From fbbd5e4c1c0ade8c333e0145400810c38c461938 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 4 Jul 2026 15:29:09 -0400 Subject: [PATCH] deploy fix 7 --- docs/DOCKER.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/docs/DOCKER.md b/docs/DOCKER.md index b02c22d..fed29c2 100644 --- a/docs/DOCKER.md +++ b/docs/DOCKER.md @@ -231,6 +231,41 @@ Supported private key formats: If your key is passphrase-protected, generate a dedicated deploy key without a passphrase for CI instead of reusing an interactive workstation key. +To create a new dedicated deploy key, run this on your workstation or another trusted admin machine, not inside Gitea: + +```bash +ssh-keygen -t ed25519 -f ./rentaldrivego_gitea_deploy -C "gitea-actions-rentaldrivego" -N "" +ssh-keygen -lf ./rentaldrivego_gitea_deploy.pub +base64 < ./rentaldrivego_gitea_deploy | tr -d '\n' +``` + +Use the generated files like this: + +- `rentaldrivego_gitea_deploy`: private key. Store this in Gitea as either raw `VPS_SSH_KEY` or base64-encoded `VPS_SSH_KEY_B64`. +- `rentaldrivego_gitea_deploy.pub`: public key. Install this on the VPS in `~/.ssh/authorized_keys` for the account configured as `VPS_USER`. + +Do not put the `.pub` file or an `authorized_keys` line into `VPS_SSH_KEY` or `VPS_SSH_KEY_B64`. Gitea needs the private key; the VPS needs the public key. + +To install the public key on the VPS, SSH into the server as the same account configured in `VPS_USER`, then run: + +```bash +mkdir -p ~/.ssh +chmod 700 ~/.ssh +printf '%s\n' '' >> ~/.ssh/authorized_keys +chmod 600 ~/.ssh/authorized_keys +ssh-keygen -lf ~/.ssh/authorized_keys +``` + +If you are logged in as `root` but `VPS_USER` is a different account such as `deploy`, install the public key under that user's home directory instead: + +```bash +install -d -m 700 -o deploy -g deploy /home/deploy/.ssh +printf '%s\n' '' >> /home/deploy/.ssh/authorized_keys +chown deploy:deploy /home/deploy/.ssh/authorized_keys +chmod 600 /home/deploy/.ssh/authorized_keys +ssh-keygen -lf /home/deploy/.ssh/authorized_keys +``` + If SSH authentication fails after the workflow loads the key, compare the logged deploy key fingerprint with the key installed on the server: ```bash