Use environment-specific credential files for credential storing

.env.example

@@ -1,24 +1 @@
-COMPOSE_PROJECT_NAME=alpha_tomato_<env>
-
-BIND_ON=0.0.0.0:5000
-
-# RAILS_MAX_THREADS=5
-# WEB_CONCURRENCY=2
-
-REDIS_PASSWORD=<password>
-
-# POSTGRES_USER=alpha_tomato_<env>
-# POSTGRES_PASSWORD=<password>
-
-MAILGUN_API_KEY=<mailgun api key>
-
-SENTRY_DSN=https://localhost
-
-SECRET_KEY_BASE=<bundle exec rails secret>
-
-BANANA_CLIENT_ID=<see README.md>
-BANANA_CLIENT_SECRET=<see README.md>
-BANANA_API_HOST=http://localhost:4200
-
-LISTEN_ON_PORT=5000
-TOMATO_HOST=localhost
+RAILS_ENV=development

.gitignore

@@ -36,3 +36,15 @@ yarn-error\.log
 /node_modules
 yarn-debug.log*
 .yarn-integrity
+
+# Ignore master key for decrypting credentials and more.
+/config/master.key
+
+# Ignore master key for decrypting credentials and more.
+/config/master-development.key
+
+# Ignore master key for decrypting credentials and more.
+/config/master-staging.key
+
+# Ignore master key for decrypting credentials and more.
+/config/master-test.key

Gemfile

@@ -48,6 +48,7 @@ group :development, :test do
   gem 'guard-rspec', require: false
   gem 'pry-byebug'
   gem 'pry-rails'
+  gem 'rails-env-credentials'
   gem 'rspec-rails'
   gem 'slim_lint'
 end

Gemfile.lock

@@ -271,6 +271,8 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
+    rails-env-credentials (0.1.3)
+      rails (>= 5.2.0.rc1)
     rails-html-sanitizer (1.0.4)
       loofah (~> 2.2, >= 2.2.2)
     rails-i18n (5.1.2)
@@ -483,6 +485,7 @@ DEPENDENCIES
   pundit (~> 2.0)
   rack-attack (~> 5.0)
   rails (~> 5.2)
+  rails-env-credentials
   rails-i18n (~> 5.1)
   redis-rails (~> 5.0.2)
   rest-client (~> 2.0.2)

app/controllers/users_controller.rb

@@ -61,8 +61,8 @@ def api_token
     return @token if @token
 
     options = { grant_type: 'client_credentials',
-                client_id: Rails.application.secrets.fetch(:banana_client_id),
-                client_secret: Rails.application.secrets.fetch(:banana_client_secret) }
+                client_id: Rails.application.credentials.fetch.banana_client_id,
+                client_secret: Rails.application.credentials.fetch.banana_client_secret }
     token_response = RestClient.post "#{Rails.application.config.x.banana_api_host}/api/v1/oauth/token", options
 
     @token = JSON.parse(token_response)['access_token']

app/helpers/slack_helper.rb

@@ -5,7 +5,7 @@ module SlackHelper
 
   def notifier
     @notifier ||= Slack::Notifier.new(
-      Rails.application.secrets.fetch(:slack_webhook),
+      Rails.application.credentials.slack_webhook,
       username: 'Tomato',
       channel: Rails.application.config.x.slack_channel
     )

config/application.rb

@@ -23,8 +23,8 @@ class Application < Rails::Application
     # See https://github.com/kickstarter/rack-attack#getting-started
     config.middleware.use Rack::Attack
 
-    config.x.banana_api_host  = ENV['BANANA_API_HOST']
-    config.x.tomato_host      = ENV['TOMATO_HOST']
+    config.x.banana_api_host  = credentials.banana_host
+    config.x.tomato_host      = credentials.tomato_host
     config.x.slack_channel    = '#monitoring'
   end
 end

