2017-04-27

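Capistrano: Storing the database password for Laravel

I am using Capistrano as the deployment tool for a Laravel-based application. The .env file, which stores all the server credentials, is created during deployment. Here is an overview of the build logic (deploy.rb).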

# config valid only for current version of Capistrano 
lock "3.8.1" 

set :application, "my_app" 
set :repo_url, "[email protected]:me/myapp.git" 
set :deploy_to, '/var/www/myapp' 

# Environment variables 
set :app_path, '/var/www/myapp/current' 
set :app_debug, true 
set :app_env, 'local' 
set :app_key, 'base64:k1IYcD0k8Q59nDOBds0sgPVJye/vy85ovAS8GQecRuI=' 
set :app_log_level, 'debug' 
set :app_url, 'http://localhost' 

set :db_connection, 'mysql' 
set :db_host, '127.0.0.1' 
set :db_port, '3306' 
set :db_name, 'my_db_name' 
set :db_user, 'my_db_user' 
set :db_password, 'mypassword' 

set :keep_releases, 3 

# Do composer install
namespace :composer do
  desc "Running Composer install ..."
  task :install do
    on roles(:app) do
      within release_path do
        execute :composer, "install --no-dev"
        execute :composer, "dumpautoload"
      end
    end
  end
end

# Do database migrations
namespace :database do
  desc "Running database migrations ..."
  task :migrate do
    on roles(:app) do
      execute "php #{fetch(:app_path)}/artisan migrate"
    end
  end
end

# Create .env file
namespace :environment do
  desc "Setting up environment variables ..."
  task :set_variables do
    on roles(:app) do
      puts ("Creating environment configuration file...")
      execute "cat /dev/null > #{fetch(:app_path)}/.env"

      execute "echo APP_NAME=#{fetch(:application)} >> #{fetch(:app_path)}/.env"
      execute "echo APP_ENV=#{fetch(:app_env)} >> #{fetch(:app_path)}/.env"
      execute "echo APP_KEY=#{fetch(:app_key)} >> #{fetch(:app_path)}/.env"
      execute "echo APP_DEBUG=#{fetch(:app_debug)} >> #{fetch(:app_path)}/.env"
      execute "echo APP_LOG_LEVEL=#{fetch(:app_log_level)} >> #{fetch(:app_path)}/.env"
      execute "echo APP_URL=#{fetch(:app_url)} >> #{fetch(:app_path)}/.env"

      execute "echo DB_CONNECTION=#{fetch(:db_connection)} >> #{fetch(:app_path)}/.env"
      execute "echo DB_HOST=#{fetch(:db_host)} >> #{fetch(:app_path)}/.env"
      execute "echo DB_PORT=#{fetch(:db_port)} >> #{fetch(:app_path)}/.env"
      execute "echo DB_DATABASE=#{fetch(:db_name)} >> #{fetch(:app_path)}/.env"
      execute "echo DB_USERNAME=#{fetch(:db_user)} >> #{fetch(:app_path)}/.env"
      execute "echo DB_PASSWORD=#{fetch(:db_password)} >> #{fetch(:app_path)}/.env"
    end
  end

  task :set_permissions do
    on roles(:app) do
      puts ("Set directory permissions to writable...")
      execute "chmod -R 777 #{fetch(:app_path)}/storage"
      execute "chmod -R 777 #{fetch(:app_path)}/bootstrap/cache"
    end
  end
end

namespace :deploy do
  after :updated, "composer:install"
  after :finished, "environment:set_variables"
  after :finished, "environment:set_permissions"
  after :finished, "database:migrate"
end

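As you can see, the database password is stored in the file itself, which is not a secure approach. How can I keep the password separate? I am new to Capistrano and Ruby.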

Answer

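You have several mechanisms available to you.

The first I would consider is using linked_files. Something like

append :linked_files, '.env'

in config/deploy.rb will cause that file in the deploy directory to be linked to shared/config/deploy.rb, outside of the deploy directory. You can set that file up manually and then have Capistrano link to it on deploy.

Second, you can add environment variables to your system and just read them, skipping the .env file entirely.

Finally, you can create a new YAML file in your repository, perhaps gitignore it, and then read the password from it. This will work because the logic that reads the Capistrano configuration runs locally on the deploying machine.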
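The environment-variable and YAML options from the answer above, combined in one helper; this is an added example, not code from the original question or answer. The secrets file path, the list of required keys, and the helper names `load_secrets`, `render_dotenv` and `demo` are assumptions made for illustration.

```ruby
require 'yaml'
require 'tempfile'

# Secrets the deploy must have; a missing one aborts instead of writing a blank value.
REQUIRED_SECRETS = %w[APP_KEY DB_PASSWORD].freeze

# Environment variables win; otherwise fall back to a gitignored YAML file
# (hypothetical path, e.g. config/deploy_secrets.yml next to deploy.rb).
def load_secrets(yaml_path, env = ENV)
  from_file = File.exist?(yaml_path) ? (YAML.safe_load(File.read(yaml_path)) || {}) : {}
  secrets = REQUIRED_SECRETS.to_h { |key| [key, env[key] || from_file[key]] }
  missing = secrets.select { |_, value| value.to_s.empty? }.keys
  raise ArgumentError, "missing secrets: #{missing.join(', ')}" unless missing.empty?

  secrets.transform_values(&:to_s)
end

# Build the whole .env body in memory. Values are double-quoted, with double quotes
# and backslashes escaped (assumption: the .env parser honours those escapes).
def render_dotenv(settings)
  lines = settings.map do |key, value|
    raise ArgumentError, "bad key #{key.inspect}" unless key.to_s.match?(/\A[A-Z_][A-Z0-9_]*\z/)
    raise ArgumentError, "newline in #{key}" if value.to_s.match?(/[\r\n]/)

    escaped = value.to_s.gsub(/["\\]/) { |char| "\\#{char}" }
    %(#{key}="#{escaped}")
  end
  lines.join("\n") + "\n"
end

# Constructed sample input: a secrets file with a password that needs quoting.
def demo
  Tempfile.create(['deploy_secrets', '.yml']) do |file|
    file.write(%(APP_KEY: "base64:CONSTRUCTED"\nDB_PASSWORD: 'p@ss "w" #1'\n))
    file.flush
    render_dotenv({ 'DB_USERNAME' => 'my_db_user' }.merge(load_secrets(file.path, {})))
  end
end

# Inside the Capistrano task, upload the body in one step instead of echoing
# each line, so the password never appears in a logged command line:
#   upload! StringIO.new(body), "#{shared_path}/.env"
#   execute :chmod, '600', "#{shared_path}/.env"
puts demo if $PROGRAM_NAME == __FILE__
```

Uploading to the shared directory pairs with the `linked_files` entry from the answer, so each release links to the one uploaded file rather than recreating it.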