feat(deploy): improve ssh key handling and deployment security

- Remove hardcoded SSH private key file path from workflow
- Use proper SSH directory structure (~/.ssh/) for key storage
- Add known_hosts file for improved SSH security
- Move environment variables to dedicated env block
- Remove StrictHostKeyChecking=no for better security
- Update deploy script to use proper SSH key path
- Maintain deployment path configuration via environment variables

.gitea/workflows/deploy.yaml

@@ -17,8 +17,6 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - run: echo "${{ secrets.SSH_PRIVATE_KEY }}" > /private.key
-      - run: chmod 600 /private.key
       - run: |
           export HUGO_VERSION=$(curl --silent -I https://github.com/gohugoio/hugo/releases/latest | grep location | sed 's|.*tag/||' | tr -d '\r')
           export HUGO_VERSION_SHORT=$(echo ${HUGO_VERSION} | sed 's/v//')
@@ -27,10 +25,17 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: true
-      - run: APP_VERSION=latest make
       - run: |
-          export SSH_PRIVATE_KEY=/private.key
+          mkdir -p ~/.ssh/
-          export SSH_USERNAME=${{ secrets.SSH_USERNAME }}
+          echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
-          export DEPLOYMENT_HOST=${{ secrets.DEPLOYMENT_HOST }}
+          chmod 600 ~/.ssh/id_ed25519
-          export DEPLOYMENT_PATH=${{ secrets.DEPLOYMENT_PATH }}
+          echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
+          make
           make deploy
+        env:
+          SSH_USERNAME: ${{ vars.SSH_USERNAME }}
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          SSH_KNOWN_HOSTS: ${{ vars.SSH_KNOWN_HOSTS }}
+          DEPLOYMENT_HOST: ${{ vars.DEPLOYMENT_HOST }}
+          DEPLOYMENT_PATH: ${{ vars.DEPLOYMENT_PATH }}
+          APP_VERSION: ${{ vars.GITHUB_REF_NAME }}

deploy.sh

@@ -5,7 +5,6 @@ set -e
 # FLOW
 ###
 #
-# if the private key variable is set, prepend "-i" to it
 # if the username variable is set, append the at sign to it
 # if either the deployment host or deployment path variables are not set, return an error
 # tarball the built website and scp it to the deployment host
@@ -13,11 +12,6 @@ set -e
 # then remove everything in the data path, untar the tarball and reload the server
 # finally remove the tarball, both from the remote host and locally (cleanup)
 
-# Check if the private key variable is set
-if [ ! -z "${SSH_PRIVATE_KEY}" ]; then
-    SSH_PRIVATE_KEY="-i ${SSH_PRIVATE_KEY}"
-fi
-
 # Check if the username variable is set
 if [ ! -z "${SSH_USERNAME}" ]; then
     SSH_USERNAME="${SSH_USERNAME}@"
@@ -29,9 +23,12 @@ if [ -z "${DEPLOYMENT_HOST}" ] || [ -z "${DEPLOYMENT_PATH}" ]; then
     exit 1
 fi
 
+# Compress the built website and scp it to the remote host
 tar -czf httpdocs.tgz -C public .
-scp -o StrictHostKeyChecking=no ${SSH_PRIVATE_KEY} httpdocs.tgz ${SSH_USERNAME}${DEPLOYMENT_HOST}:/tmp/httpdocs.tgz
+scp ${SSH_PRIVATE_KEY} httpdocs.tgz ${SSH_USERNAME}${DEPLOYMENT_HOST}:/tmp/httpdocs.tgz
-ssh -o StrictHostKeyChecking=no ${SSH_PRIVATE_KEY} ${SSH_USERNAME}${DEPLOYMENT_HOST} "DEPLOYMENT_PATH=$DEPLOYMENT_PATH bash" << 'EOF'
+
+# SSH to the remote host, cd to the deployment path, and deploy the website (delete and overwrite everything)
+ssh ${SSH_PRIVATE_KEY} ${SSH_USERNAME}${DEPLOYMENT_HOST} "DEPLOYMENT_PATH=$DEPLOYMENT_PATH bash" << 'EOF'
   cd ${DEPLOYMENT_PATH}
   DATAPATH=$(cat .env | grep "NGINX_DATA" | sed "s/NGINX_DATA=//g")
   rm -rf ${DATAPATH}/{*,.*}