Security: Externalize deployment configuration#141
Conversation
Code Review: Security concern not fully resolvedThe approach here is correct — using [CRITICAL]
|
- Move hard-coded IPs and domains to environment variables - Add ERB interpolation in config/deploy.yml - Create .env.example with placeholder values - Improve configuration portability and security Resolves information disclosure issue #7 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Actual network addresses in .env.example defeated the security goal of the PR since the values were still committed to version control. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
b310789 to
bc9ef37
Compare
Moves sensitive network information (IPs, domains) from deploy.yml to environment variables.
Changes
config/deploy.yml
192.168.1.216→<%= ENV.fetch("DEPLOY_WEB_HOST") %><%= ENV.fetch("DEPLOY_PROXY_HOSTS").split(",") %>registry.vandelden.family→<%= ENV.fetch("KAMAL_REGISTRY_SERVER") %>root→<%= ENV.fetch("KAMAL_REGISTRY_USERNAME", "root") %>ssh://root@192.168.1.128→<%= ENV.fetch("DEPLOY_BUILDER_HOST") %>.env.example (new file)
.envand fill in your actual values.envis already gitignored (line 97 of.gitignore), so it won't be accidentally committedSecurity Impact
LOW - Reduces information disclosure:
Usage
Verification