Capistrano: Storing Laravel's database password



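I am using Capistrano as the deployment tool for a Laravel-based application. The .env file, which stores all server credentials, is created during deployment. Here is an overview of the build logic (deploy.rb).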

# config valid only for current version of Capistrano
lock "3.8.1"
set :application, "my_app"
set :repo_url, "git@bitbucket.org:me/myapp.git"
set :deploy_to, '/var/www/myapp'
# Environment variables
set :app_path, '/var/www/myapp/current'
set :app_debug, true
set :app_env, 'local'
set :app_key, 'base64:k1IYcD0k8Q59nDOBds0sgPVJye/vy85ovAS8GQecRuI='
set :app_log_level, 'debug'
set :app_url, 'http://localhost'
set :db_connection, 'mysql'
set :db_host, '127.0.0.1'
set :db_port, '3306'
set :db_name, 'my_db_name'
set :db_user, 'my_db_user'
set :db_password, 'mypassword'
set :keep_releases, 3
# Do composer install
namespace :composer do
    desc "Running Composer install ..."
    task :install do
        on roles(:app) do
            within release_path do
                execute :composer, "install --no-dev"
                execute :composer, "dumpautoload"
            end
        end
    end
end
# Do database migrations
namespace :database do
    desc "Running database migrations ..."
    task :migrate do
        on roles(:app) do
            execute "php #{fetch(:app_path)}/artisan migrate"
        end
    end
end
# Create .env file
namespace :environment do
    desc "Setting up environment variables ..."
    task :set_variables do
        on roles(:app) do
              puts ("Creating environment configuration file...")
              execute "cat /dev/null > #{fetch(:app_path)}/.env"
              execute "echo APP_NAME=#{fetch(:application)} >> #{fetch(:app_path)}/.env"
              execute "echo APP_ENV=#{fetch(:app_env)} >> #{fetch(:app_path)}/.env"
              execute "echo APP_KEY=#{fetch(:app_key)} >> #{fetch(:app_path)}/.env"
              execute "echo APP_DEBUG=#{fetch(:app_debug)} >> #{fetch(:app_path)}/.env"
              execute "echo APP_LOG_LEVEL=#{fetch(:app_log_level)} >> #{fetch(:app_path)}/.env"
              execute "echo APP_URL=#{fetch(:app_url)} >> #{fetch(:app_path)}/.env"
              execute "echo DB_CONNECTION=#{fetch(:db_connection)} >> #{fetch(:app_path)}/.env"
              execute "echo DB_HOST=#{fetch(:db_host)} >> #{fetch(:app_path)}/.env"
              execute "echo DB_PORT=#{fetch(:db_port)} >> #{fetch(:app_path)}/.env"
              execute "echo DB_DATABASE=#{fetch(:db_name)} >> #{fetch(:app_path)}/.env"
              execute "echo DB_USERNAME=#{fetch(:db_user)} >> #{fetch(:app_path)}/.env"
              execute "echo DB_PASSWORD=#{fetch(:db_password)} >> #{fetch(:app_path)}/.env"
        end
    end
    task :set_permissions do
        on roles(:app) do
            puts ("Set directory permissions to writable...")
            execute "chmod -R 777 #{fetch(:app_path)}/storage"
            execute "chmod -R 777 #{fetch(:app_path)}/bootstrap/cache"
        end
    end
end
namespace :deploy do
  after :updated, "composer:install"
  after :finished, "environment:set_variables"
  after :finished, "environment:set_permissions"
  after :finished, "database:migrate"
end  

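You can see that the database password is stored in the file itself, which is not a secure approach. How can I keep the password separate? I am new to Capistrano and Ruby.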

You have a few mechanisms you can use.

The first one I would consider is using linked_files. Something like

append :linked_files, '.env'

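in your config/deploy.rb will cause that file in the deployment directory to be linked to shared/config/deploy.rb outside the deployment directory. You would set that file up manually, and then have Capistrano link to it when deploying.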

Second, you could add the environment variables to the system, allowing you to read them and skip the .env file entirely.

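Finally, you could create a new YAML file in the repository, also gitignore it, and then read it to get the password. This will work because the logic that reads the Capistrano configuration runs locally on the deploying machine.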
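An added example, not part of the original answer or of Capistrano itself, showing the third option with the second as an override: deploy.rb reads the password from a gitignored YAML file on the deploying machine and refuses files that other local users can read. The file name `config/deploy_secrets.yml`, the helper `load_deploy_secrets`, `SecretsError` and all sample values are assumptions made for illustration.

```ruby
require 'yaml'
require 'tmpdir'

# Hypothetical key names; the upper-cased forms match the .env names on the page.
REQUIRED_KEYS = %w[db_password app_key].freeze

class SecretsError < StandardError; end

# Load deploy secrets from a gitignored YAML file on the deploying machine.
# A non-empty environment variable (DB_PASSWORD, APP_KEY) overrides the file.
def load_deploy_secrets(path, env: ENV)
  raise SecretsError, "#{path} not found; create it locally and keep it out of git" unless File.file?(path)

  mode = File.stat(path).mode & 0o777
  raise SecretsError, format('%s has mode %o; run chmod 600 on it', path, mode) unless (mode & 0o077).zero?

  data = YAML.safe_load(File.read(path)) || {}
  raise SecretsError, "#{path} must contain a key/value mapping" unless data.is_a?(Hash)

  secrets = REQUIRED_KEYS.to_h do |key|
    [key, [env[key.upcase], data[key]].map(&:to_s).find { |v| !v.empty? }.to_s]
  end
  missing = secrets.select { |_, v| v.empty? }.keys
  raise SecretsError, "missing secrets: #{missing.join(', ')}" unless missing.empty?

  secrets
end

# Constructed sample file contents (not real credentials).
SAMPLE_SECRETS = <<~YAML
  db_password: constructed-example-password
  app_key: "base64:constructed-app-key"
YAML

# Runs the loader against a temporary copy of the constructed sample.
def demo_secrets
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'deploy_secrets.yml')
    File.write(path, SAMPLE_SECRETS)
    File.chmod(0o600, path)
    load_deploy_secrets(path, env: { 'DB_PASSWORD' => 'from-env' })
  end
end

# In deploy.rb (Capistrano DSL, shown as comments because it is not loaded here):
#   secrets = load_deploy_secrets('config/deploy_secrets.yml')
#   set :db_password, secrets['db_password']
#   set :app_key,     secrets['app_key']
```

The hard-coded `set :db_password` and `set :app_key` lines are then removed from deploy.rb, and `config/deploy_secrets.yml` is listed in `.gitignore`.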
