littleshop/GITEA_SECRETS_SETUP_GUIDE.md
SysAdmin 47e43d4ff8 ci: Migrate from GitLab CI/CD to Gitea Actions with CT109 pre-production
**Migration Complete:**
- Removed GitLab CI/CD configuration (.gitlab-ci.yml)
- Created Gitea Actions workflows (.gitea/workflows/)
- Disabled automatic production deployment (manual only)
- Added pre-production deployment to CT109 Docker container

**New Workflows:**
- build-and-deploy.yml: Main CI/CD pipeline with CT109 deployment
- rollback.yml: Manual rollback capability
- README.md: Comprehensive workflow documentation

**Pre-Production Environment (CT109):**
- Host: 10.0.0.51
- User: sysadmin
- Port: 22
- Deploys on push to development/main branches
- Access URL: http://ct109.local:5100

**Documentation:**
- CI_CD_MIGRATION_GITEA.md: Complete migration guide
- CI_CD_CT109_PREPRODUCTION.md: CT109 deployment architecture
- GITEA_SECRETS_SETUP_GUIDE.md: Secrets configuration instructions

**Git Remote Updated:**
- Migrated from GitLab (gitlab.silverlabs.uk) to Gitea (git.silverlabs.uk)
- Using token authentication for push/pull operations

**Next Steps:**
1. Push code to Gitea to create repository
2. Add CT109 secrets via Gitea UI (CT109_HOST, CT109_SSH_PORT, CT109_USER, CT109_SSH_KEY)
3. Test pre-production deployment workflow

🚀 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-14 19:10:14 +00:00

Gitea Secrets Setup Guide for CT109 Deployment

Date: November 14, 2025

⚠️ Prerequisites - CT109 SSH Access Setup Required

Issues Identified:

  1. Port 21 Connection Refused - Port 21 is FTP, not SSH
  2. SSH Key Not Authorized - The silverlabs key is not authorized on CT109

Before Adding Secrets, Fix SSH Access:

Option A: Add SSH Key to CT109

This reuses the personal silverlabs key. It gets the pipeline working, but Option B is the one to keep: a key that exists only for this pipeline can be restricted and rotated without touching your own access.

# Copy the public key to CT109
ssh-copy-id -i ~/.ssh/silverlabs.pub sysadmin@10.0.0.51

# Or manually add it. umask 077 gives ~/.ssh and a new authorized_keys the
# modes sshd expects; with StrictModes (the default) a group- or world-writable
# ~/.ssh or authorized_keys makes sshd ignore the key without saying why.
ssh sysadmin@10.0.0.51 "umask 077 && mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" < ~/.ssh/silverlabs.pub

Option B: Generate New Deployment Key

# Generate a new SSH key specifically for CI/CD. The passphrase stays empty
# (-N ''): the runner cannot answer a prompt, so this key is protected by
# restricting what it may do on CT109 (see Security Best Practices below)
# rather than by a passphrase.
ssh-keygen -t ed25519 -C "gitea-actions-ct109" -N '' -f ~/.ssh/littleshop_ct109_key

# Copy to CT109
ssh-copy-id -i ~/.ssh/littleshop_ct109_key.pub sysadmin@10.0.0.51

# Test connection (IdentitiesOnly=yes stops ssh from offering agent keys
# first, so this proves the new key itself is accepted)
ssh -i ~/.ssh/littleshop_ct109_key -o IdentitiesOnly=yes sysadmin@10.0.0.51 "echo 'Success!' && docker --version"

Verify Correct SSH Port

# Test different ports
ssh -p 22 sysadmin@10.0.0.51  # Standard SSH port
ssh -p 2222 sysadmin@10.0.0.51  # Common alternative
ssh -p 22000 sysadmin@10.0.0.51  # Another common alternative

# Or check from Proxmox:
pct enter 109
ss -tlnp | grep ssh
# This will show the actual SSH port

📋 Gitea Secrets Configuration

Once SSH access is working, add these secrets to Gitea.

Step 1: Navigate to Repository Settings

  1. Go to: https://git.silverlabs.uk/Jamie/littleshop
  2. Click Settings (gear icon)
  3. Click Secrets in the left sidebar

Step 2: Add Secrets

Click Add Secret for each of the following:

Secret 1: CT109_HOST

Name: CT109_HOST
Value: 10.0.0.51

Secret 2: CT109_SSH_PORT

Name: CT109_SSH_PORT
Value: 22

(Adjust this value based on the actual SSH port you verified above)

Secret 3: CT109_USER

Name: CT109_USER
Value: sysadmin

Secret 4: CT109_SSH_KEY

Name: CT109_SSH_KEY
Value: <paste the entire private key here>

To get the private key content:

# If using existing silverlabs key:
cat ~/.ssh/silverlabs

# If you generated a new key:
cat ~/.ssh/littleshop_ct109_key

Copy the entire output, including:

  • -----BEGIN OPENSSH PRIVATE KEY-----
  • All the encoded content
  • -----END OPENSSH PRIVATE KEY-----
  • The newline after the END line. OpenSSH rejects a key file that lacks it ("invalid format"); pasting into the UI keeps it, $(cat ~/.ssh/key) in a shell strips it.
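
Before pasting, it is worth checking that what you have is the complete private key and that the runner will be able to use it. The following shell function is an added example, not part of this guide's tooling or of the littleshop repository; it assumes only standard POSIX tools plus, when installed, ssh-keygen, and it catches the usual mistakes in the order they are most often made: pasting the .pub file, a copy truncated before the END line, a missing trailing newline, and a key that is malformed or passphrase-protected (the runner cannot type a passphrase).

```shell
#!/bin/sh
# Pre-flight check for the file whose contents are about to become the
# CT109_SSH_KEY secret. Added example; not code from the littleshop project.
set -eu

# check_deploy_key_file <path>
# Returns 0 when the file looks like a complete, loadable OpenSSH private key.
# Otherwise prints the reason to stderr and returns 1.
check_deploy_key_file() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }

    # The secret needs the private half; the .pub is what goes to CT109.
    case "$f" in
        *.pub) echo "$f is the public key; the secret needs the private key" >&2; return 1 ;;
    esac

    # First and last lines must be the OpenSSH armour. A copy that stops
    # before the END line is the classic truncated paste.
    head -n 1 "$f" | grep -qx -- '-----BEGIN OPENSSH PRIVATE KEY-----' \
        || { echo "$f: missing BEGIN line, not an OpenSSH private key" >&2; return 1; }
    tail -n 1 "$f" | grep -qx -- '-----END OPENSSH PRIVATE KEY-----' \
        || { echo "$f: missing END line, the key is truncated" >&2; return 1; }

    # OpenSSH refuses a key whose last line has no newline. Command
    # substitution strips a trailing newline, so an empty result here means
    # the final byte is "\n".
    [ -z "$(tail -c 1 "$f")" ] \
        || { echo "$f: no newline after the END line" >&2; return 1; }

    # When ssh-keygen is present, let it parse the key: -y derives the public
    # key and fails on a malformed file or, with an empty passphrase given,
    # on a passphrase-protected key, which the runner could not use either.
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -y -P '' -f "$f" >/dev/null 2>&1 </dev/null \
            || { echo "$f: ssh-keygen cannot load it (malformed or passphrase-protected)" >&2; return 1; }
    fi
    return 0
}
```

Run it as `check_deploy_key_file ~/.ssh/littleshop_ct109_key && cat ~/.ssh/littleshop_ct109_key` and paste what cat prints; if the check fails, the message says which of the four problems it is.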

Method 2: Via Gitea API (Advanced)

This needs a Gitea access token with write access to the repository. Read it from the environment; never write it into this file. (An earlier revision of this guide carried a literal token on the GITEA_TOKEN line. A token that has been committed to a repository is compromised even after the line is removed: revoke it in Gitea under Settings → Applications and generate a new one.)

# Set variables
GITEA_URL="https://git.silverlabs.uk"
GITEA_TOKEN="${GITEA_TOKEN:?export GITEA_TOKEN before running this}"
REPO_OWNER="Jamie"
REPO_NAME="littleshop"
DEPLOY_KEY="$HOME/.ssh/littleshop_ct109_key"   # the dedicated key from Option B
SECRETS_API="$GITEA_URL/api/v1/repos/$REPO_OWNER/$REPO_NAME/actions/secrets"

# The secrets endpoint is PUT (create or update), not POST. It answers 201
# when the secret is created and 204 when an existing value is replaced;
# --fail makes curl exit non-zero on anything else, so a typo in the token
# or repository name stops the script instead of silently skipping a secret.
put_secret() {   # $1 = secret name, $2 = JSON request body
  curl --fail --silent --show-error -X PUT "$SECRETS_API/$1" \
    -H "Authorization: token $GITEA_TOKEN" \
    -H "Content-Type: application/json" \
    -d "$2"
}

# jq builds each body so the JSON is escaped correctly whatever the value contains
put_secret CT109_HOST     "$(jq -cn --arg v "10.0.0.51" '{data: $v}')"
put_secret CT109_SSH_PORT "$(jq -cn --arg v "22" '{data: $v}')"        # adjust to the port verified above
put_secret CT109_USER     "$(jq -cn --arg v "sysadmin" '{data: $v}')"

# Read the key straight from the file: $(cat "$DEPLOY_KEY") would strip the
# trailing newline, and OpenSSH rejects a private key without one.
put_secret CT109_SSH_KEY  "$(jq -cRs '{data: .}' < "$DEPLOY_KEY")"

🔧 CT109 Docker Container Setup

Ensure CT109 has Docker installed and configured. The deploy user is sysadmin, not root, so package and service management go through sudo:

# SSH into CT109
ssh sysadmin@10.0.0.51

# Install Docker (if not already installed)
sudo apt update
sudo apt install -y docker.io docker-compose

# Enable and start Docker
sudo systemctl enable --now docker

# Let sysadmin talk to the daemon without sudo. Membership of the docker
# group is equivalent to root inside the container (anyone in it can mount
# the host filesystem into a container), which is one more reason to restrict
# what the CI key may run (see Security Best Practices).
sudo usermod -aG docker sysadmin
# log out and back in so the new group applies to your session

# Verify Docker is working
docker --version
docker ps

# Create deployment directory, owned by the deploy user
sudo mkdir -p /opt/littleshop
sudo chown sysadmin:sysadmin /opt/littleshop
cd /opt/littleshop

# Test Docker can run
docker run --rm hello-world

Enable Docker in Proxmox LXC Container

If Docker isn't working in CT109, enable nesting on the Proxmox host:

# On Proxmox host (not inside CT109)
pct set 109 -features nesting=1,keyctl=1
pct stop 109
pct start 109

Verification Steps

1. Test SSH Connection from Gitea Actions

Create a test workflow to verify the secrets work. Two details matter for a workflow that holds a deployment key: the key is written with printf rather than echo (echo may interpret the content), and the CT109 host key is pinned instead of passing -o StrictHostKeyChecking=no, which would let any machine that answers for 10.0.0.51 on the path from the runner pose as CT109 and receive whatever the pipeline sends. Capture the host key once from a machine you trust and commit it alongside the workflows (the .gitea/known_hosts path is a choice, any path in the repository works):

# .gitea/workflows/test-secrets.yml
name: Test CT109 Connection

on:
  workflow_dispatch:

jobs:
  test-connection:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository (for the pinned host key)
        uses: actions/checkout@v4

      - name: Install deploy key and pinned host key
        run: |
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          # printf: no option parsing, no escape processing of the key text
          printf '%s\n' "${{ secrets.CT109_SSH_KEY }}" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          # .gitea/known_hosts was captured once on a trusted machine with
          #   ssh-keyscan -p <verified port> 10.0.0.51 > .gitea/known_hosts
          # and committed, so the runner never has to trust first contact.
          cp .gitea/known_hosts ~/.ssh/known_hosts

      - name: Test SSH Connection
        run: |
          ssh -i ~/.ssh/deploy_key \
            -o IdentitiesOnly=yes \
            -o StrictHostKeyChecking=yes \
            -p ${{ secrets.CT109_SSH_PORT }} \
            ${{ secrets.CT109_USER }}@${{ secrets.CT109_HOST }} \
            "echo 'Connection successful!' && docker --version"

      - name: Remove deploy key
        if: always()
        run: rm -f ~/.ssh/deploy_key

Run this workflow manually to test the connection. A "Host key verification failed" result means the committed known_hosts entry does not match CT109 (wrong port, or the container was rebuilt and has a new host key); re-run ssh-keyscan from a trusted machine rather than relaxing the check.

2. Verify All Secrets Are Set

In Gitea UI, navigate to: https://git.silverlabs.uk/Jamie/littleshop/settings/secrets

You should see all 4 secrets listed. Only the names are shown: Gitea never displays a stored value again, so to correct one you set it again rather than inspect it.

  • CT109_HOST
  • CT109_SSH_PORT
  • CT109_USER
  • CT109_SSH_KEY

3. Test Full Deployment

Once secrets are verified:

# Push to development branch
git checkout development
git add .
git commit -m "test: Verify CT109 deployment"
git push origin development

Watch the deployment in Gitea Actions: https://git.silverlabs.uk/Jamie/littleshop/actions


🔍 Troubleshooting

Issue: "Permission denied (publickey)"

Solution: SSH key not authorized on CT109

# Add your SSH public key to CT109
ssh-copy-id -i ~/.ssh/silverlabs.pub sysadmin@10.0.0.51

# Or manually:
ssh sysadmin@10.0.0.51
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Issue: "Connection refused" on port 21

Solution: Port 21 is FTP, not SSH. Find the correct SSH port:

# Check from Proxmox host
pct exec 109 -- ss -tlnp | grep ssh

# Or try common SSH ports
ssh -p 22 sysadmin@10.0.0.51    # Standard
ssh -p 2222 sysadmin@10.0.0.51  # Alternative
ssh -p 22000 sysadmin@10.0.0.51 # Another common port

Issue: "docker: command not found" in CT109

Solution: Install Docker in the container (sysadmin needs sudo for this)

ssh sysadmin@10.0.0.51
sudo apt update
sudo apt install -y docker.io
sudo systemctl enable --now docker
sudo usermod -aG docker sysadmin   # then log out and back in

Issue: Docker not starting - "Cannot connect to daemon"

Solution: Enable nesting in Proxmox

# On Proxmox host
pct set 109 -features nesting=1,keyctl=1
pct stop 109
pct start 109

Issue: Secrets not visible in Gitea Actions

Solution: Ensure repository exists and Actions are enabled

# Create repository first (if needed)
# Via Gitea UI: New Repository → "littleshop"

# Or push to create:
git push -u origin development

📝 Summary

Before secrets can be added:

  1. Fix SSH access to CT109
  2. Verify correct SSH port
  3. Ensure Docker is installed in CT109
  4. Create littleshop repository in Gitea (if not exists)

Then add secrets via Gitea UI:

  • CT109_HOST: 10.0.0.51
  • CT109_SSH_PORT: 22 (or actual port)
  • CT109_USER: sysadmin (the user the key was installed for above; the workflow logs in as whatever this says)
  • CT109_SSH_KEY: <private key content, including the trailing newline>

Finally test deployment:

git push origin development

🔐 Security Best Practices

  1. Use a dedicated deployment key (Option B) instead of your personal SSH key, and keep its private half nowhere but the Gitea secret.
  2. Restrict what the key can do on CT109. The deploy user is sysadmin, so the entry lives in /home/sysadmin/.ssh/authorized_keys, not /root/.ssh/authorized_keys. A command="..." option replaces whatever the client asked to run, so it must name the deployment wrapper itself; command="docker ps" would make every pipeline connection run docker ps and nothing else. Prefix the key with:
    from="<runner address or CIDR>",command="/usr/local/bin/littleshop-deploy-guard",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA...
    (the wrapper path and the runner address are placeholders to fill in; sshd runs the wrapper and passes the command the client requested in SSH_ORIGINAL_COMMAND, so the wrapper decides what actually executes)
  3. Rotate keys regularly: regenerate deployment keys every 90 days, and immediately if a key, a Gitea token or a runner may have leaked. A credential that was ever committed to a repository counts as leaked even after the commit is rewritten.
  4. Monitor deployment logs in Gitea Actions for suspicious activity, and the sshd log on CT109 (journalctl -u ssh) for logins with the deploy key that do not line up with a pipeline run.
  5. Use separate keys for each environment (development, staging, production); a key lifted from the pre-production container must not open the production one.
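
What the command= option in item 2 points at is shown here as an added example, not code from the littleshop repository or its workflows: a forced-command wrapper for the deploy key, plus a helper that renders the restricted authorized_keys line from the Option B public key. sshd runs the wrapper in place of whatever the client asked for and hands the client's request over in SSH_ORIGINAL_COMMAND, so the wrapper, not the CI job, decides what can happen on CT109. The accepted requests (the two read-only diagnostics the test workflow uses, and deploy <tag>), the /usr/local/bin/littleshop-deploy-guard path and the docker-compose based deploy step are all assumptions, since this page does not show what build-and-deploy.yml runs over ssh.

```shell
#!/bin/sh
# littleshop-deploy-guard: forced-command wrapper for the CI deploy key on CT109.
# Added example, not code from the littleshop project. Install as
# /usr/local/bin/littleshop-deploy-guard (root-owned, mode 0755) and reference
# it from the key's authorized_keys entry with command="...". sshd then ignores
# the command the client asked for, runs this script instead, and exposes the
# client's request in SSH_ORIGINAL_COMMAND. The accepted requests below are an
# assumption; the real ones are whatever build-and-deploy.yml sends over ssh.
set -eu

DEPLOY_DIR="/opt/littleshop"   # deployment directory from the CT109 setup section

# parse_request <client request>
# Decide whether a request is allowed. Prints the normalised request on
# success and returns 1 for anything else. Pure string checks, nothing runs.
parse_request() {
    req=$1
    case "$req" in
        "docker ps"|"docker --version")
            # read-only diagnostics used by the test workflow
            printf '%s\n' "$req"
            ;;
        "deploy "*)
            tag=${req#deploy }
            # The image tag must be one plain token: no whitespace, quotes,
            # semicolons or other shell metacharacters, nothing starting with
            # "-" (would be parsed as an option) or "." (path traversal).
            case "$tag" in
                ""|*[!A-Za-z0-9._-]*|-*|.*) return 1 ;;
            esac
            [ "${#tag}" -le 64 ] || return 1
            printf 'deploy %s\n' "$tag"
            ;;
        *)
            return 1
            ;;
    esac
}

# authorized_keys_line <contents of .pub file> <runner address or CIDR>
# Render the restricted authorized_keys entry for the deploy key. Only the
# key type and base64 key are kept; the comment is not needed on the server.
authorized_keys_line() {
    pub=$1
    src=$2
    set -- $pub
    printf 'from="%s",command="/usr/local/bin/littleshop-deploy-guard",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s\n' \
        "$src" "$1" "$2"
}

# run_request <normalised request>
# Execute a request that parse_request already accepted.
run_request() {
    case "$1" in
        "docker ps")        exec docker ps ;;
        "docker --version") exec docker --version ;;
        "deploy "*)
            tag=${1#deploy }
            cd "$DEPLOY_DIR"
            # Assumed deploy mechanics: the compose file in /opt/littleshop
            # reads the image tag from IMAGE_TAG (docker-compose is the package
            # installed in the setup section).
            IMAGE_TAG=$tag docker-compose pull
            IMAGE_TAG=$tag exec docker-compose up -d
            ;;
    esac
}

# Dispatch only when sshd invoked us with a client request. A connection with
# no command (or sourcing this file to test parse_request) defines the
# functions and does nothing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if request=$(parse_request "$SSH_ORIGINAL_COMMAND"); then
        logger -t littleshop-deploy-guard "allowed: $request"
        run_request "$request"
    else
        logger -t littleshop-deploy-guard "rejected: $SSH_ORIGINAL_COMMAND"
        printf 'littleshop-deploy-guard: request not allowed\n' >&2
        exit 1
    fi
fi
```

With this in place, `ssh -i ~/.ssh/littleshop_ct109_key sysadmin@10.0.0.51 "deploy v1.2.3"` from the pipeline runs the deployment, while `ssh ... "bash -i"` or `"deploy v1; rm -rf /"` is logged under the littleshop-deploy-guard tag and refused; the rejected line in the journal is exactly the signal item 4 asks you to watch for. Whatever verbs build-and-deploy.yml really needs, add them to parse_request as fixed strings or strictly validated arguments rather than passing the request through.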

Next Steps: Fix SSH access to CT109, then add secrets via Gitea UI! 🚀