Question About Version Control Best Practice

Hey Everybody,

I see that the example repo consists of the entire parent directory, containing both the /site/ and /trellis/ folders inside the repo. Is there a reason you want to store that /trellis/ folder? Doesn’t it contain sensitive information such as database passwords, salts, etc? I was going to attempt to just make a repo that only includes the /site/ folder, but I am not sure if it’s a good idea to be renaming the /site/ folder to something like /example.com/ so that my GitHub repo doesn’t have to be named ‘site’. I suppose I could include everything and just put the /trellis/ folder in .gitignore also?

What do you guys think? Am I being stupid here?

Generally yes, you do want to track trellis/ since that allows you to make your server configuration relatively reliable.

You are certainly not stupid for thinking that keeping passwords in your repo in plaintext is a bad idea: it is a very bad idea. Fortunately Trellis has support for Ansible Vault, which offers a way to keep your passwords and other sensitive data securely encrypted. There’s more information on it in the docs. If you don’t want to/can’t use Ansible Vault, there’s git-crypt. I can personally speak to using git-crypt: Once you have it set up, it’s essentially completely transparent, and keeps all your stuff encrypted and secure. Setting up git-crypt on Windows is a little more difficult, but can be done: Ask me if you need to do that and I can give you some pointers.

2 Likes
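A pre-commit style check for the situation this thread is about, a vault.yml that is about to be committed without having been encrypted. This is an added example, not code from the thread or from Trellis; the script name, the `development`/`production` directory names and the sample file contents are constructed for illustration.

```python
import os
import re
import sys

# Header line written by ansible-vault: "$ANSIBLE_VAULT;1.1;AES256", or
# "$ANSIBLE_VAULT;1.2;AES256;<vault-id label>" when a vault ID is used.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.1;AES256|1\.2;AES256;[^;\s]+)$")


def is_vault_encrypted(path):
    """True if the file's first line is a well-formed Ansible Vault header."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return bool(VAULT_HEADER.match(fh.readline().strip()))


def find_plaintext_vaults(root, name="vault.yml"):
    """Sorted paths of files called `name` under `root` that are NOT encrypted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        if name in filenames:
            path = os.path.join(dirpath, name)
            if not is_vault_encrypted(path):
                hits.append(path)
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: one plaintext and one encrypted vault.yml."""
    samples = {
        "development": "db_password: example-not-a-real-secret\n",
        "production": "$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n",
    }
    for env, body in samples.items():
        os.makedirs(os.path.join(root, env), exist_ok=True)
        with open(os.path.join(root, env, "vault.yml"), "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_vault.py <repo-root>
    # Exits 1 if any plaintext vault.yml is found, so a git hook can block the commit.
    plaintext = find_plaintext_vaults(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p in plaintext:
        print("NOT ENCRYPTED:", p)
    sys.exit(1 if plaintext else 0)
```

The check only inspects the header line, so it confirms a file was run through `ansible-vault encrypt`, not that the vault password itself is strong or kept out of the repository.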

Oh wow thanks for the quick response blank, much appreciated :+1:

Ahhh, missed that. Usually I am a little better with reading the docs before I post! I caught the blurb in the docs about needing to use Vault, but I kind of thought I already was once I updated my vault.yml file. Being about to commit the plaintext, though, made me second-guess what is supposed to be happening here exactly.

Let me get through that Vault link you sent, I think I should be ok. I am on Mac OS Sierra, so no Windows drama for me!

Thanks again.

-Nick-

@alwaysblank quick question about Vault, maybe you have the answer.

I know .env files are never part of source control, therefore it is ok if plaintext is stored there, so I assume that Vault does not encrypt it when doing the other .yml files. So wouldn’t the DB_PASS entry have to be set to the same value stored in my .vault_pass file?

Edit
After thinking some more I believe the .env will be re-generated for me after I do a vagrant destroy && vagrant up.

The .env file is generated on each provision of a site (e.g. vagrant up --provision), and the values are made up of default values and also what is found in the env section of the wordpress_sites.yml file.

As for the version control aspect, I’d highly recommend the setup explained by @tangrufus shown here https://github.com/roots/trellis/issues/883#issuecomment-329052189

Me and my colleagues follow this closely and it’s extremely easy to keep trellis up to date.

1 Like