Update the guide to allow DEPLOY_USER to use passwordless sudo

continuist 2025-06-28 13:13:22 -04:00
parent 54bc5c5931
commit 2ee91f95e0

@ -238,7 +238,7 @@ On both Linodes, create the deployment user with sudo privileges:
sudo useradd -m -s /bin/bash DEPLOY_USER
sudo usermod -aG sudo DEPLOY_USER
# Set a secure password (you won't need it for SSH key auth, but it's good practice)
# Set a secure password (for emergency access only)
echo "DEPLOY_USER:$(openssl rand -base64 32)" | sudo chpasswd
# Copy your SSH key to the deployment user
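Review bot: The new comment "Set a secure password (for emergency access only)" does not match the command under it. The output of `openssl rand -base64 32` is piped straight into `chpasswd` and is never displayed or stored, so nobody knows the password and it cannot serve as an emergency console login. Either capture the generated value into a secrets store before setting it, or drop the emergency-access wording and lock the password instead (for example `sudo passwd -l DEPLOY_USER`) so the account is key-only.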
@ -247,32 +247,25 @@ sudo cp ~/.ssh/authorized_keys /home/DEPLOY_USER/.ssh/
sudo chown -R DEPLOY_USER:DEPLOY_USER /home/DEPLOY_USER/.ssh
sudo chmod 700 /home/DEPLOY_USER/.ssh
sudo chmod 600 /home/DEPLOY_USER/.ssh/authorized_keys
# Configure sudo to use SSH key authentication (most secure)
echo "DEPLOY_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/DEPLOY_USER
sudo chmod 440 /etc/sudoers.d/DEPLOY_USER
```
##### 0.4.5 Disable Root SSH Access
**Security Note**: This configuration allows the DEPLOY_USER to use sudo without a password, which is more secure for CI/CD automation since there are no passwords to store or expose. The random password is set for emergency console access only.
On both Linodes, disable root SSH access for security:
##### 0.4.5 Test Sudo Access
Test that the deployment user can use sudo without password prompts:
```bash
# Edit SSH configuration
sudo nano /etc/ssh/sshd_config
# Test sudo access
ssh DEPLOY_USER@YOUR_CI_CD_IP 'sudo whoami'
ssh DEPLOY_USER@YOUR_PRODUCTION_IP 'sudo whoami'
```
Find and modify these lines:
```
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
```
**Note**: We disable root SSH access entirely and use the deployment user for all SSH operations.
Restart SSH service:
```bash
sudo systemctl restart ssh
```
**Important**: Test SSH access with the deployment user before closing your current session to ensure you don't get locked out.
**Expected output**: Both commands should return `root` without prompting for a password.
##### 0.4.6 Test Deployment User Access
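Review bot: The sudoers line `DEPLOY_USER ALL=(ALL) NOPASSWD:ALL` makes whoever holds the deploy SSH key root on both hosts, and the comment above it ("Configure sudo to use SSH key authentication (most secure)") together with the Security Note overstates what it does: NOPASSWD removes sudo's authentication step, it does not bind sudo to the key. Suggest limiting the rule to the commands the pipeline actually runs, checking the file with `sudo visudo -cf /etc/sudoers.d/DEPLOY_USER` before relying on it (a syntax error in a sudoers.d file can break sudo for everyone), and rewording the note to state the trade-off. Separately, section number 0.4.5 now appears on both "Disable Root SSH Access" and "Test Sudo Access"; if the `PasswordAuthentication no` / `PermitRootLogin no` step is being dropped rather than moved, the guide no longer disables password and root SSH logins, which matters more once this account has unrestricted passwordless sudo, so keep that step and its "test before closing your session" warning.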