summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--drafts/posts/adding-cgit-subdomain-to-personal-site.md136
1 files changed, 98 insertions, 38 deletions
diff --git a/drafts/posts/adding-cgit-subdomain-to-personal-site.md b/drafts/posts/adding-cgit-subdomain-to-personal-site.md
index a302b0e..70af4a5 100644
--- a/drafts/posts/adding-cgit-subdomain-to-personal-site.md
+++ b/drafts/posts/adding-cgit-subdomain-to-personal-site.md
@@ -1,26 +1,25 @@
+++
-title = "Adding a CGit web interface"
+title = "Adding a CGit Subdomain To My Site"
tags = ["linux", "nginx", "certbot"]
-summary = """
-
-Here I document my experience setting up CGit on my VPS.
-
-"""
+summary = "Setting up CGit on my VPS."
+date = 2026-03-06
+++
# Motivation
-To update the content of my blog, I have to do something of a dance. I
-like versioning my blog's *content* as a separate Git repo,
-independent of the SSG that manages its final layout, rendering,
-styling, etc. So right now what I'm doing is this:
+To update the content of my blog, I have to do something of a
+dance. My blog's content started out life as a subdirectory of my SSG
+project, but now lives in its own separate Git repo. This is super
+convenient since I now can host my blog wherever I want on my VPS's
+filesystem, for example in a folder called `brandons_blog`. So right
+now what I'm doing is this:
1. Commit all changes.
2. Push the changes to GitHub, where it's currently hosted in a
somewhat centralized manner.
3. Log in via SSH into my VPS.
-4. Navigate to the cloned version of the blog repo that lives there,
- and run `git pull`.
+4. Perform a `cd` into the `brandons_blog` directory, and run `git
+ pull`.
However, I thought, "wouldn't it be nice if I could push **directly**
to the VPS repo?" And so I started working on that idea in the obvious
@@ -37,9 +36,9 @@ directory now owned by it.)
I quickly learned, to my dismay, that I couldn't push to the VPS
remote if it's not a bare repo. A bare repo is one initialized with
`git init --bare`, so that it doesn't have a working directory
-populated with files. However, the buildablog server does expect to
-see a working directory with blog files (not just blobs, for example),
-so this doesn't solve my problem.
+populated with files. However, the buildablog server expects to see a
+working directory with blog files (not just blobs, for example), so
+this doesn't solve my problem.
# Cgit
@@ -51,26 +50,30 @@ I ended up adding the Cgit web interface to my site, available via
how to do it, but their suggested Nginx setup was off in some
parts.
-After a ton of false starts, I ended up doing the following. Note that
-this assumes that you've already followed the aforementioned tutorial
-on setting up your `git` user and its home directory. As a quick addon
-to that, I suggest adjusting the permissions for the `/var/git`
-directory to 775 (I had initially found they were set to 770.) This
-allows the Cgit web interface to actually read and display your hosted
-repos, which is after all the point.
+After a ton of false starts, I ended up doing slightly different. Note
+that this assumes that you've already followed the aforementioned
+tutorial on setting up your `git` user and its home directory. As a
+quick addon to that, I suggest adjusting the permissions for the
+`/var/git` directory to 775 (I had initially found they were set to
+770.) This allows the Cgit web interface to actually read and display
+your hosted repos, which is after all the point.
+
+Here's what I did. I'm phrasing these in the imperative mood since it
+reads better than beginning everything with "I" + past-tense, and the
+steps themselves are also suitable as a potential HOWTO for my future
+self:
1. Add two new *external records* for `git.brandonirizarry.xyz` to my
site's DNS configuration over on Epik: the A (IPv4) and AAAA (IPv6)
records, per usual if you're already somewhat familiar with this
thing.
