# Gitea Secrets Setup Guide for CT109 Deployment

**Date:** November 14, 2025

## ⚠️ Prerequisites - CT109 SSH Access Setup Required

### Issues Identified:

1. **Port 21 Connection Refused** - Port 21 is FTP, not SSH
2. **SSH Key Not Authorized** - The `silverlabs` key is not authorized on CT109

### Before Adding Secrets, Fix SSH Access:

#### Option A: Add SSH Key to CT109

```bash
# Copy the public key to CT109
ssh-copy-id -i ~/.ssh/silverlabs.pub sysadmin@10.0.0.51

# Or manually add it:
cat ~/.ssh/silverlabs.pub | ssh sysadmin@10.0.0.51 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
```

#### Option B: Generate New Deployment Key

```bash
# Generate a new SSH key specifically for CI/CD
ssh-keygen -t ed25519 -C "gitea-actions-ct109" -f ~/.ssh/littleshop_ct109_key

# Copy to CT109
ssh-copy-id -i ~/.ssh/littleshop_ct109_key.pub sysadmin@10.0.0.51

# Test connection
ssh -i ~/.ssh/littleshop_ct109_key sysadmin@10.0.0.51 "echo 'Success!' && docker --version"
```

#### Verify Correct SSH Port

```bash
# Test different ports
ssh -p 22 sysadmin@10.0.0.51     # Standard SSH port
ssh -p 2222 sysadmin@10.0.0.51   # Common alternative
ssh -p 22000 sysadmin@10.0.0.51  # Another common alternative

# Or check from Proxmox:
pct enter 109
ss -tlnp | grep ssh  # This will show the actual SSH port
```

---

## 📋 Gitea Secrets Configuration

Once SSH access is working, add these secrets to Gitea.

### Method 1: Via Gitea Web UI (Recommended)

#### Step 1: Navigate to Repository Settings

1. Go to: `https://git.silverlabs.uk/Jamie/littleshop`
2. Click **Settings** (gear icon)
3. Click **Secrets** in the left sidebar

#### Step 2: Add Secrets

Click **Add Secret** for each of the following:

**Secret 1: CT109_HOST**

```
Name: CT109_HOST
Value: 10.0.0.51
```

**Secret 2: CT109_SSH_PORT**

```
Name: CT109_SSH_PORT
Value: 22
```

*(Adjust this value based on the actual SSH port you verified above)*

**Secret 3: CT109_USER**

```
Name: CT109_USER
Value: sysadmin
```

**Secret 4: CT109_SSH_KEY**

```
Name: CT109_SSH_KEY
Value: <contents of the private key file, see below>
```

To get the private key content:

```bash
# If using existing silverlabs key:
cat ~/.ssh/silverlabs

# If you generated a new key:
cat ~/.ssh/littleshop_ct109_key
```

Copy the entire output including:

- `-----BEGIN OPENSSH PRIVATE KEY-----`
- All the encoded content
- `-----END OPENSSH PRIVATE KEY-----`

---

### Method 2: Via Gitea API (Advanced)

The Gitea endpoint that creates or updates a repository secret is `PUT /api/v1/repos/{owner}/{repo}/actions/secrets/{secretname}`; the key body is JSON-encoded with `jq` so the multi-line private key survives intact.

```bash
# Set variables
GITEA_URL="https://git.silverlabs.uk"
GITEA_TOKEN="70ec152b27ee12d8a2cfb7241df5735351df72cd"
REPO_OWNER="Jamie"
REPO_NAME="littleshop"

# Read SSH key into variable
SSH_KEY=$(cat ~/.ssh/silverlabs)

# Add CT109_HOST
curl -X PUT "$GITEA_URL/api/v1/repos/$REPO_OWNER/$REPO_NAME/actions/secrets/CT109_HOST" \
  -H "Authorization: token $GITEA_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"data": "10.0.0.51"}'

# Add CT109_SSH_PORT
curl -X PUT "$GITEA_URL/api/v1/repos/$REPO_OWNER/$REPO_NAME/actions/secrets/CT109_SSH_PORT" \
  -H "Authorization: token $GITEA_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"data": "22"}'

# Add CT109_USER
curl -X PUT "$GITEA_URL/api/v1/repos/$REPO_OWNER/$REPO_NAME/actions/secrets/CT109_USER" \
  -H "Authorization: token $GITEA_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"data": "root"}'

# Add CT109_SSH_KEY (jq -Rs turns the raw multi-line key into one JSON string)
curl -X PUT "$GITEA_URL/api/v1/repos/$REPO_OWNER/$REPO_NAME/actions/secrets/CT109_SSH_KEY" \
  -H "Authorization: token $GITEA_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"data\": $(jq -Rs . <<< "$SSH_KEY")}"
```

---

## 🔧 CT109 Docker Container Setup

Ensure CT109 has Docker installed and configured:

```bash
# SSH into CT109
ssh sysadmin@10.0.0.51

# Install Docker (if not already installed)
apt update
apt install -y docker.io docker-compose

# Enable and start Docker
systemctl enable docker
systemctl start docker

# Verify Docker is working
docker --version
docker ps

# Create deployment directory
mkdir -p /opt/littleshop
cd /opt/littleshop

# Test Docker can run
docker run --rm hello-world
```

### Enable Docker in Proxmox LXC Container

If Docker isn't working in CT109, enable nesting on the Proxmox host:

```bash
# On Proxmox host (not inside CT109)
pct set 109 -features nesting=1,keyctl=1
pct stop 109
pct start 109
```

---

## ✅ Verification Steps

### 1. Test SSH Connection from Gitea Actions

Create a test workflow to verify secrets are working:

```yaml
# .gitea/workflows/test-secrets.yml
name: Test CT109 Connection

on:
  workflow_dispatch:

jobs:
  test-connection:
    runs-on: ubuntu-latest
    steps:
      - name: Test SSH Connection
        run: |
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          echo "${{ secrets.CT109_SSH_KEY }}" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          ssh -i ~/.ssh/deploy_key \
            -p ${{ secrets.CT109_SSH_PORT }} \
            -o StrictHostKeyChecking=no \
            ${{ secrets.CT109_USER }}@${{ secrets.CT109_HOST }} \
            "echo 'Connection successful!' && docker --version"
          rm ~/.ssh/deploy_key
```

Run this workflow manually to test the connection. Note that `-o StrictHostKeyChecking=no` disables host key verification, so this test cannot tell CT109 apart from a host impersonating it; for the real deployment workflow, put CT109's host key into the runner's `~/.ssh/known_hosts` instead.

### 2. Verify All Secrets Are Set

In Gitea UI, navigate to: `https://git.silverlabs.uk/Jamie/littleshop/settings/secrets`

You should see all 4 secrets listed:

- ✅ CT109_HOST
- ✅ CT109_SSH_PORT
- ✅ CT109_USER
- ✅ CT109_SSH_KEY

### 3. Test Full Deployment

Once secrets are verified:

```bash
# Push to development branch
git checkout development
git add .
git commit -m "test: Verify CT109 deployment"
git push origin development
```

Watch the deployment in Gitea Actions: `https://git.silverlabs.uk/Jamie/littleshop/actions`

---

## 🔍 Troubleshooting

### Issue: "Permission denied (publickey)"

**Solution:** SSH key not authorized on CT109

```bash
# Add your SSH public key to CT109
ssh-copy-id -i ~/.ssh/silverlabs.pub sysadmin@10.0.0.51

# Or manually:
ssh sysadmin@10.0.0.51
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
```

### Issue: "Connection refused" on port 21

**Solution:** Port 21 is FTP, not SSH. Find the correct SSH port:

```bash
# Check from Proxmox host
pct exec 109 -- ss -tlnp | grep ssh

# Or try common SSH ports
ssh -p 22 sysadmin@10.0.0.51     # Standard
ssh -p 2222 sysadmin@10.0.0.51   # Alternative
ssh -p 22000 sysadmin@10.0.0.51  # Another common port
```

### Issue: "docker: command not found" in CT109

**Solution:** Install Docker in the container

```bash
ssh sysadmin@10.0.0.51
apt update
apt install -y docker.io
systemctl enable --now docker
```

### Issue: Docker not starting - "Cannot connect to daemon"

**Solution:** Enable nesting in Proxmox

```bash
# On Proxmox host
pct set 109 -features nesting=1,keyctl=1
pct stop 109
pct start 109
```

### Issue: Secrets not visible in Gitea Actions

**Solution:** Ensure repository exists and Actions are enabled

```bash
# Create repository first (if needed)
# Via Gitea UI: New Repository → "littleshop"
# Or push to create:
git push -u origin development
```

---

## 📝 Summary

**Before secrets can be added:**

1. ✅ Fix SSH access to CT109
2. ✅ Verify correct SSH port
3. ✅ Ensure Docker is installed in CT109
4. ✅ Create littleshop repository in Gitea (if not exists)

**Then add secrets via Gitea UI:**

- CT109_HOST: `10.0.0.51`
- CT109_SSH_PORT: `22` (or actual port)
- CT109_USER: `root`
- CT109_SSH_KEY: (full private key contents)

**Finally test deployment:**

```bash
git push origin development
```

---

## 🔐 Security Best Practices

1. **Use dedicated deployment key** instead of your personal SSH key
2. **Restrict key permissions** on CT109:
   ```bash
   # In CT109's /root/.ssh/authorized_keys, prefix the key with:
   command="docker ps",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA...
   ```
3. **Rotate keys regularly** - regenerate deployment keys every 90 days
4. **Monitor deployment logs** in Gitea Actions for suspicious activity
5. **Use separate keys** for each environment (development, staging, production)

---

**Next Steps:** Fix SSH access to CT109, then add secrets via Gitea UI! 🚀
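A stricter form of the `command=` restriction from Security Best Practice 2, added here as an example and not part of the original guide: rather than pinning the deploy key to the single command `docker ps`, a wrapper script dispatches on the `SSH_ORIGINAL_COMMAND` that sshd sets, permits only the handful of deployment commands the workflow needs, and logs and refuses everything else. The wrapper path `/usr/local/bin/deploy-wrapper.sh` and the compose file name under `/opt/littleshop` are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for the CT109 deploy key (added example, not part of
# the original guide). Assumed install path on CT109: /usr/local/bin/deploy-wrapper.sh,
# referenced from the key's authorized_keys line as:
#   command="/usr/local/bin/deploy-wrapper.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA...
# sshd ignores whatever the client asked to run and executes this script instead,
# passing the requested command in SSH_ORIGINAL_COMMAND.

DEPLOY_DIR="/opt/littleshop"   # deployment directory from the guide

# allow_command CMD -> 0 if CMD is exactly one of the permitted strings, 1 otherwise.
# Exact matching (no globs, no prefix matching) means extra flags or chained
# commands never slip through.
allow_command() {
    case "$1" in
        "docker --version") return 0 ;;
        "docker ps") return 0 ;;
        "docker compose -f $DEPLOY_DIR/docker-compose.yml pull") return 0 ;;
        "docker compose -f $DEPLOY_DIR/docker-compose.yml up -d") return 0 ;;
        *) return 1 ;;
    esac
}

# run_deploy_command CMD -> runs CMD when allowed; otherwise logs the attempt
# (with the client address sshd puts in SSH_CLIENT) and returns 126.
run_deploy_command() {
    cmd="$1"
    if allow_command "$cmd"; then
        logger -t deploy-wrapper "allowed: $cmd" 2>/dev/null || :
        # $cmd is one of the fixed strings above, so eval runs only known text
        eval "$cmd"
    else
        logger -t deploy-wrapper "REFUSED from ${SSH_CLIENT%% *}: $cmd" 2>/dev/null || :
        echo "deploy-wrapper: command not permitted" >&2
        return 126
    fi
}

# Dispatch only when invoked by sshd (SSH_ORIGINAL_COMMAND set); sourcing the
# file elsewhere just defines the functions without running anything.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_deploy_command "$SSH_ORIGINAL_COMMAND"
fi
```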