GitHub Actions CI/CD Tutorial Series — Part 1
Dive into a comprehensive step-by-step tutorial series, where you’ll learn how to harness the power of GitHub Actions CI/CD pipeline, Docker, and Docker Compose for your Kotlin Spring Boot application. We’ll use our Ubuntu instance on Linode from the previous tutorial, then integrate all the necessary tools and deploy the app with ease. Enhance your DevOps skills and streamline your workflow with our practical, real-world examples.
Prerequisites
- You went through Part 1, Part 2 and Part 3 of my Linode Tutorial series or watched my YouTube series.
- You have Docker Desktop installed and a little bit of Docker knowledge.
- Ktlint plugin for your IDE
Who should read this tutorial series?
Any developer who wants to gain DevOps skills and wants to make the app lifecycle more professional.
Disclaimer
The initial two parts focus on enhancing the security of our Ubuntu instance, laying a solid foundation for seamless deployment using GitHub Actions in the third part. This tutorial series might not cater to those who have prior experience setting up CI/CD pipelines on alternative platforms like GitLab or Jenkins. It’s worth noting that I am using macOS on my local machine; thus, Windows or Linux users may need to research some commands independently to adapt to their respective operating systems.
What the end result will look like:
Prologue
If you’ve seen my first videos on Habibi Coding YouTube then you might already know the CI/CD tutorial series is coming next. But before we begin with GitHub Actions, I want to improve some things on our Ubuntu instance on Linode.
Improve Ubuntu instance — Yalla | يلا
Replace your RSA key with ed25519
First, I want to replace our RSA keys with ed25519 keys, because ed25519 keys are considered more state-of-the-art and more secure. ed25519 keys offer superior performance and security compared to RSA keys. They are based on modern elliptic curve cryptography, which enables shorter key lengths while maintaining equivalent or higher security. Additionally, ed25519 keys boast faster key generation, signing, and verification processes, making them a more efficient choice for cryptographic operations. You can read more about it here on Teleport.
In your home directory, navigate to the .ssh/ folder and list everything inside:
cd .ssh/ && ls -la
We don’t need those RSA keys anymore, so just delete them. (Of course, you can leave them where they are if you use them somewhere else.)
rm id_rsa
rm id_rsa.pub
If you list again all files there should be no RSA keys:
ls -la
Create the ed25519 key with the following command:
ssh-keygen -a 100 -t ed25519 -C "{your-email}"
- ssh-keygen: The main command used for generating, managing, and converting authentication keys for SSH.
- -a 100: Specifies the number of rounds for the key derivation function (KDF). A higher number increases the time it takes to derive the private key from the passphrase, making it more resistant to brute-force attacks. In this case, 100 rounds are used.
- -t ed25519: Indicates the type of key to be generated, which is Ed25519 in this case. Ed25519 is an elliptic curve cryptography algorithm that offers better performance and security compared to RSA.
- -C "{your-email}": Adds a comment to the generated key pair, which is useful for identifying the key's purpose or owner.
I would also suggest adding a passphrase for your new ed25519 SSH key to make it more secure.
Now list again all files in your directory with:
ls -la
There you should see your new SSH keys id_ed25519 and id_ed25519.pub.
Copy the ed25519 key to your instance
Now, use secure copy to put your public SSH key id_ed25519.pub on your Ubuntu instance.
First, connect to your Ubuntu instance and make sure you have a folder called .ssh and a file called authorized_keys:
ssh {your-user}@{your-linode-ip}
When you are connected again type: ls -la
ls -la
Create the folder .ssh and the file authorized_keys:
mkdir .ssh && cd .ssh/ && touch authorized_keys
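Then log out again with: exit
Now, secure copy your public SSH key id_ed25519.pub to your user on the instance. Note that this replaces the whole authorized_keys file, so any keys already listed there are removed.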
scp ~/.ssh/id_ed25519.pub {your-user}@{your-ip}:~/.ssh/authorized_keys
Connect again to your Linode instance:
ssh {your-user}@{your-linode-ip}
At this point, you should be prompted only for your key passphrase.
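The scp command above writes your public key over the remote authorized_keys file. If that file may already hold other keys, appending is the safer operation. The function below is an added example, not part of the original tutorial; the name add_authorized_key and the sample keys are made up for illustration, and it is meant to run on the instance:

```shell
#!/usr/bin/env bash
# Added example: append a public key to authorized_keys instead of replacing the file.

# Constructed placeholder, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey you@example.com'

add_authorized_key() {   # $1 = one public key line, $2 = home directory (default: $HOME)
    key=$1
    dir=${2:-$HOME}/.ssh
    file=$dir/authorized_keys
    nl='
'
    # Accept exactly one ed25519 public key line, nothing else.
    case $key in
        *"$nl"*)         echo "key must be a single line" >&2; return 1 ;;
        "ssh-ed25519 "*) ;;
        *)               echo "not an ed25519 public key" >&2; return 1 ;;
    esac
    # sshd's StrictModes check rejects key files that other users can write to;
    # 700/600 is the usual tight setting.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    # Append only if this exact line is not there yet, so re-running is harmless.
    grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
}

# Demo in a throwaway directory: an existing key survives, the new one is added once.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.ssh"
printf '%s\n' 'ssh-ed25519 AAAAConstructedExistingKey other@example.com' \
    > "$demo_home/.ssh/authorized_keys"
add_authorized_key "$SAMPLE_KEY" "$demo_home"
add_authorized_key "$SAMPLE_KEY" "$demo_home"
cat "$demo_home/.ssh/authorized_keys"
```

From your local machine, OpenSSH's ssh-copy-id -i ~/.ssh/id_ed25519.pub {your-user}@{your-ip} performs the same kind of append.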
Change port number and disable password login
Next, when you are logged in, open the sshd_config file with Vim or Nano:
sudo vim /etc/ssh/sshd_config
You should see this file:
In these steps, we enhance the security of our Linode instance by disabling password-based logins and modifying the default port, a measure often regarded as security through obscurity.
Let us start with security through obscurity: change the Port setting from 22 to 1022.
After that, disable password authentication by changing PasswordAuthentication from yes to no.
Save and close the file. Before we restart sshd, we need to check whether any application already uses port 1022.
Let us display all applications and used ports:
sudo netstat -tunlp
Under “Local Address,” you will see local IP addresses along with their corresponding ports, displayed in the format {IP-Address}:{Port}. The section following the colon (:) represents the port number. In this case, none of the applications utilize port 1022.
Now restart the sshd service by entering:
sudo systemctl restart sshd
IMPORTANT: Open a NEW WINDOW and attempt to connect to your Linode instance using the newly assigned port 1022. However, DO NOT CLOSE your current SSH window while doing so.
ssh {your-user}@{your-ip} -p 1022
Please ensure that you DO NOT REMOVE the id_ed25519.pub and id_ed25519 files from your .ssh folder. Doing so will prevent you from logging in to your Linode instance without accessing the dashboard CLI or contacting customer support. Once you’ve confirmed this, you may use the exit command to log out from one of the windows.
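An edit to sshd_config only helps if sshd actually uses the edited value. For each keyword sshd takes the first value it reads, so a file pulled in by an Include line near the top of sshd_config can silently keep password logins enabled. The script below is an added example, not part of the original tutorial; the function name and both sample configs are constructed for illustration:

```shell
#!/usr/bin/env bash
# Added example. sshd_config rules modelled here: keywords are case-insensitive,
# "#" starts a comment line, and the FIRST value read for a keyword wins.
# Global settings end at the first Match block.
# Assumption: "Keyword value" form only (not "Keyword=value").

effective_value() {   # $1 = keyword, $2 = built-in default; config text on stdin
    awk -v kw="$1" -v def="$2" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*(#|$)/         { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # global section is over
        tolower($1) == kw      { print $2; found = 1; exit }
        END { if (!found) print def }
    '
}

# Constructed sample: the main file after the edits in this section.
MAIN_CONF='Include /etc/ssh/sshd_config.d/*.conf
#Port 22
Port 1022
PasswordAuthentication no'

# Constructed sample: a drop-in file (hypothetical) that the Include line
# pulls in BEFORE the rest of the main file is read.
DROPIN_CONF='PasswordAuthentication yes'

# Config text in the order sshd reads it: drop-in first, then the main file.
as_read_by_sshd() { printf '%s\n%s\n' "$DROPIN_CONF" "$MAIN_CONF"; }

echo "Port:                   $(as_read_by_sshd | effective_value Port 22)"
echo "PasswordAuthentication: $(as_read_by_sshd | effective_value PasswordAuthentication yes)"

# On the real host, let sshd itself check and print its effective settings:
#   sudo sshd -t && sudo sshd -T | grep -Ei '^(port|passwordauthentication) '
```

With the constructed drop-in in place, the port change takes effect but PasswordAuthentication still resolves to yes, which is exactly the case worth catching before you rely on key-only login.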
Install a firewall
The Uncomplicated Firewall (UFW) is a user-friendly front-end for managing iptables firewall rules on Ubuntu systems. Installing and using UFW on your Ubuntu instance offers several benefits:
- Simplified management: UFW provides an intuitive command-line interface for configuring and managing firewall rules, making it easier for users who are not familiar with the complex syntax of iptables.
- Security enhancement: By enabling UFW and configuring appropriate rules, you can protect your Ubuntu instance against unauthorized access, reducing the risk of security breaches and potential attacks.
- Application profiles: UFW supports application profiles, which are predefined sets of rules for specific applications. This allows you to easily apply necessary rules for commonly used applications and services without manual configuration.
- Default deny policy: UFW operates with a default deny policy, which means that all incoming connections are blocked unless explicitly allowed by a rule. This minimizes the attack surface and provides a secure starting point for configuring your firewall.
- Logging and monitoring: UFW offers configurable logging options to help you monitor and analyze network traffic, identify potential threats, and maintain an audit trail for security purposes.
- IPv6 support: UFW is compatible with both IPv4 and IPv6, ensuring your firewall is prepared for the transition to the newer addressing system and providing consistent security across both protocols.
Here is the command to install UFW:
sudo apt install ufw
Check the status of UFW:
sudo ufw status
Now it’s time to configure specific ports on our Linode Ubuntu instance that can be accessed from the internet.
Allow our new SSH port 1022:
sudo ufw allow 1022
Allow HTTP port access:
sudo ufw allow 80
Allow HTTPS port access:
sudo ufw allow 443
Now you need to enable UFW and confirm it:
sudo ufw enable
Check again the status of your firewall:
sudo ufw status
Okay, now type exit to log out.
Navigate to your local .ssh folder and add the SSH key to your SSH-agent. This step ensures that you don’t need to enter your SSH key passphrase each time you connect to your Linode instance, as long as you don’t turn off your device.
cd .ssh && ssh-add id_ed25519
Connect again to your Linode Ubuntu instance:
ssh {your-user}@{your-linode-ip} -p 1022
This time there shouldn’t be a passphrase prompt popping up.
With that, we conclude the first part of this tutorial series. If you found it useful and informative, give it a clap. Here is Part 2
Don’t forget to check out the video series on YouTube at https://www.youtube.com/@habibicoding.