Deploy SSH Keypairs with Reis (YAML Mode)

SSH keypairs can be declared in your bahriya.yml file under the vaults section and applied with reis apply.

Updated 23 Jun 2026

YAML structure

vaults:
  ssh_keypairs:
    deploy-key:
      name: Production Deploy Key
      public_key: "{{ file:./keys/deploy.pub }}"
      private_key: "{{ file:./keys/deploy }}"

The {{ file:./path }} helper reads the file content at apply time, so you can keep your key files separate from the YAML declaration.
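
Because the helper reads whatever is on disk at apply time, it is worth linting the referenced files before running reis apply. The script below is an added example, not part of Reis or its documentation: it finds each {{ file:... }} reference on a public_key or private_key line and flags missing files, swapped public/private files, and private keys accessible to group or other. It assumes relative paths resolve against the directory holding bahriya.yml; lint_keypair_refs and demo are hypothetical names, and the key files written by demo are constructed placeholders.

```python
import os, re, stat, tempfile

# The page's helper syntax, e.g.  private_key: "{{ file:./keys/deploy }}"
REF = re.compile(r'^\s*(public_key|private_key):\s*"?\{\{\s*file:(\S+?)\s*\}\}"?\s*$', re.M)

SAMPLE_YAML = '''vaults:
  ssh_keypairs:
    deploy-key:
      name: Production Deploy Key
      public_key: "{{ file:./keys/deploy.pub }}"
      private_key: "{{ file:./keys/deploy }}"
'''

def lint_keypair_refs(yaml_text, base_dir):
    """Return findings for each key file referenced through {{ file:... }}."""
    findings = []
    for field, rel in REF.findall(yaml_text):
        # Assumption: relative paths resolve against the directory of bahriya.yml.
        path = os.path.normpath(os.path.join(base_dir, rel))
        if not os.path.isfile(path):
            findings.append(f"{field}: {rel} does not exist")
            continue
        with open(path, "rb") as fh:
            head = fh.read(64)
        is_private = head.startswith(b"-----BEGIN") and b"PRIVATE KEY" in head
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if field == "private_key" and not is_private:
            findings.append(f"{field}: {rel} is not a PEM/OpenSSH private key")
        elif field == "private_key" and mode & 0o077:
            findings.append(f"{field}: {rel} is accessible to group/other (mode {mode:o})")
        elif field == "public_key" and is_private:
            findings.append(f"{field}: {rel} contains a private key")
        elif field == "public_key" and not head.startswith((b"ssh-", b"ecdsa-", b"sk-")):
            findings.append(f"{field}: {rel} is not an OpenSSH public key line")
    return findings

def demo():
    """Lint constructed placeholder key files before and after fixing the mode."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "keys"))
        pub, priv = (os.path.join(base, "keys", n) for n in ("deploy.pub", "deploy"))
        with open(pub, "w") as fh:   # constructed placeholder, not a real key
            fh.write("ssh-ed25519 AAAAC3CONSTRUCTEDPLACEHOLDER deploy@example\n")
        with open(priv, "w") as fh:  # constructed placeholder, not a real key
            fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n-----END OPENSSH PRIVATE KEY-----\n")
        os.chmod(priv, 0o644)        # deliberately too open, to trigger a finding
        before = lint_keypair_refs(SAMPLE_YAML, base)
        os.chmod(priv, 0o600)
        return before, lint_keypair_refs(SAMPLE_YAML, base)

if __name__ == "__main__":
    print(demo())
```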

Attaching to a project

projects:
  production:
    attachments:
      vaults:
        ssh_keypairs: [deploy-key]

Wiring to a container

Once attached to a project, reference the keypair in a container definition:

containers:
  api:
    project: production
    image: ghcr.io/myorg/api:latest
    vaults:
      ssh_keypairs:
        - handle: deploy-key
          mountpath: /etc/ssh

The key files are mounted as public_key and private_key under the specified mount path.

Rotation

To rotate, update the key files on disk and run reis apply again. A new version is created and marked current. Previous versions are retained for rollback.