config/credentials-development.yml.enc

@@ -0,0 +1 @@
+WRKMZZtJre75RXj6I+DsqZ7R/kV+y84z0LKVFkMpGybNH2EUT+96sCMAAhUNRpR6F+e+svfACJ9G2YKhrZfkxYoHZKRWzrOI+iEz5PhOGbO0h/YJJ1bUB4TCaqzVA4+XpjEj/L8LJkJMUcJc50n1dd2/scpLhxPEcomMQtuxOFFCnN14OLai+krTr3faqVSS1mQ2FquUgBb0gDA21U2PfgVHoOevk8tu8EzvfarrOaTAfTLI4r7cOBWA2CwV29adwcjQq1SeuSMw59FLE1D4r6Dr7cenE16jIzVsRHzUiL+ga43gQfy0POQnfrLIjGeYge8pe9GsluSxqqflY+GvivS3bVfNkz2IcGv8j5TqSWAaGv0bgd55NolZEeuWjWgpdo789dC8KcXvulc0CqT8drcLwaue+3v3DGCNYW5Ynn3r/oZV094NmEsM375s3F/8ATkfpDm4XzS6W7afndk1lfenrQ0+BnQOMJvuu7yX8AgYB0kcchJufzyGm+F/IwES3Yk=--kVWrCcMjJ69Fsn+2--kKZl3Nx78xT6BQn4NK29Kg==

config/credentials-staging.yml.enc

@@ -0,0 +1 @@
+Ch2BPXRk2F/FSEoPlfi0IE3VW1uBNOgMkqidsZL0n6KJsdl5Ttsqh3IyMwVvzlLSHwd4IyECeU6YcYjeNlhsE3Ds2w1H1Sa2ynt4GmN0qNCcP+hITB2Sak6yV19FTg5ixAIsU/EGJXwYsPR546RbO4EGNeTvJDp3NA/8FojOPN11mQlhSyjFi4RfCWT6Y8aQTPXSr2gwILVJjPcezpObP/tq3FI5eBR+ndbiJJ2iMOpg/hg1wxSAu4fqeqzfz5ovoDhd/Oy42vtDGlBaP5Eiua8tp+Tjtvquqy7NFE5aU3PcpAqxLNHcIlBYQrHNvqfItBlTTjHi/FrwciQr78nSLMB1dsrdxRi0/3kuMnIJz8NPxw8glnKh/lDUTpPYk7184e5cEu1uQJGdUtkdBFNHoCCuiRYWARlExHcKUPLamb/vjrYaXutDLj6EJdPSEzgTtyku0+fEdtxPPDjw6zQxcOPfKE+GlX7pWgo3xlhB9wInbEYT0NniLYErtTbEEXWSsJVRaUa5zcZrhK4pJmjihRJwj+DSEBRSUdXyAp7i2fsuJc0oBygzx52DZZR37hagALV5Lma80Ig0uKSxG8mCK49S3DHdqNYNaaL8RaIHjvWbMR7YC7Drf8lGYh+g/k+oGpVVr6QW5wYBbLs9eAHTU5UEz3OMW+1z7krZUkzKYWDAJfBLN1P2N0uyQxCL+2ZFpBfH+XyIpOqbrDjTZt2Ern/DsAu06bgB3fgs6RTy4QSlF5qpDhXtqohMQKWYMOsSj29BMtUAIAV0YLus3ZqZZReY1vkGr2xsT+NQoAGK0sjj3GfMydjwZcZ+EqmozZsvqtDGckGC/gtRJgjavWS20FPc6QTbJwNbvOnYyJRox0Qj6edMyc/ER75T2XCJtlLlAOs/RQAx/4IkGekZY2u/CTses7nbA7taKGlZ/ktAlSgQKOqflanEBbAC1vJ/7oLOFCLzd2ZwVDtDXtxpR78FpNaTZ/YoGWGV4rIJaM0/c93e1LiLKUNVynbq6dEPHbND--R+xG3I6jla9lzf5x--/P75526kAr/4KJlOA1Y4nQ==

config/credentials-test.yml.enc

@@ -0,0 +1 @@
+Ixjm7C4M5SBxKk1uAZ6ljFfqefnnLOSaqO/0DdH4xWNn3rqvAVR5nHxcpB3fAMabM8cTewzK98AOk69wEXKXTqka3Mz4oZZBbnfdK1WlrAI7lCXRZXoxdejJK3OMHt11s8VCeh950wgoaQTq+0hb7Eoay8eTQXyFt3ru8lk28UYRpF+3Ar9wPEhuJVQjO9pW9GhYAelOx+x4rlBbKS/BOV1ZcyDt/Mw+kuwPvmauV7sSTGyXYBnAfflWvd73AfQFUnGUX4mSWh74Hr8qTaz5Kc+2CkBvv/xcy+56zuFpQoA7jsngIeJ21VfHwUGyaZrznV05WlWlJFQFGcxEfo4wL1cz2zGzz2DTkUbQmIIu4TIPthrqUtkOX8es1tcWhU0dujfYAzmyAvD/y0ppGVc2NB8dvFo+8VFlrZubPNar3JWGh5sur7eGNmjllKrWULf+x/3iNXe9OHpCF1xKKSsA3EaCYxzUzKioWaLB+atCvmXgLdm/kN8=--KsWYjhaW5cDG4rG+--zxFe1JGKBS9jtrrPEROWaw==

