Continuing the discussion from Exec binding and echo, netcat, a pipe, carriage return and quotation marks:
I decided to respond in a new thread because I think others might be interested in the answer.
Here is a full description of my source control for my OH configurations.
I use a Docker Container running git and ssh with a folder I backup mounted as a volume for the repositories. I do this for several reasons. First, I wanted to learn how to use Docker and how it works and this was a really low impact low complexity way to get my foot in the door. I like that I can reconstitute the service instantly (I also cm control my Dockerfile) and I like that I can add some additional isolation and additional layers of security. For example, I set ssh up for the git user in that container to only allow login for users with the right cert (a different cert than my host), and only allow certain hosts on my LAN access to it, which is pretty easy to do through Docker.
I like the security because I do have sensitive files checked in to my repos (passwords, ssh certs, locations, etc.). So indeed no, I do not use github for any of this. For the one project that I have shared on github I actually created two repos, one for github and one for my personal deployment. For the github repo I use git ignore to exclude some files and simply don’t put others there in the first place.
This is kind of a hassle, but for this particular project (sensorReporter), where I have three (soon more) machines I need to deploy it to, it is really, really nice to be able to clone the repo and run a script and be up and running with passwords and certs and everything. And using git makes it really easy to keep them all updated.
But getting back to the security, I must admit I have not really looked that deeply into whether I’m really buying some real security or just the illusion of security. But even if there is no value added security-wise, the ability to run `docker build` and a minute or two later have my service completely restored is a huge win.
The backup is multifaceted. First I usually have one or two clones of the repos scattered about which provides one level of backup. The other is I have Bacula keeping backups of the drive where the git repos reside. If I were really paranoid I’d probably sign up for some offsite service but haven’t gotten around to it.
I have one repo to capture all of my OH conf changes. These changes include `/etc/openhab` and `/usr/share/openhab/webapps`, so I keep them both in one repo which I clone into my home directory and symlink them to their proper locations.