\u5728\u73b0\u4ee3\u524d\u540e\u7aef\u5206\u79bb\u6216\u9759\u6001\u7ad9\u70b9\uff0c\u5c06\u7f51\u7ad9\u4ee3\u7801\u5b89\u5168\u5feb\u901f\u7684\u63a8\u9001\u5230 Web \u670d\u52a1\u5668\u63d0\u9ad8\u6548\u7387\u7684\u5fc5\u7531\u4e4b\u8def\u3002<\/p>\n\n\n\n
\u5f00\u53d1\u8005\u5c06\u7f51\u7ad9\u4ee3\u7801 Push \u5230 GitLab \u7684\u4e3b\u5206\u652f\u3002GitLab CI \u542f\u52a8\u4e00\u4e2a\u4e34\u65f6\u7684\u8f7b\u91cf\u7ea7 Runner\uff0c\u901a\u8fc7 SSH \u89e6\u53d1 Web Server \u4e3b\u52a8\u62c9\u53d6 Git \u4ee3\u7801\u3002\u4e13\u7528\u7684 pushgit \u5bb9\u5668\u4e0e Nginx \u5bb9\u5668\u5206\u79bb\uff0c\u53ea\u6709\u9759\u6001\u8d44\u6e90\/\u4ee3\u7801\u6240\u5728\u7684\u76ee\u5f55\u662f\u5171\u4eab\u6302\u8f7d\u7684\u3002CI \u53ea\u4e0e pushgit \u5bb9\u5668\u901a\u4fe1\uff0c\u6ca1\u6709\u4efb\u4f55 Web Server \u7684\u5176\u5b83\u6743\u9650\u3002<\/p>\n\n\n\n
\u8fd9\u4e2a\u5bb9\u5668\u7528\u4e8e\u63a5\u53d7 GitLab CI \u7684SSH\u8bbf\u95ee\uff0c\u89e6\u53d1\u62c9\u53d6 Git \u66f4\u65b0\u7f51\u7ad9\u6587\u4ef6\u3002<\/p>\n\n\n\n
docker-compose.yml:<\/p>\n\n\n\n
pushgit:\n build: .\/pushgit\n image: pushgit\n container_name: pushgit\n restart: unless-stopped\n ports:\n - 2222:22\n environment:\n - TZ=Asia\/Shanghai\n volumes:\n - .\/yaoge1:\/var\/www\/yaoge1:rw\n - .\/yaoge2:\/var\/www\/yaoge2:rw<\/code><\/pre>\n\n\n\nDockerfile:<\/p>\n\n\n\n
FROM alpine:latest\n\nRUN sed -i 's#https\\?:\/\/dl-cdn.alpinelinux.org\/alpine#https:\/\/mirrors.cernet.edu.cn\/alpine#g' \/etc\/apk\/repositories\n\nRUN apk update --no-cache \\\n && apk upgrade --no-cache \\\n && apk add --no-cache tzdata ca-certificates openssh-server openssh-client git \\\n && update-ca-certificates \\\n && rm -rf \/var\/cache\/apk\/*\n\nCOPY --chmod=0600 host_key\/ssh_host_*_key \/etc\/ssh\/\nCOPY --chmod=0644 host_key\/ssh_host_*_key.pub \/etc\/ssh\/\nRUN echo \"PasswordAuthentication no\" > \/etc\/ssh\/sshd_config.d\/disable_password.conf \\\n && echo \"StrictHostKeyChecking accept-new\" > \/etc\/ssh\/ssh_config.d\/accept_hostkey.conf\n\nRUN adduser -D -u 1000 -h \/home\/pushgit -s \/home\/pushgit\/pushgit.sh pushgit && passwd -u pushgit\nCOPY --chown=pushgit:pushgit --chmod=0700 pushgit.sh \/home\/pushgit\/\nRUN install -d -m 0700 -o pushgit -g pushgit \/home\/pushgit\/.ssh\nCOPY --chown=pushgit:pushgit --chmod=0600 id_key\/id_* \/home\/pushgit\/.ssh\/\nCOPY --chown=pushgit:pushgit --chmod=0600 authorized_keys \/home\/pushgit\/.ssh\/\nRUN ssh-keyscan git.yaoge123.com >> \/home\/pushgit\/.ssh\/known_hosts \\\n && chown pushgit:pushgit \/home\/pushgit\/.ssh\/known_hosts \\\n && chmod 0644 \/home\/pushgit\/.ssh\/known_hosts\n\nCMD [\"\/usr\/sbin\/sshd\", \"-De\"]<\/code><\/pre>\n\n\n\npushgit.sh:<\/p>\n\n\n\n
#!\/bin\/sh\nset -e\necho \"$2: \"\ncd \"\/var\/www\/$2\" || { echo \"Directory not found!\"; exit 1; }\ngit config --global safe.directory \"\/var\/www\/$2\"\ngit fetch --all\ngit reset --hard @{upstream}\ngit clean -fd<\/code><\/pre>\n\n\n\nauthorized_keys:<\/p>\n\n\n\n
restrict,command=\"yaoge1\" ssh-ed25519 AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxZ gitlab-yaoge1\nrestrict,command=\"yaoge2\" ssh-ed25519 AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxU gitlab-yaoge2<\/code><\/pre>\n\n\n\nNginx \u914d\u7f6e<\/h3>\n\n\n\nserver {\n listen 80;\n listen [::]:80;\n server_name yaoge1.yaoge123.com;\n server_tokens off;\n return 301 https:\/\/$server_name$request_uri;\n}\n\nserver {\n listen *:443 ssl;\n listen [::]:443 ssl;\n server_name yaoge1.yaoge123.com;\n server_tokens off;\n \n include ssl\/acme-challenge.conf;\n include ssl\/yaoge123_com.conf;\n\n location ~ \/\\.git {\n return 404;\n }\n\n root \/var\/www\/yaoge1;\n}<\/code><\/pre>\n\n\n\nGitLab \u7aef\u914d\u7f6e<\/h2>\n\n\n\n