config/credentials.yml.enc

@@ -0,0 +1 @@
+BxZTGrzRVLFfu/Lc1QdibIJQ39aKE01FjVl09qUgjMf+hFJvtns37mfgC1QbxUvA/nabt1T+LnIzFu0tF3pbD6lnftCrpk6P06eniRFK+Oc/1BMlbC0H5utQae/MfyPzDMnWDMcD6Ijusu052viXTuN8PxGeqNGE39W6H2G4/zltnv3uqIg8LGR5SHnl6LE+YfKsBbM1fQjK2bgCRpppJNA3nHb8uZInEMf2yd/L8WBwkATgfB7ZbrafN/eShraE1k4X7id69r0ADFpe+P+Xf9JHDoS6HiNIfNEjo7Rs31LEDB3xNV90NHBlUIqQnSUuBAkzQSYgD8SSQJEZ60o4m8sQmX11NlPExdsQeSqJkfIm1ZhJ3bgcpY9aKe2Clh8Qv9SM0lVLEG86EmGjg1T9sm1jdV0jJ3JrGnhKcGZaAJq64su68JyYdzCG6JIG1vwZ1yvVV/5ZnfzKZanKo0o9uaDlGF/jzmhEzQZr0BZbZntWNMfVQlTVl/SespZ9ZFGtJW6HaK8+VZYIueOp3XSH2wt2LARvs2qCGXX8BJDbB/BKOwta9v9lX6NdbuYRWGV8goMoLJvSqYSaiAkDEKo9iS9AA8ry6W2Voq7TbU7vpASw0Jk2IXzU+YgNDg/+4BDIrLqJbS0lNAa4ZjWvLjXeEsX2jclaa/oL3+IJWz8ekgYhjk+nfp6xIRHBx39brteDP+fgGyl2UTcIHKldJMSbnzSvYmu82k1NWKdtgwwWMxDgcKMmED/Y2e2FYL7zhW08ipNhGUUTMoqOBFtfRFwMFDB/dBPmfCVzqQYQQZmW2w7N2wiSmBxqF8XGHcMZwl+4VR/H7uNq4bnJ3s5xeiCoYlaqlv+KvQp9nPRa4EYul6SQsglKnwgxDDj45r/Rtb05L4JQlX6CP1aX8vUXFzudCqdCg/wBTrJPiUUu5B6e8D2lfvW5uyNLRYUMJYDSdFatm38o7XJjgVeR7lwRbMJShzBKyV1ziznjCTytVGOc+DQCI28XTTyDYK2wFuGRBXUNrJexZJq572FHYQqLVTNAKgFntPCrsFZi4hBbE5ptno4QOR/M8G01xO9WXlgDsu+mwImMWZzZC3duoNdidKkP81uH4vc93IE4Xu6qSxFptMkgFETiHMo3/yOCJHtVF+SfssehRiIWSSIK8e5w01lFHkL1pYuu0SIj3U7+nAHYSERZyxPYU6S/MFah2fn1/kLf+sCyhiHeS0BssvDa--UBWuaDX0lz7lWFpk--eMLQ/2xDN0ixjlzvkj6dcQ==

config/environments/production.rb

@@ -86,14 +86,14 @@
   # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
 
   config.action_mailer.default_url_options = {
-    scheme: 'https', host: Rails.application.config.x.tomato_host || 'tomato.csvalpha.nl'
+    scheme: 'https', host: Rails.application.config.x.tomato_host
   }
 
   config.action_mailer.delivery_method = :mailgun
   config.action_mailer.asset_host = "https://#{config.action_mailer.default_url_options[:host]}"
   config.action_mailer.mailgun_settings = {
-    api_key: Rails.application.secrets.fetch(:mailgun_api_key),
-    domain: 'csvalpha.nl'
+    api_key: Rails.application.credentials.mailgun_api_key,
+    domain: Rails.application.credentials.banana_host
   }
 
   if ENV['RAILS_LOG_TO_STDOUT'].present?

