Fragmented Thought

Setting up per site read-only deploy keys using github



Lance Gliser

Heads up! This content is more than six months old. Take some time to verify everything still works as expected.

I'm going to forget this again if I don't write it down this time. Here's the scenario I was trying to overcome:

Single server, multiple sites, each backed by an independent repo cloned over ssh. Each site should have its own private ssh key, added to its remote repository as a deploy key. These deploy keys cannot be the private key the user uses to log in to the server.

The solution is this:


Each user can keep a config file in their .ssh folder (~/.ssh/config) that overrides the SSH hostname and key for any given host alias. Here's an example:

Host
    HostName
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/example-org-id_rsa

From there, any ssh clone performed on the server simply uses the custom hostname you defined in ~/.ssh/config in place of the real one:

would become

After that, git pull and push are seamless, and if you symlink the .ssh config file itself the other developers may never even need to know.
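A worked version of the per-site alias setup, as an added example that is not from the original post. It assumes the alias form github.com-<site> and the key path ~/.ssh/<site>-deploy_ed25519 (both my naming, not the author's), and it adds IdentitiesOnly yes so ssh offers only that key instead of every key the agent holds, since a loaded personal key could otherwise authenticate first and defeat the point of a read-only deploy key:

```shell
#!/bin/sh
# Added example, not code from the original post. Generates one ~/.ssh/config
# stanza per site so each checkout authenticates with its own deploy key.
# Assumed naming: alias "github.com-<site>", key "~/.ssh/<site>-deploy_ed25519".

# Print the config stanza for one site. IdentitiesOnly stops ssh from trying
# agent-held keys (such as the user's personal key) before the deploy key.
deploy_stanza() {
  site="$1"
  printf 'Host github.com-%s\n' "$site"
  printf '    HostName github.com\n'
  printf '    User git\n'
  printf '    PreferredAuthentications publickey\n'
  printf '    IdentitiesOnly yes\n'
  printf '    IdentityFile ~/.ssh/%s-deploy_ed25519\n' "$site"
}

# Rewrite a normal GitHub ssh clone URL to use the per-site alias:
#   git@github.com:org/repo.git -> git@github.com-<site>:org/repo.git
# Anything that is not a git@github.com: URL is passed through unchanged.
deploy_url() {
  site="$1"; url="$2"
  case "$url" in
    git@github.com:*) printf 'git@github.com-%s:%s\n' "$site" "${url#git@github.com:}" ;;
    *) printf '%s\n' "$url" ;;
  esac
}

# Append a stanza to a config file unless that alias is already defined.
# Returns 1 when the alias exists, so a second site never silently reuses a key.
add_deploy_host() {
  site="$1"; cfg="$2"
  if [ -f "$cfg" ] && grep -q "^Host github.com-$site\$" "$cfg"; then
    return 1
  fi
  deploy_stanza "$site" >> "$cfg"
  chmod 600 "$cfg"   # ssh refuses world-readable config/key files anyway
}
```

Run add_deploy_host for each site once, then clone with the URL that deploy_url prints; the key file itself is created separately (for example with ssh-keygen) and its public half is registered as the repository's read-only deploy key.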

But it's 2020 now...

We have better technology. If you're manually pulling your code, good for you for not using FTP, but come on. It's time to invest in hooks, and true DevOps. Start by reading up at GitHub Actions.