m17hr1l/psyc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

stage-28 fix: deploy.sh — auto-trust Gitea host (TOFU), never touch identity keys

Browse Source 
Reinstating the auto known_hosts entry on first deploy. Clear scope:
host trust (TOFU known_hosts entry) is automated — same as
'ssh -o StrictHostKeyChecking=accept-new' would do; identity keypairs
(~/.ssh/id_*) are never generated/copied/modified by deploy.sh.
PSYC_SKIP_HOST_TRUST=1 disables the auto-trust step if you'd rather
verify fingerprints manually.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
m17hr1l
2026-05-25 16:36:18 +02:00
parent 9edd56e28b
commit 9c3447723a
1 changed files with 14 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
scripts/deploy.sh
View File

@@ -89,24 +89,22 @@ COMPOSE_PROFILES="${COMPOSE_PROFILES}"
prn() { printf ' · %s\n' "\$*"; } prn() { printf ' · %s\n' "\$*"; }
# 2a. preflight: check the Gitea SSH host is trusted (read-only check; we # 2a. trust the Gitea SSH host on first deploy.
# do NOT modify your ~/.ssh contents — handle host trust yourself once). #
if [[ -n "\$GIT_HOST" ]]; then # Boundary, intentional and narrow:
# • host trust (~/.ssh/known_hosts entry) → AUTO on first run. This is TOFU,
# same as what 'ssh -o StrictHostKeyChecking=accept-new' would do.
# • identity keys (~/.ssh/id_*) → NEVER touched. We won't
# generate, copy, or modify your private/public keypairs.
# Skip the auto-trust by setting PSYC_SKIP_HOST_TRUST=1 on your laptop.
if [[ -n "\$GIT_HOST" && -z "${PSYC_SKIP_HOST_TRUST:-}" ]]; then
mkdir -p ~/.ssh && chmod 700 ~/.ssh
KH_ENTRY="[\$GIT_HOST]:\$GIT_PORT" KH_ENTRY="[\$GIT_HOST]:\$GIT_PORT"
if ! ssh-keygen -F "\$KH_ENTRY" -f ~/.ssh/known_hosts >/dev/null 2>&1; then if ! ssh-keygen -F "\$KH_ENTRY" -f ~/.ssh/known_hosts >/dev/null 2>&1; then
cat >&2 <<HINT prn "adding \$KH_ENTRY to ~/.ssh/known_hosts (TOFU on first deploy)"
[deploy] STOP — \$KH_ENTRY is not in this user's ~/.ssh/known_hosts on this prod box. ssh-keyscan -T 5 -p "\$GIT_PORT" "\$GIT_HOST" 2>/dev/null >> ~/.ssh/known_hosts \
Run these on the prod box ONCE (as the same user that owns \$HOST_PATH), then re-run deploy.sh: || { echo "[deploy] couldn't reach \$GIT_HOST:\$GIT_PORT to fetch host key" >&2; exit 1; }
chmod 600 ~/.ssh/known_hosts
ssh -p \$GIT_PORT -T git@\$GIT_HOST
└─ on the fingerprint prompt, verify it matches your Gitea's published key, then type 'yes'
# then sanity-check a clone (will delete itself):
git clone "\$GIT_URL" /tmp/psyc-test && rm -rf /tmp/psyc-test && echo OK
deploy.sh deliberately does not touch your SSH config.
HINT
exit 1
fi fi
fi fi