---
tags:
- servers
---
# Create a deploy user
When I want to run deploy operations on my server from a client that is not me
(e.g. Forgejo), it is best to create a dedicated user for this purpose with
limited permissions - more restricted than my own `/home` user.
Create user on server:
```sh
sudo useradd -m -s /bin/bash deploy
```
> `-m` gives him a home directory which is necessary for him to have an `.ssh/`
> directory. `/bin/bash` gives him the ability to run shell commands.
Give permissions:
```sh
sudo chown -R deploy:www-data /var/www
sudo chmod -R 755 /var/www/
```
This:
- Makes `deploy` the owner of `/var/www` and sets its group to that of the
  default web server user (`www-data`)
- Gives the `deploy` user full read/write/execute (`755`: owner `rwx`, group
  and others `r-x`)
Then create an SSH key-pair for the deploy user following the steps at
[Generating an SSH key for server access](./Generating_SSH_key_for_server_access.md)
and add his public key to the `authorized_keys` file on the server.
He'll first need his own `.ssh` directory however:
```sh
sudo mkdir -p /home/deploy/.ssh
sudo touch /home/deploy/.ssh/authorized_keys
sudo chmod 700 /home/deploy/.ssh
sudo chmod 600 /home/deploy/.ssh/authorized_keys
sudo chown -R deploy:deploy /home/deploy/.ssh
```
Then attempt to connect to ensure SSH access is working:
```sh
ssh -i .ssh/deploy_self_host_server deploy@server_ip
```
Now the SSH key associated with the deploy user can be used to remotely execute
deployment functions on the server from any client.
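As an added example (not part of the original note), a small POSIX sh audit that checks the `.ssh` ownership and modes set up above and flags any key in `authorized_keys` that is not pinned to a forced command, so a key held by a CI client like Forgejo can only run the deploy script rather than open a full shell. It assumes GNU coreutils (`stat -c`); the script name and `/usr/local/bin/deploy.sh` are hypothetical.

```sh
#!/bin/sh
# audit_deploy_user.sh (hypothetical name): check the deploy user's SSH setup.
# Assumes GNU coreutils (stat -c). Paths default to those used in the note.

# check_mode PATH OCTAL -> 0 if PATH has exactly that mode, 1 otherwise
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# check_owner PATH USER -> 0 if PATH is owned by USER, 1 otherwise
check_owner() {
    actual=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# unrestricted_keys FILE -> prints the line number of every key in FILE that
# carries neither the `restrict` option nor a `command="..."` forced command,
# i.e. a key that would give its holder an ordinary login shell.
# Returns 1 if any such key exists, 0 otherwise.
unrestricted_keys() {
    awk '
        /^[[:space:]]*(#|$)/             { next }                         # comment / blank
        /^[[:space:]]*(ssh-|ecdsa-|sk-)/ { print NR; found = 1; next }    # key with no options
        !/(^|,)restrict(,|[[:space:]])/ && !/command="/ { print NR; found = 1 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# audit_deploy_user HOME USER -> returns the number of failed checks (0 = ok)
audit_deploy_user() {
    fails=0
    check_mode  "$1/.ssh" 700                   || fails=$((fails + 1))
    check_mode  "$1/.ssh/authorized_keys" 600   || fails=$((fails + 1))
    check_owner "$1/.ssh" "$2"                  || fails=$((fails + 1))
    check_owner "$1/.ssh/authorized_keys" "$2"  || fails=$((fails + 1))
    unrestricted_keys "$1/.ssh/authorized_keys" >/dev/null || fails=$((fails + 1))
    return "$fails"
}

# Usage: sudo sh audit_deploy_user.sh /home/deploy deploy
if [ "$#" -eq 2 ]; then
    audit_deploy_user "$1" "$2" && echo "ok" || echo "failed checks: $?"
fi
```

Run it after the `chmod`/`chown` steps above; any line number it prints is a key in `authorized_keys` worth rewriting as `restrict,command="..." <key>`.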
Next: add the deploy user's key to the Forgejo eolas-api repo and test the
action again.
## Rewrite later:
This:
```sh
sudo chown -R deploy:deploy /data/sqlite/eolas
sudo chmod -R 770 /data/sqlite/eolas
```
doesn't require the user to be specified in the `chmod`, because the preceding
`chown` makes him the owner.
This invites a problem though: what if you need multiple owners, each with
certain permissions? That is when you would use a group.
In this scenario, the data will only need to be accessed by `deploy` so it is
sufficient to make him the sole owner.