littleshop/GITEA_SECRETS_SETUP_GUIDE.md
SysAdmin 47e43d4ff8 ci: Migrate from GitLab CI/CD to Gitea Actions with CT109 pre-production
**Migration Complete:**
- Removed GitLab CI/CD configuration (.gitlab-ci.yml)
- Created Gitea Actions workflows (.gitea/workflows/)
- Disabled automatic production deployment (manual only)
- Added pre-production deployment to CT109 Docker container

**New Workflows:**
- build-and-deploy.yml: Main CI/CD pipeline with CT109 deployment
- rollback.yml: Manual rollback capability
- README.md: Comprehensive workflow documentation

**Pre-Production Environment (CT109):**
- Host: 10.0.0.51
- User: sysadmin
- Port: 22
- Deploys on push to development/main branches
- Access URL: http://ct109.local:5100

**Documentation:**
- CI_CD_MIGRATION_GITEA.md: Complete migration guide
- CI_CD_CT109_PREPRODUCTION.md: CT109 deployment architecture
- GITEA_SECRETS_SETUP_GUIDE.md: Secrets configuration instructions

**Git Remote Updated:**
- Migrated from GitLab (gitlab.silverlabs.uk) to Gitea (git.silverlabs.uk)
- Using token authentication for push/pull operations

**Next Steps:**
1. Push code to Gitea to create repository
2. Add CT109 secrets via Gitea UI (CT109_HOST, CT109_SSH_PORT, CT109_USER, CT109_SSH_KEY)
3. Test pre-production deployment workflow

🚀 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-14 19:10:14 +00:00


# Gitea Secrets Setup Guide for CT109 Deployment
**Date:** November 14, 2025
## ⚠️ Prerequisites - CT109 SSH Access Setup Required
### Issues Identified:
1. **Port 21 Connection Refused** - Port 21 is FTP, not SSH
2. **SSH Key Not Authorized** - The `silverlabs` key is not authorized on CT109
### Before Adding Secrets, Fix SSH Access:
#### Option A: Add SSH Key to CT109
```bash
# Copy the public key to CT109 (ssh-copy-id also fixes ~/.ssh permissions)
ssh-copy-id -i ~/.ssh/silverlabs.pub sysadmin@10.0.0.51
# Or manually add it; sshd refuses keys in a group/world-writable ~/.ssh or authorized_keys
cat ~/.ssh/silverlabs.pub | ssh sysadmin@10.0.0.51 \
  "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
```
#### Option B: Generate New Deployment Key
```bash
# Generate a new SSH key specifically for CI/CD.
# No passphrase (-N ""): the runner writes the key to disk and uses it non-interactively,
# so a passphrase would only make the workflow hang. Restrict the key on CT109 instead
# (see Security Best Practices).
ssh-keygen -t ed25519 -N "" -C "gitea-actions-ct109" -f ~/.ssh/littleshop_ct109_key
# Copy to CT109
ssh-copy-id -i ~/.ssh/littleshop_ct109_key.pub sysadmin@10.0.0.51
# Test connection with only this key (IdentitiesOnly stops ssh from trying your other keys first)
ssh -i ~/.ssh/littleshop_ct109_key -o IdentitiesOnly=yes sysadmin@10.0.0.51 "echo 'Success!' && docker --version"
```
#### Verify Correct SSH Port
```bash
# Test different ports
ssh -p 22 sysadmin@10.0.0.51 # Standard SSH port
ssh -p 2222 sysadmin@10.0.0.51 # Common alternative
ssh -p 22000 sysadmin@10.0.0.51 # Another common alternative
# Or check from Proxmox:
pct enter 109
ss -tlnp | grep ssh
# This will show the actual SSH port
```
---
## 📋 Gitea Secrets Configuration
Once SSH access is working, add these secrets to Gitea.
### Method 1: Via Gitea Web UI (Recommended)
#### Step 1: Navigate to Repository Settings
1. Go to: `https://git.silverlabs.uk/Jamie/littleshop`
2. Click **Settings** (gear icon)
3. Click **Actions**, then **Secrets**, in the left sidebar (repository-level Actions secrets live under the Actions settings page)
#### Step 2: Add Secrets
Click **Add Secret** for each of the following:
**Secret 1: CT109_HOST**
```
Name: CT109_HOST
Value: 10.0.0.51
```
**Secret 2: CT109_SSH_PORT**
```
Name: CT109_SSH_PORT
Value: 22
```
*(Adjust this value based on the actual SSH port you verified above)*
**Secret 3: CT109_USER**
```
Name: CT109_USER
Value: sysadmin
```
**Secret 4: CT109_SSH_KEY**
```
Name: CT109_SSH_KEY
Value: <paste the entire private key here>
```
To get the private key content:
```bash
# If using existing silverlabs key:
cat ~/.ssh/silverlabs
# If you generated a new key:
cat ~/.ssh/littleshop_ct109_key
```
Copy the entire output including:
- `-----BEGIN OPENSSH PRIVATE KEY-----`
- All the encoded content
- `-----END OPENSSH PRIVATE KEY-----`
---
### Method 2: Via Gitea API (Advanced)
Gitea creates or updates a repository Actions secret with `PUT /api/v1/repos/{owner}/{repo}/actions/secrets/{secretname}` and a JSON body of `{"data": "<value>"}`. The API token must never be written into this file or anything else that is committed: export it in your shell session (or pull it from a password manager) and let the script read it from the environment.
```bash
# Set variables. GITEA_TOKEN comes from the environment, never from the repository.
GITEA_URL="https://git.silverlabs.uk"
GITEA_TOKEN="${GITEA_TOKEN:?export GITEA_TOKEN first; do not hard-code it}"
REPO_OWNER="Jamie"
REPO_NAME="littleshop"
SECRETS_API="$GITEA_URL/api/v1/repos/$REPO_OWNER/$REPO_NAME/actions/secrets"
# put_secret NAME VALUE: create or update one secret.
# jq -Rs turns the value (including a multi-line private key) into one JSON string,
# so newlines and quotes are escaped correctly; -f makes curl fail on 4xx/5xx
# instead of silently printing an error page.
put_secret() {
  curl -sSf -X PUT "$SECRETS_API/$1" \
    -H "Authorization: token $GITEA_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"data\": $(jq -Rs . <<< "$2")}"
}
put_secret CT109_HOST "10.0.0.51"
put_secret CT109_SSH_PORT "22"
put_secret CT109_USER "sysadmin"
# Private key: use the dedicated key if you generated one in Option B
put_secret CT109_SSH_KEY "$(cat ~/.ssh/silverlabs)"   # or ~/.ssh/littleshop_ct109_key
```
---
## 🔧 CT109 Docker Container Setup
Ensure CT109 has Docker installed and configured:
```bash
# SSH into CT109
ssh sysadmin@10.0.0.51
# Install Docker (if not already installed). sysadmin is not root, so package and
# service commands need sudo (assumes sysadmin has sudo rights on CT109)
sudo apt update
sudo apt install -y docker.io docker-compose
# Enable and start Docker
sudo systemctl enable --now docker
# Let the deploy user talk to the daemon without sudo (log out and back in afterwards).
# Membership of the docker group is root-equivalent on this host, which is one more
# reason the deployment key must be restricted to the deploy script only
sudo usermod -aG docker sysadmin
# Verify Docker is working
docker --version
docker ps
# Create the deployment directory, owned by the deploy user so the workflow can write to it
sudo mkdir -p /opt/littleshop
sudo chown sysadmin:sysadmin /opt/littleshop
cd /opt/littleshop
# Test Docker can run
docker run --rm hello-world
```
### Enable Docker in Proxmox LXC Container
If Docker isn't working in CT109, enable nesting on the Proxmox host:
```bash
# On Proxmox host (not inside CT109)
pct set 109 -features nesting=1,keyctl=1
pct stop 109
pct start 109
```
---
## ✅ Verification Steps
### 1. Test SSH Connection from Gitea Actions
Create a test workflow to verify secrets are working:
```yaml
# .gitea/workflows/test-secrets.yml
name: Test CT109 Connection
on:
  workflow_dispatch:
jobs:
  test-connection:
    runs-on: ubuntu-latest
    steps:
      - name: Test SSH Connection
        run: |
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          echo "${{ secrets.CT109_SSH_KEY }}" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          # Remove the key on every exit path; a plain rm at the end is skipped
          # when ssh fails, because the step runs with errexit
          trap 'rm -f ~/.ssh/deploy_key' EXIT
          # StrictHostKeyChecking=no disables host-key verification, so this test
          # would also "succeed" against any host answering on CT109_HOST. Acceptable
          # for a first connectivity check only; pin the host key before deploying.
          ssh -i ~/.ssh/deploy_key \
            -p ${{ secrets.CT109_SSH_PORT }} \
            -o StrictHostKeyChecking=no \
            ${{ secrets.CT109_USER }}@${{ secrets.CT109_HOST }} \
            "echo 'Connection successful!' && docker --version"
```
Run this workflow manually to test the connection.
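The same connection test as a script, added here as an example and not part of the littleshop workflows: it pins CT109's host key instead of disabling verification, and takes the secrets from environment variables (the step's `env:` block) rather than `${{ }}` substitution inside the script, so a secret value is never parsed as shell. It assumes one extra repository secret, `CT109_HOST_KEY`, and a file path `ci/test-ct109.sh`; neither exists on this page.

```shell
#!/usr/bin/env bash
# Added example (not littleshop project code): the connection test with host-key
# pinning. Assumes an extra secret CT109_HOST_KEY holding the server's public host
# key as "keytype base64" (no hostname), captured once from a trusted machine:
#   ssh-keyscan -t ed25519 -p 22 10.0.0.51 | awk '{print $2, $3}'

# known_hosts_entry HOST PORT "KEYTYPE BASE64" -> the line ssh will look up.
# ssh files entries under "[host]:port" for any port other than 22; writing the bare
# host for port 2222 yields "Host key verification failed" even with the right key.
known_hosts_entry() {
    if [ "$2" = 22 ]; then
        printf '%s %s\n' "$1" "$3"
    else
        printf '[%s]:%s %s\n' "$1" "$2" "$3"
    fi
}

# install_secret_file PATH CONTENT -> CONTENT written 0600 from the start (umask in
# a subshell), so the private key is never momentarily readable by other users
install_secret_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" ) || return 1
    chmod 600 "$1"
}

# deploy_ssh USER HOST PORT KEYFILE KNOWN_HOSTS CMD... -> run CMD on CT109 with
# strict host-key verification, only this identity, and no interactive prompts
deploy_ssh() {
    user=$1 host=$2 port=$3 key=$4 known_hosts=$5
    shift 5
    ssh -i "$key" -p "$port" \
        -o IdentitiesOnly=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$known_hosts" \
        -o BatchMode=yes \
        "$user@$host" "$@"
}

test_connection() {
    : "${CT109_HOST:?}" "${CT109_SSH_PORT:?}" "${CT109_USER:?}" \
      "${CT109_SSH_KEY:?}" "${CT109_HOST_KEY:?}"
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT       # key is removed even when ssh exits non-zero
    install_secret_file "$work/deploy_key" "$CT109_SSH_KEY"
    known_hosts_entry "$CT109_HOST" "$CT109_SSH_PORT" "$CT109_HOST_KEY" > "$work/known_hosts"
    deploy_ssh "$CT109_USER" "$CT109_HOST" "$CT109_SSH_PORT" \
        "$work/deploy_key" "$work/known_hosts" \
        "echo 'Connection successful!' && docker --version"
}

# Workflow step (assumed layout):  run: bash ci/test-ct109.sh connect
# with the five secrets exported through the step's env: block.
if [ "${1:-}" = connect ]; then
    test_connection
fi
```

If the host key is ever rotated on CT109 (new container, reinstalled sshd), the step fails closed with "Host key verification failed" until `CT109_HOST_KEY` is updated from a trusted machine, which is the behaviour you want from a deployment credential.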
### 2. Verify All Secrets Are Set
In Gitea UI, navigate to:
`https://git.silverlabs.uk/Jamie/littleshop/settings/actions/secrets`
You should see all 4 secrets listed:
- ✅ CT109_HOST
- ✅ CT109_SSH_PORT
- ✅ CT109_USER
- ✅ CT109_SSH_KEY
### 3. Test Full Deployment
Once secrets are verified:
```bash
# Push to development branch
git checkout development
git add .
git commit -m "test: Verify CT109 deployment"
git push origin development
```
Watch the deployment in Gitea Actions:
`https://git.silverlabs.uk/Jamie/littleshop/actions`
---
## 🔍 Troubleshooting
### Issue: "Permission denied (publickey)"
**Solution:** SSH key not authorized on CT109
```bash
# Add your SSH public key to CT109
ssh-copy-id -i ~/.ssh/silverlabs.pub sysadmin@10.0.0.51
# Or manually:
ssh sysadmin@10.0.0.51
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
```
### Issue: "Connection refused" on port 21
**Solution:** Port 21 is FTP, not SSH. Find the correct SSH port:
```bash
# Check from Proxmox host
pct exec 109 -- ss -tlnp | grep ssh
# Or try common SSH ports
ssh -p 22 sysadmin@10.0.0.51 # Standard
ssh -p 2222 sysadmin@10.0.0.51 # Alternative
ssh -p 22000 sysadmin@10.0.0.51 # Another common port
```
### Issue: "docker: command not found" in CT109
**Solution:** Install Docker in the container
```bash
ssh sysadmin@10.0.0.51
# sysadmin is not root: package and service commands need sudo
sudo apt update
sudo apt install -y docker.io
sudo systemctl enable --now docker
# Without this, "docker ps" fails with "permission denied" on the daemon socket
sudo usermod -aG docker sysadmin   # re-login for it to take effect
```
### Issue: Docker not starting - "Cannot connect to daemon"
**Solution:** Enable nesting in Proxmox
```bash
# On Proxmox host
pct set 109 -features nesting=1,keyctl=1
pct stop 109
pct start 109
```
### Issue: Secrets not visible in Gitea Actions
**Solution:** Ensure the repository exists and Actions are enabled for it: on the repository's Settings page, under the advanced settings, enable Repository Actions (Actions must also be enabled instance-wide in `app.ini`, `[actions]` section, `ENABLED = true`). Note that secret values are write-only: Gitea lists the names under the Secrets page but never displays a stored value again, so "not visible" can only mean the name is missing.
```bash
# Create repository first (if needed)
# Via Gitea UI: New Repository → "littleshop"
# Or push to create:
git push -u origin development
```
---
## 📝 Summary
**Before secrets can be added:**
1. ✅ Fix SSH access to CT109
2. ✅ Verify correct SSH port
3. ✅ Ensure Docker is installed in CT109
4. ✅ Create littleshop repository in Gitea (if not exists)
**Then add secrets via Gitea UI:**
- CT109_HOST: `10.0.0.51`
- CT109_SSH_PORT: `22` (or actual port)
- CT109_USER: `sysadmin`
- CT109_SSH_KEY: `<private key content>`
**Finally test deployment:**
```bash
git push origin development
```
---
## 🔐 Security Best Practices
1. **Use a dedicated deployment key** (Option B above) instead of your personal `silverlabs` key. The private key is stored in Gitea and written to every runner that executes the workflow; it should be a credential you can revoke without locking yourself out.
2. **Restrict what the key can do** on CT109. In the deploy user's (`sysadmin`) `~/.ssh/authorized_keys`, not root's, prefix the key with a forced command and the forwarding restrictions. The forced command must be the deployment script itself, since sshd runs it in place of whatever the workflow asks for: the earlier suggestion of `command="docker ps"` would turn every deployment into a `docker ps`.
```bash
# In /home/sysadmin/.ssh/authorized_keys, prefix the key with (script path is illustrative):
command="/opt/littleshop/deploy.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA...
```
3. **Pin CT109's host key** in the workflows instead of `StrictHostKeyChecking=no`; with checking disabled, anything that answers on `CT109_HOST` receives the deploy commands.
4. **Rotate keys regularly** - regenerate deployment keys every 90 days, and immediately if a runner or the Gitea instance is suspected compromised. Treat the Gitea API token the same way, and never commit it to the repository.
5. **Monitor deployment logs** in Gitea Actions, and the auth log on CT109, for logins from the deploy key outside of workflow runs.
6. **Use separate keys** for each environment (development, staging, production), so a leaked pre-production key never reaches production.
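A forced-command gate that implements item 2 (and gives item 5 its audit trail), also usable as the `command=` target for the key installed in Option A or B above. This is an added example, not littleshop project code; it assumes the path `/opt/littleshop/bin/deploy-gate.sh`, a `docker-compose` project in `/opt/littleshop` whose compose file reads `IMAGE_TAG` for the application image, and that the deploy workflow's ssh step sends a single word (`deploy`, `status`, or `rollback <tag>`) instead of a shell snippet.

```shell
#!/usr/bin/env bash
# Added example (not littleshop project code): a forced-command gate for the
# CT109 deployment key. Assumed path: /opt/littleshop/bin/deploy-gate.sh, wired in
# from the deploy user's (sysadmin) ~/.ssh/authorized_keys as
#   restrict,command="/opt/littleshop/bin/deploy-gate.sh --gate" ssh-ed25519 AAAA...
# sshd runs this script regardless of what the client asked for and places the
# client's request in SSH_ORIGINAL_COMMAND.

# parse_request "ACTION [TAG]" -> prints "ACTION" or "ACTION TAG", or returns 1.
# Runs in a subshell so `set -f` (no globbing while splitting) stays local.
parse_request() (
    set -f
    set -- $1
    [ $# -ge 1 ] && [ $# -le 2 ] || return 1       # one word, or action plus tag
    action=$1 tag=${2:-}
    case "$action" in
        deploy|status|rollback) ;;
        *) return 1 ;;                             # exact-match allowlist: no flags, paths or shells
    esac
    case "$tag" in
        *[!A-Za-z0-9._-]*) return 1 ;;             # tag may not carry shell or path characters
    esac
    if [ "$action" = rollback ] && [ -z "$tag" ]; then
        return 1                                   # rollback needs an explicit image tag
    fi
    printf '%s%s\n' "$action" "${tag:+ $tag}"
)

# run_action ACTION [TAG] -> the only things this key can make the host do.
# Assumes the compose file in /opt/littleshop reads IMAGE_TAG for the app image.
run_action() {
    cd /opt/littleshop || return 1
    case "$1" in
        deploy)   docker-compose pull && docker-compose up -d ;;
        status)   docker-compose ps ;;
        rollback) IMAGE_TAG=$2 docker-compose up -d ;;
    esac
}

gate() {
    client=${SSH_CLIENT%% *}
    if ! request=$(parse_request "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t deploy-gate "rejected from ${client:-?}: ${SSH_ORIGINAL_COMMAND:-<none>}"
        echo "deploy-gate: request not allowed" >&2
        exit 1
    fi
    logger -t deploy-gate "running '$request' for ${client:-?}"
    set -- $request                                # validated above: letters, digits, ._- only
    run_action "$1" "${2:-}"
}

# Only act when invoked by sshd through the authorized_keys command= option
if [ "${1:-}" = --gate ]; then
    gate
fi
```

The `restrict` option (OpenSSH 7.2 and later) switches off port, agent and X11 forwarding and PTY allocation in one word; add `from="<runner address>"` as well if the Gitea runner has a fixed address. Every accepted and rejected request lands in syslog via `logger`, which is what you grep when reviewing deploy-key activity.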
---
**Next Steps:** Fix SSH access to CT109, then add secrets via Gitea UI! 🚀