lektor / lektor-website

The main lektor website.
https://www.getlektor.com/

Deployment to public website is broken (invalid credentials in the repo secrets) #330

Closed dairiki closed 2 years ago

dairiki commented 2 years ago

The deploy.yml workflow attempts to build and deploy the website when commits are made to the master branch. The building part appears to work, but the deployment part is failing, apparently due to missing or invalid credentials in the github repository's secrets.

As a result updates to lektor-website are not being propagated to getlektor.com. The public site is becoming pretty stale.

Who can fix this? @mitsuhiko?

nixjdm commented 2 years ago

I can see LEKTOR_DEPLOY_PASSWORD and LEKTOR_DEPLOY_USERNAME in this repo's secrets, updated spring of last year, but I can't see their contents, and I don't have direct access to the server. @mitsuhiko, I think you're the only one here with server access. Can you take a look and maybe fix this?

maste9 commented 2 years ago

@dairiki I guess that's the answer to my request from the gitter channel?

For I still don't see any new plugins on getlektor.com 😞

mitsuhiko commented 2 years ago

I think the right solution here would be to port all of this to github pages. I can rebind the DNS if someone can publish it there.

dairiki commented 2 years ago

PR #337 will publish the site to github pages with a CNAME file setting the "custom domain" to www.getlektor.com.

@mitsuhiko, when you're ready to flip the DNS switches, let me know and I'll merge the PR. (Or you can merge it yourself.)

dairiki commented 2 years ago

> I think the right solution here would be to port all of this to github pages. I can rebind the DNS if someone can publish it there.

@mitsuhiko I think we're still ready to switch to GH Pages. We have a GitHub action set up that publishes to https://lektor.github.io/lektor-website/

I think all that we need DNS-wise is:

www.getlektor.com. CNAME lektor.github.io.

And, ideally, the following records at getlektor.com (to allow GitHub to do the redirect from getlektor.com to www.getlektor.com):

getlektor.com. A 185.199.108.153
getlektor.com. A 185.199.109.153
getlektor.com. A 185.199.110.153
getlektor.com. A 185.199.111.153
getlektor.com. AAAA 2606:50c0:8000::153
getlektor.com. AAAA 2606:50c0:8001::153
getlektor.com. AAAA 2606:50c0:8002::153
getlektor.com. AAAA 2606:50c0:8003::153

(or, if the registrar/DNS service supports the non-standard ALIAS or ANAME "records", this can be done more tersely as getlektor.com. ALIAS lektor.github.io. — or similar with ANAME)

Once that's done, merge #337 to create the CNAME file.

GitHub's instructions on all of this are here.

dwt commented 2 years ago

@mitsuhiko Do you have an update on when you'll be able to rebind the DNS? I would really like the lektor website to move to GitHub pages, and that seems to currently block this solid. :/

dairiki commented 2 years ago

@mitsuhiko Ping!

> I think the right solution here would be to port all of this to github pages. I can rebind the DNS if someone can publish it there.

We've implemented a workflow that publishes to github pages. That was done over two months ago. Please, either make the DNS updates to point getlektor.com to the github pages, or let us know some alternative plan to be able to update the content on the getlektor.com website.

Thank you!

nixjdm commented 2 years ago

I don't want to make the burden of doing this any harder, but if you're ok with it @mitsuhiko, I'd suggest modifying the DNS at the same time to support an eventual docs. subdomain, as hoped for in #226. If that's done ahead of time, that move could be done by other maintainers when ready, so you wouldn't be needed to step in at that point, too.

@dairiki Is that a simple extension of the snippet you provided above, like I'd think? Is there a reason not to do this? The only negative effect that's obvious to me is docs. subdomain resolving while not being used unless/until that work completes. But while getlektor.com/docs still works, that doesn't seem like a big deal to me.

dairiki commented 2 years ago

> I'd suggest modifying the DNS at the same time to support an eventual docs. subdomain, as hoped for in #226.

This is probably not a good idea unless/until we have a site ready to go for the subdomain.

If DNS for a domain name is pointed to Github pages (and that domain name has not been "verified" — i.e. claimed — by a specific user or organization) then any Github pages site may claim to be that domain and serve up arbitrary content. (More here.)


Which brings up the point that the lektor Github organization ideally should "verify" ownership of the getlektor.com domain. This requires creating a special TXT record in DNS for the domain (and also requires Github permissions to edit organization settings which I, apparently, do not have). @mitsuhiko, if you feel like attempting this, instructions are here.

nixjdm commented 2 years ago

I see, thanks. Could we instead post a trivial page then in order to verify it, like an html redirect to /docs/? Or even a blank page? Then that could one day be updated. I'm just trying to get the most out of a single session of @mitsuhiko's time here.

Also I'm pretty sure I do have sufficient GitHub org perms to modify those settings, so I can try to help there. I just don't have DNS access.

dairiki commented 2 years ago

My understanding is that if we "verify" the getlektor.com domain (by going through the process involving creating a custom TXT record) that would protect all immediate subdomains (e.g. docs.getlektor.com) from being claimed by any Github pages sites outside of the lektor organization. So, if that is done, there is no real need to create a stub site to protect the domain — not that that's a bad idea. (If DNS is pointed to Github pages and no site claims that domain, Github serves up a 404 page: "There isn't a GitHub Pages site here.")
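Added example, not part of the thread or of the project's code: a small audit that applies the rule discussed in the comments above to a zone listing, flagging names that resolve to GitHub Pages while neither claimed by one of the organization's own sites nor covered by a verified domain. The zone is constructed from the records proposed in the thread plus the early docs. record; `audit`, its `verified` and `published` arguments, and the status labels are hypothetical names.

```python
import ipaddress

# GitHub Pages apex addresses as listed in the thread.
PAGES_IPS = {ipaddress.ip_address(a) for a in (
    "185.199.108.153", "185.199.109.153", "185.199.110.153", "185.199.111.153",
    "2606:50c0:8000::153", "2606:50c0:8001::153",
    "2606:50c0:8002::153", "2606:50c0:8003::153")}

# Constructed zone: records proposed in the thread, the early docs. record
# that was suggested, and an unrelated host (documentation address).
SAMPLE_ZONE = """\
www.getlektor.com.  CNAME lektor.github.io.
getlektor.com.      A     185.199.108.153
docs.getlektor.com. CNAME lektor.github.io.
mail.getlektor.com. A     203.0.113.25
"""

def points_to_pages(rtype, value):
    if rtype == "CNAME":
        return value.rstrip(".").lower().endswith(".github.io")
    if rtype in ("A", "AAAA"):
        return ipaddress.ip_address(value) in PAGES_IPS
    return False

def covered(name, verified):
    """Per the thread: a verified domain covers itself and immediate subdomains."""
    return name in verified or name.partition(".")[2] in verified

def audit(zone_text, verified, published):
    """Map each name that resolves to GitHub Pages to an exposure status."""
    status = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith((";", "#")):
            continue
        # Works for "name TYPE value" and for dig's "name ttl IN TYPE value".
        name, rtype, value = parts[0].rstrip(".").lower(), parts[-2].upper(), parts[-1]
        if not points_to_pages(rtype, value):
            continue
        if covered(name, verified):
            status[name] = "ok" if name in published else "unclaimed-but-protected"
        else:
            status[name] = "claimed-unverified" if name in published else "TAKEOVER-RISK"
    return status

if __name__ == "__main__":
    ours = {"www.getlektor.com", "getlektor.com"}  # domains our own site claims
    print(audit(SAMPLE_ZONE, verified=set(), published=ours))
    print(audit(SAMPLE_ZONE, verified={"getlektor.com"}, published=ours))
```

Here `verified` is the set of domains for which the TXT challenge has been completed, and `published` is the set of custom domains that the organization's own Pages sites currently claim.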

dairiki commented 2 years ago

> Also I'm pretty sure I do have sufficient GitHub org perms to modify those settings, so I can try to help there. I just don't have DNS access.

@nixjdm If you can, it is probably a good idea to go through the steps to verify ownership of getlektor.com (instructions here) up to the step that requires DNS access. Then pass on the details of the TXT record to be created to @mitsuhiko. Finally, when the TXT record has been created (even if that takes a while) it sounds like you can click the button to complete the process.

nixjdm commented 2 years ago

The txt record is ready to be added. I can verify it after it is added and has propagated. @mitsuhiko could you please then, in addition to @dairiki's previous instructions, also add the txt record listed here?

dairiki commented 2 years ago

(@nixjdm The link to the txt record you provided 404s for me. Hopefully, it works for organization admins.)

nixjdm commented 2 years ago

Yes, it should for Armin.

On Wed, May 4, 2022, 2:45 PM Jeff Dairiki @.***> wrote:

> (@nixjdm The link to the txt record you provided 404s for me. Hopefully, it works for organization admins.)


dairiki commented 2 years ago

@mitsuhiko Here's a quarterly ping to keep this thread alive.

If you could point DNS for {www.,}getlektor.com to our GH Pages, that would allow us to be able to update the website.

If, for whatever reason, you're unwilling or unable to do so, let us know, too, so we can stop holding our breath ;-)

Thank you!

dwt commented 2 years ago

@dairiki Not sure he's actually getting the emails from here, have you tried emailing him directly or giving him a call?

dairiki commented 2 years ago

@dwt Email sent (just now)

mitsuhiko commented 2 years ago

I rebound the addresses to point to github pages instead. Should go into effect soon.

dairiki commented 2 years ago

@mitsuhiko Thank you, thank you! I've updated things so that we have the correct CNAME file in our gh-pages branch. Things seem to be working!

I notice that there appears to be only one A record listed for getlektor.com. The recommendation appears to be to set four A records and four AAAA records as described in step number 5 in these docs.

Here's what I see from here:

$ dig -t A +noall +answer getlektor.com
getlektor.com.      3573    IN  A   185.199.108.153

$ dig -t AAAA +noall +answer getlektor.com
# (nothing)

Ideally, we want all of these:

getlektor.com. A 185.199.108.153
getlektor.com. A 185.199.109.153
getlektor.com. A 185.199.110.153
getlektor.com. A 185.199.111.153
getlektor.com. AAAA 2606:50c0:8000::153
getlektor.com. AAAA 2606:50c0:8001::153
getlektor.com. AAAA 2606:50c0:8002::153
getlektor.com. AAAA 2606:50c0:8003::153
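Added example, not part of the thread: the comparison made by hand in the comment above, as a script that parses `dig +noall +answer` output and reports which of the listed apex records are still missing and which answers point somewhere other than GitHub Pages. `OBSERVED` is the dig output quoted in the comment; the function names are hypothetical.

```python
import ipaddress

# GitHub Pages apex addresses exactly as listed in the thread.
EXPECTED = {
    "A": {"185.199.108.153", "185.199.109.153",
          "185.199.110.153", "185.199.111.153"},
    "AAAA": {"2606:50c0:8000::153", "2606:50c0:8001::153",
             "2606:50c0:8002::153", "2606:50c0:8003::153"},
}

# dig output quoted in the comment above (one A record, no AAAA).
OBSERVED = """\
$ dig -t A +noall +answer getlektor.com
getlektor.com.      3573    IN  A   185.199.108.153

$ dig -t AAAA +noall +answer getlektor.com
# (nothing)
"""

def parse_answers(dig_text, name):
    """Collect A/AAAA addresses for `name` from `dig +noall +answer` output."""
    want = name.rstrip(".").lower()
    found = {"A": set(), "AAAA": set()}
    for line in dig_text.splitlines():
        parts = line.split()
        # Answer lines look like: <name> <ttl> IN <type> <address>
        if len(parts) != 5 or parts[2].upper() != "IN":
            continue
        owner, rtype = parts[0].rstrip(".").lower(), parts[3].upper()
        if owner == want and rtype in found:
            # Normalise so that equivalent IPv6 spellings compare equal.
            found[rtype].add(str(ipaddress.ip_address(parts[4])))
    return found

def compare(dig_text, name):
    """Return records still missing and records that point elsewhere."""
    found = parse_answers(dig_text, name)
    report = {"missing": [], "unexpected": []}
    for rtype, addrs in EXPECTED.items():
        expected = {str(ipaddress.ip_address(a)) for a in addrs}
        report["missing"] += [f"{rtype} {a}" for a in sorted(expected - found[rtype])]
        report["unexpected"] += [f"{rtype} {a}" for a in sorted(found[rtype] - expected)]
    return report

if __name__ == "__main__":
    for kind, records in compare(OBSERVED, "getlektor.com").items():
        print(kind, records)
```

An entry under `unexpected` would indicate a leftover record, for example the previous server's address, still being served alongside the GitHub Pages ones.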