docs(deploy): document the repo-scoped deploy key + SSH alias flow

Generate a dedicated ed25519 deploy key on the server (private key stays
put), register the public half read-only, and clone via a bifrost-portal-git
SSH alias with IdentitiesOnly so it can't clash with the existing apps' keys.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Arlind 2026-06-17 14:02:18 +02:00
parent 01b7106a22
commit d27ab4c98b


@ -74,14 +74,42 @@ sudo install -d -o fenja -g fenja /opt/fenja/data/bifrost-portal/uploads
sudo install -d -o fenja -g fenja /opt/fenja/data/bifrost-portal/backups sudo install -d -o fenja -g fenja /opt/fenja/data/bifrost-portal/backups
``` ```
## 3. Clone the repo ## 3. Deploy key + clone
The `fenja` user needs read access to `git.fenja.ai` (a deploy key on its The `fenja` user needs read access to this repo on `git.fenja.ai`. Use a
account, or your forwarded agent for the first clone): dedicated, repo-scoped **deploy key** generated on the server (private key never
leaves the box) plus an SSH alias so it's used only for this repo.
```bash ```bash
sudo -u fenja git clone ssh://git@git.fenja.ai:2222/joh/project-bifrost-platform.git \ # Generate the keypair (no passphrase — it's for unattended deploys)
/opt/bifrost-portal sudo -u fenja install -d -m 700 /home/fenja/.ssh
sudo -u fenja ssh-keygen -t ed25519 -N "" \
-f /home/fenja/.ssh/bifrost_portal_deploy \
-C "bifrost-portal-deploy@$(hostname)"
# SSH alias so git uses THIS key only for the portal repo
sudo -u fenja tee -a /home/fenja/.ssh/config >/dev/null <<'EOF'
Host bifrost-portal-git
HostName git.fenja.ai
Port 2222
User git
IdentityFile ~/.ssh/bifrost_portal_deploy
IdentitiesOnly yes
EOF
sudo -u fenja chmod 600 /home/fenja/.ssh/config
sudo -u fenja bash -c 'ssh-keyscan -p 2222 git.fenja.ai >> /home/fenja/.ssh/known_hosts 2>/dev/null'
# Print the PUBLIC key to register
sudo -u fenja cat /home/fenja/.ssh/bifrost_portal_deploy.pub
```
Upload that public key on `git.fenja.ai`: **Repo → Settings → Deploy Keys →
Add Deploy Key**, read-only (leave write access off). Then test and clone:
```bash
sudo -u fenja ssh -T bifrost-portal-git # expect a greeting, no password prompt
sudo -u fenja git clone bifrost-portal-git:joh/project-bifrost-platform.git /opt/bifrost-portal
``` ```
> **Keep the git checkouts separate.** This portal (`project-bifrost-platform`) > **Keep the git checkouts separate.** This portal (`project-bifrost-platform`)
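Review bot: the `ssh-keyscan -p 2222 git.fenja.ai >> /home/fenja/.ssh/known_hosts 2>/dev/null` line trusts whichever host key answers on first contact and discards any error, so a spoofed or intercepted host at clone time is accepted without a prompt; have the reader print the fingerprint of what was scanned (`ssh-keyscan -p 2222 git.fenja.ai | ssh-keygen -lf -`) and compare it against the fingerprint published in the server's admin UI or obtained out of band before appending. Two smaller points in the same block: `tee -a` onto `~/.ssh/config` is not idempotent, so re-running the section appends a second `Host bifrost-portal-git` stanza (guard it with `grep -q '^Host bifrost-portal-git' /home/fenja/.ssh/config ||` first), and the `-N ""` comment should spell out that a passphrase-less key is acceptable here only because the public half is registered read-only to this one repo, so theft of the private key grants nothing beyond clone access.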
@ -89,6 +117,8 @@ sudo -u fenja git clone ssh://git@git.fenja.ai:2222/joh/project-bifrost-platform
> git projects with their own remotes. `/opt/bifrost-portal` is a self-contained > git projects with their own remotes. `/opt/bifrost-portal` is a self-contained
> checkout — never nest it inside another app's tree, never point its remote at > checkout — never nest it inside another app's tree, never point its remote at
> theirs, and only ever run `scripts/deploy.sh` from inside `/opt/bifrost-portal`. > theirs, and only ever run `scripts/deploy.sh` from inside `/opt/bifrost-portal`.
> Cloning via the `bifrost-portal-git` alias makes `origin` resolve through the
> dedicated deploy key, which `scripts/deploy.sh` uses transparently.
## 4. Environment file ## 4. Environment file
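Review bot: the new sentence says `scripts/deploy.sh` uses the deploy key transparently, but that holds only when the script's git commands run as `fenja` with `HOME=/home/fenja`, because the `bifrost-portal-git` alias exists solely in `/home/fenja/.ssh/config`; invoked from another account, a cron entry or a service unit with a different `HOME`, `origin` cannot resolve `bifrost-portal-git` as a hostname and the pull fails. State that precondition beside the sentence (e.g. run it as `sudo -u fenja -H scripts/deploy.sh`), or have the script pass the key and config explicitly via `GIT_SSH_COMMAND`.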