Git Push to Deploy: Automating Server Deployment with Post-Receive Hooks and Docker Compose

-

🔐 Secure Git Push-Based Deployment

This guide explains how to securely deploy a Docker-based application using Git push, with two users:

  • sshuser – non-root user responsible for pushing code.
  • myrootuser – root-privileged user responsible for executing deployment.

✅ Deployment Flow Summary

ActorActionRuns As
sshuserPushes code to bare Git reposshuser
post-receiveTriggers deploy scriptvia sudo -u myrootuser
deploy.shRuns Docker Composeas myrootuser

🧭 Step-by-Step Setup

🔹 1. On Server: Create Bare Git Repo (as sshuser)

ssh sshuser@your-server
mkdir -p ~/repos/myapp.git
cd ~/repos/myapp.git
git init --bare

🔹 2. Create post-receive Hook (as sshuser)

nano ~/repos/myapp.git/hooks/post-receive

Paste this:

#!/bin/bash
sudo -u myrootuser /home/myrootuser/deploy-scripts/deploy.sh

Make it executable:

chmod +x ~/repos/myapp.git/hooks/post-receive

🔹 3. Allow sshuser to Run Only This Script as myrootuser

Run as root or myrootuser:

sudo visudo -f /etc/sudoers.d/sshuser-deploy

Add this line:

sshuser ALL=(myrootuser) NOPASSWD: /home/myrootuser/deploy-scripts/deploy.sh

🔹 4. Create the deploy.sh Script (as myrootuser)

mkdir -p /home/myrootuser/deploy-scripts
nano /home/myrootuser/deploy-scripts/deploy.sh

Paste this:

#!/bin/bash

DEPLOY_DIR="/home/myrootuser/myapp"
REPO_DIR="/home/sshuser/repos/myapp.git"
LOG_FILE="$DEPLOY_DIR/deploy.log"

echo "[$(date)] Deployment triggered by git push." >> "$LOG_FILE"

# Checkout code
GIT_WORK_TREE=$DEPLOY_DIR git --git-dir=$REPO_DIR checkout -f >> "$LOG_FILE" 2>&1

cd "$DEPLOY_DIR" || exit 1

# Docker Compose actions
docker compose build >> "$LOG_FILE" 2>&1
docker compose down >> "$LOG_FILE" 2>&1
docker compose up -d >> "$LOG_FILE" 2>&1

echo "[$(date)] Deployment finished." >> "$LOG_FILE"

Make it executable:

chmod +x /home/myrootuser/deploy-scripts/deploy.sh

Ensure ownership of target directory:

mkdir -p /home/myrootuser/myapp
chown -R myrootuser:myrootuser /home/myrootuser/myapp

🔹 5. On Your Local Machine: Push Code to Server

git remote add production ssh://your-server-alias/home/sshuser/repos/myapp.git
git push production master
How to configure GIT_SSH_COMMAND for one-off pushes or set a permanent ~/.ssh/config alias with IdentityFile Using Custom SSH Keys with Git Push: How to Deploy Securely with -i


✅ Final Flow Recap

ActorActionRuns As
sshuserPushes code via Gitsshuser
post-receiveTriggers deploy scriptvia sudo -u myrootuser
deploy.shRuns Docker Composemyrootuser

🔐 Security Considerations

  • sshuser can only run the deploy script, not arbitrary sudo commands.
  • All Docker and sensitive actions are isolated under myappuser.
  • Logs are stored per deployment in /home/myrootuser/myapp/deploy.log.


Comments

Post a Comment

Popular posts from this blog

Mount StorageBox to the server for backup

-
  Quickly  solution Install cifs-utils: apt-get install cifs-utils Adjust and add the following lines to   crontab -e   : # reboot # This one should be moved to /etc/fstab @reboot /sbin/mount.cifs -o user=uXXXXXXXX,pass=xxxxxXXXXXX//uXXXXXX.your-storagebox.be/backup /mnt/storagebox_jobsites_backup/ SAMBA/CIFS You can mount your Storage Box via Samba/CIFS. You can use the following UNC path. If you are using your main account, the share name is  backup . If you are using a sub-account, you must use the username of the sub-account as the username and share name. Linux/Unix: //<username>.your-storagebox.de/<share_name> Windows \\<username>.your-storagebox.de\<share_name> If you use a FritzBox Router from AVM, you need to deactivate the NetBIOS filter for Samba/CIFS to work. Please check the AVM knowledge base for more information.  https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/835_Shared-files-and-printers-o...
Read more

psql: error: connection to server at "localhost" (127.0.0.1), port 5433 failed: ERROR: failed to authenticate with backend using SCRAM DETAIL: valid password not found

-
Image
ERROR psql: error: connection to server at "localhost" (127.0.0.1), port 5433 failed: ERROR: failed to authenticate with backend using SCRAM DETAIL: valid password not found Since Pgpool-II is a PostgreSQL proxy that works between clients and PostgreSQL servers, the authentication comprises two steps: Authentication between client and Pgpool-II Authentication between Pgpool-II and PostgreSQL servers Starting with Pgpool-II 4.0, Pgpool-II supports scram-sha-256 authentication. scram-sha-256 authentication method is strongly recommended because it is the most secure password-based authentication method. Solution 1 If PostgreSQL servers require  MD5  or  SCRAM  authentication for some user’s authentication but the password for that user is not present in  pool_passwd , then enabling  allow_clear_text_frontend_auth  will allow the  Pgpool-II  to use clear-text-password authentication with user to get the password in plain text form from the user ...
Read more

Keeping Your SSH Connections Alive: Configuring ServerAliveInterval and ServerAliveCountMax

-
Image
Maintaining a stable SSH connection is essential when working on remote servers. Disconnections due to inactivity can interrupt workflows and be quite frustrating. Fortunately, you can configure SSH to send periodic keep-alive messages, preventing your connection from timing out. Step-by-Step Guide 1. Open the SSH Client Configuration File Use your preferred text editor to modify the SSH configuration file. For example, with  vim : sudo vim /etc/ssh/ssh_config If OpenSSH is installed via Homebrew, the configuration file might be located at: /usr/ local /etc/ssh/ssh_config 2. Modify the Configuration Add the following lines after the  Host *  directive to apply these settings to all SSH connections: ServerAliveInterval 240 ServerAliveCountMax 10 ServerAliveInterval : Specifies the interval (in seconds) at which the client sends keep-alive messages to the server. In this case, every 240 seconds. ServerAliveCountMax : Limits the number of keep-alive messages sent w...
Read more