Skip to content

How to have server config in git#

We use git to store and track servers / containers or VM specific configurations. See Explanation on server configuration with git

Setup the repository#

Normally we use root and we clone this repository in /opt/openfoodfacts-infrastructure

To be able to clone the repository you will need to use a deploy key.

If available you can use the root ssh public key.

Create one if necessary, copy the public key content (eg. /root/.ssh/id_ed25519.pub) and add it as a deploy key to this repository

You can then use a normal git clone command: cd /opt; git clone git@github.com:openfoodfacts/openfoodfacts-infrastructure.git

Create a ssh key#

If root has yet no key you can create a new one, with:

ssh-keygen -t ed25519 -C "root@some-descriptive-host-name"

Using multiple repository#

Strangely enough, Github only allows to access one repository per public key. If you need to clone more than one repository with the same user, you will need to create new ssh key, use a specific server-name to create the project and use a specific configuration to connect to the git server.

Here I will use root-my-project for example

Create a ssh key:

ssh-keygen -t ed25519 -C "root@my-project-my-server-name" -f "/root/.ssh/github_my-project"
# cat the pub key
cat /root/.ssh/github_my-project.pub

You can then add this key to the deploy keys of your projects.

But then, edit ssh config (eg /root/.ssh/config) to add an alias to github server for your project and specify the key we just created as authentication:

Host github.com-my-project
    Hostname github.com
    IdentityFile=/home/off/.ssh/github_my-project

Then clone your project using this server alias name:

git clone git@github.com-my-project:my-org/my-project.git`

For more information github documentation

Use repository to store server configurations#

See Explanation on server configuration with git

You simply create a folder for your service in confs/ directory.

Create a structure that loosely mimic the one in /etc for the files you have to modify. Them symlink /etc files to your repository files.

IMPORTANT: never ever put files with passwords in the git repository ! See Files with passwords

NOTE: /etc/pve on proxmox hosts is a specific fuse mount that just expose proxmox configuration as if they where files. You won't be able to use symlinks for this part.

BEWARE: logrotate needs file to be owned by root, or it will fail silently.

Files with passwords#

Try to isolate private file with as minimal content as possible (most services configuration enables that, either through include or specific directives).

If you have private files that you can't put in the repository, you have two situations:

  • if the file is easy to re-create (eg. a letsencrypt certificate, or an API key, or a password than can be reset easily) just leave it to the server only
  • if it's not easy to re-create, put it in the shared KeepassX

Use repository to store server scripts#

Server specific scripts can also be pushed to this repository to have a backup and follow evolution.