From 0e052b001cb48a4d0290df178815347472468ef2 Mon Sep 17 00:00:00 2001 From: Thomas Reitz Date: Sun, 8 Mar 2026 10:34:01 +0100 Subject: [PATCH] chore: add CI/CD SSH key and update ACCESS.md with both keys - Generate separate Ed25519 key for Forgejo Actions CI/CD pipeline - Document both keys with clear purpose separation: deploy_ed25519 = server access (manual/Claude) cicd_ed25519 = automated deployments (Forgejo Actions) - Add key placement matrix (which key goes where) Co-Authored-By: Claude Opus 4.6 --- .keys/cicd_ed25519 | 7 ++++++ .keys/cicd_ed25519.pub | 1 + docs/ACCESS.md | 51 +++++++++++++++++++++++++++++++++--------- 3 files changed, 48 insertions(+), 11 deletions(-) create mode 100644 .keys/cicd_ed25519 create mode 100644 .keys/cicd_ed25519.pub diff --git a/.keys/cicd_ed25519 b/.keys/cicd_ed25519 new file mode 100644 index 0000000..250c361 --- /dev/null +++ b/.keys/cicd_ed25519 @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACDZT6PgLwzEzGQtBuPaPpLlPfP2gvOTfdEFN2vhWk46BgAAAKC7x6Lou8ei +6AAAAAtzc2gtZWQyNTUxOQAAACDZT6PgLwzEzGQtBuPaPpLlPfP2gvOTfdEFN2vhWk46Bg +AAAECBB/Q1ujr07L/3IwgTE3siUvM5fBLMO5iuw5eHkR1VctlPo+AvDMTMZC0G49o+kuU9 +8/aC85N90QU3a+FaTjoGAAAAF2luc2lnaHQtY2ljZEB4aW5pb24ubGFuAQIDBAUG +-----END OPENSSH PRIVATE KEY----- diff --git a/.keys/cicd_ed25519.pub b/.keys/cicd_ed25519.pub new file mode 100644 index 0000000..a628060 --- /dev/null +++ b/.keys/cicd_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINlPo+AvDMTMZC0G49o+kuU98/aC85N90QU3a+FaTjoG insight-cicd@xinion.lan diff --git a/docs/ACCESS.md b/docs/ACCESS.md index 69b8998..6de0010 100644 --- a/docs/ACCESS.md +++ b/docs/ACCESS.md 
@@ -20,21 +20,47 @@ --- -## 2. SSH Deployment Key +## 2. SSH Keys -Der Deployment Key liegt im Repository unter `.keys/`: +Alle Keys liegen im Repository unter `.keys/` (Repo ist nur intern verfuegbar). -| Datei | Beschreibung | -|------------------------------|-----------------------| -| `.keys/deploy_ed25519` | Private Key (Ed25519) | -| `.keys/deploy_ed25519.pub` | Public Key | +### 2.1 Deploy Key (Server-Zugriff) -### Public Key (zur Hinterlegung auf Servern) +Fuer den SSH-Zugriff auf den Entwicklungsserver `insight-dev-01`. + +| Datei | Beschreibung | +|------------------------------|---------------------------------| +| `.keys/deploy_ed25519` | Private Key (Server-Zugriff) | +| `.keys/deploy_ed25519.pub` | Public Key | + +**Public Key:** ``` ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuTpqzLyjqTIDMJ4bwEE4o2JeHH3imL+NeipeuBfiTo insight-deploy@xinion.lan ``` -### SSH-Verbindung zum Server +**Hinterlegen auf:** Server `insight-dev-01` in `/home/deploy/.ssh/authorized_keys` + +### 2.2 CI/CD Key (Forgejo Actions) + +Fuer automatisierte Deployments durch die Forgejo Actions CI/CD-Pipeline. +Die Pipeline nutzt diesen Key, um sich per SSH auf den Server zu verbinden +und Docker-Container zu aktualisieren. + +| Datei | Beschreibung | +|------------------------------|---------------------------------| +| `.keys/cicd_ed25519` | Private Key (CI/CD Pipeline) | +| `.keys/cicd_ed25519.pub` | Public Key | + +**Public Key:** +``` +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINlPo+AvDMTMZC0G49o+kuU98/aC85N90QU3a+FaTjoG insight-cicd@xinion.lan +``` + +**Hinterlegen auf:** +1. Server `insight-dev-01` in `/home/deploy/.ssh/authorized_keys` +2. Forgejo: Repository Settings > Secrets (als `SSH_DEPLOY_KEY` fuer Actions) + +### 2.3 SSH-Verbindung zum Server ```bash # Verbindung zum Entwicklungsserver: ssh -i .keys/deploy_ed25519 deploy@ 
@@ -48,9 +74,12 @@ Host insight-dev StrictHostKeyChecking accept-new ``` -### Wo der Public Key hinterlegt werden muss -1. **Entwicklungsserver (VM)**: `/home/deploy/.ssh/authorized_keys` -2. **Forgejo**: Repository Settings > Deploy Keys (fuer CI/CD) +### 2.4 Wo welcher Key hinterlegt werden muss + +| Key | Server `authorized_keys` | Forgejo Secrets | +|--------------|--------------------------|------------------------| +| deploy | Ja | Nein | +| cicd | Ja | Ja (`SSH_DEPLOY_KEY`) | ---
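Review bot: the hunk creating `.keys/cicd_ed25519` commits an unencrypted OpenSSH private key, which means anyone with read access to the repository (or to any clone, mirror or backup of it) can log in as `deploy` on `insight-dev-01`; the "Repo ist nur intern verfuegbar" note in ACCESS.md does not change that. Generate the key outside the working tree, keep the private half only in the Forgejo Actions secret and nowhere else, add `.keys/*` (excluding `*.pub`) to `.gitignore`, and treat this key as already exposed: once the commit has been pushed, rewriting history does not undo the disclosure, so the matching public key should be removed from `/home/deploy/.ssh/authorized_keys` and a fresh key issued before the pipeline goes live.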
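Review bot: the `.keys/cicd_ed25519.pub` hunk is the only part of `.keys/` that belongs in the repository, but the public key alone does not constrain what the pipeline can do once connected. Because ACCESS.md states this key exists solely so Actions can SSH in and update Docker containers, the `authorized_keys` line for it should carry restrictions such as `from=` (the Forgejo runner's address), `command=` (a fixed deploy script), and `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding`, so that a leaked or misused CI key cannot be turned into an interactive shell on `insight-dev-01`.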
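Review bot: in the `@@ -20,21 +20,47 @@` hunk, sections 2.1 and 2.2 both instruct placing the key in the same `/home/deploy/.ssh/authorized_keys`, so the "deploy" and "cicd" keys end up with identical privileges and the purpose separation claimed in the commit message exists only on paper. Either give the pipeline its own unprivileged account, or restrict the cicd entry in `authorized_keys` as noted above, and say so in the doc. Two smaller points: the sentence `Alle Keys liegen im Repository unter .keys/` documents storing private keys in git as the intended design and should instead state that only `*.pub` files live in the repo; and registering the cicd key in Forgejo under the name `SSH_DEPLOY_KEY` while the other key is called the "deploy" key invites mix-ups, so a name like `SSH_CICD_KEY` would match the file names and the matrix in 2.4.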
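Review bot: the `@@ -48,9 +74,12 @@` hunk drops the line `2. **Forgejo**: Repository Settings > Deploy Keys (fuer CI/CD)` and replaces it with a matrix whose Forgejo column only covers Secrets. If `deploy_ed25519.pub` was previously registered as a Forgejo Deploy Key following the old instructions, that registration still grants the deploy key repository access, contradicting the `Nein` in the new matrix; the doc should include a step to remove the stale Deploy Key (or a `Forgejo Deploy Keys` column showing `Nein` for both). It would also help to add a column for where the private key is stored, with "Forgejo Secret only" for cicd and "operator workstation only" for deploy, so the matrix itself rules out keeping private keys under `.keys/`.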