Suppose we have a config file with sensitive passwords. I'd like to version control the whole project, including the config file as well, but I don't want to share my pass
Not sure how your config is implemented, but having hierarchical overrides is how I would handle this.
You have a main config that contains common config plus dummy username/password (or leave these out altogether). Each developer then creates a local override.config (or whatever) with their specific username/password. The main config goes under source control, the developer (or machine) local overrides do not.
I've done this in .NET but not PHP so I don't know how easy this would be I'm afraid.
Have a separate file with ONLY the secrets in, that isn't under version control?
Or ideally, do away with passwords entirely: use openssh, or similar, and do public/private key authentication for each user.
In my projects I use a directory that holds these kinds of files but it's not uploaded to the server, so my db config file is in that directory and it is configured for the server where the project is placed. If someone changes the config file, he will change the server config file, and anyone updating the revision will see changes in that file and will need to manually change his local config.
I don't see a way of doing it other than that. If you find a different approach please share.
Create a local overrides file that contains the user specific info as PHP variables.
For instance create a file called local_overrides.php which contains the following:
<?php
$local_password = 'qUzaEAFK13uK2KHy';
Then in the file that includes your DB password do something like this:
$overrides = 'local_overrides.php';
if (file_exists($overrides)) {
    // load the untracked file that defines $local_password
    include_once($overrides);
    $db_password = $local_password;
} else {
    // perform appropriate action: set default? echo error message? log error?
    $db_password = 'l1m1t3d!';
}
The local overrides file would never have to be seen by source control.
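The override pattern from the answers above, as an added example that is not part of the original posts: the committed file holds only placeholders, the untracked file supplies the real values, and loading fails closed instead of falling back to a default password. It uses returned arrays instead of the `$local_password` variable; the function name, file names, keys, the `CHANGE_ME` placeholder and the POSIX permission check are all assumptions.

```php
<?php
// Added example. load_config(), the file names, keys and CHANGE_ME are hypothetical.
function load_config(string $defaultsFile, string $overridesFile): array
{
    // Committed file: returns an array whose secrets are placeholders only.
    $config = require $defaultsFile;

    if (!is_file($overridesFile)) {
        throw new RuntimeException("Missing $overridesFile; create it locally with real values");
    }
    // POSIX only (assumption): refuse an override file that other users can access.
    $mode = fileperms($overridesFile) & 0777;
    if (DIRECTORY_SEPARATOR === '/' && ($mode & 0007) !== 0) {
        throw new RuntimeException(sprintf('%s has mode %04o; remove access for "other"', $overridesFile, $mode));
    }

    $local = require $overridesFile;
    if (!is_array($local)) {
        throw new RuntimeException("$overridesFile must return an array");
    }
    // Only keys declared in the committed defaults may be overridden, so typos surface early.
    $unknown = array_keys(array_diff_key($local, $config));
    if ($unknown !== []) {
        throw new RuntimeException('Unknown override keys: ' . implode(', ', $unknown));
    }
    $config = array_replace($config, $local);

    // Fail closed: a placeholder that survived the merge means a secret was never set.
    foreach ($config as $key => $value) {
        if ($value === 'CHANGE_ME') {
            throw new RuntimeException("Config key '$key' still holds the placeholder");
        }
    }
    return $config;
}

// Constructed sample files so the example runs offline.
$dir = sys_get_temp_dir() . '/cfg_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/config.php", "<?php return ['db_user' => 'app', 'db_password' => 'CHANGE_ME'];");
file_put_contents("$dir/local_overrides.php", "<?php return ['db_password' => 'constructed-sample-value'];");
chmod("$dir/local_overrides.php", 0600);

$config = load_config("$dir/config.php", "$dir/local_overrides.php");
// Print only non-secret facts; never echo the password itself.
echo $config['db_user'], ' / password length ', strlen($config['db_password']), PHP_EOL;
```

The untracked override file still has to be listed in the version control system's ignore rules, as the answers describe.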
I had something similar to this although I don't know if it would work for you. I had a directory that contained files that contained passwords. This directory was not version controlled. The files were named after the applications which used them and in the config files, I 'sourced' the appropriate password file at the point it was needed. This would demand that your config parser can handle sourcing.
I'm used to making a txt file of it with the structure of the config file. After that I'll make a copy, change the extension, and let my version control system ignore this file(s).
So when you make changes in the config file, just update the txt version of it. That's the only option I can think of which is logical as well (in my eyes).