2017-04-27 125 views
0

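Capistrano: Storing the database password for Laravel

I am using Capistrano as the deployment tool for a Laravel-based application. The .env file that stores all the server credentials is created during the deployment process. Here is an overview of the build logic (deploy.rb).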

# config valid only for current version of Capistrano 
lock "3.8.1" 

set :application, "my_app" 
set :repo_url, "[email protected]:me/myapp.git" 
set :deploy_to, '/var/www/myapp' 

# Environment variables 
set :app_path, '/var/www/myapp/current' 
set :app_debug, true 
set :app_env, 'local' 
set :app_key, 'base64:k1IYcD0k8Q59nDOBds0sgPVJye/vy85ovAS8GQecRuI=' 
set :app_log_level, 'debug' 
set :app_url, 'http://localhost' 

set :db_connection, 'mysql' 
set :db_host, '127.0.0.1' 
set :db_port, '3306' 
set :db_name, 'my_db_name' 
set :db_user, 'my_db_user' 
set :db_password, 'mypassword' 

set :keep_releases, 3 

# Do composer install 
namespace :composer do
  desc "Running Composer install ..."
  task :install do
    on roles(:app) do
      within release_path do
        execute :composer, "install --no-dev"
        execute :composer, "dumpautoload"
      end
    end
  end
end

# Do database migrations
namespace :database do
  desc "Running database migrations ..."
  task :migrate do
    on roles(:app) do
      execute "php #{fetch(:app_path)}/artisan migrate"
    end
  end
end

# Create .env file
namespace :environment do
  desc "Setting up environment variables ..."
  task :set_variables do
    on roles(:app) do
      puts "Creating environment configuration file..."
      execute "cat /dev/null > #{fetch(:app_path)}/.env"

      execute "echo APP_NAME=#{fetch(:application)} >> #{fetch(:app_path)}/.env"
      execute "echo APP_ENV=#{fetch(:app_env)} >> #{fetch(:app_path)}/.env"
      execute "echo APP_KEY=#{fetch(:app_key)} >> #{fetch(:app_path)}/.env"
      execute "echo APP_DEBUG=#{fetch(:app_debug)} >> #{fetch(:app_path)}/.env"
      execute "echo APP_LOG_LEVEL=#{fetch(:app_log_level)} >> #{fetch(:app_path)}/.env"
      execute "echo APP_URL=#{fetch(:app_url)} >> #{fetch(:app_path)}/.env"

      execute "echo DB_CONNECTION=#{fetch(:db_connection)} >> #{fetch(:app_path)}/.env"
      execute "echo DB_HOST=#{fetch(:db_host)} >> #{fetch(:app_path)}/.env"
      execute "echo DB_PORT=#{fetch(:db_port)} >> #{fetch(:app_path)}/.env"
      execute "echo DB_DATABASE=#{fetch(:db_name)} >> #{fetch(:app_path)}/.env"
      execute "echo DB_USERNAME=#{fetch(:db_user)} >> #{fetch(:app_path)}/.env"
      execute "echo DB_PASSWORD=#{fetch(:db_password)} >> #{fetch(:app_path)}/.env"
    end
  end

  task :set_permissions do
    on roles(:app) do
      puts "Set directory permissions to writable..."
      execute "chmod -R 777 #{fetch(:app_path)}/storage"
      execute "chmod -R 777 #{fetch(:app_path)}/bootstrap/cache"
    end
  end
end

namespace :deploy do
  after :updated, "composer:install"
  after :finished, "environment:set_variables"
  after :finished, "environment:set_permissions"
  after :finished, "database:migrate"
end

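As you can see, the database password is stored in the file itself, which is not a secure approach. How can I keep the password separate? I am new to Capistrano and Ruby.

Answer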

0

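You have several mechanisms available to you.

The first one I would consider is using linked_files. Something like

append :linked_files, '.env'

in config/deploy.rb will cause that file in the deploy directory to be linked to shared/config/deploy.rb, outside the deploy directory. You can set that file up manually and then have Capistrano link to it at deploy time. Secondly, you can add environment variables to your system, so that you only read them and skip the .env file entirely.

Finally, you could create a new YAML file in your repository, perhaps gitignore it, and then read the password from it. This will work because the logic that reads the Capistrano configuration runs locally on the deploying machine.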
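
The second and third options above can be combined in one loader, shown here as an added example that is not part of the original answer or of Capistrano. The helper name `load_deploy_secret` and the path `config/secrets.yml` are assumptions; the helper reads an environment variable first, falls back to a gitignored YAML file, and refuses a file that other local users can read.

```ruby
require 'yaml'
require 'tempfile'

# Hypothetical helper (not a Capistrano API): resolve a deploy secret on the
# machine that runs `cap`, so the value is never committed in deploy.rb.
# Lookup order: environment variable, then a gitignored YAML file.
def load_deploy_secret(key, env: ENV, path: 'config/secrets.yml')
  from_env = env[key.to_s.upcase]
  return from_env unless from_env.nil? || from_env.empty?

  raise ArgumentError, "#{key}: not in environment and #{path} is missing" unless File.file?(path)

  # Refuse a secrets file that group or other users can read or write.
  mode = File.stat(path).mode & 0o777
  raise SecurityError, format('%s has mode %04o, expected 0600', path, mode) if mode & 0o077 != 0

  data = YAML.safe_load(File.read(path)) || {}
  value = data[key.to_s]
  raise KeyError, "#{key}: not set in #{path}" if value.nil? || value.to_s.empty?

  value.to_s
end

# In deploy.rb this would replace the hard-coded literal, for example:
#   set :db_password, load_deploy_secret(:db_password)

# Demo on a constructed secrets file (the values are made up).
def demo
  Tempfile.create(['secrets', '.yml']) do |f|
    f.write("db_password: constructed-example-value\n")
    f.flush
    File.chmod(0o600, f.path)
    from_file = load_deploy_secret(:db_password, env: {}, path: f.path)
    from_env  = load_deploy_secret(:db_password, env: { 'DB_PASSWORD' => 'from-env' }, path: f.path)
    File.chmod(0o644, f.path) # loosened permissions must be rejected
    rejected = begin
      load_deploy_secret(:db_password, env: {}, path: f.path)
      false
    rescue SecurityError
      true
    end
    [from_file, from_env, rejected]
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Because a missing or over-permissive file raises instead of returning an empty string, the deploy stops before an empty DB_PASSWORD line can be written to .env.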