default': [
"rsync -rlv -e 'ssh -i deploy_key' --delete --filter 'P doc/*' output/* kwant@kwant-project.org:", "rsync -rlv -e 'ssh {} -i deploy_key' --delete --filter 'P doc/*' output/* kwant@kwant-project.org:"
"rsync -lv -e 'ssh -i deploy_key' htaccess-apache kwant@kwant-project.org:/.htaccess", .format(SSH_OPTS),
"rsync -lv -e 'ssh {} -i deploy_key' htaccess-apache kwant@kwant-project.org:/.htaccess"
.format(SSH_OPTS),
] ]
} }
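Review bot: The new SSH_OPTS list turns off host verification (StrictHostKeyChecking=no with UserKnownHostsFile=/dev/null), but nothing in it restricts the client to public key authentication, which is what the commit message's safety argument relies on. IdentitiesOnly=yes only limits which keys ssh offers; it does not limit the authentication methods the client will attempt against whatever host answers. Consider adding "PreferredAuthentications=publickey" and "BatchMode=yes" to the list so the restriction is enforced on the client side regardless of how the remote end is configured. A stricter alternative that still avoids ssh-keyscan is to commit the server's public host key to a known_hosts file in the repository and point UserKnownHostsFile at it with StrictHostKeyChecking=yes; the host key is public data and no scan from the CI server is needed. Minor style point: SSH_OPTS is bound first to a list and then rebound to the joined string, so a separate name for one of the two would read more clearly.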
......