\u521b\u5efa\u4e00\u4e2a\u7528\u6237\uff08\u6bd4\u5982 WebServerPush\uff09\uff0c\u628a\u4e0a\u8ff0 id_key\/id_*.pub \u52a0\u5165\u7528\u6237\u7684 SSH Keys \u4e0b\uff0c\u628a\u8fd9\u4e2a\u7528\u6237\u52a0\u5165\u5230\u9879\u76ee\u6210\u5458\u4e2d\uff0c\u7ed9 Reporter \u89d2\u8272\u3002\u8fd9\u4e2a\u7528\u6237\u662f\u516c\u7528\u7684\uff0c\u6240\u6709\u7c7b\u4f3c\u7684\u9879\u76ee\u90fd\u6dfb\u52a0\u8fd9\u4e2a\u7528\u6237\u5373\u53ef\u3002<\/p>\n\n\n\n
\u751f\u6210\u4e00\u5bf9\u7f51\u7ad9\u9879\u76ee\u4e13\u7528\u7684 key\uff0c\u5176\u4e2d\u516c\u94a5\u653e\u5230\u4e0a\u8ff0 authorized_keys \u4e2d\uff0c\u79c1\u94a5\u7ecfBASE64\u7f16\u7801\u540e\u5b58\u5230CI\/CD\u53d8\u91cf\u4e2d\u3002<\/p>\n\n\n\n\u53d8\u91cf\u952e\u503c (Key)<\/td> \u8bf4\u660e<\/td><\/tr> SSH_PRIVATE_KEY_BASE64<\/td> SSH \u79c1\u94a5\u7684Base64\u7f16\u7801\uff0c\u9009\u62e9 Masked and hidden \u548c Protect variable<\/td><\/tr> SERVER_IP<\/td> Web Server \u7684 IP<\/td><\/tr> SERVER_PORT<\/td> pushgit \u5bb9\u5668\u66b4\u9732\u7684 SSH \u7aef\u53e3\uff08\u5982\u4e0a\u6587\u793a\u4f8b\u7684 2222\uff09<\/td><\/tr> SSH_USER<\/td> pushgit \u5bb9\u5668\u5185\u7684\u64cd\u4f5c\u8d26\u6237\uff08\u5982\u4e0a\u6587\u793a\u4f8b\u7684 pushgit\uff09<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n.gitlab-ci.yml<\/p>\n\n\n\n
deploy_to_server:\n stage: deploy\n image: alpine:latest\n before_script:\n - apk add --no-cache openssh-client coreutils\n - echo \"$SSH_PRIVATE_KEY_BASE64\" | base64 -d > .\/ssh_key\n - chmod 400 .\/ssh_key\n script:\n - ssh -o StrictHostKeyChecking=accept-new -i .\/ssh_key -T -p $SERVER_PORT $SSH_USER@$SERVER_IP<\/code><\/pre>\n\n\n\n\u4e0b\u9762\u53ea\u8981\u5728 Web Server \u4e0a\u7528 git clone \u521d\u59cb\u5316\u4e00\u4e0b\u5373\u53ef\uff0c\u540e\u7eed\u53ea\u8981 git \u63a8\u9001\u4e86\u65b0\u7684\u6587\u4ef6\uff0c\u5c31\u4f1a\u81ea\u52a8\u89e6\u53d1\u66f4\u65b0\u3002<\/p>\n\n\n\n\n","protected":false},"excerpt":{"rendered":"
\u5728\u73b0\u4ee3\u524d\u540e\u7aef\u5206\u79bb\u6216\u9759\u6001\u7ad9\u70b9\uff0c\u5c06\u7f51\u7ad9\u4ee3\u7801\u5b89\u5168\u5feb\u901f\u7684\u63a8\u9001\u5230 Web \u670d\u52a1\u5668\u63d0\u9ad8\u6548\u7387\u7684\u5fc5\u7531\u4e4b\u8def\u3002 \u67b6\u6784 \u5f00\u53d1\u8005\u5c06\u7f51\u7ad9 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[165,11,1],"tags":[],"class_list":["post-3456","post","type-post","status-publish","format-standard","hentry","category-internet","category-xnix","category-1"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paOwEq-TK","_links":{"self":[{"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/posts\/3456","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/comments?post=3456"}],"version-history":[{"count":3,"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/posts\/3456\/revisions"}],"predecessor-version":[{"id":3459,"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/posts\/3456\/revisions\/3459"}],"wp:attachment":[{"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/media?parent=3456"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/categories?post=3456"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/tags?post=3456"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}