@guillaumewuip
Created June 26, 2016 16:49
Gitlab CI to dokku
###############################################################################
# Variables #
###############################################################################
variables:
  DOKKU_HOST: 'host.com'
  PROJECT_NAME: 'project_name'

###############################################################################
# Cache #
###############################################################################
cache:
  untracked: true
  paths:
    - node_modules/
  key: 'web_dependencies'

###############################################################################
# Templates #
###############################################################################
.deploy_template: &deploy_definition
  image: ubuntu
  stage: deploy
  before_script:
    # Install
    - apt-get update -y &>/dev/null
    - which ssh-keyscan || (apt-get install -y ssh &>/dev/null)
    - which git || (apt-get install -y git &>/dev/null)
    - which ssh-agent || (apt-get install openssh-client -y)
    # Add ssh private key $SSH_DEPLOY_KEY
    - eval $(ssh-agent -s)
    - ssh-add <(echo "$SSH_DEPLOY_KEY")
    # SSH config
    - mkdir -p ~/.ssh
    - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
    # Add dokku to known hosts
    - ssh-keyscan -H $DOKKU_HOST >> ~/.ssh/known_hosts
  script:
    - echo git push dokku@$DOKKU_HOST:$PROJECT_NAME master # debug
    - git push dokku@$DOKKU_HOST:$PROJECT_NAME master

###############################################################################
# Stages #
###############################################################################
stages:
  - deploy

deploy_to_dokku:
  <<: *deploy_definition
  only:
    - master
  environment: production
@Overdrivr
It's a nice base, but you should remove the "StrictHostKeyChecking" line, otherwise the known hosts definition is not used since it is not checked.

Also, redefining the known host each time you run the CI pipeline does not protect you against man in the middle. The ssh-keyscan command should be run once from a trusted network, and its output saved to a Gitlab CI secret. Then, inside this CI script, place the contents of that secret inside the known_hosts file.
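The hardening Overdrivr describes, written out as an added example that is not part of the gist: the pinned `ssh-keyscan` output is assumed to live in a protected CI variable (called `DOKKU_KNOWN_HOSTS` here, a name chosen for this example), it is written to `known_hosts` instead of being rescanned on every run, and the ssh config is switched to `StrictHostKeyChecking yes` so an unknown or changed key aborts the push. The `ssh_dir` parameter is only there so the functions can be exercised against a temporary directory.

```shell
#!/bin/sh
# Hardened replacement for the gist's "SSH config" / "Add dokku to known hosts"
# steps. Assumption (constructed for this example): DOKKU_KNOWN_HOSTS is a
# protected CI variable holding the output of
#   ssh-keyscan -t ed25519 host.com
# run once from a trusted network, *unhashed* (no -H) so the entry can be
# verified below.

# Usage: setup_ssh_trust <dokku_host> "$DOKKU_KNOWN_HOSTS" [ssh_dir]
# Returns 0 on success, 1 if the secret is empty or has no entry for the host.
setup_ssh_trust() {
  host="$1"
  pinned="$2"
  ssh_dir="${3:-$HOME/.ssh}"

  if [ -z "$pinned" ]; then
    echo "DOKKU_KNOWN_HOSTS is empty: refusing to deploy without a pinned host key" >&2
    return 1
  fi

  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  # Overwrite rather than append: the pinned secret is the only trust anchor.
  printf '%s\n' "$pinned" > "$ssh_dir/known_hosts"
  chmod 600 "$ssh_dir/known_hosts"

  # Strict checking: a key that is missing from, or differs from, the pinned
  # file aborts the git push instead of trusting whatever answers on the wire.
  printf 'Host %s\n\tStrictHostKeyChecking yes\n\tUserKnownHostsFile %s\n' \
    "$host" "$ssh_dir/known_hosts" > "$ssh_dir/config"
  chmod 600 "$ssh_dir/config"

  has_pinned_key "$host" "$ssh_dir/known_hosts"
}

# Usage: has_pinned_key <host> <known_hosts_file>
# Succeeds only if the file has an unhashed entry whose first field is
# "host", "host,addr" or "[host]:port".
has_pinned_key() {
  host="$1"
  file="$2"
  awk -v h="$host" '
    $1 == h || index($1, h ",") == 1 || index($1, "[" h "]:") == 1 { found = 1 }
    END { exit found ? 0 : 1 }' "$file"
}
```

In the pipeline this replaces the `echo -e "Host *..."` and `ssh-keyscan -H` lines with `setup_ssh_trust "$DOKKU_HOST" "$DOKKU_KNOWN_HOSTS" || exit 1` before the `git push`.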
