Update deploy workflow for private repo with deploy keys
Deploy to LXC / deploy (push) Successful in 19s

Two SSH keys needed:
- DEPLOY_KEY: CI runner → LXC server (SSH access)
- REPO_DEPLOY_KEY: LXC server → Gitea repo (git pull access)

Workflow writes the repo deploy key to ~/.ssh on the server and
configures SSH to use it for git.b4l.co.th. Handles first deploy
(clone) and subsequent deploys (pull) automatically.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 16:26:04 +07:00
parent 12a6e9ef0b
commit c12f727734
2 changed files with 68 additions and 10 deletions
+25 -1
@@ -18,10 +18,34 @@ jobs:
script: | script: |
set -e set -e
cd ${{ secrets.DEPLOY_PATH || '/home/bflr/buildfor_life_repair' }} APP_DIR="${{ secrets.DEPLOY_PATH || '/home/bflr/buildfor_life_repair' }}"
# Set up deploy key for private repo access
mkdir -p ~/.ssh
echo "${{ secrets.REPO_DEPLOY_KEY }}" > ~/.ssh/repo_deploy_key
chmod 600 ~/.ssh/repo_deploy_key
# Configure SSH to use deploy key for git.b4l.co.th
if ! grep -q "git.b4l.co.th" ~/.ssh/config 2>/dev/null; then
cat >> ~/.ssh/config <<EOF
Host git.b4l.co.th
HostName git.b4l.co.th
IdentityFile ~/.ssh/repo_deploy_key
StrictHostKeyChecking accept-new
EOF
chmod 600 ~/.ssh/config
fi
# Clone if first deploy, otherwise pull
if [ ! -d "$APP_DIR" ]; then
echo "==> First deploy, cloning..."
git clone git@git.b4l.co.th:B4L/buildfor_life_repair.git "$APP_DIR"
cd "$APP_DIR"
else
cd "$APP_DIR"
echo "==> Pulling latest code..." echo "==> Pulling latest code..."
git pull origin main git pull origin main
fi
echo "==> Installing dependencies..." echo "==> Installing dependencies..."
npm ci --production=false npm ci --production=false
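Review bot: the private key is written before its mode is restricted: `echo "${{ secrets.REPO_DEPLOY_KEY }}" > ~/.ssh/repo_deploy_key` creates the file under the login shell's default umask (commonly 022, giving mode 644) and only the following `chmod 600` narrows it, and `mkdir -p ~/.ssh` never sets the directory to 700. Create the file with the right mode from the start, e.g. `install -m 600 /dev/null ~/.ssh/repo_deploy_key` and then `printf '%s\n' "${{ secrets.REPO_DEPLOY_KEY }}" > ~/.ssh/repo_deploy_key` (or wrap the write in `(umask 077; ...)`), and add `chmod 700 ~/.ssh` after the mkdir. One further point: `StrictHostKeyChecking accept-new` trusts whatever host key git.b4l.co.th presents on the first connection from this server, so consider seeding `~/.ssh/known_hosts` with the known fingerprint during provisioning instead of relying on first-use trust.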
+41 -7
@@ -14,20 +14,34 @@ chmod 440 /etc/sudoers.d/bflr-deploy
Make sure the repo is cloned and the app works manually first (see `docs/deploy-proxmox-lxc.md`). Make sure the repo is cloned and the app works manually first (see `docs/deploy-proxmox-lxc.md`).
## 2. Generate a deploy SSH key ## 2. Generate SSH keys
On your local machine (or the Gitea runner): You need **two** SSH key pairs:
### a) Deploy key (CI runner → LXC server)
This lets the CI runner SSH into your server:
```bash ```bash
ssh-keygen -t ed25519 -C "gitea-deploy" -f deploy_key -N "" ssh-keygen -t ed25519 -C "ci-to-server" -f ci_deploy_key -N ""
``` ```
Copy the **public** key to the server: Copy the **public** key to the server:
```bash ```bash
ssh-copy-id -i deploy_key.pub bflr@your-lxc-ip ssh-copy-id -i ci_deploy_key.pub bflr@your-lxc-ip
``` ```
### b) Repo deploy key (LXC server → private Gitea repo)
This lets the server `git pull` from the private repo:
```bash
ssh-keygen -t ed25519 -C "server-to-repo" -f repo_deploy_key -N ""
```
Add the **public** key in Gitea: repo → **Settings****Deploy Keys****Add Deploy Key**, paste `repo_deploy_key.pub`.
## 3. Add secrets in Gitea ## 3. Add secrets in Gitea
Go to your repo on git.b4l.co.th → **Settings****Actions****Secrets**, and add: Go to your repo on git.b4l.co.th → **Settings****Actions****Secrets**, and add:
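Review bot: the step that adds `repo_deploy_key.pub` under **Deploy Keys** should say the key is to be added read-only, without write access, since the server only needs `git clone`/`git pull`; as written a reader may grant write access, which would let a compromised server push to the repo. Also, both `ssh-keygen ... -N ""` commands produce unencrypted private keys, which is acceptable here only because the files are immediately turned into Gitea secrets; a sentence telling the reader to delete the local `ci_deploy_key` and `repo_deploy_key` files once the secrets are stored would close that loop.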
@@ -36,10 +50,30 @@ Go to your repo on git.b4l.co.th → **Settings** → **Actions** → **Secrets*
|--------|-------| |--------|-------|
| `DEPLOY_HOST` | LXC server IP (e.g. `192.168.1.50`) | | `DEPLOY_HOST` | LXC server IP (e.g. `192.168.1.50`) |
| `DEPLOY_USER` | SSH user (e.g. `bflr`) | | `DEPLOY_USER` | SSH user (e.g. `bflr`) |
| `DEPLOY_KEY` | Contents of `deploy_key` (the private key, not .pub) | | `DEPLOY_KEY` | Contents of `ci_deploy_key` (private key — CI runner → server) |
| `REPO_DEPLOY_KEY` | Contents of `repo_deploy_key` (private key — server → Gitea repo) |
| `DEPLOY_PORT` | SSH port (optional, defaults to 22) | | `DEPLOY_PORT` | SSH port (optional, defaults to 22) |
| `DEPLOY_PATH` | App directory (optional, defaults to `/home/bflr/buildfor_life_repair`) | | `DEPLOY_PATH` | App directory (optional, defaults to `/home/bflr/buildfor_life_repair`) |
### First clone on the server
If you haven't cloned the repo yet, the workflow will do it automatically on the first run. Or clone manually:
```bash
# On the server as bflr user, set up the deploy key first
mkdir -p ~/.ssh
cp repo_deploy_key ~/.ssh/repo_deploy_key
chmod 600 ~/.ssh/repo_deploy_key
cat >> ~/.ssh/config <<EOF
Host git.b4l.co.th
HostName git.b4l.co.th
IdentityFile ~/.ssh/repo_deploy_key
StrictHostKeyChecking accept-new
EOF
git clone git@git.b4l.co.th:B4L/buildfor_life_repair.git
```
## 4. Enable Actions in Gitea ## 4. Enable Actions in Gitea
Make sure Gitea Actions is enabled on your instance: Make sure Gitea Actions is enabled on your instance:
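Review bot: the manual snippet under "First clone on the server" is less careful than the workflow it mirrors: `cat >> ~/.ssh/config <<EOF` appends the `Host git.b4l.co.th` block unconditionally (the workflow guards it with `grep -q`), so running the steps twice produces duplicate entries, and `mkdir -p ~/.ssh` / `cp repo_deploy_key ~/.ssh/repo_deploy_key` leave the directory at its default mode and copy the key before the `chmod 600`. Reuse the workflow's `if ! grep -q "git.b4l.co.th" ~/.ssh/config 2>/dev/null; then` guard, add `chmod 700 ~/.ssh`, and copy with `install -m 600 repo_deploy_key ~/.ssh/repo_deploy_key` so the mode is set in the same step as the copy. It would also help to state next to the `REPO_DEPLOY_KEY` table row that the workflow rewrites the key file on every run, so rotating the key only requires updating the Gitea secret.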
@@ -71,8 +105,8 @@ Push any change to `main` and check the Actions tab in Gitea for the deploy log.
## What the workflow does ## What the workflow does
1. SSHs into the LXC server 1. SSHs into the LXC server
2. `git pull` the latest code 2. Installs the repo deploy key for private repo access
3. `npm ci` to install dependencies 3. `git pull` the latest code (or `git clone` on first deploy)
4. `npm run build` to compile 4. `npm run build` to compile
5. `npm run db:push` to apply any schema changes 5. `npm run db:push` to apply any schema changes
6. `sudo systemctl restart bflr` to restart the service 6. `sudo systemctl restart bflr` to restart the service
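Review bot: the rewritten step list drops `npm ci` even though the workflow still runs `npm ci --production=false` after the pull (unchanged context at the end of the workflow hunk), so the documentation no longer matches what actually runs. Suggest a seven-step list: keep "2. Installs the repo deploy key for private repo access" and "3. `git pull` the latest code (or `git clone` on first deploy)", reinsert "4. `npm ci` to install dependencies", and renumber build, `db:push` and restart as 5 to 7.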