ariadne.space/content/blog/migrating-from-wordpress.md

136 lines
6.4 KiB
Markdown
Raw Normal View History

---
title: Migrating away from WordPress
date: '2022-08-04'
---
Astute followers of this blog might have noticed that the layout has
dramatically changed. This is because I migrated away from WordPress
last weekend, switching [back to Hugo][hugo] after a few years. This
time around, the blog is fully self-hosted, rather than depending on
GitHub pages, and the deployment pipeline is reasonably secure.
Perhaps we can call it a "secure blog factory" with some further work,
even.
[hugo]: https://gohugo.io/
When most people deploy static websites anymore, they use a service
like Netlify, or GitHub pages to do it. These services are reasonable,
but when you do not own your own infrastructure, you are dependent on
a third party continuing to offer the service. With the latest news
that GitLab has decided to [delete user data that has not been touched
in over a year][gl-deletion], depending on third party services may be
something to start considering in your security and reliability posture.
[gl-deletion]: https://www.theregister.com/2022/08/04/gitlab_data_retention_policy/
## Migrating back to self-hosting
Because of the fact that I cannot really depend on third party
services to [conduct themselves in alignment with my own personal ethics][copilot]
and expectations for service reliability, even when paying them to do
so, I started to self-host the majority of my services over the past
year. This has had significant benefit in terms of enabling me to
have actual visibility into the behavior of my services, and to tune
the performance of them, as needed. Software such as Knative has
enabled me to work with my own infrastructure as if it were a managed
cloud service at one of the big providers.
[copilot]: https://github.blog/2021-06-29-introducing-github-copilot-ai-pair-programmer/
There was one problem, however. Some of the services I adopted when I
decided to start seriously hosting my own services again, have a less
than stellar security record, such as WordPress. While the core of
WordPress itself has an acceptable security record, as soon as you use
basically any plugin, it goes out the window. Much of this was
mitigated by the fact that I ran a custom WordPress image as a Knative
service, which meant that if any of the plugins got compromised, I could
just restart the pod, and I would be back to normal, but I have always
thought that it could be done better.
## Setting up Gitea because GitHub introduced Copilot
Last year, GitHub announced Copilot, a neural model that was trained on
the entire corpus of publicly available source code posted to GitHub.
While Microsoft claims that this is allowed under fair use, the overwhelming
majority of experts disagree so far. My personal opinion is that this
was a [breach of the public trust][gh-cohost] that the FOSS community
originally placed in GitHub, and a lesson that we must own our own
infrastructure in order to maintain [our autonomy in the digital world][da].
[gh-cohost]: https://ariadne.space/2022/07/01/a-silo-can-never-provide-digital-autonomy-to-its-users/
[da]: https://techautonomy.org/
As a result of all of this, I wound up setting up my own [Gitea instance][gitea],
which I use to maintain my own source code. In addition to Gitea, because
I needed a CI service, I deployed a [Woodpecker instance][woodpecker]. Both
of these services are very easy to deploy if you are already using Kubernetes,
and come highly recommended (it is also possible to use Tekton for CI with
Gitea, but it requires more work at the moment).
[gitea]: https://gitea.treehouse.systems/
[woodpecker]: https://woodpecker.treehouse.systems/
## Automatically publishing the blog with Woodpecker
If you look at the [source code for my blog][src], you will notice that
it is largely a normal Hugo site, that has some basic plumbing around
Woodpecker. I also use [apko][apko] to build a custom image that has
all of the tools needed to build and deploy the website, which is
self-hosted on the new OCI registry implemented in Gitea 1.17. For those
interested, you can look at the [logs of the deploy job][deploy-logs]
used to post this article!
[src]: https://gitea.treehouse.systems/ariadne/ariadne.space
[apko]: https://github.com/chainguard-dev/apko
[deploy-logs]: https://woodpecker.treehouse.systems/ariadne/ariadne.space/build/16
Almost all of the interesting stuff is in [the `woodpecker.yml` file][wpcfg],
however, which does the following:
[wpcfg]: https://gitea.treehouse.systems/ariadne/ariadne.space/src/branch/main/.woodpecker.yml
* Builds an up to date Hugo image from scratch on every deploy using
apko.
* Builds the new site.
* Fetches the contents of the last announcement post (`newswire.txt`).
* Deploys the new site using an SSH key stored as a secret, and a pinned
known SSH key also stored as a secret. The latter is largely so I can
just update the secret if I change SSH keys on that host.
* Checks if the last announcement post is different than the new one,
and if so, sends off a post [to my Mastodon account][masto] using a
personal access token.
[masto]: https://social.treehouse.systems/@ariadne
The last point is the big deal (to me). While ultimately it was not
difficult to set up, my original reason for using WordPress was that it
could do this type of automation out of the box. Paying off the technical
debt of having to worry about WordPress being compromised has certainly
been worth it, however.
## Future improvements
There are some future improvements I would like to do. For example, I
would like to sign the Hugo image I create with `cosign`. The current
blocker on this is that Gitea does not support a configurable `audience`
setting on its OpenID Connect implementation. Once that is done, it
should be possible to start working towards allowing Gitea instances to
work as OpenID Connect identities for use with the Sigstore
infrastructure. This will be very powerful when combined with the
new OCI registry support introduced in Gitea 1.17!
I also have some opinions on Woodpecker and other self-hosted CI systems,
that I plan to go into more detail on in a near-future blog post.
Hopefully the above provides some inspiration to play with self-hosting
your own website, or perhaps playing with apko outside of the GitHub
ecosystem. Thanks to the [Gitea][gt] and [Woodpecker][wp] developers for
making software that is easy to deploy, as well.
[gt]: https://gitea.io/
[wp]: https://woodpecker-ci.org/