From c12f7277344665bf7019638a90d47d6588256508 Mon Sep 17 00:00:00 2001 From: grabowski Date: Tue, 7 Apr 2026 16:26:04 +0700 Subject: [PATCH] Update deploy workflow for private repo with deploy keys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two SSH keys needed: - DEPLOY_KEY: CI runner → LXC server (SSH access) - REPO_DEPLOY_KEY: LXC server → Gitea repo (git pull access) Workflow writes the repo deploy key to ~/.ssh on the server and configures SSH to use it for git.b4l.co.th. Handles first deploy (clone) and subsequent deploys (pull) automatically. Co-Authored-By: Claude Opus 4.6 (1M context) --- .gitea/workflows/deploy.yml | 30 ++++++++++++++++++++--- docs/ci-deploy-setup.md | 48 +++++++++++++++++++++++++++++++------ 2 files changed, 68 insertions(+), 10 deletions(-) diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index 601b805..bd002d3 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -18,10 +18,34 @@ jobs: script: | set -e - cd ${{ secrets.DEPLOY_PATH || '/home/bflr/buildfor_life_repair' }} + APP_DIR="${{ secrets.DEPLOY_PATH || '/home/bflr/buildfor_life_repair' }}" - echo "==> Pulling latest code..." - git pull origin main + # Set up deploy key for private repo access + mkdir -p ~/.ssh + echo "${{ secrets.REPO_DEPLOY_KEY }}" > ~/.ssh/repo_deploy_key + chmod 600 ~/.ssh/repo_deploy_key + + # Configure SSH to use deploy key for git.b4l.co.th + if ! grep -q "git.b4l.co.th" ~/.ssh/config 2>/dev/null; then + cat >> ~/.ssh/config < First deploy, cloning..." + git clone git@git.b4l.co.th:B4L/buildfor_life_repair.git "$APP_DIR" + cd "$APP_DIR" + else + cd "$APP_DIR" + echo "==> Pulling latest code..." + git pull origin main + fi echo "==> Installing dependencies..." npm ci --production=false diff --git a/docs/ci-deploy-setup.md b/docs/ci-deploy-setup.md index fb00d7a..0179b62 100644 --- a/docs/ci-deploy-setup.md +++ b/docs/ci-deploy-setup.md 
@@ -14,20 +14,34 @@ chmod 440 /etc/sudoers.d/bflr-deploy Make sure the repo is cloned and the app works manually first (see `docs/deploy-proxmox-lxc.md`). -## 2. Generate a deploy SSH key +## 2. Generate SSH keys -On your local machine (or the Gitea runner): +You need **two** SSH key pairs: + +### a) Deploy key (CI runner → LXC server) + +This lets the CI runner SSH into your server: ```bash -ssh-keygen -t ed25519 -C "gitea-deploy" -f deploy_key -N "" +ssh-keygen -t ed25519 -C "ci-to-server" -f ci_deploy_key -N "" ``` Copy the **public** key to the server: ```bash -ssh-copy-id -i deploy_key.pub bflr@your-lxc-ip +ssh-copy-id -i ci_deploy_key.pub bflr@your-lxc-ip ``` +### b) Repo deploy key (LXC server → private Gitea repo) + +This lets the server `git pull` from the private repo: + +```bash +ssh-keygen -t ed25519 -C "server-to-repo" -f repo_deploy_key -N "" +``` + +Add the **public** key in Gitea: repo → **Settings** → **Deploy Keys** → **Add Deploy Key**, paste `repo_deploy_key.pub`. + ## 3. Add secrets in Gitea Go to your repo on git.b4l.co.th → **Settings** → **Actions** → **Secrets**, and add: 
@@ -36,10 +50,30 @@ Go to your repo on git.b4l.co.th → **Settings** → **Actions** → **Secrets* |--------|-------| | `DEPLOY_HOST` | LXC server IP (e.g. `192.168.1.50`) | | `DEPLOY_USER` | SSH user (e.g. `bflr`) | -| `DEPLOY_KEY` | Contents of `deploy_key` (the private key, not .pub) | +| `DEPLOY_KEY` | Contents of `ci_deploy_key` (private key — CI runner → server) | +| `REPO_DEPLOY_KEY` | Contents of `repo_deploy_key` (private key — server → Gitea repo) | | `DEPLOY_PORT` | SSH port (optional, defaults to 22) | | `DEPLOY_PATH` | App directory (optional, defaults to `/home/bflr/buildfor_life_repair`) | +### First clone on the server + +If you haven't cloned the repo yet, the workflow will do it automatically on the first run. Or clone manually: + +```bash +# On the server as bflr user, set up the deploy key first +mkdir -p ~/.ssh +cp repo_deploy_key ~/.ssh/repo_deploy_key +chmod 600 ~/.ssh/repo_deploy_key +cat >> ~/.ssh/config <
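Review bot: In the deploy.yml hunk, the private key is written with `echo "${{ secrets.REPO_DEPLOY_KEY }}" > ~/.ssh/repo_deploy_key` before the `chmod 600`, so the file is created under the login shell's default umask and is briefly readable by other users on the server; write it under a restrictive umask instead, e.g. `(umask 077; printf '%s\n' "${{ secrets.REPO_DEPLOY_KEY }}" > ~/.ssh/repo_deploy_key)`. Two follow-ups on the same block: the `if ! grep -q "git.b4l.co.th" ~/.ssh/config` guard only checks for the hostname, so once any entry for that host exists the workflow never updates it again (a renamed key file or changed options will silently not take effect), and the heredoc body is cut off in this view, so please confirm it sets `IdentityFile ~/.ssh/repo_deploy_key` and `IdentitiesOnly yes` and that the server's `known_hosts` already contains git.b4l.co.th, otherwise the `git clone` on first deploy will stall on host key verification.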
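Review bot: The new "b) Repo deploy key" section in the first docs hunk should state that the key only needs read access: when adding it under **Settings** → **Deploy Keys**, leave the write-access option unchecked, since the server only ever runs `git clone`/`git pull` with it. It would also help to add one sentence on key handling, as this private key now lives both in the Gitea secret `REPO_DEPLOY_KEY` and on the server's disk: delete the local `repo_deploy_key` file after pasting it into the secret, and note that rotating it means updating the secret and removing the old deploy key in Gitea.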
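Review bot: The "First clone on the server" section in the second docs hunk duplicates what the workflow does (`cp repo_deploy_key ~/.ssh/repo_deploy_key` plus a `cat >> ~/.ssh/config` entry), and because the workflow's config step is skipped whenever `~/.ssh/config` already mentions git.b4l.co.th, a manually written entry (for example with a different `IdentityFile` name) wins on every later run; say so in the doc so the manual entry is kept identical to the workflow's, or drop the manual config step and keep only the key copy. Also worth noting next to the `DEPLOY_PATH` row: the workflow's clone URL `git@git.b4l.co.th:B4L/buildfor_life_repair.git` is hardcoded while the target directory is configurable, so a manual clone must land in the same directory the secret points to.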