GitHub Actions CI/CD Tutorial Series — Part 1

Habibi Coding | حبيبي كودنق
Published in Geek Culture
8 min read, Apr 23, 2023

Dive into a comprehensive step-by-step tutorial series, where you’ll learn how to harness the power of GitHub Actions CI/CD pipeline, Docker, and Docker Compose for your Kotlin Spring Boot application. We’ll use our Ubuntu instance on Linode from the previous tutorial, integrate all the necessary tools, and deploy the app with ease. Enhance your DevOps skills and streamline your workflow with our practical, real-world examples.

Prerequisites

  1. You have gone through Part 1, Part 2 and Part 3 of my Linode Tutorial series or watched my YouTube series.
  2. You have Docker Desktop installed and a little bit of Docker knowledge.
  3. Ktlint plugin for your IDE

Who should read this tutorial series?

Any developer who wants to gain DevOps skills and wants to make the app lifecycle more professional.

Disclaimer

The initial two parts focus on enhancing the security of our Ubuntu instance, laying a solid foundation for seamless deployment using GitHub Actions in the third part. This tutorial series might not cater to those who have prior experience setting up CI/CD pipelines on alternative platforms like GitLab or Jenkins. It’s worth noting that I am using macOS on my local machine; thus, Windows or Linux users may need to research some commands independently to adapt to their respective operating systems.

What the end result will look like:

[Screenshot of cicd.yml]

Prologue

If you’ve seen my first videos on Habibi Coding YouTube then you might already know the CI/CD tutorial series is coming next. But before we begin with GitHub Actions, I want to improve some things on our Ubuntu instance on Linode.

Improve Ubuntu instance — Yalla | يلا

Replace your RSA key with ed25519

First, I want to replace our RSA keys with ed25519 keys, because ed25519 is considered more state-of-the-art and more secure. ed25519 keys offer superior performance and security compared to RSA keys. They are based on modern elliptic curve cryptography, which enables shorter key lengths while maintaining equivalent or higher security. Additionally, ed25519 keys boast faster key generation, signing, and verification processes, making them a more efficient choice for cryptographic operations. You can read more about it here on Teleport.

Navigate in your home directory to the .ssh/ folder and list everything inside:

cd .ssh/ && ls -la

We don’t need those RSA keys anymore, so just delete them. (Of course, you can leave them where they are if you use them somewhere else.)

rm id_rsa
rm id_rsa.pub

If you list all files again, there should be no RSA keys:

ls -la

Create the ed25519 key with the following command:

ssh-keygen -a 100 -t ed25519 -C "{your-email}"

  1. ssh-keygen: The main command used for generating, managing, and converting authentication keys for SSH.
  2. -a 100: Specifies the number of rounds for the key derivation function (KDF) that protects the private key file with your passphrase. A higher number makes each passphrase check slower, so a stolen key file is more resistant to brute-force attacks. In this case, 100 rounds are used.
  3. -t ed25519: Indicates the type of key to be generated, which is Ed25519 in this case. Ed25519 is an elliptic curve cryptography algorithm that offers better performance and security compared to RSA.
  4. -C "{your-email}": Adds a comment to the generated key pair, which is useful for identifying the key's purpose or owner.

I would suggest also adding a passphrase for your new ed25519 SSH key to make it more secure.

Now list all files in your directory again with:

ls -la

There you should see your new SSH keys id_ed25519 and id_ed25519.pub.

Copy the ed25519 key to your instance

Now, use secure copy to put your public SSH key id_ed25519.pub on your Ubuntu instance.

First, connect to your Ubuntu instance and make sure you have a folder called .ssh and a file called authorized_keys:

ssh {your-user}@{your-linode-ip}

When you are connected, list the contents of your home directory:

ls -la

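Create the folder .ssh and the file authorized_keys. The -p flag keeps mkdir from failing if .ssh already exists, and the chmod calls restrict the folder and the file to your user:

mkdir -p .ssh && chmod 700 .ssh && cd .ssh/ && touch authorized_keys && chmod 600 authorized_keys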

Then log out again with: exit

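Now, secure copy your public SSH key id_ed25519.pub to your user. Note that this command overwrites authorized_keys on the instance, so any other keys already listed in that file are removed: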

scp ~/.ssh/id_ed25519.pub {your-user}@{your-ip}:~/.ssh/authorized_keys

Connect again to your Linode instance:

ssh {your-user}@{your-linode-ip}

At this point, you should be prompted only for your key passphrase.

Change port number and disable password login

Next, once you are logged in, open the sshd_config file with Vim or Nano:

sudo vim /etc/ssh/sshd_config

You should see this file:

[Screenshot: sshd_config file]

In these steps, we enhance the security of our Linode instance by disabling password-based logins and modifying the default port, a measure often regarded as security through obscurity.

Let us start with security through obscurity by changing the Port directive from 22 to 1022 (uncomment the line if it starts with #).

After that, disable password authentication by changing PasswordAuthentication from yes to no.

Save and close the file. Before we restart sshd, we need to check whether any application already uses port 1022.

Let us display all applications and used ports:

sudo netstat -tunlp

Under “Local Address,” you will see local IP addresses along with their corresponding ports, displayed in the format {IP-Address}:{Port}. The section following the colon (:) represents the port number. In this case, none of the applications utilize port 1022.

Now restart the sshd service by entering:

sudo systemctl restart sshd

IMPORTANT: Open a NEW WINDOW and attempt to connect to your Linode instance using the newly assigned port 1022. However, DO NOT CLOSE your current SSH window while doing so.

ssh {your-user}@{your-ip} -p 1022

Please ensure that you DO NOT REMOVE the id_ed25519.pub and id_ed25519 files from your .ssh folder. Doing so will prevent you from logging in to your Linode instance without accessing the dashboard CLI or contacting customer support. Once you’ve confirmed this, you may use the exit command to log out from one of the windows.
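
To confirm that both changes are really in effect, check sshd's effective configuration rather than the file you edited: sshd uses the first value it finds for each keyword, so a setting in a file pulled in by an Include line near the top of sshd_config can take precedence over your edit. The script below is an added example, not part of the original tutorial; the function name check_sshd_effective and the two sample inputs are made up for illustration and stand in for the output of sudo sshd -T.

```sh
#!/bin/sh
# Added example, not from the original tutorial.
# check_sshd_effective PORT: reads `sshd -T` output on stdin (lowercase
# "keyword value" lines) and checks the settings this section relies on.
check_sshd_effective() {
    want_port="$1"; ports=""; pw=""; pubkey=""; rc=0
    while read -r key val; do
        case "$key" in
            port)                   ports="${ports:+$ports }$val" ;;  # one line per port
            passwordauthentication) pw="$val" ;;
            pubkeyauthentication)   pubkey="$val" ;;
        esac
    done
    if [ "$ports" != "$want_port" ]; then
        echo "FAIL: sshd listens on port(s) '$ports', expected only $want_port"
        rc=1
    fi
    if [ "$pw" != "no" ]; then
        echo "FAIL: passwordauthentication is '$pw', expected no"
        rc=1
    fi
    if [ "$pubkey" != "yes" ]; then
        echo "FAIL: pubkeyauthentication is '$pubkey', key logins would be refused"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: only port $want_port, key-only login"
    fi
    return "$rc"
}

# Constructed sample: excerpt of `sshd -T` output after the edits took effect.
sample_hardened() {
    printf '%s\n' 'port 1022' 'pubkeyauthentication yes' 'passwordauthentication no'
}

# Constructed sample: port 22 was left enabled next to 1022, and another
# config file set PasswordAuthentication yes before the edited line.
sample_overridden() {
    printf '%s\n' 'port 22' 'port 1022' 'pubkeyauthentication yes' 'passwordauthentication yes'
}

sample_hardened   | check_sshd_effective 1022
sample_overridden | check_sshd_effective 1022 || true
```

On the instance, feed it the real configuration with: sudo sshd -T | check_sshd_effective 1022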

Install a firewall

The Uncomplicated Firewall (UFW) is a user-friendly front-end for managing iptables firewall rules on Ubuntu systems. Installing and using UFW on your Ubuntu instance offers several benefits:

  1. Simplified management: UFW provides an intuitive command-line interface for configuring and managing firewall rules, making it easier for users who are not familiar with the complex syntax of iptables.
  2. Security enhancement: By enabling UFW and configuring appropriate rules, you can protect your Ubuntu instance against unauthorized access, reducing the risk of security breaches and potential attacks.
  3. Application profiles: UFW supports application profiles, which are predefined sets of rules for specific applications. This allows you to easily apply necessary rules for commonly used applications and services without manual configuration.
  4. Default deny policy: UFW operates with a default deny policy, which means that all incoming connections are blocked unless explicitly allowed by a rule. This minimizes the attack surface and provides a secure starting point for configuring your firewall.
  5. Logging and monitoring: UFW offers configurable logging options to help you monitor and analyze network traffic, identify potential threats, and maintain an audit trail for security purposes.
  6. IPv6 support: UFW is compatible with both IPv4 and IPv6, ensuring your firewall is prepared for the transition to the newer addressing system and providing consistent security across both protocols.

Here is the command to install UFW:

sudo apt install ufw

Check the status of UFW:

sudo ufw status

Now it’s time to configure specific ports on our Linode Ubuntu instance that can be accessed from the internet.

Allow our new SSH port 1022:

sudo ufw allow 1022

Allow HTTP port access:

sudo ufw allow 80

Allow HTTPS port access:

sudo ufw allow 443

Now you need to enable UFW and confirm it:

sudo ufw enable

Check the status of your firewall again:

sudo ufw status

Okay, now type exit to log out.

Navigate to your local .ssh folder and add the SSH key to your SSH-agent. This step ensures that you don’t need to enter your SSH key passphrase each time you connect to your Linode instance, as long as you don’t turn off your device.

cd .ssh && ssh-add id_ed25519

Connect again to your Linode Ubuntu instance, using the new port:

ssh {your-user}@{your-linode-ip} -p 1022

This time there shouldn’t be a passphrase prompt popping up.

With that, we conclude the first part of this tutorial series. If you found it useful and informative, give it a clap. Here is Part 2

Don’t forget to check out the video series on YouTube at https://www.youtube.com/@habibicoding.
