diff --git a/docs/DEVOPS_DEPLOY_PROMPT.md b/docs/DEVOPS_DEPLOY_PROMPT.md new file mode 100644 index 0000000..a674406 --- /dev/null +++ b/docs/DEVOPS_DEPLOY_PROMPT.md 
@@ -0,0 +1,130 @@ +# DevOps Agent: Deploy Vault-Dash to VPS + +## Goal + +Configure the deployment secrets and keys needed to deploy the `vault-dash` application from Forgejo CI/CD to a VPS. + +## Context + +The `vault-dash` project is a Python/FastAPI/NiceGUI dashboard for options hedging analysis. The CI/CD pipeline runs on Forgejo Actions and currently fails at the `build` and `deploy` stages due to missing secrets. + +### Current Infrastructure + +- **Forgejo Server**: `http://git.uncloud.vpn` (internal VPN address) +- **Git URL**: `ssh://git@10.100.0.2:2222/bu5hm4nn/vault-dash.git` +- **Runner Labels**: `[linux, docker]` +- **Target Deployment**: VPS (details to be determined) + +## Deployment Workflow + +The `.forgejo/workflows/deploy.yaml` workflow has these stages: + +1. **lint** → **test** → **type-check** → **build** → **deploy** + +The build stage pushes to a Docker registry, and the deploy stage uses SSH to deploy to a VPS. + +## Required Secrets + +### 1. Docker Registry Secrets + +The `build` job needs: +- `REGISTRY_PASSWORD` (or falls back to `GITHUB_TOKEN`) +- `REGISTRY` environment variable (defaults to `10.100.0.2:3000`) + +```yaml +env: + REGISTRY: ${{ vars.REGISTRY || '10.100.0.2:3000' }} + IMAGE_NAME: ${{ github.repository }} + +# In docker/login-action: +username: ${{ github.actor }} +password: ${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }} +``` + +### 2. 
Deployment Secrets + +The `deploy` job needs: +- `DEPLOY_HOST` - VPS hostname/IP address +- `DEPLOY_USER` - SSH user (defaults to `deploy`) +- `DEPLOY_PORT` - SSH port (defaults to `22`) +- `DEPLOY_PATH` - Deploy path (defaults to `/opt/vault-dash`) +- `DEPLOY_SSH_PRIVATE_KEY` - SSH private key for authentication + +```yaml +env: + DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} + DEPLOY_USER: ${{ secrets.DEPLOY_USER || 'deploy' }} + DEPLOY_PORT: ${{ secrets.DEPLOY_PORT || '22' }} + DEPLOY_PATH: ${{ secrets.DEPLOY_PATH || '/opt/vault-dash' }} + DEPLOY_SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }} + APP_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} +``` + +## Tasks + +1. **Determine VPS details**: Where should the application be deployed? What's the host IP/hostname? + +2. **Create a deploy user on the VPS**: + - Create a `deploy` user with sudo privileges for Docker + - Generate an SSH keypair for the deploy user + - Configure the public key in the VPS `~/.ssh/authorized_keys` + +3. **Add Forgejo secrets**: + - In Forgejo, go to Repository → Settings → Secrets + - Add `DEPLOY_HOST` with the VPS address + - Add `DEPLOY_SSH_PRIVATE_KEY` with the private key content + - Add `REGISTRY_PASSWORD` if using the internal registry + +4. **Configure Docker on the VPS**: + - Ensure Docker and Docker Compose are installed + - The deploy script will pull the container image from the registry + +5. **Verify network connectivity**: + - Forgejo runner must be able to reach the VPS via SSH + - VPS must be able to pull images from the registry + +## Instructions for the DevOps Agent + +When setting up the deployment: + +1. **For the SSH key**: Generate a dedicated deploy key (not a personal key): + ```bash + ssh-keygen -t ed25519 -f vault-dash-deploy-key -N "" -C "vault-dash-deploy@forgejo" + ``` + The private key (`vault-dash-deploy-key`) goes into `DEPLOY_SSH_PRIVATE_KEY` secret. 
+ The public key (`vault-dash-deploy-key.pub`) goes into the VPS user's `~/.ssh/authorized_keys`. + +2. **For the deploy user on VPS**: + ```bash + # Create deploy user + sudo useradd -m -s /bin/bash deploy + + # Add to docker group + sudo usermod -aG docker deploy + + # Set up SSH directory + sudo -u deploy mkdir -p /home/deploy/.ssh + sudo -u deploy chmod 700 /home/deploy/.ssh + + # Add the public key + echo "ssh-ed25519 AAAA... vault-dash-deploy@forgejo" | sudo -u deploy tee /home/deploy/.ssh/authorized_keys + sudo -u deploy chmod 600 /home/deploy/.ssh/authorized_keys + ``` + +3. **For the Docker registry** (if using internal Forgejo registry): + - The registry must be accessible from both the runner and the VPS + - The `REGISTRY_PASSWORD` can be the user's Forgejo token or a dedicated registry token + +4. **Create a dedicated deployment directory**: + ```bash + sudo mkdir -p /opt/vault-dash + sudo chown deploy:deploy /opt/vault-dash + ``` + +## Output + +Please provide: +1. The VPS hostname/IP address +2. The SSH public key to add to the VPS +3. Confirmation of all secrets added to Forgejo +4. Any additional network or firewall configurations needed \ No newline at end of file
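Review bot: In step 2 of "Instructions for the DevOps Agent", `sudo usermod -aG docker deploy` makes the deploy user a member of the docker group, which is root-equivalent on the VPS, so the Tasks wording "sudo privileges for Docker" understates what a leaked `DEPLOY_SSH_PRIVATE_KEY` unlocks; the document should state that plainly and restrict the key in `authorized_keys` (a `from=` clause limited to the runner's address and a `command=` clause that runs only the deploy script) instead of granting an unrestricted shell. Two smaller points in the same step: `echo "ssh-ed25519 AAAA... vault-dash-deploy@forgejo" | sudo -u deploy tee /home/deploy/.ssh/authorized_keys` overwrites any existing keys, so `tee -a` is the safer form, and nothing in the setup records the VPS host key for the runner, so the first SSH connection from the deploy job will either fail or tempt someone to disable `StrictHostKeyChecking`; add a step that captures the VPS host key (a `DEPLOY_KNOWN_HOSTS` value or similar) alongside the other secrets. Finally, `DEPLOY_USER`, `DEPLOY_PORT` and `DEPLOY_PATH` are not sensitive and could be repository variables like `REGISTRY` rather than secrets, keeping the secrets list down to the values that actually need protection.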