feat!: Separate www into www/blog and www/private

Now the private content is stored as a git submodule. This means I can keep that repo's source private, but still use it in the build product. The build product (website) relies on HTTP basic authentication, so access control is maintained throughout the SDLC.
2026-04-04 11:48:33 -07:00 · 2026-04-04 11:48:33 -07:00 · 35d31bea2a
commit 35d31bea2a
parent 60d8788ffa
116 changed files with 3863 additions and 120 deletions
--- a/.forgejo/workflows/cd.yml
+++ b/.forgejo/workflows/cd.yml
@ -8,7 +8,6 @@ on:
        required: true
        type: choice
        options:
-          - local
          - staging
          - prod

@ -19,7 +18,9 @@ jobs:
      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
-          name: site-${{ github.sha }}
-          path: blog/
+          name: blog-${{ github.sha }}
+          path: book/
      - name: Deploy
-        run: nix shell nixpkgs#rsync --command ./deploy.sh ${{ inputs.target }}
+        run: |
+          nix shell nixpkgs#rsync --command rsync -av --delete book/ /srv/www/binning.net/
+          printf "✓ Local deployment complete!\n"
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@ -8,11 +8,28 @@ jobs:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
+        with:
+          submodules: false
      - name: Build
-        run: nix shell nixpkgs#mdbook --command ./deploy.sh build
+        run: |
+          git config --global url."https://oauth2:${{ secrets.WWW_PRIVATE_TOKEN }}@forgejo.binning.net/".insteadOf "https://forgejo.binning.net/"         
+          git submodule update --init --depth=1
+          nix shell nixpkgs#mdbook --command mdbook build
+          printf "✓ Build complete!\n"
      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
-          name: site-${{ github.sha }}
-          path: blog/
-
+          name: blog-${{ github.sha }}
+          path: book/
+  deploy:
+    runs-on: self-hosted
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: blog-${{ github.sha }}
+          path: book/
+      - name: Deploy
+        run: |
+          nix shell nixpkgs#rsync --command rsync -av --delete book/ /srv/www/binning.net/
+          printf "✓ Local deployment complete!\n"
--- a/.forgejo/workflows/nightly.yml
+++ b/.forgejo/workflows/nightly.yml
@ -9,15 +9,19 @@ jobs:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
+        with:
+          submodules: false
      - name: Build
-        run: nix shell nixpkgs#mdbook --command ./deploy.sh build
+        run: |
+          git config --global url."https://oauth2:${{ secrets.WWW_PRIVATE_TOKEN }}@forgejo.binning.net/".insteadOf "https://forgejo.binning.net/"         
+          git submodule update --init --depth=1
+          nix shell nixpkgs#mdbook --command mdbook build
+          printf "✓ Build complete!\n"
      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
-          name: site-${{ github.sha }}
-          path: blog/
-
-
+          name: blog-${{ github.sha }}
+          path: book/
  deploy:
    needs: build
    runs-on: self-hosted
@ -25,7 +29,12 @@ jobs:
      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
-          name: site-${{ github.sha }}
-          path: blog/
+          submodules: true
+          token: ${{ secrets.WWW_PRIVATE_TOKEN }}
+        with:
+          name: blog-${{ github.sha }}
+          path: book/
      - name: Deploy
-        run: nix shell nixpkgs#rsync --command ./deploy.sh local
+        run: |
+          nix shell nixpkgs#rsync --command rsync -av --delete book/ /srv/www/binning.net/
+          printf "✓ Local deployment complete!\n"