devteam/sharenet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update the guide to allow DEPLOY_USER to use passwordless sudo
Some checks are pending
CI/CD Pipeline / Test Backend (push) Waiting to run
Details
CI/CD Pipeline / Test Frontend (push) Waiting to run
Details
CI/CD Pipeline / Build and Push Docker Images (push) Blocked by required conditions
Details
CI/CD Pipeline / Deploy to Production (push) Blocked by required conditions
Details

Browse source
This commit is contained in:
continuist 2025-06-28 13:13:22 -04:00
parent 54bc5c5931
commit 2ee91f95e0
1 changed files with 13 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
CI_CD_PIPELINE_SETUP_GUIDE.md
View file

@ -238,7 +238,7 @@ On both Linodes, create the deployment user with sudo privileges:
sudo useradd -m -s /bin/bash DEPLOY_USER sudo useradd -m -s /bin/bash DEPLOY_USER
sudo usermod -aG sudo DEPLOY_USER sudo usermod -aG sudo DEPLOY_USER
# Set a secure password (you won't need it for SSH key auth, but it's good practice) # Set a secure password (for emergency access only)
echo "DEPLOY_USER:$(openssl rand -base64 32)" | sudo chpasswd echo "DEPLOY_USER:$(openssl rand -base64 32)" | sudo chpasswd
# Copy your SSH key to the deployment user # Copy your SSH key to the deployment user
@ -247,32 +247,25 @@ sudo cp ~/.ssh/authorized_keys /home/DEPLOY_USER/.ssh/
sudo chown -R DEPLOY_USER:DEPLOY_USER /home/DEPLOY_USER/.ssh sudo chown -R DEPLOY_USER:DEPLOY_USER /home/DEPLOY_USER/.ssh
sudo chmod 700 /home/DEPLOY_USER/.ssh sudo chmod 700 /home/DEPLOY_USER/.ssh
sudo chmod 600 /home/DEPLOY_USER/.ssh/authorized_keys sudo chmod 600 /home/DEPLOY_USER/.ssh/authorized_keys
# Configure sudo to use SSH key authentication (most secure)
echo "DEPLOY_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/DEPLOY_USER
sudo chmod 440 /etc/sudoers.d/DEPLOY_USER
``` ```
##### 0.4.5 Disable Root SSH Access **Security Note**: This configuration allows the DEPLOY_USER to use sudo without a password, which is more secure for CI/CD automation since there are no passwords to store or expose. The random password is set for emergency console access only.
On both Linodes, disable root SSH access for security: ##### 0.4.5 Test Sudo Access
Test that the deployment user can use sudo without password prompts:
```bash ```bash
# Edit SSH configuration # Test sudo access
sudo nano /etc/ssh/sshd_config ssh DEPLOY_USER@YOUR_CI_CD_IP 'sudo whoami'
ssh DEPLOY_USER@YOUR_PRODUCTION_IP 'sudo whoami'
``` ```
Find and modify these lines: **Expected output**: Both commands should return `root` without prompting for a password.
```
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
```
**Note**: We disable root SSH access entirely and use the deployment user for all SSH operations.
Restart SSH service:
```bash
sudo systemctl restart ssh
```
**Important**: Test SSH access with the deployment user before closing your current session to ensure you don't get locked out.
##### 0.4.6 Test Deployment User Access ##### 0.4.6 Test Deployment User Access