config/environments/staging.rb

@@ -0,0 +1,107 @@
+Rails.application.configure do
+  # Verifies that versions and hashed value of the package contents in the project's package.json
+  config.webpacker.check_yarn_integrity = false
+
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # Code is not reloaded between requests.
+  config.cache_classes = true
+
+  # Eager load code on boot. This eager loads most of Rails and
+  # your application in memory, allowing both threaded web servers
+  # and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # Full error reports are disabled and caching is turned on.
+  config.consider_all_requests_local       = false
+  config.action_controller.perform_caching = true
+
+  # Attempt to read encrypted secrets from `config/secrets.yml.enc`.
+  # Requires an encryption key in `ENV["RAILS_MASTER_KEY"]` or
+  # `config/secrets.yml.key`.
+  config.read_encrypted_secrets = true
+
+  # Disable serving static files from the `/public` folder by default since
+  # Apache or NGINX already handles this.
+  config.public_file_server.enabled = true
+  # config.public_file_server.enabled = Rails.env.production?
+
+  # Compress JavaScripts and CSS.
+  config.assets.js_compressor = Uglifier.new(harmony: true)
+  # config.assets.css_compressor = :sass
+
+  # Do not fallback to assets pipeline if a precompiled asset is missed.
+  config.assets.compile = false
+
+  # `config.assets.precompile` and `config.assets.version`
+  # have moved to config/initializers/assets.rb
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.action_controller.asset_host = 'http://assets.example.com'
+
+  # Specifies the header that your server uses for sending files.
+  # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
+  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
+
+  # Mount Action Cable outside main process or domain
+  # config.action_cable.mount_path = nil
+  # config.action_cable.url = 'wss://example.com/cable'
+  # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  # config.force_ssl = true
+
+  # Use the lowest log level to ensure availability of diagnostic information
+  # when problems arise.
+  config.log_level = :debug
+
+  # Prepend all log lines with the following tags.
+  config.log_tags = [:request_id]
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
+
+  # Use a real queuing backend for Active Job (and separate queues per environment)
+  # config.active_job.queue_adapter     = :resque
+  # config.active_job.queue_name_prefix = "tomato_#{Rails.env}"
+  config.action_mailer.perform_caching = false
+
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation cannot be found).
+  config.i18n.fallbacks = true
+
+  # Send deprecation notices to registered listeners.
+  config.active_support.deprecation = :notify
+
+  # Use default logging formatter so that PID and timestamp are not suppressed.
+  config.log_formatter = ::Logger::Formatter.new
+
+  # Use a different logger for distributed setups.
+  # require 'syslog/logger'
+  # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
+
+  config.action_mailer.default_url_options = {
+    scheme: 'https', host: Rails.application.credentials.tomato_host
+  }
+
+  config.action_mailer.delivery_method = :mailgun
+  config.action_mailer.asset_host = "https://#{config.action_mailer.default_url_options[:host]}"
+  config.action_mailer.mailgun_settings = {
+    api_key: Rails.application.credentials.mailgun_api_key,
+    domain: Rails.application.credentials.banana_host
+  }
+
+  if ENV['RAILS_LOG_TO_STDOUT'].present?
+    logger           = ActiveSupport::Logger.new(STDOUT)
+    logger.formatter = config.log_formatter
+    config.logger    = ActiveSupport::TaggedLogging.new(logger)
+  end
+
+  # Do not dump schema after migrations.
+  config.active_record.dump_schema_after_migration = false
+end

config/initializers/devise.rb

@@ -9,6 +9,6 @@
   # ==> OmniAuth
   require 'omniauth_strategies'
 
-  config.omniauth :banana_oauth2, Rails.application.secrets.fetch(:banana_client_id),
-                  Rails.application.secrets.fetch(:banana_client_secret)
+  config.omniauth :banana_oauth2, Rails.application.credentials.banana_client_id,
+                  Rails.application.credentials.banana_client_secret
 end

config/initializers/sentry.rb

@@ -1,5 +1,5 @@
 Raven.configure do |config|
-  config.dsn = Rails.application.secrets.fetch(:sentry_dsn)
+  config.dsn = Rails.application.credentials.sentry_dsn
   config.environments = %w[production]
   config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
 end