Reputation: 9133
I am working on a PHP project.
I have 2 servers:
- GitLab server
- production server (apache2 + php + mysql)
My PHP source files are stored and versioned on my GitLab server. I want to automatically deploy PHP files to the production server.
Here is what I have done:
- I have created a "deployer" user on the production server.
- I have run ssh-keygen for this user.
- I have copied and pasted the SSH private key (/home/deployer/.ssh/id_rsa) into a GitLab secret variable.
Here is an extract of the .gitlab-ci.yml file:

    deploy:
      stage: deploy
      when: manual
      only:
        - master
      script:
        - echo "${SSH_PRIVATE_KEY}" > id_rsa
        - chmod go-rwx ./id_rsa
        - rsync -hrvz --delete --exclude '.git*' --exclude id_rsa -e 'ssh -o StrictHostKeyChecking=no -i ./id_rsa' ./ [email protected]:/var/www/html

Everything works.
My problem is the need to create a temporary id_rsa file to store the private key for rsync. This file is excluded from rsync, but I am upset about this file. If someone accidentally removes the rsync --exclude options, my id_rsa file will be exposed on the webserver.
So my question is: how can I work without having to store the private key in a temp file?
Thanks
Upvotes: 0
Views: 736
Reputation: 6653
Is there a reason to create the id_rsa file in the same folder as your project? If you simply move the id_rsa file from the project folder to, say, the /home/local-user/.ssh folder, you won't have to worry about an accidental copy. Sorry for typos, writing from phone...
Upvotes: 1
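
One way to run the same job without any key file in the workspace, shown as an added example that is not part of the original posts: the key is piped from the CI variable into an ssh-agent, and the host key is pinned in ~/.ssh rather than the project folder. `SSH_KNOWN_HOSTS` and `DEPLOY_HOST` are hypothetical CI/CD variables, and the runner image is assumed to provide ssh-agent, ssh-add and rsync.

```yaml
# Added example, not the asker's configuration.
# Assumed CI/CD variables: SSH_PRIVATE_KEY (from the question),
# SSH_KNOWN_HOSTS and DEPLOY_HOST (hypothetical names).
deploy:
  stage: deploy
  when: manual
  only:
    - master
  before_script:
    # Start an agent for this job and load the key over stdin, so no id_rsa
    # file is ever written. tr strips carriage returns that may have been
    # pasted into the variable.
    - eval "$(ssh-agent -s)"
    - echo "${SSH_PRIVATE_KEY}" | tr -d '\r' | ssh-add -
    # Pin the production host key in the home directory, outside the
    # directory that rsync uploads, instead of disabling host key checking.
    - mkdir -p ~/.ssh && chmod 700 ~/.ssh
    - echo "${SSH_KNOWN_HOSTS}" > ~/.ssh/known_hosts
    - chmod 644 ~/.ssh/known_hosts
  script:
    # No -i option and no --exclude id_rsa: ssh gets the key from the agent,
    # so dropping an exclude can no longer publish it under /var/www/html.
    - rsync -hrvz --delete --exclude '.git*' -e 'ssh -o StrictHostKeyChecking=yes' ./ "deployer@${DEPLOY_HOST}:/var/www/html"
```

The value for `SSH_KNOWN_HOSTS` can be collected once with `ssh-keyscan` against the production server and compared with the server's actual host key before it is stored.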