amerkurev/django-docker-template

Env file for prod

Closed this issue · 3 comments

Hi! I appreciate you putting this together and publishing it. I am going to prod with a new site using this. I typically use env files in local and prod that are not checked in to git. I prevent this by adding all .en* files to gitignore. How are you handling secrets? I wish your project was a little more opinionated on this. If I overwrite the settings in .env, I would have to handle them not getting updated when I pull changes into prod. If I create a new .env-prod file that is not checked in to git, I would have to update references to the existing .env file with something like "if SETTINGS.DEBUG use .env else use .env-prod". Am I missing something?

Hi @shariq1989! Thanks for asking! Let me tell you how I handle secrets. It really depends on the situation.

For small or pet projects, I usually just store secrets in an .env file. Docker lets you split settings between different env files, like .env.ci, .env.dev, .env.prod, etc. Just make sure to exclude env files with sensitive data (secrets) from Git tracking (.gitignore).

For more flexibility, I might deploy Vault from HashiCorp within the infrastructure. This way, secrets are accessed through an API instead of environment variables. Here's an example: https://github.com/hashicorp/vault-examples/blob/main/examples/_quick-start/python/example.py.
You'll need to modify your settings.py, but that's no big deal. django-docker-template is just a starting point, you can customize it however you like.

For larger projects (with multiple Docker hosts), I use Docker Swarm. Secret support is built-in: https://docs.docker.com/engine/swarm/secrets/.

There are different ways to work with secrets, but the most important thing is to keep them secure. Everything else is just a matter of convenience.
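Added example (not part of the thread and not code from django-docker-template): a small helper that lets settings.py read the same secret either from a Docker secret file or from an environment variable supplied by an env file such as .env.prod. The names `get_secret` and `MissingSecret` and the `<NAME>_FILE` pointer convention are assumptions made for this sketch; `/run/secrets` is the default mount point Docker uses for secrets.

```python
import os
from pathlib import Path

# Docker mounts each secret as a file under this directory by default.
DOCKER_SECRETS_DIR = Path("/run/secrets")


class MissingSecret(RuntimeError):
    """A required secret was not found in any source."""


def get_secret(name, env=None, secrets_dir=DOCKER_SECRETS_DIR):
    """Hypothetical settings.py helper. Lookup order:

    1. file named by <NAME>_FILE (assumed convention, used by many images)
    2. <secrets_dir>/<name in lower case> (a mounted Docker secret)
    3. environment variable <NAME> (e.g. supplied through .env.prod)
    """
    env = os.environ if env is None else env

    pointer = env.get(f"{name}_FILE")
    if pointer:
        path = Path(pointer)
        # An explicit pointer that does not resolve is a deployment error;
        # fail instead of silently falling back to a weaker source.
        if not path.is_file():
            raise MissingSecret(f"{name}_FILE points to a missing file: {path}")
        return path.read_text(encoding="utf-8").strip()

    mounted = Path(secrets_dir) / name.lower()
    if mounted.is_file():
        return mounted.read_text(encoding="utf-8").strip()

    value = env.get(name, "").strip()
    if value:
        return value
    # No default on purpose: a production container should refuse to start
    # rather than run with a placeholder key.
    raise MissingSecret(f"{name} not found in secret files or environment")


if __name__ == "__main__":
    # Constructed values, for demonstration only.
    demo_env = {"SECRET_KEY": "constructed-demo-value"}
    print(get_secret("SECRET_KEY", env=demo_env, secrets_dir="/nonexistent"))
```

In settings.py this would be used as `SECRET_KEY = get_secret("SECRET_KEY")`, so the same code runs with an env file on a single host and with mounted secrets under Swarm.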

So if I add a .env.prod file, will I just run docker compose --env-file .env.prod config to feed it the file?

You can add env files directly in docker-compose.tls.yml as described in the docker docs (env_file option). Then you won't have to change the run command.