Merge pull request #70 from RSE-Sheffield/chore/deploy-env

Add .env file to deployment script

Author: f-allian

deploy.sh

@@ -17,6 +17,7 @@ venv_dir="$sort_dir/venv"
 pip="$venv_dir/bin/pip"
 python_version="python3.12"
 python="$venv_dir/bin/python"
+env_file="$sort_dir/.env"
 
 # Install British UTF-8 locale so we can use this with PostgreSQL.
 # This is important to avoid the limitations of the LATIN1 character set.
@@ -25,6 +26,7 @@ sudo locale-gen en_GB.UTF-8
 sudo update-locale
 
 # Create Python virtual environment
+mkdir --parents "$sort_dir"
 apt update -qq
 apt install --upgrade --yes -qq "$python_version" "$python_version-venv"
 python3 -m venv "$venv_dir"
@@ -33,6 +35,11 @@ python3 -m venv "$venv_dir"
 $pip install --quiet -r requirements.txt
 cp --recursive * "$sort_dir/"
 
+# Create environment file
+sudo touch "$env_file"
+sudo chown gunicorn:gunicorn "$env_file"
+sudo chmod 600 "$env_file"
+
 # Install static files into DJANGO_STATIC_ROOT
 # This runs in a subshell because it's changing directory
 (cd "$sort_dir" && exec $python manage.py collectstatic --no-input)

docs/deployment.md

@@ -52,10 +52,13 @@ We can run commands and Bash scripts as the superuser (`root`) using the [`sudo`
 
 To configure the environment variables for the service, you can either edit the `.env` file and/or add them to the systemd service using `systemctl edit`.
 
-To edit the environment file:
+To create and edit the environment file, which should have access restricted to only the Python app (the Gunicorn service):
 
 ```bash
 sudo mkdir --parents /opt/sort
+sudo touch /opt/sort/.env
+sudo chown gunicorn:gunicorn /opt/sort/.env
+sudo chmod 600 /opt/sort/.env
 sudo nano /opt/sort/.env
 ```