fix: Gitea Traefik routing and connection pool optimization
Some checks failed
🚀 Build & Deploy Image / Determine Build Necessity (push) Failing after 10m14s
🚀 Build & Deploy Image / Build Runtime Base Image (push) Has been skipped
🚀 Build & Deploy Image / Build Docker Image (push) Has been skipped
🚀 Build & Deploy Image / Run Tests & Quality Checks (push) Has been skipped
🚀 Build & Deploy Image / Auto-deploy to Staging (push) Has been skipped
🚀 Build & Deploy Image / Auto-deploy to Production (push) Has been skipped
Security Vulnerability Scan / Check for Dependency Changes (push) Failing after 11m25s
Security Vulnerability Scan / Composer Security Audit (push) Has been cancelled
Some checks failed
🚀 Build & Deploy Image / Determine Build Necessity (push) Failing after 10m14s
🚀 Build & Deploy Image / Build Runtime Base Image (push) Has been skipped
🚀 Build & Deploy Image / Build Docker Image (push) Has been skipped
🚀 Build & Deploy Image / Run Tests & Quality Checks (push) Has been skipped
🚀 Build & Deploy Image / Auto-deploy to Staging (push) Has been skipped
🚀 Build & Deploy Image / Auto-deploy to Production (push) Has been skipped
Security Vulnerability Scan / Check for Dependency Changes (push) Failing after 11m25s
Security Vulnerability Scan / Composer Security Audit (push) Has been cancelled
- Remove middleware reference from Gitea Traefik labels (caused routing issues) - Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s) - Add explicit service reference in Traefik labels - Fix intermittent 504 timeouts by improving PostgreSQL connection handling Fixes Gitea unreachability via git.michaelschiemer.de
This commit is contained in:
218
deployment/docs/guides/ssh-access.md
Normal file
218
deployment/docs/guides/ssh-access.md
Normal file
@@ -0,0 +1,218 @@
|
||||
# SSH-Zugriff Dokumentation
|
||||
|
||||
## Übersicht
|
||||
|
||||
Diese Dokumentation beschreibt die SSH-Zugriffskonfiguration für den Production-Server.
|
||||
|
||||
## SSH-Key-Generierung
|
||||
|
||||
### Neuen SSH-Key generieren
|
||||
|
||||
```bash
|
||||
# Auf Control-Node (lokal)
|
||||
ssh-keygen -t ed25519 -C "production-server" -f ~/.ssh/production
|
||||
|
||||
# Oder RSA (falls ed25519 nicht unterstützt)
|
||||
ssh-keygen -t rsa -b 4096 -C "production-server" -f ~/.ssh/production
|
||||
```
|
||||
|
||||
**Wichtig:**
|
||||
- Passphrase setzen (empfohlen)
|
||||
- Key sicher speichern
|
||||
- Private Key niemals teilen
|
||||
|
||||
### Key-Berechtigungen
|
||||
|
||||
```bash
|
||||
chmod 600 ~/.ssh/production
|
||||
chmod 644 ~/.ssh/production.pub
|
||||
```
|
||||
|
||||
## SSH-Config
|
||||
|
||||
### Control-Node Konfiguration
|
||||
|
||||
**Datei:** `~/.ssh/config`
|
||||
|
||||
```ssh-config
|
||||
Host production
|
||||
HostName <server-ip>
|
||||
User deploy
|
||||
IdentityFile ~/.ssh/production
|
||||
ServerAliveInterval 60
|
||||
ServerAliveCountMax 3
|
||||
StrictHostKeyChecking yes
|
||||
UserKnownHostsFile ~/.ssh/known_hosts
|
||||
```
|
||||
|
||||
**Wichtig:**
|
||||
- `<server-ip>` durch tatsächliche IP ersetzen
|
||||
- `deploy` ist der Standard-User (nach Setup)
|
||||
|
||||
### SSH-Config testen
|
||||
|
||||
```bash
|
||||
# Verbindung testen
|
||||
ssh production 'whoami'
|
||||
# Sollte ausgeben: deploy
|
||||
|
||||
# Ohne Passwort (Key-only)
|
||||
ssh production
|
||||
```
|
||||
|
||||
## Server-Setup
|
||||
|
||||
### Deploy-User erstellen
|
||||
|
||||
**Auf Server (als root):**
|
||||
```bash
|
||||
# User anlegen
|
||||
adduser deploy
|
||||
usermod -aG sudo deploy
|
||||
|
||||
# SSH-Verzeichnis erstellen
|
||||
mkdir -p /home/deploy/.ssh
|
||||
chmod 700 /home/deploy/.ssh
|
||||
```
|
||||
|
||||
### Public Key hinzufügen
|
||||
|
||||
**Option 1: ssh-copy-id (empfohlen)**
|
||||
```bash
|
||||
# Auf Control-Node
|
||||
ssh-copy-id -i ~/.ssh/production.pub deploy@<server-ip>
|
||||
```
|
||||
|
||||
**Option 2: Manuell**
|
||||
```bash
|
||||
# Auf Control-Node
|
||||
cat ~/.ssh/production.pub | ssh deploy@<server-ip> \
|
||||
"mkdir -p ~/.ssh && \
|
||||
cat >> ~/.ssh/authorized_keys && \
|
||||
chmod 600 ~/.ssh/authorized_keys && \
|
||||
chmod 700 ~/.ssh"
