====== Coolify SSH Key Setup ======

**Status:** Resolved\\
**Date:** 2026-05 (initial setup)\\
**Affects:** [[folkzone:services:coolify|Coolify]]

Full incident summary. Each root cause has its own atomic page.

===== Root Causes (atomic pages) =====

  - [[folkzone:troubleshooting:coolify_ssh_key_ui_only|Private keys must be added via Coolify UI, not directly to database]]
  - [[folkzone:troubleshooting:coolify_ssh_docker_gateway|Correct host IP is the Docker network gateway (172.18.0.1), not LAN IP]]
  - [[folkzone:troubleshooting:coolify_root_ssh|Coolify requires root SSH access — PermitRootLogin prohibit-password]]
  - [[folkzone:troubleshooting:coolify_fail2ban|fail2ban bans the Coolify container IP after repeated failures]]

===== Quick Fix Sequence =====

**1. Generate fresh SSH key:**
<code bash>
sudo ssh-keygen -t ed25519 -a 100 -f /data/coolify/ssh/keys/id_coolify -q -N '' -C 'root@coolify'
</code>

**2. Add to authorized_keys (both user and root):**
<code bash>
echo "<pubkey>" >> ~/.ssh/authorized_keys
sudo sh -c 'echo "<pubkey>" >> /root/.ssh/authorized_keys'
</code>

**3. Allow root SSH:**
<code bash>
sudo sed -i 's/^PermitRootLogin no/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sudo systemctl restart sshd
</code>

**4. Set correct IP in database:**
<code bash>
docker exec coolify-db psql -U coolify -d coolify \
  -c "UPDATE servers SET ip = '172.18.0.1', \"user\" = 'root' WHERE name = 'localhost';"
</code>

**5. Add private key through Coolify UI:** Settings → Private Keys → Add Private Key.

**6. Unban container IP if needed:**
<code bash>
sudo fail2ban-client set sshd unbanip <container-ip>
</code>

**7. Verify:**
<code bash>
docker exec coolify ssh -o StrictHostKeyChecking=no \
  -i /var/www/html/storage/app/ssh/keys/id_coolify root@172.18.0.1 'echo success'
</code>

===== See Also =====
  * [[folkzone:troubleshooting:start|Homelab Troubleshooting Index]]

  * [[folkzone:services:coolify|Coolify]]
  * [[start|Return to wiki home]]