Questions on Ansible Vault & Staging Environment

Two different questions:
First Question:

If I have already committed code where my vault.yml files were unencrypted (default trellis-cli state), can I retroactively encrypt my vault.yml files, then recommit the code? What's the best way to do this to remove any trace of the plaintext secrets? What Git command can I use to rewrite the Git history of the repo and have the current code base (after encrypting vault.yml files) be the first and only commit?

Second Question:

If I'm using Digital Ocean as my host, can a Staging environment AND a Production environment be provisioned on the same droplet (IP address)? It seems the command trellis droplet create staging creates an entirely new droplet. Is that the common workflow with a staging and production environment, each hosted on a different droplet, but connected to different branches of the Git repository?
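The procedure asked about in the first question, as an added example that is not from the original thread or from Trellis: encrypt every still-plaintext vault.yml, collapse the repository to a single commit on an orphan branch so no old blob is reachable, and check that a known secret string no longer appears anywhere in history before force-pushing. The trellis/ directory name, the group_vars/<env>/vault.yml layout, the master branch and the origin remote are assumptions taken from the default trellis-cli layout; adjust them to your repo.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post or from Trellis.
# Assumes a trellis/ directory laid out the default trellis-cli way, with
# group_vars/<env>/vault.yml files and vault_password_file configured in
# ansible.cfg (.vault_pass). Nothing runs until invoked with --run.
set -eu

TRELLIS_DIR="${TRELLIS_DIR:-trellis}"   # assumed location of the Trellis checkout

# Return 0 if the file already carries the ansible-vault header, 1 otherwise.
is_vault_encrypted() {
  head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Encrypt every group_vars/*/vault.yml that is still plaintext.
encrypt_vaults() {
  for f in "$TRELLIS_DIR"/group_vars/*/vault.yml; do
    [ -f "$f" ] || continue
    if is_vault_encrypted "$f"; then
      echo "already encrypted: $f"
    else
      ansible-vault encrypt "$f"   # password comes from vault_password_file in ansible.cfg
    fi
  done
}

# Collapse the repo at $1 to one commit holding only the current working tree.
# An orphan branch has no parent, so none of the old commits (or the plaintext
# blobs they point at) stay reachable; expiring reflogs lets gc prune them.
squash_history() {
  repo="$1"
  branch="${2:-master}"
  msg="${3:-Initial commit}"
  git -C "$repo" checkout -q --orphan fresh-start
  git -C "$repo" add -A
  git -C "$repo" commit -q -m "$msg"
  git -C "$repo" branch -D "$branch"
  git -C "$repo" branch -m "$branch"
  git -C "$repo" reflog expire --expire=now --all
  git -C "$repo" gc --prune=now -q
}

# Number of commits reachable from HEAD; 1 after a successful squash.
commit_count() {
  git -C "$1" rev-list --count HEAD
}

# Return 0 if string $2 appears in any blob of any reachable commit in $1.
# Run this with a real secret value from the old vault.yml before pushing.
secret_in_history() {
  git -C "$1" grep -q -e "$2" $(git -C "$1" rev-list --all) 2>/dev/null
}

if [ "${1:-}" = "--run" ]; then
  encrypt_vaults
  squash_history . master "Initial commit (vault files encrypted)"
  git push --force origin master   # the remote keeps the old history until overwritten
fi
```

Run it from the repository root with `--run`. The force push is mandatory, since the remote still holds the old commits; even so, treat every secret that was ever pushed as compromised and rotate it, because clones, forks and the hosting provider's object cache may retain the plaintext blobs after the rewrite. trellis-cli wraps the encryption step as `trellis vault encrypt <environment>`, which is interchangeable with the `ansible-vault encrypt` loop above.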

Yeah that’s our default recommendation. It is possible to run multiple environments on the same server though I wouldn’t recommend it since that kind of defeats the purpose of a staging server!

Awesome Thank you! I’ll probably just redo the repo and start fresh since Trellis makes it all so easy. One issue when I deployed my Staging Environment was accessing the site by the IP address wasn’t possible. I even changed my /etc/hosts file to the server IP example.com, but I still couldn’t access the site by the domain example.com.

My wordpress_sites.yml file:

# Created by trellis-cli v1.7.0
# Documentation: https://docs.roots.io/trellis/master/wordpress-sites/

wordpress_sites:
  example.com:
    site_hosts:
    - canonical: www.example.com
      redirects:
      - example.com
    local_path: ../site
    branch: master
    repo: git@github.com:dannytaki/example.com.git
    repo_subtree_path: site
    multisite:
      enabled: false
    ssl:
      enabled: false
      provider: letsencrypt
    cache:
      enabled: false

My example.com.conf file in /etc/nginx/sites-enabled looks like the following default config:

# Ansible managed


server {
  listen [::]:80;
  listen 80;
  server_name www.example.com;

  access_log   /srv/www/example.com/logs/access.log main;
  error_log    /srv/www/example.com/logs/error.log;

  root  /srv/www/example.com/current/web;
  index index.php index.htm index.html;
  add_header Fastcgi-Cache $upstream_cache_status;

  # Specify a charset
  charset utf-8;

  # Set the max body size equal to PHP's max POST size.
  client_max_body_size 25m;

  include acme-challenge-location.conf;

  include includes.d/all/*.conf;
  include includes.d/example.com/*.conf;

  # Prevent PHP scripts from being executed inside the uploads folder.
  location ~* /app/uploads/.*\.php$ {
    deny all;
  }

  # Prevent Blade and Twig templates from being accessed directly.
  location ~* \.(blade\.php|twig)$ {
    deny all;
  }

  # composer
  location ~* composer\.(json|lock)$ {
    deny all;
  }

  location ~* composer/installed\.json$ {
    deny all;
  }

  location ~* auth\.json$ {
    deny all;
  }

...

# Redirect some domains
server {
  listen [::]:80;
  listen 80;
  server_name example.com;

  include acme-challenge-location.conf;

  include includes.d/all/*.conf;
  include includes.d/example.com/*.conf;

  location / {
    return 301 http://www.example.com$request_uri;
  }
}

Actually after updating my /etc/hosts file with the www.example.com and example.com, it worked!
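An added example, not part of the thread or of Trellis, for checking the nginx config above before DNS points at the droplet and without editing /etc/hosts: curl's --resolve pins one hostname to the droplet IP for a single request, so the www vhost, the example.com redirect block and the bare-IP case can each be probed separately. The droplet IP (a TEST-NET address), the hostnames and the port are assumptions; replace them with your own.

```shell
#!/usr/bin/env sh
# Added example, not from the original post or from Trellis. Probes a
# name-based nginx vhost the way the config above is laid out. The IP below
# is a placeholder from TEST-NET-3; nothing runs until invoked with --run.
set -eu

DROPLET_IP="${DROPLET_IP:-203.0.113.10}"   # assumed droplet address

# Print the HTTP status nginx returns for hostname $1 when resolved to $2.
vhost_status() {
  curl -s -o /dev/null -w '%{http_code}' --resolve "$1:80:$2" "http://$1/"
}

# Print the Location header for hostname $1 at $2 (empty when not a redirect).
vhost_location() {
  curl -sI --resolve "$1:80:$2" "http://$1/" | tr -d '\r' | sed -n 's/^[Ll]ocation: //p'
}

# Build the /etc/hosts line that resolves both names to the droplet, which is
# what the poster ended up doing: www.example.com for the main server block
# and example.com for the redirect block, since neither matches a bare IP.
hosts_entry() {
  printf '%s %s %s\n' "$1" "www.$2" "$2"
}

if [ "${1:-}" = "--run" ]; then
  # 200 here means the canonical server block matched the Host header
  echo "www.example.com -> $(vhost_status www.example.com "$DROPLET_IP")"
  # the redirect block should answer 301 with Location: http://www.example.com/
  echo "example.com -> $(vhost_status example.com "$DROPLET_IP")"
  echo "redirects to: $(vhost_location example.com "$DROPLET_IP")"
  # no server_name matches a bare IP, so whatever nginx's default server does is what you see
  echo "bare IP -> $(curl -s -o /dev/null -w '%{http_code}' "http://$DROPLET_IP/")"
  hosts_entry "$DROPLET_IP" example.com
fi
```

The bare-IP probe is the reason the site "wasn't accessible by IP": both server blocks in the generated config select on server_name, so a request whose Host header is the IP falls through to nginx's default server rather than the site.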
