I see that the example repo consists of the entire parent directory, containing both the /site/ and /trellis/ folders inside the repo. Is there a reason you want to store that /trellis/ folder? Doesn’t it contain sensitive information such as database passwords, salts, etc? I was going to attempt to just make a repo that only includes the /site/ folder, but I am not sure if it’s a good idea to be renaming the /site/ folder to something like /example.com/ so that my GitHub repo doesn’t have to be named ‘site’. I suppose I could include everything and just put the /trellis/ folder in .gitignore also?
What do you guys think? Am I being stupid here?
Generally yes, you do want to track trellis/ since that allows you to make your server configuration relatively reliable.
You are certainly not stupid for thinking that keeping passwords in your repo in plaintext is a bad idea: it is a very bad idea. Fortunately Trellis has support for Ansible Vault, which offers a way to keep your passwords and other sensitive data securely encrypted. There’s more information on it in the docs. If you don’t want to/can’t use Ansible Vault, there’s git-crypt. I can personally speak to using git-crypt: Once you have it set up, it’s essentially completely transparent, and keeps all your stuff encrypted and secure. Setting up git-crypt on Windows is a little more difficult, but can be done: Ask me if you need to do that and I can give you some pointers.
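Before committing trellis/, it helps to confirm that every vault.yml really is an Ansible Vault envelope rather than readable YAML. The script below is an added example, not part of the original posts or of Trellis; the trellis/group_vars/*/vault.yml path pattern, the function names and the sample file contents are assumptions constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Ansible Vault envelope header: $ANSIBLE_VAULT;<version>;<cipher>[;<vault id>]
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;[A-Z0-9]+(;[^\s;]+)?$")
HEX_LINE = re.compile(r"^[0-9a-f]+$")


def is_vault_encrypted(text):
    """True only if the whole file is a vault envelope: header line plus hex payload."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not VAULT_HEADER.match(lines[0]):
        return False
    return all(HEX_LINE.match(ln) for ln in lines[1:])


def find_plaintext_vaults(repo_root, pattern="trellis/group_vars/*/vault.yml"):
    """Return repo-relative vault files that are still readable YAML (assumed layout)."""
    root = Path(repo_root)
    bad = [p for p in root.glob(pattern)
           if not is_vault_encrypted(p.read_text(encoding="utf-8", errors="replace"))]
    return sorted(p.relative_to(root).as_posix() for p in bad)


def build_sample_repo(root):
    """Constructed sample data: one encrypted vault file, one left in plaintext."""
    enc = "$ANSIBLE_VAULT;1.1;AES256\n" + "\n".join(["36316566" * 10] * 3) + "\n"
    plain = "db_password: example_password\n"
    for env, body in (("production", enc), ("development", plain)):
        d = Path(root) / "trellis" / "group_vars" / env
        d.mkdir(parents=True)
        (d / "vault.yml").write_text(body, encoding="utf-8")


def main(argv):
    with tempfile.TemporaryDirectory() as tmp:
        if len(argv) < 2:  # no path given: scan the constructed sample
            build_sample_repo(tmp)
        offenders = find_plaintext_vaults(argv[1] if len(argv) > 1 else tmp)
    for path in offenders:
        print(f"NOT ENCRYPTED: {path}")
    return 1 if offenders else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the repository root as the only argument; a non-zero exit status means at least one vault file would be committed as plaintext. Files that encrypt individual values inline instead of the whole file are reported as plaintext by this check.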
Oh wow thanks for the quick response blank, much appreciated
Ahhh missed that. Usually I am a little better with reading the docs before I post! I caught the blurb in the docs about needing to use Vault, but I kind of thought I already was once I updated my vault.yml file. Being about to commit the plaintext, though, made me second-guess what is supposed to be happening here exactly.
Let me get through that Vault link you sent, I think I should be ok. I am on Mac OS Sierra, so no Windows drama for me!
@alwaysblank quick question about Vault, maybe you have the answer.
I know .env files are never part of source control, therefore it is ok if plaintext is stored there, so I assume that Vault does not encrypt it when doing the other .yml files. So wouldn’t the DB_PASS entry have to be set to the same value stored in my .vault_pass file?
After thinking some more I believe the .env will be re-generated for me after I do a vagrant destroy && vagrant up.
The .env file is generated on each provision of a site (e.g. vagrant up --provision) and the values are made up of default values and also what is found in the env section of the
As for the version control aspect, I’d highly recommend the setup explained by @tangrufus shown here https://github.com/roots/trellis/issues/883#issuecomment-329052189
Me and my colleagues follow this closely and it’s extremely easy to keep trellis up to date.