Secret Config Data

[Paul Tiseo]

So, any team-based project has to manage secret connection strings, passwords and other privileged info. Traditionally, I've used Sails and put all those things into the local.js file, which gets .gitignored by default. I suppose that the same could be done in AH, but what's the canonical way to do this under AH?

[Evan Tahler]

The way that actionhero handles this is per-environment configs.  You can have default configs for things, and then overwrite them per environment.  Some things are OK to check in (like the port your web server listens on), while others you want to keep secret.  

For the actual secrets, you have a few options:

- You can go the heroku/12-factor application way and source things from your ENV.  So you might have a line like: `password: process.env.secret_password || "default_password"`.  You could check this in safely, and not need the per-NODE_ENV settings

- You can use your deployment tool (chef/puppet/ansible/etc) to manage config files which you have only in the production environments.  Just symlink these over the files you have checked in, and actionhero will source them.  

I'ver personally used both methods, and I find that for a small number of settings, I prefer the ENV method, but for larger more complex projects, I love the clarity "secret" files provide which are managed/deployed outside of my application

[Chad Robinson]

You can also specify multiple config sources now:

ACTION_HERO_CONFIG=config,local-config npm start

or:

actionhero --config=config,local-config

or:

actionhero --config=config --config=local-config

This is available as of 10.x and it's what we use here. We just .gitignore local-config. Config blocks are executed in the order they're listed, so later entries override earlier ones.