Document .env deployment options
@@ -137,6 +137,18 @@ To rotate a password:
Do not commit `.env` to git. The `.env.example` template is the only password-related file that belongs in the repo.
### Deploy-time only
The `.env` file is read only during `docker compose up` (container create/recreate). At runtime, secrets live in Docker volumes and container env vars. Options for handling `.env` on the target machine:
| Option | Security | Convenience |
|--------|----------|-------------|
| **Keep with `chmod 600`** (current) | Root on agge can still read it — but root already owns the volumes | Compose works immediately |
| **Remove after deploy** | Minimal disk exposure | Must scp from hector before any `docker compose down && up` |
| **Deploy script** (`deploy.sh`) | `.env` lives only on hector, pushed transiently during deploy | Single command, cleanest for production |
For the prototype, `chmod 600` is fine. For a production VPS, a deploy script is better — the `.env` never sits on disk permanently.
# Session history
**Session ses_21ab382baffej8OpnTkrmaG5UA** — initial prototype deployment: Docker files written, containers configured, applications deployed and verified.
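Review bot: the "Security" column understates the runtime exposure that the preceding paragraph itself points out. Since the values end up in container env vars, any account that can reach the Docker socket on agge (the `docker` group, not just root) can read them with `docker inspect` no matter whether `.env` is `chmod 600`, removed after deploy, or pushed transiently by `deploy.sh`; consider stating in the table, or in the closing sentence, that all three options only limit on-disk exposure and that socket access must be restricted separately. The "Remove after deploy" row should also be checked: Compose interpolates `${VAR}` references from `.env` for every command that loads the project, not only `up`, so after deleting the file `docker compose down`, `ps` or `logs` will warn about unset variables and will fail outright for any `${VAR:?}` required variables, which makes "before any `docker compose down && up`" narrower than the real constraint.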