|
||||
```
|
||||
|
||||
**Option 3: Via Ansible (nach initialem Setup)**
|
||||
```bash
|
||||
# Wird automatisch über initial-server-setup.yml verwaltet
|
||||
```
|
||||
|
||||
### SSH-Key-only Authentication
|
||||
|
||||
**Auf Server:**
|
||||
```bash
|
||||
sudo nano /etc/ssh/sshd_config
|
||||
```
|
||||
|
||||
**Ändern:**
|
||||
```config
|
||||
PasswordAuthentication no
|
||||
PubkeyAuthentication yes
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
```
|
||||
|
||||
**Neu starten:**
|
||||
```bash
|
||||
sudo systemctl restart sshd
|
||||
```
|
||||
|
||||
**Wichtig:** Vorher sicherstellen, dass SSH-Key funktioniert!
|
||||
|
||||
## Ansible-Integration
|
||||
|
||||
### Inventory-Konfiguration
|
||||
|
||||
**Datei:** `deployment/ansible/inventory/production.yml`
|
||||
|
||||
```yaml
|
||||
all:
|
||||
children:
|
||||
production:
|
||||
hosts:
|
||||
server:
|
||||
ansible_host: <server-ip>
|
||||
ansible_user: deploy
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
ansible_ssh_private_key_file: ~/.ssh/production
|
||||
```
|
||||
|
||||
### Ansible-Verbindung testen
|
||||
|
||||
```bash
|
||||
cd ~/dev/michaelschiemer/deployment/ansible
|
||||
ansible production -m ping
|
||||
# Sollte ausgeben: pong
|
||||
```
|
||||
|
||||
## Sicherheit
|
||||
|
||||
### Best Practices
|
||||
|
||||
1. **SSH-Key mit Passphrase**
|
||||
- Private Key verschlüsselt
|
||||
- Passphrase bei jeder Nutzung
|
||||
|
||||
2. **Key-Rotation**
|
||||
- Regelmäßig neue Keys generieren
|
||||
- Alte Keys entfernen
|
||||
|
||||
3. **Fail2ban**
|
||||
- Automatische Sperrung bei Brute-Force
|
||||
- Optional, aber empfohlen
|
||||
|
||||
4. **SSH-Port ändern (optional)**
|
||||
- Standard-Port 22 ändern
|
||||
- Reduziert automatische Angriffe
|
||||
|
||||
5. **Root-Login deaktivieren**
|
||||
- Nur über deploy-User
|
||||
- Sudo für Admin-Tasks
|
||||
|
||||
### Fail2ban Installation
|
||||
|
||||
```bash
|
||||
# Auf Server
|
||||
sudo apt install fail2ban
|
||||
sudo systemctl enable fail2ban
|
||||
sudo systemctl start fail2ban
|
||||
|
||||
# Status prüfen
|
||||
sudo fail2ban-client status sshd
|
||||
```
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### SSH-Verbindung fehlgeschlagen
|
||||
|
||||
**Problem:** `Permission denied (publickey)`
|
||||
|
||||
**Lösung:**
|
||||
1. Key-Berechtigungen prüfen: `chmod 600 ~/.ssh/production`
|
||||
2. Public Key auf Server prüfen: `cat ~/.ssh/authorized_keys`
|
||||
3. SSH-Config prüfen: `ssh -v production`
|
||||
4. Server-Logs prüfen: `sudo tail -f /var/log/auth.log`
|
||||
|
||||
### Key-Format-Problem
|
||||
|
||||
**Problem:** `error in libcrypto`
|
||||
|
||||
**Lösung:**
|
||||
1. Neuen Key generieren (ed25519 oder RSA)
|
||||
2. WSL/libcrypto-Kompatibilität prüfen
|
||||
3. Key-Format prüfen: `file ~/.ssh/production`
|
||||
|
||||
### Ansible-Verbindung fehlgeschlagen
|
||||
|
||||
**Problem:** `ansible production -m ping` schlägt fehl
|
||||
|
||||
**Lösung:**
|
||||
1. SSH-Verbindung manuell testen: `ssh production`
|
||||
2. Inventory-Datei prüfen
|
||||
3. Python-Interpreter prüfen: `ansible production -m raw -a "which python3"`
|
||||
|
||||
## Referenzen
|
||||
|
||||
- `deployment/docs/guides/server-rebuild-plan.md` - Server-Neuaufbau Plan
|
||||
- `deployment/ansible/inventory/production.yml` - Ansible Inventory
|
||||
- `deployment/ansible/playbooks/initial-server-setup.yml` - Basis-Setup Playbook
|
||||
Reference in New Issue
Block a user