We have had several problems with being hacked. We currently have all the config files in our versioning software (git). I would like to remove all the passwords. A common practice is to not put the files in there, but to change the passwords manually in the version control. We cannot do it that way.
It would be best if we can set a shell environment variable on the respective systems. If this is a good idea, does this reduce performance?
The other idea I am having is to generate passwords via a cronjob. This cronjob then updates the MySQL and user password. It would however need to replace the password in the config files.
How are you solving this problem?
We check in config files without passwords. When we check out code to work on, we git ignore the config files, and add the passwords by hand.
That way you have passwords in your local checkout that never go into the repository, and they will never be overwritten from another branch.
Alternatively, some people suggest using a deploy script – something that checks out the git code, and then creates proper config files.
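
The deploy-script approach mentioned in the answer above, as an added example that is not part of the original posts: the committed template holds only `${NAME}` placeholders, and the script fills them from environment variables at deploy time, then writes the real config readable by its owner only. The file names, the variable names `DB_USER` and `DB_PASSWORD`, and the sample template are assumptions.

```python
import os
import string
import tempfile

# Constructed sample: this template is what gets committed; it holds no secrets.
SAMPLE_TEMPLATE = """\
[database]
host = db.internal.example
user = ${DB_USER}
password = ${DB_PASSWORD}
"""


def render_config(template_text, env):
    """Fill ${NAME} placeholders from env; refuse missing or empty values."""
    template = string.Template(template_text)
    names = {
        m.group("braced") or m.group("named")
        for m in template.pattern.finditer(template_text)
        if m.group("braced") or m.group("named")
    }
    missing = sorted(n for n in names if not env.get(n))
    if missing:
        # Report names only, never values, so deploy logs stay free of secrets.
        raise KeyError("unset or empty variables: " + ", ".join(missing))
    return template.substitute(env)


def write_private(path, content):
    """Write content to path atomically, readable by the owner only."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600 before any secret is written.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".cfg-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(content)
        os.replace(tmp_path, path)  # readers never see a half-written file
    except BaseException:
        os.unlink(tmp_path)
        raise


if __name__ == "__main__":
    # Hypothetical file names; the deploy user exports DB_USER and DB_PASSWORD.
    with open("config.ini.template") as source:
        write_private("config.ini", render_config(source.read(), os.environ))
```

The rendered `config.ini` still belongs in `.gitignore`, as the answer describes, so only the template is ever committed.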