Avoiding version control of passwords with Capistrano

Favcol is built with Ruby on Rails. It's the first Rails application I've built and deployed on a public facing server, and I've learned a thing or two along the way.

For example, at some point I may well open up the code. When that happens, it would be good to not have the production database password stored in my subversion repository.

This is also an issue for anyone who works in an managed environment where the development team shouldn't have access to production passwords.

The good news is that (as suggested here), it's easy to workaround, at least if you're using Capistrano (previously Switchtower):

First, copy config/database.yml to the shared deployment directory (eg: /u/apps/example/shared/config/database.yml) and add your production database details to it.

Then add the following to config/deploy.rb:

desc "link in production database credentials"
task :after_update_code do
  run <<-CMD
    rm #{release_path}/config/database.yml && 
    ln -nfs #{deploy_to}/#{shared_dir}/config/database.yml #{release_path}/config/database.yml 

Now, every time you deploy a new copy of your app, the development copy of database.yml is replaced by a symbolic link to a production version. This means the copy of database.yml in subversion doesn't need to include your passwords.

You can adapt this idea for other uses. For example, I'm also using it to protect the Flickr API keys used by Favcol.

Capistrano makes customisations like this trivially easy. If you're not using it already, you really should look into it.

< previous next >