Issue CI/CD server security #6
Labels
No labels
Compat/Breaking
Compat/Deprecation
Kind
Bug
Kind
Chore
Kind
Documentation
Kind
Enhancement
Kind
Feature
Kind
Investigation
Kind
Question
Kind
Security
Kind
Testing
Meta/Good First Issue
Meta/Help Wanted
Meta/Stale
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Resolution
Confirmed
Resolution
Duplicate
Resolution
Invalid
Resolution
Won't Fix
Status
Abandoned
Status
Blocked
Status
Needs More Info
Status
Needs Triage
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
XeplosionGames/.forgejo#6
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Type of chore
Security hardening
What needs doing and why?
The current server setup uses a single
cicduser with a shared home directorycontaining all repo clones. This means any workflow has filesystem access to every
other service's files. The planned model uses a dedicated Linux user per service,
each owning only its own files, with SSH access locked to a single forced command.
The following work is outstanding on both the VPS (
node-i440fx) and hub (hub-x9scl-f).VPS —
node-i440fxsvc-nginxuser (/usr/sbin/nologin, home/home/svc-nginx/)svc-bungeecorduser (/usr/sbin/nologin, home/home/svc-bungeecord/)forgejo-runneruser (/usr/sbin/nologin, no SSH, home/home/forgejo-runner/)devuser (/usr/sbin/nologin, key-only SSH, restricted sudo)node-nginxinto/home/svc-nginx/node-nginx/owned bysvc-nginxnode-bungeecordinto/home/svc-bungeecord/node-bungeecord/owned bysvc-bungeecorddeploy.shfor each service user (not in any repo)authorized_keysentry per service user withcommand=restriction pointing atdeploy.shsudoers.d/svc-nginx→NOPASSWD: /bin/systemctl reload nginxsudoers.d/svc-bungeecord→NOPASSWD: /bin/systemctl restart bungeecordcicduser and home directory once all services are migratedforgejo-runneruser, update WireGuard URL to hubHub —
hub-x9scl-fsvc-nginxusersvc-forgejousersvc-mc-survivaluser (ensure ownership of/opt/minecraft/survival/)svc-mc-moddeduser (ensure ownership of/opt/minecraft/modded/)svc-zulipuser (ensure ownership of/opt/zulip/)svc-uptime-kumauserforgejo-runneruser (no SSH, no sudo)devuser (/usr/sbin/nologin, key-only SSH, restricted sudo)deploy.shfor each service user (not in any repo)authorized_keysentry per service user withcommand=restrictionsudoers.d/entry for each service user — one command each, NOPASSWDcicduser once all services are migratedhubBoth servers
chmod 700)deploy.shfiles are owned by root and not writable by the service usercommand=restrictions are correct by testing with the deploy key from a local machinehub,vps) are registered correctly in ForgejoRisk or impact
Requires migrating the runner on the VPS to point at hub-hosted Forgejo (part of the
Forgejo migration, tracked separately if not yet complete). Service users need correct
ownership of existing files before the old
cicduser is removed — migrate one serviceat a time and test CI/CD before removing the fallback.
No user-facing behaviour changes. This is a backend permissions restructuring.
Additional context
Full user and permissions reference:
docsbranch →INFRASTRUCTURE-VPS.md,INFRASTRUCTURE-HUB.mdDeploy script pattern (root-owned, minimal surface):
authorized_keys command= restriction pattern: