Skip to content

ci: deploy to woco.dev as reese user with dedicated WOCO_DEV_SSH_KEY#78

Closed
reese8272 wants to merge 2 commits into
stagingfrom
reese/fix-woco-dev-ssh-secret
Closed

ci: deploy to woco.dev as reese user with dedicated WOCO_DEV_SSH_KEY#78
reese8272 wants to merge 2 commits into
stagingfrom
reese/fix-woco-dev-ssh-secret

Conversation

@reese8272

Copy link
Copy Markdown

Summary

  • Routes staging CI deploys to woco.dev as reese (sudo group) instead of root — automated root logins violate security best practice; a healthy box has no root sessions
  • Separates the woco.dev deploy secret (WOCO_DEV_SSH_KEY) from the prod deploy secret (DEPLOY_SSH_KEY) so compromising one doesn't affect the other
  • Adds sudo prefixes to systemctl, chown, and install calls that previously ran as root directly

Prerequisites (all done)

  • reese user exists on woco.dev with key in authorized_keys and NOPASSWD sudo
  • Root SSH disabled on woco.dev (PermitRootLogin no)
  • WOCO_DEV_SSH_KEY GitHub secret set to dedicated deploy key (not personal key)

Test plan

  • Push any commit to staging and confirm CI deploys successfully to woco.dev
  • Confirm ssh root@172.238.189.147 is denied

🤖 Generated with Claude Code

reese8272 and others added 2 commits June 30, 2026 13:41
DEPLOY_SSH_KEY is authorized on hellowoco.app (wocod) but not woco.dev
(root). Separate secret lets Reese load his own key there independently.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Root SSH logins for automated processes violate security best practice.
WOCO_DEV_SSH_KEY must be a dedicated deploy key, not a personal key.
Box prereq: reese user in sudo group with key in authorized_keys.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@reese8272

Copy link
Copy Markdown
Author

Closing as superseded. Staging's current CI (build-and-deploy.yml / deploy-prod.yml) already deploys as wocod directly with dedicated STAGING_DEPLOY_SSH_KEY / PROD_DEPLOY_SSH_KEY and scoped sudo -n — a stronger design than reese+WOCO_DEV_SSH_KEY proposed here (and it matches Michael's 'wocod deploys on both boxes'). The stale-docs remnant is handled in #82. Follow-up worth doing on the boxes: remove the old root deploy key from /root/.ssh/authorized_keys and delete the retired DEPLOY_SSH_KEY / WOCO_DEV_SSH_KEY repo secrets if present.

@reese8272 reese8272 closed this Jul 2, 2026
grubermeister pushed a commit that referenced this pull request Jul 3, 2026
…del (#82)

Successor to PRs #77 and #78, whose payloads are now superseded:
- #77 (default push_data.sh host to reese@) — superseded by #79, which
  removes the username default entirely per Michael's instruction.
- #78 (CI deploy as reese + WOCO_DEV_SSH_KEY) — superseded by staging's
  own rework: CI now SSHes directly as wocod with dedicated
  STAGING/PROD_DEPLOY_SSH_KEY keys and scoped sudo -n, which is stronger.

What remained true from their intent is that the docs still described the
old root-deploy world: STAGING_WOCO_DEV.md told operators to push data as
root@woco.dev and AUTH_SYNC.md to scp as root@ — both impossible now that
root login is disabled, and contrary to the deploy model. Updated to
<your-user>@ with notes that files still land owned by wocod, and marked
the provisioning section's root SSH as initial-setup-only.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
@reese8272 reese8272 deleted the reese/fix-woco-dev-ssh-secret branch July 6, 2026 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant