docs(deploy): document the repo-scoped deploy key + SSH alias flow
Generate a dedicated ed25519 deploy key on the server (private key stays put), register the public half read-only, and clone via a bifrost-portal-git SSH alias with IdentitiesOnly so it can't clash with the existing apps' keys.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent 01b7106a22
commit d27ab4c98b
1 changed file with 35 additions and 5 deletions
DEPLOY.md (40 lines changed)
@ -74,14 +74,42 @@ sudo install -d -o fenja -g fenja /opt/fenja/data/bifrost-portal/uploads
|
|||
sudo install -d -o fenja -g fenja /opt/fenja/data/bifrost-portal/backups
|
||||
```
|
||||
|
||||
## 3. Clone the repo
|
||||
## 3. Deploy key + clone
|
||||
|
||||
The `fenja` user needs read access to `git.fenja.ai` (a deploy key on its
|
||||
account, or your forwarded agent for the first clone):
|
||||
The `fenja` user needs read access to this repo on `git.fenja.ai`. Use a
|
||||
dedicated, repo-scoped **deploy key** generated on the server (private key never
|
||||
leaves the box) plus an SSH alias so it's used only for this repo.
|
||||
|
||||
```bash
|
||||
sudo -u fenja git clone ssh://git@git.fenja.ai:2222/joh/project-bifrost-platform.git \
|
||||
/opt/bifrost-portal
|
||||
# Generate the keypair (no passphrase — it's for unattended deploys)
|
||||
sudo -u fenja install -d -m 700 /home/fenja/.ssh
|
||||
sudo -u fenja ssh-keygen -t ed25519 -N "" \
|
||||
-f /home/fenja/.ssh/bifrost_portal_deploy \
|
||||
-C "bifrost-portal-deploy@$(hostname)"
|
||||
|
||||
# SSH alias so git uses THIS key only for the portal repo
|
||||
sudo -u fenja tee -a /home/fenja/.ssh/config >/dev/null <<'EOF'
|
||||
|
||||
Host bifrost-portal-git
|
||||
HostName git.fenja.ai
|
||||
Port 2222
|
||||
User git
|
||||
IdentityFile ~/.ssh/bifrost_portal_deploy
|
||||
IdentitiesOnly yes
|
||||
EOF
|
||||
sudo -u fenja chmod 600 /home/fenja/.ssh/config
|
||||
sudo -u fenja bash -c 'ssh-keyscan -p 2222 git.fenja.ai >> /home/fenja/.ssh/known_hosts 2>/dev/null'
|
||||
|
||||
# Print the PUBLIC key to register
|
||||
sudo -u fenja cat /home/fenja/.ssh/bifrost_portal_deploy.pub
|
||||
```
|
||||
|
||||
Upload that public key on `git.fenja.ai`: **Repo → Settings → Deploy Keys →
|
||||
Add Deploy Key**, read-only (leave write access off). Then test and clone:
|
||||
|
||||
```bash
|
||||
sudo -u fenja ssh -T bifrost-portal-git # expect a greeting, no password prompt
|
||||
sudo -u fenja git clone bifrost-portal-git:joh/project-bifrost-platform.git /opt/bifrost-portal
|
||||
```
|
||||
|
||||
> **Keep the git checkouts separate.** This portal (`project-bifrost-platform`)
|
||||
|
|
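Review bot: the `ssh-keyscan -p 2222 git.fenja.ai >> /home/fenja/.ssh/known_hosts 2>/dev/null` line in the new section 3 block pins whatever host key answers at that moment, and the redirect also hides a failed scan, so the doc should add a fingerprint check before the key is trusted. As written, a reader on a box whose first connection reaches the wrong host (bad DNS, a proxy, an interposed hop) pins that host's key and the following `sudo -u fenja ssh -T bifrost-portal-git` still "succeeds"; suggest scanning to a temp file first, e.g. `ssh-keyscan -p 2222 git.fenja.ai > /tmp/gitea.keys`, then `ssh-keygen -lf /tmp/gitea.keys` and comparing the printed fingerprint with the one published by the server admin before appending to `known_hosts`. Two smaller points in the same block: `tee -a` on `~/.ssh/config` and `ssh-keygen -f` with no guard are not idempotent, so running the section twice leaves a duplicate `Host bifrost-portal-git` stanza and prompts to overwrite the key; a one-line note that the section is meant to run once, or a `grep -q 'Host bifrost-portal-git' /home/fenja/.ssh/config ||` guard in front of the heredoc, would avoid that.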
@ -89,6 +117,8 @@ sudo -u fenja git clone ssh://git@git.fenja.ai:2222/joh/project-bifrost-platform
|
|||
> git projects with their own remotes. `/opt/bifrost-portal` is a self-contained
|
||||
> checkout — never nest it inside another app's tree, never point its remote at
|
||||
> theirs, and only ever run `scripts/deploy.sh` from inside `/opt/bifrost-portal`.
|
||||
> Cloning via the `bifrost-portal-git` alias makes `origin` resolve through the
|
||||
> dedicated deploy key, which `scripts/deploy.sh` uses transparently.
|
||||
|
||||
## 4. Environment file
|
||||
|
||||
|
|
|
|||
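Review bot: the new sentence stating that `origin` resolves through the dedicated deploy key holds only for a checkout created with the `bifrost-portal-git:joh/project-bifrost-platform.git` URL; an existing `/opt/bifrost-portal` cloned under the previous version of section 3 with `ssh://git@git.fenja.ai:2222/joh/project-bifrost-platform.git` (still visible in this hunk's header context) keeps using the default identity, and the `IdentitiesOnly` setting in the alias stanza never applies to it. Suggest adding a migration line for existing installs, e.g. `sudo -u fenja git -C /opt/bifrost-portal remote set-url origin bifrost-portal-git:joh/project-bifrost-platform.git`, followed by `sudo -u fenja git -C /opt/bifrost-portal fetch --dry-run` to confirm the alias is in use before `scripts/deploy.sh` is run again.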