DevOps Agent: Deploy Vault-Dash to VPS
Goal
Configure the deployment secrets and keys needed to deploy the vault-dash application from Forgejo CI/CD to a VPS.
Context
The vault-dash project is a Python/FastAPI/NiceGUI dashboard for options hedging analysis. The CI/CD pipeline runs on Forgejo Actions and currently fails at the build and deploy stages due to missing secrets.
Current Infrastructure
- Forgejo Server: http://git.uncloud.vpn (internal VPN address)
- Git URL: ssh://git@10.100.0.2:2222/bu5hm4nn/vault-dash.git
- Runner Labels: [linux, docker]
- Target Deployment: VPS (details to be determined)
Deployment Workflow
The .forgejo/workflows/deploy.yaml workflow has these stages:
- lint → test → type-check → build → deploy
The build stage pushes to a Docker registry, and the deploy stage uses SSH to deploy to a VPS.
Required Secrets
1. Docker Registry Secrets
The build job needs:
- REGISTRY_PASSWORD (or falls back to GITHUB_TOKEN)
- REGISTRY environment variable (defaults to 10.100.0.2:3000)

env:
  REGISTRY: ${{ vars.REGISTRY || '10.100.0.2:3000' }}
  IMAGE_NAME: ${{ github.repository }}

# In docker/login-action:
username: ${{ github.actor }}
password: ${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
2. Deployment Secrets
The deploy job needs:
- DEPLOY_HOST - VPS hostname/IP address
- DEPLOY_USER - SSH user (defaults to deploy)
- DEPLOY_PORT - SSH port (defaults to 22)
- DEPLOY_PATH - Deploy path (defaults to /opt/vault-dash)
- DEPLOY_SSH_PRIVATE_KEY - SSH private key for authentication

env:
  DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
  DEPLOY_USER: ${{ secrets.DEPLOY_USER || 'deploy' }}
  DEPLOY_PORT: ${{ secrets.DEPLOY_PORT || '22' }}
  DEPLOY_PATH: ${{ secrets.DEPLOY_PATH || '/opt/vault-dash' }}
  DEPLOY_SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
  APP_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
Tasks
- Determine VPS details: Where should the application be deployed? What's the host IP/hostname?
- Create a deploy user on the VPS:
  - Create a deploy user with sudo privileges for Docker
  - Generate an SSH keypair for the deploy user
  - Configure the public key in the VPS ~/.ssh/authorized_keys
- Add Forgejo secrets:
  - In Forgejo, go to Repository → Settings → Secrets
  - Add DEPLOY_HOST with the VPS address
  - Add DEPLOY_SSH_PRIVATE_KEY with the private key content
  - Add REGISTRY_PASSWORD if using the internal registry
- Configure Docker on the VPS:
  - Ensure Docker and Docker Compose are installed
  - The deploy script will pull the container image from the registry
- Verify network connectivity:
  - Forgejo runner must be able to reach the VPS via SSH
  - VPS must be able to pull images from the registry
Instructions for the DevOps Agent
When setting up the deployment:
- For the SSH key: Generate a dedicated deploy key (not a personal key):

    ssh-keygen -t ed25519 -f vault-dash-deploy-key -N "" -C "vault-dash-deploy@forgejo"

  The private key (vault-dash-deploy-key) goes into the DEPLOY_SSH_PRIVATE_KEY secret. The public key (vault-dash-deploy-key.pub) goes into the VPS user's ~/.ssh/authorized_keys.
- For the deploy user on VPS:

    # Create deploy user
    sudo useradd -m -s /bin/bash deploy
    # Add to docker group
    sudo usermod -aG docker deploy
    # Set up SSH directory
    sudo -u deploy mkdir -p /home/deploy/.ssh
    sudo -u deploy chmod 700 /home/deploy/.ssh
    # Add the public key
    echo "ssh-ed25519 AAAA... vault-dash-deploy@forgejo" | sudo -u deploy tee /home/deploy/.ssh/authorized_keys
    sudo -u deploy chmod 600 /home/deploy/.ssh/authorized_keys

- For the Docker registry (if using internal Forgejo registry):
  - The registry must be accessible from both the runner and the VPS
  - The REGISTRY_PASSWORD can be the user's Forgejo token or a dedicated registry token
- Create a dedicated deployment directory:

    sudo mkdir -p /opt/vault-dash
    sudo chown deploy:deploy /opt/vault-dash
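A preflight the deploy job could run before it opens the SSH connection, as an added example that is not part of the vault-dash repository. It uses the secret names and defaults listed under Deployment Secrets; the function names deploy_preflight and write_deploy_key are hypothetical.

```shell
#!/bin/sh
# Added example, not from the vault-dash repository. Secret names and defaults
# are the ones listed on this page; the function names are hypothetical.

# Check the deploy secrets, apply the documented defaults, reject bad values.
deploy_preflight() {
    missing=""
    [ -n "${DEPLOY_HOST:-}" ] || missing="$missing DEPLOY_HOST"
    [ -n "${DEPLOY_SSH_PRIVATE_KEY:-}" ] || missing="$missing DEPLOY_SSH_PRIVATE_KEY"
    if [ -n "$missing" ]; then
        echo "missing secrets:$missing" >&2
        return 1
    fi
    DEPLOY_USER="${DEPLOY_USER:-deploy}"
    DEPLOY_PORT="${DEPLOY_PORT:-22}"
    DEPLOY_PATH="${DEPLOY_PATH:-/opt/vault-dash}"
    # The port is handed to ssh -p, so accept digits only.
    case "$DEPLOY_PORT" in
        *[!0-9]*) echo "DEPLOY_PORT must be numeric" >&2; return 1 ;;
    esac
    # A user or host starting with '-' would be read by ssh as an option.
    case "$DEPLOY_USER@$DEPLOY_HOST" in
        -*|*@-*) echo "bad DEPLOY_USER or DEPLOY_HOST" >&2; return 1 ;;
    esac
    # Catch the public key (ssh-ed25519 AAAA...) pasted into the private slot.
    case "$DEPLOY_SSH_PRIVATE_KEY" in
        "-----BEGIN "*"PRIVATE KEY-----"*) ;;
        *) echo "DEPLOY_SSH_PRIVATE_KEY is not a private key" >&2; return 1 ;;
    esac
}

# Write the key to a 0600 temp file and print its path. The subshell body keeps
# the umask change local. Carriage returns are stripped and exactly one final
# newline is written, since a key pasted through a web form can lose or mangle
# its line endings.
write_deploy_key() (
    umask 077
    key=$(printf '%s' "$DEPLOY_SSH_PRIVATE_KEY" | tr -d '\r')
    keyfile=$(mktemp "${TMPDIR:-/tmp}/deploy-key.XXXXXX") || exit 1
    printf '%s\n' "$key" > "$keyfile" || exit 1
    printf '%s\n' "$keyfile"
)

# Usage in the deploy step: deploy_preflight && keyfile=$(write_deploy_key)
```

Remove the file returned by write_deploy_key once the deploy step finishes.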
Output
Please provide:
- The VPS hostname/IP address
- The SSH public key to add to the VPS
- Confirmation of all secrets added to Forgejo
- Any additional network or firewall configurations needed