
futurefuture's avatar

Load Balancer Passport Keys

Hey guys,

Was wondering if anyone had a clean solution for managing synced passport keys across 2 separate servers beneath a load balancer.

The two options that I can think of are:

  1. copy auth keys from server 1 into server 2
  2. post keys on S3 or something similar and link via the .env file on each server

Thoughts?

Thanks in advance!

0 likes
5 replies
D9705996's avatar

From personal experience, I would avoid copying files between servers if possible, as you are going to experience issues where your servers are out of sync.

Personally, I would always go for the single source of truth option. For my servers behind a load balancer I have a master server that exports the shared folder via NFS, and the other servers mount the NFS share in read-only mode, which removes any sync issues.

It does introduce a single point of failure, but it's fit for purpose for my needs (it's not for a Laravel app but a config management system, but the logic holds true).

However, how often the keys change, if ever, will determine your approach. If your environment isn't very dynamic, then the easiest might be to just copy the keys manually to your server before introducing it to the cluster. If you are dynamically scaling based on load, then chances are you are using a configuration management tool like Puppet, so you could look to add your keys here and centrally manage them that way (or use a central file location with NFS).

The one thing I would say is you need to ensure your auth keys are secure, so if you decide to use something like Amazon (I would personally keep my keys in-house), lock it down!

fideloper's avatar
Level 11

I use s3 for a .env file per environment. However I also generally host on AWS where I can apply permissions on the server itself (instance profiles) rather than generate a user with an access key/secret.

In any case, I download the .env file appropriate on each deploy (as part of the deploy script).

If you'd like you can encrypt them also (not just encrypting the s3 bucket but the actual file contents prior to uploading). Then your deploy script that copies the encrypted file would need to decrypt it (and know the encryption key).

1 like
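The deploy flow described in the reply above (encrypt the file contents before upload, download on each deploy, decrypt on the server), as an added example that is not part of the original thread. The bucket name, object key, file paths and passphrase-file location are placeholders, and `openssl enc` is one possible choice of encryption tool.

```shell
#!/usr/bin/env bash
# Added example: deploy-time helpers for an encrypted .env kept in S3.
# Bucket name, object key and file paths are placeholders, not from the thread.

# Encrypt a plaintext .env before upload (run where the secret is maintained).
# $1 = plaintext file, $2 = output ciphertext, $3 = file holding the passphrase
encrypt_env() {
  openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$2" -pass "file:$3"
}

# Download the ciphertext. On EC2 the instance profile supplies credentials,
# so no access key/secret has to be stored on the server.
# $1 = s3://bucket/key (placeholder), $2 = local destination
fetch_env() {
  aws s3 cp "$1" "$2" --only-show-errors
}

# Decrypt into a private temp file beside the target, then rename into place.
# A failed decrypt leaves the currently deployed file untouched.
# $1 = ciphertext, $2 = target file, $3 = file holding the passphrase
decrypt_install() {
  tmp="$(umask 077; mktemp "$2.XXXXXX")" || return 1
  if openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$tmp" -pass "file:$3" 2>/dev/null \
     && [ -s "$tmp" ]; then
    # Owner-only permissions, then an atomic rename on the same filesystem.
    chmod 600 "$tmp" && mv -f "$tmp" "$2"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Typical deploy step (all paths are placeholders):
#   fetch_env "s3://EXAMPLE-BUCKET/production/.env.enc" /tmp/.env.enc
#   decrypt_install /tmp/.env.enc /path/to/app/.env /etc/deploy/env.pass
```

`openssl enc` in CBC mode does not authenticate the ciphertext, so restrict write access to the bucket as tightly as read access. The passphrase file has to reach each server by a separate channel from the bucket.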
futurefuture's avatar

@D9705996 and @fideloper Thanks so much for the insight.

Good to know I wasn't way off the beaten path with my thoughts on this.

For the time being, I've just copied the keys over to the second server. This is just going to be temporary until I ultimately most likely go with the S3 option like you suggested, @fideloper.

So you have the entire .env file in s3? That's smart, as that would save me the trouble of having to update 2 or more .env files in general as well when making changes.

Pretty cool btw that you got back to me on this @fideloper. Was using your Scaling On Forge lessons to guide me through an entire overhaul of my server setup.

It was absolutely great. Super informative, good pace and interesting. I'll probably be purchasing your Scaling Laravel course in the near future so thanks for that :)

1 like
revolistic's avatar

As we are using Passport Client Grant for our JSON API auth with JWT tokens, is it a bad practice to run artisan passport:keys in each deployment?

As far as I can see, it will mean that currently logged-in users would need to log in again, but it gives more confidence than putting the SSL key pairs in a git repo (our "scripts" to deploy are cookbooks/recipes with AWS OpsWorks (Chef), and they are taken from a private git repo).

Thanks
