We provision servers with ofn-install. And most people deploy with that as well. While the code includes some configuration files for each server, we also need a secrets.yml
file for each server to run the scripts. There have been several practices so far:
- Sharing the file in a private slack channel.
- Encrypting the file with ansible-vault and share it through a private Github repository.
- Copying the file onto the server, e.g.
scp inventory/host_vars/openfoodnetwork.net/secrets.yml openfoodnetwork.net:secrets.yml
I found several downsides to these approaches:
- Slack cannot be trusted. People may forget that secrets where shared months ago and invite someone into a channel who should not have the secrets. It’s also a bit cumbersome to copy and paste all the time.
- Sharing via Github adds the overhead of permission management for the additional repository. Private repositories are not for free on Github. And we need to enter the vault password every time we want to run Ansible or edit the file.
- Having it as simple file on the server does not provide any version control. If one person empties the file, other people easily overwrite their copies as well and the contents can become lost. It’s also a lengthy scp command and we have to remember to sync it.
New proposal
We create a Git repository on each server holding the secrets file. The initial setup would look like this:
ssh ofn-admin@openfoodnetwork.net 'git --bare init secrets.git'
cd inventory/host_vars/openfoodnetwork.net
git init
git remote add origin ofn-admin@openfoodnetwork.net:secrets.git
git add secrets.yml
git commit -m 'Initial secrets file'
git push --set-upstream origin master
The ofn-install repository is not affected by this. It ignores the additional .git
folder. This gives everybody with admin access to the server access to the file needed for provisioning. No additional permission management. We also get version control and synchronising the secrets is as easy as git push
and git pull
. Okay, you man need to go to the directory first: (cd inventory/host_vars/openfoodnetwork.net && git pull)
We can document the setup in ofn-install and have that as the default location.
What do you think? @enricostn @sauloperez @luisramos0 @Matt-Yorkley @sigmundpetersen @paco
A note on security on dev machines: My disk is encrypted and that’s why I don’t worry about storing sensitive information on there. If this is a concern, we can still use ansible-vault for an additional layer of security. It doesn’t matter on the server, because the server has all the secrets in application.yml and the database anyway.