leeand00's picture

Does anyone store their server configuration in git?  It seems to me it would be a good way to keep a history of changes made to a server.

There are a few things I'm concerned about however:

What files to include:

- /etc seems like a pretty obvious place to start, as most applications keep their configuration in there (but of course not all applications).
- /var/www (if applicable)

Software updates and such seem as though they could be handled by apt-get or some similar package update tool.

Security:

It's probably best to lock people out of it, and maybe even using git on the system at all, but what about storing the git repo in a sshfs mounted share that's only mounted when making changes to the server?

Repo Type:

Should the git repo be a hub-repo that copies its changes out to the specified directories only when the changes have been pushed back out to it?


Anything else that would make a good best practice?

Jeremy Davis's picture

TurnKey includes etckeeper (using git as VC) by default. IIRC once per day it checks for uncommitted changes and auto commits them. It also has an apt hook, so it also commits prior to adding/removing software.

Obviously it doesn't catch everything (like you say, sometimes config is elsewhere). But there is discussion on serverfault on how to work around that if you desire.

I don't really understand your security concerns. /etc is world readable already (and it has to be; otherwise apps couldn't read their config). And most important stuff there is only writeable by root (or sudo if installed) by default so I'm not sure what advantages would be gained by hiding it...

leeand00's picture

Oh wow!  Thanks for showing me that.  Now I can keep a change record of all the changes I've made to the configuration!  Even changes I've made to tklbam!

leeand00's picture

Initial Setup for tracking changes to files outside of /etc

Before you do anything, if you want to add an external configuration, you have to create a commit.d hook script to collect those external changes and store them in the mirrored directory in the repo, make it executable and fill it with the script you mentioned.  Then run etckeeper commit to commit the hook script to the repo.  (At this point it won't really do much, provided you've removed the examples from the script.)

Adding files and directories to etckeeper

Next, and this step will be repeated for any new files or directories added to etckeeper's repo over the life of the server...

For each file or directory, add to the end of the commit hook script a call to one of the following functions, specifying the path to the file or directory as an argument:

Files:

mirror_file "/var/blah/bar.conf"

Directories:

mirror_dir "/var/foo"

Next you need to run etckeeper commit and it will display the following message:

etckeeper: mirroring outside files to /etc/etckeeper.mirror.d: <file or directory name>

and after you wait a bit (depending on how much you've stored, which probably shouldn't be much) it will ask you for a commit message.
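A complete commit.d hook of the kind described in the steps above, written as an added example (it is not etckeeper's own code, nor the serverfault script the thread refers to). It assumes the file name /etc/etckeeper/commit.d/10mirror-outside-files, the mirror directory /etc/etckeeper.mirror.d named in the thread, and the two example paths /var/blah/bar.conf and /var/foo from the post; the MIRROR_DIR variable is an assumption added so the functions can be pointed at a scratch directory for testing.

```shell
#!/bin/sh
# Hypothetical etckeeper commit.d hook (added example, not etckeeper's own code).
# Assumed install path: /etc/etckeeper/commit.d/10mirror-outside-files (chmod +x).
# etckeeper runs every executable in commit.d before it commits, so whatever
# this script copies under /etc becomes part of the next commit.

# Where the mirrored copies live inside /etc (the directory named in the thread).
# Overridable so the functions can be exercised against a scratch directory.
MIRROR_DIR="${MIRROR_DIR:-/etc/etckeeper.mirror.d}"
[ -n "$MIRROR_DIR" ] || { echo "etckeeper: MIRROR_DIR is empty, refusing to run" >&2; exit 1; }

# Refuse relative paths: the mirror layout is $MIRROR_DIR + absolute source path,
# so a relative path would land the copy somewhere unexpected.
_require_absolute() {
    case "$1" in
        /*) return 0 ;;
        *)  echo "etckeeper: $1 is not an absolute path, skipping" >&2; return 1 ;;
    esac
}

# mirror_file PATH: copy one file to $MIRROR_DIR/PATH, preserving mode and mtime.
# A missing source is reported but not treated as an error, so one removed file
# does not abort the whole commit.
mirror_file() {
    src="$1"
    _require_absolute "$src" || return 1
    if [ ! -f "$src" ]; then
        echo "etckeeper: skipping missing file $src" >&2
        return 0
    fi
    dest="$MIRROR_DIR$src"
    mkdir -p "$(dirname "$dest")"
    cp -p "$src" "$dest"
    echo "etckeeper: mirroring outside files to $MIRROR_DIR: $src"
}

# mirror_dir PATH: replicate a whole tree. The old mirror copy is removed first,
# so files deleted at the source disappear from the mirror and the git history
# records the deletion instead of keeping a stale copy forever.
mirror_dir() {
    src="$1"
    _require_absolute "$src" || return 1
    if [ ! -d "$src" ]; then
        echo "etckeeper: skipping missing directory $src" >&2
        return 0
    fi
    dest="$MIRROR_DIR$src"
    rm -rf "$dest"
    mkdir -p "$(dirname "$dest")"
    cp -pR "$src" "$dest"
    echo "etckeeper: mirroring outside files to $MIRROR_DIR: $src"
}

# One call per file or directory to track (the example paths from the post):
mirror_file "/var/blah/bar.conf"
mirror_dir "/var/foo"
```

Because everything mirrored enters the repository history, keep files that hold credentials (private keys, database passwords) out of the mirror, or list them in the repo's .gitignore, before adding a directory that might contain them.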


Jeremy Davis's picture

TBH I've never done it so you already know more about it than me! :)

But from what I can see it looks good.

Once you have tested a little and confirmed it all works as it should perhaps we should add this info to the docs (they're a wiki). Probably in the "how-to/tutorial" section...