-2. Start out with the `http` version of the site you're serving. Not
- only does this make adding the TLS certificate later on painless,
- you can immediately verify that your new subdomain is, in fact,
- being hosted. Add the following server block to whatever nginx
- configuration you have published as your website, and then reload
- the nginx configuration with something like `sudo systemctl restart
- nginx.service`:
+2. Start out by adding the Nginx configuration of the `http` version
+ of the site. Not only does this make adding the TLS certificate
+ later on painless, you can immediately verify that your new
+ subdomain is, in fact, being hosted. Add the following server block
+ to your published Nginx configuration, and then reload Nginx
+ (e.g. `sudo systemctl restart nginx.service`):
```
server {
@@ -107,11 +110,11 @@ server {
```
3. Add a TLS certificate for your subdomain. I admit that I took a
- someone nonlinear path in achieving my setup, but this should be as
- simple as running `sudo certbot --nginx`, and then selecting your
- subdomain from the menu options. Here I'm assuming you've already
- gotten a certificate for your main site, hence you only need one
- for your new subdomain.
+ somewhat nonlinear path in achieving my setup, but this should be
+ as simple as running `sudo certbot --nginx`, and then selecting
+ your subdomain from the menu options. Here I'm assuming you've
+ already gotten a certificate for your main site, hence you need a
+ certificate only for your new subdomain.
From there you shouldn't even have to restart Nginx: you should see
that your subdomain is available over `https`.
@@ -121,10 +124,67 @@ that your subdomain is available over `https`.
I learned, through banging my head against various misconfigurations
(both from the DNS and Nginx sides), that Let's Encrypt (what Certbot
uses to issue the certificate) [imposes a rate limit](https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-identifier-per-account) on
-certificate issues per identifier, which doesn't forgive botched
-certificates. The solution here is to run Certbot with the
-`--test-cert` flag, which uses Let's Encrypt's staging area, which has
-no such draconian rate limit.
+certificate issues per identifier (five per hour), which doesn't
+forgive botched attempts at certificate registration. The solution
+here is to run Certbot with the `--test-cert` flag, which uses Let's
+Encrypt's staging area, which has a much more forgiving rate limit.
+
+In digging a bit through the Let's Encrypt [forums](https://community.letsencrypt.org/), I learned
+about two super helpful sites for debugging DNS and certificate
+issues:
+
+1. <https://letsdebug.net>
+
+ Super helpful for figuring out issues with bad certificates.
+
+2. <https://dnsviz.net>
+
+ For debugging a site's DNS config, which I was messing up since I
+ wasn't sure in the beginning how to properly add a subdomain to my
+ DNS records (somewhat confusingly, Epik places the word
+ "subdomain" alongside the CNAME section, making me think CNAME had
+ something to do with it, which it doesn't.)
+
+# A Ghost in the Machine?
+
+I finally managed to [host](https://git.brandonirizarry.xyz) my Cgit dashboard on my site, which
+currently contains only my blog repo. I even managed to share the link
+with a friend of mine, who was successfully able to view it from their
+end.
+
+However, when going through some exercises in *The Go Programming
+Language* (a story for another time), I happened to cavalierly make a
+GET request to that subdomain, which then reported a TLS error. In my
+mind this seemed somewhat bonkers, since, after all, everything was
+already up and running, no? So late that evening I had to jump back
+onto the VPS and do some bespoke troubleshooting.
+
+It looked like there were some redundant server blocks in my Nginx
+config file that were added while I was throwing everything and the
+kitchen sink at getting a valid TLS certificate. So what I did in the
+end was remove everything Certbot had added concerning my `git`
+subdomain, essentially reverting back to just the server block shown
+just above, and repeating those exact steps — including first
+verifying service over `http`. This part of the process for me was the
+most satisfying, since it proves that the mere act of publishing a
+website on the Web is, at its core, not all that difficult. One thing
+different this time though was that, per the options Cerbot presents
+you, it sufficed to reinstall the existing certificate, as opposed to
+applying for a new one.)
+
+After that, everything was in order! I even checked the site the next
+morning just to make sure it had stayed that way. To date, everything
+looks good.
+
+# In the End...
+
+In the end, I didn't actually solve my initial problem, but still went
+down an interesting rabbit hole, and now have a convenient tool at my
+disposal — my own poor-man's GitHub — for personal use. For now, I may
+well only use it for throwaway Go packages, in case I don't feel like
+using workspaces.
+
+
generated by cgit v1.2.3 (git 2.46.0) at 2026-06-05 23:19:22 +0000