# SSH Key Management

This directory should contain SSH private keys for deployment to different environments.

## Setup Instructions

### 1. Generate SSH Key Pairs

For each environment, generate a dedicated SSH key pair:

```bash
# Generate production key
ssh-keygen -t ed25519 -f deploy/keys/production_key -C "calejo-production-deploy" -N ""

# Generate staging key
ssh-keygen -t ed25519 -f deploy/keys/staging_key -C "calejo-staging-deploy" -N ""

# Set proper permissions
chmod 600 deploy/keys/*
```

### 2. Deploy Public Keys to Servers

Copy the public keys to the target servers:

```bash
# For production
ssh-copy-id -i deploy/keys/production_key.pub calejo@production-server.company.com

# For staging
ssh-copy-id -i deploy/keys/staging_key.pub calejo@staging-server.company.com
```

### 3. Configure SSH on Servers

On each server, ensure the deployment user has proper permissions:

```bash
# Add to sudoers (if needed)
echo "calejo ALL=(ALL) NOPASSWD: /usr/bin/docker-compose, /bin/systemctl" | sudo tee /etc/sudoers.d/calejo
```

## Security Notes

- **Never commit private keys** to version control
- **Set proper permissions**: `chmod 600 deploy/keys/*`
- **Use passphrase-protected keys** in production
- **Rotate keys regularly**
- **Use different keys** for different environments

## File Structure

```
deploy/keys/
├── README.md            # This file
├── production_key       # Production SSH private key (gitignored)
├── production_key.pub   # Production SSH public key (gitignored)
├── staging_key          # Staging SSH private key (gitignored)
└── staging_key.pub      # Staging SSH public key (gitignored)
```

## Environment Variables

For additional security, you can also use environment variables:

```bash
export CALEJO_DEPLOY_KEY_PATH="deploy/keys/production_key"
export CALEJO_DEPLOY_PASSPHRASE="your-passphrase"
```
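
The first three Security Notes can be checked mechanically before a deploy. The script below is an added example, not part of this project's tooling; the function names and the `audit_keys.sh` file name are assumptions. It reports private keys with loose permissions, keys that an empty passphrase unlocks (which is what `-N ""` produces), and keys that git tracks or does not ignore.

```bash
#!/bin/sh
# Added example: audit private keys in a directory against the Security Notes.
# Function names and the script's usage are assumptions of this example.

# Octal permission bits of a file (GNU stat, then BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# True if only the owner can read the key (600, or the stricter 400).
check_mode() {
    case "$(file_mode "$1")" in 600|400) return 0 ;; *) return 1 ;; esac
}

# True if the file is tracked by git or is not covered by an ignore rule.
# A key committed before it was ignored still counts as exposed, and so
# does any key when the script is run outside a git repository.
exposed_to_git() {
    git ls-files --error-unmatch -- "$1" >/dev/null 2>&1 && return 0
    git check-ignore -q -- "$1" 2>/dev/null && return 1
    return 0
}

# True if an empty passphrase does not unlock the key. Call only after
# check_mode passes: ssh-keygen also refuses keys with loose permissions.
has_passphrase() {
    ! ssh-keygen -y -P "" -f "$1" </dev/null >/dev/null 2>&1
}

# Audit every non-.pub, non-README file in a key directory.
# Prints one line per finding and returns the number of findings.
audit_dir() {
    findings=0
    for key in "$1"/*; do
        case "$key" in *.pub|*/README.md) continue ;; esac
        [ -f "$key" ] || continue
        if ! check_mode "$key"; then
            echo "FAIL $key: mode $(file_mode "$key"), expected 600"
            findings=$((findings + 1))
        elif ! has_passphrase "$key"; then
            echo "WARN $key: an empty passphrase unlocks this key"
            findings=$((findings + 1))
        fi
        if exposed_to_git "$key"; then
            echo "FAIL $key: tracked by git or not gitignored"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: sh audit_keys.sh deploy/keys   (run from the repository root)
if [ "$#" -gt 0 ]; then audit_dir "$1"; fi
```

A non-zero exit status is the number of findings, so the script can gate a deploy step directly.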